xzMar 22
After sysupgrade -s-ing my semi-production #OpenBSD system, I realized that the upcoming pledge(2) changes in OpenBSD 7.9 can result in downstream breakage when using pledge(2) promises which are implicitly allowing certain files to be accessed, such as the "dns" promise which allowed r/o access to /etc/resolv.conf regardless of any unveil(2) shenanigans. This has changed now, these implicit allows seems to be gone.

Especially when using a programming language deciding not to go through libc for name resolution, this will require a small change. I am looking at you, #Golang.

Now, I have multiple diffs like this one:
- openbsd.PledgePromises("stdio inet dns")
+ openbsd.Unveil("/etc/resolv.conf", "r")
+ openbsd.UnveilBlock()
+ openbsd.PledgePromises("stdio rpath inet dns")
More details are available in this detailed post to ports@, which I missed so far:
https://marc.info/?l=openbsd-ports&m=177389567528083
'Pledge changes in 7.9-beta' - MARC

Show threadDavid Leadbeater

@xz note that Go can use libc as a resolver (https://pkg.go.dev/net#hdr-Name_Resolution), if this breaks you setting one of those environment variables is a potential workaround, but only a temporary one.

I'd also recommend unveils for the other DNS related files listed in my post (/etc/hosts in particular, there are some very subtle behaviours there, some recursive DNS servers will resolve "localhost", others won't, so if you don't have /etc/hosts, it's essentially random whether "localhost" works). There's a few more details to be worked out, I'll share a Go specific update to that post soon.

net package - net - Go Packages

Package net provides a portable interface for network I/O, including TCP/IP, UDP, domain name resolution, and Unix domain sockets.

Mar 25 at 3:02amWeb