11 files changed, 598 insertions, 8 deletions
diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz
index aee857ff0927..c9d9c46b053c 100644
--- a/net-misc/Manifest.gz
+++ b/net-misc/Manifest.gz
diff --git a/net-misc/mobile-broadband-provider-info/Manifest b/net-misc/mobile-broadband-provider-info/Manifest
index caeca7f0db42..3445d77795da 100644
--- a/net-misc/mobile-broadband-provider-info/Manifest
+++ b/net-misc/mobile-broadband-provider-info/Manifest
@@ -1,5 +1,5 @@
 DIST mobile-broadband-provider-info-20220511.tar.xz 85064 BLAKE2B 7abb1d493cc39b9988a188edf260b5440bc8cb9e0879897df550ee63cb46c52721ee75dee304bbc93add3173a7ff56bd17bccf8dd062590ae583cee67e9093ab SHA512 7b3a9c0a2e618ef3ef0e29b947ab9f0a55f30bd738f0e976529e8f3ddbb60a738f623e718ea67fa6e6008275dbbe78ce3ed9852c005748a266f04e3dd65179a6
 DIST mobile-broadband-provider-info-20220725.tar.xz 85184 BLAKE2B 1b36b2cf8f0a66755a7cd10090531efd2c5094e5d611247af748f0923fd76b5e1ce20c31ce16be2b0bad5bd64e44e72eeeec7123435366186e31c7da9e66343a SHA512 335b3a5598144f4b11eab2d924b4671055c414664c783507fb8aa0ee20769dca640d03e559e7f55741b38652590812e777b663264d6dcafd24407cfaeb5bc24d
-EBUILD mobile-broadband-provider-info-20220511.ebuild 488 BLAKE2B 1c46369ee3b79249ffae15a221d7ada3e5ca87b059b487cf234f7e101b4881e80c919efb51d77d8fbfb2e723c8535f6d3bcf01bf52e22325d5af43c5fd4e2d12 SHA512 52facb711e158c793aafdaac25988cffd71232c0e76eddd8fda73cb40118f20c345c4a5b2c3f6666037aeb815e102686773e295472d5fae48da5729ccf3566e9
-EBUILD mobile-broadband-provider-info-20220725.ebuild 495 BLAKE2B 509ec523e86477ca0b5bfadba1845a3281e9cc445107bb1bf73550429d31f7742d661a989978a195991147fec63a5eefc61779701f7da7dea68720bdbc3b3f5f SHA512 e0ec81442c77762b70df2d0b96bbcea2fd606ffcd69de1e118a0ab07630d453d1634c3fac6826f5caf210195c443c49a7d9f813f8ed7f2a2c29ccca09cb35f65
+EBUILD mobile-broadband-provider-info-20220511.ebuild 507 BLAKE2B 692c6b48d251b1cb661ca7db75e3b9ae4213bb3f4b873feb1cc5f607db2a06876077273fb794b5f387258af529a7e97e81b05932ace34dbfee384ccd9e61c7f4 SHA512 0bf76efddb05f9be64930d4930b0086dc3700b3ede55c2c715ec85eb1a3cff5db2417f55f80fc5860a840e7dd8925cfd849a9ce0d4086361227e76defe98561f
+EBUILD mobile-broadband-provider-info-20220725.ebuild 514 BLAKE2B 9d54d229eb440eeb8ebb5990f0d193a2398616ba5fb2dd884c390566ea114989e7bf41a0dff51fa2391c7e7e688edc0f08eb51da3ad1927389f3f60c9842eb4b SHA512 6f98264d452a79b0175c560122714537d07547f1254a9d0a2dd5dd2859f857b0bb87661cc6128680c9de773cdf51eeff27660a2f3b553755833aef32228a88da
 MISC metadata.xml 250 BLAKE2B 8f7f0fe023d43e380e7861e897e6afcb5de4baefb42ea9c65a57dfc0d204c6f787a99295141832e732ebb08be218da56ba77e2dd9639e4e3aabf718ce4db1d0c SHA512 2684e772dd6d83e4b49f08f2ba22d8a0a753e7b46863489eff1b5d1f2f147ad80ffd93245ca405ac4c747249bc1b754454ec9865fe16da70f9b257051e105fd8
diff --git a/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220511.ebuild b/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220511.ebuild
index c852b0dcbc9a..8738df855a0d 100644
--- a/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220511.ebuild
+++ b/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220511.ebuild
@@ -12,7 +12,7 @@ LICENSE="CC-PD"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv sparc x86"
 IUSE="test"
-RESTRICT="!test? ( test )"
+RESTRICT="!test? ( test ) test" # bug #856436
 
 BDEPEND="
 	dev-libs/libxslt
diff --git a/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220725.ebuild b/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220725.ebuild
index ba7cf7cab4d5..39b48f37d9a7 100644
--- a/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220725.ebuild
+++ b/net-misc/mobile-broadband-provider-info/mobile-broadband-provider-info-20220725.ebuild
@@ -12,7 +12,7 @@ LICENSE="CC-PD"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
 IUSE="test"
-RESTRICT="!test? ( test )"
+RESTRICT="!test? ( test ) test" # bug #856436
 
 BDEPEND="
 	dev-libs/libxslt
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index d4707f83812f..3c8906ed80a7 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -15,6 +15,7 @@ AUX openssh-8.9_p1-hpn-15.2-glue.patch 8473 BLAKE2B a4616e498db7400702b3c0ba8c6e
 AUX openssh-9.0_p1-X509-glue-13.3.2.patch 2118 BLAKE2B 8d7211b713025dc2749b58907dce8fd9bc415f92a90041b9daae0b80401b91095b7160b5105634fb7c578af12d425863ea85bab4a59dec5d6a9746fbba603a65 SHA512 681d457457fd2a2709c34d7df0eee93a6602532b79b4ceb17f937e0639ded0efd786fdf2002c48a9a52594eae305bd818ae6ee9cc9bf192e619e19bf553be2ae
 AUX openssh-9.0_p1-X509-glue-13.4.1.patch 2118 BLAKE2B 171c776e8a1dc64dd63d0e471dd7064fb0360a4abdec7f03915246f07082341e6b505e7a5467aad25bd5282ab4a63a48405984317b12c1692d04f5427503a86b SHA512 7dc1c43e6f70a4c990dc3cf493f8a5b4fbdf1753f2d4bf474ba40adb656d843fcf72a4e076e6450e0488ada68758f9e2e0814a71388d552ce50d34c3692e573d
 AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5
+AUX openssh-9.0_p1-implicit-func-decl-vsnprintf.patch 2071 BLAKE2B 412277bf109e93e785c2d81830d11697e1718992204177aa5048c4a86f0d62982a5a3af0f7b7ef92e3b506f6afe428953fe5e6cbe0f9a27a3fbc760d536d0fd9 SHA512 d42cd6da269e3d44da2230a3597808f522d73c8d8ddc15617b43dbd922587e6a90a81f686a816313330b02a53d0da517d563f134d6281adcc7d85d9666dd07b2
 AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe
 AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27
 AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391af5769798e0b0185f0a588bc089d229c76138fd2db39fbe6bd33924f0d53e0513074d9c2d7abf88dcb78 SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c
@@ -36,4 +37,5 @@ DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a2
 EBUILD openssh-8.9_p1-r2.ebuild 17076 BLAKE2B 6f236af760da98ff31643f2bf22560c65d7fc0b00a00502b84657739039663e230b78db2a0cc3cc02eea6fc3f030157bc22053955501ecaa055698eea5a70bca SHA512 4d2d05fc3a15318687d769c99b779bdc41998a5456650b7d174828e4d557711036d2def92f7f8465c9c4e38180e614f12462e58ca7e0653d7be7e242e4408bb5
 EBUILD openssh-9.0_p1-r1.ebuild 16937 BLAKE2B 34b2fa4021a8f55c017af579bac3e07f20debc330450c56b0fe562bcf8822397fd527902fc5bed3f9f2a7c687ab96d67a33ce29a894eea641db154301d15e505 SHA512 de3849679d4440d2e2d69b68c2c2d5d01bf240aff3868dcae1d53b120468098f3dedebcefc826b0898ea8fcea61107a177e6c1df6f5ba54e600e2f41ae67d772
 EBUILD openssh-9.0_p1-r2.ebuild 16929 BLAKE2B a218c0faba8bb8218841f2c621584bd7b381629a12620e27f54cb5c563fcd1d56a21b2f10be20b77c7492eb2d89be31c209fc250252be86cb88d427642123ebe SHA512 d7a865cbf8bd64fd4518966b43a4af8f3156cd125cb6b91a4d9a63ba1c02625155bd641f082056d753c5f84172c2965e3fc5e5376a6d68b72edf651c8f7b5d55
