OpenBSD 6.3 Released - Apr 2, 2018

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

OpenBSD 6.3 Released - Apr 2, 2018

Theo de Raadt-2
The release was scheduled for April 15, but since all the components
are ready ahead of schedule it is being released now.

- OpenBSD 6.3 RELEASED -------------------------------------------------

Apr 15, 2018.

We are pleased to announce the official release of OpenBSD 6.3.
This is our 44th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.3 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o SMP support on OpenBSD/arm64 platforms.
    o VFP and NEON support on OpenBSD/armv7 platforms.
    o New acrtc(4) driver for X-Powers AC100 audio codec and Real Time
    o New axppmic(4) driver for X-Powers AXP Power Management ICs.
    o New bcmrng(4) driver for Broadcom BCM2835/BCM2836/BCM2837 random
      number generator.
    o New bcmtemp(4) driver for Broadcom BCM2835/BCM2836/BCM2837
      temperature monitor.
    o New bgw(4) driver for Bosch motion sensor.
    o New bwfm(4) driver for Broadcom and Cypress FullMAC 802.11 devices
      (still experimental and not compiled into the kernel by default).
    o New efi(4) driver for EFI runtime services.
    o New imxanatop(4) driver for i.MX6 integrated regulator.
    o New rkpcie(4) driver for Rockchip RK3399 Host/PCIe bridge.
    o New sxirsb(4) driver for Allwinner Reduced Serial Bus controller.
    o New sxitemp(4) driver for Allwinner temperature monitor.
    o New sxits(4) driver for temperature sensor on Allwinner A10/A20
      touchpad controller.
    o New sxitwi(4) driver for two-wire bus found on several Allwinner
    o New sypwr(4) driver for the Silergy SY8106A regulator.
    o Support for Rockchip RK3328 SoCs has been added to the dwge(4),
      rkgrf(4), rkclock(4) and rkpinctrl(4) drivers.
    o Support for Rockchip RK3288/RK3328 SoCs has been added to the
      rktemp(4) driver.
    o Support for Allwinner A10/A20, A23/A33, A80 and R40/V40 SoCs has
      been added to the sxiccmu(4) driver.
    o Support for Allwinner A33, GR8 and R40/V40 SoCs has been added to
      the sxipio(4) driver.
    o Support for SAS3.5 MegaRAIDs has been added to the mfii(4) driver.
    o Support for Intel Cannon Lake and Ice Lake integrated Ethernet has
      been added to the em(4) driver.
    o cnmac(4) ports are now assigned to different CPU cores for
      distributed interrupt processing.
    o The pms(4) driver now detects and handles reset announcements.
    o On amd64 Intel CPU microcode is loaded on boot and
      installed/updated by fw_update(1).
    o Support the sun4v hypervisor interrupt cookie API, adding support
      for SPARC T7-1/2/4 machines.
    o Hibernate support has been added for SD/MMC storage attached to
      sdhc(4) controllers.
    o clang(1) is now used as the system compiler on armv7, and it is
      also provided on sparc64.

 - vmm(4)/ vmd(8) improvements:
    o Add CD-ROM/DVD ISO support to vmd(8) via vioscsi(4).
    o vmd(8) no longer creates an underlying bridge interface for
      virtual switches defined in vm.conf(5).
    o vmd(8) receives switch information (rdomain, etc) from underlying
      switch interface in conjunction of settings in vm.conf(5).
    o Time Stamp Counter (TSC) support in guest VMs.
    o Support ukvm/Solo5 unikernels in vmm(4).
    o Handle valid (but uncommon) instruction encodings better.
    o Better PAE paging support for 32-bit Linux guest VMs.
    o vmd(8) now allows up to four network interfaces in each VM.
    o Add paused migration and snapshotting support to vmm(4) for AMD
      SVM/RVI hosts.
    o BREAK commands sent over a pty(4) are now understood by vmd(8).
    o Many fixes to vmctl(8) and vmd(8) error handling.

