Az OpenBSD fejlesztők ígéretükhöz híven május 1-ére kiadták az OpenBSD 3.5-ös verzióját. Ez a kiadás a 15. CD-ROM és egyben a 16. FTP kiadás - olvashatjuk Todd C. Miller levelében.
Természetesen (mint mindig) megjegyzik, hogy büszkék arra, hogy az OpenBSD-ben csak egy távolról kihasználható hiba volt 8 év alatt alapértelmezett telepítés esetén.
A korábbi kiadásokhoz képest az OpenBSD 3.5 számos jelentős újdonságot hoz a felhasználóknak:
- Biztonság - új ptm eszköz, privilégium elkülönítés kiterjesztése több szolgáltatásra, számos javítás a ProPolice verem védelemben, malloc(8)-ban történt változtatások a nagyobb biztonság érdekében
- Javított hardver támogatás - számos új architektúra támogatása (OpenBSD/amd64, OpenBSD/cats, OpenBSD/mvme88k), és még több új és javított driver
- Fejlesztések a pf-ben (packet filter): az OpenBSD csomagszűrője, a pf is jelentős javításokon ment keresztül (30%-kal kevesebb bejegyzés az állapot-táblában, forrás követés, jelentős javítások a kezelő felületben, stb.)
- Magas rendelkezésre-állás: A HA funkciók biztosítására két új eszköz jelent meg. Az egyik a CARP, a másik pedig a pfsync
- Teljesítmény javítások: az OpenBSD 3.5-ben jelentős javítások történtek az operációs rendszer sebességét növelendő. 100x gyorsabb socket/kapcsolat lookup 10000 socket esetén, mint a 3.4-ben, TCP SYN cache, OpenSSL gyorsítások i386-on (akár 100% gyorsulás), stb.
- Egyebek: megszűnt i386-on a 8GB-os bootolási limitáció, lecserélésre kerültek a GNU bc(1), dc(1), nm(1) és size(1) parancsok a BSD licencű megfelelőikre, stb.
Felsorolni is nehéz lenne az újdonságok listáját, úgyhogy olvassuk el inkább Todd C Miller levelét a részletes tudnivalókért:List: openbsd-announce
Subject: OpenBSD 3.5 released!
From: "Todd C. Miller"
Date: 2004-04-30 23:05:55
Message-ID:
[Download message RAW]
------------------OpenBSD 3.5 RELEASED-------------------------
May 1, 2004.
We are pleased to announce the official release of OpenBSD 3.5.
This is our 15th release on CD-ROM (and 16th via FTP). We remain
proud of OpenBSD's record of eight years with only a single remote
hole in the default install. As in our previous releases, 3.5
provides significant improvements, including new features, in nearly
all areas of the system:
- Ever-improving security (http://www.OpenBSD.org/security.html)
o New ptm device (see pty(4)) that allows non-privileged processes to
allocate a properly-permissioned pty. As a result any process can
now open a pty easily, meaning xterm(1) and xconsole(1) are no longer
setuid root. (In 3.4 they were setuid root, but privilege revoking).
o malloc(3) chunk randomization and guard pages. This helps to detect
out-of-bounds reads and writes.
o Privilege separation added to allow complex operations to occur in an
untrusted, unprivileged process, resulting in much greater security
for the following processes:
- isakmpd(8)
- named(8) (Previously privilege revoking, but this had a small breakage).
- pflogd(8)
- tcpdump(8)
o Many improvements and bug fixes in the ProPolice stack protector.
Several other code generation bugs for RISC architectures were also
found and fixed.
- Improved hardware support (http://www.OpenBSD.org/plat.html)
o New hardware platforms:
- OpenBSD/amd64
Supporting the AMD64 architecture natively, with full 64-bit support,
8 extra registers in the architecture to significantly increase
performance, and a memory management Non-Executable bit that permits
full W^X support.
- OpenBSD/cats
Our first entry in the ARM-cpu landscape. We intend to use this as a
development platform for something else we plan for the future...
