workarounds.  Some of them will soon stand in the way of armv7.
Off to the attic you go.

ok jung@ (some time ago) phessler@

ok deraadt@

pseudo-interfaces.
This unbreak vlan(4) on top of tap(4) since the refactoring to turn it
MP-safe.
ok claudio@, deraadt@

changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@

Found by Frank Scheiner, thanks for reporting this.
OK krw, halex
'cool' deraadt

with a little help from jmc@ for the man page bits
ok jca@  and a reluctant tedu@

ok kettenis@ deraadt@ jasper@

In the event of a failure in _rs_allocate for rsx, we still have a reference to
freed memory for rs on return. Not a huge deal since we subsequently abort in
_rs_init, but it looks strange on its own.
ok deraadt@

For Windows, we are simply using calloc, which has two annoyances:
the memory has more permissions than needed by default, and it comes
from the process heap, which looks like a memory leak since this memory
is rightfully never freed.
This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the
memory to READ|WRITE and keeps the memory out of the process heap.
ok deraadt@

chunk rnd), rm P: is default

double unmap and I experienced a much more unstable firefox.
discussed with otto on icb

expensive syscall, and we don't want to tie up other threads. there's no
need to hold the lock, so defer it to afterwards.
from Michael McConville
ok deraadt

for login.conf, and we don't want to go lower.

already does this, so we don't want to go backwards on password changes.
ok krw

for example, were removed in 2013 because they don't make sense in ldpd.
ok deraadt

filters (AS, peer-as, source-as, transit-as).
Add a use case (block illegal AS numbers) to the bgpd.conf example.
feedback from claudio, sthen, florian,
ok florian@ phessler@

Point at wikipedia's list of blacklists instead, some are DNS-only but there
are a few rsyncable ones in there (including a good commercial one and some
free ones).

frequently for my taste, and disk is cheap.
ok deraadt millert

became more visible recently because a log_debug was changed to
log_warnx.  Change it back for now.
ok jsing

ok tedu@

a rant Theo wrote 24 years ago.  Mark __ypexclude_{add,is,free}() as hidden
"get off my lawn!" deraadt@

ok natano@ millert@ deraadt@

- run commands in subshell only if mktemp is successful
- on error just leave the for-loop but set _error=true
- cleanup tmpdirs afterwards
- set _error=true if the ro remount fails
- print appropriate final message depending on $_error
positive feedback from deraadt
OK krw

are left for now but umg files are no longer built when building
releases.

OK deraadt

OK sthen, deraadt

in some cases.  Be consistent and use "dst" everywhere like for
strlcat(3) and strncat(3).  From Tim Kuijsten.

- move the info message inside the function
- skip reordering if /usr/lib is on a nfs mounted filesystem
- temporarily remount rw if /usr/lib is on a ro ffs file-system
OK deraadt

longjmp performs can't really be relied upon, even after we got rid of the
false positives...
ok millert@ deraadt@

ok millert@ deraadt@

OK deraadt

available wide open.  there should be some access model either via a
group or fbtab.  This will cause a decision to be made.
ok millert