libcbor: update to 0.13.0

Update to version 0.13.0 that provides compatibility with cmake 4.0.
(new cmake version require at least cmake 3.5 requirement declared
in CMakeLists.txt)

* remove the temporary patch for CMakeLists.txt

Signed-off-by: Hannu Nyman <[email protected]>

python-urllib3: update to 2.5.0

Changelogs can be found in https://github.com/urllib3/urllib3/releases.

Signed-off-by: Wei-Ting Yang <[email protected]>

python-packaging: update to 25.0

Changelogs can be found in https://github.com/pypa/packaging/releases.

Signed-off-by: Wei-Ting Yang <[email protected]>

syncthing: bump to 2.0.10

Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.10
Signed-off-by: George Sapkin <[email protected]>

gitlab-runner: drop unmaintained package here

Unfortunately, this package has not been well maintained since 2021,
when Jan left CZ.NIC. Its usage on OpenWrt devices is limited.

It is a very specific package,
and I believe there will not be enough users
 to maintain it, as no one from the community has stepped up to update it.

Running it on a dedicated server makes sense, but on OpenWrt?
Maybe only on x86_64 and aarch64 devices, as they are significantly more powerful.

Signed-off-by: Josef Schlehofer <[email protected]>

elektra: drop package

libelektra [1] was archived on 16th February 2025.
The latest release was in 2023.

In https://github.com/openwrt/packages/pull/24775#issuecomment-2285683663
it was suggested to drop this package. So, lets drop it

[1] https://github.com/ElektraInitiative/libelektra

Signed-off-by: Josef Schlehofer <[email protected]>

netbird: update to 0.58.2

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.58.2

Signed-off-by: Wesley Gimenes <[email protected]>

telegraf: update to 1.36.2

- Update Telegraf to v1.36.2
- Remove HOME environment variable in service file

Signed-off-by: Niklas Thorild <[email protected]>

syslog-ng: update to version 4.10.1

Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.1

Signed-off-by: Josef Schlehofer <[email protected]>

apache: update to version 2.4.65

Fixes CVEs:
- CVE-2025-54090
- CVE-2025-53020
- CVE-2025-49812
- CVE-2025-49630
- CVE-2025-23048
- CVE-2024-47252
- CVE-2024-43394
- CVE-2024-43204
- CVE-2024-42516

More details can be found in
https://downloads.apache.org/httpd/CHANGES_2.4

Signed-off-by: Josef Schlehofer <[email protected]>

msmtp: update to version 1.8.31

Release notes:
https://marlam.de/msmtp/news/

Signed-off-by: Josef Schlehofer <[email protected]>

mariadb: update to version 11.4.8

Release notes:
https://mariadb.com/docs/release-notes/community-server/mariadb-11-4-series/mariadb-11.4.8-release-notes

Refreshed patch

Signed-off-by: Josef Schlehofer <[email protected]>

python-hatchling: update to version 1.27.0

Release notes:
https://github.com/pypa/hatch/releases/tag/hatchling-v1.27.0

Signed-off-by: Josef Schlehofer <[email protected]>

tailscale: update to 1.88.3

Changelog: https://tailscale.com/changelog#2025-09-25

Signed-off-by: Sandro Jäckel <[email protected]>

umurmur: update to version 0.3.1

Makefile changes
----------------

1. The location of uMurmur binary was changed to /sbin
in release 0.3.1. See release notes [1]

2. I need to specify location of the library file instead of
the directory.

Fixes:
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries.  CMake is dropping the item.

CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries.  CMake is dropping the item.

Because of these two warnings, the build fails with
undefined references to
protobuf-c symbols (e.g. protobuf_c_message_get_packed_size).

Patches
-------

Removed all of them, because they are included in
the upstream source code.

[1] https://github.com/umurmur/umurmur/releases/tag/v0.3.1

Signed-off-by: Josef Schlehofer <[email protected]>

xmlrpc-c: [Security] Remove obsolete "-internal" variant

Closes #26263
Remove myself as maintainer

Signed-off-by: Ted Hess <[email protected]>

nfs-kernel-server: fix recursive Kconfig dependencies

Move CONFLICTS definition to the respective v4 packages to avoid
creating a recursive dependency.

Fixes: ee3b06e42 ("nfs-kernel-server: provide a NFSv3 and NFSv4 daemon")
Fixes: #27555
Signed-off-by: Daniel Golle <[email protected]>

v2ray-core: Update to 5.39.0

Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.39.0

Signed-off-by: Tianling Shen <[email protected]>

cloudflared: Update to 2025.9.1

Release note: https://github.com/cloudflare/cloudflared/releases/tag/2025.9.1

Signed-off-by: Tianling Shen <[email protected]>

rclone: Update to 1.71.1

Release note: https://github.com/rclone/rclone/releases/tag/v1.71.1

Signed-off-by: Tianling Shen <[email protected]>

owntone: update to 29.0

Changes available at https://github.com/owntone/owntone-server/releases/tag/29.0

Added libmount dependency ref. bullet 4 in the ChangeLog

Signed-off-by: Espen Jürgensen <[email protected]>

openvswitch: add missing dependency

This resolves this failure observed when building on a 6.12 kernel:

Package kmod-openvswitch is missing dependencies for the following libraries:
psample.ko

The psample module is provided by kmod-sched-act-sample.

