doc: Updated www/firefox to 102.0

(ryoon)

firefox: Update to 102.0

Changelog:
New

  * Tired of too many windows crowding your screen? You can now disable
    automatic opening of the download panel every time a new download starts.
    Read more.

  * Firefox now mitigates query parameter tracking when navigating sites in ETP
    strict mode.

Fixed

  * When using a screen reader on Windows, pressing enter to activate an
    element no longer fails or clicks the wrong element and/or another
    application window. For those blind or with very limited vision, this
    technology reads out loud what is on the screen, and users can adapt them
    to their needs (now, on our platform, without errors).

  * Various security fixes.

Changed

  * Improved security by moving audio decoding into a separate process with
    stricter sandboxing, thus improving process isolation.

Enterprise

  * Various bug fixes and new policies have been implemented in the latest
    version of Firefox. You can find more information in the Firefox for
    Enterprise 102 Release Notes.

  * Firefox 102 is the new Extended Support Release (ESR). Firefox 91 ESR goes
    out of support on September 20, 2022. (See the 102 ESR release notes for
    more information)

Developer

  * Developer Information
  * You can now filter style sheets in the Style Editor tab of our developer
    tools

Web Platform

  * TransformStream and ReadableStream.pipeThrough have landed, allowing you to
    pipe from a ReadableStream to a WritableStream, executing a transformation
    on each chunk.

  * ReadableStream, TransformStream, and WritableStream are all transferable
    now.

  * Firefox now supports Content-Security-Policy (CSP) integration with
    WebAssembly. A document with a CSP that restricts scripts will no longer
    execute WebAssembly unless the policy uses 'unsafe-eval' or the new
    'wasm-unsafe-eval' keyword.

Security fixes:
#CVE-2022-34479: A popup window could be resized in a way to overlay the
address bar with web content
#CVE-2022-34470: Use-after-free in nsSHistory
#CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via
retargeted javascript: URI
#CVE-2022-34482: Drag and drop of malicious image could have led to malicious
executable and potential code execution
#CVE-2022-34483: Drag and drop of malicious image could have led to malicious
executable and potential code execution
#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed
ASN.1
#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
#CVE-2022-34474: Sandboxed iframes could redirect to external schemes
#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be
bypassed by the user on Firefox for Android
#CVE-2022-34471: Compromised server could trick a browser into an addon
downgrade
#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked
#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt
#CVE-2022-2200: Undesired attributes could be set as part of prototype
pollution
#CVE-2022-34480: Free of uninitialized pointer in lg_init
#CVE-2022-34477: MediaError message property leaked information on cross-origin
same-site pages
#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script
via use tags
#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags
#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
#CVE-2022-34485: Memory safety bugs fixed in Firefox 102

(ryoon)

doc: Added shells/etsh version 5.4.0

(pin)

shells/etsh: import package

Packaged in wip by Paolo Vincenzo Olivo.

Etsh provides two ports of the original /bin/sh from Version 6 (V6) UNIX
(circa 1975).

Etsh(1) is an enhanced, backward-compatible port of the V6 Thompson shell.
Tsh(1) is an unenhanced port of the shell, and glob(1) is a port of its
global command.  Together, tsh and glob provide a user interface which
is backward compatible with that provided by the V6 Thompson shell and
global command, but without the obvious enhancements found in etsh.

The original Thompson shell was principally written by Ken Thompson
of Bell Labs.

This package also includes the following shell utilities:

- if(1) - conditional command (ported from V6 UNIX)
- goto(1) - transfer command (ported from V6 UNIX)
- fd2(1) - redirect from/to file descriptor 2

(pin)

Add etsh

(pin)

doc: Updated security/opendoas to 6.8.2

(pin)

security/opendoas: update to 6.8.2

This release adds a patch from PR#92 to aborting early if argv is not set or
empty.
Nothing else has changed in this patch release.

(pin)

doc: Updated sysutils/openipmi to 2.0.32

(wiz)

openipmi: update to 2.0.32.

Comment out python option, it uses the deprecated distutils
for installation:
https://sourceforge.net/p/openipmi/feature-requests/10/

Changes not found.

(wiz)

calibre: mark as not supporting python 3.10 (for now)

(wiz)

doc: Updated converters/p5-Cpanel-JSON-XS to 4.30

(wiz)

p5-Cpanel-JSON-XS: update to 4.30.

4.30 2022-06-14 (rurban)
        - Fix perl 5.37 utf8n_to_uvuni deprecation. GH #196

4.29 2022-05-27 (rurban)
        - Hack: Revert native bool (unblessed) overloads via JSON::PP 4.08.
          JSON::PP ignores unblessed bools for now. GH #194

4.28 2022-05-05 (rurban)
        - Validate the JSON struct which might get corrupted by wrong FREEZE/THAW
          methods, or other serializers, or corrupting our magic object. (GH #192)
        - Improve our DESTROY and END methods to avoid NULL dereferences.
          Fixes perl-compiler/#438
        - Fix 3 tests in t/20_unknown.t with the latest 5.35.10 bool enhancements
          and JSON::PP (GH #194)
        - Fix t/118_type.t with Windows ivtype long long. (GH #178)
        - Added github actions

4.27 2021-10-13 (rurban)
        - Only add -Werror=declaration-after-statement for 5.035004 and earlier (PR #186 nwc)
- Fix 125_shared_boolean.t for threads (PR #184 Sinan Unur)

4.26 2021-04-12 (rurban)
        - Fix compilation with C++ (GH #177)

4.25 2020-10-28 (rurban)
        - Fix decode relaxed with comment at the end of the buffer (GH #174 fgaspar), a regression
          introduced with 3.0220, to fix n_number_then_00.
        - Possible fix for a gcc-9 optimizer bug (GH #172)

4.24 2020-10-02 (rurban)
        - Fix decode_json(scalar, 0) (GH #171 plicease), check 2nd arg for true-ness

(wiz)

Handle MAKE_JOBS.${PKGNAME} when dealing with the MAKE_JOBS_SAFE vs.
--with-parallelism stuff

"Looks fine" from wiz@

(pgoyette)

multimedia/handbrake: add option for gtk3 gui, defaults to enabled

(dbj)

doc: Downgraded shells/ksh93 to 1.0.0beta2

(leot)

ksh93: Remove not needed USE_LANGUAGES

It is already `c' by default.

