Update to 3.0.40. From the changelog:

- switch generator-v3 docker image to ubi-minimal jre-17

doc: Updated devel/swagger-codegen to 3.0.40

Update to 3.0.39. From the changelog:

- fix set-output in GH workflows by @frantuma in #12032
- bump org.json:json and jersey versions (CVE-2022-45690,
  CVE-2021-28168) by @frantuma in #12033

doc: Updated devel/swagger-codegen to 3.0.39

Update to 3.0.38. From the changelog:

- add ENV disableOas31Resolve to dockerfile by @frantuma in #12026

doc: Updated devel/swagger-codegen to 3.0.38

Update to 4.2.0. From the changelog:

- Feature: mob.sh now starts a mob session with an empty commit to skip
  CI when creating a new remote branch for the session. The commit is
  squashed or dropped when `mob done` except for `--no-squash` option.

doc: Updated devel/mob to 4.2.0

Update to 3.0.37. From the changelog:

- Updated Swagger Core and Parser to latest release

doc: Updated devel/swagger-codegen to 3.0.37

Update to 1.30.0. From the changelog:

* Fixed wrong OOD-cache value of source file dependency.  Targets
  could be rebuilt without any reason.

doc: Updated devel/goredo to 1.30.0

Add and enable sheldon.

Add sheldon, a fast, configurable shell plugin manager. Features:

- Plugins from Git repositories
    - Branch / tag / commit support
    - Submodule support
    - First class support for GitHub repositories
    - First class support for Gists
- Arbitrary remote scripts or binary plugins
- Local plugins
- Inline plugins

doc: Added shells/sheldon version 0.7.1

Update to 2.11.2.0. From the changelog:

- Adaptation to skalibs-2.13.0.0.
- The name of the service is now passed as an argument to ./run and
  as the third argument to ./finish.
- The 1-second service restart delay can now only be skipped when
  the service is ready.
- New s6-log directive: p, to set a log line prefix.
- Implementation of instances! New programs: s6-instance-maker,
  s6-instance-create, s6-instance-delete, s6-instance-control,
  s6-instance-status, s6-instance-list.
- Bugfixes.

Update to 2.9.1.0. From the changelog:

- Adaptation to skalibs-2.13.0.0
- New program: eltest.
- New -a/-o options to wait (-o waits for one process only).
- wait now exits 99 on timeout.
- Bugfixes.

doc: Updated devel/skalibs to 2.13.0.0

doc: Updated lang/execline to 2.9.1.0

doc: Updated sysutils/s6 to 2.11.2.0

Provide compatibility defines for skalibs 2.13.0.0 and up.

Update to 0.0.1.2. From the changelog:

- Adaptation to skalibs-2.13.0.0.

Update to 1.27.39. From the changelog:

1.27.51
=======

* api-change:``billingconductor``: This release adds support for SKU
  Scope for pricing plans.
* api-change:``cloud9``: Added minimum value to AutomaticStopTimeMinutes
  parameter.
* api-change:``imagebuilder``: Add support for AWS Marketplace product
  IDs as input during CreateImageRecipe for the parent-image parameter.
  Add support for listing third-party components.
* api-change:``network-firewall``: Network Firewall now allows creation
  of dual stack endpoints, enabling inspection of IPv6 traffic.


1.27.50
=======

* api-change:``connect``: This release updates the responses of
  UpdateContactFlowContent, UpdateContactFlowMetadata,
  UpdateContactFlowName and DeleteContactFlow API with empty responses.
* api-change:``ec2``: Documentation updates for EC2.
* api-change:``outposts``: This release adds POWER_30_KVA as an option
  for PowerDrawKva. PowerDrawKva is part of the RackPhysicalProperties
  structure in the CreateSite request.
* api-change:``resource-groups``: AWS Resource Groups customers can now
  turn on Group Lifecycle Events in their AWS account. When you turn
  this on, Resource Groups monitors your groups for changes to group
  state or membership. Those changes are sent to Amazon EventBridge as
  events that you can respond to using rules you create.


1.27.49
=======

* api-change:``cleanrooms``: Initial release of AWS Clean Rooms
* api-change:``lambda``: Add support for MaximumConcurrency parameter
  for SQS event source. Customers can now limit the maximum concurrent
  invocations for their SQS Event Source Mapping.
* api-change:``logs``: Bug fix: logGroupName is now not a required field
  in GetLogEvents, FilterLogEvents, GetLogGroupFields, and
  DescribeLogStreams APIs as logGroupIdentifier can be provided instead
* api-change:``mediaconvert``: The AWS Elemental MediaConvert SDK has
  added support for compact DASH manifest generation, audio
  normalization using TruePeak measurements, and the ability to clip the
  sample range in the color corrector.
* api-change:``secretsmanager``: Update documentation for new
  ListSecrets and DescribeSecret parameters


1.27.48
=======

* api-change:``kendra``: This release adds support to new document types
  - RTF, XML, XSLT, MS_EXCEL, CSV, JSON, MD


1.27.47
=======

* api-change:``location``: This release adds support for two new route
  travel models, Bicycle and Motorcycle which can be used with Grab
  data source.
* api-change:``rds``: This release adds support for configuring
  allocated storage on the CreateDBInstanceReadReplica,
  RestoreDBInstanceFromDBSnapshot, and
  RestoreDBInstanceToPointInTime APIs.


1.27.46
=======

* bugfix:``codeartifact login``: Fix parsing of dotnet output for aws
  codeartifact login command; fixes `#6197
  <https://github.com/aws/aws-cli/issues/6197>`__
* api-change:``ecr-public``: This release for Amazon ECR Public makes
  several change to bring the SDK into sync with the API.
* api-change:``kendra-ranking``: Introducing Amazon Kendra Intelligent
  Ranking, a new set of Kendra APIs that leverages Kendra semantic
  ranking capabilities to improve the quality of search results from
  other search services (i.e. OpenSearch, ElasticSearch, Solr).
* api-change:``network-firewall``: Network Firewall now supports the
  Suricata rule action reject, in addition to the actions pass, drop,
  and alert.
* api-change:``ram``: Enabled FIPS aws-us-gov endpoints in SDK.
* api-change:``workspaces-web``: This release adds support for a new
  portal authentication type: AWS IAM Identity Center (successor to AWS
  Single Sign-On).


1.27.45
=======

* api-change:``acm-pca``: Added revocation parameter validation: bucket
  names must match S3 bucket naming rules and CNAMEs conform to RFC2396
  restrictions on the use of special characters in URIs.
* api-change:``auditmanager``: This release introduces a new data
  retention option in your Audit Manager settings. You can now use the
  DeregistrationPolicy parameter to specify if you want to delete your
  data when you deregister Audit Manager.


1.27.44
=======

* api-change:``amplifybackend``: Updated GetBackendAPIModels response to
  include ModelIntrospectionSchema json string
* api-change:``apprunner``: This release adds support of securely
  referencing secrets and configuration data that are stored in Secrets
  Manager and SSM Parameter Store by adding them as environment secrets
  in your App Runner service.
* api-change:``connect``: Documentation update for a new Initiation
  Method value in DescribeContact API
* api-change:``emr-serverless``: Adds support for customized images. You
  can now provide runtime images when creating or updating EMR
  Serverless Applications.
* api-change:``lightsail``: Documentation updates for Amazon Lightsail.
* api-change:``mwaa``: MWAA supports Apache Airflow version 2.4.3.
* api-change:``rds``: This release adds support for specifying which
  certificate authority (CA) to use for a DB instance's server
  certificate during DB instance creation, as well as other CA
  enhancements.


1.27.43
=======

* api-change:``application-autoscaling``: Customers can now use the
  existing DescribeScalingActivities API to also see the detailed and
  machine-readable reasons for Application Auto Scaling not scaling
  their resources and, if needed, take the necessary corrective actions.
* api-change:``logs``: Update to remove sequenceToken as a required
  field in PutLogEvents calls.
* api-change:``ssm``: Adding support for QuickSetup Document Type in
  Systems Manager


1.27.42
=======

* api-change:``securitylake``: Allow CreateSubscriber API to take string
  input that allows setting more descriptive SubscriberDescription
  field. Make souceTypes field required in model level for
  UpdateSubscriberRequest as it is required for every API call on the
  backend. Allow ListSubscribers take any String as nextToken param.


1.27.41
=======

* api-change:``cloudfront``: Extend response headers policy to support
  removing headers from viewer responses
* api-change:``iotfleetwise``: Update documentation - correct the epoch
  constant value of default value for expiryTime field in
  CreateCampaign request.


1.27.40
=======

* api-change:``apigateway``: Documentation updates for Amazon API
  Gateway
* api-change:``emr``: Update emr command to latest version
* api-change:``secretsmanager``: Added owning service filter, include
  planned deletion flag, and next rotation date response parameter in
  ListSecrets.
* api-change:``wisdom``: This release extends Wisdom CreateContent and
  StartContentUpload APIs to support PDF and MicrosoftWord docx document
  uploading.

Update to 1.29.0. From the changelog:

* Fix possible error when two always-ed targets are run
  simultaneously.
* Updated dependant libraries.

Update to 2.2.5.1. From the changelog:

- Adaptation to skalibs-2.13.0.0.
- s6-test is now deprecated: replaced with execline's eltest.
- Bugfixes.

Update to 2.3.5.5. From the changelog:

- Adaptation to skalibs-2.13.0.0.
- Workarounds for broken DNS caches.
- Bugfixes.

Update to 2.5.1.2. From the changelog:

- Adaptation to skalibs-2.13.0.0.
- Bugfixes.

Update to 3.7.0. From the upstream LibreSSL changelog:

3.5.3:
  * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
    the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
    reporting the issue and testing the fix.

3.6.0:
 * Internal improvements
   - Avoid expensive RFC 3779 checks during cert verification.
   - The templated ASN.1 decoder has been cleaned up, refactored,
     modernized with parts rewritten using CBB and CBS.
   - The ASN.1 time parser has been rewritten.
   - Rewrite and fix ASN1_STRING_to_UTF8().
   - Use asn1_abs_set_unused_bits() rather than inlining it.
   - Simplify ec_asn1_group2curve().
   - First pass at a clean up of ASN1_item_sign_ctx()
   - ssl_txt.c was cleaned up.
   - Internal function arguments and struct member have been changed
     to size_t.
   - Lots of missing error checks of EVP API were added.
   - Clean up and clarify BN_kronecker().
   - Simplify ASN1_INTEGER_cmp()
   - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
     the ASN1_INTEGER functions for ASN1_ENUMERATED.
   - Use ASN1_INTEGER to parse and build {Z,}LONG_it
   - Refactored and cleaned up group (elliptic curve) handling in
     t1_lib.c.
   - Simplify certificate list handling code in the legacy server.
   - Make CBB_finish() fail if *out_data is not NULL.
   - Remove tls_buffer_set_data() and remove/revise callers.
   - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
   - Simplify tlsext_supported_groups_server_parse().
   - Remove redundant length checks in tlsext parse functions.
   - Simplify tls13_server_encrypted_extensions_recv().
   - Add read and write support to tls_buffer.
   - Convert TLS transcript from BUF_MEM to tls_buffer.
   - Clear key on exit in PKCS12_gen_mac().
   - Minor fixes in PKCS12_parse().
   - Provide and use a primitive clear function for BIGNUM_it.
   - Use ASN1_INTEGER to encode/decode BIGNUM_it.
   - Add stack frames to AES-NI x86_64 assembly.
   - Use named initialisers for BIGNUMs.
   - Tidy up some of BN_nist_mod_*.
   - Expand BLOCK_CIPHER_* and related macros.
   - Avoid shadowing the cbs function parameter in
     tlsext_alpn_server_parse()
   - Deduplicate peer certificate chain processing code.
   - Make it possible to signal an error from an i2c_* function.
   - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
   - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
   - Remove bogus length checks from EVP_aead_chacha20_poly1305().
   - Reworked DSA_size() and ECDSA_size().
   - Stop using CBIGNUM_it internal to libcrypto.
   - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
     asn1_c2i_primitive().
   - Ensure ASN.1 types are appropriately encoded.
   - Avoid recycling ASN1_STRINGs when decoding ASN.1.
   - Tidy up asn1_c2i_primitive() slightly.
   - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
     BLOCK_CIPHER and the looney M_do_cipher macros.
   - Use correct length for EVP CFB mode ciphers.
   - Provide a version of ssl_msg_callback() that takes a CBS.
   - Use CBS to parse TLS alerts in the legacy stack.
   - Increment the input and output position for EVP AES CFB1.
   - Ensure there is no trailing data for a CCS received by the
     TLSv1.3 stack.
   - Use CBS when procesing a CCS message in the legacy stack.
   - Be stricter with middlebox compatibility mode in the TLSv1.3
     server.
 * Compatibility changes
   - The ASN.1 time parser has been refactored and rewritten using CBS.
     It has been made stricter in that it now enforces the rules from
     RFC 5280.
   - ASN1_AFLG_BROKEN was removed.
   - Error check tls_session_secret_cb() like OpenSSL.
   - Added ASN1_INTEGER_{get,set}_{u,}int64()
   - Move leaf certificate checks to the last thing after chain
     validation.
   - Added -s option to openssl(1) ciphers that only shows the ciphers
     supported by the specified protocol.
   - Use TLS_client_method() instead of TLSv1_client_method() in
     the openssl(1) ciphers command.
   - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
   - Made TS and PKCS12 opaque.
   - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
   - Align PKCS12_key_gen_uni() with OpenSSL
   - Various PKCS12 and TS accessors were added. In particular, the
     TS_RESP_CTX_set_time_cb() function was added back.
   - Allow a NULL header in PEM_write{,_bio}()
   - Allow empty attribute sets in CSRs.
   - Adjust signatures of BIO_ctrl functions.
   - Provide additional defines for EVP AEAD.
   - Provide OPENSSL_cleanup().
   - Make BIO_info_cb() identical to bio_info_cb().
 * Bug fixes
   - Avoid use of uninitialized in BN_mod_exp_recp().
   - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
     set on X509_get_purpose() failure.
   - Fix HMAC() with NULL key.
   - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
   - Avoid strict aliasing violations in BN_nist_mod_*().
   - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
     No return value of X509_check_ca() indicates failure. Application
     code should therefore issue a checked call to X509_check_purpose()
     before calling X509_check_ca().
   - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
     valid input.
   - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
   - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
   - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
   - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
   - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
   - Do not reject primes in trial divisions.
   - Error out on negative shifts in BN_{r,l}shift() instead of
     accessing arrays out of bounds.
   - Fix URI name constraints, allow for URI's with no host part.
   - Fix the legacy verifier callback behaviour for untrusted certs.
   - Correct serfver-side handling of TLSv1.3 key updates.
   - Plug leak in PKCS12_setup_mac().
   - Plug leak in X509V3_add1_i2d().
   - Only print X.509 versions we know about.
   - Avoid signed integer overflow due to unary negation
   - Initialize readbytes in BIO_gets().
   - Plug memory leak in CMS_add_simple_smimecap().
   - Plug memory leak in X509_REQ_print_ex().
   - Check HMAC() return value to avoid a later use of uninitialized.
   - Avoid potential NULL dereference in ssl_set_pkey().
   - Check return values in ssl_print_tmp_key().
   - Switch loop bounds from size_t to int in check_hosts().
   - Avoid division by zero if no connection was made in s_time.c.
   - Check sk_SSL_CIPHER_push() return value
   - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
   - Use LONG_MAX as the limit for ciphers with long based APIs.
 * New features
   - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
   - The security level API (SSL_{,CTX}_{get,set}_security_level()) is
     now available. Callbacks and ex_data are not supported. Sane
     software will not be using this.
   - Experimental support for the BoringSSL QUIC API.
   - Add initial support for TS ESSCertIDv2 verification.
   - LibreSSL now uses the Baillie-PSW primality test instead of
     Miller-Rabin .

3.6.1:
 - Custom verification callbacks could cause the X.509 verifier to
   fail to store errors resulting from leaf certificate verification.
     Reported by Ilya Shipitsin.
 - Unbreak ASN.1 indefinite length encoding.
     Reported by Niklas Hallqvist.
 - Fix endian detection on macOS
     Reported by jiegec on Github

3.7.0:
    * Internal improvements
      - Remove dependency on system timegm() and gmtime() by replacing
        traditional Julian date conversion with POSIX epoch-seconds date
        conversion from BoringSSL.
      - Clean old and unused BN code dealing with primes.
      - Start rewriting name constraints code using CBS.
      - Remove support for the HMAC PRIVATE KEY.
      - Rework DSA signing and verifying internals.
      - First few passes on cleaning up the BN code.
      - Internal headers coming from OpenSSL are all called *_local.h now.
      - Rewrite TLSv1.2 key exporter.
      - Cleaned up and refactored various aspects of the legacy TLS stack.
    * Compatibility changes
      - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
        various corner cases. More work is needed here.
    * Bug fixes
      - Add EVP_chacha20_poly1305() to the list of all ciphers.
      - Fix potential leaks of EVP_PKEY in various printing functions
      - Fix potential leak in OBJ_NAME_add().
      - Avoid signed overflow in i2c_ASN1_BIT_STRING().
      - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
      - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
      - Fix segfaults in BN_{dec,hex}2bn().
      - Fix NULL dereference in x509_constraints_uri_host() reachable only
        in the process of generating certificates.
      - Fixed a variety of memory corruption issues in BIO chains coming
        from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
      - Avoid potential divide by zero in BIO_dump_indent_cb()
    * Documentation improvements
      - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
      - The BN documentation is now considered to be complete.
    * Testing and Proactive Security
      - As always, new test coverage is added as bugs are fixed and
        subsystems are cleaned up.
      - Many old tests rewritten, cleaned up and extended.
    * New features
      - Added Ed25519 support both as a primitive and via OpenSSL's EVP
        interfaces.
      - X25519 is now also supported via EVP.
      - The OpenSSL 1.1 raw public and private key API is available with
        support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
        Poly1305 is not currently supported via this interface.

doc: Updated devel/goredo to 1.29.0

doc: Updated mail/smtpd-starttls-proxy to 0.0.1.2

doc: Updated misc/s6-portable-utils to 2.2.5.1

doc: Updated net/py-awscli to 1.27.51

doc: Updated net/s6-dns to 2.3.5.5

doc: Updated net/s6-networking to 2.5.1.2

doc: Updated security/libretls to 3.7.0

Update to 20230101. From the changelog:

- LICENCE update from public-domain to CC0
  public domain works differently depending on the country, to avoid it,
  set explicitly CC0

Update to 20230101. From the changelog:

20230101:
- removed duplicit crypto_scalarmult_curve25519.* implementation and
  used X25519 from bearssl library
- randombytes: rollback to /dev/urandom variant only
- Makefile: removed bearssl target

20221229:
- fixed parallel build

20221227:
- LICENCE updated from public-domain to CC0
- updated examples and linked examples.md from README.md
- added more error log messages when proxy-protocol is used

doc: Updated net/dq to 20230101

doc: Updated security/tlswrapper to 20230101

TODO: suggest Frescobaldi and EndBASIC.

doc: Updated pkgtools/rc.d-boot to 20221225

rc.d-boot: fix references to rc.subr in previous (it will have gotten
installed to ${SYSCONFBASE}, not necessarily the same as
${PKG_SYSCONFDIR}). UNPRIVILEGED still works, says triaxx@. Bump
version.

Add and enable asdf.

Add and enable gng.

Add and enable swagger-codegen.

Add gng, a tool to run (or create) each project's own Gradle wrapper.

GNG is a script that automatically search your gradlew when you are
inside your Gradle project and execute it. It also contains an official
Gradle wrapper. You can create gradle projects from scratch without
installing Gradle.

This is originally inspired by gdub and gradlew-bootstrap.

Add swagger-codegen, for generating clients, server stubs, and docs from
an OpenAPI spec.

swagger-codegen contains a template-driven engine to generate
documentation, API clients and server stubs in different languages by
parsing your OpenAPI / Swagger definition.

Indent.

Update to 1.14.2. From the changelog:


## v1.14.2 (2022-11-11)

### 1. Enhancements

#### Elixir

  * [Code] Add `Code.eval_quoted_with_env/4` with support for the
    `:prune_binding` option

#### ExUnit

  * [ExUnit.Case] Allow test cases to not be registered on use
  * [ExUnit.DocTest] Include `:doctest` and `:doctest_line` as meta tags
  * [ExUnit.Formatter] Expose `ExUnit.Formatter.format_assertion_diff/4`

#### Mix

  * [Mix] `Mix.install/2` accepts atoms as paths

### 2. Bug fixes

#### Elixir

  * [Code.Formatter] Fix `size*unit` shortcut in bitstring
  * [Kernel] Generate unique variables for macro expansion of `defguard`
  * [Protocol] Expand `:for` in protocols with the appropriate env

#### ExUnit

  * [ExUnit] Do not run duplicate cases on `ExUnit.run/1`

#### Mix

  * [mix test] Ensure proper error message when there is no test directory


## v1.14.1 (2022-10-10)

### 1. Enhancements

#### Elixir

  * [Kernel] Perform partial expansion of literals in module attributes
  * [Kernel] Do not add compile-time dependencies for literals as
    defaults in `Application.compile_env/3` inside module attributes
  * [Macro] Add `Macro.expand_literals/2` and `Macro.expand_literals/3`
  * [System] Add `:close_stdin` to `System.shell/2`

#### Mix

  * [mix test] Accept `--all-warnings` option

## 2. Bug fixes

#### Elixir

  * [Kernel] Fix misleading warning when `:uniq` is given in `for`
    comprehensions and the result is unused
  * [Kernel] Improve error message for when there is a conflicting
    struct and ignoring module conflict
  * [Kernel] Do not delete `@enforce_keys` attribute after `defstruct`
    declaration
  * [Kernel] Do not crash the checker on modules with missing
    `:debug_info` chunk
  * [Macro] Fix error in `Macro.to_string/2` when converting an AST with
    `:erlang.binary_to_atom/2`
  * [String] Fix `String.split/3` and `String.next_grapheme/1` returning
    invalid results on invalid UTF-8 encoding
  * [System] Do not close stdin by default in `System.shell/2`
  * [URI] Do not return `uri.port` as `:undefined` in certain cases in
    `URI.new/1`

#### ExUnit

  * [ExUnit.DocTest] Do not crash when both `:moduledoc` and functions
    are specified in `:only`

#### IEx

  * [CLI] Fix invalid argument handling when `--no-pry` is given

#### Mix

  * [mix format] Do not cache inputs from `.formatter.exs` so they are
    properly re-evaluted on every call

Update to 25.2 to match lang/erlang.

Update to 25.2. From the changelog:

Potential incompatibilities:
- The inet:setopts/2 {reuseaddr, true} option will now be ignored on
  Windows unless the socket is an UDP socket. For more information see
  the documentation of the reuseaddr option part of the documentation of
  inet:setopts/2. Prior to OTP 25 the {reuseaddr, true} option was
  ignored for all sockets on Windows, but as of OTP 25.0 this was
  changed so that it was not ignored for any sockets.

Update to 3.11.5. From the changelog:

3.11.5:

## Changes Worth Mentioning

### Core Server

#### Enhancements

 * Backported a number of free disk space monitor resiliency improvements.
   GitHub issue: #5831

 * `raft.adaptive_failure_detector.poll_interval` exposes [`aten`]()'s
   `poll_interval` setting to RabbitMQ users. Increasing it can reduce
   the probability of false positives in clusters where inter-node
   communication links are used at close to maximum capacity. The
   default is `5000` (5 seconds). GitHub issue: #6632

 * When both `disk_free_limit.relative` and `disk_free_limit.absolute`,
   or both `vm_memory_high_watermark.relative` and
   `vm_memory_high_watermark.absolute` are set, the absolute settings
   will now take precedence. GitHub issue: #4980

 * Closing channels will now log a warning if they had any messages
   pending a confirmation from the server. GitHub issue: #1399

 * New quorum queue option for in-memory table (MemTable) compression.
   GitHub issue: #6590

 * Default queue type (a virtual host setting) is now applied when
   importing definitions into a single virtual host. GitHub issue: #6599

#### Bug Fixes

 * Feature flags provided by plugins were mistakingly disabled after
   node restart. GitHub issue: #6500

 * Classic queues with Single Active Consumer enabled could run into an
   exception. GitHub issue: #6502

 * When a global parameter was cleared, nodes emitted an internal event
   of the wrong type. GitHub issue: #6538


### CLI Tools

#### Bug Fixes

 * `rabbitmq-queues grow` and `rabbitmq-queues shrink` misformatted the
   errors they could encounter. GitHub issue: #6601

#### Enhancements

 * Implicit `help` command (when CLI tools were invoked without a
   command name) now respects all global flags (such as `--node`). For
   example, previously the `--node` flag in

       rabbitmqctl --node rabbit@ns1.rabbitmq.cluster.local

   was ignored but now CLI tools would discover what plugins are enabled
   on node `rabbit@ns1.rabbitmq.cluster.local` and include them into
   `help` output. GitHub issue: #6598

 * New key supported by `rabbitmqctl list_queues`:
   `effective_policy_definition` that returns merged definitions of
   regular and operator policies effective for the queue. GitHub
   issue: #6556

### Management Plugin

#### Enhancements

 * It is now possible to omit explicitly specifying queue type when
   declaring a queue (or stream) in the management UI, and rely on the
   default queue type configured for the selected virtual host. GitHub
   issue: #6600

 * New HTTP API endpoint, `GET /api/config/effective`, returns effective
   node configuration. This is an HTTP API counterpart of
   `rabbitmq-diagnostics environment`. GitHub issue: #6016

### Shovel Plugin

#### Enhancements

 * Flow control state for Shovels is now reported with higher fidelity
   (of 1 second vs. several seconds previously). This means it should be
   easier to spot Shovels that run into flow control using management
   UI. GitHub issue: #6615

### Sharding Plugin

#### Bug Fixes

 * Plugin could fail to boot and halt node boot due to incorrect boot
   step metadata. GitHub issue: #6583

## Dependency Upgrades

 * `ra` was upgraded from `2.4.1` to `2.4.5`.


3.11.4:

## Changes Worth Mentioning

### Core Server

#### Enhancements

 * Import of definition files with many streams is now more efficient.
   GitHub issue: #6436

 * Lower CPU throughput in clusters with many mostly idle streams.
   GitHub issue: #6436

 * Streams with `max_age` retention now attempt to reclaim disk space
   every hour. This is relevant in environments with a lot of mostly
   inactive streams that set `max_age`. GitHub issue: #6436

 * Quorum queues are now more resilient to WAL log growth with workloads
   that involve clients that register a consumer and then close the
   channel or connection without ever consuming any deliveries or
   cancelling the consumer. GitHub issue: #6447

#### Bug Fixes

 * When a node encouters an invalid `definitions.local.file` on boot,
   it will refuse to start instead of ignoring the file. GitHub
   issue: #2610

 * Fixed a type analyzer definition. GitHub issue: #6401


### CLI Tools

#### Enhancements

 * `rabbitmq-diagnostics check_if_node_is_quorum_critical` and
   `rabbitmq-upgrade await_online_quorum_plus_one` now consider stream
   (not just quorum queues) replica placement when determining if target
   node is quorum-critical. GitHub issue: #6448

 * Queue info keys now support more inclusive property names related to
   (deprecated) classic mirrored queues. For example, `mirror_pids` can
   now be used instead of `slave_pids`. GitHub issue: #2635

 * `rabbitmq-diagnostics memory_breakdown` now executes significantly
   faster in environments with a large number (say, tens or hundreds of
   thousands) of quorum queues. Two orders of magnitude faster, in fact.
   GitHub issue: #6388

#### Bug Fixes

 * Definition export in JSON failed on nodes that used
   `definitions.skip_if_unchanged`. GitHub issue: #6424

 * Using quorum queue-specific commands on streams now results in
   clearer error messages. GitHub issue: #6488


### LDAP Plugin

#### Bug Fixes

 * LDAP server password could end up in the logs in certain types of
   exceptions. GitHub issue: #4842


### STOMP Plugin

#### Enhancements

  * `x-max-age` stream setting now can be set by STOMP clients via a
    header. GitHub issue: #5003


## Dependency Upgrades

 * `osiris` was upgraded from `1.3.3` to `1.4.0`

Update to 6.2. From the changelog:

Merge pull requests:
pdewacht#107 Added DCP-7070DW; Thanks Jan Musinsky
pdewacht#133 Fixed MFC-7460DN; Thanks Peter Ye
pdewacht#169 Changed Code; Thanks Thomas Nixon

Added additional Brother printer entries:
HL-L5000D series
HL-L2370DN series
DCP-7070DW
DCP-8065DN

Errors Fixed:
Fix the ppd file name for the MFC-7460DN, changed from br7365dn.ppd to
br7460dn.ppd

Code Changes:
Explicitly disable duplex in PCL \033&l0S.

Issues Resolved:
The HL-L2350DW printer continued to duplex even when disabled, but every
other page was garbled. Thanks to Thomas Nixon for the fix.

doc: Added devel/asdf version 0.11.0

doc: Added devel/gng version 1.0.3

doc: Added devel/swagger-codegen version 3.0.36

doc: Updated lang/elixir to 1.14.2

doc: Updated lang/erlang to 25.2

doc: Updated lang/erlang-doc to 25.2

doc: Updated lang/erlang-man to 25.2

doc: Updated net/rabbitmq to 3.11.5

doc: Updated print/brlaser to 6.2

pkgsrc-cpus: cover the remaining platforms.

On NetBSD, set MAKE_JOBS from sysctl hw.ncpus.

Indent.

Update to 1.18.18. From the changelog:

1.18.18:
- Replace deprecated egrep with grep -E. Thanks, Sam James
- Added support for Void Linux's xbps package manager. Thanks,
  Zev Weiss.

1.18.17:
- Fix committing of files with spaces in name when perl is not
  available. Thanks, Henrik Riomar
- Ignore udev's FHS violating large binary cache file /etc/udev/hwdb.bin
- Avoid warning messages from grep about binary files when there are
  filenames in /etc that do not correspond to the current locale
  settings. Thanks, thm

pkgsrc changes:
- Adjust installed bash-completion location to match other packages
- Use MAKE_DIRS instead of OWN_DIRS so unchanged files are uninstalled
- Take MAINTAINER

doc: Updated sysutils/etckeeper to 1.18.18

BUILDVM-TODO: update status.

buildvm-mk: accept ruby-license.

buildvm-mk: disable xcb option by default.

Update to 4.6.0. From the changelog:

- Fix warning on signedness of the ONE constant.  Thanks: Marek Vasut.
- Add note to conf-cc about how to silence gcc's incorrect warning
  "suggest parentheses around assignment". Thanks: Marek Vasut.
- Fix overflow in output for reported address.  Thanks: Marek Vasut.
- Add note about randomizing values used at runtime by seeding PRNG.
  Disabled by default for reproducibility.

doc: Updated sysutils/memtester to 4.6.0

Update to 4.2.2. From the changelog:

Bugfixes:
- Fixed problem with replay delay control in the UI, which did not work
  in locales with "," as decimal point.
- Fixed UI bug where scrolling in the Running tab ended up scrolling
  numeric values if the cursor was there.

Update to 8.0.0. From the changelog:

- Rename 'Throttle' to 'Limit'

Update to 8.0.0. No changes other than the version bump, but updating
because this is usually tightly coupled with py-approvaltests.

doc: Updated devel/py-approval-utilities to 8.0.0

doc: Updated devel/py-approvaltests to 8.0.0

doc: Updated devel/texttest to 4.2.2

Try parallel builds, except where it looks broken.

Mark MAKE_JOBS_SAFE=no (likely fixes NetBSD-current bulk build).

Add trn-license for latest editors/ce.

REPLACE_BASH *.sh one subdirectory further, fixing

- src/crypto/internal/boring/build.sh
- src/go/doc/comment/mkstd.sh

when ${PREFIX} != "/usr/pkg".

Avoid extracting the vendored discount library. We don't use it at all
(instead buildlinking textproc/discount), and it sometimes contains
macOS xattrs that break extraction as root on other systems.

Fixes "Cannot restore extended attributes: com.apple.quarantine
com.apple.quarantine" seen with pkg_comp(8) on NetBSD/amd64 9.3.

Update to 7.4.0. Changes:

- Add dependency on py-typing-extensions
- [pkgsrc] Add missing dependency on py-empty-files

Update to 7.4.0. From the changelog:

Throttling of reporters after 5:
- To avoid too many diff tools being launched, ApprovalTests will stop
  launching after the 5th time. This is configurable in
  GenericDiffReporter.throttling_threshold

doc: Updated devel/py-approval-utilities to 7.4.0

doc: Updated devel/py-approvaltests to 7.4.0

Update to 3.8.6. From the changelog:

3.8.6:

** Bug

  * [[MNG-7432](https://issues.apache.org/jira/browse/MNG-7432)] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader
  * [[MNG-7433](https://issues.apache.org/jira/browse/MNG-7433)] - [REGRESSION] Multiple maven instances working on same source tree can lock each other
  * [[MNG-7441](https://issues.apache.org/jira/browse/MNG-7441)] - Update Version of (optional) Logback to Address CVE-2021-42550
  * [[MNG-7448](https://issues.apache.org/jira/browse/MNG-7448)] - Don't ignore bin/ otherwise bin/ in apache-maven module cannot be readded
  * [[MNG-7455](https://issues.apache.org/jira/browse/MNG-7455)] - [REGRESSION] IllegalStateException in SessionScope during guice injection in multithreaded build
  * [[MNG-7459](https://issues.apache.org/jira/browse/MNG-7459)] - Revert MNG-7347 (SessionScoped beans should be singletons for a given session)
  * [[MNG-7467](https://issues.apache.org/jira/browse/MNG-7467)] - [REGRESSION] Compilation failure with relocated transitive dependency
  * [[MNG-7487](https://issues.apache.org/jira/browse/MNG-7487)] - Fix deadlock during forked lifecycle executions
  * [[MNG-7493](https://issues.apache.org/jira/browse/MNG-7493)] - [REGRESSION] Resolving dependencies between submodules fails

** New Feature

  * [[MNG-7486](https://issues.apache.org/jira/browse/MNG-7486)] - Create a multiline message helper for boxed log messages

** Improvement

  * [[MNG-7445](https://issues.apache.org/jira/browse/MNG-7445)] - to refactor some useless code
  * [[MNG-7476](https://issues.apache.org/jira/browse/MNG-7476)] - Display a warning when an aggregator mojo is locking other mojo executions

** Task

  * [[MNG-7466](https://issues.apache.org/jira/browse/MNG-7466)] - Align Assembly Descriptor NS versions

** Dependency upgrade

  * [[MNG-7488](https://issues.apache.org/jira/browse/MNG-7488)] - Upgrade SLF4J to 1.7.36
  * [[MNG-7489](https://issues.apache.org/jira/browse/MNG-7489)] - Upgrade JUnit to 4.13.2
  * [[MNG-7490](https://issues.apache.org/jira/browse/MNG-7490)] - Upgrade Plexus Utils to 3.3.1

3.8.5:

** Bug

  * [[MNG-5180](https://issues.apache.org/jira/browse/MNG-5180)] - Versioning's snapshot version list is not included in metadata merge
  * [[MNG-5561](https://issues.apache.org/jira/browse/MNG-5561)] - Plugin relocation loses configuration
  * [[MNG-5982](https://issues.apache.org/jira/browse/MNG-5982)] - The POM for ... is invalid, transitive dependencies ... while property was overriden
  * [[MNG-6326](https://issues.apache.org/jira/browse/MNG-6326)] - Build continues when core extensions aren't found
  * [[MNG-6727](https://issues.apache.org/jira/browse/MNG-6727)] - Using version range in parent and CI Friendly Version fails
  * [[MNG-6802](https://issues.apache.org/jira/browse/MNG-6802)] - FileProfileActivator changes FileProfileActivator.exists which lets flattened resolveCiFriendliesOnly depending fail activating profile
  * [[MNG-7156](https://issues.apache.org/jira/browse/MNG-7156)] - Parallel build can cause issues between clean and forked goals
  * [[MNG-7335](https://issues.apache.org/jira/browse/MNG-7335)] - [Regression] Parallel build fails due to missing JAR artifacts in compilePath
  * [[MNG-7347](https://issues.apache.org/jira/browse/MNG-7347)] - SessionScoped beans should be singletons for a given session
  * [[MNG-7357](https://issues.apache.org/jira/browse/MNG-7357)] - All Maven Core JARs have unusual entry order
  * [[MNG-7362](https://issues.apache.org/jira/browse/MNG-7362)] - DefaultArtifactResolver has spurious "Failure detected" INFO log
  * [[MNG-7374](https://issues.apache.org/jira/browse/MNG-7374)] - Mutating RelocatedArtifact does not retain type
  * [[MNG-7386](https://issues.apache.org/jira/browse/MNG-7386)] - ModelMerger$MergingList is not serializable
  * [[MNG-7402](https://issues.apache.org/jira/browse/MNG-7402)] - BuildListCalculator never detaches the classloader
  * [[MNG-7417](https://issues.apache.org/jira/browse/MNG-7417)] - Several classes do not set properties properly for building requests

** New Feature

  * [[MNG-7395](https://issues.apache.org/jira/browse/MNG-7395)] - Support interpolation in extensions.xml
  * [[MNG-7407](https://issues.apache.org/jira/browse/MNG-7407)] - Introduce a ModelVersionProcessor component to make CI Friendly Versions pluggable

** Improvement

  * [[MNG-6960](https://issues.apache.org/jira/browse/MNG-6960)] - Use RuntimeInformation instead of reading properties
  * [[MNG-7349](https://issues.apache.org/jira/browse/MNG-7349)] - Limit relocation warning message to direct dependencies only
  * [[MNG-7380](https://issues.apache.org/jira/browse/MNG-7380)] - Don't log non-threadsafe warning if only building a single module
  * [[MNG-7381](https://issues.apache.org/jira/browse/MNG-7381)] - Shorten parallel builder thread name to artifactId, conditionally with groupId
  * [[MNG-7385](https://issues.apache.org/jira/browse/MNG-7385)] - Improve documentation on repository metadata
  * [[MNG-7400](https://issues.apache.org/jira/browse/MNG-7400)] - Allow more WorkspaceReaders to participate
  * [[MNG-7408](https://issues.apache.org/jira/browse/MNG-7408)] - Explain reporting plugin version automatic selection (in Maven 3)

** Dependency upgrade

  * [[MNG-7370](https://issues.apache.org/jira/browse/MNG-7370)] - Upgrade Maven Wagon to 3.5.1
  * [[MNG-7384](https://issues.apache.org/jira/browse/MNG-7384)] - Upgrade Maven JAR Plugin to 3.2.2
  * [[MNG-7428](https://issues.apache.org/jira/browse/MNG-7428)] - Upgrade Maven Parent to 35

3.8.4:

** Bug

  * [[MNG-7270](https://issues.apache.org/jira/browse/MNG-7270)] - Maven startup script (init) calls which(1) which is an external command
  * [[MNG-7285](https://issues.apache.org/jira/browse/MNG-7285)] - [Regression] MavenProject.getArtifacts() not returning correct value across multiple threads
  * [[MNG-7300](https://issues.apache.org/jira/browse/MNG-7300)] - [Regression] Reloading web application (Enter) fails due to java.lang.ClassNotFoundException

** Task

  * [[MNG-7312](https://issues.apache.org/jira/browse/MNG-7312)] - Revert ThreadLocal approach from MNG-6843 and MNG-7251

** Dependency upgrade

  * [[MNG-7331](https://issues.apache.org/jira/browse/MNG-7331)] - Upgrade Jansi to 2.4.0

doc: Updated devel/apache-maven to 3.8.6

Update to 4.1.1. From the changelog:

- Fix: mob showed the wrong executable name in windows
- Feature: mob.sh now makes use of `--push-option=ci.skip` when pushing
- Feature: mob.sh now warns you when your git version is too old

doc: Updated devel/mob to 4.1.1

README.Cygwin: if using git, make sure to checkout with Unix line endings.

Avoid needing additional dependency not yet in pkgsrc (or
still-experimental core feature). Bump PKGREVISION.

doc: Updated textproc/po4a to 0.68nb2

Update to 7.3.0. From the changelog:

- Doc: add CLI example

Update to 7.3.0. From the changelog:

MrJobApprovals accepts options:
- MrJobApprovals mistakenly did not allow you to pass options. It does
  now. This is an api change, hence the minor version bump.

doc: Updated devel/py-approval-utilities to 7.3.0

doc: Updated devel/py-approvaltests to 7.3.0

Update to 0.16. From the changelog:

- 3f9e817 clean up MANIFEST and dist clean target files
- eac211d update manifest files

doc: Updated textproc/p5-Text-Markdown-Discount to 0.16

From <URL:http://cr.yp.to/distributors.html>:

2022.11.15: I hereby place the serialmail package (in particular,
serialmail-0.75.tar.gz, with SHA-256 checksum
1825c911087f28692c3441d4f95747201c520a22575ab3e6132b5c14097038f3) into
the public domain. The package is no longer copyrighted.

Bump PKGREVISION for license change.

doc: Updated mail/serialmail to 0.75nb3

Update to 0.14. From the changelog:

- e191fde Add missing URL in POD @anirvan

Update to 1.28.0. From the changelog:

* Do not remove '.lock' files, that leads to possible races between
  running targets.  Although 'nncp-cleanup lock' can be used to
  cleanup.
* Updated dependant libraries.

Update to 2.2.7b. From the changelog:

- Declare missing dependencies for pandoc_headers to fix parallel make

Update to 4.4. From the changelog:

- added support for Zig
- added `Legacy` option in lsp.conf to add support for LSP servers
  without capabilities report
- removed apidocs target in makefile
- CLI: added `--ls-legacy` option
- GUI: added legacy checkbox in the LSP section

doc: Updated devel/goredo to 1.28.0

doc: Updated textproc/discount to 2.2.7b

doc: Updated textproc/highlight to 4.4

doc: Updated textproc/libhighlight to 4.4

doc: Updated textproc/p5-Text-Markdown-Discount to 0.14

doc: Updated textproc/p5-highlight to 4.4

Add script to generate stable/unique MAC per host.

Specify which non-root user has the stuff.

Follow the default PKGSRC_USE_MKTOOLS=auto.

Reorganize default options. NFCI.

pkgsrc-vbox: Tribblix moved to qemu.

Oops, commit sums for new patch filenames.

Remove vestige of the tty-vs-x11 dualism from DESCR.

Missed a removal in previous.

Note removal (and successor) of ce-{doc,x11}.

Remove stray comment.

Retire ce-doc and ce-x11 packages.

Update to 4.8. No changelog. From the diffs:

- Update maintainer email address
- Regenerate with Autoconf 2.61
- Remove --with-purify configure option
- Remove old malloc
- Improve build system
- Remove TODO
- Sprinkle missing return types
- Fix bugs

pkgsrc changes:

- Specify license
- Merge ce-doc (always installed) and ce-x11 (with the 'x11' option)
  into this package
- Remove MAKE_JOBS_SAFE=no (seems fine)
- Comment patches and modernize patch filenames

doc: Updated editors/ce to 4.8

Fix macOS build with the 13.0 SDK, which has its own definition of
__deprecated__.

Fix packaging after recent py-sphinx update.

Update to 3.5.2. From the changelog:

- tls_signer: Replace ECDSA_METHOD with EC_KEY_METHOD
- doc: Note OpenSSL 3.0.0 compatibility in README

From the upstream LibreSSL changelog for 3.5.0:

* New Features
   - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
     regression tests were added and the code was cleaned up.
   - Certificate Transparency was ported from OpenSSL. Many internal
     improvements were made, resulting in cleaner and safer code.
     Regress coverage was added. libssl does not yet make use of it.
* Portable Improvements
   - Fixed various POSIX compliance and other portability issues
     found by the port to the Sortix operating system.
   - Add libmd as platform specific libraries for Solaris.
     Issue reported from (ihsan <at> opencsw org) on libressl ML.
   - Set IA-64 compiler flag only if it is HP-UX with IA-64.
     Suggested from Larkin Nickle (me <at> larbob org) by libressl ML.
   - Enabled and scheduled Coverity scan.
     Contributed by Ilya Shipitsin (chipitsine <at> gmail com> on github.
* Compatibility Changes
   - Most structs that were previously defined in the following headers
     are now opaque as they are in OpenSSL 1.1:
     bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
     x509.h, x509v3.h, x509_vfy.h
   - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
     OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
     of using something consistent with the previous naming. Various
     test suites expect these names (instead of checking for the much
     more sensible cipher numbers). The old names are still accepted
     as aliases.
   - Subject alternative names and name constraints are now validated
     when they are added to certificates. Various interoperability
     problems with stacks that validate certificates more strictly
     than OpenSSL can be avoided this way.
   - Attempt to opportunistically use the host name for SNI in s_client
* Bug fixes
   - In some situations, the verifier would discard the error on an
     unvalidated certificate chain. This would happen when the
     verification callback was in use, instructing the verifier to
     continue unconditionally. This could lead to incorrect decisions
     being made in software.
   - Avoid an infinite loop in SSL_shutdown()
   - Fix another return 0 bug in SSL_shutdown()
   - Handle zero byte reads/writes that trigger handshakes in the
     TLSv1.3 stack
   - A long standing memleak in libtls CRL handling was fixed
* Internal Improvements
   - Cache the SHA-512 hash instead of the SHA-1 hash and cache
     notBefore and notAfter times when X.509 certificates are parsed.
   - The X.509 lookup code has been simplified and cleaned up.
   - Fixed numerous issues flagged by coverity and the cryptofuzz
     project
   - Increased the number of Miller-Rabin checks in DH and DSA
     key/parameter generation
   - Started using the bytestring API in libcrypto for cleaner and
     safer code
   - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
     ASN1
   - Convert ASN1_OBJECT_new() to calloc()
   - Convert ASN1_STRING_type_new() to calloc()
   - Rewrite ASN1_STRING_cmp()
   - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
   - Convert ASN1_PCTX_new() to calloc()
   - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
     function
   - Consolidate {d2i,i2d}_{pr,pu}.c
   - Remove handling of a NULL BUF_MEM from asn1_collect()
   - Pull the recursion depth check up to the top of asn1_collect()
   - Inline collect_data() in asn1_collect()
   - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
   - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
   - Consolidate ASN.1 universal tag type data
   - Rewrite ASN.1 identifier/length parsing in CBS
   - Make OBJ_obj2nid() work correctly with NID_undef
   - tlsext_tick_lifetime_hint is now an uint32_t
   - Untangle ssl3_get_message() return values
   - Rename tls13_buffer to tls_buffer
   - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
   - Provide a way to determine our maximum legacy version
   - Mop up enc_read_ctx and read_hash
   - Fold SSL_SESSION_INTERNAL into SSL_SESSION
   - Use ssl_force_want_read in the DTLS code
   - Add record processing limit to DTLS code
   - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
   - Improve SNI hostname validation
   - Ensure SSL_set_tlsext_host_name() is given a valid hostname
   - Fix a strange check in the auto DH codepath
   - Factor out/rewrite DHE key exchange
   - Convert server serialisation of DHE parameters/public key to new
     functions
   - Check DH public key in ssl_kex_peer_public_dhe()
   - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
   - Clean up and refactor server side DHE key exchange
   - Provide CBS_get_last_u8()
   - Provide CBS_get_u64()
   - Provide CBS_add_u64()
   - Provide various CBS_peek_* functions
   - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
   - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
   - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
   - Only allow zero length key shares when we know we're doing HRR
   - Pull key share group/length CBB code up from
     tls13_key_share_public()
   - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
     validation
   - Return 0 on failure from send/get kex functions in the legacy
     stack
   - Rename tls13_key_share to tls_key_share
   - Allocate and free the EVP_AEAD_CTX struct in
     tls13_record_protection
   - Convert legacy TLS client to tls_key_share
   - Convert legacy TLS server to tls_key_share
   - Stop attempting to duplicate the public and private key of dh_tmp
   - Rename dh_tmp to dhe_params
   - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
   - Clean up pkey handling in ssl3_get_server_key_exchange()
   - Fix GOST skip certificate verify handling
   - Simplify tlsext_keyshare_server_parse()
   - Plumb decode errors through key share parsing code
   - Simplify SSL_get_peer_certificate()
   - Cleanup/simplify ssl_cert_type()
   - The S3I macro was removed
   - The openssl(1) cms and smime subcommands option handling was
     converted and the C source was cleaned up.
* Documentation improvements
   - 45 new manual pages, most of which were written from scratch.
     Documentation coverage of ASN.1 and X.509 code has been
     significantly improved.

Upstream 3.5.1 changelog:

* A malicious certificate can cause an infinite loop.
  Reported by and fix from Tavis Ormandy and David Benjamin, Google.

Upstream 3.5.2 changelog:

This is the first stable release for the 3.5.x branch, as shipped with
OpenBSD 7.1.

doc: Updated security/libretls to 3.5.2

Note nodejs{,16} PKGREVISION bumps.

lang/nodejs{,16}: as expected by upstream, install corepack (and bump
PKGREVISION). For earlier versions, no change.

Add more Gentoo OS update details.

bootstrap-bootstrap: extract TREESDIR, NFCI.

bootstrap-moretools: add tmux, extract TREESDIR.

buildvm: WRKOBJDIR must not contain any symlinks.

Update to 0.83. From the changelog:

- Updated keyword translations from upstream Cucumber project

doc: Updated devel/p5-Test-BDD-Cucumber to 0.83

Trim newly(?) verbose CC_VERSION on macOS Ventura.

pkgsrc-vbox: not much VirtualBox usage left.

Fix some line wrapping on wide terminals.

Install the zsh completion to site-functions. Bump PKGREVISION.

doc: Updated devel/git-base to 2.38.0nb1

Define environ before it's used, to fix build on at least NetBSD.
Take MAINTAINER.

Take MAINTAINER.

Add and enable py-approval-utilities.

Add py-approval-utilities, utilities for your production code that work
well with (and have just been extracted to their own package from)
py-approvaltests.

Update to 7.2.0. From the changelog:

7.0.0:
Breaking Change:
- approval_utilities is becoming its own pypi package to allow usage in
  production code.

7.1.0:
Command Line Approvals:
- You can now easily verify command line outputs. You can also pass
  inputs into the command line under test, including Iterables. This
  allows you to easily test non-python programs from ApprovalTests.

7.2.0:
- You can invoke a verify() call from the command line. This allows
  invoking python approvals from any other stack via subprocesses.

doc: Added devel/py-approval-utilities version 7.2.0

doc: Updated devel/py-approvaltests to 7.2.0

Update to 4.0.0. From the changelog:

- **NEW** Feature: `mob reset` doesn't reset the mob branch anymore. It
  now warns you that it deletes the mob branch for everyone and if you
  want to continue do `mob reset --delete-remote-wip-branch`.
- **NEW** Feature: `mob timer`, `mob break`, `mob start`, `mob next` and
  `mob done` will stop already running local timers.
- Feature: `mob start --create` will create the remote branch and start
  the mob session on that branch.
- Feature: mob.sh now also works with tools like `git-repo` which
  symlink the `.git` folder
- Removed `MOB_START_INCLUDE_UNCOMMITTED_CHANGES` environment variable
  (has been deprecated for some time).
- `MOB_DONE_SQUASH` no longer supports a boolean value, you have to use
  the proper values `squash`, `no-squash` or `squash-wip` instead.