xref: /freebsd-11.0-release/release/doc/en_US.ISO8859-1/relnotes/article.xml

<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The &os; Project</corpauthor>

  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 135436 2004-09-18 18:42:33Z bmah $</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <year>2003</year>
    <year>2004</year>
    <holder role="mailto:doc@FreeBSD.org">The &os; Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of
<![ %include.historic; [
      the changes made to the &os; base system since &release.prev;.
]]>
<![ %no.include.historic; [
      recent changes made to the &os; base system on the &release.branch;
      development branch.
]]>
      This document lists applicable security advisories that were issued since
      the last release, as well as significant changes to the &os;
      kernel and userland.
      Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1 id="intro">
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform.  It
    describes recently added, changed, or deleted features of &os;.
    It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.current [

  <para>The &release.type; distribution to which these release notes
    apply represents the latest point along the &release.branch; development
    branch since &release.branch; is created.  Some pre-built, binary
    &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;.  Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution.  It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.  More
    information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="&url.books.handbook;/mirrors.html"><quote>Obtaining
    &os;</quote> appendix</ulink> to the <ulink
    url="&url.books.handbook;/">&os;
    Handbook</ulink>.</para>

]]>

  <para>All users are encouraged to consult the release errata before
    installing &os;.  The errata document is updated with
    <quote>late-breaking</quote> information discovered late in the
    release cycle or after the release.  Typically, it contains
    information on known bugs, security advisories, and corrections to
    documentation.  An up-to-date copy of the errata for &os;
    &release.current; can be found on the &os; Web site.</para>

</sect1>

<sect1 id="new">
  <title>What's New</title>

  <para>This section describes
    the most user-visible new or changed features in &os;
    since &release.prev;.
    In general, changes described here are unique to the &release.branch;
    branch unless specifically marked as &merged; features.
  </para>

  <para>Typical release note items
    document recent security advisories issued after
    &release.prev.historic;,
    new drivers or hardware support, new commands or options,
    major bug fixes, or contributed software upgrades.  They may also
    list changes to major ports/packages or release engineering
    practices.  Clearly the release notes cannot list every single
    change made to &os; between releases; this document focuses
    primarily on security advisories, user-visible changes, and major
    architectural improvements.</para>

  <sect2 id="security">
    <title>Security Advisories</title>

    <para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
      file system snapshot to reset the flags on the file system to
      their default values.  The possible consequences depended on local
      usage, but could include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      file system.  This bug also affected the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;.  Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group.  For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>A bug with the System V Shared Memory interface
      (specifically the &man.shmat.2; system call) has been fixed.
      This bug can cause a shared memory segment to reference
      unallocated kernel memory.  In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
      &merged;</para>

    <para>A programming error in the &man.jail.attach.2; system call
      has been fixed.  This error could allow a process with superuser
      privileges inside a &man.jail.8; environment to change its root
      directory to that of a different jail, and thus gain full read
      and write access to files and directories within the target
      jail.  More information can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>A potential low-bandwidth denial-of-service attack against
      the &os; TCP stack has been prevented by limiting the number of
      out-of-sequence TCP segments that can be held at one time.  More
      details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
      &merged;</para>

    <para>A bug in <application>OpenSSL</application>'s SSL/TLS
      ChangeCipherSpec message processing could result in
      a null pointer dereference, has been fixed.
      This could allow a remote attacker to crash an
      <application>OpenSSL</application>-using
      application and cause a denial-of-service on the system.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>.
      &merged;</para>

    <para>A programming error in the handling of some IPv6
      socket options within the &man.setsockopt.2; system call
      has been fixed.  This allows a local attacker to cause a
      system panic, and may allow to gain unauthorized access to
      parts of kernel memory, possibly resulting in disclosure
      of sensitive information, bypass of access control
      mechanisms, or privilege escalation.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc">FreeBSD-SA-04:06</ulink>.</para>

    <para>Two programming errors in <application>CVS</application>
      have been fixed.  They allow a server to overwrite arbitrary
      files on the client, and a client to read arbitrary files
      on the server when accessing remote CVS repositories.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc">FreeBSD-SA-04:07</ulink>. &merged;</para>

    <para>A bugfix for <application>Heimdal</application> rectifies a
      problem in which it would not perform adequate checking of
      authentication across autonomous realms.  For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc">FreeBSD-SA-04:08</ulink>. &merged;</para>

    <para>A programming error in <application>CVS</application> which
      allow the malicious client to overwrite arbitrary portions of
      the server's memory has been fixed.  For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc">FreeBSD-SA-04:10</ulink>. &merged;</para>

    <para>A potential cache consistency problem of
      the implementation of the &man.msync.2; system call
      involving the <literal>MS_INVALIDATE</literal>
      operation has been fixed.  However, as a side effect of closing
      this security problem, the <literal>MS_INVALIDATE</literal>
      flag no longer guarantees that all pages in the range are invalidated.
      Users who require the old semantics of <literal>MS_INVALIDATE</literal>
      and are not concerned with the security issue being fixed can set the
      <varname>vm.old_msync</varname> sysctl to 1 which will revert to
      the old (insecure) behavior.  For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:11.msync.asc">FreeBSD-SA-04:11</ulink>. &merged;</para>

    <para>A programming error in the &man.jail.2; system call
      which results in a failure to verify that an attempt
      to manipulate routing tables originated from a non-jailed process
      has been fixed.
      For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:12.jail.asc">FreeBSD-SA-04:12</ulink>. &merged;</para>

    <para>A programming error in the handling of some Linux system calls which
      may result in memory locations being accessed without proper validation
      has been fixed.
      For more information, see security advisory <ulink
      url="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:13.linux.asc">FreeBSD-SA-04:13</ulink>. &merged;</para>

  </sect2>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para><literal>ADAPTIVE_MUTEXES</literal> has been added
      and enabled by default.  This changes the behavior
      of blocking mutexes to spin if the thread that currently
      owns the mutex is executing on another CPU.
      This feature can be disabled explicitly by setting
      a kernel option <varname>NO_ADAPTIVE_MUTEXES</varname>.</para>

    <para>A kernel option <varname>ADAPTIVE_GIANT</varname>, which
      causes the Giant lock to also be treated in
      an adaptive fashion when adaptive mutexes are enabled,
      has been added.  This improves the performance of SMP machines
      and is enabled by default on the i386.</para>

    <para>The &man.bus.dma.9; interface now supports transparently honoring
      the alignment and boundary constraints in the DMA tag
      when loading buffers, and <function>bus_dmamap_load()</function>
      will automatically use bounce buffers when needed.
      In addition, a set of sysctls <varname>hw.busdma.*</varname>
      for &man.bus.dma.9; statistics has been added.</para>

    <para>The &man.contigmalloc.9; function has been reimplemented
      with an algorithm which stands a greatly-improved chance of working
      despite pressure from running programs.  The old algorithm can be used
      by setting a sysctl <varname>vm.old_contigmalloc</varname>.  More details
      can be found in the &man.contigmalloc.9; manual page.</para>

    <para>The &man.devfs.5; path rules now work correctly on
      directories.</para>

    <para>The &man.getvfsent.3; API has been removed.</para>

    <para>The <varname>hw.pci.allow_unsupported_io_range</varname>
      loader tunable has been removed.</para>

    <para>&man.jail.2; now supports the use of raw sockets from within a jail.
      This feature is disabled by default, and controlled by using the
      <varname>security.jail.allow_raw_sockets</varname> sysctl.</para>

    <para>&man.kqueue.2; now supports a new filter
      <literal>EVFILT_FS</literal> to be used to signal generic file system
      events to the user space.  Currently, mount, unmount, and up/down
      status of NFS are signaled.</para>

    <para>KDB, a new debugger framework, has been added.
      This consists of a new GDB backend, which has been rewritten to support
      threading, run-length encoding compression, and so on, and
      the frontend that provides a framework in which multiple, different
      debugger backends can be configured and which provides
      basic services to those backends.
      The following options has been changed:</para>

    <itemizedlist>
      <listitem>
	<para>KDB is enabled by default
	  via the kernel options <literal>options KDB</literal>,
	  <literal>options GDB</literal>, and <literal>options DDB</literal>.
	  Both <literal>DDB</literal> and
	  <literal>GDB</literal> specify which KDB backends to include.</para>
      </listitem>

      <listitem>
	<para><literal>WITNESS_DDB</literal> has been renamed to
	  <literal>WITNESS_KDB</literal>.</para>
      </listitem>

      <listitem>
	<para><literal>DDB_TRACE</literal> has been renamed to
	  <literal>KDB_TRACE</literal>.</para>
      </listitem>

      <listitem>
	<para><literal>DDB_UNATTENDED</literal> has been renamed to
	  <literal>KDB_UNATTENDED</literal>.</para>
      </listitem>

      <listitem>
	<para><literal>SC_HISTORY_DDBKEY</literal> has been renamed to
	  <literal>SC_HISTORY_KDBKEY</literal>.</para>
      </listitem>

      <listitem>
	<para><literal>DDB_NOKLDSYM</literal> has been removed.
	  The new DDB backend supports pre-linker symbol
	  lookups as well as KLD symbol lookups at the same time.</para>
      </listitem>

      <listitem>
	<para><literal>GDB_REMOTE_CHAT</literal> has been removed.
	  The GDB protocol hacks to allow this are &os; specific.
	  At the same time, the GDB protocol has packets for console
	  output.</para>
      </listitem>
    </itemizedlist>

    <para>KDB also serves as the single point of contact for any and
      all code that wants to make use of the debugger functions,
      such as entering the debugger or handling of the
      alternate break sequence.
      For this purpose, the frontend has been made non-optional.
      All debugger requests are forwarded or handed over to the current
      backend, if applicable.
      Selection of the current backend is done by the
      <varname>debug.kdb.current</varname> sysctl.
      A list of configured backends can be obtained with the
      <varname>debug.kdb.available</varname> sysctl.
      One can enter the debugger by writing to the
      <varname>debug.kdb.enter</varname> sysctl.</para>

    <para>A new sysctl <varname>debug.kdb.stop_cpus</varname> has been
      added.  This controls whether or not IPI (Inter Processor Interrupts)
      to other CPUs will be delivered when entering the debugger,
      in order to stop them while in the debugger.</para>

    <para arch="amd64">Loadable kernel modules now work and are
      enabled in the amd64 build.</para>

    <para arch="amd64">Preliminary support for running 32-bit
      Linux binaries on amd64 has been added.  This feature is enabled with the
      <literal>COMPAT_LINUX32</literal> kernel option.</para>

    <para>A new kernel option <literal>MAC_STATIC</literal> which
      disables internal MAC Framework synchronization protecting against
      dynamic load and unload of MAC policies, has been added.</para>

    <para>The &man.mac.bsdextended.4; policy now supports to match and
      apply on a first rule only in place of all rules match.
      This feature can be enabled by setting a new sysctl
      <varname>mac_bsdextended_firstmatch_enabled</varname>.</para>

    <para>The &man.mac.bsdextended.4; policy can now log
      failed attempts to syslog's <literal>AUTHPRIV</literal> facility.
      This feature can be enabled by setting a new sysctl
      <varname>mac_bsdextended_logging</varname>.</para>

    <para>mballoc has been replaced with mbuma, an Mbuf and Cluster
      allocator built on top of a number of extensions to the UMA framework.
      Due to this change, the <literal>NMBCLUSTERS</literal> kernel option
      is no longer used.  The maximum number of the clusters is still
      capped off according to <literal>maxusers</literal>,
      but it can be made unlimited by setting the
      <varname>kern.ipc.nmbclusters</varname> loader tunable to zero.</para>

    <para><filename>/dev/kmem</filename>, <filename>/dev/mem</filename>,
      and <filename>/dev/io</filename> are also provided as kernel
      loadable modules now.</para>

    <para>A bug in &man.mmap.2; that pages marked as <literal>PROT_NONE</literal>
      may become readable under certain circumstances, has been fixed.  &merged;</para>

    <para arch="i386,pc98">A new kernel option <literal>MP_WATCHDOG</literal>
      has been added; it
      allows one of the logical CPUs on a system to be used as a dedicated
      watchdog to cause a drop to the debugger and/or generate an NMI
      to the boot processor if the kernel ceases to respond.
      Several sysctls are available to enable the watchdog running out of the
      processor's idle thread; a callout is launched to reset a timer
      in the watchdog.  If the callout fails to reset the timer for ten seconds,
      the timeout process will take place.  The <varname>debug.watchdog_cpu</varname>
      sysctl allows to select which CPU will run the watchdog.</para>

    <para arch="i386,pc98">A sysctl <varname>debug.leak_schedlock</varname>
      has been added.  This causes a sysctl handler that incorrectly leaks
      the holding sched lock, to spin the lock
      in order to trigger the watchdog provided by the
      <literal>MP_WATCHDOG</literal> option.</para>

    <para>A new loader tunable <varname>debug.mpsafenet</varname> has been
      added and enabled by default.  This causes the &os; network stack
      to operate without the Giant lock, resulting in performance
      improvement by increasing parallelism and decreasing latency
      in network processing.  Note that enabling one of the &man.ng.tty.4;
      Netgraph node type, KAME IPsec, and IPX/SPX subsystem results in a boot-time
      restoration of Giant-enabled network operation, or run-time
      warning on dynamic load as these components require Giant lock
      for correct operation.</para>

    <para>A new kernel option <varname>NET_WITH_GIANT</varname> has been
      added.  This restores the default value of debug.mpsafenet to
      <literal>0</literal>, and is intended for use on systems compiled with
      known unsafe components, or where a more conservative configuration is
      desired.</para>

    <para>A new loader tunable <varname>debug.mpsafevm</varname> has been
      added.  This currently results in almost
      Giant-free execution of zero-fill page faults.</para>

    <para arch="i386,amd64">A loader tunable <varname>debug.mpsafevm</varname>
      has been enabled by default.</para>

    <para arch="alpha,amd64,i386">A new kernel option
      <literal>PREEMPTION</literal> has been added.
      This allows the threads that are in the kernel to be preempted
      by higher priority threads.  It helps with interactivity and
      allows interrupt threads to run sooner rather than waiting.</para>

    <para>A devclass level has been added to the dev sysctl tree,
      in order to support per-class variables in addition to
      per-device variables.  This means that <varname>dev.foo0.bar</varname>
      is now called <varname>dev.foo.0.bar</varname>, and it is
      possible to to have <varname>dev.foo.bar</varname> as well.</para>

    <para>A new sysctl, <varname>kern.always_console_output</varname>,
      has been added.  It makes output from the kernel go to the console despite
      the use of <varname>TIOCCONS</varname>.</para>

    <para>A sysctl <varname>kern.sched.name</varname>
      which has the name of the scheduler currently in use,
      has been added, and the <varname>kern.quantum</varname> sysctl
      has been moved to <varname>kern.sched.quantum</varname>
      for consistency.</para>

    <para>The &man.pci.4; bus resource and power management have
      been updated.

      <note>
	<para>Although the &man.pci.4; bus power state management
	  has been enabled by default, it may cause problems on some systems.
	  This can be disabled by setting the tunable
	  <varname>hw.pci.do_powerstate</varname> to
	  <literal>0</literal>.</para>
      </note>
    </para>

    <para>The ULE scheduler has been added as an additional scheduler.
      Note that the conventional one, which is called 4BSD, is still used
      as the default scheduler in <filename>GENERIC</filename> kernel.
      For the average user,
      interactivity is reported to be better in many cases.  This
      means less <quote>skipping</quote> and <quote>jerking</quote> in
      interactive applications while the machine is very busy.  This
      will not prevent problems due to overloaded disk subsystems, but
      it does help with overloaded CPUs.  On SMP machines, ULE has
      per-CPU run queues which allow for CPU affinity, CPU binding,
      and advanced HyperThreading support, as well as providing a
      framework for more optimizations in the future.  As fine-grained
      kernel locking continues, the scheduler will be able to make
      more efficient use of the available parallel resources.</para>

    <para>A linear search algorithm used in
      &man.vm.map.findspace.9; has been replaced with
      an O(log n) algorithm built into the map entry splay tree.
      This significantly reduces the overhead in &man.vm.map.findspace.9;
      for applications that &man.mmap.2; many hundreds or thousands
      of regions.</para>

    <para>The loader tunables <varname>debug.witness_*</varname>
      have been renamed to <varname>debug.witness.*</varname>.</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <para>The &os; dynamic and static linker now support Thread Local Storage (TLS),
      a <application>GCC</application> feature which supports
      a <literal>__thread</literal> modifier
      to the declaration of global and static variables.
      This extra modifier means that the variable's value is
      thread-local; one thread changing its value will not
      affect the value of the variable in any other thread.</para>

    <para>The kernel's file descriptor allocation code has been
      updated, and is now derived from similar code in OpenBSD.</para>

    <para arch="sparc64">On &os;/sparc64, <varname>time_t</varname>
      has been changed from a 32-bit value to a 64-bit value.

      <note>
	<para>Since this change is not backward-compatible,
	  any programs which were built on an older system using
	  a 32-bit <varname>time_t</varname> and
	  call system routines for handling
	  <varname>time_t</varname> values, will have to be recompiled.
	  More detailed information and notice on upgrading from
	  the source can be found in
	  <filename>/usr/src/UPDATING.64BTT</filename>.</para>
      </note>
    </para>

    <para arch="i386">It is now possible to compile the &os;/i386
      kernel with the Intel C/C++ Compiler (as in the <filename
      role="package">lang/icc</filename> port).</para>

    <sect3 id="boot">
      <title>Boot Loader Changes</title>

      <para arch="i386">A serial console-capable version of
	<filename>boot0</filename> has been added.  It can be written
	to a disk using &man.boot0cfg.8; and specifying
	<filename>/boot/boot0sio</filename> as the argument to the
	<option>-b</option> option.</para>

      <para arch="i386"><filename>cdboot</filename> now works around a
	BIOS problem observed on some systems when booting from USB
	CDROM drives.</para>

      <!-- Above this line, order boot loader changes by keyword-->

    </sect3>

    <sect3 id="proc">
      <title>Hardware Support</title>

      <para arch="i386">The &man.acpi.asus.4; driver has been added
	to use ACPI-controlled hardware features, such as hot keys and
	LEDs on ASUSTek laptops.</para>

      <para arch="i386">The &man.acpi.panasonic.4; driver has been added
	to support hot keys of Panasonic laptops.  It now supports
	Let's note (or Toughbook, outside Japan) CF-R1N, CF-R2A, and
	CF-R3.</para>

      <para arch="i386">The &man.acpi.toshiba.4; driver has been added
	to use Toshiba's Hardware Control Interface to manipulate
	certain hardware features on Toshiba laptops, such as
	video output switching.</para>

      <para>The &man.acpi.video.4; driver has been added to provide
	control display switching and backlight brightness using the
	ACPI Video Extensions.</para>

      <para arch="i386">The &man.acpi.4; driver now supports
	per-device sysctls (<varname>dev.root0.nexus0.acpi0.acpi_lid0.wake</varname>,
	for instance) to allow users to set whether or not a given
	device can wake the system.</para>

      <para arch="i386">The &man.acpi.4; driver will now
	be disabled automatically when the machine has a well-known broken BIOS.
	This behavior can be overridden by setting the loader tunable
	<varname>hint.acpi.0.disabled</varname> to <literal>0</literal>.</para>

      <para arch="amd64">The &man.agp.4; driver now supports the AMD64 graphics
	aperture relocation table (GART).</para>

      <para arch="i386">The &man.ctau.4; driver has been added for Cronyx Tau
	synchronous serial adapters. This driver was known for a long time as
	<quote>ct</quote> in its previous life outside the &os; source tree. &merged;

	<note>
	  <para>The driver name has changed, but the network interface still
	    has the <devicename>ct</devicename> name.</para>
	</note>
      </para>

      <para arch="i386,pc98">The &man.cp.4; driver has been added for Cronyx Tau-PCI
	synchronous serial adapters.</para>

      <para arch="i386,pc98">The <devicename>dgb</devicename>
	(DigiBoard intelligent serial card) driver has been
	removed due to breakage.  Its replacement is the &man.digi.4; driver,
	which supports all the hardware of the <devicename>dgb</devicename>
	driver.</para>

      <para>The &man.nmdm.4; driver has been rewritten to improve its reliability.</para>

      <para>The <devicename>raid(4)</devicename> driver
	(RAIDframe disk driver from NetBSD) has been removed.
	It is currently non-functional, and would require some amount of work
	to make it work under the &man.geom.4; API in 5-CURRENT.</para>

      <para>An entry of the &man.pcic.4; driver has been removed from a
	kernel configuration file for <filename>GENERIC</filename> kernel because
	this is no longer maintained.  The entry had actually
	been commented out for a long time.</para>

      <para arch="i386">The &man.psm.4; driver and &man.moused.8;
	now support the Synaptics TouchPad.</para>

      <para arch="i386">The entropy device &man.random.4; now
        supports a hardware random number generator (RNG)
        in the VIA C3 Nehemiah (Stepping 3 and above) CPU.</para>

      <para arch="sparc64">The &man.sab.4; driver now supports the
	<literal>BREAK_TO_DEBUGGER</literal> kernel option.</para>

      <para arch="i386,pc98">The <devicename>sx</devicename> driver,
	which supports Specialix I/O8+ and I/O4+
	intelligent multiport serial controllers, has been added.</para>

      <para arch="alpha,amd64,i386">For the &man.uart.4; device,
	the <varname>hw.uart.console</varname> and
	<varname>hw.uart.dbgport</varname> kernel environment variables
	have been added.  They can be used to select a serial console and
	debug port respectively, as well as the attributes.</para>

      <para>The &man.ubser.4; device driver has been added to support
	BWCT console management serial adapters.</para>

      <para>&man.ucycom.4; driver has been added for
	the Cypress CY7C637xx and CY7C640/1xx families of USB to RS232 bridges,
	such as the one found in the DeLorme Earthmate USB GPS
	receiver (which is the only device currently supported by this driver).
	This driver is not complete because there is no support yet for flow
	control and output.</para>

      <para arch="i386">Several old drivers for ISA cards have been removed,
	including
	the <devicename>asc</devicename> driver for GI1904-based hand scanners,
	the <devicename>ctx</devicename> driver for CORTEX-I Frame Grabber,
	the <devicename>gp</devicename> driver for National Instruments AT-GPIB and AT-GPIB/TNT boards,
	the <devicename>gsc</devicename> driver for the Genius GS-4500 hand scanner,
	the <devicename>le</devicename> driver for DEC EtherWORKS II and III Ethernet controllers,
	the <devicename>rdp</devicename> driver for RealTek RTL 8002-based pocket Ethernet adapters,
	the <devicename>spigot</devicename> driver for the Creative Labs Video Spigot video-acquisition board,
	the <devicename>stl</devicename> and
	<devicename>stli</devicename> drivers for Stallion Technologies multiport serial
	controllers, and the <devicename>wt</devicename> driver for Archive/Wangtek cartridge tapes.
	They are currently non-functional, and would require a considerable
	amount of work to make them work under the new API in 5-CURRENT.
	The userland support such as related ioctls and utilities including
	<devicename>sasc</devicename> and <devicename>sgsc</devicename>
	has also been removed.</para>

      <para>The device driver infrastructure (as well as many drivers)
	have been updated.  Among the changes: Many more drivers now use
	automatically-assigned major numbers (instead of the old static
	major numbers).  Enhanced functions to support cloning of
	pseudo-devices.  Several changes to the driver API, including a
	new <varname>d_version</varname> field in <varname>struct
	  cdevsw</varname>.  Note that third-party device drivers will
	require recompiling after this change.</para>

      <sect4 id="mm">
	<title>Multimedia Support</title>

	<para>The <devicename>meteor</devicename> (video capture)
	  driver has been removed due to
	  breakage and lack of maintainership.</para>

	<para>The Direct Rendering Manager (DRM) code has been updated
	  from the DRI Project CVS tree as of 26 May, 2004.  This update
	  includes new PCI IDs and a new packet for Radeon.</para>

	<para>The drivers for various sound cards has been reorganized;
	  <literal>device sound</literal> is the generic sound driver,
	  and <literal>device snd_*</literal> are device-specific sound drivers now.
	  The <devicename>midi</devicename> driver, which supports serial port
	  and several sound cards, has been removed.
	  More details can be found in related manual pages:
	  &man.sound.4;, &man.snd.ad1816.4;, &man.snd.als4000.4;, &man.snd.cmi.4;,
	  &man.snd.cs4281.4;, &man.snd.csa.4;, &man.snd.ds1.4;, &man.snd.emu10k1.4;,
	  &man.snd.es137x.4;, &man.snd.gusc.4;, &man.snd.maestro3.4;,
	  &man.snd.sbc.4;, &man.snd.solo.4;, and &man.snd.uaudio.4;.</para>

	<para>The &man.sound.4; (formerly &man.pcm.4;) driver has been modified to read
	  <filename>/boot/device.hints</filename> on startup, to allow setting
	  of default values for mixer channels.
	  Note that currently the device driver's name used in
	  <filename>/boot/device.hints</filename> is still <literal>pcm</literal>.
	  More detailed information and examples can be found in the &man.sound.4;
	  manual page.</para>
      </sect4>

      <sect4 id="net-if">
	<title>Network Interface Support</title>

	<para arch="i386">The &man.arl.4; driver, which supports
	  Aironet Arlan 655 wireless adapters has been added. &merged;</para>

	<para arch="sparc64">The &man.dc.4; driver now supports sparc64
	  Davicom cards that store their MAC address in
	  Open Firmware.</para>

	<para>A short hiccup in the &man.em.4; driver during parameter
	  reconfiguration, has been fixed.  &merged;</para>

	<para>The &man.fwip.4; driver, which supports IP over FireWire has been added.
	  Note that currently the broadcast channel number is hardwired and
	  MCAP for multicast channel allocation is not supported.
	  This driver is intended to conform to the RFC 2734 and RFC 3146
	  standard for IP over FireWire and eventually replace
	  the &man.fwe.4; driver.</para>

	<para>&man.fxp.4; now uses the device sysctl tree such as
	  <varname>dev.fxp0</varname>, and those sysctls can be set
	  on a per-device basis.</para>

	<para>&man.fxp.4; now provides actual control over its capability
	  to receive extended Ethernet frames, indicated by the
	  <literal>VLAN_MTU</literal> interface capability.
	  It can be toggled from userland with the aid of the
	  <option>vlanmtu</option> and <option>-vlanmtu</option> options
	  to &man.ifconfig.8;.</para>

	<para arch="i386,pc98">The <devicename>hea</devicename>
	  (Efficient Networks, Inc. ENI-155p ATM adapter)
	  driver has been removed due to breakage.  Its functionality
	  has been subsumed into the &man.en.4; driver.</para>

	<para>The &man.hme.4; driver now natively supports
	  long frames, so it can be used for &man.vlan.4; with full Ethernet
	  MTU size.</para>

	<para>The &man.hme.4; driver now supports
	  TCP/UDP Transmit/Receive checksum offload.
	  Since &man.hme.4; does not compensate the checksum
	  for UDP datagram which can yield to <literal>0x0</literal>,
	  UDP transmit checksum offload is disabled by default.
	  This can be reactivated by setting the special link
	  option <option>link0</option> with &man.ifconfig.8;.</para>

	<para>The &man.ixgb.4; driver, which supports
	  Intel PRO/10GBE 10 Gigabit Ethernet cards, has been
	  added. &merged;</para>

	<para arch="i386">The <devicename>lmc</devicename>
	  (LAN Media Corp. PCI WAN adapter) driver has been
	  removed due to breakage and lack of maintainership.</para>

	<para arch="i386">The <devicename>loran</devicename>
	  (Loran-C receiver) driver has been removed due to
	  breakage and lack of maintainership.</para>

	<para arch="i386">&os; now provides a binary compatibility layer
	  for using &microsoft.windows; NDIS drivers for network
	  adapters under &os;/i386.  It includes a relocator/linker for
	  &windows; <filename>.SYS</filename> files to interface with
	  the &os; kernel and emulates various parts of the NDIS API
	  using native &os; kernel functions.  This system supports PCI
	  (&man.pci.4;) and CardBus (&man.cardbus.4;) network devices,
	  and is designed principally for
	  Ethernet and wireless network interfaces.
	  For more information, see the &man.ndis.4; and
	  &man.ndiscvt.8; manual pages.</para>

	<para>A bug that prevents VLAN support in the &man.nge.4; driver
	  from working has been fixed.  &merged;</para>

	<para>Several bugs related to &man.polling.4; support
	  in the &man.rl.4; driver have been fixed.  &merged;</para>

	<para>Several bugs related to multicast and promiscuous mode
	  handling in the &man.sk.4; driver have been fixed.</para>

	<para>The &man.ste.4; driver now supports &man.polling.4;.
	  &merged;</para>

	<para>The &man.udav.4; driver has been added.  It provides
	  support for USB Ethernet adapters based on the Davicom DM9601
	  chipset.</para>

	<para>&man.vge.4; driver, which supports
	  the VIA Networking Technologies
	  VT6122 Gigabit Ethernet chip and integrated 10/100/1000 copper PHY,
	  has been added.</para>

	<para>The &man.vr.4; driver now supports &man.polling.4;.  &merged;</para>

	<para>The hardware TX checksum support in the &man.xl.4; driver
	  has been disabled as it does not work correctly and slows down
	  the transmission rate.  &merged;</para>

	<para>Interface &man.polling.4; support
	  can now be enabled on a per-interface basis.  All of the network drivers that support &man.polling.4;
	  (&man.dc.4;, &man.fxp.4;, &man.em.4;, &man.nge.4;, &man.re.4;,
	  &man.rl.4;, &man.sis.4;, &man.ste.4;, and &man.vr.4;)
	  now also support this capability and it can be controlled
	  via &man.ifconfig.8;.  &merged;</para>
      </sect4>
    </sect3>

    <sect3 id="net-proto">
      <title>Network Protocols</title>

      <para>The &man.gre.4; tunnel driver now supports WCCP version
	2.</para>

      <para>&man.ipfw.4; rules now support the <literal>versrcreach</literal>
        option to verify that a valid route to the source address
	of a packet exists in the routing table.
	This option is very useful for routers with a complete view of
	the Internet (BGP) in the routing table to reject packets with
	spoofed or unroutable source addresses.  For example,

	<programlisting>deny ip from any to any not versrcreach</programlisting>

	is equivalent to the following in Cisco IOS syntax:

	<programlisting>ip verify unicast source reachable-via any</programlisting>
      </para>

      <para>&man.ipfw.4; rules now support the <literal>antispoof</literal>
        option to verify if incoming packet's source address belongs to
	a directly connected network.  If the network is directly
	connected, then the interface the packet came on in is compared to
	the interface the network is connected to.  When incoming interface
	and directly connected interface are not the same, the packet does
	not match.  For example:

	<programlisting>deny ip from any to any not antispoof in</programlisting>
      </para>

      <para>&man.ipfw.4; rules now support the <literal>jail</literal>
        option to associate the rule with a specific prison ID.
	For example:

	<programlisting>count ip from any to any jail 2</programlisting>

	Note that this rule currently applies for TCP and UDP packets only.
      </para>

      <para>&man.ipfw.4; now supports lookup tables.  This feature is
        useful for handling large sparse address sets. &merged;</para>

      <para>The &man.ipfw.4; <literal>forward</literal> rule has to be compiled
	into the kernel with a kernel option <literal>IPFIREWALL_FORWARD</literal>
	to enable it.</para>

      <para>A new sysctl <varname>net.inet.ip.process_options</varname>
	to control the processing of IP options.  When this sysctl
	is set to <literal>0</literal> IP options are ignored and passed unmodified,
	set to <literal>1</literal> all IP options are processed (default),
	and set to <literal>2</literal> all packets with
	IP options are rejected with an ICMP filter prohibited message,
	respectively.</para>

      <para>Some bugs in the IPsec implementation from the KAME
	Project have been fixed.  These bugs were related to freeing
	memory objects before all references to them were removed, and
	could cause erratic behavior or kernel panics after flushing
	the Security Policy Database (SPD).</para>

      <para>&man.natd.8; now supports multiple instances via
	a new option <option>globalports</option>.
	This allows &man.natd.8; to be bound to
	different network interfaces and sharing of load.</para>

      <para>The &man.ng.atmllc.4; Netgraph node type, which handles
	RFC 1483 ATM LLC encapsulation, has been added.</para>

      <para>The &man.ng.hub.4; Netgraph node type, which supports
	a simple packet distribution that acts like an Ethernet hub,
	has been added.  &merged;</para>

      <para>The &man.ng.rfc1490.4; Netgraph node type now supports
	Cisco style encapsulation, which is often used alongside
	RFC 1490 in frame relay links.</para>

      <para>The &man.ng.sppp.4; Netgraph node type, which is a &man.netgraph.4
	interface to the original &man.sppp.4 network module for synchronous
	lines, has been added.</para>

      <para>A new Netgraph method has been added to restore some
	behavior lost in the change from 4.<replaceable>X</replaceable> style &man.ng.tee.4;
	Netgraph nodes.</para>

      <para>The &man.ng.vlan.4; Netgraph node type, which supports
        IEEE 802.1Q VLAN tagging, has been added.  &merged;</para>

      <para><literal>PFIL_HOOKS</literal> support is now always
	compiled into the kernel, and the associated kernel compile
	options have been removed.  All of the packet filter subsystems
	that &os; supports now use the <literal>PFIL_HOOKS</literal>
	framework.</para>

      <para>The link state change notification of Ethernet media
	support has been added to the routing socket.</para>

      <para>Link Quality Monitoring (LQM) support in &man.ppp.8;
	has been reimplemented.  LQM, which is described
	in RFC 1989, allows PPP to keep track of the quality
	of a running connection. &merged;</para>

      <para>The pseudo-interface cloning has been updated and
	the match function to allow creation of &man.stf.4;
	interfaces named <devicename>stf0</devicename>,
	<devicename>stf</devicename>, or <devicename>6to4</devicename>.
	Note that this breaks backward compatibility; for example,
	<command>ifconfig stf</command> now creates
	the interface named <devicename>stf</devicename>,
	not <devicename>stf0</devicename>, and does not print
	<devicename>stf0</devicename> to stdout.</para>

      <para>The following TCP features are now enabled by default: RFC
	3042 (Limited Retransmit), RFC 3390 (increased initial
	congestion window sizes), TCP bandwidth-delay product
	limiting.  A set of sysctls <varname>net.inet.tcp.rfc3042</varname>,
	<varname>net.inet.tcp.rfc3390</varname>, and
	<varname>net.inet.tcp.inflight.enable</varname>
	for these features are available.
	More information can be found in &man.tcp.4;.</para>

      <para>&os;'s TCP implementation now includes support for a
	minimum MSS (settable via the
	<varname>net.inet.tcp.minmss</varname> sysctl variable) and a
	rate limit on connections that send many small TCP segments
	within a short period of time (via the
	<varname>net.inet.tcp.minmssoverload</varname> sysctl
	variable).  Connections exceeding this limit may be reset and
	dropped.  This feature provides protection against a class of
	resource exhaustion attacks.</para>

      <para>The TCP implementation now includes partial (output-only)
	support for RFC 2385 (TCP-MD5) digest support.  This feature,
	enabled with the <literal>TCP_SIGNATURE</literal> and
	<literal>FAST_IPSEC</literal> kernel options, is a TCP option
	for authenticating TCP sessions.  &man.setkey.8; now includes
	support for the TCP-MD5 class of security associations.
	&merged;</para>

      <para>The TCP connection reset handling has been improved to
        make several reset attacks as difficult as possible while
	maintaining compatibility with the widest range of TCP stacks.</para>

      <para>The implementation of RFC 1948 has been improved.
	The time offset component of an Initial Sequence Number (ISN)
	now includes random positive
	increments between clock ticks so that ISNs will always
	be increasing, no matter how quickly the port is recycled.</para>

      <para>The random ephemeral port allocation, which come from OpenBSD
	has been implemented.  This is enabled by default and can be disabled
	by using the <varname>net.inet.ip.portrange.randomized</varname>
	sysctl.  &merged;</para>

      <para>TCP Selective Acknowledgements (SACK) as described in RFC
        2018 have been added.  This improves TCP performance over
        connections with heavy packet loss.  SACK can be enabled with
        the sysctl <varname>net.inet.tcp.sack.enable</varname>.</para>
    </sect3>

    <sect3 id="disks">
      <title>Disks and Storage</title>

      <para>The &man.ata.4; driver now supports &man.cardbus.4; ATA/SATA
        controllers.</para>

      <para>A number of bugs in the &man.ata.4; driver have been
	fixed.  Most notably, master/slave device detection should
	work better, and some problems with timeouts should be
	resolved.</para>

      <para>The &man.ata.4; driver now supports the Promise command
	sequencer present on all modern Promise controllers
	(PDC203** PDC206**).

	<note>
	  <para>This also adds preliminary support for the
	    Promise SX4/SX4000 as a <quote>normal</quote> Promise ATA
	    controller; ATA RAID's are supported though
	    but only RAID0, RAID1 and RAID0+1.</para>
	</note>
      </para>

      <para>The <literal>DA_OLD_QUIRKS</literal> kernel option,
	which is for the CAM SCSI disk driver (&man.cam.4;),
	has been removed.  &merged;</para>

      <para arch="pc98">A bug of the automatic density selection code
	in the &man.fd.4; driver has been fixed.</para>

      <para>A bug in &man.geom.4; that could result in I/O hangs in some rare
	cases has been fixed.</para>

      <para>A new <literal>GEOM_CONCAT</literal>
	&man.geom.4; class has been added to concatenate
        multiple disks to appear as a single larger disk.</para>

      <para>A new <literal>GEOM_NOP</literal> &man.geom.4; class for various
	testing purposes has been added.</para>

      <para>A new <literal>GEOM_RAID3</literal> &man.geom.4; class for
	RAID3 transformation and &man.graid3.8; userland utility
	have been added.</para>

      <para>A new <literal>GEOM_STRIPE</literal>
	&man.geom.4; class which implements RAID0 transformation has been added.
	This class has two modes: <quote>fast</quote> and
	<quote>economic</quote>.  In fast mode,
	when very small stripe size is used, only one I/O request
	will be sent to every disk in a stripe; it performs about 10
	times faster for small stripe sizes than economic
	mode and other RAID0 implementations.
	While fast mode is used by default,
	it consumes more memory than
	economic mode, which sends requests each time.
	Economic mode can be enabled by setting a loader tunable
	<varname>kern.geom.stripe.fast</varname> to 0.
	It is also possible to specify the maximum memory
	that fast mode can consume,
	by setting the loader tunable
	<varname>kern.geom.stripe.maxmem</varname>.</para>

      <para>GEOM Gate, which consists of a new <literal>GEOM_GATE</literal>
	&man.geom.4; class and several GEOM Gate userland utilities
	(&man.ggatel.8;, &man.ggatec.8;,
	and &man.ggated.8;) has been added.  It supports exporting
	devices, including non &man.geom.4;-aware devices,
	through the network.</para>

      <para>A new <literal>GEOM_LABEL</literal>
	&man.geom.4; class to detect volume labels on various file systems,
	such as UFS, MSDOSFS (FAT12, FAT16, FAT32), and ISO9660,
	has been added.</para>

      <para>A new <literal>GEOM_GPT</literal> &man.geom.4; class,
	which supports GUID Partition Table (GPT) partitions
	and the ability to have a large
	number of partitions on a single disk, has been added into
	<filename>GENERIC</filename> by default.</para>

      <para>A new <literal>GEOM_MIRROR</literal> &man.geom.4; class to support
	which supports RAID1 functionality, has been added.
	The &man.gmirror.8; utility can be used for control
	of this class.</para>

      <para>A new <literal>GEOM_UZIP</literal> &man.geom.4; class to implement
	read-only compressed disks has been added.
	This currently supports cloop V2.0 disk compression format.</para>

      <para>A new <literal>GEOM_VINUM</literal> &man.geom.4; class to support
	cooperation between &man.vinum.4; and &man.geom.4;
	has been added.</para>

      <para>The &man.ips.4; driver now supports the recent
	Adaptec ServeRAID series SCSI controller cards.</para>

      <para arch="sparc64">A bug in the &man.isp.4; driver
        which prevents the cards on SBus from working correctly,
	has been fixed.</para>

      <para arch="i386">The &man.twa.4; driver, which supports
	3ware's 9000 series PATA/SATA RAID controllers has been added.  &merged;</para>

      <para>The &man.umass.4; driver now supports the missing
	ATAPI MMC commands and handles the timeout properly.  &merged;</para>

      <para>The &man.vinum.4; volume manager, has been updated to use
        &man.geom.4;, the 5.x disk I/O request transformation framework.
	A <command>gvinum</command> userland utility has been added.</para>

      <para arch="sparc64">The &man.esp.4; device driver has been
        ported from NetBSD to support the SBus SCSI card in Sun Ultra
        1e and 2 machines.</para>

      <para>Support for LSI-type software RAID has been added.</para>

    </sect3>

    <sect3 id="fs">
      <title>File Systems</title>

      <para>The autofs(9) file system and the userland library
	&man.libautofs.3; have been added.</para>

      <para>The EXT2FS file system code now includes partial support
	for large (&gt; 4GB) files.  This support is partial in that
	it will refuse to create large files on file systems that have
	not been upgraded to <literal>EXT2_DYN_REV</literal> or that
	do not have the
	<literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
	in the superblock.</para>

      <para>A panic in the NFSv4 client has been fixed; this occurred
	when attempting operations against an NFSv3/NFSv2-only
	server.</para>

      <para>The <literal>MSDOSFS_LARGE</literal> kernel option
	has been added to support FAT32 file systems bigger
	than 128GB.  This option is disabled by default.  It
	uses at least 32 bytes of kernel memory for
	each file on disk; furthermore it is only safe to use in certain
	controlled situations, such as read-only mount
	with less than 1 million files and so on.
	Exporting these large file systems
	over NFS is not supported.</para>

      <para>The SMBFS client now has support for SMB request signing,
	which prevents <quote>man in the middle</quote> attacks and is
	required in order to connect to Windows 2003 servers in their
	default configuration.  As signing each message imposes a
	significant performance penalty, this feature is only enabled
	if the server requires it; this may eventually become an
	option to &man.mount.smbfs.8;.</para>
    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para>The <application>ALTQ framework</application>
	has been imported from a KAME snapshot as of 7 June, 2004.
	This import breaks ABI compatibility of
	<varname>struct ifnet</varname> and requires all network
	drives to be recompiled.
	Additionally some of the networking drivers have been
	modified to support the ALTQ framework.
	Updated drivers are &man.bfe.4;, &man.em.4;, &man.fxp.4;,
	&man.em.4;, &man.lnc.4;, &man.tun.4;, &man.de.4;,
	&man.rl.4;, &man.sis.4;, and &man.xl.4;.</para>

      <para><application>IPFilter</application> has been updated
	from version 3.4.31 to version 3.4.35 &merged;.</para>

      <para arch="ia64">An ia64 stack unwinder,
	<application>Unwind Express (libuwx)</application>
	by Hewlett-Packard has been imported for use in the kernel.</para>
    </sect3>
  </sect2>

  <sect2 id="userland">
    <title>Userland Changes</title>

    <para>&man.acpidump.8; now supports SSDT tables.  Dumping or
      disassembling the DSDT will now include the contents if
      there are any SSDT table as well.</para>

    <para>&man.bsdlabel.8; now supports a <option>-f</option> option
      to work on files instead of disk partitions.</para>

    <para>&man.bsdtar.1; is now the default &man.tar.1; utility in the &os;
      base system.  <filename>/usr/bin/tar</filename>
      has been a symlink pointing to
      <filename>/usr/bin/bsdtar</filename> by default.
      To return to using <filename>/usr/bin/gtar</filename> by
      default, the <varname>WITH_GTAR</varname>
      make variable can be used.</para>

    <para>The <command>bthidcontrol</command> and
      <command>bthidd</command> commands, which support Bluetooth
      HIDs (Human Interface Devices), have been added.</para>

    <para>&man.col.1;, &man.colcrt.1;, &man.colrm.1;,
      &man.column.1;, &man.fmt.1;, &man.join.1;, &man.rev.1;,
      &man.tr.1;, and &man.ul.1; now support multibyte characters.</para>

    <para>&man.conscontrol.8; now supports
      <literal>set</literal> and <literal>unset</literal>
      commands which set/unset the virtual console.
      <literal>unset</literal> makes outputs from the system, such as
      the kernel &man.printf.9;, always go out to the real
      main console.  This is an interface to the tty ioctl
      <literal>TIOCCONS</literal>.</para>

    <para>The &man.cron.8 daemon now accepts two new options,
      <option>-j</option> and <option>-J</option>, to enable
      time jitter for jobs to run as unprivileged users and the
      superuser, respectively.  Time jitter means that &man.cron.8
      will sleep for a small random period of time in the specified
      range before executing a job.  This feature is intended to
      smooth load peaks appearing when a lot of jobs are scheduled
      for a particular moment. &merged;</para>

    <para>A bug that prevents &man.crontab.1 with the <option>-e</option>
      option from properly prompting the user to re-edit the entries written in
      the incorrect format, has been fixed.</para>

    <para>&man.cut.1; <option>-c</option>,
      <option>-d</option>, and <option>-f</option>
      now work correctly in locales with multibyte characters.</para>

    <para>&man.cvs.1; now supports <option>iso8601</option>
      option keyword to print dates in ISO 8601 format.</para>

    <para>&man.daemon.8; now supports a <option>-p</option>
      option to create a PID file.</para>

    <para>&man.dd.1; now supports a <option>fillchar</option> option
      to specify an alternative padding character when using a conversion
      mode, or when using <option>noerror</option> with
      <option>sync</option> and an input error occurs.</para>

    <para>&man.df.1; now supports a <option>-c</option> option to display
      a grand total of statistics for file systems.</para>

    <para>A bug in &man.df.1;, which can print invalid information
      when a <option>-t</option> option is specified and
      a mount point is not accessible by the calling user,
      has been fixed.</para>

    <para>The <command>doscmd</command> utility has been
      removed from the &os; base system.  It is now available
      via the <filename role="package">emulators/doscmd</filename>
      port in the &os; Ports Collection.</para>

    <para>&man.dump.8; and &man.restore.8; now support
      a <option>-P</option> option to specify backup methods
      other than files and tapes.  The argument is passed to
      a normal &man.sh.1; pipeline with either the
      <varname>$DUMP_VOLUME</varname> or <varname>$RESTORE_VOLUME</varname>
      environment variable defined, respectively.
      For more information, see &man.dump.8; and &man.restore.8;.</para>

    <para>The &man.eeprom.8; utility to display and
      modify system configurations stored in EEPROM or NVRAM
      has been added.  The current implementation supports
      systems equipped with Open Firmware.</para>

    <para arch="pc98">The &man.fdcontrol.8;, &man.fdformat.1;, and
      &man.fdread.1; utilities now work on &os;/pc98.</para>

    <para>&man.fgetwln.3; function, a wide character version of
      &man.fgetln.3; has been added.</para>

    <para>The &man.find.1; utility now supports a <option>-acl</option>
      primary to locate files with &man.acl.3;.</para>

    <para>The &man.find.1; utility now supports a new primary
      <option>-depth <replaceable>n</replaceable></option>
      which tests whether the depth of the current file relative
      to the starting point of the traversal is <replaceable>n</replaceable>.
      &merged;</para>

    <para>&man.ftpd.8; now opens a socket for a data transfer
      in active mode using effective UID of the current user,
      not <username>root</username>.  This is useful for matching anonymous FTP data
      traffic with a single &man.ipfw.8; rule with <literal>uid</literal>.</para>

    <para>The &man.ftw.3; and &man.nftw.3; functions have been implemented.
      These are used to traverse a directory hierarchy.</para>

    <para>The &man.geom.8; utility for operating on &man.geom.4; classes
      from the userland has been added.</para>

    <para>&man.gpt.8;, a GUID partition table maintenance utility,
      now supports a <option>remove</option> command.  Its
      <option>add</option> command now supports a <option>-i</option> option,
      which allows the user to specify
      the partition number of a new partition.</para>

    <para>The &man.id.1; now supports a <option>-M</option> option
      to print the MAC label of the current process.</para>

    <para>&man.ifconfig.8; now supports renaming of network interfaces
      at run-time using the <option>name</option> parameter.</para>

    <para>&man.ifconfig.8; now prints the &man.polling.4; status
      on the interface.  &merged;</para>

    <para>&man.ifconfig.8; now provides the
      <option>vlanmtu</option> and <option>-vlanmtu</option> options,
      which control the capability of some Ethernet interfaces
      to receive extended frames (i.e. frames containing more than
      1500 bytes of payload).</para>

    <para>&man.ifconfig.8; now provides the
      <option>vlanhwtag</option> and <option>-vlanhwtag</option> options,
      which control the capability of some Ethernet interfaces
      to process VLAN tags in the hardware.</para>

    <para>&man.indent.1; now supports a <option>-ldi</option> option
      to control indentation of local variables.  A number of other
      tunings were made to this utility.</para>

    <para>&man.indent.1; now supports <option>-fbs</option> and
      <option>-ut</option> for function declarations
      with the opening brace on the same line as the declaration
      of arguments all spaces and no tabs in order
      to fix problem when non-8 space tabs are used.</para>

    <para>&man.ip6fw.8; now supports a <option>-n</option> flag to
      stop it from making any changes to the rules in the kernel</para>

    <para>&man.ipcs.1; now supports a <option>-u</option> option to
      display information about IPC mechanisms owned by the specified
      user.</para>

    <para>&man.ipfw.8; now supports a <option>-b</option> flag to
      print only the action and comment for each rule, thus omitting
      the rule body.</para>

    <para>&man.jail.8; now supports a <option>-U</option> option to
      run command as a user which exists only in the &man.jail.2;
      environment.</para>

    <para>&man.jail.8; now supports a <option>-l</option> option to
      clean the environment.  All environment variables are discarded
      except for <varname>HOME</varname>, <varname>SHELL</varname>,
      <varname>PATH</varname>, <varname>TERM</varname>, and
      <varname>USER</varname> before running the jailed program under
      specific user's credentials.  This behavior is similar to that
      provided by the &man.su.1; <option>-l</option>
      option.</para>

    <para>&man.kgdb.1;, a kernel debugging utility which uses
      <application>libgdb</application>
      and understands kernel threads, kernel modules, and &man.kvm.3;,
      has been added.</para>

    <para>&man.killall.1; now supports a <option>-e</option> flag to
      make the <option>-u</option> operate on effective, rather than
      real, user IDs. &merged;</para>

    <para>&man.libalias.3; now has support (and a new API) for
      multiple aliasing instances in a single process.  The existing
      API has been reimplemented in terms of the new one to preserve
      compatibility.</para>

    <para>A <application>libarchive</application> library for manipulation
      of compressed and uncompressed archive files has been
      added.  More details can be found in &man.libarchive.3;.</para>

    <para arch="pc98"><application>libdisk</application> now uses the
      correct PC98 disk partition value for &os;.  This permits the
      &man.sysinstall.8; disk partition editor to correctly create a
      single &os; partition covering the entire disk. &merged;</para>

    <para><application>libdisk</application> now uses
      <varname>d_addr_t</varname> for disk addresses.
      This allows &man.sysinstall.8; to properly handle disks
      and file systems more than 1 TB.</para>

    <para arch="i386,pc98,amd64,ia64">The library formerly known as
      <application>libkse</application> has been renamed
      <application>libpthread</application> and is now the default threading
      library on the i386, amd64, and ia64 platforms.
      <application>GCC</application>'s <option>-pthread</option>
      option has been changed to use <application>libpthread</application>
      rather than <application>libc_r</application>.

      <note>
	<para>Users with older binaries (for example, ports compiled
	  before this change was made) should use &man.libmap.conf.5;
	  to map <application>libc_r</application> and/or
	  <application>libkse</application> to
	  <application>libpthread</application>.</para>
      </note>

      <note>
	<para>Users with NVIDIA-supplied drivers and libraries may
	  need to use a &man.libmap.conf.5; that maps
	  <application>libpthread</application> references to the older
	  <application>libc_r</application> since these drivers and
	  utilities do not work with
	  <application>libpthread</application>.</para>
      </note>
    </para>

    <para><application>libpthread</application> now supports
      a <varname>LIBPTHREAD_SYSTEM_SCOPE</varname> environment
      variable to force 1:1 mode (using system scope threads).  Note that
      building <application>libpthread</application> with
      <option>-DSYSTEM_SCOPE_ONLY</option> flag also forces 1:1 mode,
      and that this option is set by default for architectures that do not
      support M:N mode yet.
      In addition, a <varname>LIBPTHREAD_PROCESS_SCOPE</varname> environment
      variable can be used to force M:N mode (using process scope
      threads).  For example:</para>

    <screen>&prompt.user; <userinput>LIBPTHREAD_SYSTEM_SCOPE=yes <replaceable>threaded_app</replaceable></userinput></screen>

    <para>forces the application <replaceable>threaded_app</replaceable> to use
      system scope threads, and</para>

    <screen>&prompt.user; <userinput>LIBPTHREAD_PROCESS_SCOPE=yes <replaceable>threaded_app</replaceable></userinput></screen>

    <para>forces it to use process scope threads, respectively.</para>

    <para>A bug in the <option>-d</option> option of &man.look.1;
      has been fixed.  Also, &man.look.1; now works correctly in
      locales with multibyte characters.</para>

    <para>&man.ls.1; now treat filenames as multibyte character strings
      according to the current <varname>LC_CTYPE</varname>
      when determining which characters are printable.</para>

    <para>&man.make.1; now supports the new <literal>.warning</literal>
      directive.</para>

    <para>&man.make.1; now supports the POSIX-compatible
      <literal>+</literal> flag in <filename>Makefile</filename> command lines,
      which causes a line to be executed even when <option>-n</option>
      is specified.  This is useful for calls to submakes, for example.</para>

    <para>&man.make.1; now puts variable assignments from
      the command line into the <varname>MAKEFLAGS</varname>
      variable as required by POSIX.  This causes such variables
      to be pushed into all sub-makes called by the &man.make.1;
      (except when the <varname>MAKEFLAGS</varname>
      variable is explicitly changed in the sub-make's environment).
      This makes them also mostly un-overrideable
      in sub-makes except on the sub-make's command line.</para>

    <para arch="i386">The &man.mkuzip.8;, which is a non-GPL
      utility to compress file system images for use with
      <literal>GEOM_UZIP</literal> &man.geom.4; module,
      has been added.</para>

    <para>The &man.nearbyint.3; and
      &man.nearbyintf.3; C99 functions
      have been implemented.</para>

    <para>The <filename>tgmath.h</filename> C99 header has
      been implemented.  This provides
      type-generic macros for the <filename>math.h</filename>
      and <filename>complex.h</filename> functions that have
      float, double and long double implementations.</para>

    <para>The GNU extensions of &man.mbsnrtowcs.3;
      and &man.wcsnrtombs.3; have been implemented.</para>

    <para>&man.newsyslog.8; now allows the users to set
      a debugging option via the <filename>newsyslog.conf</filename>
      file.</para>

    <para>&man.newsyslog.8; now uses a new order when processing
      files to rotate.  It first rotates all files that need
      to be rotated, then sends a single signal to each process
      which needs to be signaled, and finally compresses
      all the files that were rotated.</para>

    <para>A &man.nextwctype.3; function to iterate over all characters
      in a particular character class
      has been added.</para>

    <para>Initial support for UTF-8 versions of all the currently
      supported system locales has been added.  This is primarily
      for the benefit of the <filename role="package">misc/utf8locale</filename>
      port.</para>

    <para>An Israel Hebrew locale <literal>he_IL.UTF-8</literal>
      has been added.</para>

    <para>The &man.logins.1; utility has been added to display
      information about user and system accounts.</para>

    <para>&man.mountd.8; now supports the <option>-p</option> option,
       which allows users to specify a known port for use
       in firewall rulesets.</para>

    <para>&man.netstat.1; now displays the multicast group
      memberships present in the system.</para>

    <para>&man.newfs.8; and &man.mdmfs.8; now support a
      <option>-l</option> flag to enable them to set the MAC
      multilabel flag on new file systems without requiring the use of
      &man.tunefs.8;.</para>

    <para>&man.nologin.8; now reports login attempts via
       &man.syslogd.8;.</para>

    <para>&man.nologin.8; has been moved from <filename>/sbin/nologin</filename>
       to <filename>/usr/sbin/nologin</filename>.
       <filename>/sbin/nologin</filename> remains as a symbolic link
       for backward compatibility.</para>

    <para>A bugfix has been applied to NSS support, which fixes
      problems when using third-party NSS modules (such as <filename
      role="package">net/nss_ldap</filename>) and groups with large
      membership lists.</para>

    <para>&man.od.1; now has POSIX-style support for multibyte
      characters.</para>

    <para>&man.patch.1; has been replaced with a BSD-licensed version
      from OpenBSD.  This includes a <option>--posix</option> option
      for strict POSIX conformance.</para>

    <para>The &man.pgrep.1; and &man.pkill.1; commands, which come from NetBSD,
      have been added.  They also support a <option>-M</option> option
      to extract values associated with the name list from the
      specified core instead of the default <filename>/dev/kmem</filename>,
      and a <option>-N</option> option to extract the name list from
      the specified system instead of the default kernel.</para>

    <para>&man.ppp.8; now supports a <quote>set rad_alive
	<replaceable>N</replaceable></quote> command
      to enable periodic RADIUS accounting information
      being sent to the RADIUS server.  &merged;</para>

    <para>&man.ppp.8; now supports a
      <quote>set pppoe [standard|3Com]</quote> command
      to configure the operating mode of an underlying
      &man.ng.pppoe.4; Netgraph node.</para>

    <para>&man.ps.1; compatibility with POSIX/SUSv3 has been improved.
      The changes include <option>-p</option> for a list of process IDs,
      <option>-t</option> for a list of terminal names,
      <option>-A</option> which is equivalent to <option>-ax</option>,
      <option>-G</option> for a list of group IDs,
      <option>-X</option> which is the opposite of <option>-x</option>,
      and some minor improvements.  For more information, see &man.ps.1;.
      &merged;</para>

    <para>&man.ps.1; now supports a <option>-O emul</option>
      format option, which prints the name of the system call emulation
      environment the process is in.</para>

    <para>&man.pw.8; now supports a <option>-H</option> option, which
      accepts an encrypted password on a file descriptor. &merged;</para>

    <para>A bug in &man.rarpd.8; that prevents it from working properly
      when a interface has more than one IP address has been fixed.
      &merged;</para>

    <para>&man.regex.3; now supports regular expression matching aware
      of multibyte characters.</para>

    <para>The configuration files used by the &man.resolver.3; now
      support the <literal>timeout:</literal> and
      <literal>attempts:</literal> keywords.</para>

    <para>The &man.resolver.3; and associated interfaces are now much
      more reentrant and thread-safe.  Multiple DNS lookups can now be
      run at the same time, showing major improvements in the
      performance of some multi-threaded applications.  Some
      multi-threaded programs need to be recompiled; examples from the
      Ports Collection are <filename
      role="package">www/mozilla</filename> and variants, <filename
      role="package">mail/evolution</filename>, <filename
      role="package">devel/gnomevfs</filename>, and <filename
      role="package">devel/gnomevfs2</filename>.</para>

    <para>&man.rmdir.1; now supports a <option>-v</option> flag,
      which makes it verbose.</para>

    <para>&man.savecore.8; now works correctly for dump files larger
      than 2GB.</para>

    <para>A bug in &man.script.1; has been fixed so that it now works
      correctly if the standard input is closed.  This fix prevents a
      potentially dangerous interaction with the <filename
      role="package">sysutils/portupgrade</filename> package; if it was
      run non-interactively, it could remove all out-of-date
      ports without reinstalling them.</para>

    <para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
      has been added.</para>

    <para>&man.sed.1; <literal>y</literal> (translate) command
      now supports multibyte characters.</para>

    <para>The &man.sha1.1; and &man.rmd160.1; utilities have been added.
      Similar to &man.md5.1;, they calculate a message digest of their
      inputs.
      &merged;</para>

    <para>&man.smbmsg.8;, a small utility to send/receive SMBus messages,
      has been added.</para>

    <para arch="sparc64">&man.sunlabel.8; now supports two new flags:
      <option>-c</option> to calculate all partition sizes
      in cylinders as opposed to sectors, and
      <option>-h</option> to print the label in human readable
      size/offset format.</para>

    <para>&man.talk.1; now use <hostid>localhost</hostid>
      as a default machine name in &man.talkd.8;
      request packets, when the destination and source are local.
      This makes &man.talk.1; dependent on a valid host entry
      for <hostid>localhost</hostid> in <filename>/etc/hosts</filename>
      or the DNS.</para>

    <para>&man.tftpd.8; now supports two new options:
      a <option>-w</option> option allows new files to be created,
      and a <option>-U</option> option allows the umask to be set.</para>

    <para>&man.top.1; now supports to display the current amount
      of I/O.  This feature can be enabled by hitting <quote>m</quote>
      or passing the command line option <option>-m io</option>.</para>

    <para arch="amd64">&man.truss.1; now includes early support
      for &os;/amd64.</para>

    <para>Many userland utilities in the base system (mostly GNU
      contributed utilities) now use the system version of
      &man.getopt.long.3;, rather than the GNU version.</para>

    <sect3 id="rc-scripts">
      <title><filename>/etc/rc.d</filename> Scripts</title>

      <para>The <filename>diskless</filename> script has been
	split out into <filename>hostname</filename>,
        <filename>resolve</filename>, <filename>tmp</filename>, and
        <filename>var</filename> scripts.</para>

      <para>The <filename>gbde_swap</filename> script, which supports
	gbde-enabled swap devices has been added.
	When the <varname>gbde_swap_enable</varname> variable is specified
	in &man.rc.conf.5;, a swap device named
	<filename>/dev/<replaceable>foo.bde</replaceable></filename>
	in &man.fstab.5;
	is automatically attached at boot time with the device
	<filename>/dev/<replaceable>foo</replaceable></filename>
	and a random key, which
	generated by computing the MD5 checksum of 512 bytes read
	from <filename>/dev/random</filename>.
	Note that this prevents recovery of kernel dumps.</para>

      <para>The <varname>ip6addrctl_enable</varname> and
	<varname>ip6addrctl_verbose</varname> have been added.
	When <varname>ip6addrctl_enable</varname> is set
	to <literal>YES</literal>,
	the address selection policy is installed into the kernel.
	If there is <filename>/etc/ip6addrctl.conf</filename>
	it will be used, otherwise a default policy will be installed.
	The default policy is one described in RFC 3484 when
	<varname>ipv6_enable</varname> is set to <literal>YES</literal>.
	Otherwise, the priority policy for IPv4 address will be used
	as a default policy.</para>

      <para>The <filename>mixer</filename> script has been added.
	It saves the current settings of all audio mixers present
	in the system on shutdown and restores the settings on boot.</para>

      <para>The <filename>pf</filename> and <filename>pflog</filename>
        scripts for &man.pf.4; has been added.</para>
    </sect3>
  </sect2>

  <sect2 id="contrib">
    <title>Contributed Software</title>

    <para>The <application>ACPI-CA</application> code has been updated
      from the 20030619 snapshot to the 20040527 snapshot.</para>

    <para>The <application>AMD (am-utils)</application> has been updated
      from version 6.0.9 to version 6.0.10p1.</para>

    <para><application>awk</application> from Bell Labs has been
      updated from the 29 July 2003 release to the 7 February 2004
      release.</para>

    <para><application>Binutils</application> have been updated to
      a 23 May 2004 snapshot from the FSF 2.15 branch.</para>

    <para><application>CVS</application> has been updated from
      version 1.11.15 to version 1.11.17.  &merged;</para>

    <para>The <application>FILE</application> has been
      updated from version 3.41 to version 4.10.</para>

    <para><application>gdtoa</application> (a library that performs
      conversions of numbers between binary and decimal form) has been
      updated from version 20030324 to version 20040118.</para>

    <para><application>GDB</application> has been updated to version
      6.1.1.</para>

    <para><application>GNU GCC</application> has been updated from
      3.3.3-prerelease as of 6 November, 2003 to 3.4.2-prerelease as of 28 July, 2004.</para>

    <para><application>GNU grep</application> has been updated from
      version 2.4d to version 2.5.1.</para>

    <para><application>less</application> has been updated from
      version 371 to version 381.</para>

    <para><application>GNU readline</application> 4.3 has been updated
      with official patches 001 through 005.</para>

    <para>The <application>GNU regex</application> library has been
      updated to the version included with <application>GNU
      grep</application> 2.5.1.</para>

    <para><application>GNU sort</application> has been updated from
      textutils 2.1 to a coreutils snapshot as of 12 August, 2004.</para>

    <para>The <application>GNU tar</application> implementation in the
      base system is now called <filename>gtar</filename>.</para>

    <para><application>Heimdal Kerberos</application> has been
       updated from version 0.6 to version 0.6.1.</para>

    <para>The <application>ISC DHCP</application> client has been
       updated from version 3.0.1 RC10 to version 3.0.1.</para>

    <para><application>libpcap</application> has been updated from
      version 0.7.1 to version 0.8.3.</para>

    <para><application>lukemftp</application>
      has been updated from a snapshot as of
      3 November, 2003 to one as of 9 August, 2004.</para>

    <para><application>NTP</application>
      has been updated from version 4.1.1a to version 4.2.0.</para>

    <para><application>OpenPAM</application> has been updated from the
      Dogwood release to the Eelgrass release.</para>

    <para><application>OpenSSH</application> has been updated from
      version 3.6.1p1 to version 3.8.1p1.

      <note>
	<para>The configuration defaults for &man.sshd.8; have been
	  changed.  SSH protocol version 1 is no longer enabled by
	  default.  In addition, password authentication over SSH is
	  disabled by default if PAM is enabled.</para>
      </note>
      </para>

    <para><application>OpenSSL</application> has been updated from
      version 0.9.7c to version 0.9.7d.  &merged;</para>

    <para><application>OpenSSL</application> VIA C3 Nehemiah
      PadLock ACE (Advanced Cryptography Engine) crypto support,
      which provides Advanced Encryption Standard (AES) encryption,
      has been imported from a prerelease version
      of <application>OpenSSL</application>.</para>

    <para><application>pf</application>, OpenBSD's packet filter as of
      OpenBSD 3.5-stable, has been imported into &os; source tree and is now installed
      by default.  Two new users (<username>proxy</username> and
      <username>_pflogd</username>) and three new
      groups (<username>authpf</username>, <username>proxy</username>,
      and <username>_pflogd</username>),
      which <application>pf</application> needs, have been added as well.</para>

      <note>
	<para>On upgrading from source, these user accounts must be
	  added in advance.  <literal>mergemaster -p</literal> can be
	  used to assist in creating the proper entries in the
	  &man.passwd.5; and &man.group.5; files.
	  The <varname>NO_PF</varname> variable
	  in <filename>make.conf</filename> can be used to prevent
	  <application>pf</application> from building.</para>
      </note>

    <para>Several userland utilities of OpenBSD's
      <application>pf</application> have been imported.
      &man.ftp-proxy.8; is an ftp proxy for &man.pf.4;,
      &man.pfctl.8; is an equivalent to &man.ipf.8;,
      &man.pflogd.8; is a daemon logging packets via <literal>if_pflog</literal>
      in &man.pcap.3; format, and
      &man.authpf.8; is an authentication shell
      to modify &man.pf.4; rulesets.</para>

    <para><application>routed</application> has been updated from
      release 2.22 to release 2.27 from rhyolite.com.  Note that for
      users relying on RIP's MD5 authentication feature,
      &man.routed.8; routed is now incompatible with previous versions
      of &os;; however it is now compatible with implementations from
      Sun, Cisco and other vendors.</para>

    <para><application>sendmail</application> has been updated from
      version 8.12.10 to version 8.13.1. &merged;</para>

    <para><application>tcpdump</application> has been updated from
      version 3.7.1 to version 3.8.3.</para>

    <para><application>tcsh</application> has been updated from
      version 6.11 to version 6.13.00.</para>

    <para>The timezone database has been updated from
      <filename>tzdata2003a</filename> to
      <filename>tzdata2004a</filename>.</para>

    <para><application>zlib</application> has been updated
      from version 1.1.4 to version 1.2.1.</para>
  </sect2>

  <sect2 id="ports">
    <title>Ports/Packages Collection Infrastructure</title>

    <para>Most of startup/shutdown scripts installed by
      various ports now use the new &man.rc.8; framework
      introduced in &os; 5.<replaceable>X</replaceable>, while some ports still use the
      old-style scripts.  On startup, the new &man.rc.8; style scripts
      are executed first and then the old-style scripts.
      On shutdown, exactly the reverse happens.</para>

    <para>The <literal>SIZE</literal> attribute for distfiles,
      which can be used for checking file sizes before fetching,
      has been added and enabled by default.
      <varname>DISABLE_SIZE</varname> is a user control knob
      to disable the distfile size checking.  This is especially
      useful on old &os; versions which did not have &man.fetch.1;
      support for this, and for some FTP proxies which always
      report incorrect or bogus sizes.</para>

    <para>Two new files have been added to the ports tree to track
      note-worthy changes:  <filename>ports/CHANGES</filename> lists
      major changes to the Ports Collection and its infrastructure.
      <filename>ports/UPDATING</filename> describes some potential
      pitfalls that can be encountered when updating certain ports,
      analogous to <filename>src/UPDATING</filename> for the base
      system.</para>

    <para>The version number parsing code has been rewritten in the
      system <filename>pkg_*</filename> tools, restoring compatibility
      with 4.x and
      <filename role="package">sysutils/portupgrade</filename>.</para>

    <para>The package tools can now match packages with relational
      operators and csh-style <literal>{...}</literal>
      choices.  For example:</para>

    <screen>&prompt.root; <userinput>pkg_info -I 'docbook>=3.0'</userinput></screen>

    <para>will list (all) docbook DTDs with at least version 3.0.
      Additional command line options have also been added to aid
      pattern matching.</para>

    <para>The package tools have improved handling of corrupt package
      databases.</para>

    <para>&man.pkg.create.1; now supports a <option>-S</option>
      option to make all <literal>@cwd</literal> be prefixed
      during package creation.</para>

    <para>&man.pkg.info.1; now supports a <option>-j</option>
      option to show the requirements script for each package.</para>
  </sect2>

  <sect2 id="releng">
    <title>Release Engineering and Integration</title>

    <para arch="i386,pc98">The building process for boot floppy images
      has been completely overhauled.  The most significant change is
      that the loader now boots a stock <filename>GENERIC</filename>
      kernel split across multiple disks (two at the time of this
      writing).  This greatly improves installations that begin with a
      boot from floppy disk, because they now use exactly the same
      kernel (and thus support the same hardware) as CDROM
      installations.  The stripped-down <filename>MFSROOT</filename>
      kernel is no longer needed, and the <filename>mfsroot</filename>
      image no longer requires kernel modules.  The
      <filename>boot.flp</filename> and
      <filename>driver.flp</filename> images are also obsolete and no
      longer built.</para>

    <para>&os; cryptography support is no longer an optional component
      of releases, and the <literal>crypto</literal> release distribution
      is now part of <literal>base</literal>.
      Note that the <option>-DNOCRYPT</option> build option still
      exists for anyone who really wants to build non-cryptographic
      binaries. </para>

    <para>The supported release of <application>GNOME</application>
      has been updated from version 2.4 to version 2.6.2.

      <note>
	<para>If you are using the older <application>GNOME</application>
	  desktop itself (<filename role="package">x11/gnome2</filename>), simply upgrading it from the &os; Ports Collection
	  with
	  &man.portupgrade.1;
	  (<filename role="package">sysutils/portupgrade</filename>)
	  will cause serious problems.
	  If you are a <application>GNOME</application> desktop user,
	  please read the instructions carefully at
	  <ulink url="&url.base;/gnome/docs/faq26.html"></ulink>,
	  and use the <filename>gnome_upgrade.sh</filename> script to
	  properly upgrade to <application>GNOME</application> 2.6.</para>

	<para>Note that if you are just a casual user of some of the
	  <application>GNOME</application> libraries,
	  &man.portupgrade.1; should be sufficient
	  to update your ports.</para>
      </note>
    </para>

    <para>The supported release of <application>KDE</application>
      has been updated from version 3.1.4 to version 3.3.0.</para>

    <para>The <filename role="package">security/portaudit</filename> utility
      has been added to the &os; Ports Collection.  This utility will read a database
      containing known ports vulnerabilities and report them to the
      administrator.</para>

    <para>&os; now uses <application>Xorg</application> instead of
      <application>XFree86</application> as the default X Window System.
      The supported release is <application>Xorg</application> X11R6.7.0.
      Note that <application>XFree86</application> is also available in the &os;
      Ports Collection (<filename role="package">x11/XFree86-4</filename>).</para>
  </sect2>

  <sect2 id="doc">
    <title>Documentation</title>

    <para></para>

  </sect2>
</sect1>

<sect1 id="upgrade">
  <title>Upgrading from previous releases of &os;</title>

  <para>Users with existing &os; systems are
    <emphasis>highly</emphasis> encouraged to read the <quote>Early
    Adopter's Guide to &os; &release.current;</quote>.  This document generally has
    the filename <filename>EARLY.TXT</filename> on the distribution
    media, or any other place that the release notes can be found.  It
    offers some notes on upgrading, but more importantly, also
    discusses some of the relative merits of upgrading to &os;
    5.<replaceable>X</replaceable> versus running &os;
    4.<replaceable>X</replaceable>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>