 - IEEE 802.11 wireless stack improvements:
    o The iwm(4) and iwn(4) drivers will automatically roam between
      access points which share an ESSID. Forcing a particular AP's MAC
      address with ifconfig's bssid command disables roaming.
    o Automatically clear configured WEP/WPA keys when a new network
      ESSID is configured.
    o Removed the ability for userland to read configured WEP/WPA keys
      back from the kernel.
    o The iwm(4) driver can now connect to networks with a hidden SSID.
    o USB devices supported by the athn(4) driver now use an open source
      firmware, and hostap mode now works with these devices.

 - Generic network stack improvements:
    o The network stack no longer runs with the KERNEL_LOCK() when IPsec
      is enabled.
    o Processing of incoming TCP/UDP packets is now done without
    o The socket splicing task runs without KERNEL_LOCK().
    o Cleanup and removal of code in sys/netinet6 since
      autoconfiguration runs in userland now.
    o bridge(4) members can now be prevented to talk to each others with
      the new protected option.
    o The pf divert-packet feature has been simplified. The IP_DIVERTFL
      socket option has been removed from divert(4).
    o Various corner cases of pf divert-to and divert-reply are more
      consistent now.
    o Enforce in pf(4) that all neighbor discovery packets have 255 in
      their IPv6 header hop limit field.
    o New set syncookies option in pf.conf(5).
    o Support for GRE over IPv6.
    o New egre(4) driver for Ethernet over GRE tunnels.
    o Support for the optional GRE key header and GRE key entropy in
      gre(4) and egre(4).
    o New nvgre(4) driver for Network Virtualization using Generic
      Routing Encapsulation.
    o Support for configuring the Don't Fragment flag packets
      encapsulated by tunnel interfaces.

 - Installer improvements:
    o if or fails, notify the user and error
      out after storing rand.seed.
    o allow CIDR notation when entering IPv4 and IPv6 addresses.
    o repair selection of a HTTP mirror from the list of mirrors.
    o allow '-' in usernames.
    o ask a question at the end of the install/upgrade process so
      carriage return causes the appropriate action, e.g. reboot.
    o display the mode (install or upgrade) shell prompts as long as no
      hostname is known.
    o correctly detect which interface has the default route and if it
      was configured via DHCP.
    o ensure sets can be read from the prefetch area.
    o ensure URL redirection is effective for entire install/upgrade.
    o add the HTTP proxy used when fetching sets to rc.firsttime, where
      fw_update and syspatch can find and use it.
    o add logic to support RFC 7217 with SLAAC.
    o ensure that IPv6 is configured for dynamically created network
      interfaces like vlan(4).
    o create correct hostname when both domain-name and domain-search
      options are provided in the DHCP lease.

 - Routing daemons and other userland network improvements:
    o bgpctl(8) has a new ssv option which outputs rib entries as a
      single semicolon-separated like for selection before output.
    o slaacd(8) generates random but stable IPv6 stateless
      autoconfiguration addresses according to RFC 7217. These are
      enabled per default in accordance with RFC 8064.
    o slaacd(8) follows RFC 4862 by removing an artificial limitation on
      /64 sized prefixes using RFC 7217 (random but stable) and RFC 4941
      (privacy) style stateless autoconfiguration addresses.
    o ospfd(8) can now set the metric for a route depending on the
      status of an interface.
    o ifconfig(8) has a new staticarp option to make interfaces reply to
      ARP requests only.
    o ipsecctl(8) can now collapse flow outputs having the same source
      or destination.
    o The -n option in netstart(8) no longer messes with the default
      route. It is now documented as well.

 - Security improvements:
    o Use even more trap-sleds on various architectures.
    o More use of .rodata for constant variables in assembly source.
    o Stop using x86 "repz ret" in dusty corners of the tree.
    o Introduce "execpromises" in pledge(2).
    o The elfrdsetroot utility used to build ramdisks and the rebound(8)
      monitoring process now use pledge(2).
    o Prepare for the introduction of MAP_STACK to mmap(2) after 6.3.
    o Push a small piece of KARL-linked kernel text into the random
      number generator as entropy at startup.
    o Put a small random gap at the top of thread stacks, so that
      attackers have yet another calculation to perform for their ROP
    o Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs.
    o OpenBSD/arm64 now uses kernel page table isolation to mitigate
      Spectre variant 3 (Meltdown) attacks.
    o OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer
      (BTB) on processors that do speculative execution to mitigate
      Spectre variant 2 attacks.
    o pool_get(9) perturbs the order of items on newly allocated pages,
      making the kernel heap layout harder to predict.
    o The fktrace(2) system call was deleted.

