ok henning@

ok henning@

ok deraadt@ guenther@

ok deraadt@

very rarely if ever needed any more. we should not trick people into
thinking they are impoving sth doing so, it's rather the opposite
these days.
ok claudio

carp, rpc or nfs traffic in the initial ruleset active during network
startup for a short time (or a much longer time if /etc/pf.conf is
screwed up). ok phessler

"commit the switch now" espie@  "go for it" deraadt@
See the apropos(1) manual for a description of what's new.
On machines where you want the full functionality,
run "sudo makewhatis" and put "MAKEWHATISARGS=' '" into weekly.local(8).
Otherwise, when upgrading via source, run "sudo makewhatis -Q".

as configuration files; split manpages and .pc files between libcrypto and
libssl.
No functional change, only there to make engineering easier, and libcrypto
sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.

in the install media. Reported by Donovan Watteau

executable and will not serve any purpose with smtpd by default
ok jmc@ tedu@

ok deraadt millert

ok florian@ jung@ sthen@

opens the log before chrooting, but this handles the case where syslogd is
restarted during Unbound's runtime.

iterator" by default.  Pointed out by Patrik Lundin.

ok jung@ stephan@
tweaks and ok sthen@

and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.

such a manpage does not currently exist. Requested by jmc@

increase root to 9(+1).
ok deraadt (and a thank you to miod for helping to reduce the set of
architectures harmed by this)

this hardware alive is becoming increasingly difficult, and I should heed the
message sent by the three disks which have died on me over the last few days.
Noone sane will mourn these ports anyway. So long, and thanks for the fish.

disallow them itself. ok deraadt@ millert@, gsoares@ and aja@ like it too.
("nobody" still needs to be listed).

tree results in one-true-ppp not coming into existance.  This code is
essentially un-audited and quite dangerous.
ok claudio sthen

Add a log socket in /var/www/dev/log if nginx is enabled, it is needed as
the openlog() call is done after chrooting.
ok brad@ florian@ deraadt@

to the port list in net.inet.tcp.baddynamic. Service name taken from IANA
service-names-port-numbers.txt.
If anyone's interested in adding AF_UNIX support for comms between unbound
and unbound-control, that would very welcome.
OK brad@ deraadt@

OK krw@, gilles@, lteo@, tedu@, todd@, benno@, sthen@
"The time is right." and much help getting the show on
the road deraadt@

ok todd

ok deraadt gilles todd

No.
Well, then tell them to stay out of the way.
ok deraadt