- OpenBSD 7.4 RELEASED -------------------------------------------------

October 16, 2023.

We are pleased to announce the official release of OpenBSD 7.4.
This is our 55th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.4 provides significant improvements,
including new features, in nearly all areas of the system:

 - Various kernel improvements:
    o On arm64, show BTI and SBSS features in dmesg(8).
    o New kqueue1(2) system call supporting the O_CLOEXEC flag.
    o Map device tree read/write to unbreak root on softraid(4).
    o Correctly recognize umass(4) floppy disk devices as floppy disks.
    o In wscons(4), catch up with box drawing characters which have been
      standardized in unicode after the original wscons code was written
      and chose placeholder values.
    o In wscons(4), make sure we do not increase the escape sequence
      argument count beyond usable bounds.
    o Implement dt(4) utrace(2) support on amd64 and i386.
    o Correct undefined behavior when using MS-DOS filesystems, fixes
      imported from FreeBSD.
    o Make the softdep mount(8) option a no-op. Softdep was a
      significant impediment to improving the vfs layer.
    o Allow unveil(2)ed programs to dump core(5) into the current
      working directory.
    o Address incomplete validation of ELF program headers in execve(2).
    o On arm64, use the deep idle state available on Apple M1/M2 cores
      in the idle loop and for suspend, resulting in power savings.
    o Update AMD CPU microcode if a newer patch is available.
    o Enable a workaround for the 'Zenbleed' AMD CPU bug.
    o Report speculation control bits in dmesg(8) CPU lines.
    o To give the primary CPU an opportunity to perform clock interrupt
      preparation in a machine-independent manner we need to separate
      the "initialization" parts of cpu_initclocks() from the "start the
      clock interrupt" parts. Separate cpu_initclocks() from
    o Fix a problem where CPU time accounting and RLIMIT_CPU was
      unreliable on idle systems.
    o Improve the output of the "show proc" command of the kernel
      debugger ddb(4) and show both the PID and TID of the proc.

 - SMP Improvements
    o Rewrite pfsync(4), in particular to improve locking and to help
      with unlocking more of pf(4) and with parallelisation of the
      network stack in the future. The protocol remains compatible with
      the older version.
    o Remove kernel locks from the ARP input path.
    o Pull MP-safe arprequest() out of kernel lock.
    o Remove the kernel lock from IPv6 neighbor discovery.
    o Unlock more parts of ioctl(2) and the routing code in the network

 - Direct Rendering Manager and graphics drivers
    o Update drm(4) to Linux 6.1.55.
    o Don't change end marker in sg_set_page(). Caused bad memory
      accesses when using page flipping on Alder Lake and Raptor Lake.

 - VMM/VMD improvements
    o Allowed vmm(4) guests to enable and use supervisor IBT.
    o Suppressed AMD hardware p-state visibility to vmm(4) guests.
    o Avoid use of uninitialised memory in vmd(8).
    o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object
      to be transmitted over an ipc channel.
    o Cleaned up file descriptor closing in vmd(8) vmm process.
    o Fixed vm send/receive, restoring device virtqueue addresses on
    o Introduced execvp(3) after fork for child vm processes.
    o No longer generate an error in vmd(8) if vm.conf(5) is absent.
    o Split vmm(4) into MI/MD parts.
    o Introduced multi-process model for vmd(8) virtio block and network
    o Allowed vm owners to override boot kernel when using vmctl(8) to
      start a vm.
    o Changed staggered start of vms to number of online CPUs.
    o Fixed a segfault on vm creation.
    o Switched to anonymous shared memory mappings for vmd(8) vm
      processes, introducing a new vmm(4) ioctl(2).
    o Relaxed absolute path requirements for vmd(8) configtest mode
    o Adjusted shutdown logic by vm id to function similarly as by name.
    o Moved validation of local network prefixes for the internal vmd(8)
      DHCP service into the config parser.
    o Fixed QCOW2 base images when used with the vmd(8) multi-process
      device model.
    o Fixed setting verbose logging in child processes.
    o Fixed a race condition related to the emulated i8259 interrupt
      controller by ignoring interrupt masks on assert.
    o Inlined pending interrupts in the vmm(4) ioctl(2) for running the
      vcpu, reducing vm latency.
    o Added zero-copy, vectored io to the vmd(8) virtio block device.
    o Changed to logging vmd(8) vm ids in the vcpu run loop on error and
      not the ids used by vmm(4).
    o Fixed a vm pause deadlock.
    o Changed vmd(8) logging format to disambiguate vm and device
      process by names and indices.
    o Fixed dynamically toggling verbose logging mode with vmctl(8).

 - Various new userland features:
    o New ISO C11 header <uchar.h> declaring the types char32_t and
      char16_t and the functions c32rtomb(3), mbrtoc32(3), c16rtomb(3),
      and mbrtoc16(3).
    o Introduce a new malloc(3) option D for memory leak detection with
      ktrace(1) and kdump(1).
    o Support ${.VARIABLES} in make(1), listing the names of all global
      variables that have been set.
    o New kdump(1) -u option to select utrace(2) tracepoints by label.
    o In openrsync(1), support the options --size-only and
    o Update zoneinfo to tzdata2023c.
    o Accept the ucom(4) fixed name format as a valid format for the
      cu(1) -l option.
    o In cron(8) and crontab(5), add support for random offsets when
      using ranges with a step value in cron. This extends the random
      range syntax to support step values. Instead of choosing a random
      number between the high and low values, the field is treated as a
      range with a random offset less than the step value. This can be
      used to avoid thundering herd problems where multiple machines
      contact a server all at the same time via cron jobs.
    o Extend and improve the ibuf API in libutil and add functions for
      more specific data types, for modifying data at specific offsets,
      for getting and setting the file descriptor stored on the ibuf and
      for efficient wrapping of ibufs into imsgs. The ibuf API is mostly
      used in network daemons.
    o In wsconsctl(8), add button mappings for two- and three-finger
      clicks on clickpads.

