OpenBSD Journal
BREAKING pf(4) change: change route-to so it sends packets to IPs instead of interfaces.
CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2021/01/31 17:31:05

Modified files:
	sbin/pfctl     : parse.y pfctl_parser.c
	share/man/man5 : pf.conf.5
	sys/net        : if_pfsync.c pf.c pfvar.h

Log message:
change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.
This change is intended to make configuration and maintenance easier, but it runs a high risk of breaking existing configurations. Read on for the rest of David's commit message, with some background.
OpenBSD KDE Status Report
OpenBSD has managed to drop KDE3 and KDE4 in the 6.8 -> 6.9 release cycle. That makes me very happy because it was a big piece of work and long discussions. This of course brings questions: KDE Plasma 5 package missing.
After half a year of work, I managed to successfully update the Qt5 stack to the last LTS version 5.15.2. On the whole, the most work was updating QtWebengine. What a monster! With my CPU power at home, I can build it 1-2 times a day which makes testing a little bit annoying and time intensive.
But today we can be happy about an up-to-date KDE stack in OpenBSD. Currently - at the end of January - our stack is very up-to-date:
- Qt 5.15.2
- Qt Creator 4.14.0
- KDE Frameworks 5.78.0
- KDE Applications 20.12.1 (Almost everything!)
- Kdevelop 5.6.1
- Krita 4.4.2
- KMyMoney 5.1.1
- DigiKam 7.1.0
I try to keep KDE Applications 20.12.x stable until the 6.9 release.
Let's move on to the topic of KDE Plasma. The Plasma desktop and some other KDE applications have a strong dependence on Wayland. As long as there is no Wayland under OpenBSD, there will also be no KDE Plasma.
It can be observed that more and more KDE applications already prefer a strong dependency on Wayland. For example, Spectacle.
In summary: no OpenBSD Wayland support, no KDE Plasma, and probably fewer and fewer KDE applications.
ujoy(4) added to -current
With the following commit, Thomas Frohwein (thfr@) added a joystick/gamecontroller driver to -current:
CVSROOT:	/cvs
Module name:	src
Changes by:	thfr@cvs.openbsd.org	2021/01/22 22:08:36

Modified files:
	etc            : MAKEDEV.common
	etc/etc.alpha  : MAKEDEV.md
	etc/etc.amd64  : MAKEDEV.md
	[…]
	sys/dev/usb    : files.usb uhid.c uhid.h
	sys/sys        : conf.h
Added files:
	share/man/man4 : ujoy.4
	sys/dev/usb    : ujoy.c

Log message:
introduce ujoy(4), a restricted subset of uhid(4) for gamecontrollers.

This includes ujoy_hid_is_collection() to work around limitations of hid_is_collection() until this can be combined without fallout.

input, testing with 8bitdo controller, and ok brynet@
PS4 controller testing, fix for hid_is_collection, and ok mglocker@

Block spammers/abusive IPs with Pf-badhost in OpenBSD. A 'must have' security tool!
Pf-badhost is a very practical, robust, stable and lightweight security script for network servers.
It's compatible with BSD based operating systems such as {Open,Free,Net,Dragonfly}BSD and MacOS. It blocks potentially bad IP addresses that could attack your servers (and waste your bandwidth and fill your logfiles) before they can contact your server; as a result your server's network and resources are lighter, and the logs of important services running on it become simpler, more readable and more efficient.
Preliminary OpenBSD Support Added to OBS Studio
OpenBSD developer Vadim Zhukov (zhukov@) has added preliminary OpenBSD support to Open Broadcaster Software (OBS) Studio release 26.1.0 and later. The changes come as part of an ongoing collaboration between the upstream OBS project and OpenBSD developers.
Preliminary OpenBSD support was added in two commits. One introduced sndio(7) support. This adds a sndio plugin which Zhukov advises will provide more reliable, lower latency audio mixing than the ffmpeg plugin for OpenBSD users. The other provides basic support such as help evaluating OpenBSD-specific filesystem paths.
A link to the release was posted on Reddit, with a title claiming full OpenBSD support. Bryan Steele (brynet@) was quick to provide helpful context in a comment:
Note that this is still a WIP and it hasn't been submitted to the ports mailing list or committed to the ports tree; zhuk@ and others have been working with the upstream. As I understand there are issues that still remain, so "full OpenBSD support" is a bit premature.
sysctl parameter kern.video.record added to -current
With the following commit, Marcus Glocker (mglocker@) added an enhanced privacy control for video recording:
CVSROOT:	/cvs
Module name:	src
Changes by:	mglocker@cvs.openbsd.org	2020/12/28 11:28:11

Modified files:
	sys/dev  : video.c
	sys/kern : kern_sysctl.c
	sys/sys  : sysctl.h

Log message:
Analog to the kern.audio.record sysctl parameter for audio(4) devices, introduce kern.video.record for video(4) devices. By default kern.video.record will be set to zero, blanking all data delivered by device drivers which attach to video(4).

The idea was initially proposed by Laurence Tratt <laurie AT tratt DOT net>.

ok mpi@

This is analogous to kern.audio.record, which was first seen in OpenBSD 6.4.
OpenBSD and you, the 6.8 update
On Saturday November 7th I participated remotely in OpenFest 2020 with an updated version of the OpenBSD and you talk.
Recordings will be released after the conference, but I was happy enough with my dry run or backup recording that I'm making that available too, along with the slides to follow along. I hope this will be useful in your advocacy or education on OpenBSD and why the project matters.
In case you were wondering, this is an update on a talk we covered previously, with updates to cover the more recent OpenBSD 6.8.
How the OpenBSD -stable packages are built
Solène Rapenne (solene@) has written a blog entry on the software system underlying the building of -stable packages:
In this long blog post, I will write about the technical details of the OpenBSD stable packages building infrastructure. I have set up the infrastructure with the help of Theo De Raadt, who provided me with the hardware in summer 2019; since then, OpenBSD users can upgrade their packages using pkg_add -u for critical updates that have been backported by the contributors. Many thanks to them, without their work there would be no packages to build.
(-stable packages have been the subject of earlier articles.)
Readers are reminded that they can express their gratitude to solene@ and others by donating!
OpenBSD 6.8 Released
On its 25th birthday, the OpenBSD project has released OpenBSD 6.8, the 49th release.
The new release comes with a large number of improvements and debuts a new architecture, OpenBSD/powerpc64, running on the POWER9 family of processors. The full list of changes can be found in the announcement and on the release page. Some highlights:
- As already mentioned, this release debuts the OpenBSD/powerpc64 architecture, supporting the POWER9 [and POWER8] family of processors.
- Numerous kernel improvements such as better time measurements across several architectures (see e.g. this article), updated graphics support, and of course numerous improvements in hardware support with updated drivers across several platforms.
- Numerous network stack improvements, including those described by kn@ in his k2k20 hackathon report.
- wg(4), an in-kernel driver for WireGuard VPN [reported previously]
- login_ldap added to base [reported previously]
- FFS2 improvements [some of which were reported earlier]
- LibreSSL 3.2.2 with TLSv1.3 enabled for both client and server, and a new-and-improved X509 certificate chain validator (see beck@'s k2k20 hackathon report).
Those upgrading from 6.7 should consult the Upgrade Guide.
Thanks to the developers for all the good work that went into this excellent new release!
While your install sets download or your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation or buying T-shirts. Corporate entities may prefer sending some money in the direction of the OpenBSD Foundation, which is a Canadian non-profit corporation.
Cryptographic Signing using ssh-keygen(1) with a FIDO Authenticator
Hitherto, releases of the fwobac software (which underlies Undeadly) have been unsigned. This is overdue for change, so for the latest release [version 1.7], we are providing a digital signature. As signing is being performed manually, why not employ an additional [hardware] factor?
signify(1) does not support the use of FIDO authenticators. However, recent versions of OpenSSH do support signing using the [under-appreciated] -Y sign option of ssh-keygen(1), and with the recent addition of FIDO authenticator support to OpenSSH [as reported previously], we have a means (using tools in base OpenBSD) of using a hardware factor when signing files.
RETGUARD for powerpc and powerpc64 added to -current
Todd Mortimer (mortimer@) has committed RETGUARD (see previous coverage) for the macppc (powerpc) and powerpc64 platforms:
CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2020/10/12 08:52:09

Modified files:
	gnu/llvm/clang/lib/Driver/ToolChains: Clang.cpp
	gnu/llvm/llvm/lib/Target/PowerPC: CMakeLists.txt PPCAsmPrinter.cpp PPCFrameLowering.cpp PPCFrameLowering.h PPCInstrInfo.td
	gnu/usr.bin/clang/libLLVMPowerPCCodeGen: Makefile
Added files:
	gnu/llvm/llvm/lib/Target/PowerPC: PPCReturnProtectorLowering.cpp PPCReturnProtectorLowering.h

