The OpenBSD project has released OpenBSD 7.0, the project's 51^st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

• Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
• /etc/bsd.re-config(5) was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
• Hibernate time has been reduced. [See earlier report.]
• The timeout(1) utility was imported from NetBSD. [See earlier report.]
• openrsync(1) now has include and exclude options. [See earlier report.]
• doas(1) will now retry up to 3 times on password authentication failure.
• ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
• xterm(1) is now unveiled. [See earlier report.]
• printf(3) and friends now log an error and abort when confronted with format %n.
• iked(8) now has client-side support for DNS configuration. [See earlier report.]
• traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
• dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing sending DNS nameserver prooposals to resolvd(8) over the routing socket.
• In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
• In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to using the original scp/rcp protocol by default.]

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

In the run-up to the OpenBSD 7.0 release, we note several recent interesting things previously unreported:

• The 7.0 release song is available.
• The loongson hardware platform has been retired. The upcoming OpenBSD 7.0 will be the last release to support this platform.
• On tech@, Stefan Sperling (stsp@) has requested testing of a patch adding initial 40Mhz channel support for iwm(4).
• Mark Kettenis (kettenis@) added support for Apple M1 to U-Boot -- also see Bryan Steele's mastodon link.
• Brian Callahan (bcallah@ when wearing his OpenBSD hat) has been interviewed by the good folks at at BSD Now.

As a result of a licence change by Realtek, that company's wireless firmware images are now included in the tree. The following commit by Kevin Lo (kevlo@) explains the details:

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.

The syspatches (for OpenBSD 6.8, 032, for OpenBSD 6.9, 018) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.

EuroBSDCon 2021 was held [virtually] earlier this month. Videos of the presentation are now available.

Amongst the OpenBSD-related presentations is that by Marc Espie (espie@) - Debug Packages in OpenBSD (slides, video).

Thanks to a commit by Damien Miller (djm@), scp(1) (in -current) now defaults to using the SFTP protocol:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2021/09/08 17:31:39

Modified files:
	usr.bin/ssh    : scp.1 scp.c 

Log message:
Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.

Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.

ok deraadt, after baking in snaps for a while without incident

As explained in the OpenSSH Release Notes,

SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.

In a recent message to tech@ Martin Pieuchot (mpi@) wrote about analysis of kernel lock contention. We reproduce the message(s) here, reformatted with his permission.

Unlocking UVM [virtual memory - Ed.] faults makes build time decrease a lot and improve the overall latency of mixed userland workload. In other words it gives a smoother feeling for "desktop usage": it is now possible to do 'make -j17' and watch a HD video at the same time.

Florian Obser (florian@) has committed a significant speed boost for traceroute(8):

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/09/03 03:13:00

Modified files:
	usr.sbin/traceroute: Makefile traceroute.8 traceroute.c 
	                     traceroute.h worker.c 

Log message:
Make traceroute(8) faster by sending probes and doing DNS async.

Traditional traceroute would send one probe and then wait for up to 5
seconds for a reply and then send the next probe. On a lossy link that
eventually ends in a black hole this would take about 15 minutes and
people would hit control-c in anger.

This rewrites the traceroute engine to use libevent and asr's async
DNS interface. Probes are now send every 30ms or as soon as we get an
answer back. With that we got the 15 minute worse case down to about
10 seconds.

A minor adjustment that is possible with this is to delay printing a
line until we get to a line with answers. This has two effects:

1) If there are intermediate hops that don't answer, output pauses for
a bit so we keep the visual cue of "something might be wrong here".
2) If there is a black hole at the end, we don't print out many "* * *"
lines and thus scrolling the interesting bits out of the terminal.
We collapse those lines and just print
64 * * *
at the end.

Unfortunately the -c option to send udp probes to a fixed port had to
go for now. But we should be able to add it back.

"Once you have seen the new one you can't go back to the old one" &
enthusiastic OK deraadt@
OK sthen@
"I am very distressed that florian went to bed without committing it"
beck@

Florian tooted links to recordings showing the old and new behaviours with an earlier version of this work.

With the following commit, Matthieu Herrb (matthieu@) gave xterm(1) some unveil(2) goodness:

CVSROOT:	/cvs
Module name:	xenocara
Changes by:	matthieu@cvs.openbsd.org	2021/09/02 03:31:38

Modified files:
	app/xterm      : main.c 

Log message:
Unveil paths needed by xterm at run-time. work with tb@ and deraadt@

Only in (default) case where there are no exec-formatted or
exec-selected resources set. In those case the commands and their
arguments could be anywhere.