In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

" ... anyone who’s ever had to investigate a security incident knows the harsh reality: logs are only as trustworthy as their protection against post-incident tampering. An attacker who gains root access isn’t going to politely leave their tracks in the log files – unless they physically can’t alter them anymore."

Read the whole thing, When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, over at Rafael's site!

In -current, the struct underlying stdio(3)'s FILE type has been made opaque, with library versions bumps across the board:

CVSROOT:	/cvs
Module name:	src
Changes by:	yasuoka@cvs.openbsd.org	2025/07/16 09:33:05

Modified files:
	lib/libc       : Symbols.list shlib_version 
	lib/libc/hidden: stdio.h wchar.h 
	lib/libc/stdio : Makefile.inc fclose.3 fclose.c findfp.c 
	lib/libcrypto  : shlib_version 
	lib/libcurses  : shlib_version 
	lib/libedit    : shlib_version 
	lib/libexpat   : shlib_version 
	lib/libfido2   : shlib_version 
	lib/libfuse    : shlib_version 

In a series of commits, Anthony J Bentley (bentley@) modified the system so that font caching runs as dedicated (unprivileged) user, "_fc-cache".

fc-cache(1) has been using pledge(2) since May.

Job Snijders (job@) has added (to -current) a new utility, watch(1), for periodically executing a command and displaying its output.

The IIJ's iwatch was initially imported back in May, and has been reworked substantially before being linked to the build.

Yes, you read that right: KDE 6.4.0 Plasma is now in OpenBSD packages.

This was made possible by the efforts of Rafael Sadowski (rsadowski@) with the help of several others. The news was announced 2025-07-04 via a fediverse post and of course the commit message itself, where the description reads

Log message:
Update Plasma 6.4

The most parts are straightforward as usual but in 6.4 the KDE
Kwin team split kwin into kwin-x11 and kwin (wayland). This seems
to be the sign that X11 is no longer of interest and we are
focussing on Wayland.

News from the Exotic Silicon front: Crystal Kolipe posted an update to misc@, saying

List:       openbsd-misc
Subject:    Console 4096 colours and blink attribute
From:       Crystal Kolipe <kolipe.c () exoticsilicon ! com>
Date:       2025-07-04 13:58:41

Tired of having just 256 colours on your console instead of 4096?

Do you miss the blink attribute from the old VGA text mode days?

Want to learn how cool stuff like this is implemented?

Look no further:

https://research.exoticsilicon.com/articles/console_4096

Clicking that link will bring you a colorful article with all implementation details and links to the code for you to try out yourself.

Happy blink and 4k colors console day to all who celebrate!

In a fediverse post on 2025-07-04, the Game of Trees Hub announced that they will be taking signups for repository hosting:

We have started our first round of sign-up for #Git repository hosting.

Our first server for Git hosting is expected to be installed next week. Additional servers will be added as needed based on demand.

See https://gothub.org for an introduction to our project.

See https://gothub.org/features.html to get an idea about which features are already working and what is planned for the future.

See https://gothub.org/tiers.html for the initial service tier configurations and prices.

See https://gothub.org/signup.html for details about the sign-up process.

Do you have code that could need to be hosted, and/or money to send their way? Click the links!

Version 0.115 of Game of Trees has been released (and the port updated):

• make errors reported by gotsys-apply-conf actually visible
• stop trying to start gotd from gotsys-apply-conf if gotd is not running
• fix infinite loop in got_pack_repaint_parent_commits() and got-read-pack
• fix creation of gotd.conf deny rules in gotsys-write-conf
• add support for global repository access rules to gotsysd.conf
• fix segfault due to double-free in got-read-gotconfig

Version 0.114 of Game of Trees has been released (and the port updated):

• preserve author timestamps when rebasing commits
• stop running ssh with -q by default; -q hides host key fingerprint errors
• fix gotsys-read-conf crash when ssh key comments are missing in gotsys.conf
• relax repository path permission checks in gotsys-repo-create
• add gotsys apply -w option which waits until sysconf has been run
• fix gotsysd getting stuck due to missing final messages from libexec helpers
• plug a file descriptor leak in the gotsysd libexec process