Hi, Just upgraded my both server from 6.9 to 7.0. But I noticed an issue on the mirrors with rc.firsttime.
syspatch fails with error 404 on the mirrors: Error retrieving https://cdn.openbsd.org/pub/OpenBSD/syspatch/7.0/amd64/SHA256.sig: 404 Not Found Indeed SHA256.sig is currently missing on the mirrors. Best regards, J. K. On 14.10.21 16:34, Theo de Raadt wrote: > > ------------------------------------------------------------------------ > - OpenBSD 7.0 RELEASED ------------------------------------------------- > > October 14, 2021. > > We are pleased to announce the official release of OpenBSD 7.0. > This is our 51st release. We remain proud of OpenBSD's record of more > than twenty years with only two remote holes in the default install. > > As in our previous releases, 7.0 provides significant improvements, > including new features, in nearly all areas of the system: > > - New/extended platforms: > o Added new riscv64 platform for 64-bit RISC-V systems. > o The arm64 platform support was improved with the following > changes: > - Support for Apple Silicon Macs has improved but is not ready > for general use yet: > # Added support for installing on a disk with a GPT. > # Added apldart(4) support for a DART with two sets of > registers, needed to support the Synopsis DesignWare USB > 3 controller. > # Added apldwusb(4), a glue driver for the Synopsys > DesignWare USB 3 controllers found on the Apple M1 SoC. > # Added aplns(4) to provide support for Apple NVME storage > as found in Apple M1 devices. > # Added aplpinctrl(4) driver for the Apple GPIO controller > found on the M1 SoCs. > # Added aplpmu(4), a driver for the Apple "sera" SPMI > power management unit that contains the RTC on Apple M1 > systems. > # Added aplspmi(4), a driver for the Apple SPMI > controller. > - Enabled LEDs for the mue(4) LAN7800 chip as found on the > Raspberry Pi 3 Model B+. > - Added rktcphy(4), a driver for the Type-C PHY controller > found on the Rockchip RK3399. > - Implemented multicast support in mvpp(4). > o Changes on other architectures: > - Switched macppc to use ld.lld(1). > - Fixed an issue preventing applications from selecting the > non-ALTIVEC code path on macppc. > - Made amd64 hw.setperf percentages proportional to the > enhanced speed step frequencies on Intel processors. The > default hw.setperf=99 corresponds to the maximum ordinary > speed, and setting it to 100 enables turbo mode. > - Enabled cy(4) on amd64. > - Disabled base-gcc on amd64. > - Prevented crashes on amd64 when TLB entries which should have > been invalidated were used. > - Prevented a kernel panic in sparc64 due to page boundary > misalignment. > - Forced luna88k to use the serial console when no graphics > board is found. > - Made additional free inodes on luna88k bsd.rd by specifying > density=4096. > - Fixed strchr() and strrchr() on mips64. > - Prevented watchdog resets on some i.MX 64-bit machines with a > recent U-Boot and watchdog enabled on boot in imxdog(8). > - Created audio devices on armv7. > - Retired OpenBSD/sgi platform. > - Enabled MSI-X support for powerpc64. > - Fixed __ppc_lock for page faults that recursively grab the > lock on powerpc. > - Increased the maximum data size on powerpc64 to 32GB. > - Disabled global page table mappings when using PCID to > prevent crashes when not flushed from TLB on amd64. > - Added cduart(4) driver for Cadence Universal Asynchronous > Receiver/Transmitter on armv7. > - Added zqclock(4) driver for Xilinx Zynq-7000 clock controller > on armv7. > - Added zqreset(4) driver for Xilinx Zynq-7000 reset controller > on armv7. > > - Various kernel improvements: > o Unlocked the top part of the VM fault handler on i386. > o Enabled dt(4) for GENERIC kernels on amd64, arm64, i386, sparc64, > and powerpc64. > o Added kprobes provider for dt(4). > o Implemented < and > operators in btrace(8) filters. > o Added btrace(8) display of time spent in userland when analyzing > the kernel stack in the flame graph tool and fixed a parsing bug. > o Introduced /etc/bsd.re-config(5), which can be used to configure > the kernel using config(8), allowing use of KARL while making > changes to the GENERIC kernel. > o Identify TPM 2.0 devices and perform the 2.0-specific suspend > command, allowing the ThinkPad X1 Carbon Gen 9 and ThinkPad X1 > Nano with the latest BIOS (which added S3) to resume. > o Changed the printing of the hibernate image size from bytes to > megabytes. > o Increased hibernate writeout speed. > o Added "machine sysregs" command to ddb(4) on amd64. > o Prevented interleaved stack traces in ddb(4) from multiple CPUs. > o Delayed installation of sensors until a device with battery > support is connected, allowing sensorsd(8) to pick up hotplugged > uhidpp(4) devices. > o Prevented a kernel panic after VFS shutdown. > o Increased the setitimer(2) timer limit to UINT_MAX seconds. > o Serialized the internals of kqueue(2) with a mutex. > o Enabled pool cache on knote(9) pool. > o Fixed futex(2) errno handling to match what Mesa expects and > prevent failure to properly report timeouts. > o Fixed a kernel crash in tty(4). > o Increased the default buffer space on PF_UNIX sockets to 8k and > made the values tuneable via sysctl(2). > o Made kqueue(2) timer re-addition reset an existing timer to use > the new timeout period. > o In the build system, pass make flags to kernel and lib builds, > making hacking on ramdisks/the installer much faster. > > - SMP Improvements > o Made pmap_extract() mpsafe on hppa and amd64. > o Introduced CPU_IS_RUNNING() and used it in scheduler-related code > to prevent waiting on non-running CPUs. > o Made anonymous object reference counting independent from the > KERNEL_LOCK(). > o Unlocked connect(2). > o Unlocked setrtable(2). > o Introduced per-CPU panic(9) message buffers. > o Used so_lock to protect key management (PF_KEY) sockets. > o Used so_lock to protect routing (PF_ROUTE) sockets. > o Unlocked lseek(2). > o Unlocked the top part of the fault handler. > > - Direct Rendering Manager > o Updated drm(4) to Linux 5.10.65 > o inteldrm(4): better support for Tiger Lake > o amdgpu(4): support for Navi 12, Navi 21 "Sienna Cichlid", Arcturus > o amdgpu(4): support for Cezanne "Green Sardine" Ryzen 5000 APU > > - VMM/VMD improvements > o Added a theoretical limit of 512 to the number of allocated vcpus > in vmm(4). > o Fixed vmm(4) vcpu locking issues. > o Added vmd(8) support for variable length vionet rx descriptor > chains. > o Prevented stack overflow in vmd(8) due to large DHCP packets on > local interfaces. > o Allowed locking of a randomly assigned lladdr in vmd(8). > o Skipped inspecting non-udp packets on local interfaces for vmd(8). > o Prevented guest virtio drivers from causing stack and buffer > overflows in vmd(8). > o Fixed a race condition in vmm(4) relating to incorrect physical > cpu tracking. > o Fixed vmctl(8) client "wait" state corruption in vmd(8) when a > wait is canceled and restarted, allowing multiple waiting clients. > o Added protections against guests with bad virtio drivers to vmd(8) > o Unlocked the kernel in vmm(4) ioctl handlers and introduced vcpu > locks > > - Various new userland features: > o Imported timeout(1) utility from NetBSD. timeout(1) can be used to > run commands with a time limit. > o Added include and exclude options to openrsync(1). > o Implemented reporting of supplemental groups in ps(1). > o Added indication of whether an mg(1) function is unsuitable for a > startup file. > o Added "dired-jump" command to mg(1) to open a dired buffer > containing the current buffer's directory location. > > - Various bugfixes and tweaks in userland: > o Modified doas(1) to retry up to 3 times on password authentication > failure. > o Made all vi(1) signal handler functions async-signal-safe. > o Changed diff(1) to consider two files sharing the same inode > identical. > o Allowed xenodm(1) login when ~/.Xauthority does not exist. > o Disabled building all of the non-unicode fonts in Xenocara except > for ISO8859-1. > o Altered passwd(1) to use stderr for printer error and > informational messages. This allows easier parsing of what > passwd(1) is doing if spawned from a GUI. > o Fixed iostat(8) per-device values when systat(1) is in boot time > mode ('b'), not normalizing based on the sleep interval. > o Made jot(1) -b, -c and -w mutually exclusive. > o Made cdio(1) discard the current input line when Ctrl-C is used > during line editing and provide a fresh prompt rather than exiting > the program. > o Let el_gets(3) honour the first Ctrl-C typed by the user rather > than ignoring it. > o Corrected awk(1) -F null string behavior to ensure -F '' behaves > consistently with -v FS="". > o Avoided a potential buffer overflow in backslash escaping in > awk(1). > o Disallowed the use of an empty list between "while" and "do" in > ksh(1). > o Changed cwm(1) maximization and full-screen mode toggling to keep > the cursor within the window, preventing focus loss. > o Made rc(8) quietly attempt an early mount of /var/log in case > someone has created it as a separate filesystem to avoid /var > overflow issues. > o Improved fdisk(8) to retain essential partitions on various > platforms. > o Improved fdisk(8) for disks with 4K sectors. > o Cleaned up the fdisk(8) MBR/GPT initialization code, making -g > independent of -i, leaving four mutually exclusive initialization > options (-i, -g, -u and -A) with the last option specified > executed (allowing the existing -i -g to work as intended). > o Relaxed criteria for recognizing GPT formatted media, allowing GPT > disk images added with dd(1) onto larger physical media to be > recognized by fdisk(8) and the kernel. > o Added the ability for fdisk(8) to recognize "BIOS Boot", "APFS", > "APFS ISC", "APFS Recovry" (sic), "HiFive FSBL" and "HiFive BBL" > GPT partitions. > o Ensured the values for fdisk(8) -b and -l are treated as 512-byte > block counts. > o Added an fdisk(8) -A option to initialize a GPT without removing > special boot partitions. > o Made fdisk(8) -b option available to architectures other than > amd64 and i386 and extended the syntax to allow specification of > the boot partition type and offset. > o Adjusted density for partitions on a 4k disk in newfs(8) when > fragsize and density are not passed on the command line to ensure > sufficient inodes to hold a src tree on a 2G fs. > o Fixed disklabel(8) generation on sparc64. > o Fixed overlap check in disklabel(1) autoalloc code. > o Corrected various min/max cluster numbers for FAT12/16/32 in > newfs_msdos(8). > o Added libexecinfo, a library providing backtrace functions. > o Updated C library support for character classification to Unicode > 13.0. > o Let wcwidth(3) treat all characters in Unicode private use areas > as single-width, even those in planes 15 and 16. > o Limited the printf(1) \x escape sequence to two characters. > o Corrected the output of date(1) -f %s which was wrongly affected > by the local timezone. > o Turn printing additional information into toggles for systat(1). > > - Improved hardware support and driver bugfixes, including: > o Added a workaround to amdgpu(4) for machines where the framebuffer > size reported by the hardware is incorrect. > o In pchgpio(4), worked around a BIOS bug on Lenovo ThinkPads based > on Intel's Tiger Lake platform to properly restore the GPIO pin > used for the touchpad interrupt upon resume. > o Stopped setting the highspeed bit on bcm2835-sdhci sdhc(4) > controllers, fixing bwfm(4) wifi on the Raspberry Pi 3 Model B+. > o Added support for obtaining sense status and source slot of a > media to chio(1) and ch(4). > o Fixed dwiic(4) timeouts requesting data from at least one > touchpad. > o Added ucc(4), a driver for USB HID Consumer Control keyboards. > Often used to expose volume, audio and application launch keys. > Volume keys are handled by the kernel and all other keys are > propagated to X11 and the console through wscons(4). > o Set the uhidpp(4) battery level sensor status to unknown while > charging to handle devices reporting zero during charge, > preventing certain sensorsd.conf(5) actions from triggering > inappropriately. > o Added Tiger Lake LP (INT34C5) support to pchgpio(4). > o Fixed a panic at shutdown relating to azalia(4) on the X1 Extreme > Gen 1. > o Fixed a panic reported in upd(4). > o Fixed display of incorrect patterns on LUNA's wscons(4) with 1bpp > framebuffer when backspace is typed. > o Fixed an attachment problem for dwctwo(4) for certain devices > issuing NAK interrupts during split transactions. > o Added AMD 17h/6xh Root Complex to ksmn(4). > o Ensured the TX FIFO isn't overrun for longer transfers in > dwiic(4). > o Added titmp(4), a driver for the TI TMP451 temperature sensor. > o Ensured a USB mouse will attach if otherwise qualified even if the > usage report does not include X and Y usages. > o Attached unsupported video devices to uvideo(4) but not video(1), > rather than leaving it unmatched. > o Added a -R flag to usbhidctl(1) to dump the raw report descriptor > bytes. > o Added hid_get_report_desc_data() to usbhid(3) to access raw report > descriptor data. > o Fixed overflows when reading multiple bytes from AML over an i2c > bus in acpi(4). > o Fixed uaudio(4) on certain machines such as the RPI4 by adding a > pre-DMA-write barrier after data is stored to memory. > o Worked around x86 machines that advertise the "hardware reduced" > ACPI feature, advertise S4 and S5 support, but fail to populate > the SLEEP_CONTROL_REG and SLEEP_STATUS_REG descriptions in the > FADT. This fixed the ASUS Zenbook 14. > o Added quirk to enable ThinkPad X1 Extreme 1 speakers and Dolby > Atmos in