• OpenBSD 7.7 released April 28, 2025 (1/2)

    From Theo de Raadt@21:1/5 to All on Sun Apr 27 12:10:35 2025
    ------------------------------------------------------------------------
    - OpenBSD 7.7 RELEASED -------------------------------------------------

    April 28, 2025.

    We are pleased to announce the official release of OpenBSD 7.7.
    This is our 58th release. We remain proud of OpenBSD's record of more
    than twenty years with only two remote holes in the default install.

    As in our previous releases, 7.7 provides significant improvements,
    including new features, in nearly all areas of the system:

    - Platform specific improvements:
    o arm64:
    - Set AP power state, fixing the SMC initialization on the M1
    MacBook with the latest system firmware.
    - Implemented a new pmap_populate() interface on arm64 and
    riscv64 to help pmap_enter(9) succeed when there's enough
    free physical memory but we can't allocate KVA to map that
    memory.
    - Optimized pmap teardown by skipping TLB flushes, giving ~5%
    performance boost for kernel build.
    - Enabled PAC on hardware that uses the new QARMA3 cipher.
    - Implemented support for SVE (Scalable Vector Extension).
    o amd64:
    - Added the ability for bus_dmamem_alloc(9) to recognize the
    BUS_DMA_64BIT flag and allocate memory for DMA without any
    4GB restrictions on amd64.
    - Allowed boot loader to run as AMD SEV guest on QEMU with EFI.
    - Allowed kernel boot on QEMU with AMD SEV.
    - Allowed use of MSI with the QEMU default pc-i440fx machine.
    - Stopped amd64 leak of kernel stack guard pages.
    - Implemented the AMD SEV psp(4) download firmware command to
    load new firmware onto the chip and made the AMD SEV
    automatically load psp(4) firmware during vmd(8) startup.
    o Other architectures:
    - Fixed riscv64 sigcode copying and put riscv64 sigcode in the
    .rodata memory section.
    - Implemented an interrupt depth counter on sparc64.
    - Moved the hppa stack 1GB higher.
    - On i386, improved the stability in low-memory situations,
    especially for MP.
    - Fixed a powerpc64 bug where a pte could be put into an
    incorrect pteg, leading to a crash.
    - Changed luna88k disklabel labeloffset to 0.
    o More platform specific changes can be found in the hardware
    support section below.

    - Various kernel improvements:
    o Improved responsiveness in OOM situations and made free target
    checks coherent.
    o Removed the ability to specify a root, dump or swap device on
    st(4).
    o In uvm, prevent a race where a mapped object is being truncated
    while we are spinning to unwire it.
    o Optimized page daemon active and inactive list traversals when
    looking only for low pages.
    o Added a helper to check if memory has been freed for a given
    request to improve speed of the page daemon loop.
    o Started accounting for in-flight pages being written to disk when
    the page daemon is computing page shortage.
    o Adjusted the ptrace interface to properly support single-threaded
    continue and make it possible to use breakpoints in multi-threaded
    processes in gdb.
    o Add ptrace(2) commands used to read/write the XSAVE area of a
    traced process.
    o Correctly honored the count optional argument of the ddb(4) break
    command, ensuring execution does not stop until the breakpoint is
    hit at least that many times.
    o Taught ddb(4) how to disassemble endbr64.
    o Moved dt(4) to using a ringbuffer per CPU.
    o Added 'socket' refcnt type to dt(4).
    o Made btrace(8) support additional interval/profile units (hz, us,
    ms, s).
    o Added multi-line strings support to the bt(5) script parser.
    o Added kern.audio.kbdcontrol sysctl(2) variable, allowing the
    volume keys on multimedia keyboards to be handled as regular keys
    if set to 0.
    o Implement bus_dma(9) bounce buffering for raw memory.
    o Started ignoring sub-nodes of non-functional nodes in the ACPI
    tree walk to fix double and triple attachments of the same PCIe
    root bridges.
    o Suspend/Hibernate Support
    - Ensured all hibernate data is written inside the allocated
    chunk of swap.
    - Removed unneeded zeroing of free pages during hibernate.
    - Corrected hibernate error detection during RLE writes.
    - Ensured hibernate fails when I/O or memory allocation errors
    occur.
    o Bugfixes
    - Fixed a (mostly) hypothetical race in pinsyscalls(2) by
    making it return an error if called in a multi-threaded
    process.
    - Fixed CPU idle percentage in top(1) on macppc.
    - Reworked how processes are stopped because of a signal. Now
    multithreaded processes can be reliably stopped and
    continued. This should fix problems seen in golang, mpv and
    in our regress tests.
    - Fix possible races of changes to the per-process unveil data
    structures by either pledge() [removing all path promises] or
    unveil() [adding new paths], against namei() inspecting in
    other thread system calls.

