OpenBSD 5.5 Released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

OpenBSD 5.5 Released

Philip Guenther-3
May 1, 2014.

We are pleased to announce the official release of OpenBSD 5.5.
This is our 35th release on CD-ROM (and 36th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.5 provides significant improvements,
including new features, in nearly all areas of the system:

 - time_t is now 64 bits on all platforms.
    o From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run
      well beyond Tue Jan 19 03:14:07 2038 UTC.
    o The entire source tree (kernel, libraries, and userland programs)
      has been carefully and comprehensively audited to support 64-bit
      time_t.
    o Userland programs that were changed include arp(8), bgpd(8),
      calendar(1), cron(8), find(1), fsck_ffs(8), ifconfig(8), ksh(1),
      ld(1), ld.so(1), netstat(1), pfctl(8), ping(8), rtadvd(8), ssh(1),
      tar(1), tmux(1), top(1), and many others, including games!
    o Removed time_t from network, on-disk, and database formats.
    o Removed as many (time_t) casts as possible.
    o Format strings were converted to use %lld and (long long) casts.
    o Uses of timeval were converted to timespec where possible.
    o Parts of the system that could not use 64-bit time_t were converted
      to use unsigned 32-bit instead, so they are good till the year 2106.
    o Numerous ports throughout the ports tree received time_t fixes.

 - Releases and packages are now cryptographically signed with the
   signify(1) utility.
    o The installer will verify all sets before installing.
    o Installing without verification works, but is discouraged.
    o Users are advised to verify the installer (bsd.rd, install55.iso,
      etc.) ahead of time using the signify(1) tool if available.
    o pkg_add(1) now only trusts signed packages by default.

 - Installer improvements:
    o The installer now supports a scriptable auto-installation method
      that enables unattended installation and upgrades using a response
      file.
    o Disk images which can be written to a USB flash drive (miniroot55.fs
      [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) are now
      provided for amd64 and i386.
    o Rewritten installboot(8) utility aiming for a unified implementation
      across platforms (currently used by amd64 and i386 only).
    o The installer now parses nwids with embedded blanks correctly.

 - New/extended platforms:
    o OpenBSD/alpha:
      - Multiprocessor support.
    o OpenBSD/aviion
      - First self-hosting release for 88100-based AViiON systems.
    o OpenBSD/armv7 replaces OpenBSD/beagle.

 - Improved hardware support, including:
    o New vmx(4) driver for VMware VMXNET3 Virtual Interface Controller
      devices.
    o New vmwpvs(4) driver for VMware Paravirtual SCSI.
    o New vioscsi(4) driver for VirtIO SCSI adapters.
    o New viornd(4) driver for VirtIO random number devices.
    o New ubcmtp(4) driver for Broadcom multi-touch trackpads found on
      newer Apple MacBook, MacBook Pro, and MacBook Air laptops.
    o New ugold(4) driver for TEMPer gold HID thermometers.
    o New ugl(4) driver for Genesys Logic based USB host-to-host adapters.
    o radeondrm(4) has been overhauled, including:
      - New port of the Radeon code in Linux 3.8.13.19.
      - Support for Kernel Mode Setting (KMS) including support for
        additional output types such as DisplayPort.
      - wsdisplay(4) now attaches to radeondrm(4) and provides a
        framebuffer console.
    o inteldrm(4) has been updated to Linux 3.8.13.19 notably bringing
      Haswell stability fixes.
    o Support for Intel 8 Series Ethernet with i217/i218 PHYs, and
      i210/i211/i354 has been added to em(4).
    o Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has
      been added to iwn(4).
    o Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214,
      ARC-1264, and ARC-1284 has been added to arc(4).
    o Support for Elantech v2 touchpads in pms(4) has been fixed.
    o Support for 802.11a (5Ghz) has been added to wpi(4).
    o Workarounds for firmware stability issues have been added to
      wpi(4), iwi(4), and iwn(4).
    o Support for RT3572 chips has been added to the ral(4) driver.
    o Support for RTL8106E chips has been added to the re(4) driver.
    o Support for RTS5229 card readers has been added to rtsx(4).
    o Support for Microsoft XBox 360 controllers has been added to the
      uhid(4) driver.
    o Support for CoreChip RD9700 USB Ethernet devices has been added to
      the udav(4) driver.
    o Further reliability improvements regarding suspend/resume and
      hibernation.
    o Enabled IPv6 transmit TCP/UDP checksum offload in jme(4).

