Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| d9badc08 | 2025-04-13 20:04:02 | track upgrade.site(5) If present, this is probably the first user-specified code that runs on new systems, right in the installer even before reboot, so watch for changes. OK job | ||
| 9f1c115b | 2025-04-07 14:49:26 | only run sysctl -f if the sysctl.conf file exists (using -s) ok tb lucas | ||
| aee0bd00 | 2025-04-05 14:12:37 | replace shell parser with sysctl's new -f to apply /etc/sysctl.conf | ||
| 22339438 | 2025-03-31 17:35:28 | Support setting the new variable PASSWDSKIP in /etc/daily.local to prevent security(8) from complaining about specific accounts that have no password, typically used for services like anoncvs and gotd. In addition to improving support for gotd, this also improves security for everyone because the exception will now only exist on machines where the admin explicitly enables it. Based on an idea from stsp@; OK stsp@. (Actually, sthen@ also mentioned a similar idea in 2009, and afresh1@ indicated potential support for the general direction in 2024.) | ||
| 35409f47 | 2025-03-10 04:05:14 | Use the new syntax, listen for accounting, and use file module. | ||
| 42117123 | 2025-03-04 19:04:34 | root.mail: bump year, we're apparently in 2025 "Roads? Where we're going, we don't need roads." | ||
| 002bb7b2 | 2025-03-04 10:20:00 | fix day of the week | ||
| 10fc8ac3 | 2025-03-01 19:44:07 | move to 7.7-beta | ||
| 1e32fabb | 2025-03-01 15:22:01 | mips64: Bump build datasize for LLVM 19 OK deraadt@ | ||
| d997cf94 | 2025-02-28 20:21:07 | fix comment header for "Building ports with DPB uses raised limits" on amd64, in alignment with other sections in this file and all other archs | ||
| af136ac2 | 2025-02-22 06:48:19 | add 7.8 syspatch key | ||
| 48dd2004 | 2025-02-21 23:05:35 | 7.8 packages key | ||
| 5f804832 | 2025-02-21 20:55:53 | 7.8 base key | ||
| 9e68f358 | 2025-02-21 19:27:40 | add 7.8 firmware key | ||
| 1d2dd358 | 2025-02-21 10:19:52 | Remove acme-challenge location from HTTPS server configuration as RFC8555 8.3 explicitly states that the challenge must be over HTTP. From Lucas de Sena (lucas AT seninha.org), thanks! ok sdk@ | ||
| 46a4264a | 2025-02-19 21:36:02 | Use installboot -c in the installer such that a freshly installed or upgraded system will boot from the disk we installed on. ok deraadt@, kn@ | ||
| 2e876759 | 2025-02-05 20:45:00 | Add AS26597 to LACNIC allowlist Seems the hole got filled OK tb@ | ||
| 1e57e084 | 2025-01-28 19:43:10 | Add allow for AS112 Project IPv6 prefix to ARIN's constraints OK tb@ | ||
| ce222dd0 | 2025-01-17 00:20:15 | Finally include ARIN's RPKI Trust Anchor Locator Backstory: We strive to provide a source distribution that can be freely used, copied, modified, and redistributed by anyone and for any purpose. Unfortunately, up until now, several legal barriers stopped us from distributing the ARIN TAL. The main legal obstacles stemmed from the terms and conditions in the Relying Party Agreement (RPA) governing access to ARIN's RPKI repository and the way ARIN tried to ensure that agreement was binding. Originally, ARIN used a cumbersome email-based method of RPA acceptance. Then in 2016, ARIN moved to a browser user interface-based "clickwrap" method via their website, requiring affirmative assent via a mouse-click. In 2019, a new approach was offered where ARIN encouraged software distributors to pass through restrictive terms in irksome pop-ups during installation; this we also deemed unworkable. In 2022, this "Redistributor RPA" was