    - SMP Improvements
    o Unlocked sysctl kern.timeout_stats.
    o Unlocked sysctl kern.allowkmem.
    o Unlocked sysctl kern.video.record.
    o Unlocked sysctl net.inet.gre.allow and net.inet.gre.wccp.
    o Unlocked sysctl kern.global_ptrace.
    o Unlocked sysctl kern.wxabort.
    o Unlocked sysctl kern.malloc.kmemstat.
    o Reduced kernel lock contention when tearing down file-backed
    regions.
    o Unlocked ptsignal, psignal and prsignal by using the ps_mtx
    mutex(9).
    o Used a mutex to make psp(4) MP safe.
    o Locked send socket buffer for fstat(2) syscall.
    o Made lock changes to reduce lock contention in __thrsleep and
    __thrwakeup syscalls. go performance particularly benefits from
    this.
    o Unlocked virtio(4).
    o Made `video_filtops' MP-safe.
    o Run TCP output and TCP timers in parallel.
    - TCP send(2) and recv(2) system calls use shared netlock.
    Multiple userland threads can work on different sockets in
    parallel.
    - TCP output no longer blocks IP processing.
    - TCP timers also use locks that are specific to the socket they
    are working on; other network traffic can be processed by
    different CPUs.
    - Socket splicing is MP-safe for TCP.
    - Some of the sysctl syscalls affecting TCP no longer block
    network operations on other CPUs.
    - Only TCP input still uses exclusive netlock and prevents
    other parts of the network stack from running in parallel.
    o Unlocked accept(2) for TCP sockets.
    o Started using shared net lock when calling shutdown(2) on internet
    socket.
    o Reworked rwlocks to reduce pressure on the scheduler and
    SCHED_LOCK.
    o Pushed the KERNEL_LOCK() down to namei(9) in stat(2), lstat(2) &
    fstatat(2) and unlocked fstat(2).
    o Unlocked wskbd(4) kqueue filterops.
    o Used `ws_mtx' mutex(9) to make wsmux(4) filterops MP-safe.
    o Unlocked open(2) and openat(2).
    o Made wsmouse(4) and wstpad filterops MP-safe.
    o Pushed KERNEL_LOCK() inside __realpath(2).
    o Made wakeup of parent process in dowait6 reliable even without
    kernel lock.
    o Used ps_mtx mutex(9) to lock the child process that is being
    checked by dowait6.

    - Direct Rendering Manager and graphics drivers
    o Updated drm(4) to Linux 6.12.21.
    o amdgpu(4): Added kernel support for Ryzen AI 300 (Strix Point,
    Strix Halo, Krackan Point), Radeon RX 9070 (Navi 48).
    o inteldrm(4): Added support for Arrow Lake.

    - VMM/VMD improvements
    o Added an IPI for executing INVEPT to flush EPT on remote CPUs, a
    first step toward allowing guest memory not to be wired by UVM.
    o Implemented psp(4) shutdown command and ioctl(2) PSP_IOC_SHUTDOWN,
    which will be used by vmd(8) to reset psp(4) on startup.
    o Started using acpipci(4) on hypervisors. If the hypervisor cpuid
    bit is set, use acpipci to attach PCI busses. As virtualization is
    not that old, we can assume that in VMs we don't need the quirk
    for old, broken ACPI. This solves problems with PCI BAR access and
    recent SeaBIOS versions on QEMU.

