OpenBSD Following -current and using snapshots [FAQ Index]

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots. Active development sometimes pushes aggressive changes, and complications can arise when building the latest code from a previous point in time. Some of the shortcuts for getting over these hurdles are explained on this page. In general, it's far better to use the OpenBSD upgrade procedure with a newer snapshot, as developers will have gone through the trouble for you already.

Make sure you've read and understand how to build the system from source before using -current and the instructions below.

You should always use a snapshot as the starting point for running -current. Upgrading by compiling your own source code is not supported.

Most of these changes will have to be performed as root.

2016/08/01 - new mandoc.db(5) format

To update all mandoc.db(5) files to the new format, run:

2016/08/08 - mandatory W^X enforcement

W^X violations are now only permitted for binaries marked wxneeded executed from filesystems marked wxallowed.

2016/08/10 - RELRO by default on all archs but luna88k

The system now uses the RELRO design ("read-only after relocation") to lay out executables and libraries such that they use fewer mappings and more of the initial data can be protected as read-only. Unlike other OSes, this applies to all dynamic executables and libraries by default, as well as to static PIE executables.

To upgrade over this, start from a system running 6.0-release or later and an up-to-date source tree:

cd /usr/src && make obj && make clean && make includes
cd /usr/src/libexec/
make SUBDIR= depend && make SUBDIR= && doas make SUBDIR= install
cd /usr/src/lib/csu
make depend && make && doas make install
cd /usr/src/gnu/usr.bin/binutils-2.17
make -f Makefile.bsd-wrapper && doas make -f Makefile.bsd-wrapper install
cd /usr/src && make build

2016/08/12 - [ports] py-elasticsearch-curator update

With the update of Elasticsearch Curator to the 4.x version, the CLI interface changed. Instead of parameters, yaml configuration files are used to steer actions of curator. Configuration file documentation can be found on the curator reference pages.

2016/08/14 - qabs(3) and qdiv(3) manpages removed

Their content was merged into the labs(3) and lldiv(3) manpages, so the separate files should be removed and and the database updated.
rm -f /usr/share/man/man3/qabs.3 /usr/share/man/man3/qdiv.3

2016/09/01 - armv7 complete ABI break

OpenBSD/armv7 moved to the ARM EABI. This is a hard ABI break which you cannot cross with a simple build. To upgrade through this break, you need to upgrade from a snapshot.

2016/09/01 - [ports] letskencrypt renamed/moved to base

letskencrypt, previously in ports/security, has been imported to base under its new name acme-client. Adjust scripts/cronjobs as necessary.

2016/09/03 - armv7 is now PIE

The armv7 platform has been switched to PIE (position-independent executables) by default. Everyone is encouraged to update via snapshots (dated after 2016/09/02); if you want to upgrade via sources, follow these instructions:

First, install the new system Makefiles with the change to PIE_ARCH in

cd /usr/src/share/mk && make install
Then, recompile and install gcc and binutils.
cd /usr/src/gnu/usr.bin/binutils-2.17
make -f Makefile.bsd-wrapper clean && make -f Makefile.bsd-wrapper obj && \
       make -f Makefile.bsd-wrapper depend && make -f Makefile.bsd-wrapper
cd /usr/src/gnu/usr.bin/cc
make clean && make obj && make depend && make && make install
cd /usr/src/gnu/usr.bin/binutils-2.17 && make -f Makefile.bsd-wrapper install
Finally, recompile your system by following the procedure outlined in release(8).

2016/09/08 - armv7 now supports static PIE

The armv7 platform now also supports PIE for static binaries. Everyone is encouraged to update via snapshots (dated after 2016/09/09); if you want to upgrade via sources, follow these instructions:

First, install the new system Makefiles with the change to STATICPIE_ARCH in

cd /usr/src/share/mk && make install
Then, build and install rcrt0.o:
cd /usr/src/lib/csu
make clean && make obj && make depend && make && make install
Then, recompile and install gcc:
cd /usr/src/gnu/usr.bin/cc
make clean && make obj && make depend && make && make install
Finally, recompile your system by following the procedure outlined in release(8).

