./sysutils/cfengine3, Tool for automating system administration



Branch: CURRENT, Version: 3.24.1, Package name: cfengine-3.24.1, Maintainer: pettai

Cfengine, or the "configuration engine", is a very high-level language
for building expert systems which administer and configure large
computer networks. Cfengine uses the idea of classes and a primitive
form of intelligence to define and automate the configuration of
large systems in the most economical way possible. Cfengine is
designed to be part of a computer immune system.

Cfengine 3 is operationally backwards compatible with Cfengine 2, but the
language is not. Cfengine 3 is not a drop-in replacement for Cfengine 2.


Required to run:
[textproc/libxml2] [www/curl] [security/openssl] [devel/pcre] [databases/tokyocabinet] [textproc/libyaml]

Required to build:
[pkgtools/cwrappers]

Package options: tokyocabinet

Master sites:

Filesize: 3305.742 KB


CVS history:


   2025-02-19 18:18:01 by Thomas Klausner | Files touched by this commit (6) | Package updated
Log message:
cfengine3: update to 3.24.1 (latest LTS release)

Fixes build with openssl 3. Upstream now includes pkgsrc masterfile.
Builds and installs, otherwise untested, but that's an improvement to
not building...

3.24.1:
	- Added logging CFEngine component related SELinux denials in cf-support
	  (ENT-12137)
	- Agent now also ignores interfaces listed in ignore_interfaces.rx when
	  looking for IPv6 interface info. Variables such as
	  'default:sys.hardware_mac[<INTERFACE>]' will no longer be defined for
	  ignored interfaces. (ENT-11840)
	- Atomic copy_from in files promise
	  Changes to 'files' promise in 'copy_from' attribute:
	  - The new file (i.e., '<FILENAME>.cfnew') is now created with correct
	    permission during remote copy. Previously it would be created with
	    default permissions.
	  - The destination file (i.e., '<FILENAME>') is no longer deleted on
	    backup during file copy. Previously it would be renamed to
	    '<FILENAME>.cfsaved', causing the original file to disappear. Now an
	    actual copy of the original file with the same permissions is created
	    instead.
	  As a result, there will no longer be a brief moment where the original
	  file is inaccessible. (ENT-11988)
	- commands promises with exit codes not matching any
	  _returncodes attributes from classes body now log an
	  error message, not just an info message (CFE-4429, ENT-12103)

3.24.0:
	- Added a sanity check to policy parser that checks for and warns
	  in case of promise declarations with no actions. The motivation
	  for this check is to aid policy writers in detecting semantic
	  errors early. (ENT-11137)
	- Added sys.os_name_human for Alpine, postmarketOS, OpenBSD and NetBSD
	- Added warning log message when OS is not recognized (CFE-4342)
	- Adjusted locale settings in masterfiles stage common script to
	  handle more cases (ENT-11885)
	- Adjusted package module inventory to include quotes around
	  fields when needed (CFE-4341)
	- Added 'sys.os_name_human' and 'sys.os_version_major' variables
	  for Amazon. Additionally changed value of 'sys.flavor' from
	  'AmazonLinux' to 'amazon_linux_2', so that it is similar to other
	  supported Linux distros. This change was necessary, due to the
	  fact that the 'sys.os_version_major' variable is derived from
	  it. However, the 'AmazonLinux' class previously derived from
	  'sys.flavor' is still defined for backwards compatibility.
	  (ENT-10817)
	- CFEngine now uses PCRE2 for regular expressions (ENT-10629)
	- CFEngine processes no longer suffer from the "Invalid argument"
	  issues when working with LMDB (ENT-11543)
	- Changed cf-apache systemd unit to reload configuration gracefully
	  (ENT-11526)
	- Changed cf-execd's sleep behavior so it attempts to wake up at
	  the beginning of every minute (ENT-11765)
	- File copying now uses more efficient implementation on Linux
	  platforms (CFE-4380)
	- Fixed bug in double expansion of foreign list variables with namespaces
	  (ENT-11923)
	- Fixed bug related to failing backwards directory traversal when
	  using forward slashes in path argument of the findfiles_up()
	  policy function on Windows.
	- Fixed bug where 'default:sys.fqhost' contained many spaces when domain is
	  set in body common control (CFE-4053)
	- Fixed cf-support call to cf-promises to collect all classes and vars
	  (CFE-4300)
	- Fixed package promises with only promisers and no other attributes
	  (CFE-4315, CFE-4398, CFE-4408)
	- Modified package promise default. If platform_default is present
	  use that package module. (CFE-4315)
	- Ownership of symlinks is now handled properly (ENT-11235)
	- SELinux no longer breaks exporting large reports as PDF (ENT-11154)
	- The 'arglist' attribute in the 'commands' promises now preserves
	  whitespaces in the arguments. Whitespaces are currently not preserved on
	  Windows, or if the 'useshell' attribute is set to anything other than
	  '"noshell"'. (CFE-2724, CFE-4294)
	- Trailing newline on insert_tree promisers no longer removes
	  ending tag for select_xpath (CFE-3806)
	- cf-agent has two new options --no-augments and
	  --no-host-specific-data to skip loading augments
	  (def.json or def_preferred.json) and host-specific
	  data (host_specific.json), respectively (ENT-10792)
	- cf-agent now has a new option --skip-bootstrap-service-start to
	  skip starting CFEngine services during the bootstrap process
	  (ENT-11932)
	- cf-runalerts.service no longer exists, alerts are now
	  periodically run by cf-reactor (ENT-11538)
	- depth_search acting on a non-directory promiser now handles such
	  file as if the promise didn't use depth_search. A warning is issued in this case.
	  (ENT-8996)
	- masterfiles-stage.sh now supports a new --check-only option
	  (ENT-9386)
	- Added new policy variable 'sys.cfengine_roles'. This
	  variable is a string list, containing "Reporting hub" if cf-hub
	  exists (hub package installed), "Policy server" if the host is
	  bootstrapped to itself ('policy_server' class defined), and just
	  "Client" if none of the other options are true.
	- Added 2 new classes correlating to the values in 'sys.cfengine_roles':
	  'cfengine_reporting_hub' and 'cfengine_client'.

3.23.0:
	- Added selinux policy to allow cf-hub to initiate scheduled reports
	  (ENT-10696, ENT-9825)
	- Added version_compare() policy function (CFE-3991)
	- Bodies can now inherit attributes containing global variables
	  (CFE-4254)
	- Cached policy function results now take into account number of arguments
	  and function name (CFE-4244)
	- Fixed infinite loop on error bug while reading interface exception file
	- Fixed inventoried policy release id when masterfiles-stage.sh deploys with cfbs
	  (ENT-10832)
	- Improved locale override in masterfiles stage scripts (ENT-10753)
	- Improved syntax description for validjson() (ENT-9759)
	- Made cf-support use coredumpctl for core analysis only when configured in
	  kernel.core_pattern (ENT-9985)
	- Modified classesmatching() function to search parent bundles with
	  inherit => true (ENT-5850)
	- Moved expected location of ignore_interfaces.rx from $(sys.inputdir) to
	  $(sys.workdir). If the file is found in $(sys.inputdir) but not in
	  $(sys.workdir), we will still process it for backwards compatibility,
	  but issue a warning prompting the user to move it to the appropriate
	  location. (ENT-9402)
	- Only CFEngine processes are now killed as expired lock owners
	  (CFE-3982)
	- SELinux no longer blocks CFEngine daemons in reading security parameters from
	  /proc/sys/kernel (ENT-9684)
	- cf-hub is now allowed to use the TLS kernel module on
	  SELinux-enabled systems (ENT-9727)
	- cf_lock.lmdb is no longer restored from backup on
	  every boot (CFE-3982)
	- packagesmatching() and packageupdatesmatching() now look for the software
	  inventory databases in the state directory and use them if found. This
	  change enables the usage of these functions in standalone policy files
	  without the demand for specifying the default package inventory attribute
	  in body common control. However, you still need the default package
	  inventory attribute specified in the policy framework for the software
	  inventory databases to exist in the first place and to be maintained.
	  (ENT-9083)
	- CFEngine locks are now purged dynamically based on the local locks DB
	  usage/size ranging from no purging (<=25% usage) (ENT-8201, CFE-2136, ENT-5898)
	- `cf-check repair` now rotates DB files with high usage (>95%) (CFE-3374)
	- Full LMDB files are now handled gracefully by moving them aside and using new
	  empty LMDB files (ENT-8201)
	- `cf-check repair` now supports the `--test-write` option to check if DBs can
	  be written to as part of identifying DBs that need repairing (CFE-3375)
	- `cf-check diagnose` now shows DB usage and a hint if rotation is required
	- /usr/bin/getent is now attempted to be used if /bin/getent doesn't exist
	  (CFE-4256)

3.22.0:
	- Added --help option to cf-support and aligned output with other
	  components (ENT-9740)
	- Added classes and vars to cf-support (CFE-4160)
	- Added condition to runalerts service to require stamp directory
	  (ENT-9711)
	- Added mctp_socket class to selinux policy (ENT-10206)
	- Added native core dump handling in cf-support for Solaris (ENT-9786)
	- Added needed SELinux class lockdown for latest RHEL 9 hosts (ENT-9685)
	- Adjusted cf-support for exotic/legacy POSIX systems (ENT-9340)
	- Adjusted cf-support for hpux mktemp command (ENT-9786)
	- Directories are now created with correct perms (CFE-4114)
	- Variables & classes modules automatically tagged (ENT-7725)
	- Changed bootstrap policy to preserve log level for debug, verbose,
	  and info (CFE-4121)
	- Created new policy function isreadable (ENT-9380)
	- Enabled expireafter attribute for custom promise types (CFE-4083)
	- Enabled install-time SELinux policy compiling (ENT-9685)
	- Expired agents now terminate custom promise modules (CFE-4083)
	- Fixed debug module expand logging for scalars (CFE-4122)
	- Fixed syntax description of validjson() (ENT-9759)
	- Prevented cf-support from searching more than 1 level for core files
	  (ENT-9981)
	- Started checking status of all cf- prefixed systemd services in
	  cf-support (ENT-9804)
	- validjson() no longer accepts trailing bogus data (CFE-4080)

3.21.0:
	- Added cf-support utility for generating support information
	  (ENT-9037)
	- Adjusted cf-check and package module code for empty updates list
	  (ENT-9050)
	- '$(this.promiser)' can now be used in 'files' promise
	  attributes 'if', 'ifvarclass' and 'unless'
	  (CFE-2262, ENT-7008)
	- Fixed storage promise for nfs on MacOS (CFE-4093)
	- Fixed definition of _low_ldt class from cf-monitord (CFE-4022)
	- Insertion of contents of a file with blank lines into
	  another file with blank lines no longer results in
	  mixed content (ENT-8788)
	- Added suggestion to use a negative lookahead when non-convergent edits
	  are attempted
	  (CFE-192)
	- Unresolved function calls that return scalar values
	  are now considered OK for constraints expecting
	  strings during syntax check (CFE-4094)
	- cf-monitord now honors monitorfacility in body monitor control
	  (ENT-4492)
	- cf-serverd now periodically reloads its policy if it
	  contains unresolved variables (e.g. $(sys.policy_hub)
	  in 'allowconnect'). (ENT-8456)
	- cf-serverd now starts in the network-online.target on
	  systemd-based systems (ENT-8456)
	- edit_line bundles can now use the new
	  $(edit.empty_before_use) variable mirroring the value of
	  edit_defaults=>empty_before_use of the related files promise
	  (ENT-5866)
	- Package modules with unresolved variables in their
	  names are now skipped in package queries (ENT-9377)
	- Removed unsupported name_connect capability for udp_socket class
	  (ENT-8824)
	- 'meta' attribute can now be used in custom promises (CFE-3440)
	- Custom promise modules can now support the 'action_policy'
	  feature allowing promises of their custom types to be used
	  in dry-run and simulation modes and in combination with
	  'action_policy => "warn"'. (CFE-3433)
	- Use of custom promise modules that don't fully specify
	  protocol now results in warning (CFE-3433)
	- Warnings are logged if levels of log messages from
	  custom promise modules don't match results of their
	  related promises (CFE-3433)
	- Adjusted SELinux policy for RHEL 9 (ENT-8824)
	- Fixed SELinux policy to allow hub to send emails (ENT-9557, ENT-9473)
	- SELinux no longer breaks SQL queries with large result
	  sets on RHEL 8 hubs (ENT-9496)
	- Added SELinux LDAP port access for Mission Portal (ENT-9694)
	- Allowed ciphers are now properly split into TLS 1.3
	  cipher suites and ciphers used for TLS 1.2 and older
	  (ENT-9018)
	- Fixed git_cfbs_deploy_refspec in masterfiles_stage leaving temp dir
	  (ENT-9039)

3.20.0:
	- 'rxdirs' now defaults to "false". This means that the read permission
	  bit no longer implies execute bit for directories, by default.
	  Permission bits will be exactly as specified. To restore the old behavior
	  you can still enable 'rxdirs' explicitly. (CFE-951)
	- 'N' or 'Ns' signal specs can now be used to sleep
	  between signals sent by 'processes' promises
	  (CFE-2207, ENT-5899)
	- Directories named .no-distrib are no longer copied from policy server
	  (in bootstrap/failsafe) (ENT-8079)
	- Files promises using content attribute or template method now create
	  files by default unless `create => "false"` is specified. (CFE-3955,
	  CFE-3916)
	- template_method mustache and inline_mustache now create file in promiser,
	  if template rendering was successful and file does not exist. (ENT-4792)
	- Added support for use of custom bodies in custom promise types
	  (CFE-3574)
	- Custom promise modules now never get promise data with unresolved variables
	  (CFE-3434)
	- Custom promises now use standard promise locking and support ifelapsed
	  (CFE-3434)
	- Enable comment-attribute for custom promise types (CFE-3432)
	- cf-secret encrypt now encrypts for localhost if no key or host is
	  specified (CFE-3874)
	- CFEngine now builds with OpenSSL 3 (ENT-8355)
	- CFEngine now requires OpenSSL 1.0.0 or newer (ENT-8355)
	- Moved Skipping loading of duplicate policy file messages from VERBOSE to DEBUG
	  (CFE-3934)
	- CFEngine processes now try to use getent if the builtin user/group
	  info lookup fails (CFE-3937)
	- No longer possible to undefine reserved hard classes (ENT-7718)
	- Unspecified 'rxdirs' now produces a warning (CFE-951)
	- Fixed wrong use of log level in users promises log messages (CFE-3906)
	- Fixed default for ignore_missing_bundles and ignore_missing_inputs
	  The issue here was that these attributes should default to false,
	  but when they are assigned with an unresolved variable, they
	  would default to true. (ENT-8430)
	- Added protocol 3 (cookie) to syntax description (ENT-8560)
	- Moved errors from data_sysctlvalues from inform to verbose (CFE-3818)
	- Fixed inconsistencies with methods promises and missing bundles
	  Previously, methods promises acted differently depending on if
	  you specify the bundle with usebundle or in the promiser string.
	  This change removes the inconsistent checking which was only
	  happening on promises with usebundle. It also ensures that
	  the agent will abort if trying to use an undefined bundle,
	  regardless of whether it was using promiser string or usebundle.
	  This change, combined with the fix for ignore_missing_bundles
	  and ignore_missing_inputs, allow you to use inputs and bundles
	  conditionally (like we do for the enterprise federation policy)
	  and still have the agent abort in the correct situations
	  (when a bundle is actually missing and you haven't enabled
	  ignore_missing_bundles). The downside is that there are some
	  potential situations where undefined bundles would be detected
	  earlier previously (both correctly and incorrectly).  (ENT-8430)

3.19.0:
	- -N/--negate now prevents persistent classes from being defined
	  (ENT-5886)
	- 'null' JSON value is now handled as empty data in augments/host-specific data
	  (ENT-7434)
	- Added a new common control attribute 'system_log_level'
	  For specifying the minimum log level required for log messages to
	  go to the system log. (ENT-7594)
	- Added support for cfbs managed policy set to masterfiles staging script (ENT-7709)
	- Trailing commas can now be used in policy argument lists (CFE-3734)
	- Changed cf-key option --print-digest to take an optional argument.
	  cf-key now defaults to the public key file in workdir, if no argument
	  is specified or an empty string is given as the argument. (CFE-3682)
	- Cached functions are now always called inside promises with
	  'iflapsed => "0"' (CFE-3754)
	- Enabled 'handle' attribute for custom promise types (CFE-3439)
	- Enabled 'depends_on' attribute for custom promise types (CFE-3438)
	- Enabled 'with' attribute for custom promise types (CFE-3441)
	- Don't fail on new file creation when backups are enabled
	  (CFE-3640)
	- Extended 'hostsseen()' policy function to return host keys (CFE-2546)
	- Moved httpd.pid to root of httpd workdir (ENT-7966)
	- Only real changes in files now produce info messages (CFE-3708)
	- Reports with unexpanded variable references are now
	  attempted to be held off until the reference expands
	  (CFE-3776)
	- Set apache umask to 0177 (ENT-7948)
	- The --skip-bootstrap-policy-run option now skips the update policy
	  (ENT-7500, ENT-7511)
	- Added measurement names in cf-check dump (ENT-7452)
	- Value of '$(with)' is now expanded even if it contains unresolved variable
	  references (CFE-3776)
	- cf-serverd now binds to both IPV6 and IPV4 if bindtointerface is unspecified
	  (ENT-7362)
	- cf-serverd now reports if fails to bind to all possible addresses/interfaces
	  (ENT-7362)
	- Fixed dbm_quick.c DBPrivRead() argument type (CFE-3737)
	- Fixed dbm_tokyocab.c DBPrivRead() argument type (CFE-3737)
	- Fixed crashes (Segfaults) in VariableIsSecret() (ENT-7678)
	- Fixed crashes (Segfaults) in VariablesMatching() (ENT-7678)

3.18.0:
	- "No action for file" warning is no longer triggered when only
	  'content => "something"' is used (CFE-3507)
	- "source=promise_iteration" variables are no longer created in
	  foreign bundles (ENT-7029)
	- 'cf-remote install' now supports the '--trust-keys' option for
	  pre-establishing trust before bootstrap (CFE-3485)
	- 'cf-remote spawn' now supports adding new VMs to an existing group
	  (CFE-3502)
	- 'rename => newname()' now supports relative paths (CFE-3537)
	- 'variables' and 'classes' in CMDB and augments data now support
	  'comment' fields (CFE-3638)
	- Included custom promise type libraries in src tarball
	  (CFE-3575, CFE-3576)
	- --ignore-preferred-augments now sets a hard class; ignore_preferred_augments
	  This class makes it easy for cf-agent / cf-execd policy to
	  propagate the option to other binaries (CFE-3656)
	- Added 'classes' body support for custom promises (CFE-3437)
	- Added a new --simulate=manifest-full mode
	  New simulation mode that manifests all changed files as well as
	  all other files evaluated by the agent run which were not skipped
	  (by file selection rules) (CFE-3506)
	- Added a new runagent_socket_allow_users body executor control attribute
	  A new attribute that tells cf-execd to grant access to the
	  runagent.socket to the specified users (ENT-6735)
	- Added checks to return value from getpwuid & getgrgid (CFE-3521)
	- Added int() policy function (CFE-3616)
	- Added new command line option: --ignore-preferred-augments
	  This option causes the agent to ignore def_preferred.json
	  always reading def.json (old behavior) (CFE-3656)
	- Added policy function type()
	- Added policy function findfiles_up (CFE-3577)
	- Added policy variable sys.os_name_human (CFE-3569)
	- Added policy variable sys.os_version_major (CFE-3569)
	- Added shell library for custom promise types with cp example
	  (CFE-3516)
	- Added string() policy function (CFE-3476)
	- Augments data now supports meta information for classes
	  and a new 'variables' object for variables with meta information
	  (CFE-3633)
	- Fixed case where malformed input could trigger buffer overflow
	  in policy function format (CFE-3525)
	- Ability to report some number of lines from the END of a file by
	  specifying number_of_lines as a negative number using printfile
	  (CFE-3558)
	- CFEngine binaries now load host specific data
	  ($(sys.workdir)/data/host_specific.json) before Augments relative
	  to policy entry (def.json) (ENT-6789)
	- CFEngine processes are now properly identified in syslog on
	  non-GNU/Linux systems (ENT-7100)
	- CMDB data now supports meta information for classes
	  and a new 'variables' object for variables with meta information
	  (CFE-3633)
	- Changed custom promise type interpreter attribute to be optional
	  (CFE-3562)
	- Changed files promise repaired log level to verbose (CFE-3631)
	- Changed log message about whitespace in class expressions to be error
	  (CFE-3560)
	- Changed sys var attribute names:
	  "OS type" was changed to "Kernel", "OS kernel" was changed to
	  "Kernel Release" (ENT-6551)
	- Clarified error log message about untrusted state directory not being private
	  (CFE-3599)
	- Classes from augments are now defined as soft classes
	  within the 'namespace' context instead of being hard
	  classes. Policies using classes from augments in policy files
	  using namespaces need to be updated to refer to the augments
	  classes with the 'default:' prefix (CFE-3632)
	- Custom promise modules using JSON protocol now support data attributes
	  (CFE-3654)
	- Custom promise modules using JSON protocol now support slist attributes
	  (CFE-3444)
	- Custom promise types can now be declared in separate files (CFE-3510)
	- Custom promise types can now report back result classes (CFE-3515)
	- Custom promises now support the 'log_level' attribute (CFE-3436)
	- Each custom promise module is now only spawned once
	  and handles all promises of its matching type(s) (CFE-3572)
	- Early failing custom promises now properly set result classes
	  (CFE-3645)
	- Exit code from remote agent run is now sent to cf-runagent (CFE-3594)
	- Fixed crash when attempting to put methods promises in bundles
	  which are not agent bundles (CFE-3672)
	- Fixed memory leak in package module code (ENT-5752)
	- Fixed memory leak in simulate mode (CFE-3498)
	- Fixed some more sign-compare warnings (CFE-3415)
	- Improved error handling / logging of data received from promise module
	- Improved log messages for commands promise outcomes and return codes
	  (CFE-3604)
	- Made errors about failed validation of custom promises less noisy
	- Namespace and bundle can now be specified in augments and CMDB data
	  (CFE-3633)
	- New observations of root owned SETUID programs moved from WARN to NOTICE
	  (ENT-6519)
	- Policy function format() no longer truncates strings larger than 4KiB
	  (CFE-2686)
	- Policy function storejson() no longer truncates strings larger
	  than 4096 bytes (CFE-2507)
	- Promise type is now sent to custom promise modules (CFE-3563)
	- Reduced the noise caused by packages promises being skipped in
	  evaluation passes 2 and 3 (ENT-6553)
	- Set Filedescriptor Limit to a more practical Size (CFE-3625)
	- Stopped emitting warning and recording result when observing new
	  SETGID files (ENT-6750)
	- Stopped updating files promise result with WARN (notkept) when
	  setuid files are encountered (ENT-6519)
	- Unspecified 'files' constraints no longer cause '_kept' classes
	  to be defined (CFE-3578)
	- Updated contrib/masterfiles-stage scripts and instructions to be
	  accurate (ENT-6165)
	- Fixed using a custom promise module with two different
	  interpreters results in an error (CFE-3572)
	- Value of the 'files_single_copy' body control attribute is now logged in
	  verbose logging mode (CFE-3622)
	- Variables and classes defined in cmdb cannot be re-defined in
	  augments (ENT-7079)
	- Verbose log now contains comments associated with 'vars' and
	  'classes' promises (CFE-2442, CFE-2443)
	- cf-agent now checks that promise module logs expected errors
	- cf-agent now sends correct information to promise module in header
	- cf-execd now executes cf-agent for "localhost" requests via the
	  runagent.socket (ENT-7090)
	- cf-execd now handles requests to run cf-runagent on given hosts
	  (ENT-6182)
	- cf-execd now runs cf-agent from a child process instead of a
	  thread on POSIX systems (ENT-6182)
	- cf-runagent now exits with a code reflecting remote agent run
	  status(es) (CFE-3594)
	- cf-serverd now supports systemd-based socket activation
	- def_preferred.json is now used instead of def.json if it exists
	  Old clients will ignore it, allowing you to have 2
	  versions of the augments file, 1 for compatibility
	  with old clients, and 1 for utilizing the new features.
	  (CFE-3656)
	- files_single_copy body agent control attribute can now be an
	  empty list (CFE-3622)
	- files_single_copy no longer treats paths of copied files as
	  regular expressions (CFE-3621)
	- log_level is properly sent to promise modules in both validate
	  and evaluate requests (CFE-3564)
	- unless can now be used with custom promise types (CFE-3431)
	- CFEngine processes now reuse log facility from previous run for
	  early logging before policy is loaded (ENT-6955)

3.17.0:
	- cf-agent can now simulate the changes done to files in a chroot, printing
	  diff or manifest information about what it would do in a normal evaluation.
	  Use the new command line option: `--simulate=diff` or `--simulate=manifest`.
	  Please note that only files and packages promises are simulated currently.
	- Custom promise types can now be added using promise modules (CFE-3273)
	- cf-monitord now uses /proc/net/* files to get network information if
	  possible (CFE-2945)
	- Added new policy function execresult_as_data() (CFE-3315)
	- Added optional argument to execresult for choosing between stdout and
	  stderr (CFE-3108)
	- Outcome classes are now always defined for promiser in files promises
	  (CFE-3369)
	- and(), or(), not() now return boolean and cannot be used directly in
	  slist vars. They can now be used in other places where a boolean is
	  expected. (Most notably and / or promise attributes). The return values
	  can be converted to strings using concat(), if necessary (CFE-3470)
	- Backgrounded commands are now correctly executed in the child process
	  (CFE-3379)
	- CFEngine policy bodies can now be completely empty
	- Directory listings in files changes monitoring are now only updated
	  when there is a change (CFE-3382)
	- Promises with 'action => bg()' no longer break reporting data (ENT-6042)
	- Spaces inside square brackets (slist/data index) are now allowed in
	  class expressions (CFE-3320)
	- Variables specifying data/list names in @() references are now expanded
	  (CFE-2434)
	- Added warnings when trying to use {{.}} to expand containers in mustache
	  templates (CFE-3457, CFE-3489)
	- Limited unqualified host and domain name to 511 characters (CFE-3409)
	- AVCs are no longer produced for CFEngine processes accessing /proc/net
	  (CFE-3240)
	- Fixed how we check for `--cols` argument to `ps` (ENT-6098)
	- Fixed a memory leak in users promises
	- Fixed a small memory leak in cf-promises (CFE-3461)
	- Fixed expansion of variables in data/list references (CFE-3299)

3.16.0:
	- Added 'cf-secret' binary for host-specific encryption (CFE-2613)
	- 'cf-check diagnose --test-write' can now be used to test writing
	  into LMDB files (ENT-4484)
	- 'if' constraint now works in combination with class contexts
	  (CFE-2615)
	- Added $(sys.cf_version_release) variable (ENT-5348)
	- Added new macros to parser: else, maximum_version, between_versions,
	  before_version, at_version and after_version. Version macros now
	  accept single digits (CFE-3198)
	- Added cf-postgres requirement to cf-apache and cf-hub systemd units
	  (ENT-5125)
	- Added files promise content attribute (CFE-3276)
	- Added string_trim() policy function (CFE-3074)
	- Added warning if CSV parser parses nothing from non-empty file
	  (CFE-3256)
	- All changes made by 'files' promises are now reported. Also,
	  directory and file creations are now properly reported as 'info'
	  messages. And failures in edit_xml result in promises marked as
	  failed not interrupted. Purged dirs and files are reported as
	  repaired (ENT-5291, CFE-3260)
	- Bootstrap to loopback interface is now allowed, with a warning
	  (CFE-3304)
	- Client initiated reporting was fixed on RHEL 8.1 (ENT-5415)
	- Fixed rare crashing bug when parsing zombie entries in ps output. The
	  problem was only ever observed on AIX, but could theoretically happen
	  on any platform depending on exact libc behavior. (ENT-5329)
	- Fixed an issue causing duplicate entries in sys.interfaces, and
	  sys.hardware. (CFE-3046)
	- Fixed ifelse() to return fallback in case of unresolved variables
	  (ENT-4653)
	- Fixed locking of promises using log_repaired / log_string with
	  timestamps (CFE-3376)
	- Fixed memory leak in handling of inline JSON in policy evaluation
	- Fixed memory leak in readlist functions (CFE-3263)
	- Fixed race condition when multiple agents are acquiring critical
	  section locks simultaneously (CFE-3361)
	- Fixed selection of standard_services when used from non-default
	  namespace (ENT-5406)
	- Fixed service status cfengine3 on systemd managed hosts (ENT-5528)
	- Fixed some memory leaks and crashes in policy evaluation (CFE-3263)
	- Improved error message for invalid body attribute names (CFE-3273)
	- Improved management of secondary groups to avoid intermediary state
	  failures (ENT-3710)
	- LMDB files are now created with correct permissions (ENT-5986)
	- Log messages about broken Mustache templates are now errors (CFE-3263)
	- Made classfiltercsv() fail properly on invalid class expression index
	- Measurements promises with no match no longer produce errors
	  (ENT-5171)
	- Moved error reading file in countlinesmatching() from verbose to error
	  (CFE-3234)
	- Added new data validation policy functions validdata() and validjson()
	  (CFE-2898)
	- New version checking convenience policy functions (CFE-3197)
	  Added the following policy functions to check against local CFEngine version:
	  - cf_version_maximum()
	  - cf_version_minimum()
	  - cf_version_after()
	  - cf_version_before()
	  - cf_version_at()
	  - cf_version_between()
	- Removed (USE AT YOUR OWN RISK) from cf-key help menu for -x (ENT-5090)
	- Rewrote helloworld.cf to use files promises content attribute
	  (CFE-3276)
	- The outcome classes are now defined for the top-level directory when
	  'include_basedir' is 'false' (ENT-5291)
	- Variable references with nested parentheses no longer cause errors
	  (CFE-3242)
	- cf-check: Added a more user friendly message when trying to print
	  unknown binary data (ENT-5234)
	- cf-check: Added data validation for cf_lastseen.lmdb (CFE-2988)
	- cf-check: Added nice printing for nova_agent_executions.lmdb
	  (ENT-5234)
	- cf-check: Added validation for timestamps in cf_lock.lmdb (CFE-2988)
	- cf-check: Added validation for timestamps in lastseen.lmdb (CFE-2988)
	- cf-check: Fixed issue causing repair to target the wrong database file
	  (ENT-5309)
	- cf-check: Symlinked LMDB databases are now preserved in repair
	  Performs diagnosis and repair on symlink target instead of symlink.
	  Repaired files / copies are placed alongside symlink target.
	  In some cases, the symlink target is deleted to repair a corrupt
	  database, and the symlink is left as a broken symlink. This is
	  handled gracefully by the agent, it will be recreated. Broken
	  symlinks are now detected as an acceptable condition in diagnose,
	  it won't try to repair them or delete them. (ENT-5162)
	- storage promises managing nfs mounts should now correctly mount
	  after editing fstab entries

   2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2429)
Log message:
*: recursive bump for icu 76 shlib major version bump

   2024-11-01 13:55:19 by Thomas Klausner | Files touched by this commit (2426)
Log message:
*: revbump for icu downgrade

   2024-11-01 01:54:33 by Thomas Klausner | Files touched by this commit (2427)
Log message:
*: recursive bump for icu 76.1 shlib bump

   2024-05-29 18:35:19 by Adam Ciarcinski | Files touched by this commit (1929) | Package updated
Log message:
revbump after icu and protobuf updates

   2024-05-16 08:15:47 by Thomas Klausner | Files touched by this commit (692)
Log message:
*: recursive bump for gnutls p11-kit option

(existing installations need the bl3.mk included, but it's now only
optionally included)

   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1

   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3