Version 0.118 of Game of Trees has been released (and the port updated):

• security fix for -portable: gotwebd can be tricked into reading repositories outside its repos_path; bug introduced in got-0.111; OpenBSD is not affected
• make 'tog diff' show the repository name in names of patches written to /tmp
• plug memory leaks which were making gotwebd regress tests fail
• fix parallel processing of requests in gotwebd, improving responsiveness
• set gotwebd pledges according to address families of listening sockets
• run gotwebd fcgi parameter parsing in a dedicated process under pledge "stdio"
• make gotd commit notifications only show history which is unique to the branch
• enable sftp/scp support in the sshd_config file generated by gotsysd
• make gotsysd-managed repositories readable for the _gotd group

OpenBSD -current has gained initial support for the Raspberry Pi 5:

CVSROOT:	/cvs
Module name:	src
Changes by:	mglocker@cvs.openbsd.org	2025/09/01 12:56:04

Modified files:
	distrib/arm64/iso: Makefile 
	distrib/arm64/ramdisk: Makefile install.md list 

Log message:
Add Raspberry Pi 5 Model B support for RAMDISK.

Rafael Sadowski (rsadowski@) completed updates to C++ libraries in -current:

CVSROOT:	/cvs
Module name:	src
Changes by:	rsadowski@cvs.openbsd.org	2025/08/21 09:26:58

Modified files:
	gnu/lib/libcxx : Makefile 
	gnu/lib/libcxx/include/c++/v1: __config_site 
	gnu/lib/libcxxabi: Makefile 
	gnu/lib/libexecinfo: Makefile 
Added files:
	gnu/lib/libcxx/include/c++/v1: __assertion_handler 

Log message:
update build infrastructure for libunwind-, libcxxabi- and libcxx-19.1.7

This gives us a modern c++ lib in base!

Yubikey OTP support has been disabled in -current. The commit message explains the rationale:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2025/08/14 08:39:44

Modified files:
	sys/dev/usb    : ukbd.c 

Log message:
Most Yubikey ship with OTP support enabled out of the box (and generate
accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
Yubikey re-configuration requires crazy buggy and fragile tools using crazy
usb feature support, and therefore OTP disabling is very annoying.  We
make a policy decision to not attach these as keyboards anymore, because a
majority of users just want the FIDO functionality.  If you want to use OTP,
buy a different device from a different vendor or convince Yubikey to
significantly improve their tooling.
idea from kettenis

To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:

• USB security devices from other vendors are not affected.
• FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
• login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).

Running a patched kernel is the only way [at present] to reverse this change.

OpenSSH will now adapt IP QoS to actual sessions and traffic. In a fresh commit, Damien Miller (djm@) introduced a significant change, which enables ssh and sshd to set the IP QoS based on what connections and sessions are active.

The commit message says,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2025-08-18 3:43:01

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2025/08/17 21:43:01

Modified files:
	usr.bin/ssh    : sshd-session.c sshd-auth.c ssh.c session.c 
	                 serverloop.c packet.h packet.c mux.c misc.c 
	                 clientloop.c channels.h channels.c 

Log message:
Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.

Version 0.117 of Game of Trees has been released (and the port updated):

• regress: replace "sed -i" with ed(1) for portable in-place editing
• ensure that error messages from gotsysd libexec helpers get logged
• fix gotsysd using wrong auth and hmac labels in the generated gotd.conf
• preserve bad symlinks across merges during rebase and histedit
• improve binary files detection: detect any control characters, not just NUL
• gotwebd: fix race condition resulting in trucated html with trailing garbage
• make commit coloring faster and more accurate, producing smaller pack files
• improve selection of pack files for pinning in the open pack file cache
• regress: don't load global/home git configuration files while running tests
• make 'got clone' set a got.conf default branch for fetching only, not sending

In a recent entry on his blog, OpenBSD developer Ted Unangst (tedu@) asks, is OpenBSD 10x faster than Linux?. He explains,

Here’s a little benchmark complements of Jann Horn. It’s unexpectedly slow on Linux. OpenBSD is so fast, I had to modify the program slightly to measure itself, as the time utility is missing sufficient precision to even record nonzero.

Go on, read the rest over at Ted's blog for some fun tidbits on performance and benchmarks.

OpenBSD users and aficionados are more likely than others to be familiar with the concept of greytrapping (the nastier kid sister of greylisting), as implemented via the OpenBSD spamd(8) spammer taunting software.

The feature has now been around for 18 years, and undeadly.org co-editor Peter Hansteen found that and another milestone to be a good reason to write a retrospective:

Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.

So I wrote up one: Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? (also available with G's trackers here) is a retrospective article with data and graphs.

That's right, we've been making life harder for spammers for 18 years. Peter's writeup has links to data, and more field notes and war stories than he could actually remember writing when he started on the retrospective.

We have long been aware that OpenBSD and OpenSSH in general are at the very forefront of cryptography engineering.

A recent data point here is that Damien Miller (djm@) just committed a new OpenSSH Post-Quantum Cryptography FAQ page to the OpenSSH web site:

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: www
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2025-08-11 5:26:51

CVSROOT:	/cvs
Module name:	www
Changes by:	djm@cvs.openbsd.org	2025/08/10 23:26:51

Added files:
	openssh        : pq.html