python-psycopg2: bump to 2.9.12

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-lxml: bump to 6.1.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-cython: bump to 3.2.5

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-awscli: fix stale assertion in test.sh

awscli 1.45.19 no longer exposes awscli.topics.TOPIC_TAGS, so the test
raised an AssertionError (silently, as the heredoc exit code was ignored).
Drop the brittle check and make the smoke test fail hard if the CLI driver
cannot be created.

Signed-off-by: Alexandru Ardelean <redacted>

python-rsa: add test-version.sh generic version-check override

The pyrsa-* command line tools use argparse and do not print the package
version with any of the flags probed by the CI generic version check, so it
reports "No executables in the package provided version" and fails. Add a
test-version.sh override; functionality remains covered by test.sh.

Signed-off-by: Alexandru Ardelean <redacted>

python-jmespath: install jp as a non-byte-compiled command

Upstream ships its jp command-line tool as a plain "jp.py" script. Under
that name OpenWrt byte-compiles it into a non-executable /usr/bin/jp.pyc
(and the -src package keeps a "#!/usr/bin/env python" jp.py, which has no
interpreter on OpenWrt), so it fails the CI generic executable check.

Install it as /usr/bin/jp instead: the missing .py extension stops it from
being byte-compiled and Python3/FixShebang rewrites the shebang to
/usr/bin/python3. Add a test-version.sh override since jp takes a required
expression argument and has no version flag for the generic check to probe.

Signed-off-by: Alexandru Ardelean <redacted>

python-awscli: bump to 1.45.19

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-boto3: bump to 1.43.19

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-botocore: bump to 1.43.19

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

numpy: bump to 2.4.6

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

taglib: bump to 2.3

Refresh sha256 from upstream release tarball.

Signed-off-by: Alexandru Ardelean <redacted>

ngtcp2: bump to 1.23.0

Refresh sha256 from upstream release tarball.

Signed-off-by: Alexandru Ardelean <redacted>

nghttp3: bump to 1.16.0

Refresh sha256 from upstream release tarball.

Signed-off-by: Alexandru Ardelean <redacted>

quickjs: add basic evaluation test

Add basic JS evaluation test and move version check to override.

Signed-off-by: George Sapkin <redacted>

quickjs: bump to 2026.06.04

Changes: https://bellard.org/quickjs/Changelog
Signed-off-by: George Sapkin <redacted>

onionshare-cli: drop dependency for python3-pysocks and python3-unidecode

- Python3-pysocks was removed as it was not maintained in commit 95fe4bf3327b316c9184f4f17e09266e979ecf17 ("python-pysocks: remove outdated and not maintained package")

- Python3-unidecode was removed in commit 09951a9cfdf47b560b5bd00db1dd92ceffd5724b ("python-unidecode: drop unmaintained package"), because there is no official support for Python 3.12 and it is still using setup.py, which is deprecated.

Fixes:
```
WARNING: Makefile 'package/feeds/packages/onionshare-cli/Makefile' has a dependency on 'python3-pysocks', which does not exist
WARNING: Makefile 'package/feeds/packages/onionshare-cli/Makefile' has a dependency on 'python3-unidecode', which does not exist
```

Signed-off-by: Josef Schlehofer <redacted>

perl: install libperl.so using $(INSTALL_BIN) to enable stripping

Install libperl.so with executable permissions (0755) instead of copying
it as-is.

This allows the OpenWrt build system to recognize the library as a binary and
automatically run the "strip" utility on it. Stripping removes unnecessary
debugging metadata and helper symbols that are only needed for development but
not for running Perl on the router.

This change reduces the installed size of libperl.so on the device:
- Before (not stripped): 3.7 MB (3,929,652 bytes)

```
root@turris:~# file /usr/lib/perl5/5.40/CORE/libperl.so
/usr/lib/perl5/5.40/CORE/libperl.so: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked, with debug_info, not stripped
```

- After (stripped):     3.5 MB (3,674,081 bytes)

```
root@turris:~# file /usr/lib/perl5/5.40/CORE/libperl.so
/usr/lib/perl5/5.40/CORE/libperl.so: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked, no section header
```

Saving ~255 KB of flash storage space on target devices.

