Adding debian version 2.2.40-1.1.debian/2.2.40-1.1debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

103 files changed, 6719 insertions, 0 deletions

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..2a30631
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,38 @@
+gnupg2 (2.2.27-2) unstable; urgency=medium
+
+  Starting with version 2.2.27-1, per-user configuration of the GnuPG
+  suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options
+  is no longer in use.  Please rename the file if necessary, or move
+  its contents to the new location.
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Thu, 22 Apr 2021 20:37:45 +0200
+
+gnupg2 (2.2.17-1) unstable; urgency=medium
+
+  Upstream GnuPG now defaults to not accepting third-party certifications
+  from the keyserver network.  Given that the SKS keyserver network is
+  under attack via certificate flooding, and third-party certifications
+  will not be accepted anyway, we now ship with the more tightly-constrained
+  and abuse-resistant system hkps://keys.openpgp.org as the default
+  keyserver.
+
+  Users with bandwidth to spare who want to try their luck with the SKS
+  pool should add the following line to ~/.gnupg/dirmngr.conf to revert to
+  upstream's default keyserver:
+
+      keyserver hkps://hkps.pool.sks-keyservers.net
+
+  See the 2.2.17 section in the upstream NEWS file at
+  /usr/share/doc/gnupg/NEWS.gz for more information about fully
+  reverting to the old, risky behavior.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 11 Jul 2019 22:12:07 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+  The gnupg package now provides the "modern" version of GnuPG.
+
+  Please read /usr/share/doc/gnupg/README.Debian for details about the
+  transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/debian/Xsession.d/90gpg-agent b/debian/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..8b45b05
--- /dev/null
+++ b/debian/Xsession.d/90gpg-agent
@@ -0,0 +1,22 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)).  This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs agent-socket)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+      awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+fi
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..204f008
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2599 @@
+gnupg2 (2.2.40-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * In migration CI test skip debian-archive-bookworm-stable.gpg (and
+    aggregated keyring), gpg1 cannot read the ed25519 key. Closes: #1033155
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 26 Mar 2023 15:03:05 +0200
+
+gnupg2 (2.2.40-1) unstable; urgency=medium
+
+  * new upstream version
+  * refresh patches
+  * import post-release cleanup patches from upstream
+  * drop stale NEWS files for dirmngr and gpg-agent
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 19 Oct 2022 11:09:42 -0400
+
+gnupg2 (2.2.39-1) unstable; urgency=medium
+
+  * refresh upstream signing keys from g10/distsigkey.gpg
+  * add additional lintian override for version of lintian used on
+    ftp-master
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 06 Sep 2022 16:47:57 -0400
+
+gnupg2 (2.2.38-1) unstable; urgency=medium
+
+  * new upstream version
+  * refresh patches (dropping those already upstream)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 01 Sep 2022 18:25:24 -0400
+
+gnupg2 (2.2.35-3) unstable; urgency=high
+
+  * fix security error from large notations (Thanks, Demi Marie Obenour)
+    (Closes: #1014157)
+  * Standards-Version: bump to 4.6.1 (no changes needed)
+  * clean up lintian-overrides
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 01 Jul 2022 02:01:17 -0400
+
+gnupg2 (2.2.35-2) unstable; urgency=medium
+
+  * Only enable wine32 test on i386
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 29 Apr 2022 16:53:05 -0400
+
+gnupg2 (2.2.35-1) unstable; urgency=medium
+
+  * New upstream release.
+  * refresh patches.
+  * Correct handling of 256-bit Ed25519 secret keys (Closes: #1010171).
+  * Building for Windows requires libgpg-error 1.45
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 27 Apr 2022 17:09:01 -0400
+
+gnupg2 (2.2.34-1) unstable; urgency=medium
+
+  * New upstream release
+  * Refresh patches.
+  * ship gpg-check-pattern.1 from upstream
+  * override another pedantic lintian warning
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 22 Apr 2022 18:43:25 -0400
+
+gnupg2 (2.2.27-4) unstable; urgency=medium
+
+  [ Christoph Biedl ]
+  * Remove myself from uploaders
+
+  [ Daniel Kahn Gillmor ]
+  * Replace Werner Koch's signing key
+  * convert to DEP-14 branch name
+  * standards-version: bump to 4.6.0 (no changes needed)
+  * add upstream metadata
+  * gpgv-static: fix up lintian-override
+  * d/copyright: update years
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 20 Apr 2022 19:03:29 -0400
+
+gnupg2 (2.2.27-3) unstable; urgency=medium
+
+  * Avoid network interaction in generator. Closes: #993578
+  * Remove build dependency on librsvg2-bin. Closes: #993857
+  * Backport "Scd: Fix CCID driver for SCM SPR332/SPR532".
+    Closes: #982546
+  * Update watch file: Sticking to the 2.2 series for the time being
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Sat, 18 Dec 2021 14:04:20 +0100
+
+gnupg2 (2.2.27-2) unstable; urgency=medium
+
+  * Add a NEWS entry about the end of support for ~/.gnupg/options.
+    Closes: #985158
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Thu, 22 Apr 2021 20:40:36 +0200
+
+gnupg2 (2.2.27-1) unstable; urgency=medium
+
+  [ NIIBE Yutaka ]
+  * New upstream release.
+
+  [ Christoph Biedl ]
+  * Tighten libgcrypt and libksba dependency
+
+  [ Daniel Kahn Gillmor ]
+  * change debian packaging branch name to debian/main
+  * refresh patches using gbp pq
+  * point to upstream commit used to improve spawning reliability
+  * Refresh 3072-bit default patch
+  * standards-version: bump to 4.5.1 (no changes needed)
+  * dh: bump to dh 13
+  * clean up lintian overrides
+  * fully drop symcryptrun
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 08 Feb 2021 17:57:00 -0500
+
+gnupg2 (2.2.26-1) UNRELEASED; urgency=medium
+
+  [ Jeremiah C. Foster ]
+  * debian/scdaemon.udev: Add an entry for Librem Key.
+
+  [ NIIBE Yutaka ]
+  * New upstream release.
+  * refresh patches.
+  * debian/rules: Add build for regexp.
+  * debian/gnupg-utils.install: Remove /usr/bin/symcryptrun.
+    Fix for gpgsplit, which is changed in upstream from 'noinst'.
+  * debian/patches/gpg-change-agent-spawn-2019-07-24-v2.patch: New patch to
+    fix a race condition, backported from master (Closes: #868550, #972525).
+  * debian/scdaemon.udev: Add a generic entry for "Gnuk Token" and another
+    for GnuPG e.V.
+  * org.gnupg.scdaemon.metainfo.xml: Add an entry for GnuPG e.V.
+
+ -- NIIBE Yutaka <gniibe@fsij.org>  Thu, 07 Jan 2021 09:07:21 +0900
+
+gnupg2 (2.2.20-1) unstable; urgency=medium
+
+  * New upstream release
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 23 Mar 2020 15:05:13 -0400
+
+gnupg2 (2.2.19-3) unstable; urgency=medium
+
+  * d/copyright update years
+  * Avoid errors in systemd environment generator (Closes: #950836)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 09 Mar 2020 14:27:42 -0400
+
+gnupg2 (2.2.19-2) unstable; urgency=medium
+
+  * clarify that keys.openpgp.org is a debian-specific
+    choice for default keyserver
+  * Standards-version: bump to 4.5.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 27 Feb 2020 17:35:36 -0500
+
+gnupg2 (2.2.19-1) unstable; urgency=medium
+
+  * New upstream release
+
+  [ Roger Shimizu ]
+  * d/control: Update Build-Depends: libgpg-error-dev (>= 1.35)
+
+  [ Daniel Kahn Gillmor ]
+  * clean up unnecessary whitespace
+  * Ship identifiers for Librem Key (Closes: #932474)
+  * drop extra systemd user service links (Closes: #931954)
+  * update signing key for Werner
+  * fixup patch
+  * drop patches already upstream
+  * refresh patches
+  * cherry-pick fix from upstream
+  * dirmngr-idling: add some commentary about dns housekeeping
+  * bump standards-version to 4.4.1 (no changes needed)
+  * sort scdaemon metainfo.xml modalias
+  * announce librem key in scdaemon metainfo.xml
+  * add lintian overrides for executables shipped by upstream in /usr/lib/gnupg/
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 08 Jan 2020 10:33:12 -0500
+
+gnupg2 (2.2.17-3) unstable; urgency=medium
+
+  * avoid data loss when using keyservers (see https://dev.gnupg.org/T4628)
+  * avoid O(N^2) operations when listing certificates with many sigs
+  * d/tests/gpgv-win32: make more robust
+  * avoid system CAs for HKPS pool
+  * build-depend on gpgrt-tools for yat2m
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 16 Jul 2019 20:20:39 -0400
+
+gnupg2 (2.2.17-2) unstable; urgency=medium
+
+  * d/tests/gpgv-win32: depend directly on wine32 (Closes: #905563)
+  * d/tests/gpgv-win32: by default pinentry-mode loopback is allowed upstream
+  * migrate-pubring-from-classic-gpg: make more robust (Closes: #931385)
+  * migrate-pubring-from-classic-gpg: always pass --homedir and --batch
+  * added test of migration script
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 13 Jul 2019 21:36:24 -0400
+
+gnupg2 (2.2.17-1) unstable; urgency=medium
+
+  * New upstream release
+  * upload to unstable, since buster is released
+
+  [ kwadronaut ]
+  * Specify what new and old keyrings are in migration script
+
+  [ Daniel Kahn Gillmor ]
+  * drop unnecessary patches, including broken patch for printing
+    revocation certificates
+  * use DEP-14 for debian/master
+  * refresh and reorganize patches
+  * only use Kristian's CA for the SKS HKPS pool
+  * switch to hkps://keys.openpgp.org as the default keyserver
+  * added NEWS entry about move to keys.openpgp.org
+  * Standards-Version: bump to 4.4.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 11 Jul 2019 22:09:21 -0400
+
+gnupg2 (2.2.16-2) experimental; urgency=medium
+
+  * fix HKPS redirections
+  * drop dh_missing --fail-missing (Closes: #930042)
+  * enable cert update without uids (Closes: #930665)
+  * fix upstream spelling of 'arbitrary'
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 18 Jun 2019 12:59:57 -0400
+
+gnupg2 (2.2.16-1) experimental; urgency=medium
+
+  * clean up logcheck rules for gpg-agent (Closes: #918466)
+  * drop patches already upstream
+  * refresh patches
+  * use upstream manpages for gpg-wks-{client,server} (Closes: #918586)
+  * use distributed form of gpgtar, not build/tools/gpgtar
+  * gnupg: ship every doc that upstream ships
+  * gnupg-l10n: ship basic help.txt as well
+  * explicitly avoid shipping gpgscm without the Scheme library
+  * use dh_missing --fail-missing to catch unshipped files
+  * gbp-import filter: drop m4/iconv.m4 as well
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 28 May 2019 20:13:01 -0400
+
+gnupg2 (2.2.15-1) experimental; urgency=medium
+
+  * new upstream release (still in experimental, due to freeze)
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 01 Apr 2019 09:56:09 -0400
+
+gnupg2 (2.2.14-1) experimental; urgency=medium
+
+  * new upstream release (to experimental, due to freeze)
+  * drop patches already upstream
+  * refresh remaining patches
+  * move to debhelper 12
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 20 Mar 2019 07:19:50 -0400
+
+gnupg2 (2.2.13-2) unstable; urgency=medium
+
+  * Correct gpg-wks-server manpage (Closes: #927431) Thanks, ju xor!
+  * Fix handling private keys with comments (Closes: #928963, #928964)
+  * clean up logcheck rules for gpg-agent (Closes: #918466)
+  * Update gpg-wks-client.1 (Closes: #918586)
+  * cherry-pick more patches from upstream STABLE-BRANCH-2-2
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 14 May 2019 02:08:47 -0400
+
+gnupg2 (2.2.13-1) unstable; urgency=medium
+
+  * New upstream release (Closes: #919856)
+
+  [ Roger Shimizu ]
+  * add some simple tests for gpg{,v}. Thanks to Julian Andres Klode
+    (Closes: #920892).
+
+  [ Daniel Kahn Gillmor ]
+  * refresh patches
+  * cherry-pick fixes from upstream STABLE-BRANCH-2-2
+  * Standards-Version: bump to 4.3.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 02 Mar 2019 11:50:15 -0500
+
+gnupg2 (2.2.12-1) unstable; urgency=medium
+
+  * New upstream release
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 14 Dec 2018 20:17:16 -0500
+
+gnupg2 (2.2.11-1) unstable; urgency=medium
+
+  * new upstream release
+  * refresh patches
+  * refresh upstream/signing-key.asc
+  * deprecate gpg-zip
+  * gnupg-utils: ship gpgtar, since gpg-zip is deprecated
+  * Make gpg-zip use tar from $PATH (Closes: #913582)
+  * fix spelling mistakes in tools documentation
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 18 Nov 2018 17:38:30 -0500
+
+gnupg2 (2.2.10-3) unstable; urgency=medium
+
+  [ Bjarni Ingi Gislason ]
+  * clean up nroff for gpg-check-pattern.1 (Closes: #900247)
+
+  [ Daniel Kahn Gillmor ]
+  * backport fix for subkey binding sigs
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 08 Oct 2018 11:36:01 -0400
+
+gnupg2 (2.2.10-2) unstable; urgency=medium
+
+  * import upstream minor bugfixes
+  * wrap-and-sort -ast
+  * actually ship gpgcompose in gnupg-utils
+  * drop debian/source/options (thanks, Lintian!)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 30 Sep 2018 11:40:42 -0500
+
+gnupg2 (2.2.10-1) unstable; urgency=medium
+
+  * new upstream maintenance release
+  * drop patches already upstream
+  * refresh patches
+  * Standards-Version: bump to 4.2.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 30 Aug 2018 11:57:15 -0400
+
+gnupg2 (2.2.9-2) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * spell Tor correctly (Closes: #895398)
+  * Standards-Version: bump to 4.2.0 (no changes needed)
+  * corrected license in AppStream file
+  * standardize udev rules for Yubikey USB devices and claim them in AppStream
+  * from upstream: s2k bugfix, support for Trustica Cryptoucan
+  * Claim Trustica Cryptoucan via AppStream
+
+  [ Jiří Keresteš ]
+  * udev rule for Trustica Cryptoucan
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 24 Aug 2018 09:48:15 -0400
+
+gnupg2 (2.2.9-1) unstable; urgency=medium
+
+  * New upstream release
+  * Standards-Version: bump to 4.1.5 (no changes needed)
+  * drop patches already upstream
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 19 Jul 2018 14:02:31 -0400
+
+gnupg2 (2.2.8-3) unstable; urgency=medium
+
+  * Ensure arch: all gnupg package supports binMNUs
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 21 Jun 2018 12:18:14 -0400
+
+gnupg2 (2.2.8-2) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * import bugfixes and improvements from upstream/STABLE-BRANCH-2-2
+  * ensure that revocation certificates show up in --show-keys output
+    (see 7c79bf7f71aa594102cb684b0abd8331bdac4608)
+  * try passing not explicit paths to wine for the gpgv-win32 test
+  * d/copyright: clarify debian/* licensing
+  * convert gnupg metapackage to Architecture: all
+
+  [ Giovanni Mascellani ]
+  * avoid parallel tests on riscv64 (Closes: #901646)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 20 Jun 2018 06:56:09 -0400
+
+gnupg2 (2.2.8-1) unstable; urgency=medium
+
+  * New upstream release
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 08 Jun 2018 10:08:36 -0400
+
+gnupg2 (2.2.7-1) unstable; urgency=medium
+
+  * new upstream release
+  * update/refresh patches, improve patch description
+  * bump standards-version to 4.1.4 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 23 May 2018 11:50:27 -0400
+
+gnupg2 (2.2.5-1) unstable; urgency=medium
+
+  * New upstream release
+  * d/gbp.conf: use DEP-14 branch naming
+  * d/control: declare Rules-Requires-Root: no
+  * drop patches already applied upstream
+  * refresh patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 22 Feb 2018 14:20:18 -0800
+
+gnupg2 (2.2.4-3) unstable; urgency=medium
+
+  * version build-deps on mingw library toolchain  (Closes: #889921)
+  * drop misbehaving upstream scd patch (Closes: #889751)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 09 Feb 2018 13:51:35 -0500
+
+gnupg2 (2.2.4-2) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * move to debhelper 11
+  * d/control: move Vcs to salsa
+  * import more bugfixes and hardware from upstream
+
+  [ Helge Deller ]
+  * Fix FTBFS on hppa (Closes: #887843)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 05 Feb 2018 23:07:21 -0500
+
+gnupg2 (2.2.4-1) unstable; urgency=medium
+
+  * New upstream release
+  * do not use uupdate (we use gbp-import-orig)
+  * dirmngr: cannot avoid idling in current arrangement
+  * adjusting fixes to gpgsm defaults
+  * prefer SHA-512 specifically on personal-digest-preferences.
+  * refresh patches
+  * Standards-Version: bump to 4.1.3 (no changes needed)
+  * drop unnecessary lintian override
+  * reflect actual requirement for libassuan
+  * import bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 03 Jan 2018 12:43:40 -0500
+
+gnupg2 (2.2.3-1) unstable; urgency=medium
+
+  * New upstream release
+  * refreshed patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 30 Nov 2017 19:06:35 -0500
+
+gnupg2 (2.2.2-1) unstable; urgency=medium
+
+  * new upstream release.
+  * avoid testsuite delays from excess socket waiting
+  * clean up trailing whitespace in debian/{rules,changelog}
+  * drop patches already upstream
+  * refresh remaining patches
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 08 Nov 2017 20:09:33 +0100
+
+gnupg2 (2.2.1-5) unstable; urgency=medium
+
+  * block ptrace on scdaemon as well as gpg-agent (Closes: #878952)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 27 Oct 2017 01:43:20 -0400
+
+gnupg2 (2.2.1-4) unstable; urgency=medium
+
+  * restore lintian override, because ftp-master isn't yet running lintian
+    2.5.55 (see #877999 for more details)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 19 Oct 2017 02:33:36 -0400
+
+gnupg2 (2.2.1-3) unstable; urgency=medium
+
+  * bugfix for multiple keyrings (Closes: #878812)
+  * drop an unnecessary lintian override
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 19 Oct 2017 00:23:41 -0400
+
+gnupg2 (2.2.1-2) unstable; urgency=medium
+
+  * adopt bugfixes and documentation improvements from upstream
+  * reorganize debian/patches for simpler maintenance
+  * move gnupg-l10n to Section: localization
+  * Standards-Version: bump to 4.1.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 10 Oct 2017 10:05:45 -0400
+
+gnupg2 (2.2.1-1) unstable; urgency=medium
+
+  * New upstream release
+  * drop patches already applied upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 19 Sep 2017 08:26:26 -0400
+
+gnupg2 (2.2.0-3) unstable; urgency=medium
+
+  * avoid FTBFS when TZ=UTC-12 (Closes: #874617)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 08 Sep 2017 02:10:02 -0400
+
+gnupg2 (2.2.0-2) unstable; urgency=medium
+
+  * dirmngr and gpgv-static are Multi-arch: foreign (Closes: #874111)
+  * update to stronger cryptographic defaults.
+  * use upstream gpg-agent-browser.socket systemd user service
+  * publish SSH_AUTH_SOCK for wayland users (Closes: #855868)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 07 Sep 2017 19:20:35 -0400
+
+gnupg2 (2.2.0-1) unstable; urgency=medium
+
+  * New upstream release.
+  * drop patches already upstream
+  * scdaemon: bugfix from upstream for large ECC keys
+  * Standards-Version: bump to 4.1.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 06 Sep 2017 13:10:28 -0400
+
+gnupg2 (2.1.23-2) unstable; urgency=medium
+
+  * add openssh-client to build-deps for testing
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 13 Aug 2017 22:48:23 -0400
+
+gnupg2 (2.1.23-1) unstable; urgency=medium
+
+  * New upstream release
+  * move to unstable
+  * refresh patches
+  * keep default --no-auto-key-retrieve
+  * Standards-Version: 4.0.1 (Priority: extra -> optional)
+  * run tests in parallel
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 11 Aug 2017 09:56:05 -0400
+
+gnupg2 (2.1.22-1) experimental; urgency=medium
+
+  * New upstream release
+  * refreshed patches
+  * pulled a few bugfix patches from upstream
+  * simplify systemd user units
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 07 Aug 2017 01:17:19 -0400
+
+gnupg2 (2.1.21-4) experimental; urgency=medium
+
+  * package reorganization:
+   - new package 'gpg' is just for public key operations
+   - 'gnupg' package is the full suite
+   - 'gnupg-agent' package is renamed to 'gpg-agent'
+   - 'gpgconf' is a base package, other packages depend on it
+   - 'gnupg-utils' are a grab-bag of helper tools that may be useful
+  * scdaemon: add AppStream metainfo about supported smartcards
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 26 Jul 2017 12:50:55 -0400
+
+gnupg2 (2.1.21-3) experimental; urgency=medium
+
+  * include upstream bugfixes and improvements (Closes: #863221)
+  * build gpgcompose, ship new gpgcompose binary package
+  * upgrade to debhelper 10
+  * upgrade to Standards-Version 4.0.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 11 Jun 2017 01:50:30 +0200
+
+gnupg2 (2.1.21-2) experimental; urgency=medium
+
+  [ Stefan Bühler ]
+  * Create WKS server and client packages
+
+  [ Daniel Kahn Gillmor ]
+  * minor packaging cleanups
+  * more upstream bugfix and cleanup patches
+  * rename WKS packages to match the tool names
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 18 May 2017 18:02:46 -0400
+
+gnupg2 (2.1.21-1) experimental; urgency=medium
+
+  * new upstream release
+  * drop patches alread yupstream, refresh patches
+  * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 16 May 2017 22:42:20 -0400
+
+gnupg2 (2.1.20-4) experimental; urgency=medium
+
+  * avoid shipping or trying to use .skel files
+  * more bugfixes from upstream
+  * skip missing signing keys (Closes: #834922)
+  * prefer available smartcard
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 10 May 2017 14:59:02 -0400
+
+gnupg2 (2.1.20-3) experimental; urgency=medium
+
+  * more upstream bugfixes (Closes: #858400)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 07 Apr 2017 11:36:51 -0400
+
+gnupg2 (2.1.20-2) experimental; urgency=medium
+
+  * more bugfix patches from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 06 Apr 2017 11:21:24 -0400
+
+gnupg2 (2.1.20-1) experimental; urgency=medium
+
+  * new upstream release
+  * drop patches already upstream, refresh patches
+  * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 05 Apr 2017 11:43:09 -0400
+
+gnupg2 (2.1.19-3) experimental; urgency=medium
+
+  * more patches from usptream
+    - test suite should now use /tmp and not require /run/user/
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 21 Mar 2017 12:34:47 -0400
+
+gnupg2 (2.1.19-2) experimental; urgency=medium
+
+  * more patches from upstream (Closes: #854829)
+  * add verbose=3 to the test suite as requested by upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 20 Mar 2017 14:05:46 -0400
+
+gnupg2 (2.1.19-1) experimental; urgency=medium
+
+  * New upstream release (Closes: #854359)
+  * many post-release bugfixes from upstream
+  * add logcheck filters for gpg-agent (Closes: #856438)
+  * Upload to experimental due to the freeze
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 16 Mar 2017 12:47:40 -0400
+
+gnupg2 (2.1.18-6) unstable; urgency=medium
+
+  [ NIIBE Yutaka ]
+  * scdaemon: Fix duplicated entries (Closes: #855056).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 13 Feb 2017 19:29:34 -0500
+
+gnupg2 (2.1.18-5) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
+    invocations for socket names.
+
+  [ NIIBE Yutaka ]
+  * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
+  * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 13 Feb 2017 09:15:07 -0500
+
+gnupg2 (2.1.18-4) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * document that debian disables --allow-version-check
+  * docs, debugging, and bugfix patches from upstream (Closes: #852979)
+
+  [ NIIBE Yutaka ]
+  * scdaemon bugfixes
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 04 Feb 2017 22:03:26 -0500
+
+gnupg2 (2.1.18-3) unstable; urgency=medium
+
+  * fix searches for keys with raw addr-spec
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 25 Jan 2017 16:58:56 -0500
+
+gnupg2 (2.1.18-2) unstable; urgency=medium
+
+  * pull fixes from upstream (including a double-free in gpg-agent)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 25 Jan 2017 09:29:25 -0500
+
+gnupg2 (2.1.18-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 23 Jan 2017 23:12:35 -0500
+
+gnupg2 (2.1.17-6) unstable; urgency=medium
+
+  * Upstream patches, fixing unnecessary delay in gpg-agent (Closes: #851298)
+  * gpg-agent: avoid race in shutdown (Closes: #841143)
+  * improve dirmngr, gpg-agent README.Debian (Closes: #850982)
+  * clean up gpg-agent-idling patch
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 18 Jan 2017 14:40:41 -0500
+
+gnupg2 (2.1.17-5) unstable; urgency=medium
+
+  * more fixes from upstream (improving but not yet closing: #849845)
+  * gpg-agent: actively poll when shutdown is pending.  Thanks, NIIBE
+    Yutaka! (addresses but does not close #841143)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 11 Jan 2017 15:44:57 -0500
+
+gnupg2 (2.1.17-4) unstable; urgency=medium
+
+  * more patches from upstream, including dirmngr debugging
+    improvements
+  * resolve ambiguity in aliased options and commands (Closes: #850475)
+  * auto-enable gpg-agent and dirmngr for systemd user sessions
+  * enable easy reloads from systemd
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 10 Jan 2017 17:30:08 -0500
+
+gnupg2 (2.1.17-3) unstable; urgency=medium
+
+  * more bugfixes from upstream (improving but not yet closing: #849845)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 03 Jan 2017 15:39:52 -0500
+
+gnupg2 (2.1.17-2) unstable; urgency=medium
+
+  * include patches from upstream to avoid build failures on 32-bit
+    arches.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 24 Dec 2016 18:11:51 -0500
+
+gnupg2 (2.1.17-1) unstable; urgency=medium
+
+  * new upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 24 Dec 2016 15:39:04 -0500
+
+gnupg2 (2.1.16-3) unstable; urgency=medium
+
+  * remove -pie from hppa, kfreebsd-amd64, and x32 builds of
+    gpgv-static (Closes: #846889)
+  * import several upstream bugfix patches (Closes: #846834, #846168)
+  * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 05 Dec 2016 15:34:49 -0500
+
+gnupg2 (2.1.16-2) unstable; urgency=medium
+
+  * avoid using adns, due to lack of security support (Closes: #845078)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 21 Nov 2016 09:57:26 -0500
+
+gnupg2 (2.1.16-1) unstable; urgency=medium
+
+  * New upstream version
+  * dropped many patches already incorporated upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 20 Nov 2016 23:22:49 -0500
+
+gnupg2 (2.1.15-9) unstable; urgency=medium
+
+  * Introduce gpgv-static package (Closes: #806940)
+  * more patches from upstream
+  * use adns for better DNS resolution in dirmngr
+  * add some import-options to
+    migrate-pubring-from-classic-gpg for better migration
+  * reorganize patches to distinguish debian variations from upstream
+  * set simple and easy defaults for keyservers
+  * help dirmngr and gpg-agent idle better in the default case
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 10 Nov 2016 07:28:16 -0800
+
+gnupg2 (2.1.15-8) unstable; urgency=medium
+
+  * rename gpg-agent-restricted.socket to gpg-agent-extra.socket
+    (for symmetry with option names and actual sockets created)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 27 Oct 2016 13:54:53 -0400
+
+gnupg2 (2.1.15-7) unstable; urgency=medium
+
+  * more upstream patches
+  * dirmngr systemd user service is now socket-activated.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 27 Oct 2016 12:48:15 -0400
+
+gnupg2 (2.1.15-6) unstable; urgency=medium
+
+  * more upstream patches (Closes: #841437, #840680)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 26 Oct 2016 17:44:20 -0400
+
+gnupg2 (2.1.15-5) unstable; urgency=medium
+
+  * added udev rules for Fujitsu Siemens cardreader (Closes: #840312)
+  * mark transitional packages Multi-Arch: Foreign (closes: #840258)
+  * make gnupg2 binNMU-safe
+  * more patches from upstream
+  * track upstream decision-making about gpg-agent socket names
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 25 Oct 2016 21:30:06 -0400
+
+gnupg2 (2.1.15-4) unstable; urgency=medium
+
+  * update debian/tests/gpgv-win32
+  * more patches from upstream (Closes: #838153)
+  * tighten dependencies between gnupg and dirmngr (Closes: #834602)
+  * updated systemd user gpg-agent units for socket activation
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 04 Oct 2016 17:22:30 -0400
+
+gnupg2 (2.1.15-3) unstable; urgency=medium
+
+  * Use upstream fix to avoid touching homedir during test suite
+  * backward compatibility for preset-passphrase and protect-tool
+  * add Breaks: for python3-apt too (thanks, Harald Jenny!)