subsumed in a single RPA, but without material change to the mechanics, and the terms remained a showstopper. Over the years various people suggested ARIN to adopt an "AS IS" disclaimer of warranties. In 2024, Job Snijders authored a modified version of the BSD license and proposed ARIN to include it in the optional comment section in the TAL file format. In 2025 ARIN updated its TAL to include this disclaimer. After more than a decade of iterations, this public key now is available to the public in an unencumbered fashion and can serve its main purpose, a purpose that can only occur through immensely widespread distribution. Some pointers for historic context: 2012 - https://web.archive.org/web/20130127143807/https://www.arin.net/resources/rpki/rpa.pdf 2015 - https://web.archive.org/web/20150203184532/https://www.arin.net/public/rpki/tal/index.xhtml 2017 - https://lists.arin.net/pipermail/arin-ppml/2017-January/031231.html 2017 - https://www.arin.net/vault/about/welcome/board/meetings/20170405/exhibit_d.pdf 2018 - https://mailman.nanog.org/pipermail/nanog/2018-September/097161.html 2019 - https://papers.ssrn.com/sol3/Papers.cfm?abstract_id=3308619 2019 - https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/yoo_rpki.pdf 2019 - https://www.arin.net/vault/announcements/20191021/ 2019 - https://www.theregister.com/2019/10/28/arin_rpki_open_source/ 2022 - https://www.arin.net/vault/announcements/20220926/ 2022 - https://www.arin.net/vault/announcements/20220929/ 2025 - https://www.arin.net/announcements/20250116-tal/ OK tb@ claudio@ deraadt@ | ||
| 853e987b | 2025-01-16 09:39:40 | Bump datasize of build user to 2000M on sparc64. LLVM19 llvm-tblgen needs around 1900M during a make build so this should give use a bit of air. OK tb@ | ||
| bfeff85e | 2025-01-09 08:43:21 | regen | ||
| 4fcc5b99 | 2025-01-08 23:09:25 | Increase the default count of /dev/videoX from 2 to 4 It's quite common for a laptop to have a visible light camera, an infrared camera, or both, in addition to a camera connected via USB. OK: sthen@ ratchov@ mglocker@ armani@ | ||
| 7dd88e41 | 2024-12-21 14:12:45 | ld.lld now needs 9GB of ram to link firefox/libxul.so on riscv64 | ||
| 4cf1cdd0 | 2024-12-18 16:00:26 | Make the example bgpd.conf work with 4byte ASN out of the box. Use local-as in community and large-community stanzas since that will be expanded at runtime. For communities that only work with 2byte ASN the filter will never match (or nothing will be set / deleted) since a 4byte ASN can never match. We want an bgpd.conf example ruleset that is sensible, works and is a good starting point for beginners. In other words we should not add traps to the config. OK deraadt@ job@ | ||
| 52e728d0 | 2024-12-04 13:16:26 | use kmem(4) instead of "all memory" which has more information about what exactly is allowed, and specifically refers to allowkmem (and that it permits both /dev/mem and /dev/kmem). discussed with deraadt | ||
| 9b8b48b5 | 2024-12-04 10:14:14 | Mention kern.allowdt and kern.allowkmem in examples/sysctl.conf. From espie, ok claudio mpi | ||
| ca433cef | 2024-12-04 06:01:23 | Bump datasize-cur for the pbuild user on sparc64 so that we can build llvm 18. ok sthen | ||
| f651b06a | 2024-11-29 00:13:36 | Import regenerated moduli. | ||
| ececade9 | 2024-11-02 16:55:44 | add the build user to the build login class now that enough time has passed since the addition of that class ok deraadt@ | ||