2016/09/09 - /dev/sound removed

Remove unused device nodes:
rm -f /dev/sound*

2016/09/13 - [ports] Railo replaced with Lucee

Railo has been replaced with Lucee (a fork). Make notes on your existing Railo configuration before updating. You will need to adjust Tomcat configuration, and configure Lucee according to your previous Railo configuration.

2016/09/19 - softraid crypto switched to bcrypt PBKDF

New volumes will be created with bcrypt PBKDF, however existing volumes will continue to use PKCS5 PBKDF2 until a passphrase change is made.

If you're booting from softraid crypto, ensure that your boot loader has been upgraded to a version that supports bcrypt prior to changing your passphrase. That is to say, it should be from a snapshot dated after 2016/09/19. The boot(8) version should be at least 3.33 on amd64 and 3.31 on i386. Also be aware that once the passphrase has been changed, an older version of bioctl(8) (one that does not support bcrypt PBKDF) will not be able to "unlock" the volume.

2016/09/23 - sqlite3 moved back to ports

SQLite has moved from base back to ports. The old files must be removed before building from ports:
rm /usr/bin/sqlite3
rm /usr/include/sqlite3*.h
rm /usr/lib/pkgconfig/sqlite3.pc
rm /usr/libdata/perl5/site_perl/*-openbsd/sqlite3*.ph
rm /usr/share/man/man1/sqlite3.1
rm /usr/lib/libsqlite3*         # see below
Ports bulk builders must remove the old libraries before building new packages.

Users should wait until updated packages are available before removing the libraries, otherwise many installed packages will break. You can check:

$ pkg_info -S nss
Information for inst:nss-3.26

If the sqlite3 version number is 32.0 or lower, they are not updated yet.

2016/09/27 - more secure package and firmware signatures

Packages and firmware are now signed with a more secure scheme. If pkg_add(1) and fw_update(1) complain about unsigned packages/firmware, you must upgrade to a more recent snapshot or rebuild the system—involves pieces in libc, signify(1) and pkg_add(1), so following release(8) is the best way.

2016/10/06 - new build infrastructure, noperm release process

The infrastructure to build the base system from source and to make a release has changed. The SUDO variable was removed from the base system makefiles and the make build command now must be issued by root. Whenever possible, the makefiles will de-escalate privileges to BUILDUSER (as specified in mk.conf(5); defaults to USER). Make sure that /usr/obj or /usr/xobj is empty and owned by BUILDUSER before starting a build.

Start the build as follows:

# cd /usr/src/share/mk && make install	# only needed the first time
# cd /usr/src && make obj && make build
To make a release(8), further setup is required: To build a base release, set DESTDIR=/dest/base and to build a xenocara release, set DESTDIR=/dest/xbase.

2016/10/14 - [ports] Ansible copy module change

The copy module of Ansible added a newline to the value of the content attribute in case it was not present. This behaviour is non-standard and was not documented. It has been reverted in the ansible- package.
If you previously relied on this behaviour you will need to explicitly add \n to your playbooks.

2016/10/14 - kernel builds now need make obj

Kernels now build in an obj directory just like the rest of the source tree. This helps ensuring that the src tree can be read-only during builds. Some cleanup needs to be done before updating your source trees via cvs:
$ cd /sys
$ rm -r arch/*/compile/[GR]*
$ rm arch/*/compile/.cvsignore
$ cvs -q up -Pd
The new way of configuring, building and installing a kernel is:
$ cd /sys/arch/$(machine)/compile/GENERIC.MP
$ doas make obj
$ make config
$ make
$ doas make install

2016/10/24 - uxterm and koi8xterm removed

The uxterm and koi8rxterm shell scripts have been removed, as xterm(1) on OpenBSD is already set up to support UTF-8. Some cleanup needs to be done after upgrading to -current:
cd /usr/X11R6
rm bin/koi8rxterm bin/uxterm
rm share/X11/app-defaults/KOI8RXTerm share/X11/app-defaults/UXTerm
rm man/man1/koi8rxterm.1 man/man1/uxterm.1
If you edited any configuration files to call uxterm, do not forget to change these to call xterm directly. If you defined X resources for UXTerm, consider moving them to XTerm.