+  * Avoid network access during tests (Closes: #836259)
+  * more patches from upstream
+   - gpgv --output now works
+   - fingerprint display doesn't vary with --keyid-format
+   - minor cleanup to scdaemon dealing with removed cards
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 14 Sep 2016 17:08:58 -0400
+
+gnupg2 (2.1.15-2) unstable; urgency=medium
+
+  * restore keyid output in gpgv (Closes: #836144)
+  * avoid test suite failures when HOME does not exist
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 31 Aug 2016 12:37:48 -0400
+
+gnupg2 (2.1.15-1) unstable; urgency=medium
+
+  * new upstream release
+   - blocks signals during keyring updates (Closes: #293556)
+  * avoid libusb on hurd.  Thanks, Pino Toscano! (Closes: #834533)
+  * permissions on test suite are already fixed
+  * drop patches applied upstream and refresh remaining patches
+  * make gnupg2 reproducible by not regenerating documentation date
+  * make autopkgtest work with modern wine (Closes: #835976)
+  * wrap-and-sort -ast for cleaner diffs
+  * add versioned Breaks: for affected packages (Closes: #835349)
+   - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904)
+   - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592)
+   - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465)
+   - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600)
+   - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281)
+   - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075)
+   - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 30 Aug 2016 13:19:23 -0400
+
+gnupg2 (2.1.14-5) unstable; urgency=medium
+
+  * actually ship /usr/share/doc/gnupg/README.Debian
+  * Release to unstable.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 12 Aug 2016 16:27:22 -0400
+
+gnupg2 (2.1.14-4) experimental; urgency=medium
+
+  * add ZeitControl card (Closes: #814584)
+  * three more fixes from upstream
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 08 Aug 2016 12:54:21 -0400
+
+gnupg2 (2.1.14-3) experimental; urgency=medium
+
+  * cleanup debian/copyright
+  * update debian/watch
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 03 Aug 2016 11:09:05 -0400
+
+gnupg2 (2.1.14-2) experimental; urgency=medium
+
+  * mark the gpgv binary as Priority: important, since apt depends on it
+  * import a bunch of fixes from upstream
+  * include permissioning on patched-in tests
+  * Breaks: some packages that expect old gpg behavior (Closes: #831500)
+  * remove scdaemon.service; it will be managed by gpg-agent.service
+  * avoid bulleted items in debian/NEWS (thanks, Lintian!)
+  * debian/copyright: cleanup, fix URLs
+  * debian/control: use standard URL for Vcs-Browser
+  * fix spelling and grammar noticed by lintian
+  * avoid lintian notes about a misspelled "written"
+  * clean up gpgv2 Description
+  * break out arch-indep localization files into new gnupg-l10n package
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 01 Aug 2016 17:54:59 -0400
+
+gnupg2 (2.1.14-1) experimental; urgency=medium
+
+  * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 15 Jul 2016 01:39:25 +0200
+
+gnupg2 (2.1.13-5) experimental; urgency=medium
+
+  * dependency cleanup!
+   - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr}
+   - make gnupg Provide: gpg and mention it in the package description
+   - drop mention of newpg, which has not been in debian for many releases
+   - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention
+     in debian/control
+   - drop Suggests: gnupg-doc, which does not appear to be maintained
+   - drop all references to gpg-idea, which has not been in debian for
+     several releases
+   - removed dependency on "dpkg (>= 1.15.4) | install-info", since that
+     dpkg version predates oldstable (wheezy)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 04 Jul 2016 10:13:42 -0400
+
+gnupg2 (2.1.13-4) experimental; urgency=medium
+
+  * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that
+    we can generate win32 packages on non-x86 platforms.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 01 Jul 2016 11:30:28 -0400
+
+gnupg2 (2.1.13-3) experimental; urgency=medium
+
+  * pull bugfixes from upstream (Closes: #828109, #814584)
+  * should also allow for reproducible builds, with fix to
+    timestamps in tofu.test
+  * provide supervised dirmngr, gpg-agent, and scdaemon services from
+    systemd's user sessioniif the user wants to enable them.  These
+    services should terminate at logout (Closes: #825911)
+  * avoid launching gpg-agent from Xsession.d since we have more robust
+    session management available (added NEWS entry about this change)
+  * gnupg-agent now Provides: gpg-agent to mitigate common confusion.
+  * updated dirmngr package description.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 28 Jun 2016 13:46:36 -0400
+
+gnupg2 (2.1.13-2) experimental; urgency=medium
+
+  * brown paper bag time: fix build-dep from libusb-1.0.0-dev to
+    libusb-1.0-0-dev
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 17 Jun 2016 23:07:43 -0400
+
+gnupg2 (2.1.13-1) experimental; urgency=medium
+
+  * New upstream release
+   - new keyid-format "none", used by default (Closes: #826273)
+  * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks,
+    gniibe!)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 16 Jun 2016 18:30:36 -0400
+
+gnupg2 (2.1.12-1) experimental; urgency=medium
+
+  * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 10 May 2016 20:58:06 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+  * switching over binary package names in experimental -- gnupg2 source
+    package now provides gnupg and gpgv
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 18 Apr 2016 19:17:19 -0400
+
+gnupg2 (2.1.11-7) unstable; urgency=medium
+
+  * move to unstable
+  * re-enable test suites on mips and mipsel since #730846 is resolved
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 18 Apr 2016 07:45:16 -0400
+
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+  * stop using help2man to fix cross-building
+  * ensure gpgv-win32 is properly stripped
+  * enable autopkgtest to run without root on systems that already have
+    wine32 installed
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 01 Apr 2016 13:08:07 -0300
+
+gnupg2 (2.1.11-6+exp3) experimental; urgency=medium
+
+  * more cleanup on arch-dependent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 30 Mar 2016 03:36:18 -0400
+
+gnupg2 (2.1.11-6+exp2) experimental; urgency=medium
+
+  * avoid build failures when building only arch-dependent or only
+    arch-independent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 30 Mar 2016 02:59:18 -0400
+
+gnupg2 (2.1.11-6+exp1) experimental; urgency=medium
+
+  * take over gpgv-win32 from gnupg 1.4 packaging
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 28 Mar 2016 23:27:43 -0400
+
+gnupg2 (2.1.11-6) unstable; urgency=medium
+
+  * avoid FTBFS with patch from upstream (Closes: #814842)
+  * bumped standards-version to 3.9.7 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 01 Mar 2016 09:36:41 +0100
+
+gnupg2 (2.1.11-5) unstable; urgency=medium
+
+  * taking over gpgv-udeb from gnupg 1.4 packaging
+  * debian/control: use secure transport for Vcs-* and Homepage
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 04 Feb 2016 17:17:47 -0500
+
+gnupg2 (2.1.11-4) unstable; urgency=medium
+
+  * disable gpgtar, since it is causing unpredictable testsuite failures
+    and we don't ship it anyway.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 03 Feb 2016 11:57:57 -0500
+
+gnupg2 (2.1.11-3) unstable; urgency=medium
+
+  * trying again to get a proper dump of the gpgtar.test.log. sigh.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 28 Jan 2016 08:34:22 -0500
+
+gnupg2 (2.1.11-2) unstable; urgency=medium
+
+  * added temporary hook to view failing gpgtar test output on build
+    daemons since i can't replicate the failures on my own build systems.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 28 Jan 2016 00:53:29 -0500
+
+gnupg2 (2.1.11-1) unstable; urgency=medium
+
+  * new upstream release
+    - drops buggy attempt to detect duplicate keys (Closes: #807819)
+  * removed -dbg package, since we have automatic -dbgsym packages now
+  * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 25 Jan 2016 15:29:25 -0500
+
+gnupg2 (2.1.10-3) unstable; urgency=medium
+
+  * avoid infinite loop when doing --gen-revoke by fingerprint
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 12 Dec 2015 16:53:40 -0500
+
+gnupg2 (2.1.10-2) unstable; urgency=medium
+
+  * actually use sks-keyservers CA by default if the user asks for
+    hkps://hkps.pool.sks-keyservers.net
+  * move ownership of some files in /usr/share/gnupg2/ to more appropriate
+    owners like gpgsm and dirmngr.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 11 Dec 2015 17:06:10 -0500
+
+gnupg2 (2.1.10-1) unstable; urgency=medium
+
+  * new upstream release
+  * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps.
+  * avoid shipping Changelog-2011, use upstream ChangeLog (Closes:
+    #803225)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 09 Dec 2015 12:05:42 -0500
+
+gnupg2 (2.1.9-1) unstable; urgency=medium
+
+  * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 13 Oct 2015 10:04:33 -0400
+
+gnupg2 (2.1.8-2) UNRELEASED; urgency=medium
+
+  [ NIIBE Yutaka ]
+  * update scdaemon dependencies
+
+  [ Daniel Kahn Gillmor ]
+  * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 17 Sep 2015 00:00:28 -0400
+
+gnupg2 (2.1.8-1) unstable; urgency=medium
+
+  * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 10 Sep 2015 17:00:06 -0400
+
+gnupg2 (2.1.7-2) unstable; urgency=medium
+
+  * upload to unstable
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 11 Aug 2015 21:24:18 -0400
+
+gnupg2 (2.1.7-1) experimental; urgency=medium
+
+  * new upstream release
+  * block ptrace connections to gpg-agent
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 11 Aug 2015 20:05:38 -0400
+
+gnupg2 (2.1.6-1) experimental; urgency=medium
+
+  * new upstream release
+  * drop deprecated gpgsm-gencert.sh
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 07 Jul 2015 14:27:23 -0400
+
+gnupg2 (2.1.5-2) experimental; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that
+    pinentry-gnome3 can work across sessions.
+  * ensure that l10n files are rebuilt.
+
+  [ Eric Dorland ]
+  * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for
+    build failure when rebuilding info docs.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 30 Jun 2015 18:13:58 -0400
+
+gnupg2 (2.1.5-1) experimental; urgency=medium
+
+  * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 11 Jun 2015 13:18:56 -0400
+
+gnupg2 (2.1.4-2) experimental; urgency=medium
+
+  * avoid excess dependencies on headless servers (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 03 Jun 2015 14:12:49 -0400
+
+gnupg2 (2.1.4-1) experimental; urgency=medium
+
+  * New upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 28 May 2015 00:25:55 -0400
+
+gnupg2 (2.1.3-1) experimental; urgency=medium
+
+  * New upstream version.
+  * Add gnupg2-dbg (Closes: #781631)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 01 Apr 2015 12:10:38 -0400
+
+gnupg2 (2.1.2-2) experimental; urgency=medium
+
+  * Fix segv due to NULL value stored as opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 21 Feb 2015 10:26:50 -0500
+
+gnupg2 (2.1.2-1) experimental; urgency=medium
+
+  * New upstream version
+  * move from automake1.11 to plain automake (upstream uses 1.14 now)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 12 Feb 2015 20:10:43 -0500
+
+gnupg2 (2.1.1-1) experimental; urgency=medium
+
+  * New upstream version (closes: #772654)
+  * gnupg2 now Breaks: older versions of dirmngr (closes: #769460)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 16 Dec 2014 14:58:06 -0500
+
+gnupg2 (2.1.0-1) experimental; urgency=medium
+
+  * import upstream 2.1.0 release.
+  * drop debian/patches/speed-up-test-suite.patch -- included upstream.
+  * avoid self-reporting as a beta now that this is a release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 06 Nov 2014 12:31:06 -0500
+
+gnupg2 (2.1.0~beta895-3) experimental; urgency=medium
+
+  * update gnupg-agent.xsession to export ssh-agent where
+    configured. (Closes: #767341)
+  * use cheap/fast entropy for the test suite so that builds on
+    low-entropy machines go faster.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 30 Oct 2014 13:37:08 -0400
+
+gnupg2 (2.1.0~beta895-2) experimental; urgency=medium
+
+  * added pkg-config to Build-Depends.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 29 Oct 2014 18:36:27 -0400
+
+gnupg2 (2.1.0~beta895-1) experimental; urgency=medium
+
+  * new upstream version in experimental (Closes: #762844, #751266, #762844)
+  * ship /usr/bin/gpgparsemail (Closes: #760575)
+  * document that doc/OpenPGP is not actually an RFC, but just refers to
+    one (closes: #745410)
+  * Bump Standards-Version to 3.9.6 (no changes needed)
+  * --enable-large-secmem to ensure that gpg2 works with pre-generated
+    oversized RSA keys
+  * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO
+    about the standard socket.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 29 Oct 2014 17:53:06 -0400
+
+gnupg2 (2.0.28-3) unstable; urgency=medium
+
+  * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 04 Jul 2015 14:21:41 -0400
+
+gnupg2 (2.0.28-2) unstable; urgency=medium
+
+  * d/clean: drop stamp-po to rebuild l10n (Closes: #788989)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 30 Jun 2015 17:17:11 -0400
+
+gnupg2 (2.0.28-1) unstable; urgency=medium
+
+  * new upstream release
+  * really address excess dependencies on headless server (thanks Raphaël
+    Halimi for noticing) (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 02 Jun 2015 12:16:57 -0400
+
+gnupg2 (2.0.27-2) unstable; urgency=medium
+
+  * import upstream fix to avoid replicating unknown subkey
+    packets. (Closes: #787045) (Thanks, NIIBE Yutaka)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 28 May 2015 00:55:51 -0400
+
+gnupg2 (2.0.27-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Provide a simple way for users to avoid gpg-agent hijacking,
+    working around: #760102 (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 08 May 2015 18:15:15 -0400
+
+gnupg2 (2.0.26-6) unstable; urgency=medium
+
+  * Avoid NULL dereference with opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 21 Feb 2015 18:01:40 -0500
+
+gnupg2 (2.0.26-5) unstable; urgency=medium
+
+  * import bug-fixes from upstream
+    (Closes: #773415, #773469, #773471, #773472, #773423)
+  * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip
+    invalid packets", CVE-2015-1607 "memcpy with overlapping ranges,
+    resulting from incorrect bitwise left shifts" (Closes: #778577)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 16 Feb 2015 17:45:06 -0500
+
+gnupg2 (2.0.26-4) unstable; urgency=medium
+
+  [ David Prévot ]
+  * Update POT and PO files, and ensure the translations get rebuild
+  * Update French translation (Closes: #769574)
+  * Update Ukrainian translation, thanks to Yuri Chornoivan
+  * Update German translation, thanks to Werner Koch
+  * Update Danish translation, thanks to Joe Hansen
+  * Update Japanese translation, thanks to NIIBE Yutaka
+  * Update Chinese (traditional) translation, thanks to Jedi Lin
+  * Update Russian translation, thanks to Ineiev
+  * Update Polish translation, thanks to Jakub Bogusz
+  * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta
+    (Closes: #770727)
+  * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981)
+
+  [ Daniel Kahn Gillmor ]
+  * bugfix and cryptographic safety changes imported from upstream:
+   - Avoid regression when adding subkeys with strong s2k algorithms
+     (Closes: #772780) Thanks, NIIBE Yutaka
+   - Allow french translation to work when prompting for passphrase.
+   - add build and runtime support for larger RSA keys (Closes: #739424)
+   - fix runtime errors on bad input (Closes: #771987)
+   - deprecate insecure one-argument variant for gpg --verify of detached
+     signatures (Closes: #771992)
+   - initialize trustdb before trying to clear it (Closes: #735363)
+   - default to issuing SHA256 signatures for RSA
+   - avoid relying on MD5 signatures
+   - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 04 Jan 2015 17:17:00 -0500
+
+gnupg2 (2.0.26-3) unstable; urgency=medium
+
+  * fix typo in gpg.info (closes: #760273)
+  * drop versioned Build-Conflicts on automake by setting environment
+    variables in debian/rules
+  * ship /usr/bin/gpgparsemail (closes: #760575)
+  * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf
+    (closes: #762844)
+  * do not break on --trust-model=always (closes: #751266)
+  * document that doc/OpenPGP is not actually an RFC, but just refers to
+    one (closes: #745410)
+  * Bump Standards-Version to 3.9.6 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 30 Sep 2014 23:39:15 -0400
+
+gnupg2 (2.0.26-2) unstable; urgency=medium
+
+  * ignore emacs turds in debian/
+  * update Vcs fields
+  * move package to group maintenance
+  * wrap-and-sort cleanup of debian/*
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 28 Aug 2014 11:42:18 -0700
+
+gnupg2 (2.0.26-1) unstable; urgency=medium
+
+  * New upstream release.
+  * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261)
+
+ -- Eric Dorland <eric@debian.org>  Tue, 19 Aug 2014 18:09:08 -0400
+
+gnupg2 (2.0.25-2) unstable; urgency=medium
+
+  * debian/control: Switch to libgcrypt20-dev (aka 1.6 release).
+
+ -- Eric Dorland <eric@debian.org>  Fri, 08 Aug 2014 14:12:05 -0400
+
+gnupg2 (2.0.25-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Eric Dorland <eric@debian.org>  Mon, 30 Jun 2014 13:10:04 -0400
+
+gnupg2 (2.0.24-1) unstable; urgency=high
+
+  * New upstream release. Fixes CVE-2014-4617 "infinite loop when
+    decompressing data packets". (Closes: #752498)
+  * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now
+    upstreamed.
+
+ -- Eric Dorland <eric@debian.org>  Wed, 25 Jun 2014 00:11:19 -0400
+
+gnupg2 (2.0.23-1) unstable; urgency=medium
+
+  * New upstream release.
+  * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to
+    the new, supported name.
+  * debian/control: Restore versioned conflict against gpg-idea. (Closes:
+    #733984)
+  * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579)
+
+ -- Eric Dorland <eric@debian.org>  Sun, 08 Jun 2014 19:20:17 -0400
+
+gnupg2 (2.0.22-3) unstable; urgency=low
+
+  * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing
+    key for uscan verification.
+  * debian/kbxutil.1, debian/rules: Add better description and regenerate
+    the manpage.
+  * debian/control: Remove version on gpg-idea conflict, add missing
+    Breaks for gpgsm and convert Conflicts to Breaks for gpgv2.
+  * debian/control: Move gnupg-agent to Depends for gpgsm instead of
+    Replaces (which in turn should have been Recommends).
+  * debian/control: Standards-Version to 3.9.5.
+  * debian/copyright: Switch to a shiny DEP-5 copyright file.
+
+ -- Eric Dorland <eric@debian.org>  Wed, 01 Jan 2014 22:56:56 -0500
+
+gnupg2 (2.0.22-2) unstable; urgency=low
+
+  * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris
+    Boot. (Closes: #726015)
+  * debian/control: IDEA is no longer patented, drop its metion from the
+    description. Thanks brian m. carlson. (Closes: #726139)
+  * debian/rules: Disable the test suite on mips and mipsel to work around
+    Bug:#730846.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 30 Nov 2013 23:47:56 -0500
+
+gnupg2 (2.0.22-1) unstable; urgency=low
+
+  * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes:
+    #725433, #722724)
+  * debian/gnupg2.install: Install gnupg-card-architecture.png for the
+    info file.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 05 Oct 2013 17:45:28 -0400
+
+gnupg2 (2.0.21-2) unstable; urgency=low
+
+  * debian/rules, debian/gnupg2.install: Switch libexecdir to
+    /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific
+    location. (Closes: #717303)
+  * debian/control, debian/gpgv2.install: Split out gpgv2 into its own
+    package.
+  * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and
+    manpage for kbxutil using help2man. (Closes: #323494)
+  * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2
+    against libassuan as it's not used.
+  * debian/rules: Install changelog for gpgv2.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 01 Sep 2013 00:42:16 -0400
+
+gnupg2 (2.0.21-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #613465, #720369)
+  * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+  * debian/control: Fix Vcs-Git path.
+  * debian/control: Now depends on libgpg-error >= 1.11.
+  * debian/control: Build-Depends on automake1.11 since the test suite
+    fails on newer versions. (Closes: #713287)
+  * debian/control: Also need a Build-Conflicts on automake (<= 1.12).
+
+ -- Eric Dorland <eric@debian.org>  Sat, 24 Aug 2013 20:33:19 -0400
+
+gnupg2 (2.0.20-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #691237, #583893)
+  * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream.
+  * debian/control: Upgrade Standards-Version to 3.9.4.
+  * debian/compat, debian/control: Upgrade to debhelper v9.
+  * debian/control, debian/rules: Drop hardening-wrapper, now that we use
+    debhelper v9.
+  * debian/scdaemon.install: scdaemon has moved under $libexecdir.
+  * debian/control: Tighten dependency on scdaemon.
+  * debian/rules: Turn on all hardening options.
+  * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+  * debian/gnupg-agent.install, debian/gnupg2.install,
+    debian/scdaemon.install: Fix /usr/lib paths for multi-arch.
+  * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes
+    ${libdir} by default.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 11 May 2013 18:28:57 -0400
+
+gnupg2 (2.0.19-2) unstable; urgency=high
+
+  * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
+    CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
+  * debian/control: Use canonical addresses for VCS.
+  * debian/control: Fix scdaemon short description.
+
+ -- Eric Dorland <eric@debian.org>  Fri, 04 Jan 2013 00:56:52 -0500
+
+gnupg2 (2.0.19-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #666092)
+  * debian/control: Add Multi-Arch: foreign to all packages.
+  * debian/rules: Update ChangeLog locations.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 31 Mar 2012 01:06:02 -0400
+
+gnupg2 (2.0.18-2) unstable; urgency=low
+
+  * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a
+    separate package for the scdaemon. (Closes: #416129)
+  * debian/control, debian/gpgsm.install, debian/gnupg2.install,
+    gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool
+    into the gnupg-agent.
+  * debian/control: Upgrade Standards-Version to 3.9.2.
+  * debian/rules: Install ChangeLog for new scdaemon package.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 15 Oct 2011 20:21:35 -0400
+
+gnupg2 (2.0.18-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #635206)
+  * debian/copyright: Update ftp location. (Closes: #624404)
+  * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+
+ -- Eric Dorland <eric@debian.org>  Tue, 30 Aug 2011 03:43:20 -0400
+
+gnupg2 (2.0.17-3) unstable; urgency=low
+
+  * debian/rules: Convert the rules file to use the lovely dh format.
+  * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove
+    unless dirs files.
+  * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides,
+    debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files.
+
+ -- Eric Dorland <eric@debian.org>  Mon, 14 Feb 2011 03:17:39 -0500
+
+gnupg2 (2.0.17-2) unstable; urgency=low
+
+  * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for
+    info install trigger.
+  * debian/control, debian/rules: Use debian build hardening.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 13 Feb 2011 16:33:17 -0500
+
+gnupg2 (2.0.17-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #584316, #603985, #603983, #603984)
+  * debian/patches/02-encode-s2k.diff,
+    debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now
+    unneeded security patches.
+  * debian/rules, debian/patches/01-gnupg2-rename.diff,
+    debian/gnupg2.info, debian/gnupg2.install: No need to rename the info
+    file anymore.
+  * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for
+    better renaming of pkg directories. (Closes: #579006)
+  * debian/control, debian/compat: Upgrade to debhelper level 8.
+  * debian/control:
+    - Upgrade Standards-Version to 3.9.1.
+    - Update Build-Depends versions for the latest release.
+  * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes:
+    #567537)
+  * debian/gnupg2.docs: doc/faq.html no longer exists.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 13 Feb 2011 16:06:41 -0500
+
+gnupg2 (2.0.14-2) unstable; urgency=low
+
+  * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename
+    lintian files and use dh_lintian instead of shell snippets.
+  * debian/source/patch-header, debian/source/options: Delete patch header
+    and remove single-debian-patch option.
+  * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary
+    renaming of gnupg -> gnupg2 in a quilt patch.
+  * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase
+    problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this
+    problem in 2.0.14-1.1.
+  * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509
+    certificates" for gpgsm. (Closes: #590122)
+  * debian/rules, debian/control: Use dh-autoreconf and autopoint to
+    regenerate autotools files at build time.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 25 Jul 2010 02:16:42 -0400
+
+gnupg2 (2.0.14-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/control: Build depend on libreadline-dev instead of
+    libreadline5-dev, since libreadline6-dev is out. (Closes: #548922)
+  * debian/source/format, debian/source/options,
+    debian/source/patch-header: Convert to v3 quilt format, with
+    single-debian-patch.
