authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 09:59:16 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 09:59:16 +0000
commitabd376d1e24e6665ef3662eb23ad76adadf78f72 (patch)
treeec7213f75b7e8c9cdbb4d335ed9ca7c11aae6f5f /debian
parentAdding upstream version 2.2.27. (diff)
Adding debian version 2.2.27-2+deb11u2.debian/2.2.27-2+deb11u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r--debian/NEWS38
-rw-r--r--debian/Xsession.d/90gpg-agent22
-rw-r--r--debian/changelog2528
-rw-r--r--debian/clean9
-rw-r--r--debian/control504
-rw-r--r--debian/copyright253
-rw-r--r--debian/dirmngr.NEWS49
-rw-r--r--debian/dirmngr.README.Debian47
-rw-r--r--debian/dirmngr.docs5
-rw-r--r--debian/dirmngr.install6
-rw-r--r--debian/dirmngr.maintscript5
-rw-r--r--debian/dirmngr.manpages2
-rw-r--r--debian/gbp.conf38
-rw-r--r--debian/gnupg-l10n.install3
-rw-r--r--debian/gnupg-l10n.lintian-overrides2
-rw-r--r--debian/gnupg-utils.install11
-rw-r--r--debian/gnupg-utils.manpages11
-rw-r--r--debian/gnupg.README.Debian44
-rw-r--r--debian/gnupg.docs4
-rw-r--r--debian/gnupg.info3
-rw-r--r--debian/gnupg.manpages1
-rw-r--r--debian/gnupg2.links2
-rw-r--r--debian/gpg-agent.NEWS19
-rw-r--r--debian/gpg-agent.README.Debian82
-rw-r--r--debian/gpg-agent.examples2
-rw-r--r--debian/gpg-agent.install11
-rw-r--r--debian/gpg-agent.links2
-rw-r--r--debian/gpg-agent.lintian-overrides3
-rw-r--r--debian/gpg-agent.logcheck.ignore.server11
-rw-r--r--debian/gpg-agent.manpages3
-rw-r--r--debian/gpg-check-pattern.136
-rw-r--r--debian/gpg-wks-client.install1
-rw-r--r--debian/gpg-wks-client.lintian-overrides2
-rw-r--r--debian/gpg-wks-client.manpages1
-rw-r--r--debian/gpg-wks-server.install1
-rw-r--r--debian/gpg-wks-server.manpages1
-rw-r--r--debian/gpg-zip.1106
-rw-r--r--debian/gpg.install1
-rw-r--r--debian/gpg.manpages1
-rw-r--r--debian/gpgcompose.156
-rw-r--r--debian/gpgconf.examples1
-rw-r--r--debian/gpgconf.install3
-rw-r--r--debian/gpgconf.manpages2
-rw-r--r--debian/gpgsm.install1
-rw-r--r--debian/gpgsm.manpages1
-rw-r--r--debian/gpgsplit.141
-rw-r--r--debian/gpgv-static.132
-rw-r--r--debian/gpgv-static.install1
-rw-r--r--debian/gpgv-static.lintian-overrides3
-rw-r--r--debian/gpgv-static.manpages1
-rw-r--r--debian/gpgv-udeb.install1
-rw-r--r--debian/gpgv-win32.install1
-rw-r--r--debian/gpgv.install1
-rw-r--r--debian/gpgv.manpages1
-rw-r--r--debian/gpgv2.links2
-rw-r--r--debian/kbxutil.162
-rw-r--r--debian/lspgpot.122
-rwxr-xr-xdebian/migrate-pubring-from-classic-gpg108
-rw-r--r--debian/migrate-pubring-from-classic-gpg.194
-rw-r--r--debian/not-installed2
-rw-r--r--debian/org.gnupg.scdaemon.metainfo.xml53
-rw-r--r--debian/package-dependencies.dot73
-rw-r--r--debian/patches/Make-gpg-zip-use-tar-from-PATH.patch27
-rw-r--r--debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch71
-rw-r--r--debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch89
-rw-r--r--debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch48
-rw-r--r--debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch47
-rw-r--r--debian/patches/debian-packaging/avoid-beta-warning.patch44
-rw-r--r--debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch39
-rw-r--r--debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch29
-rw-r--r--debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch47
-rw-r--r--debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch230
-rw-r--r--debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch81
-rw-r--r--debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch50
-rw-r--r--debian/patches/from-master/gpg-default-to-3072-bit-keys.patch91
-rw-r--r--debian/patches/from-master/gpg-default-to-AES-256.patch35
-rw-r--r--debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch84
-rw-r--r--debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch26
-rw-r--r--debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch101
-rw-r--r--debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch191
-rw-r--r--debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch49
-rw-r--r--debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch32
-rw-r--r--debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch106
-rw-r--r--debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch201
-rw-r--r--debian/patches/series24
-rw-r--r--debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch64
-rw-r--r--debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch46
-rwxr-xr-xdebian/rules90
-rw-r--r--debian/scdaemon.examples1
-rw-r--r--debian/scdaemon.install2
-rw-r--r--debian/scdaemon.lintian-overrides2
-rw-r--r--debian/scdaemon.manpages1
-rw-r--r--debian/scdaemon.udev69
-rw-r--r--debian/simplified-package-dependencies.dot43
-rw-r--r--debian/source/format1
-rw-r--r--debian/source/lintian-overrides2
-rwxr-xr-xdebian/systemd-environment-generator/90gpg-agent21
-rw-r--r--debian/tests/control11
-rwxr-xr-xdebian/tests/gpgv-win3234
-rwxr-xr-xdebian/tests/migration20
-rw-r--r--debian/tests/simple-tests34
-rw-r--r--debian/upstream/signing-key.asc77
-rw-r--r--debian/watch5
103 files changed, 6697 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..2a30631
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,38 @@
+gnupg2 (2.2.27-2) unstable; urgency=medium
+
+ Starting with version 2.2.27-1, per-user configuration of the GnuPG
+ suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options
+ is no longer in use. Please rename the file if necessary, or move
+ its contents to the new location.
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 22 Apr 2021 20:37:45 +0200
+
+gnupg2 (2.2.17-1) unstable; urgency=medium
+
+ Upstream GnuPG now defaults to not accepting third-party certifications
+ from the keyserver network. Given that the SKS keyserver network is
+ under attack via certificate flooding, and third-party certifications
+ will not be accepted anyway, we now ship with the more tightly-constrained
+ and abuse-resistant system hkps://keys.openpgp.org as the default
+ keyserver.
+
+ Users with bandwidth to spare who want to try their luck with the SKS
+ pool should add the following line to ~/.gnupg/dirmngr.conf to revert to
+ upstream's default keyserver:
+
+ keyserver hkps://hkps.pool.sks-keyservers.net
+
+ See the 2.2.17 section in the upstream NEWS file at
+ /usr/share/doc/gnupg/NEWS.gz for more information about fully
+ reverting to the old, risky behavior.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jul 2019 22:12:07 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ The gnupg package now provides the "modern" version of GnuPG.
+
+ Please read /usr/share/doc/gnupg/README.Debian for details about the
+ transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/debian/Xsession.d/90gpg-agent b/debian/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..8b45b05
--- /dev/null
+++ b/debian/Xsession.d/90gpg-agent
@@ -0,0 +1,22 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)). This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs agent-socket)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+fi
+
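Review bot: The `gpgconf --list-dirs` output is exported unchecked and unquoted, so when gpgconf is absent or fails the session still gets `GPG_AGENT_INFO=:0:1`, and a socket path containing whitespace may be split by shells that field-split `export` arguments. Since this fragment is sourced into session startup (and, presumably, the installed file can outlive the gpgconf binary), a failed lookup should leave the environment untouched rather than point ssh and older gpg clients at a bogus agent path. I would write `agent_sock=$(gpgconf --list-dirs agent-socket 2>/dev/null) || agent_sock=` followed by `[ -z "$agent_sock" ] || export GPG_AGENT_INFO="${agent_sock}:0:1"`, and quote the second export as `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"`. The `|| agent_sock=` form also keeps a failing command substitution from aborting the caller if it runs under `set -e`.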
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..0a4a041
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2528 @@
+gnupg2 (2.2.27-2+deb11u2) bullseye-security; urgency=high
+
+ * fix broken status line (Closes: #1014157)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jul 2022 03:03:46 -0400
+
+gnupg2 (2.2.27-2+deb11u1) bullseye; urgency=medium
+
+ [ Raphaƫl Hertzog ]
+ * Avoid network interaction in generator. Closes: #993578
+
+ [ Christoph Biedl ]
+ * Backport "Scd: Fix CCID driver for SCM SPR332/SPR532". Closes: #982546
+
+ [ Daniel Kahn Gillmor ]
+ * update git to point to debian/bullseye branch
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Jan 2022 14:46:11 -0500
+
+gnupg2 (2.2.27-2) unstable; urgency=medium
+
+ * Add a NEWS entry about the end of support for ~/.gnupg/options.
+ Closes: #985158
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 22 Apr 2021 20:40:36 +0200
+
+gnupg2 (2.2.27-1) unstable; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * New upstream release.
+
+ [ Christoph Biedl ]
+ * Tighten libgcrypt and libksba dependency
+
+ [ Daniel Kahn Gillmor ]
+ * change debian packaging branch name to debian/main
+ * refresh patches using gbp pq
+ * point to upstream commit used to improve spawning reliability
+ * Refresh 3072-bit default patch
+ * standards-version: bump to 4.5.1 (no changes needed)
+ * dh: bump to dh 13
+ * clean up lintian overrides
+ * fully drop symcryptrun
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Feb 2021 17:57:00 -0500
+
+gnupg2 (2.2.26-1) UNRELEASED; urgency=medium
+
+ [ Jeremiah C. Foster ]
+ * debian/scdaemon.udev: Add an entry for Librem Key.
+
+ [ NIIBE Yutaka ]
+ * New upstream release.
+ * refresh patches.
+ * debian/rules: Add build for regexp.
+ * debian/gnupg-utils.install: Remove /usr/bin/symcryptrun.
+ Fix for gpgsplit, which is changed in upstream from 'noinst'.
+ * debian/patches/gpg-change-agent-spawn-2019-07-24-v2.patch: New patch to
+ fix a race condition, backported from master (Closes: #868550, #972525).
+ * debian/scdaemon.udev: Add a generic entry for "Gnuk Token" and another
+ for GnuPG e.V.
+ * org.gnupg.scdaemon.metainfo.xml: Add an entry for GnuPG e.V.
+
+ -- NIIBE Yutaka <gniibe@fsij.org> Thu, 07 Jan 2021 09:07:21 +0900
+
+gnupg2 (2.2.20-1) unstable; urgency=medium
+
+ * New upstream release
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Mar 2020 15:05:13 -0400
+
+gnupg2 (2.2.19-3) unstable; urgency=medium
+
+ * d/copyright update years
+ * Avoid errors in systemd environment generator (Closes: #950836)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 09 Mar 2020 14:27:42 -0400
+
+gnupg2 (2.2.19-2) unstable; urgency=medium
+
+ * clarify that keys.openpgp.org is a debian-specific
+ choice for default keyserver
+ * Standards-version: bump to 4.5.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Feb 2020 17:35:36 -0500
+
+gnupg2 (2.2.19-1) unstable; urgency=medium
+
+ * New upstream release
+
+ [ Roger Shimizu ]
+ * d/control: Update Build-Depends: libgpg-error-dev (>= 1.35)
+
+ [ Daniel Kahn Gillmor ]
+ * clean up unnecessary whitespace
+ * Ship identifiers for Librem Key (Closes: #932474)
+ * drop extra systemd user service links (Closes: #931954)
+ * update signing key for Werner
+ * fixup patch
+ * drop patches already upstream
+ * refresh patches
+ * cherry-pick fix from upstream
+ * dirmngr-idling: add some commentary about dns housekeeping
+ * bump standards-version to 4.4.1 (no changes needed)
+ * sort scdaemon metainfo.xml modalias
+ * announce librem key in scdaemon metainfo.xml
+ * add lintian overrides for executables shipped by upstream in /usr/lib/gnupg/
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 08 Jan 2020 10:33:12 -0500
+
+gnupg2 (2.2.17-3) unstable; urgency=medium
+
+ * avoid data loss when using keyservers (see https://dev.gnupg.org/T4628)
+ * avoid O(N^2) operations when listing certificates with many sigs
+ * d/tests/gpgv-win32: make more robust
+ * avoid system CAs for HKPS pool
+ * build-depend on gpgrt-tools for yat2m
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 Jul 2019 20:20:39 -0400
+
+gnupg2 (2.2.17-2) unstable; urgency=medium
+
+ * d/tests/gpgv-win32: depend directly on wine32 (Closes: #905563)
+ * d/tests/gpgv-win32: by default pinentry-mode loopback is allowed upstream
+ * migrate-pubring-from-classic-gpg: make more robust (Closes: #931385)
+ * migrate-pubring-from-classic-gpg: always pass --homedir and --batch
+ * added test of migration script
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 13 Jul 2019 21:36:24 -0400
+
+gnupg2 (2.2.17-1) unstable; urgency=medium
+
+ * New upstream release
+ * upload to unstable, since buster is released
+
+ [ kwadronaut ]
+ * Specify what new and old keyrings are in migration script
+
+ [ Daniel Kahn Gillmor ]
+ * drop unnecessary patches, including broken patch for printing
+ revocation certificates
+ * use DEP-14 for debian/master
+ * refresh and reorganize patches
+ * only use Kristian's CA for the SKS HKPS pool
+ * switch to hkps://keys.openpgp.org as the default keyserver
+ * added NEWS entry about move to keys.openpgp.org
+ * Standards-Version: bump to 4.4.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jul 2019 22:09:21 -0400
+
+gnupg2 (2.2.16-2) experimental; urgency=medium
+
+ * fix HKPS redirections
+ * drop dh_missing --fail-missing (Closes: #930042)
+ * enable cert update without uids (Closes: #930665)
+ * fix upstream spelling of 'arbitrary'
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 Jun 2019 12:59:57 -0400
+
+gnupg2 (2.2.16-1) experimental; urgency=medium
+
+ * clean up logcheck rules for gpg-agent (Closes: #918466)
+ * drop patches already upstream
+ * refresh patches
+ * use upstream manpages for gpg-wks-{client,server} (Closes: #918586)
+ * use distributed form of gpgtar, not build/tools/gpgtar
+ * gnupg: ship every doc that upstream ships
+ * gnupg-l10n: ship basic help.txt as well
+ * explicitly avoid shipping gpgscm without the Scheme library
+ * use dh_missing --fail-missing to catch unshipped files
+ * gbp-import filter: drop m4/iconv.m4 as well
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 May 2019 20:13:01 -0400
+
+gnupg2 (2.2.15-1) experimental; urgency=medium
+
+ * new upstream release (still in experimental, due to freeze)
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 01 Apr 2019 09:56:09 -0400
+
+gnupg2 (2.2.14-1) experimental; urgency=medium
+
+ * new upstream release (to experimental, due to freeze)
+ * drop patches already upstream
+ * refresh remaining patches
+ * move to debhelper 12
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Mar 2019 07:19:50 -0400
+
+gnupg2 (2.2.13-2) unstable; urgency=medium
+
+ * Correct gpg-wks-server manpage (Closes: #927431) Thanks, ju xor!
+ * Fix handling private keys with comments (Closes: #928963, #928964)
+ * clean up logcheck rules for gpg-agent (Closes: #918466)
+ * Update gpg-wks-client.1 (Closes: #918586)
+ * cherry-pick more patches from upstream STABLE-BRANCH-2-2
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 14 May 2019 02:08:47 -0400
+
+gnupg2 (2.2.13-1) unstable; urgency=medium
+
+ * New upstream release (Closes: #919856)
+
+ [ Roger Shimizu ]
+ * add some simple tests for gpg{,v}. Thanks to Julian Andres Klode
+ (Closes: #920892).
+
+ [ Daniel Kahn Gillmor ]
+ * refresh patches
+ * cherry-pick fixes from upstream STABLE-BRANCH-2-2
+ * Standards-Version: bump to 4.3.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 02 Mar 2019 11:50:15 -0500
+
+gnupg2 (2.2.12-1) unstable; urgency=medium
+
+ * New upstream release
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 Dec 2018 20:17:16 -0500
+
+gnupg2 (2.2.11-1) unstable; urgency=medium
+
+ * new upstream release
+ * refresh patches
+ * refresh upstream/signing-key.asc
+ * deprecate gpg-zip
+ * gnupg-utils: ship gpgtar, since gpg-zip is deprecated
+ * Make gpg-zip use tar from $PATH (Closes: #913582)
+ * fix spelling mistakes in tools documentation
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 18 Nov 2018 17:38:30 -0500
+
+gnupg2 (2.2.10-3) unstable; urgency=medium
+
+ [ Bjarni Ingi Gislason ]
+ * clean up nroff for gpg-check-pattern.1 (Closes: #900247)
+
+ [ Daniel Kahn Gillmor ]
+ * backport fix for subkey binding sigs
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Oct 2018 11:36:01 -0400
+
+gnupg2 (2.2.10-2) unstable; urgency=medium
+
+ * import upstream minor bugfixes
+ * wrap-and-sort -ast
+ * actually ship gpgcompose in gnupg-utils
+ * drop debian/source/options (thanks, Lintian!)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 30 Sep 2018 11:40:42 -0500
+
+gnupg2 (2.2.10-1) unstable; urgency=medium
+
+ * new upstream maintenance release
+ * drop patches already upstream
+ * refresh patches
+ * Standards-Version: bump to 4.2.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Aug 2018 11:57:15 -0400
+
+gnupg2 (2.2.9-2) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * spell Tor correctly (Closes: #895398)
+ * Standards-Version: bump to 4.2.0 (no changes needed)
+ * corrected license in AppStream file
+ * standardize udev rules for Yubikey USB devices and claim them in AppStream
+ * from upstream: s2k bugfix, support for Trustica Cryptoucan
+ * Claim Trustica Cryptoucan via AppStream
+
+ [ JiÅ™Ć­ KeresteÅ” ]
+ * udev rule for Trustica Cryptoucan
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 Aug 2018 09:48:15 -0400
+
+gnupg2 (2.2.9-1) unstable; urgency=medium
+
+ * New upstream release
+ * Standards-Version: bump to 4.1.5 (no changes needed)
+ * drop patches already upstream
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Jul 2018 14:02:31 -0400
+
+gnupg2 (2.2.8-3) unstable; urgency=medium
+
+ * Ensure arch: all gnupg package supports binMNUs
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 21 Jun 2018 12:18:14 -0400
+
+gnupg2 (2.2.8-2) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * import bugfixes and improvements from upstream/STABLE-BRANCH-2-2
+ * ensure that revocation certificates show up in --show-keys output
+ (see 7c79bf7f71aa594102cb684b0abd8331bdac4608)
+ * try passing not explicit paths to wine for the gpgv-win32 test
+ * d/copyright: clarify debian/* licensing
+ * convert gnupg metapackage to Architecture: all
+
+ [ Giovanni Mascellani ]
+ * avoid parallel tests on riscv64 (Closes: #901646)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Jun 2018 06:56:09 -0400
+
+gnupg2 (2.2.8-1) unstable; urgency=medium
+
+ * New upstream release
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Jun 2018 10:08:36 -0400
+
+gnupg2 (2.2.7-1) unstable; urgency=medium
+
+ * new upstream release
+ * update/refresh patches, improve patch description
+ * bump standards-version to 4.1.4 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 23 May 2018 11:50:27 -0400
+
+gnupg2 (2.2.5-1) unstable; urgency=medium
+
+ * New upstream release
+ * d/gbp.conf: use DEP-14 branch naming
+ * d/control: declare Rules-Requires-Root: no
+ * drop patches already applied upstream
+ * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 Feb 2018 14:20:18 -0800
+
+gnupg2 (2.2.4-3) unstable; urgency=medium
+
+ * version build-deps on mingw library toolchain (Closes: #889921)
+ * drop misbehaving upstream scd patch (Closes: #889751)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 09 Feb 2018 13:51:35 -0500
+
+gnupg2 (2.2.4-2) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * move to debhelper 11
+ * d/control: move Vcs to salsa
+ * import more bugfixes and hardware from upstream
+
+ [ Helge Deller ]
+ * Fix FTBFS on hppa (Closes: #887843)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Feb 2018 23:07:21 -0500
+
+gnupg2 (2.2.4-1) unstable; urgency=medium
+
+ * New upstream release
+ * do not use uupdate (we use gbp-import-orig)
+ * dirmngr: cannot avoid idling in current arrangement
+ * adjusting fixes to gpgsm defaults
+ * prefer SHA-512 specifically on personal-digest-preferences.
+ * refresh patches
+ * Standards-Version: bump to 4.1.3 (no changes needed)
+ * drop unnecessary lintian override
+ * reflect actual requirement for libassuan
+ * import bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Jan 2018 12:43:40 -0500
+
+gnupg2 (2.2.3-1) unstable; urgency=medium
+
+ * New upstream release
+ * refreshed patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Nov 2017 19:06:35 -0500
+
+gnupg2 (2.2.2-1) unstable; urgency=medium
+
+ * new upstream release.
+ * avoid testsuite delays from excess socket waiting
+ * clean up trailing whitespace in debian/{rules,changelog}
+ * drop patches already upstream
+ * refresh remaining patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 08 Nov 2017 20:09:33 +0100
+
+gnupg2 (2.2.1-5) unstable; urgency=medium
+
+ * block ptrace on scdaemon as well as gpg-agent (Closes: #878952)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 27 Oct 2017 01:43:20 -0400
+
+gnupg2 (2.2.1-4) unstable; urgency=medium
+
+ * restore lintian override, because ftp-master isn't yet running lintian
+ 2.5.55 (see #877999 for more details)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Oct 2017 02:33:36 -0400
+
+gnupg2 (2.2.1-3) unstable; urgency=medium
+
+ * bugfix for multiple keyrings (Closes: #878812)
+ * drop an unnecessary lintian override
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Oct 2017 00:23:41 -0400
+
+gnupg2 (2.2.1-2) unstable; urgency=medium
+
+ * adopt bugfixes and documentation improvements from upstream
+ * reorganize debian/patches for simpler maintenance
+ * move gnupg-l10n to Section: localization
+ * Standards-Version: bump to 4.1.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 Oct 2017 10:05:45 -0400
+
+gnupg2 (2.2.1-1) unstable; urgency=medium
+
+ * New upstream release
+ * drop patches already applied upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 19 Sep 2017 08:26:26 -0400
+
+gnupg2 (2.2.0-3) unstable; urgency=medium
+
+ * avoid FTBFS when TZ=UTC-12 (Closes: #874617)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Sep 2017 02:10:02 -0400
+
+gnupg2 (2.2.0-2) unstable; urgency=medium
+
+ * dirmngr and gpgv-static are Multi-arch: foreign (Closes: #874111)
+ * update to stronger cryptographic defaults.
+ * use upstream gpg-agent-browser.socket systemd user service
+ * publish SSH_AUTH_SOCK for wayland users (Closes: #855868)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 07 Sep 2017 19:20:35 -0400
+
+gnupg2 (2.2.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * drop patches already upstream
+ * scdaemon: bugfix from upstream for large ECC keys
+ * Standards-Version: bump to 4.1.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 06 Sep 2017 13:10:28 -0400
+
+gnupg2 (2.1.23-2) unstable; urgency=medium
+
+ * add openssh-client to build-deps for testing
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 13 Aug 2017 22:48:23 -0400
+
+gnupg2 (2.1.23-1) unstable; urgency=medium
+
+ * New upstream release
+ * move to unstable
+ * refresh patches
+ * keep default --no-auto-key-retrieve
+ * Standards-Version: 4.0.1 (Priority: extra -> optional)
+ * run tests in parallel
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 Aug 2017 09:56:05 -0400
+
+gnupg2 (2.1.22-1) experimental; urgency=medium
+
+ * New upstream release
+ * refreshed patches
+ * pulled a few bugfix patches from upstream
+ * simplify systemd user units
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 07 Aug 2017 01:17:19 -0400
+
+gnupg2 (2.1.21-4) experimental; urgency=medium
+
+ * package reorganization:
+ - new package 'gpg' is just for public key operations
+ - 'gnupg' package is the full suite
+ - 'gnupg-agent' package is renamed to 'gpg-agent'
+ - 'gpgconf' is a base package, other packages depend on it
+ - 'gnupg-utils' are a grab-bag of helper tools that may be useful
+ * scdaemon: add AppStream metainfo about supported smartcards
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Jul 2017 12:50:55 -0400
+
+gnupg2 (2.1.21-3) experimental; urgency=medium
+
+ * include upstream bugfixes and improvements (Closes: #863221)
+ * build gpgcompose, ship new gpgcompose binary package
+ * upgrade to debhelper 10
+ * upgrade to Standards-Version 4.0.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 11 Jun 2017 01:50:30 +0200
+
+gnupg2 (2.1.21-2) experimental; urgency=medium
+
+ [ Stefan BĆ¼hler ]
+ * Create WKS server and client packages
+
+ [ Daniel Kahn Gillmor ]
+ * minor packaging cleanups
+ * more upstream bugfix and cleanup patches
+ * rename WKS packages to match the tool names
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 May 2017 18:02:46 -0400
+
+gnupg2 (2.1.21-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop patches alread yupstream, refresh patches
+ * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 May 2017 22:42:20 -0400
+
+gnupg2 (2.1.20-4) experimental; urgency=medium
+
+ * avoid shipping or trying to use .skel files
+ * more bugfixes from upstream
+ * skip missing signing keys (Closes: #834922)
+ * prefer available smartcard
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 10 May 2017 14:59:02 -0400
+
+gnupg2 (2.1.20-3) experimental; urgency=medium
+
+ * more upstream bugfixes (Closes: #858400)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 07 Apr 2017 11:36:51 -0400
+
+gnupg2 (2.1.20-2) experimental; urgency=medium
+
+ * more bugfix patches from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Apr 2017 11:21:24 -0400
+
+gnupg2 (2.1.20-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop patches already upstream, refresh patches
+ * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Apr 2017 11:43:09 -0400
+
+gnupg2 (2.1.19-3) experimental; urgency=medium
+
+ * more patches from usptream
+ - test suite should now use /tmp and not require /run/user/
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 Mar 2017 12:34:47 -0400
+
+gnupg2 (2.1.19-2) experimental; urgency=medium
+
+ * more patches from upstream (Closes: #854829)
+ * add verbose=3 to the test suite as requested by upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 Mar 2017 14:05:46 -0400
+
+gnupg2 (2.1.19-1) experimental; urgency=medium
+
+ * New upstream release (Closes: #854359)
+ * many post-release bugfixes from upstream
+ * add logcheck filters for gpg-agent (Closes: #856438)
+ * Upload to experimental due to the freeze
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 16 Mar 2017 12:47:40 -0400
+
+gnupg2 (2.1.18-6) unstable; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * scdaemon: Fix duplicated entries (Closes: #855056).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 19:29:34 -0500
+
+gnupg2 (2.1.18-5) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
+ invocations for socket names.
+
+ [ NIIBE Yutaka ]
+ * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
+ * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 09:15:07 -0500
+
+gnupg2 (2.1.18-4) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * document that debian disables --allow-version-check
+ * docs, debugging, and bugfix patches from upstream (Closes: #852979)
+
+ [ NIIBE Yutaka ]
+ * scdaemon bugfixes
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 04 Feb 2017 22:03:26 -0500
+
+gnupg2 (2.1.18-3) unstable; urgency=medium
+
+ * fix searches for keys with raw addr-spec
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 25 Jan 2017 16:58:56 -0500
+
+gnupg2 (2.1.18-2) unstable; urgency=medium
+
+ * pull fixes from upstream (including a double-free in gpg-agent)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 25 Jan 2017 09:29:25 -0500
+
+gnupg2 (2.1.18-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 23:12:35 -0500
+
+gnupg2 (2.1.17-6) unstable; urgency=medium
+
+ * Upstream patches, fixing unnecessary delay in gpg-agent (Closes: #851298)
+ * gpg-agent: avoid race in shutdown (Closes: #841143)
+ * improve dirmngr, gpg-agent README.Debian (Closes: #850982)
+ * clean up gpg-agent-idling patch
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 18 Jan 2017 14:40:41 -0500
+
+gnupg2 (2.1.17-5) unstable; urgency=medium
+
+ * more fixes from upstream (improving but not yet closing: #849845)
+ * gpg-agent: actively poll when shutdown is pending. Thanks, NIIBE
+ Yutaka! (addresses but does not close #841143)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2017 15:44:57 -0500
+
+gnupg2 (2.1.17-4) unstable; urgency=medium
+
+ * more patches from upstream, including dirmngr debugging
+ improvements
+ * resolve ambiguity in aliased options and commands (Closes: #850475)
+ * auto-enable gpg-agent and dirmngr for systemd user sessions
+ * enable easy reloads from systemd
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 Jan 2017 17:30:08 -0500
+
+gnupg2 (2.1.17-3) unstable; urgency=medium
+
+ * more bugfixes from upstream (improving but not yet closing: #849845)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 03 Jan 2017 15:39:52 -0500
+
+gnupg2 (2.1.17-2) unstable; urgency=medium
+
+ * include patches from upstream to avoid build failures on 32-bit
+ arches.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 18:11:51 -0500
+
+gnupg2 (2.1.17-1) unstable; urgency=medium
+
+ * new upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 15:39:04 -0500
+
+gnupg2 (2.1.16-3) unstable; urgency=medium
+
+ * remove -pie from hppa, kfreebsd-amd64, and x32 builds of
+ gpgv-static (Closes: #846889)
+ * import several upstream bugfix patches (Closes: #846834, #846168)
+ * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Dec 2016 15:34:49 -0500
+
+gnupg2 (2.1.16-2) unstable; urgency=medium
+
+ * avoid using adns, due to lack of security support (Closes: #845078)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 21 Nov 2016 09:57:26 -0500
+
+gnupg2 (2.1.16-1) unstable; urgency=medium
+
+ * New upstream version
+ * dropped many patches already incorporated upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 20 Nov 2016 23:22:49 -0500
+
+gnupg2 (2.1.15-9) unstable; urgency=medium
+
+ * Introduce gpgv-static package (Closes: #806940)
+ * more patches from upstream
+ * use adns for better DNS resolution in dirmngr
+ * add some import-options to
+ migrate-pubring-from-classic-gpg for better migration
+ * reorganize patches to distinguish debian variations from upstream
+ * set simple and easy defaults for keyservers
+ * help dirmngr and gpg-agent idle better in the default case
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Nov 2016 07:28:16 -0800
+
+gnupg2 (2.1.15-8) unstable; urgency=medium
+
+ * rename gpg-agent-restricted.socket to gpg-agent-extra.socket
+ (for symmetry with option names and actual sockets created)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Oct 2016 13:54:53 -0400
+
+gnupg2 (2.1.15-7) unstable; urgency=medium
+
+ * more upstream patches
+ * dirmngr systemd user service is now socket-activated.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Oct 2016 12:48:15 -0400
+
+gnupg2 (2.1.15-6) unstable; urgency=medium
+
+ * more upstream patches (Closes: #841437, #840680)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Oct 2016 17:44:20 -0400
+
+gnupg2 (2.1.15-5) unstable; urgency=medium
+
+ * added udev rules for Fujitsu Siemens cardreader (Closes: #840312)
+ * mark transitional packages Multi-Arch: Foreign (closes: #840258)
+ * make gnupg2 binNMU-safe
+ * more patches from upstream
+ * track upstream decision-making about gpg-agent socket names
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Oct 2016 21:30:06 -0400
+
+gnupg2 (2.1.15-4) unstable; urgency=medium
+
+ * update debian/tests/gpgv-win32
+ * more patches from upstream (Closes: #838153)
+ * tighten dependencies between gnupg and dirmngr (Closes: #834602)
+ * updated systemd user gpg-agent units for socket activation
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 04 Oct 2016 17:22:30 -0400
+
+gnupg2 (2.1.15-3) unstable; urgency=medium
+
+ * Use upstream fix to avoid touching homedir during test suite
+ * backward compatibility for preset-passphrase and protect-tool
+ * add Breaks: for python3-apt too (thanks, Harald Jenny!)
+ * Avoid network access during tests (Closes: #836259)
+ * more patches from upstream
+ - gpgv --output now works
+ - fingerprint display doesn't vary with --keyid-format
+ - minor cleanup to scdaemon dealing with removed cards
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 Sep 2016 17:08:58 -0400
+
+gnupg2 (2.1.15-2) unstable; urgency=medium
+
+ * restore keyid output in gpgv (Closes: #836144)
+ * avoid test suite failures when HOME does not exist
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 Aug 2016 12:37:48 -0400
+
+gnupg2 (2.1.15-1) unstable; urgency=medium
+
+ * new upstream release
+ - blocks signals during keyring updates (Closes: #293556)
+ * avoid libusb on hurd. Thanks, Pino Toscano! (Closes: #834533)
+ * permissions on test suite are already fixed
+ * drop patches applied upstream and refresh remaining patches
+ * make gnupg2 reproducible by not regenerating documentation date
+ * make autopkgtest work with modern wine (Closes: #835976)
+ * wrap-and-sort -ast for cleaner diffs
+ * add versioned Breaks: for affected packages (Closes: #835349)
+ - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904)
+ - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592)
+ - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465)
+ - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600)
+ - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281)
+ - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075)
+ - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Aug 2016 13:19:23 -0400
+
+gnupg2 (2.1.14-5) unstable; urgency=medium
+
+ * actually ship /usr/share/doc/gnupg/README.Debian
+ * Release to unstable.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Aug 2016 16:27:22 -0400
+
+gnupg2 (2.1.14-4) experimental; urgency=medium
+
+ * add ZeitControl card (Closes: #814584)
+ * three more fixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Aug 2016 12:54:21 -0400
+
+gnupg2 (2.1.14-3) experimental; urgency=medium
+
+ * cleanup debian/copyright
+ * update debian/watch
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Aug 2016 11:09:05 -0400
+
+gnupg2 (2.1.14-2) experimental; urgency=medium
+
+ * mark the gpgv binary as Priority: important, since apt depends on it
+ * import a bunch of fixes from upstream
+ * include permissioning on patched-in tests
+ * Breaks: some packages that expect old gpg behavior (Closes: #831500)
+ * remove scdaemon.service; it will be managed by gpg-agent.service
+ * avoid bulleted items in debian/NEWS (thanks, Lintian!)
+ * debian/copyright: cleanup, fix URLs
+ * debian/control: use standard URL for Vcs-Browser
+ * fix spelling and grammar noticed by lintian
+ * avoid lintian notes about a misspelled "written"
+ * clean up gpgv2 Description
+ * break out arch-indep localization files into new gnupg-l10n package
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 01 Aug 2016 17:54:59 -0400
+
+gnupg2 (2.1.14-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 15 Jul 2016 01:39:25 +0200
+
+gnupg2 (2.1.13-5) experimental; urgency=medium
+
+ * dependency cleanup!
+ - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr}
+ - make gnupg Provide: gpg and mention it in the package description
+ - drop mention of newpg, which has not been in debian for many releases
+ - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention
+ in debian/control
+ - drop Suggests: gnupg-doc, which does not appear to be maintained
+ - drop all references to gpg-idea, which has not been in debian for
+ several releases
+ - removed dependency on "dpkg (>= 1.15.4) | install-info", since that
+ dpkg version predates oldstable (wheezy)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 04 Jul 2016 10:13:42 -0400
+
+gnupg2 (2.1.13-4) experimental; urgency=medium
+
+ * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that
+ we can generate win32 packages on non-x86 platforms.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jul 2016 11:30:28 -0400
+
+gnupg2 (2.1.13-3) experimental; urgency=medium
+
+ * pull bugfixes from upstream (Closes: #828109, #814584)
+ * should also allow for reproducible builds, with fix to
+ timestamps in tofu.test
+ * provide supervised dirmngr, gpg-agent, and scdaemon services from
+ systemd's user sessioniif the user wants to enable them. These
+ services should terminate at logout (Closes: #825911)
+ * avoid launching gpg-agent from Xsession.d since we have more robust
+ session management available (added NEWS entry about this change)
+ * gnupg-agent now Provides: gpg-agent to mitigate common confusion.
+ * updated dirmngr package description.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 13:46:36 -0400
+
+gnupg2 (2.1.13-2) experimental; urgency=medium
+
+ * brown paper bag time: fix build-dep from libusb-1.0.0-dev to
+ libusb-1.0-0-dev
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 17 Jun 2016 23:07:43 -0400
+
+gnupg2 (2.1.13-1) experimental; urgency=medium
+
+ * New upstream release
+ - new keyid-format "none", used by default (Closes: #826273)
+ * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks,
+ gniibe!)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 16 Jun 2016 18:30:36 -0400
+
+gnupg2 (2.1.12-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 May 2016 20:58:06 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ * switching over binary package names in experimental -- gnupg2 source
+ package now provides gnupg and gpgv
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Apr 2016 19:17:19 -0400
+
+gnupg2 (2.1.11-7) unstable; urgency=medium
+
+ * move to unstable
+ * re-enable test suites on mips and mipsel since #730846 is resolved
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Apr 2016 07:45:16 -0400
+
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+ * stop using help2man to fix cross-building
+ * ensure gpgv-win32 is properly stripped
+ * enable autopkgtest to run without root on systems that already have
+ wine32 installed
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Apr 2016 13:08:07 -0300
+
+gnupg2 (2.1.11-6+exp3) experimental; urgency=medium
+
+ * more cleanup on arch-dependent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 03:36:18 -0400
+
+gnupg2 (2.1.11-6+exp2) experimental; urgency=medium
+
+ * avoid build failures when building only arch-dependent or only
+ arch-independent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 02:59:18 -0400
+
+gnupg2 (2.1.11-6+exp1) experimental; urgency=medium
+
+ * take over gpgv-win32 from gnupg 1.4 packaging
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 28 Mar 2016 23:27:43 -0400
+
+gnupg2 (2.1.11-6) unstable; urgency=medium
+
+ * avoid FTBFS with patch from upstream (Closes: #814842)
+ * bumped standards-version to 3.9.7 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 01 Mar 2016 09:36:41 +0100
+
+gnupg2 (2.1.11-5) unstable; urgency=medium
+
+ * taking over gpgv-udeb from gnupg 1.4 packaging
+ * debian/control: use secure transport for Vcs-* and Homepage
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Feb 2016 17:17:47 -0500
+
+gnupg2 (2.1.11-4) unstable; urgency=medium
+
+ * disable gpgtar, since it is causing unpredictable testsuite failures
+ and we don't ship it anyway.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Feb 2016 11:57:57 -0500
+
+gnupg2 (2.1.11-3) unstable; urgency=medium
+
+ * trying again to get a proper dump of the gpgtar.test.log. sigh.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Jan 2016 08:34:22 -0500
+
+gnupg2 (2.1.11-2) unstable; urgency=medium
+
+ * added temporary hook to view failing gpgtar test output on build
+ daemons since i can't replicate the failures on my own build systems.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Jan 2016 00:53:29 -0500
+
+gnupg2 (2.1.11-1) unstable; urgency=medium
+
+ * new upstream release
+ - drops buggy attempt to detect duplicate keys (Closes: #807819)
+ * removed -dbg package, since we have automatic -dbgsym packages now
+ * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 25 Jan 2016 15:29:25 -0500
+
+gnupg2 (2.1.10-3) unstable; urgency=medium
+
+ * avoid infinite loop when doing --gen-revoke by fingerprint
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 12 Dec 2015 16:53:40 -0500
+
+gnupg2 (2.1.10-2) unstable; urgency=medium
+
+ * actually use sks-keyservers CA by default if the user asks for
+ hkps://hkps.pool.sks-keyservers.net
+ * move ownership of some files in /usr/share/gnupg2/ to more appropriate
+ owners like gpgsm and dirmngr.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 Dec 2015 17:06:10 -0500
+
+gnupg2 (2.1.10-1) unstable; urgency=medium
+
+ * new upstream release
+ * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps.
+ * avoid shipping Changelog-2011, use upstream ChangeLog (Closes:
+ #803225)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 09 Dec 2015 12:05:42 -0500
+
+gnupg2 (2.1.9-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 13 Oct 2015 10:04:33 -0400
+
+gnupg2 (2.1.8-2) UNRELEASED; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * update scdaemon dependencies
+
+ [ Daniel Kahn Gillmor ]
+ * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 Sep 2015 00:00:28 -0400
+
+gnupg2 (2.1.8-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Sep 2015 17:00:06 -0400
+
+gnupg2 (2.1.7-2) unstable; urgency=medium
+
+ * upload to unstable
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 Aug 2015 21:24:18 -0400
+
+gnupg2 (2.1.7-1) experimental; urgency=medium
+
+ * new upstream release
+ * block ptrace connections to gpg-agent
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 Aug 2015 20:05:38 -0400
+
+gnupg2 (2.1.6-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop deprecated gpgsm-gencert.sh
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Jul 2015 14:27:23 -0400
+
+gnupg2 (2.1.5-2) experimental; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that
+ pinentry-gnome3 can work across sessions.
+ * ensure that l10n files are rebuilt.
+
+ [ Eric Dorland ]
+ * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for
+ build failure when rebuilding info docs.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Jun 2015 18:13:58 -0400
+
+gnupg2 (2.1.5-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jun 2015 13:18:56 -0400
+
+gnupg2 (2.1.4-2) experimental; urgency=medium
+
+ * avoid excess dependencies on headless servers (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Jun 2015 14:12:49 -0400
+
+gnupg2 (2.1.4-1) experimental; urgency=medium
+
+ * New upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 May 2015 00:25:55 -0400
+
+gnupg2 (2.1.3-1) experimental; urgency=medium
+
+ * New upstream version.
+ * Add gnupg2-dbg (Closes: #781631)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 01 Apr 2015 12:10:38 -0400
+
+gnupg2 (2.1.2-2) experimental; urgency=medium
+
+ * Fix segv due to NULL value stored as opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2015 10:26:50 -0500
+
+gnupg2 (2.1.2-1) experimental; urgency=medium
+
+ * New upstream version
+ * move from automake1.11 to plain automake (upstream uses 1.14 now)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 12 Feb 2015 20:10:43 -0500
+
+gnupg2 (2.1.1-1) experimental; urgency=medium
+
+ * New upstream version (closes: #772654)
+ * gnupg2 now Breaks: older versions of dirmngr (closes: #769460)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 Dec 2014 14:58:06 -0500
+
+gnupg2 (2.1.0-1) experimental; urgency=medium
+
+ * import upstream 2.1.0 release.
+ * drop debian/patches/speed-up-test-suite.patch -- included upstream.
+ * avoid self-reporting as a beta now that this is a release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Nov 2014 12:31:06 -0500
+
+gnupg2 (2.1.0~beta895-3) experimental; urgency=medium
+
+ * update gnupg-agent.xsession to export ssh-agent where
+ configured. (Closes: #767341)
+ * use cheap/fast entropy for the test suite so that builds on
+ low-entropy machines go faster.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Oct 2014 13:37:08 -0400
+
+gnupg2 (2.1.0~beta895-2) experimental; urgency=medium
+
+ * added pkg-config to Build-Depends.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2014 18:36:27 -0400
+
+gnupg2 (2.1.0~beta895-1) experimental; urgency=medium
+
+ * new upstream version in experimental (Closes: #762844, #751266, #762844)
+ * ship /usr/bin/gpgparsemail (Closes: #760575)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+ * --enable-large-secmem to ensure that gpg2 works with pre-generated
+ oversized RSA keys
+ * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO
+ about the standard socket.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2014 17:53:06 -0400
+
+gnupg2 (2.0.28-3) unstable; urgency=medium
+
+ * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 04 Jul 2015 14:21:41 -0400
+
+gnupg2 (2.0.28-2) unstable; urgency=medium
+
+ * d/clean: drop stamp-po to rebuild l10n (Closes: #788989)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Jun 2015 17:17:11 -0400
+
+gnupg2 (2.0.28-1) unstable; urgency=medium
+
+ * new upstream release
+ * really address excess dependencies on headless server (thanks Raphaƫl
+ Halimi for noticing) (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Jun 2015 12:16:57 -0400
+
+gnupg2 (2.0.27-2) unstable; urgency=medium
+
+ * import upstream fix to avoid replicating unknown subkey
+ packets. (Closes: #787045) (Thanks, NIIBE Yutaka)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 May 2015 00:55:51 -0400
+
+gnupg2 (2.0.27-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Provide a simple way for users to avoid gpg-agent hijacking,
+ working around: #760102 (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 May 2015 18:15:15 -0400
+
+gnupg2 (2.0.26-6) unstable; urgency=medium
+
+ * Avoid NULL dereference with opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2015 18:01:40 -0500
+
+gnupg2 (2.0.26-5) unstable; urgency=medium
+
+ * import bug-fixes from upstream
+ (Closes: #773415, #773469, #773471, #773472, #773423)
+ * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip
+ invalid packets", CVE-2015-1607 "memcpy with overlapping ranges,
+ resulting from incorrect bitwise left shifts" (Closes: #778577)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 16 Feb 2015 17:45:06 -0500
+
+gnupg2 (2.0.26-4) unstable; urgency=medium
+
+ [ David PrƩvot ]
+ * Update POT and PO files, and ensure the translations get rebuild
+ * Update French translation (Closes: #769574)
+ * Update Ukrainian translation, thanks to Yuri Chornoivan
+ * Update German translation, thanks to Werner Koch
+ * Update Danish translation, thanks to Joe Hansen
+ * Update Japanese translation, thanks to NIIBE Yutaka
+ * Update Chinese (traditional) translation, thanks to Jedi Lin
+ * Update Russian translation, thanks to Ineiev
+ * Update Polish translation, thanks to Jakub Bogusz
+ * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta
+ (Closes: #770727)
+ * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981)
+
+ [ Daniel Kahn Gillmor ]
+ * bugfix and cryptographic safety changes imported from upstream:
+ - Avoid regression when adding subkeys with strong s2k algorithms
+ (Closes: #772780) Thanks, NIIBE Yutaka
+ - Allow french translation to work when prompting for passphrase.
+ - add build and runtime support for larger RSA keys (Closes: #739424)
+ - fix runtime errors on bad input (Closes: #771987)
+ - deprecate insecure one-argument variant for gpg --verify of detached
+ signatures (Closes: #771992)
+ - initialize trustdb before trying to clear it (Closes: #735363)
+ - default to issuing SHA256 signatures for RSA
+ - avoid relying on MD5 signatures
+ - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 04 Jan 2015 17:17:00 -0500
+
+gnupg2 (2.0.26-3) unstable; urgency=medium
+
+ * fix typo in gpg.info (closes: #760273)
+ * drop versioned Build-Conflicts on automake by setting environment
+ variables in debian/rules
+ * ship /usr/bin/gpgparsemail (closes: #760575)
+ * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf
+ (closes: #762844)
+ * do not break on --trust-model=always (closes: #751266)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Sep 2014 23:39:15 -0400
+
+gnupg2 (2.0.26-2) unstable; urgency=medium
+
+ * ignore emacs turds in debian/
+ * update Vcs fields
+ * move package to group maintenance
+ * wrap-and-sort cleanup of debian/*
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Aug 2014 11:42:18 -0700
+
+gnupg2 (2.0.26-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261)
+
+ -- Eric Dorland <eric@debian.org> Tue, 19 Aug 2014 18:09:08 -0400
+
+gnupg2 (2.0.25-2) unstable; urgency=medium
+
+ * debian/control: Switch to libgcrypt20-dev (aka 1.6 release).
+
+ -- Eric Dorland <eric@debian.org> Fri, 08 Aug 2014 14:12:05 -0400
+
+gnupg2 (2.0.25-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Mon, 30 Jun 2014 13:10:04 -0400
+
+gnupg2 (2.0.24-1) unstable; urgency=high
+
+ * New upstream release. Fixes CVE-2014-4617 "infinite loop when
+ decompressing data packets". (Closes: #752498)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now
+ upstreamed.
+
+ -- Eric Dorland <eric@debian.org> Wed, 25 Jun 2014 00:11:19 -0400
+
+gnupg2 (2.0.23-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to
+ the new, supported name.
+ * debian/control: Restore versioned conflict against gpg-idea. (Closes:
+ #733984)
+ * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579)
+
+ -- Eric Dorland <eric@debian.org> Sun, 08 Jun 2014 19:20:17 -0400
+
+gnupg2 (2.0.22-3) unstable; urgency=low
+
+ * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing
+ key for uscan verification.
+ * debian/kbxutil.1, debian/rules: Add better description and regenerate
+ the manpage.
+ * debian/control: Remove version on gpg-idea conflict, add missing
+ Breaks for gpgsm and convert Conflicts to Breaks for gpgv2.
+ * debian/control: Move gnupg-agent to Depends for gpgsm instead of
+ Replaces (which in turn should have been Recommends).
+ * debian/control: Standards-Version to 3.9.5.
+ * debian/copyright: Switch to a shiny DEP-5 copyright file.
+
+ -- Eric Dorland <eric@debian.org> Wed, 01 Jan 2014 22:56:56 -0500
+
+gnupg2 (2.0.22-2) unstable; urgency=low
+
+ * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris
+ Boot. (Closes: #726015)
+ * debian/control: IDEA is no longer patented, drop its metion from the
+ description. Thanks brian m. carlson. (Closes: #726139)
+ * debian/rules: Disable the test suite on mips and mipsel to work around
+ Bug:#730846.
+
+ -- Eric Dorland <eric@debian.org> Sat, 30 Nov 2013 23:47:56 -0500
+
+gnupg2 (2.0.22-1) unstable; urgency=low
+
+ * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes:
+ #725433, #722724)
+ * debian/gnupg2.install: Install gnupg-card-architecture.png for the
+ info file.
+
+ -- Eric Dorland <eric@debian.org> Sat, 05 Oct 2013 17:45:28 -0400
+
+gnupg2 (2.0.21-2) unstable; urgency=low
+
+ * debian/rules, debian/gnupg2.install: Switch libexecdir to
+ /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific
+ location. (Closes: #717303)
+ * debian/control, debian/gpgv2.install: Split out gpgv2 into its own
+ package.
+ * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and
+ manpage for kbxutil using help2man. (Closes: #323494)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2
+ against libassuan as it's not used.
+ * debian/rules: Install changelog for gpgv2.
+
+ -- Eric Dorland <eric@debian.org> Sun, 01 Sep 2013 00:42:16 -0400
+
+gnupg2 (2.0.21-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #613465, #720369)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/control: Fix Vcs-Git path.
+ * debian/control: Now depends on libgpg-error >= 1.11.
+ * debian/control: Build-Depends on automake1.11 since the test suite
+ fails on newer versions. (Closes: #713287)
+ * debian/control: Also need a Build-Conflicts on automake (<= 1.12).
+
+ -- Eric Dorland <eric@debian.org> Sat, 24 Aug 2013 20:33:19 -0400
+
+gnupg2 (2.0.20-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #691237, #583893)
+ * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream.
+ * debian/control: Upgrade Standards-Version to 3.9.4.
+ * debian/compat, debian/control: Upgrade to debhelper v9.
+ * debian/control, debian/rules: Drop hardening-wrapper, now that we use
+ debhelper v9.
+ * debian/scdaemon.install: scdaemon has moved under $libexecdir.
+ * debian/control: Tighten dependency on scdaemon.
+ * debian/rules: Turn on all hardening options.
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/gnupg-agent.install, debian/gnupg2.install,
+ debian/scdaemon.install: Fix /usr/lib paths for multi-arch.
+ * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes
+ ${libdir} by default.
+
+ -- Eric Dorland <eric@debian.org> Sat, 11 May 2013 18:28:57 -0400
+
+gnupg2 (2.0.19-2) unstable; urgency=high
+
+ * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
+ CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
+ * debian/control: Use canonical addresses for VCS.
+ * debian/control: Fix scdaemon short description.
+
+ -- Eric Dorland <eric@debian.org> Fri, 04 Jan 2013 00:56:52 -0500
+
+gnupg2 (2.0.19-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #666092)
+ * debian/control: Add Multi-Arch: foreign to all packages.
+ * debian/rules: Update ChangeLog locations.
+
+ -- Eric Dorland <eric@debian.org> Sat, 31 Mar 2012 01:06:02 -0400
+
+gnupg2 (2.0.18-2) unstable; urgency=low
+
+ * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a
+ separate package for the scdaemon. (Closes: #416129)
+ * debian/control, debian/gpgsm.install, debian/gnupg2.install,
+ gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool
+ into the gnupg-agent.
+ * debian/control: Upgrade Standards-Version to 3.9.2.
+ * debian/rules: Install ChangeLog for new scdaemon package.
+
+ -- Eric Dorland <eric@debian.org> Sat, 15 Oct 2011 20:21:35 -0400
+
+gnupg2 (2.0.18-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #635206)
+ * debian/copyright: Update ftp location. (Closes: #624404)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+
+ -- Eric Dorland <eric@debian.org> Tue, 30 Aug 2011 03:43:20 -0400
+
+gnupg2 (2.0.17-3) unstable; urgency=low
+
+ * debian/rules: Convert the rules file to use the lovely dh format.
+ * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove
+ unless dirs files.
+ * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides,
+ debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files.
+
+ -- Eric Dorland <eric@debian.org> Mon, 14 Feb 2011 03:17:39 -0500
+
+gnupg2 (2.0.17-2) unstable; urgency=low
+
+ * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for
+ info install trigger.
+ * debian/control, debian/rules: Use debian build hardening.
+
+ -- Eric Dorland <eric@debian.org> Sun, 13 Feb 2011 16:33:17 -0500
+
+gnupg2 (2.0.17-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #584316, #603985, #603983, #603984)
+ * debian/patches/02-encode-s2k.diff,
+ debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now
+ unneeded security patches.
+ * debian/rules, debian/patches/01-gnupg2-rename.diff,
+ debian/gnupg2.info, debian/gnupg2.install: No need to rename the info
+ file anymore.
+ * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for
+ better renaming of pkg directories. (Closes: #579006)
+ * debian/control, debian/compat: Upgrade to debhelper level 8.
+ * debian/control:
+ - Upgrade Standards-Version to 3.9.1.
+ - Update Build-Depends versions for the latest release.
+ * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes:
+ #567537)
+ * debian/gnupg2.docs: doc/faq.html no longer exists.
+
+ -- Eric Dorland <eric@debian.org> Sun, 13 Feb 2011 16:06:41 -0500
+
+gnupg2 (2.0.14-2) unstable; urgency=low
+
+ * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename
+ lintian files and use dh_lintian instead of shell snippets.
+ * debian/source/patch-header, debian/source/options: Delete patch header
+ and remove single-debian-patch option.
+ * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary
+ renaming of gnupg -> gnupg2 in a quilt patch.
+ * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase
+ problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this
+ problem in 2.0.14-1.1.
+ * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509
+ certificates" for gpgsm. (Closes: #590122)
+ * debian/rules, debian/control: Use dh-autoreconf and autopoint to
+ regenerate autotools files at build time.
+
+ -- Eric Dorland <eric@debian.org> Sun, 25 Jul 2010 02:16:42 -0400
+
+gnupg2 (2.0.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Build depend on libreadline-dev instead of
+ libreadline5-dev, since libreadline6-dev is out. (Closes: #548922)
+ * debian/source/format, debian/source/options,
+ debian/source/patch-header: Convert to v3 quilt format, with
+ single-debian-patch.
+ * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792)
+
+ -- Eric Dorland <eric@debian.org> Sat, 09 Jan 2010 21:15:18 -0500
+
+gnupg2 (2.0.13-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Depend instead of Recommend gnupg-agent. (Closes:
+ #538947)
+
+ -- Eric Dorland <eric@debian.org> Mon, 07 Sep 2009 20:38:23 -0400
+
+gnupg2 (2.0.12-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #499569, #463270, #446494, #314068,
+ #519375, #514587)
+ * debian/control: Change build dependency on gs to ghoscript, since
+ ghoscript has been replaced.
+ * debian/compat: Use debhelper v7.
+ * debian/control: Update Standards-Version to 3.8.2.
+ * debian/control: Use ${misc:Depends}.
+ * configure.ac: Override pkgdatadir so that it points to
+ /usr/share/gnupg2. (Closes: #528734)
+ * debian/rules: No longer need to specify pkgdatadir at make install
+ time.
+
+ -- Eric Dorland <eric@debian.org> Sun, 23 Aug 2009 20:48:11 -0400
+
+gnupg2 (2.0.11-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #496663)
+ * debian/control: Make the description a little more distinctive than
+ gnupg v1's. Thanks Jari Aalto. (Closes: #496323)
+
+ -- Eric Dorland <eric@debian.org> Sun, 08 Mar 2009 22:46:47 -0400
+
+gnupg2 (2.0.9-3) unstable; urgency=medium
+
+ * Urgency medium to try to beat the release.
+ * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh
+ key generation. (Closes: #473841)
+
+ -- Eric Dorland <eric@debian.org> Mon, 21 Jul 2008 03:48:11 -0400
+
+gnupg2 (2.0.9-2) unstable; urgency=low
+
+ * The "I've neglected you too long" release.
+
+ * debian/control:
+ - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need
+ it under most circumstances. (Closes: #459462, #477691)
+ - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the
+ front of the alternatives list. (Closes: #462951)
+ * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc
+ 4.3 strictness on bitfields combined with curl. (Closes: #476999)
+
+ -- Eric Dorland <eric@debian.org> Mon, 28 Apr 2008 03:22:20 -0400
+
+gnupg2 (2.0.9-1) unstable; urgency=low
+
+ * New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
+ (Closes: #472928)
+ * debian/rules: Don't ignore status of make distclean, just check for
+ the existance of the Makefile.
+
+ -- Eric Dorland <eric@debian.org> Sat, 29 Mar 2008 03:21:21 -0400
+
+gnupg2 (2.0.8-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #428635)
+ * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy
+ otherwise. (Closes: #456467)
+ * debian/control:
+ - Requires libassuan >= 1.0.4 now.
+ - Remove the XS- prefix from the Vcs-* headers.
+ - Add Homepage header.
+ - Upgrade Standards-Version to 3.7.3.0.
+ - Make gnupg2 optional rather than extra.
+ - Remove unnecessary conflict on suidmanager.
+
+ -- Eric Dorland <eric@debian.org> Sat, 22 Dec 2007 02:06:42 -0500
+
+gnupg2 (2.0.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/rules:
+ - Remove unnecessary deletion of the .gmo files. (Closes: #442583)
+ - Clean out some old comments
+ * gnupg-agent.xsession: Remove the quotes around --write-env-file
+ argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo
+ Cruz. (Closes: #443580)
+
+ -- Eric Dorland <eric@debian.org> Sun, 30 Sep 2007 02:50:40 -0400
+
+gnupg2 (2.0.6-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #437289)
+ * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so
+ it exits properly when the session dies. (Closes: #401843)
+ * debian/control: Add XS-Vcs headers for its new git home.
+
+ -- Eric Dorland <eric@debian.org> Mon, 03 Sep 2007 23:29:11 -0400
+
+gnupg2 (2.0.5-2) unstable; urgency=low
+
+ * The "Ubuntu, I would have done it had you only asked" release.
+
+ * debian/copyright: Fix download location. Thanks Ubuntu.
+ * debian/README.Debian: Remove, doesn't contain any relevant info.
+ * debian/rules:
+ - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790)
+ - Run dh_installexamples.
+ - Don't list the docs to install in here.
+ * debian/gnupg2.examples: New file, install gpgconf.conf as an example
+ into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes:
+ #434878)
+ * debian/control:
+ - Remove opensc and pcsc-lite build dependencies, they're not used anymore.
+ - Add libcurl4-gnutls-dev build dep, to use the real curl.
+ * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug
+ message. Thanks Ubuntu.
+ * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here,
+ add some new docs. Thanks Ubuntu.
+ * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it
+ in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787)
+ * debian/rules, debian/control: Only recommend libldap, don't depend on
+ it.Thanks Riku. (Closes: #435138)
+
+ -- Eric Dorland <eric@debian.org> Thu, 16 Aug 2007 22:24:16 -0400
+
+gnupg2 (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/watch: Add watch file.
+ * debian/control:
+ - Require libassuan 1.0.2 or greater.
+ - Require libksba 1.0.2 or greater.
+ - Don't recommend plain gpg anymore.
+ * debian/copyright: Update copyright text for GPL v3 relicensing.
+ * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks
+ Ludovic Rousseau. (Closes: #404128)
+
+ -- Eric Dorland <eric@debian.org> Sun, 22 Jul 2007 16:03:32 -0400
+
+gnupg2 (2.0.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Fri, 11 May 2007 00:41:01 -0400
+
+gnupg2 (2.0.3-1) unstable; urgency=high
+
+ * New upstream release.
+ - Fixes multoiple messages problem aka CVE-2007-1263.
+
+ -- Eric Dorland <eric@debian.org> Fri, 9 Mar 2007 03:28:53 -0500
+
+gnupg2 (2.0.2-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #409559)
+ * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
+ * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
+
+ -- Eric Dorland <eric@debian.org> Mon, 19 Feb 2007 20:34:52 -0500
+
+gnupg2 (2.0.0-5) unstable; urgency=high
+
+ * debian/control: Remove unnecessary dependencies on makedev and
+ udev. Thanks Marco d'Itri.
+ * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file
+ to gnupg2.info, and use that for the index. (Closes: #398493)
+
+ -- Eric Dorland <eric@debian.org> Fri, 24 Nov 2006 02:23:35 -0500
+
+gnupg2 (2.0.0-4) unstable; urgency=medium
+
+ * debian/control: Update forgotten replaces for pcsc-wrapper move.
+
+ -- Eric Dorland <eric@debian.org> Mon, 20 Nov 2006 23:02:25 -0500
+
+gnupg2 (2.0.0-3) unstable; urgency=medium
+
+ * debian/control: Remove warning about development, thanks Gonzalo
+ HIGUERA DIAZ. (Closes: #399551)
+
+ -- Eric Dorland <eric@debian.org> Mon, 20 Nov 2006 14:32:33 -0500
+
+gnupg2 (2.0.0-2) unstable; urgency=medium
+
+ * All packaging fixes, so urgency medium to beat the freeze.
+ * debian/distfiles, debian/lintian.override, debian/point-to-info.1:
+ Remove unused files.
+ * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info
+ files properly. (Closes: #398493)
+ * debian/rules:
+ - Remove some unnecessary autotools build rules.
+ - Move some of make install targets more correctly to the
+ configure line.
+ * debian/*.files, debian/rules: Rename *.files to .install and use
+ dh_install nstead of dh_movefiles.
+ * debian/gnupg-agent.xsession: Account for spaces in the configuration
+ file, thanks Artem Zolochevskiy. (Closes: #352326)
+ * debian/control:
+ - Adjust build-dependency versions slightly to match what the
+ configure scipt requires.
+ - Update Standards-Version to 3.7.2.2.
+ * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper
+ in gpgsm. (Closes: #353232)
+ * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into
+ /usr/libb/gnupg2.
+
+ -- Eric Dorland <eric@debian.org> Sun, 19 Nov 2006 18:03:39 -0500
+
+gnupg2 (2.0.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #398215)
+ * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess.
+
+ -- Eric Dorland <eric@debian.org> Sun, 12 Nov 2006 23:52:59 -0500
+
+gnupg2 (1.9.94-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Thu, 2 Nov 2006 16:06:30 -0500
+
+gnupg2 (1.9.93-1) unstable; urgency=medium
+
+ * New upstream release. Urgency medium to try to beat the freeze. Thanks
+ to Andreas Metzler for getting this package into shape.
+
+ -- Eric Dorland <eric@debian.org> Wed, 25 Oct 2006 00:41:15 -0400
+
+gnupg2 (1.9.91-0.1) unstable; urgency=low
+
+ * New upstream version, built against clean upstream tarball.
+ (Closes: #378489,#388257)
+ * bump Build-Depends:
+ - libgpg-error-dev 0.6 -> 1.4
+ - libassuan-dev 0.6.10 -> 0.9.1
+ - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552)
+ * Add libreadline5-dev to Build-Depends.
+ * Pass proper --build and --host args to ./configure.
+ * configure with --mandir='$${prefix}/share/man'.
+ * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am.
+ * New upstream includes a lot more manpages, ship them.
+ (Closes: #300129,#300677)
+ gpg-agent(1) documents ~/gpg-agent.conf. (Closes: #300676)
+ * Update debian/copyright.
+ * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited
+ of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg".
+ suidregister has been obsolete for a long time and /usr/bin/gpg is not
+ part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed
+ suid it should be shipped with these permissions in the deb instead
+ using chmod in postinst anyway.
+ * Drop preinst (ending up as gnupg-agent's preinst), which only showed
+ a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent
+ 0.3.2-1.
+ * Add (noop) binary-indep target as required by policy 4.9.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 8 Oct 2006 07:51:44 +0000
+
+gnupg2 (1.9.20-2) unstable; urgency=high
+
+ * debian/control: Make myself the maintainer with Matthias' permission.
+ * Acknowledge NMU. (Closes: #375053, #376755)
+ * g10/parse-packet.c: Patch from Martin Schulze to backport security fix
+ for CVE-2006-3746, crash when receiving overly long comments.
+
+ -- Eric Dorland <eric@debian.org> Fri, 4 Aug 2006 18:11:43 -0400
+
+gnupg2 (1.9.20-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Adapt patch from upstream CVS, fixing buffer overflow leading to remote
+ DoS/crash (CVE-2006-3082). (Closes: #375053)
+
+ -- Steinar H. Gunderson <sesse@debian.org> Tue, 4 Jul 2006 20:37:43 +0200
+
+gnupg2 (1.9.20-1) unstable; urgency=low
+
+ * New Upstream version. Closes:#306890,#344530
+ * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files
+ * Depend on libopensc2-dev, not -1-. Closes:#348106
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 24 Jan 2006 04:31:42 +0100
+
+gnupg2 (1.9.19-2) unstable; urgency=low
+
+ * Convert debian/changelog to UTF-8.
+ * Put gnupg-agent and gpgsm lintian overrides in the respectively
+ right package. Closes: #335066
+ * Added debhelper tokens to maintainer scripts.
+ * xsession fixes:
+ o Added host name to gpg-agent PID file name. Closes: #312717
+ o Fixed xsession script to be able to run under zsh. Closes: #308516
+ o Don't run gpg-agent if one is already running. Closes: #336480
+ * debian/control:
+ o Fixed package description of gpgsm package. Closes: #299842
+ o Added mention of gpg-agent to description of gnupg-agent package.
+ Closes: #304355
+ * Thanks to Peter Eisentraut <petere@debian.org> for all of the above.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 8 Dec 2005 22:13:21 +0100
+
+gnupg2 (1.9.19-1) unstable; urgency=low
+
+ * Merged with 1.9.19.
+ * Re-enable gpgv2 package.
+
+ -- Matthias Urlichs <smurf@debian.org> Sat, 22 Oct 2005 14:33:33 +0200
+
+gnupg2 (1.9.17-1) unstable; urgency=low
+
+ * Merged with Upstream 1.9.17.
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 4 Jul 2005 01:56:43 +0200
+
+gnupg2 (1.9.15-6) unstable; urgency=high
+
+ * Move gpg-protect-tool to the gpgsm package.
+ Closes: #303492.
+ High urgency because this renders gpgsm unuseable for some people.
+ * gpg-agent: Override max-cache-ttl if a higher default is set.
+ Closes: #302692.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 7 Apr 2005 10:13:19 +0200
+
+gnupg2 (1.9.15-5) unstable; urgency=low
+
+ * Add /etc/X11/Xsession.d/90gpg-agent script. Closes: #300128.
+ * Emphasize that gnupg2 is NOT useful at the moment.
+ * Conflict+replace gpg-agent with newpg.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 10 Mar 2005 22:46:10 +0100
+
+gnupg2 (1.9.15-4) unstable; urgency=low
+
+ * Incorporated Ubuntu changes from Andreas Mueller.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 10 Mar 2005 21:41:59 +0100
+
+gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low
+
+ * removed info file
+
+ -- Andreas Mueller <amu@ubuntu.com> Tue, 8 Mar 2005 01:58:39 +0100
+
+gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low
+
+ * changed rules file, part cp gnupg.info to mv
+ and added dh_installinfo.
+ * changed Standards Version to 3.6.1
+
+ -- Andreas Mueller <amu@ubuntu.com> Tue, 8 Mar 2005 00:53:31 +0100
+
+gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low
+
+ * added missing build depends texinfo
+
+ -- Andreas Mueller <amu@ubuntu.com> Mon, 7 Mar 2005 22:47:56 +0100
+
+gnupg2 (1.9.15-2) hoary; urgency=low
+
+ * Initial checkin
+
+ -- Andreas Mueller <amu@ubuntu.com> Mon, 7 Mar 2005 21:13:32 +0100
+
+gnupg2 (1.9.15-1) experimental; urgency=low
+
+ * New Upstream release.
+ * Removed -doc package:
+ - The package itself is too smal to merit being packaged separately.
+ - Interim solution: Documentation is included in the gnupg2 package.
+ - Goal: ask Upstream to split the .info file.
+ * Removed suidness.
+ * Update debian/copyright.
+ * Require libassuan >= 0.6.9.
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 25 Jan 2005 08:19:15 +0100
+
+gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low
+
+ * Rebuild to depend on opensc1.
+ * Split -doc into its own package.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 16 Dec 2004 10:30:44 +0100
+
+gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low
+
+ * Turn on setuid-ness.
+ - Added Lintian overrides.
+ * Install all "standard" message files.
+ - Makefile.in: The package name for gettext is in the macro PACKAGE_GT,
+ not PACKAGE.
+ * Fix shebang line of addgnupghome script.
+ * Install info file in the correct place.
+ * Build cleanups.
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 5 Oct 2004 10:59:56 +0200
+
+gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low
+
+ * rename gnupg-agent's changelog file
+ * Fix gnupg-agent's dependencies
+
+ -- Matthias Urlichs <smurf@debian.org> Sun, 3 Oct 2004 20:14:30 +0200
+
+gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low
+
+ * Shipped a /usr/share/locale.alias file. Ouch.
+ * Split off gpgsm.
+
+ -- Matthias Urlichs <smurf@debian.org> Wed, 29 Sep 2004 10:25:51 +0200
+
+gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low
+
+ * New Upstream.
+
+ -- Matthias Urlichs <smurf@debian.org> Sat, 25 Sep 2004 11:05:44 +0200
+
+gnupg2 (1.9.10+cvs-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+ * Split gpg-agent into its own .deb.
+ * Bit the bullet and started using debhelper.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 19 Aug 2004 11:43:34 +0200
+
+gnupg2 (1.9.9-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 14 Jun 2004 17:18:18 +0200
+
+gnupg2 (1.9.5-1) experimental; urgency=low
+
+ * Packaged Upstream development version.
+ Closes:#187548
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 8 Mar 2004 05:30:35 +0100
+
+gnupg (1.2.4-4) unstable; urgency=low
+
+ * 12_zero_length_header.dpatch: update patch from David Shaw
+ <dshaw@jabberwocky.com> to fix the fix of crashing on certain
+ keys. Closes: #234289
+
+ -- James Troup <james@nocrew.org> Mon, 23 Feb 2004 18:02:20 +0000
+
+gnupg (1.2.4-3) unstable; urgency=low
+
+ * Move to dpatch; existing non-debian/ change split into
+ 10_hppa_unaligned_constant.dpatch.
+
+ * debian/rules: include /usr/share/dpatch/dpatch.make.
+ * debian/rules (build): depend on patch-stamp.
+ * debian/rules (clean): depend on unpatch. Remove debian/patched.
+ * debian/control (Build-Depends): add dpatch.
+
+ * debian/rules: update version number and use install_foo convenience
+ variables.
+ * debian/rules (clean): remove emacs backup files from any directory.
+
+ * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen
+ <thv+debian@iki.fi> to update Finnish translation as the current one
+ renders gnupg unusable. Closes: #232030, #222951, #192582
+ * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors
+ over unrepresentable changes to source.
+
+ * 12_zero_length_header.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to fix cases where importing certain keys
+ makes the keyring unuseable. Closes: #232714
+
+ * 13_revoked_keys.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to list revoked keys as revoked. Closes: #231814
+
+ * 14_getkey_not_found_fix.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to fix --list-sigs incorrectly claiming "User
+ id not found". Closes: #229549
+
+ -- James Troup <james@nocrew.org> Fri, 20 Feb 2004 16:38:12 +0000
+
+gnupg (1.2.4-2) unstable; urgency=low
+
+ * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones <lamont@debian.org>
+ to fix unaligned constant. Closes: #228456
+ * debian/copyright: update year and version number.
+
+ -- James Troup <james@nocrew.org> Tue, 20 Jan 2004 17:19:58 +0000
+
+gnupg (1.2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293
+ * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957
+ * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079
+ * Fixes segmentation fault in prime generator. Closes: #213989
+ * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368
+
+ * debian/control (Build-Depends): add libbz2-dev.
+
+ -- James Troup <james@nocrew.org> Wed, 31 Dec 2003 17:57:52 +0000
+
+gnupg (1.2.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #207340).
+ * gpg no longer kills keyrings by importing broken keys. Closes: #196505
+ * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092
+ * --import now closes files when it's done. Closes: #196643
+ * A key listing speed regression has been fixed. Closes: #192083
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ * debian/control (Standards-Version): bump to 3.6.0.
+
+ * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman
+ <dark@xs4all.nl>. Closes: #173233
+ * debian/rules (binary-arch): install it.
+
+ * debian/rules (build): correct libexecdir passed to configure; patch
+ from Matthias Cramer <cramer@freestone.net>. Fixes invocation of
+ gpgkeys_ldap. Closes: #168486
+
+ -- James Troup <james@nocrew.org> Thu, 28 Aug 2003 14:08:50 +0100
+
+gnupg (1.2.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control (Standards-Version): bump to 3.5.9.0.
+ * debian/rules (binary-arch): install convert-from-106 as
+ gpg-convert-from-106 and fix the path to gpg.
+ * debian/control: remove trailing full stop from short description.
+ * debian/control: remove out-dated and contradictory information about
+ RSA.
+
+ -- James Troup <james@nocrew.org> Mon, 5 May 2003 03:08:58 +0100
+
+gnupg (1.2.1-2) unstable; urgency=low
+
+ * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05).
+ Thanks to Ryan Murray. Closes: #166696
+
+ -- James Troup <james@nocrew.org> Mon, 28 Oct 2002 01:47:26 +0000
+
+gnupg (1.2.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * An inifinte loop in --update-trustdb has been fixed. Closes: #162039
+ * The polish translation is now correctly specified as UTF-8. Closes: #162885
+ * --refresh-keys is now documented in the manpage. Closes: #165566
+ * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is
+ incompatible with that version of gpg-idea. Closes: #162314
+
+ -- James Troup <james@nocrew.org> Fri, 25 Oct 2002 18:18:43 +0100
+
+gnupg (1.2.0-1) unstable; urgency=low
+
+ * New upstream version. Closes: #161817.
+ * --options no longer mis-handles a directory as an argument. Closes: #151973
+ * gpg now prompts before sending all keys to the keyserver. Closes: #64607
+ * There is now a gnupg(7) manpage. Closes: #157750
+ * The permission checking has been sanitized and handles non-home-dir
+ keyrings better. Closes: #147760
+ * notation data longer than 5 characters is now handled. Closes: #156871
+ * an abort when setting trust levels in a czech locale has been fixed.
+ Closes: #149212
+ * debian/rules (binary-arch): there are no more modules, adjust
+ accordingly.
+ * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks.
+ * debian/rules (binary-arch): don't install obsolete postinst or prerm.
+ * debian/rules (binary-arch): gzip gnupg.7 too.
+ * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure.
+ * debian/rules (binary-arch): likewise, pass suitable libexcedir
+ argument to make install.
+ * debian/control (Standards-Version): update to 3.5.7.0.
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ -- James Troup <james@nocrew.org> Sun, 22 Sep 2002 22:26:25 +0100
+
+gnupg (1.0.7-2) unstable; urgency=low
+
+ * debian/control (Suggests): add xloadimage since that's what gpg uses
+ by default to view photo IDs. Thanks to Julien Danjou
+ <acid@debian.org> for the suggestion. Closes: #156245
+ * debian/control (Depends): add "hurd" to the alternatives to
+ makedev. Thanks to Michal Suchanek <hramrach_l@centrum.cz> for
+ noticing. Closes: #158492
+ * po/it.po: patch to fix typos from Marco Bodrato
+ <bodrato@gulp.linux.it. Closes: #149462
+ * g10/g10.c (main): remove the bogus undef of USE_SHM_COPROCESSING to
+ match upstream and fix gabber and libgnupg-perl. Closes: #147679, #151969
+
+ -- James Troup <james@nocrew.org> Thu, 29 Aug 2002 01:42:58 +0100
+
+gnupg (1.0.7-1) unstable; urgency=low
+
+ * New upstream version. Closes: #145477.
+ * GDBM support has been removed. Closes: #33009.
+ * Now adds the default keyring when a keyring is specified.
+ Closes: #50616, #65260.
+ * Now does the Right Thing when receiving a key from the keyserver and
+ the key in question is in both a read-only and writable keyring.
+ Closes: #63297.
+ * Automatic key retrieval is now configurable. Closes: #64940.
+ * --no-options supresses ~/.gnupg creation again. Closes: #95486.
+ * duplicate trust entries are no longer treated as an error. Closes: #96480.
+ * There's now no comment line in ascii armours. Closes: #100088.
+ * Handle secret keyring given as keyring better. Closes: #100581, #106670.
+ * It's now documented that --with-colons unconditionally uses UTF8.
+ Closes: #101446, 101454.
+ * s/now/knows/ typo in manpage fixed. Closes: #107471.
+ * There's now support for a primary UID. Closes: #106567, #108155.
+ * Handles errors in uncompression layer beter. Closes: #112392.
+ * Key selection has been entirely revamped. Closes: #136170.
+ * Handles empty encrypt-to. Closes: #138378
+
+ * debian/rules (binary-arch): remove empty /usr/info directory, thanks
+ to Joey Hess <joeyh@debian.org>. Closes: #121864.
+ * debian/control: remove duplicated word from long description, thanks
+ to Nicolas Boulenguez <nicolas.boulenguez@free.fr>. Closes: #144786.
+ * README: correct URL to GPH and other docs, thanks to Mark Brown
+ <broonie@sirena.org.uk>. Closes: #100277.
+ * debian/control (Standards-Version): updated to 3.5.6.1.
+ * debian/rules (binary-arch): only strip ELF binaries. es_ES -> es hack
+ no longer needed as fixed upstream.
+ * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used.
+ * debian/README.Debian: remove note about gdbm support which was finally
+ removed. Update note on old versions of gnupg to reflect the
+ pre-historic nature of those versions.
+ * debian/control (Build-Depends): add libldap2-dev.
+ * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries.
+ * debian/control (Build-Depends): add file.
+ * debian/control (Priority): increase to standard to match overrides.
+
+ -- James Troup <james@nocrew.org> Sat, 11 May 2002 15:08:02 +0100
+
+gnupg (1.0.6-3) unstable; urgency=low
+
+ * moved into main.
+
+ -- James Troup <james@nocrew.org> Tue, 19 Mar 2002 16:17:09 +0000
+
+gnupg (1.0.6-2) unstable; urgency=high
+
+ * debian/rules (binary-arch): remove the erroneous
+ /usr/share/locale/locale.alias that 'make install' adds; closes:
+ #99293.
+
+ -- James Troup <james@nocrew.org> Wed, 30 May 2001 20:40:59 +0100
+
+gnupg (1.0.6-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 29 May 2001 20:59:49 +0100
+
+gnupg (1.0.5-4) unstable; urgency=low
+
+ * Patch from Werner.
+
+ -- James Troup <james@nocrew.org> Sun, 27 May 2001 09:34:50 +0100
+
+gnupg (1.0.5-3) unstable; urgency=low
+
+ * Apply patch from Matthew Wilcox <matthew@wil.cx> to fix assembly on
+ hppa.
+
+ -- James Troup <james@nocrew.org> Sun, 13 May 2001 02:36:45 +0100
+
+gnupg (1.0.5-2) unstable; urgency=medium
+
+ * util/http.c: patch from Werner that fixes --send-key, closes: #96277.
+ * debian/control (Depends): accept devfsd in place of makedev, closes:
+ #96307.
+
+ -- James Troup <james@nocrew.org> Mon, 7 May 2001 00:13:51 +0100
+
+gnupg (1.0.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: fix spelling and update URL.
+ * debian/rules (binary): remove the new info files.
+ * scripts/config.{guess,sub}: sync with subversions, closes: #95729.
+
+ -- James Troup <james@nocrew.org> Mon, 30 Apr 2001 02:12:38 +0100
+
+gnupg (1.0.4-4) unstable; urgency=low
+
+ * po/ru.po: patch by Ilya Martynov <m_ilya@agava.com> to replace German
+ entries and add missing translations, closes: #93987.
+ * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no
+ longer/g); noticed by Colin Watson <cjw44@flatline.org.uk>, closes:
+ #93664.
+
+ * Deprecated depreciated; noticed by Vincent Broman
+ <broman@spawar.navy.mil>.
+
+ * Following two patches are from Vincent Broman.
+ * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference
+ to iobuf_get_fname().
+ * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly.
+
+ -- James Troup <james@nocrew.org> Fri, 20 Apr 2001 23:32:44 +0100
+
+gnupg (1.0.4-3) unstable; urgency=medium
+
+ * debian/rules (binary): make gpg binary suid, closes: #86433.
+ * debian/postinst: don't use suidregister.
+ * debian/postrm: removed (only called suidunregister).
+ * debian/control: conflict with suidmanager << 0.50.
+ * mpi/longlong.h: apply fix for ARM long long artimetic from Philip
+ Blundell <philb@gnu.org>, closes: #87487.
+ * debian/preinst: the old GnuPG debs have moved to people.debian.org.
+ * cipher/random.c: #include <time.h> as well as <sys/time.h>
+ * g10/misc.c: likewise.
+ * debian/rules: define a strip alias which removes the .comment and
+ .note sections.
+ * debian/rules (binary-arch): use it.
+ * debian/lintian.override: new file; override the SUID warning from
+ lintian.
+ * debian/rules (binary-arch): install it.
+
+ -- James Troup <james@nocrew.org> Sun, 25 Feb 2001 05:24:58 +0000
+
+gnupg (1.0.4-2) stable unstable; urgency=high
+
+ * Apply security fix patch from Werner.
+ * Apply another patch from Werner to fix bogus warning on Rijndael
+ usage.
+ * Change section to 'non-US'.
+
+ -- James Troup <james@nocrew.org> Mon, 12 Feb 2001 07:47:02 +0000
+
+gnupg (1.0.4-1) stable unstable; urgency=high
+
+ * New upstream version.
+ * Fixes a serious bug which could lead to false signature verification
+ results when more than one signature is fed to gpg.
+
+ -- James Troup <james@nocrew.org> Tue, 17 Oct 2000 17:26:17 +0100
+
+gnupg (1.0.3b-1) unstable; urgency=low
+
+ * New upstream snapshot version.
+
+ -- James Troup <james@nocrew.org> Fri, 13 Oct 2000 18:08:14 +0100
+
+gnupg (1.0.3-2) unstable; urgency=low
+
+ * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref.
+ Fix long description to reflect the fact that RSA is no longer
+ patented and now included. [#72177]
+ * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ
+ from /usr/share/gnupg/. Thanks to Robert Luberda
+ <robert@pingu.ii.uj.edu.pl> for noticing. [#72151]
+ * debian/control: Suggest new package gnupg-doc. [#64323, #65560]
+ * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM,
+ as Linux will do this if resource limits (or other reasons) prevent
+ memory from being locked, instead treat it like permission was denied
+ and warn but continue. Thanks to Topi Miettinen
+ <Topi.Miettinen@nic.fi>. [#70446]
+ * g10/hkp.c (not_implemented): s/ist/is/ in error message.
+ * debian/README.Debian: add a note about GDBM support and why it is
+ disabled. Upstream already fixed the manpage. [#65913]
+ * debian/rules (binary-arch): fix the Spanish translation to be 'es' not
+ 'es_ES' at NicolƔs Lichtmaier <nick@debian.org>'s request. [#57314]
+
+ -- James Troup <james@nocrew.org> Sun, 1 Oct 2000 14:55:03 +0100
+
+gnupg (1.0.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Mon, 18 Sep 2000 15:56:54 +0100
+
+gnupg (1.0.2-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Thu, 13 Jul 2000 20:26:50 +0100
+
+gnupg (1.0.1-2) unstable; urgency=low
+
+ * debian/control (Build-Depends): added.
+ * debian/copyright: corrected location of copyright file. Removed
+ references to Linux. Removed warnings about beta nature of GnuPG.
+ * debian/rules (binary-arch): install documentation into
+ /usr/share/doc/gnupg/ and pass mandir to make install to ensure the
+ manpages go to /usr/share/man/.
+ * debian/postinst: create /usr/doc/gnupg symlink.
+ * debian/prerm: new file; remove /usr/doc/gnupg symlink.
+ * debian/rules (binary-arch): install prerm.
+ * debian/control (Standards-Version): updated to 3.1.1.1.
+
+ -- James Troup <james@nocrew.org> Thu, 30 Dec 1999 16:16:49 +0000
+
+gnupg (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * doc/gpg.1: updated to something usable from
+ ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz.
+
+ -- James Troup <james@nocrew.org> Sun, 19 Dec 1999 23:47:10 +0000
+
+gnupg (1.0.0-3) unstable; urgency=low
+
+ * debian/rules (build): remove the stunningly ill-advised --host option
+ to configure. [#44698, #48212, #48281]
+
+ -- James Troup <james@nocrew.org> Tue, 26 Oct 1999 01:12:59 +0100
+
+gnupg (1.0.0-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): fix the permissions on the
+ modules. [#47280]
+ * debian/postinst, debian/postrm: fix the package name passed to
+ suidregister. [#45013]
+ * debian/control: update long description. [#44636]
+ * debian/rules (build): pass the host explicitly to configure to avoid
+ problems on sparc64. [(Should fix) #44698].
+
+ -- James Troup <james@nocrew.org> Wed, 20 Oct 1999 23:39:05 +0100
+
+gnupg (1.0.0-1) unstable; urgency=low
+
+ * New upstream release. [#44545]
+
+ -- James Troup <james@nocrew.org> Wed, 8 Sep 1999 00:53:02 +0100
+
+gnupg (0.9.10-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): install lspgpot. Requested by Kai
+ Henningsen <kai@khms.westfalen.de>. [#42288]
+ * debian/rules (binary-arch): correct the path where modules are looked
+ for. Reported by Karl M. Hegbloom <karlheg@odin.cc.pdx.edu>. [#40881]
+ * debian/postinst, debian/postrm: under protest, register gpg the
+ package with suidmanager and make it suid by default.
+ [#29780,#32590,#40391]
+
+ -- James Troup <james@nocrew.org> Tue, 10 Aug 1999 00:12:40 +0100
+
+gnupg (0.9.10-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Fri, 6 Aug 1999 01:16:21 +0100
+
+gnupg (0.9.9-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sun, 25 Jul 1999 01:06:31 +0100
+
+gnupg (0.9.8-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): don't create a gpgm manpage as the binary
+ no longer exists. Noticed by Wichert Akkerman
+ <wichert@cs.leidenuniv.nl>. [#38864]
+
+ -- James Troup <james@nocrew.org> Sun, 27 Jun 1999 01:07:58 +0100
+
+gnupg (0.9.7-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 25 May 1999 13:23:24 +0100
+
+gnupg (0.9.6-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/copyright: update version number, noticed by Lazarus Long
+ <lazarus@frontiernet.net>.
+ * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure
+ that /dev/urandom exists; reported by Steffen Markert
+ <smort@rz.tu-ilmenau.de>. [#32076]
+
+ -- James Troup <james@nocrew.org> Tue, 11 May 1999 21:06:27 +0100
+
+gnupg (0.9.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Description): no tabs. [Lintian]
+
+ -- James Troup <james@nocrew.org> Wed, 24 Mar 1999 22:37:40 +0000
+
+gnupg (0.9.4-1) unstable; urgency=low
+
+ * New version.
+ * debian/control: s/GNUPG/GnuPG/
+
+ -- Werner Koch <wk@isil.d.suttle.de> Mon, 8 Mar 1999 19:58:28 +0100
+
+gnupg (0.9.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Mon, 22 Feb 1999 22:55:04 +0000
+
+gnupg (0.9.2-1) unstable; urgency=low
+
+ * New version.
+ * debian/rules (build): Removed CFLAGS as the default is now sufficient.
+ * debian/rules (clean): remove special handling cleanup in intl.
+
+ -- Werner Koch <wk@isil.d.suttle.de> Wed, 20 Jan 1999 21:23:11 +0100
+
+gnupg (0.9.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sat, 9 Jan 1999 22:29:11 +0000
+
+gnupg (0.9.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * g10/armor.c (armor_filter): add missing new line in comment string; as
+ noticed by Stainless Steel Rat <ratinox@peorth.gweep.net>.
+
+ -- James Troup <james@nocrew.org> Tue, 29 Dec 1998 20:22:43 +0000
+
+gnupg (0.4.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (clean): force removal of intl/libintl.h which the
+ Makefiles fail to remove properly.
+
+ -- James Troup <james@nocrew.org> Tue, 8 Dec 1998 22:40:23 +0000
+
+gnupg (0.4.4-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sat, 21 Nov 1998 01:34:29 +0000
+
+gnupg (0.4.3-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: new file; contains same information as is in the
+ preinst. Suggested by Wichert Akkerman <wichert@cs.leidenuniv.nl>.
+ * debian/rules (binary-arch): install `README.Debian'
+ * debian/control (Standards-Version): updated to 2.5.0.0.
+
+ -- James Troup <james@nocrew.org> Sun, 8 Nov 1998 19:08:12 +0000
+
+gnupg (0.4.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/preinst: improve message about the NEWS file which isn't
+ actually installed when it's referred to, thanks to Martin Mitchell
+ <martin@debian.org>.
+ * debian/rules (binary-arch): don't install the now non-existent `rfcs',
+ but do install `OpenPGP'.
+
+ -- James Troup <james@nocrew.org> Sun, 18 Oct 1998 22:48:34 +0100
+
+gnupg (0.4.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): fix the gpgm manpage symlink now installed
+ by `make install'.
+
+ -- James Troup <james@nocrew.org> Sun, 11 Oct 1998 17:01:21 +0100
+
+gnupg (0.4.0-1) unstable; urgency=high
+
+ * New upstream version. [#26717]
+ * debian/copyright: tone down warning about alpha nature of gnupg.
+ * debian/copyright: new maintainer address.
+ * debian/control: update extended description.
+ * debian/rules (binary-arch): install FAQ and all ChangeLogs.
+ * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about
+ incompatibilities in keyring format and offer to move old copy out of
+ gpg out of the way for transition strategy and inform the user about
+ the old copies of gnupg available on my web page.
+ * debian/rules (binary-arch) install preinst.
+ * debian/rules (binary-arch): don't depend on the test target as it is
+ now partially interactive (tries to generate a key, which requires
+ someone else to be using the computer).
+
+ -- James Troup <james@nocrew.org> Thu, 8 Oct 1998 00:47:07 +0100
+
+gnupg (0.3.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Maintainer): new address.
+ * debian/copyright: updated list of changes.
+
+ -- James Troup <james@nocrew.org> Thu, 9 Jul 1998 21:06:07 +0200
+
+gnupg (0.3.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 7 Jul 1998 00:26:21 +0200
+
+gnupg (0.3.0-2) unstable; urgency=low
+
+ * Applied bug-fix patch from Werner.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 26 Jun 1998 12:18:29 +0200
+
+gnupg (0.3.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: rewrote short and long description.
+ * cipher/Makefile.am: link tiger with -lc.
+ * debian/rules (binary-arch): strip loadable modules.
+ * util/secmem.c (lock_pool): get rid of errant test code; fix from
+ Werner Koch <wk@isil.d.shuttle.de>.
+ * debian/rules (test): new target which runs gnupg's test suite.
+ binary-arch depends on it, to ensure it's run whenever the package is
+ built.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Thu, 25 Jun 1998 16:04:57 +0200
+
+gnupg (0.2.19-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: Updated long description.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 30 May 1998 12:12:35 +0200
+
+gnupg (0.2.18-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <J.J.Troup@comp.brad.ac.uk> Sat, 16 May 1998 11:52:47 +0200
+
+gnupg (0.2.17-1) unstable; urgency=high
+
+ * New upstream version.
+ * debian/control (Standards-Version): updated to 2.4.1.0.
+ * debian/control: tone down warning about alpha nature of gnupg, as per
+ README.
+ * debian/copyright: ditto.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Mon, 4 May 1998 22:36:51 +0200
+
+gnupg (0.2.15-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 10 Apr 1998 01:12:20 +0100
+
+gnupg (0.2.13-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Wed, 11 Mar 1998 01:52:51 +0000
+
+gnupg (0.2.12-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 7 Mar 1998 13:52:40 +0000
+
+gnupg (0.2.11-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Wed, 4 Mar 1998 01:32:12 +0000
+
+gnupg (0.2.10-1) unstable; urgency=low
+
+ * New upstream version.
+ * Name changed upstream.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Mon, 2 Mar 1998 07:32:05 +0000
+
+g10 (0.2.7-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 20 Feb 1998 02:05:34 +0000
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..4b27f09
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,9 @@
+po/*.gmo
+po/stamp-po
+build-gpgv-static/
+build-gpgv-udeb/
+build-gpgv-win32/
+build-maintainer/
+doc/gnupg.info
+doc/gnupg.info-1
+doc/gnupg.info-2
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..9e6a03c
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,504 @@
+Source: gnupg2
+Section: utils
+Priority: optional
+Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Uploaders:
+ Eric Dorland <eric@debian.org>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+ Christoph Biedl <debian.axhn@manchmal.in-ulm.de>,
+Standards-Version: 4.5.1
+Build-Depends:
+ automake,
+ autopoint,
+ debhelper-compat (= 13),
+ file,
+ gettext,
+ ghostscript,
+ gpgrt-tools,
+ imagemagick,
+ libassuan-dev (>= 2.5.0),
+ libbz2-dev,
+ libcurl4-gnutls-dev,
+ libgcrypt20-dev (>= 1.8.0),
+ libgnutls28-dev (>= 3.0),
+ libgpg-error-dev (>= 1.35),
+ libksba-dev (>= 1.3.5),
+ libldap2-dev,
+ libnpth0-dev (>= 1.2),
+ libreadline-dev,
+ librsvg2-bin,
+ libsqlite3-dev,
+ libusb-1.0-0-dev [!hurd-any],
+ openssh-client <!nocheck>,
+ pkg-config,
+ texinfo,
+ transfig,
+ zlib1g-dev | libz-dev,
+Build-Depends-Indep:
+ binutils-multiarch [!amd64 !i386],
+ libassuan-mingw-w64-dev (>= 2.5.0),
+ libgcrypt-mingw-w64-dev (>= 1.8.0),
+ libgpg-error-mingw-w64-dev (>= 1.26-2~),
+ libksba-mingw-w64-dev (>= 1.3.5),
+ libnpth-mingw-w64-dev (>= 1.2),
+ libz-mingw-w64-dev,
+ mingw-w64,
+Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/bullseye
+Vcs-Browser: https://salsa.debian.org/debian/gnupg2
+Homepage: https://www.gnupg.org/
+Rules-Requires-Root: no
+
+Package: gpgconf
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Description: GNU privacy guard - core configuration utilities
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains core utilities used by different tools in the
+ suite offered by GnuPG. It can be used to programmatically edit
+ config files for tools in the GnuPG suite, to launch or terminate
+ per-user daemons (if installed), etc.
+
+Package: gnupg-agent
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gpg-agent (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - cryptographic agent (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package; please use gpg-agent instead.
+
+Package: gpg-agent
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ pinentry-curses | pinentry,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ scdaemon,
+Replaces:
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg-agent (<< 2.1.21-4),
+Provides:
+ gnupg-agent,
+Description: GNU privacy guard - cryptographic agent
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the agent program gpg-agent which handles all
+ secret key material for OpenPGP and S/MIME use. The agent also
+ provides a passphrase cache, which is used by pre-2.1 versions of
+ GnuPG for OpenPGP operations. Without this package, trying to do
+ secret-key operations with any part of the modern GnuPG suite will
+ fail.
+
+Package: gpg-wks-server
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service server
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG server for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: gpg-wks-client
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ dirmngr (= ${binary:Version}),
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service client
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG client for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: scdaemon
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Enhances:
+ gpg-agent,
+Description: GNU privacy guard - smart card support
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the smart card program scdaemon, which is used
+ by gpg-agent to access OpenPGP smart cards.
+
+Package: gpgsm
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Description: GNU privacy guard - S/MIME version
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the gpgsm program. gpgsm is a tool to provide
+ digital encryption and signing services on X.509 certificates and the
+ CMS protocol. gpgsm includes complete certificate management.
+
+Package: gpg
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg (<< 2.1.21-4),
+Replaces:
+ gnupg (<< 2.1.21-4),
+Description: GNU Privacy Guard -- minimalist public key operations
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains /usr/bin/gpg itself, and is useful on its own
+ only for public key operations (encryption, signature verification,
+ listing OpenPGP certificates, etc). If you want full capabilities
+ (including secret key operations, network access, etc), please
+ install the "gnupg" package, which pulls in the full suite of tools.
+
+Package: gnupg
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ dirmngr (<< ${source:Version}.1~),
+ dirmngr (>= ${source:Version}),
+ gnupg-l10n (= ${source:Version}),
+ gnupg-utils (<< ${source:Version}.1~),
+ gnupg-utils (>= ${source:Version}),
+ gpg (<< ${source:Version}.1~),
+ gpg (>= ${source:Version}),
+ gpg-agent (<< ${source:Version}.1~),
+ gpg-agent (>= ${source:Version}),
+ gpg-wks-client (<< ${source:Version}.1~),
+ gpg-wks-client (>= ${source:Version}),
+ gpg-wks-server (<< ${source:Version}.1~),
+ gpg-wks-server (>= ${source:Version}),
+ gpgsm (<< ${source:Version}.1~),
+ gpgsm (>= ${source:Version}),
+ gpgv (<< ${source:Version}.1~),
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ ${shlibs:Recommends},
+Suggests:
+ parcimonie,
+ xloadimage,
+Breaks:
+ debsig-verify (<< 0.15),
+ dirmngr (<< ${binary:Version}),
+ gnupg2 (<< 2.1.11-7+exp1),
+ libgnupg-interface-perl (<< 0.52-3),
+ libgnupg-perl (<= 0.19-1),
+ libmail-gnupg-perl (<= 0.22-1),
+ monkeysphere (<< 0.38~),
+ php-crypt-gpg (<= 1.4.1-1),
+ python-apt (<= 1.1.0~beta4),
+ python-gnupg (<< 0.3.8-3),
+ python3-apt (<= 1.1.0~beta4),
+Replaces:
+ gnupg2 (<< 2.1.11-7+exp1),
+Description: GNU privacy guard - a free PGP replacement
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the full suite of GnuPG tools for cryptographic
+ communications and data storage.
+
+Package: gnupg2
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gnupg (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package that provides symlinks from gpg2
+ to gpg.
+
+Package: gpgv
+Architecture: any
+Priority: important
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+ python-debian (<< 0.1.29),
+Replaces:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+Suggests:
+ gnupg,
+Description: GNU privacy guard - signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is actually a stripped-down version of gpg which is only able
+ to check signatures. It is somewhat smaller than the fully-blown gpg
+ and uses a different (and simpler) way to check that the public keys
+ used to make the signature are valid. There are no configuration
+ files and only a few options are implemented.
+
+Package: gpgv2
+Section: oldlibs
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - signature verification tool (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage. gpgv
+ is a stripped-down version of gpg which is only able to check
+ signatures.
+ .
+ This is a dummy transitional package that provides symlinks from gpgv2
+ to gpgv.
+
+Package: dirmngr
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ adduser,
+ gpgconf (= ${binary:Version}),
+ lsb-base (>= 3.2-13),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Enhances:
+ gpg,
+ gpgsm,
+ squid,
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ tor,
+Description: GNU privacy guard - network certificate management service
+ dirmngr is a server for managing and downloading OpenPGP and X.509
+ certificates, as well as updates and status signals related to those
+ certificates. For OpenPGP, this means pulling from the public
+ HKP/HKPS keyservers, or from LDAP servers. For X.509 this includes
+ Certificate Revocation Lists (CRLs) and Online Certificate Status
+ Protocol updates (OCSP). It is capable of using Tor for network
+ access.
+ .
+ dirmngr is used for network access by gpg, gpgsm, and dirmngr-client,
+ among other tools. Unless this package is installed, the parts of
+ the GnuPG suite that try to interact with the network will fail.
+
+Package: gpgv-udeb
+Package-Type: udeb
+Section: debian-installer
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: minimal signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, packaged in minimal
+ form for use in debian-installer.
+
+Package: gpgv-static
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ debian-archive-keyring,
+ debootstrap,
+Description: minimal signature verification tool (static build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, built statically
+ so that it can be directly used on any platform that is running on
+ the Linux kernel. Android and ChromeOS are two well known examples,
+ but there are many other platforms that this will work for, like
+ embedded Linux OSes. This gpgv in combination with debootstrap and
+ the Debian archive keyring allows the secure creation of chroot
+ installs on these platforms by using the full Debian signature
+ verification that is present in all official Debian mirrors.
+
+Package: gpgv-win32
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Suggests:
+ wine,
+Description: GNU privacy guard - signature verification tool (win32 build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is a stripped-down version of gnupg which is only able to check
+ signatures. It is smaller than the full-blown gnupg and uses a
+ different (and simpler) way to check that the public keys used to
+ make the signature are trustworthy.
+ .
+ This is a win32 version of gpgv. It's meant to be used by the win32-loader
+ component of Debian-Installer.
+
+Package: gnupg-l10n
+Section: localization
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Enhances:
+ dirmngr,
+ gpg,
+ gpg-agent,
+Breaks:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Replaces:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Description: GNU privacy guard - localization files
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This package contains the translation files for the use of GnuPG in
+ non-English locales.
+
+Package: gnupg-utils
+Architecture: any
+Multi-Arch: foreign
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gpg,
+ gpg-agent,
+ gpgconf,
+ gpgsm,
+Description: GNU privacy guard - utility programs
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains several useful utilities for manipulating
+ OpenPGP data and other related cryptographic elements. It includes:
+ .
+ * addgnupghome -- create .gnupg home directories
+ * applygnupgdefaults -- run gpgconf --apply-defaults for all users
+ * gpgcompose -- an experimental tool for constructing arbitrary
+ sequences of OpenPGP packets (e.g. for testing)
+ * gpgparsemail -- parse an e-mail message into annotated format
+ * gpgsplit -- split a sequence of OpenPGP packets into files
+ * gpgtar -- encrypt or sign files in an archive
+ * kbxutil -- list, export, import Keybox data
+ * lspgpot -- convert PGP ownertrust values to GnuPG
+ * migrate-pubring-from-classic-gpg -- use only "modern" formats
+ * symcryptrun -- use simple symmetric encryption tool in GnuPG framework
+ * watchgnupg -- watch socket-based logs
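Review bot: The `dirmngr` stanza still lists `adduser,` and `lsb-base (>= 3.2-13),` under Depends, which look like leftovers from when dirmngr ran as a system service under its own account. debian/dirmngr.NEWS in this same commit says that since 2.1.0~beta895-1 dirmngr is a per-user daemon and "there is no more system-wide dirmngr process", so nothing visible here needs account creation or LSB init-script helpers. The dirmngr maintainer scripts are not part of this hunk, so this is an inference to confirm. If none of them call adduser or source the LSB init functions, drop both lines so the network-facing dirmngr package pulls in only what it uses.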
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..7ad8935
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,253 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GnuPG - The GNU Privacy Guard (modern version)
+Upstream-Contact: GnuPG development mailing list <gnupg-devel@gnupg.org>
+Source: https://gnupg.org/download/
+
+Files: *
+Copyright: 1992, 1995-2020, Free Software Foundation, Inc
+License: GPL-3+
+
+Files: agent/command.c
+ agent/command-ssh.c
+ agent/gpg-agent.c
+ common/homedir.c
+ common/sysutils.c
+ g10/mainproc.c
+Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc
+ 2013, Werner Koch
+License: GPL-3+
+
+Files: autogen.sh
+Copyright: 2003, g10 Code GmbH
+License: permissive
+
+Files: common/gc-opt-flags.h
+ common/i18n.h
+ tools/clean-sat.c
+ tools/no-libgcrypt.c
+Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc
+License: permissive
+
+Files: common/localename.c
+Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc.
+License: LGPL-2.1+
+
+Files: dirmngr/dns.c
+ dirmngr/dns.h
+Copyright: 2008-2010, 2012-2016 William Ahern
+License: Expat
+
+Files: doc/yat2m.c
+ scd/app-geldkarte.c
+Copyright: 2004, 2005, g10 Code GmbH
+ 2006, 2008, 2009, 2011, Free Software Foundation, Inc
+License: GPL-3+
+
+Files: scd/ccid-driver.h
+ scd/ccid-driver.c
+Copyright: 2003-2007, Free Software Foundation, Inc
+License: GPL-3+ or BSD-3-clause
+
+Files: tools/rfc822parse.c
+ tools/rfc822parse.h
+Copyright: 1999-2000, Werner Koch, Duesseldorf
+ 2003-2004, g10 Code GmbH
+License: LGPL-3+
+
+Files: tools/sockprox.c
+Copyright: 2007, g10 Code GmbH
+License: GPL-3+
+
+Files: doc/OpenPGP
+Copyright: 1998-2013 Free Software Foundation, Inc.
+ 1997, 1998, 2013 Werner Koch
+ 1998 The Internet Society
+License: RFC-Reference
+
+Files: tests/gpgscm/*
+Copyright: 2000, Dimitrios Souflis
+ 2016, Justus Winter, Werner Koch
+License: TinySCHEME
+
+Files: debian/*
+Copyright: 1998-2020 Debian GnuPG packagers, including
+ Eric Dorland <eric@debian.org>
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ NIIBE Yutaka <gniibe@fsij.org>
+License: GPL-3+
+
+Files: debian/org.gnupg.scdaemon.metainfo.xml
+Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Comment: This file is licensed permissively for the sake of AppStream
+License: CC0-1.0
+
+License: TinySCHEME
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ Neither the name of Dimitrios Souflis nor the names of the
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+License: permissive
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+ .
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.
+
+License: RFC-Reference
+ doc/OpenPGP merely cites and references IETF Draft
+ draft-ietf-openpgp-formats-07.txt. This is believed to be fair use;
+ but if not, it's covered by the source document's license under
+ the 'comment on' clause. The license statement follows.
+ .
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+ .
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+
+License: GPL-3+
+ GnuPG is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ GnuPG is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+
+License: LGPL-3+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 3 of
+ the License, or (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU Lesser General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/LGPL-3'.
+
+License: LGPL-2.1+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of
+ the License, or (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU Lesser General Public
+ License version 2.1 can be found in the file
+ `/usr/share/common-licenses/LGPL-2.1'.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, and the entire permission notice in its entirety,
+ including the disclaimer of warranties.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the author may not be used to endorse or promote
+ products derived from this software without specific prior
+ written permission.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to permit
+ persons to whom the Software is furnished to do so, subject to the
+ following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+ USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+License: CC0-1.0
+ To the extent possible under law, the author(s) have dedicated all
+ copyright and related and neighboring rights to this software to the public
+ domain worldwide. This software is distributed without any warranty.
+ .
+ On Debian systems, the complete text of the CC0 license, version 1.0,
+ can be found in /usr/share/common-licenses/CC0-1.0.
diff --git a/debian/dirmngr.NEWS b/debian/dirmngr.NEWS
new file mode 100644
index 0000000..b0c550f
--- /dev/null
+++ b/debian/dirmngr.NEWS
@@ -0,0 +1,49 @@
+dirmngr (2.1.18-1) unstable; urgency=medium
+
+ If your machine is configured with system user session management,
+ dirmngr will be managed automatically by systemd's user sessions on
+ machines configured with use systemd. Please consider installing the
+ packages that the dirmngr package Suggests:, and see
+ /usr/share/doc/dirmngr/README.Debian for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 22:50:34 -0500
+
+dirmngr (2.1.13-3) experimental; urgency=medium
+
+ gpg and most related processes will auto-launch dirmngr if needed.
+
+ Any user who wants to launch dirmngr manually should do so with:
+
+ gpgconf --launch dirmngr
+
+ and may want to terminate dirmngr when their session ends with:
+
+ gpgconf --kill dirmngr
+
+ Users on machines with systemd can ensure that dirmngr is always
+ running for their session (and that it gets terminated at logout)
+ with:
+
+ gpgconf --kill dirmngr
+ systemctl --user enable dirmngr
+ systemctl --user start dirmngr
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 17:55:15 -0400
+
+dirmngr (2.1.0~beta895-1) experimental; urgency=medium
+
+ No more dirmngr system service!
+ ===============================
+
+ As of the 2.1.0 beta series, dirmngr is a local daemon that works
+ closely with gnupg2. It is launched on its own, per-user, and
+ listens on a standard socket (usually ~/.gnupg/S.dirmngr). There is
+ no more system-wide dirmngr process.
+
+ If there is a special case where a dirmngr system process is
+ actually needed, please report a bug in dirmngr, and we can sort out
+ a way to set one up for that case so that everyone with dirmngr
+ installed doesn't need to have it running.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Oct 2014 10:33:52 -0400
+
diff --git a/debian/dirmngr.README.Debian b/debian/dirmngr.README.Debian
new file mode 100644
index 0000000..099240a
--- /dev/null
+++ b/debian/dirmngr.README.Debian
@@ -0,0 +1,47 @@
+dirmngr system integration
+==========================
+
+Since 2.1.x, gpg and most related processes will auto-launch dirmngr
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have a dirmngr
+process launched automatically by systemd's user session, upon first
+access of the standard socket. systemd will also cleanly tear this
+process down at session logout.
+
+Users who don't want systemd to manage their dirmngr in this way for
+all future sessions should do:
+
+ systemctl --user mask --now dirmngr.socket
+
+Doing this means that dirmngr will fall back to its manual mode of
+operation. (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the dirmngr.socket
+unit.
+
+Manual dirmngr startup and teardown
+===================================
+
+Any user who wants to launch dirmngr manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+ gpgconf --launch dirmngr
+
+If dirmngr is launched manually or automatically (but not supervised
+by systemd), you also probably want to ensure that it terminates when
+your session ends with:
+
+ gpgconf --kill dirmngr
+
+If you're not using systemd, you may wish to add this command to your
+session logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:49:45 -0500
diff --git a/debian/dirmngr.docs b/debian/dirmngr.docs
new file mode 100644
index 0000000..61e3257
--- /dev/null
+++ b/debian/dirmngr.docs
@@ -0,0 +1,5 @@
+AUTHORS
+NEWS
+THANKS
+TODO
+doc/KEYSERVER
diff --git a/debian/dirmngr.install b/debian/dirmngr.install
new file mode 100644
index 0000000..4bd9ed2
--- /dev/null
+++ b/debian/dirmngr.install
@@ -0,0 +1,6 @@
+debian/tmp/usr/bin/dirmngr
+debian/tmp/usr/bin/dirmngr-client
+debian/tmp/usr/lib/gnupg/dirmngr_ldap
+debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
+doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
+doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
diff --git a/debian/dirmngr.maintscript b/debian/dirmngr.maintscript
new file mode 100644
index 0000000..aa11aa5
--- /dev/null
+++ b/debian/dirmngr.maintscript
@@ -0,0 +1,5 @@
+rm_conffile /etc/default/dirmngr
+rm_conffile /etc/dirmngr/dirmngr.conf
+rm_conffile /etc/dirmngr/ldapservers.conf
+rm_conffile /etc/init.d/dirmngr
+rm_conffile /etc/logrotate.d/dirmngr
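Review bot: All five `rm_conffile` lines omit the prior-version argument, so dpkg-maintscript-helper attempts the removal on every upgrade instead of only on upgrades from versions that still shipped the system-wide dirmngr service. dpkg-maintscript-helper(1) describes giving the version as the safer form, because the operation is then tried only once. I would write each line as `rm_conffile /etc/init.d/dirmngr <LAST-VERSION-SHIPPING-IT>~ dirmngr`, where the version is a placeholder because the real value is not visible in this hunk. A one-line `#` comment naming the release that dropped the system service would also help the next maintainer decide when these entries can be retired.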
diff --git a/debian/dirmngr.manpages b/debian/dirmngr.manpages
new file mode 100644
index 0000000..93702d9
--- /dev/null
+++ b/debian/dirmngr.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/dirmngr-client.1
+debian/tmp/usr/share/man/man8/dirmngr.8
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..2061ad9
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,38 @@
+[DEFAULT]
+debian-branch = debian/bullseye
+pristine-tar = True
+upstream-vcs-tag = gnupg-%(version)s
+
+[import-orig]
+filter = [
+ 'aclocal.m4',
+ 'build-aux/compile',
+ 'build-aux/config.rpath',
+ 'build-aux/depcomp',
+ 'build-aux/install-sh',
+ 'build-aux/missing',
+ 'build-aux/mkinstalldirs',
+ 'build-aux/texinfo.tex',
+ 'config.h.in',
+ 'configure',
+ 'doc/gnupg.info*',
+ 'INSTALL',
+ 'm4/iconv.m4',
+ 'm4/intdiv0.m4',
+ 'm4/intl.m4',
+ 'm4/lock.m4',
+ 'm4/printf-posix.m4',
+ 'm4/size_max.m4',
+ 'm4/uintmax_t.m4',
+ 'm4/wint_t.m4',
+ '*/*/Makefile.in',
+ '*/Makefile.in',
+ 'Makefile.in',
+ 'po/*.gmo',
+ 'po/Makefile.in.in',
+ 'po/stamp-po',
+ ]
+filter-pristine-tar = False
+
+[pq]
+patch-numbers = False
diff --git a/debian/gnupg-l10n.install b/debian/gnupg-l10n.install
new file mode 100644
index 0000000..a84f37d
--- /dev/null
+++ b/debian/gnupg-l10n.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/gnupg/help.*.txt
+debian/tmp/usr/share/gnupg/help.txt
+debian/tmp/usr/share/locale
diff --git a/debian/gnupg-l10n.lintian-overrides b/debian/gnupg-l10n.lintian-overrides
new file mode 100644
index 0000000..b1493da
--- /dev/null
+++ b/debian/gnupg-l10n.lintian-overrides
@@ -0,0 +1,2 @@
+# these files are how GnuPG distributes localized help text
+gnupg-l10n: package-contains-documentation-outside-usr-share-doc usr/share/gnupg/help.*txt
diff --git a/debian/gnupg-utils.install b/debian/gnupg-utils.install
new file mode 100644
index 0000000..5c764d4
--- /dev/null
+++ b/debian/gnupg-utils.install
@@ -0,0 +1,11 @@
+build-maintainer/g10/gpgcompose usr/bin
+build/tools/gpg-zip usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
+debian/tmp/usr/bin/gpgparsemail
+debian/tmp/usr/bin/gpgtar
+debian/tmp/usr/bin/gpgsplit
+debian/tmp/usr/bin/kbxutil
+debian/tmp/usr/bin/watchgnupg
+debian/tmp/usr/sbin/addgnupghome
+debian/tmp/usr/sbin/applygnupgdefaults
+tools/lspgpot usr/bin
diff --git a/debian/gnupg-utils.manpages b/debian/gnupg-utils.manpages
new file mode 100644
index 0000000..e65e4ff
--- /dev/null
+++ b/debian/gnupg-utils.manpages
@@ -0,0 +1,11 @@
+debian/gpg-zip.1
+debian/gpgcompose.1
+debian/gpgsplit.1
+debian/kbxutil.1
+debian/lspgpot.1
+debian/migrate-pubring-from-classic-gpg.1
+debian/tmp/usr/share/man/man1/gpgparsemail.1
+debian/tmp/usr/share/man/man1/gpgtar.1
+debian/tmp/usr/share/man/man1/watchgnupg.1
+debian/tmp/usr/share/man/man8/addgnupghome.8
+debian/tmp/usr/share/man/man8/applygnupgdefaults.8
diff --git a/debian/gnupg.README.Debian b/debian/gnupg.README.Debian
new file mode 100644
index 0000000..24944d3
--- /dev/null
+++ b/debian/gnupg.README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+ * supporting daemons are auto-launched as needed
+
+ * all access to secret key material is handled by gpg-agent
+
+ * all smartcard access is handled by scdaemon
+
+ * all network access is handled by dirmngr
+
+ * PGPv3 keys are no longer supported
+
+ * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+ instead in $GNUPGHOME/private-keys-v1.d/
+
+ * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+ default for new users. Upgrading users will continue to use
+ pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+ gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however. If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 18 Apr 2016 19:08:36 -0400
diff --git a/debian/gnupg.docs b/debian/gnupg.docs
new file mode 100644
index 0000000..66384bb
--- /dev/null
+++ b/debian/gnupg.docs
@@ -0,0 +1,4 @@
+debian/tmp/usr/share/doc/gnupg/*
+NEWS
+THANKS
+TODO
diff --git a/debian/gnupg.info b/debian/gnupg.info
new file mode 100644
index 0000000..e4baa0f
--- /dev/null
+++ b/debian/gnupg.info
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/info/gnupg.info*
+doc/gnupg-card-architecture.png
+doc/gnupg-module-overview.png
diff --git a/debian/gnupg.manpages b/debian/gnupg.manpages
new file mode 100644
index 0000000..60f7ab7
--- /dev/null
+++ b/debian/gnupg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man7/gnupg.7
diff --git a/debian/gnupg2.links b/debian/gnupg2.links
new file mode 100644
index 0000000..96fde98
--- /dev/null
+++ b/debian/gnupg2.links
@@ -0,0 +1,2 @@
+usr/bin/gpg usr/bin/gpg2
+usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz
diff --git a/debian/gpg-agent.NEWS b/debian/gpg-agent.NEWS
new file mode 100644
index 0000000..69b4e49
--- /dev/null
+++ b/debian/gpg-agent.NEWS
@@ -0,0 +1,19 @@
+gnupg-agent (2.1.18-1) unstable; urgency=medium
+
+ If your machine is configured with system user session management,
+ gpg-agent will be managed automatically by systemd's user sessions on
+ machines configured with use systemd. Please consider installing the
+ packages that the gnupg-agent package Suggests:, and see
+ /usr/share/doc/gnupg-agent/README.Debian for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 22:54:48 -0500
+
+gnupg-agent (2.1.13-3) experimental; urgency=medium
+
+ gpg-agent is no longer auto-launched by
+ /etc/X11/Xsession.d/90gpg-agent. Please read
+ /usr/share/doc/gnupg-agent/README.Debian for details about system
+ integration.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 17:29:46 -0400
+
diff --git a/debian/gpg-agent.README.Debian b/debian/gpg-agent.README.Debian
new file mode 100644
index 0000000..f57d278
--- /dev/null
+++ b/debian/gpg-agent.README.Debian
@@ -0,0 +1,82 @@
+gpg-agent system integration
+============================
+
+Since 2.1.x, gpg and most related processes will auto-launch gpg-agent
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have their gpg-agent
+process launched automatically by systemd's user session, upon first
+access of any of the expected gpg-agent sockets (including the ssh
+socket). systemd will also cleanly tear this process down at session
+logout.
+
+If dbus-user-session and pinentry-gnome3 packages are installed, then
+all user interaction with this systemd-managed gpg-agent process
+(e.g. prompting for passwords or confirmations, etc) will take place
+over the d-bus session, for better integration with graphical
+environments like GNOME.
+
+Users who don't want systemd to manage their gpg-agent in this way for
+all future sessions should do:
+
+ systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
+
+Doing this means that gpg-agent will fall back to its manual mode of
+operation. (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the gpg-agent*.socket
+units.
+
+ssh-agent emulation
+===================
+
+gpg-agent offers an ssh-agent emulation which can be achieved by
+setting the environment variable SSH_AUTH_SOCK to:
+
+ /run/user/$(id -u)/gnupg/S.gpg-agent.ssh
+
+(replace $(id -u) with the user's numeric user ID, of course).
+
+But ssh doesn't have a way to tell ssh-agent how to prompt the user
+when necessary; the systemd-managed gpg-agent process will only know
+how to prompt the user if you have dbus-user-session and
+pinentry-gnome3 installed. This is the recommended configuration for
+gpg-agent's ssh-agent emulation on desktop machines running systemd,
+and doesn't need any additional configuration.
+
+However, if dbus-user-session and pinentry-gnome3 are not in use, by
+default the systemd-managed gpg-agent will not know how to get
+feedback from the user when a request is first received by ssh. You
+can give it a hint for all future ssh connections by running:
+
+ gpg-connect-agent updatestartuptty /bye
+
+You may wish to do this in the login scripts for your user session if
+you run systemd without dbus-user-session and pinentry-gnome3, and you
+plan to use gpg-agent's ssh-agent emulation.
+
+Manual gpg-agent startup and teardown
+=====================================
+
+Any user who wants to launch gpg-agent manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+ gpgconf --launch gpg-agent
+
+If gpg-agent is launched manually or automatically (but not supervised
+by systemd), you probably want to ensure that it terminates when your
+session ends with:
+
+ gpgconf --kill gpg-agent
+
+If you're not using systemd, you may wish to add this to your session
+logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:56:08 -0500
diff --git a/debian/gpg-agent.examples b/debian/gpg-agent.examples
new file mode 100644
index 0000000..34213be
--- /dev/null
+++ b/debian/gpg-agent.examples
@@ -0,0 +1,2 @@
+doc/examples/pwpattern.list
+doc/examples/trustlist.txt
diff --git a/debian/gpg-agent.install b/debian/gpg-agent.install
new file mode 100644
index 0000000..ae93fb5
--- /dev/null
+++ b/debian/gpg-agent.install
@@ -0,0 +1,11 @@
+debian/Xsession.d/90gpg-agent etc/X11/Xsession.d
+debian/systemd-environment-generator/90gpg-agent usr/lib/systemd/user-environment-generators
+debian/tmp/usr/bin/gpg-agent
+debian/tmp/usr/lib/gnupg/gpg-check-pattern
+debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
+debian/tmp/usr/lib/gnupg/gpg-protect-tool
+doc/examples/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user
diff --git a/debian/gpg-agent.links b/debian/gpg-agent.links
new file mode 100644
index 0000000..2927701
--- /dev/null
+++ b/debian/gpg-agent.links
@@ -0,0 +1,2 @@
+usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase
+usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool
diff --git a/debian/gpg-agent.lintian-overrides b/debian/gpg-agent.lintian-overrides
new file mode 100644
index 0000000..52dc367
--- /dev/null
+++ b/debian/gpg-agent.lintian-overrides
@@ -0,0 +1,3 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-agent: spare-manual-page usr/share/man/man1/gpg-check-pattern.1.gz
+gpg-agent: spare-manual-page usr/share/man/man1/gpg-preset-passphrase.1.gz
diff --git a/debian/gpg-agent.logcheck.ignore.server b/debian/gpg-agent.logcheck.ignore.server
new file mode 100644
index 0000000..6de7991
--- /dev/null
+++ b/debian/gpg-agent.logcheck.ignore.server
@@ -0,0 +1,11 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+
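Review bot: The two patterns for "GnuPG network certificate management daemon" (one `Listening on`, one `Closed`) are dirmngr.socket messages, yet they ship in gpg-agent's logcheck file. Whether dirmngr can be installed without gpg-agent is not visible here; if it can, those lines would go unfiltered on such hosts, and they may belong in a dirmngr-owned rule file instead. The file also has no header explaining where these messages come from, so I would add a leading comment such as `# systemd --user socket activation/teardown messages for gpg-agent*.socket and dirmngr.socket`. The patterns themselves are anchored at both ends and match only the fixed socket descriptions, which keeps the suppression narrow.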
diff --git a/debian/gpg-agent.manpages b/debian/gpg-agent.manpages
new file mode 100644
index 0000000..ca2e72f
--- /dev/null
+++ b/debian/gpg-agent.manpages
@@ -0,0 +1,3 @@
+debian/gpg-check-pattern.1
+debian/tmp/usr/share/man/man1/gpg-agent.1
+debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1
diff --git a/debian/gpg-check-pattern.1 b/debian/gpg-check-pattern.1
new file mode 100644
index 0000000..0714faf
--- /dev/null
+++ b/debian/gpg-check-pattern.1
@@ -0,0 +1,36 @@
+.TH GPG-CHECK-PATTERN "1" "March 2016" "gpg-check-pattern (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+gpg-check-pattern \- Check a passphrase on stdin against the patternfile
+
+.SH SYNOPSIS
+.B gpg\-check\-pattern
+.RI [ options ]
+.I patternfile
+
+.SH DESCRIPTION
+.B gpg\-check\-pattern
+checks a passphrase given on stdin against a specified patternfile.
+
+.SH OPTIONS
+.TP
+.BR \-v ", " \-\-verbose
+Produce verbose output
+.TP
+.B \-\-check
+run only a syntax check on the patternfile
+.TP
+.BR \-0 ", " \-\-null
+input is expected to be null delimited
+.PP
+Please report bugs to <https://dev.gnupg.org>.
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/debian/gpg-wks-client.install b/debian/gpg-wks-client.install
new file mode 100644
index 0000000..1b331dd
--- /dev/null
+++ b/debian/gpg-wks-client.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/gnupg/gpg-wks-client
diff --git a/debian/gpg-wks-client.lintian-overrides b/debian/gpg-wks-client.lintian-overrides
new file mode 100644
index 0000000..d6fe3ff
--- /dev/null
+++ b/debian/gpg-wks-client.lintian-overrides
@@ -0,0 +1,2 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-wks-client: spare-manual-page usr/share/man/man1/gpg-wks-client.1.gz
diff --git a/debian/gpg-wks-client.manpages b/debian/gpg-wks-client.manpages
new file mode 100644
index 0000000..e600ad3
--- /dev/null
+++ b/debian/gpg-wks-client.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-client.1
diff --git a/debian/gpg-wks-server.install b/debian/gpg-wks-server.install
new file mode 100644
index 0000000..c18c2e7
--- /dev/null
+++ b/debian/gpg-wks-server.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg-wks-server
diff --git a/debian/gpg-wks-server.manpages b/debian/gpg-wks-server.manpages
new file mode 100644
index 0000000..1469434
--- /dev/null
+++ b/debian/gpg-wks-server.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-server.1
diff --git a/debian/gpg-zip.1 b/debian/gpg-zip.1
new file mode 100644
index 0000000..c20f770
--- /dev/null
+++ b/debian/gpg-zip.1
@@ -0,0 +1,106 @@
+.TH "GPG\-ZIP" 1 "November 2006"
+
+.SH NAME
+gpg\-zip \- encrypt or sign files into an archive
+
+.SH SYNOPSIS
+.B gpg\-zip
+.RB [ OPTIONS ]
+.IR filename1 " [" "filename2, ..." ]
+.IR directory1 " [" "directory2, ..." ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpg\-zip
+command.
+.PP
+.B gpg\-zip
+IS DEPRECATED. PLEASE USE gpgtar(1) instead.
+.PP
+.B gpg\-zip
+encrypts or signs files into an archive. It is an gpg-ized tar using the
+same format as PGP's PGP Zip.
+
+.SH OPTIONS
+.TP
+.BR \-e ", " \-\-encrypt
+Encrypt data. This option may be combined with
+.B \-\-symmetric
+(for output that may be decrypted via a secret key or a passphrase).
+.TP
+.BR \-d ", " \-\-decrypt
+Decrypt data.
+.TP
+.BR \-c ", " \-\-symmetric
+Encrypt with a symmetric cipher using a passphrase. The default
+symmetric cipher used is CAST5, but may be chosen with the
+.B \-\-cipher\-algo
+option to
+.BR gpg (1).
+.TP
+.BR \-s ", " \-\-sign
+Make a signature. See
+.BR gpg (1).
+.TP
+.BR \-r ", " \-\-recipient " \fIUSER\fR"
+Encrypt for user id \fIUSER\fR. See
+.BR gpg (1).
+.TP
+.BR \-u ", " \-\-local\-user " \fIUSER\fR"
+Use \fIUSER\fR as the key to sign with. See
+.BR gpg (1).
+.TP
+.B \-\-list\-archive
+List the contents of the specified archive.
+.TP
+.BR \-o ", " \-\-output " " \fIFILE\fR"
+Write output to specified file
+.IR FILE .
+.TP
+.BI \-\-gpg " GPG"
+Use the specified command instead of
+.BR gpg .
+.TP
+.BI \-\-gpg\-args " ARGS"
+Pass the specified options to
+.BR gpg (1).
+.TP
+.BI \-\-tar " TAR"
+Use the specified command instead of
+.BR tar .
+.TP
+.BI \-\-tar\-args " ARGS"
+Pass the specified options to
+.BR tar (1).
+.TP
+.BR \-h ", " \-\-help
+Output a short usage information.
+.TP
+.B \-\-version
+Output the program version.
+
+.SH DIAGNOSTICS
+The program returns \fB0\fR if everything was fine, \fB1\fR otherwise.
+
+.SH EXAMPLES
+Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR:
+.IP
+.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs
+.PP
+List the contents of archive \fItest1\fR:
+.IP
+.B gpg\-zip \-\-list\-archive test1
+
+.SH SEE ALSO
+.BR gpg (1),
+.BR gpgtar (1),
+.BR tar (1)
+
+.SH AUTHOR
+Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to
+<\&bug-gnupg@gnu.org\&>.
+
+This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&>
+and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian
+distribution (but may be used by others).
+
diff --git a/debian/gpg.install b/debian/gpg.install
new file mode 100644
index 0000000..0b53564
--- /dev/null
+++ b/debian/gpg.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg
diff --git a/debian/gpg.manpages b/debian/gpg.manpages
new file mode 100644
index 0000000..7c47415
--- /dev/null
+++ b/debian/gpg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg.1
diff --git a/debian/gpgcompose.1 b/debian/gpgcompose.1
new file mode 100644
index 0000000..f92fb05
--- /dev/null
+++ b/debian/gpgcompose.1
@@ -0,0 +1,56 @@
+.TH "gpgcompose" 1 "June 2017"
+
+.SH NAME
+gpgcompose \- Generate a stream of OpenPGP packets
+
+.SH SYNOPSIS
+.B gpgcompose
+.RI [[ OPTION
+.RI [ ARGS ]]
+\&... ]
+
+.B gpgcompose --help
+
+.B gpgcompose
+.I OPTION
+.B --help
+
+.SH DESCRIPTION
+.B gpgcompose
+generates a stream of OpenPGP packets, including some which can
+include other nested packets within a layer of encryption. The syntax
+on the command line isn't stable enough to document currently, but
+additional hints and examples can be found from the command line using
+.BR \-\-help .
+
+.SH EXTERNAL DEPENDENCIES
+
+.B gpgcompose
+is not capable of performing secret key operations on its own.
+Creation of any OpenPGP object that requires secret key operations
+(e.g.,
+.BR \-\-signature )
+will need to speak to an already-running
+.BR gpg-agent .
+
+.SH FILES
+
+Occasionally,
+.B gpgcompose
+will need to look up existing public keys for reference (e.g.,
+.BR \-\-public-key ).
+It will do so in
+.BR ~/.gnupg/keyring.kbx,
+or in
+.B $GNUPGHOME/keyring.kbx
+if that variable is set.
+
+.SH SEE ALSO
+
+RFC 4880, gpg(1), gpg-agent(1), gpg-connect-agent(1)
+
+.SH AUTHOR
+gpgcompose is copyright (C) 2016, g10 Code GmbH.
+
+This manpage was written by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
+
diff --git a/debian/gpgconf.examples b/debian/gpgconf.examples
new file mode 100644
index 0000000..3e74b94
--- /dev/null
+++ b/debian/gpgconf.examples
@@ -0,0 +1 @@
+doc/examples/gpgconf.conf
diff --git a/debian/gpgconf.install b/debian/gpgconf.install
new file mode 100644
index 0000000..398d8a6
--- /dev/null
+++ b/debian/gpgconf.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/bin/gpg-connect-agent
+debian/tmp/usr/bin/gpgconf
+debian/tmp/usr/share/gnupg/distsigkey.gpg
diff --git a/debian/gpgconf.manpages b/debian/gpgconf.manpages
new file mode 100644
index 0000000..70bb0d7
--- /dev/null
+++ b/debian/gpgconf.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/gpg-connect-agent.1
+debian/tmp/usr/share/man/man1/gpgconf.1
diff --git a/debian/gpgsm.install b/debian/gpgsm.install
new file mode 100644
index 0000000..8822607
--- /dev/null
+++ b/debian/gpgsm.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgsm
diff --git a/debian/gpgsm.manpages b/debian/gpgsm.manpages
new file mode 100644
index 0000000..ad6a686
--- /dev/null
+++ b/debian/gpgsm.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgsm.1
diff --git a/debian/gpgsplit.1 b/debian/gpgsplit.1
new file mode 100644
index 0000000..116ce89
--- /dev/null
+++ b/debian/gpgsplit.1
@@ -0,0 +1,41 @@
+.TH "gpgsplit" 1 "December 2005"
+
+.SH NAME
+gpgsplit \- Split an OpenPGP message into packets
+
+.SH SYNOPSIS
+.B gpgsplit
+.RI [ OPTIONS ]
+.RI [ FILES ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpgsplit
+command.
+.PP
+.B gpgsplit
+splits an OpenPGP message into packets.
+
+.SH OPTIONS
+.TP
+.BR \-v , \-\-verbose
+Verbose.
+.TP
+.BR \-p , "\-\-prefix " \fISTRING\fR
+Prepend filenames with \fISTRING\fR.
+.TP
+.B \-\-uncompress
+Uncompress a packet.
+.TP
+.B \-\-secret\-to\-public
+Convert secret keys to public keys.
+.TP
+.B \-\-no\-split
+Write to stdout and don't actually split.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/gpgv-static.1 b/debian/gpgv-static.1
new file mode 100644
index 0000000..c8dcc1a
--- /dev/null
+++ b/debian/gpgv-static.1
@@ -0,0 +1,32 @@
+.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1"
+
+.SH NAME
+gpgv-static - Verify OpenPGP signatures (static build)
+
+.SH SYNOPSIS
+.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP
+
+.SH DESCRIPTION
+\fBgpgv\fR is an OpenPGP signature verification tool.
+
+\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be
+directly used on any platform that is running on the Linux kernel,
+such as Android, ChromeOS, or many embedded Linux systems.
+
+This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and
+the Debian archive keyring allows the secure creation of chroot
+installs on these platforms by using the full Debian signature
+verification that is present in all official Debian mirrors.
+
+You may wish to re-name the binary to plain \fBgpgv\fR when
+transferring it into such a platform to create a chroot.
+
+Please read the documentation for \fBgpgv\fR for more details.
+
+.SH SEE ALSO
+\fBgpg\fR(1)
+
+.SH AUTHOR
+This manual page was written by Daniel Kahn Gillmor
+<dkg@fifthhorseman.net> for the Debian project, but may be used by
+others under the same license as GnuPG itself.
diff --git a/debian/gpgv-static.install b/debian/gpgv-static.install
new file mode 100644
index 0000000..adb6deb
--- /dev/null
+++ b/debian/gpgv-static.install
@@ -0,0 +1 @@
+build-gpgv-static/g10/gpgv-static usr/bin/
diff --git a/debian/gpgv-static.lintian-overrides b/debian/gpgv-static.lintian-overrides
new file mode 100644
index 0000000..fa0b8df
--- /dev/null
+++ b/debian/gpgv-static.lintian-overrides
@@ -0,0 +1,3 @@
+# gpgv-static is deliberately built statically. We cannot avoid
+# embedding zlib.
+gpgv-static: embedded-library usr/bin/gpgv-static: zlib
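Review bot: The override comment records that zlib is embedded on purpose, but not the consequence: a zlib security fix in the archive does not reach `gpgv-static` until this package is rebuilt. I would extend the comment with a line such as `# NOTE: zlib security updates require a rebuild of gpgv-static; keep Built-Using in debian/control accurate.` It is also worth checking that debian/control, which is not visible in this part of the diff, declares `Built-Using` for the static binary so the embedded copy can be tracked. This matters here because the gpgv-static man page added in the same commit positions the binary for signature verification when bootstrapping chroots.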
diff --git a/debian/gpgv-static.manpages b/debian/gpgv-static.manpages
new file mode 100644
index 0000000..e3f73aa
--- /dev/null
+++ b/debian/gpgv-static.manpages
@@ -0,0 +1 @@
+debian/gpgv-static.1
diff --git a/debian/gpgv-udeb.install b/debian/gpgv-udeb.install
new file mode 100644
index 0000000..fe27533
--- /dev/null
+++ b/debian/gpgv-udeb.install
@@ -0,0 +1 @@
+build-gpgv-udeb/g10/gpgv usr/bin/
diff --git a/debian/gpgv-win32.install b/debian/gpgv-win32.install
new file mode 100644
index 0000000..cf3cd8c
--- /dev/null
+++ b/debian/gpgv-win32.install
@@ -0,0 +1 @@
+build-gpgv-win32/g10/gpgv.exe usr/share/win32
diff --git a/debian/gpgv.install b/debian/gpgv.install
new file mode 100644
index 0000000..0a9f9a2
--- /dev/null
+++ b/debian/gpgv.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgv
diff --git a/debian/gpgv.manpages b/debian/gpgv.manpages
new file mode 100644
index 0000000..86a9e29
--- /dev/null
+++ b/debian/gpgv.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgv.1
diff --git a/debian/gpgv2.links b/debian/gpgv2.links
new file mode 100644
index 0000000..5107429
--- /dev/null
+++ b/debian/gpgv2.links
@@ -0,0 +1,2 @@
+usr/bin/gpgv usr/bin/gpgv2
+usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
diff --git a/debian/kbxutil.1 b/debian/kbxutil.1
new file mode 100644
index 0000000..d59f1fe
--- /dev/null
+++ b/debian/kbxutil.1
@@ -0,0 +1,62 @@
+.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+kbxutil \- List, export, import Keybox data
+
+.SH SYNOPSIS
+.B kbxutil
+.RB [ OPTIONS ]
+.RB [ FILES ]
+
+.SH DESCRIPTION
+List, export, import Keybox data
+
+.SH COMMANDS
+.TP
+.B \-\-stats
+show key statistics
+.TP
+.B \-\-import\-openpgp
+import OpenPGP keyblocks
+.TP
+.B \-\-find\-dups
+find duplicates
+.TP
+.B \-\-cut
+export records
+
+.SH OPTIONS
+.TP
+.BI \-\-from " N"
+first record to export
+.TP
+.BI \-\-to " N"
+last record to export
+.TP
+.BR \-v ", " \-\-verbose
+verbose
+.TP
+.BR \-q ", " \-\-quiet
+be somewhat more quiet
+.TP
+.BR \-n ", " \-\-dry\-run
+do not make any changes
+.TP
+.B \-\-debug
+set debugging flags
+.TP
+.B \-\-debug\-all
+enable full debugging
+
+.SH BUGS
+Please report bugs to <https://dev.gnupg.org>.
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/debian/lspgpot.1 b/debian/lspgpot.1
new file mode 100644
index 0000000..ba27eca
--- /dev/null
+++ b/debian/lspgpot.1
@@ -0,0 +1,22 @@
+.TH "lspgpot" 1 "December 2005"
+
+.SH NAME
+lspgpot - extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+
+.SH SYNOPSIS
+.B lspgpot
+
+
+.SH DESCRIPTION
+.B lspgpot
+extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/migrate-pubring-from-classic-gpg b/debian/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..ecbc8d9
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+set -e
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+ printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+ exit 1
+fi
+
+usage() {
+ printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+ usage >&2
+ exit 1
+else
+ case "$1" in
+ --help|--usage|-h)
+ usage
+ exit
+ ;;
+ --default)
+ ;;
+ *)
+ GHD="$1"
+ ;;
+ esac
+fi
+
+GPG=("$GPG" --homedir "$GHD" --batch)
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+ printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+ exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+ mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+ printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+ exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"${GPG[@]}" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+
+revert() {
+ printf >&2 'Restoring pubring.gpg...\n'
+ cp "$BACKUP/pubring.gpg" "$GHD/pubring.gpg"
+}
+
+trap revert EXIT
+
+if ! "${GPG[@]}" --status-file "$BACKUP/import-status" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg" ; then
+ cat >&2 <<EOF
+Keyring import was not completely successful (see error message above,
+and the LIMITATIONS section of migrate-pubring-from-classic-gpg(1) for
+more details).
+
+If you suspect a bug in the migration script, please use:
+
+ reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg partial failure'
+
+And include the above output (redacted for privacy as needed) in the
+body of the report.
+
+Continuing with the rest of the migration anyway...
+EOF
+fi
+"${GPG[@]}" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"${GPG[@]}" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+ cat >&2 <<EOF
+No keybox was created at $GHD/pubring.kbx. Something went wrong!
+
+Please report a bug in the migration script, using:
+
+ reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg no pubring.kbx ($BACKUP)'
+EOF
+ exit 1
+fi
+trap - EXIT
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2
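Review bot: The `mv "$GHD/pubring.gpg" "$BACKUP/"` step and the `cp` inside `revert` omit the `--` that the empty-keyring branch already uses, so a GPGHOMEDIR argument beginning with `-` is parsed as options at the step that moves the only copy of the keyring. `revert` also restores with plain `cp`, so the restored pubring.gpg takes its mode from the current umask and gets a fresh timestamp. I would write `mv -- "$GHD/pubring.gpg" "$BACKUP/"` and `cp -p -- "$BACKUP/pubring.gpg" "$GHD/pubring.gpg"`. If `--import-ownertrust` or `--check-trustdb` fails under `set -e`, `revert` puts pubring.gpg back next to whatever pubring.kbx was already written; a comment on `revert` saying that this state is expected would help whoever reads the bug report.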
diff --git a/debian/migrate-pubring-from-classic-gpg.1 b/debian/migrate-pubring-from-classic-gpg.1
new file mode 100644
index 0000000..7cbeec7
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg.1
@@ -0,0 +1,94 @@
+.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016"
+
+.SH NAME
+migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG
+
+.SH SYNOPSIS
+.B migrate\-pubring\-from\-classic\-gpg
+.RB "[ " GPGHOMEDIR " | "
+.IR \-\-default " ]"
+
+.SH DESCRIPTION
+
+.B migrate\-pubring\-from\-classic\-gpg
+migrates the public keyring in GnuPG home directory GPGHOMEDIR from
+the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
+versions 2.1 or 2.2 (pubring.kbx).
+
+Specifying
+.B \-\-default
+selects the standard GnuPG home directory (looking at $GNUPGHOME
+first, and falling back to ~/.gnupg if unset.
+
+.SH OPTIONS
+.BR \-h ", " \-\-help ", " \-\-usage
+Output a short usage information.
+
+.SH DIAGNOSTICS
+The program sends quite a bit of text (perhaps too much) to stderr.
+
+During a migration, the tool backs up several pieces of data in a
+timestamped subdirectory of the GPGHOMEDIR.
+
+.SH LIMITATIONS
+The keybox format rejects a number of OpenPGP certificates that the
+"classic" keyring format used to accept. These filters are defensive,
+since the certificates rejected are unsafe -- either cryptographically
+unsound, or dangerously non-performant. This means that some
+migrations may produce warning messages about the migration being
+incomplete. This is generally a good thing!
+
+Known limitations:
+
+.B Flooded certificates
+.RS 4
+Some OpenPGP certificates have been flooded with bogus certifications
+as part of an attack on the SKS keyserver network (see
+https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).
+
+The keybox format rejects import of any OpenPGP certificate larger
+than 5MiB. As of GnuPG 2.2.17, if gpg encounters such a flooded
+certificate will retry the import while stripping all third-party
+certifications (see "self-sigs-only" in gpg(1)).
+
+The typical error message when migrating a keyring with a flooded
+certificate will be something like:
+
+.RE
+.RS 8
+error writing keyring 'pubring.kbx': Provided object is too large
+.RE
+
+.B OpenPGPv3 public keys (a.k.a. "PGP-2" keys)
+.RS 4
+Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
+Older versions of the public key format have serious known problems.
+See https://tools.ietf.org/html/rfc4880#section-5.5.2 for more details
+about and reasons for v3 key deprecation.
+
+The keybox format skips v3 keys entirely during migration, and GnuPG
+will produce a message like:
+
+.RE
+.RS 8
+skipped PGP-2 keys: 1
+.RE
+
+.SH ENVIRONMENT VARIABLES
+
+.B GNUPGHOME
+Selects the GnuPG home directory when set and --default is given.
+
+.B GPG
+The name of the
+.B gpg
+executable (defaults to
+.B gpg
+).
+
+.SH SEE ALSO
+.BR gpg (1)
+
+.SH AUTHOR
+Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
+report bugs via the Debian BTS.
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..a563837
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,2 @@
+usr/bin/gpgscm
+usr/share/man/man1/symcryptrun.1
diff --git a/debian/org.gnupg.scdaemon.metainfo.xml b/debian/org.gnupg.scdaemon.metainfo.xml
new file mode 100644
index 0000000..b96f232
--- /dev/null
+++ b/debian/org.gnupg.scdaemon.metainfo.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component>
+ <id>org.gnupg.scdaemon</id>
+ <metadata_license>CC0-1.0</metadata_license>
+ <name>scdaemon</name>
+ <summary>USB SmartCard Readers</summary>
+ <description>
+ <p>
+ GnuPG's scdaemon provides access to USB tokens and smartcard
+ readers that provide cryptographic functionality (e.g. use of
+ protected secret keys).
+ </p>
+ </description>
+ <provides>
+ <modalias>usb:v046Ap0005d*</modalias>
+ <modalias>usb:v046Ap0010d*</modalias>
+ <modalias>usb:v046Ap003Ed*</modalias>
+ <modalias>usb:v04E6p5111d*</modalias>
+ <modalias>usb:v04E6p5115d*</modalias>
+ <modalias>usb:v04E6p5116d*</modalias>
+ <modalias>usb:v04E6p5117d*</modalias>
+ <modalias>usb:v04E6pE001d*</modalias>
+ <modalias>usb:v04E6pE003d*</modalias>
+ <modalias>usb:v058Fp9540d*</modalias>
+ <modalias>usb:v076Bp3821d*</modalias>
+ <modalias>usb:v076Bp6622d*</modalias>
+ <modalias>usb:v08E6p3437d*</modalias>
+ <modalias>usb:v08E6p3438d*</modalias>
+ <modalias>usb:v08E6p3478d*</modalias>
+ <modalias>usb:v08E6p34C2d*</modalias>
+ <modalias>usb:v08E6p34ECd*</modalias>
+ <modalias>usb:v0BF8p1006d*</modalias>
+ <modalias>usb:v0C4Bp0500d*</modalias>
+ <modalias>usb:v0D46p2012d*</modalias>
+ <modalias>usb:v1050p0111d*</modalias>
+ <modalias>usb:v1050p0112d*</modalias>
+ <modalias>usb:v1050p0115d*</modalias>
+ <modalias>usb:v1050p0116d*</modalias>
+ <modalias>usb:v1050p0404d*</modalias>
+ <modalias>usb:v1050p0405d*</modalias>
+ <modalias>usb:v1050p0406d*</modalias>
+ <modalias>usb:v1050p0407d*</modalias>
+ <modalias>usb:v1A44p0920d*</modalias>
+ <modalias>usb:v1FC9p81E6d*</modalias>
+ <modalias>usb:v20A0p4107d*</modalias>
+ <modalias>usb:v20A0p4108d*</modalias>
+ <modalias>usb:v20A0p4109d*</modalias>
+ <modalias>usb:v20A0p4211d*</modalias>
+ <modalias>usb:v234Bp0000d*</modalias>
+ <modalias>usb:v316Dp4C4Bd*</modalias>
+ <modalias>usb:v1209p2440d*</modalias>
+ </provides>
+</component>
diff --git a/debian/package-dependencies.dot b/debian/package-dependencies.dot
new file mode 100644
index 0000000..8297f78
--- /dev/null
+++ b/debian/package-dependencies.dot
@@ -0,0 +1,73 @@
+#!/usr/bin/dot
+
+# interrelationships between binary packages produced by gnupg2 source
+# package:
+
+# it would be good to graph the external dependencies as well.
+
+digraph gnupg2 {
+ # odd-duck packages:
+ node [shape=box];
+ gpgv_udeb [label="gpgv-udeb"];
+ gpgv_static [label="gpgv-static"];
+ gpgv_win32 [label="gpgv-win32"];
+
+ # meta-packages, transitional packages:
+ node [shape=diamond];
+ gnupg_agent [label="gnupg-agent"];
+ gnupg;
+ gnupg2;
+ gpgv2;
+
+
+ node [shape=ellipse];
+ gpg_agent [label="gpg-agent"];
+ gpg_wks_server [label="gpg-wks-server"];
+ gpg_wks_client [label="gpg-wks-client"];
+ gnupg_l10n [label="gnupg-l10n"];
+ gnupg_utils [label="gnupg-utils"];
+
+
+ # depends:
+ edge [color=black];
+ gnupg_agent -> gpg_agent;
+ gpg_agent -> gpgconf;
+ gpg_wks_server -> gpg;
+ gpg_wks_server -> gpg_agent;
+ gpg_wks_client -> gpg;
+ gpg_wks_client -> gpg_agent;
+ gpg_wks_client -> dirmngr;
+ scdaemon -> gpg_agent;
+ gpgsm -> gpgconf;
+ gpg -> gpgconf;
+ gnupg -> dirmngr;
+ gnupg -> gnupg_l10n;
+ gnupg -> gnupg_utils;
+ gnupg -> gpg;
+ gnupg -> gpg_agent;
+ gnupg -> gpg_wks_client;
+ gnupg -> gpg_wks_server;
+ gnupg -> gpgsm;
+ gnupg -> gpgv;
+ gnupg2 -> gnupg;
+ gpgv2 -> gpgv;
+ dirmngr -> gpgconf;
+
+
+ # recommends:
+ edge [color=red];
+ gpg_agent -> gnupg;
+ gpg_wks_server -> gnupg;
+ gpg_wks_client -> gnupg;
+ gpgsm -> gnupg;
+ gpg -> gnupg;
+ dirmngr -> gnupg;
+ gnupg_utils -> gpg;
+ gnupg_utils -> gpg_agent;
+ gnupg_utils -> gpgconf;
+ gnupg_utils -> gpgsm;
+
+ # suggests:
+ edge [color=blue];
+ gpgv -> gnupg;
+}
diff --git a/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
new file mode 100644
index 0000000..2deee94
--- /dev/null
+++ b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
@@ -0,0 +1,27 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 18 Nov 2018 17:29:52 -0500
+Subject: Make gpg-zip use tar from $PATH
+
+Apparently there is no clean way to configure this from ./configure,
+and upstream is deprecating gpg-zip anyway. So just force-set tar to
+be manually "tar" (meaning, that we should look in the $PATH at
+runtime).
+
+See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582
+---
+ tools/gpg-zip.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in
+index 9047e36..3821f3a 100644
+--- a/tools/gpg-zip.in
++++ b/tools/gpg-zip.in
+@@ -23,7 +23,7 @@
+ # the GNU or POSIX variant of USTAR.
+
+ VERSION=@VERSION@
+-TAR=@TAR@
++TAR=tar
+ GPG=gpg
+
+ usage="\
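Review bot: `TAR=tar` makes gpg-zip run whichever `tar` comes first in the caller's `$PATH`, where the substituted `@TAR@` was fixed at build time. The description says this is intended, but the script itself gives no hint. I would add a comment above the assignment, e.g. `# Debian: tar is resolved via $PATH at runtime, see https://bugs.debian.org/913582`, so that anyone calling gpg-zip from a cron job or other automated context knows to set a known-good PATH first.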
diff --git a/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
new file mode 100644
index 0000000..ce69403
--- /dev/null
+++ b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
@@ -0,0 +1,71 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 11 Jul 2019 21:52:11 -0400
+Subject: Use hkps://keys.openpgp.org as the default keyserver
+
+As of 2.2.17, GnuPG will refuse to accept any third-party
+certifications from OpenPGP certificates pulled from the keyserver
+network.
+
+The SKS keyserver network currently has at least a dozen popular
+certificates which are flooded with enough unusable third-party
+certifications that they cannot be retrieved in any reasonable amount
+of time.
+
+The hkps://keys.openpgp.org keyserver installation offers HKPS,
+performs cryptographic validation, and by policy does not distribute
+third-party certifications anyway.
+
+It is not distributed or federated yet, unfortunately, but it is
+functional, which is more than can be said for the dying SKS pool.
+And given that GnuPG is going to reject all the third-party
+certifications anyway, there is no clear "web of trust" rationale for
+relying on the SKS pool.
+
+One sticking point is that keys.openpgp.org does not distribute user
+IDs unless the user has proven control of the associated e-mail
+address. This means that on standard upstream GnuPG, retrieving
+revocations or subkey updates of those certificates will fail, because
+upstream GnuPG ignores any incoming certificate without a user ID,
+even if it knows a user ID in the local copy of the certificate (see
+https://dev.gnupg.org/T4393).
+
+However, we have three patches in
+debian/patches/import-merge-without-userid/ that together fix that
+bug.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ doc/dirmngr.texi | 6 +++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4b9d908..47eb11c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1856,7 +1856,7 @@ AC_DEFINE_UNQUOTED(SCDAEMON_SOCK_NAME, "S.scdaemon",
+ AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
+ [The name of the dirmngr socket])
+ AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
+- "hkps://hkps.pool.sks-keyservers.net",
++ "hkps://keys.openpgp.org",
+ [The default keyserver for dirmngr to use, if none is explicitly given])
+
+ AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 84a8d28..603a11a 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -329,7 +329,11 @@ whether Tor is locally running or not. The check for a running Tor is
+ done for each new connection.
+
+ If no keyserver is explicitly configured, dirmngr will use the
+-built-in default of @code{hkps://hkps.pool.sks-keyservers.net}.
++built-in default of @code{hkps://keys.openpgp.org}.
++
++Note that the above default is a Debian-specific choice. Upstream
++GnuPG prefers @code{hkps://hkps.pool.sks-keyservers.net}. See
++/usr/share/doc/gpgconf/NEWS.Debian.gz for more details.
+
+ Windows users with a keyserver running on their Active Directory
+ should use @code{ldap:///} for @var{name} to access this directory.
diff --git a/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
new file mode 100644
index 0000000..a1ce6ea
--- /dev/null
+++ b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
@@ -0,0 +1,89 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 11 Aug 2015 20:28:26 -0400
+Subject: Avoid simple memory dumps via ptrace
+
+This avoids needing to setgid gpg-agent. It probably doesn't defend
+against all possible attacks, but it defends against one specific (and
+easy) one. If there are other protections we should do them too.
+
+This will make it slightly harder to debug the agent because the
+normal user won't be able to attach gdb to it directly while it runs.
+
+The remaining options for debugging are:
+
+ * launch the agent from gdb directly
+ * connect gdb to a running agent as the superuser
+
+Upstream bug: https://dev.gnupg.org/T1211
+---
+ agent/gpg-agent.c | 8 ++++++++
+ configure.ac | 2 +-
+ scd/scdaemon.c | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index b167c34..5afcf11 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -50,6 +50,9 @@
+ # include <signal.h>
+ #endif
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -1030,6 +1033,11 @@ main (int argc, char **argv )
+
+ early_system_init ();
+
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ /* Before we do anything else we save the list of currently open
+ file descriptors and the signal mask. This info is required to
+ do the exec call properly. We don't need it on Windows. */
+diff --git a/configure.ac b/configure.ac
+index 7a2d410..2d8b050 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1426,7 +1426,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \
+ ftruncate funlockfile getaddrinfo getenv getpagesize \
+ getpwnam getpwuid getrlimit getrusage gettimeofday \
+ gmtime_r inet_ntop inet_pton isascii lstat memicmp \
+- memmove memrchr mmap nl_langinfo pipe raise rand \
++ memmove memrchr mmap nl_langinfo pipe prctl raise rand \
+ setenv setlocale setrlimit sigaction sigprocmask \
+ stat stpcpy strcasecmp strerror strftime stricmp \
+ strlwr strncasecmp strpbrk strsep strtol strtoul \
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index 5c519f8..cab66a0 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -37,6 +37,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -446,6 +449,12 @@ main (int argc, char **argv )
+ npth_t pipecon_handler;
+
+ early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ set_strusage (my_strusage);
+ gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+ /* Please note that we may running SUID(ROOT), so be very CAREFUL
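Review bot: Both added `prctl(PR_SET_DUMPABLE, 0);` calls (in `main` of agent/gpg-agent.c and of scd/scdaemon.c) discard the return value, so a failed call leaves the daemon dumpable and attachable with no indication. If logging is usable that early, something like `if (prctl (PR_SET_DUMPABLE, 0)) log_info ("prctl(PR_SET_DUMPABLE) failed: %s\n", strerror (errno));` would make the failure visible. The comment `/* Disable ptrace on Linux without sgid bit */` could also carry the limits given in the patch description: `/* Block same-user ptrace attach; the superuser can still attach. */`. Both `main` bodies continue outside these hunks.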
diff --git a/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch b/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
new file mode 100644
index 0000000..a54ff93
--- /dev/null
+++ b/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
@@ -0,0 +1,48 @@
+Subject: Scd: Fix CCID driver for SCM SPR332/SPR532
+Origin: gnupg-2.3.0-4-gab66c4357
+Upstream-Author: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu Apr 8 13:41:28 2021 +0900
+Bug-Debian: https://bugs.debian.org/982546
+
+ * scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
+ (ccid_vendor_specific_setup): Only send CLEAR_HALT.
+ (ccid_transceive_secure): Each time, use send_escape_cmd.
+
+ --
+
+ GnuPG-bug-id: 5297
+ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+--- a/scd/ccid-driver.c
++++ b/scd/ccid-driver.c
+@@ -1304,10 +1304,20 @@
+ {
+ if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
+ {
++ libusb_clear_halt (handle->idev, handle->ep_intr);
++ }
++ return 0;
++}
++
++
++static int
++ccid_vendor_specific_pinpad_setup (ccid_driver_t handle)
++{
++ if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
++ {
+ DEBUGOUT ("sending escape sequence to switch to a case 1 APDU\n");
+ send_escape_cmd (handle, (const unsigned char*)"\x80\x02\x00", 3,
+ NULL, 0, NULL);
+- libusb_clear_halt (handle->idev, handle->ep_intr);
+ }
+ return 0;
+ }
+@@ -3583,6 +3593,8 @@
+ if (pininfo->fixedlen < 0 || pininfo->fixedlen >= 16)
+ return CCID_DRIVER_ERR_NOT_SUPPORTED;
+
++ ccid_vendor_specific_pinpad_setup (handle);
++
+ msg = send_buffer;
+ msg[0] = cherry_mode? 0x89 : PC_to_RDR_Secure;
+ msg[5] = 0; /* slot */
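Review bot: The new `ccid_vendor_specific_pinpad_setup` always returns 0 whatever `send_escape_cmd` reports, and its only visible caller, `ccid_vendor_specific_pinpad_setup (handle);`, discards the result, so a reader that rejects the escape sequence goes on to the secure PIN transfer in an unknown mode. Either propagate the result (`return send_escape_cmd (handle, (const unsigned char*)"\x80\x02\x00", 3, NULL, 0, NULL);` in the SPR532 branch, with the caller checking it) or make the function `void`, so the signature does not promise an error path that does not exist. The function also has no header comment; `/* Switch an SCM SPR532 to case 1 APDU mode before a pinpad operation; no-op for other readers. */` would cover it. The calling function starts and ends outside the hunk, so whether a failure there should abort or merely be logged is for the author to judge.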
diff --git a/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch b/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
new file mode 100644
index 0000000..d66b346
--- /dev/null
+++ b/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
@@ -0,0 +1,47 @@
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 14 Jun 2022 11:33:27 +0200
+Subject: g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+--
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+GnuPG-bug-id: T6027
+(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b)
+---
+ g10/cpr.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/g10/cpr.c b/g10/cpr.c
+index d502e8b..bc4b715 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++ for (esc=0, s=buffer, n=len; n; s++, n--)
+ {
+ if (*s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+ if (wrap && ++count > wrap)
+- {
+- dowrap=1;
+- break;
+- }
+- }
+- if (esc)
+- {
+- s--; n++;
++ dowrap=1;
++ if (esc || dowrap)
++ break;
+ }
+ if (s != buffer)
+ es_fwrite (buffer, s-buffer, 1, statusfp);
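Review bot: The rewritten loop in `write_status_text_and_buffer` depends on an invariant that is not written down: on `break`, `s` still points at the byte that needs escaping or wrapping and `n` still counts it, which is why the old `s--; n++` fix-up could go. A comment before the `for`, e.g. `/* On exit S points at the first byte not yet written; N counts it as remaining. */`, would stop that being undone later. The brace-less `if (wrap && ++count > wrap)` followed by `dowrap=1;` and then a second `if` is easy to misread as nested; braces around the single statement would make it unambiguous. The function continues outside the hunk.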
diff --git a/debian/patches/debian-packaging/avoid-beta-warning.patch b/debian/patches/debian-packaging/avoid-beta-warning.patch
new file mode 100644
index 0000000..5cb22e5
--- /dev/null
+++ b/debian/patches/debian-packaging/avoid-beta-warning.patch
@@ -0,0 +1,44 @@
+From: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: avoid-beta-warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index b238550..9b86d3f 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then
+ esac
+
+ beta=no
+- if [ -e .git ]; then
++ if false; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+ tmp=$(echo "$tmp" | sed s/^"$package"//)
+@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then
+ rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+ else
+ ingit=no
+- beta=yes
+- tmp="-unknown"
++ beta=no
++ tmp=""
+ rev="0000000"
+ rvd="0"
+ fi
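Review bot: `if false; then` turns the whole `git describe` branch of autogen.sh into dead code, and nothing in the script says why. The `else` branch now sets `beta=no` and `tmp=""` unconditionally, so a build from an unreleased snapshot would also describe itself as a release. A comment above the condition, e.g. `# Debian: builds come from release tarballs; never derive version or beta status from git`, would record that this is deliberate and tied to building from upstream tarballs.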
diff --git a/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
new file mode 100644
index 0000000..01489be
--- /dev/null
+++ b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
@@ -0,0 +1,39 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 2b882c3..6be571b 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -178,15 +178,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+
+ dist-hook: defsincdate
+
+-defsincdate: $(gnupg_TEXINFOS)
+- : >defsincdate ; \
+- if test -e $(top_srcdir)/.git; then \
+- (cd $(srcdir) && git log -1 --format='%ct' \
+- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+- elif test x"$$SOURCE_DATE_EPOCH" != x; then \
+- echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+- fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
diff --git a/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
new file mode 100644
index 0000000..6a0e778
--- /dev/null
+++ b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
@@ -0,0 +1,29 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 30 Jun 2019 11:54:35 -0400
+Subject: dirmngr: Only use SKS pool CA for SKS pool
+
+* dirmngr/http.c (http_session_new): when checking whether the
+keyserver is the HKPS pool, check specifically against the pool name,
+as ./configure might have been used to select a different default
+keyserver. It makes no sense to apply Kristian's certificate
+authority to anything other than the literal host
+hkps.pool.sks-keyservers.net.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 5e3f17c..40160e0 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -768,7 +768,7 @@ http_session_new (http_session_t *r_session,
+
+ is_hkps_pool = (intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+- get_default_keyserver (1)));
++ "hkps.pool.sks-keyservers.net"));
+
+ /* If we are looking for the hkps pool from sks-keyservers.net,
+ * then forcefully use its dedicated certificate authority. */
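Review bot: The pool host name is now a bare string literal inside the `is_hkps_pool` comparison in `http_session_new`, with nothing at that line to say why `get_default_keyserver (1)` was dropped. Since this comparison decides which certificate authority is trusted for the connection, I would add a comment there: `/* Compare against the literal pool name; the configured default keyserver may be a different host. */`. If the same host name is spelled out elsewhere in dirmngr (not visible from this hunk), a shared `#define` would keep the two from drifting apart. The function continues outside the hunk.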
diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
new file mode 100644
index 0000000..bd68c9c
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
@@ -0,0 +1,47 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 20 Nov 2016 23:09:24 -0500
+Subject: dirmngr: Avoid automatically checking upstream swdb.
+
+* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically
+checking upstream's software database. In Debian, software updates
+should be handled by the distro mechanism, and additional upstream
+checks only confuse the user.
+* doc/dirmngr.texi: document that --allow-version-check does nothing.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 2 --
+ doc/dirmngr.texi | 7 ++++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 89eea4e..f26ed63 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -1955,8 +1955,6 @@ housekeeping_thread (void *arg)
+ if (network_activity_seen)
+ {
+ network_activity_seen = 0;
+- if (opt.allow_version_check)
+- dirmngr_load_swdb (&ctrlbuf, 0);
+ workqueue_run_global_tasks (&ctrlbuf, 1);
+ }
+ else
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 843fdbf..84a8d28 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -291,9 +291,10 @@ Set the size of the queue for pending connections. The default is 64.
+ @item --allow-version-check
+ @opindex allow-version-check
+ Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get
+-the list of current software versions. If this option is enabled
+-the list is retrieved in case the local
+-copy does not exist or is older than 5 to 7 days. See the option
++the list of current software versions.
++On debian-packaged versions, this option does nothing since software
++updates should be handled by the distribution.
++See the option
+ @option{--query-swdb} of the command @command{gpgconf} for more
+ details. Note, that regardless of this option a version check can
+ always be triggered using this command:
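Review bot: With the `dirmngr_load_swdb` call removed from `housekeeping_thread`, `--allow-version-check` is presumably still parsed but has no effect, and only the texinfo change says so. A user with the option in dirmngr.conf gets no runtime hint that it is ignored. A one-time notice where the option is handled (outside this hunk), such as `log_info ("allow-version-check is ignored in Debian builds\n");`, would make that visible in the log. In the new documentation text, "debian-packaged" should be capitalised as "Debian-packaged".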
diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
new file mode 100644
index 0000000..cbd1695
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
@@ -0,0 +1,230 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 02:00:50 -0400
+Subject: dirmngr: Avoid need for hkp housekeeping.
+
+* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether
+host is alive and resurrects it if it has been dead long enough.
+(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
+instead of testing hostinfo_t->dead directly.
+(ks_hkp_housekeeping): Remove function, no longer needed.
+* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
+ks_hkp_housekeeping.
+
+--
+
+Rather than resurrecting hosts upon scheduled resurrection times, test
+whether hosts should be resurrected as they're inspected for being
+dead. This removes the need for explicit housekeeping, and makes host
+resurrections happen "just in time", rather than being clustered on
+HOUSEKEEPING_INTERVAL seconds.
+
+According to 392e068e9f143d41f6350345619543cbcd47380f,
+dns_stuff_housekeeping only works on Windows, so it also isn't
+necessary in debian, but it remains in place for now.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 3 ---
+ dirmngr/dirmngr.h | 1 -
+ dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++-------------------------
+ 3 files changed, 35 insertions(+), 41 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index ae967dd..89eea4e 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -1935,12 +1935,10 @@ static void *
+ housekeeping_thread (void *arg)
+ {
+ static int sentinel;
+- time_t curtime;
+ struct server_control_s ctrlbuf;
+
+ (void)arg;
+
+- curtime = gnupg_get_time ();
+ if (sentinel)
+ {
+ log_info ("housekeeping is already going on\n");
+@@ -1954,7 +1952,6 @@ housekeeping_thread (void *arg)
+ dirmngr_init_default_ctrl (&ctrlbuf);
+
+ dns_stuff_housekeeping ();
+- ks_hkp_housekeeping (curtime);
+ if (network_activity_seen)
+ {
+ network_activity_seen = 0;
+diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
+index 1b52a1d..4afc19b 100644
+--- a/dirmngr/dirmngr.h
++++ b/dirmngr/dirmngr.h
+@@ -217,7 +217,6 @@ const char* dirmngr_get_current_socket_name (void);
+ int dirmngr_use_tor (void);
+
+ /*-- Various housekeeping functions. --*/
+-void ks_hkp_housekeeping (time_t curtime);
+ void ks_hkp_reload (void);
+
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index d425363..c50681d 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ return 0;
+ }
+
++static int
++host_is_alive (hostinfo_t hi, time_t curtime)
++{
++ if (!hi)
++ return 0;
++ if (!hi->dead)
++ return 1;
++ if (!hi->died_at)
++ return 0; /* manually marked dead */
++ if (hi->died_at + RESURRECT_INTERVAL <= curtime
++ || hi->died_at > curtime)
++ {
++ hi->dead = 0;
++ log_info ("resurrected host '%s'", hi->name);
++ return 1;
++ }
++ return 0;
++}
+
+ /* Select a random host. Consult HI->pool which indices into the global
+ hosttable. Returns index into HI->pool or -1 if no host could be
+@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi)
+ int *tbl = NULL;
+ size_t tblsize = 0;
+ int pidx, idx;
++ time_t curtime;
+
++ curtime = gnupg_get_time ();
+ /* We create a new table so that we randomly select only from
+ currently alive hosts. */
+ for (idx = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
+- if (hosttable[pidx] && !hosttable[pidx]->dead)
++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime))
+ {
+ tblsize++;
+ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
+@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ int is_pool;
+ int new_hosts = 0;
+ char *cname;
++ time_t curtime;
+
+ *r_host = NULL;
+ if (r_httpflags)
+@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ }
+ else
+ hi = hosttable[idx];
++ curtime = gnupg_get_time ();
+
+ is_pool = hi->pool != NULL;
+
+@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (force_reselect)
+ hi->poolidx = -1;
+ else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size
+- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead)
++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime))
+ hi->poolidx = -1;
+
+ /* Select a host if needed. */
+@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ return gpg_error_from_syserror ();
+ }
+
+- if (hi->dead)
++ if (!host_is_alive (hi, curtime))
+ {
+ log_error ("host '%s' marked as dead\n", hi->name);
+ if (r_httphost)
+@@ -770,7 +792,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ {
+ gpg_error_t err = 0;
+ hostinfo_t hi, hi2;
+- int idx, idx2, idx3, n;
++ int idx, idx2, idx3, n, is_alive;
++ time_t curtime;
+
+ if (!name || !*name || !strcmp (name, "localhost"))
+ return 0;
+@@ -779,13 +802,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ if (idx == -1)
+ return gpg_error (GPG_ERR_NOT_FOUND);
+
++ curtime = gnupg_get_time ();
+ hi = hosttable[idx];
+- if (alive && hi->dead)
++ is_alive = host_is_alive (hi, curtime);
++ if (alive && !is_alive)
+ {
+ hi->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive", name);
+ }
+- else if (!alive && !hi->dead)
++ else if (!alive && is_alive)
+ {
+ hi->dead = 1;
+ hi->died_at = 0; /* Manually set dead. */
+@@ -819,14 +844,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+
+ hi2 = hosttable[n];
+ if (!hi2)
+- ;
+- else if (alive && hi2->dead)
++ continue;
++ is_alive = host_is_alive (hi2, curtime);
++ if (alive && !is_alive)
+ {
+ hi2->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive",
+ hi2->name);
+ }
+- else if (!alive && !hi2->dead)
++ else if (!alive && is_alive)
+ {
+ hi2->dead = 1;
+ hi2->died_at = 0; /* Manually set dead. */
+@@ -1112,34 +1138,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+ }
+
+
+-/* Housekeeping function called from the housekeeping thread. It is
+- used to mark dead hosts alive so that they may be tried again after
+- some time. */
+-void
+-ks_hkp_housekeeping (time_t curtime)
+-{
+- int idx;
+- hostinfo_t hi;
+-
+- for (idx=0; idx < hosttable_size; idx++)
+- {
+- hi = hosttable[idx];
+- if (!hi)
+- continue;
+- if (!hi->dead)
+- continue;
+- if (!hi->died_at)
+- continue; /* Do not resurrect manually shot hosts. */
+- if (hi->died_at + RESURRECT_INTERVAL <= curtime
+- || hi->died_at > curtime)
+- {
+- hi->dead = 0;
+- log_info ("resurrected host '%s'", hi->name);
+- }
+- }
+-}
+-
+-
+ /* Reload (SIGHUP) action for this module. We mark all host alive
+ * even those which have been manually shot. */
+ void
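Review bot: `host_is_alive` reads like a pure predicate, but it clears `hi->dead` and writes a log line once the resurrection interval has passed, and it has no header comment saying so. Callers such as `ks_hkp_mark_host` and `select_random_host` now change host state just by asking, so I would add above it `/* Return true if HI is usable. As a side effect, a host whose RESURRECT_INTERVAL has elapsed is marked alive again; manually killed hosts (died_at == 0) stay dead. */`. The moved `log_info ("resurrected host '%s'", hi->name);` also lacks the trailing newline that `log_error ("host '%s' marked as dead\n", ...)` in `map_host` carries; `log_info ("resurrected host '%s'\n", hi->name);` would match.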
diff --git a/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
new file mode 100644
index 0000000..49ebbd4
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
@@ -0,0 +1,81 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 01:25:05 -0400
+Subject: dirmngr: hkp: Avoid potential race condition when some hosts die.
+
+* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass
+through the host table instead of risking out-of-bounds write.
+
+--
+
+Multiple threads may write to hosttable[x]->dead while
+select_random_host() is running. For example, a housekeeping thread
+might clear the ->dead bit on some entries, or another connection to
+dirmngr might manually mark a host as alive.
+
+If one or more hosts are resurrected between the two loops over a
+given table in select_random_host(), then the allocation of tbl might
+not be large enough, resulting in a write past the end of tbl on the
+second loop.
+
+This change collapses the two loops into a single loop to avoid this
+discrepancy: each host's "dead" bit is now only checked once.
+
+As Werner points out, this isn't currently strictly necessary, since
+npth will not switch threads unless a blocking system call is made,
+and no blocking system call is made in these two loops.
+
+However, in a subsequent change in this series, we will call a
+function in this loop, and that function may sometimes write(2), or
+call other functions, which may themselves block. Keeping this as a
+single-pass loop avoids the need to keep track of what might block and
+what might not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/ks-engine-hkp.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 14859c7..d425363 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ static int
+ select_random_host (hostinfo_t hi)
+ {
+- int *tbl;
+- size_t tblsize;
++ int *tbl = NULL;
++ size_t tblsize = 0;
+ int pidx, idx;
+
+ /* We create a new table so that we randomly select only from
+ currently alive hosts. */
+- for (idx = 0, tblsize = 0;
++ for (idx = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
+ if (hosttable[pidx] && !hosttable[pidx]->dead)
+- tblsize++;
++ {
++ tblsize++;
++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
++ if (!tbl)
++ return -1; /* memory allocation failed! */
++ tbl[tblsize-1] = pidx;
++ }
+ if (!tblsize)
+ return -1; /* No hosts. */
+
+- tbl = xtrymalloc (tblsize * sizeof *tbl);
+- if (!tbl)
+- return -1;
+- for (idx = 0, tblsize = 0;
+- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+- idx++)
+- if (hosttable[pidx] && !hosttable[pidx]->dead)
+- tbl[tblsize++] = pidx;
+-
+ if (tblsize == 1) /* Save a get_uint_nonce. */
+ pidx = tbl[0];
+ else
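Review bot: Assigning the result of `xtryrealloc` straight back to `tbl` in `select_random_host` loses the only pointer to the old table when the call fails, so the early `return -1` leaks whatever had been collected so far. Keeping the result in a temporary and freeing `tbl` on failure avoids that. The remainder of the function, which picks the index and releases the table, lies outside the hunk.

```c
    if (hosttable[pidx] && !hosttable[pidx]->dead)
      {
        int *newtbl;

        newtbl = xtryrealloc (tbl, (tblsize + 1) * sizeof *tbl);
        if (!newtbl)
          {
            xfree (tbl);
            return -1; /* memory allocation failed! */
          }
        tbl = newtbl;
        tbl[tblsize++] = pidx;
      }
    /* … unchanged: "No hosts" check and random selection … */
```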
diff --git a/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch b/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch
new file mode 100644
index 0000000..849e985
--- /dev/null
+++ b/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch
@@ -0,0 +1,50 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 22 Oct 2020 11:32:00 +0900
+Subject: buildd: sbuild randomly fails to sign changes file despite valid
+ signature keys
+Forwarded: https://dev.gnupg.org/rGb1c56cf9e2bb51abfd47747128bd2a6285ed1623
+
+---
+ common/asshelp.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/common/asshelp.c b/common/asshelp.c
+index d87017e..9f269ab 100644
+--- a/common/asshelp.c
++++ b/common/asshelp.c
+@@ -477,8 +477,18 @@ start_new_gpg_agent (assuan_context_t *r_ctx,
+ if (!(err = lock_spawning (&lock, gnupg_homedir (), "agent", verbose))
+ && assuan_socket_connect (ctx, sockname, 0, 0))
+ {
++#ifdef HAVE_W32_SYSTEM
+ err = gnupg_spawn_process_detached (program? program : agent_program,
+ argv, NULL);
++#else
++ pid_t pid;
++
++ err = gnupg_spawn_process_fd (program? program : agent_program,
++ argv, -1, -1, -1, &pid);
++ if (!err)
++ err = gnupg_wait_process (program? program : agent_program,
++ pid, 1, NULL);
++#endif
+ if (err)
+ log_error ("failed to start agent '%s': %s\n",
+ agent_program, gpg_strerror (err));
+@@ -612,7 +622,16 @@ start_new_dirmngr (assuan_context_t *r_ctx,
+ if (!(err = lock_spawning (&lock, gnupg_homedir (), "dirmngr", verbose))
+ && assuan_socket_connect (ctx, sockname, 0, 0))
+ {
++#ifdef HAVE_W32_SYSTEM
+ err = gnupg_spawn_process_detached (dirmngr_program, argv, NULL);
++#else
++ pid_t pid;
++
++ err = gnupg_spawn_process_fd (dirmngr_program, argv,
++ -1, -1, -1, &pid);
++ if (!err)
++ err = gnupg_wait_process (dirmngr_program, pid, 1, NULL);
++#endif
+ if (err)
+ log_error ("failed to start the dirmngr '%s': %s\n",
+ dirmngr_program, gpg_strerror (err));
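Review bot: The non-Windows branches added to `start_new_gpg_agent` and `start_new_dirmngr` now block in `gnupg_wait_process` while the spawn lock is held, and nothing in the code says why that is safe. The wait returns only once the spawned program exits, so it presumably relies on `argv` (built outside the hunk) making the daemon detach; if it ever does not, the caller hangs at this point. A comment on each branch would record that, for example `/* Wait for the launcher to exit: ARGV is expected to make the daemon detach, so this returns once startup has succeeded or failed. */`. The patch header carries no description beyond the subject and the Forwarded link, so the code comment is the only place a reader will find the reasoning.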
diff --git a/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..54b4292
--- /dev/null
+++ b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
@@ -0,0 +1,91 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:41:10 -0400
+Subject: gpg: default to 3072-bit keys.
+
+* agent/command.c (hlp_genkey): update help text to suggest the use of
+3072 bits.
+* doc/wks.texi: Make example match default generation.
+* g10/keygen.c (gen_elg): update default from 2048 to 3072.
+* g10/keyid.c (pubkey_string): update comment so that first example
+is the default 3072-bit RSA.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
+---
+ agent/command.c | 2 +-
+ doc/wks.texi | 4 ++--
+ g10/keygen.c | 2 +-
+ g10/keyid.c | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index 8642498..f94e770 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
+ "\n"
+ " C: GENKEY\n"
+ " S: INQUIRE KEYPARAM\n"
+- " C: D (genkey (rsa (nbits 2048)))\n"
++ " C: D (genkey (rsa (nbits 3072)))\n"
+ " C: END\n"
+ " S: D (public-key\n"
+ " S: D (rsa (n 326487324683264) (e 10001)))\n"
+diff --git a/doc/wks.texi b/doc/wks.texi
+index 119e31c..ae6c310 100644
+--- a/doc/wks.texi
++++ b/doc/wks.texi
+@@ -412,10 +412,10 @@ the submission address:
+ The output of the last command looks similar to this:
+
+ @example
+- sec rsa2048 2016-08-30 [SC]
++ sec rsa3072 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@@example.net
+- ssb rsa2048 2016-08-30 [E]
++ ssb rsa3072 2016-08-30 [E]
+ @end example
+
+ Take the fingerprint from that output and manually publish the key:
+diff --git a/g10/keygen.c b/g10/keygen.c
+index d50acf8..79d4579 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -1436,7 +1436,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root,
+
+ if (nbits < 1024)
+ {
+- nbits = 2048;
++ nbits = 3072;
+ log_info (_("keysize invalid; using %u bits\n"), nbits );
+ }
+ else if (nbits > 4096)
+diff --git a/g10/keyid.c b/g10/keyid.c
+index 69d85da..2987287 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+ is copied to the supplied buffer up a length of BUFSIZE-1.
+ Examples for the output are:
+
+- "rsa2048" - RSA with 2048 bit
++ "rsa3072" - RSA with 3072 bit
+ "elg1024" - Elgamal with 1024 bit
+ "ed25519" - ECC using the curve Ed25519.
+ "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+ If the option --legacy-list-mode is active, the output use the
+ legacy format:
+
+- "2048R" - RSA with 2048 bit
++ "3072R" - RSA with 3072 bit
+ "1024g" - Elgamal with 1024 bit
+ "256E" - ECDSA using a curve with 256 bit
+
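Review bot: In `gen_elg` only the fallback value moves to 3072; the guard is still `nbits < 1024`, so an explicit request for a 1024-bit key passes through unchanged while 1023 jumps to 3072. If that is intended, a short comment on the branch would stop the next reader from taking 3072 as a floor, e.g. `/* Below 1024 is invalid and replaced by the default; 1024..4096 is used as requested. */`. The literal now lives separately from the help text and documentation examples touched in the same patch, so a named constant for the default size would keep them from drifting apart. The rest of `gen_elg` is outside the hunk.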
diff --git a/debian/patches/from-master/gpg-default-to-AES-256.patch b/debian/patches/from-master/gpg-default-to-AES-256.patch
new file mode 100644
index 0000000..d131f6a
--- /dev/null
+++ b/debian/patches/from-master/gpg-default-to-AES-256.patch
@@ -0,0 +1,35 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available. Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive). AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index 68360e2..1983e42 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,7 +31,9 @@
+ (i.e. uncompressed) rather than 1 (zip). However, the real world
+ issues of speed and size come into play here. */
+
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
new file mode 100644
index 0000000..f0f1ef6
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
@@ -0,0 +1,84 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:45:23 -0400
+Subject: agent: Allow threads to interrupt main select loop with SIGCONT.
+
+* agent/gpg-agent.c (interrupt_main_thread_loop): New function on
+non-windows platforms, allows other threads to interrupt the main loop
+if there's something that the main loop might be interested in.
+
+--
+
+For example, the main loop might be interested in changes in program
+state that affect the timers it expects to see.
+
+I don't know how to do this on Windows platforms, but i welcome any
+proposed improvements.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/agent.h | 1 +
+ agent/gpg-agent.c | 16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/agent/agent.h b/agent/agent.h
+index fb46412..4abc6ed 100644
+--- a/agent/agent.h
++++ b/agent/agent.h
+@@ -375,6 +375,7 @@ void *get_agent_scd_notify_event (void);
+ #endif
+ void agent_sighup_action (void);
+ int map_pk_openpgp_to_gcry (int openpgp_algo);
++void interrupt_main_thread_loop (void);
+
+ /*-- command.c --*/
+ gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid,
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 69705ed..752552c 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -430,6 +430,9 @@ static int have_homedir_inotify;
+ * works reliable. */
+ static int reliable_homedir_inotify;
+
++/* Record the pid of the main thread, for easier signalling */
++static pid_t main_thread_pid = (pid_t)(-1);
++
+ /* Number of active connections. */
+ static int active_connections;
+
+@@ -2458,6 +2461,10 @@ handle_signal (int signo)
+ agent_sigusr2_action ();
+ break;
+
++ /* nothing to do here, just take an extra cycle on the select loop */
++ case SIGCONT:
++ break;
++
+ case SIGTERM:
+ if (!shutdown_pending)
+ log_info ("SIGTERM received - shutting down ...\n");
+@@ -2796,6 +2803,13 @@ start_connection_thread_ssh (void *arg)
+ }
+
+
++void interrupt_main_thread_loop (void)
++{
++#ifndef HAVE_W32_SYSTEM
++ kill (main_thread_pid, SIGCONT);
++#endif
++}
++
+ /* helper function for readability: test whether a given struct
+ timespec is set to all-zeros */
+ static inline int
+@@ -2865,8 +2879,10 @@ handle_connections (gnupg_fd_t listen_fd,
+ npth_sigev_add (SIGUSR1);
+ npth_sigev_add (SIGUSR2);
+ npth_sigev_add (SIGINT);
++ npth_sigev_add (SIGCONT);
+ npth_sigev_add (SIGTERM);
+ npth_sigev_fini ();
++ main_thread_pid = getpid ();
+ #else
+ # ifdef HAVE_W32CE_SYSTEM
+ /* Use a dummy event. */
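Review bot: `interrupt_main_thread_loop` calls `kill (main_thread_pid, SIGCONT)` without checking that `main_thread_pid` has been set, and its initial value is `(pid_t)(-1)`. `kill` with a pid of -1 addresses every process the caller is permitted to signal, so a call arriving before `handle_connections` stores `getpid ()` would deliver SIGCONT well beyond the agent. I would guard it with `if (main_thread_pid != (pid_t)(-1)) kill (main_thread_pid, SIGCONT);`. The variable holds a process id rather than a thread id, so a header comment on the new function stating that the signal is process-directed would help; `handle_connections` extends beyond the hunk.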
diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
new file mode 100644
index 0000000..3cef203
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
@@ -0,0 +1,26 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:57:44 -0400
+Subject: agent: Avoid scheduled checks on socket when inotify is working.
+
+* agent/gpg-agent.c (handle_connections): When inotify is working, we
+do not need to schedule a timer to evaluate whether we control our own
+socket or not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/gpg-agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index eff82ca..3ae77c6 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -3032,6 +3032,8 @@ handle_connections (gnupg_fd_t listen_fd,
+
+ /* avoid a fine-grained timer if we don't need one: */
+ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++ /* avoid waking up to check sockets if we can count on inotify */
++ timertbl[1].interval.tv_sec = (sock_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0;
+
+ /* loop through all timers, fire any registered functions, and
+ plan next timer to trigger */
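Review bot: The new assignment addresses the socket timer as `timertbl[1]`, which silently depends on the order of the table initialiser elsewhere in `handle_connections`. A comment at the table, such as `/* [0] tick, [1] own-socket check: the indices are used in the loop below */`, or a small enum would keep a reordered or extended table from disabling the wrong timer. The line also assumes that an open `sock_inotify_fd` notices every condition `check_own_socket` exists to catch. The hunk does not show what the watch covers, so that assumption deserves a sentence in the comment as well.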
diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
new file mode 100644
index 0000000..3900cf4
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
@@ -0,0 +1,101 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:14:10 -0400
+Subject: agent: Avoid tight timer tick when possible.
+
+* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase
+handle_tick() is needed.
+(handle_connections): On each cycle of the select loop, adjust whether
+we should call handle_tick() or not.
+(start_connection_thread_ssh, do_start_connection_thread): Signal the
+main loop when the child terminates.
+* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once
+the scdaemon thread context has started up.
+
+--
+
+With this change, an idle gpg-agent that has no scdaemon running only
+wakes up once a minute (to check_own_socket).
+
+Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of
+the blocking and corner cases.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/call-scd.c | 2 ++
+ agent/gpg-agent.c | 29 +++++++++++++++++++++++++++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/agent/call-scd.c b/agent/call-scd.c
+index 6438693..ee69bb4 100644
+--- a/agent/call-scd.c
++++ b/agent/call-scd.c
+@@ -414,6 +414,8 @@ start_scd (ctrl_t ctrl)
+
+ primary_scd_ctx = ctx;
+ primary_scd_ctx_reusable = 0;
++ /* notify the main loop that something has changed */
++ interrupt_main_thread_loop ();
+
+ leave:
+ xfree (abs_homedir);
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 752552c..eff82ca 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2362,6 +2362,26 @@ create_directories (void)
+ }
+
+
++static int
++need_tick (void)
++{
++#ifdef HAVE_W32_SYSTEM
++ /* We do not know how to interrupt the select loop on Windows, so we
++ always need a short tick there. */
++ return 1;
++#else
++ /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to
++ watch our parent. */
++ if (parent_pid != (pid_t)(-1))
++ return 1;
++ /* if scdaemon is running, we need to check that it's alive */
++ if (agent_scd_check_running ())
++ return 1;
++ /* otherwise, nothing fine-grained to do. */
++ return 0;
++#endif /*HAVE_W32_SYSTEM*/
++}
++
+
+ /* This is the worker for the ticker. It is called every few seconds
+ and may only do fast operations. */
+@@ -2718,7 +2738,8 @@ do_start_connection_thread (ctrl_t ctrl)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
+- active_connections--;
++ if (--active_connections == 0)
++ interrupt_main_thread_loop();
+ return NULL;
+ }
+
+@@ -2798,7 +2819,8 @@ start_connection_thread_ssh (void *arg)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
+- active_connections--;
++ if (--active_connections == 0)
++ interrupt_main_thread_loop();
+ return NULL;
+ }
+
+@@ -3008,6 +3030,9 @@ handle_connections (gnupg_fd_t listen_fd,
+ thus a simple assignment is fine to copy the entire set. */
+ read_fdset = fdset;
+
++ /* avoid a fine-grained timer if we don't need one: */
++ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++
+ /* loop through all timers, fire any registered functions, and
+ plan next timer to trigger */
+ npth_clock_gettime (&curtime);
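Review bot: `need_tick` decides whether `handle_tick` runs at all, but it looks only at `parent_pid` and `agent_scd_check_running ()`, while `handle_tick` is also where `agent_cache_housekeeping ()` is called (visible in the timer-framework patch of this series). With the interval forced to 0, an idle agent no longer runs that expiry pass on a timer, so cached entries may stay in memory past their lifetime unless something else evicts them, which is not visible from here. Either `need_tick` should also return 1 while the cache holds entries that can expire, or the cache should get its own timer for the earliest expiry. `need_tick` also has no header comment, and the `if (--active_connections == 0) interrupt_main_thread_loop();` pair is duplicated in both connection-thread functions.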
diff --git a/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
new file mode 100644
index 0000000..29bbd54
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
@@ -0,0 +1,191 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 31 Oct 2016 21:27:36 -0400
+Subject: agent: Create framework of scheduled timers.
+
+agent/gpg-agent.c (handle_tick): Remove intermittent call to
+check_own_socket.
+(tv_is_set): Add inline helper function for readability.
+(handle_connections) Create general table of pending scheduled
+timeouts.
+
+--
+
+handle_tick() does fine-grained, rapid activity. check_own_socket()
+is supposed to happen at a different interval.
+
+Mixing the two of them makes it a requirement that one interval be a
+multiple of the other, which isn't ideal if there are different delay
+strategies that we might want in the future.
+
+Creating an extensible regular timer framework in handle_connections
+should make it possible to have any number of cadenced timers fire
+regularly, without requiring that they happen in cadences related to
+each other.
+
+It should also make it possible to dynamically change the cadence of
+any regularly-scheduled timeout.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/gpg-agent.c | 84 +++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 27 deletions(-)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 5afcf11..69705ed 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2365,12 +2365,8 @@ create_directories (void)
+ static void
+ handle_tick (void)
+ {
+- static time_t last_minute;
+ struct stat statbuf;
+
+- if (!last_minute)
+- last_minute = time (NULL);
+-
+ /* Check whether the scdaemon has died and cleanup in this case. */
+ agent_scd_check_aliveness ();
+
+@@ -2390,15 +2386,6 @@ handle_tick (void)
+ }
+ #endif /*HAVE_W32_SYSTEM*/
+
+- /* Code to be run from time to time. */
+-#if CHECK_OWN_SOCKET_INTERVAL > 0
+- if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL))
+- {
+- check_own_socket ();
+- last_minute = time (NULL);
+- }
+-#endif
+-
+ /* Need to check for expired cache entries. */
+ agent_cache_housekeeping ();
+
+@@ -2809,6 +2796,15 @@ start_connection_thread_ssh (void *arg)
+ }
+
+
++/* helper function for readability: test whether a given struct
++ timespec is set to all-zeros */
++static inline int
++tv_is_set (struct timespec tv)
++{
++ return tv.tv_sec || tv.tv_nsec;
++}
++
++
+ /* Connection handler loop. Wait for connection requests and spawn a
+ thread after accepting a connection. */
+ static void
+@@ -2826,9 +2822,11 @@ handle_connections (gnupg_fd_t listen_fd,
+ gnupg_fd_t fd;
+ int nfd;
+ int saved_errno;
++ int idx;
+ struct timespec abstime;
+ struct timespec curtime;
+ struct timespec timeout;
++ struct timespec *select_timeout;
+ #ifdef HAVE_W32_SYSTEM
+ HANDLE events[2];
+ unsigned int events_set;
+@@ -2845,6 +2843,14 @@ handle_connections (gnupg_fd_t listen_fd,
+ { "browser", start_connection_thread_browser },
+ { "ssh", start_connection_thread_ssh }
+ };
++ struct {
++ struct timespec interval;
++ void (*func) (void);
++ struct timespec next;
++ } timertbl[] = {
++ { { TIMERTICK_INTERVAL, 0 }, handle_tick },
++ { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket }
++ };
+
+
+ ret = npth_attr_init(&tattr);
+@@ -2952,9 +2958,6 @@ handle_connections (gnupg_fd_t listen_fd,
+ listentbl[2].l_fd = listen_fd_browser;
+ listentbl[3].l_fd = listen_fd_ssh;
+
+- npth_clock_gettime (&abstime);
+- abstime.tv_sec += TIMERTICK_INTERVAL;
+-
+ for (;;)
+ {
+ /* Shutdown test. */
+@@ -2989,18 +2992,46 @@ handle_connections (gnupg_fd_t listen_fd,
+ thus a simple assignment is fine to copy the entire set. */
+ read_fdset = fdset;
+
++ /* loop through all timers, fire any registered functions, and
++ plan next timer to trigger */
+ npth_clock_gettime (&curtime);
+- if (!(npth_timercmp (&curtime, &abstime, <)))
+- {
+- /* Timeout. */
+- handle_tick ();
+- npth_clock_gettime (&abstime);
+- abstime.tv_sec += TIMERTICK_INTERVAL;
+- }
+- npth_timersub (&abstime, &curtime, &timeout);
++ abstime.tv_sec = abstime.tv_nsec = 0;
++ for (idx=0; idx < DIM(timertbl); idx++)
++ {
++ /* schedule any unscheduled timers */
++ if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval))
++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++ /* if a timer is due, fire it ... */
++ if (tv_is_set (timertbl[idx].next))
++ {
++ if (!(npth_timercmp (&curtime, &timertbl[idx].next, <)))
++ {
++ timertbl[idx].func ();
++ npth_clock_gettime (&curtime);
++ /* ...and reschedule it, if desired: */
++ if (tv_is_set (timertbl[idx].interval))
++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++ else
++ timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0;
++ }
++ }
++ /* accumulate next timer to come due in abstime: */
++ if (tv_is_set (timertbl[idx].next) &&
++ ((!tv_is_set (abstime)) ||
++ (npth_timercmp (&abstime, &timertbl[idx].next, >))))
++ abstime = timertbl[idx].next;
++ }
++ /* choose a timeout for the select loop: */
++ if (tv_is_set (abstime))
++ {
++ npth_timersub (&abstime, &curtime, &timeout);
++ select_timeout = &timeout;
++ }
++ else
++ select_timeout = NULL;
+
+ #ifndef HAVE_W32_SYSTEM
+- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+ npth_sigev_sigmask ());
+ saved_errno = errno;
+
+@@ -3010,7 +3041,7 @@ handle_connections (gnupg_fd_t listen_fd,
+ handle_signal (signo);
+ }
+ #else
+- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+ events, &events_set);
+ saved_errno = errno;
+
+@@ -3055,7 +3086,6 @@ handle_connections (gnupg_fd_t listen_fd,
+
+ if (!shutdown_pending)
+ {
+- int idx;
+ ctrl_t ctrl;
+ npth_t thread;
+
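Review bot: The timeout handed to the select call in `handle_connections` can come out negative. Each timer is compared against `curtime`, but `curtime` is refreshed after a timer fires, so a later table entry that fires can push `curtime` past an earlier entry's `next` that had been judged not yet due; `npth_timersub` then yields a negative `timeout`, which select-style calls generally reject. Clamping to a zero timeout when `abstime` is not after `curtime` keeps the loop polling instead. Separately, the comment on `tv_is_set` says it tests for all-zeros while the function returns true for a non-zero value; `/* Return true if TV is non-zero, i.e. the timer is scheduled. */` would match the code.

```c
      /* choose a timeout for the select loop: */
      if (tv_is_set (abstime))
        {
          if (npth_timercmp (&curtime, &abstime, <))
            npth_timersub (&abstime, &curtime, &timeout);
          else
            timeout.tv_sec = timeout.tv_nsec = 0; /* already due: just poll */
          select_timeout = &timeout;
        }
      /* … unchanged: else branch setting select_timeout to NULL … */
```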
diff --git a/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
new file mode 100644
index 0000000..6fa2283
--- /dev/null
+++ b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
@@ -0,0 +1,49 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: gpg: drop import-clean from default keyserver import options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides. Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 7b603d7..104318a 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1982,7 +1982,7 @@ are available for all keyserver types, some common options are:
+
+ @end table
+
+-The default list of options is: "self-sigs-only, import-clean,
++The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record".
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 6b44cfb..caa0487 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2348,8 +2348,7 @@ main (int argc, char **argv)
+ opt.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG
+- | IMPORT_SELF_SIGS_ONLY
+- | IMPORT_CLEAN);
++ | IMPORT_SELF_SIGS_ONLY);
+ opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+ opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
new file mode 100644
index 0000000..e448a0a
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index 79104dc..20f4af5 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3665,6 +3665,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+ /* It's valid, so is it newer? */
+ if (sig->timestamp >= rsdate)
+ {
++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
+ if (rsnode)
+ {
+ /* Delete the last revocation sig since
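Review bot: The comment on the added line in chk_self_sigs, `/* Subkey is valid. */`, does not say why the flag is set at this point. This branch handles a valid subkey revocation, and per the patch description the flag is set so the revocation can be imported without a binding signature. A comment such as `/* Valid revocation: mark the subkey good so it is kept even without a binding signature. */` would state that. After this change NODE_GOOD_SELFSIG on a subkey no longer implies a verified binding signature, so any later reader of the flag that assumes one should be checked. The body of chk_self_sigs continues outside this hunk, so those readers are not visible here.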
diff --git a/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000..fb93748
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -0,0 +1,106 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 44 +++++++++++---------------------------------
+ 1 file changed, 11 insertions(+), 33 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index c8692e2..79104dc 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1843,7 +1843,6 @@ import_one_real (ctrl_t ctrl,
+ size_t an;
+ char pkstrbuf[PUBKEY_STRING_SIZE];
+ int merge_keys_done = 0;
+- int any_filter = 0;
+ KEYDB_HANDLE hd = NULL;
+
+ if (r_valid)
+@@ -1880,14 +1879,6 @@ import_one_real (ctrl_t ctrl,
+ log_printf ("\n");
+ }
+
+-
+- if (!uidnode )
+- {
+- if (!silent)
+- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+- return 0;
+- }
+-
+ if (screener && screener (keyblock, screener_arg))
+ {
+ log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -1962,17 +1953,10 @@ import_one_real (ctrl_t ctrl,
+ }
+ }
+
+- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+- {
+- if (!silent)
+- {
+- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+- if (!opt.quiet )
+- log_info(_("this may be caused by a missing self-signature\n"));
+- }
+- stats->no_user_id++;
+- return 0;
+- }
++ /* Delete invalid parts, and note if we have any valid ones left.
++ * We will later abort import if this key is new but contains
++ * no valid uids. */
++ delete_inv_parts (ctrl, keyblock, keyid, options);
+
+ /* Get rid of deleted nodes. */
+ commit_kbnode (&keyblock);
+@@ -1982,24 +1966,11 @@ import_one_real (ctrl_t ctrl,
+ {
+ apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+ }
+ if (import_filter.drop_sig)
+ {
+ apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+- }
+-
+- /* If we ran any filter we need to check that at least one user id
+- * is left in the keyring. Note that we do not use log_error in
+- * this case. */
+- if (any_filter && !any_uid_left (keyblock))
+- {
+- if (!opt.quiet )
+- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+- stats->no_user_id++;
+- return 0;
+ }
+
+ /* The keyblock is valid and ready for real import. */
+@@ -2057,6 +2028,13 @@ import_one_real (ctrl_t ctrl,
+ err = 0;
+ stats->skipped_new_keys++;
+ }
++ else if (err && !any_uid_left (keyblock))
++ {
++ if (!silent)
++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++ err = 0;
++ stats->no_user_id++;
++ }
+ else if (err) /* Insert this key. */
+ {
+ /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
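Review bot: The new comment above `delete_inv_parts (ctrl, keyblock, keyid, options);` says the code will "note if we have any valid ones left", but the return value is now discarded and nothing is recorded. The decision is taken later by `any_uid_left (keyblock)` in the added `else if` branch, so the comment would be accurate as `/* Delete invalid parts. Whether a valid user ID is left is checked later with any_uid_left, and only for keys not yet in the keyring. */`. With the early `!uidnode` return and the post-filter check both removed, a keyblock without user IDs now reaches the screener and the merge path for keys that already exist locally. That matches the patch description, but it deserves a sentence in that comment. The new branch also reports through `log_info` and clears `err`, where the removed code used `log_error` for the missing-user-ID case. It is worth confirming that callers relying on the error count still see skipped keys through `stats->no_user_id`. import_one_real starts and ends outside these hunks.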
diff --git a/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
new file mode 100644
index 0000000..52ca688
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
@@ -0,0 +1,201 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:41 +0200
+Subject: tests: add test cases for import without uid
+
+This commit adds a test case that does the following, in order:
+- Import of a primary key plus user id
+- Check that import of a subkey works, without a user id present in the
+imported key
+- Check that import of a subkey revocation works, without a user id or
+subkey binding signature present in the imported key
+- Check that import of a primary key revocation works, without a user id
+present in the imported key
+
+--
+
+Note that this test currently fails. The following changesets will
+fix gpg so that the tests pass.
+
+GnuPG-Bug-id: 4393
+Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ tests/openpgp/Makefile.am | 1 +
+ tests/openpgp/import-incomplete.scm | 68 ++++++++++++++++++++++
+ .../import-incomplete/primary+revocation.asc | 9 +++
+ .../primary+subkey+sub-revocation.asc | 10 ++++
+ .../import-incomplete/primary+subkey+sub-sig.asc | 10 ++++
+ .../openpgp/import-incomplete/primary+uid-sig.asc | 10 ++++
+ tests/openpgp/import-incomplete/primary+uid.asc | 10 ++++
+ 7 files changed, 118 insertions(+)
+ create mode 100755 tests/openpgp/import-incomplete.scm
+ create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
+
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index 59f39e2..3b8b699 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -78,6 +78,7 @@ XTESTS = \
+ gpgv-forged-keyring.scm \
+ armor.scm \
+ import.scm \
++ import-incomplete.scm \
+ import-revocation-certificate.scm \
+ ecc.scm \
+ 4gb-packet.scm \
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm
+new file mode 100755
+index 0000000..727a027
+--- /dev/null
++++ b/tests/openpgp/import-incomplete.scm
+@@ -0,0 +1,68 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2016 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see <http://www.gnu.org/licenses/>.
++
++(load (in-srcdir "tests" "openpgp" "defs.scm"))
++(setup-environment)
++
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
++
++(info "Test import of new subkey, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "sub:")
++ (string-contains? line "573EA710367356BB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
++(info "Test import of a subkey revocation, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "sub:r:")
++ (string-contains? line "573EA710367356BB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
++(info "Test import of revocation, from a certificate without uid")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "pub:r:")
++ (string-contains? line "0843DA969AA8DAFB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
+diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
+new file mode 100644
+index 0000000..6b7b608
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+revocation.asc
+@@ -0,0 +1,9 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [E] primary key, revocation signature over primary (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
++=tM90
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+new file mode 100644
+index 0000000..83a51a5
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [D] primary key, subkey, subkey revocation (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
++=dwx2
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+new file mode 100644
+index 0000000..dc47a02
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [B] primary key, subkey, subkey binding sig (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
++=xuDu
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+new file mode 100644
+index 0000000..134607d
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
++9ohXOEBWvdJgVv2YAg==
++=KWIK
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
+new file mode 100644
+index 0000000..055f300
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [A] primary key, user ID, and self-sig expiring in 2021
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
+++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
++=1eII
++-----END PGP PUBLIC KEY BLOCK-----
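Review bot: In import-incomplete.scm the third check (primary key revocation) lists keys with `,keyid`, which still holds the subkey ID 573EA710367356BB, while its assertion matches the primary ID 0843DA969AA8DAFB as a literal. The lookup presumably resolves through the subkey, but the test reads as if it were querying a different key. `(define keyid "573EA710367356BB")` is also repeated with the same value, and both IDs reappear as literals inside `string-contains?`. Defining each once, for example `(define primary-keyid "0843DA969AA8DAFB")` and `(define subkey-id "573EA710367356BB")`, and using them for both the listing and the match would remove the ambiguity. The fixture primary+uid-sig.asc is added but is not referenced by the script in this patch. Each failing check ends in a bare `(exit 1)`, so the log does not show which of the three cases failed.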
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3d8fed9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,24 @@
+debian-packaging/avoid-beta-warning.patch
+debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
+block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
+dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
+gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
+gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
+gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+from-master/gpg-default-to-3072-bit-keys.patch
+from-master/gpg-default-to-AES-256.patch
+update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
+import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
+Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
+Make-gpg-zip-use-tar-from-PATH.patch
+gpg-drop-import-clean-from-default-keyserver-import-optio.patch
+from-master/gpg-change-agent-spawn-2019-07-24-v2.patch
+cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
+cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
diff --git a/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..2cc3eaa
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow disabling sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin. It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ g10/main.h | 2 +-
+ g10/misc.c | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2d8b050..4b9d908 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+
+
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index 1983e42..388eae3 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -41,7 +41,7 @@
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
+ #endif
+
+-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 634d303..6fc2d58 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -849,11 +849,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+ case DIGEST_ALGO_SHA384: return 0;
+ #endif
+
+-#ifdef GPG_USE_SHA512
+ case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+- case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+ default: return 0;
+ }
+ }
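Review bot: The misc.c hunk stops testing `GPG_USE_SHA512`, and the configure.ac hunk removes `GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])`, which presumably was what defined that macro. If so, any other `#ifdef GPG_USE_SHA512` left in the tree would now silently take its disabled branch. Only map_md_openpgp_to_gcry is visible here, so the remaining uses should be searched for and made unconditional in the same patch. A short comment above the now-unconditional case, for example `/* SHA512 is always built in; it cannot be disabled in configure.ac. */`, would explain why it differs from the guarded SHA384 case just before it.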
diff --git a/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
new file mode 100644
index 0000000..c55502a
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
@@ -0,0 +1,46 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 3 Jan 2018 12:34:26 -0500
+Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.
+
+* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
+and SHA-384 by default.
+
+--
+
+In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
+defaults for --default-preference-list to advertise a preference for
+SHA-512, without touching --personal-digest-preferences. This makes
+the same change for --personal-digest-preferences, since every modern
+OpenPGP library supports them all.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 79d4579..cb92468 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal)
+ if (personal)
+ {
+ /* The default internal hash algo order is:
+- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+ */
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+- strcat (dummy_string, "H8 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++ strcat (dummy_string, "H10 ");
+
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ strcat (dummy_string, "H9 ");
+
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+- strcat (dummy_string, "H10 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++ strcat (dummy_string, "H8 ");
+ }
+ else
+ {
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..b6aba08
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,90 @@
+#!/usr/bin/make -f
+# debian/rules file - for GnuPG
+# Copyright 1994,1995 by Ian Jackson.
+# Copyright 1998-2003 by James Troup.
+# Copyright 2003-2004 by Matthias Urlichs.
+#
+# I hereby give you perpetual unlimited permission to copy,
+# modify and relicense this file, provided that you do not remove
+# my name from the file itself. (I assert my moral right of
+# paternity under the Copyright, Designs and Patents Act 1988.)
+# This file may have to be extensively modified
+
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# avoid -pie for gpgv-static on kfreebsd-amd64, and x32
+# platforms, which cannot support it by default:
+ifeq (,$(filter $(DEB_HOST_ARCH), kfreebsd-amd64 x32))
+GPGV_STATIC_HARDENING = "-pie"
+else
+GPGV_STATIC_HARDENING = ""
+endif
+
+# Avoid parallel tests on hppa and riscv64 architecture.
+# Parallel tests generates high load on machine which causes timeouts and thus
+# triggers unexpected failures.
+ifeq (,$(filter $(DEB_HOST_ARCH), hppa riscv64))
+AUTOTEST_FLAGS = "--parallel"
+else
+AUTOTEST_FLAGS = "--no-parallel"
+endif
+
+%:
+ dh $@ --with=autoreconf --builddirectory=build
+
+GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns
+
+WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS=
+
+override_dh_auto_configure:
+ dh_auto_configure --builddirectory=build-gpgv-udeb -- \
+ $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x))
+ dh_auto_configure --builddirectory=build-maintainer -- \
+ --enable-maintainer-mode \
+ $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x))
+ dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \
+ --enable-wks-tools \
+ --enable-all-tests \
+ --with-agent-s2k-calibration=300 \
+ --enable-large-secmem
+
+override_dh_auto_build-arch:
+ dh_auto_build --builddirectory=build-gpgv-udeb
+ dh_auto_build --builddirectory=build
+ dh_auto_build --builddirectory=build-maintainer
+ cp -a build-gpgv-udeb build-gpgv-static
+ rm -f build-gpgv-static/g10/gpgv
+ cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv
+ mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
+
+override_dh_auto_build-indep:
+ mkdir -p build-gpgv-win32
+ cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \
+ $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \
+ $(foreach x, libgpg-error libgcrypt libassuan ksba npth, --with-$x-prefix=/usr/i686-w64-mingw32) \
+ --enable-gpg2-is-gpg \
+ --with-zlib=/usr/i686-w64-mingw \
+ --prefix=/usr/i686-w64-mingw32 \
+ --host i686-w64-mingw32
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a
+ cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a
+ cd build-gpgv-win32/regexp && $(WIN32_FLAGS) $(MAKE) libregexp.a
+ cd build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) gpgv.exe
+ strip build-gpgv-win32/g10/gpgv.exe
+
+
+override_dh_auto_test:
+ dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS)
+
+override_dh_shlibdeps:
+# Make ldap a recommends rather than a hard dependency.
+ dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr*
+ dh_shlibdeps -Ndirmngr
+
+# visualizations of package dependencies:
+debian/%.png: debian/%.dot
+ dot -T png -o $@ $<
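Review bot: In override_dh_auto_build-indep the zlib prefix is `--with-zlib=/usr/i686-w64-mingw`, while every other prefix in the same configure call is `/usr/i686-w64-mingw32`. This looks like a dropped `32`, and configure would then probably not find the cross-built zlib next to the other libraries. If that is the case the line should read `--with-zlib=/usr/i686-w64-mingw32 \`. Separately, `GPGV_STATIC_HARDENING = "-pie"` and `AUTOTEST_FLAGS = "--parallel"` keep the double quotes as part of the make value. In `LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static"` the shell quoting therefore only comes out right by accident. Writing the assignments without quotes (`GPGV_STATIC_HARDENING = -pie`) gives the same result and is easier to reason about.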
diff --git a/debian/scdaemon.examples b/debian/scdaemon.examples
new file mode 100644
index 0000000..29f41a8
--- /dev/null
+++ b/debian/scdaemon.examples
@@ -0,0 +1 @@
+doc/examples/scd-event
diff --git a/debian/scdaemon.install b/debian/scdaemon.install
new file mode 100644
index 0000000..5b7bd35
--- /dev/null
+++ b/debian/scdaemon.install
@@ -0,0 +1,2 @@
+debian/org.gnupg.scdaemon.metainfo.xml usr/share/metainfo
+debian/tmp/usr/lib/gnupg/scdaemon
diff --git a/debian/scdaemon.lintian-overrides b/debian/scdaemon.lintian-overrides
new file mode 100644
index 0000000..652cdb0
--- /dev/null
+++ b/debian/scdaemon.lintian-overrides
@@ -0,0 +1,2 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+scdaemon: spare-manual-page usr/share/man/man1/scdaemon.1.gz
diff --git a/debian/scdaemon.manpages b/debian/scdaemon.manpages
new file mode 100644
index 0000000..9efee23
--- /dev/null
+++ b/debian/scdaemon.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/scdaemon.1
diff --git a/debian/scdaemon.udev b/debian/scdaemon.udev
new file mode 100644
index 0000000..236d123
--- /dev/null
+++ b/debian/scdaemon.udev
@@ -0,0 +1,69 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gemalto
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Reiner (SCT cyberJack)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Kobil (KAAN)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## VASCO (DIGIPASS 920)
+SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Crypto Stick
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Nitrokey
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Librem Key
+SUBSYSTEM=="usb", ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gnuk Token
+SUBSYSTEM=="usb", ATTR{product}=="Gnuk Token", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2440", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Fujitsu Siemens
+SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Trustica Cryptoucan
+SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"
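Review bot: The first Gnuk Token rule matches only on `ATTR{product}=="Gnuk Token"`, a string reported by the device itself, while every other rule in the file is pinned to an `idVendor`/`idProduct` pair. Any USB device that reports that product string is therefore tagged `ID_SMARTCARD_READER="1"` with the `gnupg` driver. On systems where another rule grants the logged-in user access based on that property, the match is wider than the rest of the list. Consider whether the two ID-based Gnuk rules that follow are sufficient. If the string match has to stay, add a comment above it saying why and noting that the product string is not an authenticated identifier.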
diff --git a/debian/simplified-package-dependencies.dot b/debian/simplified-package-dependencies.dot
new file mode 100644
index 0000000..2edb3fb
--- /dev/null
+++ b/debian/simplified-package-dependencies.dot
@@ -0,0 +1,43 @@
+#!/usr/bin/dot
+
+# interrelationships between binary packages produced by gnupg2 source
+# package, if we were to move to the simplified package structure:
+
+# it would be good to graph the external dependencies as well.
+
+digraph gnupg2 {
+ # odd-duck packages:
+ node [shape=box];
+ gpgv_udeb [label="gpgv-udeb"];
+ gpgv_static [label="gpgv-static"];
+ gpgv_win32 [label="gpgv-win32"];
+
+ # meta-packages, transitional packages:
+ node [shape=diamond];
+ gnupg_agent [label="gnupg-agent"];
+ gnupg2;
+ gpgv2;
+ gpgsm;
+ dirmngr;
+
+ node [shape=ellipse];
+ gnupg_l10n [label="gnupg-l10n"];
+
+ # depends:
+ edge [color=black];
+ scdaemon -> gnupg;
+ gnupg2 -> gnupg;
+ gnupg_agent -> gnupg;
+ gpgsm -> gnupg;
+ dirmngr -> gnupg;
+ gpgv2 -> gpgv;
+
+ # recommends:
+ edge [color=red];
+ gnupg -> gnupg_l10n;
+ gnupg -> gpgv;
+
+ # suggests:
+ edge [color=blue];
+ gpgv -> gnupg;
+}
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..14caca0
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# doc merely references / cites IETF RFC:
+gnupg2 source: license-problem-non-free-RFC doc/OpenPGP
diff --git a/debian/systemd-environment-generator/90gpg-agent b/debian/systemd-environment-generator/90gpg-agent
new file mode 100755
index 0000000..7ece62b
--- /dev/null
+++ b/debian/systemd-environment-generator/90gpg-agent
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# If enable-ssh-support is present in gpg-agent.conf, export SSH_AUTH_SOCK
+# pointing at the gpg-agent's ssh-agent compatibility layer.
+
+# Authors:
+# rufo <rufo@rufoa.com>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+# See https://bugs.debian.org/855868
+
+# see gpgconf(1): $5 is the "okay" field.
+# see also https://dev.gnupg.org/T4866 and https://dev.gnupg.org/T4867
+get_okay='BEGIN{ret=1} /^gpg-agent:/{if ($5 == "1") { ret=0; exit 0 } } END {exit ret}'
+
+if gpgconf --check-options gpg-agent | awk -F: "$get_okay" && \
+ [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+ echo GSM_SKIP_SSH_AGENT_WORKAROUND=true
+fi
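Review bot: The `echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` line expands the command substitution unquoted and never checks that gpgconf actually returned a path. If the lookup fails or prints nothing, the generator emits a bare `SSH_AUTH_SOCK=`, and a path containing whitespace or glob characters is word-split before it is printed. Because this output is consumed as session environment, an empty value would presumably override a socket set elsewhere, so capture and test it first: `sock=$(gpgconf --list-dirs agent-ssh-socket) || exit 0`, `[ -n "$sock" ] || exit 0`, `printf 'SSH_AUTH_SOCK=%s\n' "$sock"`. A short comment on why `GSM_SKIP_SSH_AGENT_WORKAROUND=true` is exported alongside it would also help the next maintainer.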
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..7f84c8b
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,11 @@
+Tests: gpgv-win32
+Depends: gpgv-win32, gnupg2, gpgv2, wine32, diffutils
+Restrictions: allow-stderr, skip-not-installable
+
+Tests: simple-tests
+Depends: gnupg2, gpgv2
+Restrictions: allow-stderr
+
+Tests: migration
+Depends: gpg, gnupg1, gnupg-utils, debian-archive-keyring, diffutils
+Restrictions: allow-stderr
diff --git a/debian/tests/gpgv-win32 b/debian/tests/gpgv-win32
new file mode 100755
index 0000000..035c060
--- /dev/null
+++ b/debian/tests/gpgv-win32
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+export GNUPGHOME=$(mktemp -d)
+gpgargs=(--batch --quiet --pinentry-mode=loopback --passphrase '' --with-colons)
+
+# Generate a minimal signing key:
+gpg "${gpgargs[@]}" --quick-gen-key 'Test key for gpgv-win32 <test-key@example.com>'
+
+gpg "${gpgargs[@]}" -o "$GNUPGHOME/key.gpg" --export test-key@example.com
+
+# Sign this very script
+rm -f "${0}.gpg"
+gpg "${gpgargs[@]}" --output "${0}.gpg" --detach-sign "${0}"
+
+# Verify using gpgv
+gpgv --quiet --status-fd 3 3> native.status --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}"
+
+WINE=/usr/lib/wine/wine
+export WINESERVER=/usr/lib/wine/wineserver32
+
+# Verify using gpgv.exe (using --status-fd 1 because i don't know how
+# to pass a non-standard file descriptor into wine)
+"$WINE" /usr/share/win32/gpgv.exe --quiet --status-fd 1 > win32.status --keyring "Z://${GNUPGHOME}/key.gpg" "${0}.gpg" "${0}"
+
+# convert to unix newlines if necessary:
+sed -i 's/\r$//' win32.status
+
+diff -u native.status win32.status
+
+head -v win32.status
+
+rm -rf "$GNUPGHOME"
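Review bot: `export GNUPGHOME=$(mktemp -d)` hides a mktemp failure from `set -e`, because the status of that line is the status of `export`. With GNUPGHOME empty, the following `--quick-gen-key` would likely fall back to the invoking user's default home directory instead of a scratch one. Split it into `GNUPGHOME=$(mktemp -d)` followed by `export GNUPGHOME`. The closing `rm -rf "$GNUPGHOME"` is also skipped whenever an earlier command fails under `set -e`, leaving the passphrase-less test key and `${0}.gpg` behind. Adding `trap 'rm -rf "$GNUPGHOME"' EXIT` right after the directory is created removes the key directory on both paths.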
diff --git a/debian/tests/migration b/debian/tests/migration
new file mode 100755
index 0000000..b676999
--- /dev/null
+++ b/debian/tests/migration
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME="$DIR/gnupg"
+gpg=(gpg --homedir "$GPG_HOME" --batch --quiet --with-colons)
+gpg1=(gpg1 --homedir "$GPG_HOME" --batch --quiet --with-colons)
+
+mkdir "$GPG_HOME"
+chmod 700 "$GPG_HOME"
+
+cat /usr/share/keyrings/debian-archive-*.gpg | "${gpg1[@]}" --import
+"${gpg1[@]}" --list-keys
+"${gpg[@]}" --list-keys > "$DIR/key.list.before"
+migrate-pubring-from-classic-gpg "$GPG_HOME"
+"${gpg[@]}" --list-keys > "$DIR/key.list.after"
+
+diff -u "$DIR/key.list.before" "$DIR/key.list.after"
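Review bot: The final `diff -u` can pass vacuously, since two empty key listings compare equal and nothing asserts that the import produced any keys. `set -e` without `pipefail` ignores a failing `cat` on the left of `| "${gpg1[@]}" --import`, so if gpg1 exits zero on empty input the migration is never really exercised. Add `set -o pipefail` next to `set -e` and check the baseline before migrating, e.g. `test -s "$DIR/key.list.before"`. The `mktemp -d` directory is also never removed; `trap 'rm -rf "$DIR"' EXIT` after its creation would clean up on success and failure alike.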
diff --git a/debian/tests/simple-tests b/debian/tests/simple-tests
new file mode 100644
index 0000000..97d4ab4
--- /dev/null
+++ b/debian/tests/simple-tests
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME=$DIR/gnupg
+gpg="gpg --homedir $GPG_HOME"
+
+mkdir $GPG_HOME
+chmod 700 $GPG_HOME
+
+#trap "cd $HOME && rm -rf $DIR" EXIT
+
+cd $DIR
+
+cat > key-batch << EOF
+Key-Type: default
+Subkey-Type: default
+Name-Real: test case
+Name-Email: example@example.com
+Expire-Date: 0
+%no-protection
+%commit
+EOF
+
+$gpg --batch --generate-key key-batch
+$gpg -abs < $GPG_HOME/pubring.kbx > pubring.kbx.asc
+$gpg --verify pubring.kbx.asc $GPG_HOME/pubring.kbx
+gpgv --keyring $GPG_HOME/pubring.kbx pubring.kbx.asc $GPG_HOME/pubring.kbx
+
+# Encrypt
+$gpg -e -r example@example.com < $GPG_HOME/pubring.kbx > pubring.kbx.gpg
+$gpg -d -r example@example.com < pubring.kbx.gpg > pubring.kbx.gpg.dec
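Review bot: The encrypt and decrypt steps at the end are checked only by exit status; `pubring.kbx.gpg.dec` is never compared with the input, so a decryption that exits zero but yields different bytes would still pass. Add `cmp "$GPG_HOME/pubring.kbx" pubring.kbx.gpg.dec` as the last line. The cleanup trap is commented out, so the `%no-protection` secret key stays in the temp directory after every run. Re-enable it with single quotes so expansion is deferred to exit time: `trap 'cd / && rm -rf "$DIR"' EXIT`. `$DIR` and `$GPG_HOME` are also expanded unquoted throughout, which breaks if TMPDIR contains whitespace.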
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..b7303e8
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=Gbuk
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..e1c393d
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+version=4
+
+opts=pgpsigurlmangle=s/$/.sig/ \
+ https://gnupg.org/ftp/gcrypt/gnupg/gnupg@ANY_VERSION@@ARCHIVE_EXT@ \
+ debian