Oops, array append syntax in Meson is +=. Should fix non-macOS builds.
Problem reported by wiz@.

pax11publish.1 is only installed if we build with x11.

Fix macOS build. NFCI elsewhere.

Fix some (not all) of the macOS build failures. NFCI elsewhere.

doc: Updated audio/jack to 1.9.19nb3

Add a few seemingly macOS-specific PLIST entries.

Add patch missed in previous.

Install manpages under man1 (instead of at the top-level PKGMANDIR).
Bump PKGREVISION.

Apply upstream patch 32517af7 to check for st_mtim in struct stat. Fixes
macOS build.

Remove stuff inadvertently included in previous (thanks wiz@).

mk/platform: add SDK mapping for macOS 11.6.

Update to 0.82. From the changelog:

[Added]
- Environment variable expansion in configuration profiles; use
  ${ENVVAR} anywhere in a 'pherkin.yaml' file to substitute the
  value from the environment. Use $${ENVVAR} to include the
  exact value '${ENVVAR}.

Update to 1.12.0. From the changelog:

- If you renamed the executable or use a symlink to use a
  different name, `mob` will detect the new name and use that in
  its console output.
- Improves error handling when using `mob start -i`. When the working
  directory is a subdirectory that would be removed due to `git stash`
  the mob tool will tell the user about this and aborts with an error.

pkgsrc changes:

- Install an `ensemble` symlink.

doc: Updated devel/mob to 1.12.0

doc: Updated devel/p5-Test-BDD-Cucumber to 0.82

Update to 1.11.1. From the changelog:

- Bugfix release.

(Looks like an extraneous debug statement was removed, and that's it.)

doc: Updated devel/mob to 1.11.1

Update to 1.11.0. From the changelog:

- Allow to override the text in the notification and the voice via
  environment variables `MOB_NOTIFY_MESSAGE` and `MOB_VOICE_MESSAGE`.
- Allow to override the stash name used for stashing uncommitted changes
  via the environment variable `MOB_STASH_NAME`.
- Allow to override the cli name of the tool via `MOB_CLI_NAME` so you
  can use `pair`, `ensemble`, `team`, or whatever you like best, instead
  of `mob`. Just install the `mob` tool, set an alias in your cli and
  set the environment variable `MOB_CLI_NAME` to the name of your alias.

doc: Updated devel/mob to 1.11.0

Update to 1.10.0. From the changelog:

- Print current time after mob start. This helps when scrolling through
  the terminal to distinguish the mob start calls.

doc: Updated devel/mob to 1.10.0

Update to 2.0.0. From the changelog:

# Create regex scrubber

Renamed `scrub_with_regex` to `create_regex_scrubber`. It can now take
either a `str` or a `Callable[[int], str]`.

Going forward, functions that return scrubber will start with `create`
while functions that scrub directly will start with `scrub`.

doc: Updated devel/py-approvaltests to 2.0.0

Update to 1.9.0. From the changelog:

- Show commit hash of WIP commits made by the `mob` tool on the console.
- `mob start --include-uncommitted-changes` now fails fast. That means,
  if `mob` can detect any issue preventing it to succeed, it will exit
  BEFORE calling `git stash`. This will make error recovery much easier
  as one doesn't have to think about applying any stashes by themselves.

doc: Updated devel/mob to 1.9.0

De-symlink .gitignore to mollify new Git.

In Git 2.32.0 and newer, `git status` (for instance) says:

    warning: unable to access '.gitignore': Too many levels of symbolic links

https://github.com/git/git/blob/master/Documentation/RelNotes/2.32.0.txt
explains thus:

    * It does not make sense to make ".gitattributes", ".gitignore" and
      ".mailmap" symlinks, as they are supposed to be usable from the
      object store (think: bare repositories where HEAD:.mailmap etc.
      are used). When these files are symbolic links, we used to read
      the contents of the files pointed by them by mistake, which has
      been corrected.

To satisfy Git, turn .gitignore back into a regular file containing the
contents of TARGETS. To satisfy other uses of TARGETS (such as in
exported tar archives, which don't include .gitignore), keep it as a
regular in-tree file too, with reminders in each to sync with the other.

Update to 0.5.16. From the changelog:

* .dovecot.sieve.log file now includes year in the header.
* Change Sieve script result execution to delay definitive action
  execution to the end of a successful Sieve script execution session.
  This is part of an effort to solve problems with the Sieve duplicate
  test. As a side-effect, some rare temporary-error cases yield
  different results, in which partial failure is more likely.

Update to 2.3.16. From the changelog:

* Any unexpected exit() will now result in a core dump. This can
  especially help notice problems when a Lua script causes exit(0).
* auth-worker process is now restarted when the number of auth
  requests reaches service auth-worker { service_count }. The default
  is still unlimited.
+ Event improvements: Added data_stack_grow event and http-client
  category. See https://doc.dovecot.org/admin_manual/list_of_events/
+ oauth2: Support RFC 7628 openid-configuration element. This allows
  clients to support OAUTH2 for any server, not just a few hardcoded
  servers like they do now. See openid_configuration_url setting in
  dovecot-oauth2.conf.ext.
+ mysql: Single statements are no longer enclosed with BEGIN/COMMIT.
+ dovecot-sysreport --core supports multiple core files now and does
  not require specifying the binary path.
+ imapc: When imap_acl plugin is loaded and imapc_features=acl is used,
  IMAP ACL commands are proxied to the remote server. See
  https://doc.dovecot.org/configuration_manual/mail_location/imapc/
+ dict-sql now supports the "UPSERT" syntax for SQLite and PostgreSQL.
+ imap: If IMAP client disconnects during a COPY command, the copying
  is aborted, and changes are reverted. This may help to avoid many
  email duplicates if client disconnects during COPY and retries it
  after reconnecting.
- master process was using 100% CPU if service attempted to create more
  processes due to process_min_avail, but process_limit was already
  reached. v2.3.15 regression.
- Using attachment detection flags wrongly logged unnecessary "Failed
  to add attachment keywords" errors. v2.3.13 regression.
- IMAP QRESYNC: Expunging UID 1 mail resulted in broken VANISHED
  response, which could have confused IMAP clients. v2.3.13 regression.
- imap: STORE didn't send untagged replies for \Seen changes for
  (shared) mailboxes using INDEXPVT. v2.3.10 regression.
- rawlog_dir setting would not log input that was pipelined after
  authentication command.
- Fixed potential infinite looping with autoexpunging.
- Log event exporter: Truncate long fields to 1000 bytes
- LAYOUT=index: ACL inheritance didn't work when creating mailboxes
- Event filters: Unquoted '?' wildcard caused a crash at startup
- fs-metawrap: Fix to handling zero sized files
- imap-hibernate: Fixed potential crash at deinit.
- acl: dovecot-acl-list files were written for acl_ignore_namespaces
- program-client (used by Sieve extprograms, director_flush_socket)
  may have missed status response from UNIX and network sockets,
  resulting in unexpected failures.

doc: Updated mail/dovecot2 to 2.3.16

doc: Updated mail/dovecot2-pigeonhole to 0.5.16

Honor CFLAGS and LDFLAGS.

Honor LDFLAGS.

Update to 18. From the changelog:

- Due to problems binding with IPv4-mapped IPv6 addresses for a DNS
  lookup, splitted up randombind into randombind4 and randombind6.
  socket operations on IPv4 use IPv4 address only. (tx. Kouichi).

Bump PKGREVISION for fehqlibs update.

Update to 38. From the changelog:

- dns_transmit binds to IPv4 or IPv6 UDP/TCP sockets specifically <->
  fehQlibs-18.

doc: Updated net/djbdnscurve6 to 38

doc: Updated net/fehqlibs to 18

Update to 0.13. From the changelog:

- discount/configure.inc: include stdlib.h to find WORD/DWORD @Hugmeir
- discount/configure.sh: include strings.h to find bzero & memset
  @Hugmeir
- add configure option "--with-fenced-code --with-dl=both" @Songmu

doc: Updated textproc/p5-Text-Markdown-Discount to 0.13

Update to 1.8.0. From the changelog:

- `mob next` does not show the same committer multiple times in the list
  of previous committers.
- `mob next` does not suggest the current Git user to be the next typist
  as long as there were other persons involved in the mob.
- `mob next` performs a simple lookahead to also suggest persons who
  might have been absent only during the last mob round.
- When user.name is not set in the git config, mob no longer shows an
  error but a warning with a help how to fix it.

doc: Updated devel/mob to 1.8.0

Update to 0.81. From the changelog:

[Fixed]
- Remove cruft from released archive (by expanding .gitignore)
- UTF-8 in test output double encoded
- Tutorial example references `use_ok`, which does not exist in
  Test2::Bundle::More
- Step redispatching with step data now work (with documentation)

Update to 1.1.0. From the changelog:

# Storyboards

Sometimes we might want to see different steps in a workflow or lifetime
of an object. Storyboards are a convenience object to help enable that.

Approvaltests allows us to look at a complete object instead of just
pieces of it. Storyboards allow us to track an object through time.

The mechanism to map time to space that storyboards use is very
analogous to a comic book, but with each frame vertically after each
other so that it works well with the diff tool and shows a progression.

doc: Updated devel/p5-Test-BDD-Cucumber to 0.81

doc: Updated devel/py-approvaltests to 1.1.0

Add and enable brlaser.

Add brlaser, a CUPS driver for Brother laser printers.

Although most Brother printers support a standard printer language such
as PCL or PostScript, not all do. If you have a monochrome Brother laser
printer (or multi-function device) and the other open source drivers
don't work, this one might help.

doc: Added print/brlaser version 6

Sort patchsums (NFCI).

Apply upstream eb95c29 to fix macOS M1 build.

Update to 1.0.1. From the changelog:

10/09/2020: GPAC 1.0.1
This release fixes build and installation issues in 1.0.0, as well as
various bugs introduced during the migration to the filters
architecture.

It also adds several small features:
- better ttml import
- better support for MPEGH audio
- support fur DASH UTCTiming
- manifest generation from pre-fragmented DASH/HLS mp4
- speed optimization in isobmf reading (normal and fragmented)
- improved JS API for the filter session
- core tools exposed as JS module (file io, bitstream, etc ...)
- android fixes

