OpenBSD 6.6 release, Oct 17, 2019
17 October, 2019 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------ - OpenBSD 6.6 RELEASED ------------------------------------------------- October 17, 2019. We are pleased to announce the official release of OpenBSD 6.6. This is our 47th release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 6.6 provides significant improvements, including new features, in nearly all areas of the system: - General improvements and bugfixes: o Fixed support for amd64 machines with greater than 1023GB physical memory. o drm(4) updates. o The octeon platform is now using clang(1) as the base system compiler. o The powerpc architecture is now provided with clang(1), in addition to aarch64, amd64, armv7, i386, mips64el, sparc64. o Disabled gcc in base on armv7 and i386. o Prevented dhclient(8) from repeatedly obtaining a new lease when the mtu is given in a lease. o Prevented more than one thread from opening a wscons(4) device in read/write mode. o Allowed non-root users to become owner of the drm(4) device when they are the first to open it. o Added regular expression support for the format search, match and substitute modifiers in tmux(1). o Added a -v flag to source-file in tmux(1) to show the commands and line numbers. o Added simple menus usable with mouse or keyboard in tmux(1). Introduced the command "display-menu" to show a menu bound to the mouse on status line by default, and added menus in tree, client and buffer modes. o Changed the behavior of swap-window -d in tmux(1) to match swap-pane. o Allow panes to be empty in tmux(1), and enabling output to be piped to them with split-window or display-message -I. o Adjusted tmux(1) to automatically scroll when dragging to create a selection with the mouse when the cursor reaches the top or bottom line. o Fixed a tmux(1) crash when killing the current window, and other bugfixes. - SMP-Improvements, System call unlocking: o Unlocked getrlimit(2) and setrlimit(2) syscalls. o Unlocked read(2) and write(2) syscalls. o Removed the KERNEL_LOCK from the bridge(4) output fast-path. o Made resource limit access MP-safe. o Made file(9) offset access MP-safe. - Improved hardware support, including: o Implemented Linux compatible acpi(4) interfaces and enabled the ACPI support code in radeon(4) and amdgpu(4). o Implemented backlight control for amdgpu(4), allowing setting of the backlight using wsconsctl(8). o Both sets of speakers work by default on the ThinkPad X1C7. o Added amdgpu(4), an AMD Radeon GPU video driver. o Added TSC synchronization for multiprocessor machines and re-enabled TSC as the default amd64 time source. o Added support for Realtek ALC285 in azalia(4). o Added uvideo(4) support for the KSMedia 8-bit IR format and for dual functions on integrated USB cameras. o Added the aplgpio(4) driver for the GPIO controllers on Intel's Apollo Lake SoC. o Implemented MSI-X support on sparc64. o Skipped PCI host bridges and devices not present with acpi(1) when establishing the mapping between ACPI device nodes and PCI devices. o Added the ukspan(4) driver for the Keyspan USA19HS USB serial adapter. o Improved support for SAS3 controllers, made device enumeration during boot more reliable, and enabled 64bit DMA for io in mpii(4). o Fixed MSI/MSI-X on arm64 machines with agintc(4). o Added MSI-X support in acpipci(4), pciecam, dwpcie(4) and rkpcie(4). o Improved support for type4 devices in the ubcmtp(4) multi-touch trackpad driver. o Support for virtio(4) 1.0 specification for PCI devices. o Improved support for the AR9271 chipset in athn(4) . o Repaired support for athn(4) 9280 1T2R devices (broken since OpenBSD 6.5). o Added support for the trackpad and trackpoint of the Dell Precision 7520 laptop. o Added the Colemak keyboard layout. o New fusbtc(4) driver for the Fairchild FUSB302 USB Type-C controller. o Added a fallback to ehci(4) which enables the USB ports on the RockPro64. o Added support for more Intel 300 Series PCH devices to ichiic(4). o Added mcx(4) driver for Mellanox ConnectX-4 (and later) Ethernet controllers. o Added support for the cryptographic coprocessor found on newer AMD Ryzen CPUs/APUs. o Improved the envy(4) codec API and used it on ESI Juli@ cards. o Enabled EnvyHT-specific sample rates (above 96kHz) on the host controller for envy(4) devices. o Added support for the USB serial adapter found in Juniper SRX 300 to uslcom(4). o Updated shared drm code, inteldrm(4) and radeondrm(4) to linux 