OpenRiot v7.9.2 — The One Where the Kernel Was a Replicant

“The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards. But it won’t run pkg_add very well.” — Gene Spafford, probably, if he had to deal with our packages.yaml


Release Overview

v7.9.2 is the release where we realized the operating system has been running a long con. Your kernel says it is OpenBSD 7.9. It is not. It is -current, which means it is whatever Theo dreamed up after his third cup of coffee on a Tuesday in Ottawa. The snapshot mirror knows this. The stable mirror does not. And when you ask pkg_add to install rsync-3.4.2 on a stable CDN, the CDN looks at you the way Deckard looked at the replicant in the Tyrell Corp elevator: with quiet judgment and a 404.

This release is about truth. About refusing to let a kernel gaslight you into believing it knows what version it is running. About making your package list as honest as a Minor Threat song. About giving snapshot users an escape hatch that does not involve reading installurl(5) like it is the Necronomicon.

7.9 Stable Package Truth and Reconciliation — or, The SHA256 Inquisition — Twenty-plus packages stood before the manifest and confessed. rsync-3.4.1 admitted it was not 3.4.2. python-3.13.13 admitted it was not 3.14.4p1. fish-4.6.0 admitted it was not 4.7.1. firefox-150.0 admitted it was not 151.0. bitcoin-30.2p0 admitted it was not 31.0p0. The list goes on: alacritty, btop, gnupg, meson, feh, ImageMagick, ffmpeg, tdesktop, libreoffice, gnome-text-editor, mpd, rclone, supertux, wesnoth. Every single one had been listed in packages.yaml as a version that only existed on the snapshot mirror — a mirror that lives in the future, where packages go to become Schrodinger’s binaries.

They were neither installed nor missing. They were 404.

install/packages.yaml now contains only versions verified against cdn.openbsd.org/pub/OpenBSD/7.9/packages/amd64/SHA256. If a version is not in the manifest, it is not in the file. This is called “reality-based package management.” It is punk rock. It is DIY. It is correct. And it is the first time we have ever treated packages.yaml like a source of truth instead of a wishlist.
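The check described above, as an added example (not OpenRiot's own code): parse the mirror's SHA256 manifest and report every wanted package version the mirror does not publish. The `SHA256 (name.tgz) = digest` line format, the function names and the sample data are assumptions; the digests are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// manifestLine matches the BSD-style lines assumed for the SHA256 file:
//   SHA256 (rsync-3.4.1.tgz) = <base64 digest>
var manifestLine = regexp.MustCompile(`^SHA256 \((.+)\.tgz\) = (\S+)$`)

// ParseManifest returns package name -> digest for every well-formed line.
// Malformed lines are skipped rather than guessed at.
func ParseManifest(text string) map[string]string {
	pkgs := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if m := manifestLine.FindStringSubmatch(strings.TrimSpace(sc.Text())); m != nil {
			pkgs[m[1]] = m[2]
		}
	}
	return pkgs
}

// MissingFromManifest returns the wanted package versions that are absent
// from the manifest, i.e. the ones a pkg_add against that mirror would 404 on.
func MissingFromManifest(wanted []string, manifest map[string]string) []string {
	var missing []string
	for _, w := range wanted {
		if _, ok := manifest[w]; !ok {
			missing = append(missing, w)
		}
	}
	return missing
}

// Constructed sample manifest: digests are placeholders, not real values.
const sampleManifest = `SHA256 (rsync-3.4.1.tgz) = AAAAplaceholderdigest1=
SHA256 (fish-4.6.0.tgz) = AAAAplaceholderdigest2=
SHA256 (python-3.13.13.tgz) = AAAAplaceholderdigest3=
this line is malformed and is skipped
`

func main() {
	wanted := []string{"rsync-3.4.2", "fish-4.6.0", "python-3.14.4p1"} // constructed list
	missing := MissingFromManifest(wanted, ParseManifest(sampleManifest))
	fmt.Println("not on the stable mirror:", missing)
}
```

Run as a pre-build gate, a non-empty result should fail the image build before anything reaches pkg_add.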

Config-First Snapshot Detection — or, Do Androids Dream of Stable Releases? — source/config/types.go IsSnapshot() used to ask the kernel what it thought. The kernel, being a -current kernel, thought it was 7.9 stable. It was wrong. It has been wrong this whole time. It was like asking Roy Batty if he had seen attack ships on fire off the shoulder of Orion — he would say yes, because he is programmed to believe his own memories. But the memories are implants. The kernel’s version string is an implant.

Now IsSnapshot() checks packages.yaml first. If the config says "7.9", the installer targets 7.9 stable regardless of what the kernel’s delusions are. The YAML is a text file. It does not have ego. It does not run in ring 0. It does not pretend to be a C compiler. It just says what it says. This means a developer running -current can build a 7.9-targeted installer image without their own operating system betraying them like a replicant with a four-year lifespan. The config is the source of truth. The kernel can go sit in a lead-lined room and think about what it has done.

--pkg-update — The Escape Hatch from Snapshot Purgatory — On -current, installurl points at the snapshot mirror by default. This is fine until you want 7.9 stable packages. Then pkg_add -u tries the exact version from packages.yaml, fails because the snapshot mirror has different builds, falls back to the base name, and installs whatever the snapshot has. This works, technically, but it is spiritually incorrect. You asked for 7.9. You got “whatever the build farm had for lunch.”

--pkg-update wraps the whole thing in doas sh -c 'PKG_PATH=https://cdn.openbsd.org/pub/OpenBSD/7.9/packages/amd64/ pkg_add -u'. It sets PKG_PATH inside the elevated shell because doas strips environment variables the way a club bouncer strips fake IDs. You cannot just PKG_PATH=... doas pkg_add -u. The unprivileged shell opens the output file before doas elevates. This is POSIX. This is how privilege separation works. This is why hackers drink.

Use --pkg-update when you want stable and your OS wants chaos. It is the red pill for package management. It is the escape from the Matrix of snapshot drift. It is the John Connor moment where you look at Skynet and say, “Not today.”
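An added sketch of building that elevated command safely (not OpenRiot's own code; the function names are hypothetical). It assumes the release and architecture come from configuration, so both are validated before they are placed in a string that a root shell will interpret.

```go
package main

import (
	"fmt"
	"regexp"
)

var (
	releaseRe = regexp.MustCompile(`^[0-9]+\.[0-9]+$`) // bare release, e.g. "7.9"
	archRe    = regexp.MustCompile(`^[a-z0-9]+$`)       // e.g. "amd64"
)

// StablePkgPath builds the stable-mirror URL, rejecting anything that is not
// a bare release number and architecture name. Without this check a value
// such as "7.9/../snapshots" would quietly retarget the snapshot tree.
func StablePkgPath(release, arch string) (string, error) {
	if !releaseRe.MatchString(release) {
		return "", fmt.Errorf("invalid release %q", release)
	}
	if !archRe.MatchString(arch) {
		return "", fmt.Errorf("invalid arch %q", arch)
	}
	return "https://cdn.openbsd.org/pub/OpenBSD/" + release + "/packages/" + arch + "/", nil
}

// PkgUpdateArgv returns the argv for the elevated update. PKG_PATH is assigned
// inside the sh -c string so it is set in the shell that doas starts, not in
// the caller's environment.
func PkgUpdateArgv(release, arch string) ([]string, error) {
	url, err := StablePkgPath(release, arch)
	if err != nil {
		return nil, err
	}
	return []string{"doas", "sh", "-c", "PKG_PATH=" + url + " pkg_add -u"}, nil
}

func main() {
	// Constructed inputs: one valid release, one that must be refused.
	for _, rel := range []string{"7.9", "7.9/../snapshots"} {
		argv, err := PkgUpdateArgv(rel, "amd64")
		fmt.Printf("%q -> %q, err=%v\n", rel, argv, err)
	}
}
```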

WiFi Config & Monitor Config — Two New Entries in the Neural Net — The rofi app menu (Super+D) now has two new entries between “OpenRiot Settings” and “System Settings”: WiFi Config (launches openriot --nmtui) and Monitor Config (launches openriot --resolution-tui). Both open as floating Alacritty windows. Both reuse the same window classes already defined in the settings submenu. The only difference is they are smaller than other floating dialogs (40 ppt x 50 ppt instead of 45 x 75) because a network list and a resolution picker do not need to pretend they are the monolith from 2001: A Space Odyssey. They are utility windows. They should be modest. They should not block out the sun.

We also fixed the Proton Sync Update floating rule to match. It was still at 45 x 75, looming over the new entries like the Tyrell Corporation headquarters over Los Angeles. Now all four floating dialogs are the same size. Equality. Unity. One dialog size to rule them all.

i3 Floating Rule Tweaks — openriot_wifi shrank from 45 ppt x 75 ppt to 40 ppt x 50 ppt. New for_window [class="^openriot_resolution$"] rule added at the same dimensions. Workspace icon openriot_resolution = "󰹑" added to config/window/icons.toml. Proton Sync Update joined the 40 x 50 club. No dialog left behind.


🧾 Files Changed

| File | Nature of Change |
|---|---|
| install/packages.yaml | 20+ packages downverted to exact 7.9 stable versions; SHA256-verified, no more 404s |
| source/config/types.go | IsSnapshot() checks OpenBSDVersion first; config overrides kernel hallucinations |
| source/commands/commands.go | --pkg-update flag; forces 7.9 stable CDN via doas sh -c with PKG_PATH set |
| config/rofi/apps.txt | WiFi Config and Monitor Config entries |
| config/i3/config | Floating rules for openriot_wifi, openriot_resolution, and Proton Sync at 40 ppt x 50 ppt |
| config/window/icons.toml | openriot_resolution = "󰹑" icon mapping |
| install/openriot | Binary rebuilt |

🎵 What We’re Listening To

Same playlist. Same questionable Theremin solo. But now your package list agrees with the CDN, your config overrides your kernel, and your app menu has a WiFi button that works on the first press like a well-tuned Roland TR-808. This is the kind of consistency that makes you wonder why snapshot mirrors are allowed to exist at all — like VHS tapes in a streaming world, or Java in a container.

The --pkg-update command exists because doas strips environment variables. You cannot just PKG_PATH=... doas pkg_add -u. The shell opens the file before doas elevates. The whole pipeline has to be inside doas sh -c. This is not a workaround. This is how POSIX privilege elevation works. It is the digital equivalent of sneaking a cassette tape past the RIAA — the entire operation has to happen inside the trusted zone, or it fails.

We verified every package against the SHA256 manifest. We did not trust. We verified. This is the OpenBSD way. This is the hacker way. This is the way of the guy at DEF CON who checks every USB stick with a microscope before plugging it in. Paranoid. Correct. Alive.


🗣️ Final Words

“The best package list is the one that does not return 404.” — The OpenRiot Crew, after running awk '{print length, $0}' on the manifest and discovering that truth has a fixed width

v7.9.2 is the release where we looked at packages.yaml and said, “These versions do not exist on the stable CDN.” Then we looked at IsSnapshot() and said, “The kernel should not decide the target.” Then we looked at the rofi menu and said, “There should be a WiFi button here.” Then we looked at the floating rules and said, “A network list does not need to be 75% tall.” Then we looked at --pkg-update and said, “Snapshot users need an escape hatch that does not involve editing /etc/installurl with a ceremonial dagger.”

None of these are revolutionary. All of them are correct. The package versions match the CDN. The config overrides the kernel. The app menu has more buttons. The dialogs are appropriately sized. The escape hatch exists. The manifest is truth.

Your make image builds without 404s. Your -current box can target stable. Your launcher has WiFi. Your monitor config has a home. Your package list is honest. Your kernel has been demoted.

This is maintenance. This is care. This is what it looks like when people who build the installer also have to flash it to a USB stick at 3 AM and watch it fail because rsync-3.4.2 was a fantasy.

— The OpenRiot Crew

“Your package versions should be a promise, not a guess. Your config should be the source of truth, not your kernel’s delusions. Your floating dialogs should be modest, not monumental. And your escape hatch should always be one flag away.”
