Congratulations!!! :) On Mon, Apr 2, 2018 at 3:49 PM, Theo de Raadt <dera...@openbsd.org> wrote:
> The release was scheduled for April 15, but since all the components > are ready ahead of schedule it is being released now. > > ------------------------------------------------------------------------ > - OpenBSD 6.3 RELEASED ------------------------------------------------- > > Apr 15, 2018. > > We are pleased to announce the official release of OpenBSD 6.3. > This is our 44th release. We remain proud of OpenBSD's record of more > than twenty years with only two remote holes in the default install. > > As in our previous releases, 6.3 provides significant improvements, > including new features, in nearly all areas of the system: > > - Improved hardware support, including: > o SMP support on OpenBSD/arm64 platforms. > o VFP and NEON support on OpenBSD/armv7 platforms. > o New acrtc(4) driver for X-Powers AC100 audio codec and Real Time > Clock. > o New axppmic(4) driver for X-Powers AXP Power Management ICs. > o New bcmrng(4) driver for Broadcom BCM2835/BCM2836/BCM2837 random > number generator. > o New bcmtemp(4) driver for Broadcom BCM2835/BCM2836/BCM2837 > temperature monitor. > o New bgw(4) driver for Bosch motion sensor. > o New bwfm(4) driver for Broadcom and Cypress FullMAC 802.11 devices > (still experimental and not compiled into the kernel by default). > o New efi(4) driver for EFI runtime services. > o New imxanatop(4) driver for i.MX6 integrated regulator. > o New rkpcie(4) driver for Rockchip RK3399 Host/PCIe bridge. > o New sxirsb(4) driver for Allwinner Reduced Serial Bus controller. > o New sxitemp(4) driver for Allwinner temperature monitor. > o New sxits(4) driver for temperature sensor on Allwinner A10/A20 > touchpad controller. > o New sxitwi(4) driver for two-wire bus found on several Allwinner > SoCs. > o New sypwr(4) driver for the Silergy SY8106A regulator. > o Support for Rockchip RK3328 SoCs has been added to the dwge(4), > rkgrf(4), rkclock(4) and rkpinctrl(4) drivers. > o Support for Rockchip RK3288/RK3328 SoCs has been added to the > rktemp(4) driver. > o Support for Allwinner A10/A20, A23/A33, A80 and R40/V40 SoCs has > been added to the sxiccmu(4) driver. > o Support for Allwinner A33, GR8 and R40/V40 SoCs has been added to > the sxipio(4) driver. > o Support for SAS3.5 MegaRAIDs has been added to the mfii(4) driver. > o Support for Intel Cannon Lake and Ice Lake integrated Ethernet has > been added to the em(4) driver. > o cnmac(4) ports are now assigned to different CPU cores for > distributed interrupt processing. > o The pms(4) driver now detects and handles reset announcements. > o On amd64 Intel CPU microcode is loaded on boot and > installed/updated by fw_update(1). > o Support the sun4v hypervisor interrupt cookie API, adding support > for SPARC T7-1/2/4 machines. > o Hibernate support has been added for SD/MMC storage attached to > sdhc(4) controllers. > o clang(1) is now used as the system compiler on armv7, and it is > also provided on sparc64. > > - vmm(4)/ vmd(8) improvements: > o Add CD-ROM/DVD ISO support to vmd(8) via vioscsi(4). > o vmd(8) no longer creates an underlying bridge interface for > virtual switches defined in vm.conf(5). > o vmd(8) receives switch information (rdomain, etc) from underlying > switch interface in conjunction of settings in vm.conf(5). > o Time Stamp Counter (TSC) support in guest VMs. > o Support ukvm/Solo5 unikernels in vmm(4). > o Handle valid (but uncommon) instruction encodings better. > o Better PAE paging support for 32-bit Linux guest VMs. > o vmd(8) now allows up to four network interfaces in each VM. > o Add paused migration and snapshotting support to vmm(4) for AMD > SVM/RVI hosts. > o BREAK commands sent over a pty(4) are now understood by vmd(8). > o Many fixes to vmctl(8) and vmd(8) error handling. > > - IEEE 802.11 wireless stack improvements: > o The iwm(4) and iwn(4) drivers will automatically roam between > access points which share an ESSID. Forcing a particular AP's MAC > address with ifconfig's bssid command disables roaming. > o Automatically clear configured WEP/WPA keys when a new network > ESSID is configured. > o Removed the ability for userland to read configured WEP/WPA keys > back from the kernel. > o The iwm(4) driver can now connect to networks with a hidden SSID. > o USB devices supported by the