 - Various bugfixes and tweaks in userland:
    o In pax(1) and tar(1), do not open files that will be skipped,
      speeding up archive creation when many files are skipped.
    o In pax(1), tar(1), and cpio(1) terminal output, escape
      non-printable characters in messages that may include file names,
      and truncate times to the correct maximum value.
    o Better diagnostics from make(1) when a makefile exists but cannot
      be opened.
    o Prevent a buffer underflow in patch(1) that could occur with lines
      longer than 32kB.
    o Prevent a segmentation fault in patch(1) that occurred when a
      patch specified a file name so long that basename(3) failed.
    o Prevent a read buffer overrun in patch(1) that could occur when a
      patch specified a file name ending in a slash.
    o Let stat(1) correctly print mtimes after 2038.
    o Refactoring and documenting of fdisk(8) code, to make it easier to
    o fdisk(8) no longer adds extra blanks at the end of lines,
      eliminating spurious line wrapping.
    o In clang(1), allow out-of-class defaulting of comparison
      operators, by ways of backporting an upstream commit.
    o Many changes in mg(1):
       - New command set-tab-width to change the tabulator width on a
         per-buffer basis.
       - Let the space-to-tabstop command move to the right position
         even if the line contains tabs, control characters, or
         non-ASCII bytes.
       - Fall back to /bin/sh if $SHELL is undefined.
       - Fix parsing of tag files with duplicate entries. Instead of
         erroring out, ignore duplicates. Fixes using
         /var/db/libc.tags again.
       - Change the visit-tags-table command to immediately load the
         tag file, and drop the lazy mechanics.
       - Do not leak memory in pop-tag-mark if it fails to switch
       - Fix a read buffer overrun caused by -u arguments longer than
         1023 bytes.
       - Fix a write buffer overrun on the stack caused by
         blink-and-insert matching a very long line that is not
         currently visible in the window.
       - Skip checking permissions of conffile with access(2).
       - Resurrect no-tab-mode and add it to the list of modes that
         can be set with set-default-mode.
    o Fix a segfault when the disklabel(8) simple editor encounters an
      incomplete partition line.
    o Fix disklabel(8) handling of templates with partitions after a
      "N-* 100" entry.
    o Enable disklabel(8) regress tests to work on sparc64.
    o Fix fdisk(8) initialization of CHS/LBA fields in an MBR, allowing
      machines with a BIOS that uses CHS to boot from disks >8G.
    o Retire disklabel(8) -E expert mode.
    o When displaying GPT partition attributes fdisk(8) prefixes
      Microsoft partition attribute names with 'MS'.
    o In the absence of the 'disktype' command line parameter
      disklabel(8) always uses the current media type provided by the
    o Ensure fdisk(8) handles the case where a GPT partition name is not
      a valid C string.
    o When creating new crypto volumes with bioctl(8), by default use a
      hardware based number of KDF rounds for passphrases.
    o Let bioctl(8) gracefully prompt again during interactive creation
      and passphrase change on CRYPTO and 1C volumes.
    o Let bioctl(8) read passphrases without prompts or confirmation in
      -s mode, allowing non-interactive use.
    o Allow the atactl(8) command readattr to succeed even for disks
      where ATA_SMART_READ and ATA_SMART_THRESHOLD revisions mismatch,
      as long as checksums are OK.
    o In ld.so(1), treat symlinks in $ORIGIN determination the same way
      as other OS linkers do.
    o In ld.so(1), avoid an overflow in the ELF SYSV ABI hash function.
    o Make sure modf(3) and modff(3) return correct values for
    o Do not fail in ober_scanf_elements(3) when encountering empty
    o Remove broken special handling of test -t in ksh(1).
    o The caching mechanism used by pkg_add(1) to speed up pkg_add -u
      now also works if -stable packages are available.
    o Significantly increase the speed of pkg-config(1).
    o In seq(1), fix a check for rounding error and truncation.
    o In cron(8), introduce upstream fixes in the handling of @yearly,
      @monthly, @weekly, @daily and @hourly entries.
    o Fix a bug in cron(8) where whitespace after usernames would not be
      completely skipped while parsing the crontab(5) file.
    o Make rcctl(8) check if a daemon exists before trying to disable
      it, thereby avoiding parsing and printing of bogus characters.
    o Print to the console the fingerprint of a newly generated ssh(1)
      host key of the preferred type (currently ED25519), typically when
      booting for the first time. This simplifies a secure first ssh
      connection to a freshly installed machine.