No functional change.

(leot)

ksh93: Downgrade to 1.0.0beta.2

Simplify distname handling and downgrade to 1.0.0beta.2 to match actual
upstream version.

(leot)

doc: Added x11/xbrightness version 0.3

(pin)

Add xbrightness

(pin)

x11/xbrightness: import package

Packaged in wip by Paolo Vincenzo Olivo.

xbrightness is a command-line tool for altering the brightness (and optionally
gamma) at software level, through the X server.

(pin)

doc: Added shells/ksh93 version 1.0.0.2

(pin)

Add ksh93

(pin)

shells/ksh93: import package

Packaged in wip by Paolo Vincenzo Olivo.

Between 2017 and 2020 there was an ultimately unsuccessful attempt to breathe
new life into the KornShell by extensively refactoring the last unstable AST
beta version (93v-). While that ksh2020 effort is now abandoned and still has
many critical bugs, it also had a lot of bugs fixed. More importantly, the AST
issue tracker now contains a lot of documentation on how to fix those bugs,
which made it possible to backport many of them to the last stable release
instead. This ksh 93u+m reboot now incorporates many of these bugfixes, plus
patches from OpenSUSE, Red Hat, and Solaris, as well as many new fixes from the
community (1, 2). Though there are many bugs left to fix, we are confident at
this point that 93u+m is already the least buggy version of ksh93 ever
released. As of late 2021, distributions such as Debian and Slackware have
begun to package it as their default version of ksh93.

(pin)

doc: Added x11/qt5-styleplugins version 5.0.0.20170112

(pin)

Add qt5-styleplugins

(pin)

x11/qt5-styleplugins: import package

Packaged in wip by Paolo Vincenzo Olivo.

(pin)

doc: Updated devel/py-mercurial to 6.1.4

(wiz)

py-mercurial: update to 6.1.4.

Changes not found

(wiz)

py-hg-evolve: update URL in comment

(wiz)

snapcast: Needs gcc8 for std::filesystem

(nia)

doc: Updated print/poppler to 22.06.0

(wiz)

poppler*: update to 22.06.0

Release 22.06.0:
        core:
        * Forms: Fix crash in forms with their own DR
        * Refactor CairoFontEngine caching
        * CairoOutputDev: preserve text color when drawing type 3 glyphs
        * Windows: font code simplification
        * Minor code improvements

        cpp:
        * Add missing header

        utils:
        * pdfattach: Assume filename is utf8 encoded
        * pdftohtml: Fix type 3 font size calculation

Release 22.05.0:
        core:
        * Annotations: Make sure we embed fonts for the FreeText annots
        * Forms: Make sure we embedd fonts as needed
        * Signatures: Make sure we embed the needed fonts
        * CairoOutputDev: color type 3 fonts
        * fix two bugs in multiline find_text()
        * code improvements

        utils:
        * pdftotext: added TSV mode
        * HtmlOutputDev: don't use png.h

        cpp:
        * Use time_t for time
        * Add page_transition::durationReal

        qt:
        * Pass leftFontSize down to `FormWidgetSignature::signDocumentWithAppearence`

(wiz)

xentools415: add untested bl3.mk for collectd-xen

(wiz)

remove stray comma

(nia)

doc: Added audio/snapcast version 0.26.0

(nia)

add audio/snapcast

Snapcast is a multiroom client-server audio player, where all clients are
time synchronized with the server to play perfectly synced audio. It's not
a standalone player, but an extension that turns your existing audio player
into a Sonos-like multiroom solution.

(nia)

doc: Updated audio/openal-soft to 1.22.1

(wiz)

openal-soft: update to 1.22.1.

openal-soft-1.22.1:

    Fixed CoreAudio capture.

    Fixed air absorption strength.

    Fixed handling 5.1 devices on Windows that use Rear channels instead of
    Side channels.

    Fixed some compilation issues on MinGW.

    Fixed ALSA not being used on some systems without PipeWire and PulseAudio.

    Fixed OpenSL capturing noise.

    Fixed Oboe capture failing with some buffer sizes.

    Added checks for the runtime PipeWire version. The same or newer version
    than is used for building will be needed at runtime for the backend to
    work.

    Separated 3D7.1 into its own speaker configuration.

(wiz)

doc: Updated lang/gcc10 to 10.4.0

(wiz)

gcc10: update to 10.4

GCC 10.4

60 bug reports were fixed.

  Target Specific Changes

    x86-64

    * The x86-64 ABI of passing and returning structures with a 64-bit
      integer vector changed in GCC 10.1 when MMX is disabled. Disabling
      MMX no longer changes how they are passed nor returned. This ABI
      change is now diagnosed with -Wpsabi.

(wiz)

doc: Updated devel/googletest to 1.12.1

(wiz)

googletest: update to 1.12.1.

1.12.1

C++ Language Support

    This will be the last release to support C++11. Future releases will require at least C++14.

Mocking

    Support for move-only values to Return (5126f71)

Matchers

    New matchers
        WhenBase64Unescaped (652ec31)
    ResultOf() now has a 3-arg overload that takes a description string for better error messages (0e40217)

Build & Test

    CMake minimum increased to 3.5
    Bazel users that build GoogleTest using the Abseil library as a dependency now also require a dependency on RE2 (e33c2b2)
    Bazel users that build GoogleTest using the Abseil library now use the Abseil library to parse all command-line flags (25dcdc7)

Patches

58d77fa - Fixes the version number in CMakeLists.txt (#3911)

(wiz)

doc: Updated news/pan to 0.151

(rhialto)

news/pan: update to 1.151

0.151 "Butcha" (Буча) - 2022-06-25

  This release is dedicated to all people suffering from Russian war
  in Ukraine. Until this war is over, Pan release are named after
  Ukrainian towns ravaged by this war.