athn(4) driver now use an open source > firmware, and hostap mode now works with these devices. > > - Generic network stack improvements: > o The network stack no longer runs with the KERNEL_LOCK() when IPsec > is enabled. > o Processing of incoming TCP/UDP packets is now done without > KERNEL_LOCK(). > o The socket splicing task runs without KERNEL_LOCK(). > o Cleanup and removal of code in sys/netinet6 since > autoconfiguration runs in userland now. > o bridge(4) members can now be prevented to talk to each others with > the new protected option. > o The pf divert-packet feature has been simplified. The IP_DIVERTFL > socket option has been removed from divert(4). > o Various corner cases of pf divert-to and divert-reply are more > consistent now. > o Enforce in pf(4) that all neighbor discovery packets have 255 in > their IPv6 header hop limit field. > o New set syncookies option in pf.conf(5). > o Support for GRE over IPv6. > o New egre(4) driver for Ethernet over GRE tunnels. > o Support for the optional GRE key header and GRE key entropy in > gre(4) and egre(4). > o New nvgre(4) driver for Network Virtualization using Generic > Routing Encapsulation. > o Support for configuring the Don't Fragment flag packets > encapsulated by tunnel interfaces. > > - Installer improvements: > o if install.site or upgrade.site fails, notify the user and error > out after storing rand.seed. > o allow CIDR notation when entering IPv4 and IPv6 addresses. > o repair selection of a HTTP mirror from the list of mirrors. > o allow '-' in usernames. > o ask a question at the end of the install/upgrade process so > carriage return causes the appropriate action, e.g. reboot. > o display the mode (install or upgrade) shell prompts as long as no > hostname is known. > o correctly detect which interface has the default route and if it > was configured via DHCP. > o ensure sets can be read from the prefetch area. > o ensure URL redirection is effective for entire install/upgrade. > o add the HTTP proxy used when fetching sets to rc.firsttime, where > fw_update and syspatch can find and use it. > o add logic to support RFC 7217 with SLAAC. > o ensure that IPv6 is configured for dynamically created network > interfaces like vlan(4). > o create correct hostname when both domain-name and domain-search > options are provided in the DHCP lease. > > - Routing daemons and other userland network improvements: > o bgpctl(8) has a new ssv option which outputs rib entries as a > single semicolon-separated like for selection before output. > o slaacd(8) generates random but stable IPv6 stateless > autoconfiguration addresses according to RFC 7217. These are > enabled per default in accordance with RFC 8064. > o slaacd(8) follows RFC 4862 by removing an artificial limitation on > /64 sized prefixes using RFC 7217 (random but stable) and RFC 4941 > (privacy) style stateless autoconfiguration addresses. > o ospfd(8) can now set the metric for a route depending on the > status of an interface. > o ifconfig(8) has a new staticarp option to make interfaces reply to > ARP requests only. > o ipsecctl(8) can now collapse flow outputs having the same source > or destination. > o The -n option in netstart(8) no longer messes with the default > route. It is now documented as well. > > - Security improvements: > o Use even more trap-sleds on various architectures. > o More use of .rodata for constant variables in assembly source. > o Stop using x86 "repz ret" in dusty corners of the tree. > o Introduce "execpromises" in pledge(2). > o The elfrdsetroot utility used to build ramdisks and the rebound(8) > monitoring process now use pledge(2). > o Prepare for the introduction of MAP_STACK to mmap(2) after 6.3. > o Push a small piece of KARL-linked kernel text into the random > number generator as entropy at startup. > o Put a small random gap at the top of thread stacks, so that > attackers have yet another calculation to perform for their ROP > work. > o Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs. > o OpenBSD/arm64 now uses kernel page table isolation to mitigate > Spectre variant 3 (Meltdown) attacks. > o OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer > (BTB) on processors that do speculative execution to mitigate > Spectre variant 2 attacks. > o pool_get(9) perturbs the order of items on newly allocated pages, > making the kernel