 - Improved hardware support and driver bugfixes, including:
    o Add rkiovd(4), a driver for the I/O voltage domains on Rockchip
    o Add support for TEMPerGold 3.4 temperature sensor to ugold(4).
    o Add qcrng(4), a driver for the Qualcomm RNG device found on the
      ThinkPad X13s.
    o Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
    o Support AP806/CP110 SoCs in mvtemp(4).
    o Add dwmshc(4) to support Designware Mobile Storage Host
      Controllers found on rk356x and rk3588 SoCs.
    o Add iosf(4), a driver for the Intel OnChip System Fabric.
    o Add support for the RTL8153D chipset in ure(4).
    o Add support for the Peripheral Authentication Service SMC
      interface in qcscm(4).
    o Add qcmtx(4), a driver for the hardware spinlock on Qualcomm SoCs
      that is used to synchronize access to the shared memory table.
    o Add qcsmptp(4), a driver to share 32-bit values between
    o Add qcaoss(4), a driver for the Always On Subsystem found on
      Qualcomm SoCs.
    o Add qcpas(4), a driver for the Peripheral Authentication Service
      found on Qualcomm SoCs. Enable AC detection.
    o Add qctsens(4), a driver for the Temperature Sensor found on
      Qualcomm SoCs.
    o Add driver qccpu(4) for QC CPU Power States.
    o Add qcsdam(4), a driver for the PMIC Shared Direct Access Memory
      found on Qualcomm SoCs.
    o Add stfrng(4), a driver for the random number generator on the
      StarFive JH7110 SoC.
    o Add support for the PCIe controller on the JH7110 SoC with
    o New sysctl(2) nodes for battery management, hw.battery.charge*.
      Support them with acpithinkpad(4) and aplsmc(4).
    o Define fixed names for ucom(4) USB serial ports, display them in
      attach messages and via the new hw.ucomnames sysctl(2).
    o Add support for the RK3568 32k RTC, RK3588, and other clocks in
    o In dwpcie(4), attach Baikal-M PCIe.
    o In openfirmware, implement regulator notifiers which get called
      when the voltage/current for a regulator is changed or when the
      regulator gets initialized when it attaches for the first time.
      The latter makes it possible to register a notifier for a
      regulator that hasn't attached yet.
    o Ignore duplicate ACPI lid transitions as they can happen on Dell
      Precision 5510 systems.
    o Make RK3568 PCIe controllers run at the maximum possible speed by
      using dwpcie_link_config() when initializing.
    o In the Universal Flash Storage Host Controller Interface
      (ufshci(4)), enable Force Unit Access (FUA) for write commands.
    o Make SATA (ahci(4)) work on a Banana Pi BPI-R2 Pro.
    o In umcs(4), set parity bits correctly.
    o Enable the caps lock LED on modern Apple laptop keyboards.
    o Add support for Rockchip "cryptov2-rng" random number generator in
    o Fix cpuperf on the Apple M2 Pro/Max.
    o Add support for the PCIe controller found on Apple M2 Pro/Max
    o Add support for enabling both the USB2 and USB3 PHYs in xhci(4)
      with device tree.
    o In the SCSI tape driver st(4), add support for I/O statistics so
      that tape speeds can be observed with iostat(8).
    o Fix use of MMC/SD/SDIO on RK3588 ARM SoC in dwmmc(4).
    o Support thermal sensors on Ryzen 9 79xx in ksmn(4).
    o Add support for JH7110 to dwmmc(4), making eMMC and microSD mostly
      work on the Starfive VisionFive 2.
    o Add support for the RK3588 PCIe3 PHY to rkpciephy(4). The PHY
      controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
    o Add mute control to sncodec(4). This makes the mute button work on
      laptops using this driver.
    o Add mute control to tascodec(4). This makes the mute button on
      laptops that use tascodec(4) work.
    o Improve the suspend/resume behavior of several drivers, reducing
      power consumption during suspend.
    o Add support for the Synopsys DesignWare I2C controller (dwiic(4))
      and the X-Powers AXP Power Management IC (axppmic(4)).
    o Enable the mbg(4) timedelta sensor on amd64 and match the Meinberg

 - New or improved network hardware support:
    o Fix dwqe(4) on several boards that use rgephy(4) by configuring
      the RGMII interface before taking the PHY out of reset.
    o Improve dwqe(4) and determine PHY mode and pass the appropriate
      flags down to the PHY when attaching.
    o Report in dmesg(8) on which gmac the dwqe(4) driver is attaching
    o Document that Intel i226 adapters are supported by igc(4).
    o Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb
      Ethernet devices. Also support it on amd64 install media.
    o Add support for the RTL8211F-VD PHY in rgephy(4).
    o In openfirmware, add glue for network interfaces to be found by
      fdt/ofw node or phandle in order to support "switch chips" like
      the marvell link street.
    o Add support for RTL8153D devices to ure(4).
    o Provide byte and packet counter statistics in some dwge(4)
    o On bge(4), make hardware counters available via kstats for BCM5705
      and newer controller chips.
    o Make several improvements to vmx(4), the VMware VMXNET3 Virtual
      Interface Controller.
    o In em(4), stop putting multicast addresses into the Receive
      Address Registers. Instead hash them all into the Multicast Table
    o Support Mellanox ConnectX-6 Lx in mcx(4).
    o In mcx(4), add 100GB LR4 Ethernet capability and map it to
    o Add initial support for Atlantic 2 hardware in aq(4).

 - Added or improved wireless network drivers:
    o Improve how Quectel LTE&5G devices attach to umb(4).

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Add support for RTL8188FTV devices to the urtwn(4) driver.
    o Attach Intel wireless devices with PCI product ID 0x51f1 to
    o Fix a bug where iwm(4) and iwx(4) background scan tasks were added
      to the wrong task queue.
    o Fix a firmware error that occurred when an iwx(4) interface was
      brought down.
    o Fix iwx(4) firmware errors triggered during background scans.
    o Fix a crash in the iwm(4) driver when userland attempts to inject
      frames via bpf in monitor mode.

 - Installer, upgrade and bootloader improvements:
    o In the arm64 ramdisk, simplify apple firmware copying to make it
      easier to add new firmware.
    o On armv7 and arm64, silence informational messages from dd(1) when
      zeroing a disk's first 1MB. Use character not block devices with
      dd(1) like on other architectures.
    o Refactor the code of md_installboot() on armv7 and arm64 to be
      more in line with other architectures.
    o Improve the dialogue of the installer without affecting
      autoinstall(8) files.
    o Enable ufshci(4) on arm64 install media.
    o On arm64 pine64 boards, stop writing pine64 firmware to disk.
    o When media has neither a GPT nor an MBR installboot(8), assume
      OpenBSD occupies the entire disk starting at sector 0.
    o Attempt to not overflow the ramdisk when extracting firmware on
      Apple arm64 systems.
    o Add support for loading files from the EFI System Partition.
    o Fix a bug in the handling of SCSI drives in the bootloader on the
      luna88k architecture.
    o On luna88k, implement the chmod() signaling mechanism for
      /bsd.upgrade to prevent re-upgrade, like other architectures.
    o Support for softraid(4) disks in the installer was improved:
       - Make root on softraid(4) installations boot out of the box on
         Raspberry Pis (arm64).
       - Support installations with root on softraid(4) on arm64,
         tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
       - On riscv64, enable softraid(4) in the ramdisk kernel and
         support installations with root on softraid(4)
       - When installing on encrypted softraid(4), determine the disk
         for placing the root device automatically and make it default
         as it is the only legit choice.
       - Add arm64 to the list of architectures with support for
         guided disk encryption.
       - Retain existing EFI System partitions on systems with APFSISC
         partitions (arm64 Apple M1/M2) during installation with root
         on softraid(4).
       - Enable softraid(4) in ramdisk on the powerpc64 architecture.

