Keep the system up to date

To keep your system secure, it is essential to keep it up to date. To apply the security patches, you must update:

The short version 😉:

# syspatch
# pkg_add -u

Update ports (packages)

Updating packages is as easy as:

# pkg_add -u

Yes that's all. 😁

Thanks to solene who made this possible.

Since this paragraph is a bit short, I will take this opportunity to give you two tips 😊. First, I advise you to add the following command to the /etc/daily.local file:

pkg_add -nu

This way, the daily mail from Charlie Root shows what would happen if package upgrades are available. Nothing is actually installed, because an updated program that needs to be restarted may not work until it is. You are simply warned of the updates to apply, and with the -n option the packages are kept in the cache, which saves time later without the risk of taking a service down because it has to be restarted after the update. Run "pkg_add -u" yourself when you get the chance.

If you still want to apply the updates automatically, I advise you to first install the "checkrestart" port, which tells you whether a service must be restarted after the update. /etc/daily.local then looks like this:

pkg_add -u
echo "Service to restart with rcctl restart:"
checkrestart

You will still have to reload the services manually with rcctl.

Update the system

First of all, a little reminder: OpenBSD is available in 3 "flavors":

Bugs do get discovered, and each time fixes are provided quickly. You should then apply the security patches.

Since version 6.1, this operation is very simple with the following command:

# syspatch

The binary patches are then downloaded and installed. That's it! 😁 It looked like this in OpenBSD 6.1 (a long time ago):

Get / Verify syspatch61-002_vmmfpu.tgz 100% | ******************************* | 9377 KB 00:49
Installing patch 002_vmmfpu
Get / Verify syspatch61-003_libress ... 100% | ******************************* | 11391 KB 00:22
Installing patch 003_libressl
...

This tool is only available for i386, amd64, and more recently arm64 architectures.

For whatever reason, you may prefer the old method of fetching the sources and installing the patches manually, as described in the official FAQ.

Be notified of updates

To find out whether updates need to be applied, you can consult the errata page, which lists the available security patches. It is located at

"https://www.openbsd.org/errataXX.html" where "XX" is the version number of your release, e.g. "70" for OpenBSD 7.0.

You can also be notified by email (and that's great 😊). To receive announcements of important updates for the system, subscribe to the announce and security-announce lists. To do so, send a first email to majordomo@OpenBSD.org containing only:

subscribe announce

Then send a second message with:

subscribe security-announce

I also advise you to subscribe to the ports-security list, which tells you when a new version of a port is available. Send a message to the same address containing:

subscribe ports-security
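
Alongside the mailing lists, the daily mail can report pending base-system patches in the same way the "pkg_add -nu" tip does for packages. The fragment below for /etc/daily.local is an added example, not part of the original page: the function names errata_url and patch_report are hypothetical, and it assumes "syspatch -c" prints one missing patch name per line (names like 002_vmmfpu).

```sh
# Added example for /etc/daily.local (not from the original page).
# Assumption: "syspatch -c" lists patches not yet installed, one per line.

# Turn a release string such as "7.0" into the errata page URL (errata70.html).
errata_url() {
	printf 'https://www.openbsd.org/errata%s.html\n' \
	    "$(printf '%s' "$1" | tr -d '.')"
}

# Summarize pending patches. $1 = release, stdin = output of "syspatch -c".
# Returns 0 when nothing is pending, 1 when patches are waiting.
patch_report() {
	_rel=$1
	_n=0
	_names=
	while IFS= read -r _line; do
		case $_line in
		[0-9][0-9][0-9]_?*)	# keep patch names, skip blanks and noise
			_n=$((_n + 1))
			_names="$_names $_line"
			;;
		esac
	done
	if [ "$_n" -eq 0 ]; then
		echo "syspatch: no pending patches for OpenBSD $_rel"
		return 0
	fi
	echo "syspatch: $_n pending patch(es) for OpenBSD $_rel:$_names"
	echo "Details: $(errata_url "$_rel")"
	echo "Apply with: syspatch"
	return 1
}

# Only run on OpenBSD; report a failing syspatch (e.g. unsupported release)
# instead of silently claiming that nothing is pending.
if [ "$(uname -s)" = "OpenBSD" ]; then
	if _out=$(syspatch -c 2>&1); then
		printf '%s\n' "$_out" | patch_report "$(uname -r)" || true
	else
		echo "syspatch -c failed: $_out"
	fi
fi
```

Nothing is installed by this fragment; it only adds a summary and the matching errata link to the mail from Charlie Root.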

Upgrade from one version to another

When a new major version of OpenBSD is available, the update procedure is always detailed on the official website. Before upgrading, you must read the release notes at "https://www.openbsd.org/faq/upgradeXX.html" where "XX" must be replaced by the version number you want to upgrade to.

Since version 6.5, it only takes a simple command to update to the latest release or to -current:

# sysupgrade

ALWAYS check upgrade notes anyway 😄.

Clean up after multiple updates

If your installation is a bit outdated, you can check which files you may have forgotten to delete with the help of the "sysclean" port (command of the same name).

The files that are not supposed to be present in a base system will then be listed. Read the output carefully: most of them are configuration files you created and want to keep 😉.