Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-07-16.

Changes:

• TLS: remove support for Secure Transport and BearSSL

Bugfixes:

• asyn-ares: remove redundant NULL check
• asyn-thrdd: free the previous name before strdup'ing the new
• autotools: detect and link `brotlicommon` library for brotli
• autotools: drop `$top_builddir/src` from src header path
• autotools: drop headers from src mk-unity rules (fixup)
• autotools: drop no longer necessary `--srcdir` unity options
• autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src
• autotools: simplify configuration in tests, examples
• bufq: change read/write signatures
• bufq: remove the unused Curl_bufq_unwrite function
• build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in `curl/curl.h`)
• build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros
• build: drop explicit curlx from hdr paths, refer headers with `curlx/` prefix
• build: drop unused variables in tests
• build: fix libcurltool with cmake and tunits, related tidy-ups
• build: split `.c` and `.h` file lists in tests
• build: stop checking for `sys/stat.h`
• build: stubgss tidy-ups (in tests)
• build: sync build scripts between client/libtest
• build: tidy up `Makefile.inc` use in lib and src
• build: tidy up header paths, use srcdir where possible
• cf-socket: make socket data_pending a nop
• checksrc: reduce exceptions, apply again to curlx
• cmake/FindGSS: fix processing C header path options
• cmake/FindGSS: initialize result variables
• cmake: `curl_add_clang_tidy_test_target` tidy-ups
• cmake: build `stubgss` library for libtests to match autotools
• cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS
• cmake: configure c-ares header directory in project root (was: lib)
• cmake: document OpenSSL and ngtcp2 crypto lib custom variables
• cmake: drop never propagated C macros
• cmake: drop passing redundant `CURL_STATICLIB` in examples and clients
• cmake: drop redundant macro from test clients
• cmake: drop reference to future variable
• cmake: enable soversion by default for OpenHarmony OS
• cmake: fix `curl_add_clang_tidy_test_target` when no `-D` option
• cmake: fix generator expression in docs/examples
• cmake: gather options recursively in `curl_add_clang_tidy_test_target`
• cmake: make docs depend on support files
• cmake: move `OUTPUT` argument in the `add_custom_command()` line
• cmake: omit clang-tidy on internal libs curlu and curltool
• cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues
• cmake: replace the way clang-tidy verifies tests, fix issues found
• cmake: simplify handling generated `lib1521.c` in libtests
• cmake: sync `target_link_libraries()` order in tests more
• cmake: sync tests scripts by using the variable `BUNDLE`
• cmake: sync tests scripts with each other and autotools (more)
• cmake: use `target_link_options()` when available
• connection: eliminate member `remote_addr`
• curl-config: fix whitespace in usage text
• curl.h: make CURL_IPRESOLVE_* symbols defined as longs
• curl.h: make CURLSSLOPT_* symbols defined as longs
• curl.h: remove the "RESERVED" error codes
• curl: implement non-blocking STDIN read on Windows
• curl: improve non-blocking STDIN performance
• curl_get_line: make sure lines end with newline
• curl_memory.h: fix to undefine `accept4`
• curl_path: make SFTP handle a path like /~ properly.
• curlinfo: provide the 'digest' feature
• CURLSHOPT_SHARE.md: mention multi-threading requires callbacks
• digest: fix build with disabled digest auth
• DISTROS: update NixOS link
• docs,tests: fix english grammar "allow to" -> "allow <something> to"
• docs/CONTRIBUTE: fix broken link
• docs/examples: add ftp-delete.c
• docs: beef up examples/websocket.c
• docs: fix broken link in CODE_REVIEW.md
• docs: fix broken link in INSTALL.md
• docs: fix docs for CURLOPT_PREQUOTE after #17616
• docs: fix documentation of connect_only 2
• docs: fix two typos
• docs: mention that the netrc file works without port numbers
• docs: reflect that delimiter-separated capath is only OpenSSL
• docs: warn about lifetime in CURLOPT_CLOSESOCKET*
• easy: fix comment-documentation
• easygetopt: fix curl logo in header comment
• firefox-db2pem: avoid use of eval in script
• ftp: fix prequotes for a directory in URL
• ftplistparser: split parse_unix into sub functions
• h2_serverpush: fix file handle leaks reported by clang-tidy
• http2: do not delay RST send on aborted transfer
• http: explicitly ignore parsing errors for Retry-After
• http: fix build with cookies and HSTS disabled
• http_ntlm: protect against null deref
• http_ntlm: remove unreachable code
• INSTALL.md: cygwin details and add source code link
• lib2082: drop `typedef struct`
• lib: address singleuse issues
• lib: avoid reusing unclean connection
• lib: drop two interim macros in favor of native libcurl API calls
• lib: fix unused parameter/function compiler warnings
• lib: make `CURLX_SET_BINMODE()` and use it
• lib: make `curlx_wait_ms()` and use it
• lib: replace scache no-op macros with `#ifdef`
• lib: unify recv/send function signatures
• libcurl-env.md: drop LOGNAME, USER and NTLMUSER
• libssh2: remove use of 'initialised' for cleanup
• libssh: de-complex myssh_statemach_act()
• libssh: fix readdir issues
• libtests: make test 1503,1504,1505 use the 1502 binary
• libtests: stop building the sames source multiple times
• memdebug.h: #undef `fclose` before defining it
• memdebug.h: eliminate global macro `CURL_MT_LOGFNAME_BUFSIZE`
• memdebug: include in unity batch
• memory: stop overriding unused `wcsdup()`/`_wcsdup()` system functions
• memory: tidy up `_tcsdup()` override
• mk-lib1521: replace `printf` with `curl_mprintf`
• multi: add dirty bitset
• multi: do no expire a blocked transfer
• multi: fix polling with pending input
• multi: remove careful bounds check as coverity says it is not needed
• multi: xfer table/bitset, handle limits
• ngtcp2: fix coverity warning about result handling
• openssl: enable readahead
• openssl: error on SSL_ERROR_SYSCALL
• openssl: fix handling of buffered data
• openssl: fix openssl engine use
• openssl: fix pkcs11 provider available check
• os400: upgrade ILE/RPG bindings with latest definitions.
• pingpong: on disconnect, check for unflushed pingpong state
• pytest test_07_70, weaken early data check
• pytest: adapt for runs with openssl-1.1.1
• pytest: disable test_07_37 and test_07_36 with openssl's quic
• quic: implement CURLINFO_TLS_SSL_PTR
• RELEASE-PROCEDURE.md: update docs/VERSIONS
• runtests.pl: fix sprintf() using one too many %s
• runtests: fix `LD_PRELOAD` detection for cmake-built curl binaries
• runtests: support memory-limits per test
• rustls: apply memory function overrides, fixing an ECH buffer free
• rustls: don't try printing the not provided file
• schannel: allow partial chains for manual peer verification
• schannel: drop Windows 2000 compatibility logic
• scorecard: flame graphs and documentation
• SCP/SFTP: avoid busy loop after EAGAIN
• system.h: remove some macros
• test1117: reduce write delays
• test1499: verify two chunked responses on reused connection
• test1596: let test pass after year 2036
• tests/client: drop autotools logic no longer necessary
• tests/client: use `curl_mfprintf()`
• tests/dnsd: read config from file
• tests/http/clients: drop hack and use `curl_setup.h` again