heap layout harder to predict. > o The fktrace(2) system call was deleted. > > - dhclient(8) improvements: > o Parsing dhclient.conf(5) no longer leaks SSID strings, strings > that are too long for the parsing buffer or repeated string > options and commands. > o Storing leases in dhclient.conf(5) is no longer supported. > o 'DENY' is no longer valid in dhclient.conf(5). > o dhclient.conf(5) and dhclient.leases(5) parsing error messages > have been simplified and clarified, with improved behaviour in the > presence of unexpected semicolons. > o More care is taken to only use configuration information that was > successfully parsed. > o '-n' has been added, which causes dhclient(8) to exit after > parsing dhclient.conf(5). > o Default routes in options classless-static-routes (121) and > classless-ms-static-routes (249) are now correctly represented in > dhclient.leases(5) files. > o Overwrite the file specified with '-L' rather than appending to > it. > o Leases in dhclient.leases(5) now contain an 'epoch' attribute > recording the time the lease was accepted, which is used to > calculate correct renewal, rebinding and expiry times. > o No longer nag about underscores in names violating RFC 952. > o Unconditionally send host-name information when requesting a > lease, eliminating the need for dhclient.conf(5) in the default > installation. > o Be quiet by default. '-q' has been removed and '-v' added to > enable verbose logging. > o Decline duplicate offers for the requested address. > o Unconditionally go into the background after link-timeout seconds. > o Significantly reduce logging when being quiet, but make '-v' log > all debug information without needing to compile a custom > executable. > o Ignore 'interface' statements in dhclient.leases(5) and assume all > leases in the file are for the interface being configured. > o Display the source of the lease bound to the interface. > o 'ignore', 'request' and 'require' declarations in dhclient.conf(5) > now add the specified options to the relevant list rather than > replacing the list. > o Eliminate a startup race that could result in dhclient(8) exiting > without configuring the interface. > > - Assorted improvements: > o Code reorganization and other improvements to malloc(3) and > friends to make them more efficient. > o When performing suspend or hibernate operations, ensure all > filesystems are properly synchronized and marked clean, or if they > cannot be put into perfectly clean state on disk (due to > open+unlinked files) then mark them dirty, so that a failed > resume/unhibernate is guaranteed to perform fsck(8). > o acme-client(1) autodetects the agreement URL and follows 30x HTTP > redirects. > o Added __cxa_thread_atexit() to support modern C++ tool chains. > o Added EVFILT_DEVICE support to kqueue(2) for monitoring changes to > drm(4) devices. > o ldexp(3) now handles the sign of denormal numbers correctly on > mips64. > o New sincos(3) functions in libm. > o fdisk(8) now ensures the validity of MBR partition offsets entered > while editing. > o fdisk(8) now ensures that default values lie within the valid > range. > o less(1) now splits only the environment variable LESS on '$'. > o less(1) no longer creates a spurious file when encountering '$' in > the initial command. > o softraid(4) now validates the number of chunks when assembling a > volume, ensuring the on-disk and in-memory metadata are in sync. > o disklabel(8) now always offers to edit an FFS partition's fragment > size before offering to edit the blocksize. > o disklabel(8) now allows editing the cylinders/group (cpg) > attribute whenever the partition blocksize can be edited. > o disklabel(8) now detects ^D and invalid input during (R)esize > commands. > o disklabel(8) now detects underflows and overflows when -/+ > operators are used. > o disklabel(8) now avoids an off-by-one when calculating the number > of cylinders in a free chunk. > o disklabel(8) now validates the requested partition size against > the size of the largest free chunk instead of the total free > space. > o Support for dumping USB transfers via bpf(4). > o tcpdump(8) can now understand dumps of USB transfers in the > USBPcap format. > o The default prompts of csh(1), ksh(1) and sh(1) now include the > hostname. > o Memory allocation in ksh(1) was switched from calloc(3) back to > malloc(3), making it easier