  The main points of this release are:
  - Gtk2 minimal version is now 2.24.0. Note that this release is
    probably the last one with Gtk2 support.
  - addition of a helper script to build Pan on Windows (Thomas)
  - fix Gtk3 icon scaling on Windows (Thomas, fixes #144)
  - fix header handling errors (Thomas, fixes #61 and #66)
  - Add a menu entry to allow editing the Score file in text editor (Thomas, fixes #11)

  Many thanks to Thomas Tanner for the work done on this release.

  Contributors to this release:

    Thomas Tanner, Dominique Dumont, Miguel Ángel Nieto, Daniel
    Mustieles, Andre Klapper, Anders Jonsson

  Updated translations:
    da        (Alan Mortensen)
    eu        (Asier Sarasua Garmendia)
    hu        (Balázs Úr)
    pl        (Piotr Drąg)
    sr        (Мирослав Николић)
    sv        (Anders Jonsson)
    uk        (Yuri Chornoivan)

(rhialto)

doc: Updated devel/py-msgpack to 1.0.4

(wiz)

py-msgpack: update to 1.0.4.

What's Changed

    Support Python 3.11 (beta)
    refresh ci settings. by @methane in #492
    Don't define _*ENDIAN macro on Unix. by @methane in #495
    Update setuptools and black by @methane in #498
    Use PyFloat_Pack8() on Python 3.11a7 by @vstinner in #499
    Upgrade black to fix CI by @hauntsaninja in #505
    Fix Unpacker max_buffer_length handling by @methane in #506
    ci: Update action versions. by @methane in #507
    Release v1.0.4 by @methane in #509

(wiz)

doc: Updated sysutils/py-borgbackup to 1.2.1

(wiz)

py-borgbackup: update to 1.2.1.

Version 1.2.1 (2022-06-06)
--------------------------

Upgrade notes:

Some things can be recommended for the upgrade process from borg 1.1.x
(please also read the important compatibility notes below):

- do you already want to upgrade? 1.1.x also will get fixes for a while.
- be careful, first upgrade your less critical / smaller repos.
- first upgrade to a recent 1.1.x release - especially if you run some older
  1.1.* or even 1.0.* borg release.
- using that, run at least one `borg create` (your normal backup), `prune`
  and especially a `check` to see everything is in a good state.
- check the output of `borg check` - if there is anything special, consider
  a `borg check --repair` followed by another `borg check`.
- if everything is fine so far (borg check reports no issues), you can consider
  upgrading to 1.2.x. if not, please first fix any already existing issue.
- if you want to play safer, first **create a backup of your borg repository**.
- upgrade to latest borg 1.2.x release (you could use the fat binary from
  github releases page)
- run `borg compact --cleanup-commits` to clean up a ton of 17 bytes long files
  in your repo caused by a borg 1.1 bug
- run `borg check` again (now with borg 1.2.x) and check if there is anything
  special.
- run `borg info` (with borg 1.2.x) to build the local pre12-meta cache (can
  take significant time, but after that it will be fast) - for more details
  see below.
- check the compatibility notes (see below) and adapt your scripts, if needed.
- if you run into any issues, please check the github issue tracker before
  posting new issues there or elsewhere.

If you follow this procedure, you can help avoiding that we get a lot of
"borg 1.2" issue reports that are not really 1.2 issues, but existed before
and maybe just were not noticed.

Compatibility notes:

- matching of path patterns has been aligned with borg storing relative paths.
  Borg archives file paths without leading slashes. Previously, include/exclude
  patterns could contain leading slashes. You should check your patterns and
  remove leading slashes.
- dropped support / testing for older Pythons, minimum requirement is 3.8.
  In case your OS does not provide Python >= 3.8, consider using our binary,
  which does not need an external Python interpreter. Or continue using
  borg 1.1.x, which is still supported.
- freeing repository space only happens when "borg compact" is invoked.
- mount: the default for --numeric-ids is False now (same as borg extract)
- borg create --noatime is deprecated. Not storing atime is the default behaviour
  now (use --atime if you want to store the atime).
- list: corrected mix-up of "isomtime" and "mtime" formats.
  Previously, "isomtime" was the default but produced a verbose human format,
  while "mtime" produced a ISO-8601-like format.
  The behaviours have been swapped (so "mtime" is human, "isomtime" is ISO-like),
  and the default is now "mtime".
  "isomtime" is now a real ISO-8601 format ("T" between date and time, not a space).
- create/recreate --list: file status for all files used to get announced *AFTER*
  the file (with borg < 1.2). Now, file status is announced *BEFORE* the file
  contents are processed. If the file status changes later (e.g. due to an error
  or a content change), the updated/final file status will be printed again.
- removed deprecated-since-long stuff (deprecated since):

  - command "borg change-passphrase" (2017-02), use "borg key ..."
  - option "--keep-tag-files" (2017-01), use "--keep-exclude-tags"
  - option "--list-format" (2017-10), use "--format"
  - option "--ignore-inode" (2017-09), use "--files-cache" w/o "inode"
  - option "--no-files-cache" (2017-09), use "--files-cache=disabled"
- removed BORG_HOSTNAME_IS_UNIQUE env var.
  to use borg you must implement one of these 2 scenarios:

  - 1) the combination of FQDN and result of uuid.getnode() must be unique
      and stable (this should be the case for almost everybody, except when
      having duplicate FQDN *and* MAC address or all-zero MAC address)
  - 2) if you are aware that 1) is not the case for you, you must set
      BORG_HOST_ID env var to something unique.
- exit with 128 + signal number, #5161.
  if you have scripts expecting rc == 2 for a signal exit, you need to update
  them to check for >= 128.

Fixes:

- create: skip with warning if opening the parent dir of recursion root fails, #6374
- create: fix crash. metadata stream can produce all-zero chunks, #6587
- fix crash when computing stats, escape % chars in archive name, #6500
- fix transaction rollback: use files cache filename as found in txn.active/, #6353
- import-tar: kill filter process in case of borg exceptions, #6401 #6681
- import-tar: fix mtime type bug
- ensure_dir: respect umask for created directory modes, #6400
- SaveFile: respect umask for final file mode, #6400
- check archive: improve error handling for corrupt archive metadata block, make
  robust_iterator more robust, #4777
- pre12-meta cache: do not use the cache if want_unique is True, #6612
- fix scp-style repo url parsing for ip v6 address, #6526
- mount -o versions: give clear error msg instead of crashing.
  it does not make sense to request versions view if you only look at 1 archive,
  but the code shall not crash in that case as it did, but give a clear error msg.
- show_progress: add finished=true/false to archive_progress json, #6570
- delete/prune: fix --iec mode output (decimal vs. binary units), #6606
- info: fix authenticated mode repo to show "Encrypted: No", #6462
- diff: support presence change for blkdev, chrdev and fifo items, #6615

New features:

- delete: add repository id and location to prompt, #6453
- borg debug dump-repo-objs --ghost: new --segment=S --offset=O options

Other changes:

- support python 3.11
- allow msgpack 1.0.4, #6716
- load_key: no key is same as empty key, #6441
- give a more helpful error msg for unsupported key formats, #6561
- better error msg for defect or unsupported repo configs, #6566
- docs:

  - document borg 1.2 pattern matching behavior change, #6407
    Make clear that absolute paths always go into the matcher as if they are
    relative (without leading slash). Adapt all examples accordingly.
  - authentication primitives: improved security and performance infos
  - mention BORG_FILES_CACHE_SUFFIX as alternative to BORG_FILES_CACHE_TTL, #5602
  - FAQ: add a hint about --debug-topic=files_cache
  - improve borg check --max-duration description
  - fix values of TAG bytes, #6515
  - borg compact --cleanup-commits also runs a normal compaction, #6324
  - virtualization speed tips
  - recommend umask for passphrase file perms
  - borg 1.2 is security supported
  - update link to ubuntu packages, #6485
  - use --numeric-ids in pull mode docs
  - remove blake2 docs, blake2 code not bundled any more, #6371
  - clarify on-disk order and size of segment file log entry fields, #6357
  - docs building: do not transform --/--- to unicode dashes
- tests:

  - check that borg does not require pytest for normal usage, fixes #6563
  - fix OpenBSD symlink mode test failure, #2055
- vagrant:

  - darwin64: remove fakeroot, #6314
  - update development.lock.txt
  - use pyinstaller 4.10 and python 3.9.13 for binary build
  - upgrade VMCPUS and xdistn from 4 to 16, maybe this speeds up the tests
- crypto:

  - use hmac.compare_digest instead of ==, #6470
  - hmac_sha256: replace own cython wrapper code by hmac.digest python stdlib (since py38)
  - hmac and blake2b minor optimizations and cleanups
  - removed some unused crypto related code, #6472
  - avoid losing the key (potential use-after-free). this never could happen in
    1.2 due to the way we use the code. The issue was discovered in master after
    other changes, so we also "fixed" it here before it bites us.
- setup / build:

  - add pyproject.toml, fix sys.path, #6466
  - setuptools_scm: also require it via pyproject.toml
  - allow extra compiler flags for every extension build
  - fix misc. C / Cython compiler warnings, deprecation warnings
  - fix zstd.h include for bundled zstd, #6369
- source using python 3.8 features: ``pyupgrade --py38-plus ./**/*.py``

(wiz)

doc: Updated converters/py-chardet to 5.0.0

(wiz)

py-chardet: update to 5.0.0.

This release is the first release of chardet that no longer
supports Python < 3.6.

In addition to that change, it features the following user-facing
changes:

    Added a prober for Johab Korean (#207, @grizlupo)
    Added a prober for UTF-16/32 BE/LE (#109, #206, @jpz)
    Added test data for Croatian, Czech, Hungarian, Polish, Slovak,
    Slovene, Greek, and Turkish, which should help prevent future
    errors with those languages
    Improved XML tag filtering, which should improve accuracy for
    XML files (#208)
    Tweaked SingleByteCharSetProber confidence to match latest
    uchardet (#209)
    Made detect_all return child prober confidences (#210)
    Updated examples in docs (#223, @domdfcoding)
    Documentation fixes (#212, #224, #225, #226, #220, #221, #244
    from too many to mention)
    Minor performance improvements (#252, @deedy5)
    Add support for Python 3.10 when testing (#232, @jdufresne)
    Lots of little development cycle improvements, mostly thanks
    to @jdufresne

(wiz)

doc: Updated devel/py-hypothesis to 6.48.2nb1

(wiz)

py-hypothesis: add missing dependency on py-exceptiongroup

Bump PKGREVISION

(wiz)

doc: Added devel/py-exceptiongroup version 1.0.0rc8

(wiz)

devel/Makefile: + py-exceptiongroup

(wiz)

devel/py-exceptiongroup: import py-exceptiongroup-1.0.0rc8

This is a backport of the BaseExceptionGroup and ExceptionGroup
classes from Python 3.11.

It contains the following:

    The exceptiongroup.BaseExceptionGroup and exceptiongroup.ExceptionGroup
    classes
    A utility function (exceptiongroup.catch()) for catching
    exceptions possibly nested in an exception group
    Patches to the TracebackException class that properly formats
    exception groups (installed on import)
    An exception hook that handles formatting of exception groups
    through TracebackException (installed on import)

(wiz)

doc: Added devel/py-flit_scm version 1.6.2

(wiz)

devel/Makefile: + py-flit_scm

(wiz)

devel/py-flit_scm: import py-flit_scm-1.6.2

A PEP 518 build backend that uses setuptools_scm to generate a
version file from your version control system, then flit_core to
build the package.

(wiz)

*: use versioned_dependencies.mk for py-chardet

(wiz)

python: add chardet to versioned_dependencies

(wiz)

doc: Added converters/py-chardet4 version 4.0.0nb2

(wiz)

converters/Makefile: + py-chardet4

(wiz)

converters/py-chardet4: import py27-chardet-4.0.0nb2

Character encoding auto-detection in Python.

This package contains the last version supporting Python 2.

(wiz)

doc: Updated security/py-cryptography to 37.0.2

(wiz)

py-cryptography: update to 37.0.2.

Based mostly on work by adam@ in wip.

.. _v37-0-2:

37.0.2 - 2022-05-03
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
* Added a constant needed for an upcoming pyOpenSSL release.

.. _v37-0-1:

37.0.1 - 2022-04-27
~~~~~~~~~~~~~~~~~~~

* Fixed an issue where parsing an encrypted private key with the public
  loader functions would hang waiting for console input on OpenSSL 3.0.x rather
  than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
  removed again in the future, so ``pyOpenSSL`` users should still upgrade
  to the latest version of that package when they upgrade ``cryptography``.

.. _v37-0-0:

37.0.0 - 2022-04-26
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
  The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
  from the public key and private key classes. These methods were originally
  deprecated in version 2.0, but had an extended deprecation timeline due
  to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
  the OpenSSL project. The next release of ``cryptography`` will be the last
  to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
  Python core team. Support for Python 3.6 will be removed in a future
  ``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
  In the next release we will raise MSRV to 1.48.0. Users with the latest
  ``pip`` will typically get a wheel and not need Rust installed, but check
  :doc:`/installation` for documentation on installing a newer ``rustc`` if
  required.
* Deprecated
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
  they are legacy algorithms with extremely low usage. These will be removed
  in a future version of ``cryptography``.
* Added limited support for distinguished names containing a bit string.
* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
  and ``x86_64`` architectures. Users on macOS should upgrade to the latest
  ``pip`` to ensure they can use this wheel, although we will continue to
  ship ``x86_64`` specific wheels for now to ease the transition.
* This will be the final release for which we ship ``manylinux2010`` wheels.
  Going forward the minimum supported ``manylinux`` ABI for our wheels will
  be ``manylinux2014``. The vast majority of users will continue to receive
  ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
  wheels this release already requires ``manylinux2014`` for compatibility
  with binaries distributed by upstream.
* Added support for multiple
  :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
  :class:`~cryptography.x509.ocsp.OCSPResponse`.
* Restored support for signing certificates and other structures in
  :doc:`/x509/index` with SHA3 hash algorithms.
* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
  disabled in FIPS mode.
* Added support for serialization of PKCS#12 CA friendly names/aliases in
  :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
* Added support for 12-15 byte (96 to 120 bit) nonces to
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
  previously supported only 12 byte (96 bit).
* Added support for
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
  OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
  certificates with
  :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
* Added support for parsing :rfc:`4514` strings with
  :meth:`~cryptography.x509.Name.from_rfc4514_string`.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
  :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
  be used to verify a signature where the salt length is not already known.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
  to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
  constant will set the salt length to the same length as the ``PSS`` hash
  algorithm.
* Added support for loading RSA-PSS key types with
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
  and
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
  This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
  normal RSA private key, discarding the PSS constraint information.

.. _v36-0-2:

36.0.2 - 2022-03-15
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

.. _v36-0-1:

36.0.1 - 2021-12-14
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

.. _v36-0-0:

36.0.0 - 2021-11-21
~~~~~~~~~~~~~~~~~~~

* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
  asymmetric key classes was deprecated in version 2.0. These functions had an
  extended deprecation due to usage, however the next version of
  ``cryptography`` will drop support. Users should migrate to ``sign`` and
  ``verify``.
* The entire :doc:`/x509/index` layer is now written in Rust. This allows
  alternate asymmetric key implementations that can support cloud key
  management services or hardware security modules provided they implement
  the necessary interface (for example:
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
* :ref:`Deprecated the backend argument<faq-missing-backend>` for all
  functions.
* Added support for
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
* Added support for iterating over arbitrary request
  :attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
* Deprecated the ``get_attribute_for_oid`` method on
  :class:`~cryptography.x509.CertificateSigningRequest` in favor of
  :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
  :class:`~cryptography.x509.Attributes` object.
* Fixed handling of PEM files to allow loading when certificate and key are
  in the same file.
* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
  containing legacy ``BMPString`` values in their ``explicitText``.
* Allow parsing of negative serial numbers in certificates. Negative serial
  numbers are prohibited by :rfc:`5280` so a deprecation warning will be
  raised whenever they are encountered. A future version of ``cryptography``
  will drop support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
  certificates with
  :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
  which will return an object of type
  :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`.
* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
  an optional ``attr_name_overrides`` parameter to supply custom OID to name
  mappings, which can be used to match vendor-specific extensions.
* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
  email address fields as ``E`` in
  :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.

  The previous behavior can be restored with:
  ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
* Allow
  :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
  and
  :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
  be used as public keys when parsing certificates or creating them with
  :class:`~cryptography.x509.CertificateBuilder`. These key types must be
  signed with a different signing algorithm as ``X25519`` and ``X448`` do
  not support signing.
* Extension values can now be serialized to a DER byte string by calling
  :func:`~cryptography.x509.ExtensionType.public_bytes`.
* Added experimental support for compiling against BoringSSL. As BoringSSL
  does not commit to a stable API, ``cryptography`` tests against the
  latest commit only. Please note that several features are not available
  when building against BoringSSL.
* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
  time period, allows the ``Extension`` ``critical`` field to be incorrectly
  encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
  for complete details. This will be reverted in a future ``cryptography``
  release.
* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
  value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
  to :rfc:`6960` but conflicts with the original behavior specified in
  :rfc:`2560`. For a temporary period for backwards compatibility, we will
  also parse values that are encoded as specified in :rfc:`2560` but this
  behavior will be removed in a future release.

.. _v35-0-0:

35.0.0 - 2021-09-29
~~~~~~~~~~~~~~~~~~~

* Changed the :ref:`version scheme <api-stability:versioning>`. This will
  result in us incrementing the major version more frequently, but does not
  change our existing backwards compatibility policy.
* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
  that the PEM string passed have PEM delimiters of the correct type. For
  example, parsing a private key PEM concatenated with a certificate PEM will
  no longer be accepted by the PEM certificate parser.
* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
  negative serial numbers. :rfc:`5280` has always prohibited these.
* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
  :doc:`/x509/index` parsing will raise an error on initial parse rather than
  when the malformed field is accessed.
* Rust is now required for building ``cryptography``, the
  ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
  respected.
* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
  rewritten in Rust. This should be backwards compatible (modulo the items
  listed above) and improve both security and performance.
* Added support for OpenSSL 3.0.0 as a compilation target.
* Added support for
  :class:`~cryptography.hazmat.primitives.hashes.SM3` and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
  when using OpenSSL 1.1.1. These algorithms are provided for compatibility
  in regions where they may be required, and are not generally recommended.
* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
  our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
  like Alpine Linux should ensure they upgrade to the latest ``pip`` to
  correctly receive wheels.
* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
  <cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.

.. _v3-4-8:

3.4.8 - 2021-08-24
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1l.

.. _v3-4-7:

3.4.7 - 2021-03-25
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1k.

.. _v3-4-6:

3.4.6 - 2021-02-16
~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1j.

.. _v3-4-5:

3.4.5 - 2021-02-13
~~~~~~~~~~~~~~~~~~

* Various improvements to type hints.
* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
  improves compatibility with system-provided Rust on several Linux
  distributions.
* ``cryptography`` will be switching to a new versioning scheme with its next
  feature release. More information is available in our
  :doc:`/api-stability` documentation.

.. _v3-4-4:

3.4.4 - 2021-02-09
~~~~~~~~~~~~~~~~~~

* Added a ``py.typed`` file so that ``mypy`` will know to use our type
  annotations.
* Fixed an import cycle that could be triggered by certain import sequences.

.. _v3-4-3:

3.4.3 - 2021-02-08
~~~~~~~~~~~~~~~~~~

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
  on older versions will get a clear error message.

.. _v3-4-2:

3.4.2 - 2021-02-08
~~~~~~~~~~~~~~~~~~

* Improvements to make the rust transition a bit easier. This includes some
  better error messages and small dependency fixes. If you experience
  installation problems **Be sure to update pip** first, then check the
  :doc:`FAQ </faq>`.

.. _v3-4-1:

3.4.1 - 2021-02-07
~~~~~~~~~~~~~~~~~~

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
  due to outdated ``pip`` or missing ``rustc``.

.. _v3-4:

3.4 - 2021-02-07
~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
  wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
  cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
  themselves will need to have the Rust toolchain installed. Users who use an
  officially produced wheel will not need to make any changes. The minimum
  supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
  APIs. Users can begin using them to type check their code with ``mypy``.

(wiz)

*: bump PKGREVISION for libwebsockets shlib bump

(wiz)

doc: Updated www/libwebsockets to 4.3.0

(wiz)

libwebsockets: update to 4.3.0.

v4.3.0
======

- Add full CBOR stream parsing and writing support, with huge
  amount of test vectors and resumable printf type write apis
  See ./READMEs/README.cbor-lecp.md
- Add COSE key and signing / validation support with huge amount of
  test vectors
    cose_sign[1] ES256/384/512, RS256/384/512
    cose_mac0    HS256/384/512
  See ./READMEs/README.cbor-cose.md
- JIT Trust: for constrained devices, provides a way to determine the
  trusted CA certs the peer requires, and instantiate just those.
  This allows generic client browsing without the overhead of ~130
  x.509 CA certs in memory permanently.
  See ./READMEs/README.jit-trust.md
- Add support for client Netscape cookie jar with caching
- Secure Streams: issue LWSSSCS_EVENT_WAIT_CANCELLED state() when
  lws_cancel_service() called, so cross-thread events can be handled
  in SS
- Actively assert() on attempt to destroy SS handles still active in
  the call stack, use DESTROY_ME returns instead so caller can choose
  how to handle it.
- Improved Client Connection Error report strings for tls errors
- SMP: Use a private fakewsi for PROTOCOL_INIT so pts cannot try to
  use the same one concurrently
- MbedTLS v3 support for all release changes, as well as retaining
  support for v2.x
- MQTT client: support QoS2
- Event lib ops can now be set at context creation time directly,
  bringing full event lib hooking to custom event loops.  See
  minimal-http-server-eventlib-custom
- Extra APIs to recover AKID and SKID from x.509 in mbedtls and openssl
- Improve http redirect to handle h2-> h2 cleanly
- IPv4+6 listen sockets on vhosts are now done with two separate
  sockets bound individually to AF_INET and AF_INET6 addresses,
  handled by the same vhost listen flow.
- Improved tls restriction handling
- Log contexts: allow objects to log into local logging contexts, by
  lws_context, vhost, wsi and ss handle.  Each context has its own
  emit function and log level. See ./READMEs/README.logging.md
- Upgrade compiler checking to default to -Werror -Wall -Wextra
- Fault injection apis now also support pseudo-random number binding
  within a specified range, eg,
  --fault-injection "f1(10%),f1_delay(123..456)"
- Remove LWS_WITH_DEPRECATED_THINGS, remove master branch
- Interface binding now uses ipv6 scoring to select bind address

v4.2.0
======

- Sai coverage upgrades, 495 builds on 27 platforms, including OSX M1,
  Xenial, Bionic and Focal Ubuntu, Debian Sid and Buster on both 32 and
  64-bit OS, and NetBSD, Solaris, FreeBSD, Windows, ESP32.
  Ctest run on more scenarios including all LWS_WITH_DISTRO_RECOMMENDED.
  More tests use valgrind if available on platform.
- RFC7231 date and time parsing and retry-after wired up to lws_retry
- `LWS_WITH_SUL_DEBUGGING` checks that no sul belonging to Secure Streams
  and wsi objects are left registered on destruction
- Netlink monitoring on Linux dynamically tracks interface address and
  routing changes, and immediately closes connections on invalidated
  routes.
- RFC6724 DNS results sorting over ipv4 + ipv6 results, according to
  available dynamic route information
- Support new event library, sdevent (systemd native loop), via
  `LWS_WITH_SDEVENT`
- Reduce .rodata cost of role structs by making them sparse
- Additional Secure Streams QA tests and runtime state transition
  validation
- SMD-over-ss-proxy documentation and helpers to simplify forwarding
- SSPC stream buffering at proxy and client set from policy by streamtype
- Trigger Captive Portal Detection if DNS resolution fails
- Switch all logs related to wsi and Secure Streams to use unique,
  descriptive tags instead of pointers (which may be reallocated)
- Use NOITCE logging for Secure Streams and wsi lifecycle logging using
  tags
- Update SSPC serialization to include versioning on initial handshake,
  and pass client pid to proxy so related objects are tagged with it
- Enable errors on -Wconversion pedantic type-related build issues
  throughout the lws sources and upgrade every affected cast.
- Windows remove WSA event implementation and replace with WSAPoll, with
  a pair of UDP sockets instead of pipe() for `lws_cancel_service()`
- `lws_strcmp_wildcard()` helper that understand "x*", "x*y", "x*y*" etc
- `LWS_WITH_PLUGINS_BUILTIN` cmake option just builds plugins into the main
library image directly
- Secure Streams proxy supports policy for flow control between proxy and
clients
- libressl also supported along with boringssl, wolfssl
- prepared for openssl v3 compatibility, for main function and GENCRYPTO
- Fault injection apis can confirm operation of 48 error paths and counting
- `LWS_WITH_SYS_METRICS` keeps stats and reports them to user-defined
function, compatible with openmetrics
- windows platform knows how to prepare openssl with system trust store certs
- `LWS_WITH_SYS_CONMON` allows selected client connections to make precise
measurements of connection performance and DNS results, and report them in a struct
- New native support for uloop event loop (OpenWRT loop)
- More options around JWT
- Support TLS session caching and reuse by default, on both OpenSSL and
mbedtls
- Many fixes and improvements...

(wiz)

doc: Updated security/py-cyclonedx-python-lib to 2.6.0

(wiz)

py-cyclonedx-python-lib: update to 2.6.0.

2.6.0

    Reduce unnessessarry type casting of set/SortedSet (#203)

2.5.1

    Add expected lower-than comparators for OrganizationalEntity
    and VulnerabilityCredits (#248)

(wiz)

doc: Updated security/py-pip-audit to 2.3.4

(wiz)

py-pip-audit: update to 2.3.4.

## [2.3.4]

### Fixed

* Vulnerability fixing: the `--fix` flag now works for vulnerabilities found in
  requirement subdependencies. A new line is now added to the requirement file
  to explicitly pin the offending subdependency
  ([#297](https://github.com/trailofbits/pip-audit/pull/297))

## [2.3.3]

### Changed

* CLI: `pip-audit` now warns on the combination of `-s osv` and
  `--require-hashes`, notifying users that only the PyPI service
  can fully verify hashes
  ([#298](https://github.com/trailofbits/pip-audit/pull/298))

### Fixed

* CLI/Dependency sources: `--cache-dir=...` and other flags that affect
  dependency resolver behavior now work correctly when auditing a
  `pyproject.toml` dependency source
  ([#300](https://github.com/trailofbits/pip-audit/pull/300))

## [2.3.2] - 2022-05-14

### Changed

* CLI: `pip-audit`'s progress spinner has been refactored to make it
  faster and more responsive
  ([#283](https://github.com/trailofbits/pip-audit/pull/283))

* CLI, Vulnerability sources: the error message used to report
  connection failures to vulnerability sources was improved
  ([#287](https://github.com/trailofbits/pip-audit/pull/287))

* Vulnerability sources: the OSV service is now more resilient
  to schema changes ([#288](https://github.com/trailofbits/pip-audit/pull/288))

* Vulnerability sources: the PyPI service provides a better
  error message during some cases of service degradation
  ([#294](https://github.com/trailofbits/pip-audit/pull/294))

### Fixed

* Vulnerability sources: a bug stemming from an incorrect assumption
  about OSV's schema guarantees was fixed
  ([#284](https://github.com/trailofbits/pip-audit/pull/284))

* Caching: `pip-audit` now respects `pip`'s `PIP_NO_CACHE_DIR`
  and will not attempt to use the `pip` cache if present
  ([#290](https://github.com/trailofbits/pip-audit/pull/290))

(wiz)

doc: Updated print/cups to 2.4.2

(wiz)