 - dhclient(8) improvements:
    o Parsing dhclient.conf(5) no longer leaks SSID strings, strings
      that are too long for the parsing buffer or repeated string
      options and commands.
    o Storing leases in dhclient.conf(5) is no longer supported.
    o 'DENY' is no longer valid in dhclient.conf(5).
    o dhclient.conf(5) and dhclient.leases(5) parsing error messages
      have been simplified and clarified, with improved behaviour in the
      presence of unexpected semicolons.
    o More care is taken to only use configuration information that was
      successfully parsed.
    o '-n' has been added, which causes dhclient(8) to exit after
      parsing dhclient.conf(5).
    o Default routes in options classless-static-routes (121) and
      classless-ms-static-routes (249) are now correctly represented in
      dhclient.leases(5) files.
    o Overwrite the file specified with '-L' rather than appending to
    o Leases in dhclient.leases(5) now contain an 'epoch' attribute
      recording the time the lease was accepted, which is used to
      calculate correct renewal, rebinding and expiry times.
    o No longer nag about underscores in names violating RFC 952.
    o Unconditionally send host-name information when requesting a
      lease, eliminating the need for dhclient.conf(5) in the default
    o Be quiet by default. '-q' has been removed and '-v' added to
      enable verbose logging.
    o Decline duplicate offers for the requested address.
    o Unconditionally go into the background after link-timeout seconds.
    o Significantly reduce logging when being quiet, but make '-v' log
      all debug information without needing to compile a custom
    o Ignore 'interface' statements in dhclient.leases(5) and assume all
      leases in the file are for the interface being configured.
    o Display the source of the lease bound to the interface.
    o 'ignore', 'request' and 'require' declarations in dhclient.conf(5)
      now add the specified options to the relevant list rather than
      replacing the list.
    o Eliminate a startup race that could result in dhclient(8) exiting
      without configuring the interface.

 - Assorted improvements:
    o Code reorganization and other improvements to malloc(3) and
      friends to make them more efficient.
    o When performing suspend or hibernate operations, ensure all
      filesystems are properly synchronized and marked clean, or if they
      cannot be put into perfectly clean state on disk (due to
      open+unlinked files) then mark them dirty, so that a failed
      resume/unhibernate is guaranteed to perform fsck(8).
    o acme-client(1) autodetects the agreement URL and follows 30x HTTP
    o Added __cxa_thread_atexit() to support modern C++ tool chains.
    o Added EVFILT_DEVICE support to kqueue(2) for monitoring changes to
      drm(4) devices.
    o ldexp(3) now handles the sign of denormal numbers correctly on
    o New sincos(3) functions in libm.
    o fdisk(8) now ensures the validity of MBR partition offsets entered
      while editing.
    o fdisk(8) now ensures that default values lie within the valid
    o less(1) now splits only the environment variable LESS on '$'.
    o less(1) no longer creates a spurious file when encountering '$' in
      the initial command.
    o softraid(4) now validates the number of chunks when assembling a
      volume, ensuring the on-disk and in-memory metadata are in sync.
    o disklabel(8) now always offers to edit an FFS partition's fragment
      size before offering to edit the blocksize.
    o disklabel(8) now allows editing the cylinders/group (cpg)
      attribute whenever the partition blocksize can be edited.
    o disklabel(8) now detects ^D and invalid input during (R)esize
    o disklabel(8) now detects underflows and overflows when -/+
      operators are used.
    o disklabel(8) now avoids an off-by-one when calculating the number
      of cylinders in a free chunk.
    o disklabel(8) now validates the requested partition size against
      the size of the largest free chunk instead of the total free
    o Support for dumping USB transfers via bpf(4).
    o tcpdump(8) can now understand dumps of USB transfers in the
      USBPcap format.
    o The default prompts of csh(1), ksh(1) and sh(1) now include the
    o Memory allocation in ksh(1) was switched from calloc(3) back to
      malloc(3), making it easier to recognize uninitialized memory. As
      a result, a history-related bug in emacs editing mode was
      discovered and fixed.
    o New script(1) -c option to run a command instead of a shell.
    o New grep(1) -m option to limit the number of matches.
    o New uniq(1) -i option for case-insensitive comparison.
    o The printf(3) format string is no longer validated when looking
      for % formats. Based on a commit by android and following most
      other operating systems.
    o Improved error checking in vfwprintf(3).
    o Many base programs have been audited and fixed for stale file
      descriptors, including cron(8), ftp(1), mandoc(1), openssl(1),
      ssh(1) and sshd(8).
    o Various bug fixes and improvements in jot(1):
       - Arbitrary length limits for the arguments for the -b, -s, -w
         options were removed.
       - The %F format specifier is now supported and a bug in the %D
         format was fixed.
       - Better code coverage in regression tests.
       - Several buffer overruns were fixed.
    o The patch(1) utility now copes better with git diffs that create
      or delete files.
    o pkg_add(1) now has improved support for HTTP(S) redirectors such
    o ftp(1) and pkg_add(1) now support HTTPS session resumption for
      improved speed.
    o mandoc(1) -T ps output file size reduced by more than 50%.
    o syslogd(8) logs if there were warnings during startup.
    o syslogd(8) stopped logging to files in a full filesystem. Now it
      writes a warning and continues after space has been made
    o vmt(4) now allows cloning and taking disk-only snapshots of
      running guests.

