Development of important software sometimes happens without fanfare. If not for one of our editors noticing by watching commits, we would have missed the fact that Damien Miller (djm@) recently added a couple of notable features to OpenSSH:

The WiFI 802.11 standards are a gnarly lot, and checking for compatibility of the various sub-specifications has been known to drive even seasoned OpenBSD developers to the brink of distraction.

Now Stefan Sperling (stsp@) is airing a possible improvement in compatibility checks via a message to tech@ titled "fix net80211 802.11g compatibility check", saying

List:       openbsd-tech
Subject:    fix net80211 802.11g compatibility check
From:       Stefan Sperling <stsp () stsp ! name>
Date:       2025-07-31 10:26:18

I have a WIP fix for qwx which relies on ieee80211_iserp_sta() to
detect whether an AP supports 802.11g, rather than 802.11b only.

And I encountered an access point which qwx could not connect to when
my WIP fix is applied.

Much longed for by some, remembered as a quaint memory by other greybeards, the classic Common Desktop Environment (CDE) is being added to the ports collection.

The initial commit message reads,

List:       openbsd-ports-cvs
Subject:    CVS: cvs.openbsd.org: ports
From:       Antoine Jacoutot <ajacoutot () cvs ! openbsd ! org>
Date:       2025-07-28 12:35:38

CVSROOT:	/cvs
Module name:	ports
Changes by:	ajacoutot@cvs.openbsd.org	2025/07/28 06:35:38

Log message:
    Import cde-2.5.2
    
    CDE - The Common Desktop Environment is X Windows desktop environment that was
    commonly used on commercial UNIX variants such as Sun Solaris, HP-UX and IBM
    AIX. Developed between 1993 and 1999, it has now been released under an Open
    Source licence by The Open Group.

Version 0.116 of Game of Trees has been released (and the port updated):

• make our pack-refs header format align with the expectations of git 2.50.0
• fix bogus "bad offset in pack file" errors wrongly raised by gotd
• fix gotd branch protection rejecting commits that already exist on server
• pick a default branch to clone when the server does not advertise HEAD symref
• do not clobber changes staged via stage -p during "got revert"
• enforce additional restrictions on reference names specified in gotsys.conf
• change gotwebd favicons to show the smiley fish only
• fix gotd reload when /etc/gotd-secrets.conf is used
• fix bogus "raw object has unexpected size" errors during deltification
• fix bug in delta block stretch size calculation resulting in invalid deltas
• fix gotsysd behaviour when the anonymous user is removed from gotsys.conf
• add support for email and http/json notifications to gotsysd and gotsys.conf

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

" ... anyone who’s ever had to investigate a security incident knows the harsh reality: logs are only as trustworthy as their protection against post-incident tampering. An attacker who gains root access isn’t going to politely leave their tracks in the log files – unless they physically can’t alter them anymore."

Read the whole thing, When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, over at Rafael's site!

In -current, the struct underlying stdio(3)'s FILE type has been made opaque, with library versions bumps across the board:

CVSROOT:	/cvs
Module name:	src
Changes by:	yasuoka@cvs.openbsd.org	2025/07/16 09:33:05

Modified files:
	lib/libc       : Symbols.list shlib_version 
	lib/libc/hidden: stdio.h wchar.h 
	lib/libc/stdio : Makefile.inc fclose.3 fclose.c findfp.c 
	lib/libcrypto  : shlib_version 
	lib/libcurses  : shlib_version 
	lib/libedit    : shlib_version 
	lib/libexpat   : shlib_version 
	lib/libfido2   : shlib_version 
	lib/libfuse    : shlib_version 

In a series of commits, Anthony J Bentley (bentley@) modified the system so that font caching runs as dedicated (unprivileged) user, "_fc-cache".

fc-cache(1) has been using pledge(2) since May.

Job Snijders (job@) has added (to -current) a new utility, watch(1), for periodically executing a command and displaying its output.

The IIJ's iwatch was initially imported back in May, and has been reworked substantially before being linked to the build.

Yes, you read that right: KDE 6.4.0 Plasma is now in OpenBSD packages.

This was made possible by the efforts of Rafael Sadowski (rsadowski@) with the help of several others. The news was announced 2025-07-04 via a fediverse post and of course the commit message itself, where the description reads

Log message:
Update Plasma 6.4

The most parts are straightforward as usual but in 6.4 the KDE
Kwin team split kwin into kwin-x11 and kwin (wayland). This seems
to be the sign that X11 is no longer of interest and we are
focussing on Wayland.