    - Various new userland features:
    o Numerous changes to make the imsg API stricter and better, which
    were followed by adapting all applications across the tree.
    o Allow the user to provide an alternative perfpolicy when on
    battery, extending the semantics of hw.perfpolicy to provide two
    buttons to specify desired behavior. This gives users more
    flexibility in setting the performance when AC-powered vs. battery
    powered.
    o Made calendar(1) use the environment variable RECIPIENT_EMAIL for
    sending mails to.
    o Made security(8) use GMT rather than the local timezone when
    checking for changes in device nodes and setuid files. Avoids
    false positives when changing timezones.
    o Added a new variable PASSWDSKIP that can be set in
    /etc/daily.local to prevent security(8) from complaining about
    specific accounts that have no password. This is typically used
    for services like anoncvs and gotd.
    o Added [-f file] to sysctl(8) to apply sysctl.conf(5) in one go,
    and started using it in rc(8) instead of a parser implemented in
    ksh.
    o Added support for read/write of xmm/ymm registers to lldb(1).

    - Various bugfixes and tweaks in userland:
    o Added wsconscfg(8) -g option to get the index of the current
    virtual terminal.
    o Made getgrouplist(3) always return the total number of groups
    found.
    o Ignore extra groups that don't fit in the buffer passed to
    getgrouplist(3), providing only the kernel maximum of sixteen
    groups.
    o Prevent newsyslog(8) from running through time checks when an
    entry needs to be rotated based on size.
    o Changed ps(1) to print the session id (PID of the session leader)
    instead of a pointer with display argument 'sess'.
    o In cu(1), map ucom unit number to cuaU number using the same
    scheme MAKEDEV uses, fixing problems with ucom units > 10.
    o Made CPU frequencies human-readable with systat(1) sensors -h.
    o Fixed a bug where getty(8) dx flag was supposed to set decctlq,
    but was setting ixany instead.
    o Made pkg_add(1) run ldconfig(8) after each updateset if the list
    of shared libraries was changed.
    o Corrected behavior of sed(1) c command to match POSIX.
    o Make clang(1) -fzero-call-used-regs aware of the register used by
    retguard. QEMU is using -fzero-call-used-regs, causing a crash.
    o Disk partition information is now saved by security(8).
    o Made security(8) ignore quota(1) files and all subdirectories of
    /var/mail when checking the ownership and mode of mailboxes.
    o Added pkg-config(1) support for relocatable .pc files.
    o Made mandoc(1) "-T html" and "-T markdown" output translate ".%R
    RFC <number>" to a hyperlink to rfc-editor.org.
    o Support decimal fractions like "0.25i" in roff(7) scaled widths
    and arithmetic operations in tbl(7) column widths, as needed for
    some manual pages written with DocBook.
    o When syslogd(8) is acting as logserver with TLS (-S) and
    client-certificates are used for authentication (-K), use the CN
    from the client's certificate as hostname.
    o Adjusted the alignment when df(1) prints inode columns. This makes
    'df -hi' on systems with large partitions easier on the eyes.
    o Made test(1) use timespeccmp() and st_mtim instead of comparing
    st_mtime to fix comparison of files with modification times that
    differ by less than a second.
    o Made ksh(1) use timespeccmp() and st_mtim instead of comparing
    st_mtime to fix comparison of files with modification times that
    differ by less than a second.
    o In ps(1) added a digit to vsz and rss to accommodate processes
    using more memory.
    o Updated tzfile(5) to 2025bgtz from
    https://github.com/JodaOrg/global-tz.
    o Updated libc/locale support including e.g. wcwidth(3) and the
    iswalnum(3) family of functions to Unicode Version 15.0.0.