Signed-off-by: Josef Schlehofer <redacted>

treewide: add or correct license information

Add or correct license information across multiple packages.

Signed-off-by: Wei-Ting Yang <redacted>

tor: update to 0.4.9.9 stable

Minor release, see the changelog [1] for what's new.

[1] https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.9.9/ChangeLog

Signed-off-by: Rui Salvaterra <redacted>

adguardhome: bump to 0.107.77

Changes: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.77
Signed-off-by: David Mandy <redacted>

python3: fix host python extension compilation on macOS

On macOS (Darwin) hosts, building host Python C extensions (such as Cython) using the '-shared' flag and linking against '-lpython3.x' causes the host Python interpreter to load a duplicate copy of the Python runtime. This leads to type checking mismatches and segmentation faults (SIGSEGV) when importing the compiled extension.

For example, running:
    ./staging_dir/hostpkg/bin/python3 -c "import Cython.Utils"
crashes with:
    Segmentation fault: 11

To build shared modules correctly on macOS, they must be compiled as bundles using the '-bundle -undefined dynamic_lookup' flags instead of '-shared', and they should not link against the Python library (no '-lpython3.x' in LDFLAGS).

Fix this by dynamically adjusting LDSHARED and LDFLAGS in python3-host.mk when the host OS is Darwin.

Signed-off-by: Josef Schlehofer <redacted>

privoxy: add support for https inspection

Creates CA and server cert for use with https inspection

Signed-off-by: Richard Schneidt <redacted>

openldap: add version check override

The slapd daemon uses -V, and ldapsearch uses -VV. The libopenldap
sub-package provides only shared libraries.

Signed-off-by: W. Michael Petullo <redacted>

openldap: update to 2.6.13

Upstream record of changes is available at
https://git.openldap.org/openldap/openldap.

Signed-off-by: W. Michael Petullo <redacted>

perl: fix version check in test-version.sh

Enable version checking for the main perl package.
Previously, the version check for perl was skipped. Add a check
that runs perl -v and verifies that the output matches PKG_VERSION.

Signed-off-by: Josef Schlehofer <redacted>

libxslt: add test-version.sh

xsltproc doesn't say it's own version but only dependcies it compiled on

Signed-off-by: Seo Suchan <redacted>

luajit2: add test-version.sh

luajit2 use build number at -v, but releases are named by date

Signed-off-by: Seo Suchan <redacted>

nginx: update to 1.30.2

Large version jump from 1.26.3 to 1.30.2
(upstream stable).
changelogs at https://nginx.org/en/CHANGES-1.30,
https://nginx.org/en/CHANGES-1.28 .include security fixs.

Signed-off-by: Seo Suchan <redacted>

python-orjson: update to 3.11.9

3.11.8 failed to build against the SDK's stable rust 1.96.0: build.rs enabled
orjson's "cold_path" cargo feature for rustc >= 1.95.0, activating an unstable
feature gate that errors with E0554. 3.11.9 drops it; plain version bump.

Signed-off-by: Alexandru Ardelean <redacted>

python-docutils: bump to 0.23

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-zope-interface: bump to 8.5

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-wheel: bump to 0.47.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

libexif: update 0.6.26

Upstream list of changes is available at
https://github.com/libexif/libexif/releases/tag/v0.6.26.

Signed-off-by: W. Michael Petullo <redacted>

nmap: update to version 7.99

- Patches automatically rebased
- Release notes: https://nmap.org/changelog.html#7.99
- Update Makefile due to ndiff dropped setup.py using pyproject.toml.
  Remove PYTHON3_PKG_FORCE_DISTUTILS_SETUP and set PYTHON3_PKG_WHEEL_NAME
  to match the ndiff package name rather than PKG_NAME (nmap).

Signed-off-by: John Audia <redacted>

liboqs: fix missing symbolic link installation

The current installation process fails to correctly install the
'liboqs.so' symbolic link due to an incorrect path syntax (extra dot).

This prevents other packages from linking against liboqs
(e.g., using -loqs) during development, which was discovered while
testing PQC key exchange implementations dependent on OQS.

Removes the trailing dot to ensure the symbolic link is preserved and
copied correctly to the destination directory.

Signed-off-by: Ho Kim <redacted>

iperf3: backport GSO/GRO fix for small packets

Backport GSO/GRO fix for packets smaller than 508 bytes.

Signed-off-by: Aleksander Jan Bajkowski <redacted>

libdmapsharing: update to 3.9.14

Fixes https://github.com/openwrt/packages/pull/29586.

Signed-off-by: W. Michael Petullo <redacted>

valkey: bump to 9.1.0

includes server security related releases.

Signed-off-by: Matthew Cather <redacted>

python-trove-classifiers: bump to 2026.6.1.19

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-platformdirs: bump to 4.10.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-idna: bump to 3.17

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

pymysql: bump to 1.2.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-pip: bump to 26.1.2

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-pyopenssl: bump to 26.2.0

Refresh sha256 from PyPI sdist. pyOpenSSL 26.2.0 dropped EC support
from the legacy crypto.PKey API (the call surfaces as "OpenSSL.crypto.Error:
No such key type"); drop the EC-key arm of test.sh accordingly. Upstream
points at the cryptography package for EC key generation.

Signed-off-by: Alexandru Ardelean <redacted>

libsml: update to 1.1.5

bump version to 1.1.5

Signed-off-by: Andy Voigt <redacted>

boinc: fix can't open /proc/stat

Add procfs to boinc jail to allow access /proc/stat

Add test.sh to test boinc package

Signed-off-by: Hector Espert <redacted>

nfdump: update to 1.7.8

Upstream list of changes is available at
https://github.com/phaag/nfdump/releases/tag/v1.7.8.

Signed-off-by: W. Michael Petullo <redacted>

libsoup3: make zstd optional, drop unused deps

Meson auto-detects zstd if staged by other builds.
So, we need to enforce it enabled/disabled via build options.

Drop libxml2 and libgnutls from DEPENDS.
They're not required in libsoup3.
Maybe they're left-overs from libsoup2.

Signed-off-by: Alexandru Ardelean <redacted>

python-build: bump to 1.5.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-poetry-core: bump to 2.4.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-hatchling: bump to 1.30.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-pika: bump to 1.4.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-starlette: bump to 1.2.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-uvicorn: bump to 0.48.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

django: bump to version 6.0.6

Fix CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, and
CVE-2026-48587.

Full release notes:
https://docs.djangoproject.com/en/6.0/releases/6.0.6/

Signed-off-by: Wei-Ting Yang <redacted>

adblock: fix default values for ext. DNS resolver

- This fixes a breaking LuCI change (https://github.com/openwrt/luci/commit/974b5864e05ef30f38149389f15583c08bdd4eda)

Signed-off-by: Dirk Brenken <redacted>

adblock: release 4.5.6-1

- f_etag: strip CR in ETag header extraction (gsub(/[\r"]/,…)) — fixes empty-but-present etag
- f_etag: add feed_rm mode to drop a feed's etag entries; roll back the optimistically stored etag on failed downloads
- f_list/f_main: make restore-failure feed pruning subshell-safe via per-feed marker files
- f_jsnup: remove bogus trailing commas from the active_feeds array elements
- f_fetch: validate adb_fetchretry
- f_conf: ignore empty UCI option values so they don't override sane defaults
- f_report: add jclean() to strip control/quote/backslash from untrusted client/iface/domain fields
- LuCI: fix some cornercase issues
- update readme

Signed-off-by: Dirk Brenken <redacted>

nextdns: update to version 1.47.3

Update nextdns package to upstream version 1.47.3

Signed-off-by: Olivier Poitrey <redacted>

python-socketio: bump to 5.16.2

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-engineio: bump to 4.13.2

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-mako: bump to 1.3.12

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-pathspec: bump to 1.1.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

pipx: bump to 1.13.0

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

python-click: bump to 8.4.1

Refresh sha256 from PyPI sdist.

Signed-off-by: Alexandru Ardelean <redacted>

gcc: synchronize with toolchain

Modify the gcc package to support building 13.4.0, 14.3.0, and 15.2.0,
which are the same versions supported by the current toolchain.

Upstream list of changes can be found at:

https://gcc.gnu.org/gcc-13/changes.html
https://gcc.gnu.org/gcc-14/changes.html
https://gcc.gnu.org/gcc-15/changes.html

Signed-off-by: W. Michael Petullo <redacted>

rust: update to 1.96.0

Changelog:
- https://github.com/rust-lang/rust/releases/tag/1.95.0
- https://github.com/rust-lang/rust/releases/tag/1.96.0

Signed-off-by: hingbong <redacted>

zsh: update to 5.9.1

Removed upstreamed patches:
- 001-50658-test-Enable-to-switch-between-C-UTF-8-locales-.patch
- 002-51723-migrate-pcre-module-to-pcre2.patch
- 005-51877-do-not-build-pcre-module-if-pcre2-config-is-no.patch
- 006-52383-Avoid-incompatible-pointer-types-in-terminfo-g.patch

Remaining patches automatically rebased and filenames renumbered.

Changelog:
Incompatibilities
- PCRE support is now PCRE2.
Changes
- POSIX real-time signals (SIGRTMIN etc) are now supported by the kill and trap builtins, TRAP* functions, and the signals parameter, where available.
- The kill builtin learnt a new option -q to send the signal via sigqueue(3) along with an arbitrary integer value, where available.
- The kill builtin also learnt a new -L option to print a list of all known signal numbers and their names.
-The new completion helper _as_if can be used to complete one command as if it were another command with particular arguments.

Signed-off-by: John Audia <redacted>

totem-pl-parser: update to 3.26.7

Upstream list of changes is available at
https://gitlab.gnome.org/GNOME/totem-pl-parser/-/blob/master/NEWS.

Signed-off-by: W. Michael Petullo <redacted>

vala: update to 0.56.19

Upstream list of changes is available at
https://gitlab.gnome.org/GNOME/vala/-/blob/main/NEWS.

Signed-off-by: W. Michael Petullo <redacted>

libgcrypt: update to 1.12.2

Upstream list of changes is available at
https://github.com/gpg/libgcrypt/blob/master/NEWS.

Signed-off-by: W. Michael Petullo <redacted>

vips: update to 8.18.2

Upstream list of changes is available at
https://github.com/libvips/libvips/releases/tag/v8.18.2.

Signed-off-by: W. Michael Petullo <redacted>

krb5: update to 1.22.2

Upstream list of changes is available at
https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.2.html.

Signed-off-by: W. Michael Petullo <redacted>

libgpg-error: update to 1.61

Upstream list of changes is available at
https://github.com/gpg/libgpg-error/blob/master/NEWS.

Signed-off-by: W. Michael Petullo <redacted>

libsoup3: update to 3.7.1

Upstream record of changes is available at
https://gitlab.gnome.org/GNOME/libsoup/-/blob/master/NEWS.

Signed-off-by: W. Michael Petullo <redacted>

hwloc: update to 2.13.0

This upstream release included CPU kind improvements and fixed
CUDACoresPerMP on NVIDIA GPUs.

Signed-off-by: W. Michael Petullo <redacted>

python-pyelftools: install /usr/bin/pyreadelf

The wheel's /usr/bin/readelf.py collides with binutils' /usr/bin/readelf
and gets its shebang stripped by CompileAll + DeleteSourceFiles. Rename
to pyreadelf via the Py3Package install hook, matching Fedora's package.

Also depend on python3-asyncio and python3-codecs: elftools.construct.debug
imports pdb, and Python 3.14's pdb pulls in asyncio (via _pyrepl) and
unicodedata (via _pyrepl.utils) at import time.

Signed-off-by: Alexandru Ardelean <redacted>

python-pyelftools: add setuptools to host & target build deps

pyelftools 0.32 ships a PEP 517 build that requires setuptools as its
backend, so -m build fails with "BackendUnavailable: Cannot import
'setuptools.build_meta'" when only build, installer and wheel are staged.

Signed-off-by: Alexandru Ardelean <redacted>

meshtasticd: add python-pyelftools to host build deps

PlatformIO's SCons builder loads its tool modules at the start of
'pio run', including platformio/builder/tools/piosize.py which imports
elftools.elf. python-platformio's HOST_BUILD_DEPENDS already lists
python-pyelftools/host so it is installed alongside platformio in
staging_dir/hostpkg, but the dependency does not always reach
meshtasticd's compile step via that indirect chain, leading to:

  ModuleNotFoundError: No module named 'elftools'
    File ".../site-packages/platformio/builder/tools/piosize.py", line 22:
      from elftools.elf.descriptions import describe_sh_flags

Declare python-pyelftools/host directly in meshtasticd's build deps so
the host install is guaranteed before 'pio run' is invoked.