azalia(4). > o Fixed pchgpio(4) issues with dead touchpads after resume. > o Fixed an mbuf leak in xnf(4). > > - New or improved network hardware support: > o Fixed ix(4) with older amd64 and current riscv64 hardware if MSI > is not enabled for the device. > o Added the uaq(4) driver for Aquantia AQC111U/AQC112U USB Ethernet > devices. > o Added the aq(4) driver to support Aquantia 1/2.5/5/10Gb/s PCIe > Ethernet adapters. > o Synced dwctwo(4) with the NetBSD-current code base, enabling the > USB on-board Ethernet controller through mue(4), fixing uvideo(4), > and enabling the two USB uhub3 ports on the Raspberry Pi 3 Model > B+. > o Added cad(4), a driver for Cadence GEM. > o Added Broadcom BCM5725 to brgphy(4). > o Added support for RTL8168FP/RTL8111FP/RTL8117 to re(4). > o Fixed ure(4) after a media link change on RTL8153/B devices. > o Fixed bnxt(4) with a single queue in MSI-X mode. > > - Added or improved wireless network drivers: > o Zeroed out iwx(4) Tx descriptors of frames which are done to > prevent the device from writing to the former DMA address of a > buffer which has been taken off the Tx ring. > o Fixed a bug in iwx(4) Tx done interrupt processing which could > cause fatal firmware errors under load and memory corruption. > o Changed iwm(4) and iwx(4) to sleep for 1 second while loading > firmware to match what iwn(4) does. This fixes some issues with > suspend/resume. > o Ensured that iwm(4) and iwx(4) will reload firmware from disk on > down/up and not during resume. > o Fixed iwx(4) crystal latency values to match those used by Linux > iwlwifi. > o Fixed an off-by-one error in bwfm(4). > o Changed iwn(4), iwm(4), and iwx(4) devices to hide detailed > firmware error reports by default. > o Prevented a loop when bwfm(4) receives an unsolicited association > status event right after successful association. > o Fixed a leak with wg(4) keepalive. > o Switched iwx(4) to -63 firmware images as shipped in > iwx-firmware-20210512, including fixes addressing fragattacks > vulnerabilities. > o Supported the new iwx(4) firmware session protection command, > required for successful associations with new firmware. > o Stopped asking iwx(4) to send probe requests on passive channels, > fixing firmware going unresponsive after association. > o Fixed an iwx(4) edge case where devices failed to resume after > system suspend. > o Switched iwm(4) to newer firmware images available in > iwm-firmware-20210512. This provides FragAttacks fixes for the > updated devices. > o Fixed iwx(4) against access points using TKIP as the group cipher. > o Prevented athn(4) from calling ieee80211_find_rxnode() on bad > frames in an attempt to prevent creation of bogus node cache > entries. > o Implemented various fixes addressing firmware errors in iwm(4) and > iwx(4). > o Fixed node leaks in iwm(4) and iwx(4) which caused the drivers to > get stuck when roaming between access points. > o Fixed iwx(4) firmware reloading after a failure to parse the > firmware file. > o Avoided "mac clock not ready" panics in iwm(4) and iwx(4). > o Worked around a problem with certain athn(4) hardware that caused > problem when running in HostAP mode with clients that use Tx > aggregation. > o Corrected multicast decryption for iwx(4). > o Added 802.11n Tx aggregation support to iwm(4). > o Made iwn(4), iwm(4) and iwx(4) keep track of beacon parameters at > run-time. > o Implemented support for Rx aggregation offload in iwm(4) and > iwx(4) and re-enabled de-aggregation of A-MSDUs in net80211 for > all drivers capable of 11n mode. > o Changed error reporting for bwfm(4) to use the long version of the > firmware path. This makes it easier to find the correct files to > add to the bwfm-firmware port. > > - IEEE 802.11 wireless stack improvements and bugfixes: > o Drop fragmented 802.11 frames. > o Prevent frame injection via forged 802.11n A-MSDUs. > o Tweaked net80211 RA heuristics to avoid picking Tx rate choices > that may be too optimistic. > > - Generic network stack improvements and bugfixes: > o Implemented reception of "VLAN 0 priority tagged" packets. > o Fixed an alignment fault observed on an octeon machine while > pppoe(4) negotiated a large MTU. > o Display provider ID for a umb(4) SIM in ifconfig(8). > > - Installer and upgrade improvements: > o Checked the installer's /tmp/i/hostname.* files for a configured > IP address so that configurations without a broadcast address are > detected as well. > o Handled "inet autoconf" in the ramdisk. > o Introduced a short wait in rc(8) after netstart(8) finishes until > an IPv4 or IPv6 default route is present before continuing boot. > Fixed setups depending on working network and DNS resolution > during early boot when using autoconfiguration (dhcpleased(8) or > slaacd(8)). > o Made fdisk(8) always create an EFI SYS partition if the -b option > is specified when initializing a GPT. > o Allowed (w)hole disk allocation for GPT disks in arm64, using > fdisk(8) -A when an Apple APFS ISC partition is detected and fdisk > -ig otherwise. Created EFI SYS boot partitions only on ROOTDISK > GPT disks. > o Added installboot(8) "-p" to prepare by creating a new filesystem > on the partition reserved for the bootloader on relevant > architectures. > o Added GPT support to armv7 installboot(8). > o Added the Spleen 12x24 and 16x32 font on amd64's RAMDISK_CD and > RAMDISK kernels. > o Use installboot(8) on arm64 ramdisks. > o Enable dhcpleased(8) on ramdisks, and activate resolvd(8), > replacing dhclient(8). > o Enable slaacd(8) to configure nameservers on ramdisks. > > - Security improvements: > o Moved objcopy to base set to allow KARL to work on all installs. > o Added unveil(2) calls to xterm in the case where there are no > exec-formatted or exec-selected resources set. > o Changed usage of %n from a syslog warning to syslog and abort for > printf(3) (and associated variants). > o Made kernel stop all threads when terminating via pledge_fail(). > > - Routing daemons and other userland network improvements: > o The bgpd(8) daemon saw the following changes: > - Stop processing queued UPDATES when the max-prefix limit was > reached. > - Improved negotiation for route refresh, graceful restart and > multi-protocol capabilities > - Correctly track 'rde evaluate all' and 'export' settings > during reload. > - Properly withdraw prefixes when 'rde evaluate all' is used. > - Fixed MRT handling on initial startup for message dump types. > - Fixed and use non-blocking connect for RTR sessions. > - Fully implemented RFC 6286 by checking for BGP ID collisions. > - Adjusted the 4-byte AS number handling to RFC 6793 by > changing error behaviour from prefix witdraw to attribute > discard. > - In bgpctl(8) print out both the sent "Neighbor capabilities" > and the "Negotiated capabilities" for a session. > - Print timestamps both as a