In a message to tech@ with the subject "die DSA die", Damien Miller (djm@) presents a diff that will remove the last bits of DSA support from OpenSSH:

List:       openbsd-tech
Subject:    die DSA die
From:       Damien Miller <djm () mindrot ! org>
Date:       2025-05-05 6:34:15

This finally removes all the remaining bits of DSA support from
OpenSSH and fixes up the regress tests that I could run.

I'm not set up to run the ssh.com interop tests so it's possible
they are broken by this.

ok?

Index: usr.bin/ssh/authfd.c
[ … ]

followed by the diff that implements the change.

(An earlier Undeadly article provides some background on DSA removal.)

Note that Damien asks for testing help here -- if you are able to help testing this change before it goes in for real, please do!

A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2025/05/04 20:48:07

Modified files:
	usr.bin/ssh/sshd-session: Makefile 
	usr.bin/ssh/sshd-auth: Makefile 
	usr.bin/ssh/ssh-agent: Makefile 
	usr.bin/ssh    : ssh-agent.c ssh-agent.1 session.c pathnames.h 
	                 misc.h misc.c hostfile.c 

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both
ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted
filesystem access that includes /tmp (via unveil(3)) do not have the
ability to use keys in an agent.

Klemens Nanni (kn@) has committed the his proposed change [See previous article] such that the OpenBSD installer now prefers disks over 1GB when prompting for the root disk. The commit message explains the change:

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2025/05/04 06:32:41

Modified files:
	distrib/miniroot: install.sub 

Log message:
Prefer disks bigger than 1G as default root disk on install

-current picks the alphanumerically first disk as default, which isn't the
beset choice if install media, softraid(4) key disks or small external media
attaches before the disk one intends to use.

You can tell it's right after a release is cut when new ideas are fielded in patches to tech@. One such small but potentially important change that is being aired now is a change to the installer to suggest the larger one when several disks are available. Klemens Nanni (kn@) describes the motivation for the change as

[…] whenever install media, small USB sticks or softraid(4) keydisks attach
before you actual disk, defaulting to sd0 is most certainly not what you want.

An easy rule of thumb that works great for me is to reshuffle the list of valid
root disks such that small ones come last.

The message with the patch reads:

List:       openbsd-tech
Subject:    installer: default root disk: prefer those bigger than 1G
From:       Klemens Nanni <kn () openbsd ! org>
Date:       2025-05-01 15:41:25

Now we show all valid root disks and pick the first one, i.e. the
alphanumerically lowest value, as default:

In a post to tech@, Martin Pieuchot (mpi@) has requested testing of a diff (against -current) to enable running the upper part of the fault handler in parallel :

Hello,

Diff below enables running the fault handler in parallel.  Please test
an report back, with dmesg, if this increases or decreases the perfs of
your usual setup.

Thanks for the help,
Martin

LibreSSL version 4.1.0 has been released.

This is the version found in (the recently released) OpenBSD 7.7

The release notes read,

We have released LibreSSL 4.1.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 4.1.x branch, also available with OpenBSD 7.7

It includes the following changes from LibreSSL 4.0.0:

    * Portable changes
      - Added initial experimental support for loongarch64.
      - Fixed compilation for mips32 and reenable CI.
      - Fixed CMake builds on FreeBSD.
      - Fixed the --prefix option for cmake --install.
      - Fixed tests for MinGW due to missing sh(1).

Klemens Nanni (kn@) committed a change removing misleading messages on package update:

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2025/04/28 12:56:25

Modified files:
	usr.sbin/pkg_add/OpenBSD: Delete.pm 

Log message:
Stop advising to remove files on update

The following only make sense on for pkg_delete(1), yet pkg_add(1) prints
them as well, which is confusing at best and trips up way too many people:
"You should also run ..." (often "rm -rf /something/important*")
"You should also remove ..."

No longer print those when -u is used.
There may be some commands

"i like it" ian kirill
OK phessler kmos

Quieter and more accurate updates - what's not to like?

As we saw recently in the Graphed and measured: running TCP input in parallel story, Alexander Bluhm (bluhm@) has been working on parallel TCP input, finally making tcp_input() MP-safe. This work has now been committed,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Alexander Bluhm <bluhm () openbsd ! org>
Date:       2025-04-26 13:58:08
CVSROOT:	/cvs
Module name:	src
Changes by:	bluhm@cvs.openbsd.org	2025/04/26 07:58:08

Modified files:
	sys/netinet    : in_proto.c 
	sys/netinet6   : in6_proto.c 

Log message:
Run TCP input in parallel on multiple CPUs.

The OpenBSD project has announced OpenBSD 7.7, its 58^th release.

The new release contains a number of significant improvements, including but certainly not limited to:

• Multiple SMP improvements have been made. TCP output and TCP timers now run in parallel. Only TCP input still uses exclusive netlock.
• drm(4) has been updated to to Linux 6.12.21
• Performance policy specification is now more flexible. [See earlier report]
• sysctl(8) now supports an input file. [See earlier report]
• Improvements to network hardware support include new drivers ice(4) for Intel E810 Ethernet devices, and ixv(4) for virtual functions of Intel 82598EB, 82559, and X540.
• By default, sysupgrade(8) now upgrades to the next release. [See earlier report]
• fw_update(8) now supports arbitrary dmesg files. [See earlier report]
• Support for FRAME sockets was added. [See earlier report]
• ifconfig scan can now detect/display WPA3 access points.
• (Limited) EFI boot manager support has been added to installboot(8).
• unwind(8) now supports wildcards in block list. [See earlier report]
• rpki-client(8) now has a stricter aging policy for Trust Anchor certificates. [See earlier report]
• LibreSSL 4.1.0 [See earlier report for version 4.0.0]
• OpenSSH 10.0 [See earlier reports on sshd(8) splitting, and on release]

See the full changelog for more details of the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).

Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!