    - Improved hardware support and driver bugfixes, including:
    o Increased psp(4) timeouts, allowing the EPYC 9124 time to attach.
    o Added PercentLoad sensor to upd(4), reporting the % of the
    available UPS power drawn by output outlets.
    o Fixed RunTimeToEmpty on some EATON models in upd(4).
    o Improved the heuristic for detecting I2C devices (making type-A
    ports on the Vivobook work in ACPI mode).
    o Added support for CSI b control sequence (repeat last printed
    character) to the wscons(4) vt100 emulation.
    o Fixed simplefb(4) colours for BPP16 and BPP24.
    o Added support for BPP16 16-bit color EFI framebuffer format as
    offered by U-Boot.
    o Implemented CSI s and CSI u to save and restore cursor position in
    wscons(4).
    o Made scaling available for normal wsmouse(4) mice, not just
    touchpads.
    o Added scmi(4) mailbox transport and perf protocol for CPU
    frequency management on Snapdragon X Elite.
    o Moved to send only a single reset during attach for ihidev(4)
    devices, preventing issues with some devices like the built-in
    keyboard on the ThinkPad T14s Gen 6.
    o Changed the sdhc(4) bus power behavior to no longer perform a
    power-off voltage switch request when the card is already
    operating at the requested voltage.
    o Implemented aplsmc(4) support for the new CHLS key used to control
    the battery charge level in newer SMC firmware.
    o Added pinctrl(4) support to the qciic(4) driver for Qualcomm
    Snapdragon SoCs.
    o Made qcpas(4) send APM_POWER_CHANGE events on AC/battery life
    changes, allowing upowerd to react.
    o Added qccpucp(4), a driver for the Qualcomm CPUSS Control
    Processor (CPUCP) mailbox controller.
    o Made qcpon(4) query hardware for the button state to detect
    release even if the press event is missed, and to signal wakeup
    when the button is pressed.
    o Made qcscm(4) attach at acpi(4). This lets Qualcomm machines which
    use qcscm(4) access EFI variables in ACPI mode. Some arm64
    machines, like the Samsung Galaxy Book4 Edge can be successfully
    installed with this change.
    o Fixed support for AMD 600 series ahci(4) controller.
    o Introduce a pckbc@acpi driver attachment that is used instead of
    pckbc@isa when an interrupt configuration is incompatible with
    legacy ISA. This unbreaks, among other things, the keyboards in
    various Chromebooks.
    o Implemented rkpmic(4) power down if the PMIC is marked as the
    system power controller in the device tree.
    o Added RK3399 support to rkusbphy(4).
    o Added dwmmc(4) support for the "post-power-on-delay-ms" in the MMC
    power sequencing.
    o Implemented regulator-based signal voltage switch support in
    dwmmc(4), fixing bootup on the MNT Reform2 with the RK3588 module.
    o Added uvideo(4) support for Jabra PanaCast 20.
    o Ensure uvideo(4) fills v4l2_capability correctly (allowing some
    V4L consumers to use bus_info to identify the desired webcam when
    attempting to switch devices).
    o Added uvideo(4) support for devices which report bulk and
    isochronous endpoints.
    o Made uvideo(4) bypass unknown pixelformat to consumer rather than
    rejecting unknown driver formats.
    o Support colorformat from uvideo(4) device.
    o Fixed a uvideo(4) crash on close of isochronous endpoint's webcam.
    o Ensure uvideo(4) forwards frames with error bit to V4L consumers,
    which adds support of the integrated camera on ThinkPad T14 Gen 5,
    ThinkPad X1 Nano Gen 2, ThinkPad X13 and many other devices.
    o Forced 32-bit accesses when reading 8-bit or 16-bit registers,
    allowing use of xhci(4) on a Cadence xHCI controller as seen on
    the Radxa Orion O6.
    o Added USB 3.0 speed support to xhci(4) and uvideo(4).
    o Fixed uaudio(4) devices that don't support sample rate changes.
    o Added LED support for ikbd(4) keyboards.
    o Added mtintc(4), a driver supporting interrupt controllers found on
    MediaTek SoCs.
    o Added mtrng(4), a driver supporting the 32-bit random number
    generator on MediaTek SoCs.
    o Added mtxhci(4), a driver for the xHCI USB controller found on
    MediaTek SoCs, and enable it on armv7 and arm64.

    - New or improved network hardware support:
    o Added ice(4), a driver for Intel E810 Ethernet
    (1Gb/10Gb/25Gb/50Gb/100Gb) devices.
    o Increased receive mbuf size with LRO in vio(4), helping TCP splice
    performance.
    o Fixed xbf(4) and xnf(4) not attaching on XCP-ng 8.3/Xen 4.17.
    o Added printing of number of queues and interrupt and Ethernet
    address details to mcx(4).
    o Fixed the bnxt(4) receive refill timeout to only refill rings that
    are currently empty, preventing possible corruption and crashes.
    o Added support for AX88772D to axen(4).
    o Added ixv(4), a driver for virtual functions of Intel 82598EB,
    82559 and X540.
    o Enabled rx/tx checksum offloading on iavf(4).
    o Added RSS/multiqueue support for AQC11x models ("aq2") in aq(4).
    o Added support for reading EEPROM pages for aq(4) cards with SFP
    slots.
    o Started clearing the OACTIVE flag on transmit queues when ixl(4)
    is reset.