formatted and a pure time in > seconds field in various JSON objects. > - Fixed a bug, where during bgpd(8) config reloads prefixes of > the wrong address family could leak to peers resulting in > session resets. > - Added support for RFC 7313 - Enhanced Route Refresh Disabled > by default, to enable use 'announce enhanced refresh yes'. > - Improved output of Adj-RIB-Out by updating nexthop and ASPATH > before adding the prefix to the RIB. This improves `bgpctl > show rib out` output. > - Added command line option to both bgpd(8) and bgpctl(8) to > show the version. > - Added support for RFC 9072 - Extended Optional Parameters > Length for BGP OPEN Message > - Added support for RFC 8050 - MRT Format with BGP Additional > Path Extensions > - Implemented receive side of RFC 7911 - Advertisement of > Multiple Paths in BGP. OpenBGPD is currently not able to send > multiple paths out. > - Improved checks of VRPs loaded via RTR or from the roa-set > table. > - Allowed optionally specifying an expiry time for roa-set > entries to mitigate BGP route decision making based on > outdated RPKI data. OpenBGPD's companion rpki-client(8) > produces roa-sets with the new 'expires' property > o The pf(4) packet filter and its userland utility: > - Corrected a potential memory leak associated with pfsync(4) > update requests. > - Introduced locks around the global pf(4) state list. > - Fixed a panic due to pfsync(4) deferral timeout handling. > - Added support for pf(4) divert-to on tpmr(4) and veb(4). > - Fixed state key reference underflow when both state keys are > identical in pf(4). > - Only skipped pf(4) once for packets injected by a > divert-packet socket, allowing pf to still act later on a > diverted packet. > o IPSEC support in the kernel and the iked(8) userland daemon: > - Zeroed out potential passwords when freeing memory or > handling parsing errors in iked(8). > - Added client-side support for DNS configuration to iked(8). > - Increased iked(8) default data bytes limit for Child SAs to 4 > GB, preventing excessive rekeying and lost data in high > performance setups. > - Fixed an iked(8) bug where no flows are added if a single > address is configured in the config address instead of a > pool. > - Fixed a problem in iked(8) where no flows are loaded when a > single config address without pool is configured. > - Added an experimental post-quantum hybrid key exchange method > based on Streamlined NTRU Prime (coupled with X25519) to > iked(8) as sntrup761x25519. > - Fixed races which were slowing ipsec(4) throughput. > - Fixed ipsec(4) NAT-T to work with pipex(4). > o rpki-client(8) received the following new features and bugfixes: > - Added keep-alive support to the HTTP client code for RRDP. > - Reference-count and delete unused files synced via RRDP, as > far as possible. > - In the JSON output, changed the AS Number from a string > ("AS123") to an integer ("123") to make processing of the > output easier, > - Added an 'expires' column to CSV & JSON output, based on > certificate and CRL validity times. The 'expires' value can > be used to avoid route selection based on stale data when > generating VRP sets, when faced with loss of communication > between consumer and validator, or validator and CA > repository. > - Made the runtime timeout (-s option) also trigger in child > processes. > - Improved RRDP support and make RRDP the default protocol for > synchronizing the RPKI repository data, with openrsync(1) > used as secondary. > - At startup, warn if the filesystem containing the cache > directory is probably too small. > - Handle running out of disk space more gracefully, including > cleanup of temporary and old files before exiting. > - Improved the HTTP/1.1 request headers being sent. > - Improved validation checks for ROA and MFT objects. > - Improved the HTTP client code (status code handling, http > proxy support, keep-alive). > - In RRDP, do not access URI with userinfo (@-sign) > - Improved RRDP syncing by considering a notification file > serial jumping backwards as synced repository. > - Made -R (rsync only) also apply to the fetching of TA files. > - Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude > all others. > - When producing output for bgpd(8), make use of the 'roa-set > expires' attribute to prevent machines from loading outdated > roa-sets. > - In RRDP, limited the number of deltas to 300 per repo. If > more deltas exist, downloading a full snapshot is faster. > - Limited the validation depth of X.509 certificate chains to > 12, double the current depth seen in RPKI. > o traceroute(8) was improved: > - Probe packets are now sent in quick succession and responses > handled asynchronously. > - DNS lookups are performed asynchronously. This speeds up the > time required to display results considerably. > o dhcpleased(8) was made the default program for configuring IPv4 > addresses via DHCP. resolvd(8) was activated to handle concurrent > changes to resolv.conf(5) by both dhcpleased(8) and slaacd(8). > Additionally these programs saw the following improvements and > bugfixes: > - Changed dhcpleased(8) client identifier transmission to match > other DHCP client implementations. > - Simplified dhcpleasectl(8) and added syntax to match > dhclient(8) (interface), allowing one to be aliased to the > other. > - Retried broadcast with dhcpleased(8) when the DHCP server is > unreachable via unicast UDP. > - Made resolvd(8) accept DNS proposals for the loopback > addresses. > - Added to dhcpleased.conf(5) the ability to ignore routes or > nameservers from a lease and to ignore servers entirely. > - Made dhclient(8) defer to dhcpleased(8) when the inet > autoconf flag is set. When run, dhclient will signal > dhcpleased to request a new lease rather than requesting one > itself. > - Fixed potential races in slaacd(8) and dhcpleased(8) when two > processes are configuring the same IP. > - Added the possibility to send vendor class identifier and > client identifier using dhcpleased.conf(5). > - Made dhcpleased(8) always configure provided routes, > regardless of whether the address received in the lease is > already configured. > - Used exclusive locks under /dev/ to ensure single instances > of resolvd(8), slaacd(8) and dhcpleased(8). > - Implemented classless static routes DHCP option in > dhcpleased(8). > - Added a new "nameserver" command to route(8), sending > nameserver proposals to resolvd(8) using the DNS proposal > protocol over the route socket. This command is intended be > used to integrate userland triggered nameserver changes, for > example by VPN software. > o Changes to snmp related tools: > - Disable SNMPv1 and SNMPv2c by default in snmpd(8). > - Remove default communities from snmpd(8). > - Switched default seclevel to enc for snmpd(8). > - Changed the default snmp(1) version to -v3 and removed the > default community. > - Switched default snmp(1) auth to hmac-sha1. > - Switched default snmp(1) and snmpd(8) privacy protocol to > AES. > - Added the ability for snmpd(8) to send SNMPv3 traps. > - Allowed "any" to be used as a listen on address in > snmpd.conf(5). > - Allowed setting of the engineid in snmpd(8). > o Other userland network changes: > - Fixed acme-client(1) SAN generation for CSRs. > - Added pledge(2) for ftpd(8) user processes. > - Allowed router solicitations from the unspecified address > (::) in rad(8). > - Altered slowcgi(8) so it no longer sends debug logging to > syslog unless debug logging is requested via the new -v flag. > - Prevented httpd(8) from trying to chunk encode an empty http > body coming from an fcgi upstream. > - Used relative reference URIs in Location header on directory > redirects in httpd(8), adding support for front-ending httpd > with a TLS-terminating gateway that forwards unencrypted http > traffic. > - Prevented a crash on strict alignment architectures of > tcpdump(8) WireGuard printer. > - Made tcpdump(8) split the 802.11 sequence number field into > its sequence number and fragment number components rather > than printing the whole field in decimal. > - Added simple BGP enhanced route refresh message decoding to > tcpdump(8). > > - tmux(1) improvements and bug fixes: > o Added a -B flag to tmux(1) to remove borders from popups and added > a menu to popups as well as options to convert a popup into a > pane. > o Added pipe variants of the tmux(1) line copy commands. > o Added basic support for zero width joiners to tmux(1). > o Added client focus hooks to tmux(1). > o Made window-linked and window-unlinked window options in tmux(1). > o Added -F for tmux(1) command-prompt and used it to fix "Rename" on > the window menu. > o Added different tmux(1) command histories for different types of > prompts. > o Fixed tmux(1) problems with xterm in VT340 mode. > o Added an "always" value to the extended-keys option to always > forward those keys to applications inside tmux(1). > > - OpenSMTPD 7.0.0 > o Fixed incorrect status code for expired mails resulting in a > misleading bounce report in smtpd(8). > o Added TLS options cafile=(path), nosni, noverify and > servername=(name) to smtp(1). > o Allowed specification of TLS ciphers and protocols in smtp(1). > > - LibreSSL 3.4.1 > o New Features > - Added support for OpenSSL 1.1.1 TLSv1.3 APIs. > - Enabled the new X.509 validator to allow verification of > modern certificate chains. > o Portable Improvements > - Ported continuous integration and test infrastructure to > Github actions. > - Added Universal Windows Platform (UWP) build support. > - Fixed mingw-w64 builds on newer versions with missing SSP > support. > - Added non-executable stack annotations for CMake builds. > o API and Documentation Enhancements > - Added the following APIs from OpenSSL > BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve > EC_GROUP_order_bits EC_GROUP_set_curve > EC_POINT_get_affine_coordinates > EC_POINT_set_affine_coordinates > EC_POINT_set_compressed_coordinates EVP_DigestSign > EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey > SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method > SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data > SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher > SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable > SSL_SESSION_set_max_early_data SSL_get_early_data_status > SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio > SSL_set_ciphersuites SSL_set_max_early_data > SSL_set_post_handshake_auth > SSL_set_psk_use_session_callback > SSL_verify_client_post_handshake SSL_write_early_data > - Added AES-GCM constants from RFC 7714 for SRTP. > o Compatibility Changes > - Implement flushing for TLSv1.3 handshakes behavior, needed > for Apache. > - Call the info callback on connect/accept exit in TLSv1.3, > needed for p5-Net-SSLeay. > - Default to using named curve parameter encoding from > pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE. > - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback. > o Testing and Proactive Security > - Added additional state machine test coverage. > - Improved integration test support with ruby/openssl tests. > - Error codes and callback support in new X.509 validator made > compatible with p5-Net_SSLeay tests. > o Internal Improvements > - Numerous fixes and improvements to the new X.509 validator to > ensure compatible error codes and callback support compatible > with the legacy OpenSSL validator. > > - OpenSSH 8.8 > o Security > - sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When > this option was enabled with a set of patterns that activated > logging in code that runs in the low-privilege sandboxed sshd > process, the log messages were constructed in such a way that > printf(3) format strings could effectively be specified the > low-privilege code. > - sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly > initialise supplemental groups when executing an > AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a > AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser > directive has been set to run the command as a different > user. > o Potentially incompatible changes > - A near-future release of OpenSSH will switch scp(1) from > using the legacy scp/rcp protocol to using SFTP by default. > - This release disables RSA signatures using the SHA-1 hash > algorithm by default. > - scp(1): this release changes the behaviour of remote to > remote copies (e.g. "scp host-a:/path host-b:") to transfer > through the local host by default. This was previously > available via the -3 flag. This mode avoids the need to > expose credentials on the origin hop, avoids triplicate > interpretation of filenames by the shell (by the local > system, the copy origin and the destination) and, in > conjunction with the SFTP support for scp(1) mentioned below, > allows use of all authentication methods to the remote hosts > (previously, only non-interactive methods could be used). A > -R flag has been added to select the old behaviour. > - ssh(1)/sshd(8): both the client and server are now using a > stricter configuration file parser. The new parser uses more > shell-like rules for quotes, space and escape characters. It > is also more strict in rejecting configurations that include > options lacking arguments. Previously some options (e.g. > DenyUsers) could appear on a line with no subsequent > arguments. This release will reject such configurations. The > new parser will also reject configurations with unterminated > quotes and multiple '=' characters after the option name. > - ssh(1): when using SSHFP DNS records for host key > verification, ssh(1) will verify all matching records instead > of just those with the specific signature type