Log message:
mk: Introduce and use MASTER_SITE_GNUPG

Various packages around the tree use a different variant
of MASTER_SITES to access various GnuPG mirrors, let's just
centralize them in one locaiton.

While here, fix some lint warnings.

Log message:
gnutls: updated to 3.8.9

Version 3.8.9 (released 2025-02-07)

** libgnutls: leancrypto was added as an interim option for PQC
   The library can now be built with leancrypto instead of liboqs for
   post-quantum cryptography (PQC), when configured with
   --with-leancrypto option instead of --with-liboqs.

** libgnutls: Experimental support for ML-DSA signature algorithm
   The library and certtool now support ML-DSA signature algorithm as
   defined in FIPS 204 and based on
   draft-ietf-lamps-dilithium-certificates-04. This feature is
   currently marked as experimental and can only be enabled when
   compiled with --with-leancrypto or --with-liboqs.
   Contributed by David Dudas.

** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
   The support for ML-KEM post-quantum key encapsulation mechanisms
   has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
   MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
   draft-kwiatkowski-tls-ecdhe-mlkem-03.

** libgnutls: Fix potential DoS in handling certificates with numerous name
   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
   bundled copy of libtasn1 has also been updated to the latest 4.20.0
   release to complete the fix.
   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]

** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

Log message:
Revert "security/gnutls: Use system TLS trust anchors."

This requires review of how SmartOS and macOS, at least, are supposed
to handle TLS trust anchors for pkgsrc, which I didn't do -- it's
practically guaranteed that referring to
share/mozilla-rootcerts/cacert.pem is wrong on those platforms like
it is on NetBSD, but I don't know offhand what the right alternative
is and this can hold off until we determine that.

Log message:
security/gnutls: Use system TLS trust anchors.

Until 2018, gnutls would search at _build-time_ for one of various
files /etc/ssl/ca-bundle.pem, /etc/ssl/certs/ca-certificates.crt,
/etc/pki/tls/cert.pem, &c., for trust anchors, and bake that path
into the build product -- or, if none of those existed at build-time,
it would bake _nothing_ into the build product and require programs
doing TLS to specify trust anchors explicitly; the gnutls function
gnutls_x509_trust_list_add_system_trust would fail with
GNUTLS_E_UNIMPLEMENTED_FEATURE.

In 2018, gnutls was changed to depend on mozilla-rootcerts and use
${PREFIX}/share/mozilla-rootcerts/cacert.pem.  This was expedient for
NetBSD which (a) had no trust anchors shipped out of the box until
10.0 but (b) would usually be configured with mozilla-rootcerts
anyway, but wrong, because:

1. The system may manage TLS trust anchors differently, e.g. on
   Fedora they're somewhere in /etc/pki/tls, or even if you install
   trust anchors from pkgsrc you might use security/ca-certificates
   instead of security/mozilla-rootcerts.

2. Even if the system uses Mozilla's trust anchors, there is no way
   for an operator to safely selectively override individual CA
   certificates, like nixing Digi-Notar after their compromise --
   ${PREFIX}/share/mozilla-rootcerts/cacert.pem is a static file that
   is not allowed to change, not an editable configuration file.

With this change, on platforms where mk/ssl.mk defines SSLCERTBUNDLE,
gnutls will look there; on platforms without it, gnutls will revert
to its original default of checking various paths at build-time.  For
systems where the binary packages are built without trust anchors at
build-time, but where there is a fixed path known at build-time where
the trust anchors will be at run-time, mk/ssl.mk should be adapted to
set SSLCERTBUNDLE.

PR pkg/58143: security/gnutls uses wrong trust anchors

Log message:
*: recursive bump for icu 76 shlib major version bump

Log message:
gnutls: gnu99 isn't valid for USE_CC_FEATURES

Log message:
gnutls: update test results comment

Log message:
gnutls: fix builds with older GCCs, e.g., 7.5 on NetBSD 9.x

Log message:
gnutls: require gnu99 for non-constant initializer element

Log message:
gnutls: updated to 3.8.8

Version 3.8.8 (released 2024-11-05)

** libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key \ 
exchange in TLS 1.3
   The support for post-quantum key exchanges has been extended to
   cover the final standard of ML-KEM, following
   draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of
   liboqs is bumped to 0.11.0.

** libgnutls: All records included in an OCSP response are now checked in TLS
   Previously, when multiple records are provided in a single OCSP
   response, only the first record was considered; now all those
   records are examined until the server certificate matches.

** libgnutls: Handling of malformed compress_certificate extension is now more \ 
standard compliant
   The server behavior of receiving a malformed compress_certificate
   extension now more strictly follows RFC 8879; return
   illegal_parameter alert instead of bad_certificate, as well as
   overlong extension data is properly rejected.

** build: More flexible library linking options for compression libraries, TPM, \ 
and liboqs support
   The configure options, --with-zstd, --with-brotli, --with-zlib,
   --with-tpm2, and --with-liboqs now take 4 states:
   yes/link/dlopen/no, to specify how the libraries are linked or
   loaded.

** API and ABI modifications:
No changes since last version.