+  * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792)
+
+ -- Eric Dorland <eric@debian.org>  Sat, 09 Jan 2010 21:15:18 -0500
+
+gnupg2 (2.0.13-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/control: Depend instead of Recommend gnupg-agent. (Closes:
+    #538947)
+
+ -- Eric Dorland <eric@debian.org>  Mon, 07 Sep 2009 20:38:23 -0400
+
+gnupg2 (2.0.12-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #499569, #463270, #446494, #314068,
+    #519375, #514587)
+  * debian/control: Change build dependency on gs to ghoscript, since
+    ghoscript has been replaced.
+  * debian/compat: Use debhelper v7.
+  * debian/control: Update Standards-Version to 3.8.2.
+  * debian/control: Use ${misc:Depends}.
+  * configure.ac: Override pkgdatadir so that it points to
+    /usr/share/gnupg2. (Closes: #528734)
+  * debian/rules: No longer need to specify pkgdatadir at make install
+    time.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 23 Aug 2009 20:48:11 -0400
+
+gnupg2 (2.0.11-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #496663)
+  * debian/control: Make the description a little more distinctive than
+    gnupg v1's. Thanks Jari Aalto. (Closes: #496323)
+
+ -- Eric Dorland <eric@debian.org>  Sun, 08 Mar 2009 22:46:47 -0400
+
+gnupg2 (2.0.9-3) unstable; urgency=medium
+
+  * Urgency medium to try to beat the release.
+  * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh
+    key generation. (Closes: #473841)
+
+ -- Eric Dorland <eric@debian.org>  Mon, 21 Jul 2008 03:48:11 -0400
+
+gnupg2 (2.0.9-2) unstable; urgency=low
+
+  * The "I've neglected you too long" release.
+
+  * debian/control:
+    - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need
+      it under most circumstances. (Closes: #459462, #477691)
+    - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the
+      front of the alternatives list. (Closes: #462951)
+  * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc
+    4.3 strictness on bitfields combined with curl. (Closes: #476999)
+
+ -- Eric Dorland <eric@debian.org>  Mon, 28 Apr 2008 03:22:20 -0400
+
+gnupg2 (2.0.9-1) unstable; urgency=low
+
+  * New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
+    (Closes: #472928)
+  * debian/rules: Don't ignore status of make distclean, just check for
+    the existance of the Makefile.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 29 Mar 2008 03:21:21 -0400
+
+gnupg2 (2.0.8-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #428635)
+  * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy
+    otherwise. (Closes: #456467)
+  * debian/control:
+    - Requires libassuan >= 1.0.4 now.
+    - Remove the XS- prefix from the Vcs-* headers.
+    - Add Homepage header.
+    - Upgrade Standards-Version to 3.7.3.0.
+    - Make gnupg2 optional rather than extra.
+    - Remove unnecessary conflict on suidmanager.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 22 Dec 2007 02:06:42 -0500
+
+gnupg2 (2.0.7-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/rules:
+    - Remove unnecessary deletion of the .gmo files. (Closes: #442583)
+    - Clean out some old comments
+  * gnupg-agent.xsession: Remove the quotes around --write-env-file
+    argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo
+    Cruz. (Closes: #443580)
+
+ -- Eric Dorland <eric@debian.org>  Sun, 30 Sep 2007 02:50:40 -0400
+
+gnupg2 (2.0.6-1) unstable; urgency=low
+
+  * New upstream release. (Closes: #437289)
+  * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so
+    it exits properly when the session dies. (Closes: #401843)
+  * debian/control: Add XS-Vcs headers for its new git home.
+
+ -- Eric Dorland <eric@debian.org>  Mon, 03 Sep 2007 23:29:11 -0400
+
+gnupg2 (2.0.5-2) unstable; urgency=low
+
+  * The "Ubuntu, I would have done it had you only asked" release.
+
+  * debian/copyright: Fix download location. Thanks Ubuntu.
+  * debian/README.Debian: Remove, doesn't contain any relevant info.
+  * debian/rules:
+    - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790)
+    - Run dh_installexamples.
+    - Don't list the docs to install in here.
+  * debian/gnupg2.examples: New file, install gpgconf.conf as an example
+    into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes:
+    #434878)
+  * debian/control:
+    - Remove opensc and pcsc-lite build dependencies, they're not used anymore.
+    - Add libcurl4-gnutls-dev build dep, to use the real curl.
+  * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug
+    message. Thanks Ubuntu.
+  * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here,
+    add some new docs. Thanks Ubuntu.
+  * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it
+    in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787)
+  * debian/rules, debian/control: Only recommend libldap, don't depend on
+    it.Thanks Riku. (Closes: #435138)
+
+ -- Eric Dorland <eric@debian.org>  Thu, 16 Aug 2007 22:24:16 -0400
+
+gnupg2 (2.0.5-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/watch: Add watch file.
+  * debian/control:
+    - Require libassuan 1.0.2 or greater.
+    - Require libksba 1.0.2 or greater.
+    - Don't recommend plain gpg anymore.
+  * debian/copyright: Update copyright text for GPL v3 relicensing.
+  * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks
+    Ludovic Rousseau. (Closes: #404128)
+
+ -- Eric Dorland <eric@debian.org>  Sun, 22 Jul 2007 16:03:32 -0400
+
+gnupg2 (2.0.4-1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Eric Dorland <eric@debian.org>  Fri, 11 May 2007 00:41:01 -0400
+
+gnupg2 (2.0.3-1) unstable; urgency=high
+
+  * New upstream release.
+    - Fixes multoiple messages problem aka CVE-2007-1263.
+
+ -- Eric Dorland <eric@debian.org>  Fri,  9 Mar 2007 03:28:53 -0500
+
+gnupg2 (2.0.2-1) unstable; urgency=high
+
+  * New upstream release. (Closes: #409559)
+  * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
+  * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
+
+ -- Eric Dorland <eric@debian.org>  Mon, 19 Feb 2007 20:34:52 -0500
+
+gnupg2 (2.0.0-5) unstable; urgency=high
+
+  * debian/control: Remove unnecessary dependencies on makedev and
+    udev. Thanks Marco d'Itri.
+  * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file
+    to gnupg2.info, and use that for the index. (Closes: #398493)
+
+ -- Eric Dorland <eric@debian.org>  Fri, 24 Nov 2006 02:23:35 -0500
+
+gnupg2 (2.0.0-4) unstable; urgency=medium
+
+  * debian/control: Update forgotten replaces for pcsc-wrapper move.
+
+ -- Eric Dorland <eric@debian.org>  Mon, 20 Nov 2006 23:02:25 -0500
+
+gnupg2 (2.0.0-3) unstable; urgency=medium
+
+  * debian/control: Remove warning about development, thanks Gonzalo
+    HIGUERA DIAZ. (Closes: #399551)
+
+ -- Eric Dorland <eric@debian.org>  Mon, 20 Nov 2006 14:32:33 -0500
+
+gnupg2 (2.0.0-2) unstable; urgency=medium
+
+  * All packaging fixes, so urgency medium to beat the freeze.
+  * debian/distfiles, debian/lintian.override, debian/point-to-info.1:
+    Remove unused files.
+  * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info
+    files properly. (Closes: #398493)
+  * debian/rules:
+    - Remove some unnecessary autotools build rules.
+    - Move some of make install targets more correctly to the
+      configure line.
+  * debian/*.files, debian/rules: Rename *.files to .install and use
+    dh_install nstead of dh_movefiles.
+  * debian/gnupg-agent.xsession: Account for spaces in the configuration
+    file, thanks Artem Zolochevskiy. (Closes: #352326)
+  * debian/control:
+    - Adjust build-dependency versions slightly to match what the
+      configure scipt requires.
+    - Update Standards-Version to 3.7.2.2.
+  * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper
+    in gpgsm. (Closes: #353232)
+  * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into
+    /usr/libb/gnupg2.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 19 Nov 2006 18:03:39 -0500
+
+gnupg2 (2.0.0-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #398215)
+  * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess.
+
+ -- Eric Dorland <eric@debian.org>  Sun, 12 Nov 2006 23:52:59 -0500
+
+gnupg2 (1.9.94-1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Eric Dorland <eric@debian.org>  Thu,  2 Nov 2006 16:06:30 -0500
+
+gnupg2 (1.9.93-1) unstable; urgency=medium
+
+  * New upstream release. Urgency medium to try to beat the freeze. Thanks
+    to Andreas Metzler for getting this package into shape.
+
+ -- Eric Dorland <eric@debian.org>  Wed, 25 Oct 2006 00:41:15 -0400
+
+gnupg2 (1.9.91-0.1) unstable; urgency=low
+
+  * New upstream version, built against clean upstream tarball.
+    (Closes: #378489,#388257)
+  * bump Build-Depends:
+    - libgpg-error-dev 0.6 -> 1.4
+    - libassuan-dev 0.6.10 -> 0.9.1
+    - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552)
+  * Add libreadline5-dev to Build-Depends.
+  * Pass proper --build and --host args to ./configure.
+  * configure with --mandir='$${prefix}/share/man'.
+  * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am.
+  * New upstream includes a lot more manpages, ship them.
+    (Closes: #300129,#300677)
+    gpg-agent(1) documents ~/gpg-agent.conf.  (Closes: #300676)
+  * Update debian/copyright.
+  * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited
+    of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg".
+    suidregister has been obsolete for a long time and /usr/bin/gpg is not
+    part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed
+    suid it should be shipped with these permissions in the deb instead
+    using chmod in postinst anyway.
+  * Drop preinst (ending up as gnupg-agent's preinst), which only showed
+    a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent
+    0.3.2-1.
+  * Add (noop) binary-indep target as required by policy 4.9.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun,  8 Oct 2006 07:51:44 +0000
+
+gnupg2 (1.9.20-2) unstable; urgency=high
+
+  * debian/control: Make myself the maintainer with Matthias' permission.
+  * Acknowledge NMU. (Closes: #375053, #376755)
+  * g10/parse-packet.c: Patch from Martin Schulze to backport security fix
+    for CVE-2006-3746, crash when receiving overly long comments.
+
+ -- Eric Dorland <eric@debian.org>  Fri,  4 Aug 2006 18:11:43 -0400
+
+gnupg2 (1.9.20-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Adapt patch from upstream CVS, fixing buffer overflow leading to remote
+    DoS/crash (CVE-2006-3082). (Closes: #375053)
+
+ -- Steinar H. Gunderson <sesse@debian.org>  Tue,  4 Jul 2006 20:37:43 +0200
+
+gnupg2 (1.9.20-1) unstable; urgency=low
+
+  * New Upstream version. Closes:#306890,#344530
+    * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files
+  * Depend on libopensc2-dev, not -1-. Closes:#348106
+
+ -- Matthias Urlichs <smurf@debian.org>  Tue, 24 Jan 2006 04:31:42 +0100
+
+gnupg2 (1.9.19-2) unstable; urgency=low
+
+  * Convert debian/changelog to UTF-8.
+  * Put gnupg-agent and gpgsm lintian overrides in the respectively
+    right package.  Closes: #335066
+  * Added debhelper tokens to maintainer scripts.
+  * xsession fixes:
+    o Added host name to gpg-agent PID file name.  Closes: #312717
+    o Fixed xsession script to be able to run under zsh.  Closes: #308516
+    o Don't run gpg-agent if one is already running.  Closes: #336480
+  * debian/control:
+    o Fixed package description of gpgsm package.  Closes: #299842
+    o Added mention of gpg-agent to description of gnupg-agent package.
+      Closes: #304355
+  * Thanks to Peter Eisentraut <petere@debian.org> for all of the above.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu,  8 Dec 2005 22:13:21 +0100
+
+gnupg2 (1.9.19-1) unstable; urgency=low
+
+  * Merged with 1.9.19.
+  * Re-enable gpgv2 package.
+
+ -- Matthias Urlichs <smurf@debian.org>  Sat, 22 Oct 2005 14:33:33 +0200
+
+gnupg2 (1.9.17-1) unstable; urgency=low
+
+  * Merged with Upstream 1.9.17.
+
+ -- Matthias Urlichs <smurf@debian.org>  Mon,  4 Jul 2005 01:56:43 +0200
+
+gnupg2 (1.9.15-6) unstable; urgency=high
+
+  * Move gpg-protect-tool to the gpgsm package.
+    Closes: #303492.
+    High urgency because this renders gpgsm unuseable for some people.
+  * gpg-agent: Override max-cache-ttl if a higher default is set.
+    Closes: #302692.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu,  7 Apr 2005 10:13:19 +0200
+
+gnupg2 (1.9.15-5) unstable; urgency=low
+
+  * Add /etc/X11/Xsession.d/90gpg-agent script.  Closes: #300128.
+  * Emphasize that gnupg2 is NOT useful at the moment.
+  * Conflict+replace gpg-agent with newpg.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu, 10 Mar 2005 22:46:10 +0100
+
+gnupg2 (1.9.15-4) unstable; urgency=low
+
+  * Incorporated Ubuntu changes from Andreas Mueller.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu, 10 Mar 2005 21:41:59 +0100
+
+gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low
+
+  * removed info file
+
+ -- Andreas Mueller <amu@ubuntu.com>  Tue,  8 Mar 2005 01:58:39 +0100
+
+gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low
+
+  * changed rules file, part cp gnupg.info to mv
+    and added dh_installinfo.
+  * changed Standards Version to 3.6.1
+
+ -- Andreas Mueller <amu@ubuntu.com>  Tue,  8 Mar 2005 00:53:31 +0100
+
+gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low
+
+  * added missing build depends texinfo
+
+ -- Andreas Mueller <amu@ubuntu.com>  Mon,  7 Mar 2005 22:47:56 +0100
+
+gnupg2 (1.9.15-2) hoary; urgency=low
+
+  * Initial checkin
+
+ -- Andreas Mueller <amu@ubuntu.com>  Mon,  7 Mar 2005 21:13:32 +0100
+
+gnupg2 (1.9.15-1) experimental; urgency=low
+
+  * New Upstream release.
+  * Removed -doc package:
+    - The package itself is too smal to merit being packaged separately.
+    - Interim solution: Documentation is included in the gnupg2 package.
+    - Goal: ask Upstream to split the .info file.
+  * Removed suidness.
+  * Update debian/copyright.
+  * Require libassuan >= 0.6.9.
+
+ -- Matthias Urlichs <smurf@debian.org>  Tue, 25 Jan 2005 08:19:15 +0100
+
+gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low
+
+  * Rebuild to depend on opensc1.
+  * Split -doc into its own package.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu, 16 Dec 2004 10:30:44 +0100
+
+gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low
+
+  * Turn on setuid-ness.
+    - Added Lintian overrides.
+  * Install all "standard" message files.
+    - Makefile.in: The package name for gettext is in the macro PACKAGE_GT,
+      not PACKAGE.
+  * Fix shebang line of addgnupghome script.
+  * Install info file in the correct place.
+  * Build cleanups.
+
+ -- Matthias Urlichs <smurf@debian.org>  Tue,  5 Oct 2004 10:59:56 +0200
+
+gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low
+
+  * rename gnupg-agent's changelog file
+  * Fix gnupg-agent's dependencies
+
+ -- Matthias Urlichs <smurf@debian.org>  Sun,  3 Oct 2004 20:14:30 +0200
+
+gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low
+
+  * Shipped a /usr/share/locale.alias file. Ouch.
+  * Split off gpgsm.
+
+ -- Matthias Urlichs <smurf@debian.org>  Wed, 29 Sep 2004 10:25:51 +0200
+
+gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low
+
+  * New Upstream.
+
+ -- Matthias Urlichs <smurf@debian.org>  Sat, 25 Sep 2004 11:05:44 +0200
+
+gnupg2 (1.9.10+cvs-1) experimental; urgency=low
+
+  * Packaged latest Upstream version.
+  * Split gpg-agent into its own .deb.
+  * Bit the bullet and started using debhelper.
+
+ -- Matthias Urlichs <smurf@debian.org>  Thu, 19 Aug 2004 11:43:34 +0200
+
+gnupg2 (1.9.9-1) experimental; urgency=low
+
+  * Packaged latest Upstream version.
+
+ -- Matthias Urlichs <smurf@debian.org>  Mon, 14 Jun 2004 17:18:18 +0200
+
+gnupg2 (1.9.5-1) experimental; urgency=low
+
+  * Packaged Upstream development version.
+    Closes:#187548
+
+ -- Matthias Urlichs <smurf@debian.org>  Mon,  8 Mar 2004 05:30:35 +0100
+
+gnupg (1.2.4-4) unstable; urgency=low
+
+  * 12_zero_length_header.dpatch: update patch from David Shaw
+    <dshaw@jabberwocky.com> to fix the fix of crashing on certain
+    keys. Closes: #234289
+
+ -- James Troup <james@nocrew.org>  Mon, 23 Feb 2004 18:02:20 +0000
+
+gnupg (1.2.4-3) unstable; urgency=low
+
+  * Move to dpatch; existing non-debian/ change split into
+    10_hppa_unaligned_constant.dpatch.
+
+  * debian/rules: include /usr/share/dpatch/dpatch.make.
+  * debian/rules (build): depend on patch-stamp.
+  * debian/rules (clean): depend on unpatch.  Remove debian/patched.
+  * debian/control (Build-Depends): add dpatch.
+
+  * debian/rules: update version number and use install_foo convenience
+    variables.
+  * debian/rules (clean): remove emacs backup files from any directory.
+
+  * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen
+    <thv+debian@iki.fi> to update Finnish translation as the current one
+    renders gnupg unusable.  Closes: #232030, #222951, #192582
+  * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors
+    over unrepresentable changes to source.
+
+  * 12_zero_length_header.dpatch: new patch from David Shaw
+    <dshaw@jabberwocky.com> to fix cases where importing certain keys
+    makes the keyring unuseable.  Closes: #232714
+
+  * 13_revoked_keys.dpatch: new patch from David Shaw
+    <dshaw@jabberwocky.com> to list revoked keys as revoked.  Closes: #231814
+
+  * 14_getkey_not_found_fix.dpatch: new patch from David Shaw
+    <dshaw@jabberwocky.com> to fix --list-sigs incorrectly claiming "User
+    id not found".  Closes: #229549
+
+ -- James Troup <james@nocrew.org>  Fri, 20 Feb 2004 16:38:12 +0000
+
+gnupg (1.2.4-2) unstable; urgency=low
+
+  * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones <lamont@debian.org>
+    to fix unaligned constant.  Closes: #228456
+  * debian/copyright: update year and version number.
+
+ -- James Troup <james@nocrew.org>  Tue, 20 Jan 2004 17:19:58 +0000
+
+gnupg (1.2.4-1) unstable; urgency=medium
+
+  * New upstream release.
+   * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293
+   * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957
+   * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079
+   * Fixes segmentation fault in prime generator. Closes: #213989
+   * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368
+
+  * debian/control (Build-Depends): add libbz2-dev.
+
+ -- James Troup <james@nocrew.org>  Wed, 31 Dec 2003 17:57:52 +0000
+
+gnupg (1.2.3-1) unstable; urgency=low
+
+  * New upstream release (Closes: #207340).
+   * gpg no longer kills keyrings by importing broken keys.  Closes: #196505
+   * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092
+   * --import now closes files when it's done. Closes: #196643
+   * A key listing speed regression has been fixed. Closes: #192083
+  * debian/copyright: update URL and date.
+  * debian/rules: update dates and version.
+
+  * debian/control (Standards-Version): bump to 3.6.0.
+
+  * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman
+    <dark@xs4all.nl>.  Closes: #173233
+  * debian/rules (binary-arch): install it.
+
+  * debian/rules (build): correct libexecdir passed to configure; patch
+    from Matthias Cramer <cramer@freestone.net>.  Fixes invocation of
+    gpgkeys_ldap.  Closes: #168486
+
+ -- James Troup <james@nocrew.org>  Thu, 28 Aug 2003 14:08:50 +0100
+
+gnupg (1.2.2-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/control (Standards-Version): bump to 3.5.9.0.
+  * debian/rules (binary-arch): install convert-from-106 as
+    gpg-convert-from-106 and fix the path to gpg.
+  * debian/control: remove trailing full stop from short description.
+  * debian/control: remove out-dated and contradictory information about
+    RSA.
+
+ -- James Troup <james@nocrew.org>  Mon,  5 May 2003 03:08:58 +0100
+
+gnupg (1.2.1-2) unstable; urgency=low
+
+  * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05).
+    Thanks to Ryan Murray.  Closes: #166696
+
+ -- James Troup <james@nocrew.org>  Mon, 28 Oct 2002 01:47:26 +0000
+
+gnupg (1.2.1-1) unstable; urgency=low
+
+  * New upstream version.
+   * An inifinte loop in --update-trustdb has been fixed.  Closes: #162039
+   * The polish translation is now correctly specified as UTF-8.  Closes: #162885
+   * --refresh-keys is now documented in the manpage.  Closes: #165566
+  * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is
+    incompatible with that version of gpg-idea.  Closes: #162314
+
+ -- James Troup <james@nocrew.org>  Fri, 25 Oct 2002 18:18:43 +0100
+
+gnupg (1.2.0-1) unstable; urgency=low
+
+  * New upstream version.  Closes: #161817.
+   * --options no longer mis-handles a directory as an argument.  Closes: #151973
+   * gpg now prompts before sending all keys to the keyserver.  Closes: #64607
+   * There is now a gnupg(7) manpage.  Closes: #157750
+   * The permission checking has been sanitized and handles non-home-dir
+     keyrings better.  Closes: #147760
+   * notation data longer than 5 characters is now handled.  Closes: #156871
+   * an abort when setting trust levels in a czech locale has been fixed.
+     Closes: #149212
+  * debian/rules (binary-arch): there are no more modules, adjust
+    accordingly.
+  * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks.
+  * debian/rules (binary-arch): don't install obsolete postinst or prerm.
+  * debian/rules (binary-arch): gzip gnupg.7 too.
+  * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure.
+  * debian/rules (binary-arch): likewise, pass suitable libexcedir
+    argument to make install.
+  * debian/control (Standards-Version): update to 3.5.7.0.
+  * debian/copyright: update URL and date.
+  * debian/rules: update dates and version.
+
+ -- James Troup <james@nocrew.org>  Sun, 22 Sep 2002 22:26:25 +0100
+
+gnupg (1.0.7-2) unstable; urgency=low
+
+  * debian/control (Suggests): add xloadimage since that's what gpg uses
+    by default to view photo IDs.  Thanks to Julien Danjou
+    <acid@debian.org> for the suggestion.  Closes: #156245
+  * debian/control (Depends): add "hurd" to the alternatives to
+    makedev. Thanks to Michal Suchanek <hramrach_l@centrum.cz> for
+    noticing.  Closes: #158492
+  * po/it.po: patch to fix typos from Marco Bodrato
+    <bodrato@gulp.linux.it.  Closes: #149462
+  * g10/g10.c (main): remove the bogus undef of USE_SHM_COPROCESSING to
+    match upstream and fix gabber and libgnupg-perl.  Closes: #147679, #151969
+
+ -- James Troup <james@nocrew.org>  Thu, 29 Aug 2002 01:42:58 +0100
+
+gnupg (1.0.7-1) unstable; urgency=low
+
+  * New upstream version.  Closes: #145477.
+    * GDBM support has been removed.  Closes: #33009.
+    * Now adds the default keyring when a keyring is specified.
+      Closes: #50616, #65260.
+    * Now does the Right Thing when receiving a key from the keyserver and
+      the key in question is in both a read-only and writable keyring.
+      Closes: #63297.
+    * Automatic key retrieval is now configurable.  Closes: #64940.
+    * --no-options supresses ~/.gnupg creation again.  Closes: #95486.
+    * duplicate trust entries are no longer treated as an error. Closes: #96480.
+    * There's now no comment line in ascii armours. Closes: #100088.
+    * Handle secret keyring given as keyring better.  Closes: #100581, #106670.
+    * It's now documented that --with-colons unconditionally uses UTF8.
+      Closes: #101446, 101454.
+    * s/now/knows/ typo in manpage fixed.  Closes: #107471.
+    * There's now support for a primary UID.  Closes: #106567, #108155.
+    * Handles errors in uncompression layer beter. Closes: #112392.
+    * Key selection has been entirely revamped.  Closes: #136170.
+    * Handles empty encrypt-to. Closes: #138378
+
+  * debian/rules (binary-arch): remove empty /usr/info directory, thanks
+    to Joey Hess <joeyh@debian.org>.  Closes: #121864.
+  * debian/control: remove duplicated word from long description, thanks
+    to Nicolas Boulenguez <nicolas.boulenguez@free.fr>.  Closes: #144786.
+  * README: correct URL to GPH and other docs, thanks to Mark Brown
+    <broonie@sirena.org.uk>.  Closes: #100277.
+  * debian/control (Standards-Version): updated to 3.5.6.1.
+  * debian/rules (binary-arch): only strip ELF binaries.  es_ES -> es hack
+    no longer needed as fixed upstream.
+  * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used.
+  * debian/README.Debian: remove note about gdbm support which was finally
+    removed.  Update note on old versions of gnupg to reflect the
+    pre-historic nature of those versions.
+  * debian/control (Build-Depends): add libldap2-dev.
+  * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries.
+  * debian/control (Build-Depends): add file.
+  * debian/control (Priority): increase to standard to match overrides.
+
+ -- James Troup <james@nocrew.org>  Sat, 11 May 2002 15:08:02 +0100
+
+gnupg (1.0.6-3) unstable; urgency=low
+
+  * moved into main.
+
+ -- James Troup <james@nocrew.org>  Tue, 19 Mar 2002 16:17:09 +0000
+
+gnupg (1.0.6-2) unstable; urgency=high
+
+  * debian/rules (binary-arch): remove the erroneous
+    /usr/share/locale/locale.alias that 'make install' adds; closes:
+    #99293.
+
+ -- James Troup <james@nocrew.org>  Wed, 30 May 2001 20:40:59 +0100
+
+gnupg (1.0.6-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Tue, 29 May 2001 20:59:49 +0100
+
+gnupg (1.0.5-4) unstable; urgency=low
+
+  * Patch from Werner.
+
+ -- James Troup <james@nocrew.org>  Sun, 27 May 2001 09:34:50 +0100
+
+gnupg (1.0.5-3) unstable; urgency=low
+
+  * Apply patch from Matthew Wilcox <matthew@wil.cx> to fix assembly on
+    hppa.
+
+ -- James Troup <james@nocrew.org>  Sun, 13 May 2001 02:36:45 +0100
+
+gnupg (1.0.5-2) unstable; urgency=medium
+
+  * util/http.c: patch from Werner that fixes --send-key, closes: #96277.