requested. > This may cause host key verification problems if stale SSHFP > records of a different or legacy signature type exist > alongside other records for a particular host. > - ssh-keygen(1): when generating a FIDO key and specifying an > explicit attestation challenge (using -Ochallenge), the > challenge will now be hashed by the builtin security key > middleware. This removes the (undocumented) requirement that > challenges be exactly 32 bytes in length and matches the > expectations of libfido2. > - sshd(8): environment="..." directives in authorized_keys > files are now first-match-wins and limited to 1024 discrete > environment variable names. > o New features > - scp(1): experimental support for transfers using the SFTP > protocol as a replacement for the venerable SCP/RCP protocol > that it has traditionally used. SFTP offers more predictable > filename handling and does not require expansion of glob(3) > patterns via the shell on the remote side. > - sftp-server(8): add a protocol extension to support expansion > of ~/ and ~user/ prefixed paths. This was added to support > these paths when used by scp(1) while in SFTP mode. > - ssh(1): add a ForkAfterAuthentication ssh_config(5) > counterpart to the ssh(1) -f flag. > - ssh(1): add a StdinNull directive to ssh_config(5) that > allows the config file to do the same thing as -n does on the > ssh(1) command- line. > - ssh(1): add a SessionType directive to ssh_config, allowing > the configuration file to offer equivalent control to the -N > (no session) and -s (subsystem) command-line flags. > - ssh-keygen(1): allowed signers files used by ssh-keygen(1) > signatures now support listing key validity intervals > alongside they key, and ssh-keygen(1) can optionally check > during signature verification whether a specified time falls > inside this interval. This feature is intended for use by git > to support signing and verifying objects using ssh keys. > - ssh-keygen(8): support printing of the full public key in a > sshsig signature via a -Oprint-pubkey flag. > - ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs > directive to accept a "none" argument to specify the default > behaviour. > o Bugfixes > - ssh(1)/ sshd(8): start time-based re-keying exactly on > schedule in the client and server mainloops. Previously the > re-key timeout could expire but re-keying would not start > until a packet was sent or received, causing a spin in > select() if the connection was quiescent. > - ssh-keygen(1): avoid Y2038 problem in printing certificate > validity lifetimes. Dates past 2^31-1 seconds since epoch > were displayed incorrectly on some platforms. > - scp(1): allow spaces to appear in usernames for local to > remote and scp -3 remote to remote copies. > - ssh(1)/ sshd(8): remove references to > ChallengeResponseAuthentication in favour of > KbdInteractiveAuthentication. The former is what was in > SSHv1, the latter is what is in SSHv2 (RFC4256) and they were > treated as somewhat but not entirely equivalent. We retain > the old name as a deprecated alias so configuration files > continue to work as well as a reference in the man page for > people looking for it. > - ssh(1)/ ssh-add(1)/ ssh-keygen(1): fix decoding of X.509 > subject name when extracting a key from a PKCS#11 > certificate. > - ssh(1): restore blocking status on stdio fds before close. > ssh(1) needs file descriptors in non-blocking mode to operate > but it was not restoring the original state on exit. This > could cause problems with fds shared with other programs via > the shell. > - ssh(1)/ sshd(8): switch both client and server mainloops from > select(3) to pselect(3). Avoids race conditions where a > signal may arrive immediately before select(3) and not be > processed until an event fires. > - ssh(1): sessions started with ControlPersist were incorrectly > executing a shell when the -N (no shell) option was > specified. > - ssh(1): check if IPQoS or TunnelDevice are already set before > overriding. Prevents values in config files from overriding > values supplied on the command line. > - ssh(1): fix debug message when finding a private key to match > a certificate being attempted for user authentication. > Previously it would print the certificate's path, whereas it > was supposed to be showing the private key's path. > - sshd(8): match host certificates against host public keys, > not private keys. Allows use of certificates with private > keys held in a ssh-agent. > - ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), > which allows RSA/SHA2 signatures for public key > authentication but fails to advertise this correctly via > SSH2_MSG_EXT_INFO. This causes clients of these server to > incorrectly match PubkeyAcceptedAlgorithms and potentially > refuse to offer valid keys. > - sftp(1)/ scp(1): degrade gracefully if a sftp-server offers > the [email protected] extension but fails when the client > tries to invoke it. > - ssh(1): allow ssh_config SetEnv to override $TERM, which is > otherwise handled specially by the protocol. Useful in > ~/.ssh/config to set TERM to something generic (e.g. "xterm" > instead of "xterm-256color") for destinations that lack > terminfo entries. > - sftp-server(8): the [email protected] extension was > incorrectly marked as an operation that writes to the > filesystem, which made it unavailable in sftp-server > read-only mode. > - ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered > when the update removed more host keys than remain present. > - scp(1): when using the SFTP protocol, continue transferring > files after a transfer error occurs, better matching original > scp/rcp behaviour. > - ssh(1): fixed a number of memory leaks in multiplexing, > - ssh-keygen(1): avoid crash when using the -Y find-principals > command. > - A number of documentation and manual improvements. > > - mandoc 1.14.6 > o Added a style message about overlong text input lines. > o Made "-W style" check .Xr links along the full manpath to help > validation of non-base manual pages. > o Supported auto-tagging for ".It Va" in mdoc(7) documents. > o Stopped printing two extra blank lines at the top and bottom of > man(7) documents. > o Supported the CB and CI fonts in roff(7) \f font escapes and .ft > font requests. > o Added support for two-character font names (BI, CW, CR, CB, CI) to > the tbl(7) layout font modifier. > o Implemented the tbl(7) layout modifiers "b" (bold) and "i" > (italic) in HTML output mode. > o Completed support for the "nospaces" option in the tbl(7) parser. > o Fixed an infinite loop in the tbl(7) parser for some cases of > horizontally overlapping horizontal spans. > o Added a meta viewport element to "-T html" output. > o Fixed a crash with "-T man" when an input file contains tbl(7) or > eqn(7) input. > o Fixed a crash in makewhatis(8) when a manpath directory