 - Generic network stack improvements:
    o Added vxlan(4), a virtual extensible local area network tunnel
      interface.
    o pflow(4) now sends 64 bit time values for pflowproto 10. The changed
      templates / flows for pflowproto 10 are now parsable by existing
      receivers.
    o Continued improvement of the checksum offload framework to
      streamline the calculation of TCP, UDP, ICMP, and ICMPv6 checksums.
    o Enabled IPv6 routing domain support.

 - Routing daemons and other userland network improvements:
    o The popa3d POP3 server has been removed.
    o Added ntpctl(8), a program to control the Network Time Protocol
      daemon.
    o slowcgi(8) now works with a high number of concurrent connections.
    o The inetd-based identd has been replaced by a new libevent-based
      identd(8).
    o tcpdump(8) can now detect bad ICMP and ICMPv6 checksums when used
      with the -v flag.
    o Added rdomain support to IPv6 configuration tools ndp(8), rtsold(8),
      ping6(8), and traceroute6(8).
    o Added SNMPv2 client support to snmpctl(8) ("get", "walk", and
      "bulkwalk").
    o relayd(8) now supports TLS Perfect Forward Secrecy (PFS) with ECDHE
      (Elliptic Curve Diffie-Hellman) that is enabled by default.

 - pf(4) improvements:
    o New queueing system with new syntax.
    o The "received-on" parameter can now be used with the "any" keyword
      to match any existing interface except loopback ones.
    o The block policy in the default pf.conf(5) is now "block return".

 - dhcpd(8) and dhclient(8) improvements:
    o No longer create a route to the bound address via 127.0.0.1.
    o The options dhcp-lease-time, dhcp-rebinding-time, and
      dhcp-renewal-time can now be configured in dhclient.conf(5).
    o 'next-server' (a.k.a. siaddr) info now saved in lease files.
    o Fall back to broadcasting when unicast renewal fails, as
      specified in RFC 2131 and friends.
    o Fix various problems in communications between privileged and
      non-privileged processes.
    o Fix many abuses of memcpy.
    o Stop pretending we still support FDDI or token ring hardware
      types.
    o Fix classless static routes option handling and add syntax to
      parse human readable forms.
    o Fix 'effective' lease created by '-L' to have correct address,
      next_server, timestamp, and resolv_conf fields.
    o Fix handling of non-printable characters in lease file strings.
    o Fix many edge cases in config file and lease parsing and ensure
      error messages refer to correct position in erroneous line.
    o dhclient.conf(5) can now override anything in an offer or saved
      lease when creating the effective lease, in particular
      'fixed-address', 'next-server', 'filename' and 'server-name'.
    o Fix parsing of dhclient.conf(5) statements 'fixed-address' and
      'next-server'.
    o Log failures to fchmod() or fchown() files being written.
    o Create lease files with permissions 0640.
    o Fix possible failure to write resolv.conf(5) when -L is used.
    o 'send dhcp-client-identifier "";' in dhclient.conf(5) will result
      in no dhcp-client-identifier (option 61) being sent.

 - iked(8) improvements:
    o Support for OCSP ("Online Certificate Status Protocol"); enable
      with "set ocsp URL".
    o Support for RSA public key authentication as an alternative to
      X.509 certificates or pre-shared keys.
    o Support for DPD ("Dead Peer Detection") similar to the
      implementation in isakmpd(8).
    o Support for dynamic IP address assignment from a pool in
      configuration mode; enabled with "config address net/pool-prefix".
    o Initial support for IPComp.
    o Various improvements and a thorough audit of the network input path.