- OpenBSD/mvme88k
Supporting an older, but very cool cpu architecture, perhaps the most
pure RISC cpu ever.
o The hppa architecture gets support for many PCI based machines with the
addition of dino(4) GSC-PCI bridge.
o New oosiop(4) driver for NCR 53C700 SCSI host adapters.
o Major improvements to ahc(4), bringing support for many new models.
o New bce(4) driver, supporting the Broadcom BCM4401 FastEthernet chipset.
o New mpt(4) driver for LSI Fusion-MPT SCSI and FibreChannel host adapters.
o New snapper(4) audio driver for recent iBook (since May 02) and PowerBook
(since Apr 02) models.
o Improved stability of the wi(4) driver as well as support for
USB-based adapters and software WEP.
o wi(4) in HostAP mode now supports SSID hiding in newer prism firmware
revisions.
o Fixed several firmware incompatibility issues in an(4).
o Improved ATA and SATA support.
o Support for i835 AGP GART in vga(4).
o Improved Gigabit Ethernet support for em(4), sk(4) & bge(4).
o Several fixes for apm(4).
o Support for Intel 852/855/865 AGP chipsets.
o SCSI(4) improvements:
- Bus probe made faster by skipping non-existent LUNs.
- Bus probe made saner by elimination of spurious commands.
- Bus probe made safer by having INQUIRY commands ask only for
available data.
- Eliminated a race that, e.g., caused problems burning CDs at high speeds.
- SCSIDEBUG output can now be restricted to specified buses.
- ASC/ASCQ diagnostic messages updated to SCSI-3 standards.
- Better error handling.
o Many more USB Flash and other umass(4) devices work as a result of
SCSI improvements.
o hw.setperf sysctl allows controlling the speed of many new i386 cpus,
great for prolonged battery life..
- Major improvements in the pf packet filter, including:
o Atomic commits of ruleset changes (reduce the chance of ending up in
in an inconsistent state).
o A 30% reduction in the size of state table entries.
o Source-tracking (limit number of clients and states per client).
o Sticky-address (the flexibility of round-robin with the benefits
of source-hash).
o Invert the socket match order when redirecting to localhost (prevents
the potential security problem of remote connections being identified
as local).
o Significant improvements to interface handling.
- New tools for filtering gateway failover:
o CARP (the Common Address Redundancy Protocol) carp(4) allows
multiple machines to share responsibility for a given IP address
or addresses. If the owner of the address fails, another member
of the group will take over for it. A discussion of the history
of CARP can be found here.
o Additions to the pfsync(4) interface allow it to synchronise
state table entries between two or more firewalls which are
operating in parallel, allowing stateful connections to cross
any of the firewalls regardless of where the state was initially
created.
- Performance improvements:
o Improved connection/socket lookup - about 100 times faster at
10000 sockets than 3.4.
o TCP SYN cache. Greatly reduces the memory cost of half-open TCP connections.
o Implemented TCP adjustments recommended by RFC3390, controllable via sysctl.
o OpenSSL speedup on i386, up to 100% improvement for md5, sha1,
blowfish, des, 3des, rsa, dsa and bn.
o OpenSSL now directly uses the new AES instructions some VIA C3
processors provide, increasing AES to 780MBytes/second (so you get to
see a fan-less cpu performing AES more than 10x faster than the
fastest cpu currently sold).
o Directory hashing makes lookups in large directories much faster.
- New features and significant bug-fixes included with 3.5
o Replacement of the GNU bc(1), dc(1), nm(1) and size(1) commands
with BSD licensed equivalents.
o pty(4) devices are now allocated on demand, up to a configurable limit.
o The closefrom(2) system call has been added.
o TCP MD5 signatures (used by nc(1) and bgpd(8)).
o Network boot support for i386 and amd64, using pxeboot(8).
o The i386 8GB boot loader limitation has been removed.
o spamd(8) gains greylisting support. This allows greylisting (a very
powerful spam reduction technique) to be done on a firewall for many
mail hosts, no matter what MTA is being used.
o Interface 'cloning', accessed by ifconfig(8) commands create and destroy.
