OpenBSD Following -current and using snapshots


Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots.

Aggressive changes are sometimes pushed in this branch, and complications can arise when building the latest code or upgrading from a previous point in time. Some of the steps for getting over these hurdles are explained on this page. Make sure you've read and understand how to build the system from source before using -current and the instructions below.

In general, it's far easier to use snapshots, as developers will have gone through much of the trouble for you already.

You should always use a snapshot as the starting point for running -current. This process typically consists of running sysupgrade(8) with the -s flag. Alternatively, download (and verify) the appropriate bsd.rd file from the /snapshots/ directory of your preferred mirror, boot from it, and choose (U)pgrade at the prompt. Any installed packages should then be upgraded after booting into the new system.

Upgrading to -current by compiling your own source code is discouraged for everyone except for experts, as difficult build-time crossing-points can occur often, and no assistance will be provided. In case of failure, use a snapshot to recover.

Most of these changes will have to be performed as root.

2019/11/06 - unwind(8): configuration syntax change

asr has been renamed to stub in unwind.conf(5).

2019/11/15 - rpki-client(8) reuses the named uid/gid

The new _rpki-client user recycles the user and group ids of the "named" daemon user (named, uid/gid 70) which was removed in 2014. If you upgraded your system from all the way back then and never deleted the user and group, delete them and the /var/named directory:
# userdel named
# groupdel named
# rm -rf /var/named  # back up the data first if still needed
If you do not delete them before upgrading, sysmerge(8) will fail and will need to be re-run manually after deleting them.
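
The check below is an added example, not part of the OpenBSD FAQ: it scans passwd(5) and group(5) files for the leftover "named" entries, or any other entry still holding uid/gid 70, before you upgrade. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the OpenBSD FAQ): find leftovers of the old
# "named" account that collide with _rpki-client on uid/gid 70.

# scan_ids KIND FILE
# passwd(5) and group(5) both keep the name in field 1 and the numeric
# id in field 3. Prints "KIND NAME ID" per conflict, exits 1 if any.
scan_ids() {
	awk -F: -v kind="$1" '
		/^#/ || NF < 3 { next }
		$1 == "named" || ($3 == 70 && $1 != "_rpki-client") {
			print kind, $1, $3
			hits++
		}
		END { exit (hits > 0) }
	' "$2"
}

# check_named_leftovers PASSWD_FILE GROUP_FILE
# Returns 0 when no conflicting entry exists, 1 otherwise.
check_named_leftovers() {
	rc=0
	scan_ids user "$1" || rc=1
	scan_ids group "$2" || rc=1
	return "$rc"
}

# Constructed sample data: a system carried forward since before 2014.
demo=$(mktemp -d)
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/ksh' \
	'named:*:70:70:BIND Name Service Daemon:/var/named:/sbin/nologin' \
	> "$demo/passwd"
printf '%s\n' 'wheel:*:0:root' 'named:*:70:' > "$demo/group"

# On a real host, pass /etc/passwd and /etc/group instead.
check_named_leftovers "$demo/passwd" "$demo/group" ||
	echo "remove the entries listed above before upgrading"
rm -rf "$demo"
```

An entry named _rpki-client on id 70 is treated as the expected post-upgrade state and is not reported.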

2019/11/27 - unwind(8) no longer uses http to detect captive portals

unwind(8) uses a DNS-based heuristic to detect captive portals. Existing captive portal sections must be removed from /etc/unwind.conf.

2019/12/17 - usb(4) and uhid(4) changes

The default permissions of the usb(4) and uhid(4) device nodes have been changed by restricting read-write access to the root user. Run MAKEDEV to update the device nodes manually:
# cd /dev
# sh MAKEDEV all

Access to FIDO/U2F security keys is now provided by the fido(4) driver instead of uhid(4). Programs have to use /dev/fido/N instead of /dev/uhidN for U2F/FIDO.

2019/12/29 - perl updated to 5.30.1

With the update to perl 5.30.1 some files should be removed manually. Packages providing Perl XS modules will fail to work until they are built with the new version. New binary packages should be available (pkg_add -u will update them) or they can be rebuilt from ports.
# rm -rf /usr/libdata/perl5/*/Storable \
       /usr/libdata/perl5/*/arybase.pm \
       /usr/libdata/perl5/*/auto/arybase \
       /usr/libdata/perl5/B/Debug.pm \
       /usr/libdata/perl5/Locale/{Codes,Country,Currency,Language,Script}* \
       /usr/libdata/perl5/Math/BigInt/CalcEmu.pm \
       /usr/libdata/perl5/unicore/To/_PerlWB.pl \
       /usr/libdata/perl5/unicore/lib/GCB/EB.pl \
       /usr/libdata/perl5/unicore/lib/GCB/GAZ.pl \
       /usr/share/man/man3p/B::Debug.3p \
       /usr/share/man/man3p/Locale::{Codes*,Country,Currency,Language,Script}.3p \
       /usr/share/man/man3p/Math::BigInt::CalcEmu.3p \
       /usr/share/man/man3p/arybase.3p

2020/01/14 - iked(8) automatic IPv6 blocking removed

iked(8) no longer automatically blocks unencrypted outbound IPv6 packets. This feature was intended to avoid accidental leakage, but in practice was found to mostly be a cause of misconfiguration. Instead, if you would like to explicitly block these packets, add the following line to /etc/ipsec.conf (not iked.conf):
flow esp out from ::/0 to ::/0 type deny
and enable loading it with
# rcctl enable ipsec           # to load at boot
# ipsecctl -f /etc/ipsec.conf  # to load immediately
If you previously used iked(8)'s -6 flag to disable this feature, it is no longer needed and should be removed from /etc/rc.conf.local if used.

2020/01/24 - rebound(8) removed

rebound(8) has been removed. Users are advised to consider alternatives such as unwind(8).

2020/01/24 - [packages] firefox 71.0: pledge configuration change

Previously, disabling pledge was done by modifying an entry in about:config but now it is done using files in /etc/firefox as explained in the pkg-readme file, /usr/local/share/doc/pkg-readmes/firefox. Unveil has been added to firefox to restrict filesystem access by default. To grant access to additional paths or disable unveil, see the pkg-readme file.
$OpenBSD: current.html,v 1.1022 2020/01/28 11:43:29 sthen Exp $