 - OpenSMTPD 5.4.2 (includes changes to 5.4.1):
    o Introduce initial support for DSN extension:
      - NOTIFY=SUCCESS, NOTIFY=FAILURE, NOTIFY=DELAY, NOTIFY=NEVER
      - RET=HDRS, RET=FULL
    o Introduce initial support for ENHANCEDSTATUSCODES extension:
      - smtp process returns Enhanced Status Codes for most commands.
      - other processes now have an API to return more precise codes ...
      - ... which will be improved further with each version.
    o Improved smtpctl(8):
      - sendmail mode now supports DSN parameters
      - Can now pause/resume a source address -> destination domain route.
      - Can now display status of processes with smtpctl show status.
      - show relays: displays list of currently active relays.
      - show routes: displays status of routes currently known by smtpd.
      - show hosts: displays list of known remote MX.
      - show hoststats: display status of last delivery for active domains.
      - resume route: resumes route temporarily disable by the MTA.
      - pause/resume envelope: allows pausing individual envelopes.
      - pause/resume message: allows pausing individual messages.
      - encrypt: allows generating credentials suitable for authentication.
      - show message/envelope is now compression/encryption aware.
    o Introduced SNI support.
    o Improved configuration file:
      - Removed last known ambiguity in grammar.
      - Much simpler configuration for TLS-enabled hosts.
      - Most parameters are now swappable in listen and accept rules.
      - Conditions may be negated (ie: accept from ! <trusted> ...)
      - Forward-only rules can be declared to impose ~/.forward files.
      - New "recipient" keyword allows accept rule to provide a whitelist.
      - Sender and recipient tables accept wildcard in their domains.
    o TLS generic improvements:
      - Support for TLS Perfect Forward Secrecy.
      - Support for providing custom CA certificates.
    o MTA improvements:
      - mta may now require remote hosts to present valid certificates.
      - Always attempt TLS before falling back to plaintext.
      - Always present certificate if one is available.
      - AUTH LOGIN now supported.
      - MTA can now specify a EHLO-hostname when relaying.
    o SMTP server improvements:
      - IPv4-only and IPv6-only listeners are now possible.
      - Listeners may now hide the From part in a Received-line.
      - Listeners may require clients to provide a valid certificate.
      - Banner hostname can now be dynamically fetched from a table.
    o Queue improvements:
      - Introduce an envelope cache in the queue to improve disk-IO pattern.
    o Documentation:
      - table(5) describes format for static, file and db backends.
      - sendmail(8) describes our "sendmail" interface.
    o Reduced memory usage in both general and stressed cases.
    o OpenSMTPD now automagically upgrades queue if the format changes!
    o Support Qmail-like "sticky home".
    o Support for authenticating users from a credentials table.
    o Introduce passwd(5) table backend for user and credentials lookup.
    o Expansion variables in ~/.forward now support modifiers.
    o Much more efficient scheduler!
    o Many documentation fixes and improvements.
    o And a lot of minor bug fixes and internal cleanup!

 - Security improvements:
    o Position-independent executables (PIE) are now used by default on
      i386.
    o The arc4random(3) functions now use the ChaCha20 cipher.
    o The kernel random number system is initially seeded by the
       bootloader, providing better random very early.
    o -Wbounded is now enabled in GCC by default.
    o Added explicit_bzero(3).

 - Performance improvements:
    o Relations between the buffer cache and swap daemon have been
      improved.

 - Threading improvements:
    o Interprocess semaphores via sem_open(3).
    o Running threaded processes under a debugger no longer causes
      panics.
    o SIGPROF and SIGVTALRM are now reliably delivered to the thread
      that was running when they were triggered.
    o Thread stacks now have a random bias.
    o fork(2) no longer changes the pthread_t of the forking thread in
      the child.
    o Signaling races eliminated from pthread_kill(3) and
      pthread_cancel(3).

