------------------------------------------------------------------------
- OpenBSD 7.7 RELEASED -------------------------------------------------
April 28, 2025.
We are pleased to announce the official release of OpenBSD 7.7.
This is our 58th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.
As in our previous releases, 7.7 provides significant improvements,
including new features, in nearly all areas of the system:
- Platforms specific improvements:
o arm64:
- Set AP power state, fixing the SMC initialization on the M1
MacBook with the latest system firmware.
- Implemented a new pmap_populate() interface on arm64 and
riscv64 to help pmap_enter(9) succeed when there's enough
free physical memory but we can't allocate KVA to map that
memory.
- Optimized pmap teardown by skipping TLB flushes, giving ~5%
performance boost for kernel build.
- Enabled PAC on hardware that uses the new QARMA3 cipher.
- Implemented support for SVE (Scalable Vector Extension).
o amd64:
- Added the ability for bus_dmamem_alloc(9) to recognize the
BUS_DMA_64BIT flag and allocate memory for DMA without any
4GB restrictions on amd64.
- Allowed boot loader to run as AMD SEV guest on QEMU with EFI.
- Allowed kernel boot on QEMU with AMD SEV.
- Allowed use of MSI with the QEMU default pc-i440fx machine.
- Stopped amd64 leak of kernel stack guard pages.
- Implemented the AMD SEV psp(4) download firmware command to
load new firmware onto the chip and made the AMD SEV
automatically load psp(4) firmware during vmd(8) startup.
o Other architectures:
- Fixed riscv64 sigcode copying and put riscv64 sigcode in the
.rodata memory section.
- Implemented an interrupt depth counter on sparc64.
- Moved the hppa stack 1GB higher.
- On i386, improved the stability in low-memory situations,
especially for MP.
- Fixed a powerpc64 bug where a pte could be put into an
incorrect pteg, leading to a crash.
- Changed luna88k disklabel labeloffset to 0.
o More platform specific changes can be found in the hardware
support section below.
- Various kernel improvements:
o Improved responsiveness in OOM situations and made free target
checks coherent.
o Removed the ability to specify a root, dump or swap device on
st(4).
o In uvm, prevent a race where a mapped object is being truncated
while we are spinning to unwire it.
o Optimized page daemon active and inactive list traversals when
looking only for low pages.
o Added a helper to check if memory has been freed for a given
request to improve speed of the page daemon loop.
o Started accounting for in-flight pages being written to disk when
the page daemon is computing page shortage.
o Adjusted the ptrace interface to properly support single-threaded
continue and make it possible to use breakpoints in multi-threaded
processes in gdb.
o Add ptrace(2) commands used to read/write the XSAVE area of a
traced process.
o Correctly honored the count optional argument of the ddb(4) break
command, ensuring execution does not stop until the breakpoint is
hit at least that many times.
o Taught ddb(4) how to disassemble endbr64.
o Moved dt(4) to using a ringbuffer per CPU.
o Added 'socket' refcnt type to dt(4).
o Made btrace(8) support additional interval/profile units (hz, us,
ms, s).
o Added multi-line strings support to the bt(5) script parser.
o Added kern.audio.kbdcontrol sysctl(2) variable, allowing the
volume keys on multimedia keyboards to be handled as regular keys
if set to 0.
o Implement bus_dma(9) bounce buffering for raw memory.
o Started ignoring sub-nodes of non-functional nodes in the ACPI
tree walk to fix double and triple attachments of the same PCIe
root bridges.
o Suspend/Hibernate Support
- Ensured all hibernate data is written inside the allocated
chunk of swap.
- Removed unneeded zeroing of free pages during hibernate.
- Corrected hibernate error detection during RLE writes.
- Ensured hibernate fails when I/O or memory allocation errors
occur.
o Bugfixes
- Fixed a (mostly) hypothetical race in pinsyscalls(2) by
making it return an error if called in a multi-threaded
process.
- Fixed CPU idle percentage in top(1) on macppc.
- Reworked how processes are stopped because of a signal. Now
multithreaded processes can be reliably stopped and
continued. This should fix problems seen in golang, mpv and
in our regress tests.
- Fix possible races of changes to the per-process unveil data
structures by either pledge() [removing all path promises] or
unveil() [adding new paths], against namei() inspecting in
other thread system calls.
- SMP Improvements
o Unlocked sysctl kern.timeout_stats.
o Unlocked sysctl kern.allowkmem.
o Unlocked sysctl kern.video.record.
o Unlocked sysctl net.inet.gre.allow and net.inet.gre.wccp.
o Unlocked sysctl kern.global_ptrace.
o Unlocked sysctl kern.wxabort.
o Unlocked sysctl kern.malloc.kmemstat.
o Reduced kernel lock contention when tearing down file-backed
regions.
o Unlocked ptsignal, psignal and prsignal by using the ps_mtx
mutex(9).
o Used a mutex to make psp(4) MP safe.
o Locked send socket buffer for fstat(2) syscall.
o Made lock changes to reduce lock contention in __thrsleep and
__thrwakeup syscalls. go performance particularly benefits from
this.
o Unlocked virtio(4).
o Made `video_filtops' MP-safe.
o Run TCP output and TCP timers in parallel.
- TCP send(2) and recv(2) system calls use shared netlock.
Multiple userland threads can work on different sockets in
parallel.
- TCP output no longer blocks IP processing.
- TCP timer also use locks that are specific to the socket they
are working on, other network traffic can be processed by
different CPUs.