 - OpenSMTPD 6.0.4
    o Add spf walk option to smtpctl(8).
    o Assorted cleanups and improvements.
    o Numerous manual page fixes and improvements.

 - OpenSSH 7.7
    o New/changed features:
       - All: Add experimental support for PQC XMSS keys (Extended
         Hash- Based Signatures) based on the algorithm described in
         ignatures-12 The XMSS signature code is experimental and not
         compiled in by default.
       - sshd(8): Add a "rdomain" criteria for the sshd_config Match
         keyword to allow conditional configuration that depends on
         which routing domain a connection was received on (currently
         supported on OpenBSD and Linux).
       - sshd_config(5): Add an optional rdomain qualifier to the
         ListenAddress directive to allow listening on different
         routing domains. This is supported only on OpenBSD and Linux
         at present.
       - sshd_config(5): Add RDomain directive to allow the
         authenticated session to be placed in an explicit routing
         domain. This is only supported on OpenBSD at present.
       - sshd(8): Add "expiry-time" option for authorized_keys files
         to allow for expiring keys.
       - ssh(1): Add a BindInterface option to allow binding the
         outgoing connection to an interface's address (basically a
         more usable BindAddress).
       - ssh(1): Expose device allocated for tun/tap forwarding via a
         new %T expansion for LocalCommand. This allows LocalCommand
         to be used to prepare the interface.
       - sshd(8): Expose the device allocated for tun/tap forwarding
         via a new SSH_TUNNEL environment variable. This allows
         automatic setup of the interface and surrounding network
         configuration automatically on the server.
       - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp,
         e.g. ssh://user@host or sftp://user@host/path. Additional
         connection parameters described in
         draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented
         since the ssh fingerprint format in the draft uses the
         deprecated MD5 hash with no way to specify the any other
       - ssh-keygen(1): Allow certificate validity intervals that
         specify only a start or stop time (instead of both or
       - sftp(1): Allow "cd" and "lcd" commands with no explicit path
         argument. lcd will change to the local user's home directory
         as usual. cd will change to the starting directory for
         session (because the protocol offers no way to obtain the
         remote user's home directory). bz#2760
       - sshd(8): When doing a config test with sshd -T, only require
         the attributes that are actually used in Match criteria
         rather than (an incomplete list of) all criteria.
    o The following significant bugs have been fixed in this release:
       - ssh(1)/sshd(8): More strictly check signature types during
         key exchange against what was negotiated. Prevents downgrade
         of RSA signatures made with SHA-256/512 to SHA-1.
       - sshd(8): Fix support for client that advertise a protocol
         version of "1.99" (indicating that they are prepared to
         accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6
         during the removal of SSHv1 support. bz#2810
       - ssh(1): Warn when the agent returns a ssh-rsa (SHA1)
         signature when a rsa-sha2-256/512 signature was requested.
         This condition is possible when an old or non-OpenSSH agent
         is in use. bz#2799
       - ssh-agent(1): Fix regression introduce in 7.6 that caused
         ssh-agent to fatally exit if presented an invalid signature
         request message.
       - sshd_config(5): Accept yes/no flag options
         case-insensitively, as has been the case in ssh_config(5) for
         a long time. bz#2664
       - ssh(1): Improve error reporting for failures during
         connection. Under some circumstances misleading errors were
         being shows. bz#2814
       - ssh-keyscan(1): Add -D option to allow printing of results
         directly in SSHFP format. bz#2821
       - regress tests: fix PuTTY interop test broken in last
         release's SSHv1 removal. bz#2823
       - ssh(1): Compatibility fix for some servers that erroneously
         drop the connection when the IUTF8 (RFC8160) option is sent.
       - scp(1): Disable RemoteCommand and RequestTTY in the ssh
         session started by scp (sftp was already doing this.)
       - ssh-keygen(1): Refuse to create a certificate with an
         unusable number of principals.
       - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write
         all the public key during key generation. Previously it would
         silently ignore errors writing the comment and terminating
       - ssh(1): Do not modify hostname arguments that are addresses
         by automatically forcing them to lower-case. Instead
         canonicalise them to resolve ambiguities (e.g. ::0001 => ::1)
         before they are matched against known_hosts. bz#2763
       - ssh(1): Don't accept junk after "yes" or "no" responses to
         hostkey prompts. bz#2803
       - sftp(1): Have sftp print a warning about shell cleanliness
         when decoding the first packet fails, which is usually caused
         by shells polluting stdout of non-interactive startups.
       - ssh(1)/sshd(8): Switch timers in packet code from using
         wall-clock time to monotonic time, allowing the packet layer
         to better function over a clock step and avoiding possible
         integer overflows during steps.
       - Numerous manual page fixes and improvements.