 - Assorted improvements:
    o New in-memory file system, tmpfs.
    o Many fuse(4) improvements and stability fixes.
    o Added POSIX-required nl(1) utility.
    o OpenBSD/vax has switched to GCC 3.
    o Replaced getdirentries(2) with getdents(2), vastly improving the
      performance and memory usage of telldir(3).
    o amd64 and i386 now use the MWAIT instruction for their idle loop
      where available to reduce latency.
    o Added support for CLOCK_UPTIME.
    o Added tcgetsid(3).
    o clock_t is now a 64 bit type, so it no longer wraps around in only
      248 days.
    o ino_t is now a 64 bit type, mostly to support large NFS
      filesystems.
    o Corrected handling of UTIME_OMIT.
    o pax(1) now sets the mode and timestamps correctly on symlinks, and
      makes hardlinks to symlinks when requested.
    o Corrected handling of shared library destructors when libc is
      statically linked.
    o Corrected various disk drivers to handle non-512-byte sectors and
      disk sizes greater than 32-bits.
    o Corrected growfs(8) to handle non-512-byte sectors and disk sizes
      greater than 32-bits.
    o All CIRCLEQ uses replaced with TAILQ.
    o Preserve and honour changes to the OpenBSD bounds in a disklabel.
    o fdisk(8) now always writes a good signature when the MBR is written
      to disk.
    o disklabel(8) now writes the disklabel to the correct location on
      non-512-byte sector devices.
    o Correctly parse nwid's with embedded blanks during install.
    o Fix athn(4) tick calculations to eliminate excessive timeouts.
    o Allow disklabel(8) to set any partition, including 'C', to type
      UNUSED.
    o New sha512(1) tool to calculate and verify the SHA-512 checksums
      of files.
    o sha256(1) and related tools (cksum(1), md5(1), sha1(1), and
      sha512(1)) now support a new -h flag to place the checksum into a
      specified hash file instead of stdout.
    o sha256(1) and related tools now support a new -C flag that allows
      the verification of selected files in a checklist.
    o sha256(1) and related tools will now print MISSING if they
      encounter non-existent files in a checklist.
    o i386 and amd64 platforms can now boot from keydisk-based
      softraid(4) crypto volumes.
    o Allow softraid(4) to work with partitions larger than 2TB.
    o Removed experimental RAID 4 support from softraid(4).
    o Added experimental support for rebuilding RAID 5 softraid(4)
      volumes. Lots of testing is still required and there is missing
      functionality, such as the ability to resume a partially completed
      rebuild. bioctl(8) refuses to create RAID 5 volumes unless
      recompiled with -DRAID5.
    o The uhts(4) driver has been merged into ums(4).
    o Many new checks were added to portcheck(1) utility; now it catches
      almost every popular mistake that was observed in ports in recent
      years.

 - OpenSSH 6.6 (including changes to 6.5, a feature-focused release):
    o Security:
      - sshd(8): when using environment passing with a sshd_config(5)
        AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
        tricked into accepting any enviornment variable that contains
        the characters before the wildcard character.
    o New/changed features:
      - ssh(1), sshd(8): Add support for key exchange using
        elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519.
        This key exchange method is the default when both the client
        and server support it.
      - ssh(1), sshd(8): Add support for ED25519 as a public key type.
        ED25519 is a elliptic curve signature scheme that offers better
        security than ECDSA and DSA and good performance. It may be used
        for both user and host keys.
      - Add a new private key format that uses a bcrypt KDF to better
        protect keys at rest. This format is used unconditionally for
        ED25519 keys, but may be requested when generating or saving
        existing keys of other types via the -o ssh-keygen(1) option. We
        intend to make the new format the default in the near future.
        Details of the new format are in the PROTOCOL.key file.
      - ssh(1), sshd(8): Add a new transport cipher
        "[hidden email]" that combines Daniel Bernstein's
        ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
        encryption mode. Details are in the PROTOCOL.chacha20poly1305
        file.
      - ssh(1), sshd(8): Refuse RSA keys from old proprietary clients
        and servers that use the obsolete RSA+MD5 signature scheme. It
        will still be possible to connect with these clients/servers but
        only DSA keys will be accepted, and OpenSSH will refuse
        connection entirely in a future release.
      - ssh(1), sshd(8): Refuse old proprietary clients and servers that
        use a weaker key exchange hash calculation.
      - ssh(1): Increase the size of the Diffie-Hellman groups requested
        for each symmetric key size. New values from NIST Special
        Publication 800-57 with the upper limit specified by RFC 4419.
      - ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
        X.509 certs instead of raw public keys. (requested as bz#1908)
      - ssh(1): Add a ssh_config(5) Match keyword that allows conditional
        configuration to be applied by matching on hostname, user and
        result of arbitrary commands.
      - ssh(1): Add support for client-side hostname canonicalisation
        using a set of DNS suffixes and rules in ssh_config(5). This
        allows unqualified names to be canonicalised to fully-qualified
        domain names to eliminate ambiguity when looking up keys in
        known_hosts or checking host certificate names.
      - sftp-server(8): Add the ability to whitelist and/or blacklist
        sftp protocol requests by name.
      - sftp-server(8): Add a sftp "[hidden email]" to support
        calling fsync(2) on an open file handle.
      - sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY
        allocation, mirroring the longstanding no-pty authorized_keys
        option.
      - ssh(1): Add a ssh_config(5) ProxyUseFDPass option that supports
        the use of ProxyCommands that establish a connection and then
        pass a connected file descriptor back to ssh(1). This allows the
        ProxyCommand to exit rather than staying around to transfer data.
      - ssh(1), sshd(8): this release removes the J-PAKE authentication
        code. This code was experimental, never enabled and had been
        unmaintained for some time.
      - ssh(1): when processing Match blocks, skip 'exec' clauses other
        clauses predicates failed to match.
      - ssh(1): if hostname canonicalisation is enabled and results in
        the destination hostname being changed, then re-parse
        ssh_config(5) files using the new destination hostname. This
        gives 'Host' and 'Match' directives that use the expanded
        hostname a chance to be applied.

