mozjs60: fix configuration failure

The added patch hacks the virtualenv configuration process which sometimes
finds invalid modification times and try to restart a broken configuration.

(triaxx)

x11/qt4-pgsql: suppress USE_TOOLS+=perl warning

(rillig)

x11/qt4-mysql: suppress USE_TOOLS+=perl warning

(rillig)

x11/qt4-tiff: suppress USE_TOOLS+=perl warning

(rillig)

x11/qt4-sqlite3: suppress USE_TOOLS+=perl warning

(rillig)

databases/libgda: remove unknown configure option

(rillig)

help2man: SOEXT may not change, needs SUBST_NOOP_OK

(nia)

mk/tools: not all linuxes have bash (e.g. alpine)

(nia)

qemu: support opengl

bump pkgrevision

(nia)

doc: Updated graphics/libmypaint to 1.6.1

(ryoon)

libmypaint: Update to 1.6.1

Changelog:
1.6.1 - libtool '-release' flag no longer used

1.6.0
This minor version release includes:

    The new mypaint_brush_stroke_to_2_linearsRGB function.
    Some performance improvements, particularly improved auto-vectorization in the spectral->rgb conversion function (thanks to SleepProgger).
    Improved documentation (still lacking a comprehensive overview).
    New translations for Croatian, Portuguese, Valencian, English (UK) and Dutch

(ryoon)

archivers: Enable quazip

(ryoon)

doc: Added archivers/quazip version 0.9

(ryoon)

archivers/quazip: import quazip-0.9

QuaZIP is the C++ wrapper for Gilles Vollant's ZIP/UNZIP package
(AKA Minizip) using Trolltech's Qt library.

If you need to write files to a ZIP archive or read files from one
using QIODevice API, QuaZIP is exactly the kind of tool you need.

(ryoon)

doc: Removed x11/libgnomekbd2 successor x11/libgnomekbd

(nia)

x11: remove libgnomekbd2 - no longer used gnome 2 component

(nia)

doc: Removed time/gtodo

(nia)

time: remove gtodo - gnome 2 app discontinued in 2004

(nia)

doc: Removed editors/notecase

(nia)

Updated databases/redis, devel/py-joblib

(adam)

py-joblib: updated 0.15.1

Release 0.15.1
- Make joblib work on Python 3 installation that do not ship with the lzma
  package in their standard library.

(adam)

editors: remove notecase

"The free NoteCase Outliner has been discontinued in 2008, in favor of a much advanced variant of the program called NoteCase Pro.

NoteCase Pro, albeit a commercial product, can be used for free with some limitations, but even the free mode of NoteCase Pro is much more advanced than the old NoteCase.

Proceed to NoteCase Pro: ..."

(nia)

redis: updated to 6.0.4

Redis 6.0.4
===========

Upgrade urgency CRITICAL: this release fixes a severe replication bug.

Redis 6.0.4 fixes a critical replication bug caused by a new feature introduced
in Redis 6. The feature, called "meaningful offset" and strongly wanted by
myself (antirez) was an improvement that avoided that masters were no longer
able, during a failover where they were demoted to replicas, to partially
synchronize with the new master. In short the feature was able to avoid full
synchronizations with RDB. How did it work? By trimming the replication backlog
of the final "PING" commands the master was sending in the replication channel:
this way the replication offset would no longer go "after" the one of the
promoted replica, allowing the master to just continue in the same replication
history, receiving only a small data difference.

However after the introduction of the feature we (the Redis core team) quickly
understood there was something wrong: the apparently harmless feature had
many bugs, and the last bug we discovered, after a joined effort of multiple
people, we were not even able to fully understand after fixing it. Enough was
enough, we decided that the complexity cost of this feature was too high.
So Redis 6.0.4 removes the feature entirely, and fixes the data corruption that
it was able to cause.

However there are two facts to take in mind.

Fact 1: Setups using chained replication, that means that certain replicas
are replicating from other replicas, up to Redis 6.0.3 can experience data
corruption. For chained replication we mean that:

    +--------+          +---------+        +-------------+
    | master |--------->| replica |-------->| sub-replica |
    +--------+          +---------+        +-------------+

People using chained replication SHOULD UPGRADE ASAP away from Redis 6.0.0,
6.0.1, 6.0.2 or 6.0.3 to Redis 6.0.4.

To be clear, people NOT using this setup, but having just replicas attached
directly to the master, SHOUDL NOT BE in danger of any problem. But we
are no longer confident on 6.0.x replication implementation complexities
so we suggest to upgrade to 6.0.4 to everybody using an older 6.0.3 release.
We just so far didn't find any bug that affects Redis 6.0.3 that does not
involve chained replication.

People starting with Redis 6.0.4 are fine. People with Redis 5 are fine.
People upgrading from Redis 5 to Redis 6.0.4 are fine.
TLDR: The problem is with users of 6.0.0, 6.0.1, 6.0.2, 6.0.3.

Fact 2: Upgrading from Redis 6.0.x to Redis 6.0.4, IF AND ONLY IF you
use chained replication, requires some extra care:

1. Once you attach your new Redis 6.0.4 instance as a replica of the current
  Redis 6.0.x master, you should wait for the first full synchronization,
  then you should promote it right away, if your setup involves chained
  replication. Don't give it the time to do a new partial synchronization
  in the case the link between the master and the replica  will break in
  the mean time.

2. As an additional care, you may want to set the replication ping period
  to a very large value (for instance 1000000) using the following command:

      CONFIG SET repl-ping-replica-period 1000000

  Note that if you do "1" with care, "2" is not needed.
  However if you do it, make sure to later restore it to its default:

      CONFIG SET repl-ping-replica-period 10

So this is the main change in Redis 6. Later we'll find a different way in
order to achieve what we wanted to achieve with the Meaningful Offset feature,
but without the same complexity.

Other changes in this release:

* PSYNC2 tests improved.
* Fix a rare active defrag edge case bug leading to stagnation
* Fix Redis 6 asserting at startup in 32 bit systems.
* Redis 6 32 bit is now added back to our testing environments.
* Fix server crash for STRALGO command,
* Implement sendfile for RDB transfer.
* TLS fixes.
* Make replication more resistant by disconnecting the master if we
  detect a protocol error. Basically we no longer accept inline protocol
  from the master.
* Other improvements in the tests.

(adam)

doc: Removed audio/gnome-vfs-cdda

(nia)

audio: remove gnome-vfs-cdda - unused

(nia)

doc: Removed sysutils/gnome-vfs-monikers

(nia)

sysutils: remove gnome-vfs-monikers - unused

(nia)

Updated devel/protobuf, devel/py-protobuf

(adam)

protobuf py-protobuf: updated to 3.12.2

Protocol Buffers v3.12.2

C++
Simplified the template export macros to fix the build for mingw32.

(adam)

doc: Removed www/browser-bookmarks-menu

(nia)

www: remove browser-bookmarks-menu (gnome 2 panel applet)

(nia)

doc: Updated net/rclone to 1.52.0

(leot)

rclone: Update to 1.52.0

pkgsrc changes:
- Update patches due file renames

Changes:
1.52.0
------
Special thanks to Martin Michlmayr for proof reading and correcting all
the docs and Edward Barker for helping re-write the front page.

* New backends
  * Tardigrade backend for use with storj.io (Caleb Case)
  * Union re-write to have multiple writable remotes (Max Sum)
  * Seafile for Seafile server (Fred @creativeprojects)
* New commands
  * backend: command for backend specific commands (see backends)
    (Nick Craig-Wood)
  * cachestats: Deprecate in favour of `rclone backend stats cache:`
    (Nick Craig-Wood)
  * dbhashsum: Deprecate in favour of `rclone hashsum DropboxHash` (Nick Craig-Wood)
* New Features
  * Add `--header-download` and `--header-upload` flags for setting
    HTTP headers when uploading/downloading (Tim Gallant)
  * Add `--header` flag to add HTTP headers to every HTTP transaction
    (Nick Craig-Wood)
  * Add `--check-first` to do all checking before starting transfers
    (Nick Craig-Wood)
  * Add `--track-renames-strategy` for configurable matching criteria for
    `--track-renames` (Bernd Schoolmann)
  * Add `--cutoff-mode` hard,soft,catious (Shing Kit Chan & Franklyn Tackitt)
  * Filter flags (eg `--files-from -`) can read from stdin (fishbullet)
  * Add `--error-on-no-transfer` option (Jon Fautley)
  * Implement `--order-by xxx,mixed` for copying some small and some big
    files (Nick Craig-Wood)
  * Allow `--max-backlog` to be negative meaning as large as possible
    (Nick Craig-Wood)
  * Added `--no-unicode-normalization` flag to allow Unicode filenames to
    remain unique (Ben Zenker)
  * Allow `--min-age`/`--max-age` to take a date as well as a duration
    (Nick Craig-Wood)
  * Add rename statistics for file and directory renames (Nick Craig-Wood)
  * Add statistics output to JSON log (reddi)
  * Make stats be printed on non-zero exit code (Nick Craig-Wood)
  * When running `--password-command` allow use of stdin (Sébastien Gross)
  * Stop empty strings being a valid remote path (Nick Craig-Wood)
  * accounting: support WriterTo for less memory copying (Nick Craig-Wood)
  * build
    * Update to use go1.14 for the build (Nick Craig-Wood)
    * Add `-trimpath` to release build for reproduceable builds
      (Nick Craig-Wood)
    * Remove GOOS and GOARCH from Dockerfile (Brandon Philips)
  * config
    * Fsync the config file after writing to save more reliably
      (Nick Craig-Wood)
    * Add `--obscure` and `--no-obscure` flags to `config create`/`update`
      (Nick Craig-Wood)
    * Make `config show` take `remote:` as well as `remote` (Nick Craig-Wood)
  * copyurl: Add `--no-clobber` flag (Denis)
  * delete: Added `--rmdirs` flag to delete directories as well (Kush)
  * filter: Added `--files-from-raw` flag (Ankur Gupta)
  * genautocomplete: Add support for fish shell (Matan Rosenberg)
  * log: Add support for syslog LOCAL facilities (Patryk Jakuszew)
  * lsjson: Add `--hash-type` parameter and use it in lsf to speed up
    hashing (Nick Craig-Wood)
  * rc
    * Add `-o`/`--opt` and `-a`/`--arg` for more structured input
      (Nick Craig-Wood)
    * Implement `backend/command` for running backend specific commands
      remotely (Nick Craig-Wood)
    * Add `mount/mount` command for starting `rclone mount` via the
      API (Chaitanya)
  * rcd: Add Prometheus metrics support (Gary Kim)
  * serve http
    * Added a `--template` flag for user defined markup (calistri)
    * Add Last-Modified headers to files and directories (Nick Craig-Wood)
  * serve sftp: Add support for multiple host keys by repeating `--key` flag
    (Maxime Suret)
  * touch: Add `--localtime` flag to make `--timestamp` localtime not UTC
    (Nick Craig-Wood)
* Bug Fixes
  * accounting
    * Restore "Max number of stats groups reached" log line (Michał Matczuk)
    * Correct exitcode on Transfer Limit Exceeded flag. (Anuar Serdaliyev)
    * Reset bytes read during copy retry (Ankur Gupta)
    * Fix race clearing stats (Nick Craig-Wood)
  * copy: Only create empty directories when they don't exist on the remote
    (Ishuah Kariuki)
  * dedupe: Stop dedupe deleting files with identical IDs (Nick Craig-Wood)
  * oauth
    * Use custom http client so that `--no-check-certificate` is honored by
      oauth token fetch (Mark Spieth)
    * Replace deprecated oauth2.NoContext (Lars Lehtonen)
  * operations
    * Fix setting the timestamp on Windows for multithread copy
      (Nick Craig-Wood)
    * Make rcat obey `--ignore-checksum` (Nick Craig-Wood)
    * Make `--max-transfer` more accurate (Nick Craig-Wood)
  * rc
    * Fix dropped error (Lars Lehtonen)
    * Fix misplaced http server config (Xiaoxing Ye)
    * Disable duplicate log (ElonH)
  * serve dlna
    * Cds: don't specify childCount at all when unknown (Dan Walters)
    * Cds: use modification time as date in dlna metadata (Dan Walters)
  * serve restic: Fix tests after restic project removed vendoring
    (Nick Craig-Wood)
  * sync
    * Fix incorrect "nothing to transfer" message using `--delete-before`
      (Nick Craig-Wood)
    * Only create empty directories when they don't exist on the remote
      (Ishuah Kariuki)
* Mount
  * Add `--async-read` flag to disable asynchronous reads (Nick Craig-Wood)
  * Ignore `--allow-root` flag with a warning as it has been removed upstream
    (Nick Craig-Wood)
  * Warn if `--allow-non-empty` used on Windows and clarify docs
    (Nick Craig-Wood)
  * Constrain to go1.13 or above otherwise bazil.org/fuse fails to compile
    (Nick Craig-Wood)
  * Fix fail because of too long volume name (evileye)
  * Report 1PB free for unknown disk sizes (Nick Craig-Wood)
  * Map more rclone errors into file systems errors (Nick Craig-Wood)
  * Fix disappearing cwd problem (Nick Craig-Wood)
  * Use ReaddirPlus on Windows to improve directory listing performance (Nick Craig-Wood)
  * Send a hint as to whether the filesystem is case insensitive or not (Nick Craig-Wood)
  * Add rc command `mount/types` (Nick Craig-Wood)
  * Change maximum leaf name length to 1024 bytes (Nick Craig-Wood)
* VFS
  * Add `--vfs-read-wait` and `--vfs-write-wait` flags to control time
    waiting for a sequential read/write (Nick Craig-Wood)
  * Change default `--vfs-read-wait` to 20ms (it was 5ms and not configurable)
    (Nick Craig-Wood)
  * Make `df` output more consistent on a rclone mount. (Yves G)
  * Report 1PB free for unknown disk sizes (Nick Craig-Wood)
  * Fix race condition caused by unlocked reading of Dir.path (Nick Craig-Wood)
  * Make File lock and Dir lock not overlap to avoid deadlock (Nick Craig-Wood)
  * Implement lock ordering between File and Dir to eliminate deadlocks
    (Nick Craig-Wood)
  * Factor the vfs cache into its own package (Nick Craig-Wood)
  * Pin the Fs in use in the Fs cache (Nick Craig-Wood)
  * Add SetSys() methods to Node to allow caching stuff on a node
    (Nick Craig-Wood)
  * Ignore file not found errors from Hash in Read.Release (Nick Craig-Wood)
  * Fix hang in read wait code (Nick Craig-Wood)
* Local
  * Speed up multi thread downloads by using sparse files on Windows
    (Nick Craig-Wood)
  * Implement `--local-no-sparse` flag for disabling sparse files
    (Nick Craig-Wood)
  * Implement `rclone backend noop` for testing purposes (Nick Craig-Wood)
  * Fix "file not found" errors on post transfer Hash calculation
    (Nick Craig-Wood)
* Cache
  * Implement `rclone backend stats` command (Nick Craig-Wood)
  * Fix Server Side Copy with Temp Upload (Brandon McNama)
  * Remove Unused Functions (Lars Lehtonen)
  * Disable race tests until bbolt is fixed (Nick Craig-Wood)
  * Move methods used for testing into test file (greatroar)
  * Add Pin and Unpin and canonicalised lookup (Nick Craig-Wood)
  * Use proper import path go.etcd.io/bbolt (Robert-André Mauchin)
* Crypt
  * Calculate hashes for uploads from local disk (Nick Craig-Wood)
      * This allows crypted Jottacloud uploads without using local disk
      * This means crypted s3/b2 uploads will now have hashes
  * Added `rclone backend decode`/`encode` commands to replicate functionality
    of `cryptdecode` (Anagh Kumar Baranwal)
  * Get rid of the unused Cipher interface as it obfuscated the code
    (Nick Craig-Wood)
* Azure Blob
  * Implement streaming of unknown sized files so `rcat` is now supported
    (Nick Craig-Wood)
  * Implement memory pooling to control memory use (Nick Craig-Wood)
  * Add `--azureblob-disable-checksum` flag (Nick Craig-Wood)
  * Retry `InvalidBlobOrBlock` error as it may indicate block concurrency
    problems (Nick Craig-Wood)
  * Remove unused `Object.parseTimeString()` (Lars Lehtonen)
  * Fix permission error on SAS URL limited to container (Nick Craig-Wood)
* B2
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Ignore directory markers at the root also (Nick Craig-Wood)
  * Force the case of the SHA1 to lowercase (Nick Craig-Wood)
  * Remove unused `largeUpload.clearUploadURL()` (Lars Lehtonen)
* Box
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Implement About to read size used (Nick Craig-Wood)
  * Add token renew function for jwt auth (David Bramwell)
  * Added support for interchangeable root folder for Box backend (Sunil Patra)
  * Remove unnecessary iat from jws claims (David)
* Drive
  * Follow shortcuts by default, skip with `--drive-skip-shortcuts`
    (Nick Craig-Wood)
  * Implement `rclone backend shortcut` command for creating shortcuts
    (Nick Craig-Wood)
  * Added `rclone backend` command to change `service_account_file` and
    `chunk_size` (Anagh Kumar Baranwal)
  * Fix missing files when using `--fast-list` and `--drive-shared-with-me`
    (Nick Craig-Wood)
  * Fix duplicate items when using `--drive-shared-with-me` (Nick Craig-Wood)
  * Extend `--drive-stop-on-upload-limit` to respond to
    `teamDriveFileLimitExceeded`. (harry)
  * Don't delete files with multiple parents to avoid data loss
    (Nick Craig-Wood)
  * Server side copy docs use default description if empty (Nick Craig-Wood)
* Dropbox
  * Make error insufficient space to be fatal (harry)
  * Add info about required redirect url (Elan Ruusamäe)
* Fichier
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Implement custom pacer to deal with the new rate limiting (buengese)
* FTP
  * Fix lockup when using concurrency limit on failed connections
    (Nick Craig-Wood)
  * Fix lockup on failed upload when using concurrency limit (Nick Craig-Wood)
  * Fix lockup on Close failures when using concurrency limit (Nick Craig-Wood)
  * Work around pureftp sending spurious 150 messages (Nick Craig-Wood)
* Google Cloud Storage
  * Add support for `--header-upload` and `--header-download` (Nick Craig-Wood)
  * Add `ARCHIVE` storage class to help (Adam Stroud)
  * Ignore directory markers at the root (Nick Craig-Wood)
* Googlephotos
  * Make the start year configurable (Daven)
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Create feature/favorites directory (Brandon Philips)
  * Fix "concurrent map write" error (Nick Craig-Wood)
  * Don't put an image in error message (Nick Craig-Wood)
* HTTP
  * Improved directory listing with new template from Caddy project (calisro)
* Jottacloud
  * Implement `--jottacloud-trashed-only` (buengese)
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Use `RawURLEncoding` when decoding base64 encoded login token (buengese)
  * Implement cleanup (buengese)
  * Update docs regarding cleanup, removed remains from old auth, and added
    warning about special mountpoints. (albertony)
* Mailru
  * Describe 2FA requirements (valery1707)
* Onedrive
  * Implement `--onedrive-server-side-across-configs` (Nick Craig-Wood)
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Fix occasional 416 errors on multipart uploads (Nick Craig-Wood)
  * Added maximum chunk size limit warning in the docs (Harry)
  * Fix missing drive on config (Nick Craig-Wood)
  * Make error `quotaLimitReached` to be fatal (harry)
* Opendrive
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
* Pcloud
  * Added support for interchangeable root folder for pCloud backend
    (Sunil Patra)
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Fix initial config "Auth state doesn't match" message (Nick Craig-Wood)
* Premiumizeme
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Prune unused functions (Lars Lehtonen)
* Putio
  * Add support for `--header-upload` and `--header-download` (Nick Craig-Wood)
  * Make downloading files use the rclone http Client (Nick Craig-Wood)
  * Fix parsing of remotes with leading and trailing / (Nick Craig-Wood)
* Qingstor
  * Make `rclone cleanup` remove pending multipart uploads older than 24h
    (Nick Craig-Wood)
  * Try harder to cancel failed multipart uploads (Nick Craig-Wood)
  * Prune `multiUploader.list()` (Lars Lehtonen)
  * Lint fix (Lars Lehtonen)
* S3
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Use memory pool for buffer allocations (Maciej Zimnoch)
  * Add SSE-C support for AWS, Ceph, and MinIO (Jack Anderson)
  * Fail fast multipart upload (Michał Matczuk)
  * Report errors on bucket creation (mkdir) correctly (Nick Craig-Wood)
  * Specify that Minio supports URL encoding in listings (Nick Craig-Wood)
  * Added 500 as retryErrorCode (Michał Matczuk)
  * Use `--low-level-retries` as the number of SDK retries
    (Aleksandar Janković)
  * Fix multipart abort context (Aleksandar Jankovic)
  * Replace deprecated `session.New()` with `session.NewSession()`
    (Lars Lehtonen)
  * Use the provided size parameter when allocating a new memory pool
    (Joachim Brandon LeBlanc)
  * Use rclone's low level retries instead of AWS SDK to fix listing retries
    (Nick Craig-Wood)
  * Ignore directory markers at the root also (Nick Craig-Wood)
  * Use single memory pool (Michał Matczuk)
  * Do not resize buf on put to memBuf (Michał Matczuk)
  * Improve docs for `--s3-disable-checksum` (Nick Craig-Wood)
  * Don't leak memory or tokens in edge cases for multipart upload
    (Nick Craig-Wood)
* Seafile
  * Implement 2FA (Fred)
* SFTP
  * Added `--sftp-pem-key` to support inline key files (calisro)
  * Fix post transfer copies failing with 0 size when using
    `set_modtime=false` (Nick Craig-Wood)
* Sharefile
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
* Sugarsync
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
* Swift
  * Add support for `--header-upload` and `--header-download` (Nick Craig-Wood)
  * Fix cosmetic issue in error message (Martin Michlmayr)
* Union
  * Implement multiple writable remotes (Max Sum)
  * Fix server-side copy (Max Sum)
  * Implement ListR (Max Sum)
  * Enable ListR when upstreams contain local (Max Sum)
* WebDAV
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)
  * Fix `X-OC-Mtime` header for Transip compatibility (Nick Craig-Wood)
  * Report full and consistent usage with `about` (Yves G)
* Yandex
  * Add support for `--header-upload` and `--header-download` (Tim Gallant)

(leot)

doc: Updated games/easyrpg-player to 0.6.2.1

(nia)

easyrpg-player: Update to 0.6.2.1

Release notes:
https://blog.easyrpg.org/2020/05/easyrpg-player-0-6-2-1-pincer-attack-patch-1/

(nia)

doc: Updated audio/fluidsynth to 2.1.3

(nia)

fluidsynth: Update to 2.1.3

Changes:

- fix a cross-compilation failure from Win32 to WinARM
- fix issues while fluid_player is seeking
- fix a NULL pointer dereference if synth.dynamic-sample-loading is enabled
- fix a NULL pointer dereference in delete_rvoice_mixer_threads()
- fix a NULL pointer dereference in the soundfont loader
- fix dsound driver playing garbage when terminating fluidsynth
- avoid memory leaks when using libinstpatch

(nia)

woof: add missing pkg-config tool

(wiz)

doc: Updated devel/pcre2 to 10.35nb1

(wiz)

pcre2: update to 10.35nb1.

Fix cleanup alloc_chunk() in sljitProtExec for NetBSD using upstream
patch.

(wiz)

time: reorder

(markd)

print: reorder

(markd)

*: reset MAINTAINER for fhajny on his request

(wiz)

Updated security/py-nacl, devel/py-test-cov

(adam)

py-test-cov: updated to 2.9.0

2.9.0:
* Fixed ``RemovedInPytest4Warning`` when using Pytest 3.10.
* Made pytest startup faster when plugin not active by lazy-importing.
* Various CI improvements.
* Various Python support updates (drop EOL 3.4, test against 3.8 final).
* Changed ``--cov-append`` to always enable ``data_suffix`` (a coverage setting).
  Contributed by Harm Geerts in
* Changed ``--cov-append`` to handle loading previous data better
  (fixes various path aliasing issues).
* Various other testing improvements, github issue templates, example updates.
* Fixed internal failures that are caused by tests that change the current working directory by
  ensuring a consistent working directory when coverage is called.

(adam)

py-nacl: updated to 1.4.0

1.4.0:
* Update ``libsodium`` to 1.0.18.
* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
  wheels. Continuing to produce them was a maintenance burden.
* Added support for Python 3.8, and removed support for Python 3.4.
* Add low level bindings for extracting the seed and the public key
  from crypto_sign_ed25519 secret key
* Add low level bindings for deterministic random generation.
* Add ``wheel`` and ``setuptools`` setup_requirements in ``setup.py``
* Fix checks on very slow builders
* Add low-level bindings to ed25519 arithmetic functions
* Update low-level blake2b state implementation
* Fix wrong short-input behavior of SealedBox.decrypt()
* Raise CryptPrefixError exception instead of InvalidkeyError when trying
  to check a password against a verifier stored in a unknown format
* Add support for minimal builds of libsodium. Trying to call functions
  not available in a minimal build will raise an UnavailableError
  exception. To compile a minimal build of the bundled libsodium, set
  the SODIUM_INSTALL_MINIMAL environment variable to any non-empty
  string (e.g. ``SODIUM_INSTALL_MINIMAL=1``) for setup.

(adam)

Updated www/py-meinheld, sysutils/py-supervisor

(adam)

py-supervisor: updated to 4.2.0

4.2.0:

- When ``supervisord`` is run in the foreground, a new ``--silent`` option
  suppresses the main log from being echoed to ``stdout`` as it normally
  would.

- Parsing ``command=`` now supports a new expansion, ``%(numprocs)d``, that
  expands to the value of ``numprocs=`` in the same section.

- Web UI buttons no longer use background images.

- The Web UI now has a link to view ``tail -f stderr`` for a process in
  addition to the existing ``tail -f stdout`` link.  Based on a
  patch by OuroborosCoding.

- The HTTP server will now send an ``X-Accel-Buffering: no`` header in
  logtail responses to fix Nginx proxy buffering.

- When ``supervisord`` reaps an unknown PID, it will now log a description
  of the ``waitpid`` status.

- Fixed a bug introduced in 4.0.3 where ``supervisorctl tail -f foo | grep bar``
  would fail with the error ``NoneType object has no attribute 'lower'``.  This
  only occurred on Python 2.7 and only when piped.

(adam)

py-meinheld: updated to 1.0.2

1.0.2
* Fix: HTTP Request Smuggling

(adam)

doc: Updated net/knot to 2.9.5

(ryoon)

knot: Update to 2.9.5

Changelog:
Monday, May 25, 2020
Bugfixes:
        Old ZSK can be withdrawn too early during a ZSK rollover if maximum zone TTL is computed automatically
        Server responds SERVFAIL to ANY queries on empty non-terminal nodes

Improvements:
        Also module onlinesign returns minimized responses to ANY queries
        Linking against libcap-ng can be disabled via a configure option

(ryoon)

Updated devel/py-modulegraph, devel/py-rope

(adam)

py-rope: updated to 0.17.0

New release 0.17.0:
Make tests compatible with Python 3.8
Use context manager for open()
Don窶冲 use UserDict (!!!) and collections.MutableMapping.
assertEquals has been deprecated for long time (-> assertEqual)
Remove weird escpaing of 's' character, which is the syntax error these days.
Add testing for Python 3.8 as well
Fix pattern for matching short strings
Work with deprecated types and using aliased ones.
Don't use underscored _ast, but use ast instead
Direct import from collections is getting deprecated.
Use .is_alive method instead of a deprecated .isAlive in threading.Thread
Fix simple typo: sitaution -> situation
Two more assertEquals happened.

(adam)

py-modulegraph: updated to 0.18

0.18
* Avoid exception when one of the items on "packages" is not a package
  (modulegraph.find_modules.find_needed_modules)
* ``Modulegraph.foldReferences()`` called the wrong method

(adam)

security/openssh

(sevan)

Update to OpenSSH 8.3

OpenSSH 8.3 was released on 2020-05-27. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
  algorithms have the advantage of using the same key type as
  "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
  supported since OpenSSH 7.2 and are already used by default if the
  client and server support them.

* The ssh-ed25519 signature algorithm. It has been supported in
  OpenSSH since release 6.5.

* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
  have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually. Vendors of devices
that implement the SSH protocol should ensure that they support the
new signature algorithms for RSA keys.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
========

* scp(1): when receiving files, scp(1) could be become desynchronised
  if a utimes(2) system call failed. This could allow file contents
  to be interpreted as file metadata and thereby permit an adversary
  to craft a file system that, when copied with scp(1) in a
  configuration that caused utimes(2) to fail (e.g. under a SELinux
  policy or syscall sandbox), transferred different file names and
  contents to the actual file system layout.

  Exploitation of this is not likely as utimes(2) does not fail under
  normal circumstances. Successful exploitation is not silent - the
  output of scp(1) would show transfer errors followed by the actual
  file(s) that were received.

  Finally, filenames returned from the peer are (since openssh-8.0)
  matched against the user's requested destination, thereby
  disallowing a successful exploit from writing files outside the
  user's selected target glob (or directory, in the case of a
  recursive transfer). This ensures that this attack can achieve no
  more than a hostile peer is already able to achieve within the scp
  protocol.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* sftp(1): reject an argument of "-1" in the same way as ssh(1) and
  scp(1) do instead of accepting and silently ignoring it.

Changes since OpenSSH 8.2
=========================

The focus of this release is bug fixing.

New Features
------------

* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
  rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
  to allow .shosts files but not .rhosts.

* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
  sshd_config, not just before any Match blocks; bz3148

* ssh(1): add %TOKEN percent expansion for the LocalFoward and
  RemoteForward keywords when used for Unix domain socket forwarding.
  bz#3014

* all: allow loading public keys from the unencrypted envelope of a
  private key file if no corresponding public key file is present.

* ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
  possible instead of the (slower) portable C implementation included
  in OpenSSH.

* ssh-keygen(1): add ability to dump the contents of a binary key
  revocation list via "ssh-keygen -lQf /path" bz#3132

Bugfixes
--------

* ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
  a PKCS11Provider; bz#3141

* ssh-keygen(1): avoid NULL dereference when trying to convert an
  invalid RFC4716 private key.

* scp(1): when performing remote-to-remote copies using "scp -3",
  start the second ssh(1) channel with BatchMode=yes enabled to
  avoid confusing and non-deterministic ordering of prompts.

* ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
  perform hashing of the message to be signed in the middleware layer
  rather than in OpenSSH code. This permits the use of security key
  middlewares that perform the hashing implicitly, such as Windows
  Hello.

* ssh(1): fix incorrect error message for "too many known hosts
  files." bz#3149

* ssh(1): make failures when establishing "Tunnel" forwarding
  terminate the connection when ExitOnForwardFailure is enabled;
  bz#3116

* ssh-keygen(1): fix printing of fingerprints on private keys and add
  a regression test for same.

* sshd(8): document order of checking AuthorizedKeysFile (first) and
  AuthorizedKeysCommand (subsequently, if the file doesn't match);
  bz#3134

* sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
  not considered for HostbasedAuthentication when the target user is
  root; bz#3148

* ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
  key parsing (oss-fuzz #20074).

* ssh(1), sshd(8): more consistency between sets of %TOKENS are
  accepted in various configuration options.

* ssh(1), ssh-keygen(1): improve error messages for some common
  PKCS#11 C_Login failure cases; bz#3130

* ssh(1), sshd(8): make error messages for problems during SSH banner
  exchange consistent with other SSH transport-layer error messages
  and ensure they include the relevant IP addresses bz#3129

* various: fix a number of spelling errors in comments and debug/error
  messages

* ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
  from a token, don't prompt for a PIN until the token has told us
  that it needs one. Avoids double-prompting on devices that
  implement on-device authentication.

* sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
  should be an extension, not a critical option.

* ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
  when trying to use a FIDO key function and SecurityKeyProvider is
  empty.

* ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
  the values allowed by the wire format (u32). Prevents integer
  wraparound of the timeout values. bz#3119

* ssh(1): detect and prevent trivial configuration loops when using
    ProxyJump. bz#3057.

Portability
-----------

* Detect systems where signals flagged with SA_RESTART will interrupt
  select(2). POSIX permits implementations to choose whether
  select(2) will return when interrupted with a SA_RESTART-flagged
  signal, but OpenSSH requires interrupting behaviour.

* Several compilation fixes for HP/UX and AIX.

* On platforms that do not support setting process-wide routing
  domains (all excepting OpenBSD at present), fail to accept a
  configuration attempts to set one at process start time rather than
  fatally erroring at run time. bz#3126

* Improve detection of egrep (used in regression tests) on platforms
  that offer a poor default one (e.g. Solaris).

* A number of shell portability fixes for the regression tests.

* Fix theoretical infinite loop in the glob(3) replacement
  implementation.

* Fix seccomp sandbox compilation problems for some Linux
  configurations bz#3085

* Improved detection of libfido2 and some compilation fixes for some
  configurations when --with-security-key-builtin is selected.

OpenSSH 8.2 was released on 2020-02-14. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
  algorithms have the advantage of using the same key type as
  "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
  supported since OpenSSH 7.2 and are already used by default if the
  client and server support them.

* The ssh-ed25519 signature algorithm. It has been supported in
  OpenSSH since release 6.5.

* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
  have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
========

* ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures
  (i.e. the client and server CASignatureAlgorithms option) and will
  use the rsa-sha2-512 signature algorithm by default when the
  ssh-keygen(1) CA signs new certificates.

  Certificates are at special risk to the aforementioned SHA1
  collision vulnerability as an attacker has effectively unlimited
  time in which to craft a collision that yields them a valid
  certificate, far more than the relatively brief LoginGraceTime
  window that they have to forge a host key signature.

  The OpenSSH certificate format includes a CA-specified (typically
  random) nonce value near the start of the certificate that should
  make exploitation of chosen-prefix collisions in this context
  challenging, as the attacker does not have full control over the
  prefix that actually gets signed. Nonetheless, SHA1 is now a
  demonstrably broken algorithm and futher improvements in attacks
  are highly likely.

  OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
  algorithms and will refuse to accept certificates signed by an
  OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is
  explicitly selected during signing ("ssh-keygen -t ssh-rsa").
  Older clients/servers may use another CA key type such as
  ssh-ed25519 (supported since OpenSSH 6.5) or one of the
  ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7)
  instead if they cannot be upgraded.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
  CASignatureAlgorithms list.

* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
  from the default key exchange proposal for both the client and
  server.

* ssh-keygen(1): the command-line options related to the generation
  and screening of safe prime numbers used by the
  diffie-hellman-group-exchange-* key exchange algorithms have
  changed. Most options have been folded under the -O flag.

* sshd(8): the sshd listener process title visible to ps(1) has
  changed to include information about the number of connections that
  are currently attempting authentication and the limits configured
  by MaxStartups.

* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one). It needs to be installed
  in the expected path, typically under /usr/libexec or similar.

Changes since OpenSSH 8.1
=========================

This release contains some significant new features.

FIDO/U2F Support
----------------

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication.  In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly authorise
operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will usually
require the user tap the token to confirm the operation:

  $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  Generating public/private ecdsa-sk key pair.
  You may need to touch your security key to authorize key generation.
  Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
  Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any other
supported key in OpenSSH and may be listed in authorized_keys, added
to ssh-agent(1), etc. The only additional stipulation is that the FIDO
token that the key belongs to must be attached when the key is used.

FIDO tokens are most commonly connected via USB but may be attached
via other means such as Bluetooth or NFC. In OpenSSH, communication
with the token is managed via a middleware library, specified by the
SecurityKeyProvider directive in ssh/sshd_config(5) or the
$SSH_SK_PROVIDER environment variable for ssh-keygen(1) and
ssh-add(1). The API for this middleware is documented in the sk-api.h
and PROTOCOL.u2f files in the source distribution.

OpenSSH includes a middleware ("SecurityKeyProvider=internal") with
support for USB tokens. It is automatically enabled in OpenBSD and may
be enabled in portable OpenSSH via the configure flag
--with-security-key-builtin. If the internal middleware is enabled
then it is automatically used by default. This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. We recommend that packagers of portable
OpenSSH enable the built-in middleware, as it provides the
lowest-friction experience for users.

Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is
less common. Similarly, not all hardware tokens support some of the
optional features such as resident keys.

The protocol-level changes to support FIDO/U2F keys in SSH are
documented in the PROTOCOL.u2f file in the OpenSSH source
distribution.

There are a number of supporting changes to this feature:

* ssh-keygen(1): add a "no-touch-required" option when generating
  FIDO-hosted keys, that disables their default behaviour of
  requiring a physical touch/tap on the token during authentication.
  Note: not all tokens support disabling the touch requirement.

* sshd(8): add a sshd_config PubkeyAuthOptions directive that
  collects miscellaneous public key authentication-related options
  for sshd(8). At present it supports only a single option
  "no-touch-required". This causes sshd to skip its default check for
  FIDO/U2F keys that the signature was authorised by a touch or press
  event on the token hardware.

* ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option
  for authorized_keys and a similar extension for certificates. This
  option disables the default requirement that FIDO key signatures
  attest that the user touched their key to authorize them, mirroring
  the similar PubkeyAuthOptions sshd_config option.

* ssh-keygen(1): add support for the writing the FIDO attestation
  information that is returned when new keys are generated via the
  "-O write-attestation=/path" option. FIDO attestation certificates
  may be used to verify that a FIDO key is hosted in trusted
  hardware. OpenSSH does not currently make use of this information,
  beyond optionally writing it to disk.

FIDO2 resident keys
-------------------

FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
in the private key file on disk, and a per-device private key that is
unique to each FIDO/U2F token and that cannot be exported from the
token hardware. These are combined by the hardware at authentication
time to derive the real key that is used to sign authentication
challenges.

For tokens that are required to move between computers, it can be
cumbersome to have to move the private key file first. To avoid this
requirement, tokens implementing the newer FIDO2 standard support
"resident keys", where it is possible to effectively retrieve the key
handle part of the key from the hardware.

OpenSSH supports this feature, allowing resident keys to be generated
using the ssh-keygen(1) "-O resident" flag. This will produce a
public/private key pair as usual, but it will be possible to retrieve
the private key part from the token later. This may be done using
"ssh-keygen -K", which will download all available resident keys from
the tokens attached to the host and write public/private key files
for them. It is also possible to download and add resident keys
directly to ssh-agent(1) without writing files to the file-system
using "ssh-add -K".

Resident keys are indexed on the token by the application string and
user ID. By default, OpenSSH uses an application string of "ssh:" and
an empty user ID. If multiple resident keys on a single token are
desired then it may be necessary to override one or both of these
defaults using the ssh-keygen(1) "-O application=" or "-O user="
options. Note: OpenSSH will only download and use resident keys whose
application string begins with "ssh:"

Storing both parts of a key on a FIDO token increases the likelihood
of an attacker being able to use a stolen token device. For this
reason, tokens should enforce PIN authentication before allowing
download of keys, and users should set a PIN on their tokens before
creating any resident keys.

Other New Features
------------------

* sshd(8): add an Include sshd_config keyword that allows including
  additional configuration files via glob(3) patterns. bz2468

* ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
  via the IPQoS directive; bz2986,

* ssh(1): when AddKeysToAgent=yes is set and the key contains no
  comment, add the key to the agent with the key's path as the
  comment. bz2564

* ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
  subjects as key comments, rather than simply listing the PKCS#11
  provider library path. PR138

* ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091

* ssh(1), sshd(8): make zlib compile-time optional, available via the
  Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
  option for OpenSSH portable.

* sshd(8): when clients get denied by MaxStartups, send a
  notification prior to the SSH2 protocol banner according to
  RFC4253 section 4.2.

* ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
  program, pass a hint to the program to describe the type of
  desired prompt.  The possible values are "confirm" (indicating
  that a yes/no confirmation dialog with no text entry should be
  shown), "none" (to indicate an informational message only), or
  blank for the original ssh-askpass behaviour of requesting a
  password/phrase.

* ssh(1): allow forwarding a different agent socket to the path
  specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
  option to accepting an explicit path or the name of an environment
  variable in addition to yes/no.

* ssh-keygen(1): add a new signature operations "find-principals" to
  look up the principal associated with a signature from an allowed-
  signers file.

* sshd(8): expose the number of currently-authenticating connections
  along with the MaxStartups limit in the process title visible to
  "ps".

Bugfixes
--------

* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
  will now disable connection killing entirely rather than the
  current behaviour of instantly killing the connection after the
  first liveness test regardless of success. bz2627

* sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
  DenyGroups in the sshd(8) manual page. bz1690

* sshd(8): better describe HashKnownHosts in the manual page. bz2560

* sshd(8): clarify that that permitopen=/PermitOpen do no name or
  address translation in the manual page. bz3099

* sshd(8): allow the UpdateHostKeys feature to function when
  multiple known_hosts files are in use. When updating host keys,
  ssh will now search subsequent known_hosts files, but will add
  updated host keys to the first specified file only. bz2738

* All: replace all calls to signal(2) with a wrapper around
  sigaction(2). This wrapper blocks all other signals during the
  handler preventing races between handlers, and sets SA_RESTART
  which should reduce the potential for short read/write operations.

* sftp(1): fix a race condition in the SIGCHILD handler that could
  turn in to a kill(-1); bz3084

* sshd(8): fix a case where valid (but extremely large) SSH channel
  IDs were being incorrectly rejected. bz3098

* ssh(1): when checking host key fingerprints as answers to new
  hostkey prompts, ignore whitespace surrounding the fingerprint
  itself.

* All: wait for file descriptors to be readable or writeable during
  non-blocking connect, not just readable. Prevents a timeout when
  the server doesn't immediately send a banner (e.g. multiplexers
  like sslh)

* sshd_config(5): document the sntrup4591761x25519-sha512@tinyssh.org
  key exchange algorithm. PR#151

Portability
-----------

* sshd(8): multiple adjustments to the Linux seccomp sandbox:
  - Non-fatally deny IPC syscalls in sandbox
  - Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31)
  - Allow clock_nanosleep_time64 in sandbox (ARM) bz3100
  - Allow clock_nanosleep() in sandbox (recent glibc) bz3093

* Explicit check for memmem declaration and fix up declaration if the
  system headers lack it. bz3102

OpenSSH 8.1 was released on 2019-10-09. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Security
========

* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
  overflow bug was found in the private key parsing code for the XMSS
  key type. This key type is still experimental and support for it is
  not compiled by default. No user-facing autoconf option exists in
  portable OpenSSH to enable it. This bug was found by Adam Zabrocki
  and reported via SecuriTeam's SSD program.

* ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
  rest in RAM against speculation and memory side-channel attacks like
  Spectre, Meltdown and Rambleed. This release encrypts private keys
  when they are not in use with a symmetric key that is derived from a
  relatively large "prekey" consisting of random data (currently 16KB).

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

* ssh-keygen(1): when acting as a CA and signing certificates with
  an RSA key, default to using the rsa-sha2-512 signature algorithm.
  Certificates signed by RSA keys will therefore be incompatible
  with OpenSSH versions prior to 7.2 unless the default is
  overridden (using "ssh-keygen -t ssh-rsa -s ...").

Changes since OpenSSH 8.0
=========================

This release is focused on bug-fixing.

New Features
------------

* ssh(1): Allow %n to be expanded in ProxyCommand strings

* ssh(1), sshd(8): Allow prepending a list of algorithms to the
  default set by starting the list with the '^' character, E.g.
  "HostKeyAlgorithms ^ssh-ed25519"

* ssh-keygen(1): add an experimental lightweight signature and
  verification ability. Signatures may be made using regular ssh keys
  held on disk or stored in a ssh-agent and verified against an
  authorized_keys-like list of allowed keys. Signatures embed a
  namespace that prevents confusion and attacks between different
  usage domains (e.g. files vs email).

* ssh-keygen(1): print key comment when extracting public key from a
  private key.  bz#3052

* ssh-keygen(1): accept the verbose flag when searching for host keys
  in known hosts (i.e. "ssh-keygen -vF host") to print the matching
  host's random-art signature too. bz#3003

* All: support PKCS8 as an optional format for storage of private
  keys to disk.  The OpenSSH native key format remains the default,
  but PKCS8 is a superior format to PEM if interoperability with
  non-OpenSSH software is required, as it may use a less insecure
  key derivation function than PEM's.

Bugfixes
--------

* ssh(1): if a PKCS#11 token returns no keys then try to login and
  refetch them. Based on patch from Jakub Jelen; bz#2430

* ssh(1): produce a useful error message if the user's shell is set
  incorrectly during "match exec" processing. bz#2791

* sftp(1): allow the maximum uint32 value for the argument passed
  to -b which allows better error messages from later validation.
  bz#3050

* ssh(1): avoid pledge sandbox violations in some combinations of
  remote forwarding, connection multiplexing and ControlMaster.

* ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX
  proposal; allows ssh-keyscan to harvest keys from servers that
  disable old SHA1 ssh-rsa. bz#3029

* sftp(1): print explicit "not modified" message if a file was
  requested for resumed download but was considered already complete.
  bz#2978

* sftp(1): fix a typo and make <esc><right> move right to the
  closest end of a word just like <esc><left> moves left to the
  closest beginning of a word.

* sshd(8): cap the number of permitopen/permitlisten directives
  allowed to appear on a single authorized_keys line.

* All: fix a number of memory leaks (one-off or on exit paths).

* Regression tests: a number of fixes and improvements, including
  fixes to the interop tests, adding the ability to run most tests
  on builds that disable OpenSSL support, better support for running
  tests under Valgrind and a number of bug-fixes.

* ssh(1), sshd(8): check for convtime() refusing to accept times that
  resolve to LONG_MAX Reported by Kirk Wolf bz2977

* ssh(1): slightly more instructive error message when the user
  specifies multiple -J options on the command-line. bz3015

* ssh-agent(1): process agent requests for RSA certificate private
  keys using correct signature algorithm when requested. bz3016

* sftp(1): check for user@host when parsing sftp target. This
  allows user@[1.2.3.4] to work without a path.  bz#2999

* sshd(8): enlarge format buffer size for certificate serial
  number so the log message can record any 64-bit integer without
  truncation. bz#3012

* sshd(8): for PermitOpen violations add the remote host and port to
  be able to more easily ascertain the source of the request. Add the
  same logging for PermitListen violations which where not previously
  logged at all.

* scp(1), sftp(1): use the correct POSIX format style for left
  justification for the transfer progress meter. bz#3002

* sshd(8) when examining a configuration using sshd -T, assume any
  attribute not provided by -C does not match, which allows it to work
  when sshd_config contains a Match directive with or without -C.
  bz#2858

* ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned no
  slots" warning from log level error to debug. This is common when
  attempting to enumerate keys on smartcard readers with no cards
  plugged in. bz#3058

* ssh(1), ssh-keygen(1): do not unconditionally log in to PKCS#11
  tokens. Avoids spurious PIN prompts for keys not selected for
  authentication in ssh(1) and when listing public keys available in
  a token using ssh-keygen(1). bz#3006

Portability
-----------

* ssh(1): fix SIGWINCH delivery of Solaris for multiplexed sessions
  bz#3030

* ssh(1), sshd(8): fix typo that prevented detection of Linux VRF

* sshd(8): add no-op implementation of pam_putenv to avoid build
  breakage on platforms where the PAM implementation lacks this
  function (e.g. HP-UX). bz#3008

* sftp-server(8): fix Solaris privilege sandbox from preventing
  the legacy sftp rename operation from working (was refusing to
  allow hard links to files owned by other users). bz#3036

* All: add a proc_pidinfo()-based closefrom() for OS X to avoid
  the need to brute-force close all high-numbered file descriptors.
  bz#3049

* sshd(8): in the Linux seccomp-bpf sandbox, allow mprotect(2) with
  PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened
  heap allocators. Github PR#142

* sshd(8): in the Linux seccomp-bpf sandbox, allow the s390-specific
  ioctl for ECC hardware support.

* All: use "doc" man page format if the mandoc(1) tool is present on
  the system. Previously configure would not select the "doc" man
  page format if mandoc was present but nroff was not.

* sshd(8): don't install duplicate STREAMS modules on Solaris; check
  if STREAMS modules are already installed on a pty before installing
  since when compiling with XPG>=4 they will likely be installed
  already. Prevents hangs and duplicate lines on the terminal.
  bz#2945 and bz#2998,

(sevan)

Updated sysutils/py-crontab, www/py-beautifulsoup4

(adam)

py-beautifulsoup4: updated to 4.9.1

4.9.1:

* Added a keyword argument 'on_duplicate_attribute' to the
  BeautifulSoupHTMLParser constructor (used by the html.parser tree
  builder) which lets you customize the handling of markup that
  contains the same attribute more than once, as in:
  <a href="url1" href="url2">

* Added a distinct subclass, GuessedAtParserWarning, for the warning
  issued when BeautifulSoup is instantiated without a parser being
  specified.

* Added a distinct subclass, MarkupResemblesLocatorWarning, for the
  warning issued when BeautifulSoup is instantiated with 'markup' that
  actually seems to be a URL or the path to a file on
  disk.

* The new NavigableString subclasses (Stylesheet, Script, and
  TemplateString) can now be imported directly from the bs4 package.

* If you encode a document with a Python-specific encoding like
  'unicode_escape', that encoding is no longer mentioned in the final
  XML or HTML document. Instead, encoding information is omitted or
  left blank.

* Fixed test failures when run against soupselect 2.0.

(adam)

py-crontab: updated to 2.5.1

2.5.1:
Bug fixes

(adam)

Updated lang/py-six, net/py-botocore, net/py-boto3, net/py-awscli

(adam)

py-awscli: updated to 1.18.67

1.18.67
api-change:quicksight: Update quicksight command to latest version
api-change:macie: Update macie command to latest version
api-change:elasticache: Update elasticache command to latest version
api-change:ec2: Update ec2 command to latest version
api-change:dlm: Update dlm command to latest version
api-change:ssm: Update ssm command to latest version

1.18.66
api-change:iotsitewise: Update iotsitewise command to latest version
api-change:autoscaling: Update autoscaling command to latest version

1.18.65
api-change:codebuild: Update codebuild command to latest version
api-change:s3: Update s3 command to latest version
api-change:ec2: Update ec2 command to latest version
api-change:synthetics: Update synthetics command to latest version

1.18.64
api-change:codedeploy: Update codedeploy command to latest version
api-change:securityhub: Update securityhub command to latest version
api-change:chime: Update chime command to latest version
api-change:medialive: Update medialive command to latest version
api-change:backup: Update backup command to latest version
api-change:application-autoscaling: Update application-autoscaling command to latest version
api-change:appmesh: Update appmesh command to latest version

1.18.63
api-change:health: Update health command to latest version
bugfix:s3: Mute warnings for not restored glacier deep archive objects if --ignore-glacier-warnings option enabled. Fixes #4039
api-change:transcribe: Update transcribe command to latest version
api-change:ec2: Update ec2 command to latest version
api-change:chime: Update chime command to latest version

1.18.62
api-change:qldb: Update qldb command to latest version
api-change:ecs: Update ecs command to latest version
api-change:dynamodb: Update dynamodb command to latest version
api-change:macie2: Update macie2 command to latest version
api-change:chime: Update chime command to latest version
api-change:ec2: Update ec2 command to latest version

1.18.61
api-change:ecr: Update ecr command to latest version
api-change:glue: Update glue command to latest version
api-change:cloudformation: Update cloudformation command to latest version
api-change:sts: Update sts command to latest version

1.18.60
api-change:imagebuilder: Update imagebuilder command to latest version
api-change:ec2: Update ec2 command to latest version

1.18.59
api-change:elasticache: Update elasticache command to latest version
api-change:macie2: Update macie2 command to latest version

1.18.58
api-change:iotsitewise: Update iotsitewise command to latest version
api-change:workmail: Update workmail command to latest version

(adam)

py-boto3: updated to 1.13.17

1.13.17
api-change:elasticache: [botocore] Update elasticache client to latest version
api-change:dlm: [botocore] Update dlm client to latest version
api-change:quicksight: [botocore] Update quicksight client to latest version
api-change:ssm: [botocore] Update ssm client to latest version
api-change:ec2: [botocore] Update ec2 client to latest version
api-change:macie: [botocore] Update macie client to latest version

1.13.16
api-change:autoscaling: [botocore] Update autoscaling client to latest version
api-change:iotsitewise: [botocore] Update iotsitewise client to latest version

1.13.15
api-change:synthetics: [botocore] Update synthetics client to latest version
api-change:codebuild: [botocore] Update codebuild client to latest version
api-change:s3: [botocore] Update s3 client to latest version
api-change:ec2: [botocore] Update ec2 client to latest version

1.13.14
api-change:backup: [botocore] Update backup client to latest version
api-change:codedeploy: [botocore] Update codedeploy client to latest version
api-change:securityhub: [botocore] Update securityhub client to latest version
api-change:chime: [botocore] Update chime client to latest version
api-change:medialive: [botocore] Update medialive client to latest version
api-change:application-autoscaling: [botocore] Update application-autoscaling client to latest version
api-change:appmesh: [botocore] Update appmesh client to latest version

1.13.13
api-change:transcribe: [botocore] Update transcribe client to latest version
api-change:ec2: [botocore] Update ec2 client to latest version
api-change:health: [botocore] Update health client to latest version
api-change:chime: [botocore] Update chime client to latest version

1.13.12
api-change:chime: [botocore] Update chime client to latest version
api-change:qldb: [botocore] Update qldb client to latest version
api-change:ec2: [botocore] Update ec2 client to latest version
api-change:ecs: [botocore] Update ecs client to latest version
api-change:dynamodb: [botocore] Update dynamodb client to latest version
api-change:macie2: [botocore] Update macie2 client to latest version

1.13.11
api-change:sts: [botocore] Update sts client to latest version
api-change:ecr: [botocore] Update ecr client to latest version
api-change:glue: [botocore] Update glue client to latest version
api-change:cloudformation: [botocore] Update cloudformation client to latest version

1.13.10
api-change:ec2: [botocore] Update ec2 client to latest version
api-change:imagebuilder: [botocore] Update imagebuilder client to latest version

1.13.9
api-change:elasticache: [botocore] Update elasticache client to latest version
api-change:macie2: [botocore] Update macie2 client to latest version

1.13.8
api-change:workmail: [botocore] Update workmail client to latest version
api-change:iotsitewise: [botocore] Update iotsitewise client to latest version
enchancement:Endpoints: [botocore] Improved endpoint resolution for clients with unknown regions

(adam)

py-botocore: updated to 1.16.17

1.16.17
api-change:elasticache: Update elasticache client to latest version
api-change:dlm: Update dlm client to latest version
api-change:quicksight: Update quicksight client to latest version
api-change:ssm: Update ssm client to latest version
api-change:ec2: Update ec2 client to latest version
api-change:macie: Update macie client to latest version

1.16.16
api-change:autoscaling: Update autoscaling client to latest version
api-change:iotsitewise: Update iotsitewise client to latest version

1.16.15
api-change:synthetics: Update synthetics client to latest version
api-change:codebuild: Update codebuild client to latest version
api-change:s3: Update s3 client to latest version
api-change:ec2: Update ec2 client to latest version

1.16.14
api-change:backup: Update backup client to latest version
api-change:codedeploy: Update codedeploy client to latest version
api-change:securityhub: Update securityhub client to latest version
api-change:chime: Update chime client to latest version
api-change:medialive: Update medialive client to latest version
api-change:application-autoscaling: Update application-autoscaling client to latest version
api-change:appmesh: Update appmesh client to latest version

1.16.13
api-change:transcribe: Update transcribe client to latest version
api-change:ec2: Update ec2 client to latest version
api-change:health: Update health client to latest version
api-change:chime: Update chime client to latest version

1.16.12
api-change:chime: Update chime client to latest version
api-change:qldb: Update qldb client to latest version
api-change:ec2: Update ec2 client to latest version
api-change:ecs: Update ecs client to latest version
api-change:dynamodb: Update dynamodb client to latest version
api-change:macie2: Update macie2 client to latest version

1.16.11
api-change:sts: Update sts client to latest version
api-change:ecr: Update ecr client to latest version
api-change:glue: Update glue client to latest version
api-change:cloudformation: Update cloudformation client to latest version

1.16.10
api-change:ec2: Update ec2 client to latest version
api-change:imagebuilder: Update imagebuilder client to latest version

1.16.9
api-change:elasticache: Update elasticache client to latest version
api-change:macie2: Update macie2 client to latest version

1.16.8
api-change:workmail: Update workmail client to latest version
api-change:iotsitewise: Update iotsitewise client to latest version
enchancement:Endpoints: Improved endpoint resolution for clients with unknown regions

(adam)

py-six: updated to 1.15.0

1.15.0:
Optimize `six.ensure_str` and `six.ensure_binary`.

(adam)

doc: Updated mail/thunderbird-l10n to 68.8.1

(ryoon)

thunderbird-l10n: Update to 68.8.1

* Sync with mail/thunderbird-68.8.1.

(ryoon)

doc: Updated mail/thunderbird to 68.8.1

(ryoon)

thunderbird: Update to 68.8.1

Changelog:
Fixes:
fixed IMAP stability improvements
fixed HTML tags in IRC topic changes were rendered incorrectly
fixed MailExtensions: Websockets could not be used

(ryoon)

syncthing-gtk: Overhaul SUBST of /usr paths

This had a SUBST block to fix /usr/share to ${PREFIX}/share.  It was
doing this to files where the pattern didn't match, and also missed
fixin up /usr/bin.  Split into a bin and a share SUBST, and loosen the
regexp (specifically, to match /syncthing rather than just
/syncthing-gtk).  Tested to basically work on NetBSD 8.  Desktop files
etc. appear much better than before.

(Found by newish SUBST noop check.)

(gdt)

Updated net/py-zeroconf, databases/py-pypika

(adam)

py-pypika: updated to 0.37.7

0.37.7:
Bug fixes

(adam)

py-zeroconf: updated to 0.26.3

0.26.3
Improved readability of logged incoming data.
Threads are given unique names now to aid debugging.
Fixed a regression where get_service_info() called within a listener add_service method would deadlock, timeout and incorrectly return None.

(adam)

cups-base: Fix a wrong copypasta.

Thanks to leot@ for kindly reporting the problem.

(triaxx)

py-ldapdomaindump: add ALTERNATIVES

(adam)