
Tracking -STABLE and -CURRENT (OpenBSD)

2014-01-29

Live demo in BSD Now Episode 022 | Originally written by TJ for bsdnow.tv | Last updated: 2014/09/14

In most of the BSDs, there are different branches (or "versions") of the OS that you can use. Oftentimes, in addition to the normal releases, there is a development version with the latest features. In OpenBSD, there are three main flavors of the OS you can use: -release, -stable and -current. In contrast to FreeBSD, -stable is just the latest -release plus security fixes and minor improvements. All development happens in -current and then goes to a new -release after being tested. New releases of OpenBSD happen every six months. Theo gave a talk at AsiaBSDCon entitled "The OpenBSD Release Process: A Success Story" if you're interested in the details of their release engineering.


-release

Every May and November, there is a new version of OpenBSD announced and uploaded to the FTP servers. The only updates that a -release will get are security and "reliability" fixes. They're distributed as source code patches on the errata page. Errata announcements are sent out via the announce list, so you should subscribe to it. If you're running -release, you will have to manually download these patches, apply them to your /usr/src directory and rebuild whatever was affected. At the top of every patch, there are usually instructions on how to apply it and what needs to be rebuilt.

In this example, I'll apply a fix for a pretty serious OpenSSL bug in 5.5. I'm assuming you already have the source code installed.

# cd /usr/src
# ftp http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig
# signify -Vep /etc/signify/openbsd-55-base.pub -x 002_openssl.patch.sig -m - | (cd /usr/src && patch -p0)

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|
|OpenBSD 5.5 errata 2, Apr 8, 2014:  Missing bounds checking in OpenSSL's
|implementation of the TLS/DTLS heartbeat extension (RFC6520) which, if
|exploited, can result in a leak of memory contents.
|
|After patching, private keys and certificates exposed to services running
|this code (for example web/mail server SSL certificates) should be replaced
|and old certificates revoked.
|
|Only SSL/TLS services are affected.  Software that uses libcrypto alone
|is not affected.  In particular, ssh/sshd are not affected and there
|is no need to regenerate SSH host keys that have not otherwise been
|exposed.
|
|Apply patch using:
|
|    signify -Vep /etc/signify/openbsd-55-base.pub -x 002_openssl.patch.sig \
|       -m - | (cd /usr/src && patch -p0)
|
|Then build and install libssl
|
|    cd /usr/src/lib/libssl/ssl
|    make obj
|    make
|    make install
|
|Also recompile any statically-linked binaries depending on it - in
|the base OS, this is just ftp(1):
|
|    cd /usr/src/usr.bin/ftp
|    make obj
|    make clean
|    make
|    make install
|
|Then restart services which depend on SSL.
|
|Index: lib/libssl/src/ssl/d1_both.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/d1_both.c,v
|retrieving revision 1.2
|diff -u -p -r1.2 d1_both.c
|--- lib/libssl/src/ssl/d1_both.c       27 Feb 2014 21:04:57 -0000      1.2
|+++ lib/libssl/src/ssl/d1_both.c       8 Apr 2014 00:22:22 -0000
--------------------------
Patching file lib/libssl/src/ssl/d1_both.c using Plan A...
Hunk #1 succeeded at 1459.
Hunk #2 succeeded at 1499.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/t1_lib.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
|retrieving revision 1.12
|diff -u -p -r1.12 t1_lib.c
|--- lib/libssl/src/ssl/t1_lib.c        14 Feb 2013 15:11:44 -0000      1.12
|+++ lib/libssl/src/ssl/t1_lib.c        8 Apr 2014 00:22:23 -0000
--------------------------
Patching file lib/libssl/src/ssl/t1_lib.c using Plan A...
Hunk #1 succeeded at 2441.
Hmm...  Ignoring the trailing garbage.
done

Now follow the directions of the patch. In this case, that was:

# cd /usr/src/lib/libssl/ssl
# make obj
# make
# make install

Follow the other steps outlined in the instructions as well. Afterwards, just to tidy up a bit:

# rm -rf /usr/obj/* /usr/src/002_openssl.patch.sig

That's it. You'll want to verify the patches (as described in the file) before applying them. Sometimes patches require kernel rebuilds, reboots or certain services to be restarted. Only the most recent -release and the -previous release get security updates, so they basically have a one-year life cycle. Upgrading between -release versions can be done via manual steps or with a third-party script.
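
As an added example (not part of the original tutorial or of OpenBSD's own tooling), the script below splits the one-line pipeline into separate verify, review, dry-run and apply steps, so you can read the instruction header and see which files change before anything in /usr/src is touched. The function names and the sample text are assumptions made for illustration; apply_errata expects OpenBSD's signify(1) and patch(1).

```shell
#!/bin/sh
# Added example: inspect a verified errata patch before applying it.

# Instruction header: everything before the first "Index:" line.
errata_preamble() { sed '/^Index: /,$d' "$1"; }

# Source files the patch touches, relative to /usr/src.
errata_files() { sed -n 's/^Index: //p' "$1"; }

# Directories the header says to rebuild (its indented "cd /usr/..." lines).
errata_rebuild_dirs() {
    errata_preamble "$1" |
        sed -n 's#^[[:space:]]\{1,\}cd \(/usr/[^[:space:]]*\).*#\1#p'
}

# Verify, review, dry-run, apply. $1 = .sig file, $2 = release public key.
apply_errata() {
    tmp=$(mktemp) || return 1
    # signify exits non-zero on a bad signature, so nothing gets patched.
    if ! signify -Vep "$2" -x "$1" -m "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    errata_preamble "$tmp"
    echo "Files touched:"; errata_files "$tmp"
    echo "Rebuild in:";    errata_rebuild_dirs "$tmp"
    # OpenBSD patch(1): -C checks for a clean apply without modifying files.
    (cd /usr/src && patch -C -p0 <"$tmp" && patch -p0 <"$tmp")
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed sample: header text abridged from the output above, no hunks.
sample_errata() {
    cat <<'EOF'
Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 002_openssl.patch.sig \
       -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj

    cd /usr/src/usr.bin/ftp
    make obj

Index: lib/libssl/src/ssl/d1_both.c
Index: lib/libssl/src/ssl/t1_lib.c
EOF
}
```

On a real system you would call it as: apply_errata 002_openssl.patch.sig /etc/signify/openbsd-55-base.pub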


-current

The active development of OpenBSD happens in the bleeding edge -current branch. In the past, there was sometimes a way to upgrade directly from a -release to -current via source. Now, the recommended way is to start from the "appropriate binary." Doing so is fairly easy, but if you want an even easier experience, reinstall the OS from a snapshot ISO as a starting point. That is a requirement if you wish to build future -current revisions from source. It's encouraged to only use snapshots to follow -current, using bsd.rd and binary upgrades, but this tutorial outlines the method of building it from source.

I've installed the latest snapshot, so now I'll sync my system sources via AnonCVS. I want the base system as well as OpenBSD's version of X11. I'm assuming you do not currently have the system sources installed.

# cd /usr
# cvs -qd anoncvs@anoncvs.usa.openbsd.org:/cvs get -P src xenocara

Choose a mirror close to you for the best speed. Future updates of the source code can be done like so:

# cd /usr/src
# cvs -q up -Pd

Before building anything, we should check the -current updates page to see any special workarounds that are needed. The changelog may also be of interest to you. When a big change is added to the tree that requires extra instructions, it will be posted to those pages. Keep in mind that you can only go TO -current, not FROM -current back to something else. A reinstall will be required if you decide you don't want to run it anymore.

Now that we have our source tree up to date, let's go through the build process. While slightly different for some architectures, the following will work on the more common i386 and x86_64 versions of the OS. The first step is to build the new kernel.

# cd /usr/src/sys/arch/`machine`/conf
# config GENERIC.MP
# cd ../compile/GENERIC.MP
# make clean && make && make install
# reboot

Use "GENERIC" if your CPU only has one core. Once the system comes up with the new kernel, we can build the userland applications and X11. Make sure your /usr/obj and /usr/xobj directories are empty first.

# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build
# cd /usr/xenocara
# make bootstrap
# make obj
# make build
# sysmerge

You may also be required to update /dev and /etc, but those will be outlined in the aforementioned -current changelog. Let's clean up a bit and reboot into the new system.

# rm -rf /usr/xobj/*
# rm -rf /usr/obj/*
# reboot

You should now have the latest and greatest OpenBSD has to offer! Remember to upgrade your installed packages if you have any. It's also possible to binary upgrade -current whenever new snapshots are posted, avoiding the whole build process. Consider watching the source code changes mailing list to see new features and fixes added as they come in.


-stable

OpenBSD does their -stable branch a little differently than other BSDs. There are really only two branches of the OS: -current and -release (with or without patches). The -stable branch is -release plus security patches and other small fixes. The changes between -release and -stable are always very small. If you only want the security patches, just rebuild what is detailed in the previously-mentioned patch instructions. What follows assumes something else has been added and you want to rebuild the whole system, which is usually way overkill for such a small number of changes. The process is largely the same as the -current instruction set. I'm assuming you don't have the source code installed.

# cd /usr
# cvs -qd anoncvs@anoncvs.usa.openbsd.org:/cvs get -rOPENBSD_`uname -r | sed 's/\./_/'` -P src xenocara

This will check out the source branch of the currently-running version of the OS. Choose a mirror that's close to you for better speeds. Updating the source code in the future is as easy as:

# cd /usr/src
# cvs -q up -rOPENBSD_`uname -r | sed 's/\./_/'` -Pd

Next we build the kernel.

# cd /usr/src/sys/arch/`machine`/conf
# config GENERIC.MP
# cd ../compile/GENERIC.MP
# make clean && make && make install
# reboot

Use "GENERIC" if your CPU only has one core. Rebooting isn't always required for -stable, but it's included for completeness' sake. Once the system comes up with the new kernel, we can build the userland applications and X11. Make sure your /usr/obj and /usr/xobj directories are empty first.

# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build
# cd /usr/xenocara
# make bootstrap
# make obj
# make build
# sysmerge

Clean up and reboot...

# rm -rf /usr/xobj/*
# rm -rf /usr/obj/*
# reboot

That's all you need to do!
