Thursday, October 14, 2021

Re: OpenBSD 7.0 released, Oct 14

Hi,

Just upgraded both my servers from 6.9 to 7.0.
But I noticed an issue on the mirrors with
rc.firsttime.

syspatch fails with error 404 on the mirrors:
Error retrieving https://cdn.openbsd.org/pub/OpenBSD/syspatch/7.0/amd64/SHA256.sig: 404 Not Found

Indeed SHA256.sig is currently missing on the mirrors.

Best regards,

J. K.

On 14.10.21 16:34, Theo de Raadt wrote:
>
> ------------------------------------------------------------------------
> - OpenBSD 7.0 RELEASED -------------------------------------------------
>
> October 14, 2021.
>
> We are pleased to announce the official release of OpenBSD 7.0.
> This is our 51st release. We remain proud of OpenBSD's record of more
> than twenty years with only two remote holes in the default install.
>
> As in our previous releases, 7.0 provides significant improvements,
> including new features, in nearly all areas of the system:
>
> - New/extended platforms:
> o Added new riscv64 platform for 64-bit RISC-V systems.
> o The arm64 platform support was improved with the following
> changes:
> - Support for Apple Silicon Macs has improved but is not ready
> for general use yet:
> # Added support for installing on a disk with a GPT.
> # Added apldart(4) support for a DART with two sets of
> registers, needed to support the Synopsys DesignWare USB
> 3 controller.
> # Added apldwusb(4), a glue driver for the Synopsys
> DesignWare USB 3 controllers found on the Apple M1 SoC.
> # Added aplns(4) to provide support for Apple NVME storage
> as found in Apple M1 devices.
> # Added aplpinctrl(4) driver for the Apple GPIO controller
> found on the M1 SoCs.
> # Added aplpmu(4), a driver for the Apple "sera" SPMI
> power management unit that contains the RTC on Apple M1
> systems.
> # Added aplspmi(4), a driver for the Apple SPMI
> controller.
> - Enabled LEDs for the mue(4) LAN7800 chip as found on the
> Raspberry Pi 3 Model B+.
> - Added rktcphy(4), a driver for the Type-C PHY controller
> found on the Rockchip RK3399.
> - Implemented multicast support in mvpp(4).
> o Changes on other architectures:
> - Switched macppc to use ld.lld(1).
> - Fixed an issue preventing applications from selecting the
> non-ALTIVEC code path on macppc.
> - Made amd64 hw.setperf percentages proportional to the
> enhanced speed step frequencies on Intel processors. The
> default hw.setperf=99 corresponds to the maximum ordinary
> speed, and setting it to 100 enables turbo mode.
> - Enabled cy(4) on amd64.
> - Disabled base-gcc on amd64.
> - Prevented crashes on amd64 when TLB entries which should have
> been invalidated were used.
> - Prevented a kernel panic in sparc64 due to page boundary
> misalignment.
> - Forced luna88k to use the serial console when no graphics
> board is found.
> - Made additional free inodes on luna88k bsd.rd by specifying
> density=4096.
> - Fixed strchr() and strrchr() on mips64.
> - Prevented watchdog resets on some i.MX 64-bit machines with a
> recent U-Boot and watchdog enabled on boot in imxdog(8).
> - Created audio devices on armv7.
> - Retired OpenBSD/sgi platform.
> - Enabled MSI-X support for powerpc64.
> - Fixed __ppc_lock for page faults that recursively grab the
> lock on powerpc.
> - Increased the maximum data size on powerpc64 to 32GB.
> - Disabled global page table mappings when using PCID to
> prevent crashes when not flushed from TLB on amd64.
> - Added cduart(4) driver for Cadence Universal Asynchronous
> Receiver/Transmitter on armv7.
> - Added zqclock(4) driver for Xilinx Zynq-7000 clock controller
> on armv7.
> - Added zqreset(4) driver for Xilinx Zynq-7000 reset controller
> on armv7.
>
> - Various kernel improvements:
> o Unlocked the top part of the VM fault handler on i386.
> o Enabled dt(4) for GENERIC kernels on amd64, arm64, i386, sparc64,
> and powerpc64.
> o Added kprobes provider for dt(4).
> o Implemented < and > operators in btrace(8) filters.
> o Added btrace(8) display of time spent in userland when analyzing
> the kernel stack in the flame graph tool and fixed a parsing bug.
> o Introduced /etc/bsd.re-config(5), which can be used to configure
> the kernel using config(8), allowing use of KARL while making
> changes to the GENERIC kernel.
> o Identify TPM 2.0 devices and perform the 2.0-specific suspend
> command, allowing the ThinkPad X1 Carbon Gen 9 and ThinkPad X1
> Nano with the latest BIOS (which added S3) to resume.
> o Changed the printing of the hibernate image size from bytes to
> megabytes.
> o Increased hibernate writeout speed.
> o Added "machine sysregs" command to ddb(4) on amd64.
> o Prevented interleaved stack traces in ddb(4) from multiple CPUs.
> o Delayed installation of sensors until a device with battery
> support is connected, allowing sensorsd(8) to pick up hotplugged
> uhidpp(4) devices.
> o Prevented a kernel panic after VFS shutdown.
> o Increased the setitimer(2) timer limit to UINT_MAX seconds.
> o Serialized the internals of kqueue(2) with a mutex.
> o Enabled pool cache on knote(9) pool.
> o Fixed futex(2) errno handling to match what Mesa expects and
> prevent failure to properly report timeouts.
> o Fixed a kernel crash in tty(4).
> o Increased the default buffer space on PF_UNIX sockets to 8k and
> made the values tuneable via sysctl(2).
> o Made kqueue(2) timer re-addition reset an existing timer to use
> the new timeout period.
> o In the build system, pass make flags to kernel and lib builds,
> making hacking on ramdisks/the installer much faster.
>
> - SMP Improvements
> o Made pmap_extract() mpsafe on hppa and amd64.
> o Introduced CPU_IS_RUNNING() and used it in scheduler-related code
> to prevent waiting on non-running CPUs.
> o Made anonymous object reference counting independent from the
> KERNEL_LOCK().
> o Unlocked connect(2).
> o Unlocked setrtable(2).
> o Introduced per-CPU panic(9) message buffers.
> o Used so_lock to protect key management (PF_KEY) sockets.
> o Used so_lock to protect routing (PF_ROUTE) sockets.
> o Unlocked lseek(2).
> o Unlocked the top part of the fault handler.
>
> - Direct Rendering Manager
> o Updated drm(4) to Linux 5.10.65
> o inteldrm(4): better support for Tiger Lake
> o amdgpu(4): support for Navi 12, Navi 21 "Sienna Cichlid", Arcturus
> o amdgpu(4): support for Cezanne "Green Sardine" Ryzen 5000 APU
>
> - VMM/VMD improvements
> o Added a theoretical limit of 512 to the number of allocated vcpus
> in vmm(4).
> o Fixed vmm(4) vcpu locking issues.
> o Added vmd(8) support for variable length vionet rx descriptor
> chains.
> o Prevented stack overflow in vmd(8) due to large DHCP packets on
> local interfaces.
> o Allowed locking of a randomly assigned lladdr in vmd(8).
> o Skipped inspecting non-udp packets on local interfaces for vmd(8).
> o Prevented guest virtio drivers from causing stack and buffer
> overflows in vmd(8).
> o Fixed a race condition in vmm(4) relating to incorrect physical
> cpu tracking.
> o Fixed vmctl(8) client "wait" state corruption in vmd(8) when a
> wait is canceled and restarted, allowing multiple waiting clients.
> o Added protections against guests with bad virtio drivers to vmd(8)
> o Unlocked the kernel in vmm(4) ioctl handlers and introduced vcpu
> locks
>
> - Various new userland features:
> o Imported timeout(1) utility from NetBSD. timeout(1) can be used to
> run commands with a time limit.
> o Added include and exclude options to openrsync(1).
> o Implemented reporting of supplemental groups in ps(1).
> o Added indication of whether an mg(1) function is unsuitable for a
> startup file.
> o Added "dired-jump" command to mg(1) to open a dired buffer
> containing the current buffer's directory location.
>
> - Various bugfixes and tweaks in userland:
> o Modified doas(1) to retry up to 3 times on password authentication
> failure.
> o Made all vi(1) signal handler functions async-signal-safe.
> o Changed diff(1) to consider two files sharing the same inode
> identical.
> o Allowed xenodm(1) login when ~/.Xauthority does not exist.
> o Disabled building all of the non-unicode fonts in Xenocara except
> for ISO8859-1.
> o Altered passwd(1) to use stderr for printer error and
> informational messages. This allows easier parsing of what
> passwd(1) is doing if spawned from a GUI.
> o Fixed iostat(8) per-device values when systat(1) is in boot time
> mode ('b'), not normalizing based on the sleep interval.
> o Made jot(1) -b, -c and -w mutually exclusive.
> o Made cdio(1) discard the current input line when Ctrl-C is used
> during line editing and provide a fresh prompt rather than exiting
> the program.
> o Let el_gets(3) honour the first Ctrl-C typed by the user rather
> than ignoring it.
> o Corrected awk(1) -F null string behavior to ensure -F '' behaves
> consistently with -v FS="".
> o Avoided a potential buffer overflow in backslash escaping in
> awk(1).
> o Disallowed the use of an empty list between "while" and "do" in
> ksh(1).
> o Changed cwm(1) maximization and full-screen mode toggling to keep
> the cursor within the window, preventing focus loss.
> o Made rc(8) quietly attempt an early mount of /var/log in case
> someone has created it as a separate filesystem to avoid /var
> overflow issues.
> o Improved fdisk(8) to retain essential partitions on various
> platforms.
> o Improved fdisk(8) for disks with 4K sectors.
> o Cleaned up the fdisk(8) MBR/GPT initialization code, making -g
> independent of -i, leaving four mutually exclusive initialization
> options (-i, -g, -u and -A) with the last option specified
> executed (allowing the existing -i -g to work as intended).
> o Relaxed criteria for recognizing GPT formatted media, allowing GPT
> disk images added with dd(1) onto larger physical media to be
> recognized by fdisk(8) and the kernel.
> o Added the ability for fdisk(8) to recognize "BIOS Boot", "APFS",
> "APFS ISC", "APFS Recovry" (sic), "HiFive FSBL" and "HiFive BBL"
> GPT partitions.
> o Ensured the values for fdisk(8) -b and -l are treated as 512-byte
> block counts.
> o Added an fdisk(8) -A option to initialize a GPT without removing
> special boot partitions.
> o Made fdisk(8) -b option available to architectures other than
> amd64 and i386 and extended the syntax to allow specification of
> the boot partition type and offset.
> o Adjusted density for partitions on a 4k disk in newfs(8) when
> fragsize and density are not passed on the command line to ensure
> sufficient inodes to hold a src tree on a 2G fs.
> o Fixed disklabel(8) generation on sparc64.
> o Fixed overlap check in disklabel(1) autoalloc code.
> o Corrected various min/max cluster numbers for FAT12/16/32 in
> newfs_msdos(8).
> o Added libexecinfo, a library providing backtrace functions.
> o Updated C library support for character classification to Unicode
> 13.0.
> o Let wcwidth(3) treat all characters in Unicode private use areas
> as single-width, even those in planes 15 and 16.
> o Limited the printf(1) \x escape sequence to two characters.
> o Corrected the output of date(1) -f %s which was wrongly affected
> by the local timezone.
> o Turn printing additional information into toggles for systat(1).
>
> - Improved hardware support and driver bugfixes, including:
> o Added a workaround to amdgpu(4) for machines where the framebuffer
> size reported by the hardware is incorrect.
> o In pchgpio(4), worked around a BIOS bug on Lenovo ThinkPads based
> on Intel's Tiger Lake platform to properly restore the GPIO pin
> used for the touchpad interrupt upon resume.
> o Stopped setting the highspeed bit on bcm2835-sdhci sdhc(4)
> controllers, fixing bwfm(4) wifi on the Raspberry Pi 3 Model B+.
> o Added support for obtaining sense status and source slot of a
> media to chio(1) and ch(4).
> o Fixed dwiic(4) timeouts requesting data from at least one
> touchpad.
> o Added ucc(4), a driver for USB HID Consumer Control keyboards.
> Often used to expose volume, audio and application launch keys.
> Volume keys are handled by the kernel and all other keys are
> propagated to X11 and the console through wscons(4).
> o Set the uhidpp(4) battery level sensor status to unknown while
> charging to handle devices reporting zero during charge,
> preventing certain sensorsd.conf(5) actions from triggering
> inappropriately.
> o Added Tiger Lake LP (INT34C5) support to pchgpio(4).
> o Fixed a panic at shutdown relating to azalia(4) on the X1 Extreme
> Gen 1.
> o Fixed a panic reported in upd(4).
> o Fixed display of incorrect patterns on LUNA's wscons(4) with 1bpp
> framebuffer when backspace is typed.
> o Fixed an attachment problem for dwctwo(4) for certain devices
> issuing NAK interrupts during split transactions.
> o Added AMD 17h/6xh Root Complex to ksmn(4).
> o Ensured the TX FIFO isn't overrun for longer transfers in
> dwiic(4).
> o Added titmp(4), a driver for the TI TMP451 temperature sensor.
> o Ensured a USB mouse will attach if otherwise qualified even if the
> usage report does not include X and Y usages.
> o Attached unsupported video devices to uvideo(4) but not video(1),
> rather than leaving it unmatched.
> o Added a -R flag to usbhidctl(1) to dump the raw report descriptor
> bytes.
> o Added hid_get_report_desc_data() to usbhid(3) to access raw report
> descriptor data.
> o Fixed overflows when reading multiple bytes from AML over an i2c
> bus in acpi(4).
> o Fixed uaudio(4) on certain machines such as the RPI4 by adding a
> pre-DMA-write barrier after data is stored to memory.
> o Worked around x86 machines that advertise the "hardware reduced"
> ACPI feature, advertise S4 and S5 support, but fail to populate
> the SLEEP_CONTROL_REG and SLEEP_STATUS_REG descriptions in the
> FADT. This fixed the ASUS Zenbook 14.
> o Added quirk to enable ThinkPad X1 Extreme 1 speakers and Dolby
> Atmos in azalia(4).
> o Fixed pchgpio(4) issues with dead touchpads after resume.
> o Fixed an mbuf leak in xnf(4).
>
> - New or improved network hardware support:
> o Fixed ix(4) with older amd64 and current riscv64 hardware if MSI
> is not enabled for the device.
> o Added the uaq(4) driver for Aquantia AQC111U/AQC112U USB Ethernet
> devices.
> o Added the aq(4) driver to support Aquantia 1/2.5/5/10Gb/s PCIe
> Ethernet adapters.
> o Synced dwctwo(4) with the NetBSD-current code base, enabling the
> USB on-board Ethernet controller through mue(4), fixing uvideo(4),
> and enabling the two USB uhub3 ports on the Raspberry Pi 3 Model
> B+.
> o Added cad(4), a driver for Cadence GEM.
> o Added Broadcom BCM5725 to brgphy(4).
> o Added support for RTL8168FP/RTL8111FP/RTL8117 to re(4).
> o Fixed ure(4) after a media link change on RTL8153/B devices.
> o Fixed bnxt(4) with a single queue in MSI-X mode.
>
> - Added or improved wireless network drivers:
> o Zeroed out iwx(4) Tx descriptors of frames which are done to
> prevent the device from writing to the former DMA address of a
> buffer which has been taken off the Tx ring.
> o Fixed a bug in iwx(4) Tx done interrupt processing which could
> cause fatal firmware errors under load and memory corruption.
> o Changed iwm(4) and iwx(4) to sleep for 1 second while loading
> firmware to match what iwn(4) does. This fixes some issues with
> suspend/resume.
> o Ensured that iwm(4) and iwx(4) will reload firmware from disk on
> down/up and not during resume.
> o Fixed iwx(4) crystal latency values to match those used by Linux
> iwlwifi.
> o Fixed an off-by-one error in bwfm(4).
> o Changed iwn(4), iwm(4), and iwx(4) devices to hide detailed
> firmware error reports by default.
> o Prevented a loop when bwfm(4) receives an unsolicited association
> status event right after successful association.
> o Fixed a leak with wg(4) keepalive.
> o Switched iwx(4) to -63 firmware images as shipped in
> iwx-firmware-20210512, including fixes addressing fragattacks
> vulnerabilities.
> o Supported the new iwx(4) firmware session protection command,
> required for successful associations with new firmware.
> o Stopped asking iwx(4) to send probe requests on passive channels,
> fixing firmware going unresponsive after association.
> o Fixed an iwx(4) edge case where devices failed to resume after
> system suspend.
> o Switched iwm(4) to newer firmware images available in
> iwm-firmware-20210512. This provides FragAttacks fixes for the
> updated devices.
> o Fixed iwx(4) against access points using TKIP as the group cipher.
> o Prevented athn(4) from calling ieee80211_find_rxnode() on bad
> frames in an attempt to prevent creation of bogus node cache
> entries.
> o Implemented various fixes addressing firmware errors in iwm(4) and
> iwx(4).
> o Fixed node leaks in iwm(4) and iwx(4) which caused the drivers to
> get stuck when roaming between access points.
> o Fixed iwx(4) firmware reloading after a failure to parse the
> firmware file.
> o Avoided "mac clock not ready" panics in iwm(4) and iwx(4).
> o Worked around a problem with certain athn(4) hardware that caused
> problems when running in HostAP mode with clients that use Tx
> aggregation.
> o Corrected multicast decryption for iwx(4).
> o Added 802.11n Tx aggregation support to iwm(4).
> o Made iwn(4), iwm(4) and iwx(4) keep track of beacon parameters at
> run-time.
> o Implemented support for Rx aggregation offload in iwm(4) and
> iwx(4) and re-enabled de-aggregation of A-MSDUs in net80211 for
> all drivers capable of 11n mode.
> o Changed error reporting for bwfm(4) to use the long version of the
> firmware path. This makes it easier to find the correct files to
> add to the bwfm-firmware port.
>
> - IEEE 802.11 wireless stack improvements and bugfixes:
> o Drop fragmented 802.11 frames.
> o Prevent frame injection via forged 802.11n A-MSDUs.
> o Tweaked net80211 RA heuristics to avoid picking Tx rate choices
> that may be too optimistic.
>
> - Generic network stack improvements and bugfixes:
> o Implemented reception of "VLAN 0 priority tagged" packets.
> o Fixed an alignment fault observed on an octeon machine while
> pppoe(4) negotiated a large MTU.
> o Display provider ID for a umb(4) SIM in ifconfig(8).
>
> - Installer and upgrade improvements:
> o Checked the installer's /tmp/i/hostname.* files for a configured
> IP address so that configurations without a broadcast address are
> detected as well.
> o Handled "inet autoconf" in the ramdisk.
> o Introduced a short wait in rc(8) after netstart(8) finishes until
> an IPv4 or IPv6 default route is present before continuing boot.
> Fixed setups depending on working network and DNS resolution
> during early boot when using autoconfiguration (dhcpleased(8) or
> slaacd(8)).
> o Made fdisk(8) always create an EFI SYS partition if the -b option
> is specified when initializing a GPT.
> o Allowed (w)hole disk allocation for GPT disks in arm64, using
> fdisk(8) -A when an Apple APFS ISC partition is detected and fdisk
> -ig otherwise. Created EFI SYS boot partitions only on ROOTDISK
> GPT disks.
> o Added installboot(8) "-p" to prepare by creating a new filesystem
> on the partition reserved for the bootloader on relevant
> architectures.
> o Added GPT support to armv7 installboot(8).
> o Added the Spleen 12x24 and 16x32 font on amd64's RAMDISK_CD and
> RAMDISK kernels.
> o Use installboot(8) on arm64 ramdisks.
> o Enable dhcpleased(8) on ramdisks, and activate resolvd(8),
> replacing dhclient(8).
> o Enable slaacd(8) to configure nameservers on ramdisks.
>
> - Security improvements:
> o Moved objcopy to base set to allow KARL to work on all installs.
> o Added unveil(2) calls to xterm in the case where there are no
> exec-formatted or exec-selected resources set.
> o Changed usage of %n from a syslog warning to syslog and abort for
> printf(3) (and associated variants).
> o Made kernel stop all threads when terminating via pledge_fail().
>
> - Routing daemons and other userland network improvements:
> o The bgpd(8) daemon saw the following changes:
> - Stop processing queued UPDATES when the max-prefix limit was
> reached.
> - Improved negotiation for route refresh, graceful restart and
> multi-protocol capabilities
> - Correctly track 'rde evaluate all' and 'export' settings
> during reload.
> - Properly withdraw prefixes when 'rde evaluate all' is used.
> - Fixed MRT handling on initial startup for message dump types.
> - Fixed and use non-blocking connect for RTR sessions.
> - Fully implemented RFC 6286 by checking for BGP ID collisions.
> - Adjusted the 4-byte AS number handling to RFC 6793 by
> changing error behaviour from prefix withdraw to attribute
> discard.
> - In bgpctl(8) print out both the sent "Neighbor capabilities"
> and the "Negotiated capabilities" for a session.
> - Print timestamps both as a formatted and a pure time in
> seconds field in various JSON objects.
> - Fixed a bug, where during bgpd(8) config reloads prefixes of
> the wrong address family could leak to peers resulting in
> session resets.
> - Added support for RFC 7313 - Enhanced Route Refresh. Disabled
> by default, to enable use 'announce enhanced refresh yes'.
> - Improved output of Adj-RIB-Out by updating nexthop and ASPATH
> before adding the prefix to the RIB. This improves `bgpctl
> show rib out` output.
> - Added command line option to both bgpd(8) and bgpctl(8) to
> show the version.
> - Added support for RFC 9072 - Extended Optional Parameters
> Length for BGP OPEN Message
> - Added support for RFC 8050 - MRT Format with BGP Additional
> Path Extensions
> - Implemented receive side of RFC 7911 - Advertisement of
> Multiple Paths in BGP. OpenBGPD is currently not able to send
> multiple paths out.
> - Improved checks of VRPs loaded via RTR or from the roa-set
> table.
> - Allowed optionally specifying an expiry time for roa-set
> entries to mitigate BGP route decision making based on
> outdated RPKI data. OpenBGPD's companion rpki-client(8)
> produces roa-sets with the new 'expires' property
> o The pf(4) packet filter and its userland utility:
> - Corrected a potential memory leak associated with pfsync(4)
> update requests.
> - Introduced locks around the global pf(4) state list.
> - Fixed a panic due to pfsync(4) deferral timeout handling.
> - Added support for pf(4) divert-to on tpmr(4) and veb(4).
> - Fixed state key reference underflow when both state keys are
> identical in pf(4).
> - Only skipped pf(4) once for packets injected by a
> divert-packet socket, allowing pf to still act later on a
> diverted packet.
> o IPSEC support in the kernel and the iked(8) userland daemon:
> - Zeroed out potential passwords when freeing memory or
> handling parsing errors in iked(8).
> - Added client-side support for DNS configuration to iked(8).
> - Increased iked(8) default data bytes limit for Child SAs to 4
> GB, preventing excessive rekeying and lost data in high
> performance setups.
> - Fixed an iked(8) bug where no flows are added if a single
> address is configured in the config address instead of a
> pool.
> - Fixed a problem in iked(8) where no flows are loaded when a
> single config address without pool is configured.
> - Added an experimental post-quantum hybrid key exchange method
> based on Streamlined NTRU Prime (coupled with X25519) to
> iked(8) as sntrup761x25519.
> - Fixed races which were slowing ipsec(4) throughput.
> - Fixed ipsec(4) NAT-T to work with pipex(4).
> o rpki-client(8) received the following new features and bugfixes:
> - Added keep-alive support to the HTTP client code for RRDP.
> - Reference-count and delete unused files synced via RRDP, as
> far as possible.
> - In the JSON output, changed the AS Number from a string
> ("AS123") to an integer ("123") to make processing of the
> output easier.
> - Added an 'expires' column to CSV & JSON output, based on
> certificate and CRL validity times. The 'expires' value can
> be used to avoid route selection based on stale data when
> generating VRP sets, when faced with loss of communication
> between consumer and validator, or validator and CA
> repository.
> - Made the runtime timeout (-s option) also trigger in child
> processes.
> - Improved RRDP support and make RRDP the default protocol for
> synchronizing the RPKI repository data, with openrsync(1)
> used as secondary.
> - At startup, warn if the filesystem containing the cache
> directory is probably too small.
> - Handle running out of disk space more gracefully, including
> cleanup of temporary and old files before exiting.
> - Improved the HTTP/1.1 request headers being sent.
> - Improved validation checks for ROA and MFT objects.
> - Improved the HTTP client code (status code handling, http
> proxy support, keep-alive).
> - In RRDP, do not access URI with userinfo (@-sign)
> - Improved RRDP syncing by considering a notification file
> serial jumping backwards as synced repository.
> - Made -R (rsync only) also apply to the fetching of TA files.
> - Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude
> all others.
> - When producing output for bgpd(8), make use of the 'roa-set
> expires' attribute to prevent machines from loading outdated
> roa-sets.
> - In RRDP, limited the number of deltas to 300 per repo. If
> more deltas exist, downloading a full snapshot is faster.
> - Limited the validation depth of X.509 certificate chains to
> 12, double the current depth seen in RPKI.
> o traceroute(8) was improved:
> - Probe packets are now sent in quick succession and responses
> handled asynchronously.
> - DNS lookups are performed asynchronously. This speeds up the
> time required to display results considerably.
> o dhcpleased(8) was made the default program for configuring IPv4
> addresses via DHCP. resolvd(8) was activated to handle concurrent
> changes to resolv.conf(5) by both dhcpleased(8) and slaacd(8).
> Additionally these programs saw the following improvements and
> bugfixes:
> - Changed dhcpleased(8) client identifier transmission to match
> other DHCP client implementations.
> - Simplified dhcpleasectl(8) and added syntax to match
> dhclient(8) (interface), allowing one to be aliased to the
> other.
> - Retried broadcast with dhcpleased(8) when the DHCP server is
> unreachable via unicast UDP.
> - Made resolvd(8) accept DNS proposals for the loopback
> addresses.
> - Added to dhcpleased.conf(5) the ability to ignore routes or
> nameservers from a lease and to ignore servers entirely.
> - Made dhclient(8) defer to dhcpleased(8) when the inet
> autoconf flag is set. When run, dhclient will signal
> dhcpleased to request a new lease rather than requesting one
> itself.
> - Fixed potential races in slaacd(8) and dhcpleased(8) when two
> processes are configuring the same IP.
> - Added the possibility to send vendor class identifier and
> client identifier using dhcpleased.conf(5).
> - Made dhcpleased(8) always configure provided routes,
> regardless of whether the address received in the lease is
> already configured.
> - Used exclusive locks under /dev/ to ensure single instances
> of resolvd(8), slaacd(8) and dhcpleased(8).
> - Implemented classless static routes DHCP option in
> dhcpleased(8).
> - Added a new "nameserver" command to route(8), sending
> nameserver proposals to resolvd(8) using the DNS proposal
> protocol over the route socket. This command is intended to be
> used to integrate userland triggered nameserver changes, for
> example by VPN software.
> o Changes to snmp related tools:
> - Disable SNMPv1 and SNMPv2c by default in snmpd(8).
> - Remove default communities from snmpd(8).
> - Switched default seclevel to enc for snmpd(8).
> - Changed the default snmp(1) version to -v3 and removed the
> default community.
> - Switched default snmp(1) auth to hmac-sha1.
> - Switched default snmp(1) and snmpd(8) privacy protocol to
> AES.
> - Added the ability for snmpd(8) to send SNMPv3 traps.
> - Allowed "any" to be used as a listen on address in
> snmpd.conf(5).
> - Allowed setting of the engineid in snmpd(8).
> o Other userland network changes:
> - Fixed acme-client(1) SAN generation for CSRs.
> - Added pledge(2) for ftpd(8) user processes.
> - Allowed router solicitations from the unspecified address
> (::) in rad(8).
> - Altered slowcgi(8) so it no longer sends debug logging to
> syslog unless debug logging is requested via the new -v flag.
> - Prevented httpd(8) from trying to chunk encode an empty http
> body coming from an fcgi upstream.
> - Used relative reference URIs in Location header on directory
> redirects in httpd(8), adding support for front-ending httpd
> with a TLS-terminating gateway that forwards unencrypted http
> traffic.
> - Prevented a crash on strict alignment architectures of
> tcpdump(8) WireGuard printer.
> - Made tcpdump(8) split the 802.11 sequence number field into
> its sequence number and fragment number components rather
> than printing the whole field in decimal.
> - Added simple BGP enhanced route refresh message decoding to
> tcpdump(8).
>
> - tmux(1) improvements and bug fixes:
> o Added a -B flag to tmux(1) to remove borders from popups and added
> a menu to popups as well as options to convert a popup into a
> pane.
> o Added pipe variants of the tmux(1) line copy commands.
> o Added basic support for zero width joiners to tmux(1).
> o Added client focus hooks to tmux(1).
> o Made window-linked and window-unlinked window options in tmux(1).
> o Added -F for tmux(1) command-prompt and used it to fix "Rename" on
> the window menu.
> o Added different tmux(1) command histories for different types of
> prompts.
> o Fixed tmux(1) problems with xterm in VT340 mode.
> o Added an "always" value to the extended-keys option to always
> forward those keys to applications inside tmux(1).
>
> - OpenSMTPD 7.0.0
> o Fixed incorrect status code for expired mails resulting in a
> misleading bounce report in smtpd(8).
> o Added TLS options cafile=(path), nosni, noverify and
> servername=(name) to smtp(1).
> o Allowed specification of TLS ciphers and protocols in smtp(1).
>
> - LibreSSL 3.4.1
> o New Features
> - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
> - Enabled the new X.509 validator to allow verification of
> modern certificate chains.
> o Portable Improvements
> - Ported continuous integration and test infrastructure to
> Github actions.
> - Added Universal Windows Platform (UWP) build support.
> - Fixed mingw-w64 builds on newer versions with missing SSP
> support.
> - Added non-executable stack annotations for CMake builds.
> o API and Documentation Enhancements
> - Added the following APIs from OpenSSL
> BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
> EC_GROUP_order_bits EC_GROUP_set_curve
> EC_POINT_get_affine_coordinates
> EC_POINT_set_affine_coordinates
> EC_POINT_set_compressed_coordinates EVP_DigestSign
> EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
> SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
> SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
> SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
> SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
> SSL_SESSION_set_max_early_data SSL_get_early_data_status
> SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
> SSL_set_ciphersuites SSL_set_max_early_data
> SSL_set_post_handshake_auth
> SSL_set_psk_use_session_callback
> SSL_verify_client_post_handshake SSL_write_early_data
> - Added AES-GCM constants from RFC 7714 for SRTP.
> o Compatibility Changes
> - Implement flushing for TLSv1.3 handshakes behavior, needed
> for Apache.
> - Call the info callback on connect/accept exit in TLSv1.3,
> needed for p5-Net-SSLeay.
> - Default to using named curve parameter encoding from
> pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
> - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
> o Testing and Proactive Security
> - Added additional state machine test coverage.
> - Improved integration test support with ruby/openssl tests.
> - Error codes and callback support in new X.509 validator made
> compatible with p5-Net-SSLeay tests.
> o Internal Improvements
> - Numerous fixes and improvements to the new X.509 validator to
> ensure compatible error codes and callback support compatible
> with the legacy OpenSSL validator.
>
> - OpenSSH 8.8
> o Security
> - sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When
> this option was enabled with a set of patterns that activated
> logging in code that runs in the low-privilege sandboxed sshd
> process, the log messages were constructed in such a way that
> printf(3) format strings could effectively be specified by the
> low-privilege code.
> - sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly
> initialise supplemental groups when executing an
> AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
> AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> directive has been set to run the command as a different
> user.
> o Potentially incompatible changes
> - A near-future release of OpenSSH will switch scp(1) from
> using the legacy scp/rcp protocol to using SFTP by default.
> - This release disables RSA signatures using the SHA-1 hash
> algorithm by default.
> - scp(1): this release changes the behaviour of remote to
> remote copies (e.g. "scp host-a:/path host-b:") to transfer
> through the local host by default. This was previously
> available via the -3 flag. This mode avoids the need to
> expose credentials on the origin hop, avoids triplicate
> interpretation of filenames by the shell (by the local
> system, the copy origin and the destination) and, in
> conjunction with the SFTP support for scp(1) mentioned below,
> allows use of all authentication methods to the remote hosts
> (previously, only non-interactive methods could be used). A
> -R flag has been added to select the old behaviour.
> - ssh(1)/sshd(8): both the client and server are now using a
> stricter configuration file parser. The new parser uses more
> shell-like rules for quotes, space and escape characters. It
> is also more strict in rejecting configurations that include
> options lacking arguments. Previously some options (e.g.
> DenyUsers) could appear on a line with no subsequent
> arguments. This release will reject such configurations. The
> new parser will also reject configurations with unterminated
> quotes and multiple '=' characters after the option name.
> - ssh(1): when using SSHFP DNS records for host key
> verification, ssh(1) will verify all matching records instead
> of just those with the specific signature type requested.
> This may cause host key verification problems if stale SSHFP
> records of a different or legacy signature type exist
> alongside other records for a particular host.
> - ssh-keygen(1): when generating a FIDO key and specifying an
> explicit attestation challenge (using -Ochallenge), the
> challenge will now be hashed by the builtin security key
> middleware. This removes the (undocumented) requirement that
> challenges be exactly 32 bytes in length and matches the
> expectations of libfido2.
> - sshd(8): environment="..." directives in authorized_keys
> files are now first-match-wins and limited to 1024 discrete
> environment variable names.
> o New features
> - scp(1): experimental support for transfers using the SFTP
> protocol as a replacement for the venerable SCP/RCP protocol
> that it has traditionally used. SFTP offers more predictable
> filename handling and does not require expansion of glob(3)
> patterns via the shell on the remote side.
> - sftp-server(8): add a protocol extension to support expansion
> of ~/ and ~user/ prefixed paths. This was added to support
> these paths when used by scp(1) while in SFTP mode.
> - ssh(1): add a ForkAfterAuthentication ssh_config(5)
> counterpart to the ssh(1) -f flag.
> - ssh(1): add a StdinNull directive to ssh_config(5) that
> allows the config file to do the same thing as -n does on the
> ssh(1) command-line.
> - ssh(1): add a SessionType directive to ssh_config, allowing
> the configuration file to offer equivalent control to the -N
> (no session) and -s (subsystem) command-line flags.
> - ssh-keygen(1): allowed signers files used by ssh-keygen(1)
> signatures now support listing key validity intervals
> alongside the key, and ssh-keygen(1) can optionally check
> during signature verification whether a specified time falls
> inside this interval. This feature is intended for use by git
> to support signing and verifying objects using ssh keys.
> - ssh-keygen(8): support printing of the full public key in a
> sshsig signature via a -Oprint-pubkey flag.
> - ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
> directive to accept a "none" argument to specify the default
> behaviour.
> o Bugfixes
> - ssh(1)/sshd(8): start time-based re-keying exactly on
> schedule in the client and server mainloops. Previously the
> re-key timeout could expire but re-keying would not start
> until a packet was sent or received, causing a spin in
> select() if the connection was quiescent.
> - ssh-keygen(1): avoid Y2038 problem in printing certificate
> validity lifetimes. Dates past 2^31-1 seconds since epoch
> were displayed incorrectly on some platforms.
> - scp(1): allow spaces to appear in usernames for local to
> remote and scp -3 remote to remote copies.
> - ssh(1)/sshd(8): remove references to
> ChallengeResponseAuthentication in favour of
> KbdInteractiveAuthentication. The former is what was in
> SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
> treated as somewhat but not entirely equivalent. We retain
> the old name as a deprecated alias so configuration files
> continue to work as well as a reference in the man page for
> people looking for it.
> - ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509
> subject name when extracting a key from a PKCS#11
> certificate.
> - ssh(1): restore blocking status on stdio fds before close.
> ssh(1) needs file descriptors in non-blocking mode to operate
> but it was not restoring the original state on exit. This
> could cause problems with fds shared with other programs via
> the shell.
> - ssh(1)/sshd(8): switch both client and server mainloops from
> select(3) to pselect(3). Avoids race conditions where a
> signal may arrive immediately before select(3) and not be
> processed until an event fires.
> - ssh(1): sessions started with ControlPersist were incorrectly
> executing a shell when the -N (no shell) option was
> specified.
> - ssh(1): check if IPQoS or TunnelDevice are already set before
> overriding. Prevents values in config files from overriding
> values supplied on the command line.
> - ssh(1): fix debug message when finding a private key to match
> a certificate being attempted for user authentication.
> Previously it would print the certificate's path, whereas it
> was supposed to be showing the private key's path.
> - sshd(8): match host certificates against host public keys,
> not private keys. Allows use of certificates with private
> keys held in a ssh-agent.
> - ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8),
> which allows RSA/SHA2 signatures for public key
> authentication but fails to advertise this correctly via
> SSH2_MSG_EXT_INFO. This causes clients of these servers to
> incorrectly match PubkeyAcceptedAlgorithms and potentially
> refuse to offer valid keys.
> - sftp(1)/scp(1): degrade gracefully if a sftp-server offers
> the limits@openssh.com extension but fails when the client
> tries to invoke it.
> - ssh(1): allow ssh_config SetEnv to override $TERM, which is
> otherwise handled specially by the protocol. Useful in
> ~/.ssh/config to set TERM to something generic (e.g. "xterm"
> instead of "xterm-256color") for destinations that lack
> terminfo entries.
> - sftp-server(8): the limits@openssh.com extension was
> incorrectly marked as an operation that writes to the
> filesystem, which made it unavailable in sftp-server
> read-only mode.
> - ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered
> when the update removed more host keys than remain present.
> - scp(1): when using the SFTP protocol, continue transferring
> files after a transfer error occurs, better matching original
> scp/rcp behaviour.
> - ssh(1): fixed a number of memory leaks in multiplexing.
> - ssh-keygen(1): avoid crash when using the -Y find-principals
> command.
> - A number of documentation and manual improvements.
>
> - mandoc 1.14.6
> o Added a style message about overlong text input lines.
> o Made "-W style" check .Xr links along the full manpath to help
> validation of non-base manual pages.
> o Supported auto-tagging for ".It Va" in mdoc(7) documents.
> o Stopped printing two extra blank lines at the top and bottom of
> man(7) documents.
> o Supported the CB and CI fonts in roff(7) \f font escapes and .ft
> font requests.
> o Added support for two-character font names (BI, CW, CR, CB, CI) to
> the tbl(7) layout font modifier.
> o Implemented the tbl(7) layout modifiers "b" (bold) and "i"
> (italic) in HTML output mode.
> o Completed support for the "nospaces" option in the tbl(7) parser.
> o Fixed an infinite loop in the tbl(7) parser for some cases of
> horizontally overlapping horizontal spans.
> o Added a meta viewport element to "-T html" output.
> o Fixed a crash with "-T man" when an input file contains tbl(7) or
> eqn(7) input.
> o Fixed a crash in makewhatis(8) when a manpath directory contains a
> symbolic link that points to a directory.
>
> - Ports and packages:
> o Pre-built packages are available for the following architectures on
> the day of release:
> - aarch64 (arm64): 11034
> - amd64: 11325
> - i386: 10248
> - mips64: 9311
> - powerpc64: 9273
> - sparc64: 9636
> o Packages for the following architectures will be made available as
> their builds complete:
> - arm
> - mips64el
> - powerpc
>
> - Some highlights:
>
> o Asterisk 18.6.0
> o Audacity 2.4.2
> o CMake 3.20.3
> o Chromium 93.0.4577.82
> o Emacs 27.2
> o FFmpeg 4.4
> o GCC 8.4.0 and 11.2.0
> o GHC 8.10.6
> o GNOME 40.4
> o Go 1.17
> o JDK 8u302, 11.0.12 and 16.0.2
> o KDE Applications 21.08.1
> o KDE Frameworks 5.85.0
> o Krita 4.4.8
> o LLVM/Clang 11.1.0
> o LibreOffice 7.2.1.2
> o Lua 5.1.5, 5.2.4 and 5.3.6
> o MariaDB 10.6.4
> o Mono 6.12.0.122
> o Mozilla Firefox 92.0 and ESR 91.1.0
> o Mozilla Thunderbird 91.1.1
> o Mutt 2.1.3 and NeoMutt 20210205
> o Node.js 12.22.6
> o OCaml 4.10.0
> o OpenLDAP 2.4.59
> o PHP 7.3.30, 7.4.23 and 8.0.10
> o Postfix 3.5.12
> o PostgreSQL 13.4
> o Python 2.7.18, 3.8.12 and 3.9.7
> o Qt 5.15.2 and 6.0.4
> o R 4.1.1
> o Ruby 2.6.8, 2.7.4 and 3.0.2
> o Rust 1.55.0
> o SQLite 3.35.5
> o Shotcut 21.01.29
> o Sudo 1.9.7p2
> o Suricata 6.0.2
> o Tcl/Tk 8.5.19 and 8.6.8
> o TeX Live 2020
> o Vim 8.2.3394 and Neovim 0.5.0
> o Xfce 4.16
>
> - As usual, steady improvements in manual pages and other documentation.
>
> - The system includes the following major components from outside suppliers:
> o Xenocara (based on X.Org 7.7 with xserver 1.20.13 + patches,
> freetype 2.10.4, fontconfig 2.12.4, Mesa 21.1.8, xterm 367,
> xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
> o LLVM/Clang 11.1.0 (+ patches)
> o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
> o Perl 5.32.1 (+ patches)
> o NSD 4.3.7
> o Unbound 1.13.2
> o Ncurses 5.7
> o Binutils 2.17 (+ patches)
> o Gdb 6.3 (+ patches)
> o Awk December 18, 2020 version
> o Expat 2.4.1
>
> ------------------------------------------------------------------------
> - SECURITY AND ERRATA --------------------------------------------------
>
> We provide patches for known security threats and other important
> issues discovered after each release. Our continued research into
> security means we will find new security problems -- and we always
> provide patches as soon as possible. Therefore, we advise regular
> visits to
>
> https://www.OpenBSD.org/security.html
> and
> https://www.OpenBSD.org/errata.html
>
> ------------------------------------------------------------------------
> - MAILING LISTS AND FAQ ------------------------------------------------
>
> Mailing lists are an important means of communication among users and
> developers of OpenBSD. For information on OpenBSD mailing lists, please
> see:
>
> https://www.OpenBSD.org/mail.html
>
> You are also encouraged to read the Frequently Asked Questions (FAQ) at:
>
> https://www.OpenBSD.org/faq/
>
> ------------------------------------------------------------------------
> - DONATIONS ------------------------------------------------------------
>
> The OpenBSD Project is a volunteer-driven software group funded by
> donations. Besides OpenBSD itself, we also develop important software
> like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
> filter, the quality work of our ports development process, and many
> others. This ecosystem is all handled under the same funding umbrella.
>
> We hope our quality software will result in contributions that maintain
> our build/development infrastructure, pay our electrical/internet costs,
> and allow us to continue operating very productive developer hackathon
> events.
>
> All of our developers strongly urge you to donate and support our future
> efforts. Donations to the project are highly appreciated, and are
> described in more detail at:
>
> https://www.OpenBSD.org/donations.html
>
> ------------------------------------------------------------------------
> - OPENBSD FOUNDATION ---------------------------------------------------
>
> For those unable to make their contributions as straightforward gifts,
> the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
> not-for-profit corporation that can accept larger contributions and
> issue receipts. In some situations, their receipt may qualify as a
> business expense write-off, so this is certainly a consideration for
> some organizations or businesses.
>
> There may also be exposure benefits since the Foundation may be
> interested in participating in press releases. In turn, the Foundation
> then uses these contributions to assist OpenBSD's infrastructure needs.
> Contact the foundation directors at directors@openbsdfoundation.org for
> more information.
>
> ------------------------------------------------------------------------
> - RELEASE SONG ---------------------------------------------------------
>
> OpenBSD 7.0 comes with the song "The Style Hymn". Lyrics (and an
> explanation) of the song may be found at:
>
> https://www.OpenBSD.org/lyrics.html#70
>
> ------------------------------------------------------------------------
> - HTTPS INSTALLS -------------------------------------------------------
>
> OpenBSD can be easily installed via HTTPS downloads. Typically you need
> a single small piece of boot media (e.g., a USB flash drive) and then
> the rest of the files can be installed from a number of locations,
> including directly off the Internet. Follow this simple set of
> instructions to ensure that you find all of the documentation you will
> need while performing an install via HTTPS.
>
> 1) Read either of the following two files for a list of HTTPS mirrors
> which provide OpenBSD, then choose one near you:
>
> https://www.OpenBSD.org/ftp.html
> https://ftp.openbsd.org/pub/OpenBSD/ftplist
>
> As of October 14, 2021, the following HTTPS mirror sites have the
> 7.0 release:
>
> https://cdn.openbsd.org/pub/OpenBSD/7.0/ Global
> https://ftp.eu.openbsd.org/pub/OpenBSD/7.0/ Stockholm, Sweden
> https://ftp.hostserver.de/pub/OpenBSD/7.0/ Frankfurt, Germany
> https://ftp.bytemine.net/pub/OpenBSD/7.0/ Oldenburg, Germany
> https://ftp.fr.openbsd.org/pub/OpenBSD/7.0/ Paris, France
> https://mirror.aarnet.edu.au/pub/OpenBSD/7.0/ Brisbane, Australia
> https://ftp.usa.openbsd.org/pub/OpenBSD/7.0/ CO, USA
> https://ftp5.usa.openbsd.org/pub/OpenBSD/7.0/ CA, USA
> https://mirror.esc7.net/pub/OpenBSD/7.0/ TX, USA
> https://openbsd.cs.toronto.edu/pub/OpenBSD/7.0/ Toronto, Canada
> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.0/ Global
> https://fastly.cdn.openbsd.org/pub/OpenBSD/7.0/ Global
>
> The release is also available at the master site:
>
> https://ftp.openbsd.org/pub/OpenBSD/7.0/ Alberta, Canada
>
> However it is strongly suggested you use a mirror.
>
> Other mirror sites may take a day or two to update.
>
> 2) Connect to that HTTPS mirror site and go into the directory
> pub/OpenBSD/7.0/ which contains these files and directories.
> This is a list of what you will see:
>
> ANNOUNCEMENT armv7/ octeon/ root.mail
> README hppa/ openbsd-70-base.pub sparc64/
> SHA256 i386/ packages/ src.tar.gz
> SHA256.sig landisk/ packages-stable/ sys.tar.gz
> alpha/ loongson/ ports.tar.gz xenocara.tar.gz
> amd64/ luna88k/ powerpc64/
> arm64/ macppc/ riscv64/
>
> It is quite likely that you will want at LEAST the following
> files which apply to all the architectures OpenBSD supports.
>
> README - generic README
> root.mail - a copy of root's mail at initial login.
> (This is really worthwhile reading).
>
> 3) Read the README file. It is short, and a quick read will make
> sure you understand what else you need to fetch.
>
> 4) Next, go into the directory that applies to your architecture,
> for example, amd64. This is a list of what you will see:
>
> BOOTIA32.EFI* bsd* floppy70.img pxeboot*
> BOOTX64.EFI* bsd.mp* game70.tgz xbase70.tgz
> BUILDINFO bsd.rd* index.txt xfont70.tgz
> INSTALL.amd64 cd70.iso install70.img xserv70.tgz
> SHA256 cdboot* install70.iso xshare70.tgz
> SHA256.sig cdbr* man70.tgz
> base70.tgz comp70.tgz miniroot70.img
>
> If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
> and install70.iso. The install70.iso file (roughly 697MB in size)
> is a one-step ISO-format install CD image which contains the various
> *.tgz files so you do not need to fetch them separately.
>
> If you prefer to use a USB flash drive, fetch install70.img and
> follow the instructions in INSTALL.amd64.
>
> 5) If you are an expert, follow the instructions in the file called
> README; otherwise, use the more complete instructions in the
> file called INSTALL.amd64. INSTALL.amd64 may tell you that you
> need to fetch other files.
>
> 6) Just in case, take a peek at:
>
> https://www.OpenBSD.org/errata.html
>
> This is the page where we talk about the mistakes we made while
> creating the 7.0 release, or the significant bugs we fixed
> post-release which we think our users should have fixes for.
> Patches and workarounds are clearly described there.
>
> ------------------------------------------------------------------------
> - X.ORG FOR MOST ARCHITECTURES -----------------------------------------
>
> X.Org has been integrated more closely into the system. This release
> contains X.Org 7.7. Most of our architectures ship with X.Org, including
> amd64, sparc64 and macppc. During installation, you can install X.Org
> quite easily using xenodm(1), our simplified X11 display manager forked
> from xdm(1).
>
> ------------------------------------------------------------------------
> - PACKAGES AND PORTS ---------------------------------------------------
>
> Many third party software applications have been ported to OpenBSD and
> can be installed as pre-compiled binary packages on the various OpenBSD
> architectures. Please see https://www.openbsd.org/faq/faq15.html for
> more information on working with packages and ports.
>
> Note: a few popular ports, e.g., NSD, Unbound, and several X
> applications, come standard with OpenBSD and do not need to be installed
> separately.
>
> ------------------------------------------------------------------------
> - SYSTEM SOURCE CODE ---------------------------------------------------
>
> The source code for all four subsystems can be found in the
> pub/OpenBSD/7.0/ directory:
>
> xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
>
> The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.0/README) file
> explains how to deal with these source files.
>
> ------------------------------------------------------------------------
> - THANKS ---------------------------------------------------------------
>
> Ports tree and package building by Jasper Lievisse Adriaanse,
> Pierre-Emmanuel Andre, Jeremie Courreges-Anglas, Visa Hankala,
> Stuart Henderson, Peter Hessler, Kurt Mosiejczuk, Christian Weisgerber,
> and Charlene Wendling. Base and X system builds by Kenji Aoyama and
> Theo de Raadt. Release art contributed by Natasha Allegri.
>
> We would like to thank all of the people who sent in bug reports, bug
> fixes, donation cheques, and hardware that we use. We would also like
> to thank those who bought our previous CD sets. Those who did not
> support us financially have still helped us with our goal of improving
> the quality of the software.
>
> Our developers are:
>
> Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
> Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
> Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
> Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
> Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
> Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
> Carlos Cardenas, Charlene Wendling, Charles Longeau,
> Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
> Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
> Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa,
> David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett,
> Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm,
> Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias,
> Gilles Chehade, Giovanni Bechis, Gleydson Soares,
> Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
> Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
> Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
> Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
> Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
> Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein,
> Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
> Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
> Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
> Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
> Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
> Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson,
> Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
> Mike Belopuhov, Mike Larkin, Moritz Buhl, Nam Nguyen,
> Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
> Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
> Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
> Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
> Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
> Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
> Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
> Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
> Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
> Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
> T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
> Thomas Frohwein, Tim van der Molen, Tobias Heider,
> Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
> Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
> Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
> Yojiro Uo
>
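
The quoted OpenSSH 8.8 notes say the stricter ssh(1)/sshd(8) configuration parser rejects options lacking arguments, unterminated quotes and multiple '=' characters after the option name. The following is an added example, not part of the announcement or of OpenSSH: a pre-upgrade lint in Python that approximates those three checks. The sample config, the function names and the exact quoting rules are assumptions; `sshd -t` on the upgraded host remains the authoritative test.

```python
import re

# Constructed sample sshd_config (not taken from the announcement).
SAMPLE = '''\
# constructed sample
Port 22
DenyUsers
Banner "/etc/issue
PermitRootLogin == no
AllowUsers "deploy bot" alice
PasswordAuthentication=no
'''

# Keyword, then a separator run of blanks and '=' characters, then the arguments.
KEYWORD = re.compile(r'^\s*([A-Za-z][A-Za-z0-9]*)([\s=]*)(.*)$')


def tokenize(text):
    """Split arguments on blanks with shell-like '...' / "..." quoting and
    backslash escapes (an approximation, assumed for this example).
    Returns (tokens, error) where error is None or 'unterminated quote'."""
    tokens, cur, quote, in_word, i = [], [], None, False, 0
    while i < len(text):
        c = text[i]
        if quote:
            if c == '\\' and i + 1 < len(text) and text[i + 1] in (quote, '\\'):
                i += 1
                cur.append(text[i])       # escaped quote or backslash
            elif c == quote:
                quote = None              # closing quote
            else:
                cur.append(c)
        elif c in '"\'':
            quote, in_word = c, True      # opening quote starts a word
        elif c in ' \t':
            if in_word:
                tokens.append(''.join(cur))
                cur, in_word = [], False
        else:
            if c == '\\' and i + 1 < len(text):
                i += 1
                c = text[i]               # unquoted escape
            cur.append(c)
            in_word = True
        i += 1
    if quote:
        return tokens, 'unterminated quote'
    if in_word:
        tokens.append(''.join(cur))
    return tokens, None


def lint(config_text):
    """Return [(line_number, message)] for lines hitting one of the three
    rejection rules named in the release notes. Only whole-line comments
    are skipped; Match/Include semantics are not evaluated."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = KEYWORD.match(line)
        if not m:
            findings.append((n, 'cannot parse keyword'))
            continue
        keyword, sep, rest = m.groups()
        if sep.count('=') > 1:
            findings.append((n, "multiple '=' after %s" % keyword))
            continue
        args, err = tokenize(rest)
        if err:
            findings.append((n, '%s: %s' % (keyword, err)))
        elif not args:
            findings.append((n, '%s has no argument' % keyword))
    return findings


if __name__ == '__main__':
    for lineno, msg in lint(SAMPLE):
        print('line %d: %s' % (lineno, msg))
```

Running it against a copy of the existing configuration before the upgrade lists the lines to fix; an empty result does not guarantee the real parser accepts the file.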
