Thursday, April 30, 2015

[FreeBSD-Announce] FreeBSD Quarterly Status Report - First Quarter 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD Project Quarterly Status Report: January - March 2015

This report covers FreeBSD-related projects between January and March
2015. This is the first of four reports planned for 2015.

The first quarter of 2015 was another productive quarter for the
FreeBSD project and community. FreeBSD is being used in research
projects, and those projects are making their way back into FreeBSD as
new and exciting features, bringing improved network performance and
security features to the system. Work continues to improve support for
more architectures and architecture features, including progress
towards the goal of making ARM (32- and 64-bit) a Tier 1 platform in
FreeBSD 11. The toolchain is receiving updates, with new versions of
clang/LLVM in place, migrations to ELF Tool Chain tools, and updates to
the LLDB and gdb debuggers. Work by ports teams and kernel developers
is maintaining and improving the state of FreeBSD as a desktop
operating system. The pkg team is continuing to make binary packages
easier to use and upgrade.

Thanks to all the reporters for the excellent work!

The deadline for submissions covering the period from April to June
2015 is July 7th, 2015.
__________________________________________________________________

FreeBSD Team Reports

* FreeBSD Bugmeister
* Ports Collection
* The FreeBSD Core Team

Projects

* bhyve
* CheriBSD
* Clang, llvm and lldb updated to 3.6.0
* FreeBSD on POWER8
* Jenkins Continuous Integration for FreeBSD
* Lua boot loader
* Mellanox iSCSI Extensions for RDMA (iSER) Support
* Multipath TCP for FreeBSD
* New Automounter
* Opaque ifnet
* pkg
* Secure Boot

Kernel

* Adding PCIe Hot-plug Support
* Address Space Layout Randomization (ASLR)
* Modern x86 platform support and VT-d
* Nanosecond file timestamps

Architectures

* FreeBSD on newer ARM boards
* FreeBSD/arm64
* Nested Kernel

Userland Programs

* libthr improvements
* Migration to ELF Tool Chain tools
* The LLDB Debugger
* Updates to GDB

Ports

* FreeBSD Ada Ports
* FreeBSD Python Ports
* GNOME on FreeBSD
* KDE on FreeBSD
* The Graphics stack on FreeBSD
* Wine/FreeBSD
* Xfce on FreeBSD

Documentation

* More Michael Lucas FreeBSD books

Miscellaneous

* The FreeBSD Foundation
__________________________________________________________________

FreeBSD Bugmeister

Contact: FreeBSD Bugmeister <bugmeister@FreeBSD.org>

Bugzilla replaced GNATS in June 2014 as the bug management tool of
choice for FreeBSD, granting GNATS its well-deserved retirement after
more than 20 years of operation. The following months were rough for
Bugzilla: a lot of functionality was still missing and several
uncertainties caused users and committers to adapt only slowly to the
new system.

Over the last six months, a lot of missing features were brought into
place to allow users and committers to focus on getting bugs solved.
Categories, the status model and many workflow-related knobs were
continuously reworked and improved to provide the necessary information
without getting in the way.

An auto-assigner for ports issues was implemented, resembling what
GNATS successfully did in the past. A dashboard page within Bugzilla
provides users and committers with quick access to common queries and
overall statistics; many other smaller tweaks, configurations, and
extensions were implemented to improve the usability of the system.

An improved reporting system is currently being implemented to provide
graphs and statistics for users and committers. Handling MFCs and a
better feedback mechanism for requests (flags in Bugzilla) will be the
next things to do.

Bugmeister is also working closely with the FreeBSD GitHub team to
establish a workflow between GitHub's issue tracker and our Bugzilla
system. The technical solution already exists as a proof of concept,
but its usage in production will have to wait until Bugzilla 5.0 has
been adopted.

Open tasks:

1. Create a solid charting extension for FreeBSD Bugzilla.
2. Improve MFC handling.
3. Do you feel that something important is missing? Let us know!
__________________________________________________________________

Ports Collection

URL: http://www.FreeBSD.org/ports/
URL: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/ports-contributing.html
URL: http://portsmon.freebsd.org/index.html
URL: http://portscout.freebsd.org/
URL: http://www.freebsd.org/portmgr/index.html
URL: http://blogs.freebsdish.org/portmgr/
URL: http://www.twitter.com/freebsd_portmgr/
URL: http://www.facebook.com/portmgr
URL: http://plus.google.com/communities/108335846196454338383

Contact: Frederic Culot <portmgr-secretary@FreeBSD.org>
Contact: Port Management Team <portmgr@FreeBSD.org>

As of the end of Q1 the ports tree holds almost 25,000 ports, and the
PR count is just over 1,500. The tree saw more activity than during the
previous quarter, with almost 7,000 commits performed by 163 active
committers. The number of problem reports closed also increased by
about 20%, with nearly 2,000 PRs closed!

In Q1 two new developers were granted a ports commit bit (jbeich@ and
brd@) and one bit was taken in for safekeeping (rafan@, on his
request).

On the management side, decke@ decided to step down from his portmgr
duties in February. No other changes were made to the team during Q1.

This quarter also saw the release of the first quarterly branch of the
year, 2015Q1. On this branch, 140 changes were applied by 35
committers.

On the QA side, 29 exp-runs were performed to validate sensitive
updates or cleanups.

Open tasks:

1. As in the previous quarter, a tremendous amount of work was done
on the tree to update major ports and to close even more PRs than
in 2014Q4. However, we sometimes lag behind with regard to
documentation, so volunteers are welcome to help on this important
task.
__________________________________________________________________

The FreeBSD Core Team

Contact: FreeBSD Core Team <core@FreeBSD.org>

The FreeBSD Core Team constitutes the project's "Board of Directors",
responsible for deciding the project's overall goals and direction as
well as managing specific areas of the FreeBSD project landscape.

January began with members of core dealing with the fallout from the
accidental deletion of the Bugzilla database. This incident highlighted
the fact that backup and recovery mechanisms in the cluster were not up
to the task. Core has discussed what measures are appropriate with
clusteradm and is reviewing their implementation.

After a long process of consultation, plans for introducing the new
support model with 11.0-RELEASE were finally agreed on and published in
early February. This announcement puts the practical detail onto the
motion that was adopted at BSDCan 2014, and clarifies the steps needed
for implementation.

Also in February core revisited discussions on making the
blogs.freebsdish.org blog aggregator an official project service and
also providing a blogging platform directly to developers. However,
security and man-power are both major concerns. Given the track records
of most freely available blogging platforms, core is rightly wary of
introducing them into the cluster. Similarly, curating a blogging
platform will take a substantial volunteer effort to ensure all posts
are appropriate and to remove spam.

March has seen two discussions about potentially divisive topics.
Should the ZFS ARC Responsiveness patches be committed and MFC'd as a
pragmatic fix to performance problems in 10.1-RELEASE, understanding
that this is not an ideal solution to the problem and will need rework?
Should we stop maintaining support for older (C89 or earlier) compilers
in kernel code, and just code directly to the C11 standard? Broadening
out from this last point: should we have a formal mechanism for
deciding what has become obsolete in the system and when it should be
removed?

During this quarter five new src commit bits were granted and two were
taken in for safe-keeping.
__________________________________________________________________

bhyve

URL: http://www.bhyve.org

Contact: Peter Grehan <grehan@FreeBSD.org>
Contact: Neel Natu <neel@FreeBSD.org>
Contact: John Baldwin <jhb@FreeBSD.org>
Contact: Tycho Nightingale <tychon@FreeBSD.org>
Contact: Allan Jude <allanjude@FreeBSD.org>
Contact: Alexander Motin <mav@FreeBSD.org>

bhyve is a hypervisor that runs on the FreeBSD/amd64 platform. At
present, it runs FreeBSD (8.x or later), Linux i386/x64, OpenBSD
i386/amd64, and NetBSD/amd64 guests. Current development is focused on
enabling additional guest operating systems and implementing features
found in other hypervisors.

Peter Grehan gave a status update at bhyvecon 2015 in Tokyo. The slides
are available at http://bhyvecon.org/bhyvecon2015-Peter.pdf.

Mihai Carabas presented the results of his GSoC project on implementing
instruction caching in bhyve at AsiaBSDCon 2015 in Tokyo. The slides
are available at
http://people.freebsd.org/~neel/bhyve/bhyve-cache-emul-slides.pdf.

A number of improvements were made to bhyve this quarter:
* The RTC device model can now be instructed to keep UTC time instead
of localtime. This is useful for guests like OpenBSD that expect
the RTC to keep UTC time.
* The virtio-blk device now does I/O asynchronously without blocking
the vcpu thread that initiated the I/O.
* The virtio-blk and ahci-hd devices are now able to execute multiple
I/O requests in parallel. This can significantly boost virtual disk
throughput.
* The ahci-hd device emulation advertises TRIM to the guest if the
backend device supports it (e.g., ZVOL).
* The virtio-blk and ahci-hd devices now advertise the proper logical
and physical block size of the backend device or file.

Open tasks:

1. Improve documentation.
2. bhyveucl is a tool for starting bhyve instances based on a UCL
formatted config file. More information is at
https://github.com/allanjude/bhyveucl
3. Add support for virtio-scsi.
4. Flexible networking backends such as wanproxy and vhost-net.
5. Move to a single process model, instead of bhyveload and bhyve.
6. Support running bhyve as non-root.
7. Add filters for popular VM file formats (VMDK, VHD, QCOW2).
8. Implement an abstraction layer for video (no X11 or SDL in the base
system).
9. Suspend/resume support.
10. Live Migration.
11. Nested VT-x support (bhyve in bhyve).
12. Support for other architectures (ARM, MIPS, PPC).
__________________________________________________________________

CheriBSD

URL: http://cheri-cpu.org/

Contact: Robert Watson <rwatson@FreeBSD.org>
Contact: Brooks Davis <brooks@FreeBSD.org>
Contact: David Chisnall <theraven@FreeBSD.org>
Contact: Ruslan Bukin <br@FreeBSD.org>

CheriBSD is a fork of FreeBSD to support the CHERI research CPU. We
have extended the kernel to provide support for CHERI memory
capabilities as well as modifying applications and libraries including
tcpdump, libmagic, and libz to take advantage of these capabilities for
improved memory safety and compartmentalization. We have also developed
custom demo applications and deployment infrastructure for our table
demo platform.

As this goes to press, we are finalizing our first open source release
of the CHERI CPU which will be available from the CHERI CPU website.

We have been merging support for the BERI CPU platform to FreeBSD since
2012 and continue to do so as new features are developed. Most
recently, Ruslan has added support for the Terasic SoCKit board which
combines an ARM processor with an FPGA capable of running BERI (and
soon CHERI) in a single package.

This project is sponsored by DARPA/AFRL.
__________________________________________________________________

Clang, llvm and lldb updated to 3.6.0

URL: http://llvm.org/releases/3.6.0/docs/ReleaseNotes.html
URL: http://llvm.org/releases/3.6.0/tools/clang/docs/ReleaseNotes.html

Contact: Dimitry Andric <dim@FreeBSD.org>
Contact: Ed Maste <emaste@FreeBSD.org>
Contact: Roman Divacky <rdivacky@FreeBSD.org>
Contact: Davide Italiano <davide@FreeBSD.org>

Just before the end of the quarter, we updated clang, llvm and lldb in
the base system to the 3.6.0 release. These all contain numerous
improvements; please see the linked release notes for more detailed
information.

We have also imported a newer snapshot of compiler-rt, with better
support for the Address Sanitizer and the Undefined Behavior Sanitizer,
and arm64 runtime support routines. With the updated clang, llvm, and
compiler-rt, we now support the Address and Undefined Behavior
Sanitizers in the base system toolchain.

As with the 3.5.0 release, these components require C++11 support to
build. C++11 support is available in FreeBSD 10.0 and later on the x86
architectures.

It is still unclear whether we will be able to MFC these updates to any
of the stable branches, due to the difficulty it will introduce for
upgrading from a system without C++11 support, either from older
releases or from architectures still using gcc.

In the lld-import branch, we have also imported a recent snapshot of
lld, a linker produced by the LLVM project. This is a very preliminary
effort toward making it available as a system linker.

Thanks to Ed Maste, Roman Divacky, Andrew Turner and Davide Italiano
for their help with this import, and thanks to Antoine Brodin for
performing a ports exp-run.

Open tasks:

1. After the ports exp-run, a small number of ports turned out to have
problems, and for almost all of these, PRs with fixes or
workarounds were filed. While most of these PRs have been processed
and closed, there are still a few left that need attention, from
either the maintainer(s) or other volunteers.
2. Andrew Turner is working on bringing up the arm64 architecture,
which is now fully supported in clang and llvm. This will be a very
interesting new area for solving challenging problems.
3. There are still issues with the powerpc and sparc64 architectures,
and any help in these areas is very much appreciated.
__________________________________________________________________

FreeBSD on POWER8

URL: http://www.tyan.com/campaign/openpower/

Contact: Nathan Whitehorn <nwhitehorn@freebsd.org>
Contact: Justin Hibbits <jhibbits@freebsd.org>
Contact: Adrian Chadd <adrian@freebsd.org>

IBM and the OpenPOWER Foundation are pushing for a wider software and
hardware ecosystem for POWER8-based systems. Starting in January 2014,
we have been doing bringup work on a Tyan GN70-BP010 POWER8 server, a
quad-core 3 GHz system with a total of 32 hardware threads.

Updates since the previous report:
* FreeBSD now boots under a hypervisor with the virtual SCSI block
device; the issue previously preventing this has been fixed.
* The powerpc64 pmap code was rewritten to be more scalable, as the
previous pmap code did not scale beyond a small number of CPUs.
* Initial support for IBM's Vector-Scalar Extensions (VSX) was added.
* The FreeBSD kernel was made completely position independent for
powerpc64, and later powerpc32 as well.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Get FreeBSD booting natively, rather than under KVM. This requires
writing OPAL drivers for the various hardware devices in the
system.
2. Integrate loader(8) with petitboot.
__________________________________________________________________

Jenkins Continuous Integration for FreeBSD

URL: https://jenkins.freebsd.org
URL: http://www.cloud9ers.com/
URL: https://wiki.ubuntu.com/AhmedKamal
URL: https://github.com/saltstack/salt/pulls?q=is%3Apr+author%3Akim0
URL: http://julipedia.meroh.net/2015/02/kyua-turns-parallel.html
URL: https://github.com/jenkinsci/multiple-scms-plugin/commits?author=rodrigc
URL: https://lists.freebsd.org/pipermail/freebsd-toolchain/2015-March/001545.html
URL: https://wiki.freebsd.org/ExternalToolchain

Contact: Craig Rodrigues <rodrigc@FreeBSD.org>
Contact: Jenkins Administrators <jenkins-admin@FreeBSD.org>
Contact: FreeBSD Testing <freebsd-testing@FreeBSD.org>

The Jenkins Continuous Integration and Testing project has been helping
to improve the quality of FreeBSD. Since the last status report, we
have quickly found commits which caused build breakage or test
failures. FreeBSD developers saw these problems and quickly fixed them.
Some of the highlights include:
* Ahmed Kamal agreed to join the jenkins-admin team. Even though he
is not a FreeBSD committer, he is subscribed to the jenkins-admin
alias, and is contributing code via GitHub. Ahmed has contributed
multiple SaltStack scripts which are in the freebsd-ci GitHub
repository. Ahmed has also found multiple bugs in SaltStack's
FreeBSD support. He has fixed these bugs and pushed them back to
SaltStack via GitHub pull requests.
Ahmed is a software developer who lives in Cairo, Egypt. He
presently works for Cloud9ers, a cloud and devops consulting firm.
In the past, he has worked for Canonical as the Ubuntu Cloud and
Server community liaison.
Ahmed found out about the Request for Help sent out by Craig
Rodrigues for help with Jenkins in FreeBSD via a random web search.
Ahmed found FreeBSD to be a very nice project, and was eager to
volunteer and help out, and responded to the Request. Ahmed will
attend BSDCan, where he will learn more about the BSD Community.
* Julio Merino extended Kyua to support executing test cases in
parallel. This should help the scaling of testing in environments
with thousands of test cases.
* Craig Rodrigues got a commit bit to the Jenkins Multiple SCMs
plugin, and committed fixes to that plugin to help it work with
Subversion 1.8.
* Craig Rodrigues worked with Dimitry Andric in the freebsd-toolchain
team to help identify and fix several compile problems in the
FreeBSD src tree when using GCC 4.9. This work will help with the
External Toolchain project.

Open tasks:

1. Set up more builds based on different architectures.
2. Improve the maintenance of nodes in the Jenkins cluster using
devops frameworks such as SaltStack.
3. People interested in helping out should join the
freebsd-testing@FreeBSD.org list.
__________________________________________________________________

Lua boot loader

URL: https://svnweb.freebsd.org/base/projects/lua-bootloader/

Contact: Rui Paulo <rpaulo@FreeBSD.org>
Contact: Pedro Souza <pedrosouza@FreeBSD.org>
Contact: Wojciech Koszek <wkoszek@FreeBSD.org>

The Lua boot loader project is in its final stage and it can be used on
x86 already. The aim of this project is to replace the Forth boot
loader with a Lua boot loader. All the scripts were re-written in Lua
and are available in sys/boot/lua. Once all the Forth features have
been tested and the boot menus look exactly like in Forth, we will
start merging this project to FreeBSD HEAD. Both loaders can co-exist
in the source tree with no problems because a pluggable loader was
introduced for this purpose.

The project was initially started by Wojciech Koszek, and Pedro Souza
wrote most of the Lua code last year in his Google Summer of Code
project.

To build a Lua boot loader just use:

    WITH_LUA=y
    WITHOUT_FORTH=y

Open tasks:

1. Feature/appearance parity with Forth.
2. Investigate use of floating point by Lua.
3. Test the EFI Lua loader.
4. Test the U-Boot Lua loader.
5. Test the serial console.
__________________________________________________________________

Mellanox iSCSI Extensions for RDMA (iSER) Support

Contact: Max Gurtovoy <maxg@mellanox.com>
Contact: Sagi Grimberg <sagig@mellanox.com>

Building on the new in-kernel iSCSI initiator stack released in FreeBSD
10.0, and the recently added iSCSI offload interface, Mellanox
Technologies has begun developing iSCSI extensions for RDMA (iSER)
initiator support to enable efficient data movement using the hardware
offload capabilities of Mellanox's 10, 40, 56, and 100 gigabit
IB/Ethernet adapters.

Remote Direct Memory Access (RDMA) has been shown to have great value
for storage applications. RDMA infrastructure provides benefits such as
zero-copy, CPU offload, reliable transport, fabric consolidation and
many more. The iSER protocol eliminates some of the bottlenecks in the
traditional iSCSI/TCP stack, provides low latency and high throughput,
and is well suited for latency-aware workloads.

This work includes a new ICL module that implements the iSER initiator.
The iSCSI stack is slightly modified to support some extra features
such as asynchronous IO completions, unmapped data buffers, and
data-transfer offloads. The user will be able to choose iSER as the
iSCSI transport with iscsictl(8).

The project is in its initial implementation phase. The code will be
released under the BSD license and is expected to be completed later
this year.

This project is sponsored by Mellanox Technologies.
__________________________________________________________________

Multipath TCP for FreeBSD

URL: http://caia.swin.edu.au/urp/newtcp/mptcp/

Contact: Nigel Williams <njwilliams@swin.edu.au>

Multipath TCP (MPTCP) is an extension to TCP that allows for the use of
multiple network interfaces on a standard TCP session. The addition of
new addresses and scheduling of data across these occurs transparently
from the perspective of the TCP application.

The goal of this project is to deliver an MPTCP kernel patch that
interoperates with the reference MPTCP implementation, along with
additional enhancements to aid network research.

After a major re-design of the earlier prototype implementation, the
patch is again able to establish and carry out multi-path connections
that incorporate multiple addresses. Improvements have also been made
to path management and to the code handling the addition of subflows to
a connection.

Most recently data-level re-transmission support has been added and is
being tested. Soon more extensive testing of the patch in different
multi-path scenarios will begin, with plans for a public release of
v0.5 in May.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Testing of data-level re-transmission.
2. Basic support for per-subflow congestion control algorithm
selection.
3. Testing and release of v0.5 patch.
__________________________________________________________________

New Automounter

URL: https://wiki.freebsd.org/Automounter
URL: http://people.freebsd.org/~trasz/autofs.pdf
URL: http://freebsdfoundation.blogspot.com/2015/03/freebsd-from-trenches-using-autofs5-to_13.html

Contact: Edward Tomasz Napierała <trasz@FreeBSD.org>

The new automounter is a cleanroom implementation of functionality
available in most other Unix systems, using proper kernel support
implemented via an autofs filesystem. The automounter supports a
standard map format, and integrates with the Lightweight Directory
Access Protocol (LDAP) service.

After shipping in 10.1-RELEASE, most of the work focused on bug fixing,
improving documentation, and optimization. The biggest new feature was
the addition of a "-media" map, designed to handle removable media,
such as flash drives or DVDs, and the necessary elements of
infrastructure to support it, namely fstyp(8) and GEOM devd
notifications. Also, the "-noauto" map was added, for automatic
mounting of filesystems marked "noauto" in fstab(5), instead of having
to write an autofs map for them.

This project is sponsored by The FreeBSD Foundation.
__________________________________________________________________

Opaque ifnet

URL: https://wiki.freebsd.org/projects/ifnet

Contact: Gleb Smirnoff <glebius@FreeBSD.org>

This project aims to design a new KPI for network drivers that would
allow the network stack to evolve without breaking compatibility with
older drivers. The core idea is to hide struct ifnet from drivers,
giving the project the name "opaque ifnet". However, the project will
include more changes than just hiding the struct's definition.

At present, the new KPI has been prototyped, most of the important
parts of network stack have been modified appropriately, and several
drivers have been converted to the new KPI.

The project needs more manpower, since there are many network drivers
in the tree, with a total of 245 sites where a struct ifnet is
allocated.

This project is sponsored by Netflix.

Open tasks:

1. Convert more drivers.
__________________________________________________________________

pkg

URL: https://github.com/freebsd/pkg
URL: https://lists.freebsd.org/mailman/listinfo/freebsd-pkg

Contact: Baptiste Daroussin <bapt@FreeBSD.org>
Contact: Vsevolod Stakhov <vsevolod@FreeBSD.org>
Contact: Andrej Zverev <az@FreeBSD.org>

Lots of work has been done on the pkg(8) front, which has brought
pkg(8) to the 1.5.0 release.

Special attention has been spent on the test suite; the number of tests
went from around 20 to more than 70. They are mostly functional tests,
each of which tests many different features, with less emphasis on unit
tests.

One of the main highlights is initial support for provides/requires.
This is still simple but is good enough to allow fixing a lot of
situations when dealing with php-related ports: PHP can now safely
upgrade from one major version to another. This allows for the
pecl/pear packages to be reinstalled each time a minor php upgrade is
done.

Some pkg internals have been reworked to allow cross installation of
packages without the need for chroot(2) or jail(2) calls.

The plist and keyword parser have been improved to keep simplifying
creating new ports:
* Keywords can now have arguments
* A lazy mode is available for setting credentials via the plist
* Flags (immutable and others) can now be specified in the plist

pkg now supports resume for http/ftp downloads.

Open tasks:

1. Populate the ports tree with provides/requires.
2. Make all scripts in the ports tree support cross installation.
3. Improve provides/requires.
4. Continue adding more tests.
__________________________________________________________________

Secure Boot

URL: https://wiki.freebsd.org/SecureBoot

Contact: Edward Tomasz Napierała <trasz@FreeBSD.org>

UEFI Secure Boot is a mechanism that requires boot drivers and
operating system loaders to be cryptographically signed by an
authorized key. It will refuse to execute any software that is not
correctly signed, and is intended to secure boot drivers and operating
system loaders from malicious tampering or replacement.

The utility to add Authenticode signatures to EFI files, uefisign(8),
was committed to 11-CURRENT and will ship in 10.2-RELEASE. Ports for
other open source utilities were added to the Ports Collection, as
sysutils/pesign, sysutils/sbsigntool, and sysutils/shim. There is a
prototype patch that makes boot1 use the Secure Boot shim, and modifies
the shim to provide the functionality necessary for a successful
bootstrap.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Finalize the shim API extension and get it accepted upstream.
2. Commit boot1 changes.
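
To make the Authenticode signing described above concrete, here is an added example (not part of the original report and not uefisign(8) code) that checks whether a PE/COFF EFI image carries a PKCS#7 signature blob in its certificate table. It checks presence and framing only, not whether the signature verifies against the firmware's keys; the function names and the sample image built by make_sample_pe() are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum sig_status { PE_INVALID, PE_UNSIGNED, PE_CERT_MALFORMED, PE_HAS_PKCS7 };

/* Little-endian field access, independent of host byte order. */
static uint32_t rd_le(const unsigned char *p, int n)
{
    uint32_t v = 0;
    while (n-- > 0)
        v = (v << 8) | p[n];
    return v;
}

static void wr_le(unsigned char *p, uint32_t v, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Locate data directory 4 (certificate table) and inspect its first entry. */
enum sig_status authenticode_status(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return PE_INVALID;
    size_t pe = rd_le(buf + 0x3c, 4);              /* e_lfanew */
    if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4) != 0)
        return PE_INVALID;
    size_t opt = pe + 24;                          /* optional header */
    size_t opt_size = rd_le(buf + pe + 20, 2);     /* SizeOfOptionalHeader */
    uint32_t magic = rd_le(buf + opt, 2);
    size_t dd;                                     /* data directory offset */
    if (magic == 0x10b)
        dd = 96;                                   /* PE32 */
    else if (magic == 0x20b)
        dd = 112;                                  /* PE32+ */
    else
        return PE_INVALID;
    /* The optional header must fit in the file and reach directory 4. */
    if (opt_size > len - opt || opt_size < dd + 5 * 8)
        return PE_INVALID;
    if (rd_le(buf + opt + dd - 4, 4) <= 4)         /* NumberOfRvaAndSizes */
        return PE_UNSIGNED;
    size_t cert_off = rd_le(buf + opt + dd + 32, 4);   /* a file offset */
    size_t cert_size = rd_le(buf + opt + dd + 36, 4);
    if (cert_off == 0 || cert_size == 0)
        return PE_UNSIGNED;
    if (cert_size < 8 || cert_off > len || cert_size > len - cert_off)
        return PE_CERT_MALFORMED;
    uint32_t dw_length = rd_le(buf + cert_off, 4);     /* WIN_CERTIFICATE */
    uint32_t cert_type = rd_le(buf + cert_off + 6, 2);
    if (dw_length < 8 || dw_length > cert_size)
        return PE_CERT_MALFORMED;
    /* 0x0002 is WIN_CERT_TYPE_PKCS_SIGNED_DATA, the Authenticode type. */
    return cert_type == 0x0002 ? PE_HAS_PKCS7 : PE_CERT_MALFORMED;
}

/* Constructed 400-byte PE32+ skeleton; buf must hold at least 400 bytes. */
size_t make_sample_pe(unsigned char *buf, int with_cert)
{
    memset(buf, 0, 400);
    buf[0] = 'M';
    buf[1] = 'Z';
    wr_le(buf + 0x3c, 0x40, 4);                  /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr_le(buf + 0x44, 0x8664, 2);                /* Machine: x86-64 */
    wr_le(buf + 0x54, 240, 2);                   /* SizeOfOptionalHeader */
    wr_le(buf + 0x58, 0x20b, 2);                 /* PE32+ magic */
    wr_le(buf + 0x58 + 108, 16, 4);              /* NumberOfRvaAndSizes */
    if (with_cert) {
        wr_le(buf + 0x58 + 112 + 32, 0x180, 4);  /* directory 4: offset */
        wr_le(buf + 0x58 + 112 + 36, 16, 4);     /* directory 4: size */
        wr_le(buf + 0x180, 16, 4);               /* dwLength */
        wr_le(buf + 0x184, 0x0200, 2);           /* wRevision 2.0 */
        wr_le(buf + 0x186, 0x0002, 2);           /* PKCS#7 SignedData */
    }
    return 400;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "not a PE image", "unsigned",
        "malformed certificate table", "carries a PKCS#7 signature" };
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        long sz = -1;
        if (f == NULL || fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0) {
            perror(argv[i]);
            if (f != NULL)
                fclose(f);
            continue;
        }
        rewind(f);
        unsigned char *buf = malloc((size_t)sz + 1);
        if (buf != NULL && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
            printf("%s: %s\n", argv[i],
                names[authenticode_status(buf, (size_t)sz)]);
        free(buf);
        fclose(f);
    }
    return 0;
}
```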
__________________________________________________________________

Adding PCIe Hot-plug Support

URL: http://p4web.freebsd.org/@md=d&cd=//depot/projects/&c=LQ6@//depot/projects/pciehotplug/?ac=83

Contact: John-Mark Gurney <jmg@FreeBSD.org>

PCI Express (PCIe) hot-plug is used on both laptops and servers to
allow peripheral devices to be added or removed while the system is
running. Laptops commonly include hot-pluggable PCIe as either an
ExpressCard slot or a Thunderbolt interface. ExpressCard has built-in
USB support that is already supported by FreeBSD, but ExpressCard PCIe
devices like Gigabit Ethernet adapters and eSATA cards are only
supported when they are present at boot, and removal may cause a kernel
panic.

The goal of this project is to allow these devices to be inserted and
removed while FreeBSD is running. The work will provide the basic
infrastructure to support adding and removing devices, though it is
expected that additional work will be needed to update individual
drivers to support hot-plug.

Current testing is focused on getting a simple UART device functional.
Basic hot swap is functional.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Get suspend/resume functional by saving/restoring the necessary
registers.
2. Make sure that upon suspend, devices are removed so that if they
are replaced while the machine is suspended, the new devices will
be detected.
3. Improve how state transitions are handled, possibly by using a
proper state machine.
__________________________________________________________________

Address Space Layout Randomization (ASLR)

URL: https://hardenedbsd.org/
URL: https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054669.html
URL: https://reviews.freebsd.org/D473

Contact: Shawn Webb <shawn.webb@hardenedbsd.org>
Contact: Oliver Pinter <oliver.pinter@hardenedbsd.org>

Address Space Layout Randomization (ASLR) is a computer security
technique that aids in mitigating low-level vulnerabilities such as
buffer overflows. ASLR randomizes the memory layout of running
applications to prevent an attacker from knowing where a given
exploitable vulnerability lies in memory.

We have been working hard the last few months to ensure the robustness
of our ASLR implementation. We have written a manpage and updated the
patch on FreeBSD's code review system (Phabricator). Our ASLR
implementation is in use by the HardenedBSD team in production
environments and is performing robustly.

The next task is to compile the base system applications as
Position-Independent Executables (PIEs). For ASLR to be effective,
applications must be compiled as PIEs to allow the main binary, as well
as shared libraries, to be located at random addresses. It is likely
that this part will take a long time to accomplish, given the
complexity surrounding building the libraries in the base system. Even
if applications are not compiled as PIEs, having ASLR available still
helps those applications (like HardenedBSD's secadm) which force
compilation as PIE for themselves.

This project is sponsored by SoldierX.

Open tasks:

1. Test our patch against 11-CURRENT.
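
A check for the PIE requirement described above, as an added example that is not part of the original report or of the HardenedBSD patch: it classifies an ELF64 little-endian image as fixed-address (ET_EXEC) or position-independent (ET_DYN), treating ET_DYN with a PT_INTERP segment as a PIE, which is a heuristic. The function names and the sample images built by make_sample() are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_kind { ELF_INVALID, ELF_FIXED_EXEC, ELF_PIE, ELF_SHARED_OBJECT, ELF_OTHER };

#define ET_EXEC_   2  /* linked at a fixed address: main binary not randomized */
#define ET_DYN_    3  /* position independent: PIE or shared library */
#define PT_INTERP_ 3  /* segment naming the run-time linker */

/* Little-endian field access, independent of host byte order. */
static uint64_t rd_le(const unsigned char *p, int n)
{
    uint64_t v = 0;
    while (n-- > 0)
        v = (v << 8) | p[n];
    return v;
}

static void wr_le(unsigned char *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Classify an image from its ELF header and program header table. */
enum elf_kind classify_elf(const unsigned char *buf, size_t len)
{
    if (len < 64 || memcmp(buf, "\177ELF", 4) != 0)
        return ELF_INVALID;
    if (buf[4] != 2 || buf[5] != 1)          /* ELFCLASS64, ELFDATA2LSB only */
        return ELF_OTHER;
    uint64_t e_type = rd_le(buf + 16, 2);
    if (e_type == ET_EXEC_)
        return ELF_FIXED_EXEC;
    if (e_type != ET_DYN_)
        return ELF_OTHER;                    /* relocatable object, core, ... */
    uint64_t phoff = rd_le(buf + 32, 8);
    uint64_t phentsize = rd_le(buf + 54, 2);
    uint64_t phnum = rd_le(buf + 56, 2);
    /* Reject tables that point outside the bytes we were given. */
    if (phentsize < 56 || phoff > len || phnum * phentsize > len - phoff)
        return ELF_INVALID;
    for (uint64_t i = 0; i < phnum; i++)
        if (rd_le(buf + phoff + i * phentsize, 4) == PT_INTERP_)
            return ELF_PIE;                  /* heuristic: has an interpreter */
    return ELF_SHARED_OBJECT;
}

/* Constructed 120-byte image: ELF64 header plus one program header. */
size_t make_sample(unsigned char *buf, uint16_t e_type, uint32_t p_type)
{
    memset(buf, 0, 120);
    memcpy(buf, "\177ELF", 4);
    buf[4] = 2;                              /* 64-bit */
    buf[5] = 1;                              /* little-endian */
    buf[6] = 1;                              /* ELF version 1 */
    wr_le(buf + 16, e_type, 2);
    wr_le(buf + 32, 64, 8);                  /* e_phoff: right after header */
    wr_le(buf + 54, 56, 2);                  /* e_phentsize */
    wr_le(buf + 56, 1, 2);                   /* e_phnum */
    wr_le(buf + 64, p_type, 4);              /* p_type of the only segment */
    return 120;
}

static const char *kind_name(enum elf_kind k)
{
    switch (k) {
    case ELF_FIXED_EXEC:    return "fixed-address executable (not PIE)";
    case ELF_PIE:           return "position-independent executable";
    case ELF_SHARED_OBJECT: return "shared object without interpreter";
    case ELF_OTHER:         return "other ELF type or class";
    default:                return "not a valid ELF image";
    }
}

int main(int argc, char **argv)
{
    /* Headers normally sit at the start of the file; 64 KiB is ample. */
    static unsigned char buf[65536];
    if (argc < 2) {
        fprintf(stderr, "usage: %s file...\n", argv[0]);
        return 1;
    }
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (f == NULL) {
            perror(argv[i]);
            continue;
        }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        printf("%s: %s\n", argv[i], kind_name(classify_elf(buf, n)));
    }
    return 0;
}
```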
__________________________________________________________________

Modern x86 platform support and VT-d

Contact: Konstantin Belousov <kib@FreeBSD.org>

Modern x86 platforms include a number of architectural enhancements.
Work is ongoing to support these features in FreeBSD.

Starting with SandyBridge CPUs, Intel introduced an enhanced local
interrupt controller (APIC) mode, called x2APIC. Instead of using a
mapped page, registers are now accessed using special Model-Specific
Registers (MSR) read and write instructions. This is intended to
support virtualization. The access overhead is also reduced by not
requiring serialization, and by simplification of Inter-Processor
Interrupt (IPI) generation. The main commit introducing the feature was
r278473, with fixes following on.

End Of Interrupt (EOI) suppression is a mode of EOI delivery to
Input/Output Interrupt Controllers (IO-APICs) where the EOI message for
a level-triggered interrupt is not broadcast by an EOI write to the
local APIC, but instead an explicit EOI command is sent to the source
IO-APIC. The optimization reduces the number of APIC messages that must
be broadcast; it should be used on all modern Intel systems. Support
for EOI suppression was committed in r279319.

VT-d Interrupt Remapping (IR) is provided by hardware with the VT-d
feature. It translates interrupt messages on the way from the root
complex to the north bridge and allows control of interrupt delivery
without reprogramming MSI/MSI-X registers or IO-APICs. The original
intent was to allow hypervisors to safely delegate interrupt
programming for devices owned by guests to the guest OS. IR is also
needed to avoid some limitations in IO-APICs and to make interrupt
rebalancing atomic and transparent. Support has been committed as
r280260.

Both x2APIC mode and IR are required to send IPIs and device interrupts
to processors with LAPIC ID greater than 254. It is believed that the
only missing platform code to handle big machines is parsing the
"Processor Local x2APIC Structure" and "Local x2APIC NMI Structure"
from the ACPI Multiple APIC Description Table (MADT), which report
LAPIC IDs > 255, and handling boot on such systems with the x2APIC mode
enabled by firmware. The work to complete that is expected to be
relatively trivial, and can be done with access to a real
high-core-count machine. But an audit of the common machine-independent
code must be finished to ensure that large CPU IDs are handled
correctly, before such support can safely be enabled.

Additional work remains in progress: splitting domains and contexts for
the DMA Remapper Unit (DMAR) driver. Right now, the DMAR driver is only
used to implement busdma(9), which is done by assigning a dedicated
domain to each translation context. Some devices could issue PCIe
Transaction Layer Packets (TLPs) with several originator IDs, e.g.,
PCIe/PCI bridges, or phantom functions of PCIe devices, or such TLPs
could occur just due to hardware bugs. To handle them, a single domain
(which shares the translation page tables) must handle several contexts.

Splitting domains and contexts is also required for the DMAR driver to
start handling PCI pass-through in bhyve, instead of the less complete
implementation which is currently provided by bhyve itself. All PCIe
devices passed to the guest must share a domain. The splitting patch is
written and is being tested, and external interfaces to manage domains
are being formed.

Stability work for the VT-d code is ongoing. In particular, nvme(4) and
ixgbe(4)'s use of busdma interfaces was debugged and improved, and
tested on a very large-memory machine.

This project is sponsored by The FreeBSD Foundation.
__________________________________________________________________

Nanosecond file timestamps

Contact: Jilles Tjoelker <jilles@FreeBSD.org>
Contact: Sergey Kandaurov <pluknet@FreeBSD.org>

Two new system calls, futimens() and utimensat(), were added, making it
possible to set file timestamps with nanosecond accuracy. Various
utilities like cp, mv and touch were updated to use the new calls to
preserve and set timestamps with full precision.

The stat() and related system calls have returned file timestamps with
nanosecond accuracy for a long time, but there was no way to set a
timestamp more accurately than microseconds.

With these changes, it will be possible to use more accurate timestamps
(sysctl vfs.timestamp_precision=3) without anomalies such as a copy of
a file (from cp -p) appearing older than the original. This is
particularly useful for NFS servers, which use file timestamps for
cache invalidation.

Open tasks:

1. Where possible, fix code that still sets inaccurate timestamps on
files, typically by calling futimes(), futimesat(), lutimes(),
utime() or utimes() with a non-null times pointer. There may be a
reason for this such as a limited network protocol or file format,
but there is some code left that can be fixed.
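
The anomaly described above and the fix named in the open task, as an
added example (not code from the FreeBSD tree). The helper names, the
/tmp paths and the timestamp value are constructed for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes futimes() on glibc; harmless elsewhere */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* <0 if a is older than b, 0 if equal, >0 if a is newer. */
static int
ts_cmp(const struct timespec *a, const struct timespec *b)
{
    if (a->tv_sec != b->tv_sec)
        return (a->tv_sec < b->tv_sec ? -1 : 1);
    if (a->tv_nsec != b->tv_nsec)
        return (a->tv_nsec < b->tv_nsec ? -1 : 1);
    return (0);
}

/* Nanoseconds discarded when a timespec is squeezed into a timeval. */
long
legacy_loss_ns(const struct timespec *ts)
{
    return (ts->tv_nsec % 1000);
}

/* Old path: futimes() takes struct timeval, so precision stops at 1 us. */
static int
copy_times_legacy(int dst, const struct stat *src)
{
    struct timeval tv[2];

    tv[0].tv_sec = src->st_atim.tv_sec;
    tv[0].tv_usec = src->st_atim.tv_nsec / 1000;
    tv[1].tv_sec = src->st_mtim.tv_sec;
    tv[1].tv_usec = src->st_mtim.tv_nsec / 1000;
    return (futimes(dst, tv));
}

/* New path: futimens() takes struct timespec and keeps every digit. */
static int
copy_times_ns(int dst, const struct stat *src)
{
    struct timespec ts[2];

    ts[0] = src->st_atim;
    ts[1] = src->st_mtim;
    return (futimens(dst, ts));
}

/*
 * Stamp a source file with a constructed time, copy its timestamps to a
 * second file, and compare the modification times as the file system
 * reports them.  Returns ts_cmp(copy, original), or -2 on error.
 */
int
compare_after_copy(int use_ns)
{
    char spath[] = "/tmp/ts_src.XXXXXX";
    char dpath[] = "/tmp/ts_dst.XXXXXX";
    struct timespec stamp[2] = {
        { .tv_sec = 1430352000, .tv_nsec = 123456789 },  /* atime */
        { .tv_sec = 1430352000, .tv_nsec = 987654321 },  /* mtime */
    };
    struct stat ss, ds;
    int sfd, dfd, rc = -2;

    sfd = mkstemp(spath);
    dfd = mkstemp(dpath);
    if (sfd < 0 || dfd < 0)
        goto out;
    if (futimens(sfd, stamp) != 0 || fstat(sfd, &ss) != 0)
        goto out;
    if ((use_ns ? copy_times_ns(dfd, &ss) : copy_times_legacy(dfd, &ss)) != 0)
        goto out;
    if (fstat(dfd, &ds) == 0)
        rc = ts_cmp(&ds.st_mtim, &ss.st_mtim);
out:
    if (sfd >= 0) { close(sfd); unlink(spath); }
    if (dfd >= 0) { close(dfd); unlink(dpath); }
    return (rc);
}

int
main(void)
{
    struct timespec mtime = { .tv_sec = 1430352000, .tv_nsec = 987654321 };

    printf("nanoseconds lost via timeval: %ld\n", legacy_loss_ns(&mtime));
    printf("futimes()  copy vs original:  %d\n", compare_after_copy(0));
    printf("futimens() copy vs original:  %d\n", compare_after_copy(1));
    return (0);
}
```

On a file system that stores nanoseconds, the futimes() copy compares
as older than the original, while the futimens() copy compares equal.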
__________________________________________________________________

FreeBSD on newer ARM boards

URL: https://wiki.freebsd.org/FreeBSD/arm/Odroid-C1
URL: https://svnweb.freebsd.org/changeset/base/280905

Contact: John Wehle <john@feith.com>
Contact: Ganbold Tsagaankhuu <ganbold@FreeBSD.org>

We made the changes necessary to support various Amlogic SoC devices,
specifically aml8726-m6 and aml8726-m8b SoC-based devices. The
aml8726-m6 SoC is used in devices such as the Visson ATV-102, and the
Hardkernel ODROID-C1 board uses the aml8726-m8b SoC. The following
support is included:
* Basic machdep code
* SMP
* Interrupt controller
* Clock control driver (aka gate)
* Pinctrl
* Timer
* Real time clock
* UART
* GPIO
* I2C
* SD controller
* SDXC controller
* USB
* Watchdog
* Random number generator
* PLL/Clock frequency measurement
* Frame buffer

Open tasks:

1. Get the DWC driver working.
__________________________________________________________________

FreeBSD/arm64

URL: https://wiki.freebsd.org/arm64
URL: https://github.com/FreeBSDFoundation/freebsd/tree/arm64-dev

Contact: Andrew Turner <andrew@FreeBSD.org>
Contact: Ed Maste <emaste@FreeBSD.org>
Contact: Zbigniew Bodek <zbb@semihalf.com>

The collaborative development on the FreeBSD arm64 port made
significant progress over the last quarter. The FreeBSD Foundation is
collaborating with ARM, Cavium, the Semihalf team, and Andrew Turner to
port FreeBSD to the arm64 architecture, also known as ARMv8 and
AArch64.

After significant review and refinement, the initial set of changes is
being delivered into FreeBSD-HEAD. This initial support targets the
QEMU and ARM Foundation Model emulators, and boots to a usable
multiuser environment.

Cavium's ThunderX platform is the initial hardware reference target for
the FreeBSD arm64 port. The platform currently boots to multiuser, with
a root file system mounted over NFS via a PCIe 10 Gbps Ethernet NIC.
Reference hardware is installed in the FreeBSD test lab hosted by
Sentex Communications and in Semihalf's offices.

This project is sponsored by The FreeBSD Foundation, ARM, and Cavium.

Open tasks:

1. Merge kernel changes to HEAD.
2. Finish remaining userland and kernel support.
3. Produce installable images.
__________________________________________________________________

Nested Kernel

URL: http://nestedkernel.org
URL: http://web.engr.illinois.edu/~dautenh1//downloads/publications/asplos200-dautenhahn.pdf
URL: http://prezi.com/in6qr3l92ffc/?utm_campaign=share&utm_medium=copy
URL: https://github.com/HardenedBSD/hardenedBSD/tree/hardened/9/kernsep

Contact: Nathan Dautenhahn <dautenh1@illinois.edu>
Contact: Theodoros Kasampalis <kasampa2@illinois.edu>
Contact: Will Dietz <wdietz2@illinois.edu>

This work on a nested kernel architecture is part of Nathan's doctoral
thesis work at the University of Illinois at Urbana-Champaign. It
attempts to improve upon the traditional monolithic operating system
kernel, where a single exploit anywhere in the kernel grants the
attacker full superuser privileges. The nested kernel operating system
architecture addresses this problem by "nesting" a small, isolated
kernel within a traditional monolithic kernel. This "nested kernel"
interposes on all updates to virtual memory translations to assert
protections on physical memory, thus significantly reducing the trusted
computing base for memory access control enforcement.

We incorporated the nested kernel architecture into FreeBSD on x86-64
hardware by write-protecting Memory-Management Unit (MMU) translations
and de-privileging the untrusted part of the kernel, thereby enabling
the entire operating system, trusted and untrusted components alike, to
operate at the highest hardware privilege level. Our implementation
inherently enforces kernel code integrity while still allowing
dynamically loaded kernel modules, thus defending against code
injection attacks. We also demonstrate, by introducing write-mediation
and write-logging services, that the nested kernel architecture allows
kernel developers to isolate memory in ways not possible in monolithic
kernels, though gaining security benefits from this will require adding
policies that have not yet been designed.

The performance of the nested kernel prototype shows modest overheads:
less than 1% average for Apache, 3.7% average for sshd, and 2.7%
average for kernel compilation. Overall, our results and experience
show that the nested kernel design can be retrofitted onto existing
monolithic kernels, providing defense in depth.

The basic idea is that the nested kernel initializes the system so that
all page tables are mapped as read-only. Then all MMU-modifying
operations are removed from the untrusted portion of the kernel;
runtime code integrity is enforced by write-protecting all code pages,
marking all non-code pages as non-executable (NX-bit), and preventing
execution of privileged MMU operations located in userspace mappings
(Supervisor Mode Execution Prevention, SMEP). Because the nested kernel
has control of the page tables it can enforce these integrity
properties, leading to virtualization of the MMU.
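
The invariants in the paragraph above, written as a small user-space
model (an added example, not code from the nested kernel prototype or
the paper). The names nk_update_pte and nk_declare, the result codes and
the toy sizes are assumptions; only the policy is modelled, not the
hardware mechanism that forces every update through the gate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 PTE bits the policy looks at. */
#define PTE_P   (1ULL << 0)     /* present */
#define PTE_W   (1ULL << 1)     /* writable */
#define PTE_NX  (1ULL << 63)    /* no-execute */
#define MK_PTE(frame, flags)  (((uint64_t)(frame) << 12) | (flags))
#define PTE_FRAME(pte)        (((pte) >> 12) & 0xFFFFFFFFFFULL)

#define NFRAMES 8               /* toy physical memory (hypothetical) */
#define NPTES   16              /* one toy page table (hypothetical) */

enum frame_type { FRAME_DATA, FRAME_CODE, FRAME_PGTABLE };
enum nk_result {
    NK_OK, NK_DENY_RANGE, NK_DENY_PT_WRITABLE,
    NK_DENY_CODE_WRITABLE, NK_DENY_EXEC, NK_DENY_ALIAS
};

struct nk {
    enum frame_type type[NFRAMES];  /* what each physical frame holds */
    uint64_t pte[NPTES];            /* translations, owned by the gate */
    unsigned denied;                /* count of rejected requests */
};

void
nk_init(struct nk *nk)
{
    for (size_t i = 0; i < NFRAMES; i++)
        nk->type[i] = FRAME_DATA;
    for (size_t i = 0; i < NPTES; i++)
        nk->pte[i] = 0;
    nk->denied = 0;
}

/* Policy for one present mapping of a frame of type t. */
static enum nk_result
nk_check(enum frame_type t, uint64_t pte)
{
    if (t == FRAME_PGTABLE && (pte & PTE_W))
        return (NK_DENY_PT_WRITABLE);   /* page tables stay read-only */
    if (t == FRAME_CODE && (pte & PTE_W))
        return (NK_DENY_CODE_WRITABLE); /* code pages are write-protected */
    if (t != FRAME_CODE && !(pte & PTE_NX))
        return (NK_DENY_EXEC);          /* non-code pages must be NX */
    return (NK_OK);
}

/* The only way the untrusted kernel can change a translation. */
enum nk_result
nk_update_pte(struct nk *nk, size_t slot, uint64_t pte)
{
    enum nk_result r = NK_OK;

    if (slot >= NPTES || ((pte & PTE_P) && PTE_FRAME(pte) >= NFRAMES))
        r = NK_DENY_RANGE;
    else if (pte & PTE_P)
        r = nk_check(nk->type[PTE_FRAME(pte)], pte);
    if (r == NK_OK)
        nk->pte[slot] = pte;
    else
        nk->denied++;
    return (r);
}

/*
 * Change what a frame is used for.  Every existing mapping of the frame
 * must already satisfy the policy for the new type, otherwise a stale
 * writable alias would bypass the protection.
 */
enum nk_result
nk_declare(struct nk *nk, uint64_t frame, enum frame_type t)
{
    if (frame >= NFRAMES) {
        nk->denied++;
        return (NK_DENY_RANGE);
    }
    for (size_t i = 0; i < NPTES; i++) {
        uint64_t pte = nk->pte[i];

        if ((pte & PTE_P) && PTE_FRAME(pte) == frame &&
            nk_check(t, pte) != NK_OK) {
            nk->denied++;
            return (NK_DENY_ALIAS);
        }
    }
    nk->type[frame] = t;
    return (NK_OK);
}

int
main(void)
{
    struct nk nk;

    nk_init(&nk);
    nk_declare(&nk, 1, FRAME_PGTABLE);
    printf("writable map of page-table frame:  %d\n",
        nk_update_pte(&nk, 0, MK_PTE(1, PTE_P | PTE_W | PTE_NX)));
    printf("read-only map of page-table frame: %d\n",
        nk_update_pte(&nk, 0, MK_PTE(1, PTE_P | PTE_NX)));
    printf("denied updates: %u\n", nk.denied);
    return (0);
}
```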

The links include a recent conference publication that details the
design, implementation, and evaluation of our prototype nested kernel
architecture on top of FreeBSD 9.0. There is also a link to a
presentation on the nested kernel, and a website with information about
the project and instructions on how to get the source and build it.

We are very interested in feedback on the design of the nested kernel,
and having discussions about how it might get upstreamed.

We are also hoping to gain additional contributors and interest in the
project! The nested kernel has the potential to enhance commodity
operating system design, and FreeBSD is a major operating system in use
today which has high impact. The current implementation is merely a
research prototype and requires significant effort to make
production-ready (see the list of tasks).

Finally, we have developed an interface to write-protect data
structures in the kernel and are soliciting ideas for uses of this
service. Section 2.4 in the paper details the interface, and section 4
presents some simple uses of the nested kernel services. We are
interested in ways that the nested kernel could be used to protect
critical kernel data structures from malware or even just buggy code.

This project is sponsored by University of Illinois at
Urbana-Champaign, and ONR via grant number N00014-12-1-0552.

Open tasks:

1. Finish implementing core mechanisms: verify DMAP is properly
protected and that we are not using superpages (I think we have
this completed but need to fully verify), full NX support for all
non-kernel code pages (we might need to specially consider the
stack if it is used to execute code), protect IDT and SMM, and add
IOMMU protections. We also need to do some optimizations where we
batch calls into the nested kernel on process creation (fork) and
mmap operations. The motivation for these implementation directives
can be reviewed in the paper.
2. Implement SMP functionality and evaluate performance.
3. Port and refactor for FreeBSD-HEAD. The current implementation is a
research prototype and requires some refactoring to make it clean
and consistent, as well as make it relevant to modern versions of
FreeBSD.
4. The nested kernel isolation depends upon certain hardware
instructions being completely removed from a subset of the kernel.
Therefore, we need to utilize automated linker/loader techniques to
identify and remove privileged MMU operations from untrusted kernel
components to make it maintainable in practice.
5. Detailed review on the design and implementation with particular
focus on a plan for upstreaming.
__________________________________________________________________

libthr improvements

Contact: Konstantin Belousov <kib@FreeBSD.org>

Historically, dynamic loading of the libthr.so thread library into a
single-threaded process did not work in FreeBSD. The longstanding
recommendation to work around the problem has been to always link the
main binary with -lpthread if there was any chance of a need for
threading functionality. This project converted libthr.so into a plugin
for libc, which fixed the known issues preventing dynamic loading of
libthr.so.

After the fix, linking the main binary with -lpthread is no longer
required, but is not harmful. I recommend thoroughly testing before
removing libpthread from the library list in favor of dynamic loading,
though. Note that potential problems will be subtle and their
user-visible manifestations in the affected program even more
surprising.

The following issues were present in the old version of libthr with
respect to dynamic loading, but are fixed as a result of this work:
* Invalid errno value seen after failed syscalls.
* Broken libthr internal locks and critical sections ignored by
signals.
* Hung attempts to lock mutexes.
* Thread cancellation not occurring at guaranteed cancellation
points.

The main change was committed as r276630 to HEAD, with many follow-ups.
It was merged to stable/10 in r277317.

This project is sponsored by The FreeBSD Foundation.
__________________________________________________________________

Migration to ELF Tool Chain tools

URL: http://elftoolchain.sourceforge.net

Contact: Ed Maste <emaste@FreeBSD.org>

The ELF Tool Chain project provides BSD-licensed implementations of
compilation tools and libraries for building and analyzing ELF objects.
The project began as part of FreeBSD but later became an independent
project to encourage wider participation from others in the open-source
developer community.

ELF Tool Chain provides a set of tools equivalent to the GNU Binutils
suite. This project's goal is to import these tools into the FreeBSD
base system so that we have a set of up-to-date and maintained tools
that also provide support for new CPU architectures of interest, such
as arm64.

In addition to the libelf and libdwarf libraries, the following tools
are now provided by the ELF Tool Chain project:
* addr2line
* nm
* readelf
* size
* strings
* strip (elfcopy)

ELF Tool Chain's elfcopy provides equivalent functionality to Binutils'
objcopy, and accepts the same command-line arguments. For it to be a
viable replacement for all uses of objcopy in the base system, it must
gain support for writing portable executable (PE) format binaries,
which are used by UEFI boot code.

The ELF Tool Chain project does not currently provide replacements for
as, ld, or objdump. For FreeBSD, these tools will likely be obtained
from the LLVM project.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Add missing functionality to elfcopy and migrate the base system
build.
2. Fix issues found by fuzzing inputs to the tools.
3. Add automatic support for separate debug files.
__________________________________________________________________

The LLDB Debugger

URL: https://wiki.freebsd.org/lldb

Contact: Ed Maste <emaste@FreeBSD.org>

LLDB is the debugger project associated with Clang/LLVM. It supports
the Mac OS X, Linux, FreeBSD and Windows platforms. It builds on
existing components in the larger LLVM project, for example using
Clang's expression parser and LLVM's disassembler.

The LLDB in the base system was upgraded to version 3.6.0 as part of
the Clang and LLVM upgrade. In the upstream repository, Justin Hibbits
added support for live and core file debugging on PowerPC, and Ed Maste
added core file support for FreeBSD/arm64.

This project is sponsored by DARPA/AFRL, SRI International, and
University of Cambridge.

Open tasks:

1. Rework the LLDB build to use LLVM and Clang shared libraries.
2. Port remote debug stub to FreeBSD.
3. Add support for local and core file kernel debugging.
4. Improve support on non-amd64 architectures.
5. Enable by default in the base system.
__________________________________________________________________

Updates to GDB

URL: https://github.com/bsdjhb/gdb/tree/freebsd-7.9.0-kgdb

Contact: John Baldwin <jhb@FreeBSD.org>

Several improvements to GDB have been merged upstream to GDB's master
branch over the past few months, including fixes for unwinding across
signal trampoline frames on x86, removing the procfs dependency from
the gcore command, and support for XSAVE extensions (such as AVX
registers) on x86. These fixes are already available in the existing
devel/gdb port as patches relative to 7.8.

In addition, progress has been made on porting kgdb to a newer gdb.
Currently, only support for the amd64 backend has been ported, but it
is functional both for remote debugging and against crash dumps. The
current port generally has feature parity with the kgdb in the base
system. The plan for kgdb is to fix it to always include all platform
targets (so that it always supports cross debugging for remote targets
out of the box). At some point it may also include cross debugging
support for crash dumps as well (this would require changes to libkvm).

Open tasks:

1. Tidy the amd64 port of kgdb and finish the i386 port. This includes
fixing these platform-specific targets to work with cross-debugging
for remote targets.
2. Add a KGDB option to the devel/gdb port to include kgdb support.
3. Port the rest of the platform-specific targets for kgdb.
4. Write a new 1:1-only thread target for FreeBSD that can be sent
upstream.
5. Add support for debugging powerpc vector registers.
__________________________________________________________________

FreeBSD Ada Ports

URL: http://home.gna.org/ghdl/
URL: http://sourceforge.net/projects/ghdl-updates/

Contact: John Marino <marino@FreeBSD.org>

There are 51 Ada-related ports currently, but two of them are being
retired: the GCC 4.7-based lang/gcc47-aux and the BSD->android
cross-compiler for ARMv5 (lang/gnatdroid-armv5). The former has no
advantage over the newer GCC 4.9-based lang/gcc-aux, and the latter has
not built for over a year. Android enthusiasts can still use the
ARMv7 cross-compiler (lang/gnatdroid-armv7).

A new port is lang/gcc5-aux, which includes GNAT from the upcoming
release of gcc5. This compiler already builds all Ada ports except
gtkada3 (which blocks devel/gps, the GNAT Programming Studio), and
gtkada3 should be fixed soon. When GCC5 is released, the Ada framework
will switch to using gcc5-aux as the default compiler. For those that
cannot wait, it is possible to use it now by putting ADA_DEFAULT=5 in
/etc/make.conf, but this requires rebuilding all Ada ports from source.

Open tasks:

1. It is a near-term objective to bring the Ada-based GHDL (VHDL
simulator) to ports. The upcoming 0.32 release will be based on GCC
4.9 and the port will be based on this release.
__________________________________________________________________

FreeBSD Python Ports

URL: https://wiki.FreeBSD.org/Python
URL: irc://freebsd-python@irc.freenode.net

Contact: FreeBSD Python Team <python@FreeBSD.org>

The FreeBSD Python team continued to improve the overall experience
with Python-based software on FreeBSD. A lot of previously deprecated
code and option knobs were removed to improve the maintainability of
the Python Ports infrastructure.

The CPython interpreters were updated to version 2.7.9 and 3.4.3 and
Twisted was updated to version 15.0.0.

Open tasks:

1. Retire the Python 3-specific port duplicates.
2. More tasks can be found on the team's wiki page (see the links).
3. To get involved, interested people can say hello on IRC in
#freebsd-python on freenode and let us know their areas of
interest!
__________________________________________________________________

GNOME on FreeBSD

URL: http://www.freebsd.org/gnome
URL: https://github.com/freebsd/freebsd-ports-gnome
URL: https://wiki.gnome.org/Projects/Jhbuild/FreeBSD

Contact: FreeBSD GNOME Team <freebsd-gnome@freebsd.org>

The FreeBSD GNOME Team maintains the GNOME, MATE, and CINNAMON desktop
environments and graphical user interfaces for FreeBSD. GNOME 3 is part
of the GNU Project. MATE is a fork of the GNOME 2 desktop. CINNAMON is
a desktop environment using GNOME 3 technologies but with a GNOME 2
look and feel.

At the end of this quarter we updated GNOME and CINNAMON to the latest
versions on their branches, 3.14 and 2.4, respectively.

GNOME 3.16 was released February 25th; we ported it to FreeBSD. There
are still some showstopper problems that appeared. During testing of
the current versions of the 3.16 ports a bug in pkg was uncovered in
the multiple repository support, and swiftly fixed in pkg 1.4.99.15.

For the GNOME 3.18 cycle we are going to work closely with the x11 team
on porting libinput and testing Wayland. When that is done we need to
see if we want to enable Wayland for our stable releases and we
probably need XWayland from xorg-server 1.16+ to support X
applications. The estimate is that Wayland arriving in ports will have
to wait until 8.4-Release is EOL.

Open tasks:

1. The GNOME website is stale. Work is underway, although slowly, on
the development section. We could use some help here.
2. MATE 1.10 porting is under way; the latest 1.9 releases are
available in the mate-1.10 branch.
__________________________________________________________________

KDE on FreeBSD

URL: https://freebsd.kde.org/
URL: https://freebsd.kde.org/area51.php
URL: https://wiki.freebsd.org/KDE
URL: https://mail.kde.org/mailman/listinfo/kde-freebsd
URL: https://github.com/tcberner/kde5

Contact: KDE on FreeBSD team <kde@FreeBSD.org>

The KDE on FreeBSD team focuses on packaging and making sure that the
experience of KDE and Qt on FreeBSD is as good as possible.

First of all, we would like to welcome Tobias Berner to the ranks of
the area51 (the KDE ports staging area) committers. He has been
regularly mentioned in our recent status reports, and has finally
received committer privileges to our experimental repository. Becoming
an area51 committer is usually the first step towards becoming a kde@
ports committer. We hope that Tobias can fix and update our ports more
easily, and start committing his KDE Frameworks 5 ports to area51.

Additionally, this quarter Qt 5.4.1 was committed to the ports tree.
This marks the first time ever since Qt 5 was released that we have the
latest upstream stable release in our ports tree! This was made
possible by all the work we had to put into cleaning up the Qt 5 ports
infrastructure for the 5.3 update, mentioned in our previous status
report.

Last but not least, Alonso Schaich finally landed an update to our KDE4
ports that had been in our experimental repository for a while,
bringing them to the latest 4.14 release, 4.14.3.

Overall, we have updated the following ports in this quarter:
* Calligra 2.9.1 (committed to area51)
* CMake 3.1.0, 3.1.1, 3.1.3 (committed to ports)
* DigiKam 4.2.0 (committed to ports), 4.8.0 (committed to area51)
* PyQt 4.11.3 + QScintilla 2.8.4 + sip 4.16.5 (committed to ports),
sip 4.16.7 (committed to area51)
* Qt 5.4.1 (committed to ports)

Open tasks:

1. Put more effort into Qt5-related ports: KDE Frameworks 5 (currently
worked on by Tobias Berner) and PyQt 5.
__________________________________________________________________

The Graphics stack on FreeBSD

URL: https://wiki.freebsd.org/Graphics
URL: http://blogs.freebsdish.org/graphics/
URL: https://github.com/freebsd/freebsd-ports-graphics

Contact: FreeBSD Graphics team <freebsd-x11@FreeBSD.org>

In the official Ports tree, the Mesa ports (libglapi, libGL, libEGL,
libglesv2, gbm, and dri) are kept close to the latest Mesa 10.4.x
release.

In the development tree (see the GitHub link), Mesa was updated to
10.5, along with several improvements and cleanups to the ports
themselves. Now all ports share the same configure flags and build
dependencies. As Mesa is built from scratch for each port, this ensures
that all libraries and drivers are consistent with each other. This
fixes at least two problems:
* A long standing bug: the drm EGL platform is now functional,
meaning we will be able to enable Glamor (the 2D acceleration
engine based on OpenGL) in the X.Org server. This is required to
provide 2D acceleration for Radeon HD 7000 and later GPUs, for
instance.
* Clover, the Mesa OpenCL implementation, now works; see the next
paragraph.

The downside of this unification is that all ports will depend on LLVM.
This work is happening in the mesa-10.5 branch.

Progress has been made on OpenCL, thanks to help from Johannes
Dieterich. Clover (Mesa's implementation) and Beignet (Intel's
implementation) were added as ports to the development tree. They were
tested successfully on Radeon and Intel GPUs, but see the wiki for an
up-to-date status. Initially developed in the opencl branch, everything
has now been merged into the mesa-10.5 branch. This cannot go into the
official Ports tree yet because it requires the unification explained
above.

A new port, drm-kmod, was added to the official Ports tree. It provides
updated drm2, i915kms and radeonkms kernel modules for FreeBSD
9.3-RELEASE and 9.3-STABLE. The only difference from the vanilla
modules is the addition of hardware context support to the i915 driver.
The xf86-video-radeon and xf86-video-intel drivers were patched to use
the drm-kmod port on these versions of FreeBSD. This will allow us to
remove the duality of the Mesa ports (libGL/libEGL/dri) and only
support one version (as is already the case in the mesa-10.5 branch
where Mesa 9.1.7 is gone). There is no ETA yet for when this last part
will happen.

In the development Ports tree, the xserver-next branch was updated from
xorg-server 1.16 to be tracking 1.17. Again, this depends on the
previous step: the removal of Mesa 9.1.7.

Work is finishing up on an update of miscellaneous X.Org components.
Apart from updates to several X.Org ports, this update also removes the
use of .la files from the X.Org libraries that still have them. Also,
the xf86-video-intel driver will receive patches to allow it to compile
against a newer xorg-server than 1.14. Most of the X.Org component
updates were submitted by Matthew Rezny.

The location where fonts get installed was overhauled and the way to
handle fonts from the plist has been simplified. Now all fonts are
installed in /usr/local/share/fonts as required by the XDG rules.
Furthermore, making a port for fonts should be easier: more aspects,
such as calling fc-cache(1), are handled by the Ports framework.
Therefore, the font ports' consistency was greatly improved.

In the kernel, the DRM device-independent code was updated to match
Linux 3.8. A merge to 10-STABLE is pending. The i915kms kernel driver
received an update, too, which is already merged to 10-STABLE.

Having both updates in place enables work on a second update of the
i915 driver: this time it will be synchronized with Linux 3.8, like the
rest of the DRM subsystem, and include Haswell support. This work was
started recently. Our hope is that it will be ready in time for FreeBSD
10.2-RELEASE.

During Q2, we are going to work with the GNOME team on porting libinput
and testing Wayland. Currently we know that GTK+3 and GNOME 3 have full
support for Wayland. We also need to test Xwayland from xorg-server
1.16+ to support X applications on Wayland desktops. If you know of
more software that uses Wayland, we would like to hear about it. At
this point there are no plans to port the Weston reference
implementation of a Wayland compositor.

Open tasks:

1. See the "Graphics" wiki page for up-to-date information.
__________________________________________________________________

Wine/FreeBSD

URL: http://wiki.FreeBSD.org/Wine
URL: http://wiki.FreeBSD.org/i386-Wine
URL: http://www.winehq.org

Contact: Gerald Pfeifer <gerald@FreeBSD.org>
Contact: David Naylor <dbn@FreeBSD.org>

This quarter has seen five updates to the wine-devel port that closely
tracks upstream development, as well as updates to helper ports
(wine-gecko-devel and wine-mono-devel):
* Stable releases: 1.6.2 (1 port revision)
* Development releases: 1.7.34 through 1.7.39

A major development has been the introduction of Wine64 (i.e., the
ability to run 64-bit Windows applications). This is currently
available through the wine-devel port. At this stage it is mutually
exclusive with the i386-wine-devel port; however, we have plans to
integrate these ports to offer a full Wine experience on
amd64. The i386-wine-devel port has packages built for amd64 for
FreeBSD 8.4, 9.1+, 10.1+ and CURRENT.

Accomplishments include:
* Upstreaming 8 patches to fix Wine on FreeBSD -- many thanks to
Gerald and David.
* Optional support for V4L has been added to the stable
emulators/wine port.
* Optionally building wine with the X composite extension (if one
selects the X11 option).
* Support for alternative toolchains that require LD to be honoured.
* Fixing and tidying up the pkg-plist.
* Wine64 support
* Updating the patch-nvidia.sh script to support arbitrary suffixes.
* Removing support for the old pkg_ tools from patch-nvidia.sh.
* Developing a patch to fix usage of getdirentries(2). This fixes
Steam, EVE Online and other applications.

We would like to thank all volunteers who contributed feedback and
patches.

Future development on Wine will focus on:
* Rename wine-compholio to wine-staging (to match upstream
development).
* Add the getdirentries(2) patch to the wine-devel port.
* Redevelop and upstream the getdirentries(2) patch.
* Redevelop and upstream the kernel32 Makefile patch.
* Add support to the i386-wine port for pkg 1.5 (conflicts with
libraries currently prevent such support).
* Add support for WoW64:
+ Reduce the i386-wine port to just the components required for
WoW64.
+ Rename the i386-wine port to wow64.
+ Make the wine ports depend on the wow64 ports when built on
amd64.
+ Investigate and verify the interactions between Wine64 and
WoW64.
+ Investigate possible update approaches for the wow64 ports
(that have to be pre-compiled) and how updating with the wine
ports will work.

Maintaining and improving Wine is a major undertaking that directly
impacts end-users on FreeBSD (including many gamers). If you are
interested in helping, please contact us. We will happily accept
patches, suggest areas of focus or have a chat.

Open tasks:

1. FreeBSD/amd64 integration (see the i386-Wine wiki).
2. Porting WoW64.
__________________________________________________________________

Xfce on FreeBSD

URL: https://wiki.freebsd.org/Xfce

Contact: FreeBSD Xfce Team <xfce@FreeBSD.org>

Xfce is a free software desktop environment for Unix and Unix-like
platforms, such as FreeBSD. It aims to be fast and lightweight, while
still being visually appealing and easy to use.

This quarter was an exciting time for the Xfce Team. We imported
version 4.12 of the Xfce desktop environment into the ports tree, after
more than two years of development.

Overall, we have updated the following ports:
* Xfce core (4.12)
* audio/xfce4-mpc-plugin (0.4.5)
* deskutils/xfce4-tumbler (0.1.31)
* deskutils/xfce4-xkb-plugin (0.7.1)
* editors/mousepad (0.4.0)
* graphics/ristretto (0.8.0)
* multimedia/xfce4-parole (0.8.0)
* sysutils/garcon (0.4.0)
* sysutils/xfce4-diskperf-plugin (2.5.5)
* sysutils/xfce4-fsguard-plugin (1.0.2)
* sysutils/xfce4-power-manager (1.4.4)
* sysutils/xfce4-wavelan-plugin (0.5.12)
* textproc/xfce4-dict-plugin (0.7.1)
* www/xfce4-smartbookmark-plugin (0.4.6)
* x11/libexo (0.10.4)
* x11-clocks/xfce4-timer-out-plugin (1.0.2)
* x11-fm/thunar (1.6.6)
* x11-themes/gtk-xfce-engine (3.2.0)

At the same time we switched to the USES framework, and a new plugin
has been added, called audio/xfce4-pulseaudio-plugin.

We also follow the unstable releases (available in our experimental
repository) of:
* x11/xfce4-dashboard (0.3.91)
* x11/xfce4-notes-plugin (1.8.0 beta)

The following documentation patches are ready:
* PR197878, Update Xfce section in Porter's Handbook
* D1305, FAQ

Open tasks:

1. Work on support for Compact Disc Digital Audio (CD-DA) in
multimedia/xfce4-parole.
2. Add a new property (through xfconf-query) to allow users to change
the greyscale value of quicklaunch icons in x11/xfce4-dashboard
(this feature is only available in the unstable release).
__________________________________________________________________

More Michael Lucas FreeBSD books

URL: http://blather.michaelwlucas.com/archives/2352

Contact: Michael Lucas <mwlucas@michaelwlucas.com>

The FreeBSD storage books are proceeding slower than expected. This is
a complex project.

It appears that ZFS will be a two-book topic. The first book will cover
basic ZFS, while the second will cover advanced cases like live and
cold replication, sharing, performance, and using ZFS on top of less
common GEOM providers. More details can be found in the links section.

Allan Jude (allanjude@) is co-authoring the ZFS books. Little did he
know of the magnitude of the task ahead of him when he signed up....
__________________________________________________________________

The FreeBSD Foundation

URL: http://www.FreeBSDFoundation.org/
URL: http://freebsdjournal.com/
URL: http://www.bsdnow.tv/episodes/2015_03_11-the_pcbsd_tour_ii
URL: http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2

Contact: Deb Goodkin <deb@FreeBSDFoundation.org>

The Foundation turned 15 on March 15th! We kicked off our anniversary
celebration by launching a spring fundraising campaign, to bring in 500
new community investors. In conjunction with our anniversary, BSDNow
interviewed Justin Gibbs about our history and plans for the future as
part of the PC-BSD tour. BSDNow also interviewed Ed Maste about FreeBSD
projects and processes in a "From the Foundation" episode.

We were a Platinum Sponsor of AsiaBSDCon and had five team members
attend the conference. Kirk McKusick taught a two-day FreeBSD kernel
tutorial and gave a talk on Journaled Soft Updates, and George
Neville-Neil gave a talk on network performance in FreeBSD; George also
taught a two-day tutorial (A Look Inside FreeBSD with DTrace). This is
from ongoing work with Robert Watson in support of both academic and
practitioner educational material for FreeBSD. Dru gave a talk on
Advanced OpenSource Storage with FreeNAS 9.3, and Ed Maste gave a talk
on the LLDB Debugger in FreeBSD.

We became a Platinum Sponsor for BSDCan, and have approved six travel
grants to FreeBSD contributors. We also sponsored Michael Dexter to
attend SCALE so he could give a talk on virtualization.

In addition to the above conferences, we helped promote FreeBSD at the
following conferences:
* USENIX FAST '15
* FOSDEM
* SCALE

We received and published FreeBSD testimonials from Xinuos, Netgate,
and Tarsnap.

We launched the "From the Trenches" series to provide stories from
FreeBSD contributors on what they are doing with FreeBSD. Glen Barber
wrote an article called ZFS and How to Make a Foot Cannon. Glen also
investigated a deadlock issue when rebooting after upgrades (PR
195458), and he released weekly 11-CURRENT and 10-STABLE snapshot
builds.

The FreeBSD Journal now has over 8300 subscribers and has a 98% renewal
rate. We are now publishing a few free FreeBSD Journal articles. We
also created landing pages for each Journal issue for easier promotion.

We started work on the Ottawa Vendor and Developer Summits and another
one that has not yet been officially announced on the East Coast in the
fall.

Our development staff and project grant recipients were responsible for
a large number of feature improvements and bug fixes over this past
quarter. We have nine individual reports in this quarterly update for
Foundation-sponsored projects that demonstrate a number of different
ways the Foundation supports the FreeBSD project.

One project is the subject of a research master's project at Swinburne
University in Melbourne: the Multipath TCP (MPTCP) implementation for
FreeBSD. The PCIe hot plug project is an individual project grant. The
FreeBSD/arm64 project represents a collaborative development effort,
where the Foundation facilitates a broader project with multiple
participants.

There are also a number of projects undertaken directly by Foundation
staff. In this quarterly report we have several reports in this
category: Secure Boot, the autofs-based automount daemon, dynamically
loadable libthr, Intel DMA remapping, and migration to the ELF Tool
Chain project tools.

Additionally, one of the benefits of having long-term permanent staff
is the ability to continue to maintain projects and contribute
improvements beyond a fixed timeline. Over the last quarter, Foundation
staff contributed improvements to the UEFI boot process, vt(4) system
console, in-kernel iSCSI stack, virtual memory subsystem, and many
others.
__________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

OpenBSD 5.7 Released

May 1, 2015.

We are pleased to announce the official release of OpenBSD 5.7.
This is our 37th release on CD-ROM (and 38th via FTP/HTTP). We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.7 provides significant improvements,
including new features, in nearly all areas of the system:

- Improved hardware support, including:
o New xhci(4) driver for USB 3.0 host controllers.
o New umcs(4) driver for MosChip Semiconductor 78x0 USB multiport
serial adapters.
o New skgpio(4) driver for Soekris net6501 GPIO and LEDs.
o New uslhcom(4) driver for Silicon Labs CP2110 USB HID based UART.
o New nep(4) driver for Sun Neptune 10Gb Ethernet devices.
o New iwm(4) driver for Intel 7260, 7265, and 3160 wifi cards.
o The rtsx(4) driver now supports RTS5227 and RTL8411B card readers.
o The bge(4) driver now supports jumbo frames on various additional
BCM57xx chipsets.
o The ciss(4) driver now supports HP Gen9 Smart Array/Smart HBA
devices.
o The mpi(4) and mfi(4) drivers now have mpsafe interrupt handlers
running without the big lock.
o The ppb(4) driver now supports PCI bridges that support
subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI
bridge), and devices with 64-bit BARs behind PCI-PCI bridges as
seen on SPARC T5-2 systems.
o The puc(4) driver now supports Winchiphead CH382 devices.
o The sdmmc(4) driver now supports eMMC storage devices larger than
2GB.
o The sdhc(4) driver can properly resume on Ricoh controllers.
o The sdhc(4) driver now supports Ricoh R5U822 and R5U823 card
readers.
o The mfii(4) driver now supports the Megaraid 3008 (Fury) and 3108
(Invader) cards.
o The myx(4) driver runs less code under the big lock.
o The msk(4) driver now supports Yukon Prime, Yukon Optima 2, Yukon
88E8079, and various EC U and Supreme chipsets.
o The umass(4) driver now supports Archos 24y Vision devices.
o The athn(4) driver now supports Atheros UB94 devices.
o The azalia(4) driver now supports Realtek ALC885 codecs and Bay
Trail HD Audio devices.
o The ix(4) driver now supports onboard Ethernet devices in SPARC T5
machines.
o The upd(4) driver now handles UPSes with broken report descriptors.
o The ums(4) driver now supports the USB Tablet device emulated by
Qemu.
o The umsm(4) driver now supports MEDION S4222 devices.
o The pciide(4) driver now supports Intel C610 chipsets.
o The ukbd(4) driver now supports "wellspring" Apple keyboards.
o The pms(4) driver now supports click-and-drag with Elantech v4
touchpads.
o The umodem(4) driver now supports Arduino Leonardo devices.
o The sk(4) driver now supports receive ring scaling.
o Replaced custom jumbo allocators in sk(4), nge(4), lge(4), and
ti(4) with MCLGETI(9).
o Wireless network scanning problems with the iwn(4) driver have
been fixed.
o Support for RS* IGP Radeon devices in the radeondrm(4) driver has
been fixed.
o PowerMac7,2 and PowerMac7,3 can now boot with a multiprocessor
kernel.

- Removed hardware support:
o The lofn(4) and nofn(4) drivers for Hifn crypto accelerator
devices have been removed.
o The art(4) driver for Accoom Networks Artery T1/E1 devices has been
removed.
o The urio(4) driver for Diamond Multimedia Rio MP3 players has been
removed.

- Generic network stack improvements:
o The routing table is now used for most of the address lookup
operations superseding the RB-tree and IPv4 address list.
o The SipHash algorithm is now used for PCB hashing, trunk(4)
loadbalancing, pf(4) and bridge(4).
o Traffic destined for link-local IPv6 addresses can now be seen
with tcpdump(8).
o A carp(4) interface now needs to be configured with an explicit
carpdev parent interface.
o The mbuf(9) layer has been made mpsafe.
o Introduce mbuf_list and mbuf_queue structures and APIs.
o Support changing the IPv6 input queue length via sysctl(1) and
net.inet6.ip6.ifq.

- Installer improvements:
o The etc and xetc sets are now part of base and xbase and are not
distributed separately anymore. They are extracted from base and
xbase during installation and upgrades.
Note that this includes the rc and rc.conf files!
o The installer now supports trunk(4) interfaces during upgrades.
o The discovery of the responsefile location for unattended
installation and upgrades has been extended to be more flexible.
- Ask for the location if DHCP discovery fails for location or
mode.
- Provide a default URL if the 'next-server' DHCP option is found.
- Use /auto_install.conf or /auto_upgrade.conf if present.
- Automatically start the installer in unattended mode if either
one of these files is present when the system boots.
o Ignore hostname.if.* files when upgrading.
o Configure all physical interfaces before any dynamic interface
types (e.g. trunks, vlans) when upgrading.
o fdisk(8) now zeros out GPT signatures found when writing out an
MBR that has been re-initialized and has no EFI or EFISYS
partition.
o Fixed manipulation of 'ro' and 'rw' fstab options to avoid damage
to other options that happen to contain 'ro' or 'rw'.
o The ramdisk binary (one binary contains all the commands) is now
compiled without optimization and security features. The benefit
is a substantial saving in space, allowing more features in the
future.

- Routing daemons and other userland network improvements:
o nginx has been removed from base -- use the package if you need it.
o sliplogin has been removed.
o Sendmail has been removed from base -- use the package if you need
it.
o IPv6 router solicitations are now sent by the kernel ("inet6
autoconf"); rtsol(8) and rtsold(8) are no longer necessary and
have been removed.
o Enhancements and bugfixes in arp(8) and ndp(8).
o The effects of the AI_ADDRCONFIG flag on getaddrinfo(3) results
are limited to DNS queries. This avoids erratic behavior with
transient network problems, "raw" addresses and localhost entries
in /etc/hosts.
o gethostbyname(3) now no longer fails when more than 16
addresses/aliases are returned. The original pre-asr limit of 35
has been restored, with additional results being truncated.
o tftp(1) now supports sending or receiving files larger than 65536
blocks in size.

- Security improvements:
o Stricter enforcement of W^X in the kernel address space,
especially on architectures with the right featureset (amd64, in
particular, has seen substantial improvements).
o Support for loadable kernel modules has been removed.
o procfs has been removed.
o Comprehensive audit of the tree to use the reallocarray(3) idiom
throughout.
o Many conversions from select(2) to poll(2).
o /var/tmp is now a symbolic link to /tmp, as a first step towards
reducing the "fill it up" attack surface against the /var
partition.
o memcpy(3) with overlapping arguments now aborts a program (with a
syslog report), allowing these problems to be found. Overlapping
copies should use memmove(3). Sometime after 5.7 release, having
learned more about the situation and repairing instances that are
discovered by users during release use, we will go back to the
optimized version.
o Change rand(3), random(3), drand48(3), lrand48(3), mrand48(3),
srand48(3) to return non-deterministic strong random values by
default, sourced from arc4random(3). New functions
srand_deterministic(3), srandom_deterministic(3),
seed48_deterministic(3) and lcong48_deterministic(3) are added for
cases where determinism needs to be requested.
o At resume (or unhibernate) time, use a variety of methods to
reseed the random number generator. This also works on VMs which
wake up (if a wakeup event is seen).
o All architectures have been transitioned to static PIE, meaning
the statically linked binaries in /bin and /sbin now have randomly
located text segments.
o Allow larger .openbsd.randomdata ELF segments.
o Sync kernel AES code and ssh(1) AES code to the one shipped with
OpenSSL/LibreSSL.
o Removed passwd(1) support for all password ciphers except
blowfish(3).
o Use sha512 instead of md5 for tcp(4) initial sequence number.
o Use sha512 instead of md5 in the random number generator.
o Delete secret or secret-derived data in many base utilities with
explicit_bzero(3).

- Assorted improvements:
o New rcctl(8) utility to control daemons.
o fw_update(1) has been rewritten to be faster and smarter.
o Cleaned up libevent(3): the compatibility layer for other operating
systems has been removed. The API is still compatible with
upstream libevent 1.4.15-stable.
o openssl(1) s_client now supports a -proxy parameter for connecting
over an HTTP proxy.
o gzsig has been removed.
o Switch to fast assembly versions of some libc functions on amd64.
o Frequency scaling has been moved from apmd(8) to the kernel with
an improved algorithm.
o Switch last workq API uses to taskq API and remove all traces of
workq.
o Use services(5) names in the default pf rules in force during
startup.
o what(1) now correctly displays $OpenBSD$ expansions.
o dhcpd(8) now removes addresses from its pf table a single time
when they expire, rather than at every timeout after the expiry.
o dhcpd(8) now ensures that the pf table process exits when the main
process does.
o dhcpd(8) has more informative log entries for DHCPACKs issued in
response to DHCPINFORM messages.
o Added POSIX types blkcnt_t (int64) and blksize_t (int32), and used
them for st_blocks (formerly int64_t) and st_blksize (formerly
u_int32_t) in struct stat.
o Improved typography for banner(6).
o dhclient(8) adjusts MTU when the interface-mtu DHCP option is
provided.
o Various memory leaks in dhclient(8) plugged, providing more
stability for long running (in terms of time or renewals)
instances.
o The dhclient(8) command line options -q (quiet) and -d (don't
daemonize) are now mutually exclusive.
o The communication between the privileged and unprivileged
dhclient(8) processes was reworked to further minimize information
sharing.
o dhclient(8) ensures lease timeouts (renew, rebind, expire) are
sane and uses default values closer to RFC suggestions.
o dhclient(8) no longer crashes when a lease expires and cannot be
renewed or replaced.
o dhclient(8) has improved tracking of network interface link states.
o Improved network error tracking and accounting in dhclient(8).
o Private number conversion functions in dhclient(8) eliminated in
favour of standard library functions.
o Further signal race cleanups in ftp(1).
o BIND has been retired, encouraging use of nsd(8) and unbound(8).
o Significant namespace cleanup in the /usr/include files,
especially related to <sys/param.h> and <limits.h>.
o softraid(4) RAID1 and CRYPTO volumes are now bootable on the
sparc64 platform.
o relayd(8) now uses "TLS" rather than "SSL" terminology to reflect
the deprecation of the latter.
o relayd(8) now supports the random and source-hash modes with
redirections.
o relayd(8) now supports the OPENBSD-RELAYD-MIB via agentx with
snmpd(8).
o Added interfaces for setting the close-on-exec flag and/or
non-blocking mode on new file descriptors: pipe2(2), dup3(2),
accept4(2), mkostemp(3), mkostemps(3), the SOCK_CLOEXEC and
SOCK_NONBLOCK flags for socket(2) and socketpair(2), and the
MSG_CMSG_CLOEXEC flag for recvmsg(2). In addition,
posix_spawn_file_actions_adddup2(3) now always clears the
close-on-exec flag.
o Added interfaces for setting the close-on-exec flag on new FILE
handles and for requesting exclusive creation via the 'e' and
'x' mode letters for fopen(3), fdopen(3), freopen(3), and popen(3).
o Many library functions and programs changed to use the above for
safety or simplicity.
o Added chflagsat(2), sockatmark(3), and stravis(3).
o Merged performance and safety fixes for fts(3) from FreeBSD.
o Merged fixes for file descriptor leaks in various rpc(3) functions
from NetBSD.
o Added a kern.global_ptrace sysctl(1) to disable, by default, the
ability to ptrace(2) processes that aren't your descendants.
o kdump(1) now always displays both the numeric and the textual
forms for users, groups, timestamps, and sysctl ids, eliminating
the -r option. It also auto-selects between decimal and hex format
for arguments, renders more types of flags, and is more robust
when parsing corrupt ktrace files.
o chmod(1)/chgrp(1)/chown(8) now comply with POSIX's requirements
when they encounter symlinks when the -R option is used, and are
safe from race conditions when doing so.
o The dmesg(8) utility can now display the console message buffer in
addition to the system message buffer.
o inetd(8) now uses libevent instead of select(3).
o Reworking of the kernel pool(9) implementation to provide mpsafety
and pave the way for performance improvements.
o Removed the workq API after replacing it with the task API.
o Add support for creating kernel threads that cannot sleep to
taskq_create(9).
o Completed the implementation of the atomic (eg, atomic_cas_uint(9),
atomic_swap_uint(9), atomic_add_int(9), atomic_sub_int(9),
atomic_inc_int(9), and atomic_dec_int(9)) and membar
(membar_sync(9)) APIs across all supported architectures.

- OpenBSD httpd(8):
o SSLv2/3 is not supported anymore; renamed all occurrences of "SSL"
to "TLS".
o Various TLS improvements with better support for ECDHE/DHE forward
secrecy.
o Improved support for virtual hosts by supporting name- and
IP-based aliases.
o Added support for basic authentication by checking against files
created with htpasswd(1).
o Added support for custom error codes, blocking and dropping of
connections.
o Added support for redirections and macros in specified target URLs.
o Added the "root strip" option to sanitize PATH_INFO for some CGI
scripts.
o Added an option to specify an alternative log directory instead of
/var/www/logs.
o Various FastCGI improvements; httpd(8) is now compatible with many
well-known web applications.
o Various other fixes and improvements.

- OpenSMTPD 5.4.4:
o SSLv3 is not supported anymore.
o Added support for a new message and headers parser.
o Added support for append-domain.
o Restricted address lookups to configured address families.
o Domain is no longer required when mailing a local user.
o Various other fixes and improvements.

- OpenSSH 6.8:
o Potentially-incompatible changes:
- sshd(8): UseDNS now defaults to 'no'. Configurations that match
against the client host name (via sshd_config(5) or
authorized_keys) may need to re-enable it or convert to
matching against addresses.
o New/changed features:
- Much of OpenSSH's internal code has been re-factored to be more
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.
- Add FingerprintHash option to ssh(1) and sshd(8), and
equivalent command-line flags to the other tools to control
algorithm used for key fingerprints. The default changes from
MD5 to SHA256 and format from hex to base64. Fingerprints now
have the hash algorithm prepended. Please note that visual host
keys will also be different.
- ssh(1), sshd(8): Experimental host key rotation support. Add a
protocol extension for a server to inform a client of all its
available host keys after authentication has completed. The
client may record the keys in known_hosts, allowing it to
upgrade to better host key algorithms and a server to
gracefully rotate its keys. The client side of this is
controlled by an UpdateHostkeys config option (default off).
- ssh(1): Add a ssh_config(5) HostbasedKeyType option to control
which host public key types are tried during host-based
authentication.
- ssh(1), sshd(8): fix connection-killing host key mismatch
errors when sshd(8) offers multiple ECDSA keys of different
lengths.
- ssh(1): when host name canonicalisation is enabled, try to
parse host names as addresses before looking them up for
canonicalisation. Fixes bz#2074 and avoids needless DNS
lookups in some cases.
- ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
require OpenSSH to be compiled with OpenSSL support.
- ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
authentication.
- sshd(8): SSH protocol v.1 workaround for the Meyer, et al.,
Bleichenbacher Side Channel Attack. Fake up a bignum key before
RSA decryption.
- sshd(8): Remember which public keys have been used for
authentication and refuse to accept previously-used keys. This
allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two different public keys.
- sshd(8): add sshd_config(5) HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd(8) to control what
public key types will be accepted. Currently defaults to all.
- sshd(8): Don't count partial authentication success as a
failure against MaxAuthTries.
- ssh(1): Add RevokedHostKeys option for the client to allow
text-file or KRL-based revocation of host keys.
- ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
serial number or key ID without scoping to a particular CA.
- ssh(1): Add a "Match canonical" criterion that allows
ssh_config(5) Match blocks to trigger only in the second config
pass.
- ssh(1): Add a -G option to ssh(1) that causes it to parse its
configuration and dump the result to stdout, similar to "sshd
-T".
- ssh(1): Allow Match criteria to be negated (e.g. "Match !host").
- The regression test suite has been extended to cover more
OpenSSH features. The unit tests have been expanded and now
cover key exchange.
o The following significant bugs have been fixed in this release:
- ssh-keyscan(1): ssh-keyscan(1) has been made much more robust
against servers that hang or violate the SSH protocol.
- ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names
were being lost as comment fields.
- ssh(1): Allow ssh_config(5) Port options set in the second
config parse phase to be applied (they were being ignored).
(bz#2286)
- ssh(1): Tweak config re-parsing with host canonicalisation --
make the second pass through the config files always run when
host name canonicalisation is enabled (and not whenever the
host name changes). (bz#2267)
- ssh(1): Fix passing of wildcard forward bind addresses when
connection multiplexing is in use. (bz#2324)
- ssh-keygen(1): Fix broken private key conversion from
non-OpenSSH formats. (bz#2345)
- ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
use.
- Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316)
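
The FingerprintHash change above (MD5/hex to SHA256/base64, with the algorithm name prepended) means a fingerprint recorded before the upgrade no longer looks like the one a 6.8 client prints for the same key. The following is an added example, not OpenSSH code: the helper names are hypothetical and the sample key is constructed. It computes both forms from a public key line ("type base64 [comment]") and compares a recorded fingerprint in either style.

```python
"""Old-style (MD5/hex) and new-style (SHA256/base64) SSH key fingerprints."""
import base64
import hashlib
import re
import struct

# Fingerprints recorded before the change are bare MD5 hex, with no prefix.
LEGACY_MD5 = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def ssh_string(data):
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 public key line whose
# 32 key bytes are simply 0..31. It is not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " constructed@example")


def parse_pubkey_line(line):
    """Return (key_type, blob) from a public key line, or raise ValueError."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)  # raises ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own type string; it must agree with the
    # type named in the text field, otherwise the line has been altered.
    if name_len > len(blob) - 4 or blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the type inside the blob")
    return key_type, blob


def fingerprint(blob, hash_name="sha256"):
    """Fingerprint of the raw key blob, with the algorithm name prepended."""
    if hash_name == "md5":
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join("%02x" % b for b in digest)
    if hash_name == "sha256":
        digest = hashlib.sha256(blob).digest()
        # Base64 without the trailing '=' padding.
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("unsupported fingerprint hash: %r" % hash_name)


def matches(line, recorded):
    """True if `recorded` (legacy hex, MD5:... or SHA256:...) fits the key."""
    _, blob = parse_pubkey_line(line)
    recorded = recorded.strip()
    if LEGACY_MD5.match(recorded.lower()):
        recorded = "MD5:" + recorded
    algo, _, value = recorded.partition(":")
    if algo == "MD5":
        return fingerprint(blob, "md5") == "MD5:" + value.lower()
    if algo == "SHA256":
        # Base64 is case-sensitive, so only padding is normalised.
        return fingerprint(blob, "sha256") == "SHA256:" + value.rstrip("=")
    raise ValueError("unrecognised fingerprint format")


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type)
    print(fingerprint(blob, "md5"))
    print(fingerprint(blob, "sha256"))
```
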

- LibreSSL
o User-visible features:
- Reluctantly add server-side support for TLS_FALLBACK_SCSV.
- Import BoringSSL's crypto bytestring and crypto bytebuilder
APIs.
- Jettison DTLS over SCTP.
- Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl.
- Two important cipher suites, GOST and Camellia, have been
reworked or reenabled, providing better interoperability with
systems around the world.
- libtls: New API for loading CA chains directly from memory
instead of a file, allowing verification with privilege
separation in a chroot(8) without direct access to CA
certificate files.
- libtls: Ciphers default to TLSv1.2 with AEAD and PFS.
- libtls: Improved error handling and message generation.
- Added X509_STORE_load_mem API for loading certificates from
memory. This facilitates accessing certificates from a chrooted
environment.
- New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
using 'TLSv1.2+AEAD' as the cipher selection string.
- New openssl(1) command 'certhash' replaces the c_rehash script.
- Application-Layer Protocol Negotiation (ALPN) support.
o Code improvements:
- Dead and disabled code removal including MD5, Netscape
workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0"
sections, and more.
- The ASN1 macros are expanded to aid readability and
maintainability.
- Various NULL pointer asserts removed in favor of letting the
OS/signal handler catch them.
- Dozens of issues found with the Coverity scanner fixed.
o Security updates:
- Fix a Bleichenbacher style timing oracle with bad PKCS padding.
- Fix memory leaks.
- Address POODLE attack by disabling SSLv3 by default.
- SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
- Earlier libtls support for non-blocking sockets and randomized
session ID contexts.
- Ensure the stack is marked non-executable for assembly sections.
- Multiple CVEs fixed including CVE-2014-3506, CVE-2014-3507,
CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511,
CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205 and
CVE-2015-0206.

- mandoc 1.13.3:
o man(1), apropos(1), and mandoc(1) now have a unified user
interface, all with the same options, and are in fact all
implemented by the same binary program.
o For man(1), this implies new options -l and -IKOTW, and it now
finds manual pages by the names in their NAME sections even if
they lack matching file names.
o For apropos(1), this implies new options -acfhklw and -IKOTW.
o For mandoc(1), this implies new options -acfhkl.
o mandoc(1) now automatically detects and transparently accepts
input encoded in utf-8 and iso-8859-1, and provides a new option
-K to explicitly specify the input encoding.
o The mandoc(1) default output mode now is -Tlocale rather than
-Tascii.
o eqn(7) now supports in-line equations, and terminal rendering of
equations is considerably improved.
o mandoc(1) -Thtml now generates polyglot HTML5 and renders eqn(7)
using MathML.
o mandoc(1) can no longer fail with fatal errors, no matter how
broken the input file may be, and the -Wfatal message level no
longer has any effect. A new diagnostic level -Wunsupp is
provided. Besides, many diagnostic messages are now more specific.
o Many crashes were fixed that Jonathan Gray found with the American
Fuzzy Lop (afl).

- Syslogd:
o OpenBSD syslogd(8) is based on libevent now.
o Sending and receiving UDP messages works with both IPv4 and IPv6.
o Syslog messages can also be sent over TCP or TLS. The syntax to
specify the loghost is documented in syslog.conf(5).
o Sending over TCP and TLS is reliable. If a connection terminates,
syslogd tries to reconnect. When the message buffer in memory gets
full, the number of dropped messages is counted and logged.
o With TLS, the x509 certificate of the syslog server is verified.
o The maximum message size has been increased according to newer RFC.

- Ports and packages:
o Over 9,000 ports.

- Many pre-built packages for each architecture:
o i386:    8722        o sparc64:   8184
o alpha:   6811        o sh:        0
o amd64:   8745        o powerpc:   8286
o sparc:   4026        o arm:       0
o hppa:    6718        o vax:       1550
o mips64:  1595        o mips64el:  6914
o m88k:    1148

- Some highlights:

o Chromium 40.0.2214.115
o Emacs 21.4 and 24.4
o GCC 4.8.4 and 4.9.2
o GHC 7.8.4
o GNOME 3.14.2
o Go 1.4.1
o Groff 1.22.3
o JDK 1.7.0.71
o KDE 3.5.10 and 4.14.3
o LLVM/Clang 3.5 (20140228)
o LibreOffice 4.3.5.2
o MariaDB 10.0.16
o Mono 3.12.0
o Mozilla Firefox 31.4.0esr and 35.0.1
o Mozilla Thunderbird 31.4.0
o Node.js 0.10.35
o OpenLDAP 2.3.43 and 2.4.40
o PHP 5.3.29, 5.4.38, 5.5.22 and 5.6.5
o Postfix 2.11.4
o PostgreSQL 9.4.1
o Python 2.7.9 and 3.4.2
o R 3.1.2
o Ruby 1.8.7.374, 1.9.3.551, 2.0.0.598, 2.1.5, and 2.2.0
o Sendmail 8.15.1
o Tcl/Tk 8.5.16 and 8.6.2
o TeX Live 20
o Vim 7.4.475
o Xfce 4.10

- As usual, steady improvements in manual pages and other documentation.

- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches,
freetype 2.5.5, fontconfig 2.11.1, Mesa 10.2.9, xterm 314,
xkeyboard-config 2.13 and more)
o Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.20.1 (+ patches)
o SQLite 3.8.6 (+ patches)
o NSD 4.1.1
o Unbound 1.5.2
o Sudo 1.7.2p8
o Ncurses 5.7
o Binutils 2.15 (+ patches)
o Gdb 6.3 (+ patches)
o Less 458 (+ patches)
o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.6
and 5.7, look at

http://www.OpenBSD.org/plus57.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 5.7 HTTP/CD-ROM binaries and the actual 5.7
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to

http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS --------------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:

http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.7 is also available on CD-ROM. The 3-CD set costs 44 EUR and
is available via web order worldwide.

The CD set includes a colourful booklet which carefully explains the
installation of OpenBSD. A new set of cute little stickers is also
included (sorry, but our HTTP mirror sites do not support STP, the Sticker
Transfer Protocol). As an added bonus, the second CD contains an audio
track, a song entitled "Source Fish". MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

http://www.OpenBSD.org/lyrics.html#57

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.7 CD-ROMs are bootable on the following platforms:

o i386
o amd64
o macppc
o sparc64

(Other platforms must boot from network, floppy, or other method).

For more information on ordering CD-ROMs, see:

http://www.OpenBSD.org/orders.html

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:

http://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses. There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs. Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell T-shirts and polo shirts,
with new and old designs, available from our web ordering system.

------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via HTTP downloads. Typically you need a single
small piece of boot media (e.g., a USB flash drive) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet. Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via HTTP. With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of HTTP
mirrors which provide OpenBSD, then choose one near you:

http://www.OpenBSD.org/ftp.html
http://ftp.openbsd.org/pub/OpenBSD/ftplist

As of May 1, 2015, the following HTTP mirror sites have the 5.7 release:

http://ftp.eu.openbsd.org/pub/OpenBSD/5.7/      Stockholm, Sweden
http://ftp.bytemine.net/pub/OpenBSD/5.7/        Oldenburg, Germany
http://ftp.ch.openbsd.org/pub/OpenBSD/5.7/      Zurich, Switzerland
http://ftp.fr.openbsd.org/pub/OpenBSD/5.7/      Paris, France
http://ftp5.eu.openbsd.org/pub/OpenBSD/5.7/     Vienna, Austria
http://mirror.aarnet.edu.au/pub/OpenBSD/5.7/    Brisbane, Australia
http://ftp.usa.openbsd.org/pub/OpenBSD/5.7/     CO, USA
http://ftp5.usa.openbsd.org/pub/OpenBSD/5.7/    CA, USA
http://mirror.esc7.net/pub/OpenBSD/5.7/         TX, USA

The release is also available at the master site:

http://ftp.openbsd.org/pub/OpenBSD/5.7/         Alberta, Canada

However, it is strongly suggested that you use a mirror.

Other mirror sites may take a day or two to update.

2) Connect to that HTTP mirror site and go into the directory
pub/OpenBSD/5.7/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT    alpha/          luna88k/        sparc/
Changelogs/     amd64/          macppc/         sparc64/
HARDWARE        armv7/          octeon/         src.tar.gz
PACKAGES        aviion/         packages/       sys.tar.gz
PORTS           hppa/           ports.tar.gz    tools/
README          i386/           root.mail       vax/
SHA256          landisk/        sgi/            xenocara.tar.gz
SHA256.sig      loongson/       socppc/         zaurus/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

README     - generic README
HARDWARE   - list of hardware we support
PORTS      - description of our ports tree
PACKAGES   - description of pre-compiled packages
root.mail  - a copy of root's mail at initial login.
             (This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:

INSTALL.amd64   bsd.rd*         game57.tgz      pxeboot*
SHA256          cd57.iso        index.txt       xbase57.tgz
SHA256.sig      cdboot*         install57.fs    xfont57.tgz
base57.tgz      cdbr*           install57.iso   xserv57.tgz
bsd*            comp57.tgz      man57.tgz       xshare57.tgz
bsd.mp*         floppy57.fs     miniroot57.fs

If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install57.iso. The install57.iso file (roughly 250MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.

If you prefer to use a USB flash drive, fetch install57.fs and
follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

http://www.OpenBSD.org/errata.html

This is the page where we talk about the mistakes we made while
creating the 5.7 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/5.7/tools
directory to do so.
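
The steps above fetch install files from a mirror over plain HTTP, and each directory listing includes a SHA256 file. The following is an added example, not part of the OpenBSD announcement: it checks downloaded files against that list, assuming BSD-style "SHA256 (name) = hex" lines. The function names are hypothetical and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_sha256_list(text):
    """Parse BSD-style lines 'SHA256 (name) = hex' into {name: hex}; reject anything else."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a SHA256 checksum line")
        digests[m["name"]] = m["hex"]
    return digests

def file_sha256(path, chunk=1 << 20):
    """Hash in chunks so a 250MB install image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(directory, sha256_text, wanted):
    """Map each wanted file to 'ok', 'MISMATCH', 'missing' or 'unlisted'."""
    digests = parse_sha256_list(sha256_text)
    result = {}
    for name in wanted:
        path = Path(directory, name)
        if name not in digests:
            result[name] = "unlisted"
        elif not path.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if file_sha256(path) == digests[name] else "MISMATCH"
    return result

def demo():
    """Constructed stand-ins for downloaded files; not real release contents."""
    listing = (f"SHA256 (INSTALL.amd64) = {hashlib.sha256(b'notes').hexdigest()}\n"
               f"SHA256 (install57.iso) = {hashlib.sha256(b'IMAGE').hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "INSTALL.amd64").write_bytes(b"notes")
        Path(d, "install57.iso").write_bytes(b"image")  # differs from the listed digest
        return verify(d, listing, ["INSTALL.amd64", "install57.iso", "bsd.rd"])

if __name__ == "__main__":
    print(demo())
```

A match only shows that a file agrees with the SHA256 list fetched alongside it; the SHA256.sig file in the listing is the signed copy of that list, checked with signify(1).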

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc. During installation, you can install
X.Org quite easily. Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 5.7 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the nginx web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided. Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/5.7/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/5.7/README)
file explains how to deal with these source files. For those who
are doing an HTTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.7/ directory:

xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Landry Breuil, Stuart Henderson, Peter Hessler,
Paul Irofti, Sebastian Reitenbach, Miod Vallat, and Christian Weisgerber.
System builds by Jasper Lievisse Adriaanse, Kenji Aoyama, Theo de Raadt,
Jonathan Gray, Mark Kettenis, and Miod Vallat. X11 builds by
Jasper Lievisse Adriaanse, Kenji Aoyama, Todd Fries, and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 5.7 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexandr Shadchin,
Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
Anthony J. Bentley, Antoine Jacoutot, Benoit Lecocq, Bob Beck,
Brandon Mercer, Brent Cook, Bret Lambert, Brett Mahar,
Brian Callahan, Bryan Steele, Camiel Dobbelaar, Charles Longeau,
Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
Claudio Jeker, Damien Miller, Daniel Dickman, Darren Tucker,
David Coppa, David Gwynne, Doug Hogan, Edd Barrett, Eric Faurot,
Federico G. Schwindt, Florian Obser, Gerhard Roth, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez,
Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jakob Schlyter, James Turner, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Jim Razmus II, Joel Sing, Joerg Jung, Jonathan Armani,
Jonathan Gray, Jonathan Matthew, Joshua Elsasser, Joshua Stein,
Juan Francisco Cantero Hurtado, Kenji Aoyama, Kenneth R Westerback,
Kent R. Spillner, Kirill Bychkov, Kurt Miller, Landry Breuil,
Lawrence Teo, Loganaden Velvindron, Luke Tymowski, Marc Espie,
Marco Pfatschbacher, Mark Kettenis, Mark Lumsden, Markus Friedl,
Martin Pelikan, Martin Pieuchot, Martin Reindl, Martynas Venckus,
Masao Uebayashi, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
Matthieu Herrb, Mike Belopuhov, Mike Larkin, Miod Vallat,
Naoya Kaneko, Nayden Markatchev, Nicholas Marriott, Nick Holland,
Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf,
Paul de Weerd, Paul Irofti, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Raphael Graf, Remi Pointel, Renato Westphal,
Reyk Floeter, Robert Nagy, Robert Peichaer, Ryan Thomas McBride,
Sasano Takayoshi, Sebastian Benoit, Sebastian Reitenbach,
Simon Perreault, Stefan Fritsch, Stefan Sperling, Stephan Rickauer,
Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sylvestre Gallon,
Ted Unangst, Theo de Raadt, Tobias Stoeckmann, Tobias Ulmer,
Todd C. Miller, Todd Fries, Vadim Zhukov, William Yodlowsky,
Yasuoka Masahiko, Yojiro Uo