 - Security improvements:
    o Enable indirect branch tracking (IBT) on amd64 and branch target
      identification (BTI) on arm64 in both the kernel and in userland.
      On hardware that supports this feature, it helps enforcing control
      flow integrity by making sure malicious code cannot jump into the
      middle of a function.
    o On the arm64 architecture, enable pointer authentication (PAC) in
      userland on those machines where it works correctly. It helps
      enforcing control flow integrity by making sure malicious code
      cannot manipulate a function's return address.
    o Together with retguard these two features protect against ROP
      attacks. Compiler defaults for base clang, ports clang and ports
      gcc (as well as some other non-C language family compilers in
      ports) have been changed to enable these features by default. As a
      result the vast majority of programs on OpenBSD (and all programs
      in the base system) run with these security features enabled.
    o Change malloc(3) chunk sizes to be fine grained: chunk sizes are
      closer to the requested allocation size.
    o In malloc(3), check all chunks in the delayed free list for
    o The shutdown(8) program can now only be executed by members of the
      new _shutdown group. The idea is that system administrators can
      now remove most users from the excessively powerful operator
      group, which in particular provides read access to disk device
    o Using unveil(2), restrict patch(1) filesystem access to the
      current directory including subdirectories, TMPDIR, and file names
      given on the command line.
    o In ksh(1), consistently escape control characters when displaying
      file name completions, even when there are multiple matches.

 - Changes in the network stack:
    o Sync the use of getuptime(9) in the Neighbour Discovery (ND) code
      with ARP.
    o In the IPv6 forwarding code, call getuptime(9) once for
      consistency with IPv4.
    o ARP has a queue of packets that should be sent after name
      resolution. Neighbor discovery (ND6) did only hold a single
      packet. Unified the code, added a queue to ND6 and made the code
      MP safe.
    o Implement a new sysctl(2) net.inet6.icmp6.nd6_queued to show the
      number of packets waiting for an ND6 response, analogous to ARP.
    o When configuring a new IPv6 address on an interface, an upstream
      router doesn't know where to send traffic. Send an unsolicited
      neighbor advertisement, as described in RFC9131, to the
      all-routers multicast address so all routers on the same link will
      learn the path back to the address.
    o Implement the inbound portion of RFC9131. Let routers create new
      neighbor cache entries when receiving valid neighbor
    o Initial support for TCP segmentation offload (TSO) and TCP large
      receive offload (LRO) was implemented:
       - If the driver of a network interface supports TSO, do not
         chop the packet in the network stack, but pass it down to the
         interface layer for TSO.
       - Provide a software TSO implementation, to be used as a
         fallback if network hardware does not support TSO.
       - Provide a new sysctl(2) node net.inet.tcp.tso such that TSO
         can be globally disabled. By default, it is enabled on all
         interfaces supporting it.
       - In ifconfig(8), display separate hwfeatures for TSOv4, TSOv6,
         and LRO and provide a -tcplro parameter to disable LRO on a
         per-interface basis.
       - Enable TSO and forwarding of LRO packets via TSO in ix(4).
       - In ix(4), allocate less memory for tx buffers.
       - Speed up TCP transfer on lo(4) interfaces by using TSO and
       - Enable LRO per default in network drivers. LRO allows to
         receive aggregated packets larger than the MTU. Receiving TCP
         streams becomes much faster. Currently only ix(4) and lo(4)
         devices support LRO, and ix(4) is limited to IPv4 and
         hardware newer than the old 82598 model.
    o The following changes were made to the pf(4) firewall:
       - Speed up the ioctl(2) request DIOCGETRULE such that pfctl(8)
         can retrieve all pf(4) rules from the kernel in linear rather
         than in quadratic time. To protect the kernel from memory
         exhaustion, userland processes now have to release tickets
         obtained with DIOCGETRULES by issuing the new ioctl(2)
         request DIOCXEND. In particular, snmpd(8) and systat(1) now
         do that.
       - Relax the implementation of the pass all rule so all forms of
         neighbor advertisements are allowed in either direction.
       - When redirecting locally generated IP packets to userland
         with divert-packet rules, the packets may have no checksum
         due to hardware offloading. Calculate the checksum in that
       - Fix a bug where nat-to could fail to insert a state due to
         conflict on chosen source port number.
       - No longer ignore keep state and nat-to actions for
         unsolicited ICMP error responses. Tighten the rule matching
         logic so ICMP error responses no longer match keep state
         rule. In typical scenarios, ICMP errors (if solicited) should
         match existing state. The change is going to bite firewalls
         which deal with asymmetric routes. In those cases the keep
         state action should be relaxed to sloppy or new no state rule
         to explicitly match ICMP errors should be added.
    o Do not calculate IP, TCP, and UDP checksums on lo(4) interfaces.
    o Convert the tcp_now() time counter to 64 bits to avoid 32 bits
      wrap around after changing tcp_now() ticks to milliseconds.
    o Add initial support for route-based IPsec VPNs.
      Rather than use IPsec flows (aka, entries in the IPsec security
      policy database) to decide which traffic should be encapsulated in
      IPsec and sent to a peer, this changes security associations (SAs)
      so they can also refer to a tunnel interface. When traffic is
      routed over that tunnel interface, an IPsec SA is looked up and
      used to encapsulate traffic before being sent to the peer on the
      SA. When traffic is received from a peer using an interface SA,
      the specified interface is looked up and the packet is handed to
      it so it looks like packets come out of the tunnel.
    o Add sec(4) to support route-based IPsec VPNs.
    o Introduce reference counting for TCP syn cache entries.
    o Have wg(4) copy the priority from the inner packet to the outer
      encrypted packet, so that higher priority packets are picked from
      hfsc queues for earlier transmission.

