Revamp README.

Add and enable smtp-delay.

Add smtp-delay: Introduce SMTP banner delays for qmail

This little number can be used to introduce smtp banner delays for
qmail. When run between tcpserver and rblsmtpd, it'll do a reverse
lookup of the connecting IP, compare that PTR to a regex, and then apply
long banner delays if there was no PTR or if the PTR matches the
"dialup" regex. The program depends on the fact that tcpserver will set
TCPREMOTEIP, and will take advantage of TCPREMOTEHOST if it's set. If
the client tries to pipeline (ram SMTP commands down our throat before
we show them an SMTP banner), RBLSMTPD is set, notifying rblsmtpd to
refuse their mail.

doc: Added mail/smtp-delay version 0.20

greetdelay: use archive.org'd HOMEPAGE.

Add and enable twitch-tui.

Add twitch-tui: Twitch chat in the terminal

Twitch chat in the terminal. Feature list:

- Read/send/search messages
- Switch channels
- Create and toggle filters
- Command, channel, and mention suggestions
- Customize functionality and looks to your liking using a config file

doc: Added chat/twitch-tui version 2.6.1

doc: Updated misc/moreutils to 0.68

moreutils: update to 0.68. From the changelog:

* popen: Use pclose, fixing compile warning.
  Thanks, Mikel Olasagasti Uranga
* vidir: Zero pad line numbers to work better when used with
  a small tab size such as 2.
  Thanks, Johan Grande

doc: Updated print/lilypond to 2.24.3

lilypond: update to 2.24.3. Changes:

- Restore PDF conversion with the recent Ghostscript 10.02.1
- Add initial support for Guile 3.0 (2.2 remains recommended)

daemontools-run: improve symlink creation. Bump version.

doc: Updated sysutils/daemontools-run to 20231129

doc: Updated sysutils/etckeeper to 1.18.21

etckeeper: update to 1.18.21. Changes:

* Consistently use mktemp if available, falling back to tempfile
  otherwise.

Bump Kotlin, Detekt, versions plugin.

dovecot2-fts-xapian: update to 1.5.7.

pkgvm: no more Debian 9 or 10.

cairo: just always install cairo-ft. Bump PKGREVISION.

Depend on freetype and fontconfig even if no options are selected, and
take care to explicitly enable or disable meson options. Should fix
pango build error seen on NetBSD sans X11:

    meson.build:429:4: ERROR: Problem encountered: No Cairo font backends found

Build-tested (and `otool -L`-inspected) on macOS with each of 'quartz',
'x11', 'xcb', 'x11 xcb', and no options selected.

doc: Updated graphics/cairo to 1.18.0nb1

Actually add ALTERNATIVES, missed in previous.

doc: Updated devel/goredo to 2.5.0

goredo: update to 2.5.0. Changes:

* Prevent rare race in the code, where externally modified target may
  panic the program.

pkgsrc changes:

* Offer 'redo' alternative.

pkg_comp: enable gd libimagequant (C, not Rust).

pkg_comp: pcre2-jit is already off by default.

checkpw: actually bump PKGREVISION.

checkpw: offer 'nbcheckpassword' alternative. Bump PKGREVISION.

(While here, install helpful docs and examples.)

doc: Updated sysutils/checkpw to 1.03

doc: Updated sysutils/fp-checkpassword to 0.0.20171108nb1

doc: Updated sysutils/qmail-dovecot-checkpassword to 0.0.20141125nb1

fp-checkpassword: offer 'nbcheckpassword' alternative. Bump PKGREVISION.

qmail-checkpassword-dovecot: offer 'nbcheckpassword' alternative. Bump PKGREVISION.

(While here, install the README.)

checkpassword-phpbb: offer 'nbcheckpassword' alternative. Bump PKGREVISION.

doc: Updated sysutils/checkpassword-phpbb to 0.0.20150326nb2

doc: Updated devel/skalibs to 2.14.0.1

doc: Updated devel/swagger-codegen to 3.0.51

doc: Updated net/s6-dns to 2.3.7.0

doc: Updated net/s6-networking to 2.7.0.0

doc: Updated sysutils/s6 to 2.12.0.2

doc: Updated www/tipidee to 0.0.2.0

s6-dns: update to 2.3.7.0. Changes:

- New s6dns_init_options() function, to choose whether
  to support /etc/hosts or not.
- Properly ignore link-local addresses in hosts files
  instead of erroring out on them.
- New s6dns_hosts_name46() macro.

s6-networking: update to 2.7.0.0. Changes:

- Bugfixes.
- Better API for s6-tlsc-io: now "s6-tlsc-io 6 7" is the equivalent
  of s6-ioconnect with TLS, and can be used interactively as a client
  program to talk to TLS-tunneled services.
- The -K option for TLS programs now set a timeout for the whole handshake.
- The -h option for s6-tcpclient and s6-tcpserver-access now indicates
  /etc/hosts should be consulted before DNS.

s6: update to 2.12.0.2. Changes:

- Bugfix: shutdown might have been prevented from completing
- Bugfix: s6-svscanctl -an was not working as intended

skalibs: update to 2.14.0.1. Changes:

- Revamped ipv6 parsing code.

swagger-codegen: update to 3.0.51. Changes:

- update auth values in openapi document

tipidee: update to 0.0.2.0. Changes:

- Bugfixes.
- Support for treating all executables as CGI.
- Support for logging X-Forwarded-For.
- No Referrer-Policy header by default.

slack-term: update GitHub location and distinfo.

{py-,}brotli: set DIST_SUBDIR to distinguish distfiles on case-insensitive fs.

Track pkgsrc PHP default (now 8.1).

Finish previous.

Finish removing centos 7 and 8.

Retire pkgbuild-vm-hostnames.

pkgvm: reduce duplication into ssh config.

doc: Updated devel/goredo to 2.4.0

goredo: update to 2.4.0. Changes:

* Continue regression fixing of 'redo-whichdo'.

Add and enable git-crawl.

Add and enable ssh-agent-switcher.

Add git-crawl: Crawl through git commits

git-crawl is a shell script that extends the git api allowing one to
'crawl' through their commits.

Add ssh-agent-switcher: SSH agent proxy for tmux

ssh-agent-switcher is a daemon that proxies SSH agent connections to any valid
forwarded agent provided by sshd.  This allows long-lived processes such as
terminal multiplexers like `tmux` or `screen` to access the connection-specific
forwarded agents.

The ssh-agent-switcher daemon solves this problem by exposing an SSH agent
socket at a well-known location, allowing you to set `SSH_AUTH_SOCK` to a path
that does *not* change across different connections.  The daemon then looks for
a valid socket every time it receives a request and forwards the request to the
real forwarded agent.

doc: Added sysutils/ssh-agent-switcher version 0.0.20231117

doc: Updated devel/git-crawl to 0.0.20161010

dovecot2: fix clang 15 build.

doc: Updated textproc/p5-XML-LibXML to 2.0209

p5-XML-LibXML: update to 2.0209. Changes:

- t/35huge_mode.t: fix test with libxml2 2.11
- Add clearer reference to using cloneNode to extract node with namespaces
- initialize xmlValidCtxt

zziplib: fix clang 15 build with patch from FreeBSD Ports.

FreeBSD is now 14.

daemontools-run: bump version. Changes:

- Remove inet6 option; simply depend on dual-stack ucspi-tcp6 (or
  v4-only original DJB ucspi-tcp, if that's already installed)

doc: Updated mail/qmail to 1.03nb54

doc: Updated mail/qmail-conf to 0.60nb6

doc: Updated net/publicfile to 0.52nb3

doc: Updated sysutils/daemontools-run to 20231116

publicfile: bump PKGREVISION. Changes:

- Remove inet6 option; simply depend on dual-stack ucspi-tcp6 (or
  v4-only original DJB ucspi-tcp, if that's already installed)
- Apply upstream patch to support https URLs under e.g. sslserver
- Add patch comments

qmail-conf: bump PKGREVISION. Changes:

- Remove inet6 option; simply depend on dual-stack ucspi-tcp6 (or
  v4-only original DJB ucspi-tcp, if that's already installed)
- Set LICENSE to public-domain, as this is derived from djbdns-1.05
  which has long been public-domain.

qmail: bump PKGREVISION. Changes:

- Remove inet6 option; simply depend on dual-stack ucspi-tcp6 (or
  v4-only original DJB ucspi-tcp, if that's already installed)

pkgdiff: adding diff to USE_TOOLS had broken gdiff selection. Fix.

mosh: buildlink with libexecinfo to fix macOS build.

doc: Updated pkgtools/pkgdiff to 1.11

doc: Updated www/goaccess to 1.8.1

goaccess: update to 1.8.1. Changes:

1.8.1:

- Added latest Android and macOS versions to the list of OSs.
- Fixed issue when trying to apply a regex on an invalid value (HTML report).
- Fixed issue with D3.js xScale.domain() going out of boundaries in certain
  cases.
- Prevent setting default static files when no static-file options are
  defined in config file.

1.8:

- Added dual-stack support to the WebSocket server.
- Added Debian Bookworm to the official deb repo.
- Added Ubuntu Lunar to the official deb repo.
- Fixed compiler error on macOS 10.12.
- Updated bootstrap to v3.4.
- Updated FontAwesome with additional icons for upcoming major release.
- Updated Japanese translation.
- Updated OS display from Macintosh to macOS.
- Updated to D3.js v7 (latest) including charts.js code.

pkgdiff: update to 1.11. Changes:

- Let pkgvi take multiple file arguments
- Update HOMEPAGE
- Quell pkglint

qmail-lint: update HOMEPAGE.

qmail: use notqmail.org's qmail.org mirror.

pkgcomp-conf: use not-nfs PKGSRCDIR if present.

py-testfixtures: update to 7.2.2. Changes:

7.2.2:
- Fix bug in support for :class:`os.PathLike` arguments to
  :class:`popen.MockPopen`.

7.2.1:
- Added missing support for :class:`os.PathLike` arguments to
  :class:`popen.MockPopen`.

7.2.0:
- Add ``order_matters`` parameter to :class:`ShouldWarn`.

7.1.0:
- Implement new IDE and static-analysis ways of :doc:`mocking <mocking>`
  including additional parameters to :meth:`~Replacer.replace` along
  with the :any:`replace_on_class`, :any:`replace_in_module` and
  :any:`replace_in_environ` context managers.

7.0.4:
- Remove `py.typed` file: neither `mypy` nor `testfixtures` are ready
  for this file to be present.

7.0.3:
- Further bugfixes around self-referential datastructures and
  :func:`compare`.

7.0.2:
- Reinstate support for self-referential data structures in
  :func:`compare`. The new implementation provides more clarity about
  what's going on and also ignores more immutable data types.

7.0.1:
- Remove non-functional support for self-referential data structures in
  :func:`compare`. The functionality didn't work but did cause
  erroneous reported equality of values in dictionaries that were
  actually not equal.

7.0.0:
- Refresh documentation.
- Add type annotations.
- Drop support for Python 2. The minimum supported Python version
  is now 3.6.
- Sybil 3 is now the minimum supported version if you use
  :class:`~.sybil.FileParser`.
- Rename and refactor the date and time mocks, they are now
  :any:`mock_date`, :any:`mock_datetime` and :any:`mock_time`.
  :any:`test_date<mock_date>`, :any:`test_datetime <mock_datetime>` and
  :any:`test_time <mock_time>` are still present as aliases but are now
  deprecated.
- Add :meth:`TempDirectory.as_string`, :meth:`TempDirectory.as_path` and
  :meth:`TempDirectory.as_local`. :meth:`TempDirectory.getpath` is now
  deprecated.
- :class:`TempDirectory` can now be used to wrap existing directories.
- Fixed a bug where :any:`OutputCapture.captured` returned bytes instead
  of a string with ``fd=True``.
- The deprecated ``strict`` option to :class:`Comparison` has been
  removed, use the ``partial`` option instead.
- The deprecated ``TempDirectory.check``, ``TempDirectory.check_dir``
  and ``TempDirectory.check_all`` methods have been removed.

6.18.5:
- Fix bug in detection of Mock backport.

6.18.4:
- Ensure compatibility with Sybil 2 and Sybil 3 along with pytest 6
  and pytest 7.

6.18.3:
- Fix bug when using :func:`compare` on two regular expressions that
  have very long patterns.

6.18.2:
- Fix bug that meant :class:`LogCapture` didn't preserve or provide a
  clean testing environment for filters.

6.18.1:
- Fix bug when showing differences between mappings found by
  :func:`compare` when mismatching values contained the same number more
  than once.

6.18.0:
- Add support for lazy resolution of ``prefix`` and ``suffix`` when
  using :func:`compare`.

6.17.1:
- Fix bug where bug where duplicated entries in an ordered but partial
  :class:`SequenceComparison` could result in a failed match.

6.17.0:
- Add simpler flag support to :class:`StringComparison`.
- Fix deprecation warning about invalid escape sequence.

6.16.0:
- Simplify and clarify the documentation of timezones when using
  :any:`test_datetime <mock_datetime>` .
- :doc:`api` has been re-arranged to make it easier to browse.
- The ``strict`` parameter to :class:`Comparison` has been deprecated in
  favour of ``partial``.
- Add :class:`SequenceComparison`, :class:`Subset` and
  :class:`Permutation` objects.
- Add :class:`MappingComparison` objects.
- Officially support Python 3.9.

doc: Updated devel/goredo to 2.3.0

goredo: update to 2.3.0. Changes:

* Fix regressions in 'redo-whichdo' happened after huge refactoring.

Add and enable tipidee.

Add tipidee: Minimalistic web server

tipidee is a web server supporting HTTP 1.0 and 1.1. It aims to be
compliant with RFC 9112: while it only implements a very limited subset
of the optional functionality in HTTP 1.1, it implements all the
mandatory parts.

It runs under a super-server, e.g. inetd, s6-tcpserver, or s6-tlsserver
(for HTTPS). Traditionally, inetd-mode web servers aren't considered
performant, but tipidee aims to eke out every single drop of performance
that is attainable with its programming model.

Key features:

- Usability with HTTPS without the need to entangle the code with a
  given TLS library
- Support for HTTP 1.1, with persistent connections, and not only 1.0
- Support for real CGI, not only NPH

doc: Updated devel/skalibs to 2.14.0.0

doc: Updated lang/execline to 2.9.4.0

doc: Updated mail/smtpd-starttls-proxy to 0.0.1.3

doc: Updated misc/s6-portable-utils to 2.3.0.3

doc: Updated net/s6-dns to 2.3.6.0

doc: Updated net/s6-networking to 2.6.0.0

doc: Updated sysutils/s6 to 2.12.0.0

execline: update to 2.9.4.0. Changes:

- Adaptation to skalibs-2.14.0.0.
- New dummy -e option in execlineb.
- Slightly better error reporting in execlineb.

s6-dns: update to 2.3.6.0. Changes:

- Bugfixes.
- New s6dns_hosts functions.
- New command: s6-dns-hosts-compile
- s6-dnsip* and s6-dnsname now support a -h option, to make use of
  /etc/hosts data.

s6-networking: update to 2.6.0.0. Changes:

- Bugfixes.
- s6-tcpserver has been unified! no ipv4 and ipv6 separation anymore.
   * The only programs in the superserver chain are now s6-tcpserver,
     s6-tcpserver-socketbinder, and s6-tcpserverd.
   * s6-tcpserver-access still exists, should now run under s6-tcpserverd,
     still invoked once per connection. Doesn't spam the log anymore when
     invoked with no ruleset.
   * Options -4 and -6 removed from s6-tcpserver and s6-tlsserver.
     Protocol detection happens when the cmdline address is scanned.
   * Option -e removed from s6-tlsserver. It should now always invoke
     s6-tcpserver-access when needed (and only then).
- Major performance improvements. s6-tcpserverd does not fork on systems
  that support posix_spawn. Also, its lookups are now logarithmic
  instead of linear (which only matters on *heavy* loads).

s6-portable-utils: update to 2.3.0.3. Changes:

- Adaptation to skalibs-2.14.0.0.
- Bugfixes.

s6: update to 2.12.0.0. Changes:

- New option to s6-svc: -s, to specify a signal by name (or number).
- New option to s6-log: -t, to specify a timeout for partial last lines.
- s6-svscan rewrite: no more quadratic reaps, no more forced 1s wait on shutdown
- Eliminated fork() wherever possible on systems supporting posix_spawn()
- Obsolete s6lockd subsystem removed.

skalibs: update to 2.14.0.0. Changes:

- Bugfixes.
- New accessor function: selfpipe_fd().
- New functions: slurpn(), openslurpnclose().
- slurp() and openslurpclose() are now macros.
- New strerr macros to warn with a "fatal" message.
- New cdb functions: cdb_hashv(), cdbmake_addv().
- child_spawn() revamp. Prototype change (last arg is a size_t).
- case_lowerb() and friends now use ctype.h functions.
- case_str() removed, strcasestr() fallback implementation added.
- cspawn(): finally unifying fork() and posix_spawn().
- Better support for nonstandard posix_spawn subfunctions.
- Lots of new sysdeps.

smtpd-starttls-proxy: update to 0.0.1.3. Changes:

- Adaptation to skalibs-2.14.0.0.
- Bugfixes.

doc: Added www/tipidee version 0.0.1.0

doc: Updated devel/libowfat to 0.33

libowfat: update to 0.33. Changes:

- add byte_start, byte_starts
- add a man page for byte_equal_notimingattack
- buffer_seek is no longer limited to the current buffer contents
- add automated way to run unit test: make check
- add parse.h
- add bytestream abstraction for parsing data from a buffer or a file
- add compiler.h to abstract gcc attributes
- add fmt_strm_malloc
- add cross references to open_* and mmap_* man pages
- add fmt_strm_alloca and fmt_strm_malloc man pages
- add buffer_init_allocbuf, buffer_init_read, buffer_init_write,
  buffer_init_read_allocbuf, buffer_init_write_allocbuf
- fix buffer overread for len=0 in scan_longn (Martin Castillo)
- add iob_write2 with sendfile callback so caller can use OpenSSL's
  SSL_sendfile

doc: Updated security/libretls to 3.8.1

libretls: update to 3.8.1. LibreSSL changes:

3.8.1:

* Portable changes
  - Applications bundled as part of the LibreSSL package internally,
    nc(1) and openssl(1), now are linked statically if static libraries
    are built.
  - Internal compatibility function symbols are no longer exported from
    libcrypto. Instead, the libcompat library is linked to libcrypto,
    libssl, and libtls separately. This increases size a little, but
    ensures that the libraries are not exporting symbols to programs
    unintentionally.
  - Selective removal of CET implementation on platforms where it is
    not supported (macOS).
  - Integrated four more tests.
  - Added Windows ARM64 architecture to tested platforms.
  - Removed Solaris 10 support, fixed Solaris 11.
  - libtls no longer links statically to libcrypto / libssl unless
    '--enable-libtls-only' is specified at configure time.
  - Improved Windows compatibility library, namely handling of files vs
    sockets, correcting an exception when operating on a closed socket.
  - CMake builds no longer hardcode '-O2' into the compiler flags, instead
    using flags from the CMake build type instead.
  - Set the CMake default build type to 'Release'. This can be overridden
    during configuration.
  - Fixed broken ASM support with MinGW builds.
* Internal improvements
  - Fixed alignment handling in SHA-512.
  - Moved the verified_chain to the correct internal struct.
  - Improved checks for commonName in libtls.
  - Fixed error check for X509_get_ext_d2i() failure in libtls.
  - Improved BIGNUM internals and performance.
  - Significantly improved Montgomery multiplication performance.
  - Initial cleanup passes for SHA-256 internals.
  - Converted more libcrypto internals API using CBB and CBS.
  - Removed code guarded by #ifdef ZLIB.
  - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
    Ed25519 and fixed a few bugs in there.
  - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
  - Improved X.509 certificate version checks.
  - Cleaned up handling of elliptic curve cofactors.
  - Made BN_num_bits() independent of bn->top.
  - Rewrote and simplified bn_sqr().
  - Removed EC_GROUP precomp machinery.
  - Ensure no X.509v3 extensions appear more than once in certificates.
  - Cleaned up various ECDH, ECDSA and EC internals.
  - Replaced ASN1_bn_print with a cleaner internal implementation.
  - Simplified ASN1_item_sign_ctx().
  - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
  - Various improvements in the 'simple' EC code.
  - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
  - Reduced the dependency of hash implementations on many layers of
    macros. This results in significant speedups since modern compilers
    are now less confused.
  - Significantly simplified the BN_BLINDING internals used in RSA.
* New features
* Compatibility changes
  - X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
    valid UTF-8 without embedded NUL.
  - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
  - Removed support for ECDH_METHOD and ECDSA_METHOD.
  - BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
    32 kbits for primality. This mitigates various DoS vectors.
  - Comp was removed.
  - Dynamic loading of conf modules is no longer supported.
  - DSO was removed and OPENSSL_NO_DSO is defined.
  - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
    of this, some stub functions are provided to avoid patching some
    applications that do not honor OPENSSL_NO_ENGINE.
  - It is no longer possible to make the library use your own error
    stack or ex_data implementation.
* Bug fixes
  - Fixed aliasing issue in BN_mod_inverse().
  - Made CRYPTO_get_ex_new_index() not return 0 to allow applications
    to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
    each other.
  - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
  - Plugged leaks in BIO_chain_dup().
  - Fixed numerous leaks and other minor bugs in RSA, DH, DSA and EC
    ASN.1 methods. Unified the coding style.
  - On socket errors in the poll loop, netcat could issue system calls
    on invalidated file descriptors.
* Documentation improvements
  - Made it very explicit that the verify callback should not be used.
  - Called out that the CRL lastUpdate is standardized as thisUpdate.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
* Security fixes
  - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
    be selected for use.


3.8.0:

* Portable changes
  - Extended the endian.h compat header with hto* and *toh macros.
  - Adapted more tests to the portable framework.
* Internal improvements
  - Improved sieve of Eratosthenes script used for generating a table
    of small primes.
  - Started cleaning up and rewriting SHA internals.
  - Replace internal use of BN_copy() with bn_copy() for consistency.
  - Rewrote and improved BN_exp() and BN_copy().
  - Add branch target information (BTI) support to arm64 assembly.
  - Replaced BN_mod_sqrt() with a new implementation.
  - Removed incomplete and dangerous BN_RECURSION code.
  - Added endbr64 instructions to amd64 assembly.
  - Imported RFC 5280 policy checking code from BoringSSL and used it
    to replace the old exponential time code.
  - Converted more of libcrypto to use CBB/CBS.
  - Cleaned up and simplified the code dealing with builtin curves.
* New features
  - Added support for truncated SHA-2 and for SHA-3.
  - The BPSW primality test performs additional Miller-Rabin rounds
    with random bases to reduce the likelihood of composites passing.
  - Allow testing of ciphers and digests using badly aligned buffers
    in openssl speed.
  - Added a workaround for a poorly thought-out change in OpenSSL 3 that
    broke privilege separation support in libtls.
* Compatibility changes
  - Support for GF2m was removed: BIGNUM no longer supports binary extension
    field arithmetic and all binary elliptic builtin curves were removed.
  - Removed dangerous, "fast" NIST prime and elliptic curve implementations.
    In particular, EC_GFp_nist_method() is no longer available.
  - Removed most public symbols that were deprecated in OpenSSL 0.9.8.
  - Removed the public X9.31 API (RSA_X931_PADDING is still available).
  - Removed Cipher Text Stealing mode.
  - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
    openssl(1) nseq command.
  - Dropped proxy certificate (RFC 3820) support.
  - The POLICY_TREE and its related structures and API were removed.
  - The explicitText user notice uses UTF8String instead of VisibleString
    to reduce the risk of emitting certificates with invalid DER-encoding.
  - Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
    compliant with RFC 8446.
* Bug fixes
  - Correctly handle negative input to various BIGNUM functions.
  - Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
  - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
  - Fixed detection of extended operations (XOP) on AMD hardware.
  - Ensure Montgomery exponentiation is used for the initial RSA blinding.
  - Policy is always checked in X509 validation. Critical policy extensions
    are no longer silently ignored.
  - Fixed error handling in tls_check_common_name().
  - Add missing pointer invalidation in SSL_free().
  - Fixed X509err() and X509V3err() and their internal versions.
  - Ensure that OBJ_obj2txt() always returns a C string again.
  - In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
    host list.
* Documentation improvements
  - Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
    BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
  - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
    undocumented.
* Testing and Proactive Security
  - Significantly improved test coverage of BN_mod_sqrt() and GCD.
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.


3.7.3:

* Bug fix
  - Hostflags in the verify parameters would not propagate from an
    SSL_CTX to newly created SSL.
* Reliability fix
  - A double free or use after free could occur after SSL_clear(3).


3.7.2:

* Portable changes
  - Moved official Github project to https://github.com/libressl/.
  - Build support for Apple Silicon.
  - Installed opensslconf.h is now architecture-specific.
  - Removed internal defines from opensslconf.h.
  - Support reproducible builds on tagged commits in main branch.
* Internal improvements
  - Initial overhaul of the BIGNUM code:
    - Added a new framework that allows architecture-dependent
      replacement implementations for bignum primitives.
    - Imported various s2n-bignum's constant time assembly primitives
      and switched amd64 to them.
    - Lots of cleanup, simplification and bug fixes.
  - Changed Perl assembly generators to move constants into .rodata,
    allowing code to run with execute-only permissions.
  - Capped the number of iterations in DSA and ECDSA signing (avoiding
    infinite loops), added additional sanity checks to DSA.
  - ASN.1 parsing improvements.
  - Made UI_destroy_method() NULL safe.
  - Various improvements to nc(1).
  - Always clear EC groups and points on free.
  - Cleanup and improvements in EC code.
  - Various openssl(1) improvements.
  - Remove dependency on system timegm() and gmtime() by replacing
    traditional Julian date conversion with POSIX epoch-seconds date
    conversion from BoringSSL.
  - Clean old and unused BN code dealing with primes.
  - Start rewriting name constraints code using CBS.
  - Remove support for the HMAC PRIVATE KEY.
  - Rework DSA signing and verifying internals.
  - Internal headers coming from OpenSSL are all called *_local.h now.
  - Rewrite TLSv1.2 key exporter.
  - Cleaned up and refactored various aspects of the legacy TLS stack.
* Bug fixes
  - Fixed a memory leak, a double free and various other issues in
    BIO_new_NDEF().
  - Fixed various crashes in the openssl(1) testing utility.
  - Do not check policies by default in the new X.509 verifier.
  - Added missing error checking in PKCS7.
  - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
  - Add EVP_chacha20_poly1305() to the list of all ciphers.
  - Fix potential leaks of EVP_PKEY in various printing functions
  - Fix potential leak in OBJ_NAME_add().
  - Avoid signed overflow in i2c_ASN1_BIT_STRING().
  - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
  - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
  - Fix segfaults in BN_{dec,hex}2bn().
  - Fix NULL dereference in x509_constraints_uri_host() reachable only
    in the process of generating certificates.
  - Fixed a variety of memory corruption issues in BIO chains coming
    from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
  - Avoid potential divide by zero in BIO_dump_indent_cb()
* New features
  - Added UI_null()
  - Added X509_STORE_*check_issued()
  - Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors.
  - Added EVP_CIPHER_meth_*() setter API.
  - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
    various corner cases. More work is needed here.
  - Added Ed25519 support both as a primitive and via OpenSSL's EVP
    interfaces.
  - X25519 is now also supported via EVP.
  - The OpenSSL 1.1 raw public and private key API is available with
    support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
    Poly1305 is not currently supported via this interface.
* Documentation improvements
  - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
    BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
  - Document BIO_number_read(3), BIO_number_written(3),
    BIO_set_retry_read(3), BIO_set_retry_write(3),
    BIO_set_retry_special(3), BIO_clear_retry_flags(3),
    BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
    BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
    BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
    BIO_callback_fn(3), and the BIO_FLAGS_* constants
  - Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3).
  - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
  - Document EVP_PKEY_new_raw_private_key(3),
    EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
    EVP_PKEY_get_raw_public_key(3).
  - Document ASN1_buf_print(3).
  - Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*.
  - Merged documentation of UI_null() from OpenSSL 1.1
  - Various spelling and other documentation improvements.
  - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
  - The BN documentation is now considered to be complete.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
  - New Wycheproof tests added.
  - OpenSSL 3.0 Interop tests added.
  - Many old tests rewritten, cleaned up and extended.
* Security fixes
  - A malicious certificate revocation list or timestamp response token
    would allow an attacker to read arbitrary memory.


3.7.1:

* Internal improvements
  - Initial overhaul of the BIGNUM code:
    - Added a new framework that allows architecture-dependent
      replacement implementations for bignum primitives.
    - Imported various s2n-bignum's constant time assembly primitives
      and switched amd64 to them.
    - Lots of cleanup, simplification and bug fixes.
  - Changed Perl assembly generators to move constants into .rodata,
    allowing code to run with execute-only permissions.
  - Capped the number of iterations in DSA and ECDSA signing (avoiding
    infinite loops), added additional sanity checks to DSA.
  - ASN.1 parsing improvements.
  - Made UI_destroy_method() NULL safe.
  - Various improvements to nc(1).
  - Always clear EC groups and points on free.
  - Cleanup and improvements in EC code.
  - Various openssl(1) improvements.
* Bug fixes
  - Fixed a memory leak, a double free and various other issues in
    BIO_new_NDEF().
  - Fixed various crashes in the openssl(1) testing utility.
  - Do not check policies by default in the new X.509 verifier.
  - Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
  - Added missing error checking in PKCS7.
  - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
* Compatibility changes
  - Correct the prototypes of BIO_get_conn_ip(3) and
    BIO_get_conn_int_port(3).
* New features
  - Added UI_null()
  - Added X509_STORE_*check_issued()
  - Added X509_CRL_get0_sigalg() and X509_get0_uids() accessors.
  - Added EVP_CIPHER_meth_*() setter API.
* Documentation improvements
  - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
    BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
  - Merged documentation of UI_null() from OpenSSL 1.1
  - Document BIO_number_read(3), BIO_number_written(3),
    BIO_set_retry_read(3), BIO_set_retry_write(3),
    BIO_set_retry_special(3), BIO_clear_retry_flags(3),
    BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
    BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
    BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
    BIO_callback_fn(3), and the BIO_FLAGS_* constants
  - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
  - Document EVP_PKEY_new_raw_private_key(3),
    EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
    EVP_PKEY_get_raw_public_key(3).
  - Document ASN1_buf_print(3).
  - Document ECDSA_SIG_get0_{r,s}().
  - Document DH_get0_* for individual DH members.
  - Document DSA_get0_* for individual DSA members
  - Document RSA_get0_* for individual RSA members.
  - Various spelling and other documentation improvements.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
  - New Wycheproof tests added.
  - OpenSSL 3.0 Interop tests added.
  - Many old tests rewritten, cleaned up and extended.
* Security fixes
  - A malicious certificate revocation list or timestamp response token
    would allow an attacker to read arbitrary memory.

doc: Updated textproc/libhighlight to 4.10

highlight: reset PKGREVISION after libhighlight update.

highlight: update to 4.10. Changes:

- updated astyle lib to version 3.4.10

doc: Updated textproc/xapian to 1.4.24

doc: Updated textproc/xapian-omega to 1.4.24

tcl-xapian: fix build, missed in recent xapian update.

xapian-omega: update to 1.4.24. Changes:

documentation:

* Document $filesize error handling.

indexers:

* omindex:

  + Implement piped input to filters for __WIN32__.  Previously it looks like
    the filter was run but the input wasn't connected to its stdin so it would
    probably block indefinitely.

  + Fix corner case in shell emulation - we no longer set environment variables
    which start with a digit.

    This issue was spotted from reading the code - in practice this isn't a
    case that's likely to be encountered, and the previous behaviour doesn't
    appear to have any security consequences even if a user was somehow tricked
    into specifying an extraction command did this.

* scriptindex:

  + Check if we can actually support %z in parsedate action.  Previously we
    assumed we could if struct tm had a tm_gmtoff member, but that's only a
    necessary condition and not sufficient, e.g. on Cygwin we have tm_gmtoff
    but strptime() doesn't currently understand %z.

  + If we were expecting an action but didn't get an identifier this triggered
    an infinitely repeating error:

    Unknown index action ''

    Now we instead give a single error:

    Expected index action, found '...'

    where '...' shows the sequence of non-whitespace characters encountered.

testsuite:

* Run tests under eatmydata if available.

* Turn off MSYS2 argument conversion for tests as it breaks omegatest, and we
  shouldn't need this conversion there.

* omegatest: Rewrite in Perl as we were hitting non-portable quoting issues
  with the shell implementation, and really it had grown too large to make
  sense as a shell script anyway.

build system:

* Add --enable-werror configure option.

* configure: Only auto-enable -D_FORTIFY_SOURCE=2 if it works without
  additional libraries and remove the hard-coded block against using it
  on mingw.  Mingw-w64 v11.0.0 eliminated the requirement to link with -lssp
  so we now auto-enable -D_FORTIFY_SOURCE=2 there.

portability:

* Fix to build on Cygwin.

* Rename our bswap32 helper function to avoid clash with system-provided
  function on FreeBSD and NetBSD.

xapian: update to 1.4.24. Changes:

testsuite:

* apitest: Add coverage that docids generated by replace_document() don't wrap
  to nomoredocids1 testcase.

* unittest: Improve block file functions unit test which were (unintentionally)
  trying to test with a 4TB sparse file, which not all platforms support.  A
  file just over 4GB is enough to test what we want, and if we trying to create
  one fails with errno EFBIG, indicating the file size is too large, we now
  skip the rest of the testcase.

* unittest: Catch Xapian::Error exceptions and rethrow the std::string returned
  by get_description() as the utestsuite harness doesn't know about
  Xapian::Error so was confusingly reporting it as "UNKNOWN EXCEPTION".

* The testsuite no longer reports NULL as the address associated with a
  signal when running on a platform without both sigaction() and SA_SIGINFO.

matcher:

* Reorder fields in each MSet entry to avoid structure padding on x86-64
  probably other 64-bit platforms.  This reduces the memory needed to hold an
  MSet by 8 bytes per entry on such platforms.

glass backend:

* Eliminate unnecessary memory allocations.  When committing changes, we were
  allocating blocks for all possible levels of the built-in cursor in each
  writable table, even those levels that weren't in use.

  The worst case is a really small database with all optional tables existing
  which would have 54 unused allocations of blocksize + 8 bytes, which with the
  default 8K block size is ~432KB per WritableDatabase; if you explicitly ask
  for 64K block size it'll be ~3.4MB.

  For a more typical WritableDatabase it's probably going to be more like half
  these numbers.

build system:

* Add --enable-werror configure option.

* configure: Only auto-enable -D_FORTIFY_SOURCE=2 if it works without
  additional libraries and remove the hard-coded block against using it
  on mingw.  Mingw-w64 v11.0.0 eliminated the requirement to link with -lssp
  and with this change we now auto-enable -D_FORTIFY_SOURCE=2 for it.

portability:

* swig-depcomp: Strip CR from generated files which fixes an issue in some
  cases when building from git on Microsoft Windows.

* We now avoid triggering SIGPIPE in library code on most platforms.

  On Unix-like platforms we want to avoid generating SIGPIPE when writing to a
  socket when the other end has been closed since signals break the
  encapsulation of what we're doing inside the library - either user code would
  need to handle the SIGPIPE, or we set a signal handler for SIGPIPE but that
  would handle *any* SIGPIPE in the process, not just those we might trigger,
  and that could break user code which expects to trigger and handle SIGPIPE.

  We don't need SIGPIPE since we can check errno==EPIPE instead (which is
  actually simpler to do).

  It seems all current Unix-like platforms now support SO_NOSIGPIPE or
  MSG_NOSIGNAL, so currently we just fall back to setting SIGPIPE to SIG_IGN.
  If there are actually current platforms which have SIGPIPE without
  SO_NOSIGPIPE or MSG_NOSIGNAL then we can look at other ways to avoid
  generating the signal.

* Avoid MSVC warning C4312 which is a reasonable warning in general, but in
  this case we checked that the value wasn't truncated when cast to an int.

* Use TEST_EQUAL_DOUBLE in netstats1 testcase which fixes testcase failure on
  FreeBSD.

* Address GCC13 -Wredundant-move warnings.  In 1.4.10 we added std::move()
  here to address clang warnings from -Wreturn-std-move (enabled by -Wall).
  Just removing the std::move() reintroduces those warning with clang 8 and
  clang 11 (but not clang 13 or later) but changing to apply a static_cast
  to the returned type seems to make all versions of both compilers happy.

* Fix build with UCRT64 variant of mingw-w64 by stopping defining
  __MSVCRT_VERSION__ by default.  It looks like doing so hasn't been needed
  since 2015.

* Add workaround for testsuite failures under Wine where attempting to unlink a
  stub file sometimes fails with errno == EACCES and _doserrno ==
  ERROR_SHARING_VIOLATION.  This is what you'd get if the file was still open,
  but we've already closed it.  Sleeping for a second and retrying makes it
  work, so we now do that.  It'd be better to get to the bottom of what's going
  on, but I've run out of ideas and this workaround is only in the testharness
  at least.

debug code:

* xapian-inspect:

  + `goto` and `until` now go to the entry *after* the specified key if there's
    no exact match, which seems more natural.

  + New `count" command.  This is actually just the same as `until` which
    already reports a count of the number of entries advanced by, except that
    `count` suppresses printing each entry.

Lua:

* Use pkg-config for Lua flags instead of some rather ad-hoc configure probes.
  This improves portability to platforms which require linking to a Lua
  library, or which install the Lua headers directly without a versioned
  containing directory.

PHP8:

* Update configure probe PHP_LIBS on cygwin.  Based on patch found in cygwin
  packaging, authored by Yaakov Selkowitz.

Tcl:

* Fix to handle the case of tcl_pkgPath not existing, which happens on
  Microsoft Windows builds of Tcl.

* run-tcl-test: Fix not to hardcode smoketest.tcl and instead run the program
  specified on the command line.

* Use TCL_SHLIB_EXT for the installed extension which is what Tcl expects.
  Previously the installed Tcl extension used the filename extension that
  libtool thinks is right for modules on the current platform.  We're not
  currently aware of platform where these actually differ, so this may be just
  a latent bug.

* Improve configure probe for stub library to work if the tclConfig.sh we find
  forwards to a different script, as is the case with /usr/lib/tclConfig.sh on
  current Debian.  On Debian at least our method for finding the tclConfig.sh
  to use doesn't find such a forwarding script, but it seems better to be
  robust to this.

* Eliminate special cygwin handling which is no longer needed.

Bump junit-platform-launcher, actions/checkout.

nfstrace: add the basics. Needs PLIST, at least.

Align whitespace for previous.

Alpine needs linux-headers for at least OpenSSL.

Remove CentOS 7 and 8.

pkgvm-freebsd13-amd64: bump RAM to 2g.

doc: Updated devel/swagger-codegen to 3.0.50

swagger-codegen: update to 3.0.50. Changes:

- Update dependencies (#12254)
- Escape quotes in paths (#12257)
- Replace vars with defaults in server evaluation (#10565, #12259)
- Bump codegen v1 to 2.4.36 (#12263)
- Update swagger-generator docker image to 9.2 (#12253)

Bump Kotlin, Detekt.

Add Dependabot config.

Revert previous, Dependabot requires thought.

pkgbuild: bootstrap: sprinkle sudo.

doc: Updated mail/getmail to 5.16nb4

doc: Updated mail/getmail6 to 6.18.13nb1

doc: Updated www/lighttpd to 1.4.73

getmail6: avoid conflicts with getmail. Bump PKGREVISION.

getmail: avoid conflicts with getmail6. Bump PKGREVISION.

lighttpd: update to 1.4.73.

From the changelog:

* [core] add .mkv to mimetype.assign builtin defaults
* [core] warn if out-of-range value for config short
* [mod_openssl] set default curves for ossl < 1.1.0
* [mod_h2] parse HEADERS flags sooner
* [mod_h2] check send window before defer frame rd
* [mod_h2] send GOAWAY to excessive request flood
* [mod_h2] h2_parse_headers_frame() adjust args
* [mod_h2] h2_recv_headers() parse trailers earlier
* [mod_h2] discard new streams after GOAWAY sent
* [mod_h2] h2_discard_headers() to HPACK-decode hdrs
* [core] parse entire server.http-parseopts list
* [mod_wstunnel] Sec-WebSocket-Protocol only if req hdr
* [mod_h2] disable h2proto if mod_h2 was not found
* [core] omit dlopen trace for mod_h2, mod_deflate
* [mod_h2] defer input parsing if large output queue
* [mod_h2] defer frame handling if stream pend close
* [mod_h2] detect and log HTTP/2 rapid reset attack
* [core] honor MBEDTLS_USE_PSA_CRYPTO for hash,rand
* [mod_mbedtls] honor MBEDTLS_USE_PSA_CRYPTO for rand
* [core] comment out li_rand_bytes() (unused)
* [mod_mbedtls] handle mbedtls 3.x partial write
* [mod_openssl] warn if openssl version < 3.0.0
* [mod_openssl] include openssl/hmac.h for boringssl

Bump Gradle, ben-manes.versions.

doc: Updated devel/swagger-codegen to 3.0.48

highlight: update to 4.9.

From the changelog:

- updated astyle lib to version 3.4.9
- added support for Elm (#237)
- added support for Factor (#239)
- added support for Cpp2
- updated c.lang to include module keywords
- fixed Lua nested string deprecation error (#238)

swagger-codegen: update to 3.0.48.

From the changelog:

- Update dependencies

doc: Updated textproc/libhighlight to 4.9

doc: Updated devel/goredo to 2.2.0

goredo: update to 2.2.0. From the changelog:

* Prefix target's output lines with the name of the target.

OpenBSD/i386 is now 7.4.

Fix previous.

OpenBSD/amd64 is now 7.4.

libowfat, nacl, qlogtools, service-config: take MAINTAINER.

(In the event they're ever updated upstream, this will help me notice.)

doc: Updated devel/p5-Cucumber-TagExpressions to 6.0.0

p5-Cucumber-TagExpressions: update to 6.0.0. From the changelog:

Fixed:
- [Perl] Include README.md and LICENSE in the release tarball

discount: take MAINTAINER (email timeout after a week).

doc: Updated devel/goredo to 2.1.0

goredo: update to 2.1.0. From the changelog:

* Mistakenly path to '.do' file was not absolute and OS can refuse to
  run it because it is not in '$PATH'.

* Huge quantity of performance optimisations.

* Fixed possible unexpected lock file closing.

* When resulting target has the same contents, it does not replace
  already existing one.  That was done previously.  But now it also
  copies the file's mode flags to the target (for example making it
  executable).

* If 'redo-*' command runs under control of another (top-level) redo,
  then it does not parse the flags as options and treat each argument
  as a target, allowing passing the targets with dashes in the
  beginning.

* Prevented possible concurrent stderr writing by multiple running
  targets.

* 'redo-depfix' command now always rewrites dependency files and
  calculates checksums of the files.

* Own binary format is used for dependency files ('.dep'), instead of
  recfile ('.rec') one.  It is several times smaller and much faster
  to parse.  You must run 'redo-depfix' to convert all existing
  '.redo/*.rec' files to that binary format.

* 'redo-dep2rec' command appeared, that can convert '.dep' to recfile
  on stdout.