From c07d92e1b325851ae16e64b74885bff0e55887a6 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Wed, 24 Aug 2022 12:59:01 +0200 Subject: [PATCH 1/2] net-libs/gnutls: update to 3.7.7 Update net-libs/gnutls to 3.7.7 mainly to address CVE-2022-2509. --- .../portage-stable/net-libs/gnutls/Manifest | 8 +- .../gnutls-3.7.4-configure-compression.patch | 63 -------- .../net-libs/gnutls/gnutls-3.7.2.ebuild | 137 ------------------ ...nutls-3.7.4.ebuild => gnutls-3.7.6.ebuild} | 28 ++-- ...ls-3.7.3-r1.ebuild => gnutls-3.7.7.ebuild} | 36 +++-- .../net-libs/gnutls/metadata.xml | 85 +++++------ 6 files changed, 83 insertions(+), 274 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.7.4-configure-compression.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.2.ebuild rename sdk_container/src/third_party/portage-stable/net-libs/gnutls/{gnutls-3.7.4.ebuild => gnutls-3.7.6.ebuild} (83%) rename sdk_container/src/third_party/portage-stable/net-libs/gnutls/{gnutls-3.7.3-r1.ebuild => gnutls-3.7.7.ebuild} (70%) diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest index c966044906..f468c56dbe 100644 --- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest +++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest 
@@ -1,4 +1,4 @@
-DIST gnutls-3.7.2.tar.xz 6091508 BLAKE2B f408ff65f2e08cf294b449dfac64a272a8ba40e987618960f57ee36c167a25974711ab8d11bdbd6335fbf18ac902a79b5c6b40bb6a37f4ee07549832d0611df2 SHA512 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329
-DIST gnutls-3.7.3.tar.xz 6119292 BLAKE2B 811e6fbb62fbd35fa63e66cfcbfc3bf899cea5cece1d2a68bc650f507df0f7be9f59c707c90fa19b7ef5a52455a663da49682704e0884af06075c566afbfc0bf SHA512 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
-DIST gnutls-3.7.4.tar.xz 6131772 BLAKE2B 1c44528952275f48e4e458558c4e03c5b90dfb267482d6815f6c836f9530abb486a23ae5ea70ba2db7e272eee8e2066b259374f02a9bb9e714487466fd5994c9 SHA512 38b488ca1223d9aa8fc25756df08db6f29aaf76fb5816fdeaa14bd89fb431a2e1c495fefc64094f726337d5b89e198146ec7dc22e9a1bca6841a9d881b0d99e6
-DIST gnutls-3.7.4.tar.xz.sig 685 BLAKE2B ad485450abb916a229984f8f0d74fe7c46a0a87627f9d739f8121dccf36f4ca454007178f2a4e9bd5fffa2813363481bf80eaeee40f86e1b9c23b1f25dff7b4c SHA512 74b8badd67e215313583bd25c7b639207860af45d6f5cbcb81f1aaf46dacf0992b6d06876979594688e13dac5b8b27ba39935626374b4ddaa3e48118bbc2e7de
+DIST gnutls-3.7.6.tar.xz 6338276 BLAKE2B 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3 SHA512 f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+DIST gnutls-3.7.6.tar.xz.sig 685 BLAKE2B eae022d6cb0d772e465257411381afd97f3dfd19d6f794a1c3e0f8c3c1232a8a1b91269ca7252a5662782183b11ca393c31efe3f88171a526884400fd0534528 SHA512 c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e
+DIST gnutls-3.7.7.tar.xz 6351664 BLAKE2B a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 SHA512 ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08
+DIST gnutls-3.7.7.tar.xz.sig 685 BLAKE2B 53d76a06ed5a74664d6c193459eb310f06e87dd3db97aca9e9fa78837677df58d8de66f187c182b9375786ee0308c5da55f08414183c959c7acb4527c38cd7c7 SHA512 6463bc4661e20051ff9f31c1a557cece34d06b748f4e24f98e807ddc72a3daa9348aa9f0afa83a0f9cd226421c575210eec1936fbeb9a55849e2c397ace9d03d
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.7.4-configure-compression.patch b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.7.4-configure-compression.patch
deleted file mode 100644
index edd688d9b5..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.7.4-configure-compression.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -https://gitlab.com/gnutls/gnutls/-/merge_requests/1557 - -From: Sam James -Date: Fri, 18 Mar 2022 05:40:28 +0000 -Subject: [PATCH 1/2] configure.ac: fix brotli/zstd configure argument name - -The old `./configure` arguments for brotli and zstd respectively -were inconsistent with the `./configure --help` output. - -Old: --without-libbrotli --without-libzstd (also --with-*) -New: --without-brotli --without-zstd (also --with-*) - -Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1342 -Signed-off-by: Sam James ---- a/configure.ac -+++ b/configure.ac -@@ -1010,7 +1010,7 @@ if test x$ac_zlib != xno; then - fi - AC_SUBST(LIBZ_PC) - --AC_ARG_WITH(libbrotli, -+AC_ARG_WITH(brotli, - AS_HELP_STRING([--without-brotli], [disable brotli compression support]), - ac_brotli=$withval, ac_brotli=yes) - AC_MSG_CHECKING([whether to include brotli compression support]) -@@ -1033,7 +1033,7 @@ else - fi - AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" != "no" && test "$with_libbrotlidec" != "no") - --AC_ARG_WITH(libzstd, -+AC_ARG_WITH(zstd, - AS_HELP_STRING([--without-zstd], [disable zstd compression support]), - ac_zstd=$withval, ac_zstd=yes) - AC_MSG_CHECKING([whether to include zstd compression support]) -GitLab - -From: Sam James -Date: Fri, 18 Mar 2022 05:51:29 +0000 -Subject: [PATCH 2/2] configure.ac: fix zstd detection - -Fixes typo in zstd detection. - -None of the used autoconf macros will define `has_zstd_h` so -configure will (AFAICT) always fail to find zstd, even if it succeeded -via pkg-config moments before. - -Drop it and rely solely on pkg-config as that's the only search -we're actually doing. 
- -Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1343 -Signed-off-by: Sam James ---- a/configure.ac -+++ b/configure.ac -@@ -1040,7 +1040,7 @@ AC_MSG_CHECKING([whether to include zstd compression support]) - if test x$ac_zstd != xno; then - AC_MSG_RESULT(yes) - PKG_CHECK_MODULES(LIBZSTD, [libzstd >= 1.3.0], [with_libzstd=yes], [with_libzstd=no]) -- if test "${with_libzstd}" = "yes" && test "${has_zstd_h}" = "yes"; then -+ if test "${with_libzstd}" = "yes"; then - AC_DEFINE([HAVE_LIBZSTD], 1, [Define if ZSTD compression is enabled.]) - if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then - GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd" -GitLab diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.2.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.2.ebuild deleted file mode 100644 index 5448b73bad..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.2.ebuild +++ /dev/null 
@@ -1,137 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit libtool multilib-minimal - -DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols" -HOMEPAGE="https://www.gnutls.org/" -SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz" - -LICENSE="GPL-3 LGPL-2.1+" -SLOT="0/30" # libgnutls.so number -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind" - -REQUIRED_USE=" - test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )" -RESTRICT="!test? ( test )" - -# NOTICE: sys-devel/autogen is required at runtime as we -# use system libopts -RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}] - dev-libs/libunistring:=[${MULTILIB_USEDEP}] - >=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}] - >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}] - tools? ( sys-devel/autogen:= ) - dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] ) - guile? ( >=dev-scheme/guile-2:=[networking] ) - nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] ) - pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] ) - idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )" -DEPEND="${RDEPEND} - test? ( - seccomp? ( sys-libs/libseccomp ) - )" -BDEPEND=">=virtual/pkgconfig-0-r1 - doc? ( dev-util/gtk-doc ) - nls? ( sys-devel/gettext ) - tools? ( sys-devel/autogen ) - valgrind? ( dev-util/valgrind ) - test-full? 
( - app-crypt/dieharder - >=app-misc/datefudge-1.22 - dev-libs/softhsm:2[-bindist(-)] - net-dialup/ppp - net-misc/socat - )" - -DOCS=( - README.md - doc/certtool.cfg -) - -HTML_DOCS=() - -pkg_setup() { - # bug#520818 - export TZ=UTC - - use doc && HTML_DOCS+=( - doc/gnutls.html - ) -} - -src_prepare() { - default - - # force regeneration of autogen-ed files - local file - for file in $(grep -l AutoGen-ed src/*.c) ; do - rm src/$(basename ${file} .c).{c,h} || die - done - - # don't try to use system certificate store on macOS, it is - # confusingly ignoring our ca-certificates and more importantly - # fails to compile in certain configurations - sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die - - # Use sane .so versioning on FreeBSD. - elibtoolize -} - -multilib_src_configure() { - LINGUAS="${LINGUAS//en/en@boldquot en@quot}" - - local libconf=() - - # TPM needs to be tested before being enabled - libconf+=( --without-tpm ) - - # hardware-accell is disabled on OSX because the asm files force - # GNU-stack (as doesn't support that) and when that's removed ld - # complains about duplicate symbols - [[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration ) - - # Cygwin as does not understand these asm files at all - [[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration ) - - local myeconfargs=( - $(multilib_native_enable manpages) - $(multilib_native_use_enable doc gtk-doc) - $(multilib_native_use_enable doc) - $(multilib_native_use_enable guile) - $(multilib_native_use_enable seccomp seccomp-tests) - $(multilib_native_use_enable test tests) - $(multilib_native_use_enable test-full full-test-suite) - $(multilib_native_use_enable tools) - $(multilib_native_use_enable valgrind valgrind-tests) - $(use_enable cxx) - $(use_enable dane libdane) - $(use_enable nls) - $(use_enable openssl openssl-compatibility) - $(use_enable sslv2 ssl2-support) - $(use_enable sslv3 ssl3-support) - $(use_enable static-libs static) - 
$(use_enable tls-heartbeat heartbeat-support) - $(use_with idn) - $(use_with pkcs11 p11-kit) - --disable-rpath - --with-default-trust-store-file="${EPREFIX}/etc/ssl/certs/ca-certificates.crt" - --with-unbound-root-key-file="${EPREFIX}/etc/dnssec/root-anchors.txt" - --without-included-libtasn1 - $("${S}/configure" --help | grep -o -- '--without-.*-prefix') - ) - ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}" -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - - if use examples; then - docinto examples - dodoc doc/examples/*.c - fi -} diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.4.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.6.ebuild similarity index 83% rename from sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.4.ebuild rename to sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.6.ebuild index 6eaf9997a9..15710987c2 100644 --- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.4.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.6.ebuild @@ -4,7 +4,7 @@ EAPI=7 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnutls.asc -inherit autotools multilib-minimal verify-sig +inherit libtool multilib-minimal verify-sig DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols" HOMEPAGE="https://www.gnutls.org/" 
@@ -12,10 +12,8 @@ SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz" SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )" LICENSE="GPL-3 LGPL-2.1+" -SLOT="0/30" # libgnutls.so number -# Drop keywords while figuring out what to do (if anything) about USE=cxx ABI break -# https://gitlab.com/gnutls/gnutls/-/commit/f746f7d4be0070395834bef8e7f7b6f9c8d3158b -#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +SLOT="0/30.30" # . +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" IUSE="brotli +cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind zlib zstd" REQUIRED_USE="test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )" @@ -56,10 +54,6 @@ DOCS=( README.md doc/certtool.cfg ) HTML_DOCS=() -PATCHES=( - "${FILESDIR}"/${P}-configure-compression.patch -) - pkg_setup() { # bug #520818 export TZ=UTC @@ -78,16 +72,7 @@ src_prepare() { sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die # Use sane .so versioning on FreeBSD. - #elibtoolize - - # Need eautoreconf for: - # 1) gtk-doc macro fix - # (once fixed, we can drop unconditional gtk-doc-am BDEPEND too) - # see https://gitlab.com/gnutls/gnutls/-/issues/1341 - # - # 2) configure fixes for brotli, zstd - # see https://gitlab.com/gnutls/gnutls/-/issues/1343 - eautoreconf + elibtoolize } multilib_src_configure() { 
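Review bot: The `KEYWORDS=` line re-enabled in gnutls-3.7.6.ebuild carries stable keywords (amd64, arm, arm64, ...), while the commit message names 3.7.7 as the version that addresses CVE-2022-2509, so by that description this adds a stable ebuild for a release without the fix. Portage would normally pick 3.7.7, but a pin or a mask on 3.7.7 would fall back to 3.7.6. If 3.7.6 is kept only to mirror the upstream Gentoo tree, say so in the commit message; otherwise drop gnutls-3.7.6.ebuild together with the two `DIST gnutls-3.7.6.tar.xz*` Manifest lines. This applies to the second hunk of the file section (`@@ -12,10 +12,8 @@`).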
@@ -110,6 +95,11 @@ multilib_src_configure() { # Cygwin as does not understand these asm files at all [[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration ) + # -fanalyzer substantially slows down the build and isn't useful for + # us. It's useful for upstream as it's static analysis, but it's not + # useful when just getting something built. + export gl_cv_warn_c__fanalyzer=no + local myeconfargs=( $(multilib_native_enable manpages) $(multilib_native_use_enable doc gtk-doc) diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.3-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.7.ebuild similarity index 70% rename from sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.3-r1.ebuild rename to sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.7.ebuild index b8efb393ff..12d7654cc6 100644 --- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.3-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.7.ebuild 
@@ -1,18 +1,20 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit libtool multilib-minimal +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnutls.asc +inherit libtool multilib-minimal verify-sig DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols" HOMEPAGE="https://www.gnutls.org/" SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )" LICENSE="GPL-3 LGPL-2.1+" -SLOT="0/30" # libgnutls.so number -KEYWORDS="~alpha amd64 arm ~arm64 hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind" +SLOT="0/30.30" # . +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="brotli +cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind zlib zstd" REQUIRED_USE="test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )" RESTRICT="!test? ( test )" 
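Review bot: The signature check wired in here is conditional: `SRC_URI+=" verify-sig? ( ... .tar.xz.sig )"` and the `verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20220320 )` BDEPEND in a later hunk only apply when the `verify-sig` USE flag is set, and nothing in this patch shows it being set for the SDK build. With the flag off, the BLAKE2B/SHA512 entries in Manifest are the only integrity check on the 3.7.7 tarball. I would record in the commit message whether those hashes were copied from the Gentoo tree or regenerated after checking the upstream signature.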
@@ -21,16 +23,21 @@ RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}] dev-libs/libunistring:=[${MULTILIB_USEDEP}] >=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}] >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}] + brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] ) dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] ) guile? ( >=dev-scheme/guile-2:=[networking] ) nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] ) - pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] ) - idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )" + pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] ) + idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] ) + zlib? ( sys-libs/zlib[${MULTILIB_USEDEP}] ) + zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND} test? ( seccomp? ( sys-libs/libseccomp ) )" -BDEPEND=">=virtual/pkgconfig-0-r1 +BDEPEND=" + dev-util/gtk-doc-am + >=virtual/pkgconfig-0-r1 doc? ( dev-util/gtk-doc ) nls? ( sys-devel/gettext ) valgrind? ( dev-util/valgrind ) @@ -40,7 +47,8 @@ BDEPEND=">=virtual/pkgconfig-0-r1 dev-libs/softhsm:2[-bindist(-)] net-dialup/ppp net-misc/socat - )" + ) + verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20220320 )" DOCS=( README.md doc/certtool.cfg ) @@ -73,6 +81,7 @@ multilib_src_configure() { local libconf=() # TPM needs to be tested before being enabled + # Note that this may add a libltdl dep when enabled. Check configure.ac. libconf+=( --without-tpm --without-tpm2 @@ -86,6 +95,11 @@ multilib_src_configure() { # Cygwin as does not understand these asm files at all [[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration ) + # -fanalyzer substantially slows down the build and isn't useful for + # us. It's useful for upstream as it's static analysis, but it's not + # useful when just getting something built. + export gl_cv_warn_c__fanalyzer=no + local myeconfargs=( $(multilib_native_enable manpages) $(multilib_native_use_enable doc gtk-doc) 
@@ -104,14 +118,18 @@ multilib_src_configure() { $(use_enable sslv3 ssl3-support) $(use_enable static-libs static) $(use_enable tls-heartbeat heartbeat-support) + $(use_with brotli) $(use_with idn) $(use_with pkcs11 p11-kit) + $(use_with zlib) + $(use_with zstd) --disable-rpath --with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt --with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt --without-included-libtasn1 $("${S}/configure" --help | grep -o -- '--without-.*-prefix') ) + ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}" } diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml index 8f171c8ee7..8a72ba7694 100644 --- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml 
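Review bot: `$(use_with brotli)` and `$(use_with zstd)` pass `--with-brotli`/`--with-zstd` (or the `--without-` forms), and the patch deleted in this same commit documents that configure.ac registered these options as `libbrotli`/`libzstd` in 3.7.4 while `--help` advertised the short names. If the 3.7.7 tarball does not contain that rename, configure would ignore the flags and pick the compression libraries up by auto-detection regardless of USE; this is presumably fixed upstream since the patch is dropped, but the hunk does not show it. A short comment above the three lines would help the next bump, e.g. `# brotli/zstd: option names fixed by upstream MR 1557; check AC_ARG_WITH in configure.ac`. `multilib_src_configure` begins before this hunk, so the rest of the option list is not visible here.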
@@ -1,46 +1,47 @@ - - base-system@gentoo.org - - - - Enable brotli decompression support via app-arch/brotli - - - Build libgnutls-dane, implementing DNS-based Authentication of - Named Entities. Requires net-dns/unbound - - - Build openssl compatibility libraries - - - Add support for PKCS#11 through app-crypt/p11-kit - - - Build extra tools - - - Enable the Heartbeat Extension in TLS and DTLS - - - Support for the old/insecure SSLv2 protocol - - - Support for the old/insecure SSLv3 protocol - - - Enable full test mode - - - Enable usage of dev-util/valgrind in debug - - - - Reflect ABI compatibility of libgnutls.so - - - cpe:/a:gnu:gnutls - + + base-system@gentoo.org + + + + Enable brotli decompression support via app-arch/brotli + + + Build libgnutls-dane, implementing DNS-based Authentication of + Named Entities. Requires net-dns/unbound + + + Build openssl compatibility libraries + + + Add support for PKCS#11 through app-crypt/p11-kit + + + Build extra tools + + + Enable the Heartbeat Extension in TLS and DTLS + + + Support for the old/insecure SSLv2 protocol + + + Support for the old/insecure SSLv3 protocol + + + Enable full test mode + + + Enable usage of dev-util/valgrind in debug + + + + Reflect ABI compatibility of libgnutls.so + + + cpe:/a:gnu:gnutls + gnutls/gnutls + From 0cc5999ce895b5cfb0b1c80d05d655db0f298bbe Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Wed, 24 Aug 2022 13:48:01 +0200 Subject: [PATCH 2/2] changelog: add changelog for gnutls 3.7.7 --- .../portage-stable/changelog/security/2022-08-24-gnutls-3.7.7.md | 1 + .../portage-stable/changelog/updates/2022-08-24-gnutls-3.7.7.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/changelog/security/2022-08-24-gnutls-3.7.7.md create mode 100644 sdk_container/src/third_party/portage-stable/changelog/updates/2022-08-24-gnutls-3.7.7.md 
diff --git a/sdk_container/src/third_party/portage-stable/changelog/security/2022-08-24-gnutls-3.7.7.md b/sdk_container/src/third_party/portage-stable/changelog/security/2022-08-24-gnutls-3.7.7.md new file mode 100644 index 0000000000..acab64569c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/changelog/security/2022-08-24-gnutls-3.7.7.md @@ -0,0 +1 @@ +- gnutls ([CVE-2022-2509](https://nvd.nist.gov/vuln/detail/CVE-2022-2509)) diff --git a/sdk_container/src/third_party/portage-stable/changelog/updates/2022-08-24-gnutls-3.7.7.md b/sdk_container/src/third_party/portage-stable/changelog/updates/2022-08-24-gnutls-3.7.7.md new file mode 100644 index 0000000000..3b6fc3217d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/changelog/updates/2022-08-24-gnutls-3.7.7.md @@ -0,0 +1 @@ +- gnutls ([3.7.7](https://gitlab.com/gnutls/gnutls/-/tags/3.7.7))