E.g. `ifconfig vlan100 create'.
o ifconfig(8) can now be used with a generic interface name, for listing
all such configured interfaces. E.g. `ifconfig carp'.
o The MAKEDEV(8) manual pages are now generated, and hence, accurate.
o Complete rewrite of package tools in perl.
o syslogd(8) now supports logging to memory buffers, to be read using
syslogc(8). This is useful for diskless or flash-based computers.
o IPsec ESP in UDP encapsulation.
o authpf(8) now tags traffic in pflog(4) so that users may be associated
with traffic through a NAT setup.
o XFS has been added to the GENERIC kernels so that afsd(8) may be started
easily, eliminating the need to recompile the kernel to use AFS.
o AFS can now be used anonymously by enabling it in rc.conf(8) with no
further configuration.
o The ps, top and w utilities no longer break when changes are made in
kernel structures.
o A poll interface has been added to the rpc routines in the standard C
library. Use of poll over select can result in better performance for
programs with a large number of open file descriptors.
o dhclient(8) now detects when the interface it configured is modified and
gracefully exits. e.g. repeatedly running it against the same
interface leaves only the last instance active.
o New tools:
- sensorsd(8), monitoring hardware sensors.
- procmap(1), to examine a process' memory map.
- bgpd(8), implementing the BGP-4 routing protocol.
- pkill(1) and pgrep(1), finding or signalling processes by name.
o OpenSSH 3.8.1.
o Many, many man page improvements.
- The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)
o The 3.5 CD-ROMs ship with many pre-built packages for the common
architectures. The FTP site contains hundreds more packages
(for the important architectures) which we could not fit onto
the CD-ROMs (or which had prohibitive licenses).
- The system includes the following major components from outside suppliers:
o XFree86 4.pre4.0 (+ patches).
o gcc 2.95.3 (+ patches and ProPolice)
gcc 3.3.2 (+ patches and ProPolice) on sparc64, amd64, and cats
o Perl 5.8.2 (+ patches).
o Apache 1.3.29 and mod_ssl 2.8.16, DSO support (+ patches).
o OpenSSL 0.9.7c (+ patches).
o Groff 1.15.
o Sendmail 8.12.11.
o Bind 9.2.3 (+ patches).
o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
o Sudo 1.6.7p5.
o Ncurses 5.2.
o Latest KAME IPv6.
o Heimdal 0.6rc1 (+ patches).
o Arla-current.
If you'd like to see a list of what has changed between OpenBSD 3.4
and 3.5, look at
http://www.OpenBSD.org/plus35.html
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
--------------------- SECURITY AND ERRATA ----------------------
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.5 FTP/CD-ROM binaries and the actual 3.5
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to
http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html
Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:
http://www.OpenBSD.org/mail.html
------------------------- CD-ROM SALES ----------------------------
OpenBSD 3.5 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track, combining
the "CARP License" skit and a song entitled "Redundancy must be free".
Lyrics for the song may be found at:
http://www.OpenBSD.org/lyrics.html#35
Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 3.5 CD-ROMs are bootable on the following five platforms:
o i386
o amd64
o macppc
o sparc
o sparc64 (UltraSPARC)
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
http://www.OpenBSD.org/orders.html
The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:
https://https.OpenBSD.org/cgi-bin/order
or, for European orders:
https://https.OpenBSD.org/cgi-bin/order.eu
All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are highly
appreciated, as described in more detail at:
http://www.OpenBSD.org/goals.html#funding
---------------------------- T-SHIRT SALES -------------------------
The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:
https://https.OpenBSD.org/cgi-bin/order
and for Europe:
https://https.OpenBSD.org/cgi-bin/order.eu
The OpenBSD 3.5 t-shirts are available now. We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.
------------------------ FTP INSTALLS -------------------------------
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.
1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:
http://www.OpenBSD.org/ftp.html
ftp://ftp.OpenBSD.org/pub/OpenBSD/3.5/ftplist
As of May 1, 2004, the following ftp sites have the 3.5 release:
ftp://ftp.ca.openbsd.org/pub/OpenBSD/3.5/ Alberta, Canada
(above is master site, please USE A MIRROR below)
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.5/ Boulder, CO, USA
ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.5/ Redwood City, CA, USA
ftp://ftp7.usa.openbsd.org/pub/os/OpenBSD/3.5/ West Lafayette, IN, USA
ftp://openbsd.wiretapped.net/pub/OpenBSD/3.5/ Sydney, Australia
ftp://ftp.kd85.com/pub/OpenBSD/3.5/ Lovendegem, Belgium
ftp://ftp.calyx.nl/pub/OpenBSD/3.5/ Amsterdam, Netherlands
ftp://ftp.se.openbsd.org/pub/OpenBSD/3.5/ Stockholm, Sweden
ftp://ftp.linux.org.tr/pub/OpenBSD/3.5/ Turkey
Other mirrors will take a day or two to update.
