Todd C. Miller | 31 Mar 17:33 2014

Mailing list downtime: 4/5/2014

The OpenBSD mailing lists will be down on Saturday April 5 at 6am
MDT for machine room maintenance.  As long as things go well the
lists should be back before noon but they could be down as long as
6pm MDT.

This also affects ftp.usa.openbsd.org (aka ftp3.usa.openbsd.org)
and anoncvs3.usa.openbsd.org which reside in the same machine room.

 - todd

Nick Holland | 1 Nov 15:19 2013

OpenBSD 5.4 released Nov 1, 2013

------------------------------------------------------------------------
- OpenBSD 5.4 RELEASED -------------------------------------------------

November 1, 2013.

We are pleased to announce the official release of OpenBSD 5.4.
This is our 34th release on CD-ROM (and 35th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.4 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o OpenBSD/octeon
      New platform for systems based on the Cavium Octeon
      MIPS-compatible processors. Supported machines include:
      - Portwell CAM-0100
      - Ubiquiti Networks EdgeRouter LITE (no local storage)
    o OpenBSD/beagle
      New platform for OMAP3/4 and AM335x systems using an ARM Cortex-A8
      or Cortex-A9 CPU. Supported boards include:
      - BeagleBoard C4 / xM
      - BeagleBone and BeagleBone Black
      - PandaBoard and PandaBoard ES

 - Improved hardware support, including:
    o inteldrm(4) has been overhauled, including:
      - Now mostly in sync with Linux 3.8.13.
      - Support for Kernel Mode Setting (KMS) including support for

Todd C. Miller | 11 Oct 23:49 2013

OpenBSD mailing list server downtime

The OpenBSD mailing list server will be down for machine room A/C
maintenance on Sat October 12th from 5:15am to 6pm MDT.  If the
maintenance is complete before 6pm the list server will be back
earlier (possibly as soon as noon).

This also affects ftp.usa.openbsd.org (aka anoncvs3.usa.openbsd.org)
which is in the same machine room.

 - todd

Miller, Vincent (Rick | 7 Oct 16:58 2013

OpenBSD at vBSDcon October 25 - 27, 2013 in Herndon, VA

For only USD $75 you can register for vBSDcon hosted by Verisign
on October 25 - 27, 2013 in Herndon, VA.  That is less than 3 weeks
away!  If you have not registered yet, it is definitely recommended
as vBSDcon will feature a series of roundtable discussions, educational
sessions, best practice conversations, and exclusive networking
opportunities.  Registrations for vBSDcon will be open until October
23, 2013 at http://www.vbsdcon.com/.

vBSDcon will feature developers, Henning Brauer and Reyk Floeter,
from the OpenBSD project.  Henning and Reyk will be tag teaming a
presentation on packet inspection with pf in OpenBSD.  pf was
introduced in 2001 as an alternative to ipf. Over the years, pf has
become a mature, secure, and powerful, yet easy to use high performance
packet filter. In this presentation, Henning Brauer will describe
some of the features of pf and Reyk Floeter will describe utilizing
relayd in conjunction with pf. You can expect to hear about using
hooks for transparent proxies, deep packet inspection, socket
splicing, NATs, load balancing and more.

Read more about our speakers and their topics, the conference agenda,
other activities, and registrations at http://www.vbsdcon.com/.
This is an event you will not want to miss.  Register now before
it's too late!

Follow @VERISIGN and @hostileaddmin on Twitter for more news and
updates on #vBSDcon

--
Vincent (Rick) Miller
Systems Engineer

Miller, Vincent (Rick | 3 Oct 20:32 2013

vBSDcon Is Coming: Oct 25 - 27, 2013 in Herndon, VA

vBSDcon is a BSD-related conference occurring *this month* from 25th – 27th, just 3 weeks away in the DC Metropolitan area.  At a cost of only USD$75, the time to register for this event is now!  vBSDcon has an amazing list of speakers from the FreeBSD and OpenBSD communities, but participation from all sectors of the community is encouraged.  Our list of speakers and their respective topics can be reviewed at http://www.vbsdcon.com/.

In addition to plenary speakers, vBSDcon will also have lightning talks.  The topics for these talks are chosen by you!  When attendees register for vBSDcon at http://www.vbsdcon.com/, you are given the opportunity to identify subjects and areas of interest to you.  This will be translated into a lightning talk to be given by one of our attendees.

Be sure not to miss this event hosted by Verisign!  This is your opportunity to come together with others in the BSD communities for a series of roundtable discussions, educational sessions, best practice conversations, and exclusive networking opportunities.

Registrations will be accepted now through October 23rd at http://www.vbsdcon.com/.  We look forward to seeing you all there!

--
Vincent (Rick) Miller
Systems Engineer
vmiller <at> verisign.com

t: 703-948-4395  m: 703-581-3068
12061 Bluemont Way, Reston, VA  20190


Miller, Vincent (Rick | 9 Sep 17:20 2013

vBSDcon 2013 Registrations Open

With approximately six (6) weeks until the event, Registrations for vBSDcon 2013 remain open until October 23rd, 2013.  Register now for this BSD conference scheduled to take place at the Dulles Hyatt in Herndon, VA from October 25 – 27, 2013.

Users and developers from across the BSD communities are encouraged to attend the event intended to bring together members of the BSD community for a series of roundtable discussions, educational sessions, best practice conversations, and exclusive networking opportunities.  Those interested in such an opportunity to learn, experience, and meet others involved in the BSD communities should plan to attend vBSDcon 2013.

vBSDcon is proud to bring prolific speakers such as:
  • David Chisnall, a member of FreeBSD's Core Team, speaking on the migration from GCC to LLVM/CLANG within the FreeBSD project.
  • Luigi Rizzo, FreeBSD source committer and project developer for netmap, speaking on the Evolution of the Netmaps Framework
  • Baptiste Daroussin, FreeBSD source committer and project developer for PkgNG, speaking on the topic of PkgNG
  • Henning Brauer & Reyk Floeter, OpenBSD developers, speaking on deep packet inspection with OpenBSD and PF
  • Scott Long, FreeBSD source committer, speaking on "Dispelling the Stigma of the 'Dot-oh' Release"
  • Devin Teske, FreeBSD source committer, with "A Comprehensive Look at bsdconfig"
  • Kris Moore, PC-BSD Director of Development, speaking on automating deployment of FreeBSD and PC-BSD systems
  • John Hixson, of iXsystems, speaking on the topic of FreeNAS plugins

vBSDcon is being hosted at the Dulles Hyatt in Herndon, VA making it extremely convenient for attendees who book their room at the venue.  The venue is also just minutes from Dulles International Airport with regular shuttles to/from the hotel and airport terminal during the day.  Breakfast, lunch, and snacks will be provided on-site by the hotel's on premise restaurant.

The schedule includes a reception dinner at the Dulles Hyatt on the evening of October 25th provided by Verisign and a mid-conference social the following evening celebrating 20 years of FreeBSD.  Space for off hours hacker lounges and doc sprints will be available in the conference facilities with complimentary wireless internet access.  The BSD Certification Group will also be hosting a BSDA certification exam on Saturday evening following the completion of conference activities for the day.

All are invited to take part in this event and are encouraged to register at the vBSDcon web site at http://www.vbsdcon.com/.  Simply click the "Register now" button to begin your registration!  We look forward to meeting you all there!

--
Vincent (Rick) Miller
Systems Engineer
vmiller <at> verisign.com

t: 703.948.4395   m: 703.581.3068
12061 Bluemont Way, Reston, VA  20190

http://www.vbsdcon.com/


Stuart Henderson | 1 May 15:42 2013

OpenBSD 5.3 released May 1, 2013

------------------------------------------------------------------------
- OpenBSD 5.3 RELEASED -------------------------------------------------

May 1, 2013.

We are pleased to announce the official release of OpenBSD 5.3.
This is our 33rd release on CD-ROM (and 34th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.3 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o New driver oce(4) for Emulex OneConnect 10Gb Ethernet adapters.
    o New driver rtsx(4) for the Realtek RTS5209 card reader.
    o New driver mfii(4) for the LSI Logic MegaRAID SAS Fusion controllers.
    o New driver smsc(4) for SMSC LAN95xx 10/100 USB Ethernet adapters.
    o New drivers for Toradex OAK USB sensors: uoaklux(4) (illuminance),
      uoakrh(4) (temperature and relative humidity) and
      uoakv(4) (+/- 10V 8channel ADC).
    o New drivers for virtio(4) devices: vio(4) (network), vioblk(4)
      (block devices, attaching as SCSI disks) and viomb(4)
      (memory ballooning).
    o Support for Adaptec 39320LPE added to ahd(4).
    o Broadcom 5718/5719/5720 Gigabit Ethernet devices supported in bge(4).
    o Intel X540-based 10Gb Ethernet devices supported in ix(4).
    o Support for SFP+ hot-plug (82599) and various other improvements
      in ix(4).
    o TX interrupt mitigation, hardware VLAN tagging and checksum offload
      reduce CPU use in vr(4).
    o Baby jumbo frames supported in vr(4) and sis(4) useful for e.g. MPLS,
      vlan(4) tag stacking (QinQ) and RFC4638 pppoe(4).
    o TCP RX Checksum offload in gem(4).
    o Improvements for NICs using 82579/pch2 in em(4).
    o Flow control is now supported on bnx(4) 5708S/5709S adapters,
      gem(4) and jme(4).
    o Power-saving clients supported in hostap mode with acx(4) and athn(4).
    o A cause of RT2661 ral(4) wedging in hostap mode was fixed.
    o iwn(4) supports additional devices (Centrino Advanced-N 6235 and
      initial support for Centrino Wireless-N 1030).
    o Improvements to ahci(4).
    o Support for the fixed-function performance counter on newer x86
      chips with constant time stamp counters.
    o Elantech touchpads supported in pms(4) and synaptics(4).
    o Support for "physical devices" on skinny mfi(4) controllers.
    o VMware emulated SAS adapters supported by mpi(4).
    o Support for Intel's Supervisor Mode Execution Protection (SMEP)
      and Supervisor Mode Access Prevention (SMAP) features on i386 and amd64.
    o Support for the RDRAND instruction to read the hardware random
      number generator on recent Intel processors.
    o amd64 PCI memory extent changed to cover the whole 64-bit memory
      space; fixes erroneous extent allocation panic on IBM x3100.
    o ulpt(4) can now upload firmware to certain HP LaserJet printers.
    o Added stat clock to Loongson machines, improving accuracy of CPU
      usage statistics.
    o CPU throttling supported on Loongson 2F.
    o Support for Apple UniNorth and U3 AGP added to agp(4).
    o DRM support for macppc. 

 - Generic network stack improvements:
    o Restriction on writing to trunk(4) member interfaces relaxed; BPF
      can now write to interfaces directly (useful for LLDP).
    o UDP support added to sosplice(9) (zero-copy socket splicing).
    o IPv6 autoconfprivacy is enabled by default (can be disabled
      per-interface with an ifconfig(8) flag).
    o ifconfig(8) hwfeatures displays the maximum MTU supported by
      the driver (indicating support for jumbo/baby-jumbo frames).
    o Vastly improved IPsec v3 compatibility, including support for
      Extended Sequence Numbers in the AES-NI driver for AES-GCM
      and other modes. 

 - Routing daemons and other userland network improvements:
    o OpenBSD now includes npppd(8), a server-side daemon for L2TP,
      L2TP/IPsec, PPTP and PPPoE.
    o New standalone tftp-proxy(8) to replace the old inetd(8)-based implementation.
    o SNMPv3 supported in snmpd(8).
    o bgpd(8) is more tolerant of unknown capabilities when bringing
      up a session (logs a warning rather than fails).
    o bgpd(8) now handles client side of "graceful restart".
    o bgpd(8) can now filter based on the NEXTHOP attribute.
    o A stratum can now be assigned to hardware sensors in ntpd(8).
    o authpf(8) now supports the use of per-group rules files.
    o ftp(1) client now supports basic HTTP authentication as per
      RFC 2617 and 3986 like "ftp http[s]://user:pass@host/file".
    o ftp(1) client's mput command allows uploading a directory
      tree recursively using the -r switch.
    o relayd(8) has various improvements including additional
      scheduling algorithms (least-states, for redirections, and
      random/source-hash, for relays).
    o The iked(8) IKEv2 daemon supports NAT-T. (The isakmpd daemon
      for IKEv1 has supported this for a long time).
    o iked(8) blocks IPv6 traffic unless there are v6 VPN flows; this
      is to prevent leakages as described in draft-gont-opsec-vpn-leakages. 

 - dhclient(8) improvements:
    o dhclient-script eliminated, all configuration is done with ioctl's
      and routing sockets.
    o Interface configuration is much faster.
    o HUP signals cause dhclient to restart; making it re-read the
      dhclient.conf(5) and resolv.conf.tail(5) files, and obtain a new lease.
    o INIT, USR1, USR2 signals cause dhclient to exit after attempting
      to remove routes and addresses it configured.
    o resolv.conf(5) is written only when the in-use default route was
      inserted by dhclient. Possible changes to the default route are
      detected and cause dhclient to write out resolv.conf when appropriate.
    o Interface hardware address changes are detected and cause
      dhclient to restart.
    o dhclient.conf directive 'ignore' and command line option '-i'
      added, allowing the suppression of specific options offered by server.
    o '-L' command line option added, allowing the creation of a complete
      record of the most recent offer and what we modified it to when
      binding the lease.
    o Rejected offers no longer prevent dhclient from trying recorded
      leases and going daemon.
    o Cleanup of routing tables when starting and exiting is more complete.
    o Log messages cleaned up and reduced.
    o dhclient(8) is automatically placed in the routing domain of the interface.
    o Incoming and outgoing packet buffers are separate, eliminating
      possible transmission of inappropriate packets when re-trying
      DISCOVER and REQUEST.
    o resolv.conf.tail read only once, at startup.
    o Both OFFER and ACK packets that lack required options are rejected.
    o File names passed to '-L' and '-l' are constrained to be regular files.
    o Bind success reported after binding complete, not when it is started.
    o Privileged process daemonizes, eliminating its controlling terminal.
    o STDIN/STDOUT/STDERR no longer redirected to /dev/null when '-d' specified.
    o All existing addresses on the interface are deleted when binding
      a new lease.
    o Leases which would cause routing problems because another interface
      is already configured with the same subnet are rejected.
    o Premature and repeated DISCOVER and/or REQUEST messages at startup
      are avoided.
    o Permanent ARP cache entries are no longer deleted during binding.
    o Allow empty lists of option names for 'ignore', 'request', and
      'require' dhclient.conf directives, so lists can be reset in
      interface declarations.
    o dhcpd(8) and dhclient recognize the same list of dhcp options.
    o Hand-rolled IMSG implementation replaced with imsg_init(3) and
      related functions.
    o Hand-rolled date string construction replaced with strftime(3)
      invocations.
    o Hand-rolled '%m' option replaced with strerror(3) invocations.
    o Many other internal code improvements. 

 - pf(4) improvements:
    o The divert(4) socket now supports the new IP_DIVERTFL socket option
      to control whether both inbound and outbound packets are diverted
      (the default) or only packets travelling in one direction.
    o Sloppy state tracking (a special mode occasionally needed with
      asymmetric routing) now works correctly with ICMP.
    o PF now restricts the fragment limit to protect against a
      misconfiguration running the kernel out of mbuf clusters. 

 - OpenSMTPD 5.3:
    o New features:
      - Code is now considered stable and suitable for use in production.
      - smtpctl(8) trace supports runtime tracing of various components,
        including imsg exchanges, incoming and outgoing sessions, aliases
        expansion and much more.
      - smtpctl(8) monitor can now be used to monitor in real-time an
        instance of smtpd(8).
      - smtpctl(8) show queue now supports an "online" mode where the
        scheduler is queried instead of the disk-based queue to provide
        more accurate information.
      - Virtual domain support has been reworked to simplify and bring
        support for new features like global catch-alls and shared
        user mappings.
      - New table API replaces the map API: better handling of transient
        errors, improved performances and a much better interface.
      - The transfer process may now select the source IP address to
        use as well as the HELO hostname to advertise from a table.
      - Each listener may advertise a different banner hostname.
      - An alternate user database may be provided instead of
        relying on getpwnam(3).
      - Users may now be authenticated using credentials from a table.
      - Incoming sessions can be tagged, allowing for rules to only
        match envelopes that have been reinjected in the daemon after
        being passed to a proxy tool.
      - Intermediate bounces are now sent at configurable rates.
      - Rules can now check for a sender email address or domain.
      - Experimental (yet functional) support for aldap and sqlite as
        table backends. 
    o Improvements:
      - Improved logging format to make it both easier to read and parse.
      - Improved memory use by scheduler, smtp, queue and transfer
        processes.
      - More reliable and efficient disk-based queue.
      - Improved scheduler, dns and relaying logic that optimizes transfers.
      - Simplified grammar for smtpd.conf(5).
      - Initial support for client and server SSL peer certificates
        validation.
      - SSL certificate tree is now isolated and network-facing processes
        request SSL information on-demand by imsg.
      - Improved and simplified SMTP and MTA engines.
      - Much improved performances on both incoming and outgoing code paths.
      - Tons of cleanup and assorted minor bug fixes. 

 - Security improvements:
    o Position-independent executables (PIE) are now used by default
      on alpha, amd64, hppa, landisk, loongson, sgi and sparc64.
    o gcc(1) stack smashing protector added for Alpha and MIPS
      (enabled by default).
    o Shared libraries on GCC 4 platforms now each get their own stack
      protector cookies instead of sharing a single global cookie.

 - Performance improvements:
    o Switch default disk I/O sort algorithm to NSCAN for improved
      fairness and response times.
    o Softdep speedup improvements by the revert of a previously
      necessary workaround to prevent kva starvation.
    o Large performance and reliability improvements in make(1), especially
      in parallel mode.  Make no longer does any busy waiting, it
      handles concurrent targets correctly, and displays more accurate
      error messages.
    o Increased stack alignment in constructor functions and new threads
      on i386 to meet requirements for SSE.
    o Coredumping no longer hogs CPU or I/O and can be aborted by sending
      the process a SIGKILL signal.

 - Threading improvements:
    o Threaded programs and libraries can now be linked with the
      POSIX-standard -lpthread flag instead of the
      OpenBSD-specific -pthread flag.
    o abort(3) and raise(3) now direct the signal to the calling thread,
      as specified by POSIX.
    o Whether a thread is currently executing on an alternate signal
      stack (c.f. sigaltstack(2)) is now determined dynamically, so the
      stack can be reused if siglongjmp(3) is used to exit the signal handler.
    o libpthread now caches automatically allocated, default size
      thread stacks.
    o Improvements in the handling of profiling, tracing, and %cpu
      calculation of threaded processes. 

 - Assorted improvements:
    o ldomctl(8) was added to manage logical domains on sun4v systems
      through ldomd(8).
    o Support for WPA Enterprise was added to the wpa_supplicant package.
    o OpenBSD/luna88k and OpenBSD/mvme88k have switched to GCC 3, elf(5)
      and gained shared library support.
    o OpenBSD/hp300 and OpenBSD/mvme68k have switched to GCC 3 and elf(5).
    o softraid(4) RAID1 and crypto volumes are now bootable on i386
      and amd64 (full disk encryption).
    o The mg(1) emacs-like editor now supports diff-buffer-with-file,
      make-directory and revert-buffer. Column numbers have been made
      configurable and locale is respected for ctype purposes, like
      displaying ISO Latin 1 characters.
    o Improved our own pkg-config(1) implementation to make it compatible
      with freedesktop.org's 0.27.1 release.
    o A number of improvements to the buffer cache and page daemon
      interactions to avoid issues in low memory/low kva situations.
    o Various bug fixes in uvm to avoid potential races and
      deadlock issues.
    o Memory filesystem (mfs) switched to bufq, giving us queue limits
      and FIFO queueing (rather than the current LIFO queueing).
    o Many improvements to the cwm(1) window manager, including tab
      completion and Xft support for menus, improved Xinerama support,
      and per-group vertical/horizontal manual tiling support.
    o Added dprintf(3), grantpt(3), posix_openpt(3), ptsname(3),
      unlockpt(3), and vdprintf(3).
    o Corrected the order of invocation of constructor and destruction
      functions.
    o Improved compliance and/or cleanliness of header files, particularly
      <dlfcn.h>, <netdb.h>, <net/if.h>, <netinet/in.h>, <sys/socket.h>,
      <sys/uio.h>, and <sys/un.h>.

 - OpenSSH 6.2:
    o New features:
      - ssh(1) and sshd(8): Added support for AES-GCM authenticated
        encryption in SSH protocol 2. The new cipher is available as
        "aes128-gcm@openssh.com" and "aes256-gcm@openssh.com". It uses
        an identical packet format to the AES-GCM mode specified in
        RFC 5647, but uses simpler and different selection rules during
        key exchange.
      - ssh(1) and sshd(8): Added support for encrypt-then-mac (EtM)
        MAC modes for SSH protocol 2. These modes alter the packet
        format and compute the MAC over the packet length and encrypted
        packet rather than over the plaintext data. These modes are
        considered more secure and are used by default when available.
      - ssh(1) and sshd(8): Added support for the UMAC-128 MAC as
        "umac-128@openssh.com" and "umac-128-etm@openssh.com". The
        latter being an encrypt-then-mac mode.
      - sshd(8): Added support for multiple required authentication
        in SSH protocol 2 via an AuthenticationMethods option. This
        option lists one or more comma-separated lists of authentication
        method names. Successful completion of all the methods in any
        list is required for authentication to complete. This allows,
        for example, requiring a user having to authenticate via public
        key or GSSAPI before they are offered password authentication.
      - sshd(8) and ssh-keygen(1): Added support for Key Revocation
        Lists (KRLs), a compact binary format to represent lists of
        revoked keys and certificates that take as little as one bit
        per certificate when revoking by serial number. KRLs may be
        generated using ssh-keygen(1) and are loaded into sshd(8) via
        the existing RevokedKeys sshd_config(5) option.
      - ssh(1): IdentitiesOnly now applies to keys obtained from a
        PKCS11Provider. This allows control of which keys are offered
        from tokens using IdentityFile.
      - sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
        and "remote" in addition to its previous "yes"/"no" keywords to
        allow the server to specify whether just local or remote TCP
        forwarding is enabled.
      - sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand
        to support fetching authorized_keys from a command in addition
        to (or instead of) from the filesystem. The command is run under
        an account specified by an AuthorizedKeysCommandUser
        sshd_config(5) option.
      - sftp-server(8): Now supports a -d option to allow the starting
        directory to be something other than the user's home directory.
      - ssh-keygen(1): Now allows fingerprinting of keys hosted in
        PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider".
      - ssh(1): When SSH protocol 2 only is selected (the default),
        ssh(1) now immediately sends its SSH protocol banner to the
        server without waiting to receive the server's banner, saving
        time when connecting.
      - ssh(1): Added ~v and ~V escape sequences to raise and lower the
        logging level respectively.
      - ssh(1): Made the escape command help (~?) context sensitive so
        that only commands that will work in the current session are shown.
      - ssh-keygen(1): When deleting host lines from known_hosts using
        "ssh-keygen -R host", ssh-keygen(1) now prints details of
        which lines were removed. 
    o The following significant bugs have been fixed in this release:
      - ssh(1): Force a clean shutdown of ControlMaster client sessions
        when the ~. escape sequence is used. This means that ~. should
        now work in mux clients even if the server is no longer responding.
      - ssh(1): Correctly detect errors during local TCP forward
        setup in multiplexed clients. (bz#2055)
      - ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric
        with adding keys with respect to certificates. It now tries to
        delete the corresponding certificate and respects the -k option
        to allow deleting of the key only.
      - sftp(1): Fix a number of parsing and command-editing bugs,
        including bz#1956.
      - ssh(1): When muxmaster is run with -N, ensure that it shuts
        down gracefully when a client sends it "-O stop" rather than
        hanging around. (bz#1985)
      - ssh-keygen(1): When screening moduli candidates, append to the
        file rather than overwriting to allow resumption. (bz#1957)
      - ssh(1): Record "Received disconnect" messages at ERROR rather
        than INFO priority. (bz#2057)
      - ssh(1): Loudly warn if explicitly-provided private key is
        unreadable. (bz#1981) 

 - Over 7,800 ports, major performance and stability improvements in
   the package build process
 - The parallel ports builder is more efficient. The main improvement
   is that dpb consumes much less cpu on busy boxes, but there are
   lots of small optimizations that amount to a large performance
   increase: dpb can now build selected large ports using parallel
   make, and it has a notion of affinity, so that ports failing on a
   cluster will be preferentially restarted on the same machine. 

 - Many pre-built packages for each architecture:
    o i386:  7670                     o sparc64: 6756
    o alpha: 6151                     o sh: 1111
    o amd64: 7632                     o powerpc: 7215
    o sparc: 4635                     o arm: 4944
    o hppa: 6401                      o vax: 2081
    o mips64: 6519                    o mips64el: 6539

 - Some highlights:
    o GNOME 3.6.2                     o KDE 3.5.10
    o Xfce 4.10                       o MySQL 5.1.68
    o PostgreSQL 9.2.3                o Postfix 2.9.6
    o OpenLDAP 2.3.43 and 2.4.33      o GHC 7.4.2
    o Mozilla Firefox 3.6.28 and 18.0.2
    o Mozilla Thunderbird 17.0.2      o LibreOffice 3.6.5.2
    o Emacs 21.4 and 24.2             o Vim 7.3.154
    o PHP 5.2.17 and 5.3.21           o Python 2.5.4, 2.7.3 and 3.2.3
    o Ruby 1.8.7.370 and 1.9.3.392    o Tcl/Tk 8.5.13 and 8.6.0
    o Jdk 1.6.0.32 and 1.7.0.11       o Mono 2.10.9
    o Chromium 24.0.1312.68           o Groff 1.21
    o Go 1.0.3                        o GCC 4.6.3 and 4.7.2
    o LLVM/Clang 3.2

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.12.3 + patches,
      freetype 2.4.11, fontconfig 2.8.0, Mesa 7.11.2, xterm 287,
      xkeyboard-config 2.7 and more)
    o Gcc 4.2.1 (+ patches), 3.3.5 (+ patches) and 2.95.3 (+ patches)
    o Perl 5.12.2 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o Nginx 1.2.6 (+ patches)
    o OpenSSL 1.0.1c (+ patches)
    o SQLite 3.7.14.1 (+ patches)
    o Sendmail 8.14.6, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o NSD 3.2.15
    o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Heimdal 0.7.2 (+ patches)
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)
    o Less 444 (+ patches)
    o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.2
and 5.3, look at

        http://www.OpenBSD.org/plus53.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.3 FTP/CD-ROM binaries and the actual 5.3
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce <at> OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.3 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Blade Swimmer".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#53

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.3 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts,
with new and old designs, available from our web ordering system.

-----------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/5.3/ftplist

   As of May 1, 2013, the following ftp mirror sites have the 5.3 release:

        ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.3/       Stockholm, Sweden
        ftp://ftp.bytemine.net/pub/OpenBSD/5.3/         Oldenburg, Germany
        ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.3/       Zurich, Switzerland
        ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.3/       Paris, France
        ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.3/      Vienna, Austria
        ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.3/     Brisbane, Australia
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.3/      CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.3/     CA, USA

        The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/5.3/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/5.3/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          macppc/          sparc/
        Changelogs/      ftplist          mvme68k/         sparc64/
        HARDWARE         hp300/           mvme88k/         src.tar.gz
        PACKAGES         hppa/            packages/        sys.tar.gz
        PORTS            i386/            ports.tar.gz     tools/
        README           landisk/         root.mail        vax/
        alpha/           loongson/        sgi/             xenocara.tar.gz
        amd64/           luna88k/         socppc/          zaurus/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    cd53.iso        floppyB53.fs    pxeboot*
        INSTALL.linux   cdboot*         floppyC53.fs    xbase53.tgz
        MD5             cdbr*           game53.tgz      xetc53.tgz
        base53.tgz      cdemu53.iso     index.txt       xfont53.tgz
        bsd*            comp53.tgz      install53.iso   xserv53.tgz
        bsd.mp*         etc53.tgz       man53.tgz       xshare53.tgz
        bsd.rd*         floppy53.fs     misc53.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install53.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install53.iso file (roughly 250MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.3 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/5.3/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.3 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.3/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.3/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.3/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Landry Breuil, Michael Erdely, Stuart Henderson,
Peter Hessler, Paul Irofti, Antoine Jacoutot, Sebastian Reitenbach,
and Christian Weisgerber.  System builds by Theo de Raadt and Miod
Vallat. X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.3 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexander Yurchenko,
    Alexandr Shadchin, Alexandre Ratchov, Anil Madhavapeddy,
    Anthony J. Bentley, Antoine Jacoutot, Austin Hook, Benoit Lecocq,
    Bob Beck, Brad Smith, Brandon Mercer, Bret Lambert, Brett Mahar,
    Brian Callahan, Bryan Steele, Camiel Dobbelaar, Can Erkin Acar,
    Charles Longeau, Chris Cappuccio, Christian Ehrhardt,
    Christian Weisgerber, Christiano F. Haesbaert,
    Christopher Zimmermann, Claudio Jeker, Damien Miller, Darren Tucker,
    David Coppa, David Gwynne, David Krause, Edd Barrett, Eric Faurot,
    Federico G. Schwindt, Felix Kronlage, Florian Obser, Gerhard Roth,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado,
    Ingo Schwarze, Jakob Schlyter, James Turner, Janne Johansson,
    Jason George, Jason McIntyre, Jasper Lievisse Adriaanse,
    Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Jung,
    Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
    Joshua Elsasser, Joshua Stein, Kenji Aoyama, Kenneth R Westerback,
    Kirill Bychkov, Kurt Miller, Landry Breuil, Laurent Fanis,
    Lawrence Teo, Luke Tymowski, Marc Espie, Marco Pfatschbacher,
    Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl,
    Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky,
    Matthias Kilian, Matthieu Herrb, Michael Erdely, Mike Belopuhov,
    Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott,
    Nick Holland, Nigel Taylor, Okan Demirmen, Otto Moerbeek,
    Pascal Stumpf, Patrick Wildt, Paul de Weerd, Paul Irofti,
    Peter Hessler, Peter Valchev, Philip Guenther,
    Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel,
    Reyk Floeter, Robert Nagy, Robert Peichaer, Ryan Freeman,
    Ryan Thomas McBride, Sasano, Sebastian Benoit, Sebastian Reitenbach,
    Simon Perreault, Stefan Fritsch, Stefan Sperling,
    Stephan A. Rickauer, Steven Mestdagh, Stuart Cassoff,
    Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
    Tobias Stoeckmann, Tobias Ulmer, Tobias Weingartner, Todd C. Miller,
    Todd Fries, Vadim Zhukov, Will Maier, William Yodlowsky,
    Yasuoka Masahiko, Yojiro Uo

Todd C. Miller | 3 Apr 17:32 2013

upcoming OpenBSD mailing list downtime

The OpenBSD mailing lists will be down on Saturday April 20th from
05:30 through 18:00 MDT while the machine room the server lives in
is under maintenance.

This also affects ftp.usa.openbsd.org (aka anoncvs3.usa.openbsd.org)
which is located in the same place.

 - todd

Damien Miller | 22 Mar 01:40 2013

Announce: OpenSSH 6.2 released


Changes since OpenSSH 6.1
=========================

This release introduces a number of new features:

Features:

 * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
   SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
   and aes256-gcm@openssh.com. It uses an identical packet format to the
   AES-GCM mode specified in RFC 5647, but uses simpler and different
   selection rules during key exchange.

 * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
   for SSH protocol 2. These modes alter the packet format and compute
   the MAC over the packet length and encrypted packet rather than over
   the plaintext data. These modes are considered more secure and are
   used by default when available.

 * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
   "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
   being an encrypt-then-mac mode.

 * sshd(8): Added support for multiple required authentication in SSH
   protocol 2 via an AuthenticationMethods option. This option lists
   one or more comma-separated lists of authentication method names.
   Successful completion of all the methods in any list is required for
   authentication to complete. This allows, for example, requiring a
   user having to authenticate via public key or GSSAPI before they
   are offered password authentication.

 * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
   (KRLs), a compact binary format to represent lists of revoked keys
   and certificates that take as little as one bit per certificate when
   revoking by serial number. KRLs may be generated using ssh-keygen(1)
   and are loaded into sshd(8) via the existing RevokedKeys sshd_config
   option.

 * ssh(1): IdentitiesOnly now applies to keys obtained from a
   PKCS11Provider. This allows control of which keys are offered from
   tokens using IdentityFile.

 * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
   and "remote" in addition to its previous "yes"/"no" keywords to allow
   the server to specify whether just local or remote TCP forwarding is
   enabled.

 * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
   support fetching authorized_keys from a command in addition to (or
   instead of) from the filesystem. The command is run under an account
   specified by an AuthorizedKeysCommandUser sshd_config(5) option.

 * sftp-server(8): Now supports a -d option to allow the starting
   directory to be something other than the user's home directory.

 * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
   tokens using "ssh-keygen -lD pkcs11_provider".

 * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
   now immediately sends its SSH protocol banner to the server without
   waiting to receive the server's banner, saving time when connecting.

 * ssh(1): Added ~v and ~V escape sequences to raise and lower the
   logging level respectively.

 * ssh(1): Made the escape command help (~?) context sensitive so that
   only commands that will work in the current session are shown.

 * ssh-keygen(1): When deleting host lines from known_hosts using
   "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
   were removed.

Bugfixes:

 * ssh(1): Force a clean shutdown of ControlMaster client sessions when
   the ~. escape sequence is used. This means that ~. should now work in
   mux clients even if the server is no longer responding.

 * ssh(1): Correctly detect errors during local TCP forward setup in
   multiplexed clients. bz#2055

 * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
   adding keys with respect to certificates. It now tries to delete the
   corresponding certificate and respects the -k option to allow deleting
   of the key only.

 * sftp(1): Fix a number of parsing and command-editing bugs, including
   bz#1956

 * ssh(1): When muxmaster is run with -N, ensured that it shuts down
   gracefully when a client sends it "-O stop" rather than hanging around.
   bz#1985

 * ssh-keygen(1): When screening moduli candidates, append to the file
   rather than overwriting to allow resumption. bz#1957

 * ssh(1): Record "Received disconnect" messages at ERROR rather than
   INFO priority. bz#2057.

 * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
   bz#1981

Portable OpenSSH:

 * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
   platforms where the kernel supports it.

 * sshd(8): The seccomp-filter sandbox will not be enabled if the system
   headers support it at compile time, regardless of whether it can be
   enabled then. If the run-time system does not support seccomp-filter,
   sshd will fall back to the rlimit pseudo-sandbox.

 * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
   on the client, just on sshd(8). bz#2072

 * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
   library. bz#2073

 * Fix compilation on systems with openssl-1.0.0-fips.

 * Fix a number of errors in the RPM spec files.

Checksums:
==========

 - SHA1 (openssh-6.2.tar.gz) = XXX
 - SHA1 (openssh-6.2p1.tar.gz) = XXX

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
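
The AuthenticationMethods behaviour described in the OpenSSH 6.2 announcement above, as an added example that is not part of the original post or of OpenSSH's own code: a small Python model of which methods a server offers next and when authentication completes. It assumes the methods in each list must succeed in the order listed (the reading suggested by the announcement's public-key-before-password example); the class and function names are hypothetical.

```python
"""Model of the AuthenticationMethods option from the OpenSSH 6.2 notes.

The option value is one or more whitespace-separated lists; each list is a
comma-separated sequence of method names.  Authentication completes once
every method in any one list has succeeded.

Assumption of this model: a list is consumed from its head, so a method is
only offered once everything before it in that list has succeeded.
"""


def parse_authentication_methods(value):
    """Return the option value as a list of ordered method lists."""
    lists = []
    for chunk in value.split():
        methods = chunk.split(",")
        if not all(methods):
            raise ValueError("empty method name in %r" % chunk)
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods needs at least one list")
    return lists


class AuthState:
    """Tracks what is still required for one connection (hypothetical name)."""

    def __init__(self, value):
        # Each entry holds the methods still outstanding for that list.
        self.remaining = parse_authentication_methods(value)

    def complete(self):
        """True once any list has had all of its methods satisfied."""
        return any(not lst for lst in self.remaining)

    def offered(self):
        """Methods the server would advertise now: the head of each list."""
        if self.complete():
            return []
        heads = []
        for lst in self.remaining:
            if lst[0] not in heads:
                heads.append(lst[0])
        return heads

    def attempt(self, method, succeeded=True):
        """Record one authentication attempt.

        Returns "rejected" if the method is not currently offered or the
        attempt failed, "partial" if it succeeded but more is required,
        and "complete" once a whole list has been satisfied.
        """
        if method not in self.offered() or not succeeded:
            return "rejected"
        for lst in self.remaining:
            if lst and lst[0] == method:
                lst.pop(0)
        return "complete" if self.complete() else "partial"


def run_session(value, attempts):
    """Replay (method, succeeded) attempts; return (method, result, offered)."""
    state = AuthState(value)
    trace = []
    for method, succeeded in attempts:
        result = state.attempt(method, succeeded)
        trace.append((method, result, state.offered()))
    return trace


if __name__ == "__main__":
    # Constructed sample setting: public key or GSSAPI first, then password.
    setting = "publickey,password gssapi-with-mic,password"
    # Constructed sample session: password tried too early, then the
    # required order is followed.
    session = [("password", True), ("publickey", True), ("password", True)]
    for method, result, offered in run_session(setting, session):
        print("%-16s %-9s next: %s" % (method, result, ", ".join(offered) or "-"))
```

A password that is correct but sent before any first factor is still "rejected" in this model, which is the property that makes the option useful for limiting password guessing to clients that already hold a valid key or ticket.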

Bob Beck | 1 Nov 17:47 2012

OpenBSD 5.2 Released


------------------------------------------------------------------------
- OpenBSD 5.2 RELEASED -------------------------------------------------

November 1, 2012.

We are pleased to announce the official release of OpenBSD 5.2.
This is our 32nd release on CD-ROM (and 33rd via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.2 provides significant improvements,
including new features, in nearly all areas of the system:

 - pthreads(3) support:
   o The most significant change in this release is the replacement of the
     user-level uthreads by kernel-level rthreads, allowing multithreaded
     programs to utilize multiple CPUs/cores.
   o Use PTHREAD_MUTEX_STRICT_NP as default mutex type.
   o Added pthread spinlock and barrier routines.
   o Added pthread_mutex_timedlock(3) and sem_timedwait(3).
   o Added pthread_condattr_setclock(3).
   o Added support for live multi-threaded debugging in gdb(1).
   o Improved handling for rusage totals and interval timers in threaded
     processes.
   o Changed the RLIMIT_NPROC rlimit to count processes instead of threads.
   o Added a new system limit kern.maxthread for the max number of threads.
   o Closed race conditions in thread creation, and in fork(2) and open(2) in a
     threaded process.
   o Improved handling of threaded processes in ps(1), top(1), and fstat(1).
   o Changed the lock around dlopen() to be recursive, so that dl*() operations
     from atexit() handlers don't deadlock.
   o Many fixes to pthread attribute and mutex error checking and cancellation
     handling.

 - Improved hardware support, including:
   o Added hibernation support on i386. Currently only working on pciide(4) and
     wd(4) disks.
   o Improved support for ALPS based touchpads in wsmouse(4) and the
     synaptics(4) X.Org input driver.
   o Performance improvements with ix(4) Intel 10Gb Ethernet NICs.
   o Support for i350 based devices in em(4).
   o Flow control support for bnx(4).
   o Hardware watchdog and HPET support for tcpcib(4) (Intel Atom E600) as
     found in some embedded x86 systems.
   o urndis(4) supports additional Android devices.
   o Support for Winbond W83627UHG has been added to wbsio(4).
   o Support for the SMBus controller of the AMD CS5536 in glxpcib(4) and the
     NVIDIA MCP89 in nviic(4).
   o Support for AX88772B based devices has been added to axe(4).
   o Support for MCS7832 based devices has been added to mos(4).
   o Support for the Roland UM-ONE has been added to umidi(4).
   o Support for the AMD Hudson-2 chipset has been added to azalia(4) and
     piixpm(4).
   o Support for NetMos NM9820 cardbus serial cards has been added to com(4).
   o Support for Huawei Mobile E303 has been added to umsm(4).
   o The sgi port now supports the R4000 Indigo (IP20), Indy (IP22), R4000
     Indigo2 (IP24) and POWER Indigo2 R10000 (IP28) families.

 - Generic network stack improvements:
   o Increased TCP initial window to 14600 bytes as proposed in
     draft-ietf-tcpm-initcwnd.
   o Cleanup handling of sockaddrs in degenerate use cases.
   o Improved handling of error and limit cases in file descriptor passing.
   o Improved socketbuffer handling for AF_UNIX sockets.
   o Fix yet another file descriptor leak in message passing.
   o Improved error handling in socket splicing.
   o IPv6 privacy addresses now appear alongside SLAAC addresses.
   o Support for Extended Sequence Numbers has been added to the IPsec stack
     and iked(8).
   o Bridging two IPv4 networks over an IPv6 link with gif(4) is now possible.

 - Routing daemons and other userland network improvements:
   o sndiod(1), bgpd(8), dvmrpd(8), ftp-proxy(8), iked(8), iscsid(8), ldapd(8),
     ldpd(8), nsd(8), ospf6d(8), ospfd(8), relayd(8), ripd(8), snmpd(8),
     spamd(8), sshd(8), tcpbench(1) and tmux(1) now rate limit their accepting
     of new connections when experiencing file descriptor exhaustion.
   o Allow route(8) destination/prefixlen syntax for IPv6 routes.
   o ASCII packet dumping support in tcpdump(8).
   o Better etherip and BGP protocol support in tcpdump(8).
   o isakmpd(8) and tcpdump(8) now recognize additional Internet Key Exchange
     DH groups.
   o Various improvements in iked(8) including support for retransmits.
   o ipsecctl(8) now allows SA lifetimes to be specified in its ipsec.conf(5)
     file.
   o tftpd(8) rewritten as a persistent, non-blocking daemon.
   o tftp(1) client now supports IPv6.
   o snmpd(8) now supports PF-MIB, UCD-DISKIO-MIB, and additional OIDs in
     HOST-RESOURCES-MIB.
   o bgpd(8) is now more robust when encountering network instability.
   o Adjust the bgpd(8) route decision code to cover checks needed due to route
     reflection.
   o Various fixes to improve error reporting in bgpd(8) including support of
     RFC 6608.
   o For debugging purposes bgpctl(8) can load MRT dumps into bgpd(8).
   o Fixed distribution of MPLS VPN routes in bgpd(8).
   o Introduced a new option "selected" to the bgpctl(8) "show rib" command to
     show only selected routes.
   o Correctly support the LSA_TYPE_AREA_OPAQ and LSA_TYPE_AS_OPAQ types in
     ospfd(8).
   o Make relayd(8) able to handle transactions larger than 2GB in size.
   o Various bug fixes and better HTTP standard compliance in relayd(8).
   o rtadvd(8) can now advertise DNS servers and search paths in router
     advertisements.
   o rtadvd(8) can now send router advertisements with no prefix information
     using the noifprefix option.
   o ftp(1) client now allows the source IP address of the connection to be
     specified.
   o ypldap(8) now handles larger directories and is more tolerant when
     processing groups.
   o Added support for AF_INET6 to inet_net_pton(3) and inet_net_ntop(3).

 - pf(4) improvements:
   o pf(4) now ignores/preserves the lower 2 bits of the tos-header (used for
     Explicit Congestion Notification).
   o Allow more than 16 pflog(4) interfaces.
   o pf(4) now supports weighted least-states load balancing.
   o The prio and tos options are now part of the "set { }" block. See
     pf.conf(5).
   o Allow setting the tos on IPv6 packets.
   o Better demotion handling in pfsync(4) to prevent failovers without having
     a full state table.
   o Fixed printing of wildcard anchors in pfctl(8).

 - Assorted improvements:
   o Added nginx(8), an HTTP server, reverse proxy server and mail proxy server.
   o Added SQLite 3.7.13, a self-contained SQL database engine.
   o libpcap has been updated with several core functions from tcpdump.org's
     libpcap-1.2.0 API, without the clutter.
   o Disabled SSLv2 in OpenSSL.
   o Moved libtool(1) into the base system. Much work remains to be done.
   o Removed lint(1).
   o Removed the raid(4) RAIDframe driver and its corresponding raidctl(8)
     utility. RAIDframe has been superseded by softraid(4).
   o Added posix_spawn(3).
   o Added mbsnrtowcs(3) and wcsnrtombs(3).
   o Added getdelim(3) and getline(3).
   o More configuration variables for sysconf(3) and pathconf(2).
   o dirfd(3) is now a function instead of a macro.
   o posix_memalign(3) supports arbitrarily large alignments.
   o Improved realloc(3) performance.
   o ld.so(1) recognizes the DF_1_NOOPEN flag and refuses to dlopen(3) shared
     objects linked with "-z nodlopen".
   o Improved compliance and/or cleanliness of header files, particularly
     <dirent.h>, <time.h>, <sys/time.h>, <limits.h>, <arpa/inet.h>,
     <netinet/in.h>, and <sys/param.h>.
   o Improved kernel uvm memory allocator.
   o Added support for using AMT to provide console-over-Ethernet (c.f. the
     amtterm package).
   o Improved support for amd64 systems with many memory extents.
   o compat_linux(8) improvements: TLS-vs-clone and futex fixes, added support
     for statfs64(), tgkill(), gettid(), SOCK_CLOEXEC, and SOCK_NONBLOCK.
   o kdump(1) improvements, including the ability to show thread IDs and
     dumping of timespec, timeval, sigaction, rlimit, sigset, clockid, and fdset
     arguments and results.
   o Various improvements in smtpd(8): reliability fixes, new MTA client, new
     scheduler and improved queue logic, simplified smtpd.conf(5) syntax,
     better RFC compliance and several cosmetic changes.
   o The mg(1) emacs-like editor now supports cscope functionality. Also,
     backup files can now be saved to a user's home directory in addition to the
     current working directory.
   o Fixed operation of kvm_getfile2() (and therefore fstat(1) and pstat(8)) on
     kernel crash dumps.
   o Improved emacs-style key bindings and handling of large arrays in ksh(1).
   o halt(8) disables "suspend-on-lid-close" so that you don't accidentally
     suspend instead of shutting down.
   o Improvements to parallel make(1): added the .CHEAP and .EXPENSIVE special
     targets and fixed glitches in already-rebuilt logic.
   o The libusb package is able to access non-ugen(4) devices for some
     operations, allowing e.g. programming YubiKeys with a standard kernel.
   o Various improvements in tmux(1): a new unified tree view to select
     sessions or windows, new move-pane and renumber-windows commands, a history
     of pane layouts, simple output rate limiting, and custom formats (-F) have
     been extended and are now accepted by more commands.
   o fsck_msdos(8) now works on devices with non-512 byte sectors.
   o quotacheck(8) now works with DUID based fstab(5) files.
   o Numerous minor improvements to fdisk(8), including more sanity checking and
     better default partition sizing on large disks.
   o dhclient(8) now discards trailing NULs in option data, and in general
     parses option data with more paranoia.
   o Various improvements to dhclient(8) startup and timeout handling.
   o disklabel(8) does a better job of calculating physical memory during
     partition auto-allocation of devices with non-512 byte sectors.
   o SCSI errors are now correctly propagated to userland, e.g. mount(2) now
     reports specific errors such as trying to mount RW filesystems from RO
     media.
   o Improved FAT media handling: autorecognize such media even if the 0x55aa
     signature is missing and prevent the writing of an OpenBSD disklabel over
     the FAT data structures.
   o The MS-DOS FAT filesystem implementation gained a significant write
     speedup for large files (up to twice as fast).

 - OpenSSH 6.1:
    o New features:
      - sshd(8): This release turns on pre-auth sandboxing sshd by default for
        new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
      - sshd-keygen(1): Add options to specify starting line number and number
        of lines to process when screening moduli candidates, allowing
        processing of different parts of a candidate moduli file in parallel.
      - sshd(8): The Match directive now supports matching on the local
        (listen) address and port upon which the incoming connection was
        received via LocalAddress and LocalPort clauses.
      - sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
        and {Allow,Deny}{Users,Groups}.
      - Add support for RFC6594 SSHFP DNS records for ECDSA key types. (bz#1978)
      - sshd-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8.
      - sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
        an argument to refuse all port-forwarding requests.
      - sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile.
      - sshd-keyscan(1): Look for ECDSA keys by default. (bz#1971)
      - sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
        to append some arbitrary text to the server SSH protocol banner.
    o The following significant bugs have been fixed in this release:
      - sshd(8) and ssh(1): Don't spin in accept() in situations of file
        descriptor exhaustion. Instead back off for a while.
      - sshd(8) and ssh(1): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs
        as they were removed from the specification. (bz#2023)
      - sshd(8): Handle long comments in config files better. (bz#2025)
      - ssh(1): Delay setting tty_flag so RequestTTY options are correctly
        picked up. (bz#1995)
      - sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
        on platforms that use login_cap.

 - Over 7,600 ports, major performance and stability improvements in
   the package build process:
   o dpb got simpler and faster. Handles distfiles, works without any options.
   o Simpler and less error-prone mechanisms for handling MD differences.
   o dpb is now used for mirroring distfiles, to the great joy of
     ftp://ftp.openbsd.org/pub/OpenBSD/distfiles/
   o full databases of all ports available as packages:
     - pkglocatedb - a locate(1) database of all files in all packages
     - sqlports - a sqlite3(1) database of all meta-info for all packages
     - ports-readmes - a tree of html files for browsing thru available packages

 - Many pre-built packages for each architecture:
    o i386: 7483                      o sparc64: 6820
    o alpha: 5993                     o sh: 2412
    o amd64: 7439                     o powerpc: 7050
    o sparc: 4466                     o arm: 5802
    o hppa: 6316                      o vax: 2279
    o mips64: 5845                    o mips64el: 5908

 - Some highlights:
    o Gnome 3.4.2                     o KDE 3.5.10
    o Xfce 4.10                       o MySQL 5.1.63
    o PostgreSQL 9.1.4                o Postfix 2.9.3
    o OpenLDAP 2.3.43 and 2.4.31      o GHC 7.0.4
    o Mozilla Firefox 3.5.19, 3.6.28 and 13.0.1
    o Mozilla Thunderbird 13.0.1      o LibreOffice 3.5.5.3
    o Emacs 21.4, 22.3 and 23.4       o Vim 7.3.154
    o PHP 5.2.17 and 5.3.14           o Python 2.5.4, 2.7.3 and 3.2.3
    o Ruby 1.8.7.370 and 1.9.3.194    o Tcl/Tk 8.5.11
    o Jdk 1.7                         o Mono 2.10.9
    o Chromium 20.0.1132.57           o Groff 1.21
    o Go 1.0.2                        o GCC 4.6.3 and 4.7.1
    o LLVM/Clang 3.1                  o Lua 5.1.5 and 5.2.1

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.12.2 + patches,
      freetype 2.4.10, fontconfig 2.8.0, Mesa 7.10.3, xterm 279,
      xkeyboard-config 2.6 and more)
    o Gcc 4.2.1 (+ patches) and 2.95.3 (+ patches)
    o Perl 5.12.2 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o Nginx 1.2.2 (+ patches)
    o OpenSSL 1.0.0f (+ patches)
    o SQLite 3.7.13 (+ patches)
    o Sendmail 8.14.5, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)
    o Less 444 (+ patches)
    o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.1
and 5.2, look at

        http://www.OpenBSD.org/plus52.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.2 FTP/CD-ROM binaries and the actual 5.2
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.2 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Aquarela do Linux".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#52

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.2 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell T-shirts and polo shirts,
with new and old designs, available from our web ordering system.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/5.2/ftplist

   As of Nov 1, 2012, the following ftp mirror sites have the 5.2 release:

        ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.2/       Stockholm, Sweden
        ftp://ftp.bytemine.net/pub/OpenBSD/5.2/         Oldenburg, Germany
        ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.2/       Zurich, Switzerland
        ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.2/       Paris, France
        ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.2/      Vienna, Austria
        ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.2/     Brisbane, Australia
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.2/      CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.2/     CA, USA

        The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/5.2/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/5.2/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme88k/         src.tar.gz
        Changelogs/      ftplist          packages/        sys.tar.gz
        HARDWARE         hp300/           ports.tar.gz     tools/
        PACKAGES         hppa/            root.mail        vax/
        PORTS            i386/            sgi/             xenocara.tar.gz
        README           landisk/         socppc/          zaurus/
        alpha/           macppc/          sparc/
        amd64/           mvme68k/         sparc64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    cd52.iso        floppyB52.fs    pxeboot*
        INSTALL.linux   cdboot*         floppyC52.fs    xbase52.tgz
        MD5             cdbr*           game52.tgz      xetc52.tgz
        base52.tgz      cdemu52.iso     index.txt       xfont52.tgz
        bsd*            comp52.tgz      install52.iso   xserv52.tgz
        bsd.mp*         etc52.tgz       man52.tgz       xshare52.tgz
        bsd.rd*         floppy52.fs     misc52.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install52.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install52.iso file (roughly 250MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.2 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/5.2/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.2 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.2/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.2/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.2/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Landry Breuil, Michael Erdely, Stuart Henderson,
Peter Hessler, Paul Irofti, Antoine Jacoutot, Sebastian Reitenbach,
and Christian Weisgerber.  System builds by Theo de Raadt and Miod
Vallat. X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.2 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexander Schrijver,
    Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
    Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
    Austin Hook, Benoit Lecocq, Bob Beck, Brandon Mercer, Bret Lambert,
    Brett Mahar, Bryan Steele, Camiel Dobbelaar, Can Erkin Acar,
    Charles Longeau, Christian Weisgerber, Christiano F. Haesbaert,
    Claudio Jeker, Damien Bergamini, Damien Miller, Darren Tucker,
    David Coppa, David Gwynne, David Krause, Edd Barrett, Eric Faurot,
    Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
    Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jakob Schlyter, Janne Johansson, Jason George, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Knight,
    Joel Sing, Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Jordan Hargrave, Joshua Elsasser, Joshua Stein,
    Kenji Aoyama, Kenneth R Westerback, Kirill Bychkov, Kurt Miller,
    Landry Breuil, Laurent Fanis, Lawrence Teo, Luke Tymowski,
    Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martin Pieuchot, Martynas Venckus,
    Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
    Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
    Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther,
    Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel,
    Robert Nagy, Ryan Freeman, Ryan Thomas McBride, Sasano,
    Sebastian Benoit, Sebastian Reitenbach, Simon Perreault,
    Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
    Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst,
    Theo de Raadt, Tobias Stoeckmann, Tobias Weingartner,
    Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
    Yasuoka Masahiko, Yojiro Uo

Todd C. Miller | 31 Oct 16:35 2012

OpenBSD mailing list policy change

Since its inception, the OpenBSD mailing lists have allowed postings
from any address, regardless of whether or not the sender was a
member of the mailing list.  As the years have gone by, more and
more spam has gotten through, evading both grey listing and
SpamAssassin.

To address this problem, the OpenBSD list server will start requiring
that posts be made from an address that is subscribed to the mailing
list, or an address that is marked as an "alias" in the sender's
majordomo settings.  Messages that don't meet these criteria will
have to be confirmed by the sender (not the moderator) via an
automated message sent by the list server.

This change will take effect the morning of November 1, shortly
after OpenBSD 5.2 is released.

I realize that there are a number of people who post from an address
different from the one that they are subscribed with.  It is easy
to add extra addresses as "aliases" in your majordomo settings which
will allow you to post from that address without requiring confirmation.
The simplest way to do this is via the web interface at

    https://lists.openbsd.org/cgi-bin/mj_wwwusr?func=show

After logging in, if you scroll down past your subscriptions list
you will see a section titled "Other E-mail Addresses".  Simply
enter the address you wish to post from in the "Other address:" box
and click the "alias" button.

For those of you who read the lists via alternate means (web-based
list archive, Usenet, carrier pigeon, etc), if you wish to be able
to post to a list without confirming each message you will need to
subscribe so that you are "known" to majordomo.  You can set the
"delivery class" on the settings page (same url as above) to "no
messages" if you do not wish to receive postings via email.

Alias additions and delivery settings can also be changed via the
email interface if you are so inclined.  Send majordomo@openbsd.org
"help alias" and/or "help set" commands to receive the relevant
help files.

 - todd

