Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:

Since I attend OpenBSD hackathons, I hear stories about how crazy are the ports hackathons. So I try my best to look like a porter in order to experience this craziness. I must admit p2k19 was awesome but the craziness of port hackathons is still an enigma to me.

Damien Miller (djm@) posted to tech@:

Hi,

I just committed all the dependencies for OpenSSH security key (U2F)
support to base and tweaked OpenSSH to use them directly. This means
there will be no additional configuration hoops to jump through to use
U2F/FIDO2 security keys.

The first p2k19 hackathon report comes from Marc Espie (espie@), who writes:

I already came to Bucharest a year ago for EuroBSDcon, but I welcomed the chance at spending more time here, especially at a hackathon organized by Paul, who is such a great guy.

I heard that there was a lot of chanting involved around the city, but we had magical weather, totally unseasonally warm and sunny for november in Romania.

Theo de Raadt (deraadt@) posted to tech@:

The ntpd options -s and -S are going to be removed soon and at startup
with print:

    -s option no longer works and will be removed soon.
    Please reconfigure to use constraints or trusted servers.

Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
-s and -S from getopt, and starting with those options will fail.

Effective immediately, the -s option stops doing what you expect.  It now
does nothing.

Big improvements have happened in ntpd recently.  At startup, ntpd
aggressively tries to learn from NTP packets validated by constraints,
and set the time.

That means a smarter variation of -s is the default, but the information
is now *VALIDATED* by constraints.

2 additional constraints have been added.  If you have upgraded, please
review /etc/examples/ntpd.conf for modern use

Those who cannot use https constraints, can instead tag server lines
with the keyword "trusted", which means you believe MITM attacks are not
possible on the network to those specific NTP servers.  Do this only on
servers directly connected over trusted network.  If someone does
"servers pool.ntp.org trusted", we're going to have a great laugh.

We're creating something a bit complex, but our goal is for every
machine to have a close approximation of correct time.  If we get
there, some good things will happen.  Some serious cargo-culting
for using -s has gotten in the way (-s performs no MITM checks).

DNSSEC validation has been enabled in the default unbound.conf(5) in -current. The relevant commits were from Job Snijders (job@)

CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2019/11/07 05:49:45

Modified files:
	etc            : unbound.conf 

Log message:
Enable DNSSEC validation in unbound by default

OK deraadt@ otto@

and from Stuart Henderson (sthen@)

CVSROOT:	/cvs
Module name:	src
Changes by:	sthen@cvs.openbsd.org	2019/11/07 08:46:37

Modified files:
	etc            : unbound.conf 

Log message:
Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.

ok florian@

This was attempted late last year, but reverted because of difficulties bootstrapping machines with incorrect clocks.

In a message to the openssh-unix-dev mailing list, Damien Miller (djm@) wrote:

[…]
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").

If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
for users to get a hardware-backed keypair and there is a good range of
vendors who sell them including Yubico, Feitian, Thetis and Kensington.
Hardware-backed keys offer the benefit of being considerably more
difficult to steal - an attacker typically has to steal the physical
token (or at least persistent access to it) in order to steal the key.
[…]

See the full message for all the details.

Thank you Damien (djm@) and Darren (dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.

The EuroBSDCon channel at YouTube now has the EuroBSDCon 2019 videos online.

One excellent way to start is with Patricia Aas' excellent keynote Embedded Ethics and just go on, but you could also go directly to the OpenBSD related talks:

• Marc Espie: Advanced ports toolkit: near-perfect packing-list generation
• Phillipp Buhler: OpenBSD: add VMM to ‘packer’
• Mischa Peters: The OpenBSD Hypervisor in the wild, a short story.
• Reyk Floeter: Modernizing relayd & the road to HTTP/2
• Stefan Sperling: Game of Trees
• Patrick Wildt: Wireless Fidelity with bwfm(4)
• Alexander Bluhm: Visualization of Regression and Performance

There are, of course, other talks worth taking in from the other projects too. There is even a playlist that gives you all 28 talks! And we're already looking forward to next year in Vienna (Wien), Austria!

A new OpenBSD store has been started, for those looking for OpenBSD swag now that the project no longer produces CDs. If you like the artwork that comes with the releases, this is a great way to support it. Quoting the about page:

We believe art helps explain and define what OpenBSD is. Store managed by Job Snijders (job@) and Natasha Allegri. All profits from this store are used to pay the artists who create art for OpenBSD.

So if your old wireframe puffy shirt is getting a bit faded, or if your three-headed-daemon shirt is tearing at the seams - get a new shirt now and support artwork for the project!

In a message to relevant mailing lists, Theo de Raadt (deraadt@) announced that the OpenBSD project's 47^th release, OpenBSD 6.6, is now available from mirror sites worldwide.

Rather than reproducing here the full list of new features, we refer readers to the official OpenBSD 6.6 page, and the detailed changelog.

Notable changes include but are not limited to:

• sysupgrade(8) has been added. (Fortunately for those upgrading, this has been retrofitted to 6.5.)
• The octeon platform now uses clang(1) as the base compiler.
• amdgpu(4), an AMD GPU driver, has been added.
• startx(1) and xinit(1) again work on many modern systems.
• unveil(2) has been improved, and is now used in 77 base programs.
• ntpd(9) now gets and sets the clock in a secure manner when booting, even in the absence of a battery-backed clock.
• smtpd(8) now supports builtin and [experimental] standalone filters.

Those upgrading from version 6.5 should read the Upgrade Guide.

As always, readers are encouraged to show their appreciation in the conventional manner.