 - Routing daemons and other userland network improvements:
    o IPsec support was improved:
       - In iked(8), support route-based sec(4) tunnels.
       - In iked(8), add support to verify X.509 chain from CERT
       - In iked(8), do not leak memory when receiving a CERT payload
         for pubkey auth or for an invalid CERT Encoding.
       - In iked(8), do not leak a file descriptor if
         open_memstream(3) fails while trying to enable a child SA.
       - While trying to verify an ECDSA signature in iked(8),
         correctly detect failure of DER encoding with
       - In ipsecctl(8), support route-based IPsec VPN negotiation
         with sec(4).
       - In isakmpd(8), support configuring interface SAs for
         route-based IPsec VPNs.
       - In isakmpd(8) quick mode, do not crash with a NULL pointer
         access when a group description is specified but it is
         invalid, unsupported, or memory allocation or key generation
       - In isakmpd(8), avoid a double free in the unlikely event that
         EC_KEY_check_key(3) fails right after generating a new key
       - Allow building isakmpd(8) with a libcrypto library that has
         binary field support ("GF2m") removed.
    o In bgpd(8),
       - Add first version of flowspec support. Right now only
         announcement of flowspec rules is possible.
       - Update ASPA support to follow
         draft-ietf-sidrops-aspa-verification-16 and
         draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
         tables AFI-agnostic.
       - Rework UPDATE message generation to use the new ibuf API
         instead of the hand-rolled solution before.
       - Fix ext-community * * matching which also affects filters
         removing all ext-communities.
       - Improve and extend the bgpctl parser to handle commands like
         bgpctl show rib detail. Also add various
         flowspec specific commands.
       - Introduce a semaphore to protect intermittent RTR session
         data from being published to the RDE.
       - Limit the socket buffer size to 64k for all sessions.
         Limiting the buffer size to a reasonable size ensures that
         not too many updates end up queued in the TCP stack.
       - Adjust example GRACEFUL_SHUTDOWN filter rule in the example
         config to only match on ebgp sessions.
    o rpki-client(8) saw some changes:
       - A 30%-50% performance improvement was achieved through
         libcrypto's partial chains certificate validation feature.
         Already validated non-inheriting CA certificates are now
         marked as trusted roots. This way it can be ensured that a
         leaf's delegated resources are properly covered, and at the
         same time most validation paths are significantly shortened.
       - Support for gzip and deflate HTTP Content-Encoding
         compression was added. This allows web servers to send RRDP
         XML in compressed form, saving around 50% of bandwidth.
       - ASPA support was updated to
         draft-ietf-sidrops-aspa-profile-16. As part of supporting
         AFI-agnostic ASPAs, the JSON syntax for Validated ASPA
         Payloads changed in both filemode and normal output.
       - In filemode (-f option) the applicable manifests are now
         shown as part of the signature path.
       - A new -P option was added to manually specify a moment in
         time to use when parsing the validity window of certificates.
         Useful for regression testing. Default is invocation time of
       - The -A option will now also exclude ASPA data from the JSON
       - The synchronisation protocol used to sync the repository is
         now included in the OpenMetrics output.
       - Improved accounting by tracking objects both by repo and tal.
       - Check whether products listed on a manifest were issued by
         the same authority as the manifest itself.
       - File modification timestamps of objects retrieved via RRDP
         are now deterministically set to prepare the on-disk cache
         for seamless failovers from RRDP to RSYNC.
       - Improved detection of RRDP session desynchronization: a check
         was added to compare whether the delta hashes associated to
         previously seen serials are different in newly fetched
         notification files.
       - Improved handling of RRDP deltas in which objects are
         published, withdrawn, and published again.
       - Disallow X.509 v2 issuer and subject unique identifiers in
         certs. RPKI CAs will never issue certificates with V2 unique
       - A check to disallow duplicate X.509 certificate extensions
         was added.
       - A check to disallow empty sets of IP Addresses or AS numbers
         in RFC 3779 extensions was added.
       - A warning is printed when the CMS signing-time attribute in a
         Signed Object is missing.
       - Warnings about unrecoverable message digest mismatches now
         include the manifestNumber to aid debugging the cause.
       - A check was added to disallow multiple RRDP publish elements
         for the same file in RRDP snapshots. If this error condition
         is encountered, the RRDP transfer is failed and the RP falls
         back to rsync.
       - A compliance check for the proper X.509 Certificate version
         and CRL version was added.
       - A compliance check was added to ensure CMS Signed Objects
         contain SignedData, in accordance to RFC 6488 section 3
         checklist item 1a.
       - Compliance checks were added for the version, KeyUsage, and
         ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR
         Signed Objects.
       - A CMS signing-time value being after the X.509 notAfter
         timestamp was downgraded from an error to a warning.
       - A bug was fixed in the handling of CA certificates which
         inherit IP resources.
       - A compliance check was added to ensure the X.509 Subject only
         contains commonName and optionally serialNumber.
       - A compliance check was added to ensure the CMS SignedData and
         SignerInfo versions to be 3.
       - Fisher-Yates shuffle the order in which Manifest entries are
         processed. Previously, work items were enqueued in the order
         the CA intended them to appear on a Manifest. However, there
         is no obvious benefit to third parties deciding the order in
         which things are processed.
    o In smtpd(8),
       - Swapped link-auth filter arguments to avoid ambiguities with
         user names containing a "|" character.
       - Bumped smtpd-filters(7) protocol version.
       - Fixed potential truncation of filtered data lines.
       - Allowed arguments on NOOP.
    o Many other changes in various network programs and libraries:
       - Allow libpcap to read files with some additional link-layer
         type values.
       - Let pcap_fopen_offline(3) correctly interpret some LINKTYPE_*
         values in pcap headers written on foreign operating systems.
       - Make dig(1) use less deprecated LibreSSL API.
       - Remove stylistic differences between arp(8) and ndp(8)
         delete() function. This makes it easier to spot real changes
         in behavior.
       - Make ndp(8) not remove cloning routes when no neighbor entry
         is found with ndp -d.
       - Improved error handling in the asr resolver.
       - In unwind(8), handle SERVFAIL results on name resolution
       - In unwind(8), fix a use-after-free bug triggered by fatal
         write errors while sending TCP responses.
       - In the router advertisement daemon rad(8), update the default
         timers for prefix preferred and valid lifetimes to use the
         values from RFC 9096.
       - In slaacd(8), remove artificial limit of 2 hours on a PIO
       - In ypldap(8), reduce memory usage when updating larger
       - Make ypldap(8) more resilient when some servers are
         misbehaving: keep trying LDAP servers until full results
         arrive rather than just until one accepts the TCP connection.
       - New wgdescription parameter to ifconfig(8) to set a string
         describing the wg(4) peer.
       - Let ifconfig(8) prefix the interface name to many error and
         warning messages.
       - Make the tlsv1.0 and tlsv1.1 options in relayd(8) do nothing,
         as one should use the default tlsv1.2 instead.
       - Fix IPv6 routes being changed by relayd(8) with Routers
       - In dhcrelay6(8), do not ignore the AF_LINK entries of carp(4)
       - Improve the config parser of radiusd(8) to better handle
         comments, improve error messages and plug a memory leak.
       - In radiusd(8), add request or response decoration feature
         which is used through the radiusd module interface. This
         makes additional modules can modify RADIUS request or
         response messages. Also add new "radius_standard" module
         which uses this new feature, provides some generic features
         like "strip-atmark-realm" which removes the realm part from
         the User-Name attribute.
       - Allow UDP for built-in inetd(8) services on This
         restriction was added in year 2000 due to IPv6 compatible and
         mapped addresses. Nowadays our kernel does not support these
         IPv6 features and blocks localhost addresses on non-loopback
         interfaces. Make IPv4 and IPv6 ::1 behave
         identically and provide local services if configured.
       - In spamd(8), log a dummy "" IP address in the unlikely event
         that getnameinfo(3) fails.

