OpenBSD 5.5

=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/55.html,v retrieving revision 1.67 retrieving revision 1.68 diff -u -r1.67 -r1.68 --- www/55.html 2014/05/02 18:58:56 1.67 +++ www/55.html 2014/05/02 18:59:49 1.68 @@ -1 +1,1141 @@ -RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h + + + +OpenBSD 5.5 + + + + + + + + + + + +

+ + + +

OpenBSD 5.5

+Released May 1, 2014
+Copyright 1997-2014, Theo de Raadt.
+ISBN 978-0-9881561-3-5 +
+5.5 Song: "Wrap in Time" +

+ +

Order a CDROM from our ordering system. +
See the information on the FTP page for + a list of mirror machines. +
Go to the pub/OpenBSD/5.5/ directory on + one of the mirror sites. +
Briefly read the rest of this document. +
Have a look at the 5.5 errata page for a list + of bugs and workarounds. +
See a detailed log of changes between the + 5.4 and 5.5 releases. +
+
5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h +
5.5 fw signify pubkey: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO +
5.5 pkg signify pubkey: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5 +

+
+All applicable copyrights and credits can be found in the applicable +file sources found in the files src.tar.gz, sys.tar.gz, +xenocara.tar.gz, or in the files fetched via ports.tar.gz. The +distribution files used to build packages from the ports.tar.gz file +are not included on the CDROM because of lack of space. +

+ + +

What's New

+This is a partial list of new features and systems included in OpenBSD 5.5. +For a comprehensive list, see the changelog leading +to 5.5. +

