Version 0.109 of Game of Trees has been released (and the port updated):

• fix gotd failing to protect references when the client sends an empty pack
• during pack generation, fix exclusion of commits via an ancestor commit
• fix a bogus "received unexpected privsep message" error from gotsh
• fix diffstat path order bug in field width computation
• gotwebd: preserve 'folder=' parameter when following More links

The OpenBGPD project (essentially a subproject of the OpenBSD project), have released their latest work in the OpenBGPD 8.8 release.

The release announcement reads,

Subject:    OpenBGPD 8.8 released
From:       Claudio Jeker <claudio () openbsd ! org>
Date:       2025-02-06 19:59:43

We have released OpenBGPD 8.8, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

    * Improve default multiproto capability announcement selection.
      The default MP capability is only set if no other capability is
      configured on the neighbor.

    * The `reject as-set` configuration option now defaults to yes.
      Route announcements with AS_SET segments in the AS_PATH Attribute
      will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set
      for more information.

Version 0.108 of Game of Trees has been released (and the port updated):

• add ssh -i identity-file support to commands which use the network
• make 'got import' output independent of readdir(3) entry order
• avoid full file content comparisons in 'got status' for speed
• tog: fix NULL deref when log view T keymap is used on worktree entry
• tog: fix a deadlock (hang) in the log view implementation
• tog: plug a memory leak
• tog: do not exit if a tag pointing at a non-commit is selected in ref view
• tog: do not mark an incorrect base commit in nested log views
• tog: fix NULL deref when scrolling small tree views down
• tog: avoid showing a negative log view entry index
• tog: do not apply a pointless count modifier to the H, &, p keymaps
• tog: do not make users wait for the worktree diff to quit out of tog
• gotwebd: make parent process drop root privileges
• gotwebd: drop read access to /var/www from parent process
• gotwebd: rename "socket" processes to "server"
• gotadmin cleanup: pack the repository before removing objects
• gotadmin cleanup: do not delete directly referenced trees and blobs
• gotadmin cleanup: do not delete objects reachable via nested tags
• regress: skip test memleak_send_basic in sha256 mode; expected to fail
• regress: make seq(1) invocations portable to fix test failures on linux
• regress/gotwebd: implement paginated commits test

There's also a toot which mentions some ongoing work.

As announced by Job Snijders on the FediVerse rpki-client 9.4 has been released.

The complete release notes from https://cdn.openbsd.org/pub/OpenBSD/rpki-client/rpki-client-9.4.txt are below:

Version 0.107 of Game of Trees has been released (and the port updated):

• gotwebd.css styling tweaks
• hide ssh debug output during fetch/send -v, keep showing it at -vv and -vvv
• discern mixed-commit worktree diffs with commit ID headers
• gotwebd: avoid printf("%s", NULL) when path parameter is not in query
• implement a regression test harness for gotwebd
• fix free() called with bogus pointer in 'got fetch'; regression from 0.106
• ensure config privsep children get collected upon error to prevent zombies
• fix some fprintf(3) failure checks
• gotwebd: replace strftime(3) with asctime_r(3) for the sake of consistency
• tweak gotwebd log message levels, and log requests in verbose (-v) mode
• prevent out-of-bounds read during gotwebd fcgi record debugging
• implement tog work tree diff support via log view and CLI
• improve error reporting when 'got patch' encounters malformed patches
• improve got_opentemp_named_fd error reporting by showing the path template
• add ssh -J jumphost support to got and cvg commands which use the network
• add regression tests checking for memory leaks with Otto malloc and ktrace
• got tag: change -s signer to -S signer
• got tag: provide one-line output mode via new -s option
• tog: use wtimeout(3) instead of nodelay(3) to honour our display refresh rate
• switch got_pathlist data store from TAILQ to RB-tree
• plug many memory leaks, some of which affected gotwebd in particular

There has long been some concern in the networking communities, particularly the routing security part, about the use of very long lived Trust Anchor (TA) certificates in routing infrastructure.

Today Job Snijders (job@) commited code to rpki-client(8) to implement a gradual phase in of a stricter policy on TA certificates lifetimes.

The commit message reads,

Subject:    CVS: cvs.openbsd.org: src
From:       Job Snijders <job () cvs ! openbsd ! org>
Date:       2024-12-18 16:38:40


CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2024/12/18 09:38:40

Modified files:
	usr.sbin/rpki-client: cert.c 

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.

Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2024/12/15 04:00:05

Modified files:
	sys/conf       : files 
	sys/kern       : uipc_domain.c uipc_socket.c 
	sys/net        : if_ethersubr.c 
	sys/sys        : socket.h 
Added files:
	sys/net        : af_frame.c frame.h 

Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.

this allows userland to use sockets to send and receive Ethernet
frames. as per the upcoming frame.4 man page:

frame protocol family sockets are designed as an alternative to bpf(4)
for handling low data and packet rate communication protocols.  Rather
than filtering every frame entering the system before the network stack
like bpf(4), the frame protocol family processing avoids this overhead by
running after the built in protocol handlers in the kernel.  For this
reason, it is not possible to handle IPv4 or IPv6 packets with frame
protocol sockets because the kernel network stack consumes them before
the receive handling for frame sockets is run.

if you've used udp sockets then these should feel much the same.

my main motivation is to implement an lldp agent in userland, but
without having to have bpf look at every packet when lldp happens
every minute or two.

the only feedback i had was positive, so i'm putting it in
ok claudio@

There's been a related change to aggr(4).

Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:

We have released OpenBGPD 8.7, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

    * Cache the Adj-RIB-Out for sessions that have not been down for
      more than 1h. This significantly improves synchronisation time
      of peers that flap.

    * Implement RFC 8538: Notification Message Support for
      BGP Graceful Restart.

    * Add support for RFC 8654, extended messages.

    * In bgplgd add additional endpoints to query the Adj-RIB-In and
      Adj-RIB-Out.

    * Bump internal message size limit to 128k and handle up to 10 000
      ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.

    * Various improvements to the ibuf API including a new reader API
      which is used to make all message parsing in bgpd memory safe.

    * Added support for IPsec and TCP MD5 to RTR sessions.

OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the
Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE,
and Ubuntu. It is our hope that packagers take interest and help adapt
OpenBGPD-portable to more distributions.

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

The initial list of 21 'low hanging fruit' videos from EuroBSDcon 2024 has been released with more to follow:

Here is the EuroBSDcon 2024 playlist.

The OpenBSD highlights include:

Confidential Computing with OpenBSD - Hans Jörg Höxer

Building a SD-WAN appliance suitable for Australian Health Sector NFP/NGO - Jason Tubnor

A Packet's Journey Through the OpenBSD Network Stack - Alexander Bluhm

OpenBSD vs. IPv6 - Florian Obser

Global anycast using OpenBSD on a budget - Rob Keizer

Why rewrite fw_update(8)? - Andrew Hewus Fresh<br>

vmd's multi-process device emulation: 2 releases later - Dave Voutila

Puffy does Realtime Hypermedia - Patrick Marchand

The rest (see the conference schedule) will appear soon, pending some necessary post-processing.

Enjoy this bunch, and do come back for the rest soon!