- Socket splicing is MP-safe for TCP.
- Some of the sysctl syscalls affecting TCP no longer block
network operations on other CPUs.
- Only TCP input still uses exclusive netlock and prevents
other parts of the network stack from running in parallel.
o Unlocked accept(2) for TCP sockets.
o Started using shared net lock when calling shutdown(2) on internet
socket.
o Reworked rwlocks to reduce pressure on the scheduler and
SCHED_LOCK.
o Pushed the KERNEL_LOCK() down to namei(9) in stat(2), lstat(2) &
fstatat(2) and Unlocked fstat(2).
o Unlocked wskbd(4) kqueue filterops.
o Used `ws_mtx' mutex(9) to make wsmux(4) filterops MP-safe.
o Unlocked open(2) and openat(2).
o Made wsmouse(4) and wstpad filterops MP-safe.
o Pushed KERNEL_LOCK() inside __realpath(2).
o Made wakeup of parent process in dowait6 reliable even without
kernel lock.
o Used ps_mtx mutex(9) to lock the child process that is being
checked by dowait6.
- Direct Rendering Manager and graphics drivers
o Updated drm(4) to Linux 6.12.21.
o amdgpu(4): Added kernel support for Ryzen AI 300 (Strix Point,
Strix Halo, Krackan Point), Radeon RX 9070 (Navi 48).
o inteldrm(4): Added support for Arrow Lake.
- VMM/VMD improvements
o Added an IPI for executing INVEPT to flush EPT on remote CPUs, a
first step toward allowing guest memory not to be wired by UVM.
o Implemented psp(4) shutdown command and ioctl(2) PSP_IOC_SHUTDOWN,
which will be used by vmd(8) to reset psp(4) on startup.
o Started using acpipci(4) on hypervisors. If the hypervisor cpuid
bit is set, use acpipci to attach PCI busses. As virtualization is
not that old, we can assume that in VMs we don't need the quirk
for old, broken ACPI. This solves problems with PCI BAR access and
recent SeaBIOS versions on QEMU.
- Various new userland features:
o Numerous changes to make the imsg API stricter and better, which
were followed by adapting all applications across the tree.
o Allow the user to provide an alternative perfpolicy when on
battery, extending the semantics of hw.perfpolicy to provide two
buttons to specify desired behavior. This gives users more
flexibility in setting the performance when AC-powered vs. battery
powered.
o Made calendar(1) use the environment variable RECIPIENT_EMAIL for
sending mails to.
o Made security(8) use GMT rather than the local timezone when
checking for changes in device nodes and setuid files. Avoids
false positives when changing timezones.
o Added a new variable PASSWDSKIP that can be set in
/etc/daily.local to prevent security(8) from complaining about
specific accounts that have no password. This is typically used
for services like anoncvs and gotd.
o Added [-f file] to sysctl(8) to apply sysctl.conf(5) in one go,
and started using it in rc(8) instead of a parser implemented in
ksh.
o Added support for read/write of xmm/ymm registers to lldb(1).
- Various bugfixes and tweaks in userland:
o Added wsconscfg(8) -g option to get the index of the current
virtual terminal.
o Made getgrouplist(3) always return the total number of groups
found.
o Ignore extra groups that don't fit in the buffer passed to
getgrouplist(3), providing only the kernel maximum of sixteen
groups.
o Prevent newsyslog(8) from running through time checks when an
entry needs to be rotated based on size.
o Changed ps(1) to print the session id (PID of the session leader)
instead of a pointer with display argument 'sess'.
o In cu(1), map ucom unit number to cuaU number using the same
scheme MAKEDEV uses, fixing problems with ucom units > 10.
o Made CPU frequencies human-readable with systat(1) sensors -h.
o Fixed a bug where getty(8) dx flag was supposed to set decctlq,
but was setting ixany instead.
o Made pkg_add(1) run ldconfig(8) after each updateset if the list
of shared libraries was changed.
o Corrected behavior of sed(1) c command to match POSIX.
o Make clang(1) -fzero-call-used-regs aware of the register used by
retguard. QEMU is using -fzero-call-used-regs, causing a crash.
o Disk partition information is now saved by security(8).
o Made security(8) ignore quota(1) files and all subdirectories of
/var/mail when checking the ownership and mode of mailboxes.
o Added pkg-config(1) support for relocatable .pc files.
o Made mandoc(1) "-T html" and "-T markdown" output translate ".%R
RFC <number>" to a hyperlink to rfc-editor.org.
o Support decimal fractions like "0.25i" in roff(7) scaled widths
and arithmetic operations in tbl(7) column widths, as needed for
some manual pages written with DocBook.
o When syslogd(8) acting as logserver with TLS (-S) and
client-certificates are used for authentication (-K), use the CN
from the client's certificate as hostname.
o Adjusted the alignment when df(1) prints inode columns. This makes
'df -hi' on systems with large partitions easier on the eyes.
o Made test(1) use timespeccmp() and st_mtim instead of comparing
st_mtime to fix comparison of files with modification times that
differ by less than a second.
o Made ksh(1) use timespeccmp() and st_mtim instead of comparing
st_mtime to fix comparison of files with modification times that
differ by less than a second.
o In ps(1) added a digit to vsz and rss to accommodate processes
using more memory.
o Updated tzfile(5) to 2025bgtz from
https://github.com/JodaOrg/global-tz.
o Updated libc/locale support including e.g. wcwidth(3) and the
iswalnum(3) family of functions to Unicode Version 15.0.0.