 - LibreSSL 2.7.2
    o Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
      observations of real-world usage in applications. These are
      implemented in parallel with existing OpenSSL 1.0.1 APIs -
      visibility changes have not been made to existing structs,
      allowing code written for older OpenSSL APIs to continue working.
    o Extensive corrections, improvements, and additions to the API
      documentation, including new public APIs from OpenSSL that had no
      pre-existing documentation.
    o Added support for automatic library initialization in libcrypto,
      libssl, and libtls. Support for pthread_once or a compatible
      equivalent is now required of the target operating system. As a
      side-effect, minimum Windows support is Vista or higher.
    o Converted more packet handling methods to CBB, which improves
      resiliency when generating TLS messages.
    o Completed TLS extension handling rewrite, improving consistency of
      checks for malformed and duplicate extensions.
    o Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
      This removes the last remaining use of the old M_ASN1_* macros
      (asn1_mac.h) from API that needs to continue to exist.
    o Added support for client-side session resumption in libtls. A
      libtls client can specify a session file descriptor (a regular
      file with appropriate ownership and permissions) and libtls will
      manage reading and writing of session data across TLS handshakes.
    o Improved support for strict alignment on ARMv7 architectures,
      conditionally enabling assembly in those cases.
    o Fixed a memory leak in libtls when reusing a tls_config.
    o Merged more DTLS support into the regular TLS code path, removing
      duplicated code.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 7790
       - alpha: 1
       - amd64: 9912
       - i386:  9361
       - mips64: 8149
       - sh: 1
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - hppa
       - mips64el
       - powerpc
       - sparc64
    o dpb(1) and normal ports(7) can now enjoy the same privilege
      separated model by setting PORTS_PRIVSEP=Yes