+EBUILD openssh-9.0_p1-r3.ebuild 17007 BLAKE2B 35994ed1626e65fceefa75b523ea56b0965283f4784f38e257278d5ddca81b14514eee116c4b4666633d8f0ace12d2213137c60e5bbb907723532758fb36f0c8 SHA512 98f567c9901a1b858ccb4ff8f9cc3d500064be033a52c954fbe7eab538efe952f3449cdc5cff93b472f8b5343b19dd295f75076ab9528cd45d253f491f63239f
 MISC metadata.xml 2047 BLAKE2B 87356343744e121075383ad94ba6b821d2db5c3f5af16745130078f939e53b6a83281c19b89f272d20509753bc734bfdd3aab024d72651c7d5c69df27b36841a SHA512 a5b69ff7fa94b00062e78eba36b6d321fd923d27e953fc24ae81d8e25040bebde9ccb8b1555912726eff2b39ee0256aee0da52359e326fb4b1edd394e4f1e406
diff --git a/net-misc/openssh/files/openssh-9.0_p1-implicit-func-decl-vsnprintf.patch b/net-misc/openssh/files/openssh-9.0_p1-implicit-func-decl-vsnprintf.patch
new file mode 100644
index 000000000000..c3a464eb3fe8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.0_p1-implicit-func-decl-vsnprintf.patch
@@ -0,0 +1,32 @@
+https://github.com/openssh/openssh-portable/pull/339
+
+From a15d08a25f1ccc3ee803dfe790cc1f608651464c Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 8 Sep 2022 02:49:29 +0100
+Subject: [PATCH] openbsd-compat/bsd-asprintf: add <stdio.h> include for
+ vsnprintf
+
+Fixes the following build failure with Clang 15 on musl:
+```
+bsd-asprintf.c:51:8: error: call to undeclared library function 'vsnprintf' with type 'int (char *, unsigned long, const char *, struct __va_list_tag *)'; ISO C99 and laterclang -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -mretpoline  -ftrapv -fzero-call-used-regs=all -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/misc/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/lib/misc/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aes.c -o cipher-aes.o
+ do not support
+      implicit function declarations [-Wimplicit-function-declaration]
+        ret = vsnprintf(string, INIT_SZ, fmt, ap2);
+              ^
+bsd-asprintf.c:51:8: note: include the header <stdio.h> or explicitly provide a declaration for 'vsnprintf'
+1 error generated.
+```
+
+See also: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-June/037811.html
+See also: 73eb6cef41daba0359c1888e4756108d41b4e819
+--- a/openbsd-compat/bsd-asprintf.c
++++ b/openbsd-compat/bsd-asprintf.c
+@@ -32,6 +32,7 @@
+ 
+ #include <errno.h>
+ #include <stdarg.h>
++#include <stdio.h>
+ #include <stdlib.h>
+ 
+ #define INIT_SZ	128
+
diff --git a/net-misc/openssh/openssh-9.0_p1-r3.ebuild b/net-misc/openssh/openssh-9.0_p1-r3.ebuild
new file mode 100644
index 000000000000..fb65bd3d8b54
--- /dev/null
+++ b/net-misc/openssh/openssh-9.0_p1-r3.ebuild
@@ -0,0 +1,486 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="13.4.1"
+X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+	eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
+	eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
+	eapply "${FILESDIR}"/${PN}-9.0_p1-implicit-func-decl-vsnprintf.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}
diff --git a/net-misc/rsync/Manifest b/net-misc/rsync/Manifest
index d9d4b1319535..f5ebfacb1b7c 100644
--- a/net-misc/rsync/Manifest
+++ b/net-misc/rsync/Manifest
@@ -1,5 +1,6 @@
 AUX rsync-3.2.4-strlcpy.patch 1715 BLAKE2B 4159391589cc6eba7c6719b15d32d33e68ff5a15765b3377e1e53975c2d7c9413ac99e178d0e6a796d347aab4bf43b3f7a788a434ea36bc35adb916a39394ca4 SHA512 b097b253624fa67feb32f3cb6412fadbd731ec659791010310824ef0c83209a9d228706e84eca72614c0e3ce7a3ccbd4250dafad20dc2113b20d79135573fa9a
 AUX rsync-3.2.4-unsigned-char-checksum.patch 610 BLAKE2B eb6803c673bb38907738e5475e9469c07555d96769cc86baad43f806cd6a823c5aa9d890c63096b5c229402315cdd90d76d93687ddc1a7d17360ff739afc9596 SHA512 a8f8eb0568139893e2f3f36feb1cebfb5fcf3b1fd807459bce635d61f2582e960c55b0bb4c8914a6579ad0eb7e4322d2ce3480598d425e256fb6a73efbc9315e
+AUX rsync-3.2.5-pedantic-errors.patch 2098 BLAKE2B d1a785647fcc1541d70fbc1cf2042e129d610fbdb7aa8364ddb2cfacc587f7540163af127f2d972a3663486b1017b9b4322441bc58c95f605794c2854d2db4f0 SHA512 76e67ecb10e6161723148f8669661a53dba539fb8d7a1dffc3ec021808509bb3e32d9906cacf583174f20a0a1fc51dfe37ee4a5d4ba0cec783ad74bdfe297533
 AUX rsyncd.conf-3.0.9-r1 462 BLAKE2B 45a7dde876368e7392ee7a05edf593f55cf6b3b4dc913745f4322ebd75f97bcdf1a24240a54e11469bd659fd565fc74cd8eeaa9490434d88444b5a076803cea7 SHA512 5c57f633aa3daa6513b5d35a1157a50308559ad993257374ce4eea0269f6bf384938f95bed749acb19538e8c4672355351fcee5cef9607153463b19227d343d7
 AUX rsyncd.conf.d 149 BLAKE2B fd2556d0c270c2baa83d4d474d44ab1d16e35f112279a339f179f9af693d977cc0863bf4cd7139363c58e4e6a1a18a24c06474ecc248167224261dbaf04ae0a8 SHA512 8ea9a2f1fea508fa132313fa16513eac84a9ed3ce75741c42769b56bbcd3f1bd2eb8bfdfe40a6c7f619e4281e8fc8d95d1bd84096d0b64aaacf606cd614ae5b3
 AUX rsyncd.init.d-r1 247 BLAKE2B ec4f7a875a51bae10cff7e15df18d285b01dddaa99a03127ba242ec535b7c8a3af3ad4489661ba7b5f6b074e2af38b12da394c0f8992bd28328d807a89757bb0 SHA512 df2ef4d9e65fa72daa9a7d91d69a06027d0e0fbc48f9ebd485e2d51990c8d00985b7ccf41314f984975e8073e2075bbdfe5543754718381497c334dc7d96451a
@@ -11,6 +12,6 @@ DIST rsync-3.2.5.tar.gz 1129957 BLAKE2B a0d1c4a2dbebe37bad4f6e2e5e4fae41c53529d9
 DIST rsync-3.2.5.tar.gz.asc 195 BLAKE2B 9ca9034afc39299c2178190412b188f561d274d8e38d58a988487f2db14a8135840acf3413096d26f080358b69779fa3b48e292670ba6b23ae4eb0c05f9df614 SHA512 b384f48b2fd459a51715c8ab2a14e540c5fa7f7f12453282db770893d6121b1b3c9809e667ccacaf910fd90548abeb700a2c717d76fbea22fe3d6a22aa6b2c44
 EBUILD rsync-3.2.4-r1.ebuild 4489 BLAKE2B d13cc511cb1c48c11dfce0df382a0e3baf107ffeddc6d8204debf64c2a15aa97f970a0e4a59b33f71d3e98ad42913ece4ffe576e653a985d9e3391b61419896b SHA512 bdb098101abe7ef32e23b8658f56718cfb00ca3acf273bf590a21edd80e1e54bdeee6169e4a55af4d6e9c94d00233f9e3dbbe970e48bc9d21da5a9479863df73
 EBUILD rsync-3.2.4-r3.ebuild 4766 BLAKE2B 2c5a0c4bd2f5f600cec463fe3d5a41cd4f9908ec5ead8e19a52a29108ad25be43cb6da3eb3f04fb0aafb9efb0bcc33e66d6b6f3450ce59a922d21db533d5f87d SHA512 482dee5328c886e9103a4d0a7d05e7bb258f12093f2dd530eef427714dd7f80ffbff821c4104783c066a7178efbe46da7d86101d74fb094c46f32ee411db22d2
-EBUILD rsync-3.2.5-r1.ebuild 4331 BLAKE2B c72a6165786d505bd6264c6ca3a0e1038e89b52426c85be14a5a2b52dcc792dab9a68df4b3822dc1819711d2ea1152a3b7e542427dc615e74da96cbe879c9304 SHA512 542b908bfff95508753b69efa57d8410749e3d865d9f15961dcada1286f2ac23aeea4cd34766e0757a4452bfcad99c1d587e7159b4ef3521831450d8a998d688
-EBUILD rsync-9999.ebuild 4331 BLAKE2B c72a6165786d505bd6264c6ca3a0e1038e89b52426c85be14a5a2b52dcc792dab9a68df4b3822dc1819711d2ea1152a3b7e542427dc615e74da96cbe879c9304 SHA512 542b908bfff95508753b69efa57d8410749e3d865d9f15961dcada1286f2ac23aeea4cd34766e0757a4452bfcad99c1d587e7159b4ef3521831450d8a998d688
+EBUILD rsync-3.2.5-r1.ebuild 4569 BLAKE2B 39e55ad37ad47876ae60b763004fa46dc03141833c3e7b4e24d2ef9fe76276c638f9e45c07f5dc4c2ba9f38d3bfa1657e3e17e1ea388d3606fef32bc5f99c76d SHA512 8a204dec65919da949bb9f341beb4a2b671c8ba3f80bbe775df01faef170682542f8bbb9c3f08b4649ddcd4be82f5cd81e77b64d768ccc0abcdbfdb31377662f
+EBUILD rsync-9999.ebuild 4515 BLAKE2B 89f5ad14e0dd506830dae96014566274a70b09b8d66215174dbe15c609075e2cdb179f83b20acde4170bd0c9b2707fa1e9b81a5bd6792d7913f60c5ece06532e SHA512 ebf536d851b3da99859f080e322147ac3438e90b06ea01148698bd22b4269ba4ccd84fc8b7217188010ab8e20ce3f92ff86a245de4aa7013ba500a93b620faf8
 MISC metadata.xml 718 BLAKE2B ba88a2f622a0af1d21fbef7dae30d034959c3a7527fb2a155867eeddad2641875212ad31baa39236dd980ee14d76ad5b826491cd32c6eb1059f6647e81d00e6f SHA512 06fd22f9f5c40abd1f3b524614dadaf8c13f2477b7f3201232c4d928020b7faf3ea2d70389c668c01323e2ed15b40a0ebe76ee89a60072474ee3283692d62c7e
diff --git a/net-misc/rsync/files/rsync-3.2.5-pedantic-errors.patch b/net-misc/rsync/files/rsync-3.2.5-pedantic-errors.patch
new file mode 100644
index 000000000000..33afbd954a12
--- /dev/null
+++ b/net-misc/rsync/files/rsync-3.2.5-pedantic-errors.patch
@@ -0,0 +1,53 @@
+https://github.com/WayneD/rsync/commit/9a3449a3980421f84ac55498ba565bc112b20d6c
+
+In particular, avoids attr configure test failing.
+
+From 9a3449a3980421f84ac55498ba565bc112b20d6c Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Thu, 18 Aug 2022 17:33:54 -0700
+Subject: [PATCH] Stop enabling -pedantic-errors.
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then
+     with_included_popt=yes
+ fi
+ 
+-if test x"$GCC" = x"yes"; then
+-    if test x"$with_included_popt" != x"yes"; then
+-	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
+-	CFLAGS="$CFLAGS -pedantic-errors"
+-    else
+-	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
+-	# turn off pedantic warnings (which will not lose the error for array-init overflow).
+-	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
+-	# -Wpedantic and use that as a flag.
+-	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
+-	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
+-	esac
+-    fi
+-fi
+-
+ AC_MSG_CHECKING([whether to use included libpopt])
+ if test x"$with_included_popt" = x"yes"; then
+     AC_MSG_RESULT($srcdir/popt)
+
+--- a/configure.sh
++++ b/configure.sh
+@@ -9982,14 +9982,14 @@ fi
+ if test x"$GCC" = x"yes"; then
+     if test x"$with_included_popt" != x"yes"; then
+ 	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
+-	CFLAGS="$CFLAGS -pedantic-errors"
++	CFLAGS="$CFLAGS "
+     else
+ 	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
+ 	# turn off pedantic warnings (which will not lose the error for array-init overflow).
+ 	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
+ 	# -Wpedantic and use that as a flag.
+ 	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
+-	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
++	    *-Wpedantic*) CFLAGS="$CFLAGS  -Wno-pedantic" ;;
+ 	esac
+     fi
+ fi
diff --git a/net-misc/rsync/rsync-3.2.5-r1.ebuild b/net-misc/rsync/rsync-3.2.5-r1.ebuild
index 1abfebf444ed..6e6e4bd34c3e 100644
--- a/net-misc/rsync/rsync-3.2.5-r1.ebuild
+++ b/net-misc/rsync/rsync-3.2.5-r1.ebuild
@@ -3,6 +3,8 @@
 
 EAPI=8
 
+# Uncomment when introducing a patch which touches configure
+RSYNC_NEEDS_AUTOCONF=1
 PYTHON_COMPAT=( python3_{8..10} )
 inherit prefix python-single-r1 systemd
 
@@ -17,6 +19,10 @@ else
 	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/waynedavison.asc
 	inherit verify-sig
 
+	if [[ -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
+		inherit autotools
+	fi
+
 	if [[ ${PV} == *_pre* ]] ; then
 		SRC_DIR="src-previews"
 	else
@@ -60,6 +66,10 @@ else
 	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-waynedavison )"
 fi
 
+PATCHES=(
+	"${FILESDIR}"/${P}-pedantic-errors.patch
+)
+
 pkg_setup() {
 	# - USE=examples needs Python itself at runtime, but nothing else
 	# - 9999 needs commonmark at build time
@@ -71,7 +81,7 @@ pkg_setup() {
 src_prepare() {
 	default
 
-	if [[ ${PV} == *9999 ]] ; then
+	if [[ ${PV} == *9999 || -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
 		eaclocal -I m4
 		eautoconf -o configure.sh
 		eautoheader && touch config.h.in
diff --git a/net-misc/rsync/rsync-9999.ebuild b/net-misc/rsync/rsync-9999.ebuild
index 1abfebf444ed..804909ae11e6 100644
--- a/net-misc/rsync/rsync-9999.ebuild
+++ b/net-misc/rsync/rsync-9999.ebuild
@@ -3,6 +3,8 @@
 
 EAPI=8
 
+# Uncomment when introducing a patch which touches configure
+#RSYNC_NEEDS_AUTOCONF=1
 PYTHON_COMPAT=( python3_{8..10} )
 inherit prefix python-single-r1 systemd
 
@@ -17,6 +19,10 @@ else
 	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/waynedavison.asc
 	inherit verify-sig
 
+	if [[ -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
+		inherit autotools
+	fi
+
 	if [[ ${PV} == *_pre* ]] ; then
 		SRC_DIR="src-previews"
 	else
@@ -71,7 +77,7 @@ pkg_setup() {
 src_prepare() {
 	default
 
-	if [[ ${PV} == *9999 ]] ; then
+	if [[ ${PV} == *9999 || -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
 		eaclocal -I m4
 		eautoconf -o configure.sh
 		eautoheader && touch config.h.in