to recognize uninitialized memory. As > a result, a history-related bug in emacs editing mode was > discovered and fixed. > o New script(1) -c option to run a command instead of a shell. > o New grep(1) -m option to limit the number of matches. > o New uniq(1) -i option for case-insensitive comparison. > o The printf(3) format string is no longer validated when looking > for % formats. Based on a commit by android and following most > other operating systems. > o Improved error checking in vfwprintf(3). > o Many base programs have been audited and fixed for stale file > descriptors, including cron(8), ftp(1), mandoc(1), openssl(1), > ssh(1) and sshd(8). > o Various bug fixes and improvements in jot(1): > - Arbitrary length limits for the arguments for the -b, -s, -w > options were removed. > - The %F format specifier is now supported and a bug in the %D > format was fixed. > - Better code coverage in regression tests. > - Several buffer overruns were fixed. > o The patch(1) utility now copes better with git diffs that create > or delete files. > o pkg_add(1) now has improved support for HTTP(S) redirectors such > as cdn.openbsd.org. > o ftp(1) and pkg_add(1) now support HTTPS session resumption for > improved speed. > o mandoc(1) -T ps output file size reduced by more than 50%. > o syslogd(8) logs if there were warnings during startup. > o syslogd(8) stopped logging to files in a full filesystem. Now it > writes a warning and continues after space has been made > available. > o vmt(4) now allows cloning and taking disk-only snapshots of > running guests. > > - OpenSMTPD 6.0.4 > o Add spf walk option to smtpctl(8). > o Assorted cleanups and improvements. > o Numerous manual page fixes and improvements. > > - OpenSSH 7.7 > o New/changed features: > - All: Add experimental support for PQC XMSS keys (Extended > Hash- Based Signatures) based on the algorithm described in > https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-s > ignatures-12 The XMSS signature code is experimental and not > compiled in by default. > - sshd(8): Add a "rdomain" criteria for the sshd_config Match > keyword to allow conditional configuration that depends on > which routing domain a connection was received on (currently > supported on OpenBSD and Linux). > - sshd_config(5): Add an optional rdomain qualifier to the > ListenAddress directive to allow listening on different > routing domains. This is supported only on OpenBSD and Linux > at present. > - sshd_config(5): Add RDomain directive to allow the > authenticated session to be placed in an explicit routing > domain. This is only supported on OpenBSD at present. > - sshd(8): Add "expiry-time" option for authorized_keys files > to allow for expiring keys. > - ssh(1): Add a BindInterface option to allow binding the > outgoing connection to an interface's address (basically a > more usable BindAddress). > - ssh(1): Expose device allocated for tun/tap forwarding via a > new %T expansion for LocalCommand. This allows LocalCommand > to be used to prepare the interface. > - sshd(8): Expose the device allocated for tun/tap forwarding > via a new SSH_TUNNEL environment variable. This allows > automatic setup of the interface and surrounding network > configuration automatically on the server. > - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, > e.g. ssh://user@host or sftp://user@host/path. Additional > connection parameters described in > draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented > since the ssh fingerprint format in the draft uses the > deprecated MD5 hash with no way to specify the any other > algorithm. > - ssh-keygen(1): Allow certificate validity intervals that > specify only a start or stop time (instead of both or > neither). > - sftp(1): Allow "cd" and "lcd" commands with no explicit path > argument. lcd will change to the local user's home directory > as usual. cd will change to the starting directory for > session (because the protocol offers no way to obtain the > remote user's home directory). bz#2760 > - sshd(8): When doing a config test with sshd -T, only require > the attributes that are actually used in Match criteria > rather than (an incomplete list of) all criteria. > o The following significant bugs have been fixed in this release: > - ssh(1)/sshd(8): More strictly check signature types during > key exchange against what was