+ +

time_t is now 64 bits on all platforms. +
- From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC. +
- The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t. +
- Userland programs that were changed include + arp(8), + bgpd(8), + calendar(8), + cron(8), + find(1), + fsck_ffs(8), + ifconfig(8), + ksh(1), + ld(1), + ld.so(1), + netstat(1), + pfctl(8), + ping(8), + rtadvd(8), + ssh(1), + tar(1), + tmux(1), + top(1), + and many others, including games! +
- Removed time_t from network, on-disk, and database formats. +
- Removed as many (time_t) casts as possible. +
- Format strings were converted to use %lld and (long long) casts. +
- Uses of timeval were converted to timespec where possible. +
- Parts of the system that could not use 64-bit time_t were converted to use unsigned 32-bit instead, so they are good till the year 2106. +
- Numerous ports throughout the ports tree received time_t fixes. +
+
+ +
Releases and packages are now cryptographically signed with the +signify(1) utility. +
- The installer will verify all sets before installing. +
- Installing without verification works, but is discouraged. +
- Users are advised to verify the installer (bsd.rd, install55.iso, etc.) + ahead of time using the + signify(1) tool if available. +
- pkg_add(1) now only trusts signed packages by default. +
+
+ +
Installer improvements: +
- The installer now supports a scriptable + auto-installation + method that enables unattended installation and upgrades using a response file. +
- Disk images which can be written to a USB flash drive + (miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) + are now provided for amd64 and i386. +
- Rewritten + installboot(8) + utility aiming for a unified implementation across platforms (currently + used by amd64 and i386 only). +
- The installer now parses nwids with embedded blanks correctly. +
+
+ +
New/extended platforms: +
- OpenBSD/alpha: +
  - Multiprocessor support. +
  +
- OpenBSD/aviion: +
  - First self-hosting release for 88100-based AViiON systems. +
  +
- OpenBSD/armv7 replaces OpenBSD/beagle. +
+
+ +
Improved hardware support, including: +
- New vmx(4) + driver for VMware VMXNET3 Virtual Interface Controller devices. +
- New vmwpvs(4) + driver for VMware Paravirtual SCSI. +
- New vioscsi(4) + driver for VirtIO SCSI adapters. +
- New viornd(4) + driver for VirtIO random number devices. +
- New ubcmtp(4) + driver for Broadcom multi-touch trackpads found on newer Apple MacBook, + MacBook Pro, and MacBook Air laptops. +
- New ugold(4) + driver for TEMPer gold HID thermometers. +
- New ugl(4) + driver for Genesys Logic based USB host-to-host adapters. +
- New qla(4) driver for Qlogic fibre channel HBAs. +
- radeondrm(4) + has been overhauled, including: +
  - New port of the Radeon code in Linux 3.8.13.19. +
  - Support for Kernel Mode Setting (KMS) including support for + additional output types such as DisplayPort. +
  - wsdisplay(4) + now attaches to + radeondrm(4) + and provides a framebuffer console. +
  +
- inteldrm(4) + has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes. +
- Support for Intel 8 Series Ethernet with i217/i218 PHYs, and + i210/i211/i354 has been added to + em(4). +
- Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to + iwn(4). +
- Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to + arc(4). +
- Support for Elantech v2 touchpads in pms(4) has been fixed. +
- Support for 802.11a (5Ghz) has been added to wpi(4). +
- Workarounds for firmware stability issues have been added to + wpi(4), + iwi(4), and + iwn(4). +
- Support for RT3572 chips has been added to the + ral(4) driver. +
- Support for RTL8106E chips has been added to the + re(4) driver. +
- Support for RTS5229 card readers has been added to rtsx(4). +
- Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver. +
- Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver. +
- Further reliability improvements regarding suspend/resume and hibernation. +
- Enabled IPv6 transmit TCP/UDP checksum offload in + jme(4). +
+
+ +
Generic network stack improvements: +
- Added vxlan(4), + a virtual extensible local area network tunnel interface. +
- pflow(4) + now sends 64 bit time values for pflowproto 10. The changed templates / + flows for pflowproto 10 are now parsable by existing receivers. +
- Continued improvement of the checksum offload framework to streamline + the calculation of TCP, UDP, ICMP, and ICMPv6 checksums. +
- Enabled IPv6 routing domain support. +
+
+ +
Routing daemons and other userland network improvements: +
- The popa3d POP3 server has been removed. +
- Added ntpctl(8), + a program to control the Network Time Protocol daemon. +
- slowcgi(8) + now works with a high number of concurrent connections. +
- The inetd-based identd has been replaced by a new libevent-based + identd(8). +
- tcpdump(8) + can now detect bad ICMP and ICMPv6 checksums when used with the -v flag. +
- Added rdomain support to IPv6 configuration tools + ndp(8), + rtsold(8), + ping6(8), and + traceroute6(8). +
- Added SNMPv2 client support to + snmpctl(8) + ("get", "walk", and "bulkwalk"). +
- relayd(8) + now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default. +
+
+ +
pf(4) improvements: +
- New queueing system with new syntax. +
- The "received-on" parameter can now be used with the "any" keyword to + match any existing interface except loopback ones. +
- The block policy in the default pf.conf(5) is now "block return". +
+
+ +
dhcpd(8) and dhclient(8) improvements: +
- No longer create a route to the bound address via 127.0.0.1. +
- The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5). +
- 'next-server' (a.k.a. siaddr) info now saved in lease files. +
- Fall back to broadcasting when unicast renewal fails, as specified in +RFC 2131 and friends. +
- Fix various problems in communications between privileged and non-privileged processes. +
- Fix many abuses of memcpy. +
- Stop pretending we still support FDDI or token ring hardware types. +
- Fix classless static routes option handling and add syntax to parse human-readable forms. +
- Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields. +
- Fix handling of non-printable characters in lease file strings. +
- Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line. +
- dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'. +
- Fix parsing of dhclient.conf(5) statements 'fixed-address' and +'next-server'. +
- Log failures to fchmod() or fchown() files being written. +
- Create lease files with permissions 0640. +
- Fix possible failure to write resolv.conf(5) when -L is used. +
- 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent. +
+
+ +
iked(8) improvements: +
- Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL". +
- Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys. +
- Support for DPD ("Dead Peer Detection") similar to the implementation in + isakmpd(8). +
- Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix". +
- Initial support for IPComp. +
- Various improvements and a thorough audit of the network input path. +
+
+ +
OpenSMTPD 5.4.2 (includes changes to 5.4.1): +
- Introduce initial support for DSN extension: +
  - NOTIFY=SUCCESS, NOTIFY=FAILURE, NOTIFY=DELAY, NOTIFY=NEVER +
  - RET=HDRS, RET=FULL +
  +
- Introduce initial support for ENHANCEDSTATUSCODES extension: +
  - smtp process returns Enhanced Status Codes for most commands. +
  - other processes now have an API to return more precise codes ... +
  - ... which will be improved further with each version. +
  +
- Improved smtpctl(8): +
  - sendmail mode now supports DSN parameters +
  - Can now pause/resume a source address -> destination domain route. +
  - Can now display status of processes with smtpctl show status. +
  - show relays: displays list of currently active relays. +
  - show routes: displays status of routes currently known by smtpd. +
  - show hosts: displays list of known remote MX. +
  - show hoststats: display status of last delivery for active domains. +
  - resume route: resumes route temporarily disable by the MTA. +
  - pause/resume envelope: allows pausing individual envelopes. +
  - pause/resume message: allows pausing individual messages. +
  - encrypt: allows generating credentials suitable for authentication. +
  - show message/envelope is now compression/encryption aware. +
  +
- Introduced SNI support. +
- Improved configuration file: +
  - Removed last known ambiguity in grammar. +
  - Much simpler configuration for TLS-enabled hosts. +
  - Most parameters are now swappable in listen and accept rules. +
  - Conditions may be negated (ie: accept from ! <trusted> ...) +
  - Forward-only rules can be declared to impose ~/.forward files. +
  - New "recipient" keyword allows accept rule to provide a whitelist. +
  - Sender and recipient tables accept wildcard in their domains. +
  +
- TLS generic improvements: +
  - Support for TLS Perfect Forward Secrecy. +
  - Support for providing custom CA certificates. +
  +
- MTA improvements: +
  - mta may now require remote hosts to present valid certificates. +
  - Always attempt TLS before falling back to plaintext. +
  - Always present certificate if one is available. +
  - AUTH LOGIN now supported. +
  - MTA can now specify a EHLO-hostname when relaying. +
  +
- SMTP server improvements: +
  - IPv4-only and IPv6-only listeners are now possible. +
  - Listeners may now hide the From part in a Received-line. +
  - Listeners may require clients to provide a valid certificate. +
  - Banner hostname can now be dynamically fetched from a table. +
  +
- Queue improvements: +
  - Introduce an envelope cache in the queue to improve disk-IO pattern. +
  +
- Documentation: +
  - table(5) describes format for static, file and db backends. +
  - sendmail(8) describes our "sendmail" interface. +
  +
- Reduced memory usage in both general and stressed cases. +
- OpenSMTPD now automagically upgrades queue if the format changes! +
- Support Qmail-like "sticky home". +
- Support for authenticating users from a credentials table. +
- Introduce passwd(5) table backend for user and credentials lookup. +
- Expansion variables in ~/.forward now support modifiers. +
- Much more efficient scheduler! +