+  * debian/control (Depends): accept devfsd in place of makedev, closes:
+    #96307.
+
+ -- James Troup <james@nocrew.org>  Mon,  7 May 2001 00:13:51 +0100
+
+gnupg (1.0.5-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/README.Debian: fix spelling and update URL.
+  * debian/rules (binary): remove the new info files.
+  * scripts/config.{guess,sub}: sync with subversions, closes: #95729.
+
+ -- James Troup <james@nocrew.org>  Mon, 30 Apr 2001 02:12:38 +0100
+
+gnupg (1.0.4-4) unstable; urgency=low
+
+  * po/ru.po: patch by Ilya Martynov <m_ilya@agava.com> to replace German
+    entries and add missing translations, closes: #93987.
+  * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no
+    longer/g); noticed by Colin Watson <cjw44@flatline.org.uk>, closes:
+    #93664.
+
+  * Deprecated depreciated; noticed by Vincent Broman
+    <broman@spawar.navy.mil>.
+
+  * Following two patches are from Vincent Broman.
+  * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference
+    to iobuf_get_fname().
+  * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly.
+
+ -- James Troup <james@nocrew.org>  Fri, 20 Apr 2001 23:32:44 +0100
+
+gnupg (1.0.4-3) unstable; urgency=medium
+
+  * debian/rules (binary): make gpg binary suid, closes: #86433.
+  * debian/postinst: don't use suidregister.
+  * debian/postrm: removed (only called suidunregister).
+  * debian/control: conflict with suidmanager << 0.50.
+  * mpi/longlong.h: apply fix for ARM long long artimetic from Philip
+    Blundell <philb@gnu.org>, closes: #87487.
+  * debian/preinst: the old GnuPG debs have moved to people.debian.org.
+  * cipher/random.c: #include <time.h> as well as <sys/time.h>
+  * g10/misc.c: likewise.
+  * debian/rules: define a strip alias which removes the .comment and
+    .note sections.
+  * debian/rules (binary-arch): use it.
+  * debian/lintian.override: new file; override the SUID warning from
+    lintian.
+  * debian/rules (binary-arch): install it.
+
+ -- James Troup <james@nocrew.org>  Sun, 25 Feb 2001 05:24:58 +0000
+
+gnupg (1.0.4-2) stable unstable; urgency=high
+
+  * Apply security fix patch from Werner.
+  * Apply another patch from Werner to fix bogus warning on Rijndael
+    usage.
+  * Change section to 'non-US'.
+
+ -- James Troup <james@nocrew.org>  Mon, 12 Feb 2001 07:47:02 +0000
+
+gnupg (1.0.4-1) stable unstable; urgency=high
+
+  * New upstream version.
+  * Fixes a serious bug which could lead to false signature verification
+    results when more than one signature is fed to gpg.
+
+ -- James Troup <james@nocrew.org>  Tue, 17 Oct 2000 17:26:17 +0100
+
+gnupg (1.0.3b-1) unstable; urgency=low
+
+  * New upstream snapshot version.
+
+ -- James Troup <james@nocrew.org>  Fri, 13 Oct 2000 18:08:14 +0100
+
+gnupg (1.0.3-2) unstable; urgency=low
+
+  * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref.
+    Fix long description to reflect the fact that RSA is no longer
+    patented and now included. [#72177]
+  * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ
+    from /usr/share/gnupg/.  Thanks to Robert Luberda
+    <robert@pingu.ii.uj.edu.pl> for noticing. [#72151]
+  * debian/control: Suggest new package gnupg-doc. [#64323, #65560]
+  * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM,
+    as Linux will do this if resource limits (or other reasons) prevent
+    memory from being locked, instead treat it like permission was denied
+    and warn but continue.  Thanks to Topi Miettinen
+    <Topi.Miettinen@nic.fi>. [#70446]
+  * g10/hkp.c (not_implemented): s/ist/is/ in error message.
+  * debian/README.Debian: add a note about GDBM support and why it is
+    disabled.  Upstream already fixed the manpage.  [#65913]
+  * debian/rules (binary-arch): fix the Spanish translation to be 'es' not
+    'es_ES' at Nicolás Lichtmaier <nick@debian.org>'s request. [#57314]
+
+ -- James Troup <james@nocrew.org>  Sun,  1 Oct 2000 14:55:03 +0100
+
+gnupg (1.0.3-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Mon, 18 Sep 2000 15:56:54 +0100
+
+gnupg (1.0.2-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Thu, 13 Jul 2000 20:26:50 +0100
+
+gnupg (1.0.1-2) unstable; urgency=low
+
+  * debian/control (Build-Depends): added.
+  * debian/copyright: corrected location of copyright file.  Removed
+    references to Linux.  Removed warnings about beta nature of GnuPG.
+  * debian/rules (binary-arch): install documentation into
+    /usr/share/doc/gnupg/ and pass mandir to make install to ensure the
+    manpages go to /usr/share/man/.
+  * debian/postinst: create /usr/doc/gnupg symlink.
+  * debian/prerm: new file; remove /usr/doc/gnupg symlink.
+  * debian/rules (binary-arch): install prerm.
+  * debian/control (Standards-Version): updated to 3.1.1.1.
+
+ -- James Troup <james@nocrew.org>  Thu, 30 Dec 1999 16:16:49 +0000
+
+gnupg (1.0.1-1) unstable; urgency=low
+
+  * New upstream version.
+  * doc/gpg.1: updated to something usable from
+    ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz.
+
+ -- James Troup <james@nocrew.org>  Sun, 19 Dec 1999 23:47:10 +0000
+
+gnupg (1.0.0-3) unstable; urgency=low
+
+  * debian/rules (build): remove the stunningly ill-advised --host option
+    to configure.  [#44698, #48212, #48281]
+
+ -- James Troup <james@nocrew.org>  Tue, 26 Oct 1999 01:12:59 +0100
+
+gnupg (1.0.0-2) unstable; urgency=low
+
+  * debian/rules (binary-arch): fix the permissions on the
+    modules. [#47280]
+  * debian/postinst, debian/postrm: fix the package name passed to
+    suidregister. [#45013]
+  * debian/control: update long description. [#44636]
+  * debian/rules (build): pass the host explicitly to configure to avoid
+    problems on sparc64. [(Should fix) #44698].
+
+ -- James Troup <james@nocrew.org>  Wed, 20 Oct 1999 23:39:05 +0100
+
+gnupg (1.0.0-1) unstable; urgency=low
+
+  * New upstream release. [#44545]
+
+ -- James Troup <james@nocrew.org>  Wed,  8 Sep 1999 00:53:02 +0100
+
+gnupg (0.9.10-2) unstable; urgency=low
+
+  * debian/rules (binary-arch): install lspgpot.  Requested by Kai
+    Henningsen <kai@khms.westfalen.de>. [#42288]
+  * debian/rules (binary-arch): correct the path where modules are looked
+    for.  Reported by Karl M. Hegbloom <karlheg@odin.cc.pdx.edu>. [#40881]
+  * debian/postinst, debian/postrm: under protest, register gpg the
+    package with suidmanager and make it suid by default.
+    [#29780,#32590,#40391]
+
+ -- James Troup <james@nocrew.org>  Tue, 10 Aug 1999 00:12:40 +0100
+
+gnupg (0.9.10-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Fri,  6 Aug 1999 01:16:21 +0100
+
+gnupg (0.9.9-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Sun, 25 Jul 1999 01:06:31 +0100
+
+gnupg (0.9.8-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/rules (binary-arch): don't create a gpgm manpage as the binary
+    no longer exists.  Noticed by Wichert Akkerman
+    <wichert@cs.leidenuniv.nl>. [#38864]
+
+ -- James Troup <james@nocrew.org>  Sun, 27 Jun 1999 01:07:58 +0100
+
+gnupg (0.9.7-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Tue, 25 May 1999 13:23:24 +0100
+
+gnupg (0.9.6-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/copyright: update version number, noticed by Lazarus Long
+    <lazarus@frontiernet.net>.
+  * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure
+    that /dev/urandom exists; reported by Steffen Markert
+    <smort@rz.tu-ilmenau.de>. [#32076]
+
+ -- James Troup <james@nocrew.org>  Tue, 11 May 1999 21:06:27 +0100
+
+gnupg (0.9.5-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/control (Description): no tabs.  [Lintian]
+
+ -- James Troup <james@nocrew.org>  Wed, 24 Mar 1999 22:37:40 +0000
+
+gnupg (0.9.4-1) unstable; urgency=low
+
+  * New version.
+  * debian/control: s/GNUPG/GnuPG/
+
+ -- Werner Koch <wk@isil.d.suttle.de>  Mon, 8 Mar 1999 19:58:28 +0100
+
+gnupg (0.9.3-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Mon, 22 Feb 1999 22:55:04 +0000
+
+gnupg (0.9.2-1) unstable; urgency=low
+
+  * New version.
+  * debian/rules (build): Removed CFLAGS as the default is now sufficient.
+  * debian/rules (clean): remove special handling cleanup in intl.
+
+ -- Werner Koch <wk@isil.d.suttle.de>  Wed, 20 Jan 1999 21:23:11 +0100
+
+gnupg (0.9.1-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Sat,  9 Jan 1999 22:29:11 +0000
+
+gnupg (0.9.0-1) unstable; urgency=low
+
+  * New upstream version.
+  * g10/armor.c (armor_filter): add missing new line in comment string; as
+    noticed by Stainless Steel Rat <ratinox@peorth.gweep.net>.
+
+ -- James Troup <james@nocrew.org>  Tue, 29 Dec 1998 20:22:43 +0000
+
+gnupg (0.4.5-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/rules (clean): force removal of intl/libintl.h which the
+    Makefiles fail to remove properly.
+
+ -- James Troup <james@nocrew.org>  Tue,  8 Dec 1998 22:40:23 +0000
+
+gnupg (0.4.4-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Sat, 21 Nov 1998 01:34:29 +0000
+
+gnupg (0.4.3-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/README.Debian: new file; contains same information as is in the
+    preinst.  Suggested by Wichert Akkerman <wichert@cs.leidenuniv.nl>.
+  * debian/rules (binary-arch): install `README.Debian'
+  * debian/control (Standards-Version): updated to 2.5.0.0.
+
+ -- James Troup <james@nocrew.org>  Sun,  8 Nov 1998 19:08:12 +0000
+
+gnupg (0.4.2-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/preinst: improve message about the NEWS file which isn't
+    actually installed when it's referred to, thanks to Martin Mitchell
+    <martin@debian.org>.
+  * debian/rules (binary-arch): don't install the now non-existent `rfcs',
+    but do install `OpenPGP'.
+
+ -- James Troup <james@nocrew.org>  Sun, 18 Oct 1998 22:48:34 +0100
+
+gnupg (0.4.1-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/rules (binary-arch): fix the gpgm manpage symlink now installed
+    by `make install'.
+
+ -- James Troup <james@nocrew.org>  Sun, 11 Oct 1998 17:01:21 +0100
+
+gnupg (0.4.0-1) unstable; urgency=high
+
+  * New upstream version. [#26717]
+  * debian/copyright: tone down warning about alpha nature of gnupg.
+  * debian/copyright: new maintainer address.
+  * debian/control: update extended description.
+  * debian/rules (binary-arch): install FAQ and all ChangeLogs.
+  * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about
+    incompatibilities in keyring format and offer to move old copy out of
+    gpg out of the way for transition strategy and inform the user about
+    the old copies of gnupg available on my web page.
+  * debian/rules (binary-arch) install preinst.
+  * debian/rules (binary-arch): don't depend on the test target as it is
+    now partially interactive (tries to generate a key, which requires
+    someone else to be using the computer).
+
+ -- James Troup <james@nocrew.org>  Thu,  8 Oct 1998 00:47:07 +0100
+
+gnupg (0.3.2-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/control (Maintainer): new address.
+  * debian/copyright: updated list of changes.
+
+ -- James Troup <james@nocrew.org>  Thu,  9 Jul 1998 21:06:07 +0200
+
+gnupg (0.3.1-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <james@nocrew.org>  Tue,  7 Jul 1998 00:26:21 +0200
+
+gnupg (0.3.0-2) unstable; urgency=low
+
+  * Applied bug-fix patch from Werner.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Fri, 26 Jun 1998 12:18:29 +0200
+
+gnupg (0.3.0-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/control: rewrote short and long description.
+  * cipher/Makefile.am: link tiger with -lc.
+  * debian/rules (binary-arch): strip loadable modules.
+  * util/secmem.c (lock_pool): get rid of errant test code; fix from
+    Werner Koch <wk@isil.d.shuttle.de>.
+  * debian/rules (test): new target which runs gnupg's test suite.
+    binary-arch depends on it, to ensure it's run whenever the package is
+    built.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Thu, 25 Jun 1998 16:04:57 +0200
+
+gnupg (0.2.19-1) unstable; urgency=low
+
+  * New upstream version.
+  * debian/control: Updated long description.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Sat, 30 May 1998 12:12:35 +0200
+
+gnupg (0.2.18-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <J.J.Troup@comp.brad.ac.uk>  Sat, 16 May 1998 11:52:47 +0200
+
+gnupg (0.2.17-1) unstable; urgency=high
+
+  * New upstream version.
+  * debian/control (Standards-Version): updated to 2.4.1.0.
+  * debian/control: tone down warning about alpha nature of gnupg, as per
+    README.
+  * debian/copyright: ditto.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Mon,  4 May 1998 22:36:51 +0200
+
+gnupg (0.2.15-1) unstable; urgency=high
+
+  * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Fri, 10 Apr 1998 01:12:20 +0100
+
+gnupg (0.2.13-1) unstable; urgency=high
+
+  * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Wed, 11 Mar 1998 01:52:51 +0000
+
+gnupg (0.2.12-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Sat,  7 Mar 1998 13:52:40 +0000
+
+gnupg (0.2.11-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Wed,  4 Mar 1998 01:32:12 +0000
+
+gnupg (0.2.10-1) unstable; urgency=low
+
+  * New upstream version.
+  * Name changed upstream.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Mon,  2 Mar 1998 07:32:05 +0000
+
+g10 (0.2.7-1) unstable; urgency=low
+
+  * Initial release.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk>  Fri, 20 Feb 1998 02:05:34 +0000
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..4b27f09
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,9 @@
+po/*.gmo
+po/stamp-po
+build-gpgv-static/
+build-gpgv-udeb/
+build-gpgv-win32/
+build-maintainer/
+doc/gnupg.info
+doc/gnupg.info-1
+doc/gnupg.info-2
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..5ea6a07
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,502 @@
+Source: gnupg2
+Section: utils
+Priority: optional
+Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Uploaders:
+ Eric Dorland <eric@debian.org>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Standards-Version: 4.6.1
+Build-Depends:
+ automake,
+ autopoint,
+ debhelper-compat (= 13),
+ file,
+ gettext,
+ ghostscript,
+ gpgrt-tools,
+ imagemagick,
+ libassuan-dev (>= 2.5.0),
+ libbz2-dev,
+ libcurl4-gnutls-dev,
+ libgcrypt20-dev (>= 1.8.0),
+ libgnutls28-dev (>= 3.0),
+ libgpg-error-dev (>= 1.35),
+ libksba-dev (>= 1.3.5),
+ libldap2-dev,
+ libnpth0-dev (>= 1.2),
+ libreadline-dev,
+ libsqlite3-dev,
+ libusb-1.0-0-dev [!hurd-any],
+ openssh-client <!nocheck>,
+ pkg-config,
+ texinfo,
+ transfig,
+ zlib1g-dev | libz-dev,
+Build-Depends-Indep:
+ binutils-multiarch [!amd64 !i386],
+ libassuan-mingw-w64-dev (>= 2.5.0),
+ libgcrypt-mingw-w64-dev (>= 1.8.0),
+ libgpg-error-mingw-w64-dev (>= 1.45),
+ libksba-mingw-w64-dev (>= 1.3.5),
+ libnpth-mingw-w64-dev (>= 1.2),
+ libz-mingw-w64-dev,
+ mingw-w64,
+Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/main
+Vcs-Browser: https://salsa.debian.org/debian/gnupg2
+Homepage: https://www.gnupg.org/
+Rules-Requires-Root: no
+
+Package: gpgconf
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Description: GNU privacy guard - core configuration utilities
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains core utilities used by different tools in the
+ suite offered by GnuPG.  It can be used to programmatically edit
+ config files for tools in the GnuPG suite, to launch or terminate
+ per-user daemons (if installed), etc.
+
+Package: gnupg-agent
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gpg-agent (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - cryptographic agent (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package; please use gpg-agent instead.
+
+Package: gpg-agent
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ pinentry-curses | pinentry,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ scdaemon,
+Replaces:
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg-agent (<< 2.1.21-4),
+Provides:
+ gnupg-agent,
+Description: GNU privacy guard - cryptographic agent
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the agent program gpg-agent which handles all
+ secret key material for OpenPGP and S/MIME use.  The agent also
+ provides a passphrase cache, which is used by pre-2.1 versions of
+ GnuPG for OpenPGP operations.  Without this package, trying to do
+ secret-key operations with any part of the modern GnuPG suite will
+ fail.
+
+Package: gpg-wks-server
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service server
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG server for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: gpg-wks-client
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ dirmngr (= ${binary:Version}),
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service client
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG client for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: scdaemon
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Enhances:
+ gpg-agent,
+Description: GNU privacy guard - smart card support
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the smart card program scdaemon, which is used
+ by gpg-agent to access OpenPGP smart cards.
+
+Package: gpgsm
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Description: GNU privacy guard - S/MIME version
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the gpgsm program. gpgsm is a tool to provide
+ digital encryption and signing services on X.509 certificates and the
+ CMS protocol. gpgsm includes complete certificate management.
+
+Package: gpg
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg (<< 2.1.21-4),
+Replaces:
+ gnupg (<< 2.1.21-4),
+Description: GNU Privacy Guard -- minimalist public key operations
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains /usr/bin/gpg itself, and is useful on its own
+ only for public key operations (encryption, signature verification,
+ listing OpenPGP certificates, etc).  If you want full capabilities
+ (including secret key operations, network access, etc), please
+ install the "gnupg" package, which pulls in the full suite of tools.
+
+Package: gnupg
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ dirmngr (<< ${source:Version}.1~),
+ dirmngr (>= ${source:Version}),
+ gnupg-l10n (= ${source:Version}),
+ gnupg-utils (<< ${source:Version}.1~),
+ gnupg-utils (>= ${source:Version}),
+ gpg (<< ${source:Version}.1~),
+ gpg (>= ${source:Version}),
+ gpg-agent (<< ${source:Version}.1~),
+ gpg-agent (>= ${source:Version}),
+ gpg-wks-client (<< ${source:Version}.1~),
+ gpg-wks-client (>= ${source:Version}),
+ gpg-wks-server (<< ${source:Version}.1~),
+ gpg-wks-server (>= ${source:Version}),
+ gpgsm (<< ${source:Version}.1~),
+ gpgsm (>= ${source:Version}),
+ gpgv (<< ${source:Version}.1~),
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ ${shlibs:Recommends},
+Suggests:
+ parcimonie,
+ xloadimage,
+Breaks:
+ debsig-verify (<< 0.15),
+ dirmngr (<< ${binary:Version}),
+ gnupg2 (<< 2.1.11-7+exp1),
+ libgnupg-interface-perl (<< 0.52-3),
+ libgnupg-perl (<= 0.19-1),
+ libmail-gnupg-perl (<= 0.22-1),
+ monkeysphere (<< 0.38~),
+ php-crypt-gpg (<= 1.4.1-1),
+ python-apt (<= 1.1.0~beta4),
+ python-gnupg (<< 0.3.8-3),
+ python3-apt (<= 1.1.0~beta4),
+Replaces:
+ gnupg2 (<< 2.1.11-7+exp1),
+Description: GNU privacy guard - a free PGP replacement
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the full suite of GnuPG tools for cryptographic
+ communications and data storage.
+
+Package: gnupg2
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gnupg (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package that provides symlinks from gpg2
+ to gpg.
+
+Package: gpgv
+Architecture: any
+Priority: important
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+ python-debian (<< 0.1.29),
+Replaces:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+Suggests:
+ gnupg,
+Description: GNU privacy guard - signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is actually a stripped-down version of gpg which is only able
+ to check signatures. It is somewhat smaller than the fully-blown gpg
+ and uses a different (and simpler) way to check that the public keys
+ used to make the signature are valid. There are no configuration
+ files and only a few options are implemented.
+
+Package: gpgv2
+Section: oldlibs
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - signature verification tool (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.  gpgv
+ is a stripped-down version of gpg which is only able to check
+ signatures.
+ .
+ This is a dummy transitional package that provides symlinks from gpgv2
+ to gpgv.
+
+Package: dirmngr
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ adduser,
+ gpgconf (= ${binary:Version}),
+ lsb-base (>= 3.2-13),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Enhances:
+ gpg,
+ gpgsm,
+ squid,
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ tor,
+Description: GNU privacy guard - network certificate management service
+ dirmngr is a server for managing and downloading OpenPGP and X.509
+ certificates, as well as updates and status signals related to those
+ certificates.  For OpenPGP, this means pulling from the public
+ HKP/HKPS keyservers, or from LDAP servers.  For X.509 this includes
+ Certificate Revocation Lists (CRLs) and Online Certificate Status
+ Protocol updates (OCSP).  It is capable of using Tor for network
+ access.
+ .
+ dirmngr is used for network access by gpg, gpgsm, and dirmngr-client,
+ among other tools.  Unless this package is installed, the parts of
+ the GnuPG suite that try to interact with the network will fail.
+
+Package: gpgv-udeb
+Package-Type: udeb
+Section: debian-installer
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: minimal signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, packaged in minimal
+ form for use in debian-installer.
+
+Package: gpgv-static
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ debian-archive-keyring,
+ debootstrap,
+Description: minimal signature verification tool (static build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, built statically
+ so that it can be directly used on any platform that is running on
+ the Linux kernel.  Android and ChromeOS are two well known examples,
+ but there are many other platforms that this will work for, like
+ embedded Linux OSes.  This gpgv in combination with debootstrap and
+ the Debian archive keyring allows the secure creation of chroot
+ installs on these platforms by using the full Debian signature
+ verification that is present in all official Debian mirrors.
+
+Package: gpgv-win32
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Suggests:
+ wine,
+Description: GNU privacy guard - signature verification tool (win32 build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is a stripped-down version of gnupg which is only able to check
+ signatures.  It is smaller than the full-blown gnupg and uses a
+ different (and simpler) way to check that the public keys used to
+ make the signature are trustworthy.
+ .
+ This is a win32 version of gpgv.  It's meant to be used by the win32-loader
+ component of Debian-Installer.
+
+Package: gnupg-l10n
+Section: localization
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Enhances:
+ dirmngr,
+ gpg,
+ gpg-agent,
+Breaks:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Replaces:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Description: GNU privacy guard - localization files
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This package contains the translation files for the use of GnuPG in
+ non-English locales.
+
+Package: gnupg-utils
+Architecture: any
+Multi-Arch: foreign
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gpg,
+ gpg-agent,
+ gpgconf,
+ gpgsm,
+Description: GNU privacy guard - utility programs
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains several useful utilities for manipulating
+ OpenPGP data and other related cryptographic elements.  It includes:
+ .
+  * addgnupghome -- create .gnupg home directories
+  * applygnupgdefaults -- run gpgconf --apply-defaults for all users
+  * gpgcompose -- an experimental tool for constructing arbitrary
+                  sequences of OpenPGP packets (e.g. for testing)
+  * gpgparsemail -- parse an e-mail message into annotated format
+  * gpgsplit -- split a sequence of OpenPGP packets into files
+  * gpgtar -- encrypt or sign files in an archive
+  * kbxutil -- list, export, import Keybox data
+  * lspgpot -- convert PGP ownertrust values to GnuPG
+  * migrate-pubring-from-classic-gpg -- use only "modern" formats
+  * symcryptrun -- use simple symmetric encryption tool in GnuPG framework
+  * watchgnupg -- watch socket-based logs
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..fa0ce87
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,253 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GnuPG - The GNU Privacy Guard (modern version)
+Upstream-Contact: GnuPG development mailing list <gnupg-devel@gnupg.org>
+Source: https://gnupg.org/download/
+
+Files: *
+Copyright: 1992, 1995-2020, Free Software Foundation, Inc
+License: GPL-3+
+
+Files: agent/command.c
+ agent/command-ssh.c
+ agent/gpg-agent.c
+ common/homedir.c
+ common/sysutils.c
+ g10/mainproc.c
+Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc
+  2013, Werner Koch
+License: GPL-3+
+
+Files: autogen.sh
+Copyright: 2003, g10 Code GmbH
+License: permissive
+
+Files: common/gc-opt-flags.h
+ common/i18n.h
+ tools/clean-sat.c
+ tools/no-libgcrypt.c
+Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc
+License: permissive
+
+Files: common/localename.c
+Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc.
+License: LGPL-2.1+
+
+Files: dirmngr/dns.c
+ dirmngr/dns.h
+Copyright: 2008-2010, 2012-2016 William Ahern
+License: Expat
+
+Files: doc/yat2m.c
+ scd/app-geldkarte.c
+Copyright: 2004, 2005, g10 Code GmbH
+  2006, 2008, 2009, 2011, Free Software Foundation, Inc
+License: GPL-3+
+
+Files: scd/ccid-driver.h
+ scd/ccid-driver.c
+Copyright: 2003-2007, Free Software Foundation, Inc
+License: GPL-3+ or BSD-3-clause
+
+Files: tools/rfc822parse.c
+ tools/rfc822parse.h
+Copyright: 1999-2000, Werner Koch, Duesseldorf
+  2003-2004, g10 Code GmbH
+License: LGPL-3+
+
+Files: tools/sockprox.c
+Copyright: 2007, g10 Code GmbH
+License: GPL-3+
+
+Files: doc/OpenPGP
+Copyright: 1998-2013 Free Software Foundation, Inc.
+           1997, 1998, 2013 Werner Koch
+           1998 The Internet Society
+License: RFC-Reference
+
+Files: tests/gpgscm/*
+Copyright: 2000, Dimitrios Souflis
+           2016, Justus Winter, Werner Koch
+License: TinySCHEME
+
+Files: debian/*
+Copyright: 1998-2022 Debian GnuPG packagers, including
+ Eric Dorland <eric@debian.org>
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ NIIBE Yutaka <gniibe@fsij.org>
+License: GPL-3+
+
+Files: debian/org.gnupg.scdaemon.metainfo.xml
+Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Comment: This file is licensed permissively for the sake of AppStream
+License: CC0-1.0
+
+License: TinySCHEME
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ Neither the name of Dimitrios Souflis nor the names of the
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+License: permissive
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+ .
