OpenBSD Journal
Game of Trees 0.77 released
Version 0.77 of Game of Trees has been released (and the port updated):
* got 0.77; 2022-10-24
- disallow integrating into references outside refs/heads/ (jrick)
- gotwebd.conf: add syntax for defining macros and document them (op)
- simplify the way 'got patch' opens a tempfile when reading from stdin
- lots of refactoring to allow gotd(8) code to run without libexec helpers
- more refactoring to allow gotd(8) to stream packfile data on network sockets
- add missing error checking around some unlink(2) syscalls
- don't crash if delta cache is missing while combining deltas; for dev builds
- allow got_object_parse_tree() to reuse entries buffer allocations for speed
- show a more useful error if the size of a packed object won't fit in 64 bits
- switch integers used for counting objects while indexing packs to unsigned
- refresh cached list of pack index paths while searching a packed object
- introduce gotd(8) and gotsh(1); WIP and not yet provided in binary packages
- close parent's end of imsg pipe before waiting for a child process to exit
- fix detection of SIGTERM in tog; this signal was accidentally being ignored
- avoid printing harmless errors that can occur when tog exits due to Ctrl-C
Of particular note is the introduction of [WIP] gotd(8)/gotd.conf(5) and gotsh(1), which provide networking support for got(1). Great stuff!
OpenBSD 7.2 Released
This is the 53rd release from the OpenBSD project. Highlights of the new release include:
- Numerous SMP improvements in various parts of the network stack (including parallel IP forwarding [See earlier report])
- A new timestamp utility, ts(1)
- rc.d(8) and rcctl(8) have a new configtest action [See earlier report]
- ps(1) has a new "-f" option for displaying the parent/child hierarchy of processes as an ASCII art tree [See earlier report]
- pkg_add(1) speedup thanks to caching [See earlier report]
- New grep --null option [See earlier report]
- RAID 1C [mirroring and encryption] boot support for amd64, sparc64, and arm64 [See earlier report]
- The rekeying interval in arc4random(3) (and friends) is now randomised [See earlier report]
- Several /sbin daemons are now dynamically-linked [See earlier report]
- dhclient(8) now just logs warnings and executes ifconfig(8) [See earlier report]
- /usr/games has been removed from the default $PATH [See earlier report]
As always, the release is available for download from mirror sites all over the world; be sure to pick one that is near you, network-wise! Those upgrading from the 7.1 release (or earlier) should consult the Upgrade Guide.
Also remember to support the project with a donation, perhaps buy some swag from the OpenBSD Store, and if you are at all corporate, please go to the OpenBSD Foundation and see about becoming an official sponsor.
Thanks from all of us to the developers for delivering yet another awesome release!
Further memory protections committed to -current
In a long series of commits, Theo de Raadt (deraadt@) has added support for the immutable memory mappings on which we reported earlier. We see:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2022/10/06 21:20:58
Modified files:
 sys/sys : exec_elf.h
Log message:
Add identifiers for the new "mutable bss" section, ".openbsd.mutable" is 0x65a3dbe5.
Also add PF_MUTABLE as a segment flag for later use.
OpenBGPD 7.7 released
The announcement notes some key improvements in this release:
Subject: OpenBGPD 7.7 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2022-10-06 21:25:58
We have released OpenBGPD 7.7, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.
LibreSSL 3.6.0 released
We have released LibreSSL 3.6.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is a development release for the 3.6.x branch, and we appreciate additional testing and feedback before the final release coming soon with OpenBSD 7.2. It includes the following changes:
OpenSSH 9.1/9.1p1 released
OpenSSH 9.1 has been released. It is primarily a bug-fix release.
Version 9.1 will be part of the OpenBSD 7.2 release.
OpenBSD.app - search packages
Another site for searching OpenBSD packages has appeared - OpenBSD.app.
The site, which supports full text search, is run by Aaron Bieber (abieber@ when his OpenBSD hat isn't askew). He commented on Lobsters.
OpenSSH 9.1 is almost ready for release. Please help testing!
An important message from Damien Miller (djm@) turned up on mailing lists and elsewhere, saying,
From: Damien Miller <djm () mindrot ! org>
Date: Wed, 28 Sep 2022 00:03:37 +0000
To: openssh-unix-dev
Subject: Call for testing: openssh-9.1
Hi,
OpenSSH 9.1p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/
You can read the whole message here or continue after the fold -
A Few of My Favorite Things About The OpenBSD Packet Filter Tools
The full text of the talk is also available here, without trackers.
