===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- www/74.html	2023/10/15 10:45:56	1.89
+++ www/74.html	2023/10/15 11:13:48	1.90
@@ -644,37 +644,21 @@
 
 <li>Security improvements:
   <ul>
-  <li>Enabled support for branch target identification (BTI) in both
-	the kernel and userland.  On hardware that supports this feature, it
-	helps enforcing control flow integrity by making sure malicious code
-	cannot jump into the middle of a function.
-  <li>Enabled support for pointer authentication (PAC) in userland.  On
-	hardware that supports this feature it helps enforcing control flow
-	integrity by making sure malicious code cannot manipulate a
-	function's return address.
-  <li>On the amd64 architecture, enabled support for indirect
-	branch tracking (IBT) in both the kernel and userland.  On hardware
-	that supports this feature, it helps enforcing control flow integrity
-	by making sure malicious code cannot jump into the middle of a
-	function.
-  <li>On the arm64 architecture, enabled support for branch target
-	identification (BTI) in both the kernel and userland.  On hardware
-	that supports this feature, it helps enforcing control flow integrity
-	by making sure malicious code cannot jump into the middle of a
-	function.
-  <li>On the arm64 architecture, enabled support for pointer
-	authentication (PAC) in userland.  On hardware that supports this
-	feature it helps enforcing control flow integrity by making sure
-	malicious code cannot manipulate a function's return address.
-  </ul>
-<p>Together with retguard these features protect against ROP attacks.</p>
-<p>Compiler defaults for base clang, ports clang and ports gcc (as well
-as some other non-C language family compilers in ports) have been
-changed to enable these features by default.  As a result the vast
-majority of programs on OpenBSD (and all programs in the base system)
-run with these security features enabled.</p>
-<p><br>Further security enhancements in this release are:</p>
-  <ul>
+  <li>Enable indirect branch tracking (IBT) on amd64 and branch target
+      identification (BTI) on arm64 in both the kernel and in userland.
+      On hardware that supports this feature, it helps enforcing
+      control flow integrity by making sure malicious code
+      cannot jump into the middle of a function. 
+  <li>On the arm64 architecture, enable pointer authentication (PAC)
+      in userland on those machines where it works correctly.
+      It helps enforcing control flow integrity by making sure
+      malicious code cannot manipulate a function's return address.
+  <li>Together with retguard these two features protect against ROP attacks.
+      Compiler defaults for base clang, ports clang and ports gcc (as well
+      as some other non-C language family compilers in ports) have been
+      changed to enable these features by default.  As a result the vast
+      majority of programs on OpenBSD (and all programs in the base system)
+      run with these security features enabled.
   <li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
       chunk sizes to be fine grained: chunk sizes are closer to the
       requested allocation size.