Subject: CVS commit: pkgsrc/sysutils/cfengine3
From: Filip Hajny
Date: 2015-12-08 18:15:21
Message id: 20151208171521.7790CFB80@cvs.NetBSD.org

Log Message:
Update sysutils/cfengine3 to 3.7.2.

Patch based largely on a pull request by bahamat@:

  https://github.com/joyent/pkgsrc/pull/307

3.7.2:

Bug fixes:
- readfile() and read*list() should print an error if they fail to read file.
  (Redmine #7702)
- Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error
  message on AIX.
- If there is an error saving a mustache template file
  it is now logged with log-level error (was inform).
- Change: Clarify bootstrap/failsafe reports
- Fixed several bugs which prevented CFEngine from loading
  libraries from the correct location. This affected several platforms.
  (Redmine #6708)
- If file_select.file_types is set to symlink and there
  are regular files in the scanned directory, CFEngine no longer
  produces an unnecessary error message. (Redmine #6996)
- Fix: Solaris packages no longer contain duplicate library
  files, but instead symlinks to them. (Redmine #7591)
- cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor
  multiple -D, -N and -s arguments (Redmine #7191)
- Fix "@endif" keyword sometimes being improperly processed
  by policy parser. (Redmine #7413)
- It is possible to edit the same value in multiple regions
  of one file. (Redmine #7460)
- Fix select_class not setting class when used in common bundle with slist.
  (Redmine #7482)
- Fix broken HA policy for 3rd disaster-recovery node.
- Directories should no more be changed randomly
  into files. (Redmine #6027)
- Include latest security updates for 3.7.
- Reduce malloc() thread contention on heavily loaded
  cf-serverd, by not exiting early in the logging function, if no message
  is to be printed. (Redmine #7624)
- Improve cf-serverd's lock contention because of getpwnam()
  call. (Redmine #7643)
- action_policy "warn" now correctly produces warnings instead
  of various other verbosity levels. (Redmine #7274)
- Change: Improve efficiency and debug reports (Redmine #7527)
- Change package modules permissions on hub package so that
  hub can execute package promises. (Redmine #7602)
- No longer hang when changing permissions/ownership on fifos
  (Redmine #7030)
- Fix exporting CSV reports through HTTPS. (Redmine #7267)
- failsafe.cf will be created when needed. (Redmine #7634)
- Mustache templates: Fix  key when value is not a
  primitive. The old behavior, when iterating across a map or array of
  maps, was to abort if the key was requested with . The new
  behavior is to always replace  with either the key name or the
  iteration position in the array. An error is printed if  is used
  outside of a Mustache iteration section.
- Legacy package promise: Result classes are now defined if
  the package being promised is already up to date. (Redmine #7399)
- TTY detection should be more reliable. (Redmine #7606)

Masterfiles:
- Add: Path to svcprop in stdlib
- Add: New `results` classes body [] (Redmine #7418, #7481)
- Remove: Support for email settings from augments_file (Redmine #7682)

3.7.1:

Bug fixes:
- Fix daemons not restarting correctly on upgrade on AIX. (Redmine #7550)
- Fix upgrade causing error message under systemd because of open ports.
- Fix build with musl libc. (Redmine #7455)
- Long promiser strings with multiple lines are now
  abbreviated in logs. (Redmine #3964)
- Fixed a bug which could cause daemons to not be killed
  correctly when upgrading or manually running "service cfengine3 stop".
  (Redmine #7193)
- Package promise: Fix inability to install certain packages
  with numbers.
- Fix package promise not removing dependent packages. (Redmine #7424)
- Fix warning "Failed to parse csv file entry" with certain very long
  commands promises. (Redmine #7400)
- Fix misaligned help output in cf-hub. (Redmine #7273)
- Augmenting inputs from the augments_file (Redmine #7420)
- Add support for failover to 3rd HA node located outside cluster.
- Upgrade all dependencies for patch release.
- Fix a bug which caused daemons not to be restarted on
  upgrade. (Redmine #7528)

3.7.0:

New features:
- New package promise implementation.
- Full systemd support for all relevant platforms
- New classes to determine whether certain features are enabled:
    * feature_yaml
    * feature_xml
  For the official CFEngine packages, these are always enabled, but
  packages from other sources may be built without the support.
- New readdata() support for generic data input (CSV, YAML, JSON, or auto)
- YAML support: new readyaml() function and in readdata()
- CSV support: new readcsv() function and in readdata()
- New string_mustache() function
- New data_regextract() function
- eval() can now be called with "class" as the "mode" argument, which
  will cause it to return true ("any") if the calculated result is
  non-zero, and false ("!any") if it is zero.
- New list_ifelse() function
- New mapjson() function as well as JSON support in maparray().
- filestat() function now supports "xattr" argument for extended
  attributes.
- "ifvarclass" now has "if" as an alias, and "unless" as an inverse
  alias.
- Ability to expand JSON variables directly in Mustache templates:
  Prefix the name with '%' for multiline expansion, '$' for compact
  expansion.
- Ability to expand the iteration *key* in Mustache templates with @
- Canonical JSON output: JSON output has reliably sorted keys so the
  same data structure will produce the same JSON every time.
- New "@if minimum_version(x.x)" syntax in order to hide future language
  improvements from versions that don't understand them.
- compile time option (--with-statedir) to
  override the default state/ directory path.
- Fix error messages/ handling in process signalling which no longer
  allowed any signals to fail silently
- Also enable shortcut keyword for cf-serverd classic protocol, eg to
  simplify the bootstrap process for clients that have different
  sys.masterdir settings (Redmine #3697)
- methods promises now accepts the bundle name in the promiser string,
  as long as it doesn't have any parameters.
- In a services promise, if the service_method bundle is not specified,
  it defaults to the promiser string (canonified) with "service_" as a
  prefix. The bundle must be in the same namespace as the promise.
- inline JSON in policy files: surrounding with parsejson() is now
  optional *when creating a new data container*.
- New data_expand() function to interpolate variables in a data container.
- Add configurable network bandwidth limit for all outgoing
  connections ("bwlimit" attribute in "body common control"). To
  enforce it in both directions, make sure the attribute is set on both
  sides of the connection.
- Secure bootstrap has been facilitated by use of
  "cf-agent --bootstrap HUB_ADDRESS --trust-server=no"
- Implement new TLS-relevant options (Redmine #6883):
  - body common control: tls_min_version
  - body server control: allowtlsversion
  - body common control: tls_ciphers
  - body server control: allowciphers (preexisting)

Changes:
- Improved output format, less verbose, and messages are grouped.
- cf-execd: agent_expireafter default was changed to 120 minutes
  (Redmine #7113)
- All embedded databases are now rooted in the state/ directory.
- TLS used as default for all outgoing connections.
- process promise now reports kept status instead of repaired if a
  signal is not sent, even if the restart_class is set. The old
  behavior was to set the repaired status whenever the process was not
  running. (Redmine#7216).
- Bootstrapping requires keys to be generated in advance using cf-key.
- Disable class set on reverse lookup of interfaces IP addresses.
  (Redmine #3993, Redmine #6870)
- Define a hard class with just the OS major version on FreeBSD.
- Abort cf-agent if OpenSSL's random number generator can't
  be seeded securely.
- Masterfiles source tarball now installs using the usual commands
  "./configure; make install".
- Updated Emacs syntax highlighting template to support the latest
  syntax enhancements in 3.7.

Deprecations:
- Arbitrary arguments to cfruncommand (using "cf-runagent -o") are
  not acceptable any more. (Redmine #6978)
- 3.4 is no longer supported in masterfiles.

Bug fixes:
- Fix server common bundles evaluation order (Redmine#7211).
- Limit LMDB disk usage by preserving sparse areas in LMDB files
  (Redmine#7242).
- Fixed LMDB corruption on HP-UX 11.23. (Redmine #6994)
- Fixed insert_lines failing to converge if preserve_block was used.
  (Redmine #7094)
- Fixed init script failing to stop/restart daemons on openvz/lxc
  hosts. (Redmine #3394)
- rm_rf_depth now deletes base directory as advertised. (Redmine #7009)
- Refactored cf-agent's connection cache to properly differentiate
  hosts using all needed attributes like host and port.
  (Redmine #4646)
- Refactored lastseen database handling to avoid inconsistencies.
  (Redmine #6660)
- cf-key --trust-key now supports new syntax to also update the
  lastseen database, so that clients using old protocol will trust
  the server correctly.
- Fixed a bug which sometimes caused an agent or daemon to kill or stop
  itself. (Redmine #7075, #7244)
- Fixed a bug which made it difficult to kill CFEngine daemons,
  particularly cf-execd. (Redmine #6659, #7193)
- Fixed a bug causing systemd not to be detected correctly on Debian.
  (Redmine #7297)
- "cf-promises -T" will now correctly report the checked out commit,
  even if you haven't checked out a Git branch. (Redmine #7332)
- Reduce verbosity of harmless errors related to socket timeouts and
  missing thermal zone files. (Redmine #6486 and #7238)
- Fix process_result logic to match the purpose of body process_select
  days_older_than (Redmine #3009)

Masterfiles:

Added:
- Support for user specified overriding of framework defaults without
  modifying policy supplied by the framework itself (see
  example_def.json)
- Support for def.json class augmentation in update policy
- Run vacuum operation on postgresql every night as a part of
  maintenance.
- Add measure_promise_time action body to lib (3.5, 3.6, 3.7, 3.8)
- New negative class guard `cfengine_internal_disable_agent_email` so
  that agent email can be easily disabled by augmenting def.json

Changed:
- Relocate def.cf to controls/VER/
- Relocate update_def to controls/VER
- Relocate all controls to controls/VER
- Only load cf_hub and reports.cf on CFEngine Enterprise installs
- Relocate acls related to report collection from bundle server
  access_rules to controls/VER/reports.cf into bundle server
  report_access_rules
- Re-organize cfe_internal splitting core from enterprise specific
  policies and loading the appropriate inputs only when necessary
- Moved update directory into cfe_internal as it is not generally
  intended to be modified
- services/autorun.cf moved to lib/VER/ as it is not generally intended
  to be modified
- To improve predictability autorun bundles are activated in
  lexicographical order
- Relocate services/file_change.cf to cfe_internal/enterprise. This
  policy is most useful for a good OOTB experience with CFEngine
  Enterprise Mission Portal.
- Relocate service_catalogue from promises.cf to services/main.cf. It is
  intended to be a user entry. This name change correlates with the main
  bundle being activated by default if there is no bundlesequence
  specified.
- Reduce benchmarks sample history to 1 day.
- Update policy no longer generates a keypair if one is not found.
  (Redmine: #7167)
- Relocate cfe_internal_postgresql_maintenance bundle to lib/VER/
- Set postgresql_monitoring_maintenance only for versions 3.6.0 and
  3.6.1
- Move hub specific bundles from lib/VER/cfe_internal.cf into
  lib/VER/cfe_internal_hub.cf and load them only if policy_server policy
  if set.
- Re-organize lib/VER/stdlib.cf from lists into classic array for use
  with getvalues

Removed:
- Diff reporting on /etc/shadow (Enterprise)
- Update policy from promise.cf inputs. There is no reason to include
  the update policy into promises.cf, update.cf is the entry for the
  update policy
- _not_repaired outcome from classes_generic and scoped_classes generic
  (Redmine: # 7022)

Fixes:
- standard_services now restarts the service if it was not already
  running when using service_policy => restart with chkconfig (Redmine
  #7258)

Files:
Revision  Action  File
1.15      modify  pkgsrc/sysutils/cfengine3/Makefile
1.2       modify  pkgsrc/sysutils/cfengine3/Makefile.cf
1.8       modify  pkgsrc/sysutils/cfengine3/PLIST
1.9       modify  pkgsrc/sysutils/cfengine3/distinfo
1.3       modify  pkgsrc/sysutils/cfengine3/patches/patch-ext_Makefile.in
1.1       add     pkgsrc/sysutils/cfengine3/files/pkgsrc
1.1       add     pkgsrc/sysutils/cfengine3/files/smf/manifest.xml
1.1       remove  pkgsrc/sysutils/cfengine3/patches/patch-libenv_unix_iface.c