 - Ports and packages:
    o Over 8,700 ports.
    o Major overhaul of the package tools, resulting in much better
      memory usage.
    o pkg_add(1) now only trusts signed packages only by default.
    o The build process now allows some limited capability for building
      conflicting packages, yielding KDE 4 packages as a result, along
      with KDE 3 ones.

 - Many pre-built packages for each architecture:
    o i386:   8468                    o sparc64:  7969
    o alpha:  6199                    o sh:       345
    o amd64:  8534                    o powerpc:  8057
    o sparc:  4681                    o arm:      6181
    o hppa:   6549                    o vax:      1007
    o mips64: 4726                    o mips64el: 6730
    o m68k:   3270                    o m88k:     1258

 - Some highlights:
    o GNOME 3.10.2                    o KDE 3.5.10 and 4.11.5
    o Xfce 4.10                       o MySQL 5.1.73
    o PostgreSQL 9.3.2                o Postfix 2.11.0
    o OpenLDAP 2.3.43 and 2.4.38      o GHC 7.6.3
    o Mozilla Firefox 24.3 and 26.0   o LibreOffice 4.1.4.2
    o Mozilla Thunderbird 24.3.0      o Vim 7.4.135
    o Emacs 21.4 and 24.3             o Python 2.7.6 and 3.3.2
    o PHP 5.3.28 and 5.4.24           o Mono 2.10.9
    o Ruby 1.8.7.374, 1.9.3.484, 2.0.0.353 and 2.1.0
    o Tcl/Tk 8.5.15 and 8.6.1         o Groff 1.22.2
    o JDK 1.6.0.32 and 1.7.0.21       o GCC 4.6.4 and 4.8.2
    o Chromium 32.0.1700.102          o Go 1.2
    o LLVM/Clang 3.3                  o Node.js 0.10.24

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.14.5 + patches,
      freetype 2.5.2, fontconfig 2.10.91, Mesa 9.2.5, xterm 301,
      xkeyboard-config 2.10.1 and more)
    o Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.16.3 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o Nginx 1.4.4 (+ patches)
    o OpenSSL 1.0.1c (+ patches)
    o SQLite 3.8.0.2 (+ patches)
    o Sendmail 8.14.8, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o NSD 4.0.1
    o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Heimdal 1.5.2 (+ patches)
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)
    o Less 444 (+ patches)
    o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.4
and 5.5, look at

        http://www.OpenBSD.org/plus55.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.5 FTP/CD-ROM binaries and the actual 5.5
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html
Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        http://www.OpenBSD.org/mail.html
OpenBSD 5.5 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Wrap in Time".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#55

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.5 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o macppc
  o sparc64
  o sparc
  o vax

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/donations.html
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
[hidden email] for more information.
The OpenBSD distribution companies also sell tshirts and polo shirts,
with new and old designs, available from our web ordering system.
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/5.5/ftplist

   As of May 1, 2014, the following ftp mirror sites have the 5.5 release:

        ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.5/       Stockholm, Sweden
        ftp://ftp.bytemine.net/pub/OpenBSD/5.5/         Oldenburg, Germany
        ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.5/       Zurich, Switzerland
        ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.5/       Paris, France
        ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.5/      Vienna, Austria
        ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.5/     Brisbane, Australia
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.5/      CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.5/     CA, USA

        The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/5.5/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/5.5/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/           luna88k/         socppc/
        Changelogs/      aviion/          macppc/          sparc/
        HARDWARE         ftplist          mvme68k/         sparc64/
        PACKAGES         hp300/           mvme88k/         src.tar.gz
        PORTS            hppa/            octeon/          sys.tar.gz
        README           i386/            packages/        tools/
        alpha/           index.txt        ports.tar.gz     vax/
        amd64/           landisk/         root.mail        xenocara.tar.gz
        armish/          loongson/        sgi/             zaurus/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    bsd.rd*         floppyB55.fs    miniroot55.fs
        INSTALL.linux   cd55.iso        floppyC55.fs    pxeboot*
        SHA256          cdboot*         game55.tgz      xbase55.tgz
        SHA256.sig      cdbr*           index.txt       xetc55.tgz
        base55.tgz      comp55.tgz      install55.fs    xfont55.tgz
        bsd*            etc55.tgz       install55.iso   xserv55.tgz
        bsd.mp*         floppy55.fs     man55.tgz       xshare55.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install55.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install55.iso file (roughly 250MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.5 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/5.5/tools
      directory to do so.
X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.
The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.5 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the nginx web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided.  Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/5.5/PACKAGES) for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/5.5/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.5/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Landry Breuil, Stuart Henderson, Peter Hessler,
Nick Holland, Paul Irofti, Sebastian Reitenbach, Miod Vallat, and
Christian Weisgerber.  System builds by Jasper Lievisse Adriaanse,
Kenji Aoyama, Theo de Raadt, Nick Holland, and Miod Vallat.
X11 builds by Jasper Lievisse Adriaanse, Kenji Aoyama, Todd Fries,
Nick Holland, and Miod Vallat.  ISO-9660 filesystem layout by
Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.5 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexandr Shadchin,
    Alexandre Ratchov, Andrew Fresh, Anthony J. Bentley,
    Antoine Jacoutot, Austin Hook, Benoit Lecocq, Bob Beck, Brad Smith,
    Brandon Mercer, Brett Mahar, Brian Callahan, Bryan Steele,
    Camiel Dobbelaar, Charles Longeau, Chris Cappuccio,
    Christian Ehrhardt, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Damien Miller, Darren Tucker, David Coppa,
    David Gwynne, Edd Barrett, Eric Faurot, Federico G. Schwindt,
    Florian Obser, Gerhard Roth, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin,
    Igor Sobrado, Ingo Schwarze, Jakob Schlyter, James Turner,
    Janne Johansson, Jason McIntyre, Jasper Lievisse Adriaanse,
    Jeremie Courreges-Anglas, Jeremy Evans, Jim Razmus II, Joel Knight,
    Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joshua Elsasser, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kenji Aoyama, Kenneth R Westerback,
    Kirill Bychkov, Kurt Miller, Landry Breuil, Laurent Fanis,
    Lawrence Teo, Luke Tymowski, Marc Espie, Marco Pfatschbacher,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martin Pelikan,
    Martin Pieuchot, Martin Reindl, Martynas Venckus, Masao Uebayashi,
    Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
    Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Naoya Kaneko, Nayden Markatchev, Nicholas Marriott, Nick Holland,
    Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf,
    Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Raphael Graf, Remi Pointel,
    Renato Westphal, Reyk Floeter, Robert Nagy, Robert Peichaer,
    Ryan Freeman, Ryan Thomas McBride, Sasano Takayoshi,
    Sebastian Benoit, Sebastian Reitenbach, Simon Perreault,
    Stefan Fritsch, Stefan Sperling, Stephan Rickauer, Steven Mestdagh,
    Stuart Cassoff, Stuart Henderson, Sylvestre Gallon, Ted Unangst,
    Theo de Raadt, Tobias Stoeckmann, Tobias Ulmer, Todd C. Miller,
    Todd Fries, Uwe Stuehler, Vadim Zhukov, Will Maier,
    William Yodlowsky, Yasuoka Masahiko, Yojiro Uo