Topics covered: PF basics, state tracking tricks, greytrapping, traffic shaping, with pointers to further material.
All good fun while we are waiting for the next big thing.
Game of Trees 0.76 released.
A complete list of what changed may be viewed here:
http://gameoftrees.org/releases/CHANGES
Running a Docker Host under OpenBSD using vmd(8)
Joel Carnat has written a blog entry on using docker under and from OpenBSD. It starts:
The OpenBSD virtual machine daemon works pretty well with Linux VMs nowadays. This was time for me to see if I could replace the Synology Docker service with some Docker host provided by vmd(8).
EuroBSDCon 2022
EuroBSDCon 2022 is currently underway.
Slides for some of the OpenBSD sessions are already available from the usual place on the OpenBSD web site.
At the time of writing, it's not too late to catch live streams of the final day of the conference!
OpenBGPD 7.6 released
The release announcement leads in,
We have released OpenBGPD 7.6, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release:
* Include OpenBSD 7.1 errata 008: bgpd(8) could fail to invalidate nexthops and incorrectly leave them in the FIB or Adj-RIB-Out.
* Speedup bgpctl show rib 10/8 or-longer and show rib 10/8 or-shorter
* Switch various static hash tables to RB trees improving performance on large systems
* Export per neighbor pending update and withdraw statistics
* Fix race between a neighbor session reset and its update message backlog
* Improve handling of nexthop reachability state changes
* Further improve portability of the FIB handling code
A summary piece on spam fighting and spamd(8) in particular and 300,000 imaginary friends
The main tools are what comes in the base system of our favorite operating system, with particular focus on spamd(8) and the greytrapping feature.
The article leads in with
It finally happened. Today, I added the three hundred thousandth (yes, 300,000th) spamtrap address to my greytrapping setup, for the most part fished out of incoming traffic here, for spammers to consume.
and is liberally sprinkled with references to other relevant material.
The article is also available in a trackerless (aside from the server's ordinarily rotated log) version.
-current has moved to 7.2
With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.2:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2022/09/11 08:27:09
Modified files:
 sys/conf : newvers.sh
Log message:
drop the -beta
For those unfamiliar with the process: this is not the 7.2 release, but is part of the standard build-up to the release.
It's time to start using "-D snap" with pkg_add (and pkg_info).
(Regular readers will know what comes next…) This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].
rpki-client 8.0 released
The announcement reads,
rpki-client 8.0 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.
rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
Game of Trees 0.75 released
Stefan Sperling (stsp@) noted the release of version 0.75 of Game of Trees:
Version control system #gameoftrees 0.75 has been released. This is the first release which ships gotwebd, a Fast-CGI Git repository web server written by @basepr1me with lots of help by @op and others. In the long term, gotwebd will replace its ancestor, the gotweb CGI program. If you already run gotweb then please try gotwebd and let us know about any issues.
[…]
g2k22 Hackathon Report: Martijn van Duren on snmpd(8) improvements
We are delighted to have received a report on the recently-concluded g2k22 hackathon. Martijn van Duren (martijn@) writes:
Coming to Bad Liebenzell for the 3rd year in a row I knew what to expect, but the scenery still continues to amaze me. Driving through the Black Forest was a nice little escape before plunging back into the SNMP world.
One of the biggest misconceptions I've seen floating around, and one of my biggest irks with snmpd(8), was its privilege separation situation. While it is true that snmpd(8) always had multiple processes, it was never used to any meaningful degree. The engine process (snmpe) handled everything SNMP related: handling packets/connections, de-/encoding the BER, handling authentication, finding the correct object and retrieving the data from the proper source (usually the kernel). Because some metrics fell outside the scope of pledge, it also ran without the pledge seat belt. The engine, however, does run inside a /var/empty chroot; this is where the other (parent) process comes into play. When a trap (notification) is received and covered by "trap handle", it's forwarded to the parent process, which then executes the "command".
OpenBSD may soon gain further memory protections: immutable userland mappings
In the last few years, I have been improving the strictness of userland memory layout. An example is the recent addition of MAP_STACK and msyscall(). The first one marks pages that are stack, so that upon entry to the kernel we can check if the stack-pointer is pointing in the stack range. If it isn't, the most obvious conclusion is that a ROP pivot has occurred, and we kill the process. The second one marks the region which contains syscall traps; if upon entry to the kernel the PC is not in that region, we know someone is trying to do system calls via an unapproved method.
