It's that time of the year again. With the following commit, Theo de Raadt (deraadt@) changed the version of the OpenBSD development branch to 7.7-beta:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2025/03/01 12:44:07

Modified files:
	sys/sys        : param.h 
	distrib/sets/lists/base: md.alpha md.hppa md.landisk md.luna88k 
	                         md.sparc64 
	distrib/sets/lists/comp: gcc.alpha gcc.hppa gcc.landisk 
	                         gcc.luna88k gcc.sparc64 
	etc/root       : root.mail 
	share/mk       : sys.mk 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	sys/conf       : newvers.sh 
	usr.bin/signify: signify.1 

Log message:
move to 7.7-beta

7.7-beta snapshots can be expected on the OpenBSD mirrors soon.

As always, this change should encourage testing and donation!

Version 0.110 of Game of Trees has been released (and the port updated):

• fix an endless loop in got-read-pack (regression from 0.109)
• change gotwebd diff algorithm from Myers to Patience diff
• gotd regress depends on p5-Net-Daemon now due to an added test case

Version 0.109 of Game of Trees has been released (and the port updated):

• fix gotd failing to protect references when the client sends an empty pack
• during pack generation, fix exclusion of commits via an ancestor commit
• fix a bogus "received unexpected privsep message" error from gotsh
• fix diffstat path order bug in field width computation
• gotwebd: preserve 'folder=' parameter when following More links

The OpenBGPD project (essentially a subproject of the OpenBSD project), have released their latest work in the OpenBGPD 8.8 release.

The release announcement reads,

Subject:    OpenBGPD 8.8 released
From:       Claudio Jeker <claudio () openbsd ! org>
Date:       2025-02-06 19:59:43

We have released OpenBGPD 8.8, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

    * Improve default multiproto capability announcement selection.
      The default MP capability is only set if no other capability is
      configured on the neighbor.

    * The `reject as-set` configuration option now defaults to yes.
      Route announcements with AS_SET segments in the AS_PATH Attribute
      will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set
      for more information.

Version 0.108 of Game of Trees has been released (and the port updated):

• add ssh -i identity-file support to commands which use the network
• make 'got import' output independent of readdir(3) entry order
• avoid full file content comparisons in 'got status' for speed
• tog: fix NULL deref when log view T keymap is used on worktree entry
• tog: fix a deadlock (hang) in the log view implementation
• tog: plug a memory leak
• tog: do not exit if a tag pointing at a non-commit is selected in ref view
• tog: do not mark an incorrect base commit in nested log views
• tog: fix NULL deref when scrolling small tree views down
• tog: avoid showing a negative log view entry index
• tog: do not apply a pointless count modifier to the H, &, p keymaps
• tog: do not make users wait for the worktree diff to quit out of tog
• gotwebd: make parent process drop root privileges
• gotwebd: drop read access to /var/www from parent process
• gotwebd: rename "socket" processes to "server"
• gotadmin cleanup: pack the repository before removing objects
• gotadmin cleanup: do not delete directly referenced trees and blobs
• gotadmin cleanup: do not delete objects reachable via nested tags
• regress: skip test memleak_send_basic in sha256 mode; expected to fail
• regress: make seq(1) invocations portable to fix test failures on linux
• regress/gotwebd: implement paginated commits test

There's also a toot which mentions some ongoing work.

As announced by Job Snijders on the FediVerse rpki-client 9.4 has been released.

The complete release notes from https://cdn.openbsd.org/pub/OpenBSD/rpki-client/rpki-client-9.4.txt are below:

Version 0.107 of Game of Trees has been released (and the port updated):

• gotwebd.css styling tweaks
• hide ssh debug output during fetch/send -v, keep showing it at -vv and -vvv
• discern mixed-commit worktree diffs with commit ID headers
• gotwebd: avoid printf("%s", NULL) when path parameter is not in query
• implement a regression test harness for gotwebd
• fix free() called with bogus pointer in 'got fetch'; regression from 0.106
• ensure config privsep children get collected upon error to prevent zombies
• fix some fprintf(3) failure checks
• gotwebd: replace strftime(3) with asctime_r(3) for the sake of consistency
• tweak gotwebd log message levels, and log requests in verbose (-v) mode
• prevent out-of-bounds read during gotwebd fcgi record debugging
• implement tog work tree diff support via log view and CLI
• improve error reporting when 'got patch' encounters malformed patches
• improve got_opentemp_named_fd error reporting by showing the path template
• add ssh -J jumphost support to got and cvg commands which use the network
• add regression tests checking for memory leaks with Otto malloc and ktrace
• got tag: change -s signer to -S signer
• got tag: provide one-line output mode via new -s option
• tog: use wtimeout(3) instead of nodelay(3) to honour our display refresh rate
• switch got_pathlist data store from TAILQ to RB-tree
• plug many memory leaks, some of which affected gotwebd in particular

There has long been some concern in the networking communities, particularly the routing security part, about the use of very long lived Trust Anchor (TA) certificates in routing infrastructure.

Today Job Snijders (job@) commited code to rpki-client(8) to implement a gradual phase in of a stricter policy on TA certificates lifetimes.

The commit message reads,

Subject:    CVS: cvs.openbsd.org: src
From:       Job Snijders <job () cvs ! openbsd ! org>
Date:       2024-12-18 16:38:40


CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2024/12/18 09:38:40

Modified files:
	usr.sbin/rpki-client: cert.c 

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.

Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2024/12/15 04:00:05

Modified files:
	sys/conf       : files 
	sys/kern       : uipc_domain.c uipc_socket.c 
	sys/net        : if_ethersubr.c 
	sys/sys        : socket.h 
Added files:
	sys/net        : af_frame.c frame.h 

Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.

this allows userland to use sockets to send and receive Ethernet
frames. as per the upcoming frame.4 man page:

frame protocol family sockets are designed as an alternative to bpf(4)
for handling low data and packet rate communication protocols.  Rather
than filtering every frame entering the system before the network stack
like bpf(4), the frame protocol family processing avoids this overhead by
running after the built in protocol handlers in the kernel.  For this
reason, it is not possible to handle IPv4 or IPv6 packets with frame
protocol sockets because the kernel network stack consumes them before
the receive handling for frame sockets is run.

if you've used udp sockets then these should feel much the same.

my main motivation is to implement an lldp agent in userland, but
without having to have bpf look at every packet when lldp happens
every minute or two.

the only feedback i had was positive, so i'm putting it in
ok claudio@

There's been a related change to aggr(4).