contains a > symbolic link that points to a directory. > > - Ports and packages: > o Pre-built packages are available for the following architectures on > the day of release: > - aarch64 (arm64): 11034 > - amd64: 11325 > - i386: 10248 > - mips64: 9311 > - powerpc64: 9273 > - sparc64: 9636 > o Packages for the following architectures will be made available as > their builds complete: > - arm > - mips64el > - powerpc > > - Some highlights: > > o Asterisk 18.6.0 o Mutt 2.1.3 and NeoMutt 20210205 > o Audacity 2.4.2 o Node.js 12.22.6 > o CMake 3.20.3 o OCaml 4.10.0 > o Chromium 93.0.4577.82 o OpenLDAP 2.4.59 > o Emacs 27.2 o PHP 7.3.30, 7.4.23 and 8.0.10 > o FFmpeg 4.4 o Postfix 3.5.12 > o GCC 8.4.0 and 11.2.0 o PostgreSQL 13.4 > o GHC 8.10.6 o Python 2.7.18, 3.8.12 and 3.9.7 > o GNOME 40.4 o Qt 5.15.2 and 6.0.4 > o Go 1.17 o R 4.1.1 > o JDK 8u302, 11.0.12 and 16.0.2 o Ruby 2.6.8, 2.7.4 and 3.0.2 > o KDE Applications 21.08.1 o Rust 1.55.0 > o KDE Frameworks 5.85.0 o SQLite 3.35.5 > o Krita 4.4.8 o Shotcut 21.01.29 > o LLVM/Clang 11.1.0 o Sudo 1.9.7p2 > o LibreOffice 7.2.1.2 o Suricata 6.0.2 > o Lua 5.1.5, 5.2.4 and 5.3.6 o Tcl/Tk 8.5.19 and 8.6.8 > o MariaDB 10.6.4 o TeX Live 2020 > o Mono 6.12.0.122 o Vim 8.2.3394 and Neovim 0.5.0 > o Mozilla Firefox 92.0 and o Xfce 4.16 > ESR 91.1.0 > o Mozilla Thunderbird 91.1.1 > > - As usual, steady improvements in manual pages and other documentation. > > - The system includes the following major components from outside suppliers: > o Xenocara (based on X.Org 7.7 with xserver 1.20.13 + patches, > freetype 2.10.4, fontconfig 2.12.4, Mesa 21.1.8, xterm 367, > xkeyboard-config 2.20, fonttosfnt 1.2.2, and more) > o LLVM/Clang 11.1.0 (+ patches) > o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) > o Perl 5.32.1 (+ patches) > o NSD 4.3.7 > o Unbound 1.13.2 > o Ncurses 5.7 > o Binutils 2.17 (+ patches) > o Gdb 6.3 (+ patches) > o Awk December 18, 2020 version > o Expat 2.4.1 > > ------------------------------------------------------------------------ > - SECURITY AND ERRATA -------------------------------------------------- > > We provide patches for known security threats and other important > issues discovered after each release. Our continued research into > security means we will find new security problems -- and we always > provide patches as soon as possible. Therefore, we advise regular > visits to > > https://www.OpenBSD.org/security.html > and > https://www.OpenBSD.org/errata.html > > ------------------------------------------------------------------------ > - MAILING LISTS AND FAQ ------------------------------------------------ > > Mailing lists are an important means of communication among users and > developers of OpenBSD. For information on OpenBSD mailing lists, please > see: > > https://www.OpenBSD.org/mail.html > > You are also encouraged to read the Frequently Asked Questions (FAQ) at: > > https://www.OpenBSD.org/faq/ > > ------------------------------------------------------------------------ > - DONATIONS ------------------------------------------------------------ > > The OpenBSD Project is a volunteer-driven software group funded by > donations. Besides OpenBSD itself, we also develop important software > like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet > filter, the quality work of our ports development process, and many > others. This ecosystem is all handled under the same funding umbrella. > > We hope our quality software will result in contributions that maintain > our build/development infrastructure, pay our electrical/internet costs, > and allow us to continue operating very productive developer hackathon > events. > > All of our developers strongly urge you to donate and support our future > efforts. Donations to the project are highly appreciated, and are > described in more detail at: > > https://www.OpenBSD.org/donations.html > > ------------------------------------------------------------------------ > - OPENBSD FOUNDATION --------------------------------------------------- > > For those unable to make their contributions as straightforward gifts, > the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian > not-for-profit corporation that can accept larger contributions and > issue receipts. In some situations, their receipt may qualify as a > business expense write-off, so this is certainly a consideration for > some organizations or businesses. > > There may also be exposure benefits since the Foundation may be > interested in participating in press releases. In turn, the Foundation > then uses these contributions to assist OpenBSD's infrastructure needs. > Contact the foundation directors at [email protected] for > more information. > > ------------------------------------------------------------------------ > - RELEASE SONG --------------------------------------------------------- > > OpenBSD 7.0 comes with the song "The Style Hymn". Lyrics (and an > explanation) of the song may be found at: > > https://www.OpenBSD.org/lyrics.html#70 > > ------------------------------------------------------------------------ > - HTTPS INSTALLS ------------------------------------------------------- > > OpenBSD can be easily installed via HTTPS downloads. Typically you need > a single small piece of boot media (e.g., a USB flash drive) and then > the rest of the files can be installed from a number of locations, > including directly off the Internet. Follow this simple set of > instructions to ensure that you find all of the documentation you will > need while performing an install via HTTPS. > > 1) Read either of the following two files for a list of HTTPS mirrors > which provide OpenBSD, then choose one near you: > > https://www.OpenBSD.org/ftp.html > https://ftp.openbsd.org/pub/OpenBSD/ftplist > > As of October 14, 2021, the following HTTPS mirror sites have the > 7.0 release: > > https://cdn.openbsd.org/pub/OpenBSD/7.0/ Global > https://ftp.eu.openbsd.org/pub/OpenBSD/7.0/ Stockholm, Sweden > https://ftp.hostserver.de/pub/OpenBSD/7.0/ Frankfurt, Germany > https://ftp.bytemine.net/pub/OpenBSD/7.0/ Oldenburg, Germany > https://ftp.fr.openbsd.org/pub/OpenBSD/7.0/ Paris, France > https://mirror.aarnet.edu.au/pub/OpenBSD/7.0/ Brisbane, > Australia > https://ftp.usa.openbsd.org/pub/OpenBSD/7.0/ CO, USA > https://ftp5.usa.openbsd.org/pub/OpenBSD/7.0/ CA, USA > https://mirror.esc7.net/pub/OpenBSD/7.0/ TX, USA > https://openbsd.cs.toronto.edu/pub/OpenBSD/7.0/ Toronto, Canada > https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.0/ Global > https://fastly.cdn.openbsd.org/pub/OpenBSD/7.0/ Global > > The release is also available at the master site: > > https://ftp.openbsd.org/pub/OpenBSD/7.0/ Alberta, Canada > > However it is strongly suggested you use a mirror. > > Other mirror sites may take a day or two to update. > > 2) Connect to that HTTPS mirror