*cups*: update to 2.4.2

Changes in CUPS v2.4.2 (26th May 2022)
--------------------------------------

- Fixed certificate strings comparison for Local authorization (CVE-2022-26691)
- The `cupsFileOpen` function no longer opens files for append in read-write
  mode (Issue #291)
- The cupsd daemon removed processing temporary queue (Issue #364)
- Fixed delay in IPP backend if GNUTLS is used and endpoint doesn't confirm
  closing the connection (Issue #365)
- Fixed conditional jump based on uninitialized value in cups/ppd.c (Issue #329)
- Fixed CSS related issues in CUPS Web UI (Issue #344)
- Fixed copyright in CUPS Web UI trailer template (Issue #346)
- mDNS hostname in device uri is not resolved when installaling a permanent
  IPP Everywhere queue (Issues #340, #343)
- The `lpstat` command now reports when the scheduler is not running
  (Issue #352)
- Updated the man pages concerning the `-h` option (Issue #357)
- Re-added LibreSSL/OpenSSL support (Issue #362)
- Updated the Solaris smf service file (Issue #368)
- Fixed a regression in lpoptions option support (Issue #370)
- The scheduler now regenerates the PPD cache information after changing the
  "cupsd.conf" file (Issue #371)
- Updated the scheduler to set "auth-info-required" to "username,password" if a
  backend reports it needs authentication info but doesn't set a method for
  authentication (Issue #373)
- Updated the configure script to look for the OpenSSL library the old way if
  pkg-config is not available (Issue #375)
- Fixed the prototype for the `httpWriteResponse` function (Issue #380)
- Brought back minimal AIX support (Issue #389)
- `cupsGetResponse` did not always set the last error.
- Fixed a number of old references to the Apple CUPS web page.
- Restored the default/generic printer icon file for the web interface.
- Removed old stylesheet classes that are no longer used by the web
  interface.

(wiz)

doc: Updated devel/libidn to 1.40

(wiz)

libidn: update to 1.40.

* Noteworthy changes in release 1.40 (2022-06-20) [stable]

** lib: Bump STRINGPREP_VERSION to 1.40.
It was mistakenly left at 1.38 in the 1.39 release.

* Noteworthy changes in release 1.39 (2022-06-20) [stable]

** lib: Code detecting current locale broken since 1.36.
The code always returned ASCII.  The precise cause is complicated to
track down but likely boils down to the new autotools/gettext
bootstrapping sequence introduced in release 1.36.  Reported by Богдан
Пилипенко <bogdan.pylypenko107@gmail.com>.

** maint: Java JAR archive no longer included in source tarball.

** Minor fixes: typos, makefiles, indentation, gnulib update, etc.

(wiz)

doc: Updated security/mozilla-rootcerts-openssl to 2.8

(wiz)

doc: Updated security/mozilla-rootcerts to 1.0.20220614

(wiz)

mozilla-rootcerts*: update to 20220614 data

(wiz)

*: bump PKGREVISION for libplist shlib name change

(wiz)

doc: Updated textproc/libplist to 2.2.0

(wiz)

libplist: update to 2.2.0.

Version 2.2.0
~~~~~~~~~~~~~

- Changes:
  * bplist: Improve recursion check performance by at least 30% for large files
  * test: Fix test suite on Windows
  * cython: Fix handling of Date nodes (MACH_EPOCH)
  * Add new plist_*_val_compare(), plist_*_val_contains() helper functions
  * Fix/suppress several compiler warnings
  * plistutil: Added ability for files to be read from stdin
  * plistutil: Added ability to specify output format
  * Fix: Return NULL from plist_copy() if passed a NULL pointer instead of asserting
  * Add GitHub Actions integration for automatic build tests
  * plistutil: Add manual page and usage output
  * Fix removal of docs directory on `make clean`
  * Improve README.md with project description, installation, contributing and
    usage sections
  * Rename library and all related files by adding an API version resulting
    in "libplist-2.0" and "libplist++-2.0"

(wiz)

doc: Updated security/nettle to 3.8

(wiz)

nettle: update to 3.8.

NEWS for the Nettle 3.8 release

This release includes a couple of new features, and many
performance improvements. It adds assembly code for two more
architectures: ARM64 and S390x.

The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.5 and libhogweed.so.6.5, with sonames
libnettle.so.8 and libhogweed.so.6.

New features:

* AES keywrap (RFC 3394), contributed by Nicolas Mora.

* SM3 hash function, contributed by Tianjia Zhang.

* New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
  cbc_aes256_encrypt.

  On processors where AES is fast enough, e.g., x86_64 with
  aesni instructions, the overhead of using Nettle's general
  cbc_encrypt can be significant. The new functions can be
  implemented in assembly, to do multiple blocks with reduced
  per-block overhead.

  Note that there's no corresponding new decrypt functions,
  since the general cbc_decrypt doesn't suffer from the same
  performance problem.

Bug fixes:

* Fix fat builds for x86_64 windows, these appear to never
          have worked.

Optimizations:

* New ARM64 implementation of AES, GCM, Chacha, SHA1 and
  SHA256, for processors supporting crypto extensions. Great
  speedups, and fat builds are supported. Contributed by
  Mamone Tarsha.

* New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
  SHA256, SHA512 and SHA3. Great speedups, and fat builds are
  supported. Contributed by Mamone Tarsha.

* New PPC64 assembly for ecc modulo/redc operations,
  contributed by Amitay Isaacs, Martin Schwenke and Alastair
  D卒Silva.

* The x86_64 AES implementation using aesni instructions has
  been reorganized with one separate function per key size,
  each interleaving the processing of two blocks at a time
  (when the caller processes multiple blocks with each call).
  This gives a modest performance improvement on some
  processors.

* Rewritten and faster x86_64 poly1305 assembly.

Known issues:

* Nettle's testsuite doesn't work out-of-the-box on recent
  MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH
  environment variable. Nettle's test scripts handle this in
  some cases, but currently fails the test cases that are
  themselves written as /bin/sh scripts. As a workaround, use

  make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

Miscellaneous:

* Updated manual to current makeinfo conventions, with no
  explicit node pointers. Generate pdf version with texi2pdf,
  to get working hyper links.

* Added square root functions for NIST ecc curves, as a
  preparation for supporting compact point representation.

* Reworked internal GCM/ghash interfaces, simplifying assembly
  implementations. Deleted unused GCM C implementation
  variants with less than 8-bit lookup table.

(wiz)