Heartbleed occurred after the release had been made - so the OpenSSL library included with 5.5 is vulnerable - so yes, patching is required.
I feel a bit dense asking, but how? The release date for OpenBSD 5.5 is May 1, well after Heartbleed occurred. Are you saying the release was cut a while back, but only released to the public today?
Yes. The release process basically goes:
So as you can see, 5.5 was created 2 months ago and already burned on CDs that shipped out. We can only backport fixes from -current to the OPENBSD_5_5 tree and issue errata during those 2 months between tagging 5.5 and formally releasing it.
Although the OpenBSD release dates are 1 May and 1 November each year, a lot of work goes into ensuring that each release and its associated packages are ready for manufacturing to create the CDs so that they can be delivered on or before the release dates. So although each release happens on 1 May and 1 November each year, the code that goes into each release is fixed about 1 to 2 months before the release date. This means that if you run -current you start running some of the next release's code - you can tell when this is happening as the ports tree is locked and ports are fixed ready for the release. hth :~)
PS This is why the releases are such high quality every six months.
Looks like M:tier is officially endorsed by Theo:
For those not in the know, M:tier provides the binary packages for stable releases:
Does this imply that M:tier’s binary packages are now endorsed, too?
I don’t read it that way; just that they donated money/hardware and their company functions and services are unrelated.
True, but I think people will be much more comfortable with getting binaries from M:tier now that Theo has taken the time to specifically thank them for providing some support for the release.
I mean, just look at the title of his email alone:
Subject: Thanks to M:tier for package signing infrastucture
I’d be surprised if they don’t see some spike in the business.
Releasing with a known security flaw surprises me. Why wouldn’t they delay the release to get it fixed?
I’m guessing because it was cut ahead of time and CDs had already gone out
Yes. An overview of the process: http://www.openbsd.dk/papers/asiabsdcon2009-release_engineering/mgp00020.html
It’s worth pre-ordering your CDs as mine turned up in the post today :~)
5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
This is the first release to have lots of DJB crypto.
I wonder whether DJB would switch.
I would like to try OpenBSD for experimenting on my Desktop. Perhaps through a virtual-machine for now.
Is Java available on OpenBSD? Either Oracle JRE or OpenJDK. And is the latest version (8) available?
Latest OpenJDK in amd64 -current packages found at http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/ is jdk-220.127.116.11p2v0.tgz which, btw, seems to be the same version found in the 5.5 package set.
A little off-topic, but really surprised that they don’t have an https server, and there are no checksums visible for the downloads.
The reasoning on https so far has been something like: the data on the webserver is open/public and the CA system is proven to be close to broken when it comes to ensuring identity, and the encryption part too, it turns out.
Buying the CDs might give you a reasonable amount of trust in the origin of the code, but you can’t really be sure when it comes to identity trust - it comes with a built-in bootstrap problem. If you trust the CD you will have a signify pubkey which will allow you to verify the integrity and identity of the online releases. Of course you might get this key in some other way. The signature has been released in several places and comparing those seems to be as good as it gets, unless you happen to know someone really close to the release process.
The signed checksums can be found at http://ftp.openbsd.org/pub/OpenBSD/5.5/amd64/SHA256.sig
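To make concrete what the last two comments describe (trusting a signify pubkey, then using it to check the signed SHA256 list before installing any set), here is an added example in Python. It is not OpenBSD's or signify's own code. The public key is the 5.5 base pubkey quoted earlier in the thread; the signature file, the set files and their tampering are constructed for the demo (the all-zero signature is structurally valid but cryptographically meaningless). The raw Ed25519 check in verify_ed25519() assumes the third-party `cryptography` package is installed; everything else is standard library.

```python
"""Signify artefact checks around an OpenBSD release (added example, not OpenBSD's
or signify's own code).

Shows the framing signify(1) uses for public keys and signatures, the keynum check
that ties a signature to one key, and the per-file SHA256 comparison that
`signify -C` performs after SHA256.sig has been verified.
"""
import base64
import hashlib
import os
import pathlib
import re
import tempfile

PKALG = b"Ed"      # algorithm tag signify prepends to keys and signatures
KEYNUM_LEN = 8     # random key id; signature must carry the same one as the key
PUBKEY_LEN = 32    # raw Ed25519 public key
SIG_LEN = 64       # raw Ed25519 signature

# The OpenBSD 5.5 base set public key as quoted in the thread (comment line is ours).
OPENBSD_55_BASE_PUB = (
    "untrusted comment: openbsd 5.5 base public key\n"
    "RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h\n"
)


def _decode_blob(text, expected_len):
    """Decode the base64 line of a signify key/signature file and check its framing.

    The first line is an 'untrusted comment:'; it carries no security weight.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' header")
    blob = base64.b64decode(lines[1], validate=True)
    if len(blob) != expected_len:
        raise ValueError(f"payload is {len(blob)} bytes, want {expected_len}")
    if blob[:2] != PKALG:
        raise ValueError(f"unsupported algorithm tag {blob[:2]!r}")
    return blob


def parse_pubkey(text):
    """Return (keynum as hex, 32-byte Ed25519 public key) from a signify pubkey file."""
    blob = _decode_blob(text, 2 + KEYNUM_LEN + PUBKEY_LEN)
    return blob[2:2 + KEYNUM_LEN].hex(), blob[2 + KEYNUM_LEN:]


def parse_signature(text):
    """Return (keynum as hex, 64-byte signature, embedded message) from a .sig file.

    With `signify -e` / `-C` the signed message (the SHA256 listing) follows the
    signature line inside the same file.
    """
    header, _, rest = text.partition("\n")
    sig_line, _, message = rest.partition("\n")
    blob = _decode_blob(header + "\n" + sig_line + "\n", 2 + KEYNUM_LEN + SIG_LEN)
    return blob[2:2 + KEYNUM_LEN].hex(), blob[2 + KEYNUM_LEN:], message.encode()


def keynum_matches(pubkey_text, sig_text):
    """signify refuses to verify unless the signature's keynum equals the key's."""
    return parse_pubkey(pubkey_text)[0] == parse_signature(sig_text)[0]


def verify_ed25519(pubkey32, sig64, message):
    """Raw Ed25519 check over the embedded message (assumes `cryptography` is installed)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    try:
        Ed25519PublicKey.from_public_bytes(pubkey32).verify(sig64, message)
        return True
    except InvalidSignature:
        return False


SHA256_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_sha256_listing(message):
    """Parse the cksum-style 'SHA256 (file) = hex' lines carried inside SHA256.sig."""
    listing = {}
    for line in message.decode().splitlines():
        m = SHA256_LINE.match(line)
        if m:
            listing[m.group(1)] = m.group(2)
    return listing


def check_sets(listing, directory, wanted):
    """Mirror of `signify -C`: hash each requested set and compare with the signed list.

    Returns {name: 'OK' | 'FAILED' | 'MISSING'}; only 'OK' files should be installed.
    """
    results = {}
    for name in wanted:
        path = pathlib.Path(directory, name)
        if name not in listing or not path.exists():
            results[name] = "MISSING"   # not covered by the signed list, or not downloaded
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        results[name] = "OK" if digest == listing[name] else "FAILED"
    return results


def constructed_sig_file(keynum_hex, message, sig64=bytes(SIG_LEN)):
    """Build a signature file with the given keynum (constructed; default sig is all zeros)."""
    blob = PKALG + bytes.fromhex(keynum_hex) + sig64
    return ("untrusted comment: verify with openbsd-55-base.pub\n"
            + base64.b64encode(blob).decode() + "\n" + message)


def demo():
    """Constructed sets: one intact, one altered after the listing was signed, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = b"pretend base55.tgz contents", b"pretend comp55.tgz contents"
        pathlib.Path(d, "base55.tgz").write_bytes(good)
        pathlib.Path(d, "comp55.tgz").write_bytes(bad + b"\x00")   # tampered on disk
        message = (f"SHA256 (base55.tgz) = {hashlib.sha256(good).hexdigest()}\n"
                   f"SHA256 (comp55.tgz) = {hashlib.sha256(bad).hexdigest()}\n")
        sig = constructed_sig_file(parse_pubkey(OPENBSD_55_BASE_PUB)[0], message)
        assert keynum_matches(OPENBSD_55_BASE_PUB, sig)
        listing = parse_sha256_listing(parse_signature(sig)[2])
        return check_sets(listing, d, ["base55.tgz", "comp55.tgz", "xbase55.tgz"])


if __name__ == "__main__":
    print("keynum of the quoted 5.5 key:", parse_pubkey(OPENBSD_55_BASE_PUB)[0])
    print(demo())
```

On a real system the whole sequence is `signify -C -p /etc/signify/openbsd-55-base.pub -x SHA256.sig base55.tgz ...`; the point of the example is to show which checks that one command bundles, and why the keynum in the pubkey you obtained from the CD (or from comparing several published copies) is what binds the downloaded SHA256.sig to it.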