site and go into the directory > pub/OpenBSD/7.0/ which contains these files and directories. > This is a list of what you will see: > > ANNOUNCEMENT armv7/ octeon/ root.mail > README hppa/ openbsd-70-base.pub sparc64/ > SHA256 i386/ packages/ src.tar.gz > SHA256.sig landisk/ packages-stable/ sys.tar.gz > alpha/ loongson/ ports.tar.gz xenocara.tar.gz > amd64/ luna88k/ powerpc64/ > arm64/ macppc/ riscv64/ > > It is quite likely that you will want at LEAST the following > files which apply to all the architectures OpenBSD supports. > > README - generic README > root.mail - a copy of root's mail at initial login. > (This is really worthwhile reading). > > 3) Read the README file. It is short, and a quick read will make > sure you understand what else you need to fetch. > > 4) Next, go into the directory that applies to your architecture, > for example, amd64. This is a list of what you will see: > > BOOTIA32.EFI* bsd* floppy70.img pxeboot* > BOOTX64.EFI* bsd.mp* game70.tgz xbase70.tgz > BUILDINFO bsd.rd* index.txt xfont70.tgz > INSTALL.amd64 cd70.iso install70.img xserv70.tgz > SHA256 cdboot* install70.iso xshare70.tgz > SHA256.sig cdbr* man70.tgz > base70.tgz comp70.tgz miniroot70.img > > If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 > and install70.iso. The install70.iso file (roughly 697MB in size) > is a one-step ISO-format install CD image which contains the various > *.tgz files so you do not need to fetch them separately. > > If you prefer to use a USB flash drive, fetch install70.img and > follow the instructions in INSTALL.amd64. > > 5) If you are an expert, follow the instructions in the file called > README; otherwise, use the more complete instructions in the > file called INSTALL.amd64. INSTALL.amd64 may tell you that you > need to fetch other files. > > 6) Just in case, take a peek at: > > https://www.OpenBSD.org/errata.html > > This is the page where we talk about the mistakes we made while > creating the 7.0 release, or the significant bugs we fixed > post-release which we think our users should have fixes for. > Patches and workarounds are clearly described there. > > ------------------------------------------------------------------------ > - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- > > X.Org has been integrated more closely into the system. This release > contains X.Org 7.7. Most of our architectures ship with X.Org, including > amd64, sparc64 and macppc. During installation, you can install X.Org > quite easily using xenodm(1), our simplified X11 display manager forked > from xdm(1). > > ------------------------------------------------------------------------ > - PACKAGES AND PORTS --------------------------------------------------- > > Many third party software applications have been ported to OpenBSD and > can be installed as pre-compiled binary packages on the various OpenBSD > architectures. Please see https://www.openbsd.org/faq/faq15.html for > more information on working with packages and ports. > > Note: a few popular ports, e.g., NSD, Unbound, and several X > applications, come standard with OpenBSD and do not need to be installed > separately. > > ------------------------------------------------------------------------ > - SYSTEM SOURCE CODE --------------------------------------------------- > > The source code for all four subsystems can be found in the > pub/OpenBSD/7.0/ directory: > > xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz > > The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.0/README) file > explains how to deal with these source files. > > ------------------------------------------------------------------------ > - THANKS --------------------------------------------------------------- > > Ports tree and package building by Jasper Lievisse Adriaanse, > Pierre-Emmanuel Andre, Jeremie Courreges-Anglas, Visa Hankala, > Stuart Henderson, Peter Hessler, Kurt Mosiejczuk, Christian Weisgerber, > and Charlene Wendling. Base and X system builds by Kenji Aoyama and > Theo de Raadt. Release art contributed by Natasha Allegri. > > We would like to thank all of the people who sent in bug reports, bug > fixes, donation cheques, and hardware that we use. We would also like > to thank those who bought our previous CD sets. Those who did not > support us financially have still helped us with our goal of improving > the quality of the software. > > Our developers are: > > Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, > Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, > Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, > Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, > Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, > Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, > Carlos Cardenas, Charlene Wendling, Charles Longeau, > Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, > Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, > Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, > David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett, > Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm, > Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias, > Gilles Chehade, Giovanni Bechis, Gleydson Soares, > Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, > Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, > Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre, > Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, > Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, > Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein, > Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, > Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, > Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, > Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis, > Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, > Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson, > Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, > Mike Belopuhov, Mike Larkin, Moritz Buhl, Nam Nguyen, > Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, > Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, > Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, > Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, > Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, > Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, > Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, > Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, > Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling, > Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, > T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, > Thomas Frohwein, Tim van der Molen, Tobias Heider, > Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, > Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, > Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko, > Yojiro Uo >