 - tmux(1) improvements and bug fixes:
    o For passthrough, don't write to clients attached to different
    o Add a format to show if there are unseen changes while in a mode.
    o Discard mouse sequences that have the right form but actually are
    o Invalidate cached tty state after changing features since they may
      change what the terminal can do and need mouse sequences or
      similar to be sent again.
    o Add options to change the confirm key and default behaviour of
    o Add an option menu-selected-style to configure the currently
      selected menu item.
    o Add -c to run-shell to set working directory.
    o Add detach-on-destroy previous and next,
    o Set visited flag on last windows when linking session.

 - LibreSSL version 3.8.2
    o Security fixes
       - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no
         longer be selected for use.
       - BN_is_prime{,_fasttest}_ex() refuse to check numbers larger
         than 32 kbits for primality. This mitigates various DoS
       - Restricted the RFC 3779 code to IPv4 and IPv6. It was not
         written to be able to deal with anything else.
    o Portable changes
       - Extended the endian.h compat header with hto* and *toh
       - Adapted more tests to the portable framework.
       - Internal tools are now statically linked.
       - Applications bundled as part of the LibreSSL package
         internally, nc(1) and openssl(1), now are linked statically
         if static libraries are built.
       - Internal compatibility function symbols are no longer
         exported from libcrypto. Instead, the libcompat library is
         linked to libcrypto, libssl, and libtls separately. This
         increases size a little, but ensures that the libraries are
         not exporting symbols to programs unintentionally.
       - Selective removal of CET implementation on platforms where it
         is not supported (macOS).
       - Integrated four more tests.
       - Added Windows ARM64 architecture to tested platforms.
       - Removed Solaris 10 support, fixed Solaris 11.
       - libtls no longer links statically to libcrypto / libssl
         unless --enable-libtls-only is specified at configure time.
       - Improved Windows compatibility library, namely handling of
         files vs sockets, correcting an exception when operating on a
         closed socket.
       - CMake builds no longer hardcode -O2 into the compiler flags,
         instead using flags from the CMake build type instead.
       - Set the CMake default build type to Release. This can be
         overridden during configuration.
       - Fixed broken ASM support with MinGW builds.
    o New features
       - Added support for truncated SHA-2 and for SHA-3.
       - The BPSW primality test performs additional Miller-Rabin
         rounds with random bases to reduce the likelihood of
         composites passing.
       - Allow testing of ciphers and digests using badly aligned
         buffers in openssl speed using -unalign.
       - Ed25519 certificates are now supported in openssl(1) ca and
         req. Prepared Ed25519 support in libssl.
       - Add branch target information (BTI) support to amd64 and
         arm64 assembly.
    o Compatibility changes
       - Added a workaround for a poorly thought-out change in OpenSSL
         3 that broke privilege separation support in libtls.
       - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
       - Removed GF2m support: BIGNUM no longer supports binary
         extension field arithmetic and all binary elliptic builtin
         curves were removed.
       - Removed dangerous, "fast" NIST prime and elliptic curve
         implementations. In particular, EC_GFp_nist_method() is no
         longer available.
       - Removed most public symbols that were deprecated in OpenSSL
       - Removed the public X9.31 API (RSA_X931_PADDING is still
       - Removed Cipher Text Stealing mode.
       - Removed ENGINE support, including ECDH_METHOD and
       - Removed COMP, DSO, dynamic loading of conf modules and
         support for custom ex_data and error stacks.
       - Removed proxy certificate (RFC 3820) support.
       - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including
         the openssl(1) nseq command.
       - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In
         spite of this, some stub functions are provided to avoid
         patching some applications that do not honor
       - The POLICY_TREE and its related structures and API were
       - In X509_VERIFY_PARAM_inherit() copy hostflags independently
         of the host list.
       - Made CRYPTO_get_ex_new_index() not return 0 to allow
         applications to use *_{get,set}_app_data() and
         *_{get,set}_ex_data() alongside each other.
       - X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they
         contain valid UTF-8 without embedded NUL.
       - The explicitText user notice uses UTF8String instead of
         VisibleString to reduce the risk of emitting certificates
         with invalid DER-encoding.
       - Initial fixes for RSA-PSS support to make the TLSv1.3 stack
         more compliant with RFC 8446.
       - Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
         EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
    o Internal improvements
       - Improved sieve of Eratosthenes script used for generating a
         table of small primes.
       - Removed incomplete and dangerous BN_RECURSION code.
       - Imported RFC 5280 policy checking code from BoringSSL and
         used it to replace the old exponential time code.
       - Converted more of libcrypto to use CBB/CBS.
       - Started cleaning up and rewriting SHA internals.
       - Reduced the dependency of hash implementations on many layers
         of macros. This results in significant speedups since modern
         compilers are now less confused.
       - Improved BIGNUM internals and performance.
       - Significantly simplified the BN_BLINDING internals used in
       - Made BN_num_bits() independent of bn->top.
       - Rewrote and simplified bn_sqr().
       - Significantly improved Montgomery multiplication performance.
       - Rewrote and improved BN_exp() and BN_copy().
       - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work
         with Ed25519 and fixed a few bugs in there.
       - Lots of cleanup for DH, DSA, EC, RSA internals. Plugged
         numerous memory leaks, fixed logic errors and
       - Cleaned up and simplified various ECDH and ECDSA internals.
       - Removed EC_GROUP precomp machinery.
       - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
       - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
       - Improved X.509 certificate version checks.
       - Ensure no X.509v3 extensions appear more than once in
       - Replaced ASN1_bn_print with a cleaner internal
       - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
       - Improved checks for commonName in libtls.
       - Fixed error check for X509_get_ext_d2i() failure in libtls.
       - Removed code guarded by #ifdef ZLIB.
       - Plug a potential memory leak in ASN1_TIME_normalize().
       - Fixed a use of uninitialized in i2r_IPAddrBlocks().
       - Rewrote CMS_SignerInfo_{sign,verify}().
    o Bug fixes
       - Correctly handle negative input to various BIGNUM functions.
       - Ensure ERR_load_ERR_strings() does not set errno
       - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
       - Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing
         of result and modulus in various BN_mod_* functions.
       - Fixed detection of extended operations (XOP) on AMD hardware.
       - Ensure Montgomery exponentiation is used for the initial RSA
       - Policy is always checked in X509 validation. Critical policy
         extensions are no longer silently ignored.
       - Fixed error handling in tls_check_common_name().
       - Add missing pointer invalidation in SSL_free().
       - Fixed X509err() and X509V3err() and their internal versions.
       - Ensure that OBJ_obj2txt() always returns a C string again.
       - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
       - On socket errors in the poll loop, netcat could issue system
         calls on invalidated file descriptors.
       - Allow IP addresses to be specified in a URI.
       - Fixed a copy-paste error in ASN1_TIME_compare() that could
         lead to two UTCTimes or two GeneralizedTimes incorrectly
         being compared as equal.
    o Documentation improvements
       - Improved documentation of BIO_ctrl(3),
         BIO_set_info_callback(3), BIO_get_info_callback(3),
         BIO_method_type(3), and BIO_method_name(3).
       - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as
         intentionally undocumented.
       - Made it very explicit that the verify callback should not be
       - Called out that the CRL lastUpdate is standardized as
       - Documented the RFC 3779 API and its shortcomings.
    o Testing and Proactive Security
       - Significantly improved test coverage of BN_mod_sqrt() and
       - As always, new test coverage is added as bugs are fixed and
         subsystems are cleaned up.

