From 7d394417e09e876ece1f88761c554ef753cf4b57 Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot <buildbot@flatcar-linux.org>
Date: Mon, 2 Feb 2026 07:30:00 +0000
Subject: [PATCH] net-libs/gnutls: Sync with Gentoo

It's from Gentoo commit dad2d80945d6ed01047c3f9b07efda49d4f681a1.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
---
 .../portage-stable/net-libs/gnutls/Manifest   |   2 +
 .../net-libs/gnutls/gnutls-3.8.10-r1.ebuild   |   2 +-
 .../net-libs/gnutls/gnutls-3.8.10.ebuild      |   2 +-
 .../net-libs/gnutls/gnutls-3.8.11.ebuild      | 164 ++++++++++++++++++
 .../net-libs/gnutls/gnutls-3.8.9-r1.ebuild    |   2 +-
 .../net-libs/gnutls/metadata.xml              |   3 +
 6 files changed, 172 insertions(+), 3 deletions(-)
 create mode 100644 sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.11.ebuild

diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
index 9a71dff8b4..3100e6b719 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
@@ -1,4 +1,6 @@
 DIST gnutls-3.8.10.tar.xz 6909856 BLAKE2B 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d SHA512 d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
 DIST gnutls-3.8.10.tar.xz.sig 566 BLAKE2B 32af044eb25978b752428d72a597f44457b6f3979d79e5b9e224523d6ef3bd213a0887960dddce84b97db78a9ebbbbd6b034adaa0dd7a1dd2d1db30527f5b42c SHA512 72d6dd2c23f768f5041c3dca0f49b3f60cd01fc960ce77f097094a2aae6d76fddeb6295c425e3750c711d5f700957a62268aecc4873e53c31abb60eecf0fd4a8
+DIST gnutls-3.8.11.tar.xz 6939944 BLAKE2B 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6 SHA512 68f9e5bec3aa6686fd3319cc9c88a5cc44e2a75144049fc9de5fb55fef2241b4e16996af4be5dd48308abbee8cfaed6c862903f6bb89aff5dfa5410075bd7386
+DIST gnutls-3.8.11.tar.xz.sig 566 BLAKE2B 411c166ae5daf58ec325a1f2b528cb40decff01bc78e30346394d7b9c88189b0c93891208045beac8d5e3f701e918b5a5bcf0914700396f391d024ff16266e5f SHA512 90883e5736299b103844ca42b85d371969ef66b50b60cb185e814ad9978598796e9ed07a590245ff28ac6ac084b1dee93fae0845576464583a5941835990957d
 DIST gnutls-3.8.9.tar.xz 6847364 BLAKE2B 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7 SHA512 b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7
 DIST gnutls-3.8.9.tar.xz.sig 566 BLAKE2B 3e723c90186a00b33f1d036c564039f7340ae495400f05d31bb054dad93a9529be4761ba9f97b2df51e8483dd1433c902cf5b8f9bdc127d0f540c9faf82a8f1c SHA512 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10-r1.ebuild
index 45a48a147b..bded588c41 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10-r1.ebuild
@@ -17,7 +17,7 @@ LICENSE="GPL-3 LGPL-2.1+"
 # Subslot format:
 # <libgnutls.so number>.<libgnutlsxx.so number>
 SLOT="0/30.30"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
 IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd"
 REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
index 84c0b9c87a..39988f5ddd 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
@@ -17,7 +17,7 @@ LICENSE="GPL-3 LGPL-2.1+"
 # Subslot format:
 # <libgnutls.so number>.<libgnutlsxx.so number>
 SLOT="0/30.30"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
 IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd"
 REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.11.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.11.ebuild
new file mode 100644
index 0000000000..1fa771060b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.11.ebuild
@@ -0,0 +1,164 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnutls.asc
+inherit libtool multilib-minimal verify-sig
+
+DESCRIPTION="Secure communications library implementing the SSL, TLS and DTLS protocols"
+HOMEPAGE="https://www.gnutls.org/"
+SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )"
+
+LICENSE="GPL-3 LGPL-2.1+"
+# As of 3.8.0, the C++ library is header-only, but we won't drop the subslot
+# component for it until libgnutls.so breaks ABI, to avoid pointless rebuilds.
+# Subslot format:
+# <libgnutls.so number>.<libgnutlsxx.so number>
+SLOT="0/30.30"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 sslv2 sslv3"
+IUSE+=" systemtap static-libs test test-full +tls-heartbeat tools zlib zstd"
+REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 tls-heartbeat tools )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
+	dev-libs/libunistring:=[${MULTILIB_USEDEP}]
+	>=dev-libs/nettle-3.10:=[gmp,${MULTILIB_USEDEP}]
+	>=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
+	brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] )
+	dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
+	nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
+	pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )
+	zlib? ( virtual/zlib:=[${MULTILIB_USEDEP}] )
+	zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="
+	${RDEPEND}
+	test-full? ( sys-libs/libseccomp )
+	systemtap? ( dev-debug/systemtap )
+"
+BDEPEND="
+	dev-build/gtk-doc-am
+	>=virtual/pkgconfig-0-r1
+	doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+	test-full? (
+		app-crypt/dieharder
+		|| ( sys-libs/libfaketime >=app-misc/datefudge-1.22 )
+		dev-libs/softhsm:2[-bindist(-)]
+		net-dialup/ppp
+		net-misc/socat
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20240415 )
+"
+
+DOCS=( README.md doc/certtool.cfg )
+
+HTML_DOCS=()
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	# gnulib FPs
+	MIN
+	alignof
+	static_assert
+)
+
+src_prepare() {
+	default
+
+	# bug #520818
+	export TZ=UTC
+
+	use doc && HTML_DOCS+=( doc/gnutls.html )
+
+	# don't try to use system certificate store on macOS, it is
+	# confusingly ignoring our ca-certificates and more importantly
+	# fails to compile in certain configurations
+	sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die
+
+	# Fails with some combinations of USE="brotli zlib zstd"
+	# https://gitlab.com/gnutls/gnutls/-/issues/1721
+	# https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
+	cat <<-EOF > tests/system-override-compress-cert.sh || die
+	#!/bin/sh
+	exit 77
+	EOF
+	chmod +x tests/system-override-compress-cert.sh || die
+
+	elibtoolize
+}
+
+multilib_src_configure() {
+	LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
+
+	local libconf=()
+
+	# TPM needs to be tested before being enabled
+	# Note that this may add a libltdl dep when enabled. Check configure.ac.
+	libconf+=(
+		--without-tpm
+		--without-tpm2
+	)
+
+	# hardware-accel is disabled on OSX because the asm files force
+	#   GNU-stack (as doesn't support that) and when that's removed ld
+	#   complains about duplicate symbols
+	[[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration )
+
+	# -fanalyzer substantially slows down the build and isn't useful for
+	# us. It's useful for upstream as it's static analysis, but it's not
+	# useful when just getting something built.
+	export gl_cv_warn_c__fanalyzer=no
+
+	local myeconfargs=(
+		--disable-valgrind-tests
+		$(multilib_native_enable manpages)
+		$(multilib_native_use_enable doc gtk-doc)
+		$(multilib_native_use_enable doc)
+		$(multilib_native_use_enable test tests)
+		$(multilib_native_use_enable test-full full-test-suite)
+		$(multilib_native_use_enable test-full seccomp-tests)
+		$(multilib_native_use_enable tools)
+		$(use_enable cxx)
+		$(use_enable dane libdane)
+		$(use_enable nls)
+		$(use_enable openssl openssl-compatibility)
+		$(use_enable sslv2 ssl2-support)
+		$(use_enable sslv3 ssl3-support)
+		$(use_enable static-libs static)
+		$(use_enable systemtap crypto-auditing)
+		$(use_enable tls-heartbeat heartbeat-support)
+		$(use_with brotli '' link)
+		$(use_with idn)
+		$(use_with pkcs11 p11-kit)
+		$(use_with zlib '' link)
+		$(use_with zstd '' link)
+		--disable-rpath
+		--with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+		--with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt
+		--without-included-libtasn1
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}"
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# gnulib ends up defining its own pthread_mutexattr_gettype
+		# otherwise, which is causing versioning problems
+		echo "#define PTHREAD_IN_USE_DETECTION_HARD 1" >> config.h || die
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	if use examples; then
+		docinto examples
+		dodoc doc/examples/*.c
+	fi
+}
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.9-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.9-r1.ebuild
index bebeaf8b1a..9a7f3cfc80 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.9-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.9-r1.ebuild
@@ -17,7 +17,7 @@ LICENSE="GPL-3 LGPL-2.1+"
 # Subslot format:
 # <libgnutls.so number>.<libgnutlsxx.so number>
 SLOT="0/30.30"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
 IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd"
 REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml
index f20c363977..c619456d57 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/metadata.xml
@@ -27,6 +27,9 @@
 		<flag name="sslv3">
 			Support for the old/insecure SSLv3 protocol
 		</flag>
+		<flag name="systemtap">
+			Support crypto-auditing probes via <pkg>dev-debug/systemtap</pkg>
+		</flag>
 		<flag name="test-full">
 			Enable full test mode
 		</flag>