From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: WIP security/browserpass-native: changes to pledge/Go in 7.9?
To: Chris Billington <emulti@disroot.org>, <ports@openbsd.org>
Date: Thu, 28 May 2026 10:06:19 +0100

Yes.

-- 
  Sent from a phone, apologies for poor formatting.

On 28 May 2026 03:21:30 Chris Billington <emulti@disroot.org> wrote:

> I have in progress a port of browserpass-native, a Native Messaging host
> in Go for the Browserpass browser extension, that works with
> security/password-store, the Pass password manager.
>
> This survived unchanged a previous upgrade from OpenBSD 7.7 to 7.8, but
> after the upgrade to 7.9 the browserpass-native process is aborted with
> what I eventually found is a pledge violation, a wpath syscall that was
> not present before. Tracing revealed that the main process is trying to
> open /dev/null with O_WRONLY, before forking a gpg subprocess.
>
> This was fixed by adding wpath to the pledge promises with a patch, but
> I am curious about the change: Go itself was upgraded from 1.25 to 1.26
> with the 7.9 upgrade, but I can't find any relevant changes in the way
> it execs subprocesses. The browserpass-native port was unchanged. Were
> there any recent changes to pledge with 7.9 that might be behind it?
>
> Chris