 - OpenSSH 9.5 and OpenSSH 9.4
    o Potentially incompatible changes
       - ssh-keygen(1): generate Ed25519 keys by default. Ed25519
         public keys are very convenient due to their small size.
         Ed25519 keys are specified in RFC 8709 and OpenSSH has
         supported them since version 6.5 (January 2014).
       - sshd(8): the Subsystem directive now accurately preserves
         quoting of subsystem commands and arguments. This may change
         behaviour for exotic configurations, but the most common
         subsystem configuration (sftp-server) is unlikely to be
       - ssh-agent(1): PKCS#11 modules must now be specified by their
         full paths. Previously dlopen(3) could search for them in
         system library directories.
    o New features
       - ssh(1): add keystroke timing obfuscation to the client. This
         attempts to hide inter-keystroke timings by sending
         interactive traffic at fixed intervals (default: every 20ms)
         when there is only a small amount of data being sent. It also
         sends fake "chaff" keystrokes for a random interval after the
         last real keystroke. These are controlled by a new ssh_config
         ObscureKeystrokeTiming keyword.
       - ssh(1), sshd(8): Introduce a transport-level ping facility.
         This adds a pair of SSH transport protocol messages
         SSH2_MSG_PING/PONG to implement a ping capability. These
         messages use numbers in the "local extensions" number space
         and are advertised using a "p...@openssh.com" ext-info
         message with a string version number of "0".
       - sshd(8): allow override of Subsystem directives in sshd Match
       - ssh(1): allow forwarding Unix Domain sockets via ssh -W.
       - ssh(1): add support for configuration tags to ssh(1). This
         adds a ssh_config(5) "Tag" directive and corresponding "Match
         tag" predicate that may be used to select blocks of
         configuration similar to the pf.conf(5) keywords of the same
       - ssh(1): add a "match localnetwork" predicate. This allows
         matching on the addresses of available network interfaces and
         may be used to vary the effective client configuration based
         on network location.
       - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for
         KRL extensions. This defines wire formats for optional KRL
         extensions and implements parsing of the new submessages. No
         actual extensions are supported at this point.
       - sshd(8): AuthorizedPrincipalsCommand and
         AuthorizedKeysCommand now accept two additional %-expansion
         sequences: %D which expands to the routing domain of the
         connected session and %C which expands to the addresses and
         port numbers for the source and destination of the
       - ssh-keygen(1): increase the default work factor (rounds) for
         the bcrypt KDF used to derive symmetric encryption keys for
         passphrase protected key files by 50%.
    o Bugfixes
       - scp(1): fix scp in SFTP mode recursive upload and download of
         directories that contain symlinks to other directories. In
         scp mode, the links would be followed, but in SFTP mode they
         were not.
       - ssh-keygen(1): handle cr+lf (instead of just cr) line endings
         in sshsig signature files.
       - ssh(1): interactive mode for ControlPersist sessions if they
         originally requested a tty.
       - sshd(8): make PerSourceMaxStartups first-match-wins
       - sshd(8): limit artificial login delay to a reasonable maximum
         (5s) and don't delay at all for the "none" authentication
       - sshd(8): Log errors in kex_exchange_identification() with
         level verbose instead of error to reduce preauth log spam.
         All of those get logged with a more generic error message by
       - sshd(8): correct math for ClientAliveInterval that caused the
         probes to be sent less frequently than configured.
       - ssh-agent(1): improve isolation between loaded PKCS#11
         modules by running separate ssh-pkcs11-helpers for each
         loaded provider.
       - ssh(1): make -f (fork after authentication) work correctly
         with multiplexed connections, including ControlPersist.
       - ssh(1): make ConnectTimeout apply to multiplexing sockets and
         not just to network connections.
       - ssh-agent(1), ssh(1): improve defences against invalid
         PKCS#11 modules being loaded by checking that the requested
         module contains the required symbol before loading it.
       - sshd(8): fix AuthorizedPrincipalsCommand when
         AuthorizedKeysCommand appears before it in sshd_config. Since
         OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was
         incorrectly ignored in this situation.
       - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for
         KRL signatures When the KRL format was originally defined, it
         included support for signing of KRL objects. However, the
         code to sign KRLs and verify KRL signatures was never
         completed in OpenSSH. This release removes the
         partially-implemented code to verify KRLs. All OpenSSH tools
         now ignore KRL_SECTION_SIGNATURE sections in KRL files.
       - All: fix a number of memory leaks and unreachable/harmless
         integer overflows.
       - ssh-agent(1), ssh(1): don't truncate strings logged from
         PKCS#11 modules
       - sshd(8), ssh(1): better validate CASignatureAlgorithms in
         ssh_config and sshd_config. Previously this directive would
         accept certificate algorithm names, but these were unusable
         in practice as OpenSSH does not support CA chains.
       - ssh(1): make ssh -Q CASignatureAlgorithms only list signature
         algorithms that are valid for CA signing. Previous behaviour
         was to list all signing algorithms, including certificate
       - ssh-keyscan(1): gracefully handle systems where rlimits or
         the maximum number of open files is larger than INT_MAX
       - ssh-keygen(1): fix "no comment" not showing on when running
         ssh-keygen -l on multiple keys where one has a comment and
         other following keys do not.
       - scp(1), sftp(1): adjust ftruncate() logic to handle servers
         that reorder requests. Previously, if the server reordered
         requests then the resultant file would be erroneously
       - ssh(1): don't incorrectly disable hostname canonicalization
         when CanonicalizeHostname=yes and ProxyJump was explicitly
         set to "none".
       - scp(1): when copying local to remote, check that the source
         file exists before opening an SFTP connection to the server.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 11508
       - amd64: 11845
       - i386: 10603
       - sparc64: 8469
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64
       - powerpc
       - powerpc64
       - riscv64