negotiated. Prevents downgrade > of RSA signatures made with SHA-256/512 to SHA-1. > - sshd(8): Fix support for client that advertise a protocol > version of "1.99" (indicating that they are prepared to > accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 > during the removal of SSHv1 support. bz#2810 > - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) > signature when a rsa-sha2-256/512 signature was requested. > This condition is possible when an old or non-OpenSSH agent > is in use. bz#2799 > - ssh-agent(1): Fix regression introduce in 7.6 that caused > ssh-agent to fatally exit if presented an invalid signature > request message. > - sshd_config(5): Accept yes/no flag options > case-insensitively, as has been the case in ssh_config(5) for > a long time. bz#2664 > - ssh(1): Improve error reporting for failures during > connection. Under some circumstances misleading errors were > being shows. bz#2814 > - ssh-keyscan(1): Add -D option to allow printing of results > directly in SSHFP format. bz#2821 > - regress tests: fix PuTTY interop test broken in last > release's SSHv1 removal. bz#2823 > - ssh(1): Compatibility fix for some servers that erroneously > drop the connection when the IUTF8 (RFC8160) option is sent. > - scp(1): Disable RemoteCommand and RequestTTY in the ssh > session started by scp (sftp was already doing this.) > - ssh-keygen(1): Refuse to create a certificate with an > unusable number of principals. > - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write > all the public key during key generation. Previously it would > silently ignore errors writing the comment and terminating > newline. > - ssh(1): Do not modify hostname arguments that are addresses > by automatically forcing them to lower-case. Instead > canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) > before they are matched against known_hosts. bz#2763 > - ssh(1): Don't accept junk after "yes" or "no" responses to > hostkey prompts. bz#2803 > - sftp(1): Have sftp print a warning about shell cleanliness > when decoding the first packet fails, which is usually caused > by shells polluting stdout of non-interactive startups. > bz#2800 > - ssh(1)/sshd(8): Switch timers in packet code from using > wall-clock time to monotonic time, allowing the packet layer > to better function over a clock step and avoiding possible > integer overflows during steps. > - Numerous manual page fixes and improvements. > > - LibreSSL 2.7.2 > o Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on > observations of real-world usage in applications. These are > implemented in parallel with existing OpenSSL 1.0.1 APIs - > visibility changes have not been made to existing structs, > allowing code written for older OpenSSL APIs to continue working. > o Extensive corrections, improvements, and additions to the API > documentation, including new public APIs from OpenSSL that had no > pre-existing documentation. > o Added support for automatic library initialization in libcrypto, > libssl, and libtls. Support for pthread_once or a compatible > equivalent is now required of the target operating system. As a > side-effect, minimum Windows support is Vista or higher. > o Converted more packet handling methods to CBB, which improves > resiliency when generating TLS messages. > o Completed TLS extension handling rewrite, improving consistency of > checks for malformed and duplicate extensions. > o Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. > This removes the last remaining use of the old M_ASN1_* macros > (asn1_mac.h) from API that needs to continue to exist. > o Added support for client-side session resumption in libtls. A > libtls client can specify a session file descriptor (a regular > file with appropriate ownership and permissions) and libtls will > manage reading and writing of session data across TLS handshakes. > o Improved support for strict alignment on ARMv7 architectures, > conditionally enabling assembly in those cases. > o Fixed a memory leak in libtls when reusing a tls_config. > o Merged more DTLS support into the regular TLS code path, removing > duplicated code. > > - Ports and packages: > o Pre-built packages are available for the following architectures on > the day of release: > - aarch64 (arm64): 7790 > - alpha: 1 > - amd64: 9912 > - i386: 9361 > - mips64: 8149 > - sh: 1 > o Packages for the following