Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-07-16.

Changes:

• TLS: remove support for Secure Transport and BearSSL

Bugfixes:

• asyn-ares: remove redundant NULL check
• asyn-thrdd: free the previous name before strdup'ing the new
• autotools: detect and link `brotlicommon` library for brotli
• autotools: drop `$top_builddir/src` from src header path
• autotools: drop headers from src mk-unity rules (fixup)
• autotools: drop no longer necessary `--srcdir` unity options
• autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src
• autotools: simplify configuration in tests, examples
• bufq: change read/write signatures
• bufq: remove the unused Curl_bufq_unwrite function
• build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in `curl/curl.h`)
• build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros
• build: drop explicit curlx from hdr paths, refer headers with `curlx/` prefix
• build: drop unused variables in tests
• build: fix libcurltool with cmake and tunits, related tidy-ups
• build: split `.c` and `.h` file lists in tests
• build: stop checking for `sys/stat.h`
• build: stubgss tidy-ups (in tests)
• build: sync build scripts between client/libtest
• build: tidy up `Makefile.inc` use in lib and src
• build: tidy up header paths, use srcdir where possible
• checksrc: reduce exceptions, apply again to curlx
• cmake: build `stubgss` library for libtests to match autotools
• cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS
• cmake: configure c-ares header directory in project root (was: lib)
• cmake: document OpenSSL and ngtcp2 crypto lib custom variables
• cmake: drop never propagated C macros
• cmake: drop passing redundant `CURL_STATICLIB` in examples and clients
• cmake: drop redundant macro from test clients
• cmake: drop reference to future variable
• cmake: enable soversion by default for OpenHarmony OS
• cmake: fix generator expression in docs/examples
• cmake: make docs depend on support files
• cmake: move `OUTPUT` argument in the `add_custom_command()` line
• cmake: omit clang-tidy on internal libs curlu and curltool
• cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues
• cmake: replace the way clang-tidy verifies tests, fix issues found
• cmake: simplify handling generated `lib1521.c` in libtests
• cmake: sync `target_link_libraries()` order in tests more
• cmake: sync tests scripts by using the variable `BUNDLE`
• cmake: sync tests scripts with each other and autotools (more)
• cmake: use `target_link_options()` when available
• connection: eliminate member `remote_addr`
• curl-config: fix whitespace in usage text
• curl.h: make CURLSSLOPT_* symbols defined as longs
• curl.h: remove the "RESERVED" error codes
• curl: implement non-blocking STDIN read on Windows
• curl: improve non-blocking STDIN performance
• curl_get_line: make sure lines end with newline
• curl_path: make SFTP handle a path like /~ properly.
• digest: fix build with disabled digest auth
• DISTROS: update NixOS link
• docs/examples: add ftp-delete.c
• docs: fix broken link in CODE_REVIEW.md
• docs: fix broken link in INSTALL.md
• docs: fix docs for CURLOPT_PREQUOTE after #17616
• docs: fix documentation of connect_only 2
• docs: mention that the netrc file works without port numbers
• docs: reflect that delimiter-separated capath is only OpenSSL
• easy: fix comment-documentation
• firefox-db2pem: avoid use of eval in script
• ftp: fix prequotes for a directory in URL
• ftplistparser: split parse_unix into sub functions
• h2_serverpush: fix file handle leaks reported by clang-tidy
• http2: do not delay RST send on aborted transfer
• http: explicitly ignore parsing errors for Retry-After
• http: fix build with cookies and HSTS disabled
• http_ntlm: protect against null deref
• http_ntlm: remove unreachable code
• INSTALL.md: cygwin details and add source code link
• lib2082: drop `typedef struct`
• lib: address singleuse issues
• lib: avoid reusing unclean connection
• lib: make `CURLX_SET_BINMODE()` and use it
• lib: make `curlx_wait_ms()` and use it
• lib: replace scache no-op macros with `#ifdef`
• lib: unify recv/send function signatures
• libcurl-env.md: drop LOGNAME, USER and NTLMUSER
• libssh: de-complex myssh_statemach_act()
• libtests: make test 1503,1504,1505 use the 1502 binary
• libtests: stop building the sames source multiple times
• memdebug: include in unity batch
• mk-lib1521: replace `printf` with `curl_mprintf`
• multi: add dirty bitset
• multi: do no expire a blocked transfer
• multi: fix polling with pending input
• multi: xfer table/bitset, handle limits
• openssl: enable readahead
• openssl: error on SSL_ERROR_SYSCALL
• openssl: fix handling of buffered data
• openssl: fix openssl engine use
• pingpong: on disconnect, check for unflushed pingpong state
• pytest test_07_70, weaken early data check
• pytest: adapt for runs with openssl-1.1.1
• pytest: disable test_07_37 and test_07_36 with openssl's quic
• RELEASE-PROCEDURE.md: update docs/VERSIONS
• runtests.pl: fix sprintf() using one too many %s
• runtests: fix `LD_PRELOAD` detection for cmake-built curl binaries
• rustls: don't try printing the not provided file
• schannel: allow partial chains for manual peer verification
• schannel: drop Windows 2000 compatibility logic
• SCP/SFTP: avoid busy loop after EAGAIN
• system.h: remove some macros
• test1117: reduce write delays
• test1596: let test pass after year 2036
• tests/client: drop autotools logic no longer necessary
• tests/client: use `curl_mfprintf()`
• tests/dnsd: read config from file
• tests/http/clients: drop hack and use `curl_setup.h` again
• tests/http/clients: move to tests/client
• tests/libtest: call `curlx_now_init()` for unit 1399, 2600 (Windows)
• tests/libtest: drop `TEST_HANG_TIMEOUT` redefinition hack
• tests/libtest: drop a checksrc exception
• tests/libtest: use `curltime` from curlx
• tests/server/util.c: include netinet/in6.h
• tests/server: de-dupe/merge three `sockdaemon()` clones into one
• tests/server: drop `memdebug.h`
• tests/server: make all global vars/funcs static
• tests/server: move memory init to `memptr.c`
• tests/servers.pm: add more ways to figure out current user
• tests: always make bundles, adapt build and tests
• tests: bundle http clients, de-dupe, enable for MSVC
• tests: constify, make consts static
• tests: drop `BUNDLE_SRC` variable
• tests: drop mk-bundle exceptions
• tests: drop unused or redundant includes
• tests: drop useless "nodist_SOURCES" assignments
• tests: fail torture if !valgrind&threaded resolver
• tests: fix `BUNDLE` variable references in `Makefile.am`
• tests: make individual test sources compile cleanly
• tests: make sshserver less verbose
• tests: torture: don't duplicate valgrind command
• tests: use %b64[] to base64 data
• tests: use %b64[] to base64 data in 2056, 2057
• tftpd: use `CURLMIN()` macro
• tidy-up: replace `<memdebug.h>` with `"memdebug.h"` (src, units)
• tls: remove Curl_ssl false_start
• tool_getparam: fix --ftp-pasv
• tool_operate: fix return code when --retry is used but not triggered
• top-complexity: lower max allowed complexity threshold to 90
• unit1302: expand the base64 encode/decode tests
• url: fix connection lifetime checks
• url: fix NULL deref with bad password when no user is provided
• urlapi: simplify and split into sub functions
• urlapi: use uppercase hex encoding
• vauth: move auth structs to conn meta data
• vtls: change send/recv signatures of tls backends
• VULN-DISCLOSURE-POLICY: all reports should be disclosed
• VULN-DISCLOSURE-POLICY: exclude not installed software
• warnless: drop parts of the `read`/`write` preprocessor hack (Windows)
• warnless: replace `read()`/`write()` wrapper functions with macros (Windows)
• windows: fixup `fopen()` in `CURLDEBUG` builds
• windows: reduce/stop loading DLLs at runtime
• xfer: manage pause bits

Contributors:

4lan.m, Bartosz Ruszczak, behindtheblackwall on hackerone, Bernhard M. Wiedemann, Brad Harder, Brian Harris, Calvin Ruocco, Carlos Henrique Lima Melara, Christian Weisgerber, Christopher Boyd, Dan Fandrich, Daniel Gustafsson, Daniel McCarney, Daniel Stenberg, DoI, Edwin Török, Ethan Alker, Fabrício Canedo, fjaell on github, hiimmat on github, Jeroen Ooms, Joel Depooter, John Haugabook, Keno Fischer, Kirill Obukhov, Marcel Raad, Michael Kaufmann, NINIKA, Orgad Shaneh, Randall S. Becker, Ray Satiro, renovate[bot], Rod Widdowson, SC404, Stefan Eissing, Theodore A. Roth, Tristan Perrault, Viktor Szakats, Yedaya Katsman, z2_