 - Some highlights:

    o Asterisk 16.30.1, 18.19.0 and   o Mozilla Thunderbird 115.3.1
      20.4.0                          o Mutt 2.2.12 and NeoMutt 20230517
    o Audacity 3.3.3                  o Node.js 18.18.0
    o CMake 3.27.5                    o OCaml 4.12.1
    o Chromium 117.0.5938.149         o OpenLDAP 2.6.6
    o Emacs 29.1                      o PHP 7.4.33, 8.0.30, 8.1.24 and
    o FFmpeg 4.4.4                      8.2.11
    o GCC 8.4.0 and 11.2.0            o Postfix 3.7.3
    o GHC 9.2.7                       o PostgreSQL 15.4
    o GNOME 44                        o Python 2.7.18, 3.9.18, 3.10.13
    o Go 1.21.1                         and 3.11.5
    o JDK 8u382, 11.0.20 and 17.0.8   o Qt 5.15.10 and 6.5.2
    o KDE Applications 23.08.0        o R 4.2.3
    o KDE Frameworks 5.98.0           o Ruby 3.0.6, 3.1.4 and 3.2.2
    o Krita 5.1.5                     o Rust 1.72.1
    o LLVM/Clang 13.0.0 and 16.0.6    o SQLite 3.42.0
    o LibreOffice             o Shotcut 23.07.29
    o Lua 5.1.5, 5.2.4, 5.3.6 and     o Sudo
      5.4.6                           o Suricata 6.0.12
    o MariaDB 10.9.6                  o Tcl/Tk 8.5.19 and 8.6.13
    o Mono                 o TeX Live 2022
    o Mozilla Firefox 118.0.1 and     o Vim 9.0.1897 and Neovim 0.9.1
      ESR 115.3.1                     o Xfce 4.18

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
      freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
      xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
    o LLVM/Clang 13.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.36.1 (+ patches)
    o NSD 4.7.0
    o Unbound 1.18.0
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk September 12, 2023 version
    o Expat 2.5.0

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to


- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please


You are also encouraged to read the Frequently Asked Questions (FAQ) at:


- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:


- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at direct...@openbsdfoundation.org for
more information.

- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:


   As of October 16, 2023, the following HTTPS mirror sites have the
   7.4 release:

        https://cdn.openbsd.org/pub/OpenBSD/7.4/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/7.4/          Frankfurt, Germany
        https://ftp.bytemine.net/pub/OpenBSD/7.4/           Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/7.4/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/7.4/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/7.4/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/7.4/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/7.4/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/7.4/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.4/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/7.4/     Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/7.4/            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/7.4/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        octeon/             root.mail
        README           hppa/         openbsd-74-base.pub sparc64/
        SHA256           i386/         packages/           src.tar.gz
        SHA256.sig       landisk/      packages-stable/    sys.tar.gz
        alpha/           loongson/     ports.tar.gz        xenocara.tar.gz
        amd64/           luna88k/      powerpc64/
        arm64/           macppc/       riscv64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy74.img    pxeboot*
        BOOTX64.EFI*    bsd.mp*         game74.tgz      xbase74.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont74.tgz
        INSTALL.amd64   cd74.iso        install74.img   xserv74.tgz
        SHA256          cdboot*         install74.iso   xshare74.tgz
        SHA256.sig      cdbr*           man74.tgz
        base74.tgz      comp74.tgz      miniroot74.img

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install74.iso.  The install74.iso file (roughly 633MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install74.img and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:


   This is the page where we talk about the mistakes we made while
   creating the 7.4 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/7.4/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.4/README) file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Jeremie Courreges-Anglas,
Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
Kurt Mosiejczuk, and Christian Weisgerber.  Base and X system builds by
Kenji Aoyama, Theo de Raadt, and Miod Vallat.  Release art by
Jessica Scott.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
    Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
    Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
    Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
    Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
    Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
    Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
    Charles Longeau, Chris Cappuccio, Christian Weisgerber,
    Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
    Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila,
    David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    George Koehler, George Rosamond, Gerhard Roth, Giannis Tsaraias,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow,
    Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
    Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
    Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar,
    Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado,
    Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
    Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller,
    Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab,
    Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden,
    Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
    Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian,
    Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin,
    Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev,
    Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo,
    Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
    Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
    Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
    Yasuoka Masahiko, Yojiro Uo

Reply via email to