Rolling your own OpenBSD syspatches

DISCLAIMER: if you're running OpenBSD on a machine for which the OpenBSD project provides official syspatches, don't bother building your own. It's not supported, and probably a bad idea.

When the OpenBSD developers find serious problems and bugs in the system, they backport the fixes to the two most recent releases and publish a patch against the source tree as it was at the time of the release. One can then download and apply the patch, and rebuild the affected components to fix the problem. However, for Intel machines and 64-bit ARM machines, OpenBSD also provides binary updates, as these are popular platforms with a lot of users -- it saves a lot of people the trouble of keeping a source tree around and rebuilding things every time an erratum is published.

At the time of writing, the only machines I have around which are running OpenBSD (and which I use with any degree of regularity) are all old Apple PowerPC machines, none of which are particularly fast. Upstream does not provide syspatches for macppc machines, but it seems a bit pointless (and a waste of time and electricity) to recompile things on each machine for each erratum released. I wanted some way to rebuild things on one machine and then distribute them to other machines -- seeing as the infrastructure for doing this already exists, I decided I'd roll my own syspatches.

Building syspatches

Some setup is required before building syspatches. There are some instructions in the README, which require a separate filesystem for staging the syspatch release. This filesystem should be mounted with the noperm option and the mount point should be owned by the build user. The install sets used to install the release should then be unpacked under this mount point as a reference point when building later syspatches.

The preparation is the hard part, really. Once you have that all set up, you create a Makefile for the syspatch, which lists the name of the patch to be downloaded from the OpenBSD site and the component to be rebuilt, which is either "src", "kernel" or "xenocara". For example, the Makefile for the 6.4 Xorg erratum looks like this:

ERRATA = 001_xserver
BUILD = xenocara

Then, you run make(1) with the appropriate options (see the README), and then after a while, a magic syspatch tarball will have appeared in the obj directory. (Note the section regarding editing the "plist" file to remove files which should not be included in the syspatch -- you can download the corresponding official syspatches for one of the platforms where syspatch is supported and use the contents of the tarball shown with tar tzf tarball.tgz to get a list of files to include.)
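The plist pruning mentioned above can be done mechanically rather than by eye. The following script is an added example (it is not from the post or from the syspatch build README): it lists the official syspatch tarball from a supported platform with tar tzf, keeps only the entries of the locally generated plist that also appear there, and reports the dropped entries on stderr so a human can check that nothing arch-specific was thrown away by mistake. The tarball and plist it builds are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the post or the syspatch build README. It does the
# plist pruning step mechanically: keep only the entries of the locally
# generated plist that also appear in the official syspatch tarball for a
# supported platform (listed with tar tzf), and report the rest on stderr so
# a human can decide whether an arch-specific path was dropped wrongly.
# Assumes the plist is one path per line, relative to /, as tar prints them.
# The tarball and plist built below are constructed sample input.
set -eu
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

# Members of an official syspatch tarball, sorted for comm(1).
official_files() {
    tar tzf "$1" | sed 's:^\./::' | sort -u
}

# Print the pruned plist on stdout; dropped entries go to stderr.
prune_plist() {
    _plist=$1 _tarball=$2
    _t=$(mktemp -d)
    official_files "$_tarball" > "$_t/official"
    sort -u "$_plist" > "$_t/plist"
    comm -12 "$_t/plist" "$_t/official"                      # keep: in both
    comm -23 "$_t/plist" "$_t/official" | sed 's/^/dropped: /' >&2
    rm -rf "$_t"
}

# Constructed sample: a fake "official" tarball with two files, and a local
# plist that additionally lists a binary and a manpage the build left behind.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/stage/usr/X11R6/bin" "$SAMPLE/stage/usr/X11R6/lib/modules"
: > "$SAMPLE/stage/usr/X11R6/bin/X"
: > "$SAMPLE/stage/usr/X11R6/lib/modules/libwfb.so"
tar czf "$SAMPLE/official.tgz" -C "$SAMPLE/stage" usr
printf '%s\n' usr/X11R6/bin/X usr/X11R6/bin/Xorg \
    usr/X11R6/lib/modules/libwfb.so usr/X11R6/man/man1/Xorg.1 > "$SAMPLE/plist"

# Writes the pruned list; with the sample above, the two dropped entries
# (Xorg and its manpage) are reported on stderr.
prune_plist "$SAMPLE/plist" "$SAMPLE/official.tgz" > "$SAMPLE/plist.pruned"
cat "$SAMPLE/plist.pruned"
```

Run it against a real plist and official tarball with prune_plist plist syspatch64-001_xserver.tgz and review the "dropped:" lines before replacing the plist; a kernel or other arch-specific file will legitimately differ between platforms and must be put back by hand.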

Deploying syspatches

First, you need a webserver to host the syspatches; I'll skip over that part. Copy the syspatch tarballs somewhere where you can work with them. Then, create a new signify(1) keypair for signing the syspatches with something like:

$ signify -G -c "macppc 6.4 syspatch signing key" -s macppc-64-syspatch.sec -p macppc-64-syspatch.pub

Install the public key into /etc/signify on the machines where you're going to install the syspatches. Then, in the directory with your syspatches, create a SHA256 file with the hashes of the tarballs, and then sign the SHA256 file:

$ sha256 -h SHA256 syspatch-*.tgz
$ signify -S -e -s /path/to/macppc-64-syspatch.sec -m SHA256 -x SHA256.sig

Make a directory under your webroot for the syspatches, and then copy the tarballs, the SHA256 file and its signature SHA256.sig into the path syspatch/6.4/macppc under that directory.

Installing syspatches

One easter egg inside syspatch(8) is that when it loads the URL for the mirror from which to download syspatches, it uses the last line in /etc/installurl (as opposed to the package tools, which read the first line). So you can safely append the URL for your own syspatches to /etc/installurl without interfering with the operation of the package tools.
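The two halves of the deployment described above, as an added example (not the post's own script): on the build host, hashing, signing and laying out the tarballs under <mirror dir>/syspatch/<version>/<arch>, verifying the result with the public key exactly as syspatch(8) does on the client before anything is served; and on the client side, a small emulation of how /etc/installurl is read, with the package tools taking the first mirror line and syspatch(8) the last, so the two functions can be checked against each other. The key and directory locations are assumptions, and the installurl contents are a constructed sample.

```shell
#!/bin/sh
# Added example, not the post's own script. Build host: sign and publish
# under <mirror dir>/syspatch/<version>/<arch>. Client: work out which mirror
# syspatch(8) will use from /etc/installurl (last non-comment line, where the
# package tools use the first). Key and directory locations are assumptions;
# the installurl contents below are a constructed sample.
set -eu

SECKEY=${SECKEY:-/home/build/keys/macppc-64-syspatch.sec}   # assumed location
PUBKEY=${PUBKEY:-/etc/signify/macppc-64-syspatch.pub}       # assumed location
MIRROR_DIR=${MIRROR_DIR:-/var/www/htdocs/openbsd}           # assumed webroot dir
VERSION=6.4
ARCH=macppc

# --- build host: sign and publish -----------------------------------------

# Path syspatch(8) appends to the mirror URL taken from /etc/installurl.
syspatch_relpath() {
    printf 'syspatch/%s/%s\n' "$1" "$2"
}

# Write SHA256 for every tarball in $1 and sign it (embedded signature).
sign_dir() {
    ( cd "$1" &&
      sha256 -h SHA256 syspatch-*.tgz &&
      signify -S -e -s "$SECKEY" -m SHA256 -x SHA256.sig )
}

# Check the signed list and each tarball with the public key: the same
# signify -C verification a client performs, run before anything is served.
verify_dir() {
    ( cd "$1" && signify -C -p "$PUBKEY" -x SHA256.sig syspatch-*.tgz )
}

# Sign, verify, then copy into the mirror tree; refuses to publish if the
# tools are missing or the signature does not check out.
publish() {
    _src=$1
    _dest="$MIRROR_DIR/$(syspatch_relpath "$VERSION" "$ARCH")"
    for _t in sha256 signify; do
        command -v "$_t" >/dev/null 2>&1 || { echo "$_t not found" >&2; return 1; }
    done
    sign_dir "$_src"
    verify_dir "$_src"
    mkdir -p "$_dest"
    cp "$_src"/syspatch-*.tgz "$_src"/SHA256 "$_src"/SHA256.sig "$_dest"/
    echo "published to $_dest"
}

# --- client: which mirror does each tool read? -----------------------------

# Non-comment, non-empty lines of an installurl-style file.
mirror_lines() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# The package tools use the first entry.
pkg_mirror() {
    mirror_lines "$1" | head -n 1
}

# syspatch(8) uses the last entry and appends syspatch/<version>/<arch>.
syspatch_mirror() {
    _base=$(mirror_lines "$1" | tail -n 1)
    printf '%s/%s\n' "${_base%/}" "$(syspatch_relpath "$2" "$3")"
}

# Constructed sample /etc/installurl: official mirror first, private one last.
INSTALLURL=$(mktemp)
cat > "$INSTALLURL" <<'EOF'
# package mirror, read by pkg_add(1)
https://cdn.openbsd.org/pub/OpenBSD
# private syspatch mirror appended below; syspatch(8) reads the last line
http://build.example.internal/openbsd
EOF

# Usage on the build host: sh publish.sh /path/to/built/syspatches
if [ $# -eq 1 ]; then
    publish "$1"
fi
```

The publish step deliberately verifies with the public key rather than trusting that signing succeeded: if the wrong secret key was used, or the public key installed on the clients does not match, signify -C fails here instead of on every machine at install time.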

Then, make a copy of /usr/sbin/syspatch -- I called mine /usr/local/sbin/macppcpatch. Edit this copy, and find the line where signify(1) is called to verify the signature of the signed hash list, and change the path of the public key used to the key you installed into /etc/signify earlier.

Then, run the modified syspatch(8) script -- the syspatches should then be downloaded and installed.

(Note that after the second OpenBSD 6.4 syspatch is installed, you should repeat the copy and edit, as this particular patch is for the syspatch script itself.)

Thanks to Antoine Jacoutot for some help with getting started with building the syspatches.