./security/gnutls, Transport Layer Security library


Branch: CURRENT, Version: 3.8.11nb2, Package name: gnutls-3.8.11nb2, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.


Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/mozilla-rootcerts] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:
[pkgtools/cwrappers]

Package options: pkcs11

Filesize: 6777.289 KB


CVS history:


   2026-01-11 20:12:01 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: disable GNUTLS_GAS_VERSION check for NetBSD

This was added in 2020 for CentOS 6. This test never worked on NetBSD
because the version number looks different there ($4 is always
"Binutils").

Perhaps this should be limited to Linux instead.

Avoids a fork during Makefile parsing.
   2026-01-07 09:49:50 by Thomas Klausner | Files touched by this commit (2525)
Log message:
*: recursive bump for icu 78.1
   2025-11-21 17:44:57 by Emmanuel Dreyfus | Files touched by this commit (2)
Log message:
Two patches for Build fix. Approved by wiz@

cvs add forgotten in previous commit
   2025-11-21 17:44:13 by Emmanuel Dreyfus | Files touched by this commit (2)
Log message:
Two patches for Build fix. Approved by wiz@
   2025-11-20 21:55:29 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
gnutls: update to 3.8.11.

* Version 3.8.11 (released 2025-11-18)

** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
   Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
   CVSS: low] [CVE-2025-9820]

** libgnutls: MAC algorithms for PSK binders are now configurable
   The previous implementation assumed HMAC-SHA256 to calculate the
   PSK binders. With the new gnutls_psk_allocate_client_credentials2()
   and gnutls_psk_allocate_server_credentials2() functions, the
   application can use other MAC algorithms such as HMAC-SHA384.

** libgnutls: Expose a new function to provide the maximum record send size
   A new function gnutls_record_get_max_send_size() has been added to
   determine the maximum size of a TLS record to be sent to the peer.

** libgnutls: Expose a new function to update keys without sending a KeyUpdate
   to the peer. A new function gnutls_handshake_update_receiving_key()
   has been added to allow updating the local receiving key without
   sending any KeyUpdate messages.

** libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
   instead of a module path. To allow using a PKCS#11 module exposing
   multiple tokens, the "path" configuration keyword was replaced with
   the "url" keyword.

** libgnutls: Support crypto-auditing probe points
   crypto-auditing is a project to monitor which cryptographic
   operations are taking place in the library at run time, through
   eBPF. This adds necessary probe points for that, in public key
   cryptography and the TLS use-case. To enable this, run configure
   with --enable-crypto-auditing.

** build: The minimum version of Nettle has been updated to 3.10
   Given Nettle 3.10 is ABI compatible with 3.6 and includes several
   security relevant fixes, the library's minimum requirement of
   Nettle is updated to 3.10.

** build: The default priority file path is now constructed from sysconfdir
   Previously, the location of the default priority file was
   hard-coded to be /etc/gnutls/config. Now it takes into account
   the --sysconfdir option given to the configure script.
   2025-07-09 13:55:37 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
gnutls: updated to 3.8.10

Version 3.8.10 (released 2025-07-08)

** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
   Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
   [CVE-2025-6395]

** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
   CVSS: medium] [CVE-2025-32989]

** libgnutls: Fix double-free upon error when exporting otherName in SAN
   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
   CVSS: low] [CVE-2025-32988]

** certtool: Fix 1-byte write buffer overrun when parsing template
   Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
   CVSS: low] [CVE-2025-32990]

** libgnutls: PKCS#11 modules can now be used to override the default
   cryptographic backend. Use the [provider] section in the system-wide config
   to specify path and pin to the module (see system-wide config Documentation).

** libgnutls: Linux kernel version 6.14 brings Kernel TLS (kTLS) key update
   support. The library running on the aforementioned version now utilizes the
   kernel's key update mechanism when kTLS is enabled, allowing an uninterrupted
   TLS session. The --enable-ktls configure option as well as the system-wide
   kTLS configuration (see GnuTLS Documentation) are still required to enable
   this feature.

** libgnutls: liboqs support for PQC has been removed
   For maintenance purposes, support for post-quantum cryptography
   (PQC) is now only provided through leancrypto. The experimental key
   exchange algorithm, X25519Kyber768Draft00, which is based on the
   round 3 candidate of Kyber and only supported through liboqs has
   also been removed altogether.

** libgnutls: TLS certificate compression methods can now be set with
   cert-compression-alg configuration option in the gnutls priority file.

** libgnutls: All variants of ML-DSA private key formats are supported
   While the previous implementation of ML-DSA was based on
   draft-ietf-lamps-dilithium-certificates-04, this updates it to
   draft-ietf-lamps-dilithium-certificates-12 with support for all 3
   variants of private key formats: "seed", "expandedKey", and "both".

** libgnutls: ML-DSA signatures can now be used in TLS
   The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
   ML-DSA-87, can now be used to digitally sign TLS handshake
   messages.

** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
   2025-04-17 23:53:13 by Thomas Klausner | Files touched by this commit (2449)
Log message:
*: recursive bump for icu 77 and libxml2 2.14
   2025-03-03 22:32:28 by Nia Alarie | Files touched by this commit (12)
Log message:
mk: Introduce and use MASTER_SITE_GNUPG

Various packages around the tree use a different variant
of MASTER_SITES to access various GnuPG mirrors, let's just
centralize them in one location.

While here, fix some lint warnings.