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.
+
+License: RFC-Reference
+ doc/OpenPGP merely cites and references IETF Draft
+ draft-ietf-openpgp-formats-07.txt. This is believed to be fair use;
+ but if not, it's covered by the source document's license under
+ the 'comment on' clause. The license statement follows.
+ .
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works.  However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+ .
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+
+License: GPL-3+
+ GnuPG is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ GnuPG is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+
+License: LGPL-3+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 3 of
+ the License, or (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU Lesser General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/LGPL-3'.
+
+License: LGPL-2.1+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of
+ the License, or (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU Lesser General Public
+ License version 2.1 can be found in the file
+ `/usr/share/common-licenses/LGPL-2.1'.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, and the entire permission notice in its entirety,
+    including the disclaimer of warranties.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ 3. The name of the author may not be used to endorse or promote
+    products derived from this software without specific prior
+    written permission.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to permit
+ persons to whom the Software is furnished to do so, subject to the
+ following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+ USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+License: CC0-1.0
+ To the extent possible under law, the author(s) have dedicated all
+ copyright and related and neighboring rights to this software to the public
+ domain worldwide. This software is distributed without any warranty.
+ .
+ On Debian systems, the complete text of the CC0 license, version 1.0,
+ can be found in /usr/share/common-licenses/CC0-1.0.
diff --git a/debian/dirmngr.README.Debian b/debian/dirmngr.README.Debian
new file mode 100644
index 0000000..099240a
--- /dev/null
+++ b/debian/dirmngr.README.Debian
@@ -0,0 +1,47 @@
+dirmngr system integration
+==========================
+
+Since 2.1.x, gpg and most related processes will auto-launch dirmngr
+if needed.  These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have a dirmngr
+process launched automatically by systemd's user session, upon first
+access of the standard socket.  systemd will also cleanly tear this
+process down at session logout.
+
+Users who don't want systemd to manage their dirmngr in this way for
+all future sessions should do:
+
+    systemctl --user mask --now dirmngr.socket
+
+Doing this means that dirmngr will fall back to its manual mode of
+operation.  (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the dirmngr.socket
+unit.
+
+Manual dirmngr startup and teardown
+===================================
+
+Any user who wants to launch dirmngr manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+   gpgconf --launch dirmngr
+
+If dirmngr is launched manually or automatically (but not supervised
+by systemd), you also probably want to ensure that it terminates when
+your session ends with:
+
+   gpgconf --kill dirmngr
+
+If you're not using systemd, you may wish to add this command to your
+session logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:49:45 -0500
diff --git a/debian/dirmngr.docs b/debian/dirmngr.docs
new file mode 100644
index 0000000..61e3257
--- /dev/null
+++ b/debian/dirmngr.docs
@@ -0,0 +1,5 @@
+AUTHORS
+NEWS
+THANKS
+TODO
+doc/KEYSERVER
diff --git a/debian/dirmngr.install b/debian/dirmngr.install
new file mode 100644
index 0000000..4bd9ed2
--- /dev/null
+++ b/debian/dirmngr.install
@@ -0,0 +1,6 @@
+debian/tmp/usr/bin/dirmngr
+debian/tmp/usr/bin/dirmngr-client
+debian/tmp/usr/lib/gnupg/dirmngr_ldap
+debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
+doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
+doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
diff --git a/debian/dirmngr.maintscript b/debian/dirmngr.maintscript
new file mode 100644
index 0000000..aa11aa5
--- /dev/null
+++ b/debian/dirmngr.maintscript
@@ -0,0 +1,5 @@
+rm_conffile /etc/default/dirmngr
+rm_conffile /etc/dirmngr/dirmngr.conf
+rm_conffile /etc/dirmngr/ldapservers.conf
+rm_conffile /etc/init.d/dirmngr
+rm_conffile /etc/logrotate.d/dirmngr
diff --git a/debian/dirmngr.manpages b/debian/dirmngr.manpages
new file mode 100644
index 0000000..93702d9
--- /dev/null
+++ b/debian/dirmngr.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/dirmngr-client.1
+debian/tmp/usr/share/man/man8/dirmngr.8
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..cb11b4d
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,38 @@
+[DEFAULT]
+debian-branch = debian/unstable
+pristine-tar = True
+upstream-vcs-tag = gnupg-%(version)s
+
+[import-orig]
+filter = [
+ 'aclocal.m4',
+ 'build-aux/compile',
+ 'build-aux/config.rpath',
+ 'build-aux/depcomp',
+ 'build-aux/install-sh',
+ 'build-aux/missing',
+ 'build-aux/mkinstalldirs',
+ 'build-aux/texinfo.tex',
+ 'config.h.in',
+ 'configure',
+ 'doc/gnupg.info*',
+ 'INSTALL',
+ 'm4/iconv.m4',
+ 'm4/intdiv0.m4',
+ 'm4/intl.m4',
+ 'm4/lock.m4',
+ 'm4/printf-posix.m4',
+ 'm4/size_max.m4',
+ 'm4/uintmax_t.m4',
+ 'm4/wint_t.m4',
+ '*/*/Makefile.in',
+ '*/Makefile.in',
+ 'Makefile.in',
+ 'po/*.gmo',
+ 'po/Makefile.in.in',
+ 'po/stamp-po',
+ ]
+filter-pristine-tar = False
+
+[pq]
+patch-numbers = False
diff --git a/debian/gnupg-l10n.install b/debian/gnupg-l10n.install
new file mode 100644
index 0000000..a84f37d
--- /dev/null
+++ b/debian/gnupg-l10n.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/gnupg/help.*.txt
+debian/tmp/usr/share/gnupg/help.txt
+debian/tmp/usr/share/locale
diff --git a/debian/gnupg-l10n.lintian-overrides b/debian/gnupg-l10n.lintian-overrides
new file mode 100644
index 0000000..1981842
--- /dev/null
+++ b/debian/gnupg-l10n.lintian-overrides
@@ -0,0 +1,2 @@
+# these files are how GnuPG distributes localized help text
+gnupg-l10n: package-contains-documentation-outside-usr-share-doc [usr/share/gnupg/help.*txt]
diff --git a/debian/gnupg-utils.install b/debian/gnupg-utils.install
new file mode 100644
index 0000000..5c764d4
--- /dev/null
+++ b/debian/gnupg-utils.install
@@ -0,0 +1,11 @@
+build-maintainer/g10/gpgcompose usr/bin
+build/tools/gpg-zip usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
+debian/tmp/usr/bin/gpgparsemail
+debian/tmp/usr/bin/gpgtar
+debian/tmp/usr/bin/gpgsplit
+debian/tmp/usr/bin/kbxutil
+debian/tmp/usr/bin/watchgnupg
+debian/tmp/usr/sbin/addgnupghome
+debian/tmp/usr/sbin/applygnupgdefaults
+tools/lspgpot usr/bin
diff --git a/debian/gnupg-utils.manpages b/debian/gnupg-utils.manpages
new file mode 100644
index 0000000..e65e4ff
--- /dev/null
+++ b/debian/gnupg-utils.manpages
@@ -0,0 +1,11 @@
+debian/gpg-zip.1
+debian/gpgcompose.1
+debian/gpgsplit.1
+debian/kbxutil.1
+debian/lspgpot.1
+debian/migrate-pubring-from-classic-gpg.1
+debian/tmp/usr/share/man/man1/gpgparsemail.1
+debian/tmp/usr/share/man/man1/gpgtar.1
+debian/tmp/usr/share/man/man1/watchgnupg.1
+debian/tmp/usr/share/man/man8/addgnupghome.8
+debian/tmp/usr/share/man/man8/applygnupgdefaults.8
diff --git a/debian/gnupg.README.Debian b/debian/gnupg.README.Debian
new file mode 100644
index 0000000..24944d3
--- /dev/null
+++ b/debian/gnupg.README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+  * supporting daemons are auto-launched as needed
+
+  * all access to secret key material is handled by gpg-agent
+
+  * all smartcard access is handled by scdaemon
+
+  * all network access is handled by dirmngr
+
+  * PGPv3 keys are no longer supported
+
+  * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+    instead in $GNUPGHOME/private-keys-v1.d/
+
+  * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+    default for new users.  Upgrading users will continue to use
+    pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+   gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however.  If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 18 Apr 2016 19:08:36 -0400
diff --git a/debian/gnupg.docs b/debian/gnupg.docs
new file mode 100644
index 0000000..66384bb
--- /dev/null
+++ b/debian/gnupg.docs
@@ -0,0 +1,4 @@
+debian/tmp/usr/share/doc/gnupg/*
+NEWS
+THANKS
+TODO
diff --git a/debian/gnupg.info b/debian/gnupg.info
new file mode 100644
index 0000000..e4baa0f
--- /dev/null
+++ b/debian/gnupg.info
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/info/gnupg.info*
+doc/gnupg-card-architecture.png
+doc/gnupg-module-overview.png
diff --git a/debian/gnupg.manpages b/debian/gnupg.manpages
new file mode 100644
index 0000000..60f7ab7
--- /dev/null
+++ b/debian/gnupg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man7/gnupg.7
diff --git a/debian/gnupg2.links b/debian/gnupg2.links
new file mode 100644
index 0000000..96fde98
--- /dev/null
+++ b/debian/gnupg2.links
@@ -0,0 +1,2 @@
+usr/bin/gpg usr/bin/gpg2
+usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz
diff --git a/debian/gpg-agent.README.Debian b/debian/gpg-agent.README.Debian
new file mode 100644
index 0000000..f57d278
--- /dev/null
+++ b/debian/gpg-agent.README.Debian
@@ -0,0 +1,82 @@
+gpg-agent system integration
+============================
+
+Since 2.1.x, gpg and most related processes will auto-launch gpg-agent
+if needed.  These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have their gpg-agent
+process launched automatically by systemd's user session, upon first
+access of any of the expected gpg-agent sockets (including the ssh
+socket).  systemd will also cleanly tear this process down at session
+logout.
+
+If dbus-user-session and pinentry-gnome3 packages are installed, then
+all user interaction with this systemd-managed gpg-agent process
+(e.g. prompting for passwords or confirmations, etc) will take place
+over the d-bus session, for better integration with graphical
+environments like GNOME.
+
+Users who don't want systemd to manage their gpg-agent in this way for
+all future sessions should do:
+
+    systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
+
+Doing this means that gpg-agent will fall back to its manual mode of
+operation.  (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the gpg-agent*.socket
+units.
+
+ssh-agent emulation
+===================
+
+gpg-agent offers an ssh-agent emulation which can be achieved by
+setting the environment variable SSH_AUTH_SOCK to:
+
+    /run/user/$(id -u)/gnupg/S.gpg-agent.ssh
+
+(replace $(id -u) with the user's numeric user ID, of course). 
+
+But ssh doesn't have a way to tell ssh-agent how to prompt the user
+when necessary; the systemd-managed gpg-agent process will only know
+how to prompt the user if you have dbus-user-session and
+pinentry-gnome3 installed.  This is the recommended configuration for
+gpg-agent's ssh-agent emulation on desktop machines running systemd,
+and doesn't need any additional configuration.
+
+However, if dbus-user-session and pinentry-gnome3 are not in use, by
+default the systemd-managed gpg-agent will not know how to get
+feedback from the user when a request is first received by ssh.  You
+can give it a hint for all future ssh connections by running:
+
+    gpg-connect-agent updatestartuptty /bye
+
+You may wish to do this in the login scripts for your user session if
+you run systemd without dbus-user-session and pinentry-gnome3, and you
+plan to use gpg-agent's ssh-agent emulation.
+
+Manual gpg-agent startup and teardown
+=====================================
+
+Any user who wants to launch gpg-agent manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+    gpgconf --launch gpg-agent
+
+If gpg-agent is launched manually or automatically (but not supervised
+by systemd), you probably want to ensure that it terminates when your
+session ends with:
+
+    gpgconf --kill gpg-agent
+
+If you're not using systemd, you may wish to add this to your session
+logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:56:08 -0500
diff --git a/debian/gpg-agent.examples b/debian/gpg-agent.examples
new file mode 100644
index 0000000..34213be
--- /dev/null
+++ b/debian/gpg-agent.examples
@@ -0,0 +1,2 @@
+doc/examples/pwpattern.list
+doc/examples/trustlist.txt
diff --git a/debian/gpg-agent.install b/debian/gpg-agent.install
new file mode 100644
index 0000000..ae93fb5
--- /dev/null
+++ b/debian/gpg-agent.install
@@ -0,0 +1,11 @@
+debian/Xsession.d/90gpg-agent etc/X11/Xsession.d
+debian/systemd-environment-generator/90gpg-agent usr/lib/systemd/user-environment-generators
+debian/tmp/usr/bin/gpg-agent
+debian/tmp/usr/lib/gnupg/gpg-check-pattern
+debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
+debian/tmp/usr/lib/gnupg/gpg-protect-tool
+doc/examples/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user
diff --git a/debian/gpg-agent.links b/debian/gpg-agent.links
new file mode 100644
index 0000000..2927701
--- /dev/null
+++ b/debian/gpg-agent.links
@@ -0,0 +1,2 @@
+usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase
+usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool
diff --git a/debian/gpg-agent.lintian-overrides b/debian/gpg-agent.lintian-overrides
new file mode 100644
index 0000000..245cdf3
--- /dev/null
+++ b/debian/gpg-agent.lintian-overrides
@@ -0,0 +1,3 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-agent: spare-manual-page [usr/share/man/man1/gpg-check-pattern.1.gz]
+gpg-agent: spare-manual-page [usr/share/man/man1/gpg-preset-passphrase.1.gz]
diff --git a/debian/gpg-agent.logcheck.ignore.server b/debian/gpg-agent.logcheck.ignore.server
new file mode 100644
index 0000000..6de7991
--- /dev/null
+++ b/debian/gpg-agent.logcheck.ignore.server
@@ -0,0 +1,11 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+
diff --git a/debian/gpg-agent.manpages b/debian/gpg-agent.manpages
new file mode 100644
index 0000000..81c4882
--- /dev/null
+++ b/debian/gpg-agent.manpages
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/man/man1/gpg-agent.1
+debian/tmp/usr/share/man/man1/gpg-check-pattern.1
+debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1
diff --git a/debian/gpg-wks-client.install b/debian/gpg-wks-client.install
new file mode 100644
index 0000000..1b331dd
--- /dev/null
+++ b/debian/gpg-wks-client.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/gnupg/gpg-wks-client
diff --git a/debian/gpg-wks-client.lintian-overrides b/debian/gpg-wks-client.lintian-overrides
new file mode 100644
index 0000000..cdab923
--- /dev/null
+++ b/debian/gpg-wks-client.lintian-overrides
@@ -0,0 +1,2 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-wks-client: spare-manual-page [usr/share/man/man1/gpg-wks-client.1.gz]
diff --git a/debian/gpg-wks-client.manpages b/debian/gpg-wks-client.manpages
new file mode 100644
index 0000000..e600ad3
--- /dev/null
+++ b/debian/gpg-wks-client.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-client.1
diff --git a/debian/gpg-wks-server.install b/debian/gpg-wks-server.install
new file mode 100644
index 0000000..c18c2e7
--- /dev/null
+++ b/debian/gpg-wks-server.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg-wks-server
diff --git a/debian/gpg-wks-server.manpages b/debian/gpg-wks-server.manpages
new file mode 100644
index 0000000..1469434
--- /dev/null
+++ b/debian/gpg-wks-server.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-server.1
diff --git a/debian/gpg-zip.1 b/debian/gpg-zip.1
new file mode 100644
index 0000000..c20f770
--- /dev/null
+++ b/debian/gpg-zip.1
@@ -0,0 +1,106 @@
+.TH "GPG\-ZIP" 1 "November 2006"
+
+.SH NAME
+gpg\-zip \- encrypt or sign files into an archive
+
+.SH SYNOPSIS
+.B gpg\-zip
+.RB [ OPTIONS ]
+.IR filename1 " [" "filename2, ..." ]
+.IR directory1 " [" "directory2, ..." ]
+
+.SH DESCRIPTION
+This manual page documents briefly the 
+.B gpg\-zip
+command.
+.PP
+.B gpg\-zip
+IS DEPRECATED.  PLEASE USE gpgtar(1) instead.
+.PP
+.B gpg\-zip
+encrypts or signs files into an archive. It is an gpg-ized tar using the
+same format as PGP's PGP Zip.
+
+.SH OPTIONS
+.TP
+.BR \-e ", " \-\-encrypt
+Encrypt data. This option may be combined with 
+.B \-\-symmetric
+(for output that may be decrypted via a secret key or a passphrase).
+.TP
+.BR \-d ", " \-\-decrypt
+Decrypt data.
+.TP
+.BR \-c ", " \-\-symmetric
+Encrypt with a symmetric cipher using a passphrase.  The default
+symmetric cipher used is CAST5, but may be chosen with the
+.B \-\-cipher\-algo
+option to
+.BR gpg (1).
+.TP
+.BR \-s ", " \-\-sign
+Make a signature. See
+.BR gpg (1).
+.TP
+.BR \-r ", " \-\-recipient " \fIUSER\fR"
+Encrypt for user id \fIUSER\fR. See
+.BR gpg (1).
+.TP
+.BR \-u ", " \-\-local\-user " \fIUSER\fR"
+Use \fIUSER\fR as the key to sign with. See
+.BR gpg (1).
+.TP
+.B \-\-list\-archive
+List the contents of the specified archive.
+.TP
+.BR \-o ", " \-\-output " " \fIFILE\fR"
+Write output to specified file
+.IR FILE .
+.TP
+.BI \-\-gpg " GPG"
+Use the specified command instead of
+.BR gpg .
+.TP
+.BI \-\-gpg\-args " ARGS"
+Pass the specified options to
+.BR gpg (1).
+.TP
+.BI \-\-tar " TAR"
+Use the specified command instead of
+.BR tar .
+.TP
+.BI \-\-tar\-args " ARGS"
+Pass the specified options to 
+.BR tar (1).
+.TP
+.BR \-h ", " \-\-help
+Output a short usage information.
+.TP
+.B \-\-version
+Output the program version.
+
+.SH DIAGNOSTICS
+The program returns \fB0\fR if everything was fine, \fB1\fR otherwise.
+
+.SH EXAMPLES
+Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR:
+.IP
+.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs
+.PP
+List the contents of archive \fItest1\fR:
+.IP
+.B gpg\-zip \-\-list\-archive test1
+
+.SH SEE ALSO
+.BR gpg (1),
+.BR gpgtar (1),
+.BR tar (1)
+
+.SH AUTHOR
+Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to
+<\&bug-gnupg@gnu.org\&>.
+
+This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&>
+and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian
+distribution (but may be used by others).
+
diff --git a/debian/gpg.install b/debian/gpg.install
new file mode 100644
index 0000000..0b53564
--- /dev/null
+++ b/debian/gpg.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg
diff --git a/debian/gpg.manpages b/debian/gpg.manpages
new file mode 100644
index 0000000..7c47415
--- /dev/null
+++ b/debian/gpg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg.1
diff --git a/debian/gpgcompose.1 b/debian/gpgcompose.1
new file mode 100644
index 0000000..f92fb05
--- /dev/null
+++ b/debian/gpgcompose.1
@@ -0,0 +1,56 @@
+.TH "gpgcompose" 1 "June 2017" 
+
+.SH NAME
+gpgcompose \- Generate a stream of OpenPGP packets
+
+.SH SYNOPSIS
+.B gpgcompose
+.RI [[ OPTION
+.RI [ ARGS ]]
+\&... ]
+
+.B gpgcompose --help
+
+.B gpgcompose
+.I OPTION
+.B --help
+
+.SH DESCRIPTION
+.B gpgcompose
+generates a stream of OpenPGP packets, including some which can
+include other nested packets within a layer of encryption.  The syntax
+on the command line isn't stable enough to document currently, but
+additional hints and examples can be found from the command line using
+.BR \-\-help .
+
+.SH EXTERNAL DEPENDENCIES
+
+.B gpgcompose
+is not capable of performing secret key operations on its own.
+Creation of any OpenPGP object that requires secret key operations
+(e.g.,
+.BR \-\-signature )
+will need to speak to an already-running
+.BR gpg-agent .
+
+.SH FILES
+
+Occasionally,
+.B gpgcompose
+will need to look up existing public keys for reference (e.g.,
+.BR \-\-public-key ).
+It will do so in
+.BR ~/.gnupg/keyring.kbx,
+or in
+.B $GNUPGHOME/keyring.kbx
+if that variable is set.
+
+.SH SEE ALSO
+
+RFC 4880, gpg(1), gpg-agent(1), gpg-connect-agent(1)
+
+.SH AUTHOR
+gpgcompose is copyright (C) 2016, g10 Code GmbH.
+
+This manpage was written by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
+
diff --git a/debian/gpgconf.examples b/debian/gpgconf.examples
new file mode 100644
index 0000000..3e74b94
--- /dev/null
+++ b/debian/gpgconf.examples
@@ -0,0 +1 @@
+doc/examples/gpgconf.conf
diff --git a/debian/gpgconf.install b/debian/gpgconf.install
new file mode 100644
index 0000000..398d8a6
--- /dev/null
+++ b/debian/gpgconf.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/bin/gpg-connect-agent
+debian/tmp/usr/bin/gpgconf
+debian/tmp/usr/share/gnupg/distsigkey.gpg
diff --git a/debian/gpgconf.manpages b/debian/gpgconf.manpages
new file mode 100644
index 0000000..70bb0d7
--- /dev/null
+++ b/debian/gpgconf.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/gpg-connect-agent.1
+debian/tmp/usr/share/man/man1/gpgconf.1
diff --git a/debian/gpgsm.install b/debian/gpgsm.install
new file mode 100644
index 0000000..8822607
--- /dev/null
+++ b/debian/gpgsm.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgsm
diff --git a/debian/gpgsm.manpages b/debian/gpgsm.manpages
new file mode 100644
index 0000000..ad6a686
--- /dev/null
+++ b/debian/gpgsm.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgsm.1
diff --git a/debian/gpgsplit.1 b/debian/gpgsplit.1
new file mode 100644
index 0000000..116ce89
--- /dev/null
+++ b/debian/gpgsplit.1
@@ -0,0 +1,41 @@
+.TH "gpgsplit" 1 "December 2005" 
+
+.SH NAME
+gpgsplit \- Split an OpenPGP message into packets
+
+.SH SYNOPSIS
+.B gpgsplit 
+.RI [ OPTIONS ]
+.RI [ FILES ]
+
+.SH DESCRIPTION
+This manual page documents briefly the 
+.B gpgsplit
+command.
+.PP
+.B gpgsplit
+splits an OpenPGP message into packets.
+
+.SH OPTIONS
+.TP
+.BR \-v , \-\-verbose
+Verbose.
+.TP
+.BR \-p , "\-\-prefix " \fISTRING\fR
+Prepend filenames with \fISTRING\fR.
+.TP
+.B \-\-uncompress
+Uncompress a packet.
+.TP
+.B \-\-secret\-to\-public
+Convert secret keys to public keys.
+.TP
+.B \-\-no\-split
+Write to stdout and don't actually split.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/gpgv-static.1 b/debian/gpgv-static.1
new file mode 100644
index 0000000..c8dcc1a
--- /dev/null
+++ b/debian/gpgv-static.1
@@ -0,0 +1,32 @@
+.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1"
+
+.SH NAME
+gpgv-static - Verify OpenPGP signatures (static build)
+
+.SH SYNOPSIS
+.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP
+
+.SH DESCRIPTION
+\fBgpgv\fR is an OpenPGP signature verification tool.
+
+\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be
+directly used on any platform that is running on the Linux kernel,
+such as Android, ChromeOS, or many embedded Linux systems.
+
+This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and
+the Debian archive keyring allows the secure creation of chroot
+installs on these platforms by using the full Debian signature
+verification that is present in all official Debian mirrors.
+
+You may wish to re-name the binary to plain \fBgpgv\fR when
+transferring it into such a platform to create a chroot.
+
+Please read the documentation for \fBgpgv\fR for more details.
+
+.SH SEE ALSO
+\fBgpg\fR(1)
+
+.SH AUTHOR
+This manual page was written by Daniel Kahn Gillmor
+<dkg@fifthhorseman.net> for the Debian project, but may be used by
+others under the same license as GnuPG itself.
diff --git a/debian/gpgv-static.install b/debian/gpgv-static.install
new file mode 100644
index 0000000..adb6deb
--- /dev/null
+++ b/debian/gpgv-static.install
@@ -0,0 +1 @@
+build-gpgv-static/g10/gpgv-static usr/bin/
diff --git a/debian/gpgv-static.lintian-overrides b/debian/gpgv-static.lintian-overrides
new file mode 100644
index 0000000..dc0fd02
--- /dev/null
+++ b/debian/gpgv-static.lintian-overrides
@@ -0,0 +1,3 @@
+# gpgv-static is deliberately built statically.  We cannot avoid
+# embedding zlib.
+gpgv-static: embedded-library zlib [usr/bin/gpgv-static]
diff --git a/debian/gpgv-static.manpages b/debian/gpgv-static.manpages
new file mode 100644
index 0000000..e3f73aa
--- /dev/null
+++ b/debian/gpgv-static.manpages
@@ -0,0 +1 @@
+debian/gpgv-static.1
diff --git a/debian/gpgv-udeb.install b/debian/gpgv-udeb.install
new file mode 100644
index 0000000..fe27533
--- /dev/null
+++ b/debian/gpgv-udeb.install
@@ -0,0 +1 @@
+build-gpgv-udeb/g10/gpgv usr/bin/
diff --git a/debian/gpgv-win32.install b/debian/gpgv-win32.install
new file mode 100644
index 0000000..cf3cd8c
--- /dev/null
+++ b/debian/gpgv-win32.install
@@ -0,0 +1 @@
+build-gpgv-win32/g10/gpgv.exe usr/share/win32
diff --git a/debian/gpgv.install b/debian/gpgv.install
new file mode 100644
index 0000000..0a9f9a2
--- /dev/null
+++ b/debian/gpgv.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgv
diff --git a/debian/gpgv.manpages b/debian/gpgv.manpages
new file mode 100644
index 0000000..86a9e29
--- /dev/null
+++ b/debian/gpgv.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgv.1
diff --git a/debian/gpgv2.links b/debian/gpgv2.links
new file mode 100644
index 0000000..5107429
--- /dev/null
+++ b/debian/gpgv2.links
@@ -0,0 +1,2 @@
+usr/bin/gpgv usr/bin/gpgv2
+usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
diff --git a/debian/kbxutil.1 b/debian/kbxutil.1
new file mode 100644
index 0000000..d59f1fe
--- /dev/null
+++ b/debian/kbxutil.1
@@ -0,0 +1,62 @@
+.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+kbxutil \- List, export, import Keybox data
+
+.SH SYNOPSIS
+.B kbxutil
+.RB [ OPTIONS ]
+.RB [ FILES ]
+
+.SH DESCRIPTION
+List, export, import Keybox data
+
+.SH COMMANDS
+.TP
+.B \-\-stats
+show key statistics
+.TP
+.B \-\-import\-openpgp
+import OpenPGP keyblocks
+.TP
+.B \-\-find\-dups
+find duplicates
+.TP
+.B \-\-cut
+export records
+
+.SH OPTIONS
+.TP
+.BI \-\-from " N"
+first record to export
+.TP
+.BI \-\-to " N"
+last record to export
+.TP
+.BR \-v ", " \-\-verbose
+verbose
+.TP
+.BR \-q ", " \-\-quiet
+be somewhat more quiet
+.TP
+.BR \-n ", " \-\-dry\-run
+do not make any changes
+.TP
+.B \-\-debug
+set debugging flags
+.TP
+.B \-\-debug\-all
+enable full debugging
+
+.SH BUGS
+Please report bugs to <https://dev.gnupg.org>.
