OpenBSD Journal
Home : : Add Story : : Archives : : About : : Create Account : : Login :
Signed Installs, Upgrades, and Packages
Contributed by tbert on Tue Jan 21 11:43:30 2014 (GMT)
from the puffy's-signature-is-$10-a-pop dept.

Marc Espie (espie@) lets the cat out of the bag:

It's probably time to talk about it.

Yes, we are now distributing signed packages.  A lot of people have probably
noticed because there was a key mismatch on at least one batch of signed

Obviously, we haven't finished testing yet.

Don't read too much into that.  "Signed packages" just mean you can use
an insecure medium, such as ftp, to download packages: if the key matches,
it means the package hasn't been tampered with since it was signed.

The cryptographic framework used to sign packages is called signify(1),
mostly written by Ted Unangst, with a lot of feedback from (mostly) Theo
and I.

The signing framework in pkg_add/pkg_create is much older than that, if
was written for x509 a few years ago, but signify(1) will probably be more
robust and ways simpler.  In particular, there's no "chain-of-trust", so
you keep complete control on the sources YOU trust.

Signatures should be transparent in use: the package is opened, the 
packing-list signature is checked, and then files are checksummed while
extracted against the packing-list embedded checksums (there are provisions
to ensure any dangerous meta-data is also encoded in the packing-list as
@mode/@user/@group annotations.

So, barring problems, you shouldn't even notice signatures.

And Theo de Raadt (deraadt@) talks about signed base sets for installations and upgrades:

[ 15 comments 192d12:58 ago ] (flat) (expanded)

ruBSD: interviews with Theo and Henning
Contributed by tbert on Wed Jan 15 05:48:28 2014 (GMT)
from the from-russia-with-love dept.

Last December Russian tech giant Yandex organised first ruBSD event in Moscow. OpenBSD developers Theo de Raadt, Henning Brauer and Mike Belopuhov gave three talks on different topics. There were interviews with Theo and Henning recorded as well. Theo spoke about current adoption of mitigation techniques in other OSes and state of OpenBSD project. Henning gave a history overview of PF.

All talks and interviews available online and for download.

Theo de Raadt: Exploit Mitigation Techniques: an Update After 10 Years (slides, video and interview)
Henning Brauer: OpenBSD's pf: Design, Implementation and Future (slides, video and interview)
Mike Belopuhov: OpenBSD: Where is crypto headed? (slides and video)

[ 1 comment 192d11:22 ago ] (flat) (expanded)

Urgent Request for Funding OpenBSD HQ's Electricity
Contributed by pitrh on Mon Jan 13 07:57:49 2014 (GMT)
from the do pufferfish dream of electric eels dept.

OpenBSD supports a wide range of hardware architectures, and for practical and logistical reasons there are few places in the world that have them all in one place except OpenBSD headquarters, see eg this picture, which shows a subset of the machines involved in building OpenBSD releases.

But keeping all this hardware running involves a considerable electricity bill, and Theo de Raadt (deraadt@) is asking for help, preferably in the form of a company willing to specifically sponsor the project's electricity bill.

See the message to openbsd-misc titled Request for Funding our Electricity for details, and if you are in a position to move on this, please do whatever it takes.

[ 263 comments 179d2:13 ago ] (flat) (expanded)

OpenBSD-current is now 5.5-beta
Contributed by pitrh on Mon Jan 13 05:50:53 2014 (GMT)
from the the-high-five-five dept.

Yes, folks, it's that time of the year again. With this commit, Theo de Raadt (deraadt@) cranked the version strings and turned 5.4-current into 5.5-beta.

Subject:    CVS: src
From:       Theo de Raadt 
Date:       2014-01-12 11:26:10

Module name:	src
Changes by:	2014/01/12 04:26:09

Modified files:
	sys/conf       : 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	etc/root       : root.mail 
	sys/sys        : param.h 
	share/mk       : 

Log message:
crank to 5.5beta

You know the drill, folks: Time to head over to the changelog page and see what the upcoming goodies are (newqueue and automated install comes to mind), then install and test! New snapshots with a 5.5-beta version tag should be appearing on your favorite mirror shortly (and has been spotted at the .eu mirror).

[ 0 comments ] (flat) (expanded)

Call For Testing Of OpenBSD Automatic Installation
Contributed by tbert on Tue Jan 14 10:03:51 2014 (GMT)
from the unattended-consequences dept.

As we mentioned previously the OpenBSD developers have been working on adding support for unattended, automatic installation and configuration of the operating system. The new support is still a work in progress and the developers need help from the community to test the new features and report their findings.

If you'd like to help out with the testing, you'll need to be following -current by running snapshots. Information on PXE booting can be found at the "FAQ 6.10 - How do I boot using PXE?" entry as well as the pxeboot(8/i386) and pxeboot(8/amd64) manuals. For instructions, read the "Preparing an unattended installation of OpenBSD" section of the "INSTALL.${arch}" file (e.g. "INSTALL.amd64") found in the same directory as the installation sets. Even if everything works perfectly for you, it's still helpful to report your test results on the tech@ OpenBSD mail lists.