Closes: https://github.com/openwrt/packages/issues/26571
Signed-off-by: Mathew McBride <[email protected]>

unbound: update to 1.24.0

latest upstream 09182024

Signed-off-by: Eric Luehrsen <[email protected]>

openvpn: bump `PKG_RELEASE`

Although recent updates were made, the `PKG_RELEASE` bump was missed.

Signed-off-by: Wesley Gimenes <[email protected]>

boost: fix PKG_SOURCE_URL

boostorg.jfrog.io is no longer available for download, so remove it.
use archives.boost.io (fastly cdn) to download first.

Signed-off-by: Andy Chiang <[email protected]>

adblock-fast: update to 1.2.0

Makefile:
* update version/release
Init Script:
* boot up reliability improvements:
  - change START from 50 to 20 to ensure procd_add_raw_trigger works on boot
  - better logic of checking/using the cache/compressed cache on boot
* new dnsmasq handling/integration logic:
  - new logic for checking dnsmasq functionality (similar to dnsmasq init script)
  - instead of copying/duplicating adblock-fast files per specified dnsmasq instance, create one file
    and add softlinks to it for specified dnsmasq instances and make sure it's in the instance's addnmounts
  - update dnsmasqConfFile, dnsmasqIpsetFile and dnsmasqNftsetFile to point to the same filename as the
    logic for integrating with dnsmasq is the same for those options
  - get the confdir for specified dnsmasq instances via ubus info/config file since the config_get is broken
    between releases by https://github.com/openwrt/openwrt/pull/14975
  - update clean-up procedures for other dns backend settings to properly clean up when switching away from
    dnsmasq.conf, dnsmasq.ipset, dnsmasq.nftset where the new logic is used
  - remove obsolete outputDnsmasqFileList variable and logic of building and using it
  - only create compressed cache in service_started after successful resolver restart with the block-file
* new package config / environment loading logic
  - switch away from using `load_validate_config` to start functions to loading package config "manually"
  - unset boolean variables which are non-true on package config load
  - switch checking values of such variables from `-eq 0` to empty/non-empty
* debugging improvements:
  - rename debug option to debug_init_script and proc_debug to debug_performance
  - output performance debug info to log only when debug_performance is set
* miscellaneous changes:
  - move best dl tool detection into its own function for reuse in adb_config_update
  - change uci_changes function to return 0/1 instead of the text of changes
  - improve mktemp calls reliability by creating the file and not using `-u` anymore
  - add remove_cache/remove_gzip calls to adb_file function
  - better readability of the start_serice logic determining the action
  - change flock value from 207 to 209 to avoid collisions with pbr
  - temporarily switch namespaces when using jshn functions to avoid collisions with PROCD
  - move from using spaces to tabs in indentation in code
  - prevent Command Not Found message on uninstall
  - remove unneeded IPKG_INSTROOT check in the init script
  - update all sourcing instructions to include IPKG_INSTROOT in the path
Uci-defaults script:
* transition old debug and proc_debug options to debug_init_script/debug_performance

Signed-off-by: Stan Grishin <[email protected]>

fail2ban: bump to 1.1.0

fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
  - filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
  - cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.

Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")
Signed-off-by: Andrey Zotikov <[email protected]>

ovpn-dco: bump version to 0.2.20250801

Fix version number for timer API changes

Signed-off-by: Andy Chiang <[email protected]>

ovpn-dco: fix package dependencies

add kmod-crypto-chacha20poly1305 kmod-crypto-lib-chacha20 kmod-crypto-lib-poly1305 for chacha20

Signed-off-by: Andy Chiang <[email protected]>

giflib: Add Gentoo patch to fix various CVEs

Fixes:
    CVE-2022-28506
    CVE-2023-48161
    CVE-2024-45993
    CVE-2025-31344

Remove myself as maintainer

Signed-off-by: Ted Hess <[email protected]>

owut: update to 2025.09.27

Bug fixes:
    efahl/owut@f049043ed721 owut: use installed SSL certs instead of default

Signed-off-by: Eric Fahlgren <[email protected]>

expat: upgrade to 2.7.3

Upstream changelog: https://github.com/libexpat/libexpat/blob/R_2_7_3/expat/Changes

Signed-off-by: Ted Hess <[email protected]>

i2pd: update to 2.58.0

* Updating package to 2.58.0
* Update patch for i2pd.conf

Signed-off-by: David Yang <[email protected]>

gperftools: make libunwind dependency conditional

Make libunwind support optional depending on package availability.

Previously, gperftools unconditionally enabled libunwind as
mandatory dependency, which led to build failures on architectures where
libunwind is not provided.