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/debian/lspgpot.1 b/debian/lspgpot.1
new file mode 100644
index 0000000..ba27eca
--- /dev/null
+++ b/debian/lspgpot.1
@@ -0,0 +1,22 @@
+.TH "lspgpot" 1 "December 2005" 
+
+.SH NAME
+lspgpot - extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+
+.SH SYNOPSIS
+.B lspgpot
+
+
+.SH DESCRIPTION
+.B lspgpot
+extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/migrate-pubring-from-classic-gpg b/debian/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..ecbc8d9
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+set -e
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\  | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+    printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+    exit 1
+fi    
+
+usage() {
+    printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+    usage >&2
+    exit 1
+else
+    case "$1" in
+        --help|--usage|-h)
+            usage
+            exit
+            ;;
+        --default)
+            ;;
+        *)
+            GHD="$1"
+            ;;
+    esac
+fi
+
+GPG=("$GPG" --homedir "$GHD" --batch)
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+    printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+    exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+    mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+    printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+    exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"${GPG[@]}" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+
+revert() {
+    printf >&2 'Restoring pubring.gpg...\n'
+    cp "$BACKUP/pubring.gpg" "$GHD/pubring.gpg"
+}
+
+trap revert EXIT
+
+if ! "${GPG[@]}" --status-file "$BACKUP/import-status" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg" ; then
+    cat >&2 <<EOF
+Keyring import was not completely successful (see error message above,
+and the LIMITATIONS section of migrate-pubring-from-classic-gpg(1) for
+more details).
+
+If you suspect a bug in the migration script, please use:
+
+    reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg partial failure'
+
+And include the above output (redacted for privacy as needed) in the
+body of the report.
+
+Continuing with the rest of the migration anyway...
+EOF
+fi
+"${GPG[@]}" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"${GPG[@]}" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+    cat >&2 <<EOF
+No keybox was created at $GHD/pubring.kbx.  Something went wrong!
+
+Please report a bug in the migration script, using:
+
+    reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg no pubring.kbx ($BACKUP)'
+EOF
+    exit 1
+fi
+trap - EXIT
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2 
diff --git a/debian/migrate-pubring-from-classic-gpg.1 b/debian/migrate-pubring-from-classic-gpg.1
new file mode 100644
index 0000000..7cbeec7
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg.1
@@ -0,0 +1,94 @@
+.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016"
+
+.SH NAME
+migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG
+
+.SH SYNOPSIS
+.B migrate\-pubring\-from\-classic\-gpg
+.RB "[ " GPGHOMEDIR " | "
+.IR \-\-default " ]"
+
+.SH DESCRIPTION
+
+.B migrate\-pubring\-from\-classic\-gpg
+migrates the public keyring in GnuPG home directory GPGHOMEDIR from
+the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
+versions 2.1 or 2.2 (pubring.kbx).
+
+Specifying
+.B \-\-default
+selects the standard GnuPG home directory (looking at $GNUPGHOME
+first, and falling back to ~/.gnupg if unset.
+
+.SH OPTIONS
+.BR \-h ", " \-\-help ", " \-\-usage
+Output a short usage information.
+
+.SH DIAGNOSTICS
+The program sends quite a bit of text (perhaps too much) to stderr.
+
+During a migration, the tool backs up several pieces of data in a
+timestamped subdirectory of the GPGHOMEDIR.
+
+.SH LIMITATIONS
+The keybox format rejects a number of OpenPGP certificates that the
+"classic" keyring format used to accept.  These filters are defensive,
+since the certificates rejected are unsafe -- either cryptographically
+unsound, or dangerously non-performant.  This means that some
+migrations may produce warning messages about the migration being
+incomplete.  This is generally a good thing!
+
+Known limitations:
+
+.B Flooded certificates
+.RS 4
+Some OpenPGP certificates have been flooded with bogus certifications
+as part of an attack on the SKS keyserver network (see
+https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).
+
+The keybox format rejects import of any OpenPGP certificate larger
+than 5MiB.  As of GnuPG 2.2.17, if gpg encounters such a flooded
+certificate will retry the import while stripping all third-party
+certifications (see "self-sigs-only" in gpg(1)).
+
+The typical error message when migrating a keyring with a flooded
+certificate will be something like:
+
+.RE
+.RS 8
+error writing keyring 'pubring.kbx': Provided object is too large
+.RE
+
+.B OpenPGPv3 public keys (a.k.a. "PGP-2" keys)
+.RS 4
+Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
+Older versions of the public key format have serious known problems.
+See https://tools.ietf.org/html/rfc4880#section-5.5.2 for more details
+about and reasons for v3 key deprecation.
+
+The keybox format skips v3 keys entirely during migration, and GnuPG
+will produce a message like:
+
+.RE
+.RS 8
+skipped PGP-2 keys: 1
+.RE
+
+.SH ENVIRONMENT VARIABLES
+
+.B GNUPGHOME
+Selects the GnuPG home directory when set and --default is given.
+
+.B GPG
+The name of the
+.B gpg
+executable (defaults to
+.B gpg
+).
+
+.SH SEE ALSO
+.BR gpg (1)
+
+.SH AUTHOR
+Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
+report bugs via the Debian BTS.
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..a563837
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,2 @@
+usr/bin/gpgscm
+usr/share/man/man1/symcryptrun.1
diff --git a/debian/org.gnupg.scdaemon.metainfo.xml b/debian/org.gnupg.scdaemon.metainfo.xml
new file mode 100644
index 0000000..b96f232
--- /dev/null
+++ b/debian/org.gnupg.scdaemon.metainfo.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component>
+  <id>org.gnupg.scdaemon</id>
+  <metadata_license>CC0-1.0</metadata_license>
+  <name>scdaemon</name>
+  <summary>USB SmartCard Readers</summary>
+  <description>
+    <p>
+      GnuPG's scdaemon provides access to USB tokens and smartcard
+      readers that provide cryptographic functionality (e.g. use of
+      protected secret keys).
+    </p>
+  </description>
+  <provides>
+    <modalias>usb:v046Ap0005d*</modalias>
+    <modalias>usb:v046Ap0010d*</modalias>
+    <modalias>usb:v046Ap003Ed*</modalias>
+    <modalias>usb:v04E6p5111d*</modalias>
+    <modalias>usb:v04E6p5115d*</modalias>
+    <modalias>usb:v04E6p5116d*</modalias>
+    <modalias>usb:v04E6p5117d*</modalias>
+    <modalias>usb:v04E6pE001d*</modalias>
+    <modalias>usb:v04E6pE003d*</modalias>
+    <modalias>usb:v058Fp9540d*</modalias>
+    <modalias>usb:v076Bp3821d*</modalias>
+    <modalias>usb:v076Bp6622d*</modalias>
+    <modalias>usb:v08E6p3437d*</modalias>
+    <modalias>usb:v08E6p3438d*</modalias>
+    <modalias>usb:v08E6p3478d*</modalias>
+    <modalias>usb:v08E6p34C2d*</modalias>
+    <modalias>usb:v08E6p34ECd*</modalias>
+    <modalias>usb:v0BF8p1006d*</modalias>
+    <modalias>usb:v0C4Bp0500d*</modalias>
+    <modalias>usb:v0D46p2012d*</modalias>
+    <modalias>usb:v1050p0111d*</modalias>
+    <modalias>usb:v1050p0112d*</modalias>
+    <modalias>usb:v1050p0115d*</modalias>
+    <modalias>usb:v1050p0116d*</modalias>
+    <modalias>usb:v1050p0404d*</modalias>
+    <modalias>usb:v1050p0405d*</modalias>
+    <modalias>usb:v1050p0406d*</modalias>
+    <modalias>usb:v1050p0407d*</modalias>
+    <modalias>usb:v1A44p0920d*</modalias>
+    <modalias>usb:v1FC9p81E6d*</modalias>
+    <modalias>usb:v20A0p4107d*</modalias>
+    <modalias>usb:v20A0p4108d*</modalias>
+    <modalias>usb:v20A0p4109d*</modalias>
+    <modalias>usb:v20A0p4211d*</modalias>
+    <modalias>usb:v234Bp0000d*</modalias>
+    <modalias>usb:v316Dp4C4Bd*</modalias>
+    <modalias>usb:v1209p2440d*</modalias>
+  </provides>
+</component>
diff --git a/debian/package-dependencies.dot b/debian/package-dependencies.dot
new file mode 100644
index 0000000..8297f78
--- /dev/null
+++ b/debian/package-dependencies.dot
@@ -0,0 +1,73 @@
+#!/usr/bin/dot
+
+# interrelationships between binary packages produced by gnupg2 source
+# package:
+
+# it would be good to graph the external dependencies as well.
+
+digraph gnupg2 {
+        # odd-duck packages:
+        node [shape=box];
+        gpgv_udeb [label="gpgv-udeb"];
+        gpgv_static [label="gpgv-static"];
+        gpgv_win32 [label="gpgv-win32"];
+
+        # meta-packages, transitional packages:
+        node [shape=diamond];
+        gnupg_agent [label="gnupg-agent"];
+        gnupg;
+        gnupg2;
+        gpgv2;
+        
+
+        node [shape=ellipse];
+        gpg_agent [label="gpg-agent"];
+        gpg_wks_server [label="gpg-wks-server"];
+        gpg_wks_client [label="gpg-wks-client"];
+        gnupg_l10n [label="gnupg-l10n"];
+        gnupg_utils [label="gnupg-utils"];
+        
+        
+        # depends:
+        edge [color=black];
+        gnupg_agent -> gpg_agent;
+        gpg_agent -> gpgconf;
+        gpg_wks_server -> gpg;
+        gpg_wks_server -> gpg_agent;
+        gpg_wks_client -> gpg;
+        gpg_wks_client -> gpg_agent;
+        gpg_wks_client -> dirmngr;
+        scdaemon -> gpg_agent;
+        gpgsm -> gpgconf;
+        gpg -> gpgconf;
+        gnupg -> dirmngr;
+        gnupg -> gnupg_l10n;
+        gnupg -> gnupg_utils;
+        gnupg -> gpg;
+        gnupg -> gpg_agent;
+        gnupg -> gpg_wks_client;
+        gnupg -> gpg_wks_server;
+        gnupg -> gpgsm;
+        gnupg -> gpgv;
+        gnupg2 -> gnupg;
+        gpgv2 -> gpgv;
+        dirmngr -> gpgconf;
+        
+
+        # recommends:
+        edge [color=red];
+        gpg_agent -> gnupg;
+        gpg_wks_server -> gnupg;
+        gpg_wks_client -> gnupg;
+        gpgsm -> gnupg;
+        gpg -> gnupg;
+        dirmngr -> gnupg;
+        gnupg_utils -> gpg;
+        gnupg_utils -> gpg_agent;
+        gnupg_utils -> gpgconf;
+        gnupg_utils -> gpgsm;
+        
+        # suggests:
+        edge [color=blue];
+        gpgv -> gnupg;
+}
diff --git a/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
new file mode 100644
index 0000000..2deee94
--- /dev/null
+++ b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
@@ -0,0 +1,27 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 18 Nov 2018 17:29:52 -0500
+Subject: Make gpg-zip use tar from $PATH
+
+Apparently there is no clean way to configure this from ./configure,
+and upstream is deprecating gpg-zip anyway.  So just force-set tar to
+be manually "tar" (meaning, that we should look in the $PATH at
+runtime).
+
+See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582
+---
+ tools/gpg-zip.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in
+index 9047e36..3821f3a 100644
+--- a/tools/gpg-zip.in
++++ b/tools/gpg-zip.in
+@@ -23,7 +23,7 @@
+ # the GNU or POSIX variant of USTAR.
+ 
+ VERSION=@VERSION@
+-TAR=@TAR@
++TAR=tar
+ GPG=gpg
+ 
+ usage="\
diff --git a/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
new file mode 100644
index 0000000..cc9ee90
--- /dev/null
+++ b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
@@ -0,0 +1,71 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 11 Jul 2019 21:52:11 -0400
+Subject: Use hkps://keys.openpgp.org as the default keyserver
+
+As of 2.2.17, GnuPG will refuse to accept any third-party
+certifications from OpenPGP certificates pulled from the keyserver
+network.
+
+The SKS keyserver network currently has at least a dozen popular
+certificates which are flooded with enough unusable third-party
+certifications that they cannot be retrieved in any reasonable amount
+of time.
+
+The hkps://keys.openpgp.org keyserver installation offers HKPS,
+performs cryptographic validation, and by policy does not distribute
+third-party certifications anyway.
+
+It is not distributed or federated yet, unfortunately, but it is
+functional, which is more than can be said for the dying SKS pool.
+And given that GnuPG is going to reject all the third-party
+certifications anyway, there is no clear "web of trust" rationale for
+relying on the SKS pool.
+
+One sticking point is that keys.openpgp.org does not distribute user
+IDs unless the user has proven control of the associated e-mail
+address.  This means that on standard upstream GnuPG, retrieving
+revocations or subkey updates of those certificates will fail, because
+upstream GnuPG ignores any incoming certificate without a user ID,
+even if it knows a user ID in the local copy of the certificate (see
+https://dev.gnupg.org/T4393).
+
+However, we have three patches in
+debian/patches/import-merge-without-userid/ that together fix that
+bug.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac     | 2 +-
+ doc/dirmngr.texi | 6 +++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0a4ae1e..c48cb8c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1837,7 +1837,7 @@ AC_DEFINE_UNQUOTED(SCDAEMON_SOCK_NAME, "S.scdaemon",
+ AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
+                    [The name of the dirmngr socket])
+ AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
+-                   "hkps://keyserver.ubuntu.com",
++                   "hkps://keys.openpgp.org",
+       [The default keyserver for dirmngr to use, if none is explicitly given])
+ 
+ AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index ab831de..f7c7672 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -331,7 +331,11 @@ whether Tor is locally running or not.  The check for a running Tor is
+ done for each new connection.
+ 
+ If no keyserver is explicitly configured, dirmngr will use the
+-built-in default of @code{https://keyserver.ubuntu.com}.
++built-in default of @code{https://keys.openpgp.org}.
++
++Note that the above default is a Debian-specific choice.  Upstream
++GnuPG prefers @code{hkps://keyserver.ubuntu.com}.  See
++/usr/share/doc/gpgconf/NEWS.Debian.gz for more details.
+ 
+ Windows users with a keyserver running on their Active Directory
+ may use the short form @code{ldap:///} for @var{name} to access this directory.
diff --git a/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
new file mode 100644
index 0000000..4f4b07d
--- /dev/null
+++ b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
@@ -0,0 +1,89 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 11 Aug 2015 20:28:26 -0400
+Subject: Avoid simple memory dumps via ptrace
+
+This avoids needing to setgid gpg-agent.  It probably doesn't defend
+against all possible attacks, but it defends against one specific (and
+easy) one.  If there are other protections we should do them too.
+
+This will make it slightly harder to debug the agent because the
+normal user won't be able to attach gdb to it directly while it runs.
+
+The remaining options for debugging are:
+
+ * launch the agent from gdb directly
+ * connect gdb to a running agent as the superuser
+
+Upstream bug: https://dev.gnupg.org/T1211
+---
+ agent/gpg-agent.c | 8 ++++++++
+ configure.ac      | 2 +-
+ scd/scdaemon.c    | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 53b86dd..3f7aaae 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -50,6 +50,9 @@
+ # include <signal.h>
+ #endif
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+ 
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -1078,6 +1081,11 @@ main (int argc, char **argv )
+ 
+   early_system_init ();
+ 
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++  /* Disable ptrace on Linux without sgid bit */
++  prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+   /* Before we do anything else we save the list of currently open
+      file descriptors and the signal mask.  This info is required to
+      do the exec call properly.  We don't need it on Windows.  */
+diff --git a/configure.ac b/configure.ac
+index 4638f99..6e44af2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1404,7 +1404,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid  \
+                 ftruncate funlockfile getaddrinfo getenv getpagesize \
+                 getpwnam getpwuid getrlimit getrusage gettimeofday   \
+                 gmtime_r inet_ntop inet_pton isascii lstat memicmp   \
+-                memmove memrchr mmap nl_langinfo pipe raise rand     \
++                memmove memrchr mmap nl_langinfo pipe prctl raise rand \
+                 setenv setlocale setrlimit sigaction sigprocmask     \
+                 stat stpcpy strcasecmp strerror strftime stricmp     \
+                 strlwr strncasecmp strpbrk strsep strtol strtoul     \
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index b62f5b6..d804fcb 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -38,6 +38,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+ 
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -461,6 +464,12 @@ main (int argc, char **argv )
+   npth_t pipecon_handler;
+ 
+   early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++  /* Disable ptrace on Linux without sgid bit */
++  prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+   set_strusage (my_strusage);
+   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+   /* Please note that we may running SUID(ROOT), so be very CAREFUL
diff --git a/debian/patches/debian-packaging/avoid-beta-warning.patch b/debian/patches/debian-packaging/avoid-beta-warning.patch
new file mode 100644
index 0000000..5cb22e5
--- /dev/null
+++ b/debian/patches/debian-packaging/avoid-beta-warning.patch
@@ -0,0 +1,44 @@
+From: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: avoid-beta-warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index b238550..9b86d3f 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then
+     esac
+ 
+     beta=no
+-    if [ -e .git ]; then
++    if false; then
+       ingit=yes
+       tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+       tmp=$(echo "$tmp" | sed s/^"$package"//)
+@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then
+       rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+     else
+       ingit=no
+-      beta=yes
+-      tmp="-unknown"
++      beta=no
++      tmp=""
+       rev="0000000"
+       rvd="0"
+     fi
diff --git a/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
new file mode 100644
index 0000000..f968247
--- /dev/null
+++ b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
@@ -0,0 +1,39 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs.  but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index aba09b9..13beb10 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -180,15 +180,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+ 
+ dist-hook: defsincdate
+ 
+-defsincdate: $(gnupg_TEXINFOS)
+-	: >defsincdate ; \
+-	if test -e $(top_srcdir)/.git; then \
+-	  (cd $(srcdir) && git log -1 --format='%ct' \
+-               -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+-        elif test x"$$SOURCE_DATE_EPOCH" != x; then   \
+-	   echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+-	fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ 	incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ 	./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
new file mode 100644
index 0000000..3cad551
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
@@ -0,0 +1,47 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 20 Nov 2016 23:09:24 -0500
+Subject: dirmngr: Avoid automatically checking upstream swdb.
+
+* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically
+checking upstream's software database.  In Debian, software updates
+should be handled by the distro mechanism, and additional upstream
+checks only confuse the user.
+* doc/dirmngr.texi: document that --allow-version-check does nothing.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 2 --
+ doc/dirmngr.texi  | 7 ++++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index c04a287..26d136d 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -2051,8 +2051,6 @@ housekeeping_thread (void *arg)
+   if (network_activity_seen)
+     {
+       network_activity_seen = 0;
+-      if (opt.allow_version_check)
+-        dirmngr_load_swdb (&ctrlbuf, 0);
+       workqueue_run_global_tasks (&ctrlbuf, 1);
+     }
+   else
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index d6ef375..ab831de 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -294,9 +294,10 @@ Set the size of the queue for pending connections.  The default is 64.
+ @item --allow-version-check
+ @opindex allow-version-check
+ Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get
+-the list of current software versions.  If this option is enabled
+-the list is retrieved in case the local
+-copy does not exist or is older than 5 to 7 days.  See the option
++the list of current software versions.
++On debian-packaged versions, this option does nothing since software
++updates should be handled by the distribution.
++See the option
+ @option{--query-swdb} of the command @command{gpgconf} for more
+ details.  Note, that regardless of this option a version check can
+ always be triggered using this command:
diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
new file mode 100644
index 0000000..d6df59f
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
@@ -0,0 +1,230 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 02:00:50 -0400
+Subject: dirmngr: Avoid need for hkp housekeeping.
+
+* dirmngr/ks-engine-hkp.c (host_is_alive): New function.  Test whether
+host is alive and resurrects it if it has been dead long enough.
+(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
+instead of testing hostinfo_t->dead directly.
+(ks_hkp_housekeeping): Remove function, no longer needed.
+* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
+ks_hkp_housekeeping.
+
+--
+
+Rather than resurrecting hosts upon scheduled resurrection times, test
+whether hosts should be resurrected as they're inspected for being
+dead.  This removes the need for explicit housekeeping, and makes host
+resurrections happen "just in time", rather than being clustered on
+HOUSEKEEPING_INTERVAL seconds.
+
+According to 392e068e9f143d41f6350345619543cbcd47380f,
+dns_stuff_housekeeping only works on Windows, so it also isn't
+necessary in debian, but it remains in place for now.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c       |  3 ---
+ dirmngr/dirmngr.h       |  1 -
+ dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++-------------------------
+ 3 files changed, 35 insertions(+), 41 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index e287194..c04a287 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -2031,12 +2031,10 @@ static void *
+ housekeeping_thread (void *arg)
+ {
+   static int sentinel;
+-  time_t curtime;
+   struct server_control_s ctrlbuf;
+ 
+   (void)arg;
+ 
+-  curtime = gnupg_get_time ();
+   if (sentinel)
+     {
+       log_info ("housekeeping is already going on\n");
+@@ -2050,7 +2048,6 @@ housekeeping_thread (void *arg)
+   dirmngr_init_default_ctrl (&ctrlbuf);
+ 
+   dns_stuff_housekeeping ();
+-  ks_hkp_housekeeping (curtime);
+   if (network_activity_seen)
+     {
+       network_activity_seen = 0;
+diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
+index fed4599..0e1fbd9 100644
+--- a/dirmngr/dirmngr.h
++++ b/dirmngr/dirmngr.h
+@@ -234,7 +234,6 @@ int dirmngr_use_tor (void);
+ int dirmngr_never_use_tor_p (void);
+ 
+ /*-- Various housekeeping functions.  --*/
+-void ks_hkp_housekeeping (time_t curtime);
+ void ks_hkp_reload (void);
+ 
+ 
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 5793f07..91f1c63 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+   return 0;
+ }
+ 
++static int
++host_is_alive (hostinfo_t hi, time_t curtime)
++{
++  if (!hi)
++    return 0;
++  if (!hi->dead)
++    return 1;
++  if (!hi->died_at)
++    return 0; /* manually marked dead */
++  if (hi->died_at + RESURRECT_INTERVAL <= curtime
++      || hi->died_at > curtime)
++    {
++      hi->dead = 0;
++      log_info ("resurrected host '%s'", hi->name);
++      return 1;
++    }
++  return 0;
++}
+ 
+ /* Select a random host.  Consult HI->pool which indices into the global
+    hosttable.  Returns index into HI->pool or -1 if no host could be
+@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi)
+   int *tbl = NULL;
+   size_t tblsize = 0;
+   int pidx, idx;
++  time_t curtime;
+ 
++  curtime = gnupg_get_time ();
+   /* We create a new table so that we randomly select only from
+      currently alive hosts.  */
+   for (idx = 0;
+        idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+        idx++)
+-    if (hosttable[pidx] && !hosttable[pidx]->dead)
++    if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime))
+       {
+         tblsize++;
+         tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
+@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+   int is_pool;
+   int new_hosts = 0;
+   char *cname;
++  time_t curtime;
+ 
+   *r_host = NULL;
+   if (r_httpflags)
+@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+     }
+   else
+     hi = hosttable[idx];
++  curtime = gnupg_get_time ();
+ 
+   is_pool = hi->pool != NULL;
+ 
+@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+       if (force_reselect)
+         hi->poolidx = -1;
+       else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size
+-               && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead)
++               && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime))
+         hi->poolidx = -1;
+ 
+       /* Select a host if needed.  */
+@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+         return gpg_error_from_syserror ();
+     }
+ 
+-  if (hi->dead)
++  if (!host_is_alive (hi, curtime))
+     {
+       log_error ("host '%s' marked as dead\n", hi->name);
+       if (r_httphost)
+@@ -771,7 +793,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ {
+   gpg_error_t err = 0;
+   hostinfo_t hi, hi2;
+-  int idx, idx2, idx3, n;
++  int idx, idx2, idx3, n, is_alive;
++  time_t curtime;
+ 
+   if (!name || !*name || !strcmp (name, "localhost"))
+     return 0;
+@@ -780,13 +803,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+   if (idx == -1)
+     return gpg_error (GPG_ERR_NOT_FOUND);
+ 
++  curtime = gnupg_get_time ();
+   hi = hosttable[idx];
+-  if (alive && hi->dead)
++  is_alive = host_is_alive (hi, curtime);
++  if (alive && !is_alive)
+     {
+       hi->dead = 0;
+       err = ks_printf_help (ctrl, "marking '%s' as alive", name);
+     }
+-  else if (!alive && !hi->dead)
++  else if (!alive && is_alive)
+     {
+       hi->dead = 1;
+       hi->died_at = 0; /* Manually set dead.  */
+@@ -820,14 +845,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ 
+           hi2 = hosttable[n];
+           if (!hi2)
+-            ;
+-          else if (alive && hi2->dead)
++            continue;
++          is_alive = host_is_alive (hi2, curtime);
++          if (alive && !is_alive)
+             {
+               hi2->dead = 0;
+               err = ks_printf_help (ctrl, "marking '%s' as alive",
+                                     hi2->name);
+             }
+-          else if (!alive && !hi2->dead)
++          else if (!alive && is_alive)
+             {
+               hi2->dead = 1;
+               hi2->died_at = 0; /* Manually set dead. */
+@@ -1113,34 +1139,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+ }
+ 
+ 
+-/* Housekeeping function called from the housekeeping thread.  It is
+-   used to mark dead hosts alive so that they may be tried again after
+-   some time.  */
+-void
+-ks_hkp_housekeeping (time_t curtime)
+-{
+-  int idx;
+-  hostinfo_t hi;
+-
+-  for (idx=0; idx < hosttable_size; idx++)
+-    {
+-      hi = hosttable[idx];
+-      if (!hi)
+-        continue;
+-      if (!hi->dead)
+-        continue;
+-      if (!hi->died_at)
+-        continue; /* Do not resurrect manually shot hosts.  */
+-      if (hi->died_at + RESURRECT_INTERVAL <= curtime
+-          || hi->died_at > curtime)
+-        {
+-          hi->dead = 0;
+-          log_info ("resurrected host '%s'", hi->name);
+-        }
+-    }
+-}
+-
+-
+ /* Reload (SIGHUP) action for this module.  We mark all host alive
+  * even those which have been manually shot.  */
+ void
diff --git a/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
new file mode 100644
index 0000000..5a0cba5
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
@@ -0,0 +1,81 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 01:25:05 -0400
+Subject: dirmngr: hkp: Avoid potential race condition when some hosts die.