Signed-off-by: Alexandru Ardelean <redacted>

frp: bump to 0.69.1

Changes: https://github.com/fatedier/frp/releases/tag/v0.69.1

Signed-off-by: Roc Lai <redacted>

libzip: add version check override

zipmerge and zipcmp prints version on -V,
but ziptool does not offer version number in any output.

Co-authored-by: George Sapkin <redacted>
Signed-off-by: Michael Heimpold <redacted>

jose: disable man page generation via asciidoc

The asciidoc/a2x toolchain bundled with newer Python (3.14) is
incompatible with jose's docbook XSL configuration, causing the
build to fail with xsltproc returning non-zero status while
processing 'jose.1.xml'.

Since the man pages are not strictly required for OpenWrt (and
typically stripped from the final image anyway), unconditionally
disable a2x detection in meson.build via a disabler() so that the
'mans' list stays empty regardless of host tooling.

Link: https://github.com/latchset/jose
Signed-off-by: Daniel Golle <redacted>

libdrm: package test programs

Package the libdrm test programs which are useful when debugging
video output issues: drmdevice, modetest, modeprint, proptest, vbltest

Signed-off-by: Daniel Golle <redacted>

conmon: update to 2.2.1

Release notes: https://github.com/containers/conmon/releases/tag/v2.2.1

Upstream moved the install target from libexecdir/podman to bindir;
update Package/conmon/install accordingly and refresh
010-remove-libdl-dep.patch for the new context.

Signed-off-by: Daniel Golle <redacted>

gst1-plugins-base: pin GStreamer GL to the GLES2/EGL API

The 'gl_api' meson option was left at its 'auto' default, so the
GL plugin probed for desktop OpenGL. OpenWrt's Mesa is built with
-Dglx=disabled and -Dglvnd=disabled on every target, so it ships
no linkable desktop-GL library (no libGL.so, no gl.pc) - desktop
GL is only reachable through EGL. With nothing to satisfy the
probe in the sysroot, meson's cc.find_library('GL') fallback
escaped into the build host's /usr/lib and, on a host that has a
desktop libGL installed, put that foreign library on the link
line, breaking the cross link with:

  mold: fatal: /usr/lib/libGL.so: incompatible file type:
  riscv64 is expected but got x86_64

Pin -Dgl_api=gles2 and -Dgl_platform=egl to match what Mesa
actually provides (libGLESv2 + libEGL). This is correct on every
target, including x86_64: the desktop-GL link path was never
functional on OpenWrt and only ever "succeeded" by picking up a
host library.

Signed-off-by: Daniel Golle <redacted>

kea: handle network reconfiguration without restarting

Currently if a dynamic interface changes (VLAN, tunnel, etc)
that Kea is listening on, it needs to be told externally to
restart.  The re-detect option avoids this.

Signed-off-by: Philip Prindeville <redacted>

kea: bump to 3.0.3

3.0.3 is a security/vulnerability release on the stable 3.0 series.

Notable fixes since 3.0.2:

* **CVE-2026-3608** — A large number of bracket pairs in a JSON payload
  sent to any endpoint caused a stack overflow during recursive parsing.
  The exploit does not need a syntactically valid command, so it bypasses
  RBAC and the command filters on the High-Availability endpoints
  (upstream #4275 / #4288 / #4387).

* Null dereference when configuring the Control Agent with a socket
  entry that lacks the mandatory ``socket-name`` is now caught
  (#4388, #4365).

* UNIX command sockets are created group-writable so Stork 2.4.0+ and
  other tooling using the configured group can talk to the daemon
  (#4398, #4260).

Upstream's release notes flag "no incompatible changes" and "no known
issues" for this bump.

All current patches still apply cleanly.

Release notes:
https://ftp.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt

Signed-off-by: Alexandru Ardelean <redacted>

transmission: add p{read,write}v2 syscalls to seccomp filter

Tracing Transmission 4.11 showed the Transmission is started to use
the pwritev2 syscall for better write performance.
Add pwritev2 and preadv2 (which may be used as well, and anyway
doesn't hurt) to the list of allowed syscalls.

Signed-off-by: Daniel Golle <redacted>

linenoise: update to 2026-03-02

- Add bracketed paste folding
- Add test for ANSI CSI escape sequences in the prompt.
- Treat ANSI CSI escape sequences as zero-width in utf8StrWidth().
- Fix tab handling when no completion is available.
- Fix ARM unsigned char warning.

Signed-off-by: Maxim Storchak <redacted>

python-aiosignal: remove the package

aiosignal is a small aio-libs helper that provides a Signal class for
fan-out of coroutine callbacks. Its only practical use is as a runtime
dependency of aiohttp, which is not packaged in this repository, and no
other package here declares aiosignal as a runtime or build dependency.

Drop the package; users who pull in aiohttp via pip on the target will
get aiosignal as a transitive dependency anyway.

Signed-off-by: Alexandru Ardelean <redacted>

kea: add functional test.sh covering all subpackages

Smoke-test each subpackage with a real code path (config validators,
helper script sourcing, Python interpreter / module imports, hook .so
/ UCI file presence) instead of relying on the generic --version probe.

Signed-off-by: Alexandru Ardelean <redacted>

kea: ship admin-utils.sh and kea-shell Python modules

kea-admin and kea-shell were shipped without their helper script
and Python modules respectively, leaving both non-functional. Ship
the missing files, add +python3-light +python3-urllib +python3-openssl
to kea-shell, and rewrite its meson-baked host-absolute shebang and
sys.path.append to the on-target /usr/bin/python3 + $(PYTHON3_PKG_DIR).

Signed-off-by: Alexandru Ardelean <redacted>

python-anyio: add test.sh and python3-urllib dep

Exercise anyio end-to-end with the structured-concurrency example
from the upstream "Creating and managing tasks" docs: spawn 5 child
tasks via create_task_group(), each appending to a shared list, then
verify all completed.

Signed-off-by: Alexandru Ardelean <redacted>

python-maxminddb: extend test.sh past the import smoke check

Previous test.sh only confirmed the import smoke check. Add a $2
version check, assert MODE_* constants are distinct ints, and exercise
the loader's error paths (missing file, non-MMDB temp file).

Signed-off-by: Alexandru Ardelean <redacted>

python-maxminddb: add setuptools-scm host build dep

maxminddb 3.x switched to PEP 517 with build-system.requires including
setuptools-scm, so the wheel build now fails with "ERROR Missing
dependencies: setuptools-scm". Wire it into PKG_BUILD_DEPENDS and bump.

Signed-off-by: Alexandru Ardelean <redacted>

fontconfig: update to 2.17.1

Update to the newest stable version
* adjust download URL to gitlab
* add license info

Signed-off-by: Hannu Nyman <redacted>

python-zipp: remove the package

zipp is a small backport / forward-port of zipfile.Path, originally
useful when zipfile.Path was new in stdlib (Python 3.8). With the
python3 package now tracking 3.14, zipfile.Path covers what
zipp.Path exposes, and no other package in this repository declares
zipp as a runtime or build dependency.

Drop the package to remove the dead weight; users who still need it
can install it via pip on the target.

Signed-off-by: Alexandru Ardelean <redacted>

tmux: update to 3.6b

- Remove images from the correct list when they are removed while in the
  alternate screen

Signed-off-by: Maxim Storchak <redacted>

lsof: update to 4.99.6

- Treat NFS ESTALE fds as unlinked for +L selection
- Fix null pointer exception

- Add test.sh

Signed-off-by: Maxim Storchak <redacted>

haveged: update to 1.9.22

Update to version 1.9.22.

Signed-off-by: Hannu Nyman <redacted>

mdnsresponder: add version check override

None of the shipped binaries (mdnsd, dns-sd, mDNSClient/Net/Proxy*,
mDNSResponder) print the package version, so the generic probe always
fails. Add a test-version.sh exiting 0 for the three subpackages.

Signed-off-by: Alexandru Ardelean <redacted>