• tests/http/clients: move to tests/client
• tests/http/requirements: remove multipart
• tests/libtest: call `curlx_now_init()` for unit 1399, 2600 (Windows)
• tests/libtest: drop `TEST_HANG_TIMEOUT` redefinition hack
• tests/libtest: drop a checksrc exception
• tests/libtest: use `curltime` from curlx
• tests/server/util.c: include netinet/in6.h
• tests/server: de-dupe/merge three `sockdaemon()` clones into one
• tests/server: drop `memdebug.h`
• tests/server: make all global vars/funcs static
• tests/server: move memory init to `memptr.c`
• tests/servers.pm: add more ways to figure out current user
• tests: always make bundles, adapt build and tests
• tests: bundle http clients, de-dupe, enable for MSVC
• tests: constify, make consts static
• tests: drop `BUNDLE_SRC` variable
• tests: drop mk-bundle exceptions
• tests: drop unused or redundant includes
• tests: drop useless "nodist_SOURCES" assignments
• tests: fail torture if !valgrind&threaded resolver
• tests: fix 1301, 1308 to fail on error
• tests: fix `BUNDLE` variable references in `Makefile.am`
• tests: make all names < 75 characters long
• tests: make individual test sources compile cleanly
• tests: make sshserver less verbose
• tests: move `curlcheck.h` to libtest as `unitcheck.h`
• tests: move GSS-API dynamic stub into debug-mode libcurl
• tests: torture: don't duplicate valgrind command
• tests: use %b64[] to base64 data
• tests: use %b64[] to base64 data in 2056, 2057
• tftpd: use `CURLMIN()` macro
• tidy-up: replace `<memdebug.h>` with `"memdebug.h"` (src, units)
• tls: remove Curl_ssl false_start
• tool1621: drop unused internal libcurl headers
• tool_getparam: fix --ftp-pasv
• tool_operate: fix return code when --retry is used but not triggered
• top-complexity: lower max allowed complexity threshold to 90
• unit tests: extract "private" prototypes at build time
• unit1302: expand the base64 encode/decode tests
• url: fix connection lifetime checks
• url: fix NULL deref with bad password when no user is provided
• urlapi: simplify and split into sub functions
• urlapi: use uppercase hex encoding
• vauth: move auth structs to conn meta data
• vtls: change send/recv signatures of tls backends
• VULN-DISCLOSURE-POLICY.md: fix typos
• VULN-DISCLOSURE-POLICY: all reports should be disclosed
• VULN-DISCLOSURE-POLICY: exclude not installed software
• VULN-DISCLOSURE-POLICY: minor language polish
• warnless: drop parts of the `read`/`write` preprocessor hack (Windows)
• warnless: replace `read()`/`write()` wrapper functions with macros (Windows)
• windows: drop redundant `curl_wcsdup_callback` callback
• windows: fixup `fopen()` in `CURLDEBUG` builds
• windows: reduce/stop loading DLLs at runtime
• ws: drop redundant `CURL_EXTERN` from function definitions
• xfer: manage pause bits

Contributors:

4lan.m, afengsoft on github, albrechtd on github, Ameda Amahru, Bartosz Ruszczak, behindtheblackwall on hackerone, Bernhard M. Wiedemann, Brad Harder, Brian Harris, Calvin Ruocco, Carlos Henrique Lima Melara, Christian Hesse, Christian Weisgerber, Christopher Boyd, Dan Fandrich, Daniel Gustafsson, Daniel McCarney, Daniel Stenberg, defnull, DoI, Edwin Török, Eshan Kelkar, Ethan Alker, Fabrício Canedo, fjaell on github, hiimmat on github, Jeroen Ooms, Joel Depooter, John Haugabook, Karthik Dasari, Keno Fischer, Kirill Obukhov, Larry Campbell, Luca Kellermann, Marcel Lang, Marcel Raad, Markus Unterwaditzer, Michael Kaufmann, NINIKA, Orgad Shaneh, Patrick Monnerat, Piotr Nakraszewicz, Randall S. Becker, Ray Satiro, renovate[bot], Rod Widdowson, SC404, Stefan Eissing, Theodore A. Roth, Tristan Perrault, Viktor Szakats, Yedaya Katsman, z2_