architectures will be made available as > their builds complete: > - arm > - hppa > - mips64el > - powerpc > - sparc64 > o dpb(1) and normal ports(7) can now enjoy the same privilege > separated model by setting PORTS_PRIVSEP=Yes > > - Some highlights: > > o AFL 2.52b o Mutt 1.9.4 and NeoMutt 20180223 > o Cmake 3.10.2 o Node.js 8.9.4 > o Chromium 65.0.3325.181 o Ocaml 4.03.0 > o Emacs 21.4 and 25.3 o OpenLDAP 2.3.43 and 2.4.45 > o GCC 4.9.4 o PHP 5.6.34 and 7.0.28 > o GHC 8.2.2 o Postfix 3.3.0 and 3.4-20180203 > o Gimp 2.8.22 o PostgreSQL 10.3 > o GNOME 3.26.2 o Python 2.7.14 and 3.6.4 > o Go 1.10 o R 3.4.4 > o Groff 1.22.3 o Ruby 2.3.6, 2.4.3 and 2.5.0 > o JDK 8u144 o Rust 1.24.0 > o KDE 3.5.10 and 4.14.3 (plus o Sendmail 8.16.0.21 > KDE4 core updates) o SQLite 3.22.0 > o LLVM/Clang 5.0.1 o Sudo 1.8.22 > o LibreOffice 6.0.2.1 o Tcl/Tk 8.5.19 and 8.6.8 > o Lua 5.1.5, 5.2.4, and 5.3.4 o TeX Live 2017 > o MariaDB 10.0.34 o Vim 8.0.1589 > o Mozilla Firefox 52.7.2esr and o Xfce 4.12 > 59.0.1 > o Mozilla Thunderbird 52.6.0 > > - As usual, steady improvements in manual pages and other documentation. > > - The system includes the following major components from outside > suppliers: > o Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches, > freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330, > xkeyboard-config 2.20 and more) > o LLVM/Clang 5.0.1 (+ patches) > o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) > o Perl 5.24.3 (+ patches) > o NSD 4.1.20 > o Unbound 1.6.8 > o Ncurses 5.7 > o Binutils 2.17 (+ patches) > o Gdb 6.3 (+ patches) > o Awk Aug 10, 2011 version > o Expat 2.2.5 > > ------------------------------------------------------------------------ > - SECURITY AND ERRATA -------------------------------------------------- > > We provide patches for known security threats and other important > issues discovered after each release. Our continued research into > security means we will find new security problems -- and we always > provide patches as soon as possible. Therefore, we advise regular > visits to > > https://www.OpenBSD.org/security.html > and > https://www.OpenBSD.org/errata.html > > ------------------------------------------------------------------------ > - MAILING LISTS AND FAQ ------------------------------------------------ > > Mailing lists are an important means of communication among users and > developers of OpenBSD. For information on OpenBSD mailing lists, please > see: > > https://www.OpenBSD.org/mail.html > > You are also encouraged to read the Frequently Asked Questions (FAQ) at: > > https://www.OpenBSD.org/faq/ > > ------------------------------------------------------------------------ > - DONATIONS ------------------------------------------------------------ > > The OpenBSD Project is volunteer-driven software group funded by > donations. Besides OpenBSD itself, we also develop important software > like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet > filter, the quality work of our ports development process, and many > others. This ecosystem is all handled under the same funding umbrella. > > We hope our quality software will result in contributions that maintain > our build/development infrastructure, pay our electrical/internet costs, > and allow us to continue operating very productive developer hackathon > events. > > All of our developers strongly urge you to donate and support our future > efforts. Donations to the project are highly appreciated, and are > described in more detail at: > > https://www.OpenBSD.org/donations.html > > ------------------------------------------------------------------------ > - OPENBSD FOUNDATION --------------------------------------------------- > > For those unable to make their contributions as straightforward gifts, > the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian > not-for-profit corporation that can accept larger contributions and > issue receipts. In some situations, their receipt may qualify as a > business expense write-off, so this is certainly a consideration for > some organizations or businesses. > > There may also be exposure benefits since the Foundation may be > interested in participating in press releases. In turn, the Foundation > then uses these contributions to assist OpenBSD's infrastructure needs. > Contact the foundation directors at direct...