16/06/2020: GPAC 1.0
 - Complete rewrite of GPAC streaming core:
    * addition of a filter-based architecture, used by MP4Client
      and MP4Box.
    * moving all decoders and demuxer plugins of MP4Client and most of
      MP4Box import/export code as filters for this new architecture,
    * moving DASH/HLS segmenter to a filter
    * moving MP4Client compositor and most of the GF_Terminal internals
      to a filter
    * addition of a new application gpac, whose only purpose is to
      create and run filter chains
    * removal of MP42TS and DashCast applications since these
      functionalities are provided by gpac
    * deprecation of some features (widget management, MSE draft
      implementation for SVG media, UPnP, TEMI player support).
- Profile system allowing to override through a static file default
  options of all filters and libgpac core
- Alias system for gpac app to simplify your command lines
- Enhanced DASHer:
    * Support for HLS and dual HLS / DASH generation
    * Support for any input
    * True low-latency mode for DASH
    * Support for multiple periods
    * Support for other segment formats (raw, mkv, webm currently
      tested)
- Input and outputs
    * Generic pipe, TCP, UDP, and Unix Domain socket input and output
    * RTSP server output
    * HTTP output (client and server), supporting low latency DASH access
    * Ad-hoc stream format called GSF to allow serialization to file,
      pipe or socket of a session (for distributed filter chains),
      supporting AES-128 CBC encryption.
- Raw audio (PCM) and video (RGB, YUV) reframers and exporters
- HEVC tile spliting and merging filters
- Compositor is a standalone filter (SVG/BIFS/VRML graphics in a
  filter chain)
- Image encoding support through libjpg and libpng
- Full FFMPEG support:
    * Encoding/decoding through FFMPEG libavcodec
    * Multiplexing/demultiplexing through FFMPEG libavformat
    * Device grabbers through FFMPEG libavdevice
    * Raw audio and video filters through FFMPEG libavfilter
- Support for QuickJS (ES2002) and bindings for:
    * Complete filter API
    * GPAC software rasterizer (EVG)
    * WebGL 1.0 Core
    * XmlHttpRequest and uDOM APIs
    * Storage
- Inspect and analyze filter
- MPEG-2 TS splitter
- Video cropper filter with zero-copy mode
- Video flip filter
- Source concatenator filter
- Simple audio and video output filters
- Experimental audio and video rewinder filter
- Encryption
    * On-the-fly encryption and decryption, now available as filters
    * Segment-based encryption and decryption
- ISOBMFF
    * box customization
    * Better QT support, prores parsing and dumping
    * Support for raw media (QT style or ISOBMFF for audio)
    * Simplify HEIF batch conversion through item to track mapping
    * Reading from pipes (fragmented or progressive files)
    * Writing to packets rather than files
    * Fast interleaved file creation mode with less storage requirements
- FileIO wrapper for cases where files are not stored in a file system
  known by GPAC
- Testing and Documentation
    * Live doc generation (man and wiki)
    * Improved coverage
    * Split test suite as dedicated repo
    * Moved all resource to https://wiki.gpac.io
    * Started howto pages on wiki
    * Many bug fixes

doc: Updated multimedia/gpac to 1.0.1

Disable NEON on aarch64 also on macOS to fix M1 build.

arm_cpudetect.c doesn't cover macOS. On M1 Macs, set
--disable-runtime-cpu-detect to fix build.

Update to 0.4. From the changelog:

* nq: now scales a lot better
* nq: set $NQDONEDIR to move finished jobs there
* fq: add kevent/kqueue support
* Bugfixes

Spaces to tabs (NFCI).

Update to 1.7. From the changelog:

- test: remove findport dependency
- fix error message
- sockc: clean up: remove unused macro, reformat usage
- socks: clean up: reformat usage, add statics, spelling
- tlss: Fix wrong synopsis. Spotted by Stanley Lieber.
- tlss: Add option for certificate revocation lists.
- tlss: Refactor error handling.
- tls{s,c}: Refactor error handling.  Update copyright date.
- tlsc: improve manpage
- README: Add description for httppc
- tests: Improve OpenSSL config for tests
- http_parser: Simplify lenght dependend string compare
- tests: Add files for certificate revocation list testing
- Makefile: Remove useless variable
- httpc: Improve error handing
- gitignore: add some non-tracking files
- Refactor makefiles
- httpc: fix spacing
- http: add comment and spacing
- tlsc.1: discribe -k and cleanup
- remove unused printf parameter
- add ftp client
- remove double include
- simplify envionment settings
- fix spacing
- simplify envitonment settings
- fix copyright comments
- simplify make
- simplify creation of tar balls
- add http server
- update gitignore
- simplify makefile
- update gitignore
- remove debug code
- Use LDLIBS for linked libraries
- Cleanup https
- Merge pull request #8 from jspricke/ldlibs
- remove useless make rules
- test: run with ksh and avoid ENOENT
- https: add content-length
- add comment
- https: handel Host: header
- https: default connection is closed
- https: simplify response code
- test: use default ksh shell

doc: Updated net/ucspi-tools to 1.7

Apply upstream commit 75eebe0 to fix macOS Big Sur build (working around
C++ "version" vs. "VERSION" crud).

On Mac OS X Snow Leopard with ABI=64, configure was selecting a 32-bit
build (and then failing in the assembler). Override its choice on
Darwin/x86_64 by specifying KERNEL_BITS=${ABI} in CONFIGURE_ENV.

Add and enable lazygit.

Add lazygit, a simple terminal UI for git commands.

lazygit is a CLI tool to handle git repositories, written in Go with the
gocui library. You can add files easily, resolve merge conflicts,
checkout recent branches easily, scroll through logs/diffs of
branches/commits.stash, push/pull quickly, squash down and rename
commits in CLI.

doc: Added devel/lazygit version 0.28.2

Add steps for Go packages using Go modules, from leot@ in private mail.

Moved lazygit to pkgsrc. Thanks leot@!

Add lazygit. Needs help with go dependencies.

Update to 1.0.1. From the changelog:

- Fixed major bug in the namer with unix and python3.8 and above.