Check below the fold for what a successful install looks like.

[ 6 comments 192d13:30 ago ] (flat) (expanded)

mdocml-1.12.3 Released
Contributed by tbert on Thu Jan 2 06:57:37 2014 (GMT)
from the man-of-docs dept.

Ingo Schwarze (schwarze@) wrote in to tell us about the new release of mdocml (mandoc):

I have just released version 1.12.3 of mdocml = mandoc on

This is a stable maintenance and bugfix release not changing any major functionality or interfaces. All users and downstream distributions are encouraged to upgrade from whatever earlier version they happen to be using.

The two main new features are in mdoc(7) parsing and output: In the SYNOPSIS, function declarations now break the line at better places and indent more nicely. This was accomplished with help from Franco Fichtner (franco@DragonFlyBSD). And mdoc(7) macro arguments now handle the quoting of quote characters correctly, thanks to a patch from Tsugutomo ENAMI (enami@NetBSD). There are several additional bug fixes and tiny new features; for more details, see

[ 0 comments ] (flat) (expanded)

Heads Up: atexit(3) Moved
Contributed by tbert on Wed Jan 1 06:25:06 2014 (GMT)
from the cant-find-the-right-door dept.

Due to internal changes in how atexit(3) is implemented, upgrades from source require a special set of steps:

To support the use of atexit(3) in dynamically loaded shared objects, atexit(3) is now
provided by the C runtime startup files. If you want to upgrade via source you will need
to build and install new C runtime startup files first:

  cd /usr/src/lib/csu
  make clean
  make obj
  make depend
  make install

Now you can follow the standard procedure outlined in release(8).

[ 0 comments ] (flat) (expanded)

Boot-Time Randomness
Contributed by tbert on Mon Dec 30 16:57:31 2013 (GMT)
from the mathematically-impossible-to-guess-what-you-got-for-christmas dept.

Initial support for boot-time availability of high-quality random numbers has been committed:

From: Theo de Raadt 
Subject: Randomization from the bootblocks

Over the holidays I've written code to do something we've
talked about for a long time but never gotten around to.

The bootblocks are now capable of providing entropy to the
kernel very early on.

This requires an upgrade of the bootblocks and at least
/etc/rc (which saves an entropy file for future use).  Some
bootblocks will be able to use machine-dependent features
to improve the entropy even further (for instance using
random instructions or fast-running counters or such).

As a result, the kernel can start using arc4random()
exceedingly early on, even before interrupt entropy is
collected.  The randomization subsystem can hopefully
become simpler due to this early entropy.. there is more
work do here.

At least i386, amd64, macppc, sparc64, hppa, and loongson
are supported.  Hopefully the others are not far behind.

Because many in-kernel consumers of randomness are initialised very early, this means that the in-kernel protections derived from randomness should now be much better.

[ 0 comments ] (flat) (expanded)

Heads Up: i386 moves to PIE
Contributed by tbert on Sun Dec 29 12:53:37 2013 (GMT)
from the cake-is-a-lie dept.

Following up on the commit that enabled the change, Theo de Raadt (deraadt@) wrote in to tech@ with a note concerning care to be taken during upgrades now that i386 runs PIE executables.

From: Theo de Raadt 
Subject: i386 switched to PIE

The i386 architecture has now been switched to PIE.  There is a small
performance hit, but this part of ASLR is valuable combined with
W^X and the stack protector.

This is a non-trivial upgrade, so please be careful.  Check the FAQ
for details or use a snapshot.

As it says in the commit message, special steps are required for upgrading from source, so check the instructions for doing so, if not upgrading via snapshots.

[ 0 comments ] (flat) (expanded)

Support OpenBSD!

Donate to OpenBSD

Buy OpenBSD products


We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

Older Stuff
Tuesday, December 24
14:43 BSDNow Episode 016: Cryptocrystalline (0)
13:03 strlcpy(3) Use in 3rd Party Software (1)
15:33 OpenSMTP Update(s) (1)
Monday, December 23
08:03 OpenBSD ruBSD Talks Online (5)
Wednesday, December 18
05:11 USENIX LISA 2013 Managing Access Using SSH Keys [video] (0)
Tuesday, December 17
08:19 tmpfs Enabled in -current (14)
Friday, December 13
15:04 BSDCan 2014 CFP (0)
Tuesday, December 10
09:39 FuguIta - An OpenBSD 5.4 + Patches LiveCD/LiveUSB (3)
Wednesday, December 04
09:02 ChaCha20 and Poly1305 in OpenSSH (6)

Older Stuff...
Yesterday's Edition...

OpenBSD Errata

OpenBSD Resources

Users wishing RSS/RDF summary files of OpenBSD Journal, can retrieve: [xml]

[ Home | Add Story | Archives | Polls | About ]

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]