zino: update to version 2.5.1.
Pkgsrc changes:
* version-bump + checksums + PLIST update.
* Require 0.2.1 of py-netsnmp-cffi.
Upstream changes:
- Add `zping` CLI utility to check if a Zino daemon is alive by
querying its SNMP agent for uptime.
([#528](https://github.com/Uninett/zino/issues/528))
- Configuration errors in `zino.toml` now report the underlying
parser message (with line and column) for syntax errors, and
friendlier messages â<80><94> including key suggestions â<80><94>
for validation errors. ([#539](https://github.com/Uninett/zino/issues/539))
- Single-interface link state verification no longer crashes with
an `AssertionError` when the target interface has disappeared from
[13 lines not shown]
Reject and normalize non-colon NIC MAC addresses
## Problem
A custom NIC MAC entered with dash, no-separator, or mixed separators (e.g. `10-66-6A-1F-F1-B1`) passed the permissive `mac` pattern but libvirt's `defineXML` only parses colon-separated MACs, so the container/VM saved fine and then failed to start with `XML error: unable to parse mac address`. The colon-only `MACAddr(separator=':')` guard the VM plugin used through electriceel was dropped when devices moved to the pydantic models at fangtooth, and containers (26.0+) never had it, so these values can already be sitting in `vm_device` and `container_device`.
## Solution
- Tightened the shared `MACAddress` type to colon-only with a clear message, and switched the v27 VM and Container NIC `mac` fields to use it (removing the duplicated permissive inline pattern). Frozen API versions are left as-is.
- Added a migration that normalizes existing NIC MACs in both `vm_device` and `container_device` to libvirt's canonical lowercase colon form, regenerating the rare value that isn't a real MAC. This is required because `*.device.query` re-validates rows through the model, so an un-normalized non-colon MAC would otherwise make `query` fail once the pattern is tightened. Normalization preserves the user's intended address and heals instances that were stuck failing to start.
Mark LastEpilogIdx as maybe_unused (#204857)
#203108 added a variable which is read only in debug builds, so we are
seeing warning in release builds without asserts.
Convert SSH plugin to typesafe pattern
## Context
Migrates the `ssh` plugin from the legacy dict-based `SystemServiceService` to the typesafe pattern, matching the `ups`/`ftp` shape.
## Solution
Split the single `ssh.py` into a package: a lean `SSHService` (`generic = True`) in `__init__.py` delegating to `SSHServicePart` in `config.py`, with the host-key helpers moved to plain functions in `keys.py`. `config`/`update` now return the `SSHEntry` Pydantic model in-process, so every internal consumer was updated: the `sshd_config` mako and the SSH `config.py` renderer `.model_dump()` the model at the top, and the in-process callers (`keychain`, `failover` nftables, the `service_` start/reload hooks, and the plugin's own `setup()`) were switched from string `middleware.call('ssh.…')` to typed `call2`/`call_sync2`. The only remaining string call is `etc.py`'s dynamic `CtxMethod` dispatch, which has no static method handle. Registered the service in `main.py` and added the package to the mypy workflow.
py-netsnmp-cffi: upgrade to version 0.2.1.
Pkgsrc changes:
* Version + checksum updates.
Upstream changes:
Fixed
* Fix ffi.error from a size mismatch between the cdef and the
real C layout of struct enum_list, by marking the cdef declaration
as flexible. The mismatch caused crashes on platforms where
CFFI verifies struct sizes against the C compiler (e.g.
NetBSD/pkgsrc builds of net-snmp), any time MIB enumerations
were looked up. (#23)
Added
* Test suite now also tests on Python 3.13 and 3.14.
* Wheel build/publish process also builds wheels for Python 3.13 and 3.14.
[flang][OpenMP] Scope-qualify user-defined reduction names in lowering (#202474)
A named !$omp declare reduction was lowered to an omp.declare_reduction
operation whose symbol name was just the bare reduction name (e.g.
`@a`), without any scope qualification. Semantic name resolution was
correct and gave each scope its own reduction symbol, but lowering
deduplicates the declare reduction op by name, so two subroutines that
declared a reduction with the same name collapsed onto a single op.
As a result, a reduction(name:var) clause could bind to a declaration
that leaked in from a different scope.
Per OpenMP 6.0 7.6.14, a user-defined reduction has the same visibility
and accessibility as a variable declared at the same location.
Qualify the generated op name with the scope in which the reduction is
declared using mangleName, the same approach already used for
omp.private and declare mapper. This is applied consistently when the op
is created, when a clause references it, and when its existence is
[2 lines not shown]
[flang][OpenMP] Emit warning that REVERSE_OFFLOAD is not supported (#204647)
Right now we quietly ignore it, whereas the OpenMP spec mandates a
compilation error for requirements that the implementation does not
support.
The REVERSE_OFFLOAD was not causing a compilation error to allow testing
of incremental implementation improvements, but we should at least warn
about not supporting it.
clang/AMDGPU: Fix double linking opencl libs with --libclc-lib
Noticed by inspection. If using an explicit --libclc-lib flag,
do not attempt to also link the rocm device libs which will contain
different implementations of the same opencl symbols.
Co-Authored-By: Claude <noreply at anthropic.com>
clang/AMDGPU: Merge toolchain subclasses
Simplify the toolchain implementations by collapsing
them into one. Previously we had a confusing split. The
AMDGPUToolChain base class implemented much of the base
support. It was subclassed by ROCMToolChain, which would
have been more accurately described as the offloading subclass.
That was further subclassed into HIP and OpenMP specific subclasses.
Deleting those two is the important part of this change. There was
code duplication, and features arbitrarily handled in one but not
the other. The offload kind is passed in almost everywhere if you
really need to know the original language. However, I consider
this an antifeature, and it is really poor QoI to have the HIP
and OpenMP toolchains behave differently in any way. The platform
should be consistent and the driver behaviors should not depend
on the language.
There is additional mess in the handling of spirv, which this
[9 lines not shown]
clang/AMDGPU: Remove artificial restriction on --gpu-max-threads-per-block
Previously this flag was only handled for HIP, and would produce an unused
argument warning. Also use a simpler method for forwarding the flag to cc1.
Convert SSH plugin to typesafe pattern
## Context
Migrates the `ssh` plugin from the legacy dict-based `SystemServiceService` to the typesafe pattern, matching the `ups`/`ftp` shape.
## Solution
Split the single `ssh.py` into a package: a lean `SSHService` (`generic = True`) in `__init__.py` delegating to `SSHServicePart` in `config.py`, with the host-key helpers moved to plain functions in `keys.py`. `config`/`update` now return the `SSHEntry` Pydantic model in-process, so every internal consumer was updated: the `sshd_config` mako and the SSH `config.py` renderer `.model_dump()` the model at the top, and the in-process callers (`keychain`, `failover` nftables, the `service_` start/reload hooks, and the plugin's own `setup()`) were switched from string `middleware.call('ssh.…')` to typed `call2`/`call_sync2`. The only remaining string call is `etc.py`'s dynamic `CtxMethod` dispatch, which has no static method handle. Registered the service in `main.py` and added the package to the mypy workflow.
Revert "[libc] Implement basename and dirname in libgen.h (#204554)" (#204856)
Reverted due to death tests failing with ASan on buildbots. Reverts
commit 29692c150f86d76cfb58e8bf2c0e97dc6afd2088.
[RFC][CodeGen] Add generic target feature checks for intrinsics
This PR adds target-independent infrastructure for annotating LLVM intrinsics
with required subtarget feature expressions.
It introduces a TargetFeatures string field to intrinsic TableGen records.
TableGen emits an intrinsic-to-feature mapping table.
Both SelectionDAG and GlobalISel now perform this check before lowering target
intrinsics. This allows targets to opt in by annotating intrinsic definitions
directly, rather than adding custom checks during lowering, legalization, or
instruction selection.
This PR uses one AMDGPU intrinsic as an example.
[RFC][IR] Extract AMDGPU-specific verification logic into `VerifierAMDGPU.cpp`
`Verifier.cpp` is large and already mixes generic IR verification with
target-specific checks. We also have a growing amount of AMDGPU verifier logic
downstream, which would all end up in the same file if we don't address this,
and that is not ideal.
This patch extracts AMDGPU-specific verification logic into a separate
`VerifierAMDGPU.cpp` file, with shared infrastructure (`VerifierSupport`) moved
into `VerifierInternal.h`.
This is purely a code organization change, not a target-dependent IR verifier.
All checks remain compiled and linked into `LLVMCore` regardless of the target
triple. The extracted functions are called unconditionally at well-defined
extension points in `Verifier.cpp`, and each function internally gates on
target-specific conditions (for example, triple checks or intrinsic IDs) as
needed. The file is strictly limited to AMDGPU-specific IR constructs (amdgcn
intrinsics, AMDGPU module flags, etc.), and does not contain generic IR rules
that vary by target.
[10 lines not shown]
[x64][win] Windows x64 unwind v3: Use tail-relative epilog offsets and add size-based splitting (#203108)
Win64 Unwind v3 encodes each epilog's EpilogOffset as a signed 16-bit
field. The encoder previously measured the first epilog offset from the
fragment start, which overflowed for large functions and produced a
cryptic "<unknown>:0: value too large for field" error (and, on the
early .seh_handlerdata path, an assertion failure).
Two changes:
- MCWin64EH.cpp: Always emit epilog offsets tail-relative. The first
epilog descriptor is measured from the fragment end and subsequent ones
as deltas from the previous epilog, so descriptors are emitted in
descending address order (all non-positive, per spec). A new lazy
MCUnwindV3EpilogOffsetTargetExpr resolves the fragment-end-relative
value at layout time (it may not have a symbol yet when emitted via
.seh_handlerdata) and reports a clean, function-named diagnostic on
genuine overflow.
[11 lines not shown]
[MemorySanitizer] Merge x86 BMI and PackedBits handlers into handleGenericBitManipulation (#204786)
As discussed on #204144 - its not necessary to have separate handlers, just because some are target intrinsics
www/nginx{,-devel}: Update to 1.30.3/1.31.2
Update nginx and nginx-devel to the latest security releases.
The quarterly branch was updated manually to account for changes
present in main that are not part of 2026Q2.
Security: CVE-2026-42055, CVE-2026-48142, CVE-2026-42530
Sponsored by: Netzkommune GmbH