Signed-off-by: Josef Schlehofer <[email protected]>

nfs-kernel-server: provide a NFSv3 and NFSv4 daemon

Summary:

The current build does not produce an NFSV4 capable package. This commit
fixes that providing a v3 and v4 variant to empower users to have either.

Approx. size differences between v3 and v4:

The v4 variant is approximately 16 MiB larger than the v3 variant
due to additional dependencies, kernel modules, etc.[1]

Detailed changes:

1. Split into a v3 and v4 version series of packages. In doing
   this, the build-time V4 options are removed which is a major "win"
   from a user's perspective because it means that for both release and
   for snapshot builds, both options will be available to users of the
   binary hosted packages.

2. Since V3 and V4 require different init processes, we should simplify
   daemon management by providing a single init script unique to each
   variant.

3. Added CPE_ID and PKG_LICENSE and also added myself as the Makefile
   MAINTAINER.

Discussion about the v4 initd script:

It should be noted that mimicking the systemd implementation in an init.d
script with procd was not straight forward. There are some quirks
associated with the interplay of the five executables (listed below)
with procd, but despite of them, the init script works reliably based
on my somewhat extensive testing.

My observations and justification for the script as-is:
1a. procd_set_param command /usr/sbin/nfsdcld cannot be started with an
    appended -F as doing so will somehow cause the executable to never
    connect to the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld.

    In fact, if you run `watch -n 1 tree /var/lib/nfs/rpc_pipefs` while
    calling the init.d script to start, this pipe will quickly disappear
    resulting in nfsdcld being unable to find it and thus fail to track
    clients. On the other hand, starting it as I have in the init.d
    script works as expected.

1b. Starting /usr/sbin/nfsdcld even with the -F arg outside of procd
    also results in the communication pipe quickly disappearing.

2.  Even though rpc.nfsd is a user space util, and even though it runs
    and then exits, it must be started by procd with the procd_set_param
    or else, the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld
    will again quickly disappear breaking client tracking.

3.  The addition of the umountem function keeps syslog output cleaner as
    a shutdown of rpc.idmapd will cause the following to be logged:

    daemon.warn rpc.idmapd[xxxxx]: dirscancb: scandir(/var/lib/nfs/rpc_pipefs//nfs): No such file or directory

    Adding a 1 sec delay allows procd to kill it before we umount the
    nfs related mounts to prevent that warning.

4.  I can find no way to suppress rpc.idmapd and nfsv4.exportd reporting
    that they received a SIGTERM (signal 15). The syslog will contain
    two lines on exit, e.g.:
    daemon.warn rpc.idmapd[1894]: exiting on signal 15
    daemon.notice nfsv4.exportd[1893]: Caught signal 15, exiting.

The result of points 1 and 2 mean that if a users queries the status of
the daemon when running, (ie /etc/init.d/nfsv4d status), it will show:
running (2/4) despite the kernel serving up NFSV4 mounts 100% correctly.

I am unaware of a more perfect approximation of the systemd units.

List of the five needed calls:
* /usr/sbin/nfsv4.exportd (run once then quit)
* /usr/sbin/rpc.idmapd (needs to continue running)
* /usr/sbin/nfsdcld (needs to continue running)
* /usr/sbin/exportfs -r (run once then quit)
* /usr/sbin/rpc.nfsd -N 3 (run once then quit)

1. As assessed by comparing the uncompressed img files from a build of a
   minimal image for x86/64 with the v3 variant vs with the v4.

Both variants have been tested and work.

v3:
On a network node, the NFSV3 export is fully functional:

% mount -t nfs -o vers=3 10.9.8.1:/mnt/data/nfs/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.9.8.1,mountvers=3,mountport=32780,mountproto=udp,local_lock=none,addr=10.9.8.1)

v4:
On a network node, the NFSV4 export is fully functional:

% mount 10.9.8.1:/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.9.8.102,local_lock=none,addr=10.9.8.1)

Finally, added 240-fix-cleanup_lockfiles-function-linkage-in-exportd.patch[1]

1. https://marc.info/?l=linux-nfs&m=175604879721922&w=2

From commit msg therein:
The cleanup_lockfiles function in utils/exportd/exportd.c was declared
as 'inline void' without a proper function prototype, causing linker
errors during the build process:

  exportd.c:(.text+0x5a): undefined reference to `cleanup_lockfiles'
  exportd.c:(.text.startup+0x317): undefined reference to `cleanup_lockfiles'

This occurred because:
1. The inline keyword prevented the compiler from generating a callable
   function symbol in some build configurations
2. The function lacked a proper prototype declaration, triggering
   -Werror=missing-prototypes

The fix changes the function to:
- Remove the 'inline' keyword to ensure symbol generation
- Add a proper static function prototype
- Make the function 'static' since it's only used within exportd.c

This resolves both the linking error and the missing prototype warning,
allowing exportd to build successfully in OpenWrt's cross-compilation
environment.

Co-authored-by: Maxim Storchak <[email protected]>
Co-authored-by: Daniel Golle <[email protected]>
Signed-off-by: John Audia <[email protected]>

docker-compose: Update to version 2.39.4

Release notes:
https://github.com/docker/compose/releases/tag/v2.39.4

Signed-off-by: Javier Marcet <[email protected]>

microsocks: run as unprivileged user

Run the daemon as unprivileged user for better security.

Trim whitespaces while at it.

Signed-off-by: Tianling Shen <[email protected]>

gperftools: enable it for mips*

It should be working for mips*,
so enable it and let's see. :-)

In the past, there were some issues related to mips,
when the package was added, but these days, it appears
that these issues are gone. More details
about those issues could be found in the GitHub pull request
when gperftools was added. Reference is in the Fixes tag.

Fixes: c1b4e80825d6855d66899dc32490b0ce9537aff5 ("gperftools: add new package")
Signed-off-by: Josef Schlehofer <[email protected]>

dnsdist: update to 2.0.1

fixes CVE-2025-4820, CVE-2025-4821, CVE-2025-7054

adds python-yaml/host build dep as the dnsdist configuration handling
is now (since 2.0.0) generated at build time

Signed-off-by: Peter van Dijk <[email protected]>

frp: bump to 0.65.0

Change log is available at: https://github.com/fatedier/frp/releases/tag/v0.65.0

Signed-off-by: Roc Lai <[email protected]>

natmap: update to 20250924

Upstream changelog:
https://github.com/heiher/natmap/releases/tag/20250924

Signed-off-by: Ray Wang <[email protected]>

libfmt: bump to new upstream version 12.0.0

bump to new upstream relaese

Signed-off-by: Othmar Truniger <[email protected]>

fluent-bit: update to 4.1.0

- Remove obsolete patch

Build system: aarch64
Build-tested: mediatek/filogic
Run-tested: mediatek/filogic

Signed-off-by: Biao Zhu <[email protected]>

knot: backport patch to fix linking with libhiredis

It was discovered that even while using ``--enable-redis=no``
and ``--disable-redis`` that it was still linking with libhiredis.

This avoids to picking up libhiredis as dependency:

```
Package knot is missing dependencies for the following libraries:
libhiredis.so.1.1.0
```

Fixes: cbbd2b5b3bd6df7e550b114cf1c9f8e0f5bc8616 ("knot: disable redis as it was enabled since 3.5.0 by default")
Signed-off-by: Jan Hák <[email protected]>

acme-acmesh: support TLS-ALPN-01 challenge

This change adds an ability to invoke acme.sh with --alpn option
invoking a TLS-ALPN-01 challenge on the 443 port.

Signed-off-by: Vladimir Kochnev <[email protected]>

knot: disable redis as it was enabled since 3.5.0 by default

By disabling redis, it is not possible to use redis database as zone storage

Signed-off-by: Jan Hák <[email protected]>

vectorscan: drop custom DEPENDS_COMMON

There is no reason to have custom specific DEPENDS_COMMON,
I dropped it and added it to DEPENDS. Simplified, easier to read
and understand.

Signed-off-by: Josef Schlehofer <[email protected]>

mpack: drop package

The package is ancient, old and not developed anymore.
Project URL on GitLab shows 404, I could find it on Debian GitLab [1].

[1] https://salsa.debian.org/debian/mpack

Signed-off-by: Josef Schlehofer <[email protected]>

netatalk: update to 4.3.2

Netatalk 4.3.x adds the option to use sqlite as a CNID DB. This
is now a config option for the full package.
(mysql is also an option but this has not been included here yet).

As CNID DB backends are now managed by the netatalk meta-daemon
the init script has been updated to use it instead of starting
afpd & dbd manually.

Cleaned up tab/space issues here and there.

Signed-off-by: Antonio Pastor <[email protected]>

syslog-ng: update to version 4.10.0

Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.0

Makefile changes
----------------

1. Disable experimental feature: stackdump
due to issues, which were reported to upstream

2. Disabled example modules to avoid adding libstdc++.so.6 dependency
Fixes:
Package syslog-ng is missing dependencies for the following libraries:
libstdc++.so.6

Other changes
-------------

In syslog-ng 4.8.0, there was added possibility to use value "current"
as version in the config file, so use it, which confirm to use
the latest version instead of bumping the version in the file
manually.

Signed-off-by: Josef Schlehofer <[email protected]>

syslog-ng: add runtime test

It adds a runtime test to verify that the compiled binary in
CI/CD runs without segfault and prints the version.

Signed-off-by: Josef Schlehofer <[email protected]>

liburcu: correct licenses

I've listed what files contain each SPDX-License-Identifier, and tried
to classify their purpose as below:

- BSD-2-Clause: `tests/**` (tests)
- CC0-1.0: `extras/abi/**/*.xml` (documentation)
- CC-BY-4.0: `ChangeLog`, `**/*.md` (documentation)
- FSFAP: `m4/*.m4` (build system)
- GPL-2.0-only: `tests/**`, `extras/abi/dump_abi.sh` (tests,
  documentation)
- GPL-2.0-or-later: `scripts/urcu-api-list.sh`, `tests/**` (tests,
  documentation)
- GPL-2.0-or-later WITH Autoconf-exception-2.0: `m4/ae_pprint.m4` (build
  system)
- GPL-2.0-or-later WITH LicenseRef-Autoconf-exception-macro: `m4/*.m4`
  (build system)
- GPL-3.0-or-later: `tests/utils/tap.sh` (tests)
- LGPL-2.1-only: `configure.ac`, `include/**/*.h` (build system,
  headers)
- LGPL-2.1-or-later: `doc/**`, `include/**/*.h`, `src/**/*.{c,h}`,
  `tests/**`, (documentation, headers, source, tests)
- LicenseRef-Boehm-GC: `include/**/*.h`, `tests/common/thread-id.h`
  (headers, documentation)
- MIT: `.gitignore`, `.gitreview`, `Makefile.am`, `bootstrap`, `doc/**`,
  `extras/Makefile.am`, `include/Makefile.am`, `include/**/*.h`,
  `src/**/*.{am,h,pc.in}`, `tests/**` (documentation, build system,
  headers, source control)

Then in PKG_LICENSE I've included licenses which are used for headers,
source, or build system. I've also corrected PKG_LICENSE_FILES: license
texts are in the LICENSES directory, lgpl-relicensing ends with .md, and
I've added the overarching LICENSE.md.

Signed-off-by: Linus Kardell <[email protected]>

yaml: correct PKG_LICENSE_FILES

Point to correct file name.

Signed-off-by: Linus Kardell <[email protected]>

tiff: correct PKG_LICENSE_FILES

Point to correct file name.

Signed-off-by: Linus Kardell <[email protected]>

lvm2: disable readline and interactive shell

remove support of interactive mode in /sbin/lvm

Benefits:
- drop dependency on readline and ncurses (-700kb if there are no other users of these libs)
- shrink the lvm binary itself (-260k)

Drawback:
- lose interactive shell:
lvm> vgchange -ay
  4 logical volume(s) in volume group "vg0" now active
lvm>

"lvm <subcommand> --params" and "<subcommand> --params" entry points are still available

Signed-off-by: Maxim Storchak <[email protected]>

ufp: update to 2025.09.23

Update to latest version, which enables ubus calls via uhttpd.

Signed-off-by: Christian Korber <[email protected]>

nft-qos: drop it as it does not work

There are several issues opened in our repository:
https://github.com/openwrt/packages/issues/16007
https://github.com/openwrt/packages/issues/19833
https://github.com/openwrt/packages/issues/20498
https://github.com/openwrt/packages/issues/20899
https://github.com/openwrt/packages/issues/24027
https://github.com/openwrt/packages/issues/24147
https://github.com/openwrt/packages/issues/24149

Unfortunately, maintainer @rosysong appears to be gone
and his domain is not working anymore.

For such reason as it is not maintained since 2021, drop it.

Signed-off-by: Josef Schlehofer <[email protected]>

dysk: drop unmaintained package here

This package was introduced in https://github.com/openwrt/packages/pull/22592
and it has not received any update in this repository despite
the upstream releases new versions.

Because, we dont have enough man power to keep it updated,
lets drop this.

Signed-off-by: Josef Schlehofer <[email protected]>

treewide: drop anything related to uClibc

uClibc-ng was removed in 2020 from OpenWrt main repo [1].
These things are leftovers.

[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=63fb175203bbf3b336804587c2f5b3a2d8132ec1

Signed-off-by: Josef Schlehofer <[email protected]>

knot: update to version 3.5.0

Release notes: https://www.knot-dns.cz/2025-09-18-version-350.html
Patch from commit https://gitlab.nic.cz/knot/knot-dns/-/commit/1297a6cc0fef21f35cfa517b5b55d94cd9cea41d

Signed-off-by: Jan Hák <[email protected]>

sendmail: fix build on hosts with Berkley DB installed

Buildbot caught an error:
  "Berkeley DB file locking needs flock() for version 5.x (and greater?)"

It is caused by leakage of host-installed Berkley DB into the build.
Since libmilter is not using the DB and because of convoluted build
process of sendmail, we do the workaround  - define a macro which
prevents the error without affecting libmilter binary.

Also change source URL from FTP to HTTPS.

Signed-off-by: Aleksey Vasilenko <[email protected]>

tcpreplay: bump to version 4.5.2

This change bumps to version 4.5.2

Signed-off-by: Alexandru Ardelean <[email protected]>

stress-ng: bump to version 0.19.04

This change bumps the version of stress-ng to 0.19.04

Signed-off-by: Alexandru Ardelean <[email protected]>

squashfs-tools: bump to version 4.7.2

Contains backported patch '0001-print_pager-add-missing-includes.patch'
so we can remove it.

Signed-off-by: Alexandru Ardelean <[email protected]>

python-atomicwrites: drop package

- archived upstream
- drop confirmed by Python maintainer
- last local commit:
  commit: d5ac6e103eb11d29f4e822fadb727225e0e80992
  Author: Jeffery To <[email protected]>
  Date:   Mon, 24 Jul 2023 22:46:41 -0700

  python-atomicwrites: Update to 1.4.1

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2848164601
Signed-off-by: George Sapkin <[email protected]>

temperusb: drop package

- unmaintained upstream
- drop confirmed by maintainer
- last local commit:
  commit: 4ca726ae02d92e0ab061c4d2b26d3b31f84b71d9
  Author: Samuel Progin <[email protected]>
  Date:   Thu, 2 May 2019 21:46:30 +0200

  temperusb: package upgrade

- no PKG_MAINTAINER in Makefile

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2847739732
Signed-off-by: George Sapkin <[email protected]>

dhcp-forwarder: drop package

- unmaintained upstream
- drop confirmed by maintainer
- last local commit:
  commit: 4006865ae81b20b1793ae2a07db20235fefd2c71
  Author: Etienne Champetier <[email protected]>
  Date:   Tue, 29 Aug 2017 21:41:14 -0700

  treewide: run "make check FIXUP=1"

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2848168367
Signed-off-by: George Sapkin <[email protected]>

libantlr3c: drop package

- unmaintained upstream
- drop confirmed by maintainer
- last local commit:
  commit: 77519979190f1634ba35ec69ca18f42f0cc7db12
  Author: Rosen Penev <[email protected]>
  Date:   Sun, 8 Jul 2018 19:51:17 -0700

  libantlr3c: Update to 3.4

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2848168367
Signed-off-by: George Sapkin <[email protected]>

intltool: drop package

- unmaintained upstream
- drop confirmed
- last local commit:
  commit: cea49c620dbd53e79d206d0eba7f0dbce92e2d2f
  Author: Ansuel Smith <[email protected]>
  Date:   Wed, 7 Aug 2019 13:42:26 +0200

  intltool: fix broken compile on WSL

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2840303503
Signed-off-by: George Sapkin <[email protected]>

pkg-config: drop package

- unmaintained upstream
- drop confirmed by maintainer
- last local commit:
  commit: 243a1a13241dffc3d8da2830d825cbc535c1e33d
  Author: Rosen Penev <[email protected]>
  Date:   Sat, 2 Nov 2019 11:14:50 -0700

  pkg-config: Add CONFLICTS for pkgconf

Link: https://github.com/openwrt/packages/pull/26400#issuecomment-2848120084
Signed-off-by: George Sapkin <[email protected]>

numpy: bump to version 2.3.3

Bump the version number to 2.3.3

Signed-off-by: Alexandru Ardelean <[email protected]>

openblas: backport version of fix from upstream

From this PR:
  https://github.com/OpenMathLib/OpenBLAS/pull/5442

Signed-off-by: Alexandru Ardelean <[email protected]>

Revert "afraid.org-v2-token.json: Fix 404 on update"

This reverts commit 366629b117b49dab040b98dcb6433e4dc9772a36.

It has been determined that the URL currently in use points to v1. The
previously used URL remains valid and is correct. If someone requires the
v1 URL, a new provider must be created.

Signed-off-by: Florian Eckert <[email protected]>

ddns-scripts: stash the next check time

Calculating the next check time based on the last update time is not
very accurate if the next check is a large multiple forwards from the
last update time because the cumulative sleeps and wake times are not
exact but best effort of the OS. Other factors including clock-drift
give rise to a larger time discrepancy the further the next update is in
the future.

Stash the next check time which should be quite accurate since it's
only one sleep instance away. This is also for use in the GUI.

Tested on 24.10.2

Signed-off-by: Paul Donald <[email protected]>

tunneldigger: add broker_selection option to expose load balancing capabilities

Using the broker_selection param makes it possible to decide by use (default),
always use the first available broker to connect or select a random broker

See also: https://github.com/wlanslovenija/tunneldigger/blob/51a5e46ad143c92d2867835a563146ec4fbc6211/client/l2tp_client.c#L1331-L1333

Signed-off-by: Florian Maurer <[email protected]>

zerotier: update to 1.16.0

Authored-by: Óscar García Amor <[email protected]>
Signed-off-by: Moritz Warning <[email protected]>

btop: Update to 1.4.5

Release note: https://github.com/aristocratos/btop/releases/tag/v1.4.5

Signed-off-by: Tianling Shen <[email protected]>

cloudflared: Update to 2025.9.0

Release note: https://github.com/cloudflare/cloudflared/releases/tag/2025.9.0

Signed-off-by: Tianling Shen <[email protected]>

openlist: Update to 4.1.3

Release note: https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.3

Signed-off-by: Tianling Shen <[email protected]>

syncthing: bump to 2.0.9

Major version change that switches DB backend from
LevelDB to SQLite. Requires golang 1.24+.

- improve syncthing argument parsing to be more
  robust
- remove unused and add updated config options

Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.0
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.1
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.2
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.3
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.4
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.5
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.6
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.7
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.8
Changelog: https://github.com/syncthing/syncthing/releases/tag/v2.0.9
Signed-off-by: George Sapkin <[email protected]>
wip

Signed-off-by: George Sapkin <[email protected]>

lf: update to r38

https://github.com/gokcehan/lf/releases/tag/r38

Signed-off-by: Nate Robinson <[email protected]>

unbound: update README

* add adblock-fast to the Ad Blocking segment
* fix grammar (Its -> It's)
* modify last paragraph of the instructions as they are specific to adblock

Signed-off-by: Stan Grishin <[email protected]>

sane-backends: update to 1.4.0

Changelog: https://gitlab.com/sane-project/backends/-/releases/1.4.0
Signed-off-by: Luiz Angelo Daros de Luca <[email protected]>

gphoto2: update to 2.5.32

Fixes compilation with GCC15.

Signed-off-by: Rosen Penev <[email protected]>

libgphoto2: update to 2.5.32

Fixes compilation with GCC15.

Signed-off-by: Rosen Penev <[email protected]>

net/iputils: fix PKG_CPE_ID

iputils_project:iputils has been deprecated in favour of iputils:iputils

Signed-off-by: Fabrice Fontaine <[email protected]>

cjson: fix PKG_CPE_ID

cjson_project:cjson has been deprecated in favour of davegamble:cjson:
https://nvd.nist.gov/products/cpe/detail/70BC45DA-D915-4A1D-96AF-84A6CECEE148

Signed-off-by: Fabrice Fontaine <[email protected]>

python-cryptography: fix PKG_CPE_ID

cryptography_project:cryptography has been deprecated in favour of
cryptography.io:cryptography:
https://nvd.nist.gov/products/cpe/detail/2EBA50FC-F3F9-40D5-82BD-EFB67F761153

Signed-off-by: Fabrice Fontaine <[email protected]>

gnuplot: fix PKG_CPE_ID

gnuplot_project:gnuplot has been deprecated in favour of
gnuplot:gnuplot:
https://nvd.nist.gov/products/cpe/detail/DB68C9F5-3330-4749-A6F5-61FF041037CC

Signed-off-by: Fabrice Fontaine <[email protected]>

boinc: fix PKG_CPE_ID

rom_walton:boinc has been deprecated in favour of
universityofcalifornia:boinc_client:
https://nvd.nist.gov/products/cpe/detail/DAC161C5-2154-44BF-916A-EACB524E8B8F

Signed-off-by: Fabrice Fontaine <[email protected]>

sendmail: update to 8.18.1

- Fix GCC 15 build with 2 patches from Gentoo [1][2]
- Refresh existing patch
- Extend 010-enable-nonroot-install.patch to remove "-o U -g G" from
  more install targets (fixes 'invalid user buildbot' in CI)

[1]: https://github.com/gentoo/gentoo/blob/master/mail-mta/sendmail/files/sendmail-8.18.1-c23-sm_strtoll.patch
[2]: https://github.com/gentoo/gentoo/blob/master/mail-mta/sendmail/files/sendmail-8.18.1-c23-ctime.patch

Co-authored-by: W. Michael Petullo <[email protected]>
Signed-off-by: Aleksey Vasilenko <[email protected]>

snort3: add patch to unambiguously show vectorscan

When snort is run with the --version option, it advertises components'
versions in the output. Add a patch to modify the output to clearly
show vectorscan is in use.

Signed-off-by: John Audia <[email protected]>

snort3: replace hyperscan with vectorscan in deps

* Replacement of hyperscan-runtime reference with vectorscan-runtime
* Added support for all aarch64 targets which I believe is exhaustive

For x86 and x86/64, I found that vectorscan is truly a drop-in
replacement for hyperscan as assessed by speedtests with snort3 running
on my Intel N150 PC. CPU load during the test with each condition was
nearly saturating on a single core for both cases on a symmetrical
Gbps line.

Using: https://www.waveform.com/tools/bufferbloat in IPS mode:
  Download speed w/ hyperscan: 950-960 Mbit/s (n=2)
  Download speed w/ vectorscan: 942-960 Mbit/s (n=2)

Using: https://www.speedtest.net in IPS mode:
  Download speed w/ hyperscan: 996-1002 Mbit/s (n=2)
  Download speed w/ vectorscan: 993-988 Mbit/s (n=2)

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box running snort3)

Signed-off-by: John Audia <[email protected]>

hyperscan: remove package

Remove hyperscan since Intel announced a proprietary/closed source
license beginning with hyperscan 5.5[1,2] and a general lock of support
for the 5.4.x branch which has not seen a commit since 19-Apr-2023[3].

1. https://networkbuilders.intel.com/docs/networkbuilders/accelerate-snort-performance-with-hyperscan-and-intel-xeon-processors-on-public-clouds-1680176363.pdf
2. https://www.phoronix.com/news/Intel-Hyperscan-Now-Proprietary (and references therein)
3. intel/hyperscan@bc3b191

Signed-off-by: John Audia <[email protected]>

snort3: remove hyperscan specific patch

Drop 100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch as
it was only needed to fix the build against hyperscan. Vectorscan
builds fine without it.

Signed-off-by: John Audia <[email protected]>

vectorscan: new package for speeding up regex ops

Vectorscan is fork of Hyperscan, a high-performance multiple regex
matching library. It follows the regular expression syntax of the
commonly-used libpcre library, but is a standalone library with
its own C API.

Currently ARM NEON/ASIMD and Power VSX are 100% functional. ARM
SVE2 support is in ongoing with access to hardware now. More
platforms will follow in the future.

The performance difference of snort3 compiled against this is
sizable for aarch64 confirmed on two different SoCs:

Test SoC #1 flogic/glinet_gl-mt6000
IDS mode:
Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3)
Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3)
Gain of 3.6x

IPS mode:
Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3)
Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3)
Gain of 1.8x

Notes:
* Data generated on snapshot build on 12-Apr-2024 using kernel
  6.6.26, snort 3.1.84.0, vectorscan 5.4.11.
* Speedtest script hitting the same server.
* Snort rules file of was 37,917 lines/22 MB.
* In all cases, single core CPU saturation occurred which
  speaks to the efficiency gains supplied by vectorscan.

Test Soc #2 bcm2712/RPi5B

IPS mode:
Download speed wo/ vectorscan: 164.3 ±0.64 Mbit/s (n=3)
Download speed using vectorscan: 232.8 ±0.26 Mbit/s (n=3)
Gain of 1.4x

Notes:
* Data generated on snapshot build on 13-Apr-2024 using kernel
  6.1.86, snort 3.1.84.0, vectorscan 5.4.11.
* Google fiber speedtest (https://fiber.google.com/speedtest/)
  hitting the same server.
* Snort rules contained 39,801 rules/22 MB.
* In all cases, single core CPU saturation occurred which
  speaks to the efficiency gains supplied by vectorscan.

Build system: x86/64
Build-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B, x86/64-glibc
Run-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B, x86/64-glibc (Intel N150 based box)

Co-authored-by: Tianling Shen <[email protected]>
Co-authored-by: Jeffery To <[email protected]>
Signed-off-by: John Audia <[email protected]>

bind: don't break IPv6 support

What started in #20183 as a attempt to clean up noise in the logfiles,
turned out to be causing denial-of-service for dual-stack and especially
IPv6-only environments.

Breaking core network functionality cannot possibly be less important
than cosmetic issues, and those affected by log spam can avoid it via
other means (e.g. "query-source-v6 none;" in named.conf).

There's no reliable heuristic for determining whether there's IPv6
connectivity at the time bind is started which will catch any and all
corner cases, as discussed in #26327.

So, remove this logic for now. If a suitable heuristic can be devised,
it can always be added in a subsequent patch, but I have my doubts.

(Also, quote one variable to make shellcheck happy)

Closes: #26327
Closes: #20468
Signed-off-by: David Härdeman <[email protected]>

rust: Update to 1.90.0

Release note: https://blog.rust-lang.org/2025/09/18/Rust-1.90.0/

Signed-off-by: Tianling Shen <[email protected]>

fluent-bit: update to 4.0.9

- Remove obsolete patch
- Add patch replace NPN with ALPN for client connections \
because the default OpenSSL library does not enable NPN.
- Add newly libstdcpp dependency

Build system: aarch64
Build-tested: mediatek/filogic
Run-tested: mediatek/filogic

Signed-off-by: Biao Zhu <[email protected]>

ruby: update to 3.4.5

Ruby 3.4.0 is a major release that introduces several changes:
- Adds `it` block parameter reference
- Switches default parser to Prism
- Implements Happy Eyeballs Version 2 in the socket library
- Improves YJIT
- Adds Modular GC
- And more (see changelog for full details)

Subsequent minor releases include:
- 3.4.1: fixes version description
- 3.4.2: routine bugfix release
- 3.4.3: routine bugfix release
- 3.4.4: routine bugfix release (Linux-specific)
- 3.4.5: routine bugfix release, adds GCC 15 support

Packaging changes:
- (NEW) ruby-repl_type_completor (packaging the repl_type_completor gem)
- Refreshed package dependencies
- Updated `ruby_missingfiles` (detects unpacked files) to use `apk`
- Refactored `ruby_find_pkgsdeps` (detects inter-package dependencies)
  to use the Ruby parser (Prism) instead of heuristic string matching

Changelog: https://www.ruby-lang.org/en/news/2024/12/25/ruby-3-4-0-released/
Signed-off-by: Luiz Angelo Daros de Luca <[email protected]>