@openbsdfoundation.org for > more information. > > ------------------------------------------------------------------------ > - RELEASE SONGS -------------------------------------------------------- > > Every OpenBSD release is accompanied by artwork and a song. A song may > be coming for the 6.3 release, but later. If so, lyrics (and an > explanation) of the song may be found at: > > https://www.OpenBSD.org/lyrics.html > > ------------------------------------------------------------------------ > - HTTP/HTTPS INSTALLS -------------------------------------------------- > > OpenBSD can be easily installed via HTTP/HTTPS downloads. Typically you > need a single small piece of boot media (e.g., a USB flash drive) and > then the rest of the files can be installed from a number of locations, > including directly off the Internet. Follow this simple set of > instructions to ensure that you find all of the documentation you will > need while performing an install via HTTP/HTTPS. > > 1) Read either of the following two files for a list of HTTP/HTTPS > mirrors which provide OpenBSD, then choose one near you: > > https://www.OpenBSD.org/ftp.html > https://ftp.openbsd.org/pub/OpenBSD/ftplist > > As of March 31, 2018, the following HTTP/HTTPS mirror sites have > the 6.3 release: > > https://ftp.eu.openbsd.org/pub/OpenBSD/6.3/ Stockholm, Sweden > https://ftp.hostserver.de/pub/OpenBSD/6.3/ Frankfurt, Germany > http://ftp.bytemine.net/pub/OpenBSD/6.3/ Oldenburg, Germany > https://ftp.fr.openbsd.org/pub/OpenBSD/6.3/ Paris, France > https://mirror.aarnet.edu.au/pub/OpenBSD/6.3/ Brisbane, > Australia > https://ftp.usa.openbsd.org/pub/OpenBSD/6.3/ CO, USA > https://ftp5.usa.openbsd.org/pub/OpenBSD/6.3/ CA, USA > https://mirror.esc7.net/pub/OpenBSD/6.3/ TX, USA > https://openbsd.cs.toronto.edu/pub/OpenBSD/6.3/ Toronto, Canada > https://fastly.cdn.openbsd.org/pub/OpenBSD/6.3/ Global > > The release is also available at the master site: > > https://ftp.openbsd.org/pub/OpenBSD/6.3/ Alberta, Canada > > However it is strongly suggested you use a mirror. > > Other mirror sites may take a day or two to update. > > 2) Connect to that HTTP/HTTPS mirror site and go into the directory > pub/OpenBSD/6.3/ which contains these files and directories. > This is a list of what you will see: > > ANNOUNCEMENT arm64/ macppc/ src.tar.gz > Changelogs/ armv7/ octeon/ sys.tar.gz > README hppa/ packages/ tools/ > SHA256 i386/ ports.tar.gz xenocara.tar.gz > SHA256.sig landisk/ root.mail > alpha/ loongson/ sgi/ > amd64/ luna88k/ sparc64/ > > It is quite likely that you will want at LEAST the following > files which apply to all the architectures OpenBSD supports. > > README - generic README > root.mail - a copy of root's mail at initial login. > (This is really worthwhile reading). > > 3) Read the README file. It is short, and a quick read will make > sure you understand what else you need to fetch. > > 4) Next, go into the directory that applies to your architecture, > for example, amd64. This is a list of what you will see: > > BOOTIA32.EFI* bsd* floppy63.fs pxeboot* > BOOTX64.EFI* bsd.mp* game63.tgz xbase63.tgz > BUILDINFO bsd.rd* index.txt xfont63.tgz > INSTALL.amd64 cd63.iso install63.fs xserv63.tgz > SHA256 cdboot* install63.iso xshare63.tgz > SHA256.sig cdbr* man63.tgz > base63.tgz comp63.tgz miniroot63.fs > > If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 > and install63.iso. The install63.iso file (roughly 346MB in size) > is a one-step ISO-format install CD image which contains the various > *.tgz files so you do not need to fetch them separately. > > If you prefer to use a USB flash drive, fetch install63.fs and > follow the instructions in INSTALL.amd64. > > 5) If you are an expert, follow the instructions in the file called > README; otherwise, use the more complete instructions in the > file called INSTALL.amd64. INSTALL.amd64 may tell you that you > need to fetch other files. > > 6) Just in case, take a peek at: > > https://www.OpenBSD.org/errata.html > > This is the page where we talk about the mistakes we made while > creating the 6.3 release, or the significant bugs we fixed > post-release which we think our users should have fixes for. > Patches and workarounds are clearly described there. > > ------------------------------------------------------------------------ > - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- > > X.Org has been integrated more