- Many documentation fixes and improvements. +
- And a lot of minor bug fixes and internal cleanup! +
+
+ +
Security improvements: +
- Position-independent executables (PIE) are now used by default on i386. +
- The arc4random(3) + functions now use the ChaCha20 cipher. +
- The kernel random number system is initially seeded by the bootloader, + providing better random very early. +
- Kernel stack protector is also seeded via the same mechanism, providing + protection earlier. +
- -Wbounded is now enabled in GCC by default. +
- Added explicit_bzero(3). +
+
+ +
Performance improvements: +
- Relations between the buffer cache and swap daemon have been improved. +
+
+ +
Threading improvements: +
- Interprocess semaphores via sem_open(3). +
- Running threaded processes under a debugger no longer causes panics. +
- SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered. +
- Thread stacks now have a random bias. +
- fork(2) no longer changes the pthread_t of the forking thread in the child. +
- Signaling races eliminated from pthread_kill(3) and pthread_cancel(3). +
+
+ +
Assorted improvements: +
- New in-memory file system, tmpfs. +
- Many fuse(4) improvements and stability fixes. +
- Added POSIX-required nl(1) utility. +
- OpenBSD/vax has switched to GCC 3. +
- Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3). +
- amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency. +
- Added support for CLOCK_UPTIME. +
- Added tcgetsid(3). +
- clock_t is now a 64 bit type, so it no longer wraps around in only 248 days. +
- ino_t is now a 64 bit type, mostly to support large NFS filesystems. +
- Corrected handling of UTIME_OMIT. +
- pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested. +
- Corrected handling of shared library destructors when libc is statically linked. +
- Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits. +
- Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits. +
- All CIRCLEQ uses replaced with TAILQ. +
- Preserve and honour changes to the OpenBSD bounds in a disklabel. +
- fdisk(8) now always writes a good signature when the MBR is written to disk. +
- disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices. +
- Fix athn(4) tick calculations to eliminate excessive timeouts. +
- Allow disklabel(8) to set any partition, including 'C', to type UNUSED. +
- New sha512(1) tool to calculate and verify the SHA-512 checksums of files. +
- sha256(1) and related tools + (cksum(1), + md5(1), + sha1(1), and + sha512(1)) + now support a new -h flag to place the checksum into a specified hash file instead of stdout. +
- sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist. +
- sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist. +
- i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes. +
- Allow softraid(4) to work with partitions larger than 2TB. +
- Removed experimental RAID 4 support from softraid(4). +
- Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5. +
- The uhts(4) driver has been merged into + ums(4). +
- Many new checks were added to portcheck(1) utility; now it catches almost every popular mistake that observed in ports in last years. +
+
+ +
OpenSSH 6.6 (including changes to 6.5, a feature-focused release): +
- Security: +
  - sshd(8): + when using environment passing with a + sshd_config(5) + AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could + be tricked into accepting any enviornment variable that contains the + characters before the wildcard character. +
  +
- New/changed features: +
  - ssh(1), + sshd(8): + Add support for key exchange using elliptic-curve Diffie Hellman + in Daniel Bernstein's Curve25519. This key exchange method is + the default when both the client and server support it. +
  - ssh(1), + sshd(8): + Add support for ED25519 as a public key type. ED25519 is + a elliptic curve signature scheme that offers better security than + ECDSA and DSA and good performance. It may be used for + both user and host keys. +
  - Add a new private key format that uses a bcrypt KDF to better + protect keys at rest. This format is used unconditionally for + ED25519 keys, but may be requested when generating or saving + existing keys of other types via the -o + ssh-keygen(1) + option. We intend to make the new format the default in the near + future. Details of the new format are in the PROTOCOL.key + file. +
  - ssh(1), + sshd(8): + Add a new transport cipher "chacha20-poly1305@openssh.com" that + combines Daniel Bernstein's ChaCha20 stream cipher and + Poly1305 MAC to build an authenticated encryption mode. Details + are in the PROTOCOL.chacha20poly1305 file. +
  - ssh(1), + sshd(8): + Refuse RSA keys from old proprietary clients and servers that + use the obsolete RSA+MD5 signature scheme. It will still be + possible to connect with these clients/servers but only DSA keys + will be accepted, and OpenSSH will refuse connection entirely in a + future release. +
  - ssh(1), + sshd(8): + Refuse old proprietary clients and servers that use a weaker key + exchange hash calculation. +
  - ssh(1): + Increase the size of the Diffie-Hellman groups requested for + each symmetric key size. New values from NIST Special Publication + 800-57 with the upper limit specified by RFC 4419. +
  - ssh(1), + ssh-agent(1): + Support PKCS#11 tokens that only provide X.509 certs + instead of raw public keys. (requested as bz#1908) +
  - ssh(1): + Add a + ssh_config(5) + Match keyword that allows conditional configuration to be + applied by matching on hostname, user and result of + arbitrary commands. +
  - ssh(1): + Add support for client-side hostname canonicalisation using a + set of DNS suffixes and rules in + ssh_config(5). + This allows unqualified names to be canonicalised to fully-qualified + domain names to eliminate ambiguity when looking up keys in + known_hosts or checking host certificate names. +
  - sftp-server(8): + Add the ability to whitelist and/or blacklist sftp protocol requests by + name. +
  - sftp-server(8): + Add a sftp "fsync@openssh.com" to support calling + fsync(2) + on an open file handle. +
  - sshd(8): + Add a + ssh_config(5) + PermitTTY to disallow TTY allocation, mirroring the + longstanding no-pty authorized_keys option. +
  - ssh(1): + Add a + ssh_config(5) + ProxyUseFDPass option that supports the use of + ProxyCommands that establish a connection and then pass a + connected file descriptor back to + ssh(1). + This allows the ProxyCommand to exit rather than staying + around to transfer data. +
  - ssh(1), + sshd(8): + this release removes the J-PAKE authentication code. This code + was experimental, never enabled and had been unmaintained for some + time. +
  - ssh(1): + when processing Match blocks, skip 'exec' clauses + other clauses predicates failed to match. +
  - ssh(1): + if hostname canonicalisation is enabled and results in the destination + hostname being changed, then re-parse + ssh_config(5) + files using the new destination hostname. This gives 'Host' + and 'Match' directives that use the expanded hostname a chance + to be applied. +
  +
- The following significant bugs have been fixed in this release: +
  - ssh(1), + sshd(8): + Fix potential stack exhaustion caused by nested certificates. +
  - ssh(1): + make BindAddress work with UsePrivilegedPort. + (bz#1211) +
  - sftp(1): + fix the progress meter for resumed transfer. (bz#2137) +
  - ssh-add(1): + do not request smartcard PIN when removing keys from + ssh-agent(1). + (bz#2187) +
  - sshd(8): + fix re-exec fallback when original + sshd(8) + binary cannot be executed. (bz#2139) +
  - ssh-keygen(1): + Make relative-specified certificate expiry times relative to current + time and not the validity start time. +
  - sshd(8): + fix AuthorizedKeysCommand inside a Match block. + (bz#2161) +
  - sftp(1): + symlinking a file would incorrectly canonicalise the target path. + (bz#2129) +
  - ssh-agent(1): + fix a use-after-free in the PKCS#11 agent helper executable. + (bz#2175) +
  - sshd(8): + Improve logging of sessions to include the user name, remote + host and port, the session type (shell, command, + etc.) and allocated TTY (if any). +
  - sshd(8): + tell the client (via a debug message) when their preferred listen + address has been overridden by the server's GatewayPorts + setting. (bz#1297) +
  - sshd(8): + include report port in bad protocol banner message. (bz#2162) +
  - sftp(1): + fix memory leak in error path in do_readdir(). (bz#2163) +
  - sftp(1): + don't leak file descriptor on error. (bz#2171) +
  - sshd(8): + include the local address and port in "Connection + from ..." message. (only shown at loglevel>=verbose) +
  - ssh(1): + avoid spurious "getsockname failed: Bad file descriptor" in + ssh -W. (bz#2200, debian#738692) +
  - sshd(8): + allow the + shutdown(2) + syscall in seccomp-bpf and systrace sandbox modes, as it is reachable + if the connection is terminated during the pre-auth phase. +
  - ssh(1), + sshd(8): + fix unsigned overflow that in SSH protocol 1 bignum parsing. + Minimum key length checks render this bug unexploitable to compromise + SSH 1 sessions. +
  - sshd_config(5) + clarify behaviour of a keyword that appears in multiple matching + Match blocks. (bz#2184) +
  - ssh(1): + avoid unnecessary hostname lookups when canonicalisation is disabled. + (bz#2205) +
  - sshd(8): + avoid sandbox violation crashes in GSSAPI code by caching the supported + list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) +
  - ssh(1): + fix possible crashes in SOCKS4 parsing caused by assumption that the + SOCKS username is nul-terminated. +
  - ssh(1): + fix regression for UsePrivilegedPort=yes when + BindAddress is not specified. +
  - ssh(1), + sshd(8): + fix memory leak in ECDSA signature verification. +
  - ssh(1): + fix matching of 'Host' directives in + ssh_config(5) + files to be case-insensitive again. (regression in 6.5) +
  +
+
+ +
Ports and packages: +
- Over 8,700 ports. +
- Major overhaul of the package tools, resulting in much better memory usage. +
- pkg_add(1) now only trusts signed packages by default. +
- The build process now allows some limited capability for building + conflicting packages, yielding KDE 4 packages as a result, along + with KDE 3 ones. +
+
+

Many pre-built packages for each architecture: + + +

i386: 8468 +
sparc64: 7969 +
alpha: 6199 +
m68k: 3270 +

sh: 345 +
amd64: 8534 +
powerpc: 8057 +
m88k: 1258 +

sparc: 4681 +
arm: 6181 +
hppa: 6549 +

vax: 1007 +
mips64: 4726 +
mips64el: 6730 +

+ +

Some highlights: +
- GNOME 3.10.2
- KDE 3.5.10 +
- KDE 4.11.5 +
- Xfce 4.10
- MySQL 5.1.73 +
- PostgreSQL 9.3.2
- Postfix 2.11.0 +
- OpenLDAP 2.3.43 and 2.4.38
- Mozilla Firefox 24.3 and 26.0 +
- Mozilla Thunderbird 24.3.0
- GHC 7.6.3 +
- LibreOffice 4.1.4.2
- Emacs 21.4 and 24.3 +
- Vim 7.4.135
- PHP 5.3.28 and 5.4.24 +
- Python 2.7.6 and 3.3.2
- Ruby 1.8.7.374, 1.9.3.484, 2.0.0.353 and 2.1.0 +
- Tcl/Tk 8.5.15 and 8.6.1
- JDK 1.6.0.32 and 1.7.0.21 +
- Mono 2.10.9
- Chromium 32.0.1700.102 +
- Groff 1.22.2
- Go 1.2 +
- GCC 4.6.4 and 4.8.2
- LLVM/Clang 3.3 +
- Node.js 0.10.24 +
+
+ +
As usual, steady improvements in manual pages and other documentation. +
+ +
The system includes the following major components from outside suppliers: +
- Xenocara (based on X.Org 7.7 with xserver 1.14.5 + patches, + freetype 2.5.2, fontconfig 2.10.91, Mesa 9.2.5, xterm 301, + xkeyboard-config 2.10.1 and more) +
- Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches) +
- Perl 5.16.3 (+ patches) +
- Our improved and secured version of Apache 1.3, with + SSL/TLS and DSO support +
- Nginx 1.4.4 (+ patches) +
- OpenSSL 1.0.1c (+ patches) +
- SQLite 3.8.0.2 (+ patches) +
- Sendmail 8.14.8, with libmilter +
- Bind 9.4.2-P2 (+ patches) +
- NSD 4.0.1 +
- Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches) +
- Sudo 1.7.2p8 +
- Ncurses 5.7 +
- Heimdal 1.5.2 (+ patches) +
- Binutils 2.15 (+ patches) +
- Gdb 6.3 (+ patches) +
- Less 444 (+ patches) +
- Awk Aug 10, 2011 version +
+ +

+ + +

How to install

+Following this are the instructions which you would have on a piece of +paper if you had purchased a CDROM set instead of doing an alternate +form of install. The instructions for doing an FTP (or other style +of) install are very similar; the CDROM instructions are left intact +so that you can see how much easier it would have been if you had +purchased a CDROM instead. +