Log message:
Add RETGUARD implementation for powerpc and powerpc64.

ok deraadt@ kettenis@

See the Innovations page for the full list of platforms on which RETGUARD is implemented.
Ingo announces pta (Plain Text Accounting)
Ingo (schwarze@) writes in about a side project he's been working on to do his own accounting:
Sometimes, it happens to me that i make little progress with the work i planned to do (so let's not talk about the badly needed mandoc release today) and instead end up doing work that wasn't planned at all.
k2k20 hackathon report: Rafael Sadowski on KDE and other packages progress
Fresh off the k2k20 hackathon, Rafael Sadowski (rsadowski@) writes in:
Due to the pandemic, this hackathon seemed to be called very spontaneously. Fortunately, the hackathon was over a weekend. This enabled me to attend without missing any professional obligations. On Friday morning, shortly after sunrise, I took the train to Bad Liebenzell. On the train I worked for my employer until I reached Karlsruhe at about 11am. I swapped my MacBook for my OpenBSD ThinkPad T470s.
k2k20 hackathon report: Florian Obser on DNS
The fourth report from k2k20 comes from Florian Obser (florian@), who worked mostly on DNS related things:
I spent the week before the hackathon with monitoring the current pandemic situation. Will ze germans let me in? Will I put people at risk? In the end it all looked OK-ish and I booked my train ticket a day before leaving. Time to pack!
My current bag of holding is an Osprey Talon 22 and it fits an X1, roost laptop stand, Microsoft sculpt keyboard, assorted cables, toiletry bag and clothing for 6 days. Yes, this includes fresh underwear and T-Shirts for every day.
k2k20 hackathon report: Klemens Nanni on network land decluttering
Our next k2k20 report comes from Klemens Nanni (kn@):
I'd been looking forward to k2k20 just like my other hackathon with its unique atmosphere where getting work done in fact means holiday hacking with friends.
There was nothing big on my list but it had already grown into a rich assortment of issues and itches to scratch - this usually aligns well with the release cycle since it means focusing on regression fixes and polish during the -beta phase until the tree gets locked for release.
k2k20 hackathon report: Bob Beck on LibreSSL progress
We have a saying about hackathons - They are for starting something, or for finishing something. This time for me was a "finishing something" - I landed the new x509 certificate chain validation in libcrypto.
k2k20 hackathon report: Martijn van Duren on snmp, agentx, and other progress
The k2k20 hackathon concluded recently, and we are pleased to have received a report from Martijn van Duren (martijn@):
I came to k2k20 on my motorcycle with my mask, a small backpack and a stack of projects burning on my laptop to get pushed. After a long ride ending on the lovely winding roads of the black forest I arrived at Burg Liebenzell slightly past noon, where I was greeted by a collection of other OpenBSD developers who just came back from lunch. After checking in and a quick lunch of my own I joined the rest in the hackroom where everything was set up in a wide circle giving every table plenty of room for privilege separation^W^Wsocial distancing.
login_ldap added to -current
With this commit, Martijn van Duren (martijn@) added login_ldap(8) to -current:
CVSROOT:	/cvs
Module name:	src
Changes by:	martijn@cvs.openbsd.org	2020/09/12 09:06:12

Modified files:
	libexec : Makefile
Added files:
	libexec/login_ldap: Makefile aldap.c aldap.h bind.c login_ldap.8 login_ldap.c login_ldap.h search.c util.c

Log message:
Import login_ldap.

The code is based on the login_ldap port, but uses our own aldap implementation instead of openldap. It also uses a stand alone configuration file instead of login.conf, since setting this up might contain information not destined for everyone to see.

OK bluhm@
"Go for it" deraadt@

An example configuration file was also committed.
6.8-beta tagged in CVS
Theo (deraadt@) has just committed the crank to 6.8-beta to CVS:
From: Theo de Raadt
Date: Mon, 31 Aug 2020 10:08:28 -0600 (MDT)
To: source-changes@openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2020/08/31 10:08:28

Modified files:
	sys/conf       : newvers.sh
	sys/sys        : param.h
	usr.bin/signify: signify.1
	etc/root       : root.mail
	share/mk       : sys.mk
	sys/arch/macppc/stand/tbxidata: bsd.tbxi

Log message:
crank to 6.8-beta

You know what this means: time to test snapshots and report any issues you find, both in the base system and in the supplied packages, so that the upcoming 6.8 release will not surprise you in unfortunate ways!