| bb54ed3d | 2024-11-02 09:43:12 | Update APNIC trust anchor constraints The IANA IPv6 Global Unicast Address Assignments registry has been updated to reflect the allocation of the following block to APNIC: 2410::/12 APNIC 2024-11-01 the registry is at: https://www.iana.org/assignments/ipv6-unicast-address-assignments/ OK sthen@ | ||
| 9923fb39 | 2024-10-31 22:14:04 | track dhcp6leased uuid; OK florian | ||
| 1b590ae1 | 2024-10-29 21:03:09 | Include cdXX.iso in MDEXT on arm64 ok deraadt@ | ||
| 91e742ee | 2024-10-22 22:23:21 | rc: Use the correct path to sshd-auth's relink kit From Josiah Frentsos <jfrent AT tilde.team> OK tb | ||
| a5ae96e3 | 2024-10-15 00:08:27 | grow i386 media a bit | ||
| 115810f9 | 2024-10-14 02:46:50 | sshd-auth also has a relink kit | ||
| ce178b85 | 2024-10-12 07:36:52 | introduce a new build class to be used by the build user this class will be required for the upcoming llvm update that requires bumped datasize because of llvm-tblgen ok deraadt@ | ||
| 35fe2a76 | 2024-10-09 15:42:56 | Get trust anchor via unbound-checkconf(8) This tool knows our default config path and '-o auto-trust-anchor-file' prints the actually set path, if any, regardless of whether exists. Use that to generate it rather than a best-effort grep/hardcoded path. OK sthen | ||
| a69ebb35 | 2024-09-30 14:31:56 | change release date | ||
| 4f37b6d8 | 2024-09-29 14:36:13 | sync synopsis and usage, sort commands, fix their spacing OK input lucas | ||
| 95790570 | 2024-09-23 20:54:01 | Replace `&&' with `if' for proper $? handling; OK lucas iked and isakmpd guard against themselves with "return 0" as rc.subr(8) checks rc_pre()'s return code and aborts daemo start iff non-zero, but that isn't needed if we use ksh properly. | ||
| 2dcab2a6 | 2024-09-23 20:44:24 | zap redundant "|| return 1"; OK lucas unbound-checkconf(8) itself exits 1 on error already. | ||
| ee503ce9 | 2024-09-18 11:29:55 | back to previous plan | ||
| 39dae566 | 2024-09-18 02:43:54 | adjust date | ||
| 88baa316 | 2024-09-03 09:36:12 | regen | ||
| 48fdf972 | 2024-09-03 09:35:46 | For AMD SEV create /dev/psp. To call ioctl(2) for the platform security processor (PSP), vmd(8) needs a device file. It is currently linked to the cryptographic co-processor ccp(4). We may split this into a separate psp(4) device. from hshoexer@; input jsg@ | ||
| d2e81d51 | 2024-08-29 12:58:57 | draft-ietf-v6ops-rfc3849-update turned into RFC9637, adjust comment | ||
| c19afa09 | 2024-08-26 22:54:21 | calendars are so hard | ||
| 39cd50f5 | 2024-08-21 07:06:27 | Import regenerated moduli. | ||
| 74154050 | 2024-08-16 06:42:21 | add 7.7 syspatch pubkey | ||
| 2d33a48f | 2024-08-15 10:25:25 | add 77-fw pubkey | ||
| 9e043578 | 2024-08-12 19:40:17 | xkbcomp 1.7.0 moved its data files from lib/X11 to share/X11 | ||
| 6d453ff9 | 2024-08-09 14:57:06 | 7.7 packages key | ||
| 90885033 | 2024-08-07 23:03:24 | old keys can go away | ||
| 67c00f17 | 2024-08-07 23:02:48 | add 7.7 base key | ||
| 64c8f752 | 2024-08-07 15:59:24 | crank to 7.6-beta, release date is vague | ||
| ba9b1da2 | 2024-08-04 20:06:04 | bump datasize for armv7's pbuild user, some software has grown over the years OK jca@ | ||
| 4efb5f0a | 2024-07-24 19:28:37 | Add 5f00::/16 segment routing SRv6 SIDs prefix to example bogon list "In SRv6, SR source nodes initiate packets with a segment identifier in the Destination Address of the IPv6 header, and SR segment endpoint nodes process a local segment present in the Destination Address of an IPv6 header." https://www.iana.org/assignments/iana-ipv6-special-registry/ https://datatracker.ietf.org/doc/html/draft-ietf-6man-sids OK phessler@ | ||
