Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2

Log message:
*: recursive bump for heimdal 7.7.0

its buildlink3.mk now includes openssl's buildlink3.mk

Log message:
security: Remove SHA1 hashes for distfiles

Log message:
security/kstart: remove unknown configure option

Log message:
kstart: update to 4.2

k5start, when run with the -K option to run as a daemon, no longer exits if
the initial authentication fails (unless -x was given). Instead, it reports
the error to standard error and then continues to run, attempting authentication
every minute as if authentication had failed after it had started.

For both k5start with a command or -K and no -x flag, and krenew with the -i
flag, repeatedly retry the initial authentication. The first retry will be
immediate, and then the commands will keep trying with exponential backoff to
one minute intervals, and then continuously at one minute intervals until the
command is killed or authentication succeeds. k5start and krenew will no longer
start any other command until the initial authentication succeeds, fixing
startup behavior when running a command that must have valid Kerberos tickets
immediately on start.

Clean up the temporary ticket cache on k5start failure if -o, -g, or -m were
given.

The -H flag to k5start or krenew may now be used in conjunction with -K and
controls whether the ticket is renewed when the command wakes up. Normally,
the ticket will be renewed if it will expire sooner than two minutes after the
next time the command will wake up. If -H is specified, its value replaces the
default value of two minutes.

Add a new -a option to both k5start and krenew that, when used with -K, tells
those programs to refresh tickets every time they wake up. This is useful with
-t to ensure that the AFS token renewal program is always run, even if something
else renews the ticket cache before k5start or krenew wake up. It also provides
more predictable ticket refresh behavior. This probably should have been the
default with -K from the beginning, but the default wasn't changed to keep
backward compatibility. Consider always using -a with -K.

Fix k5start and krenew to not incorrectly reject the -b flag in conjunction
with -K or a command.

Log message:
Sort PLIST files.

Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:

  pkglint -Cnone,PLIST -Wnone,plist-sort -r -F

Log message:
Follow some http redirects.

Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Log message:
Update kstart to 4.1.