Update to 1.7.0. From the changelog:

- Allows creating parallel mob sessions on the same repository
  more easily.
- `mob branch` shows all remote mob branches currently available.
- `mob fetch` fetches the remote state, so you have everything up to
  date locally. Helpful to combine with `mob status` and `mob branch`
  who don't fetch by themselves.

doc: Updated devel/mob to 1.7.0

doc: Updated devel/py-approvaltests to 1.0.1

Don't let CDPATH affect the build.

Fix build on darwin20 and macOS arm64, via MacPorts. For other
platforms, NFCI.

Probably make cvm-checkpassword actually work as an alternative
checkpassword. Bump PKGREVISION.

Update to 1.0.0. From the changelog:

## Verify(text) ensures a newline at end of files

### BREAKING CHANGE

Since most tools will ensure a newline at the end of a file, approval
test is now adding this to allow copying approval results in diff tools
to work correctly. Please note that this will break all you previous
approvals that do not end with a newline!

This will show by your diff tool opening with two files that look
identical, but one actually has a newline at the end.

### Upgrade Path

We suggest you use ReporterByCopyMoveCommandForEverythingToClipboard()
as your Default Reporter to re-approve all your files.

## Namer handles multiple nested methods in a unit test

Previously if you had nested methods in your unit test, the names would
incorrectly identify the help method rather than the test method. This
is now fixed.

Update to 6.0.8. From the changelog:

* Fix the name and link to the chardet module in the documentation. (#280)

doc: Updated devel/py-approvaltests to 1.0.0

doc: Updated security/cvm to 0.97nb3

doc: Updated textproc/py-feedparser to 6.0.8

macFUSE headers have been in /usr/local/include/fuse for a while. Add
that to BUILDLINK_PASSTHRU_DIRS.

Check a little harder for stat64. Fixes the build on my M1 with
Big Sur 11.4.

Update to 6.0.7. From the changelog:

* Catch ``urllib.error.URLError`` to prevent crashes. (#239)

Updating during the freeze for the bugfix.

doc: Updated textproc/py-feedparser to 6.0.7

Update to 6.0.6. From the changelog:

* Prevent an AttributeError that occurs when a server returns HTTP 3xx
  but doesn't include a Location header as well. (#267)
* Prevent a TypeError crash that may occur when including a username and
  password in the feed URL. (#276)
* Prevent a UnicodeDecodeError crash that may occur when the title
  element's type attribute exists but is empty. (#277)
* Prevent a UnicodeEncodeError crash that may occur if the URL contains
  Unicode characters in the path. (#273)
* Fix an issue with the HTTP request status on Python >= 3.9.

Updating during the freeze for the bugfixes.

doc: Updated textproc/py-feedparser to 6.0.6

Add patch, missed in previous.

Rename VERSION to VERSION.txt so that it does not collide with the C++
version header on case-insensitive filesystems (via MacPorts). No change
intended to installed package.

Extend REPLACE_BASH to get cover.bash substed. Bump PKGREVISION.

doc: Updated lang/go-bin to 1.16.beta1nb3

Add and enable ruby-approvaltests.

Initial import of ruby-approvaltests, an assertion/verification library
to aid testing.

This is the Ruby port of ApprovalTests.

You can use ApprovalTests to verify objects that require more than a
simple assert including long strings, large arrays, and complex hash
structures and objects. ApprovalTests really shines when you need a more
granular look at the test failure. Sometimes, trying to find a small
difference in a long string printed to STDOUT is just too hard!
ApprovalTests solves this problem by providing reporters which let you
view the test results in one of many popular diff utilities.

doc: Added devel/ruby-approvaltests version 0.0.25

Update to 4.5.1. From the changelog:

- documentation-only update.
- add note to README about build problem with Tru64, with workaround.
  Thanks: Víctor Ostorga.

doc: Updated sysutils/memtester to 4.5.1

Update HOMEPAGE, and take MAINTAINER.

ExtUtils-MakeMaker-7.48 rejects invalid MIN_PERL_VERSION values.
Apply patch from <https://rt.cpan.org/Public/Bug/Display.html?id=133491>.

Update to 0.8.0. From the changelog:

- You can now set the approval file extensions via options:
  Options().for_file.with_extension(".md")

doc: Updated devel/py-approvaltests to 0.8.0

Update to 20210401. From the changelog:

- fix IPv6 split masklen
- vpnc-script-win: tidy up, more logging
- vpnc-script-win: make VPN addresses/gateways "non-persistent", and
  delete them on disconnect
- vpnc-script-win: delete DNS and WINS servers before adding them
- vpnc-script-win: dump stdout and stderr when a command fails
- vpnc-script-win: use TUNIDX in all netsh commands, remove
  waitForInterface()
- vpnc-script-win: add FIXMEs regard IPv6 split-excludes and gateways
- vpnc-script-win: add legacy IP split-exclude handling
- vpnc-script-win: cleanup spacing, clarify comments
- vpnc-script-win: simplify 'internal gateway' calculation
- GNU awk regex fix
- move destroy_tun_device into do_disconnect (called only here)
- remove bits for ancient Linux 2.6.x kernels
- mention IDLE_TIMEOUT
- cleanup whitespace and clarify comments
- tweak warning message about un-routable exclude routes
- Ignore unreachable exclude routes
- Document split tunnel EXC variables
- ignore bogus non-forwardable exclude routes on disconnect too
- *BSDs: get_default_gw needs to EXCLUDE routes through tunnel for
  attempt-reconnect, but should NOT exclude them otherwise
- mark tunnel device 'down' before destroying
- Add DragonFly BSD support and improve FreeBSD support
- Use '[[:space:]]' instead of '\s' to support POSIX awk
- *BSDs: don't inadvertently pick up a bogus 0.0.0.0/32 route as a
  default route
- Fix basename invocation on *BSD shells
- fix another ifconfig syntax difference between Linux and *BSDs
- use `ip netns` instead of ocserv `listen-netns` config option for
  test configs
- match preexisting code style
- Use systemd-resolve to check if resolved is running
- FIXME add mock IPv6 configuration to get CI to work
- add a bit more logging to test scripts
- split iproute2 and *BSD-ish into separate CI runs
- CI: don't need to install ocserv and which
- numerous fixes for Linux IPv6 configuration using
  ifconfig/route/netstat
- try running tests with *BSD-ish tools (ifconfig/route/netstat) for
  additional coverage
- match code style
- Don't use /sbin/resolvconf if it just points to resolvectl.
- include calling process ID in DEFAULT_ROUTE_FILE{,_IPV6}
- with BSD 'route', save-and-restore IPv6 default routes
- simplify cases and add ifconfig_syntax_del variable
- Patch: make ipv6 in ipv4 and ipv6 in ipv6 tunnels work on (Net)BSD
- vpnc-scripts: added a sanity check of routes and resolv.conf
  generation
- preserve metric in fix_ip_get_output
- with iproute2, sort the routes to the VPN gateway by metric before
  trying to create an explicit route to the gateway via each of them
- make do_attempt_reconnect work with route/ifconfig
- add working do_attempt_reconnect
- don't try to set an explicit route to VPN gateway if localhost, and
  ignore bogus non-forwardable exclude routes
- Ignore link-local routes in set_default_route
- leave support for older systemd-resolved (v229-v238) in place
- Windows IPv6: remove hard-coded next-hop of fe80::8
- Add split DNS support for systemd-resolved
- Use resolvectl for systemd-resolved
- fix tabs/spaces in POSIX vpnc-script as well
- cleanup whitespace in vpnc-script-win.js
- specify interface when adding routes
- fix Slackware issue (netconfig is an unrelated tool, not relevant for
  resolv.conf handling)
- No need to add a separate sed invocation for `$NETMASKLEN` fixing
- iproute2 5.1+ doesn't allow prefixlen!=32 in get

Update to 3.3.3, syncing with LibreSSL. No known changes.

doc: Updated net/vpnc-script to 20210401

doc: Updated security/libretls to 3.3.3

Update to 0.5. From the changelog:

Bug fixes

- Set peer_cert_len so that application sees correct length of
  certificate chain PEM (instead of 0).
- Account for null terminator when allocating PEM string buffer.
- Pass NULL to br_x509_minimal start_chain when client didn't use SNI
  instead of the empty string to avoid relying on undocumented
  BearSSL behavior.
- Save SNI name in ctx->servername on server side so that applications
  can determine which name the client connected to.
- Fix a few error messages printing errno unintentionally.

Changes

- tls_close() no longer waits for peer's close_notify. Some servers do
  not send their own close, resulting in a hang if they do not close the
  connection.
- Merge changes from libressl 3.3.3.

Update to 0.7.0. From the changelog:

- Date scrubbers are quite basic and only work with json-fied datetimes
- Verify now converts its input to string before verifying

doc: Updated devel/py-approvaltests to 0.7.0

Update to 3.13.1. From the changelog:

* Fix crash on html-mail entries with no URL

doc: Updated mail/rss2email to 3.13.1

Apply upstream patch to catch up to highlight 4.0 API change. Bump
PKGREVISION.

doc: Updated www/ikiwiki to 3.20200202.3nb4

Note highlight and p5-highlight updates.

Reset PKGREVISION for libhighlight update.

Update to 4.1. From the changelog:

- improved handling of Custom theme attributes (#182)
- fixed wrong color code in edit-kwrite.theme
- added rng file mapping (#129)
- improved Lisp highlighting
- GUI: fixed highlighting options tab title (thanks to Craig)
- renamed `std` style name to `def`
- version and README updates
- removed `extras/web_plugins`
- added user-select default property to HTML line number style
- revised color themes
- added two more keyword styles for default themes
- added Custom theme attributes for Plain TeX, LaTeX, SVG and Pango
- enabled syntax message output with `--ls-syntax-error`
- GUI: enabled syntax error checkbox
- added Custom theme attribute
- enabled inline stylesheets with `--ls-hover`
- added Error and Hover theme properties
- enabled syntax error highlighting with `ls-semantic`
- improved LSP message handling
- added delay LSP parameter
- added LSP semantic token styles to base16 themes
- renamed `str` style name to `sng`
- CLI: enabled `--ls-semantic` option
- GUI: enabled semantic checkbox and a server capability test
- added support for the language server protocol
- added new configuration file lsp.conf
- CLI: added `ls-profile`, `--ls-workspace`,`--ls-hover`
- CLI: deprecated `--start-nested`, `--reformat=user`,
  `--reformat-option`, `--base16`, `--delim-cr`, `--plug-in-read`
- GUI: added LSP configuration tab
- added `--syntax-supported` option

doc: Updated textproc/libhighlight to 4.1

Work around build failure with libc++ >=7.0 on case-insensitive
filesystems (issue #1051). Fixes macOS build, at least on Big Sur.

Update to 1.6.0. From the changelog:

- When `mob start` fails, the timer no longer starts to run.

doc: Updated devel/mob to 1.6.0

Update to 0.6.0. From the changelog:

- You can now scrub your approval files

doc: Updated devel/py-approvaltests to 0.6.0

Move "INSTALL" to "INSTALL.txt" so the "install" targets run as expected
on macOS with case-insensitive filesystem, fixing install of cxref.1.

While here, set LICENSE, update MASTER_SITES and HOMEPAGE, and remove
unrecognized configure option "--with-cxref-cpp".

Update to 0.5.0. From the changelog:

- The reporter can now be passed into any verify call via options.

doc: Updated devel/py-approvaltests to 0.5.0

Update to 3.3.2. From the (OpenBSD 6.9 LibreSSL) changelog:

# New Features

- Support for DTLSv1.2.
- Continued rewrite of the record layer for the legacy stack.
- Numerous bugs and interoperability issues were fixed in the new
  verifier. A few bugs and incompatibilities remain, so this release
  uses the old verifier by default.
- The OpenSSL 1.1 TLSv1.3 API is not yet available.


# Portable Improvements

- Added '--enable-libtls-only' build option, which builds and
  installs a statically-linked libtls, skipping libcrypto and libssl.
  This is useful for systems that ship with OpenSSL but wish to also
  package libtls.
- Update getentropy on Windows to use Cryptography Next Generation
  (CNG). wincrypt is deprecated and no longer works with newer Windows
  environments, such as in Windows Store apps.


# API and Documentation Enhancements

- Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
- Add support for
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with TLSv1.3.
- Add DTLSv1.2 methods.
- Implement SSL_is_dtls(3) and use it internally in place of the
  SSL_IS_DTLS macro.
- Provide
  [EVP_PKEY_new_CMAC_KEY(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3).
- Add missing prototype for
  [d2i_DSAPrivateKey_fp(3)](https://man.openbsd.org/d2i_DSAPrivateKey_fp.3) to x509.h.
- Add DTLSv1.2 to [openssl(1)](https://man.openbsd.org/openssl.1)
  s_server and s_client protocol message logging.
- Provide
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Provide
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Provide various DTLSv1.2 specific functions and defines.
- Document meaning of '*' in the genrsa output.
- Updated documentation for
  SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3).
- Add documentation for
  [SSL_get_finished(3)](https://man.openbsd.org/SSL_get_finished.3).
- Document
  [EVP_PKEY_new_CMAC_key(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3).
- Document
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Document
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Update [SSL_get_version(3)](https://man.openbsd.org/SSL_get_version.3)
  manual for DTLSv.1.2 support.
- Make supported protocols and options for DHE params more prominent in
  [tls_config_set_protocols(3)](https://man.openbsd.org/tls_config_set_protocols.3).
- Various documentation improvements around TLS methods.


# Compatibility Changes

- Make [openssl(1)](https://man.openbsd.org/openssl.3) s_server ignore
  -4 and -6 for compatibility with OpenSSL.
- Set SO_REUSEADDR on the server socket in the
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp command.
- Send a host header with OCSP queries to make
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp work with some
  widely used OCSP responders.
- Add ability to [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) to
  parse a port in the specified OCSP URL.
- Implement auto chain for the TLSv1.3 server since some software
  relies on this.
- Implement key exporter for TLSv1.3.
- Align
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with OpenSSL. This takes into account that it never returned server
  ciphers, so now it will fail when called from the client side.
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
- Make
  [SSL{_CTX,}_get_{min,max}_proto_version(3)](https://man.openbsd.org/SSL_CTX_get_min_proto_version.3)
  return a version of zero if the minimum or maximum has been set to
  zero to match OpenSSL's behavior.
- Add DTLSv1.2 support to
  [openssl(1)](https://man.openbsd.org/openssl.1) s_client/s_server.


# Testing and Proactive Security

- Malformed ASN.1 in a certificate revocation list or a timestamp
  response token can lead to a NULL pointer dereference.
- Pull in fix for
  [EVP_CipherUpdate(3)](https://man.openbsd.org/EVP_CipherUpdate.3)
  overflow from OpenSSL.
- Use EXFLAG_INVALID to handle out of memory and parse errors in
  x509v3_cache_extensions().
- Refactor and clean up
  [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) and add
  regression tests.


# Internal Improvements

- Further cleanup of the DTLS record handling.
- Continue the replacement of the TLSv1.2 record layer by reimplementing
  the read side of the TLSv1.2 record handling.
- Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
- Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
- Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
  .data.rel.ro and .rodata, respectively.
- Add a const qualifier to srtp_known_profiles.
- Simplify TLS method by removing the client and server specific methods
  internally.
- Avoid casting away const in ssl_ctx_make_profiles().
- Avoid explicitly conditioning an assert on DTLS1_VERSION to make the
  assert work for newer DTLS versions.
- Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
- Add a flag to mark DTLS methods as DTLS to have an easy way to
  recognize DTLS methods that avoids inspecting the version number.
- Mark a few more internal static tables const.
- Switch finish{,_peer}_md_len from an int to a size_t.
- Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size for
  cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 was a
  historical artefact.
- Free struct members in tls13_record_layer_free() in their natural
  order for reviewability.
- Use consistent names in tls13_{client,server}_finished_{recv,send}().
- Add tls13_secret_{init,cleanup}() and use them throughout the TLSv1.3
  code base.
- Move the read MAC key into the TLSv1.2 record layer.
- Make tls12_record_layer_free() NULL safe.
- Split the record protection from the TLSv1.2 record layer.
- Clean up sequence number handling in the new TLSv1.2 record layer.
- Clean up sequence number handling in DTLS.
- Clean up dtls1_reset_seq_numbers().
- Factor out code for explicit IV length, block size and MAC length from
  tls12_record_layer_open_record_protected_cipher().
- Provide record layer overhead for DTLS.
- Provide functions to determine if TLSv1.2 record protection is
  engaged.
- Add code to handle change of cipher state in the new TLSv1.2
  record layer.
- Mop up now unused dtls1_build_sequence_numbers() function.
- Allow setting a keypair on a tls context without specifying the
  private key, and fake it internally in libtls. This removes the need
  for privsep engines like relayd to use bogus keys.
- Skip the private key check for fake private keys.
- Move the private key setup from tls_configure_ssl_keypair() to a
  helper function with proper error checking.
- Change the internal tls_configure_ssl_keypair() function to return -1
  instead of 1 on failure.
- Move sequence numbers into the new TLSv1.2 record layer.
- Move AEAD handling into the new TLSv1.2 record layer.
- Factor out legacy stack version checks.
- Correct handshake MAC/PRF for various TLSv1.2 cipher suites which were
  originally added with the default handshake MAC and PRF rather than
  the SHA256 handshake MAC and PRF.
- Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
- Use dtls1_record_retrieve_buffered_record() to load buffered
  application data.
- Enforce read ahead with DTLS.
- Remove bogus DTLS checks that disabled ECC and OCSP.
- Clean up and simplify dtls1_get_cipher().
- Group HelloVerifyRequest decoding and add missing check for
  trailing data.
- Revise HelloVerifyRequest handling for DTLSv1.2.
- Handle DTLS1_2_VERSION in various places.
- Rename the "truncated" label into "decode_err" and the "f_err" label
  into "fatal_err".
- Factor out and change some of the legacy client version code.
- Simplify version checks in the TLSv1.3 client. Ensure that the server
  announced TLSv1.3 and nothing higher and check that the legacy_version
  is set to TLSv1.2 as required by RFC 8446.
- Only use TLS versions internally rather than both TLS and DTLS
  versions since the latter are the one's complement of the human
  readable version numbers, which means that newer versions
  decrease in value.
- Identify DTLS based on the version major value.
- Move handling of cipher/hash based cipher suites into the new
  record layer.
- Add tls12_record_protection_unused() and call it from CCS functions.
- Move key/IV length checks closer to usage sites. Also add explicit
  checks against
  [EVP_CIPHER_{iv,key}_length()](https://man.openbsd.org/EVP_CIPHER_iv_length.3).
- Replace two handrolled tls12_record_protection_engaged().
- Improve internal version handling: add handshake fields for our
  minimum version, our maximum version and the TLS version negotiated
  during the handshake. Convert most of the internal code to use these
  version fields.
- Guard against future internal use of
  TLS1_get_{client,}_version() macros.
- Remove the internal ssl_downgrade_max_version() function which is no
  longer needed.
- Add support for DTLSv1.2 version handling.
- Remove no longer needed read ahead workarounds in the s_client
  and s_server.
- Split TLSv1.3 record protection from record layer.
- Move the TLSv1.3 handshake struct inside the shared handshake struct.
- Fully initialize rrec in tls12_record_layer_open_record_protected() to
  avoid confusing some static analyzers.
- Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
  does not set errno.
- Convert openssl(1) x509 to new option handling and do the usual clean
  up that goes along with it.
- Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
- Rename new_cipher to cipher to align naming with keyblock or other
  parts of the handshake data.
- Move the TLSv1.2 record number increment into the new record layer.
- Move finished and peer finished into the handshake struct.
- Remove pointless assignment in SSL_get0_alpn_selected().
- Add some error checking to openssl(1) x509.


