Intro

Exciting times! OpenBSD 7.7 has been released, time to upgrade.

It was actually released a couple of days ago, but to be honest I felt the process was a little scary. Not to spoil anything but it was quite uneventful. I also wanted to wait a little to see some other reports on the upgrade process, and they seemed to be all positive.

The upgrade

I made sure everything was up to date first by running syspatch and pkg_add -Uu, and then finally the big sysupgrade.

I don’t know if I was unlucky with the mirror I hit, or if there simply was a lot of traffic when I tried, but the download process took some time. Downloading base77.tgz which is only 483 MB took over 5 minutes.

Fetching from https://cdn.openbsd.org/pub/OpenBSD/7.7/amd64/
SHA256.sig   100% |*************************************|  2324       00:00
Signature Verified
BUILDINFO    100% |*************************************|    54       00:00
Verifying old sets.
INSTALL.amd64 100% |************************************| 44889       00:00
base77.tgz   100% |*************************************|   483 MB    05:26
bsd          100% |*************************************| 31152 KB    00:16
bsd.mp       100% |*************************************| 31257 KB    00:08
bsd.rd       100% |*************************************|  4687 KB    00:04
comp77.tgz   100% |*************************************| 81731 KB    00:22
game77.tgz   100% |*************************************|  2746 KB    00:00
man77.tgz    100% |*************************************|  8265 KB    00:05
xbase77.tgz  100% |*************************************| 60706 KB    00:11
xfont77.tgz  100% |*************************************| 23021 KB    00:09
xserv77.tgz  100% |*************************************| 20074 KB    00:07
xshare77.tgz 100% |*************************************|  4554 KB    00:04
Verifying sets.
Fetching updated firmware.
fw_update: add none; update none; keep intel
Upgrading.

I hurried to log on to the console to watch the process. After the reboot it detected that it should do an update, and continued to boot from a ramdisk.

Using drive 0, partition 3.
Loading......
probing: pc0 com0 mem[638K 1022M a20=on]
disk: hd0+
>> OpenBSD/amd64 BOOT 3.67
upgrade detected: switching to /bsd.upgrade
(...)
OpenBSD 7.7 (RAMDISK_CD) #613: Sun Apr 13 08:35:08 MDT 2025
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056952320 (1007MB)
avail mem = 1018798080 (971MB)
random: good seed from bootblocks
mainbus0 at root

There was some capitalized text about something to do with the date; I guess I should look into that. Nevertheless, it continued the update, answering the questions with some script, I guess.

root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 7.7 installation program.
Performing non-interactive upgrade...
Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
Force checking of clean non-root filesystems? [no] no

Then it installed all the sets, relinked the kernel, which took quite some time, and showed the “congratulations” message before rebooting again.

Installing bsd          100% |**************************| 31152 KB    00:01
Installing bsd.rd       100% |**************************|  4687 KB    00:00
Installing base77.tgz   100% |**************************|   483 MB    01:05
Installing comp77.tgz   100% |**************************| 81731 KB    00:29
Installing man77.tgz    100% |**************************|  8265 KB    00:08
Installing game77.tgz   100% |**************************|  2746 KB    00:00
Installing xbase77.tgz  100% |**************************| 60706 KB    00:10
Installing xshare77.tgz 100% |**************************|  4554 KB    00:08
Installing xfont77.tgz  100% |**************************| 23021 KB    00:04
Installing xserv77.tgz  100% |**************************| 20074 KB    00:03
Installing BUILDINFO    100% |**************************|    54       00:00
Location of sets? (disk http nfs or 'done') [done] done
Making all device nodes... done.
fw_update: add none; update none; keep intel
Relinking to create unique kernel... done.

CONGRATULATIONS! Your OpenBSD upgrade has been successfully completed!

syncing disks... done
vmmci0: powerdown
rebooting...

During this second boot it ran sysmerge, which stopped at sshd_config, probably because of the changes I had made, and then instructed me to run it manually. It also did a check for any new patches available, and the output was empty as there were none.

running rc.sysmerge
===> Updating /etc/changelist
===> Updating /etc/login.conf
===> Updating /etc/ssl/cert.pem
---- /etc/ssh/sshd_config unhandled, re-run sysmerge to merge the new version
starting network daemons: sshd smtpd.
running rc.firsttime
fw_update: add none; update none; keep intel
Checking for available binary patches...

After this I was greeted with the login prompt and could log in again. All in all I think it took around 15 minutes from when I ran sysupgrade until it was finished.

After logging in I had a new mail notification. Looking at it, it was the installation log showing what had been done, similar to the initial installation.

Continuing with the upgrade instructions I ran syspatch again, even though that probably wasn’t necessary because it looks like the installer did that on its own, but got an error:

syspatch: cannot apply patches while reorder_kernel is running

I’m not sure what that is compared to the relinking that was done before the reboot, but no worries. I waited a little, tried again, and no patches were found, as expected.

Then it was time to upgrade the packages: doas pkg_add -Uu which also went without a hitch.

One thing to note here is that OpenBSD is quite conservative about updating packages. I follow the stable branch for OpenBSD itself, or so is my understanding of it, meaning I installed a release and will then only install security/errata patches as they become available with syspatch. The same pattern seems to be followed for packages. So the packages I upgraded to now right after release, if there aren’t any critical issues with them, I’ll still be running the same version until the OpenBSD 7.8 release in about 6 months.

There is maybe a case for using services that are in the base system here, as they will automatically be upgraded when you upgrade the OS. They are perhaps also tested better together, to ensure they work well together.

I’ve not noticed any issues yet though, with the few extra packages I had installed, it was just a thought, and I got ahead of myself. Let’s continue.

Then finally to finish by running sysmerge: doas sysmerge -d

This showed the diff first, then this:

  Use 'd' to delete the temporary ./etc/pf.conf
  Use 'i' to install the temporary ./etc/pf.conf
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

How should I deal with this? [Leave it for later]

It was fortunately easy to answer these questions, as there weren’t major changes in the new files, so I could delete the new temporary file and keep my edits.

So then, what’s new?

That is a little hard for me to explain. There’s the release notes with changes compared to 7.6, but what it actually means in practice for me I don’t know.

Undeadly.org which calls itself “OpenBSD journal” is the one to follow for changes regarding OpenBSD, and they have this information about the release.

In general there seems to be lots of improvements here and there, driver improvements, security fixes and so on, which is nice. Will I notice a big difference running this web-server going from 7.6 to 7.7? Probably not. And I guess that is a good thing. It worked before, and it continues working now with general improvements.

The big thing I feel I can wrap my head around is the release of OpenSSH 10 which we now get in OpenBSD 7.7. In OpenSSH 9.9 the Kyber algorithm (also known as ML-KEM) was introduced, and now in OpenSSH 10 it’s been promoted to the preferred key exchange algorithm. I obviously don’t really understand any of this, but it’s said to be quantum computer resistant or even secure against quantum computer attacks, which should be a good thing.
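An added check, not part of the original post: whether the effective sshd configuration really prefers the ML-KEM hybrid key exchange after the upgrade, which is worth confirming when an edited sshd_config carried over from 7.6 contains its own KexAlgorithms line. It assumes the OpenSSH algorithm name mlkem768x25519-sha256 and the lowercase "keyword value" format printed by sshd -T; the function names and both sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: does the effective sshd config prefer the ML-KEM hybrid KEX?
# Input format assumed: `sshd -T` output, lowercase "keyword value" lines.

MLKEM_KEX="mlkem768x25519-sha256"   # OpenSSH name for the ML-KEM hybrid

# Read sshd -T output on stdin, print the comma-separated KexAlgorithms value.
kex_list() {
    awk '$1 == "kexalgorithms" { print $2; exit }'
}

# Classify a comma-separated KEX list:
#   preferred  ML-KEM hybrid is the first entry
#   offered    present, but something else is tried first
#   missing    absent, e.g. an older KexAlgorithms line pins the list
kex_status() {
    case "$1" in
        "$MLKEM_KEX"|"$MLKEM_KEX",*)     echo preferred ;;
        *,"$MLKEM_KEX"|*,"$MLKEM_KEX",*) echo offered ;;
        *)                               echo missing ;;
    esac
}

# Run both steps over a block of sshd -T style text passed as $1.
check_config() {
    printf '%s\n' "$1" | kex_list | {
        read -r list || true
        kex_status "$list"
    }
}

# Constructed samples (not captured from a real host).
SAMPLE_DEFAULT='port 22
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256
ciphers chacha20-poly1305@openssh.com'
SAMPLE_PINNED='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512'

echo "sample default config: $(check_config "$SAMPLE_DEFAULT")"
echo "sample pinned config:  $(check_config "$SAMPLE_PINNED")"
# Live system (as root): check_config "$(sshd -T)"
```

To see which algorithm a given client actually negotiates, ssh -v prints the chosen kex algorithm in its debug output.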

Another thing with the OpenSSH update is that they have split some of the binaries into smaller pieces. With this release, sshd-auth was introduced, and the purpose of it is:

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes.

Reducing the attack surface of a network service pre-authentication sounds like a good thing to me.

And as mentioned previously, new versions of packages which is nice.

To conclude then, goodbye

OpenBSD 7.6 (GENERIC) #1: Mon Feb 10 00:13:48 MST 2025

and hello

OpenBSD 7.7 (GENERIC) #619: Sun Apr 13 08:19:34 MDT 2025