+ +

+Please refer to the following files on the three CDROMs or FTP mirror for +extensive details on how to install OpenBSD 5.5 on your machine: +

+ +

+Quick installer information for people familiar with OpenBSD, and the +use of the "disklabel -E" command. If you are at all confused when +installing OpenBSD, read the relevant INSTALL.* file as listed above! +

+ +

OpenBSD/i386:

CD1:5.5/i386/floppy55.fs

+Use CD1:5.5/i386/floppyB55.fs instead for greater SCSI controller +support, or CD1:5.5/i386/floppyC55.fs for better laptop support. + +

+If you can't boot from a CD or a floppy disk, +you can install across the network using PXE as described in +the included INSTALL.i386 document. + +

+If you are planning on dual booting OpenBSD with another OS, you will need to +read INSTALL.i386. + +

+To make a boot floppy under MS-DOS, use the "rawrite" utility located +at CD1:5.5/tools/rawrite.exe. To make the boot floppy under a Unix OS, +use the +dd(1) +utility. The following is an example usage of +dd(1), +where the device could be "floppy", "rfd0c", or +"rfd0a". + +

+# dd if=<file> of=/dev/<device> bs=32k
+

+Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or +your install will most likely fail. For more information on creating a boot +floppy and installing OpenBSD/i386 please refer to +FAQ 4.3.2. +

+ +

OpenBSD/amd64:

CD2:5.5/amd64/floppy55.fs

+If you can't boot from a CD or a floppy disk, +you can install across the network using PXE as described in the included +INSTALL.amd64 document. + +

+If you are planning to dual boot OpenBSD with another OS, you will need to +read INSTALL.amd64. +

+ +

OpenBSD/macppc:

OpenBSD/macppc boot

+Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot +/5.5/macppc/bsd.rd +

+ +

OpenBSD/sparc64:

boot cdrom

+If this doesn't work, or if you don't have a CDROM drive, you can write +CD3:5.5/sparc64/floppy55.fs or CD3:5.5/sparc64/floppyB55.fs +(depending on your machine) to a floppy and boot it with boot +floppy. Refer to INSTALL.sparc64 for details. + +

+Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install +will most likely fail. + +

+You can also write CD3:5.5/sparc64/miniroot55.fs to the swap partition on +the disk and boot with boot disk:b. + +

+If nothing works, you can boot over the network as described in INSTALL.sparc64. +

+ +

OpenBSD/alpha:

Write FTP:5.5/alpha/floppy55.fs or +FTP:5.5/alpha/floppyB55.fs (depending on your machine) to a diskette and +enter boot dva0. Refer to INSTALL.alpha for more details. + +

+Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install +will most likely fail. + +

+ +

OpenBSD/armish:

+After connecting a serial port, Thecus can boot directly from the network +either tftp or http. Configure the network using fconfig, reset, +then load bsd.rd, see INSTALL.armish for specific details. +IOData HDL-G can only boot from an EXT-2 partition. Boot into linux +and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) +then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. +More details are available in INSTALL.armish. +

+ +

OpenBSD/hp300:

+Boot over the network by following the instructions in INSTALL.hp300. +

+ +

OpenBSD/hppa:

+Boot over the network by following the instructions in INSTALL.hppa or the +hppa platform page. +

+ +

OpenBSD/landisk:

+Write miniroot55.fs to the start of the CF +or disk, and boot normally. +

+ +

OpenBSD/loongson:

+Write miniroot55.fs to a USB stick and boot bsd.rd from it +or boot bsd.rd via tftp. +Refer to the instructions in INSTALL.loongson for more details. +

+ +

OpenBSD/luna88k:

+Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader +from the PROM, and the bsd.rd from the bootloader. +Refer to the instructions in INSTALL.luna88k for more details. +

+ +

OpenBSD/mvme68k:

+You can create a bootable installation tape or boot over the network.
+The network boot requires a MVME68K BUG version that supports the NIOT +and NBO debugger commands. Follow the instructions in INSTALL.mvme68k +for more details. +

+ +

OpenBSD/mvme88k:

+You can create a bootable installation tape or boot over the network.
+The network boot requires a MVME88K BUG version that supports the NIOT +and NBO debugger commands. Follow the instructions in INSTALL.mvme88k +for more details. +

+ +

OpenBSD/octeon:

+After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. +Refer to the instructions in INSTALL.octeon for more details. +

+ +

OpenBSD/sgi:

+To install, burn cd55.iso on a CD-R, put it in the CD drive of your +machine and select Install System Software from the System Maintenance +menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from +CD-ROM, and need a proper invocation from the PROM prompt. +Refer to the instructions in INSTALL.sgi for more details. + +

+If your machine doesn't have a CD drive, you can setup a DHCP/tftp network +server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your +system type. Refer to the instructions in INSTALL.sgi for more details. +

+ +

OpenBSD/socppc:

+After connecting a serial port, boot over the network via DHCP/tftp. +Refer to the instructions in INSTALL.socppc for more details. +

+ +

OpenBSD/sparc:

+ok boot cdrom 5.5/sparc/bsd.rd
+or
+> b sd(0,6,0)5.5/sparc/bsd.rd
+

+If your SPARC system does not have a CD drive, you can alternatively boot from floppy. +To do so you need to write floppy55.fs to a floppy. +For more information see FAQ 4.3.2. +To boot from the floppy use one of the two commands listed below, +depending on the version of your ROM. + +

+ok boot floppy
+or
+> b fd()
+

+Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install +will most likely fail. + +

+If your SPARC system doesn't have a floppy drive nor a CD drive, you can either +setup a bootable tape, or install via network, as told in the +INSTALL.sparc file. +

+ +

OpenBSD/vax:

+Boot over the network via mopbooting as described in INSTALL.vax. + + +

OpenBSD/zaurus:

+Using the Linux built-in graphical ipkg installer, install the +openbsd55_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus +for a few important details. +

+ +

Notes about the source code:

+# mkdir -p /usr/src
+# cd /usr/src
+# tar xvfz /tmp/src.tar.gz
+

+sys.tar.gz contains a source archive starting at /usr/src/sys. +This file contains all the kernel sources you need to rebuild kernels. +To extract: +

+# mkdir -p /usr/src/sys
+# cd /usr/src
+# tar xvfz /tmp/sys.tar.gz
+

+Both of these trees are a regular CVS checkout. Using these trees it +is possible to get a head-start on using the anoncvs servers as +described here. +Using these files +results in a much faster initial CVS update than you could expect from +a fresh checkout of the full OpenBSD source tree. +

+ + +

How to upgrade

+If you already have an OpenBSD 5.4 system, and do not want to reinstall, +upgrade instructions and advice can be found in the +Upgrade Guide. + + +

Ports Tree

+A ports tree archive is also provided. To extract: +

+# cd /usr
+# tar xvfz /tmp/ports.tar.gz
+

+The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go +read the ports page +if you know nothing about ports +at this point. This text is not a manual of how to use ports. +Rather, it is a set of notes meant to kickstart the user on the +OpenBSD ports system. +

+The ports/ directory represents a CVS (see the manpage for + +cvs(1) if +you aren't familiar with CVS) checkout of our ports. As with our complete +source tree, our ports tree is available via +AnonCVS. +So, in order to keep current with it, you must make the ports/ tree +available on a read-write medium and update the tree with a command +like: +

+# cd /usr/ports
+# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_5
+

+[Of course, you must replace the server name here with a nearby anoncvs +server.] +

+Note that most ports are available as packages through FTP. Updated +packages for the 5.5 release will be made available if problems arise. +

+If you're interested in seeing a port added, would like to help out, or just +would like to know more, the mailing list +ports@openbsd.org is a good place to know. +

+ +