/dev/null.  copy the code from the ntp engine.

are the errno messages and signal names.  Everything else is in
English.  We are not planning to translate more text.  Running a
mixed system with less than 1% of the text in native language makes
no sense.  So remove the NLS support from libc messages.  The
catopen(3) functions stay as they are.
OK stsp@ mpi@

wrappers.  To keep uses from crawling back in, mark signal() as
deprecated inside libc.
ok deraadt@

and pwd_gensalt.c - so remove it from the default /etc/login.conf files as well.
ok millert@

and coping with error conditions... that lets us avoid a pledge "wpath".
Putting it all together, this lets the master ntpd pledge "stdio rpath
inet settime proc id".  It works like this: "rpath" to load the
certificates, "proc" to create constraint processes, "id" to chroot
and lock the constraint processes into a jail, then "inet" to open a
https session.  "settime" is used by the master to manage the system
time when the ntp-speaking engine instructs the master.
with help from naddy

OK dlg@ mpi@

non-sensical.  The dns lookups happened in the process routing table
(usually '0'), which is very likely to have different results from the
other routing domains.  If you do depend on having this behaviour,
you'll need to use pf to cross the rtable boundary.
"listen on * rtable X" is still supported.
Users of "server * rtable X" will need to switch to launching ntpd with
"route -T X exec /usr/sbin/ntpd"
OK deraadt@

SIGINT and SIGQUIT with sigaction() instead of signal() so that all bits
are preserved.
ok deraadt@ millert@

into libc, and move pthread_sigmask() as well (just a trivial wrapper).
This provides consistent handling of SIGTHR between single- and multi-threaded
programs and is a step in the merge of all the libpthread overloads, providing
some ASM and Makefile bits that the other wrappers will need.
ok deraadt@ millert@

ok renato@

OpenSSH requires a 2048 minimum for DH in the client and server.
input and ok sthen@
ok dtucker@, djm@

Move the one useful bit of information contained in the file ("one
user name per line") to the ftpd(8) manual page where it belongs.
OK deraadt@ sthen@

utctime and gentime wrappers accordingly. Along with some other cleanup.
this also removes the need for timegm.
ok bcook@ sthen@ jsing@

OK krw@ halex@

ok aja

and eliminate the now superfluous -D option
ok kettenis@ millert@

ok schwarze@

The file format is so simple that no example is needed.
All relevant documentation is already available
from the proper place, which is the lpd(8) manual.
Consequently, delete the empty file.
OK millert@ dcoppa@ beck@ deraadt@

ok millert

the truncation check immediately following it was not updated to
match.  Not an issue in practice since the buffers are the same
size.  OK deraadt@

This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent.  The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@

types of functions (perhaps required by 'stdio' or 'libevent' will not
become available unless DNS suceeds.  Replace it with "stdio dns".

ok gilles@

including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine.  That would increase accuracy and security.
Lots of conversations with reyk and bcook

"stdio inet".  It took weeks to get to this point...

ok deraadt@

that's the case after kernel code got fixed to handle inet6 for dns...

since that is all it will do till termination.

in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing
together in one function that converts into a struct tm. While we are at it this
also brings us into conformance with RFC 5280 for times allowed in an X509 cert,
as OpenSSL is very liberal with what it allows.
input and fixes from deraadt@ jsing@ guethther@ and others.
ok krw@, guenther@, jsing@

case, by deleting some useless '& of an array' we also eliminate the need
for the casts which prompted the original lint warnings
ok deraadt@

- verify that kbd is executable and kbdtype is not empty
- use safer 'print --' to pipe the initial pf ruleset to pfctl
- simplify the ipsecctl if-block
Feedback and OK halex@
OK krw@

ok florian@ rpe@

Userland should get these from /usr/X11R6/include/libdrm.
ok deraadt@ (and suggested by jsg@)

ok millert@

OK semarie@