| 76917c93 | 2024-07-24 18:56:57 | 3fff::/20 has been set aside as an additional documentation prefix Per https://www.iana.org/assignments/iana-ipv6-special-registry/ and https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-rfc3849-update OK phessler@ claudio@ | ||
| a6b235b6 | 2024-07-14 09:39:15 | Add /usr/X11R6/include/va. ok tb@ | ||
| a523645b | 2024-07-12 12:35:32 | Recommend veb(4) instead of bridge(4). bridge(4) has weird interactions with traffic crossing the bridge. Missing change after updating the faq pointed out by ajacoutot OK dv | ||
| ec5358ab | 2024-07-04 05:06:58 | Revert "Make daily(8) reporting services that are running" Stop daily(8) mails with false information on rogue services. OK florian@, solene@ | ||
| 0fbf39a0 | 2024-06-30 17:30:52 | delete dhclient(8). ipv4 dhcp leases have been acquired by the always-running-in-background dhcpleased(8) for a while, which is activated per-interface with "ifconfig $if autoconf', or "ifconfig $if inet autoconf", or with "inet autoconf" in /etc/hostname.$if dhclient(8) has done execve(3) of ifconfig(8) to handle this for a while, so everyone has moved to the dhcpleased(8) method ok florian | ||
| bb7daed8 | 2024-06-04 18:13:23 | services: add matrix-fed tcp port 8448 registered at IANA since last august for Matrix Federation Protocol https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8448 ok djm@ solene@ | ||
| 28d450f0 | 2024-06-03 10:07:27 | Track changes to dhcp6leased.conf looks correct to deraadt | ||
| 060ceba5 | 2024-06-03 10:06:35 | etc bits for dhcp6leased looks correct to deraadt | ||
| b32d40bd | 2024-06-02 12:32:33 | user, group & /var/db/dhcp6leased for dhcpleased(8) typo spotted by ccappuc Input & OK deraadt | ||
| ae8ed1c1 | 2024-05-30 14:29:05 | sem_open() uses /tmp/*.sem files. Exclude them from /tmp daily cleanup like is already done for /tmp/*.shm used by libc. ok millert@ tb@, same diff landry@ | ||
| 821b7f42 | 2024-05-17 00:33:43 | run the sshd-session link kit also | ||
| 068b29ca | 2024-05-16 11:33:59 | Make daily(8) reporting services that are running but not enabled in rc.conf.local(8) wording by jmc@ ok schwarze@ florian@ | ||
| e9beec88 | 2024-05-08 15:30:26 | - for pwraction, point to acpibtn(4) - for lidaction, document the value 0 - for lidaction, adjust the description to a format similar to that of pwraction ok kettenis deraadt | ||
| e81b35ef | 2024-04-17 14:31:59 | Sync RPKI Trust Anchor constraints to nro-delegated-stats Turns out that registry at https://www.iana.org/assignments/as-numbers/as-numbers.xml is an incomplete one, where only 'new' assignments are listed. In the past this registry used to list all ASNs, but the RIRs asked IANA to revert to not being very detailed... There is another source of truth, the 'nro-delegated-stats' file at https://ftp.ripe.net/pub/stats/ripencc/nro-stats/latest/nro-delegated-stats this is updated daily and composed of information from each RIR. Summary of changes: * LACNIC manages a more ASNs than previously known: - allow those ASNs for LACNIC - deny those for RIPE, APNIC, ARIN * AFRINIC's allow list was good (compared to nro-delegated-stats), but the full set of AfriNIC ASNs wasn't denylisted for RIPE, ARIN, APNIC. OK tb@ | ||
| 5ee01a3f | 2024-04-09 11:13:51 | Remove the "cubie" miniroot. There are far more popular armv7 boards with Allwinner SoCs and the presence of this particular miniroot is making it hard to update U-Boot. ok jsg@ | ||
| 39a11509 | 2024-04-02 08:21:04 | also relink ssh-agent | ||
| abe7e67a | 2024-03-31 10:14:46 | Regen | ||