# Bug Fixes

- Move point-on-curve check to set_affine_coordinates to avoid verifying
  ECDSA signatures with unchecked public keys.
- Fix [SSL_is_server(3)](https://man.openbsd.org/SSL_is_server.3) to
  behave as documented by re-introducing the client-specific methods.
- Avoid undefined behavior due to memcpy(NULL, NULL, 0).
- Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
- Correct the return value type from ERR_peek_error() to a long.
- Avoid use of uninitialized in ASN1_time_parse() which could happen on
  parsing UTCTime if the caller did not initialize the passed struct tm.
- Destroy the mutex in a tls_config object on tls_config_free().
- Free alert_data and phh_data in tls13_record_layer_free(). These could
  leak if [SSL_shutdown(3)](https://man.openbsd.org/SSL_shutdown.3) or
  [tls_close(3)](https://man.openbsd.org/tls_close.3) were called after
  closing the underlying socket().
- Gracefully handle root certificates being both trusted and untrusted.
- Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new verifier.
- Use the legacy verifier when building auto chains for TLS.
- Search the intermediates only after searching the root certs in the
  new verifier to avoid problems with the legacy callback.
- Bail out early after finding a single chain in the new verifier, if we
  have been called via the legacy verifier API.
- Set (invalid and likely incomplete) chain on the xsc on chain build
  failure prior to calling the callback. This is required by various
  callers, including auto chain.
- Remove direct assignment of aead_ctx to avoid a leak.
- Fail early in legacy exporter if the master secret is not available to
  avoid a segfault if it is called when the handshake is not completed.
- Only print the certificate file once on verification failure.
- Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that the
  new validator checks for EXFLAG_CRITICAL in
  x509_vfy_check_chain_extension() for all untrusted certs in the chain.
  Take into account that the root is not necessarily trusted.
- Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
- Fix two bugs in the legacy verifier that resulted from refactoring
  of [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3)
  for the new verifier: a return value was incorrectly treated as
  boolean, making it insufficient to decide whether validation should
  carry on or not.
- Fix checks for memory caps of constraints names. There are internal
  caps on the number of name constraints and other names, that the new
  name constraints code allocates per cert chain. These limits were
  checked too late, making them only partially effective.
- Fix a copy-paste error - skid was confused with an akid when checking
  for EXFLAG_INVALID. This broke OCSP validation with certain mirrors.
- Avoid a use-after-scope in tls13_cert_add().
- Avoid mangled output in BIO_debug_callback().
- Fix client initiated renegotiation by replacing use of
  s->internal-type with s->server.
- Avoid transcript initialization when sending a TLS HelloRequest,
  fixing server initiated renegotiation.
- Avoid leaking param->name in x509_verify_param_zero().
- Avoid a leak in an error path in openssl(1) x509.
- When sending an alert in TLSv1.3, only set its error code when no
  other error was set previously. Certain clients rely on specific
  SSL_R_ error codes to identify that they are dealing with a self
  signed cert.
- When switching from the TLSv1.3 stack to the legacy stack include a
  TLS record header. This is necessary if there is more than one
  handshake message in the TLS plaintext record.
- Fix resource handling on error in OCSP_request_add0_id().
- Make sure there is enough room for stashing the handshake message when
  switching to the legacy TLS stack.
- Fix a memory leak in the openssl(1) s_client.
- Unbreak DTLS retransmissions for flights that include a CCS.
- If x509_verify() fails, ensure that the error is set on both the
  x509_verify_ctx() and its store context to make some failures visible
  from SSL_get_verify_result().
- Use the X509_STORE_CTX get_issuer() callback from the new X.509
  verifier to fix hashed certificate directories.
- Only check
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) on
  read and
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) on
  write. Previously,
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) was
  also checked after read and
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) after
  write which could cause stalls in software that uses the same BIO for
  read and write.
- In [openssl(1)](https://man.openbsd.org/openssl.1) verify, also check
  for error on the store context since the return value of
  [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3) is
  unreliable in presence of a callback that returns 1 too often.
- Handle additional certificate error cases in the new X.509 verifier.
  Keep track of the errors encountered if a verify callback tells the
  verifier to continue and report them back via the error on the store
  context. This mimics the behavior of the old verifier that would
  persist the first error encountered while building the chain.
- Report specific failures for "self signed certificates" in a way
  compatible with the old verifier since software relies on the
  error code.
- Plug a large memory leak in the new verifier caused by calling
  X509_policy_check(3) repeatedly.
- Avoid leaking memory in x509_verify_chain_dup().

doc: Updated security/libretls to 3.3.2

Update to 6.9. From the changelog:

- This is oksh-6.9, matching ksh(1) from OpenBSD 6.9 with portability
  additions.

From the OpenBSD 6.9 changelog:

- Fixed ksh(1) redrawing of a multiline PS1 prompt in vi mode and added
  support for ^R (redraw) in insert mode.

doc: Updated shells/oksh to 6.9

Update to 2021.04.30. From the changelog:

- Compatibility with the latest skalibs.

doc: Updated sysutils/fdtools to 2021.04.30

Update to 2.21.0. From the changelog:

- Minor change in taint extraction: Check for non-whitespace in library
  path after m{ (.+) }x, remove 's' in regex to avoid issues with paths
  including embedded newlines. Up the minor number: if anyone really
  does depend on locating all-whitespace paths or ones with embedded
  newlines warn me.

doc: Updated devel/p5-FindBin-libs to 2.21.0

Bump PKGREVISION for skalibs update.

Note fdtools PKGREVISION bump.

Update to 2.10.0.3. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.10.0.3. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

- Bugfixes.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.2.3.2. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Update to 2.3.5.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.4.1.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

Update to 2.8.0.1. From the changelog:

- Libraries and binaries don't have the .note.GNU-stack section stripped
  anymore. Previously, "make strip" would strip that section, which
  would sometimes (depending on the toolchain) cause binaries to be
  incorrectly tagged as needing an executable stack. This is not a
  security issue in itself, but an executable stack makes it easier for
  an attacker to turn bugs into exploits, so it should be avoided
  whenever possible. Thanks to Xavier Stonestreet for reporting and
  finding the cause of the problem.

- Link tests are now performed with a regular file as their
  output, instead of /dev/null, which makes them more portable to
  old/buggy linkers.

Bump default BUILDLINK_API_DEPENDS to match.

doc: Updated devel/skalibs to 2.10.0.3

doc: Updated lang/execline to 2.8.0.1

doc: Updated misc/s6-portable-utils to 2.2.3.2

doc: Updated net/s6-dns to 2.3.5.1

doc: Updated net/s6-networking to 2.4.1.1

doc: Updated sysutils/s6 to 2.10.0.3

Add another post-install dylib rpath fixup for macOS (libserde_derive).
Bump PKGREVISION.

doc: Updated lang/rust to 1.50.0nb2

Update to 1.06. From the changelog:

- Drop support for Perls prior to 5.6
- Fix bug in tests that fail could fail with parallel build
  (rt#92313, HAARG++)
- Fixed typo in documentation (rt#90009, dsteinbrunner++)
- Incidentally fixed compatability with Perls that do not have `.` in @INC
  (rt#121002)

Update to 4.0.7. From the changelog:

- Fixing comments on batch report, now compatible with PHP 7
- Try to fix recurring problems with test runs hanging when the last
  test requires a rerun due to a knownbug
- #82 trying to support Python 3.9

doc: Updated devel/texttest to 4.0.7

doc: Updated textproc/p5-File-ReadBackwards to 1.06

Update to 0.4.2. From the changelog:

- Easier to understand error messages (closes #97)

doc: Updated devel/py-approvaltests to 0.4.2