2016/11/04 - [ports] sympa update

The mail/sympa mailing list server port was updated to a new version. The upgrade notes explain how to migrate your setup.

2016/11/04 - [ports] nginx dynamic modules

The www/nginx port has been converted to use subpackages with dynamic modules, instead of using FLAVORs. If you previously were using a FLAVORed version of nginx, or the mail or stream modules, you need to install the apropriate subpackage(s). You also need to modify your nginx configuration to use load_module for each dynamic module you want to load.

2016/11/09 - perl headers removed

The perl headers are no longer generated and should be removed:
rm -rf /usr/libdata/perl5/site_perl

2016/11/14 - default lo(4) interface per rdomain

A loopback interface is now created by default for every rdomain(4). Much like lo0 for rdomain 0, it can be used to see and filter local traffic via bpf(4) and pf(4).

If you previously were using an loX in an rdomain other than X, it won't be possible to create rdomain X anymore. You need to either use a different lo(4) unit or rdomain(4) number.

2016/11/19 - new dedicated build user

A dedicated user now does the heavy lifting of make build.

It is recommended that you start from a very recent -current (dated after Nov 15), so you already have a user build and a group wobj, otherwise add them manually.

Clean out the object directories and set correct owners and permissions:

# rm -rf /usr/obj/* /usr/xobj/*
# chown build:wobj /usr/{,x}obj
# chmod 770 /usr/{,x}obj
Developers must add their users to the group wobj, so that they can still write to /usr/{,x}obj. Be sure to remove any custom BUILDUSER from mk.conf(5).

Install the new systemwide makefiles:

# cd /usr/src/share/mk && make install
You can now proceed by making and installing a kernel, rebooting and building the system from source as described in the release(8) man page.

Before making a release, ensure that build can write to DESTDIR and RELEASEDIR: chown the root of the noperm filesystem containing DESTDIR

# chown build /dest
and set ownership and permissions for RELEASEDIR
# chown build $RELEASEDIR 
# chmod u=rwx $RELEASEDIR
To avoid permission issues, it is recommended to start the first release with an empty RELEASEDIR.

Making xenocara needs no extra steps beyond the ones described in the release(8) man page.

2016/12/01 - cwm(1) bind function changes

The configuration syntax for binding functions to keys and mouse buttons has changed, replacing the bind and mousebind keywords with bind-key, bind-mouse, unbind-key and unbind-mouse. See the cwmrc(5) man page for new bind function names.

2016/12/18 - [ports] news/leafnode group change

The _news account used to run leafnode switched from the news group to the _news group. Ensure that you have at least leafnode-1.11.11p0 installed and that no leafnode process is running, then run
usermod -g _news _news
chgrp -R _news /var/spool/news/

2016/12/18 - [ports] net/uucp user change

Starting with uucp-1.07p4, the uucp suite now runs under the _uucp account. Ensure that you have no uucp process running, then adjust the ownership of some files:
find /etc/ /var/spool/ -user uucp -exec chown _uucp {} ';'

2016/12/27 - removal of uucp and news

The uucp user and the news group have been removed from base. Issue
userdel uucp
groupdel news
rm -rf /var/spool/uucp*		# unless you use the net/uucp port

2017/01/03 - https support added to the installer

On amd64, armv7, i386, hppa and macppc, the bsd.rd installer defaults to https. Your autoinstall(8) response file may need the additional line
Unable to connect using https. Use http instead = yes	# "no" is default
between the HTTP Server and Set name(s) responses.
$OpenBSD: current.html,v 1.772 2017/01/06 10:07:06 tb Exp $