4.19.78. This adds support for Intel Broxton/Apollo Lake, Amber Lake, Gemini Lake, Coffee Lake, Whiskey Lake, and Comet Lake hardware. o Made startx(1) and xinit(1) work again on modern systems using inteldrm(4), radeondrm(4) and amdgpu(4). o Added mcprtc(4), a driver for the Microchip MCP79400 RTC and similar. o Added I2C clock gates to mvclock(4). o Added support for MSI-X to bnxt(4). o Added octpip(4), a driver for the Octeon packet input processing unit. o Added the octiic(4) driver for OCTEON two-wire serial interfaces. o Enabled nvme(4) on octeon. o Added octpcie(4), a driver for the PCIe controller found on OCTEON II and OCTEON III. o Fixed random kernel hangs on some sparc64 machines by blocking interrupts while sending an IPI on sunv4 (as on sun4u). o ure(4) now supports RTL8153B devices, adding support for Ethernet on Lenovo USB-C docks. o Added new ksmn(4) driver for temperature sensor on AMD Family 17h CPUs. o Explicitly disable BCM4331 wifi chips present in 2011-2012 Apple Mac systems. Fixes an interrupt storm that consumes about 50% of CPU0 on affected machines. - Improved arm64 hardware support, including: o Added support for Ampere eMAG CPU based systems. o Added support to amlclock(4) for obtaining CPU clock frequency. o Enabled amlmmc(4), a driver for the SD/MMC controller found on various Amlogic SoCs. o Implemented setting the CPU clock for Allwinner A64 SoCs in sxiccmu(4). o Added amldwusb(4), amlusbphy(4) and amlpciephy(4), drivers for the USB controller and PHYs on the Amlogic G12A/B SoCs. o Added imxtmu(4), a driver to support the temperature sensors on i.MX8M SoCs. o Added amlrng(4), a simple random number generator driver for Amlogic SoCs. o Added amclock(4), a driver for the Amlogic SoC clocks. o Added amluart(4), a driver for the UARTs found on various Amlogic SoCs. o Added support for the SMBus System Interfaces (SSIF) to ipmi(4). o PXE booting using U-Boot works now. o Added clock support to sxisyscon(4), a driver for the system controller found on various Allwinner SoCs. o Implemented smbios(4) support on arm64. o Added ucrcom(4), a driver for the serial console of chromebooks. o Enabled mvmdio(4) and mvneta(4) on arm64. o Added pinctrl(4) support for 'pinconf-single' devices and support for bias and drive-strength properties, needed for HiSilicon SoCs. o Added mvdog(4), a driver to support the watchdog on the Armada 3700 SoC. o Added support for the Allwinner H6 to sxipio(4) and sxiccmu(4). o Added mviic(4), a driver to support the I2C controller on the Armada 3700 SoC. o Added mvuart(4) to support the Armada 3720's serial console. o Added support for the Armada 3720 clocks to mvclock(4). o Added support for the Armada 3720 pinctrl controller to mvpinctrl(4). This controller also includes GPIO controller functionality. o Added the RK3328 and RK3399 GMAC clocks to rkclock(4). o Increased MAXCPUs to 32 in arm64, allowing use of all cores on the Ampere eMAG. o Added support for the Cortex-A65 CPU. o Implemented interrupt controller functionality in rkgpio(4), allowing use of the fusbtc(4) interrupt on the RockPro64. - IEEE 802.11 wireless stack improvements: o Repaired the ifconfig(8) 'nwflag' command (broken since OpenBSD 6.4). o Added a new 'stayauth' nwflag which can be set to ignore deauth frames. This is useful when deauth frames are being spoofed by an attacker. o Repaired the ifconfig(8) 'mode' command to properly force a wireless interface into 11a/b/g/n mode. o Made 11n Tx rate selection more sensitive to transmission failures. o Fixed automatic use of HT protection in 11n hostap mode. o Fixed WPA APs occasionally appearing as non-WPA APs during AP selection. o Fixed some eligible APs being ignored during AP selection after a roaming failure. o Added support for 802.11n Tx aggregation to net80211 and the iwn(4) driver. o Made net80211 expose reasons for association failures to have ifconfig(8) display them in "scan" output and on the ieee80211(9) status line. o Made all wireless drivers submit a batch of received packets to the network stack during one interrupt if possible, rather than submitting each packet individually. Prevents packet loss under high load due to backpressure from the network stack. - Generic network stack improvements: o Enabled TCP and UDP checksum offloading by default for ix(4). o Added tpmr(4), a 802.1Q two-port MAC relay implementation. o Added iavf(4), a driver for Intel SR-IOV Virtual Functions of Intel 700 series Ethernet controllers. o Added aggr(4), a dedicated driver to implement 802.1AX link aggregration. o Added port protection support to switch(4). Domain membership is checked for unicast, flooded (broadcast) and local (host-network-bound, e.g. trunk) traffic. o Disabled mobileip(4). o Added support to ifconfig(8) for getting and setting rxprio, finishing support for RFC 2983. Implemented configuring rxprio in vlan(4), gre(4), mpw(4), mpe(4), mpip(4), etherip(4) and bpe(4). o Implemented Tx mitigation by calling the hardware transmit routine per several packets rather than for individual packets. Defers calls to the transmit routine to a network taskq, or until a backlog of packets has built up. o Stopped using splnet(9) when running the network stack now that it is using the NET_LOCK for protection, reducing latency spikes. o Added support for reading SFPs to some ethernet cards. - Installer improvements: o Allowed quoted SSIDs in the installer, rather than ignoring those containing whitespace. o Introduced sysupgrade(8) that can be used to upgrade OpenBSD unattended. o A syspatch was provided which adds sysupgrade(8) to 6.5, so unattended upgrades to 6.6 can be performed on amd64/arm64/i386 with '# syspatch && sysupgrade'. o Created an octeon bootloader which is a modified kernel. To use this bootloader, the firmware must be configured to load file "boot" instead of "bsd". o Included mount_nfs(8) on the amd64 CD ramdisk. o Added tee(1) to the ramdisk, and display a moving progress bar during auto upgrade/install. o Repaired and improved v6 default route selection, fixing autoinstalls. o Added sysupgrade(8) support to the sparc64 bootloader. o The DHCP configuration is now preserved when restarting an install. o The installer now remembers 'autoconf' when restarting an install. o Stopped prompting for disks that do not contain a root partition during upgrades. This defaults to the correct disk when full disk encryption is in use, and will be useful for future unattended upgrades. - Security improvements: o unveil(2) is now used in 77 userland programs to redact filesystem access. o Various changes in unveil(2) to improve application behavior when encountering hidden filesystem paths. o ps(1) can show which processes have called unveil(2) with the u and U flags in STATE field. o ps(1) can show the list of pledge(2) options processes use with the -o pledge option. o Further and improved mitigations against Spectre side-channel vulnerability in Intel CPUs built since 2012. o Mitigations for Intel's Microarchitectural Data Sampling vulnerability, using the new CPU VERW behavior if available or by using the proper sequence from Intel's "Deep Dive" doc in the return-to-userspace and enter-VMM-guest paths. Updated vmm(4) to pass through the MSR bits so that guests can apply the optimal mitigation. o Rewrote doas(1) environment inheritance not to inherit, and instead reset to the target user's values by default. o Prepare the amd64 BIOS bootloader for loading the kernel at a random virtual address (future work). o Introduced malloc_conceal(3) and calloc_conceal(3), which return memory in pages marked MAP_CONCEAL and call freezero(3) on free(3). o Make 'systat pf' not require root permissions (systat(8)). o Added support for the EFI Random Number Generator Protocol, using it to XOR random data into the buffer we feed the kernel for amd64. o Added information about system call memory write protection and stack mapping violations to system accounting. Now daily(8) will print a list of affected processes and lastcomm(1) will flag violations with 'M'. - Routing daemons and other userland network improvements: o The ntpd(8) daemon now gets and sets the clock in a secure way when booting even when a battery-backed clock is absent. o slaacd(8) now removes IPv6 addresses when it detects a link-state change but no new router advertisement is received. o ifconfig(8) now reports SFP, SFP+ and QSFP module information when using the sff option. o Imported snmp(1), a new SNMP client which aims to be netsnmp-compatible for supported features, and removed snmpctl(8). o Improvements in ntpd(8) DNS resolving and constraints checking, especially during startup. Unreliable NTP peers are removed from the pool and DNS resolving is repeated to add replacements. o Changed the bgpd(8) Adj-RIB-Out to a per-peer set of RB trees, improving speed. o Rewrote bgpd(8) community matching and handling code and improved performance for setups using many communities. o Checked the type of a network statement when looking for duplicates in bgpd(8). This fixes added network 0.0.0.0/0 after 'network inet static'. o Made improvements to bgpd(8) speed when configuring many peers. o Implemented bgpctl(8) 'show mrt neighbors', to print the neighbor table of MRT TABLE_DUMP_V2 dumps. o Moved bgpd(8) pfkey socket to the parent process. The refreshing of the keys for MD5 and IPSEC is done whenever the session state changes to IDLE or ACTIVE, which should behave better when reloading configs with auth changes. o In bgpd(8), fixed reloading of network statements that have no fixed prefix specification. o Extended the maximum size of the bgpd(8) shutdown communication message to 255 bytes. o Improvements in pfctl(8), to always check for namespace collisions on table commands. Introduced 'pfctl -FR' to reset pfctl(8) settings to defaults. o Imported Kristaps Dzonsons' RPKI validator, rpki-client(8). o relayd(8) now supports binary protocol health checking. See relayd.conf(5). o Added support for OCSP stapling to relayd(8). o Added relayd(8) support for SNI with new 'tls keypair' option to load additional certificates. o Added support for 'from/to address[/prefix]' in relayd(8) filter rules. o Implemented RFC 8555 "Automatic Certificate Management Environment (ACME)" to enable acme-client(1) to communicate with the v02 Let's Encrypt API. Read the upgrade guide for more information. o tcpdump(8) support for '-T erspan' and arbitrary gre(4) protocols. o Allowed specifying area by number as well as id in ospf6d(8). o ospfctl(8) now accepts both address and number format for 'ospfctl show database area XXX'. o ospfd(8) reload improvements. o Added a check to ospfd(8) and ospf6d(8) that any "depend on" interfaces are in the same rdomain. o Make 'passive' (announce a network configured on an interface as a stub network) work with P2P interfaces in ospfd(8). o Shutdown the service port when behind a captive portal with unwind(8), allowing bypass of captive portals that correctly answer SOA queries for the root zone and return NXDOMAIN for the captive portal redirect domain if edns0 is present. o Implemented DNS block lists in unwind(8). o Added support for IKEv2 Message Fragmentation (RFC 7383) to iked(8). o Enabled switching between wireless and wired interfaces in dhclient(8), setting the default route with the interface address and allowing two default routes in the routing table. A wired interface will be preferred when connected. o Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear existing configurations completely after restarting an install. o Added 'forwarded' log format extending the 'combined' log format in httpd(8). - Assorted improvements: o The filesystem buffer cache now more aggressively uses memory outside the DMA region, to improve cache performance on amd64 machines. o The BER API previously internal to ldap(1), ldapd(8), ypldap(8), and snmpd(8) has been moved into libutil. See ber_read_elements(3). o Removed the old userland realpath(3) and replaced it with __realpath(2), a kernel implementation. This will prevent calling readlink(2) on every component of a path and improve performance for unveil(2). o ld.so(1) speedups, improving dynamic linker performance for large objects. o Modified systat(1) to allow the use of 'b' to switch to stats since boot. o From perldoc(1), always produce man(7) output in UTF-8, which gives better results with our mandoc(1) renderer no matter which LC_CTYPE the user selected. - VMM/VMD improvements o Added support for 'boot device' to vm.conf(5) grammar, the '-B device' counterpart from vmctl(8). o Emulated kvm pvclock in vmm(4), compatible with pvclock(4) in OpenBSD. o Enabled reporting of the vm state through use of the vmctl(8) 'status' command. o Synced vm state in vmd(8) when (un)pausing a vm to ensure both vmm(4) and vmd(8) processes know the vm is paused. o Handled some unhandled instructions for SVM which led to vmm(4) guest termination, as well as RDTSCP and INVLPGA instructions. o Modified vmm(4) to flush guest TLB entries if the guest disables paging. - OpenSMTPD 6.6.0 o New Features - Introduced support for ECDSA certificates with an ECDSA privsep engine. - Introduced builtin filters to allow basic filtering of incoming sessions in smtpd(8). - Introduced option to deliver junk to a Junk folder in mail.maildir(8). o Bug fixes - Fixed the smtp(1) client so it uses correct default port for SMTPS. - Fixed an smtpd(8) crash on excessively large input. - Ensured mail rejected by an LMTP server will stay queued rather than bouncing. o Experimental Features - Introduced a filters API to allow writing standalone filters for smtpd(8), with multiple filters made available in ports. - Introduced support for proxy-v2 protocol allowing smtpd(8) to operate behind proxy. - LibreSSL 3.0.2 o API and Documentation Enhancements - Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API. - Documented undescribed options and removed unfunctional options description in openssl(1) manual. o Compatibility Changes o Testing and Proactive Security - A plethora of small fixes due to regular oss-fuzz testing. - Various side channels in DSA and ECDSA were addressed. These are some of the many issues found in an extensive systematic analysis of bignum usage by Samuel Weiser, David Schrammel et al. - Try to compute the cofactor if a nonsensical value was provided for ECC parameters. Fix from Billy Brumley. o Internal Improvements o Portable Improvements - Enabled performance optimizations when building with Visual Studio on Windows. - Enabled openssl(1) speed subcommand on Windows platform. o Bug Fixes - Fixed issue where SRTP extension would not be sent by server. - Fixed incorrect carry operation in 512 addition for Streebog. - Fixed -modulus option with openssl(1) dsa subcommand. - Fixed PVK format output issue with openssl(1) dsa and rsa subcommand. - Fixed a padding oracle attack in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() (CMS is currently disabled). From Bernd Edlinger. - OpenSSH 8.1 o New Features - ssh(1): Allow %n to be expanded in ProxyCommand strings - ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" - ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). - ssh-keygen(1): print key comment when extracting public key from a private key. bz#3052 - ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003 - All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. o Bugfixes - ssh(1): if a PKCS#11 token returns no keys then try to login and refetch them. Based on patch from Jakub Jelen; bz#2430 - ssh(1): produce a useful error message if the user's shell is set incorrectly during "match exec" processing. bz#2791 - sftp(1): allow the maximum uint32 value for the argument passed to -b which allows better error messages from later validation. bz#3050 - ssh(1): avoid pledge sandbox violations in some combinations of remote forwarding, connection multiplexing and ControlMaster. - ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX proposal; allows ssh-keyscan to harvest keys from servers that disable old SHA1 ssh-rsa. bz#3029 - sftp(1): print explicit "not modified" message if a file was requested for resumed download but was considered already complete. bz#2978 - sftp(1): fix a typo and make <esc><right> move right to the closest end of a word just like <esc><left> moves left to the closest beginning of a word. - sshd(8): cap the number of permitopen/permitlisten directives allowed to appear on a single authorized_keys line. - All: fix a number of memory leaks (one-off or on exit paths). - Regression tests: a number of fixes and improvements, including fixes to the interop tests, adding the ability to run most tests on builds that disable OpenSSL support, better support for running tests under Valgrind and a number of bug-fixes. - ssh(1), sshd(8): check for convtime() refusing to accept times that resolve to LONG_MAX Reported by Kirk Wolf bz2977 - ssh(1): slightly more instructive error message when the user specifies multiple -J options on the command-line. bz3015 - ssh-agent(1): process agent requests for RSA certificate private keys using correct signature algorithm when requested. bz3016 - sftp(1): check for user@host when parsing sftp target. This allows user@[1.2.3.4] to work without a path. bz#2999 - sshd(8): enlarge format buffer size for certificate serial number so the log message can record any 64-bit integer without truncation. bz#3012 - sshd(8): for PermitOpen violations add the remote host and port to be able to more easily ascertain the source of the request. Add the same logging for PermitListen violations which where not previously logged at all. - scp(1), sftp(1): use the correct POSIX format style for left justification for the transfer progress meter. bz#3002 - sshd(8) when examining a configuration using sshd -T, assume any attribute not provided by -C does not match, which allows it to work when sshd_config contains a Match directive with or without -C. bz#2858 - ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned no slots" warning from log level error to debug. This is common when attempting to enumerate keys on smartcard readers with no cards plugged in. bz#3058 - ssh(1), ssh-keygen(1): do not unconditionally log in to PKCS#11 tokens. Avoids spurious PIN prompts for keys not selected for authentication in ssh(1) and when listing public keys available in a token using ssh-keygen(1). bz#3006 - Mandoc o Slowly start implementing tagging support for man(7) pages: tag alphabetic arguments of .IP, .TP, and .TQ macros. o In HTML output, wrap text and phrasing elements in paragraphs unless already contained in flow containers; never put them directly into sections. This helps to format paragraphs with the CSS class selector .Pp. o Implement the roff(7) .break request to break out of a .while loop. o If messages are shown and output is printed without a pager, display a heads-up on standard error output at the end because otherwise, users may easily miss the messages. o Let mandoc.css support prefers-color-scheme: dark. o For pages lacking a SYNOPSIS, let man(1) show the NAME section. - Ports and packages: o Pre-built packages are available for the following architectures on the day of release: - aarch64 (arm64): 10075 - amd64: 10736 - i386: 10682 - sparc64: 9685 - mips64: 7921 o Packages for the following architectures will be made available as their builds complete: - arm - mips64el - powerpc - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 1.20.5 + patches, freetype 2.10.1, fontconfig 2.12.4, Mesa 19.0.8, xterm 344, xkeyboard-config 2.20 and more) o LLVM/Clang 8.0.1 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.28.2 (+ patches) o NSD 4.2.2 o Unbound 1.9.4 o Ncurses 5.7 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk Aug 10, 2011 version o Expat 2.2.8 ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - HTTPS INSTALLS ------------------------------------------------------- OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS. 1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of October 17, 2019, the following HTTPS mirror sites have the 6.6 release: https://cdn.openbsd.org/pub/OpenBSD/6.6/ Global https://ftp.eu.openbsd.org/pub/OpenBSD/6.6/ Stockholm, Sweden https://ftp.hostserver.de/pub/OpenBSD/6.6/ Frankfurt, Germany https://ftp.bytemine.net/pub/OpenBSD/6.6/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/6.6/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/6.6/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/6.6/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/6.6/ CA, USA https://mirror.esc7.net/pub/OpenBSD/6.6/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/6.6/ Toronto, Canada https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.6/ Global https://fastly.cdn.openbsd.org/pub/OpenBSD/6.6/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/6.6/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/6.6/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT arm64/ luna88k/ ports.tar.gz README armv7/ macppc/ root.mail SHA256 hppa/ octeon/ sparc64/ SHA256.sig i386/ openbsd-66-base.pub src.tar.gz alpha/ landisk/ packages/ sys.tar.gz amd64/ loongson/ packages-stable/ xenocara.tar.gz It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy66.fs pxeboot* BOOTX64.EFI* bsd.mp* game66.tgz xbase66.tgz BUILDINFO bsd.rd* index.txt xfont66.tgz INSTALL.amd64 cd66.iso install66.fs xserv66.tgz SHA256 cdboot* install66.iso xshare66.tgz SHA256.sig cdbr* man66.tgz base66.tgz comp66.tgz miniroot66.fs If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install66.iso. The install66.iso file (roughly 463MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install66.fs and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 6.6 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/6.6/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.6/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil, Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber. Base and X system builds by Kenji Aoyama and Theo de Raadt. Release art contributed by Natasha Allegri. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Carlos Cardenas, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Joris Vink, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein, Otto Moerbeek, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo