OpenBSD 5.7 highlights
The OpenBSD 5.7 release is still a month away, but the changes have been done for some time. The release page lists lots of changes, though certainly not all, and sometimes it’s hard to tell the big changes from the small changes. Annoying perhaps, but rewarding to someone who reads through the entire list looking for hidden gems. A few notes about changes I found personally interesting.
USB 3.0 may qualify as the headline hardware feature. The blue ports work at last, even though they aren’t even blue anymore. Owners of newer laptops are likely happy to see the iwm driver for the latest generation of Intel wireless chips.
Lots of hash function related changes. MD5 in many contexts has been replaced by SHA512. For the most part, MD5 was harmless, but now it even looks harmless at first inspection. SipHash was introduced and replaces the hash function for many hash table lookups. In some cases, the previous function was XOR, so this is a pretty substantial improvement. DES crypt moved ever closer to the attic. Most userland programs will no longer operate on traditional password hashes.
memcpy checks for overlap. After earlier experiences dealing with the fallout, there was some question of whether to leave the abort enabled for release. We’d like the release to be stable, but not everyone tests snapshots. Releases bring greater exposure. So the abort is still there. Switching back and forth would draw out the process. Eventually, after enough time has passed without trouble, we can switch back to the optimized version without the check. But since at least one problem has already been reported after the 5.7 source was tagged, it may be a while.
The PIE conversion is now complete for many archs, including static binaries.
The etc sets are now gone. All the sample
/etc files are now included in the base set. This should make sysmerge must easier and faster in the future, since there will be many fewer conflicts to resolve. On the other hand, even rc and rc.conf are now overwritten, so it’s not possible to maintain local mods without additional work. This makes sense, though, since
/etc/rc is as much a part of the base system as
/sbin/init. You don’t want to be running a five year old edition.
fdisk now zaps the GPT, which hopefully resolves some of the “OpenBSD broke my disk” bug reports with (imo) broken BIOSes.
Assorted coolness: signify seems to be working out, so gzsig can go away. At one point, long ago, gzsig seemed like a path towards signing releases and packages. httpd is probably closer to ready; it was a little raw in 5.6. man is now actually mandoc.
There was some LibreSSL activity of course, bringing in new features, some good (ALPN), some sucky (SCSV).