2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.5/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT XF4.tar.gz i386/ root.mail
Changelogs/ alpha/ mac68k/ sparc/
HARDWARE amd64/ macppc/ sparc64/
PACKAGES cats/ mvme68k/ src.tar.gz
PORTS ftplist mvme88k/ sys.tar.gz
README hp300/ packages/ tools/
SIZES hppa/ ports.tar.gz vax/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:
CKSUM bsd.rd* floppyB35.fs pxeboot*
INSTALL.i386 cd35.iso floppyC35.fs xbase35.tgz
INSTALL.linux cdrom35.fs game35.tgz xfont35.tgz
MD5 comp35.tgz index.txt xserv35.tgz
base35.tgz etc35.tgz man35.tgz xshare35.tgz
bsd* floppy35.fs misc35.tgz
If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or cd35.iso file. Consult the
INSTALL.i386 file if you don't know which of the floppy images
you need (or simply fetch all of them).
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
http://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 3.5 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/3.5/tools
directory to do so.
---------------- XFree86 FOR MOST ARCHITECTURES ------------
XFree86 has been integrated more closely into the system. This
release contains XFree86 4.pre4.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During installation,
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.
On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.pre4.0 or where XFree86 4.3.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.
------------------------ PORTS TREE -----------------------------
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.5 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.
Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
--------------- BINARY PACKAGES WE PROVIDE -----------------
A large number of binary packages are provided. Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.5/PACKAGES) for more details.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.5/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.5/ directory:
XF4.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
----------------------- THANKS --------------------------------
OpenBSD 3.5 includes artwork and CD artistic layout by Ty Semaka,
who also arranged an audio track on the OpenBSD 3.5 CD set. Ports tree
and package building by Peter Valchev, Nikolay Sturm and Christian
Weisgerber. System builds by Theo de Raadt, Henning Brauer, and Miod
Vallat. ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.5 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.
Our developers are:
Aaron Campbell, Alexander Yurchenko, Andreas Gunnarsson,
Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad Smith, Brandon Creighton,
Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar,
Can Erkin Acar, Cedric Berger, Chad Loder, Chris Cappuccio,
Christian Weisgerber, Claudio Jeker, Constantine Sapuntzakis, Dale Rahn,
Damien Couderc, Damien Miller, Dan Harnett, Daniel Hartmeier,
Darren Tucker, David B Terrell, David Krause, David Lebel,
David Leonard, Dug Song, Eric Jackson, Federico G. Schwindt,
Grigoriy Orlov, Hakan Olsson, Hans Insulander, Hans-Joerg Hoexer,
Heikki Korpela, Henning Brauer, Henric Jungheim, Hiroaki Etoh,
Horacio Menezo Ganau, Hugh Graham, Ian Darwin, Jakob Schlyter,
Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason Peel, Jason Wright,
Jean-Baptiste Marchand, Jean-Francois Brousseau,
Jean-Jacques Bernard-Gundol, Jim Rees, Jolan Luff, Jose Nazario,
Joshua Stein, Jun-ichiro itojun Hagino, Kenjiro Cho,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
Louis Bertrand, Magnus Holmberg, Marc Espie, Marc Matteo,
Marco Peereboom, Marco Pfatschbacher, Marco S Hyman, Marcus Watts,
Margarida Sequeira, Mark Grimes, Mark Kettenis, Markus Friedl,
Mats O Jansson, Matt Behrens, Matt Smart, Matthew Jacob, Matthieu Herrb,
Michael Shalayeff, Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin,
Miod Vallat, Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,
Nikolay Sturm, Nils Nordman, Oleg Safiullin, Otto Moerbeek, Paul Janzen,
Peter Galbavy, Peter Stromberg, Peter Valchev, Philipp Buehler,
Reinhard J. Sammer, Rich Cannings, Ryan Thomas McBride, Saad Kadhi,
Shell Hin-lik Hung, Steve Murphree, Ted Unangst, Theo de Raadt,
Thierry Deval, Thomas Nordin, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Tom Cosgrove, Vincent Labrecque,
Wilbern Cobb, Wim Vandeputte, Xavier Santolaria.