Some readers will be aware that Miod Vallat (miod@) has been chronicling some of the more challenging parts of OpenBSD development in his OpenBSD stories collection for a while now.

The latest entry is the full OpenBSD on SGI: a rollercoaster story, which is also available in six parts,

A missed opportunity, 1988-1998
Individual efforts, 200-2004
The blowfish awakens, 2004-2006
Tinkering on big iron, 2007-2008
Hardware galore, 2009
The last challenges, 2010-2021

for those of us who like to take it in as smaller chunks, or all articles as one file.

It's a story some thirty years in the making and telling. Enjoy!

A long standing and somewhat odd conflict between two OpenBSD security mechanisms, pledge(2) and unveil(2) has been resolved by eliminating the tmppath promise from what pledge(2) offers.

The commit by Theo de Raadt (deraadt@) comes with an explanation in the commit message, which reads

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2026-02-26 7:42:26
CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2026/02/26 00:42:26

Modified files:
	sys/sys        : pledge.h 
	sys/kern       : kern_pledge.c 
	lib/libc/sys   : pledge.2 

Log message:
pledge "tmppath" goes away because it sucks.  The history is kind of
sad:  unveil(2) was invented by Bob Beck and myself because a couple
of us struggled and couldn't expand the "tmppath" mechanism to general use.

Dave Voutila (dv@) has continued his work on moving vmd(8) to a multi-process model. (Undeadly first reported on this in 2023.) This time the virtio scsi device has been converted to a subprocess:

CVSROOT:	/cvs
Module name:	src
Changes by:	dv@cvs.openbsd.org	2026/02/22 15:54:54

Modified files:
	usr.sbin/vmd   : vioscsi.c virtio.c virtio.h vmd.c vmd.h 

Log message:
vmd(8): convert virtio scsi device to a subprocess.

Break the virtio scsi device (used as a cd-rom drive) into a
subprocess like the virtio block and network devices. This leaves
only the entropy device (viornd) and vmmci device running in-process
with the vcpus.

ok mlarkin@

Version 0.123 of Game of Trees has been released (and the port updated):

Every OpenBSD admin has booted bsd.rd at least once — to install, upgrade, or rescue a broken system. But few people stop to look at what’s actually inside that file.

In this article over at the OpenBSD Jumpstart site, they take a look at just that.

The contents and format of the bsd.rd ramdisk kernel is shown, so you can understand and customize it for your own needs.

Enjoy!

Version 0.122 of Game of Trees has been released (and the port updated):

Version 0.121 of Game of Trees has been released (and the port updated):

In a move likely to be welcomed by users of streaming video services, Robert Nagy (robert@) has added a port for OpenWV (a free and open-source reimplementation of Google's Widevine CDM), and enabled its use with the chromium port:

Seasoned networkers will know to tell you that legacy IPv4 and modern IPv6 are, in fact, not directly compatible, and shipping traffic between IPv4 and IPv6 networks requires address family translation.

On our favorite operating system and its siblings, that special case has been handled via the af-to option and special case rules since back in the OpenBSD 5.1 days.

But that special case has always felt a bit awkward to some, and now David Gwynne (dlg@) is airing a patch on tech@ with a view to making af-to "less magical".

In the message titled pf: make af-to less magical, David explains the motivation,

List:       openbsd-tech
Subject:    pf: make af-to less magical
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2026-01-16 2:11:57
Message-ID: aWmebWvdwBi6z98j () animata ! net

i only recently figured out that af-to is very special in pf, but i dont
think it should be.

currently af-to has the following restrictions:

1. it only works for incoming packets, ie, you can only use it on "pass
in" rules in pf.

2. it forces the translated packet to be forwarded.

a consequence of these, and 2 in particular, is that only one state is
created for an af-to connection over the firewall. this is unlike other
forwarded connections where there's generally two states created, one
when the packet comes in from the wire into the stack, and another when
the packet goes out from the stack to the wire.