OpenRiot v7.5 — Lock It Down

“The only secure system is one that assumes it’s already compromised.” — The OpenRiot Crew, after one too many port scans


Release Overview

v7.5 is a security and stability release. No new eye candy, no new features you can screenshot — just a tighter ship.

OpenBSD 7.9 stable is now the default target. Every hardcoded snapshots path in the image builder, downloader, and install.site script has been replaced with dynamic version resolution via formatVersion(cfg.Version). This means -current users still get snapshots automatically, but release users get stable 7.9 sets and packages out of the box.
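One way the dynamic version resolution can work, written here as an added example (not OpenRiot's own formatVersion, prereqs.go or download.go code): repoPath, setsURL and packagesURL are hypothetical names, the mirror URL is a parameter, and the set naming (version digits without the dot, so base79.tgz) is an assumption; the /pub/OpenBSD/<release>/ versus /pub/OpenBSD/snapshots/ layout is how the OpenBSD mirrors are organised.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// releaseRe accepts only MAJOR.MINOR; anything else is either -current or a typo.
var releaseRe = regexp.MustCompile(`^(\d+)\.(\d+)$`)

// repoPath maps a configured version to the directory component on the mirror:
// a release such as "7.9" lives under /pub/OpenBSD/7.9/, while anything tracking
// -current lives under /pub/OpenBSD/snapshots/. Hypothetical stand-in for the
// formatVersion(cfg.Version) the release notes mention; its real body is not shown.
func repoPath(version string) (string, error) {
	v := strings.TrimSpace(version)
	switch {
	case v == "":
		return "", errors.New("empty version")
	case strings.HasSuffix(v, "-current"), v == "snapshots":
		return "snapshots", nil
	case releaseRe.MatchString(v):
		return v, nil
	}
	// Fail closed: a bad version must not silently turn into a snapshots download.
	return "", fmt.Errorf("unrecognised OpenBSD version %q", version)
}

// setsURL builds the URL of one base-system set, e.g.
// .../pub/OpenBSD/7.9/amd64/base79.tgz for a release and
// .../pub/OpenBSD/snapshots/amd64/base79.tgz for "7.9-current".
// The set-name digits are derived from the version string (assumption).
func setsURL(mirror, version, arch, set string) (string, error) {
	dir, err := repoPath(version)
	if err != nil {
		return "", err
	}
	digits := strings.ReplaceAll(strings.TrimSuffix(strings.TrimSpace(version), "-current"), ".", "")
	return fmt.Sprintf("%s/pub/OpenBSD/%s/%s/%s%s.tgz",
		strings.TrimRight(mirror, "/"), dir, arch, set, digits), nil
}

// packagesURL builds the package directory for pkg_add: releases use
// .../pub/OpenBSD/7.9/packages/amd64/, -current uses .../snapshots/packages/amd64/.
func packagesURL(mirror, version, arch string) (string, error) {
	dir, err := repoPath(version)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s/pub/OpenBSD/%s/packages/%s/",
		strings.TrimRight(mirror, "/"), dir, arch), nil
}

func main() {
	for _, v := range []string{"7.9", "7.9-current", "seven.nine"} {
		u, err := setsURL("https://cdn.openbsd.org", v, "amd64", "base")
		fmt.Printf("%-12s => %s %v\n", v, u, err)
	}
}
```

The point of failing closed in repoPath is that the old builder's behaviour (hardcoded snapshots) is exactly what a release user gets if an unparseable version quietly defaults to the snapshots path.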

We also completed a full security audit. Four issues were found and fixed:

  1. Transmission peer port binding — The BitTorrent client now binds its peer port exclusively to the WireGuard tunnel IPv4 address. No more leaking your real IP to the swarm. The binding happens at toggle time because Mullvad rotates IPs.

  2. PF firewall hardening — The installer now changes the permissive pass all flags S/SA rule to pass out all flags S/SA. Inbound traffic is blocked by default unless explicitly allowed.

  3. CUPS removal — cupsd is no longer added to pkg_scripts in /etc/rc.conf.local. If you need printing, add it back manually.

  4. SSH hardening documentation — A new troubleshooting section covers disabling password authentication, enforcing key-only login, and locking down sshd_config without breaking your remote session.
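Item 1 in code, as an added example rather than OpenRiot's GetTunnelIP() or bindTransmissionToWireGuard(): the ifconfig wg0 output below is constructed (the endpoint is a documentation address, keys are elided), tunnelIPv4 and transmissionBinding are hypothetical names, and bind-address-ipv4 is Transmission's settings.json key for the address its peer listener binds to.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
)

// sampleIfconfigWg0 is constructed output in the shape ifconfig(8) prints for a
// wg(4) interface on OpenBSD; only the "inet" line matters to the parser.
const sampleIfconfigWg0 = `wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
	index 5 priority 0 llprio 3
	wgport 51820
	wgpubkey <elided>
	wgpeer <elided>
		wgendpoint 198.51.100.7 51820
		wgaip 0.0.0.0/0
	groups: wg
	inet 10.64.0.2 netmask 0xffffffff
`

// inetRe matches the indented "inet A.B.C.D" line; "inet6" does not match because
// a whitespace run must follow "inet", and the peer's wgendpoint line has no "inet".
var inetRe = regexp.MustCompile(`(?m)^\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})\b`)

// tunnelIPv4 extracts the tunnel's IPv4 address from captured `ifconfig wg0`
// output. It refuses an absent, unspecified or loopback address so that a tunnel
// that is down can never yield "0.0.0.0", which would bind the listener on every
// interface and leak the real address to the swarm.
func tunnelIPv4(ifconfigOutput string) (string, error) {
	m := inetRe.FindStringSubmatch(ifconfigOutput)
	if m == nil {
		return "", errors.New("wg0 has no IPv4 address; is the tunnel up?")
	}
	ip := net.ParseIP(m[1]).To4()
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() {
		return "", fmt.Errorf("refusing to bind Transmission to %q", m[1])
	}
	return ip.String(), nil
}

// transmissionBinding returns the settings.json entry that pins Transmission's
// peer port to the tunnel address. A parse failure propagates: never fall back
// to a wildcard bind when the tunnel address cannot be determined.
func transmissionBinding(ifconfigOutput string) (map[string]string, error) {
	ip, err := tunnelIPv4(ifconfigOutput)
	if err != nil {
		return nil, err
	}
	return map[string]string{"bind-address-ipv4": ip}, nil
}

func main() {
	settings, err := transmissionBinding(sampleIfconfigWg0)
	if err != nil {
		fmt.Println("not binding:", err)
		return
	}
	fmt.Println("transmission peer port will bind to", settings["bind-address-ipv4"])
}
```

Because the tunnel address changes when Mullvad rotates IPs, the parse-and-rebind has to run on every toggle, as the release notes say; caching the first address would leave Transmission bound to an address the interface no longer has, and the listener would silently fail rather than leak, which is the safer of the two failure modes but still worth detecting.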
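Items 2 and 4 share one shape, a line-by-line rewrite of a config file, so here is one added example covering both (not the installer's code): hardenPF, blockPrecedesPassOut, hardenSSHD and rewriteLines are hypothetical names, the pf.conf and sshd_config samples are constructed, and PasswordAuthentication, KbdInteractiveAuthentication and PubkeyAuthentication are real sshd_config(5) keywords. The SSH rewrite refuses to run without an authorized key, which is the guard that keeps "without breaking your remote session" true.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// rewriteLines applies fn to every non-blank, non-comment line of a config file.
// Commented-out defaults (e.g. "#PasswordAuthentication yes") are left alone.
func rewriteLines(config string, fn func(line string) string) string {
	lines := strings.Split(config, "\n")
	for i, l := range lines {
		t := strings.TrimSpace(l)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		lines[i] = fn(l)
	}
	return strings.Join(lines, "\n")
}

// passAllRe matches the permissive rule the old installer wrote. "pass all" has
// no direction, so it also created state for unsolicited inbound connections.
var passAllRe = regexp.MustCompile(`^(\s*)pass all(\s+flags S/SA.*)$`)

// hardenPF rewrites "pass all flags S/SA" to "pass out all flags S/SA", as v7.5 does.
func hardenPF(pfConf string) string {
	return rewriteLines(pfConf, func(l string) string {
		return passAllRe.ReplaceAllString(l, "${1}pass out all${2}")
	})
}

// blockPrecedesPassOut checks the property that makes the rewrite meaningful:
// PF's last matching rule wins (absent "quick") and a packet matching no rule is
// passed, so "pass out all" only drops inbound traffic if an earlier "block" rule
// catches it. Returns false when there is no "pass out" rule at all.
func blockPrecedesPassOut(pfConf string) bool {
	blocked := false
	for _, l := range strings.Split(pfConf, "\n") {
		t := strings.TrimSpace(l)
		switch {
		case strings.HasPrefix(t, "block"):
			blocked = true
		case strings.HasPrefix(t, "pass out"):
			return blocked
		}
	}
	return false
}

// keyOnly holds the directive values for key-only login; keywords are matched
// case-insensitively because sshd_config(5) keywords are.
var keyOnly = map[string]string{
	"PasswordAuthentication":       "no",
	"KbdInteractiveAuthentication": "no",
	"PubkeyAuthentication":         "yes",
}
var keyOnlyOrder = []string{"PasswordAuthentication", "KbdInteractiveAuthentication", "PubkeyAuthentication"}
var sshdDirectiveRe = regexp.MustCompile(`(?i)^\s*(PasswordAuthentication|KbdInteractiveAuthentication|PubkeyAuthentication)\s+\S+`)

// hardenSSHD rewrites a flat sshd_config for key-only login (Match blocks are not
// handled). It refuses when no authorized key exists: disabling passwords before a
// key is installed is exactly how an admin gets locked out of a remote box.
func hardenSSHD(sshdConf string, authorizedKeys []string) (string, error) {
	if len(authorizedKeys) == 0 {
		return "", errors.New("no authorized_keys entries: refusing to disable password login")
	}
	seen := map[string]bool{}
	out := rewriteLines(sshdConf, func(l string) string {
		m := sshdDirectiveRe.FindStringSubmatch(l)
		if m == nil {
			return l
		}
		key := canonicalKey(m[1])
		seen[key] = true
		return key + " " + keyOnly[key]
	})
	for _, key := range keyOnlyOrder { // append whatever the file did not already set
		if !seen[key] {
			out = strings.TrimRight(out, "\n") + "\n" + key + " " + keyOnly[key] + "\n"
		}
	}
	return out, nil
}

func canonicalKey(k string) string {
	for key := range keyOnly {
		if strings.EqualFold(key, k) {
			return key
		}
	}
	return k
}

func main() {
	pf := hardenPF("set skip on lo\nblock return\npass all flags S/SA\n")
	fmt.Print(pf)
	fmt.Println("block precedes pass out:", blockPrecedesPassOut(pf))
	conf, err := hardenSSHD("# constructed sshd_config\nPasswordAuthentication yes\nPort 22\n",
		[]string{"ssh-ed25519 AAAAC3... user@laptop (constructed)"})
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Print(conf)
}
```

Validate the rewritten files before loading them: pfctl -nf /etc/pf.conf parses the ruleset without applying it, and sshd -t checks sshd_config syntax. Keep the existing session open while testing a fresh key-based login from a second terminal; only then close it.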

README donation paragraph — We added a Bitcoin address before the table of contents. If this project saved you a weekend of dotfile suffering, throw some sats our way.

WebP thumbnail support — webp-pixbuf-loader-0.2.7 is now in the desktop package list. Thunar and tumbler can generate thumbnails for .webp images natively.


Snapshot-to-Release Migration

If you are running 7.9-current (snapshots) and want to switch to the stable release branch…

sysupgrade(8) without -s follows the release branch, but sysupgrade -R 7.9 from a post-release snapshot is technically a downgrade. The man page says downgrading is “unlikely to work.” The installer “Upgrade” option performs the same set extraction, just interactively. None of these paths are officially supported for moving from -current back to release on the same version number.

The clean paths:

  • Stay on snapshots — Keep using sysupgrade -s. This is the supported path for -current systems. Change /etc/installurl to a release CDN and run pkg_add -u (without -D snap) if you only want stable packages while waiting for the next release.

  • Fresh install — Back up /etc and /home, boot the 7.9 release media, and reinstall. This is the only guaranteed clean base-system migration.

Do not pretend sysupgrade -R 7.9 from a May 2026 snapshot is a safe one-click fix. It isn’t.


🧾 Files Changed

File                           Nature of Change
install/packages.yaml          openbsd_version: "7.9"; PF pass out (default and permissive styles); cupsd removal; cache regen command
source/commands/helpers.go     bindTransmissionToWireGuard(); regexp import; toggle/notify hook updates
source/wireguard/wireguard.go  GetTunnelIP() export; parses ifconfig wg0 for IPv4
source/imaging/prereqs.go      Base image URL uses formatVersion(cfg.Version)
source/imaging/download.go     Package dir and CDN use dynamic repo path
source/imaging/site.go         install.site uses dynamic package path
source/installer/mirrors.go    Comment updated from “snapshots” to “7.9”
README.md                      Donation paragraph; SSH hardening section; install79.img URL updated; TOC updated

🎵 What We’re Listening To

Still the same library. Still loud. Still wondering why the album labeled “Cyberpunk” has a Theremin solo in track three. Now with the added comfort of knowing your torrent client isn’t doxxing your home IP to the DHT.


🗣️ Final Words

“I don’t want new features. I want to stop worrying about whether my firewall is a suggestion.” — Every user who actually read pf.conf

v7.5 will not make your desktop prettier. It will make it harder to break into. The image builder no longer assumes everyone lives on -current. The firewall no longer waves every packet through. Your torrent client no longer broadcasts your ISP’s IPv4 to strangers.

This is the release for people who run pfctl -sr for fun.

Upgrade paths are documented honestly. No snake oil. No “just run sysupgrade and pray.” If you want stable, you know what to do.

— The OpenRiot Crew

“Your firewall just stopped being decorative.”