+
+* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass
+through the host table instead of risking out-of-bounds write.
+
+--
+
+Multiple threads may write to hosttable[x]->dead while
+select_random_host() is running.  For example, a housekeeping thread
+might clear the ->dead bit on some entries, or another connection to
+dirmngr might manually mark a host as alive.
+
+If one or more hosts are resurrected between the two loops over a
+given table in select_random_host(), then the allocation of tbl might
+not be large enough, resulting in a write past the end of tbl on the
+second loop.
+
+This change collapses the two loops into a single loop to avoid this
+discrepancy: each host's "dead" bit is now only checked once.
+
+As Werner points out, this isn't currently strictly necessary, since
+npth will not switch threads unless a blocking system call is made,
+and no blocking system call is made in these two loops.
+
+However, in a subsequent change in this series, we will call a
+function in this loop, and that function may sometimes write(2), or
+call other functions, which may themselves block.  Keeping this as a
+single-pass loop avoids the need to keep track of what might block and
+what might not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/ks-engine-hkp.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index ef7a717..5793f07 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ static int
+ select_random_host (hostinfo_t hi)
+ {
+-  int *tbl;
+-  size_t tblsize;
++  int *tbl = NULL;
++  size_t tblsize = 0;
+   int pidx, idx;
+ 
+   /* We create a new table so that we randomly select only from
+      currently alive hosts.  */
+-  for (idx = 0, tblsize = 0;
++  for (idx = 0;
+        idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+        idx++)
+     if (hosttable[pidx] && !hosttable[pidx]->dead)
+-      tblsize++;
++      {
++        tblsize++;
++        tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
++        if (!tbl)
++          return -1; /* memory allocation failed! */
++        tbl[tblsize-1] = pidx;
++      }
+   if (!tblsize)
+     return -1; /* No hosts.  */
+ 
+-  tbl = xtrymalloc (tblsize * sizeof *tbl);
+-  if (!tbl)
+-    return -1;
+-  for (idx = 0, tblsize = 0;
+-       idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+-       idx++)
+-    if (hosttable[pidx] && !hosttable[pidx]->dead)
+-      tbl[tblsize++] = pidx;
+-
+   if (tblsize == 1)  /* Save a get_uint_nonce.  */
+     pidx = tbl[0];
+   else
diff --git a/debian/patches/from-master/common-Fix-the-previous-commit.patch b/debian/patches/from-master/common-Fix-the-previous-commit.patch
new file mode 100644
index 0000000..c62f521
--- /dev/null
+++ b/debian/patches/from-master/common-Fix-the-previous-commit.patch
@@ -0,0 +1,54 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 24 Jul 2019 15:32:13 +0900
+Subject: common: Fix the previous commit.
+
+* common/asshelp.c [HAVE_W32_SYSTEM] (start_new_gpg_agent): Use
+gnupg_spawn_process_detached.
+(start_new_dirmngr): Likewise.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit 044379772fc5b0f39c6a36809722e702808b6ec3)
+---
+ common/asshelp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/common/asshelp.c b/common/asshelp.c
+index 73f159d..9f269ab 100644
+--- a/common/asshelp.c
++++ b/common/asshelp.c
+@@ -477,6 +477,10 @@ start_new_gpg_agent (assuan_context_t *r_ctx,
+       if (!(err = lock_spawning (&lock, gnupg_homedir (), "agent", verbose))
+           && assuan_socket_connect (ctx, sockname, 0, 0))
+         {
++#ifdef HAVE_W32_SYSTEM
++          err = gnupg_spawn_process_detached (program? program : agent_program,
++                                              argv, NULL);
++#else
+           pid_t pid;
+ 
+           err = gnupg_spawn_process_fd (program? program : agent_program,
+@@ -484,6 +488,7 @@ start_new_gpg_agent (assuan_context_t *r_ctx,
+           if (!err)
+             err = gnupg_wait_process (program? program : agent_program,
+                                       pid, 1, NULL);
++#endif
+           if (err)
+             log_error ("failed to start agent '%s': %s\n",
+                        agent_program, gpg_strerror (err));
+@@ -617,12 +622,16 @@ start_new_dirmngr (assuan_context_t *r_ctx,
+       if (!(err = lock_spawning (&lock, gnupg_homedir (), "dirmngr", verbose))
+           && assuan_socket_connect (ctx, sockname, 0, 0))
+         {
++#ifdef HAVE_W32_SYSTEM
++          err = gnupg_spawn_process_detached (dirmngr_program, argv, NULL);
++#else
+           pid_t pid;
+ 
+           err = gnupg_spawn_process_fd (dirmngr_program, argv,
+                                         -1, -1, -1, &pid);
+           if (!err)
+             err = gnupg_wait_process (dirmngr_program, pid, 1, NULL);
++#endif
+           if (err)
+             log_error ("failed to start the dirmngr '%s': %s\n",
+                        dirmngr_program, gpg_strerror (err));
diff --git a/debian/patches/from-master/common-Use-gnupg_spawn_process_fd-to-invoke-gpg-agent-dir.patch b/debian/patches/from-master/common-Use-gnupg_spawn_process_fd-to-invoke-gpg-agent-dir.patch
new file mode 100644
index 0000000..003dbf4
--- /dev/null
+++ b/debian/patches/from-master/common-Use-gnupg_spawn_process_fd-to-invoke-gpg-agent-dir.patch
@@ -0,0 +1,52 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 24 Jul 2019 15:15:32 +0900
+Subject: common: Use gnupg_spawn_process_fd to invoke gpg-agent/dirmngr.
+
+* common/asshelp.c (start_new_gpg_agent): Call gnupg_spawn_process_fd
+and gnupg_wait_process.
+(start_new_dirmngr): Likewise.
+
+--
+
+With --daemon option, gpg-agent/dirmngr detaches by itself.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit b1c56cf9e2bb51abfd47747128bd2a6285ed1623)
+---
+ common/asshelp.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/common/asshelp.c b/common/asshelp.c
+index d87017e..73f159d 100644
+--- a/common/asshelp.c
++++ b/common/asshelp.c
+@@ -477,8 +477,13 @@ start_new_gpg_agent (assuan_context_t *r_ctx,
+       if (!(err = lock_spawning (&lock, gnupg_homedir (), "agent", verbose))
+           && assuan_socket_connect (ctx, sockname, 0, 0))
+         {
+-          err = gnupg_spawn_process_detached (program? program : agent_program,
+-                                              argv, NULL);
++          pid_t pid;
++
++          err = gnupg_spawn_process_fd (program? program : agent_program,
++                                        argv, -1, -1, -1, &pid);
++          if (!err)
++            err = gnupg_wait_process (program? program : agent_program,
++                                      pid, 1, NULL);
+           if (err)
+             log_error ("failed to start agent '%s': %s\n",
+                        agent_program, gpg_strerror (err));
+@@ -612,7 +617,12 @@ start_new_dirmngr (assuan_context_t *r_ctx,
+       if (!(err = lock_spawning (&lock, gnupg_homedir (), "dirmngr", verbose))
+           && assuan_socket_connect (ctx, sockname, 0, 0))
+         {
+-          err = gnupg_spawn_process_detached (dirmngr_program, argv, NULL);
++          pid_t pid;
++
++          err = gnupg_spawn_process_fd (dirmngr_program, argv,
++                                        -1, -1, -1, &pid);
++          if (!err)
++            err = gnupg_wait_process (dirmngr_program, pid, 1, NULL);
+           if (err)
+             log_error ("failed to start the dirmngr '%s': %s\n",
+                        dirmngr_program, gpg_strerror (err));
diff --git a/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..59b0b13
--- /dev/null
+++ b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
@@ -0,0 +1,91 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:41:10 -0400
+Subject: gpg: default to 3072-bit keys.
+
+* agent/command.c (hlp_genkey): update help text to suggest the use of
+3072 bits.
+* doc/wks.texi: Make example match default generation.
+* g10/keygen.c (gen_elg): update default from 2048 to 3072.
+* g10/keyid.c (pubkey_string): update comment so that first example
+is the default 3072-bit RSA.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
+---
+ agent/command.c | 2 +-
+ doc/wks.texi    | 4 ++--
+ g10/keygen.c    | 2 +-
+ g10/keyid.c     | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index b682c55..ea65290 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
+   "\n"
+   "  C: GENKEY\n"
+   "  S: INQUIRE KEYPARAM\n"
+-  "  C: D (genkey (rsa (nbits  2048)))\n"
++  "  C: D (genkey (rsa (nbits 3072)))\n"
+   "  C: END\n"
+   "  S: D (public-key\n"
+   "  S: D   (rsa (n 326487324683264) (e 10001)))\n"
+diff --git a/doc/wks.texi b/doc/wks.texi
+index e398ccb..68ed117 100644
+--- a/doc/wks.texi
++++ b/doc/wks.texi
+@@ -447,10 +447,10 @@ the submission address:
+ The output of the last command looks similar to this:
+ 
+ @example
+-  sec   rsa2048 2016-08-30 [SC]
++  sec   rsa3072 2016-08-30 [SC]
+         C0FCF8642D830C53246211400346653590B3795B
+   uid           [ultimate] key-submission@@example.net
+-  ssb   rsa2048 2016-08-30 [E]
++  ssb   rsa3072 2016-08-30 [E]
+ @end example
+ 
+ Take the fingerprint from that output and manually publish the key:
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 80d65c4..5b4a785 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -1436,7 +1436,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root,
+ 
+   if (nbits < 1024)
+     {
+-      nbits = 2048;
++      nbits = 3072;
+       log_info (_("keysize invalid; using %u bits\n"), nbits );
+     }
+   else if (nbits > 4096)
+diff --git a/g10/keyid.c b/g10/keyid.c
+index 69d85da..2987287 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+    is copied to the supplied buffer up a length of BUFSIZE-1.
+    Examples for the output are:
+ 
+-   "rsa2048"  - RSA with 2048 bit
++   "rsa3072"  - RSA with 3072 bit
+    "elg1024"  - Elgamal with 1024 bit
+    "ed25519"  - ECC using the curve Ed25519.
+    "E_1.2.3.4"  - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+    If the option --legacy-list-mode is active, the output use the
+    legacy format:
+ 
+-   "2048R" - RSA with 2048 bit
++   "3072R" - RSA with 3072 bit
+    "1024g" - Elgamal with 1024 bit
+    "256E"  - ECDSA using a curve with 256 bit
+ 
diff --git a/debian/patches/from-master/gpg-default-to-AES-256.patch b/debian/patches/from-master/gpg-default-to-AES-256.patch
new file mode 100644
index 0000000..c82fea3
--- /dev/null
+++ b/debian/patches/from-master/gpg-default-to-AES-256.patch
@@ -0,0 +1,35 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available.  Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive).  AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index 273ddaa..d1a54db 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,7 +31,9 @@
+    (i.e. uncompressed) rather than 1 (zip).  However, the real world
+    issues of speed and size come into play here. */
+ 
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_CAST5
diff --git a/debian/patches/from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch b/debian/patches/from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
new file mode 100644
index 0000000..c21409f
--- /dev/null
+++ b/debian/patches/from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
@@ -0,0 +1,33 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 18 Oct 2022 10:16:11 +0900
+Subject: dirmngr: Fix build with no LDAP support.
+
+* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.
+
+--
+
+Cherry-pick master commit of:
+	7011286ce6e1fb56c2989fdafbd11b931c489faa
+
+GnuPG-bug-id: 6239
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit a5c3821664886ffffbe6a83aac088a6e0088a607)
+---
+ dirmngr/server.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index 651f67c..87a0d77 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -3135,8 +3135,10 @@ start_command_handler (assuan_fd_t fd, unsigned int session_id)
+                ctrl->refcount);
+   else
+     {
++#if USE_LDAP
+       ks_ldap_free_state (ctrl->ks_get_state);
+       ctrl->ks_get_state = NULL;
++#endif
+       release_ctrl_ocsp_certs (ctrl);
+       xfree (ctrl->server_local);
+       dirmngr_deinit_default_ctrl (ctrl);
diff --git a/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch b/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
new file mode 100644
index 0000000..99117df
--- /dev/null
+++ b/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
@@ -0,0 +1,29 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 18 Oct 2022 10:24:54 +0900
+Subject: gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
+
+* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
+
+--
+
+Fixes-commit: b26bb03ed96f380ad603f7ad902862625233c931
+GnuPG-bug-id: 6244
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit 256b3c05789d8026b62f594bd592199a90b1b446)
+---
+ g10/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/g10/Makefile.am b/g10/Makefile.am
+index d38e292..cd5307e 100644
+--- a/g10/Makefile.am
++++ b/g10/Makefile.am
+@@ -200,7 +200,7 @@ module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter
+ t_rmd160_SOURCES = t-rmd160.c rmd160.c
+ t_rmd160_LDADD = $(t_common_ldadd)
+ t_keydb_SOURCES = t-keydb.c test-stubs.c $(common_source)
+-t_keydb_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \
++t_keydb_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
+ 	      $(LIBICONV) $(t_common_ldadd)
+ t_keydb_get_keyblock_SOURCES = t-keydb-get-keyblock.c test-stubs.c \
+ 	      $(common_source)
diff --git a/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch b/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
new file mode 100644
index 0000000..c4ad203
--- /dev/null
+++ b/debian/patches/from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
@@ -0,0 +1,58 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 18 Oct 2022 10:08:20 +0900
+Subject: gpg: Move NETLIBS after GPG_ERROR_LIBS.
+
+* g10/Makefile.am (LDADD): Remove NETLIBS.
+(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
+(gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
+(t_stutter_LDADD): Likewise.
+
+--
+
+GnuPG-bug-id: 6244
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit b26bb03ed96f380ad603f7ad902862625233c931)
+---
+ g10/Makefile.am | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/g10/Makefile.am b/g10/Makefile.am
+index f885673..d38e292 100644
+--- a/g10/Makefile.am
++++ b/g10/Makefile.am
+@@ -180,18 +180,18 @@ gpgv_SOURCES = gpgv.c           \
+ #	       $(common_source)
+ 
+ LDADD =  $(needed_libs) ../common/libgpgrl.a \
+-         $(ZLIBS) $(LIBINTL) $(CAPLIBS) $(NETLIBS)
++         $(ZLIBS) $(LIBINTL) $(CAPLIBS)
+ gpg_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(SQLITE3_LIBS) $(LIBREADLINE) \
+-             $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \
++             $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
+ 	     $(LIBICONV) $(gpg_robjs) $(extra_sys_libs)
+ gpg_LDFLAGS = $(extra_bin_ldflags)
+ gpgv_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
+-              $(GPG_ERROR_LIBS) \
++              $(GPG_ERROR_LIBS) $(NETLIBS) \
+ 	      $(LIBICONV) $(gpgv_robjs) $(extra_sys_libs)
+ gpgv_LDFLAGS = $(extra_bin_ldflags)
+ 
+ gpgcompose_LDADD = $(LDADD) $(SQLITE3_LIBS) $(LIBGCRYPT_LIBS) $(LIBREADLINE) \
+-             $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \
++             $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
+ 	     $(LIBICONV) $(extra_sys_libs)
+ gpgcompose_LDFLAGS = $(extra_bin_ldflags)
+ 
+@@ -205,10 +205,10 @@ t_keydb_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \
+ t_keydb_get_keyblock_SOURCES = t-keydb-get-keyblock.c test-stubs.c \
+ 	      $(common_source)
+ t_keydb_get_keyblock_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \
+-	      $(LIBICONV) $(t_common_ldadd)
++	      $(NETLIBS) $(LIBICONV) $(t_common_ldadd)
+ t_stutter_SOURCES = t-stutter.c test-stubs.c \
+ 	      $(common_source)
+-t_stutter_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \
++t_stutter_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
+ 	      $(LIBICONV) $(t_common_ldadd)
+ 
+ 
diff --git a/debian/patches/from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch b/debian/patches/from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch
new file mode 100644
index 0000000..bf542d0
--- /dev/null
+++ b/debian/patches/from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch
@@ -0,0 +1,27 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 26 Nov 2020 09:50:40 +0900
+Subject: gpg: Report an error for receiving key from agent.
+
+* g10/export.c (do_export_one_keyblock): Report an error.
+
+--
+
+GnuPG-bug-id: 5151
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(cherry picked from commit 6f0066db2c87e6362473d17c0621011ed1e1eae6)
+---
+ g10/export.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/export.c b/g10/export.c
+index e98af59..8e17df3 100644
+--- a/g10/export.c
++++ b/g10/export.c
+@@ -1814,6 +1814,7 @@ do_export_one_keyblock (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid,
+                 {
+                   if (gpg_err_code (err) == GPG_ERR_FULLY_CANCELED)
+                     goto leave;
++                  write_status_error ("export_keys.secret", err);
+                   skip_until_subkey = 1;
+                   err = 0;
+                 }
diff --git a/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
new file mode 100644
index 0000000..2061327
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
@@ -0,0 +1,84 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:45:23 -0400
+Subject: agent: Allow threads to interrupt main select loop with SIGCONT.
+
+* agent/gpg-agent.c (interrupt_main_thread_loop): New function on
+non-windows platforms, allows other threads to interrupt the main loop
+if there's something that the main loop might be interested in.
+
+--
+
+For example, the main loop might be interested in changes in program
+state that affect the timers it expects to see.
+
+I don't know how to do this on Windows platforms, but i welcome any
+proposed improvements.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/agent.h     |  1 +
+ agent/gpg-agent.c | 16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/agent/agent.h b/agent/agent.h
+index 56e13ec..d1abf26 100644
+--- a/agent/agent.h
++++ b/agent/agent.h
+@@ -391,6 +391,7 @@ void *get_agent_scd_notify_event (void);
+ #endif
+ void agent_sighup_action (void);
+ int map_pk_openpgp_to_gcry (int openpgp_algo);
++void interrupt_main_thread_loop (void);
+ 
+ /*-- command.c --*/
+ gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid,
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 309e87c..2882767 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -462,6 +462,9 @@ static int have_homedir_inotify;
+  * works reliable.  */
+ static int reliable_homedir_inotify;
+ 
++/* Record the pid of the main thread, for easier signalling */
++static pid_t main_thread_pid = (pid_t)(-1);
++
+ /* Number of active connections.  */
+ static int active_connections;
+ 
+@@ -2470,6 +2473,10 @@ handle_signal (int signo)
+       agent_sigusr2_action ();
+       break;
+ 
++      /* nothing to do here, just take an extra cycle on the select loop */
++    case SIGCONT:
++      break;
++
+     case SIGTERM:
+       if (!shutdown_pending)
+         log_info ("SIGTERM received - shutting down ...\n");
+@@ -2808,6 +2815,13 @@ start_connection_thread_ssh (void *arg)
+ }
+ 
+ 
++void interrupt_main_thread_loop (void)
++{
++#ifndef HAVE_W32_SYSTEM
++  kill (main_thread_pid, SIGCONT);
++#endif
++}
++
+ /* helper function for readability: test whether a given struct
+    timespec is set to all-zeros */
+ static inline int
+@@ -2877,8 +2891,10 @@ handle_connections (gnupg_fd_t listen_fd,
+   npth_sigev_add (SIGUSR1);
+   npth_sigev_add (SIGUSR2);
+   npth_sigev_add (SIGINT);
++  npth_sigev_add (SIGCONT);
+   npth_sigev_add (SIGTERM);
+   npth_sigev_fini ();
++  main_thread_pid = getpid ();
+ #else
+ # ifdef HAVE_W32CE_SYSTEM
+   /* Use a dummy event. */
diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
new file mode 100644
index 0000000..34a91c6
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
@@ -0,0 +1,26 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:57:44 -0400
+Subject: agent: Avoid scheduled checks on socket when inotify is working.
+
+* agent/gpg-agent.c (handle_connections): When inotify is working, we
+do not need to schedule a timer to evaluate whether we control our own
+socket or not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/gpg-agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 0801449..45d2e87 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -3044,6 +3044,8 @@ handle_connections (gnupg_fd_t listen_fd,
+ 
+       /* avoid a fine-grained timer if we don't need one: */
+       timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++      /* avoid waking up to check sockets if we can count on inotify */
++      timertbl[1].interval.tv_sec = (sock_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0;
+ 
+       /* loop through all timers, fire any registered functions, and
+          plan next timer to trigger */
diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
new file mode 100644
index 0000000..5630aa7
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
@@ -0,0 +1,101 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:14:10 -0400
+Subject: agent: Avoid tight timer tick when possible.
+
+* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase
+handle_tick() is needed.
+(handle_connections): On each cycle of the select loop, adjust whether
+we should call handle_tick() or not.
+(start_connection_thread_ssh, do_start_connection_thread): Signal the
+main loop when the child terminates.
+* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once
+the scdaemon thread context has started up.
+
+--
+
+With this change, an idle gpg-agent that has no scdaemon running only
+wakes up once a minute (to check_own_socket).
+
+Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of
+the blocking and corner cases.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/call-scd.c  |  2 ++
+ agent/gpg-agent.c | 29 +++++++++++++++++++++++++++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/agent/call-scd.c b/agent/call-scd.c
+index c5b95f4..762de82 100644
+--- a/agent/call-scd.c
++++ b/agent/call-scd.c
+@@ -414,6 +414,8 @@ start_scd (ctrl_t ctrl)
+ 
+   primary_scd_ctx = ctx;
+   primary_scd_ctx_reusable = 0;
++  /* notify the main loop that something has changed */
++  interrupt_main_thread_loop ();
+ 
+  leave:
+   xfree (abs_homedir);
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 2882767..0801449 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2374,6 +2374,26 @@ create_directories (void)
+ }
+ 
+ 
++static int
++need_tick (void)
++{
++#ifdef HAVE_W32_SYSTEM
++  /* We do not know how to interrupt the select loop on Windows, so we
++     always need a short tick there. */
++  return 1;
++#else
++  /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to
++     watch our parent. */
++  if (parent_pid != (pid_t)(-1))
++    return 1;
++  /* if scdaemon is running, we need to check that it's alive */
++  if (agent_scd_check_running ())
++    return 1;
++  /* otherwise, nothing fine-grained to do. */
++  return 0;
++#endif /*HAVE_W32_SYSTEM*/
++}
++
+ 
+ /* This is the worker for the ticker.  It is called every few seconds
+    and may only do fast operations. */
+@@ -2730,7 +2750,8 @@ do_start_connection_thread (ctrl_t ctrl)
+ 
+   agent_deinit_default_ctrl (ctrl);
+   xfree (ctrl);
+-  active_connections--;
++  if (--active_connections == 0)
++    interrupt_main_thread_loop();
+   return NULL;
+ }
+ 
+@@ -2810,7 +2831,8 @@ start_connection_thread_ssh (void *arg)
+ 
+   agent_deinit_default_ctrl (ctrl);
+   xfree (ctrl);
+-  active_connections--;
++  if (--active_connections == 0)
++    interrupt_main_thread_loop();
+   return NULL;
+ }
+ 
+@@ -3020,6 +3042,9 @@ handle_connections (gnupg_fd_t listen_fd,
+          thus a simple assignment is fine to copy the entire set.  */
+       read_fdset = fdset;
+ 
++      /* avoid a fine-grained timer if we don't need one: */
++      timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++
+       /* loop through all timers, fire any registered functions, and
+          plan next timer to trigger */
+       npth_clock_gettime (&curtime);
diff --git a/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
new file mode 100644
index 0000000..5b6e1ff
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
@@ -0,0 +1,191 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 31 Oct 2016 21:27:36 -0400
+Subject: agent: Create framework of scheduled timers.
+
+agent/gpg-agent.c (handle_tick): Remove intermittent call to
+check_own_socket.
+(tv_is_set): Add inline helper function for readability.
+(handle_connections) Create general table of pending scheduled
+timeouts.
+
+--
+
+handle_tick() does fine-grained, rapid activity.  check_own_socket()
+is supposed to happen at a different interval.
+
+Mixing the two of them makes it a requirement that one interval be a
+multiple of the other, which isn't ideal if there are different delay
+strategies that we might want in the future.
+
+Creating an extensible regular timer framework in handle_connections
+should make it possible to have any number of cadenced timers fire
+regularly, without requiring that they happen in cadences related to
+each other.
+
+It should also make it possible to dynamically change the cadence of
+any regularly-scheduled timeout.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/gpg-agent.c | 84 +++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 27 deletions(-)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 3f7aaae..309e87c 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2377,12 +2377,8 @@ create_directories (void)
+ static void
+ handle_tick (void)
+ {
+-  static time_t last_minute;
+   struct stat statbuf;
+ 
+-  if (!last_minute)
+-    last_minute = time (NULL);
+-
+   /* Check whether the scdaemon has died and cleanup in this case. */
+   agent_scd_check_aliveness ();
+ 
+@@ -2402,15 +2398,6 @@ handle_tick (void)
+     }
+ #endif /*HAVE_W32_SYSTEM*/
+ 
+-  /* Code to be run from time to time.  */
+-#if CHECK_OWN_SOCKET_INTERVAL > 0
+-  if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL))
+-    {
+-      check_own_socket ();
+-      last_minute = time (NULL);
+-    }
+-#endif
+-
+   /* Need to check for expired cache entries.  */
+   agent_cache_housekeeping ();
+ 
+@@ -2821,6 +2808,15 @@ start_connection_thread_ssh (void *arg)
+ }
+ 
+ 
++/* helper function for readability: test whether a given struct
++   timespec is set to all-zeros */
++static inline int
++tv_is_set (struct timespec tv)
++{
++  return tv.tv_sec || tv.tv_nsec;
++}
++
++
+ /* Connection handler loop.  Wait for connection requests and spawn a
+    thread after accepting a connection.  */
+ static void
+@@ -2838,9 +2834,11 @@ handle_connections (gnupg_fd_t listen_fd,
+   gnupg_fd_t fd;
+   int nfd;
+   int saved_errno;
++  int idx;
+   struct timespec abstime;
+   struct timespec curtime;
+   struct timespec timeout;
++  struct timespec *select_timeout;
+ #ifdef HAVE_W32_SYSTEM
+   HANDLE events[2];
+   unsigned int events_set;
+@@ -2857,6 +2855,14 @@ handle_connections (gnupg_fd_t listen_fd,
+     { "browser", start_connection_thread_browser },
+     { "ssh",    start_connection_thread_ssh   }
+   };
++  struct {
++    struct timespec interval;
++    void (*func) (void);
++    struct timespec next;
++  } timertbl[] = {
++    { { TIMERTICK_INTERVAL, 0 }, handle_tick },
++    { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket }
++  };
+ 
+ 
+   ret = npth_attr_init(&tattr);
+@@ -2964,9 +2970,6 @@ handle_connections (gnupg_fd_t listen_fd,
+   listentbl[2].l_fd = listen_fd_browser;
+   listentbl[3].l_fd = listen_fd_ssh;
+ 
+-  npth_clock_gettime (&abstime);
+-  abstime.tv_sec += TIMERTICK_INTERVAL;
+-
+   for (;;)
+     {
+       /* Shutdown test.  */
+@@ -3001,18 +3004,46 @@ handle_connections (gnupg_fd_t listen_fd,
+          thus a simple assignment is fine to copy the entire set.  */
+       read_fdset = fdset;
+ 
++      /* loop through all timers, fire any registered functions, and
++         plan next timer to trigger */
+       npth_clock_gettime (&curtime);
+-      if (!(npth_timercmp (&curtime, &abstime, <)))
+-	{
+-	  /* Timeout.  */
+-	  handle_tick ();
+-	  npth_clock_gettime (&abstime);
+-	  abstime.tv_sec += TIMERTICK_INTERVAL;
+-	}
+-      npth_timersub (&abstime, &curtime, &timeout);
++      abstime.tv_sec = abstime.tv_nsec = 0;
++      for (idx=0; idx < DIM(timertbl); idx++)
++        {
++          /* schedule any unscheduled timers */
++          if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval))
++            npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++          /* if a timer is due, fire it ... */
++          if (tv_is_set (timertbl[idx].next))
++            {
++              if (!(npth_timercmp (&curtime, &timertbl[idx].next, <)))
++                {
++                  timertbl[idx].func ();
++                  npth_clock_gettime (&curtime);
++                  /* ...and reschedule it, if desired: */
++                  if (tv_is_set (timertbl[idx].interval))
++                    npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++                  else
++                    timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0;
++                }
++            }
++          /* accumulate next timer to come due in abstime: */
++          if (tv_is_set (timertbl[idx].next) &&
++              ((!tv_is_set (abstime)) ||
++               (npth_timercmp (&abstime, &timertbl[idx].next, >))))
++            abstime = timertbl[idx].next;
++        }
++      /* choose a timeout for the select loop: */
++      if (tv_is_set (abstime))
++        {
++          npth_timersub (&abstime, &curtime, &timeout);
++          select_timeout = &timeout;
++        }
++      else
++          select_timeout = NULL;
+ 
+ #ifndef HAVE_W32_SYSTEM
+-      ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++      ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+                           npth_sigev_sigmask ());
+       saved_errno = errno;
+ 
+@@ -3022,7 +3053,7 @@ handle_connections (gnupg_fd_t listen_fd,
+           handle_signal (signo);
+       }
+ #else
+-      ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++      ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+                           events, &events_set);
+       saved_errno = errno;
+ 
+@@ -3067,7 +3098,6 @@ handle_connections (gnupg_fd_t listen_fd,
+ 
+       if (!shutdown_pending)
+         {
+-          int idx;
+           ctrl_t ctrl;
+           npth_t thread;
+ 
diff --git a/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
new file mode 100644
index 0000000..29667b7
--- /dev/null
+++ b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
@@ -0,0 +1,49 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: gpg: drop import-clean from default keyserver import options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides.  Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c    | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 39c996b..fd0baab 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -2005,7 +2005,7 @@ are available for all keyserver types, some common options are:
+ 
+ @end table
+ 
+-The default list of options is: "self-sigs-only, import-clean,
++The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record". However, if
+ the actual used source is an LDAP server "no-self-sigs-only" is
+diff --git a/g10/gpg.c b/g10/gpg.c
+index bd65612..d77c757 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2383,8 +2383,7 @@ main (int argc, char **argv)
+     opt.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ 					    | IMPORT_REPAIR_PKS_SUBKEY_BUG
+-                                            | IMPORT_SELF_SIGS_ONLY
+-                                            | IMPORT_CLEAN);
++                                            | IMPORT_SELF_SIGS_ONLY);
+     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+     opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
new file mode 100644
index 0000000..e23ffe6
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index 078a78c..c070399 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3677,6 +3677,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+                   /* It's valid, so is it newer? */
+                   if (sig->timestamp >= rsdate)
+                     {
++                      knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid.  */
+                       if (rsnode)
+                         {
+                           /* Delete the last revocation sig since
diff --git a/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000..fa6dd9f
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -0,0 +1,106 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 44 +++++++++++---------------------------------
+ 1 file changed, 11 insertions(+), 33 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index b2d5c1d..078a78c 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1855,7 +1855,6 @@ import_one_real (ctrl_t ctrl,
+   size_t an;
+   char pkstrbuf[PUBKEY_STRING_SIZE];
+   int merge_keys_done = 0;
+-  int any_filter = 0;
+   KEYDB_HANDLE hd = NULL;
+ 
+   if (r_valid)
+@@ -1892,14 +1891,6 @@ import_one_real (ctrl_t ctrl,
+       log_printf ("\n");
+     }
+ 
+-
+-  if (!uidnode )
+-    {
+-      if (!silent)
+-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+-      return 0;
+-    }
+-
+   if (screener && screener (keyblock, screener_arg))
+     {
+       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -1974,17 +1965,10 @@ import_one_real (ctrl_t ctrl,
+ 	  }
+     }
+ 
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+-    {
+-      if (!silent)
+-        {
+-          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet )
+-            log_info(_("this may be caused by a missing self-signature\n"));
+-        }
+-      stats->no_user_id++;
+-      return 0;
+-    }
++  /* Delete invalid parts, and note if we have any valid ones left.
++   * We will later abort import if this key is new but contains
++   * no valid uids.  */
++  delete_inv_parts (ctrl, keyblock, keyid, options);
+ 
+   /* Get rid of deleted nodes.  */
+   commit_kbnode (&keyblock);
+@@ -1994,24 +1978,11 @@ import_one_real (ctrl_t ctrl,
+     {
+       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+     }
+   if (import_filter.drop_sig)
+     {
+       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+-    }
+-
+-  /* If we ran any filter we need to check that at least one user id
+-   * is left in the keyring.  Note that we do not use log_error in
+-   * this case. */
+-  if (any_filter && !any_uid_left (keyblock))
+-    {
+-      if (!opt.quiet )
+-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+-      stats->no_user_id++;
+-      return 0;
+     }
+ 
+   /* The keyblock is valid and ready for real import.  */
+@@ -2069,6 +2040,13 @@ import_one_real (ctrl_t ctrl,
+       err = 0;
+       stats->skipped_new_keys++;
+     }
++  else if (err && !any_uid_left (keyblock))
++    {
++      if (!silent)
++        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++      err = 0;
++      stats->no_user_id++;
++    }
+   else if (err)  /* Insert this key. */
+     {
+       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */
diff --git a/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
new file mode 100644
index 0000000..52ca688
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
@@ -0,0 +1,201 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:41 +0200
+Subject: tests: add test cases for import without uid
+
+This commit adds a test case that does the following, in order:
+- Import of a primary key plus user id
+- Check that import of a subkey works, without a user id present in the
+imported key
+- Check that import of a subkey revocation works, without a user id or
+subkey binding signature present in the imported key
+- Check that import of a primary key revocation works, without a user id
+present in the imported key
+
+--
+
+Note that this test currently fails.  The following changesets will
+fix gpg so that the tests pass.
+
+GnuPG-Bug-id: 4393
+Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ tests/openpgp/Makefile.am                          |  1 +
+ tests/openpgp/import-incomplete.scm                | 68 ++++++++++++++++++++++
+ .../import-incomplete/primary+revocation.asc       |  9 +++
+ .../primary+subkey+sub-revocation.asc              | 10 ++++
+ .../import-incomplete/primary+subkey+sub-sig.asc   | 10 ++++
+ .../openpgp/import-incomplete/primary+uid-sig.asc  | 10 ++++
+ tests/openpgp/import-incomplete/primary+uid.asc    | 10 ++++
+ 7 files changed, 118 insertions(+)
+ create mode 100755 tests/openpgp/import-incomplete.scm
+ create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
+
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index 59f39e2..3b8b699 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -78,6 +78,7 @@ XTESTS = \
+ 	gpgv-forged-keyring.scm \
+ 	armor.scm \
+ 	import.scm \
++	import-incomplete.scm \
+ 	import-revocation-certificate.scm \
+ 	ecc.scm \
+ 	4gb-packet.scm \
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm
+new file mode 100755
+index 0000000..727a027
+--- /dev/null
++++ b/tests/openpgp/import-incomplete.scm
+@@ -0,0 +1,68 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2016 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see <http://www.gnu.org/licenses/>.
++
++(load (in-srcdir "tests" "openpgp" "defs.scm"))
++(setup-environment)
++
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
++
++(info "Test import of new subkey, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of a subkey revocation, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:r:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of revocation, from a certificate without uid")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "pub:r:")
++			(string-contains? line "0843DA969AA8DAFB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
+diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
+new file mode 100644
+index 0000000..6b7b608
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+revocation.asc
+@@ -0,0 +1,9 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [E] primary key, revocation signature over primary (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
++=tM90
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+new file mode 100644
+index 0000000..83a51a5
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [D] primary key, subkey, subkey revocation (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
++=dwx2
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+new file mode 100644
+index 0000000..dc47a02
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [B] primary key, subkey, subkey binding sig (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
++=xuDu
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+new file mode 100644
+index 0000000..134607d
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
++9ohXOEBWvdJgVv2YAg==
++=KWIK
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
+new file mode 100644
+index 0000000..055f300
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [A] primary key, user ID, and self-sig expiring in 2021
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
+++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
++=1eII
++-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..edeee22
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,26 @@
+debian-packaging/avoid-beta-warning.patch
+debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
+block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
+dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
+gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
+gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
+gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+from-master/gpg-default-to-3072-bit-keys.patch
+from-master/gpg-default-to-AES-256.patch
+update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
+import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
+Make-gpg-zip-use-tar-from-PATH.patch
+gpg-drop-import-clean-from-default-keyserver-import-optio.patch
+from-master/common-Use-gnupg_spawn_process_fd-to-invoke-gpg-agent-dir.patch
+from-master/common-Fix-the-previous-commit.patch
+from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch
+from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
+from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
+from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
diff --git a/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..ae00d38
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow disabling sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin.  It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ g10/main.h   | 2 +-
+ g10/misc.c   | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 6e44af2..0a4ae1e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+ 
+ 
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index d1a54db..50ebad0 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -41,7 +41,7 @@
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_3DES
+ #endif
+ 
+-#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO   COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 0b19e1a..79c285c 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -867,11 +867,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+     case DIGEST_ALGO_SHA384: return 0;
+ #endif
+ 
+-#ifdef GPG_USE_SHA512
+     case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+-    case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+     default: return 0;
+     }
+ }
diff --git a/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
new file mode 100644
index 0000000..bdb33f9
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
@@ -0,0 +1,46 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 3 Jan 2018 12:34:26 -0500
+Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.
+
+* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
+and SHA-384 by default.
+
+--
+
+In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
+defaults for --default-preference-list to advertise a preference for
+SHA-512, without touching --personal-digest-preferences.  This makes
+the same change for --personal-digest-preferences, since every modern
+OpenPGP library supports them all.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 5b4a785..2066bf1 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal)
+             if (personal)
+               {
+                 /* The default internal hash algo order is:
+-                 *  SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++                 *  SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+                  */
+-                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+-                  strcat (dummy_string, "H8 ");
++                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++                  strcat (dummy_string, "H10 ");
+ 
+                 if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+                   strcat (dummy_string, "H9 ");
+ 
+-                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+-                  strcat (dummy_string, "H10 ");
++                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++                  strcat (dummy_string, "H8 ");
+               }
+             else
+               {
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..b6aba08
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,90 @@
+#!/usr/bin/make -f
+# debian/rules file - for GnuPG
+# Copyright 1994,1995 by Ian Jackson.
+# Copyright 1998-2003 by James Troup.
+# Copyright 2003-2004 by Matthias Urlichs.
+#
+# I hereby give you perpetual unlimited permission to copy,
+# modify and relicense this file, provided that you do not remove
+# my name from the file itself.  (I assert my moral right of
+# paternity under the Copyright, Designs and Patents Act 1988.)
+# This file may have to be extensively modified
+
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# avoid -pie for gpgv-static on kfreebsd-amd64, and x32
+# platforms, which cannot support it by default:
+ifeq (,$(filter $(DEB_HOST_ARCH), kfreebsd-amd64 x32))
+GPGV_STATIC_HARDENING = "-pie"
+else
+GPGV_STATIC_HARDENING = ""
+endif
+
+# Avoid parallel tests on hppa and riscv64 architecture.
+# Parallel tests generates high load on machine which causes timeouts and thus
+# triggers unexpected failures.
+ifeq (,$(filter $(DEB_HOST_ARCH), hppa riscv64))
+AUTOTEST_FLAGS = "--parallel"
+else
+AUTOTEST_FLAGS = "--no-parallel"
+endif
+
+%:
+	dh $@ --with=autoreconf --builddirectory=build
+
+GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns
+
+WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS=
+
+override_dh_auto_configure:
+	dh_auto_configure --builddirectory=build-gpgv-udeb -- \
+	   	$(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x))
+	dh_auto_configure --builddirectory=build-maintainer -- \
+		--enable-maintainer-mode \
+	   	$(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x))
+	dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \
+		--enable-wks-tools \
+		--enable-all-tests \
+		--with-agent-s2k-calibration=300 \
+		--enable-large-secmem
+
+override_dh_auto_build-arch:
+	dh_auto_build --builddirectory=build-gpgv-udeb
+	dh_auto_build --builddirectory=build
+	dh_auto_build --builddirectory=build-maintainer
+	cp -a build-gpgv-udeb build-gpgv-static
+	rm -f build-gpgv-static/g10/gpgv
+	cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv
+	mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
+
+override_dh_auto_build-indep:
+	mkdir -p build-gpgv-win32
+	cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \
+	   	$(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \
+		$(foreach x, libgpg-error libgcrypt libassuan ksba npth, --with-$x-prefix=/usr/i686-w64-mingw32) \
+		--enable-gpg2-is-gpg \
+		--with-zlib=/usr/i686-w64-mingw \
+		--prefix=/usr/i686-w64-mingw32 \
+		--host i686-w64-mingw32
+	cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a
+	cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a
+	cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a
+	cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a
+	cd build-gpgv-win32/regexp && $(WIN32_FLAGS) $(MAKE) libregexp.a
+	cd build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) gpgv.exe
+	strip build-gpgv-win32/g10/gpgv.exe
+
+
+override_dh_auto_test:
+	dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS)
+
+override_dh_shlibdeps:
+# Make ldap a recommends rather than a hard dependency.
+	dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr*
+	dh_shlibdeps -Ndirmngr
+
+# visualizations of package dependencies:
+debian/%.png: debian/%.dot
+	dot -T png -o $@ $<
diff --git a/debian/scdaemon.examples b/debian/scdaemon.examples
new file mode 100644
index 0000000..29f41a8
--- /dev/null
+++ b/debian/scdaemon.examples
@@ -0,0 +1 @@
+doc/examples/scd-event
diff --git a/debian/scdaemon.install b/debian/scdaemon.install
new file mode 100644
index 0000000..5b7bd35
--- /dev/null
+++ b/debian/scdaemon.install
@@ -0,0 +1,2 @@
+debian/org.gnupg.scdaemon.metainfo.xml usr/share/metainfo
+debian/tmp/usr/lib/gnupg/scdaemon
diff --git a/debian/scdaemon.lintian-overrides b/debian/scdaemon.lintian-overrides
new file mode 100644
index 0000000..393fa7b
--- /dev/null
+++ b/debian/scdaemon.lintian-overrides
@@ -0,0 +1,2 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+scdaemon: spare-manual-page [usr/share/man/man1/scdaemon.1.gz]
diff --git a/debian/scdaemon.manpages b/debian/scdaemon.manpages
new file mode 100644
index 0000000..9efee23
--- /dev/null
+++ b/debian/scdaemon.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/scdaemon.1
diff --git a/debian/scdaemon.udev b/debian/scdaemon.udev
new file mode 100644
index 0000000..236d123
--- /dev/null
+++ b/debian/scdaemon.udev
@@ -0,0 +1,69 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gemalto
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Reiner (SCT cyberJack)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Kobil (KAAN)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## VASCO (DIGIPASS 920)
+SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Crypto Stick
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Nitrokey
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Librem Key
+SUBSYSTEM=="usb", ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gnuk Token
+SUBSYSTEM=="usb", ATTR{product}=="Gnuk Token", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2440", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Fujitsu Siemens
+SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Trustica Cryptoucan
+SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"
diff --git a/debian/simplified-package-dependencies.dot b/debian/simplified-package-dependencies.dot
new file mode 100644
index 0000000..2edb3fb
--- /dev/null
+++ b/debian/simplified-package-dependencies.dot
@@ -0,0 +1,43 @@
+#!/usr/bin/dot
+
+# interrelationships between binary packages produced by gnupg2 source
+# package, if we were to move to the simplified package structure:
+
+# it would be good to graph the external dependencies as well.
+
+digraph gnupg2 {
+        # odd-duck packages:
+        node [shape=box];
+        gpgv_udeb [label="gpgv-udeb"];
+        gpgv_static [label="gpgv-static"];
+        gpgv_win32 [label="gpgv-win32"];
+
+        # meta-packages, transitional packages:
+        node [shape=diamond];
+        gnupg_agent [label="gnupg-agent"];
+        gnupg2;
+        gpgv2;
+        gpgsm;
+        dirmngr;
+        
+        node [shape=ellipse];
+        gnupg_l10n [label="gnupg-l10n"];
+        
+        # depends:
+        edge [color=black];
+        scdaemon -> gnupg;
+        gnupg2 -> gnupg;
+        gnupg_agent -> gnupg;
+        gpgsm -> gnupg;
+        dirmngr -> gnupg;
+        gpgv2 -> gpgv;
+
+        # recommends:
+        edge [color=red];
+        gnupg -> gnupg_l10n;
+        gnupg -> gpgv;
+        
+        # suggests:
+        edge [color=blue];
+        gpgv -> gnupg;
+}
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..4c48501
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,4 @@
+# doc merely references / cites IETF RFC: 
+gnupg2 source: license-problem-non-free-RFC [doc/OpenPGP]
+# for the older version of lintian used on ftp-master
+gnupg2 source: license-problem-non-free-RFC doc/OpenPGP
diff --git a/debian/systemd-environment-generator/90gpg-agent b/debian/systemd-environment-generator/90gpg-agent
new file mode 100755
index 0000000..7ece62b
--- /dev/null
+++ b/debian/systemd-environment-generator/90gpg-agent
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# If enable-ssh-support is present in gpg-agent.conf, export SSH_AUTH_SOCK
+# pointing at the gpg-agent's ssh-agent compatibility layer.
+
+# Authors:
+#   rufo <rufo@rufoa.com>
+#   Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+# See https://bugs.debian.org/855868
+
+# see gpgconf(1): $5 is the "okay" field.
+# see also https://dev.gnupg.org/T4866 and https://dev.gnupg.org/T4867
+get_okay='BEGIN{ret=1} /^gpg-agent:/{if ($5 == "1") { ret=0; exit 0 } } END {exit ret}'
+
+if gpgconf --check-options gpg-agent | awk -F: "$get_okay" && \
+       [ -n "$(gpgconf --list-options gpg-agent | \
+              awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+    echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+    echo GSM_SKIP_SSH_AGENT_WORKAROUND=true
+fi
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9609918
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,12 @@
+Tests: gpgv-win32
+Depends: gpgv-win32, gnupg2, gpgv2, wine32, diffutils
+Restrictions: allow-stderr
+Architecture: i386
+
+Tests: simple-tests
+Depends: gnupg2, gpgv2
+Restrictions: allow-stderr
+
+Tests: migration
+Depends: gpg, gnupg1, gnupg-utils, debian-archive-keyring, diffutils
+Restrictions: allow-stderr
diff --git a/debian/tests/gpgv-win32 b/debian/tests/gpgv-win32
new file mode 100755
index 0000000..035c060
--- /dev/null
+++ b/debian/tests/gpgv-win32
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+export GNUPGHOME=$(mktemp -d)
+gpgargs=(--batch --quiet --pinentry-mode=loopback --passphrase '' --with-colons)
+
+# Generate a minimal signing key:
+gpg "${gpgargs[@]}" --quick-gen-key 'Test key for gpgv-win32 <test-key@example.com>'
+
+gpg "${gpgargs[@]}" -o "$GNUPGHOME/key.gpg" --export test-key@example.com
+
+# Sign this very script
+rm -f "${0}.gpg"
+gpg "${gpgargs[@]}" --output "${0}.gpg" --detach-sign "${0}"
+
+# Verify using gpgv
+gpgv --quiet --status-fd 3 3> native.status --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}"
+
+WINE=/usr/lib/wine/wine
+export WINESERVER=/usr/lib/wine/wineserver32
+
+# Verify using gpgv.exe (using --status-fd 1 because i don't know how
+# to pass a non-standard file descriptor into wine)
+"$WINE" /usr/share/win32/gpgv.exe --quiet --status-fd 1 > win32.status --keyring "Z://${GNUPGHOME}/key.gpg" "${0}.gpg" "${0}" 
+
+# convert to unix newlines if necessary:
+sed -i 's/\r$//' win32.status
+
+diff -u native.status win32.status
+
+head -v win32.status
+
+rm -rf "$GNUPGHOME"
diff --git a/debian/tests/migration b/debian/tests/migration
new file mode 100755
index 0000000..2179e65
--- /dev/null
+++ b/debian/tests/migration
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME="$DIR/gnupg"
+gpg=(gpg --homedir "$GPG_HOME" --batch --quiet --with-colons)
+gpg1=(gpg1 --homedir "$GPG_HOME" --batch --quiet --with-colons)
+
+mkdir "$GPG_HOME"
+chmod 700 "$GPG_HOME"
+
+cat $(ls /usr/share/keyrings/debian-archive-*.gpg \
+	| grep -vE 'debian-archive-bookworm-stable.gpg|debian-archive-keyring.gpg') \
+	| "${gpg1[@]}" --import
+"${gpg1[@]}" --list-keys
+"${gpg[@]}" --list-keys > "$DIR/key.list.before"
+migrate-pubring-from-classic-gpg "$GPG_HOME"
+"${gpg[@]}" --list-keys > "$DIR/key.list.after"
+
+diff -u "$DIR/key.list.before" "$DIR/key.list.after"
diff --git a/debian/tests/simple-tests b/debian/tests/simple-tests
new file mode 100644
index 0000000..97d4ab4
--- /dev/null
+++ b/debian/tests/simple-tests
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME=$DIR/gnupg
+gpg="gpg --homedir $GPG_HOME"
+
+mkdir $GPG_HOME
+chmod 700 $GPG_HOME
+
+#trap "cd $HOME && rm -rf $DIR" EXIT
+
+cd $DIR
+
+cat > key-batch << EOF
+Key-Type: default
+Subkey-Type: default
+Name-Real: test case
+Name-Email: example@example.com
+Expire-Date: 0
+%no-protection
+%commit
+EOF
+
+$gpg --batch --generate-key key-batch
+$gpg -abs < $GPG_HOME/pubring.kbx > pubring.kbx.asc
+$gpg --verify pubring.kbx.asc $GPG_HOME/pubring.kbx
+gpgv --keyring $GPG_HOME/pubring.kbx pubring.kbx.asc $GPG_HOME/pubring.kbx
+
+# Encrypt
+$gpg -e -r example@example.com < $GPG_HOME/pubring.kbx > pubring.kbx.gpg
+$gpg -d -r example@example.com < pubring.kbx.gpg > pubring.kbx.gpg.dec
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..b488eb4
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+---
+Bug-Database: https://dev.gnupg.org/maniphest/
+Bug-Submit: https://dev.gnupg.org/maniphest/task/edit/form/3/
+Repository: https://dev.gnupg.org/source/gnupg.git
+Repository-Browse: https://dev.gnupg.org/source/gnupg/
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..78961a8
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,43 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7avmDMEX0PliRYJKwYBBAHaRw8B
+AQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5lciBLb2No
+IChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJAlKIl7gm
+QDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAK
+CRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0EXRgJgD/
+YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaYMwRgpIKHFgkrBgEEAdpH
+DwEBB0CZnX8KfIxDeT93hI4UIlpOs0IvLrb4Dr2A+e15hPh/PrQgTmlpYmUgWXV0
+YWthIChHbnVQRyBSZWxlYXNlIEtleSmImgQTFgoAQhYhBKyOEVv3Pi2NR/qZCOmO
+my0Zxsi9BQJgpIKHAhsDBQkLDQaZBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIX
+gAAKCRDpjpstGcbIvf+CAP9a70q9zFPkr+I4TQ8w/gngt4Jh5D3sOqYvVRxLBMHY
+JgEA9gbYl+8NbCS/wgcpRlr+Y8Y+N+OZj/WH2ZtEbIMz4ww=
+=ISI5
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..b89638b
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+version=4
+
+opts=pgpsigurlmangle=s/$/.sig/ \
+  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-(2\.2\.[0-9]+)@ARCHIVE_EXT@ \
+  debian