closely into the system. This release > contains X.Org 7.7. Most of our architectures ship with X.Org, including > amd64, sparc64 and macppc. During installation, you can install X.Org > quite easily. Be sure to try out xenodm(1), our new, simplified X11 > display manager forked from xdm(1). > > ------------------------------------------------------------------------ > - PACKAGES AND PORTS --------------------------------------------------- > > Many third party software applications have been ported to OpenBSD and > can be installed as pre-compiled binary packages on the various OpenBSD > architectures. Please see https://www.openbsd.org/faq/faq15.html for > more information on working with packages and ports. > > Note: a few popular ports, e.g., NSD, Unbound, and several X > applications, come standard with OpenBSD and do not need to be installed > separately. > > ------------------------------------------------------------------------ > - SYSTEM SOURCE CODE --------------------------------------------------- > > The source code for all four subsystems can be found in the > pub/OpenBSD/6.3/ directory: > > xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz > > The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.3/README) file > explains how to deal with these source files. > > ------------------------------------------------------------------------ > - THANKS --------------------------------------------------------------- > > Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil, > Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and > Christian Weisgerber. Base and X system builds by Kenji Aoyama, > Theo de Raadt, and Visa Hankala. > > We would like to thank all of the people who sent in bug reports, bug > fixes, donation cheques, and hardware that we use. We would also like > to thank those who bought our previous CD sets. Those who did not > support us financially have still helped us with our goal of improving > the quality of the software. > > Our developers are: > > Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, > Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, > Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, > Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe , Benoit Lecocq, > Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, > Brian Callahan, Bryan Steele, Can Erkin Acar, Carlos Cardenas, > Charles Longeau, Chris Cappuccio, Christian Weisgerber, > Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, > Daniel Boulet, Daniel Dickman, Daniel Jakots, Darren Tucker, > David Coppa, David Gwynne, David Hill, Denis Fondras, > Dmitrij Czarkoff, Doug Hogan, Edd Barrett, Eric Faurot, > Florian Obser, Florian Riehm, Frederic Cambus, Gerhard Roth, > Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, > Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer, Ian Darwin, > Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, > Inoguchi Kinichiro, James Turner, Jason McIntyre, > Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, > Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, > Jonathan Matthew, Joris Vink, Joshua Stein, > Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, > Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, > Klemens Nanni, Kurt Miller, Landry Breuil, Lawrence Teo, > Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker, > Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, > Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson, > Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Mike Belopuhov, > Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, > Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf, > Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, > Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, > Rafael Sadowski, Rafael Zalamena, Remi Locherer, Remi Pointel, > Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter, > Rob Pierce, Robert Nagy, Robert Peichaer, Sasano Takayoshi, > Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, > Sebastien Marie, Stefan Fritsch, Stefan Kempf, Stefan Sperling, > Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, > T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, > Tim van der Molen, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, > Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, > Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo > >