OpenBSD 7.7 Released

OpenBSD 7.7

Released Apr 28, 2025. (58th OpenBSD release) Copyright 1997-2025, Theo de Raadt. Artwork by Tomáš Rodr. See the information on the FTP page for a list of mirror machines. Go to the pub/OpenBSD/7.7/ directory on one of the mirror sites. Have a look at the 7.7 errata page for a list of bugs and workarounds. See a detailed log of changes between the 7.6 and 7.7 releases. signify(1) pubkeys for this release: openbsd-77-base.pub: RWSbCCUoGpcxVRmNb/XFYBbthxWMK7G6fNbJhb993Ohuh29WFaT9vhe2 openbsd-77-fw.pub: RWSJsKh8CzZG93aXHWDPCNM04iMwt7wRzfWzs1nL/2K6OsUvmAEfQavY openbsd-77-pkg.pub: RWQ0omJ8AdcUd41n7fqEccjc/VyLhJLKVJo7oFUg7epg6lUHRtgMgT52 openbsd-77-syspatch.pub: RWRtcHFMyeKCcG4TkoK/TbEvDd1vch0tq8VgRR5UBpvAQkUcgja3jtV9 All applicable copyrights and credits are in the src.tar.gz, sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via ports.tar.gz.

---

What's New

This is a partial list of new features and systems included in OpenBSD 7.7. For a comprehensive list, see the changelog leading to 7.7.

• Platforms specific improvements:
  • arm64:
    • Set AP power state, fixing the SMC initialization on the M1 MacBook with the latest system firmware.
    • Implemented a new pmap_populate() interface on arm64 and riscv64 to help pmap_enter(9) succeed when there's enough free physical memory but we can't allocate KVA to map that memory.
    • Optimized pmap teardown by skipping TLB flushes, giving ~5% performance boost for kernel build.
    • Enabled PAC on hardware that uses the new QARMA3 cipher.
    • Implemented support for SVE (Scalable Vector Extension).
  • amd64:
    • Added the ability for bus_dmamem_alloc(9) to recognize the BUS_DMA_64BIT flag and allocate memory for DMA without any 4GB restrictions on amd64.
    • Allowed boot loader to run as AMD SEV guest on QEMU with EFI.
    • Allowed kernel boot on QEMU with AMD SEV.
    • Allowed use of MSI with the QEMU default pc-i440fx machine.
    • Stopped amd64 leak of kernel stack guard pages.
    • Implemented the AMD SEV psp(4) download firmware command to load new firmware onto the chip and made the AMD SEV automatically load psp(4) firmware during vmd(8) startup.
  • Other architectures:
    • Fixed riscv64 sigcode copying and put riscv64 sigcode in the .rodata memory section.
    • Implemented an interrupt depth counter on sparc64.
    • Moved the hppa stack 1GB higher.
    • On i386, improved the stability in low-memory situations, especially for MP.
    • Fixed a powerpc64 bug where a pte could be put into an incorrect pteg, leading to a crash.
    • Changed luna88k disklabel labeloffset to 0.
  • More platform specific changes can be found in the hardware support section below.
• Various kernel improvements:
  • Improved responsiveness in OOM situations and made free target checks coherent.
  • Removed the ability to specify a root, dump or swap device on st(4).
  • In uvm, prevent a race where a mapped object is being truncated while we are spinning to unwire it.
  • Optimized page daemon active and inactive list traversals when looking only for low pages.
  • Added a helper to check if memory has been freed for a given request to improve speed of the page daemon loop.
  • Started accounting for in-flight pages being written to disk when the page daemon is computing page shortage.
  • Adjusted the ptrace interface to properly support single-threaded continue and make it possible to use breakpoints in multi-threaded processes in gdb.
  • Add ptrace(2) commands used to read/write the XSAVE area of a traced process.
  • Correctly honored the count optional argument of the ddb(4) break command, ensuring execution does not stop until the breakpoint is hit at least that many times.
  • Taught ddb(4) how to disassemble endbr64.
  • Moved dt(4) to using a ringbuffer per CPU.
  • Added 'socket' refcnt type to dt(4).
  • Made btrace(8) support additional interval/profile units (hz, us, ms, s).
  • Added multi-line strings support to the bt(5) script parser.
  • Added kern.audio.kbdcontrol sysctl(2) variable, allowing the volume keys on multimedia keyboards to be handled as regular keys if set to 0.
  • Implement bus_dma(9) bounce buffering for raw memory.
  • Started ignoring sub-nodes of non-functional nodes in the ACPI tree walk to fix double and triple attachments of the same PCIe root bridges.
  • Suspend/Hibernate Support
    • Ensured all hibernate data is written inside the allocated chunk of swap.
    • Removed unneeded zeroing of free pages during hibernate.
    • Corrected hibernate error detection during RLE writes.
    • Ensured hibernate fails when I/O or memory allocation errors occur.
  • Bugfixes
    • Fixed a (mostly) hypothetical race in pinsyscalls(2) by making it return an error if called in a multi-threaded process.
    • Fixed CPU idle percentage in top(1) on macppc.
    • Reworked how processes are stopped because of a signal. Now multithreaded processes can be reliably stopped and continued. This should fix problems seen in golang, mpv and in our regress tests.
    • Fix possible races of changes to the per-process unveil data structures by either pledge() [removing all path promises] or unveil() [adding new paths], against namei() inspecting in other thread system calls.
• SMP Improvements
  • Unlocked sysctl kern.timeout_stats.
  • Unlocked sysctl kern.allowkmem.
  • Unlocked sysctl kern.video.record.
  • Unlocked sysctl net.inet.gre.allow and net.inet.gre.wccp.
  • Unlocked sysctl kern.global_ptrace.
  • Unlocked sysctl kern.wxabort.
  • Unlocked sysctl kern.malloc.kmemstat.
  • Reduced kernel lock contention when tearing down file-backed regions.
  • Unlocked ptsignal, psignal and prsignal by using the ps_mtx mutex(9).
  • Used a mutex to make psp(4) MP safe.
  • Locked send socket buffer for fstat(2) syscall.
  • Made lock changes to reduce lock contention in __thrsleep and __thrwakeup syscalls. go performance particularly benefits from this.
  • Unlocked virtio(4).
  • Made `video_filtops' MP-safe.
  • Run TCP output and TCP timers in parallel.
    • TCP send(2) and recv(2) system calls use shared netlock. Multiple userland threads can work on different sockets in parallel.
    • TCP output no longer blocks IP processing.
    • TCP timer also use locks that are specific to the socket they are working on, other network traffic can be processed by different CPUs.
    • Socket splicing is MP-safe for TCP.
    • Some of the sysctl syscalls affecting TCP no longer block network operations on other CPUs.
    • Only TCP input still uses exclusive netlock and prevents other parts of the network stack from running in parallel.
  • Unlocked accept(2) for TCP sockets.
  • Started using shared net lock when calling shutdown(2) on internet socket.
  • Reworked rwlocks to reduce pressure on the scheduler and SCHED_LOCK.
  • Pushed the KERNEL_LOCK() down to namei(9) in stat(2), lstat(2) & fstatat(2) and Unlocked fstat(2).
  • Unlocked wskbd(4) kqueue filterops.
  • Used `ws_mtx' mutex(9) to make wsmux(4) filterops MP-safe.
  • Unlocked open(2) and openat(2).
  • Made wsmouse(4) and wstpad filterops MP-safe.
  • Pushed KERNEL_LOCK() inside __realpath(2).
  • Made wakeup of parent process in dowait6 reliable even without kernel lock.
  • Used ps_mtx mutex(9) to lock the child process that is being checked by dowait6.
• Direct Rendering Manager and graphics drivers
  • Updated drm(4) to Linux 6.12.21.
  • amdgpu(4): Added kernel support for Ryzen AI 300 (Strix Point, Strix Halo, Krackan Point), Radeon RX 9070 (Navi 48).
  • inteldrm(4): Added support for Arrow Lake.
• VMM/VMD improvements
  • Added an IPI for executing INVEPT to flush EPT on remote CPUs, a first step toward allowing guest memory not to be wired by UVM.
  • Implemented psp(4) shutdown command and ioctl(2) PSP_IOC_SHUTDOWN, which will be used by vmd(8) to reset psp(4) on startup.
  • Started using acpipci(4) on hypervisors. If the hypervisor cpuid bit is set, use acpipci to attach PCI busses. As virtualization is not that old, we can assume that in VMs we don't need the quirk for old, broken ACPI. This solves problems with PCI BAR access and recent SeaBIOS versions on QEMU.
• Various new userland features:
  • Numerous changes to make the imsg API stricter and better, which were followed by adapting all applications across the tree.
  • Allow the user to provide an alternative perfpolicy when on battery, extending the semantics of hw.perfpolicy to provide two buttons to specify desired behavior. This gives users more flexibility in setting the performance when AC-powered vs. battery powered.
  • Made calendar(1) use the environment variable RECIPIENT_EMAIL for sending mails to.
  • Made security(8) use GMT rather than the local timezone when checking for changes in device nodes and setuid files. Avoids false positives when changing timezones.
  • Added a new variable PASSWDSKIP that can be set in /etc/daily.local to prevent security(8) from complaining about specific accounts that have no password. This is typically used for services like anoncvs and gotd.
  • Added [-f file] to sysctl(8) to apply sysctl.conf(5) in one go, and started using it in rc(8) instead of a parser implemented in ksh.
  • Added support for read/write of xmm/ymm registers to lldb(1).
• Various bugfixes and tweaks in userland:
  • Added wsconscfg(8) -g option to get the index of the current virtual terminal.
  • Made getgrouplist(3) always return the total number of groups found.
  • Ignore extra groups that don't fit in the buffer passed to getgrouplist(3), providing only the kernel maximum of sixteen groups.
  • Prevent newsyslog(8) from running through time checks when an entry needs to be rotated based on size.
  • Changed ps(1) to print the session id (PID of the session leader) instead of a pointer with display argument 'sess'.
  • In cu(1), map ucom unit number to cuaU number using the same scheme MAKEDEV uses, fixing problems with ucom units > 10.
  • Made CPU frequencies human-readable with systat(1) sensors -h.
  • Fixed a bug where getty(8) dx flag was supposed to set decctlq, but was setting ixany instead.
  • Made pkg_add(1) run ldconfig(8) after each updateset if the list of shared libraries was changed.
  • Corrected behavior of sed(1) c command to match POSIX.
  • Make clang(1) -fzero-call-used-regs aware of the register used by retguard. QEMU is using -fzero-call-used-regs, causing a crash.
  • Disk partition information is now saved by security(8).
  • Made security(8) ignore quota(1) files and all subdirectories of /var/mail when checking the ownership and mode of mailboxes.
  • Added pkg-config(1) support for relocatable .pc files.
  • Made mandoc(1) "-T html" and "-T markdown" output translate ".%R RFC <number>" to a hyperlink to rfc-editor.org.
  • Support decimal fractions like "0.25i" in roff(7) scaled widths and arithmetic operations in tbl(7) column widths, as needed for some manual pages written with DocBook.
  • When syslogd(8) acting as logserver with TLS (-S) and client-certificates are used for authentication (-K), use the CN from the client's certificate as hostname.
  • Adjusted the alignment when df(1) prints inode columns. This makes 'df -hi' on systems with large partitions easier on the eyes.
  • Made test(1) use timespeccmp() and st_mtim instead of comparing st_mtime to fix comparison of files with modification times that differ by less than a second.
  • Made ksh(1) use timespeccmp() and st_mtim instead of comparing st_mtime to fix comparison of files with modification times that differ by less than a second.
  • In ps(1) added a digit to vsz and rss to accommodate processes using more memory.
  • Updated tzfile(5) to 2025bgtz from https://github.com/JodaOrg/global-tz.
  • Updated libc/locale support including e.g. wcwidth(3) and the iswalnum(3) family of functions to Unicode Version 15.0.0.
• Improved hardware support and driver bugfixes, including:
  • Increased psp(4) timeouts, allowing the EPYC 9124 time to attach.
  • Added PercentLoad sensor to upd(4), reporting the % of the available UPS power drawn by output outlets.
  • Fixed RunTimeToEmpty on some EATON models in upd(4).
  • Improved the heuristic for detecting I2C devices (making type-A ports on the Vivobook work in ACPI mode).
  • Added support for CSI b control sequence (repeat last printed character) to the wscons(4) vt100 emulation.
  • Fixed simplefb(4) colours for BPP16 and BPP24.
  • Added support for BPP16 16-bit color EFI framebuffer format as offered by U-Boot.
  • Implemented CSI s and CSI u to save and restore cursor position in wscons(4).
  • Made scaling available for normal wsmouse.4 mice, not just touchpads.
  • Added scmi(4) mailbox transport and perf protocol for CPU frequency management on Snapdragon X Elite.
  • Moved to send only a single reset during attach for ihidev(4) devices, preventing issues with some devices like the built-in keyboard on the ThinkPad T14s Gen 6.
  • Changed the sdhc(4) bus power behavior to no longer perform a power-off voltage switch request when the card is already operating at the requested voltage.
  • Implemented aplsmc(4) support for the new CHLS key used to control the battery charge level in newer SMC firmware.
  • Added pinctrl(4) support to the qciic(4) driver for Qualcomm Snapdragon SoCs.
  • Made qcpas(4) send APM_POWER_CHANGE events on AC/battery life changes, allowing upowerd to react.
  • Added qccpucp(4), a driver for the Qualcomm CPUSS Control Processor (CPUCP) mailbox controller.
  • Made qcpon(4) query hardware for the button state to detect release even if the press event is missed, and to signal wakeup when the button is pressed.
  • Made qcscm(4) attach at acpi(4). This lets Qualcomm machines which use qcscm(4) access EFI variables in ACPI mode. Some arm64 machines, like the Samsung Galaxy Book4 Edge can be successfully installed with this change.
  • Fixed support for AMD 600 series ahci(4) controller.
  • Introduce a pckbc@acpi driver attachment that is use instead of pckbc@isa when an interrupt configuration is incompatible with legacy ISA. This unbreaks, among other things, the keyboards in various Chromebooks.
  • Implemented rkpmic(4) power down if the PMIC is marked as the system power controller in the device tree.
  • Added RK3399 support to rkusbphy(4).
  • Added dwmmc(4) support for the "post-power-on-delay-ms" in the MMC power sequencing.
  • Implemented regulator-based signal voltage switch support in dwmmc(4), fixing bootup on the MNT Reform2 with the RK3588 module.
  • Added uvideo(4) support for Jabra PanaCast 20.
  • Ensure uvideo(4) fills v4l2_capability correctly (allowing some V4L consumers to use bus_info to identify the desired webcam when attempting to switch devices).
  • Added uvideo(4) support for devices which report bulk and isochronous endpoints.
  • Made uvideo(4) bypass unknown pixelformat to consumer rather than rejecting unknown driver formats.
  • Support colorformat from uvideo(4) device.
  • Fixed a uvideo(4) crash on close of isochronous endpoint's webcam.
  • Ensure uvideo(4) forwards frames with error bit to V4L consumers, which adds support of the integrated camera on ThinkPad T14 Gen 5, ThinkPad X1 Nano Gen 2, ThinkPad X13 and many other devices.
  • Forced 32-bit accesses when reading 8-bit or 16-bit registers, allowing use of xhci(4) on a Cadence xHCI controller as seen on the Radxa Orion O6.
  • Added USB 3.0 speed support to xhci(4) and uvideo(4).
  • Fixed uaudio(4) devices that don't support sample rate changes.
  • Added LED support for ikbd(4) keyboards.
  • Added mtintc(4) a driver supporting interrupt controllers found on MediaTek SoCs.
  • Added mtrng(4), a driver supporting the 32-bit random number generator on MediaTek SoCs.
  • Added mtxhci(4), a driver for the xHCI USB controller found on MediaTek SoCs, and enable it on armv7 and arm64.
• New or improved network hardware support:
  • Added ice(4), a driver for Intel E810 Ethernet (1Gb/10Gb/25Gb/50Gb/100Gb) devices.
  • Increased receive mbuf size with LRO in vio(4), helping TCP splice performance.
  • Fixed xbf(4) and xnf(4) not attaching on XCP-ng 8.3/Xen 4.17.
  • Added printing of number of queues and interrupt and Ethernet address details to mcx(4).
  • Fixed the bnxt(4) receive refill timeout to only refill rings that are currently empty, preventing possible corruption and crashes.
  • Added support for AX88772D to axen(4).
  • Added ixv(4), a driver for virtual functions of Intel 82598EB, 82559 and X540.
  • Enabled rx/tx checksum offloading on iavf(4).
  • Added RSS/multiqueue support for AQC11x models ("aq2") in aq(4).
  • Added support for reading EEPROM pages for aq(4) cards with SFP slots.
  • Started clearing the OACTIVE flag on transmit queues when ixl(4) is reset.
• Added or improved wireless network drivers:
  • Added support for MA devices to iwx(4).
  • Restricted scanned channels appropriately when qwx(4) runs in a fixed PHY mode.
  • Add support for QCA2066 to qwx(4).
  • Changed mtw(4) to only open bulk usb(4) pipes once for the lifetime of the device.
• Installer, upgrade and bootloader improvements:
  • On the macppc architecture, make ofwboot sync instruction cache before entering kernel, preventing a potential boot failure.
  • Made installboot(8) install a copy of the UEFI bootloader in /efi/openbsd on the EFI system partition, allowing creation of boot options for the firmware boot manager other OSes will leave alone.
  • Only install a second copy of the bootloader if the EFI System Partition is at least 1MB to avoid filling up the tiny ESPs we used to create a few releases ago.
  • Made installboot(8) only set BootOrder if our boot option isn't already part of it. This means sysupgrade (or reinstalls) will no longer set OpenBSD as the default OS if users change the boot order by some other means. Fresh installs will still make OpenBSD the default OS.
  • Added a -c option installboot(8) that sets up the machine to boot from the specified disk, used on arm64 and amd64 with UEFI and GPT.
  • Added sysupgrade(8) -R #.# to try to use a specific release version rather than the immediate +0.1.
  • Provided a mechanism for getting required keys to sysupgrade(8) older machines, providing a new set of keybundles signed by older keys to allow sysupgrade to securely and automatically download the required key.
  • Added firmware keys to the signify key bundles. sysupgrade(8) will now extract the firmware key also, allowing fw_update fetch the most up-to-date firmware before upgrading.
  • Added support to sysupgrade(8) to perform a sysupgrade from a fileset stored on a filesystem. This is convenient for offline machines.
  • Made fw_update(8) -a mean all when downloading or installing, not just deleting.
  • Allowed fw_update(8) to download firmware without root.
  • Added fw_update(8) -l flag to list drivers or files.
  • Added -D option to fw_update(8) for using a different dmesg for driver detection.
  • Reworked the "Default IPv6 router?" question in the installer to behave like the other questions.
  • On amd64 with ACPI >= 5, assume that the installer booted in UEFI mode and default to using a GUID Partition Table (GPT).
  • Make IPv6 link-local scope identifiers in "HTTP Server?" answers work in the installer.
  • On updates using sysmerge(8), added options to interactive sdiff(1) merge for choosing both sides of a diff.
• Security improvements:
  • Added sshd-auth to the binaries that relink at boot.
  • Split the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection.
  • Unveiled mountd(8) privileged child's write to/create of mountdtab file, and drop exec permission.
• New features in the network stack:
  • Added an AF_FRAME socket domain and an IFT_ETHER protocol family under it, allowing userland to use sockets to send and receive Ethernet frames.
  • Added tunneldf support to sec(4).
  • Added use of Toeplitz hash for UDP and IPv6 TCP output, giving an improvement in traffic distribution over the queues and 20% performance increase with UDP send on v4/v6 and TCP send on v6 without pf.
  • Implemented tun(4) network offloads between the kernel and userland and introduced a new TUNSCAP ioctl .
  • Implement a per-thread route cache by implementing a thread local memory (struct netstack) that gets passed down the network stack. For consecutive packets it can reuse the route to the same destination.
• Further changes and bugfixes in the network stack:
  • Replaced rwlock with iterator in UDP input multicast loop, preventing a potential kernel crash.
  • Ensure that the correct address family is used in ip_deliver() for enqueuing a packet, fixing a problem with tunneling of different address families.
  • Let LLDP packets fall through to being handled on the port interfaces for aggr(4) as mandated by the standard.
  • Enabled multiqueue for vio(4).
  • Let pppoe(4) data packets go through if_vinput instead of the pppoeinq, improving throughput and possibly reducing packet loss.
  • Fixed out-of-band data in somove(9) socket splicing.
  • Added wg(4) logging of IP addresses of remote endpoints.
  • Limited receive queue of loopback interfaces with 8192 packets, preventing unlimited queues from reaching mbuf limits and making network unusable on some architectures.
  • Fixed TCP checksum for IPv6 packets with extension headers.
  • Fixed incorrect ICMP error translation in af-to NAT, making traceroute6 behind af-to to provide meaningful information.
  • Fixed a 24-year old bug where various checks for broadcast packets were mistakenly skipped, allowing one to send broadcast packets without the SO_BROADCAST option.
  • Prevented installation of path MTU routes for IPsec transport mode SAs.
• The following changes were made to the pf(4) firewall:
  • Allowed pfctl(8) specification of interface and queue bandwidths greater than ~4Gbit.
  • Fixed inpcb leak in divert(4) attach.
• Routing daemons and other userland network programs saw the following improvements:
  • Added iked(8) "natt" option that forces negotiation of nat-t (and udpencap).
  • Made radiusd(8) log the username when rejecting by ipcp.
  • Added ifconfig(8) vxlan "[-]endpoint" command, to remove a tunnel endpoint of a MAC address.
  • Made ifconfig(8) scan display wpa3.
  • Made tcpdump(8) print PPPoE tags as hex dumps.
  • Improved lldp output of tcpdump(8).
  • Added support for client certificates to relayd(8).
  • Made acme-client(1) -v show the account URI from the Location header sent by the server in response to the newAccount API call.
  • Made acme-client(1) always print account URI on first creation of an account key.
  • Added TLS support to tcpbench(1).
  • Started taking into account how long the ntpd(8) DNS probe takes before deciding to punt.
  • Added unwind(8) block list wildcard support using block list entries starting with '.'.
  • Implemented zoneversion EDNS option (RFC 9660) in dig(1).
  • Adjusted rDNS lifetime to RFC 8106 default (minimum) value in rad(8).
  • Made nfsd(8) default to UDP when using only -n.
  • Implemented iscsid(8) handling of HeaderDigest and DataDigest params.
  • Made iscsid send out all the values for session and connection params for each login stage, keeping control of what is selected, making it possible to connect to a lio target.
  • Respect checksum offloading in dhcrelay(8) and dhcrelay6(8).
  • Respect checksum offloading for incoming UDP in dhcpd(8).
  • In smtpd(8),
    • Fixed few imprecisions in forward(5) with regard to where and when | and :include: are disallowed.
    • Fixed the connect filter request documentation in smtpd-filters(7).
    • Proper handling of permanent failures in mail.lmtp(8), previously all failures were considered temporary and so delivery was attempted again.
  • In bgpd(8),
    • Cache the Adj-RIB-Out for sessions that have not been down for more than 1h. This significantly improves synchronisation time of peers that flap.
    • Implement RFC 8538: Notification Message Support for BGP Graceful Restart.
    • Add support for RFC 8654, extended messages.
    • In bgplgd add additional endpoints to query the Adj-RIB-In and Adj-RIB-Out.
    • Bump internal message size limit to 128k and handle up to 10 000 ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
    • Various improvements to the ibuf API including a new reader API which is used to make all message parsing in bgpd memory safe.
    • Added support for IPsec and TCP MD5 to RTR sessions.
    • Improve default multiproto capability announcement selection. The default MP capability is only set if no other capability is configured on the neighbor.
    • The `reject as-set` configuration option now defaults to yes. Route announcements with AS_SET segments in the AS_PATH Attribute will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set for more information.
    • The RFC 8654 Extended Message configuration changed from "announce extended (yes|no|enforce)" to "announce extended message (yes|no|enforce)"
    • RFC 8950 - Extended nexthop encoding support in the RIB.
    • Preliminary support for EVPN in the RIB.
    • When "transparent-as yes" is set, well-known BGP communities are passed on according to RFC 7947. This means that IX Route Servers transparently pass through NO_EXPORT, NO_ADVERTISE, etc.
    • Make the example bgpd.conf work out of the box with 4byte ASN.
  • In rpki-client(8),
    • The generated BIRD config file was reworked. BIRD versions 1.x are no longer supported and the -T option to customize the ROA table name was removed. The config file now includes the ASPA-set by default and is therefore only compatible with BIRD 2.16 and later. If compatibility with older BIRD versions is required, the ASPA-set can be excluded with the -A flag. Operators should delete any remaining bird1v4 and bird1v6 output files.
    • Validated ROA payloads from AS0 TALs are by default excluded from the output files as they are not recommended for automatic filtering of BGP routes. This precaution can be overridden with the new -0 flag.
    • Various improvements to the ibuf API, including a new reader API which is used to make all message parsing in rpki-client memory safe.
    • Warn about gaps in manifest issuance. Such gaps can appear for example if rpki-client isn't run frequently enough, if there are issues with an RFC 8181 publication server or if there is an operational error on the side of the CA.
    • Work around a backward compatibility break accidentally introduced in OpenSSL 3.4.0, which resulted in all RPKI signed objects being rejected. Earlier and later versions of OpenSSL are not affected.
    • Improved validity period checking in file mode. The product's lifetime and the expiration time of the signature path are now taken into account.
    • Better cleanup in case of a fallback from RRDP to RSYNC. In rare circumstances, files were moved to the wrong place in the cache.
    • rpki-client now includes arin.tal which is no longer legally encumbered.
    • rpki-client reports Certification Authorities that do not meaningfully participate in the RPKI as non-functional CAs. By definition, a CA is non-functional if there is no currently valid Manifest. The number of such CAs is printed at the end of each run and more detailed information is available in the JSON (-j) and ometrics (-m) output.
    • Fix a problem where incorrect internal RRDP state handling in rpki-client could lead to a denial of service.
    • Termination of rsync child processes with SIGTERM is no longer treated as an error if rpki-client has sent this signal. This only affects openrsync.
    • Do not exit filemode with an error if a .gbr or a .tak object contains control characters in its UTF-8 strings. Instead, only warn and emit a sanitized version in JSON output.
• tmux(1) improvements and bug fixes:
  • Fixed grey color in tmux(1).
  • Added a way to make the preview larger in tmux(1) tree mode.
  • Fixed tmux(1) problems with pasted text being interpreted as extended keys.
  • Made tmux(1) only use default-shell for popups, returning to /bin/sh for run-shell, if-shell and #().
  • Added MSYSTEM to tmux(1) default update-environment.
  • Added copy-mode-position-format to configure the tmux(1) position indicator.
  • Added -y flag to disable tmux(1) confirmation prompts in modes.
  • Reworked tmux(1) copy mode commands ("send-keys -X") to parse the arguments so that flags may be detected properly rather than just looking for strings ("-O" and so on). Also added -C and -P flags to the copy commands. -C prevents the commands from sending the text to the clipboard and -P prevents them from adding the text as a paste buffer.
  • Added tmux(1) prompt-cursor-colour and prompt-cursor-style to set the style of the cursor in the command prompt and remove the emulated cursor.
  • Added tmux(1) initial-repeat-time option to allow the first repeat time to be increased and later reduced.
  • Added a tmux(1) sixel_support format variable which is 1 if SIXEL is supported (always 0 on OpenBSD).
  • Allow control characters prefixed with C-v to be entered at the tmux.1 command prompt.
  • Added tmux(1) support for a scrollbar at the side of each pane using new options pane-scrollbars, pane-scrollbars-positions and pane-scrollbars-styles.
  • Added tmux(1) option to control the input buffer size.
  • Added tmux(1) scrollbar mouse support.
  • Added a tmux(1) no-detach-on-destroy client option, useful for control mode clients.
  • Added tmux(1) scrollbar style parameters width and pad.
  • Added copy-mode-position-style and copy-mode-selection-style options to tmux(1).
  • Added a tmux(1) option allowing users to override the width of individual Unicode codepoints.
  • Fixed mouse_hyperlink format in tmux(1) copy mode.
  • Added S-Up and S-Down to move windows in tmux(1) tree mode.
  • Made tmux(1) correctly skip wide characters in hyperlinks.
  • Made tmux(1) only align panes and windows, not sessions.
• LibreSSL version 4.1.0
  • Portable changes
    • Added initial experimental support for loongarch64.
    • Fixed compilation for mips32 and reenable CI.
    • Fixed CMake builds on FreeBSD.
    • Fixed the --prefix option for cmake --install.
    • Fixed tests for MinGW due to missing sh(1).
  • Internal improvements
    • Cleaned up the error implementation.
    • Many bug fixes and simplifications in the EC ASN.1 code.
    • Corrected DER encoding for EC keys and parameters.
    • Polished EC_POINT_{oct2point,point2oct}(3) internals.
    • Rewrote the wNAF code for fast ECDSA verification.
    • Improved the code setting compressed coordinates for EC points.
    • Reworked CPU capabilities detection for amd64 and aarch64.
    • New SHA-1, SHA-256 and SHA-512 assembly implementations for amd64. These make use of the SHA-NI instruction if it is available and replace the perl-generated assembly optimized for museum pieces. These are not yet enabled in libressl-portable.
    • New SHA-256 and SHA-512 assembly implementations for aarch64 making use of the ARM Cryptographic Extension (CE). Not yet enabled in libressl-portable.
    • New simplified, readable MD5 implementation for amd64.
    • Rewrote BN_bn2binpad(3) and its lebin siblings.
    • The BIGNUMs in EC_GROUP and EC_POINT are now heap allocated.
    • Rewrote TS_ASN1_INTEGER_print_bio().
    • Improved bit counter handling in MD5.
    • Simplified and cleaned up the BN_RECP_CTX internals.
    • Improved SM4 to match other symmetric ciphers more closely.
    • Rewrote X509_NAME_oneline(3) and X509_NAME_print() using CBS/CBB.
    • CRLs are now cached in the issuer cache like certificates.
    • Replaced combinations of BN_MONT_CTX_new(3)/set with an internal BN_MONT_CTX_create().
    • Replaced BN_bn2hex(3) reimplementation in openssl(1) ca with a proper API call.
    • Fixed integer overflows due to signed shift in obj_dat.c.
    • Improved some X509_VERIFY_PARAM internals and avoid an out of bounds read from public API.
    • Imported ML-KEM 768 and 1024 from BoringSSL (not yet public API).
  • Compatibility changes
    • Added an OPENSSL_INIT_NO_ATEXIT flag for OPENSSL_init_crypto(3). It has no effect since LibreSSL doesn't call atexit(3).
    • Elliptic curve parameters are only accepted if they encode a built-in curve.
    • EC_METHOD is no longer public and the API exposing it has been removed. This includes EC_GROUP_new(3), EC_GFp_mont_method(3), EC_GROUP_method_of(3), and EC_METHOD_get_field_type().
    • The precomputation stubs for EC_GROUP were removed.
    • The API setting Jacobian projective coordinates for a point was removed as were EC_POINTs_{mul,make_affine}(3).
    • All elliptic curves over fields with less than 224 bits and a few more were removed from the built-in curves. This includes all WTLS curves and P-192.
    • It is no longer necessary to set RSA_FLAG_SIGN_VER to use the sign and verify handlers set with RSA_meth_set_{sign,verify}.
    • Removed the -C option to generate "C code" from the openssl(1) dh, dhparam, dsaparam, ecparam, and x509 subcommands.
    • Removed #error in headers when OPENSSL_NO_* is defined.
    • CRYPTO_set_mem_functions(3) now matches OpenSSL 1.1 and CRYPTO_set_mem_ex_functions() was removed.
    • The tls_session_secret_cb_fn type now matches OpenSSL 1.1.
    • Unexport X509_NAME_print(3) and X509_OBJECT_up_ref_count(3).
    • const corrected UI_OpenSSL(3) and BN_MONT_CTX_copy(3).
    • Support OPENSSL_NO_FILENAMES.
    • Support SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
    • Export PKCS12_key_gen_uni() again.
  • New features
    • libtls has a new tls_peer_cert_common_name(3) API call to retrieve the peer's common name without having to inspect the PEM.
  • Bug fixes
    • Plugged a leak in eckey_compute_pubkey().
    • Again allow the magic values -1, -2 and -3 for the salt length of an RSA-PSS key in the EVP_PKEY_CTX_ctrl_str(3) interface.
    • Fixed a few memory leaks in legacy code.
  • Documentation
    • The remaining undocumented public EVP API is now documented.
    • Reorganization of existing documentation for clarity and accuracy.
  • Testing and proactive security
    • Improved regress coverage of the EC code.
• OpenSSH 10.0
  • Security fixes
    • sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. X11 forwarding is disabled by default in the server and agent forwarding is off by default in the client.
  • Potentially incompatible changes
    • This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.
    • scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp & sftp. This disables implicit session creation by these tools when ControlMaster was set to yes/auto by configuration, which some users found surprising. This change will not prevent scp/sftp from using an existing multiplexing session if one had already been created.
    • This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.
    • sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per- connection sshd-session binary to a new sshd-auth binary. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.
    • sshd(8): this release disables finite field (a.k.a modp) Diffie-Hellman key exchange in sshd by default. Specifically, this removes the "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods from the default KEXAlgorithms list. The client is unchanged and continues to support these methods by default. Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages. ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years.
    • sshd(8): this release removes the implicit fallback to compiled- in groups for Diffie-Hellman Group Exchange KEX when the moduli file exists but does not contain moduli within the client- requested range. The fallback behaviour remains for the case where the moduli file does not exist at all. This allows administrators more explicit control over which DH groups will be selected, but can lead to connection failures if the moduli file is edited incorrectly.
  • New features
    • ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. This algorithm is considered to be safe against attack by quantum computers, is guaranteed to be no less strong than the popular curve25519-sha256 algorithm, has been standardised by NIST and is considerably faster than the previous default.
    • ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for the connection. The default cipher preference list is now ChaCha20/Poly1305, AES-GCM (128/256) followed by AES-CTR (128/192/256).
    • ssh(1): add %-token and environment variable expansion to the ssh_config SetEnv directive.
    • ssh(1): allow %-token and environment variable expansion in the ssh_config User directive, with the exception of %r and %C which would be self-referential.
    • ssh(1), sshd(8): add "Match version" support to ssh_config and sshd_config. Allows matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*".
    • ssh(1): add support for "Match sessiontype" to ssh_config. Allows matching on the type of session initially requested, either "shell" for interactive sessions, "exec" for command execution sessions, "subsystem" for subsystem requests, such as sftp, or "none" for transport/forwarding-only sessions.
    • ssh(1): add support for "Match command ..." support to ssh_config, allowing matching on the remote command as specified on the command-line.
    • ssh(1): allow 'Match tagged ""' and 'Match command ""' to match empty tag and command values respectively.
    • sshd(8): allow glob(3) patterns to be used in sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
    • ssh(1): support the VersionAddendum in the client, mirroring the option of the same name in the server.
    • ssh-agent(1): the agent will now delete all loaded keys when signaled with SIGUSR1. This allows deletion of keys without having access to $SSH_AUTH_SOCK.
    • ssh-keygen(1): support FIDO tokens that return no attestation data, e.g. recent WinHello.
    • ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the default FIDO application ID allow-list to be overridden.
    • Add a work-in-progress tool to verify FIDO attestation blobs that ssh-keygen can optionally write when enrolling FIDO keys. This tool is available under regress/misc/ssh-verify-attestation for experimentation but is not installed by "make install".
    • ssh-keygen(1): allow "-" as output file for moduli screening.
  • Bugfixes
    • sshd(8): remove assumption that the sshd_config and any configs it includes can fit in a (possibly enlarged) socket buffer. Previously it was possible to create a sufficiently large configuration that could cause sshd to fail to accept any connection. sshd(8) will now actively manage sending its config to the sshd-session sub-process.
    • ssh(1): don't start the ObscureKeystrokeTiming mitigations if there has been traffic on a X11 forwarding channel recently. Should fix X11 forwarding performance problems when this setting is enabled.
    • ssh(1): prohibit the comma character in hostnames accepted, but allow an underscore as the first character in a hostname.
    • sftp(1): set high-water when resuming a "put". Prevents bogus "server reordered acks" debug message.
    • ssh(1), sshd(8): fix regression in openssh-9.8, which would fail to accept "Match criteria=argument" as well as the documented "Match criteria argument" syntax in ssh_config and sshd_config.
    • sftp(1), ssh(1): fix a number possible NULL dereference bugs, including Coverity CIDs 405019 and 477813.
    • sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime was exceeded.
    • sshd(8): fix "Match invalid-user" from incorrectly being activated in initial configuration pass when no other predicates were present on the match line
    • sshd(8): fix debug logging of user specific delay.
    • sshd(8): improve debug logging across sub-process boundaries. Previously some log messages were lost early in the sshd-auth and sshd-session processes' life.
    • ssh(1): require control-escape character sequences passed via the '-e ^x' command-line to be exactly two characters long. Avoids one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..."
    • ssh(1), sshd(8): prevent integer overflow in X11 port handling. These are theoretically possible if the admin misconfigured X11DisplayOffset or the user misconfigures their own $DISPLAY, but don't happen in normal operation.
    • ssh-keygen(1): don't mess up ssh-keygen -l output when the file contains CR characters.
    • sshd(8): add rate limits to logging of connections dropped by PerSourcePenalties. Previously these could be noisy in logs.
    • ssh(1): fix argument of "Compression" directive in ssh -G config dump, which regressed in openssh-9.8.
    • sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd refuses to accept the signature returned by an agent holding host keys during the hostkey rotation sub-protocol. This situation could occur in situations where a PKCS#11 smartcard that lacked support for particular signature algorithms was used to store host keys.
    • ssh-keygen(1): when using RSA keys to sign messages with "ssh-keygen -Y", select the signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx"). This allows using something other than the default of rsa-sha2-512, which may not be supported on all signing backends, e.g. some smartcards only support SHA256.
    • ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on big-endian systems.
    • Many regression and interop test improvements.
• Ports and packages:

  Many pre-built packages for each architecture:

  • aarch64: 12446
  • amd64: 12593
  • arm: xxx
  • i386: 10429
  • mips64: 8635
  • powerpc: xxx
  • powerpc64: 7501
  • riscv64: 10585
  • sparc64: 9080

  Some highlights:

  • Asterisk 16.30.1, 18.26.1, 20.13.0 and 22.3.0
  • Audacity 3.7.3
  • CMake 3.31.6
  • Chromium 135.0.7049.52
  • Emacs 30.1
  • FFmpeg 6.1.2
  • GCC 8.4.0 and 11.2.0
  • GHC 9.8.3
  • GNOME 47
  • Go 1.24.1
  • JDK 8u442, 11.0.26, 17.0.14 and 21.0.6
  • KDE Applications 24.12.3
  • KDE Frameworks 6.12.0
  • KDE Plasma 6.3.3
  • Krita 5.2.9
  • LLVM/Clang 13.0.0, 16.0.6, 18.1.8 and 19.1.7
  • LibreOffice 25.2.1.2
  • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.7
  • MariaDB 11.4.5
  • Mono 6.12.0.199
  • Mozilla Firefox 137.0 and ESR 128.9.0
  • Mozilla Thunderbird 128.9.0
  • Mutt 2.2.14 and NeoMutt 20250113
  • Node.js 22.14.0
  • OCaml 4.14.2
  • OpenLDAP 2.6.9
  • PHP 8.2.28, 8.3.19 and 8.4.5
  • Postfix 3.10.1
  • PostgreSQL 17.4
  • Python 2.7.18 and 3.12.9
  • Qt 5.15.16 (+ kde patches) and 6.8.2
  • R 4.4.2
  • Ruby 3.2.8, 3.3.7 and 3.4.2
  • Rust 1.86.0
  • SQLite 3.49.1
  • Shotcut 25.01.25
  • Sudo 1.9.16p1
  • Suricata 7.0.7
  • Tcl/Tk 8.5.19 and 8.6.16
  • TeX Live 2024
  • Vim 9.1.1265 and Neovim 0.10.4
  • Xfce 4.20.0
• As usual, steady improvements in manual pages and other documentation.
• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 21.1.16 + patches, freetype 2.13.3, fontconfig 2.15.0, Mesa 23.3.6, xterm 395, xkeyboard-config 2.20, fonttosfnt 1.2.4 and more)
  • LLVM/Clang 16.0.6 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.40.1 (+ patches)
  • NSD 4.9.1
  • Unbound 1.22.0
  • Ncurses 6.4
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patches)
  • Awk 20250116
  • Expat 2.7.1
  • zlib 1.3.1 (+ patches)

---

How to install

Please refer to the following files on the mirror site for extensive details on how to install OpenBSD 7.7 on your machine:

• .../OpenBSD/7.7/alpha/INSTALL.alpha
• .../OpenBSD/7.7/amd64/INSTALL.amd64
• .../OpenBSD/7.7/arm64/INSTALL.arm64
• .../OpenBSD/7.7/armv7/INSTALL.armv7
• .../OpenBSD/7.7/hppa/INSTALL.hppa
• .../OpenBSD/7.7/i386/INSTALL.i386
• .../OpenBSD/7.7/landisk/INSTALL.landisk
• .../OpenBSD/7.7/loongson/INSTALL.loongson
• .../OpenBSD/7.7/luna88k/INSTALL.luna88k
• .../OpenBSD/7.7/macppc/INSTALL.macppc
• .../OpenBSD/7.7/octeon/INSTALL.octeon
• .../OpenBSD/7.7/powerpc64/INSTALL.powerpc64
• .../OpenBSD/7.7/riscv64/INSTALL.riscv64
• .../OpenBSD/7.7/sparc64/INSTALL.sparc64

---

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/alpha:

If your machine can boot from CD, you can write install77.iso or cd77.iso to a CD and boot from it. Refer to INSTALL.alpha for more details.

OpenBSD/amd64:

If your machine can boot from CD, you can write install77.iso or cd77.iso to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install77.img or miniroot77.img to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.

OpenBSD/arm64:

If your machine can boot from CD, you can write install77.iso or cd77.iso to a CD and boot from it.

To boot from disk, write install77.img or miniroot77.img to a disk and boot from it after connecting to the serial console. Refer to INSTALL.arm64 for more details.

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.

OpenBSD/i386:

If your machine can boot from CD, you can write install77.iso or cd77.iso to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install77.img or miniroot77.img to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.

OpenBSD/landisk:

Write miniroot77.img to the start of the CF or disk, and boot normally.

OpenBSD/loongson:

Write miniroot77.img to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.

OpenBSD/luna88k:

Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /7.7/macppc/bsd.rd

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.

OpenBSD/powerpc64:

To install, write install77.img or miniroot77.img to a USB stick, plug it into the machine and choose the OpenBSD install menu item in Petitboot. Refer to the instructions in INSTALL.powerpc64 for more details.

OpenBSD/riscv64:

To install, write install77.img or miniroot77.img to a USB stick, and boot with that drive plugged in. Make sure you also have the microSD card plugged in that shipped with the HiFive Unmatched board. Refer to the instructions in INSTALL.riscv64 for more details.

OpenBSD/sparc64:

Burn the image from a mirror site to a CDROM, boot from it, and type boot cdrom.

If this doesn't work, or if you don't have a CDROM drive, you can write floppy77.img or floppyB77.img (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write miniroot77.img to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

---

How to upgrade

If you already have an OpenBSD 7.6 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.

---

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

# mkdir -p /usr/src # cd /usr/src # tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

# mkdir -p /usr/src/sys # cd /usr/src # tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

---

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr # tar xvfz /tmp/ports.tar.gz

Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

# cd /usr/ports # cvs -d [email protected]:/cvs update -Pd -rOPENBSD_7_7

[Of course, you must replace the server name here with a nearby anoncvs server.]

Note that most ports are available as packages on our mirrors. Updated ports for the 7.7 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list [email protected] is a good place to know.