- Improved hardware support and driver bugfixes, including:
o Increased psp(4) timeouts, allowing the EPYC 9124 time to attach.
o Added PercentLoad sensor to upd(4), reporting the % of the
available UPS power drawn by output outlets.
o Fixed RunTimeToEmpty on some EATON models in upd(4).
o Improved the heuristic for detecting I2C devices (making type-A
ports on the Vivobook work in ACPI mode).
o Added support for CSI b control sequence (repeat last printed
character) to the wscons(4) vt100 emulation.
o Fixed simplefb(4) colours for BPP16 and BPP24.
o Added support for BPP16 16-bit color EFI framebuffer format as
offered by U-Boot.
o Implemented CSI s and CSI u to save and restore cursor position in
wscons(4).
o Made scaling available for normal wsmouse.4 mice, not just
touchpads.
o Added scmi(4) mailbox transport and perf protocol for CPU
frequency management on Snapdragon X Elite.
o Moved to send only a single reset during attach for ihidev(4)
devices, preventing issues with some devices like the built-in
keyboard on the ThinkPad T14s Gen 6.
o Changed the sdhc(4) bus power behavior to no longer perform a
power-off voltage switch request when the card is already
operating at the requested voltage.
o Implemented aplsmc(4) support for the new CHLS key used to control
the battery charge level in newer SMC firmware.
o Added pinctrl(4) support to the qciic(4) driver for Qualcomm
Snapdragon SoCs.
o Made qcpas(4) send APM_POWER_CHANGE events on AC/battery life
changes, allowing upowerd to react.
o Added qccpucp(4), a driver for the Qualcomm CPUSS Control
Processor (CPUCP) mailbox controller.
o Made qcpon(4) query hardware for the button state to detect
release even if the press event is missed, and to signal wakeup
when the button is pressed.
o Made qcscm(4) attach at acpi(4). This lets Qualcomm machines which
use qcscm(4) access EFI variables in ACPI mode. Some arm64
machines, like the Samsung Galaxy Book4 Edge can be successfully
installed with this change.
o Fixed support for AMD 600 series ahci(4) controller.
o Introduce a pckbc@acpi driver attachment that is use instead of
pckbc@isa when an interrupt configuration is incompatible with
legacy ISA. This unbreaks, among other things, the keyboards in
various Chromebooks.
o Implemented rkpmic(4) power down if the PMIC is marked as the
system power controller in the device tree.
o Added RK3399 support to rkusbphy(4).
o Added dwmmc(4) support for the "post-power-on-delay-ms" in the MMC
power sequencing.
o Implemented regulator-based signal voltage switch support in
dwmmc(4), fixing bootup on the MNT Reform2 with the RK3588 module.
o Added uvideo(4) support for Jabra PanaCast 20.
o Ensure uvideo(4) fills v4l2_capability correctly (allowing some
V4L consumers to use bus_info to identify the desired webcam when
attempting to switch devices).
o Added uvideo(4) support for devices which report bulk and
isochronous endpoints.
o Made uvideo(4) bypass unknown pixelformat to consumer rather than
rejecting unknown driver formats.
o Support colorformat from uvideo(4) device.
o Fixed a uvideo(4) crash on close of isochronous endpoint's webcam.
o Ensure uvideo(4) forwards frames with error bit to V4L consumers,
which adds support of the integrated camera on ThinkPad T14 Gen 5,
ThinkPad X1 Nano Gen 2, ThinkPad X13 and many other devices.
o Forced 32-bit accesses when reading 8-bit or 16-bit registers,
allowing use of xhci(4) on a Cadence xHCI controller as seen on
the Radxa Orion O6.
o Added USB 3.0 speed support to xhci(4) and uvideo(4).
o Fixed uaudio(4) devices that don't support sample rate changes.
o Added LED support for ikbd(4) keyboards.
o Added mtintc(4) a driver supporting interrupt controllers found on
MediaTek SoCs.
o Added mtrng(4), a driver supporting the 32-bit random number
generator on MediaTek SoCs.
o Added mtxhci(4), a driver for the xHCI USB controller found on
MediaTek SoCs, and enable it on armv7 and arm64.
- New or improved network hardware support:
o Added ice(4), a driver for Intel E810 Ethernet
(1Gb/10Gb/25Gb/50Gb/100Gb) devices.
o Increased receive mbuf size with LRO in vio(4), helping TCP splice
performance.
o Fixed xbf(4) and xnf(4) not attaching on XCP-ng 8.3/Xen 4.17.
o Added printing of number of queues and interrupt and Ethernet
address details to mcx(4).
o Fixed the bnxt(4) receive refill timeout to only refill rings that
are currently empty, preventing possible corruption and crashes.
o Added support for AX88772D to axen(4).
o Added ixv(4), a driver for virtual functions of Intel 82598EB,
82559 and X540.
o Enabled rx/tx checksum offloading on iavf(4).
o Added RSS/multiqueue support for AQC11x models ("aq2") in aq(4).
o Added support for reading EEPROM pages for aq(4) cards with SFP
slots.
o Started clearing the OACTIVE flag on transmit queues when ixl(4)
is reset.
- Added or improved wireless network drivers:
o Added support for MA devices to iwx(4).
o Restricted scanned channels appropriately when qwx(4) runs in a
fixed PHY mode.
o Add support for QCA2066 to qwx(4).
o Changed mtw(4) to only open bulk usb(4) pipes once for the
lifetime of the device.
- Installer, upgrade and bootloader improvements:
o On the macppc architecture, make ofwboot sync instruction cache
before entering kernel, preventing a potential boot failure.
o Made installboot(8) install a copy of the UEFI bootloader in
/efi/openbsd on the EFI system partition, allowing creation of
boot options for the firmware boot manager other OSes will leave
alone.
o Only install a second copy of the bootloader if the EFI System
Partition is at least 1MB to avoid filling up the tiny ESPs we
used to create a few releases ago.
o Made installboot(8) only set BootOrder if our boot option isn't
already part of it. This means sysupgrade (or reinstalls) will no
longer set OpenBSD as the default OS if users change the boot
order by some other means. Fresh installs will still make OpenBSD
the default OS.
o Added a -c option installboot(8) that sets up the machine to boot
from the specified disk, used on arm64 and amd64 with UEFI and
GPT.
o Added sysupgrade(8) -R #.# to try to use a specific release
version rather than the immediate +0.1.
o Provided a mechanism for getting required keys to sysupgrade(8)
older machines, providing a new set of keybundles signed by older
keys to allow sysupgrade to securely and automatically download
the required key.
o Added firmware keys to the signify key bundles. sysupgrade(8) will
now extract the firmware key also, allowing fw_update fetch the
most up-to-date firmware before upgrading.
o Added support to sysupgrade(8) to perform a sysupgrade from a
fileset stored on a filesystem. This is convenient for offline
machines.
o Made fw_update(8) -a mean all when downloading or installing, not
just deleting.
o Allowed fw_update(8) to download firmware without root.
o Added fw_update(8) -l flag to list drivers or files.
o Added -D option to fw_update(8) for using a different dmesg for
driver detection.
o Reworked the "Default IPv6 router?" question in the installer to
behave like the other questions.
o On amd64 with ACPI >= 5, assume that the installer booted in UEFI
mode and default to using a GUID Partition Table (GPT).
o Make IPv6 link-local scope identifiers in "HTTP Server?" answers
work in the installer.
o On updates using sysmerge(8), added options to interactive
sdiff(1) merge for choosing both sides of a diff.
- Security improvements:
o Added sshd-auth to the binaries that relink at boot.
o Split the user authentication code from the sshd-session binary
into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only. Splitting this code into a separate binary ensures
that the crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection.
o Unveiled mountd(8) privileged child's write to/create of mountdtab
file, and drop exec permission.
- New features in the network stack:
o Added an AF_FRAME socket domain and an IFT_ETHER protocol family
under it, allowing userland to use sockets to send and receive
Ethernet frames.
o Added tunneldf support to sec(4).
o Added use of Toeplitz hash for UDP and IPv6 TCP output, giving an
improvement in traffic distribution over the queues and 20%
performance increase with UDP send on v4/v6 and TCP send on v6
without pf.
o Implemented tun(4) network offloads between the kernel and
userland and introduced a new TUNSCAP ioctl .
o Implement a per-thread route cache by implementing a thread local
memory (struct netstack) that gets passed down the network stack.
For consecutive packets it can reuse the route to the same
destination.
- Further changes and bugfixes in the network stack:
o Replaced rwlock with iterator in UDP input multicast loop,
preventing a potential kernel crash.
o Ensure that the correct address family is used in ip_deliver() for
enqueuing a packet, fixing a problem with tunneling of different
address families.
o Let LLDP packets fall through to being handled on the port
interfaces for aggr(4) as mandated by the standard.
o Enabled multiqueue for vio(4).
o Let pppoe(4) data packets go through if_vinput instead of the
pppoeinq, improving throughput and possibly reducing packet loss.
o Fixed out-of-band data in somove(9) socket splicing.
o Added wg(4) logging of IP addresses of remote endpoints.
o Limited receive queue of loopback interfaces with 8192 packets,
preventing unlimited queues from reaching mbuf limits and making
network unusable on some architectures.
o Fixed TCP checksum for IPv6 packets with extension headers.
o Fixed incorrect ICMP error translation in af-to NAT, making
traceroute6 behind af-to to provide meaningful information.
o Fixed a 24-year old bug where various checks for broadcast packets
were mistakenly skipped, allowing one to send broadcast packets
without the SO_BROADCAST option.
o Prevented installation of path MTU routes for IPsec transport mode
SAs.
- The following changes were made to the pf(4) firewall:
o Allowed pfctl(8) specification of interface and queue bandwidths
greater than ~4Gbit.
o Fixed inpcb leak in divert(4) attach.
- Routing daemons and other userland network programs saw the following
improvements:
o Added iked(8) "natt" option that forces negotiation of nat-t (and
udpencap).
o Made radiusd(8) log the username when rejecting by ipcp.
o Added ifconfig(8) vxlan "[-]endpoint" command, to remove a tunnel
endpoint of a MAC address.
o Made ifconfig(8) scan display wpa3.
o Made tcpdump(8) print PPPoE tags as hex dumps.
o Improved lldp output of tcpdump(8).
o Added support for client certificates to relayd(8).
o Made acme-client(1) -v show the account URI from the Location
header sent by the server in response to the newAccount API call.
o Made acme-client(1) always print account URI on first creation of
an account key.
o Added TLS support to tcpbench(1).
o Started taking into account how long the ntpd(8) DNS probe takes
before deciding to punt.
o Added unwind(8) block list wildcard support using block list
entries starting with '.'.
o Implemented zoneversion EDNS option (RFC 9660) in dig(1).
o Adjusted rDNS lifetime to RFC 8106 default (minimum) value in
rad(8).
o Made nfsd(8) default to UDP when using only -n.
o Implemented iscsid(8) handling of HeaderDigest and DataDigest
params.
o Made iscsid send out all the values for session and connection
params for each login stage, keeping control of what is selected,
making it possible to connect to a lio target.
o Respect checksum offloading in dhcrelay(8) and dhcrelay6(8).
o Respect checksum offloading for incoming UDP in dhcpd(8).
o In smtpd(8),
- Fixed few imprecisions in forward(5) with regard to where and
when | and :include: are disallowed.
- Fixed the connect filter request documentation in
smtpd-filters(7).
- Proper handling of permanent failures in mail.lmtp(8),
previously all failures were considered temporary and so
delivery was attempted again.
o In bgpd(8),
- Cache the Adj-RIB-Out for sessions that have not been down
for more than 1h. This significantly improves synchronisation
time of peers that flap.
- Implement RFC 8538: Notification Message Support for BGP
Graceful Restart.
- Add support for RFC 8654, extended messages.
- In bgplgd add additional endpoints to query the Adj-RIB-In
and Adj-RIB-Out.
- Bump internal message size limit to 128k and handle up to 10
000 ASPA SPAS entries as suggested in
draft-ietf-sidrops-aspa-profile.
- Various improvements to the ibuf API including a new reader
API which is used to make all message parsing in bgpd memory
safe.
- Added support for IPsec and TCP MD5 to RTR sessions.
- Improve default multiproto capability announcement selection.
The default MP capability is only set if no other capability
is configured on the neighbor.
- The `reject as-set` configuration option now defaults to yes.
Route announcements with AS_SET segments in the AS_PATH
Attribute will be rejected. See
draft-ietf-idr-deprecate-as-set-confed-set for more
information.
- The RFC 8654 Extended Message configuration changed from
"announce extended (yes|no|enforce)" to "announce extended
message (yes|no|enforce)"
- RFC 8950 - Extended nexthop encoding support in the RIB.
- Preliminary support for EVPN in the RIB.
- When "transparent-as yes" is set, well-known BGP communities
are passed on according to RFC 7947. This means that IX Route
Servers transparently pass through NO_EXPORT, NO_ADVERTISE,
etc.
- Make the example bgpd.conf work out of the box with 4byte
ASN.
o In rpki-client(8),
- The generated BIRD config file was reworked. BIRD versions
1.x are no longer supported and the -T option to customize
the ROA table name was removed. The config file now includes
the ASPA-set by default and is therefore only compatible with
BIRD 2.16 and later. If compatibility with older BIRD
versions is required, the ASPA-set can be excluded with the
-A flag. Operators should delete any remaining bird1v4 and
bird1v6 output files.
- Validated ROA payloads from AS0 TALs are by default excluded
from the output files as they are not recommended for
automatic filtering of BGP routes. This precaution can be
overridden with the new -0 flag.
- Various improvements to the ibuf API, including a new reader
API which is used to make all message parsing in rpki-client
memory safe.
- Warn about gaps in manifest issuance. Such gaps can appear
for example if rpki-client isn't run frequently enough, if
there are issues with an RFC 8181 publication server or if
there is an operational error on the side of the CA.
- Work around a backward compatibility break accidentally
introduced in OpenSSL 3.4.0, which resulted in all RPKI
signed objects being rejected. Earlier and later versions of
OpenSSL are not affected.
- Improved validity period checking in file mode. The product's
lifetime and the expiration time of the signature path are
now taken into account.
- Better cleanup in case of a fallback from RRDP to RSYNC. In
rare circumstances, files were moved to the wrong place in
the cache.
- rpki-client now includes arin.tal which is no longer legally
encumbered.
- rpki-client reports Certification Authorities that do not
meaningfully participate in the RPKI as non-functional CAs.
By definition, a CA is non-functional if there is no
currently valid Manifest. The number of such CAs is printed
at the end of each run and more detailed information is
available in the JSON (-j) and ometrics (-m) output.
- Fix a problem where incorrect internal RRDP state handling in
rpki-client could lead to a denial of service.
- Termination of rsync child processes with SIGTERM is no
longer treated as an error if rpki-client has sent this
signal. This only affects openrsync.
- Do not exit filemode with an error if a .gbr or a .tak object
contains control characters in its UTF-8 strings. Instead,
only warn and emit a sanitized version in JSON output.
- tmux(1) improvements and bug fixes:
o Fixed grey color in tmux(1).
o Added a way to make the preview larger in tmux(1) tree mode.
o Fixed tmux(1) problems with pasted text being interpreted as
extended keys.
o Made tmux(1) only use default-shell for popups, returning to
/bin/sh for run-shell, if-shell and #().
o Added MSYSTEM to tmux(1) default update-environment.
o Added copy-mode-position-format to configure the tmux(1) position
indicator.
o Added -y flag to disable tmux(1) confirmation prompts in modes.
o Reworked tmux(1) copy mode commands ("send-keys -X") to parse the
arguments so that flags may be detected properly rather than just
looking for strings ("-O" and so on). Also added -C and -P flags
to the copy commands. -C prevents the commands from sending the
text to the clipboard and -P prevents them from adding the text as
a paste buffer.
o Added tmux(1) prompt-cursor-colour and prompt-cursor-style to set
the style of the cursor in the command prompt and remove the
emulated cursor.
o Added tmux(1) initial-repeat-time option to allow the first repeat
time to be increased and later reduced.
o Added a tmux(1) sixel_support format variable which is 1 if SIXEL
is supported (always 0 on OpenBSD).
o Allow control characters prefixed with C-v to be entered at the
tmux.1 command prompt.
o Added tmux(1) support for a scrollbar at the side of each pane
using new options pane-scrollbars, pane-scrollbars-positions and
pane-scrollbars-styles.
o Added tmux(1) option to control the input buffer size.
o Added tmux(1) scrollbar mouse support.
o Added a tmux(1) no-detach-on-destroy client option, useful for
control mode clients.
o Added tmux(1) scrollbar style parameters width and pad.
o Added copy-mode-position-style and copy-mode-selection-style
options to tmux(1).
o Added a tmux(1) option allowing users to override the width of
individual Unicode codepoints.
o Fixed mouse_hyperlink format in tmux(1) copy mode.
o Added S-Up and S-Down to move windows in tmux(1) tree mode.
o Made tmux(1) correctly skip wide characters in hyperlinks.
o Made tmux(1) only align panes and windows, not sessions.
- LibreSSL version 4.1.0
o Portable changes
- Added initial experimental support for loongarch64.
- Fixed compilation for mips32 and reenable CI.
- Fixed CMake builds on FreeBSD.
- Fixed the --prefix option for cmake --install.
- Fixed tests for MinGW due to missing sh(1).
o Internal improvements
- Cleaned up the error implementation.
- Many bug fixes and simplifications in the EC ASN.1 code.
- Corrected DER encoding for EC keys and parameters.
- Polished EC_POINT_{oct2point,point2oct}(3) internals.
- Rewrote the wNAF code for fast ECDSA verification.
- Improved the code setting compressed coordinates for EC
points.
- Reworked CPU capabilities detection for amd64 and aarch64.
- New SHA-1, SHA-256 and SHA-512 assembly implementations for
amd64. These make use of the SHA-NI instruction if it is
available and replace the perl-generated assembly optimized
for museum pieces. These are not yet enabled in
libressl-portable.
- New SHA-256 and SHA-512 assembly implementations for aarch64
making use of the ARM Cryptographic Extension (CE). Not yet
enabled in libressl-portable.
- New simplified, readable MD5 implementation for amd64.
- Rewrote BN_bn2binpad(3) and its lebin siblings.
- The BIGNUMs in EC_GROUP and EC_POINT are now heap allocated.
- Rewrote TS_ASN1_INTEGER_print_bio().
- Improved bit counter handling in MD5.
- Simplified and cleaned up the BN_RECP_CTX internals.
- Improved SM4 to match other symmetric ciphers more closely.
- Rewrote X509_NAME_oneline(3) and X509_NAME_print() using
CBS/CBB.
- CRLs are now cached in the issuer cache like certificates.
- Replaced combinations of BN_MONT_CTX_new(3)/set with an
internal BN_MONT_CTX_create().
- Replaced BN_bn2hex(3) reimplementation in openssl(1) ca with
a proper API call.
- Fixed integer overflows due to signed shift in obj_dat.c.
- Improved some X509_VERIFY_PARAM internals and avoid an out of
bounds read from public API.
- Imported ML-KEM 768 and 1024 from BoringSSL (not yet public
API).
o Compatibility changes
- Added an OPENSSL_INIT_NO_ATEXIT flag for
OPENSSL_init_crypto(3). It has no effect since LibreSSL
doesn't call atexit(3).
- Elliptic curve parameters are only accepted if they encode a
built-in curve.
- EC_METHOD is no longer public and the API exposing it has
been removed. This includes EC_GROUP_new(3),
EC_GFp_mont_method(3), EC_GROUP_method_of(3), and
EC_METHOD_get_field_type().
- The precomputation stubs for EC_GROUP were removed.
- The API setting Jacobian projective coordinates for a point
was removed as were EC_POINTs_{mul,make_affine}(3).
- All elliptic curves over fields with less than 224 bits and a
few more were removed from the built-in curves. This includes
all WTLS curves and P-192.
- It is no longer necessary to set RSA_FLAG_SIGN_VER to use the
sign and verify handlers set with RSA_meth_set_{sign,verify}.
- Removed the -C option to generate "C code" from the
openssl(1) dh, dhparam, dsaparam, ecparam, and x509
subcommands.
- Removed #error in headers when OPENSSL_NO_* is defined.
- CRYPTO_set_mem_functions(3) now matches OpenSSL 1.1 and
CRYPTO_set_mem_ex_functions() was removed.
- The tls_session_secret_cb_fn type now matches OpenSSL 1.1.
- Unexport X509_NAME_print(3) and X509_OBJECT_up_ref_count(3).
- const corrected UI_OpenSSL(3) and BN_MONT_CTX_copy(3).
- Support OPENSSL_NO_FILENAMES.
- Support SSL_OP_NO_RENEGOTIATION and
SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
- Export PKCS12_key_gen_uni() again.
o New features
- libtls has a new tls_peer_cert_common_name(3) API call to
retrieve the peer's common name without having to inspect the
PEM.
o Bug fixes
- Plugged a leak in eckey_compute_pubkey().
- Again allow the magic values -1, -2 and -3 for the salt
length of an RSA-PSS key in the EVP_PKEY_CTX_ctrl_str(3)
interface.
- Fixed a few memory leaks in legacy code.
o Documentation
- The remaining undocumented public EVP API is now documented.
- Reorganization of existing documentation for clarity and
accuracy.
o Testing and proactive security
- Improved regress coverage of the EC code.
- OpenSSH 10.0
o Security fixes
- sshd(8): fix the DisableForwarding directive, which was
failing to disable X11 forwarding and agent forwarding as
documented. X11 forwarding is disabled by default in the
server and agent forwarding is off by default in the client.
o Potentially incompatible changes
- This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.
- scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked
by scp & sftp. This disables implicit session creation by
these tools when ControlMaster was set to yes/auto by
configuration, which some users found surprising. This change
will not prevent scp/sftp from using an existing multiplexing
session if one had already been created.
- This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.
- sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as
the authentication code will be unloaded after the
authentication phase completes. This change should be largely
invisible to users, though some log messages may now come
from "sshd-auth" instead of "sshd-session". Downstream
distributors of OpenSSH will need to package the sshd-auth
binary.
- sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the
default key exchange in OpenSSH for the last 14 years.
- sshd(8): this release removes the implicit fallback to
compiled- in groups for Diffie-Hellman Group Exchange KEX
when the moduli file exists but does not contain moduli
within the client- requested range. The fallback behaviour
remains for the case where the moduli file does not exist at
all. This allows administrators more explicit control over
which DH groups will be selected, but can lead to connection
failures if the moduli file is edited incorrectly.
o New features
- ssh(1): the hybrid post-quantum algorithm
mlkem768x25519-sha256 is now used by default for key
agreement. This algorithm is considered to be safe against
attack by quantum computers, is guaranteed to be no less
strong than the popular curve25519-sha256 algorithm, has been
standardised by NIST and is considerably faster than the
previous default.
- ssh(1): prefer AES-GCM to AES-CTR mode when selecting a
cipher for the connection. The default cipher preference list
is now ChaCha20/Poly1305, AES-GCM (128/256) followed by
AES-CTR (128/192/256).
- ssh(1): add %-token and environment variable expansion to the
ssh_config SetEnv directive.
- ssh(1): allow %-token and environment variable expansion in
the ssh_config User directive, with the exception of %r and
%C which would be self-referential.
- ssh(1), sshd(8): add "Match version" support to ssh_config
and sshd_config. Allows matching on the local version of
OpenSSH, e.g. "Match version OpenSSH_10.*".
- ssh(1): add support for "Match sessiontype" to ssh_config.
Allows matching on the type of session initially requested,
either "shell" for interactive sessions, "exec" for command
execution sessions, "subsystem" for subsystem requests, such
as sftp, or "none" for transport/forwarding-only sessions.
- ssh(1): add support for "Match command ..." support to
ssh_config, allowing matching on the remote command as
specified on the command-line.
- ssh(1): allow 'Match tagged ""' and 'Match command ""' to
match empty tag and command values respectively.
- sshd(8): allow glob(3) patterns to be used in sshd_config
AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
- ssh(1): support the VersionAddendum in the client, mirroring
the option of the same name in the server.
- ssh-agent(1): the agent will now delete all loaded keys when
signaled with SIGUSR1. This allows deletion of keys without
having access to $SSH_AUTH_SOCK.
- ssh-keygen(1): support FIDO tokens that return no attestation
data, e.g. recent WinHello.
- ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
default FIDO application ID allow-list to be overridden.
- Add a work-in-progress tool to verify FIDO attestation blobs
that ssh-keygen can optionally write when enrolling FIDO
keys. This tool is available under
regress/misc/ssh-verify-attestation for experimentation but
is not installed by "make install".
- ssh-keygen(1): allow "-" as output file for moduli screening.
o Bugfixes
- sshd(8): remove assumption that the sshd_config and any
configs it includes can fit in a (possibly enlarged) socket
buffer. Previously it was possible to create a sufficiently
large configuration that could cause sshd to fail to accept
any connection. sshd(8) will now actively manage sending its
config to the sshd-session sub-process.
- ssh(1): don't start the ObscureKeystrokeTiming mitigations if
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this
setting is enabled.
- ssh(1): prohibit the comma character in hostnames accepted,
but allow an underscore as the first character in a hostname.
- sftp(1): set high-water when resuming a "put". Prevents bogus
"server reordered acks" debug message.
- ssh(1), sshd(8): fix regression in openssh-9.8, which would
fail to accept "Match criteria=argument" as well as the
documented "Match criteria argument" syntax in ssh_config and
sshd_config.
- sftp(1), ssh(1): fix a number possible NULL dereference bugs,
including Coverity CIDs 405019 and 477813.
- sshd(8): fix PerSourcePenalty incorrectly using "crash"
penalty when LoginGraceTime was exceeded.
- sshd(8): fix "Match invalid-user" from incorrectly being
activated in initial configuration pass when no other
predicates were present on the match line
- sshd(8): fix debug logging of user specific delay.
- sshd(8): improve debug logging across sub-process boundaries.
Previously some log messages were lost early in the sshd-auth
and sshd-session processes' life.
- ssh(1): require control-escape character sequences passed via
the '-e ^x' command-line to be exactly two characters long.
Avoids one byte out-of-bounds read if ssh is invoked as "ssh
-e^ ..."
- ssh(1), sshd(8): prevent integer overflow in X11 port
handling. These are theoretically possible if the admin
misconfigured X11DisplayOffset or the user misconfigures
their own $DISPLAY, but don't happen in normal operation.
- ssh-keygen(1): don't mess up ssh-keygen -l output when the
file contains CR characters.
- sshd(8): add rate limits to logging of connections dropped by
PerSourcePenalties. Previously these could be noisy in logs.
- ssh(1): fix argument of "Compression" directive in ssh -G
config dump, which regressed in openssh-9.8.
- sshd(8): fix a corner-case triggered by UpdateHostKeys when
sshd refuses to accept the signature returned by an agent
holding host keys during the hostkey rotation sub-protocol.
This situation could occur in situations where a PKCS#11
smartcard that lacked support for particular signature
algorithms was used to store host keys.
- ssh-keygen(1): when using RSA keys to sign messages with
"ssh-keygen -Y", select the signature algorithm based on the
requested hash algorithm ("-Ohashalg=xxx"). This allows using
something other than the default of rsa-sha2-512, which may
not be supported on all signing backends, e.g. some
smartcards only support SHA256.
- ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
big-endian systems.
- Many regression and interop test improvements.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 12446
- amd64: 12593
- i386: 10429
- mips64: 8635
- powerpc64: 7501
- riscv64: 10585
- sparc64: 9080
o Packages for the following architectures will be made available as
their builds complete:
- arm
- powerpc
- Some highlights:
o Asterisk 16.30.1, 18.26.1, o Mozilla Firefox 137.0 and
20.13.0 and 22.3.0 ESR 128.9.0
o Audacity 3.7.3 o Mozilla Thunderbird 128.9.0
o CMake 3.31.6 o Mutt 2.2.14 and NeoMutt 20250113
o Chromium 135.0.7049.52 o Node.js 22.14.0
o Emacs 30.1 o OCaml 4.14.2
o FFmpeg 6.1.2 o OpenLDAP 2.6.9
o GCC 8.4.0 and 11.2.0 o PHP 8.2.28, 8.3.19 and 8.4.5
o GHC 9.8.3 o Postfix 3.10.1
o GNOME 47 o PostgreSQL 17.4
o Go 1.24.1 o Python 2.7.18 and 3.12.9
o JDK 8u442, 11.0.26, 17.0.14 o Qt 5.15.16 (+ kde patches) and
and 21.0.6 6.8.2
o KDE Applications 24.12.3 o R 4.4.2
o KDE Frameworks 6.5.0 o Ruby 3.2.8, 3.3.7 and 3.4.2
o KDE Plasma 6.3.3 o Rust 1.86.0
o Krita 5.2.9 o SQLite 3.49.1
o LLVM/Clang 13.0.0, 16.0.6, o Shotcut 25.01.25
18.1.8 and 19.1.7 o Sudo 1.9.16p1
o LibreOffice 25.2.1.2 o Suricata 7.0.7
o Lua 5.1.5, 5.2.4, 5.3.6 and o Tcl/Tk 8.5.19 and 8.6.16
5.4.7 o TeX Live 2024
o MariaDB 11.4.5 o Vim 9.1.1265 and Neovim 0.10.4
o Mono 6.12.0.199 o Xfce 4.20.0
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 21.1.16 + patches,
freetype 2.13.3, fontconfig 2.15.0, Mesa 23.3.6, xterm 395,
xkeyboard-config 2.20, fonttosfnt 1.2.4, and more)
o LLVM/Clang 16.0.6 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.40.1 (+ patches)
o NSD 4.9.1
o Unbound 1.22.0
o Ncurses 6.4
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk 20250116
o Expat 2.7.1
o zlib 1.3.1 (+ patches)
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at direct...@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of April 28, 2025, the following HTTPS mirror sites have the
7.7 release:
https://cdn.openbsd.org/pub/OpenBSD/7.7/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/7.7/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/7.7/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/7.7/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/7.7/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/7.7/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/7.7/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/7.7/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/7.7/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/7.7/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.7/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/7.7/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/7.7/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/7.7/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT armv7/ octeon/ root.mail
README hppa/ openbsd-77-base.pub sparc64/
SHA256 i386/ packages/ src.tar.gz
SHA256.sig landisk/ packages-stable/ sys.tar.gz
alpha/ loongson/ ports.tar.gz xenocara.tar.gz
amd64/ luna88k/ powerpc64/
arm64/ macppc/ riscv64/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy77.img pxeboot*
BOOTX64.EFI* bsd.mp* game77.tgz xbase77.tgz
BUILDINFO bsd.rd* index.txt xfont77.tgz
INSTALL.amd64 cd77.iso install77.img xserv77.tgz
SHA256 cdboot* install77.iso xshare77.tgz
SHA256.sig cdbr* man77.tgz
base77.tgz comp77.tgz miniroot77.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install77.iso. The install77.iso file (roughly 782MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install77.img and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 7.7 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/7.7/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.7/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jeremie Courreges-Anglas,
Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by
Tomáš Rodr.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
Alexandre Ratchov, Andrew Hewus Fresh, Anil Madhavapeddy,
Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
Charles Longeau, Chris Cappuccio, Christian Weisgerber,
Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila,
David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck,
Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado,
Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings,
James Turner, Jan Klemkow, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Job Snijders, Joel Sing, Joerg Jung, Johannes Thyssen Tishman,
Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave,
Josh Rickmar, Joshua Sing, Joshua Stein,
Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
Kenneth R Westerback, Kent R. Spillner, Kevin Lo,
Kirill A. Korinsky, Kirill Bychkov, Klemens Nanni, Kurt Miller,
Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Gabriel Vuotto,
Lucas Raab, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian,
Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin,
Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev,
Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo,
Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
Yasuoka Masahiko, Yojiro Uo