| 86970818 | 2024-03-31 10:14:35 | Fix /dev/bio major. | ||
| 36cf69b3 | 2024-03-30 07:35:01 | program relinking currently uses a Makefile.relink inside the re-link kit. For sshd (the only relinked program at the moment), this file is created in an extremely nasty way. It'll be better if we have a proper clean install.sh script, which I've built for sshd. But let's first commit the change to /etc/rc which will handle that in the near future. ok djm | ||
| 3d0ad41c | 2024-03-26 01:23:11 | Import regenerated moduli. | ||
| f6444559 | 2024-03-23 04:18:56 | Expand ASN range for LACNIC LACNIC received a new block of ASNs from IANA https://mail.lacnic.net/pipermail/lacnog/2024-March/009690.html OK tb@ | ||
| 6a1ce0f2 | 2024-03-13 10:02:37 | mail(1) is very sensitive to spacing in the header, and sometimes when we manually edit this file we forget that. noticed by naddy | ||
| d1483037 | 2024-03-04 08:37:40 | fix weekday | ||
| 90280a8f | 2024-03-03 18:24:07 | better estimate | ||
| c51145c5 | 2024-02-29 22:21:21 | An empty file /var/account/acct in etc.tgz simplifies accounting. OK deraadt@ | ||
| a81e9577 | 2024-02-22 08:35:38 | add 7.6 syspatch public key | ||
| 21cabe6c | 2024-02-20 15:30:54 | add 7.6 fw key | ||
| 7d92a13a | 2024-02-17 22:33:06 | 7.6 packages key | ||
| b7f1152f | 2024-02-17 16:27:29 | delete old keys | ||
| 950548fb | 2024-02-17 16:27:21 | add 7.6 base key, commiting myself to another 6 months | ||
| de8ea3c7 | 2024-02-17 16:13:24 | move to 7.5-beta | ||
| 5a77c2f7 | 2024-02-11 01:31:28 | firefall -> firewall, from Joel Carnat | ||
| e1e64b41 | 2024-01-30 03:40:01 | Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs OK tb@ | ||
| 9c93d01c | 2024-01-17 08:26:06 | Zap trailing space. from Kirill Miazine, thanks. | ||
| a03fa7cf | 2024-01-04 09:51:49 | Import regenerated moduli. | ||
| e006e8e6 | 2023-12-31 16:05:50 | Increase datasize to 1536 MB for running llvm-tblgen on i386. Fixes build in src/gnu/usr.bin/clang/include/llvm/AMDGPU. OK semarie@ | ||
| 49a7a16f | 2023-12-26 13:36:18 | Align the other RIRs with the recent clarifications from AFRINIC Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files (since no resources can be transferred from AFRINIC to any other RIRs). OK tb@ | ||
| 5568aeed | 2023-12-19 08:10:19 | Add markers OK tb@ | ||
| 654e8744 | 2023-12-15 16:59:48 | Run non-daemons services in a different process group to avoid SIGHUP at boot 12 factors apps and similar don't daemonize and are thus vulnerable to receiving a SIGHUP signal at the end of /etc/rc. Shield them by running them in a different process group. Do this only for services that need rc_bg=Yes, as suggested by ajacoutot@ There have been several reports about this issue in the past years, the last one being from edd@ who successfully tested this fix. Input from several folks, ok sthen@ ajacoutot@ | ||
| 592bd543 | 2023-12-15 10:17:40 | Sync limits with octeon. | ||
| 0b77ea89 | 2023-12-14 12:26:03 | Constrain the AFRINIC TA further Today AFRINIC clarified its actual current resource holdings by issuing a new CA certificate in response to a report on overclaiming: https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html OK tb@ | ||
| b44517b3 | 2023-12-14 09:13:00 | For historical reasons, APNIC ended up with a v6 block for IX assignments carved out of a larger block assigned to RIPE NCC OK tb@ | ||
| 668419e1 | 2023-12-13 11:34:56 | Impose constraints on RPKI Trust Anchors See https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors for more information. Tested for a few months. OK tb@ claudio@ |