 - Some highlights:

    o AFL 2.52b                       o Mutt 1.9.4 and NeoMutt 20180223
    o Cmake 3.10.2                    o Node.js 8.9.4
    o Chromium 65.0.3325.181          o Ocaml 4.03.0
    o Emacs 21.4 and 25.3             o OpenLDAP 2.3.43 and 2.4.45
    o GCC 4.9.4                       o PHP 5.6.34 and 7.0.28
    o GHC 8.2.2                       o Postfix 3.3.0 and 3.4-20180203
    o Gimp 2.8.22                     o PostgreSQL 10.3
    o GNOME 3.26.2                    o Python 2.7.14 and 3.6.4
    o Go 1.10                         o R 3.4.4
    o Groff 1.22.3                    o Ruby 2.3.6, 2.4.3 and 2.5.0
    o JDK 8u144                       o Rust 1.24.0
    o KDE 3.5.10 and 4.14.3 (plus     o Sendmail
      KDE4 core updates)              o SQLite 3.22.0
    o LLVM/Clang 5.0.1                o Sudo 1.8.22
    o LibreOffice             o Tcl/Tk 8.5.19 and 8.6.8
    o Lua 5.1.5, 5.2.4, and 5.3.4     o TeX Live 2017
    o MariaDB 10.0.34                 o Vim 8.0.1589
    o Mozilla Firefox 52.7.2esr and   o Xfce 4.12
    o Mozilla Thunderbird 52.6.0

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
      freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 5.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.24.3 (+ patches)
    o NSD 4.1.20
    o Unbound 1.6.8
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.2.5

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

- DONATIONS ------------------------------------------------------------

The OpenBSD Project is volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at [hidden email] for
more information.

- RELEASE SONGS --------------------------------------------------------

Every OpenBSD release is accompanied by artwork and a song.  A song may
be coming for the 6.3 release, but later.  If so, lyrics (and an
explanation) of the song may be found at:

- HTTP/HTTPS INSTALLS --------------------------------------------------

OpenBSD can be easily installed via HTTP/HTTPS downloads.  Typically you
need a single small piece of boot media (e.g., a USB flash drive) and
then the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP/HTTPS.

1) Read either of the following two files for a list of HTTP/HTTPS
   mirrors which provide OpenBSD, then choose one near you:

   As of March 31, 2018, the following HTTP/HTTPS mirror sites have
   the 6.3 release:     Stockholm, Sweden      Frankfurt, Germany        Oldenburg, Germany     Paris, France   Brisbane, Australia    CO, USA   CA, USA        TX, USA Toronto, Canada Global

        The release is also available at the master site:        Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP/HTTPS mirror site and go into the directory
   pub/OpenBSD/6.3/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     arm64/           macppc/          src.tar.gz
        Changelogs/      armv7/           octeon/          sys.tar.gz
        README           hppa/            packages/        tools/
        SHA256           i386/            ports.tar.gz     xenocara.tar.gz
        SHA256.sig       landisk/         root.mail
        alpha/           loongson/        sgi/
        amd64/           luna88k/         sparc64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy63.fs     pxeboot*
        BOOTX64.EFI**         game63.tgz      xbase63.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont63.tgz
        INSTALL.amd64   cd63.iso        install63.fs    xserv63.tgz
        SHA256          cdboot*         install63.iso   xshare63.tgz
        SHA256.sig      cdbr*           man63.tgz
        base63.tgz      comp63.tgz      miniroot63.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install63.iso.  The install63.iso file (roughly 346MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install63.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

   This is the page where we talk about the mistakes we made while
   creating the 6.3 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.3/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README ( file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber.  Base and X system builds by Kenji Aoyama,
Theo de Raadt, and Visa Hankala.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe , Benoit Lecocq,
    Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook,
    Brian Callahan, Bryan Steele, Can Erkin Acar, Carlos Cardenas,
    Charles Longeau, Chris Cappuccio, Christian Weisgerber,
    Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
    Daniel Boulet, Daniel Dickman, Daniel Jakots, Darren Tucker,
    David Coppa, David Gwynne, David Hill, Denis Fondras,
    Dmitrij Czarkoff, Doug Hogan, Edd Barrett, Eric Faurot,
    Florian Obser, Florian Riehm, Frederic Cambus, Gerhard Roth,
    Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer, Ian Darwin,
    Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Landry Breuil, Lawrence Teo,
    Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
    Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Mike Belopuhov,
    Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott,
    Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf,
    Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler,
    Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Remi Locherer, Remi Pointel,
    Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Robert Peichaer, Sasano Takayoshi,
    Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach,
    Sebastien Marie, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Tim van der Molen, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer,
    Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo