A long standing and somewhat odd conflict between two OpenBSD security mechanisms, pledge(2) and unveil(2) has been resolved by eliminating the tmppath promise from what pledge(2) offers.

The commit by Theo de Raadt (deraadt@) comes with an explanation in the commit message, which reads

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2026-02-26 7:42:26
CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2026/02/26 00:42:26

Modified files:
	sys/sys        : pledge.h 
	sys/kern       : kern_pledge.c 
	lib/libc/sys   : pledge.2 

Log message:
pledge "tmppath" goes away because it sucks.  The history is kind of
sad:  unveil(2) was invented by Bob Beck and myself because a couple
of us struggled and couldn't expand the "tmppath" mechanism to general use.

Dave Voutila (dv@) has continued his work on moving vmd(8) to a multi-process model. (Undeadly first reported on this in 2023.) This time the virtio scsi device has been converted to a subprocess:

CVSROOT:	/cvs
Module name:	src
Changes by:	dv@cvs.openbsd.org	2026/02/22 15:54:54

Modified files:
	usr.sbin/vmd   : vioscsi.c virtio.c virtio.h vmd.c vmd.h 

Log message:
vmd(8): convert virtio scsi device to a subprocess.

Break the virtio scsi device (used as a cd-rom drive) into a
subprocess like the virtio block and network devices. This leaves
only the entropy device (viornd) and vmmci device running in-process
with the vcpus.

ok mlarkin@

Version 0.123 of Game of Trees has been released (and the port updated):

Every OpenBSD admin has booted bsd.rd at least once — to install, upgrade, or rescue a broken system. But few people stop to look at what’s actually inside that file.

In this article over at the OpenBSD Jumpstart site, they take a look at just that.

The contents and format of the bsd.rd ramdisk kernel is shown, so you can understand and customize it for your own needs.

Enjoy!

Version 0.122 of Game of Trees has been released (and the port updated):

Version 0.121 of Game of Trees has been released (and the port updated):

In a move likely to be welcomed by users of streaming video services, Robert Nagy (robert@) has added a port for OpenWV (a free and open-source reimplementation of Google's Widevine CDM), and enabled its use with the chromium port:

Seasoned networkers will know to tell you that legacy IPv4 and modern IPv6 are, in fact, not directly compatible, and shipping traffic between IPv4 and IPv6 networks requires address family translation.

On our favorite operating system and its siblings, that special case has been handled via the af-to option and special case rules since back in the OpenBSD 5.1 days.

But that special case has always felt a bit awkward to some, and now David Gwynne (dlg@) is airing a patch on tech@ with a view to making af-to "less magical".

In the message titled pf: make af-to less magical, David explains the motivation,

List:       openbsd-tech
Subject:    pf: make af-to less magical
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2026-01-16 2:11:57
Message-ID: aWmebWvdwBi6z98j () animata ! net

i only recently figured out that af-to is very special in pf, but i dont
think it should be.

currently af-to has the following restrictions:

1. it only works for incoming packets, ie, you can only use it on "pass
in" rules in pf.

2. it forces the translated packet to be forwarded.

a consequence of these, and 2 in particular, is that only one state is
created for an af-to connection over the firewall. this is unlike other
forwarded connections where there's generally two states created, one
when the packet comes in from the wire into the stack, and another when
the packet goes out from the stack to the wire.

Following a recent series of commits by Helg Bredow (helg@) and Stefan Fritsch (sf@), OpenBSD/arm64 now works as a guest operating system under the Apple Hypervisor.

The commits read

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Helg Bredow <helg () cvs ! openbsd ! org>
Date:       2026-01-12 18:15:33


CVSROOT:	/cvs
Module name:	src
Changes by:	helg@cvs.openbsd.org	2026/01/12 11:15:33

Modified files:
	sys/dev/pv     : viogpu.c 

Log message:
viogpu_wsmmap() returns a kva but instead should return a physical
address via bus_dmamem_mmap(9). Without this, QEMU would only show a
black screen when starting X11. On the Apple Hypervisor, the kernel
would panic.