With a message from Claudio Jeker (claudio@), the OpenBSD project today announced the release of the OpenBSD BGP (Border Gateway Protocol) daemon OpenBGPD, version 8.2.

The announcement reads,

From: Claudio Jeker <claudio () openbsd ! org>
Date: Mon, 02 Oct 2023 10:22:39 +0000
To: openbsd-announce
Subject: OpenBGPD 8.2 released

We have released OpenBGPD 8.2, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

Many OpenBSD sysadmins find the sysclean(8) port useful for removing obsolete files following upgrades.

Sebastien Marie (semarie@), the author of sysclean(8), has written a piece giving an under-the-hood look at the operation of this handy utility. It's well worth reading for those interested in understanding how it works!

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.4:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/09/26 07:27:32

Modified files:
	sys/conf       : newvers.sh 

Log message:
we are heading out of -beta

For those unfamiliar with the process: this is not the 7.4 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add (and pkg_info).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Theo de Raadt (deraadt@) posted to tech@ a detailed message explaining the past and (potential) future of anti-ROP measures in OpenBSD.

It's well worth reading its entirety. Highlights include:

Years later, Todd Mortimer and I developed RETGUARD.  At the start of
that initiative he proposed we protect all functions, to try to guard
all the RET instructions, and therefore achieve a state we call
"ROP-free".  I felt this was impossible, but after a couple hurdles the
RETGUARD performance was vastly better than the stack protector and we
were able to protect all functions and get to ROP-free (on fixed-sized
instruction architecures).  Performance was acceptable to trade against
improved security.
[…]
We were able to enable RETGUARD on all functions because it was fast.
[…]
On the other hand the RETGUARD approach uses an illegal instruction (of
some sort), which is a speculation barrier. That prevents the cpu from
heading off into an alternative set of weeds.  It will go decode more
instructions along the post-RET execution path.

I filed that idea as interesting but did nothing with it.  Until now.

Like we said earlier, it is worth reading the whole thing! This points forward to some remarkable improvements on several architectures, and those changes could be a clear benefit for other systems too.

Frederic Cambus (fcambus@) wrote a blogpost about running OpenBSD on the arm64-based cloudservers provided by Hetzner. For now, only -current will work, because the new viogpu(4) driver [on which we reported earlier] is needed.

Head on over to Frederic's blog for the full story!

EuroBSDCon 2023 has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.

Video of the presentations can be expected somewhat later.

Slides from the tutorial "Network Management with the OpenBSD Packet Filter Toolset" are also available.

Version 0.93 of Game of Trees has been released (and the port updated).

With the following commit(s), Theo de Raadt (deraadt@) moved -current to version 7.4-beta:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/09/18 07:16:13

Modified files:
	share/mk       : sys.mk 
	etc/root       : root.mail 
	sys/conf       : newvers.sh 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	usr.bin/signify: signify.1 

Log message:
crank to 7.4-beta

Snapshots are (already) available for several platforms. At the time of writing, there are a mixture of 7.3 and 7.4 files on at least some mirrors, so readers are advised that problems may occur.

(Regular readers will know what comes next…)

This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

We are pleased to have another p2k23 report, this time from Volker Schlecht (volker@) who writes:

"Ladies and Gentlemen, our plane is equipped with two engines, and I'm afraid I need to tell you that the one that you see to your right won't start right now…"
As with several other developers my trip to p2k23 didn't exactly start off as planned. Eventually the engine did start, though (and I'm glad to report it stayed on, too) and I made it to Dublin.