    - Added or improved wireless network drivers:
    o Added support for MA devices to iwx(4).
    o Restricted scanned channels appropriately when qwx(4) runs in a
    fixed PHY mode.
    o Add support for QCA2066 to qwx(4).
    o Changed mtw(4) to only open bulk usb(4) pipes once for the
    lifetime of the device.

    - Installer, upgrade and bootloader improvements:
    o On the macppc architecture, make ofwboot sync instruction cache
    before entering kernel, preventing a potential boot failure.
    o Made installboot(8) install a copy of the UEFI bootloader in
    /efi/openbsd on the EFI system partition, allowing creation of
    boot options for the firmware boot manager other OSes will leave
    alone.
    o Only install a second copy of the bootloader if the EFI System
    Partition is at least 1MB to avoid filling up the tiny ESPs we
    used to create a few releases ago.
    o Made installboot(8) only set BootOrder if our boot option isn't
    already part of it. This means sysupgrade (or reinstalls) will no
    longer set OpenBSD as the default OS if users change the boot
    order by some other means. Fresh installs will still make OpenBSD
    the default OS.
    o Added a -c option to installboot(8) that sets up the machine to boot
    from the specified disk, used on arm64 and amd64 with UEFI and
    GPT.
    o Added sysupgrade(8) -R #.# to try to use a specific release
    version rather than the immediate +0.1.
    o Provided a mechanism for getting required keys to sysupgrade(8)
    older machines, providing a new set of keybundles signed by older
    keys to allow sysupgrade to securely and automatically download
    the required key.
    o Added firmware keys to the signify key bundles. sysupgrade(8) will
    now extract the firmware key also, allowing fw_update to fetch
    the most up-to-date firmware before upgrading.
    o Added support to sysupgrade(8) to perform a sysupgrade from a
    fileset stored on a filesystem. This is convenient for offline
    machines.
    o Made fw_update(8) -a mean all when downloading or installing, not
    just deleting.
    o Allowed fw_update(8) to download firmware without root.
    o Added fw_update(8) -l flag to list drivers or files.
    o Added -D option to fw_update(8) for using a different dmesg for
    driver detection.
    o Reworked the "Default IPv6 router?" question in the installer to
    behave like the other questions.
    o On amd64 with ACPI >= 5, assume that the installer booted in UEFI
    mode and default to using a GUID Partition Table (GPT).
    o Make IPv6 link-local scope identifiers in "HTTP Server?" answers
    work in the installer.
    o On updates using sysmerge(8), added options to interactive
    sdiff(1) merge for choosing both sides of a diff.

    - Security improvements:
    o Added sshd-auth to the binaries that relink at boot.
    o Split the user authentication code from the sshd-session binary
    into a separate sshd-auth binary. This will be executed by
    sshd-session to complete the user authentication phase of the
    protocol only. Splitting this code into a separate binary ensures
    that the crucial pre-authentication attack surface has an entirely
    disjoint address space from the code used for the rest of the
    connection.
    o Unveiled mountd(8) privileged child's write to/create of mountdtab
    file, and drop exec permission.

    - New features in the network stack:
    o Added an AF_FRAME socket domain and an IFT_ETHER protocol family
    under it, allowing userland to use sockets to send and receive
    Ethernet frames.
    o Added tunneldf support to sec(4).
    o Added use of Toeplitz hash for UDP and IPv6 TCP output, giving an
    improvement in traffic distribution over the queues and 20%
    performance increase with UDP send on v4/v6 and TCP send on v6
    without pf.
    o Implemented tun(4) network offloads between the kernel and
    userland and introduced a new TUNSCAP ioctl.
    o Implement a per-thread route cache by implementing a thread local
    memory (struct netstack) that gets passed down the network stack.
    For consecutive packets it can reuse the route to the same
    destination.

    - Further changes and bugfixes in the network stack:
    o Replaced rwlock with iterator in UDP input multicast loop,
    preventing a potential kernel crash.
    o Ensure that the correct address family is used in ip_deliver() for
    enqueuing a packet, fixing a problem with tunneling of different
    address families.
    o Let LLDP packets fall through to being handled on the port
    interfaces for aggr(4) as mandated by the standard.
    o Enabled multiqueue for vio(4).
    o Let pppoe(4) data packets go through if_vinput instead of the
    pppoeinq, improving throughput and possibly reducing packet loss.
    o Fixed out-of-band data in somove(9) socket splicing.
    o Added wg(4) logging of IP addresses of remote endpoints.
    o Limited receive queue of loopback interfaces with 8192 packets,
    preventing unlimited queues from reaching mbuf limits and making
    network unusable on some architectures.
    o Fixed TCP checksum for IPv6 packets with extension headers.
    o Fixed incorrect ICMP error translation in af-to NAT, making
    traceroute6 behind af-to provide meaningful information.
    o Fixed a 24-year old bug where various checks for broadcast packets
    were mistakenly skipped, allowing one to send broadcast packets
    without the SO_BROADCAST option.
    o Prevented installation of path MTU routes for IPsec transport mode
    SAs.

    - The following changes were made to the pf(4) firewall:
    o Allowed pfctl(8) specification of interface and queue bandwidths
    greater than ~4Gbit.
    o Fixed inpcb leak in divert(4) attach.

    - Routing daemons and other userland network programs saw the following
    improvements:
    o Added iked(8) "natt" option that forces negotiation of nat-t (and
    udpencap).
    o Made radiusd(8) log the username when rejecting by ipcp.
    o Added ifconfig(8) vxlan "[-]endpoint" command, to remove a tunnel
    endpoint of a MAC address.
    o Made ifconfig(8) scan display wpa3.
    o Made tcpdump(8) print PPPoE tags as hex dumps.
    o Improved lldp output of tcpdump(8).
    o Added support for client certificates to relayd(8).
    o Made acme-client(1) -v show the account URI from the Location
    header sent by the server in response to the newAccount API call.
    o Made acme-client(1) always print account URI on first creation of
    an account key.
    o Added TLS support to tcpbench(1).
    o Started taking into account how long the ntpd(8) DNS probe takes
    before deciding to punt.
    o Added unwind(8) block list wildcard support using block list
    entries starting with '.'.
    o Implemented zoneversion EDNS option (RFC 9660) in dig(1).
    o Adjusted rDNS lifetime to RFC 8106 default (minimum) value in
    rad(8).
    o Made nfsd(8) default to UDP when using only -n.
    o Implemented iscsid(8) handling of HeaderDigest and DataDigest
    params.
    o Made iscsid send out all the values for session and connection
    params for each login stage, keeping control of what is selected,
    making it possible to connect to a lio target.
    o Respect checksum offloading in dhcrelay(8) and dhcrelay6(8).
    o Respect checksum offloading for incoming UDP in dhcpd(8).
    o In smtpd(8),
    - Fixed a few imprecisions in forward(5) with regard to where and
    when | and :include: are disallowed.
    - Fixed the connect filter request documentation in
    smtpd-filters(7).
    - Proper handling of permanent failures in mail.lmtp(8),
    previously all failures were considered temporary and so
    delivery was attempted again.
    o In bgpd(8),
    - Cache the Adj-RIB-Out for sessions that have not been down
    for more than 1h. This significantly improves synchronisation
    time of peers that flap.
    - Implement RFC 8538: Notification Message Support for BGP
    Graceful Restart.
    - Add support for RFC 8654, extended messages.
    - In bgplgd add additional endpoints to query the Adj-RIB-In
    and Adj-RIB-Out.
    - Bump internal message size limit to 128k and handle up to 10
    000 ASPA SPAS entries as suggested in
    draft-ietf-sidrops-aspa-profile.
    - Various improvements to the ibuf API including a new reader
    API which is used to make all message parsing in bgpd memory
    safe.
    - Added support for IPsec and TCP MD5 to RTR sessions.
    - Improve default multiproto capability announcement selection.
    The default MP capability is only set if no other capability
    is configured on the neighbor.
    - The `reject as-set` configuration option now defaults to yes.
    Route announcements with AS_SET segments in the AS_PATH
    Attribute will be rejected. See
    draft-ietf-idr-deprecate-as-set-confed-set for more
    information.
    - The RFC 8654 Extended Message configuration changed from
    "announce extended (yes|no|enforce)" to "announce extended
    message (yes|no|enforce)"
    - RFC 8950 - Extended nexthop encoding support in the RIB.
    - Preliminary support for EVPN in the RIB.
    - When "transparent-as yes" is set, well-known BGP communities
    are passed on according to RFC 7947. This means that IX Route
    Servers transparently pass through NO_EXPORT, NO_ADVERTISE,
    etc.
    - Make the example bgpd.conf work out of the box with 4byte
    ASN.
    o In rpki-client(8),
    - The generated BIRD config file was reworked. BIRD versions
    1.x are no longer supported and the -T option to customize
    the ROA table name was removed. The config file now includes
    the ASPA-set by default and is therefore only compatible with
    BIRD 2.16 and later. If compatibility with older BIRD
    versions is required, the ASPA-set can be excluded with the
    -A flag. Operators should delete any remaining bird1v4 and
    bird1v6 output files.
    - Validated ROA payloads from AS0 TALs are by default excluded
    from the output files as they are not recommended for
    automatic filtering of BGP routes. This precaution can be
    overridden with the new -0 flag.
    - Various improvements to the ibuf API, including a new reader
    API which is used to make all message parsing in rpki-client
    memory safe.
    - Warn about gaps in manifest issuance. Such gaps can appear
    for example if rpki-client isn't run frequently enough, if
    there are issues with an RFC 8181 publication server or if
    there is an operational error on the side of the CA.
    - Work around a backward compatibility break accidentally
    introduced in OpenSSL 3.4.0, which resulted in all RPKI
    signed objects being rejected. Earlier and later versions of
    OpenSSL are not affected.
    - Improved validity period checking in file mode. The product's
    lifetime and the expiration time of the signature path are
    now taken into account.
    - Better cleanup in case of a fallback from RRDP to RSYNC. In
    rare circumstances, files were moved to the wrong place in
    the cache.
    - rpki-client now includes arin.tal which is no longer legally
    encumbered.
    - rpki-client reports Certification Authorities that do not
    meaningfully participate in the RPKI as non-functional CAs.
    By definition, a CA is non-functional if there is no
    currently valid Manifest. The number of such CAs is printed
    at the end of each run and more detailed information is
    available in the JSON (-j) and ometrics (-m) output.
    - Fix a problem where incorrect internal RRDP state handling in
    rpki-client could lead to a denial of service.
    - Termination of rsync child processes with SIGTERM is no
    longer treated as an error if rpki-client has sent this
    signal. This only affects openrsync.
    - Do not exit filemode with an error if a .gbr or a .tak object
    contains control characters in its UTF-8 strings. Instead,
    only warn and emit a sanitized version in JSON output.

    - tmux(1) improvements and bug fixes:
    o Fixed grey color in tmux(1).
    o Added a way to make the preview larger in tmux(1) tree mode.
    o Fixed tmux(1) problems with pasted text being interpreted as
    extended keys.
    o Made tmux(1) only use default-shell for popups, returning to
    /bin/sh for run-shell, if-shell and #().
    o Added MSYSTEM to tmux(1) default update-environment.
    o Added copy-mode-position-format to configure the tmux(1) position
    indicator.
    o Added -y flag to disable tmux(1) confirmation prompts in modes.
    o Reworked tmux(1) copy mode commands ("send-keys -X") to parse the
    arguments so that flags may be detected properly rather than just
    looking for strings ("-O" and so on). Also added -C and -P flags
    to the copy commands. -C prevents the commands from sending the
    text to the clipboard and -P prevents them from adding the text as
    a paste buffer.
    o Added tmux(1) prompt-cursor-colour and prompt-cursor-style to set
    the style of the cursor in the command prompt and remove the
    emulated cursor.
    o Added tmux(1) initial-repeat-time option to allow the first repeat
    time to be increased and later reduced.
    o Added a tmux(1) sixel_support format variable which is 1 if SIXEL
    is supported (always 0 on OpenBSD).
    o Allow control characters prefixed with C-v to be entered at the
    tmux(1) command prompt.
    o Added tmux(1) support for a scrollbar at the side of each pane
    using new options pane-scrollbars, pane-scrollbars-positions and
    pane-scrollbars-styles.
    o Added tmux(1) option to control the input buffer size.
    o Added tmux(1) scrollbar mouse support.
    o Added a tmux(1) no-detach-on-destroy client option, useful for
    control mode clients.
    o Added tmux(1) scrollbar style parameters width and pad.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)