The OpenBSD project has announced the release of version 9.5 of rpki-client:

rpki-client 9.5 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client now includes arin.tal which is no longer legally encumbered.
  See https://www.arin.net/announcements/20250116-tal/

- rpki-client reports Certification Authorities that do not meaningfully 
  participate in the RPKI as non-functional CAs. By definition, a CA is
  non-functional if there is no currently valid Manifest. The number of
  such CAs is printed at the end of each run and more detailed information
  is available in the JSON (-j) and ometrics (-m) output.

- OpenBSD reliability errata 014:
  Incorrect internal RRDP state handling in rpki-client can lead to a
  denial of service. Affected are rpki-client versions 7.5 - 9.4. 

- Termination of rsync child processes with SIGTERM is no longer treated as
  an error if rpki-client has sent this signal. This only affects openrsync.

- Do not exit filemode with an error if a .gbr or a .tak object contains
  control characters in its UTF-8 strings. Instead, only warn and emit a
  sanitized version in JSON output.

Upcoming breaking change:

- Starting with release 9.6, rpki-client will emit all key identifiers
  (AKI and SKI) encoded in JSON as bare hex strings without colons.

Theo de Raadt (deraadt@) updated the version of OpenBSD -current to "7.7-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).

The OpenBSD project has announced the release of OpenIKED 7.4:

We have released OpenIKED 7.4, which will be arriving in the OpenIKED
directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

 * Fixed a double free bug in ECDH

 * Added a natt config option that forces negotiation of nat-t
   (and udpencap) for a policy

 * Made config file verification not require root permissions

 * Fixed a bug where iked was retransmitting fragments too eagerly

 * Tightened apparmor sandboxing on Linux

 * Various other bug fixes, compatibility fixes and documentation
   improvements

The OpenSSH project has announced their latest release, OpenSSH 10.0.

The announcement and release notes read:

OpenSSH 10.0/10.0p1 (2025-04-09)

OpenSSH 10.0 was released on 2025-04-09. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Potentially-incompatible changes
--------------------------------

 * This release removes support for the weak DSA signature
   algorithm, completing the deprecation process that began in
   2015 (when DSA was disabled by default) and repeatedly warned
   over the last 12 months.

If you have ever been irked by having to enter a sequence of sysctl(8) commands to achieve things like enabling forwarding for IPv4 and IPv6 both, help is at hand.

In a recent commit, Klemens Nanni (kn@) added functionality to have the classic command read multiple settings from a file:

Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2025-04-05 14:09:06
Message-ID: f3c322a675a4cd33 () cvs ! openbsd ! org
[Download RAW message or body]

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2025/04/05 08:09:06

Modified files:
	sbin/sysctl    : sysctl.8 sysctl.c 

Log message:
Add [-f file] to apply sysctl.conf in one go

We (undeadly.org editors) had not noticed ourselves, but Will Backman wrote in about the news that some OpenBSD code -- openrsync -- had been made available to a wider audience, courtesy of Apple:

"While Apple has been updating the rsync 2.6.9 command line tool it shipped with macOS as needed in response to security issues and other problems, the fact remains that Apple’s version of rsync up until macOS Sequoia was almost twenty years old and did not include any of the new features introduced in rsync versions which came after version 2.6.9."

"Now with macOS Sequoia, Apple has replaced rsync 2.6.9 with openrsync, an implementation of rsync which is not using any version of the GPL open source license."

You can read more at https://derflounder.wordpress.com/2025/04/06/rsync-replaced-with-openrsync-on-macos-sequoia/

The editors can confirm that on a fully updated Mac, man rsync will reveal that rsync is indeed the OpenBSD openrsync.

The OpenBSD 7.7 release cycle is entering its final phases…

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.7 (dropping the "-beta"):

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2025/03/30 14:43:36

Modified files:
	sys/conf       : newvers.sh 

Log message:
head out of -beta to 7.7

For those unfamiliar with the process:
this is not the 7.7 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add(1) (and pkg_info(1)).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Hitherto, fw_update(8) has gathered system information largely from /var/run/dmesg.boot (on the host on which it is invoked).

Andrew Hewus Fresh (afresh1@) has committed a change which allows specifying an arbitrary dmesg file. The commit message explains the rationale:

CVSROOT:	/cvs
Module name:	src
Changes by:	afresh1@cvs.openbsd.org	2025/03/21 18:33:34

Modified files:
	usr.sbin/fw_update: fw_update.8 fw_update.sh 

Log message:
Allow using a different dmesg for driver detection

This also solves an issue that jmc@ was having with installing
downloaded firmware. (thanks for reporting)

It also adjusts detecting the OpenBSD version from the dmesg
instead of from sysctl while still allowing sysupgrade to override.

I see two main uses for this, the first being downloading firmware
to be used on a machine that doesn't have access to download for
itself.  The other would be for testing detection of devices in a
dmesg for a machine you don't have or that is hard to test such as
from the installer.

This is a very welcome change indeed!

At least one of the editors (and we suspect several of our readers) would have saved quite a bit of time while installing our favourite operating system on hardware that requires firmware that for some reason is not included in the install media, such as some recent-ish laptops.

It's that time of the year again. With the following commit, Theo de Raadt (deraadt@) changed the version of the OpenBSD development branch to 7.7-beta:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2025/03/01 12:44:07

Modified files:
	sys/sys        : param.h 
	distrib/sets/lists/base: md.alpha md.hppa md.landisk md.luna88k 
	                         md.sparc64 
	distrib/sets/lists/comp: gcc.alpha gcc.hppa gcc.landisk 
	                         gcc.luna88k gcc.sparc64 
	etc/root       : root.mail 
	share/mk       : sys.mk 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	sys/conf       : newvers.sh 
	usr.bin/signify: signify.1 

Log message:
move to 7.7-beta

7.7-beta snapshots can be expected on the OpenBSD mirrors soon.

As always, this change should encourage testing and donation!