[Pkg-gnupg-commit] [gnupg2] 01/03: more fixes from upstream (improving on but not yet closing: #849845)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 18 08:23:34 UTC 2017
dkg pushed a commit to branch master
in repository gnupg2.
commit 857e32ddd8474f4b9f4eb62ed6acdd1acb0c29d7
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Jan 11 15:44:50 2017 -0500
more fixes from upstream (improving on but not yet closing: #849845)
---
...-Avoid-unnecessary-ambiguity-in-argparse.patch} | 2 +
...common-New-function-log_debug_with_string.patch | 273 +++++++++++++++++++++
.../0039-dirmngr-Add-debug-code-to-http.c.patch | 237 ++++++++++++++++++
...r-Implement-debug-option-network-for-http.patch | 44 ++++
...ove-warnings-about-unused-global-variable.patch | 40 +++
...2-dirmngr-Fix-Tor-access-for-v6-addresses.patch | 107 ++++++++
.../0043-dirmngr-Mark-hosts-dead-on-ENETDOWN.patch | 40 +++
...er-a-connection-failure-log-a-hint-if-Tor.patch | 35 +++
...045-libdns-Provide-replacement-for-EPROTO.patch | 32 +++
...nce-Wstrict-prototypes-on-some-function-p.patch | 43 ++++
...build-Make-autogen.sh-more-POSIX-friendly.patch | 40 +++
...Rename-a-var-to-avoid-a-shadowing-warning.patch | 42 ++++
...e-autogen.sh-more-POSIX-friendly-next-try.patch | 27 ++
...-URL-creation-for-literal-IPv6-addresses-.patch | 205 ++++++++++++++++
...id-network-queries-for-literal-IP-address.patch | 36 +++
...ngr-Allow-reverse-DNS-lookups-in-Tor-mode.patch | 272 ++++++++++++++++++++
...lement-hkps-lookups-using-literal-address.patch | 61 +++++
...-some-key-cleaning-function-for-use-with-.patch | 97 ++++++++
...n-Remove-unused-function-tty_print_string.patch | 181 ++++++++++++++
...-print-of-additional-sig-data-in-edit-key.patch | 232 +++++++++++++++++
...-bogus-subkey-binding-when-cleaning-a-key.patch | 80 ++++++
...ndle-packages-with-dashes-in-find-version.patch | 86 +++++++
debian/patches/series | 23 +-
23 files changed, 2234 insertions(+), 1 deletion(-)
diff --git a/debian/patches/resolve-ambiguity/0036-common-Avoid-unnecessary-ambiguity-in-argparse.patch b/debian/patches/0037-common-Avoid-unnecessary-ambiguity-in-argparse.patch
similarity index 94%
rename from debian/patches/resolve-ambiguity/0036-common-Avoid-unnecessary-ambiguity-in-argparse.patch
rename to debian/patches/0037-common-Avoid-unnecessary-ambiguity-in-argparse.patch
index 5faf432..be0cce7 100644
--- a/debian/patches/resolve-ambiguity/0036-common-Avoid-unnecessary-ambiguity-in-argparse.patch
+++ b/debian/patches/0037-common-Avoid-unnecessary-ambiguity-in-argparse.patch
@@ -3,6 +3,7 @@ Date: Tue, 10 Jan 2017 15:59:36 -0500
Subject: common: Avoid unnecessary ambiguity in argparse.
* common/argparse.c (find_long_option): Avoid unnecessary ambiguity.
+--
If two struct ARGPARSE_OPTS share a prefix in their long_opt name, but
have the exact same short_opt and flags, they are aliases and not
@@ -11,6 +12,7 @@ example) both --clearsign and --clear-sign can be invoked as --clear.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Debian-Bug-Id: 850475
+(cherry picked from commit 7249ab0f95d1f6cb8ee61eefedc79801bb56398f)
---
common/argparse.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/patches/0038-common-New-function-log_debug_with_string.patch b/debian/patches/0038-common-New-function-log_debug_with_string.patch
new file mode 100644
index 0000000..77b5acc
--- /dev/null
+++ b/debian/patches/0038-common-New-function-log_debug_with_string.patch
@@ -0,0 +1,273 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 10:21:32 +0100
+Subject: common: New function log_debug_with_string.
+
+* common/logging.c (do_logv): Factor some code out to ...
+(print_prefix): new.
+(log_logv): Add arg EXTRASTRING and print it. Change all callers to
+pass NULL for it.
+(log_debug_with_string): New. Uses EXTRASTRING.
+--
+
+This function can be used to print a human readable buffer in addition
+to a log message to the log stream. This function will keep all lines
+together and prefix them with ">> ".
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 088d71d3671e74eb088386026f0e439a7e3b5543)
+---
+ common/logging.c | 141 ++++++++++++++++++++++++++++++++++++++++---------------
+ common/logging.h | 2 +
+ 2 files changed, 106 insertions(+), 37 deletions(-)
+
+diff --git a/common/logging.c b/common/logging.c
+index c06a34f38..0db1860c1 100644
+--- a/common/logging.c
++++ b/common/logging.c
+@@ -665,31 +665,10 @@ log_get_stream ()
+ return logstream;
+ }
+
++
+ static void
+-do_logv (int level, int ignore_arg_ptr, const char *fmt, va_list arg_ptr)
++print_prefix (int level, int leading_backspace)
+ {
+- if (!logstream)
+- {
+-#ifdef HAVE_W32_SYSTEM
+- char *tmp;
+-
+- tmp = (no_registry
+- ? NULL
+- : read_w32_registry_string (NULL, GNUPG_REGISTRY_DIR,
+- "DefaultLogFile"));
+- log_set_file (tmp && *tmp? tmp : NULL);
+- xfree (tmp);
+-#else
+- log_set_file (NULL); /* Make sure a log stream has been set. */
+-#endif
+- assert (logstream);
+- }
+-
+- es_flockfile (logstream);
+- if (missing_lf && level != GPGRT_LOG_CONT)
+- es_putc_unlocked ('\n', logstream );
+- missing_lf = 0;
+-
+ if (level != GPGRT_LOG_CONT)
+ { /* Note this does not work for multiple line logging as we would
+ * need to print to a buffer first */
+@@ -720,11 +699,9 @@ do_logv (int level, int ignore_arg_ptr, const char *fmt, va_list arg_ptr)
+ es_putc_unlocked (':', logstream);
+ /* A leading backspace suppresses the extra space so that we can
+ correctly output, programname, filename and linenumber. */
+- if (fmt && *fmt == '\b')
+- fmt++;
+- else
+- if (with_time || with_prefix || with_pid || force_prefixes)
+- es_putc_unlocked (' ', logstream);
++ if (!leading_backspace
++ && (with_time || with_prefix || with_pid || force_prefixes))
++ es_putc_unlocked (' ', logstream);
+ }
+
+ switch (level)
+@@ -741,6 +718,40 @@ do_logv (int level, int ignore_arg_ptr, const char *fmt, va_list arg_ptr)
+ es_fprintf_unlocked (logstream,"[Unknown log level %d]: ", level);
+ break;
+ }
++}
++
++
++static void
++do_logv (int level, int ignore_arg_ptr, const char *extrastring,
++ const char *fmt, va_list arg_ptr)
++{
++ int leading_backspace = (fmt && *fmt == '\b');
++
++ if (!logstream)
++ {
++#ifdef HAVE_W32_SYSTEM
++ char *tmp;
++
++ tmp = (no_registry
++ ? NULL
++ : read_w32_registry_string (NULL, GNUPG_REGISTRY_DIR,
++ "DefaultLogFile"));
++ log_set_file (tmp && *tmp? tmp : NULL);
++ xfree (tmp);
++#else
++ log_set_file (NULL); /* Make sure a log stream has been set. */
++#endif
++ assert (logstream);
++ }
++
++ es_flockfile (logstream);
++ if (missing_lf && level != GPGRT_LOG_CONT)
++ es_putc_unlocked ('\n', logstream );
++ missing_lf = 0;
++
++ print_prefix (level, leading_backspace);
++ if (leading_backspace)
++ fmt++;
+
+ if (fmt)
+ {
+@@ -766,6 +777,48 @@ do_logv (int level, int ignore_arg_ptr, const char *fmt, va_list arg_ptr)
+ missing_lf = 1;
+ }
+
++ /* If we have an EXTRASTRING print it now while we still hold the
++ * lock on the logstream. */
++ if (extrastring)
++ {
++ int c;
++
++ if (missing_lf)
++ {
++ es_putc_unlocked ('\n', logstream);
++ missing_lf = 0;
++ }
++ print_prefix (level, leading_backspace);
++ es_fputs_unlocked (">> ", logstream);
++ missing_lf = 1;
++ while ((c = *extrastring++))
++ {
++ missing_lf = 1;
++ if (c == '\\')
++ es_fputs_unlocked ("\\\\", logstream);
++ else if (c == '\r')
++ es_fputs_unlocked ("\\r", logstream);
++ else if ((c == '\n'))
++ {
++ es_fputs_unlocked ("\\n\n", logstream);
++ if (*extrastring)
++ {
++ print_prefix (level, leading_backspace);
++ es_fputs_unlocked (">> ", logstream);
++ }
++ else
++ missing_lf = 0;
++ }
++ else
++ es_putc_unlocked (c, logstream);
++ }
++ if (missing_lf)
++ {
++ es_putc_unlocked ('\n', logstream);
++ missing_lf = 0;
++ }
++ }
++
+ if (level == GPGRT_LOG_FATAL)
+ {
+ if (missing_lf)
+@@ -804,7 +857,7 @@ log_log (int level, const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt) ;
+- do_logv (level, 0, fmt, arg_ptr);
++ do_logv (level, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ }
+
+@@ -812,7 +865,7 @@ log_log (int level, const char *fmt, ...)
+ void
+ log_logv (int level, const char *fmt, va_list arg_ptr)
+ {
+- do_logv (level, 0, fmt, arg_ptr);
++ do_logv (level, 0, NULL, fmt, arg_ptr);
+ }
+
+
+@@ -821,7 +874,7 @@ do_log_ignore_arg (int level, const char *str, ...)
+ {
+ va_list arg_ptr;
+ va_start (arg_ptr, str);
+- do_logv (level, 1, str, arg_ptr);
++ do_logv (level, 1, NULL, str, arg_ptr);
+ va_end (arg_ptr);
+ }
+
+@@ -843,7 +896,7 @@ log_info (const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt);
+- do_logv (GPGRT_LOG_INFO, 0, fmt, arg_ptr);
++ do_logv (GPGRT_LOG_INFO, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ }
+
+@@ -854,7 +907,7 @@ log_error (const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt);
+- do_logv (GPGRT_LOG_ERROR, 0, fmt, arg_ptr);
++ do_logv (GPGRT_LOG_ERROR, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ /* Protect against counter overflow. */
+ if (errorcount < 30000)
+@@ -868,7 +921,7 @@ log_fatal (const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt);
+- do_logv (GPGRT_LOG_FATAL, 0, fmt, arg_ptr);
++ do_logv (GPGRT_LOG_FATAL, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ abort (); /* Never called; just to make the compiler happy. */
+ }
+@@ -880,7 +933,7 @@ log_bug (const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt);
+- do_logv (GPGRT_LOG_BUG, 0, fmt, arg_ptr);
++ do_logv (GPGRT_LOG_BUG, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ abort (); /* Never called; just to make the compiler happy. */
+ }
+@@ -892,7 +945,21 @@ log_debug (const char *fmt, ...)
+ va_list arg_ptr ;
+
+ va_start (arg_ptr, fmt);
+- do_logv (GPGRT_LOG_DEBUG, 0, fmt, arg_ptr);
++ do_logv (GPGRT_LOG_DEBUG, 0, NULL, fmt, arg_ptr);
++ va_end (arg_ptr);
++}
++
++
++/* The same as log_debug but at the end of the output STRING is
++ * printed with LFs expanded to include the prefix and a final --end--
++ * marker. */
++void
++log_debug_with_string (const char *string, const char *fmt, ...)
++{
++ va_list arg_ptr ;
++
++ va_start (arg_ptr, fmt);
++ do_logv (GPGRT_LOG_DEBUG, 0, string, fmt, arg_ptr);
+ va_end (arg_ptr);
+ }
+
+@@ -903,7 +970,7 @@ log_printf (const char *fmt, ...)
+ va_list arg_ptr;
+
+ va_start (arg_ptr, fmt);
+- do_logv (fmt ? GPGRT_LOG_CONT : GPGRT_LOG_BEGIN, 0, fmt, arg_ptr);
++ do_logv (fmt ? GPGRT_LOG_CONT : GPGRT_LOG_BEGIN, 0, NULL, fmt, arg_ptr);
+ va_end (arg_ptr);
+ }
+
+diff --git a/common/logging.h b/common/logging.h
+index d062f1413..8215a2b2a 100644
+--- a/common/logging.h
++++ b/common/logging.h
+@@ -96,6 +96,8 @@ void log_fatal (const char *fmt, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+ void log_error (const char *fmt, ...) GPGRT_ATTR_PRINTF(1,2);
+ void log_info (const char *fmt, ...) GPGRT_ATTR_PRINTF(1,2);
+ void log_debug (const char *fmt, ...) GPGRT_ATTR_PRINTF(1,2);
++void log_debug_with_string (const char *string, const char *fmt,
++ ...) GPGRT_ATTR_PRINTF(2,3);
+ void log_printf (const char *fmt, ...) GPGRT_ATTR_PRINTF(1,2);
+ void log_flush (void);
+
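Review bot: The EXTRASTRING loop added to do_logv escapes only `\\`, `\r` and `\n`; every other control byte (ESC, backspace and so on) goes to `es_putc_unlocked` unchanged, and a later patch in this series passes HTTP response lines from the network to this function. A log viewed on a terminal can therefore be affected by control sequences chosen by the remote server. Consider one more branch before the final `else`, for example `else if ((c >= 0 && c < 0x20) || c == 0x7f) es_fprintf_unlocked (logstream, "\\x%02x", c);`. Separately, the comment above log_debug_with_string promises "a final --end-- marker" that the code never prints; it should describe the `>> ` line prefix that is actually implemented.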
diff --git a/debian/patches/0039-dirmngr-Add-debug-code-to-http.c.patch b/debian/patches/0039-dirmngr-Add-debug-code-to-http.c.patch
new file mode 100644
index 0000000..2e145e7
--- /dev/null
+++ b/debian/patches/0039-dirmngr-Add-debug-code-to-http.c.patch
@@ -0,0 +1,237 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 10:34:49 +0100
+Subject: dirmngr: Add debug code to http.c.
+
+* dirmngr/http.c (opt_verbose, opt_debug): New vars.
+(http_set_verbose): New function.
+(_my_socket_new): Add debug output.
+(_my_socket_ref, _my_socket_unref, session_unref): Call log_debug if
+OPT_DEBUG has ben set to 2 in a debugger.
+(http_session_new, http_session_ref): Ditto.
+(send_request, http_start_data): Print debug output for the request.
+(parse_response): Change to use log_debug_string for the response.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 02ab4b0085f8b4cdfe163d25ddd0fc80753d7f4a)
+---
+ dirmngr/http.c | 74 +++++++++++++++++++++++++++++++++++++++++-----------------
+ dirmngr/http.h | 2 ++
+ 2 files changed, 54 insertions(+), 22 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 0a47d9f59..c1a60be41 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2,7 +2,7 @@
+ * Copyright (C) 1999, 2001, 2002, 2003, 2004, 2006, 2009, 2010,
+ * 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2014 Werner Koch
+- * Copyright (C) 2015 g10 Code GmbH
++ * Copyright (C) 2015-2017 g10 Code GmbH
+ *
+ * This file is part of GnuPG.
+ *
+@@ -255,6 +255,12 @@ struct http_context_s
+ };
+
+
++/* Two flags to enable verbose and debug mode. Although currently not
++ * set-able a value > 1 for OPT_DEBUG enables debugging of the session
++ * reference counting. */
++static int opt_verbose;
++static int opt_debug;
++
+ /* The global callback for the verification function. */
+ static gpg_error_t (*tls_callback) (http_t, http_session_t, int);
+
+@@ -330,9 +336,9 @@ _my_socket_new (int lnr, assuan_fd_t fd)
+ }
+ so->fd = fd;
+ so->refcount = 1;
+- /* log_debug ("http.c:socket_new(%d): object %p for fd %d created\n", */
+- /* lnr, so, so->fd); */
+- (void)lnr;
++ if (opt_debug)
++ log_debug ("http.c:%d:socket_new: object %p for fd %d created\n",
++ lnr, so, so->fd);
+ return so;
+ }
+ #define my_socket_new(a) _my_socket_new (__LINE__, (a))
+@@ -342,9 +348,9 @@ static my_socket_t
+ _my_socket_ref (int lnr, my_socket_t so)
+ {
+ so->refcount++;
+- /* log_debug ("http.c:socket_ref(%d) object %p for fd %d refcount now %d\n", */
+- /* lnr, so, so->fd, so->refcount); */
+- (void)lnr;
++ if (opt_debug > 1)
++ log_debug ("http.c:%d:socket_ref: object %p for fd %d refcount now %d\n",
++ lnr, so, so->fd, so->refcount);
+ return so;
+ }
+ #define my_socket_ref(a) _my_socket_ref (__LINE__,(a))
+@@ -360,9 +366,10 @@ _my_socket_unref (int lnr, my_socket_t so,
+ if (so)
+ {
+ so->refcount--;
+- /* log_debug ("http.c:socket_unref(%d): object %p for fd %d ref now %d\n", */
+- /* lnr, so, so->fd, so->refcount); */
+- (void)lnr;
++ if (opt_debug > 1)
++ log_debug ("http.c:%d:socket_unref: object %p for fd %d ref now %d\n",
++ lnr, so, so->fd, so->refcount);
++
+ if (!so->refcount)
+ {
+ if (preclose)
+@@ -469,6 +476,15 @@ make_header_line (const char *prefix, const char *suffix,
+
+
+
++/* Set verbosity and debug mode for this module. */
++void
++http_set_verbose (int verbose, int debug)
++{
++ opt_verbose = verbose;
++ opt_debug = debug;
++}
++
++
+ /* Register a non-standard global TLS callback function. If no
+ verification is desired a callback needs to be registered which
+ always returns NULL. */
+@@ -562,9 +578,9 @@ session_unref (int lnr, http_session_t sess)
+ return;
+
+ sess->refcount--;
+- /* log_debug ("http.c:session_unref(%d): sess %p ref now %d\n", */
+- /* lnr, sess, sess->refcount); */
+- (void)lnr;
++ if (opt_debug > 1)
++ log_debug ("http.c:%d:session_unref: sess %p ref now %d\n",
++ lnr, sess, sess->refcount);
+ if (sess->refcount)
+ return;
+
+@@ -731,7 +747,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
+ }
+ #endif /*!HTTP_USE_GNUTLS*/
+
+- /* log_debug ("http.c:session_new: sess %p created\n", sess); */
++ if (opt_debug > 1)
++ log_debug ("http.c:session_new: sess %p created\n", sess);
+ err = 0;
+
+ #if USE_TLS
+@@ -754,8 +771,9 @@ http_session_ref (http_session_t sess)
+ if (sess)
+ {
+ sess->refcount++;
+- /* log_debug ("http.c:session_ref: sess %p ref now %d\n", sess, */
+- /* sess->refcount); */
++ if (opt_debug > 1)
++ log_debug ("http.c:session_ref: sess %p ref now %d\n",
++ sess, sess->refcount);
+ }
+ return sess;
+ }
+@@ -937,6 +955,8 @@ http_start_data (http_t hd)
+ {
+ if (!hd->in_data)
+ {
++ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
++ log_debug_with_string ("\r\n", "http.c:request-header:");
+ es_fputs ("\r\n", hd->fp_write);
+ es_fflush (hd->fp_write);
+ hd->in_data = 1;
+@@ -1881,7 +1901,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
+ return err;
+ }
+
+- /* log_debug ("request:\n%s\nEND request\n", request); */
++ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
++ log_debug_with_string (request, "http.c:request:");
+
+ /* First setup estream so that we can write even the first line
+ using estream. This is also required for the sake of gnutls. */
+@@ -1916,6 +1937,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
+ {
+ for (;headers; headers=headers->next)
+ {
++ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
++ log_debug_with_string (headers->d, "http.c:request-header:");
+ if ((es_fputs (headers->d, hd->fp_write) || es_fflush (hd->fp_write))
+ || (es_fputs("\r\n",hd->fp_write) || es_fflush(hd->fp_write)))
+ {
+@@ -2167,8 +2190,7 @@ parse_response (http_t hd)
+ return GPG_ERR_EOF;
+
+ if ((hd->flags & HTTP_FLAG_LOG_RESP))
+- log_info ("RESP: '%.*s'\n",
+- (int)strlen(line)-(*line&&line[1]?2:0),line);
++ log_debug_with_string (line, "http.c:response:\n");
+ }
+ while (!*line);
+
+@@ -2213,7 +2235,7 @@ parse_response (http_t hd)
+ if ((*line == '\r' && line[1] == '\n') || *line == '\n')
+ *line = 0;
+ if ((hd->flags & HTTP_FLAG_LOG_RESP))
+- log_info ("RESP: '%.*s'\n",
++ log_info ("http.c:RESP: '%.*s'\n",
+ (int)strlen(line)-(*line&&line[1]?2:0),line);
+ if (*line)
+ {
+@@ -2341,6 +2363,9 @@ connect_server (const char *server, unsigned short port,
+ {
+ #ifdef ASSUAN_SOCK_TOR
+
++ if (opt_debug)
++ log_debug ("http.c:connect_server:onion: name='%s' port=%hu\n",
++ server, port);
+ sock = assuan_sock_connect_byname (server, port, 0, NULL,
+ ASSUAN_SOCK_TOR);
+ if (sock == ASSUAN_INVALID_FD)
+@@ -2389,6 +2414,9 @@ connect_server (const char *server, unsigned short port,
+ {
+ dns_addrinfo_t aibuf, ai;
+
++ if (opt_debug)
++ log_debug ("http.c:connect_server: trying name='%s' port=%hu\n",
++ serverlist[srv].target, port);
+ err = resolve_dns_name (serverlist[srv].target, port, 0, SOCK_STREAM,
+ &aibuf, NULL);
+ if (err)
+@@ -2539,7 +2567,8 @@ cookie_read (void *cookie, void *buffer, size_t size)
+
+ ntbtls_get_stream (c->session->tls_session, &in, &out);
+ nread = es_fread (buffer, 1, size, in);
+- log_debug ("TLS network read: %d/%u\n", nread, size);
++ if (opt_debug)
++ log_debug ("TLS network read: %d/%u\n", nread, size);
+ }
+ else
+ #elif HTTP_USE_GNUTLS
+@@ -2631,7 +2660,8 @@ cookie_write (void *cookie, const void *buffer_arg, size_t size)
+ es_fflush (out);
+ else
+ nwritten = es_fwrite (buffer, 1, size, out);
+- log_debug ("TLS network write: %d/%u\n", nwritten, size);
++ if (opt_debug)
++ log_debug ("TLS network write: %d/%u\n", nwritten, size);
+ }
+ else
+ #elif HTTP_USE_GNUTLS
+diff --git a/dirmngr/http.h b/dirmngr/http.h
+index 32556a4e0..0b581fe3c 100644
+--- a/dirmngr/http.h
++++ b/dirmngr/http.h
+@@ -97,6 +97,8 @@ typedef struct http_session_s *http_session_t;
+ struct http_context_s;
+ typedef struct http_context_s *http_t;
+
++void http_set_verbose (int verbose, int debug);
++
+ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
+ void http_register_tls_ca (const char *fname);
+ void http_register_netactivity_cb (void (*cb)(void));
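Review bot: The new `log_debug_with_string (request, "http.c:request:")` call in send_request, and the per-header call in the loop below it, write the full request to the log whenever `opt_debug` or HTTP_FLAG_LOG_RESP is set. send_request takes an `auth` argument, so the logged text may include Authorization or proxy credentials; the request buffer is built outside the hunk, so this is inferred. Consider redacting credential-bearing header values before logging, or at least stating in the comment on `http_set_verbose` that network debug output is sensitive and that HTTP_FLAG_LOG_RESP now logs requests as well as responses. Separately, the now-conditional `log_debug ("TLS network read: %d/%u\n", nread, size)` in cookie_read and its twin in cookie_write still pass a `size_t` to `%u`; a cast such as `(unsigned int)size` would make the argument match the format.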
diff --git a/debian/patches/0040-dirmngr-Implement-debug-option-network-for-http.patch b/debian/patches/0040-dirmngr-Implement-debug-option-network-for-http.patch
new file mode 100644
index 0000000..5be1e4a
--- /dev/null
+++ b/debian/patches/0040-dirmngr-Implement-debug-option-network-for-http.patch
@@ -0,0 +1,44 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 10:35:46 +0100
+Subject: dirmngr: Implement debug option "network" for http.
+
+* dirmngr/dirmngr.c (parse_rereadable_options): Set http debugging.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit da894c48ec3393e7c815f575daa5a52ab37cc102)
+---
+ dirmngr/dirmngr.c | 1 +
+ doc/dirmngr.texi | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 5abfe78c6..c225d02da 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -644,6 +644,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
+ }
+
+ set_dns_verbose (opt.verbose, !!DBG_DNS);
++ http_set_verbose (opt.verbose, !!DBG_NETWORK);
+
+ return 1; /* Handled. */
+ }
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 4448bf0e6..e27157c00 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -198,9 +198,11 @@ however carefully selected to best aid in debugging.
+
+ @item --debug @var{flags}
+ @opindex debug
+-This option is only useful for debugging and the behavior may change at
+-any time without notice. FLAGS are bit encoded and may be given in
+-usual C-Syntax.
++Set debugging flags. This option is only useful for debugging and its
++behavior may change with a new release. All flags are or-ed and may
++be given in C syntax (e.g. 0x0042) or as a comma separated list of
++flag names. To get a list of all supported flags the single word
++"help" can be used.
+
+ @item --debug-all
+ @opindex debug-all
diff --git a/debian/patches/0041-dirmngr-Remove-warnings-about-unused-global-variable.patch b/debian/patches/0041-dirmngr-Remove-warnings-about-unused-global-variable.patch
new file mode 100644
index 0000000..c30eaa5
--- /dev/null
+++ b/debian/patches/0041-dirmngr-Remove-warnings-about-unused-global-variable.patch
@@ -0,0 +1,40 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 10:48:20 +0100
+Subject: dirmngr: Remove warnings about unused global variables.
+
+* dirmngr/crlcache.c (oidstr_issuingDistributionPoint): Comment.
+* dirmngr/ocsp.c (oidstr_certHash): Comment.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 915864e7f0315b0c96315d0bcd48b1b93592353a)
+---
+ dirmngr/crlcache.c | 2 +-
+ dirmngr/ocsp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
+index 07fa5b1d3..2e471cb09 100644
+--- a/dirmngr/crlcache.c
++++ b/dirmngr/crlcache.c
+@@ -127,7 +127,7 @@
+
+
+ static const char oidstr_crlNumber[] = "2.5.29.20";
+-static const char oidstr_issuingDistributionPoint[] = "2.5.29.28";
++/* static const char oidstr_issuingDistributionPoint[] = "2.5.29.28"; */
+ static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
+
+
+diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
+index 8c893aa47..9127cf754 100644
+--- a/dirmngr/ocsp.c
++++ b/dirmngr/ocsp.c
+@@ -44,7 +44,7 @@ static const char oidstr_ocsp[] = "1.3.6.1.5.5.7.48.1";
+ HashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING }
+ */
+-static const char oidstr_certHash[] = "1.3.36.8.3.13";
++/* static const char oidstr_certHash[] = "1.3.36.8.3.13"; */
+
+
+
diff --git a/debian/patches/0042-dirmngr-Fix-Tor-access-for-v6-addresses.patch b/debian/patches/0042-dirmngr-Fix-Tor-access-for-v6-addresses.patch
new file mode 100644
index 0000000..acea282
--- /dev/null
+++ b/debian/patches/0042-dirmngr-Fix-Tor-access-for-v6-addresses.patch
@@ -0,0 +1,107 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 16:41:15 +0100
+Subject: dirmngr: Fix Tor access for v6 addresses.
+
+* dirmngr/http.c (use_socks): New.
+(my_sock_new_for_addr): New.
+(connect_server): Replace assuan_sock_new by my_sock_new_for_addr.
+--
+
+Libassuan always uses 127.0.0.1 to connect to the local Tor proxy.
+https.c used to create a socket for the actual address family and thus
+the connect call in Libassuan fails when it tries to connect to a v6
+address using a v4 socket.
+
+It would be cleaner to have the my_sock_new_for_addr function as a
+public interface in Libassuan; for now we need to duplicate some code.
+from Libassuan.
+
+GnuPG-bug-id: 2902
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 09aeac41c97bc8ecb44a09886c7fdbd9a6ec5c7f)
+---
+ dirmngr/http.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index c1a60be41..75701ecb1 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2337,6 +2337,68 @@ start_server ()
+ }
+ #endif
+
++
++
++/* Return true if SOCKS shall be used. This is the case if tor_mode
++ * is enabled and the desired address is not the loopback address.
++ * This function is basically a copy of the same internal fucntion in
++ * Libassuan. */
++static int
++use_socks (struct sockaddr *addr)
++{
++ int mode;
++
++ if (assuan_sock_get_flag (ASSUAN_INVALID_FD, "tor-mode", &mode) || !mode)
++ return 0; /* Not in Tor mode. */
++ else if (addr->sa_family == AF_INET6)
++ {
++ struct sockaddr_in6 *addr_in6 = (struct sockaddr_in6 *)addr;
++ const unsigned char *s;
++ int i;
++
++ s = (unsigned char *)&addr_in6->sin6_addr.s6_addr;
++ if (s[15] != 1)
++ return 1; /* Last octet is not 1 - not the loopback address. */
++ for (i=0; i < 15; i++, s++)
++ if (*s)
++ return 1; /* Non-zero octet found - not the loopback address. */
++
++ return 0; /* This is the loopback address. */
++ }
++ else if (addr->sa_family == AF_INET)
++ {
++ struct sockaddr_in *addr_in = (struct sockaddr_in *)addr;
++
++ if (*(unsigned char*)&addr_in->sin_addr.s_addr == 127)
++ return 0; /* Loopback (127.0.0.0/8) */
++
++ return 1;
++ }
++ else
++ return 0;
++}
++
++
++/* Wrapper around assuan_sock_new which takes the domain from an
++ * address parameter. */
++static assuan_fd_t
++my_sock_new_for_addr (struct sockaddr *addr, int type, int proto)
++{
++ int domain;
++
++ if (use_socks (addr))
++ {
++ /* Libassaun always uses 127.0.0.1 to connect to the socks
++ * server (i.e. the Tor daemon). */
++ domain = AF_INET;
++ }
++ else
++ domain = addr->sa_family;
++
++ return assuan_sock_new (domain, type, proto);
++}
++
++
+ /* Actually connect to a server. Returns the file descriptor or -1 on
+ error. ERRNO is set on error. */
+ static assuan_fd_t
+@@ -2436,7 +2498,7 @@ connect_server (const char *server, unsigned short port,
+
+ if (sock != ASSUAN_INVALID_FD)
+ assuan_sock_close (sock);
+- sock = assuan_sock_new (ai->family, ai->socktype, ai->protocol);
++ sock = my_sock_new_for_addr (ai->addr, ai->socktype, ai->protocol);
+ if (sock == ASSUAN_INVALID_FD)
+ {
+ int save_errno = errno;
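Review bot: use_socks returns 0 both when Tor mode is off and when `assuan_sock_get_flag` itself fails, but the comment `/* Not in Tor mode. */` covers only the first case. The function is, by its own header comment, a copy of an internal Libassuan routine, so that comment should also say that the result only selects the socket domain and that the two copies must be kept in step. Whether a divergence fails closed depends on Libassuan code not shown here. The `addr` parameter of use_socks and my_sock_new_for_addr is only read and could be declared `const struct sockaddr *addr`. connect_server continues outside the hunk.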
diff --git a/debian/patches/0043-dirmngr-Mark-hosts-dead-on-ENETDOWN.patch b/debian/patches/0043-dirmngr-Mark-hosts-dead-on-ENETDOWN.patch
new file mode 100644
index 0000000..3114150
--- /dev/null
+++ b/debian/patches/0043-dirmngr-Mark-hosts-dead-on-ENETDOWN.patch
@@ -0,0 +1,40 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 16:43:30 +0100
+Subject: dirmngr: Mark hosts dead on ENETDOWN.
+
+* dirmngr/ks-engine-hkp.c (handle_send_request_error): Take care of
+ENETDOWN.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 76fb2febde10da8237bbe7613830b51af2a45139)
+---
+ dirmngr/ks-engine-hkp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 31fef39db..6e3a38de2 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -1130,10 +1130,14 @@ handle_send_request_error (gpg_error_t err, const char *request,
+ {
+ int retry = 0;
+
++ /* Fixme: Should we disable all hosts of a protocol family if a
++ * request for an address of that familiy returned ENETDOWN? */
++
+ switch (gpg_err_code (err))
+ {
+ case GPG_ERR_ECONNREFUSED:
+ case GPG_ERR_ENETUNREACH:
++ case GPG_ERR_ENETDOWN:
+ case GPG_ERR_UNKNOWN_HOST:
+ case GPG_ERR_NETWORK:
+ if (mark_host_dead (request) && *tries_left)
+@@ -1146,6 +1150,7 @@ handle_send_request_error (gpg_error_t err, const char *request,
+ log_info ("selecting a different host due to a timeout\n");
+ retry = 1;
+ }
++ break;
+
+ default:
+ break;
diff --git a/debian/patches/0044-dirmngr-After-a-connection-failure-log-a-hint-if-Tor.patch b/debian/patches/0044-dirmngr-After-a-connection-failure-log-a-hint-if-Tor.patch
new file mode 100644
index 0000000..56e29c4
--- /dev/null
+++ b/debian/patches/0044-dirmngr-After-a-connection-failure-log-a-hint-if-Tor.patch
@@ -0,0 +1,35 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 11 Jan 2017 17:09:16 +0100
+Subject: dirmngr: After a connection failure log a hint if Tor is not running.
+
+* dirmngr/ks-engine-hkp.c (handle_send_request_error): Check whether
+Tor is running.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 20dfcfe08c618d23134d5d6efef7676b090f30d3)
+---
+ dirmngr/ks-engine-hkp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 6e3a38de2..3b8f65a55 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -1136,6 +1136,17 @@ handle_send_request_error (gpg_error_t err, const char *request,
+ switch (gpg_err_code (err))
+ {
+ case GPG_ERR_ECONNREFUSED:
++ if (opt.use_tor)
++ {
++ assuan_fd_t sock;
++
++ sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR);
++ if (sock == ASSUAN_INVALID_FD)
++ log_info ("(it seems Tor is not running)\n");
++ else
++ assuan_sock_close (sock);
++ }
++ /*FALLTHRU*/
+ case GPG_ERR_ENETUNREACH:
+ case GPG_ERR_ENETDOWN:
+ case GPG_ERR_UNKNOWN_HOST:
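Review bot: The probe added under `case GPG_ERR_ECONNREFUSED:` opens a fresh connection with `assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR)` on every refused request and prints "(it seems Tor is not running)" for any failure, with no comment saying what the NULL-name call is meant to test. A short comment such as `/* Probe only the local Tor SOCKS port; no destination is contacted. */` would document the intent, assuming that is what Libassuan does for a NULL name. It may also be worth looking at `errno` after the failed probe so that an unrelated failure, for example descriptor exhaustion, does not produce the Tor hint. handle_send_request_error continues outside the hunk.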
diff --git a/debian/patches/0045-libdns-Provide-replacement-for-EPROTO.patch b/debian/patches/0045-libdns-Provide-replacement-for-EPROTO.patch
new file mode 100644
index 0000000..b16fd26
--- /dev/null
+++ b/debian/patches/0045-libdns-Provide-replacement-for-EPROTO.patch
@@ -0,0 +1,32 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 09:20:49 +0100
+Subject: libdns: Provide replacement for EPROTO.
+
+* dirmngr/dns.c (EPROTO) ![EPROTO]: Define to EPROTONOSUPPORT.
+--
+
+This is the same replacement we use in Libassuan
+(commit 8ab3b9273524bd344bdb90dd5d3bc8e5f53ead6e) to make it work on
+OpenBSD and may other BSD based OSes.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 0fadff9cdde47e42f7e428bc903b3626c67ba9c0)
+---
+ dirmngr/dns.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dirmngr/dns.c b/dirmngr/dns.c
+index 4b61b72c2..b580e4031 100644
+--- a/dirmngr/dns.c
++++ b/dirmngr/dns.c
+@@ -288,6 +288,10 @@ int dns_v_api(void) {
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
++#ifndef EPROTO
++# define EPROTO EPROTONOSUPPORT
++#endif
++
+ #if _WIN32
+
+ #define DNS_EINTR WSAEINTR
diff --git a/debian/patches/0046-libdns-Silence-Wstrict-prototypes-on-some-function-p.patch b/debian/patches/0046-libdns-Silence-Wstrict-prototypes-on-some-function-p.patch
new file mode 100644
index 0000000..19b1d39
--- /dev/null
+++ b/debian/patches/0046-libdns-Silence-Wstrict-prototypes-on-some-function-p.patch
@@ -0,0 +1,43 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 09:22:14 +0100
+Subject: libdns: Silence -Wstrict-prototypes on some function ptrs.
+
+* dirmngr/dns.c (dns_rrtype): Ignore -Wstrict-prototypes warning.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 97372b39cd9b4c84a083eadbf072fff77799617f)
+---
+ dirmngr/dns.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/dirmngr/dns.c b/dirmngr/dns.c
+index b580e4031..016ff44f4 100644
+--- a/dirmngr/dns.c
++++ b/dirmngr/dns.c
+@@ -4246,6 +4246,15 @@ size_t dns_txt_print(void *_dst, size_t lim, struct dns_txt *txt) {
+ } /* dns_txt_print() */
+
+
++/* Some of the function pointers of DNS_RRTYPES are initialized with
++ * slighlly different fucntions, thus we can't use prototypes. */
++DNS_PRAGMA_PUSH
++#if __clang__
++#pragma clang diagnostic ignored "-Wstrict-prototypes"
++#elif DNS_GNUC_PREREQ(4,6,0)
++#pragma GCC diagnostic ignored "-Wstrict-prototypes"
++#endif
++
+ static const struct dns_rrtype {
+ enum dns_type type;
+ const char *name;
+@@ -4271,6 +4280,10 @@ static const struct dns_rrtype {
+ { DNS_T_AXFR, "AXFR", 0, 0, 0, 0, 0, 0, },
+ }; /* dns_rrtypes[] */
+
++DNS_PRAGMA_POP /*(-Wstrict-prototypes)*/
++
++
++
+ static const struct dns_rrtype *dns_rrtype(enum dns_type type) {
+ const struct dns_rrtype *t;
+
diff --git a/debian/patches/0047-build-Make-autogen.sh-more-POSIX-friendly.patch b/debian/patches/0047-build-Make-autogen.sh-more-POSIX-friendly.patch
new file mode 100644
index 0000000..8b67a68
--- /dev/null
+++ b/debian/patches/0047-build-Make-autogen.sh-more-POSIX-friendly.patch
@@ -0,0 +1,40 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 09:58:57 +0100
+Subject: build: Make autogen.sh more POSIX friendly.
+
+* autogen.sh: Replace non POSIX "cp -a" and "head -c".
+--
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 3c00b52f7cb0fbd756c0bbe5134b8f2d69c60dd1)
+---
+ autogen.sh | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index 6b631a241..2b703ff54 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -225,7 +225,7 @@ if [ "$myhost" = "find-version" ]; then
+ fi
+ [ -n "$tmp" ] && beta=yes
+ rev=$(git rev-parse --short HEAD | tr -d '\n\r')
+- rvd=$((0x$(echo ${rev} | head -c 4)))
++ rvd=$((0x$(echo ${rev} | dd bs=1 count=2 2>/dev/null)))
+ else
+ ingit=no
+ beta=no
+@@ -417,8 +417,11 @@ fi
+
+ # Check the git setup.
+ if [ -d .git ]; then
+- CP="cp -a"
+- [ -z "${SILENT}" ] && CP="$CP -v"
++ CP="cp -p"
++ # If we have a GNU cp we can add -v
++ if cp --version >/dev/null 2>/dev/null; then
++ [ -z "${SILENT}" ] && CP="$CP -v"
++ fi
+ if [ -f .git/hooks/pre-commit.sample -a ! -f .git/hooks/pre-commit ] ; then
+ [ -z "${SILENT}" ] && cat <<EOF
+ *** Activating trailing whitespace git pre-commit hook. ***
diff --git a/debian/patches/0048-gpg-Rename-a-var-to-avoid-a-shadowing-warning.patch b/debian/patches/0048-gpg-Rename-a-var-to-avoid-a-shadowing-warning.patch
new file mode 100644
index 0000000..edf6950
--- /dev/null
+++ b/debian/patches/0048-gpg-Rename-a-var-to-avoid-a-shadowing-warning.patch
@@ -0,0 +1,42 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 10:40:26 +0100
+Subject: gpg: Rename a var to avoid a shadowing warning.
+
+* g10/keygen.c (keygen_set_std_prefs): Rename variable.
+--
+
+I consider it better not to use the name of a commonly used function.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit c99a09f111c5980ae034faaea61a00d9ad60463c)
+---
+ g10/keygen.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index b4fddba00..98ef29efb 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -434,9 +434,11 @@ keygen_set_std_prefs (const char *string,int personal)
+
+ if(strlen(string))
+ {
+- char *dup, *tok, *prefstring;
++ char *prefstringbuf;
++ char *tok, *prefstring;
+
+- dup = prefstring = xstrdup (string); /* need a writable string! */
++ /* We need a writable string. */
++ prefstring = prefstringbuf = xstrdup (string);
+
+ while((tok=strsep(&prefstring," ,")))
+ {
+@@ -470,7 +472,7 @@ keygen_set_std_prefs (const char *string,int personal)
+ }
+ }
+
+- xfree (dup);
++ xfree (prefstringbuf);
+ }
+
+ if(!rc)
diff --git a/debian/patches/0049-build-Make-autogen.sh-more-POSIX-friendly-next-try.patch b/debian/patches/0049-build-Make-autogen.sh-more-POSIX-friendly-next-try.patch
new file mode 100644
index 0000000..d5012ef
--- /dev/null
+++ b/debian/patches/0049-build-Make-autogen.sh-more-POSIX-friendly-next-try.patch
@@ -0,0 +1,27 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 11:22:37 +0100
+Subject: build: Make autogen.sh more POSIX friendly (next try)
+
+* autogen.sh: Fix dd count to 5.
+--
+
+Fixes-commit: 3c00b52f7cb0fbd756c0bbe5134b8f2d69c60dd1
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 3db76c9277d918dec9721a6439f4db3b3c06aba3)
+---
+ autogen.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index 2b703ff54..0cecf0d89 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -225,7 +225,7 @@ if [ "$myhost" = "find-version" ]; then
+ fi
+ [ -n "$tmp" ] && beta=yes
+ rev=$(git rev-parse --short HEAD | tr -d '\n\r')
+- rvd=$((0x$(echo ${rev} | dd bs=1 count=2 2>/dev/null)))
++ rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+ else
+ ingit=no
+ beta=no
diff --git a/debian/patches/0050-dirmngr-Fix-URL-creation-for-literal-IPv6-addresses-.patch b/debian/patches/0050-dirmngr-Fix-URL-creation-for-literal-IPv6-addresses-.patch
new file mode 100644
index 0000000..f7d299f
--- /dev/null
+++ b/debian/patches/0050-dirmngr-Fix-URL-creation-for-literal-IPv6-addresses-.patch
@@ -0,0 +1,205 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 12 Jan 2017 21:09:42 +0100
+Subject: dirmngr: Fix URL creation for literal IPv6 addresses in HKP.
+
+* dirmngr/dns-stuff.c (is_ip_address): Make the return value depend on
+the address family.
+* dirmngr/ks-engine-hkp.c (map_host): Rename arg R_POOLNAME to
+R_HTTPHOST because that is its purpose. Note that the former
+behaviour of storing a NULL to indicate that it is not a pool has not
+been used.
+(make_host_part): Ditto.
+(make_host_part): Make sure that literal v6 addresses are correclty
+marked in the constructed URL.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 82646bbf1a5a7d745da81b239a12667a51703dc1)
+---
+ dirmngr/dns-stuff.c | 12 +++++-----
+ dirmngr/ks-engine-hkp.c | 58 +++++++++++++++++++++++++++----------------------
+ 2 files changed, 39 insertions(+), 31 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index a8713eb44..1b30c2cab 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -993,8 +993,10 @@ resolve_dns_addr (const struct sockaddr *addr, int addrlen,
+ }
+
+
+-/* Check whether NAME is an IP address. Returns true if it is either
+- an IPv6 or IPv4 numerical address. */
++/* Check whether NAME is an IP address. Returns a true if it is
++ * either an IPv6 or a IPv4 numerical address. The actual return
++ * values can also be used to identify whether it is v4 or v6: The
++ * true value will surprisingly be 4 for IPv4 and 6 for IPv6. */
+ int
+ is_ip_address (const char *name)
+ {
+@@ -1002,7 +1004,7 @@ is_ip_address (const char *name)
+ int ndots, dblcol, n;
+
+ if (*name == '[')
+- return 1; /* yes: A legal DNS name may not contain this character;
++ return 6; /* yes: A legal DNS name may not contain this character;
+ this mut be bracketed v6 address. */
+ if (*name == '.')
+ return 0; /* No. A leading dot is not a valid IP address. */
+@@ -1035,7 +1037,7 @@ is_ip_address (const char *name)
+ if (ndots > 7)
+ return 0; /* No: Too many colons. */
+ else if (ndots > 1)
+- return 1; /* Yes: At least 2 colons indicate an v6 address. */
++ return 6; /* Yes: At least 2 colons indicate an v6 address. */
+
+ legacy:
+ /* Check whether it is legacy IP address. */
+@@ -1056,7 +1058,7 @@ is_ip_address (const char *name)
+ else if (++n > 3)
+ return 0; /* No: More than 3 digits. */
+ }
+- return !!(ndots == 3);
++ return (ndots == 3)? 4 : 0;
+ }
+
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 3b8f65a55..88ac65ee7 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -404,13 +404,14 @@ add_host (const char *name, int is_pool,
+ * NULL is stored. If we know the port used by the selected host from
+ * a service record, a string representation is written to R_PORTSTR,
+ * otherwise it is left untouched. If R_HTTPFLAGS is not NULL it will
+- * receive flags which are to be passed to http_open. If R_POOLNAME
+- * is not NULL a malloced name of the pool is stored or NULL if it is
+- * not a pool. */
++ * receive flags which are to be passed to http_open. If R_HTTPHOST
++ * is not NULL a malloced name of the host is stored there; this might
++ * be different from R_HOST in case it has been selected from a
++ * pool. */
+ static gpg_error_t
+ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ char **r_host, char *r_portstr,
+- unsigned int *r_httpflags, char **r_poolname)
++ unsigned int *r_httpflags, char **r_httphost)
+ {
+ gpg_error_t err = 0;
+ hostinfo_t hi;
+@@ -420,8 +421,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ *r_host = NULL;
+ if (r_httpflags)
+ *r_httpflags = 0;
+- if (r_poolname)
+- *r_poolname = NULL;
++ if (r_httphost)
++ *r_httphost = NULL;
+
+ /* No hostname means localhost. */
+ if (!name || !*name)
+@@ -557,10 +558,10 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (hi->pool)
+ {
+ /* Deal with the pool name before selecting a host. */
+- if (r_poolname)
++ if (r_httphost)
+ {
+- *r_poolname = xtrystrdup (hi->cname? hi->cname : hi->name);
+- if (!*r_poolname)
++ *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
++ if (!*r_httphost)
+ return gpg_error_from_syserror ();
+ }
+
+@@ -579,10 +580,10 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (hi->poolidx == -1)
+ {
+ log_error ("no alive host found in pool '%s'\n", name);
+- if (r_poolname)
++ if (r_httphost)
+ {
+- xfree (*r_poolname);
+- *r_poolname = NULL;
++ xfree (*r_httphost);
++ *r_httphost = NULL;
+ }
+ return gpg_error (GPG_ERR_NO_KEYSERVER);
+ }
+@@ -596,10 +597,10 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (!host_is_alive (hi, curtime))
+ {
+ log_error ("host '%s' marked as dead\n", hi->name);
+- if (r_poolname)
++ if (r_httphost)
+ {
+- xfree (*r_poolname);
+- *r_poolname = NULL;
++ xfree (*r_httphost);
++ *r_httphost = NULL;
+ }
+ return gpg_error (GPG_ERR_NO_KEYSERVER);
+ }
+@@ -626,10 +627,10 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (!*r_host)
+ {
+ err = gpg_error_from_syserror ();
+- if (r_poolname)
++ if (r_httphost)
+ {
+- xfree (*r_poolname);
+- *r_poolname = NULL;
++ xfree (*r_httphost);
++ *r_httphost = NULL;
+ }
+ return err;
+ }
+@@ -877,13 +878,15 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
+
+ /* Build the remote part of the URL from SCHEME, HOST and an optional
+ * PORT. If NO_SRV is set no SRV record lookup will be done. Returns
+- * an allocated string at R_HOSTPORT or NULL on failure If R_POOLNAME
+- * is not NULL it receives a malloced string with the poolname. */
++ * an allocated string at R_HOSTPORT or NULL on failure. If
++ * R_HTTPHOST is not NULL it receives a malloced string with the
++ * hostname; this may be different from HOST if HOST is selected from
++ * a pool. */
+ static gpg_error_t
+ make_host_part (ctrl_t ctrl,
+ const char *scheme, const char *host, unsigned short port,
+ int force_reselect, int no_srv,
+- char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
++ char **r_hostport, unsigned int *r_httpflags, char **r_httphost)
+ {
+ gpg_error_t err;
+ const char *srvtag;
+@@ -905,7 +908,7 @@ make_host_part (ctrl_t ctrl,
+
+ portstr[0] = 0;
+ err = map_host (ctrl, host, srvtag, force_reselect,
+- &hostname, portstr, r_httpflags, r_poolname);
++ &hostname, portstr, r_httpflags, r_httphost);
+ if (err)
+ return err;
+
+@@ -922,14 +925,17 @@ make_host_part (ctrl_t ctrl,
+ else
+ strcpy (portstr, "11371");
+
+- *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
++ if (*hostname != '[' && is_ip_address (hostname) == 6)
++ *r_hostport = strconcat (scheme, "://[", hostname, "]:", portstr, NULL);
++ else
++ *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+ xfree (hostname);
+ if (!*r_hostport)
+ {
+- if (r_poolname)
++ if (r_httphost)
+ {
+- xfree (*r_poolname);
+- *r_poolname = NULL;
++ xfree (*r_httphost);
++ *r_httphost = NULL;
+ }
+ return gpg_error_from_syserror ();
+ }
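Review bot: is_ip_address() now returns 4 or 6 where it used to return 1, so any caller outside these hunks that compares the result with 1 or stores it in a one-bit flag changes meaning without a compiler diagnostic; the callers visible here only test for truth or `== 6`. The leading-bracket shortcut (`if (*name == '[') return 6;`) also classifies any string that starts with `[` as a v6 literal without looking for a closing bracket, and make_host_part now relies on that answer, so a malformed bracketed host is concatenated into the URL as-is. I would state the contract at the declaration, e.g. `/* Returns 0, 4 or 6; use !! where a boolean is needed. */`, and have the shortcut require a trailing `]` before returning 6. Both function bodies continue outside the hunks shown.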
diff --git a/debian/patches/0051-dirmngr-Avoid-network-queries-for-literal-IP-address.patch b/debian/patches/0051-dirmngr-Avoid-network-queries-for-literal-IP-address.patch
new file mode 100644
index 0000000..5387127
--- /dev/null
+++ b/debian/patches/0051-dirmngr-Avoid-network-queries-for-literal-IP-address.patch
@@ -0,0 +1,36 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 16 Jan 2017 09:10:46 +0100
+Subject: dirmngr: Avoid network queries for literal IP addresses.
+
+* dirmngr/dns-stuff.c (resolve_name_libdns): USe flags AI_NUMERICHOST
+for literal IP addresses.
+(resolve_name_standard): Ditto.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit daae97bc14742c75408c4eb05808a2102cfe2bcf)
+---
+ dirmngr/dns-stuff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 1b30c2cab..2debdcad0 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -685,6 +685,8 @@ resolve_name_libdns (const char *name, unsigned short port,
+ hints.ai_flags = AI_ADDRCONFIG;
+ if (r_canonname)
+ hints.ai_flags |= AI_CANONNAME;
++ if (is_ip_address (name))
++ hints.ai_flags |= AI_NUMERICHOST;
+
+ if (port)
+ {
+@@ -806,6 +808,8 @@ resolve_name_standard (const char *name, unsigned short port,
+ hints.ai_flags = AI_ADDRCONFIG;
+ if (r_canonname)
+ hints.ai_flags |= AI_CANONNAME;
++ if (is_ip_address (name))
++ hints.ai_flags |= AI_NUMERICHOST;
+
+ if (port)
+ snprintf (portstr, sizeof portstr, "%hu", port);
diff --git a/debian/patches/0052-dirmngr-Allow-reverse-DNS-lookups-in-Tor-mode.patch b/debian/patches/0052-dirmngr-Allow-reverse-DNS-lookups-in-Tor-mode.patch
new file mode 100644
index 0000000..522bac3
--- /dev/null
+++ b/debian/patches/0052-dirmngr-Allow-reverse-DNS-lookups-in-Tor-mode.patch
@@ -0,0 +1,272 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 16 Jan 2017 19:03:39 +0100
+Subject: dirmngr: Allow reverse DNS lookups in Tor-mode.
+
+* dirmngr/dns-stuff.c (resolve_dns_name): Move up in the file.
+(resolve_addr_libdns): New.
+(resolve_dns_addr): Divert to resolve_dns_addr.
+--
+
+In the old code reverse lookups where disabled in Tor mode. By
+implementing the reverse lookups via libdns it is now possible to do
+them also in Tor mode.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 9850124c7bdf0a0e7c1866abc85f3437257d7095)
+---
+ dirmngr/dns-stuff.c | 213 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 182 insertions(+), 31 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 2debdcad0..28ecb1857 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -892,6 +892,177 @@ resolve_name_standard (const char *name, unsigned short port,
+ }
+
+
++/* This a wrapper around getaddrinfo with slightly different semantics.
++ NAME is the name to resolve.
++ PORT is the requested port or 0.
++ WANT_FAMILY is either 0 (AF_UNSPEC), AF_INET6, or AF_INET4.
++ WANT_SOCKETTYPE is either SOCK_STREAM or SOCK_DGRAM.
++
++ On success the result is stored in a linked list with the head
++ stored at the address R_AI; the caller must call gpg_addrinfo_free
++ on this. If R_CANONNAME is not NULL the official name of the host
++ is stored there as a malloced string; if that name is not available
++ NULL is stored. */
++gpg_error_t
++resolve_dns_name (const char *name, unsigned short port,
++ int want_family, int want_socktype,
++ dns_addrinfo_t *r_ai, char **r_canonname)
++{
++ gpg_error_t err;
++
++#ifdef USE_LIBDNS
++ if (!standard_resolver)
++ {
++ err = resolve_name_libdns (name, port, want_family, want_socktype,
++ r_ai, r_canonname);
++ if (err && libdns_switch_port_p (err))
++ err = resolve_name_libdns (name, port, want_family, want_socktype,
++ r_ai, r_canonname);
++ }
++ else
++#endif /*USE_LIBDNS*/
++ err = resolve_name_standard (name, port, want_family, want_socktype,
++ r_ai, r_canonname);
++ if (opt_debug)
++ log_debug ("dns: resolve_dns_name(%s): %s\n", name, gpg_strerror (err));
++ return err;
++}
++
++
++#ifdef USE_LIBDNS
++/* Resolve an address using libdns. */
++static gpg_error_t
++resolve_addr_libdns (const struct sockaddr *addr, int addrlen,
++ unsigned int flags, char **r_name)
++{
++ gpg_error_t err;
++ char host[DNS_D_MAXNAME + 1];
++ struct dns_resolver *res;
++ struct dns_packet *ans = NULL;
++ struct dns_ptr ptr;
++ int derr;
++
++ *r_name = NULL;
++
++ /* First we turn ADDR into a DNS name (with ".arpa" suffix). */
++ err = 0;
++ if (addr->sa_family == AF_INET6)
++ {
++ const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)addr;
++ if (!dns_aaaa_arpa (host, sizeof host, (void*)&a6->sin6_addr))
++ err = gpg_error (GPG_ERR_INV_OBJ);
++ }
++ else if (addr->sa_family == AF_INET)
++ {
++ const struct sockaddr_in *a4 = (const struct sockaddr_in *)addr;
++ if (!dns_a_arpa (host, sizeof host, (void*)&a4->sin_addr))
++ err = gpg_error (GPG_ERR_INV_OBJ);
++ }
++ else
++ err = gpg_error (GPG_ERR_EAFNOSUPPORT);
++ if (err)
++ goto leave;
++
++
++ err = libdns_res_open (&res);
++ if (err)
++ goto leave;
++
++ err = libdns_res_submit (res, host, DNS_T_PTR, DNS_C_IN);
++ if (err)
++ goto leave;
++
++ err = libdns_res_wait (res);
++ if (err)
++ goto leave;
++
++ ans = dns_res_fetch (res, &derr);
++ if (!ans)
++ {
++ err = libdns_error_to_gpg_error (derr);
++ goto leave;
++ }
++
++ /* Check the rcode. */
++ switch (dns_p_rcode (ans))
++ {
++ case DNS_RC_NOERROR:
++ break;
++ case DNS_RC_NXDOMAIN:
++ err = gpg_error (GPG_ERR_NO_NAME);
++ break;
++ default:
++ err = GPG_ERR_SERVER_FAILED;
++ goto leave;
++ }
++
++ /* Parse the result. */
++ if (!err)
++ {
++ struct dns_rr rr;
++ struct dns_rr_i rri;
++
++ memset (&rri, 0, sizeof rri);
++ dns_rr_i_init (&rri, ans);
++ rri.section = DNS_S_ALL & ~DNS_S_QD;
++ rri.name = host;
++ rri.type = DNS_T_PTR;
++
++ if (!dns_rr_grep (&rr, 1, &rri, ans, &derr))
++ {
++ err = gpg_error (GPG_ERR_NOT_FOUND);
++ goto leave;
++ }
++
++ err = libdns_error_to_gpg_error (dns_ptr_parse (&ptr, &rr, ans));
++ if (err)
++ goto leave;
++
++ /* Copy result. */
++ *r_name = xtrystrdup (ptr.host);
++ if (!*r_name)
++ {
++ err = gpg_error_from_syserror ();
++ goto leave;
++ }
++ /* Libdns appends the root zone part which is problematic
++ * for most other functions - strip it. */
++ if (**r_name && (*r_name)[strlen (*r_name)-1] == '.')
++ (*r_name)[strlen (*r_name)-1] = 0;
++ }
++ else /* GPG_ERR_NO_NAME */
++ {
++ char *buffer, *p;
++ int buflen;
++ int ec;
++
++ buffer = ptr.host;
++ buflen = sizeof ptr.host;
++
++ p = buffer;
++ if (addr->sa_family == AF_INET6 && (flags & DNS_WITHBRACKET))
++ {
++ *p++ = '[';
++ buflen -= 2;
++ }
++ ec = getnameinfo (addr, addrlen, p, buflen, NULL, 0, NI_NUMERICHOST);
++ if (ec)
++ {
++ err = map_eai_to_gpg_error (ec);
++ goto leave;
++ }
++ if (addr->sa_family == AF_INET6 && (flags & DNS_WITHBRACKET))
++ strcat (buffer, "]");
++ }
++
++ leave:
++ dns_free (ans);
++ dns_res_close (res);
++ return err;
++}
++#endif /*USE_LIBDNS*/
++
++
+ /* Resolve an address using the standard system function. */
+ static gpg_error_t
+ resolve_addr_standard (const struct sockaddr *addr, int addrlen,
+@@ -952,51 +1123,31 @@ resolve_addr_standard (const struct sockaddr *addr, int addrlen,
+ }
+
+
+-/* This a wrapper around getaddrinfo with slightly different semantics.
+- NAME is the name to resolve.
+- PORT is the requested port or 0.
+- WANT_FAMILY is either 0 (AF_UNSPEC), AF_INET6, or AF_INET4.
+- WANT_SOCKETTYPE is either SOCK_STREAM or SOCK_DGRAM.
+-
+- On success the result is stored in a linked list with the head
+- stored at the address R_AI; the caller must call gpg_addrinfo_free
+- on this. If R_CANONNAME is not NULL the official name of the host
+- is stored there as a malloced string; if that name is not available
+- NULL is stored. */
++/* A wrapper around getnameinfo. */
+ gpg_error_t
+-resolve_dns_name (const char *name, unsigned short port,
+- int want_family, int want_socktype,
+- dns_addrinfo_t *r_ai, char **r_canonname)
++resolve_dns_addr (const struct sockaddr *addr, int addrlen,
++ unsigned int flags, char **r_name)
+ {
+ gpg_error_t err;
+
+ #ifdef USE_LIBDNS
+- if (!standard_resolver)
++ /* Note that we divert to the standard resolver for NUMERICHOST. */
++ if (!standard_resolver && !(flags & DNS_NUMERICHOST))
+ {
+- err = resolve_name_libdns (name, port, want_family, want_socktype,
+- r_ai, r_canonname);
++ err = resolve_addr_libdns (addr, addrlen, flags, r_name);
+ if (err && libdns_switch_port_p (err))
+- err = resolve_name_libdns (name, port, want_family, want_socktype,
+- r_ai, r_canonname);
++ err = resolve_addr_libdns (addr, addrlen, flags, r_name);
+ }
+ else
+ #endif /*USE_LIBDNS*/
+- err = resolve_name_standard (name, port, want_family, want_socktype,
+- r_ai, r_canonname);
++ err = resolve_addr_standard (addr, addrlen, flags, r_name);
++
+ if (opt_debug)
+- log_debug ("dns: resolve_dns_name(%s): %s\n", name, gpg_strerror (err));
++ log_debug ("dns: resolve_dns_addr(): %s\n", gpg_strerror (err));
+ return err;
+ }
+
+
+-gpg_error_t
+-resolve_dns_addr (const struct sockaddr *addr, int addrlen,
+- unsigned int flags, char **r_name)
+-{
+- return resolve_addr_standard (addr, addrlen, flags, r_name);
+-}
+-
+-
+ /* Check whether NAME is an IP address. Returns a true if it is
+ * either an IPv6 or a IPv4 numerical address. The actual return
+ * values can also be used to identify whether it is v4 or v6: The
+@@ -1096,7 +1247,7 @@ get_dns_cert_libdns (const char *name, int want_certtype,
+ int derr;
+ int qtype;
+
+- /* Gte the query type from WANT_CERTTYPE (which in general indicates
++ /* Get the query type from WANT_CERTTYPE (which in general indicates
+ * the subtype we want). */
+ qtype = (want_certtype < DNS_CERTTYPE_RRBASE
+ ? T_CERT
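Review bot: `res` is declared without an initialiser in resolve_addr_libdns, yet the early `goto leave` paths (unsupported address family, failed arpa conversion, and possibly a failed libdns_res_open) reach `dns_res_close (res)` with an indeterminate pointer. Declare it as `struct dns_resolver *res = NULL;`, assuming dns_res_close tolerates NULL the way `dns_free (ans)` is already relied on to. In the same function the default rcode case assigns a bare `GPG_ERR_SERVER_FAILED` where every other path uses `gpg_error (...)`. The GPG_ERR_NO_NAME branch formats the numeric address into `ptr.host` but never copies it to `*r_name`, so the caller gets NULL plus an error and the fallback is lost. ADDRLEN is also not compared with the size of the sockaddr type before the casts, which is worth a check if callers can pass a short buffer.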
diff --git a/debian/patches/0053-dirmngr-Implement-hkps-lookups-using-literal-address.patch b/debian/patches/0053-dirmngr-Implement-hkps-lookups-using-literal-address.patch
new file mode 100644
index 0000000..51f8f34
--- /dev/null
+++ b/debian/patches/0053-dirmngr-Implement-hkps-lookups-using-literal-address.patch
@@ -0,0 +1,61 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 16 Jan 2017 19:04:58 +0100
+Subject: dirmngr: Implement hkps lookups using literal addresses.
+
+* dirmngr/ks-engine-hkp.c (map_host): For literal addresses do a
+reverse lookup.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit e6aebfe3d0f16c483296fd125b66a44017fe15f4)
+---
+ dirmngr/ks-engine-hkp.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 88ac65ee7..06df55971 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -85,7 +85,7 @@ struct hostinfo_s
+ time_t died_at; /* The time the host was marked dead. If this is
+ 0 the host has been manually marked dead. */
+ char *cname; /* Canonical name of the host. Only set if this
+- is a pool. */
++ is a pool or NAME has a numerical IP address. */
+ char *v4addr; /* A string with the v4 IP address of the host.
+ NULL if NAME has a numeric IP address or no v4
+ address is available. */
+@@ -593,6 +593,34 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ hi = hosttable[hi->poolidx];
+ assert (hi);
+ }
++ else if (r_httphost && is_ip_address (hi->name))
++ {
++ /* This is a numerical IP address and not a pool. We want to
++ * find the canonical name so that it can be used in the HTTP
++ * Host header. Fixme: We should store that name in the
++ * hosttable. */
++ dns_addrinfo_t aibuf, ai;
++ char *host;
++
++ err = resolve_dns_name (hi->name, 0, 0, SOCK_STREAM, &aibuf, NULL);
++ if (!err)
++ {
++ for (ai = aibuf; ai; ai = ai->next)
++ {
++ if (ai->family == AF_INET6 || ai->family == AF_INET)
++ {
++ err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host);
++ if (!err)
++ {
++ /* Okay, we return the first found name. */
++ *r_httphost = host;
++ break;
++ }
++ }
++ }
++ }
++ free_dns_addrinfo (aibuf);
++ }
+
+ if (!host_is_alive (hi, curtime))
+ {
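Review bot: The name stored in `*r_httphost` comes from a PTR lookup on the literal address, so it is chosen by whoever controls or can spoof the reverse zone. If that name is later used for TLS certificate matching as well as for the Host header, as the hkps subject suggests, the peer effectively picks the name it is verified against. Consider forward-confirming the PTR name (resolve it and require the original address among the results) before accepting it, or limiting it to the Host header. Separately, unless resolve_dns_name clears `*r_ai` on failure, `aibuf` is uninitialised when it reaches the unconditional `free_dns_addrinfo (aibuf)`, and a failed lookup leaves `err` set for the code after the hunk; `dns_addrinfo_t aibuf = NULL, ai;` plus `err = 0;` after the free would make the lookup best-effort, if that is the intent. map_host continues outside the hunk.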
diff --git a/debian/patches/0054-gpg-Prepare-some-key-cleaning-function-for-use-with-.patch b/debian/patches/0054-gpg-Prepare-some-key-cleaning-function-for-use-with-.patch
new file mode 100644
index 0000000..7e08807
--- /dev/null
+++ b/debian/patches/0054-gpg-Prepare-some-key-cleaning-function-for-use-with-.patch
@@ -0,0 +1,97 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 17 Jan 2017 09:14:44 +0100
+Subject: gpg: Prepare some key cleaning function for use with secret key
+ packets.
+
+* g10/trust.c (mark_usable_uid_certs): Allow use of secret key packets.
+(clean_sigs_from_uid): Ditto.
+(clean_uid_from_key): Ditto.
+(clean_one_uid): Ditto.
+(clean_key): Ditto.
+--
+
+Since 2.1 secret keys and public keys use identical data structure and
+thus we should not restrict those key cleaning functions to work only
+with public key packets. This change has no immediate effect but may
+come handy in the future.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit adbfbf608e75cdd72ae7b3a538b91bc0e236a18f)
+---
+ g10/trust.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/g10/trust.c b/g10/trust.c
+index 080926a36..102444865 100644
+--- a/g10/trust.c
++++ b/g10/trust.c
+@@ -434,7 +434,8 @@ mark_usable_uid_certs (kbnode_t keyblock, kbnode_t uidnode,
+
+ node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
+ if (node->pkt->pkttype == PKT_USER_ID
+- || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
++ || node->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || node->pkt->pkttype == PKT_SECRET_SUBKEY)
+ break; /* ready */
+ if (node->pkt->pkttype != PKT_SIGNATURE)
+ continue;
+@@ -476,7 +477,8 @@ mark_usable_uid_certs (kbnode_t keyblock, kbnode_t uidnode,
+ u32 kid[2];
+ u32 sigdate;
+
+- if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
++ if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || node->pkt->pkttype == PKT_SECRET_SUBKEY)
+ break;
+ if ( !(node->flag & (1<<9)) )
+ continue; /* not a node to look at */
+@@ -491,7 +493,8 @@ mark_usable_uid_certs (kbnode_t keyblock, kbnode_t uidnode,
+ /* Now find the latest and greatest signature */
+ for (n=uidnode->next; n; n = n->next)
+ {
+- if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY)
++ if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || n->pkt->pkttype == PKT_SECRET_SUBKEY)
+ break;
+ if ( !(n->flag & (1<<9)) )
+ continue;
+@@ -588,7 +591,8 @@ clean_sigs_from_uid (kbnode_t keyblock, kbnode_t uidnode,
+ kbnode_t node;
+ u32 keyid[2];
+
+- log_assert (keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
++ log_assert (keyblock->pkt->pkttype == PKT_PUBLIC_KEY
++ || keyblock->pkt->pkttype == PKT_SECRET_KEY);
+
+ keyid_from_pk (keyblock->pkt->pkt.public_key, keyid);
+
+@@ -681,7 +685,8 @@ clean_uid_from_key (kbnode_t keyblock, kbnode_t uidnode, int noisy)
+ PKT_user_id *uid = uidnode->pkt->pkt.user_id;
+ int deleted = 0;
+
+- log_assert (keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
++ log_assert (keyblock->pkt->pkttype == PKT_PUBLIC_KEY
++ || keyblock->pkt->pkttype == PKT_SECRET_KEY);
+ log_assert (uidnode->pkt->pkttype==PKT_USER_ID);
+
+ /* Skip valid user IDs, compacted user IDs, and non-self-signed user
+@@ -733,7 +738,8 @@ clean_one_uid (kbnode_t keyblock, kbnode_t uidnode, int noisy, int self_only,
+ {
+ int dummy = 0;
+
+- log_assert (keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
++ log_assert (keyblock->pkt->pkttype == PKT_PUBLIC_KEY
++ || keyblock->pkt->pkttype == PKT_SECRET_KEY);
+ log_assert (uidnode->pkt->pkttype==PKT_USER_ID);
+
+ if (!uids_cleaned)
+@@ -759,7 +765,8 @@ clean_key (kbnode_t keyblock, int noisy, int self_only,
+ merge_keys_and_selfsig (keyblock);
+
+ for (uidnode = keyblock->next;
+- uidnode && uidnode->pkt->pkttype != PKT_PUBLIC_SUBKEY;
++ uidnode && !(uidnode->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || uidnode->pkt->pkttype == PKT_SECRET_SUBKEY);
+ uidnode = uidnode->next)
+ {
+ if (uidnode->pkt->pkttype == PKT_USER_ID)
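Review bot: The public-or-secret subkey test is now written out four times across mark_usable_uid_certs and clean_key, and the public-or-secret primary key test three times in the log_assert calls, so the next packet-type change has to find every copy. A small static predicate would keep them in step, for example `static int is_subkey_pkt (int t) { return t == PKT_PUBLIC_SUBKEY || t == PKT_SECRET_SUBKEY; }` (the name is only a suggestion). clean_sigs_from_uid still passes `keyblock->pkt->pkt.public_key` to keyid_from_pk when the block is a PKT_SECRET_KEY; the commit message says the structures are identical, and a one-line comment at that call saying so would save the next reader the lookup. All of these functions continue outside the hunks.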
diff --git a/debian/patches/0055-common-Remove-unused-function-tty_print_string.patch b/debian/patches/0055-common-Remove-unused-function-tty_print_string.patch
new file mode 100644
index 0000000..910cd4c
--- /dev/null
+++ b/debian/patches/0055-common-Remove-unused-function-tty_print_string.patch
@@ -0,0 +1,181 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 17 Jan 2017 10:19:06 +0100
+Subject: common: Remove unused function tty_print_string.
+
+* common/ttyio.c (tty_print_string): Rename to ...
+(do_print_string): this. Make local. Simplify FP case by using
+print_utf8_buffer. Change caller.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit bae42e543799a428e59bad870aed9719dd6e6e45)
+---
+ common/ttyio.c | 128 +++++++++++++++++++++------------------------------------
+ common/ttyio.h | 1 -
+ 2 files changed, 46 insertions(+), 83 deletions(-)
+
+diff --git a/common/ttyio.c b/common/ttyio.c
+index 5fb620dfa..29af1b3ff 100644
+--- a/common/ttyio.c
++++ b/common/ttyio.c
+@@ -309,95 +309,59 @@ tty_fprintf (estream_t fp, const char *fmt, ... )
+ }
+
+
+-/****************
+- * Print a string, but filter all control characters out. If FP is
+- * not NULL print to that stream instead to the tty.
+- */
+-void
+-tty_print_string (estream_t fp, const byte *p, size_t n )
++/* Print a string, but filter all control characters out. If FP is
++ * not NULL print to that stream instead to the tty. */
++static void
++do_print_string (estream_t fp, const byte *p, size_t n )
+ {
+- if (no_terminal && !fp)
+- return;
++ if (no_terminal && !fp)
++ return;
+
+- if( !initialized & !fp)
+- init_ttyfp();
++ if (!initialized && !fp)
++ init_ttyfp();
++
++ if (fp)
++ {
++ print_utf8_buffer (fp, p, n);
++ return;
++ }
+
+ #ifdef USE_W32_CONSOLE
+- /* not so effective, change it if you want */
+- if (fp)
+- {
+- for( ; n; n--, p++ )
+- {
+- if( iscntrl( *p ) )
+- {
+- if( *p == '\n' )
+- tty_fprintf (fp, "\\n");
+- else if( !*p )
+- tty_fprintf (fp, "\\0");
+- else
+- tty_fprintf (fp, "\\x%02x", *p);
+- }
+- else
+- tty_fprintf (fp, "%c", *p);
+- }
+- }
+- else
+- {
+- for( ; n; n--, p++ )
+- {
+- if( iscntrl( *p ) )
+- {
+- if( *p == '\n' )
+- tty_printf ("\\n");
+- else if( !*p )
+- tty_printf ("\\0");
+- else
+- tty_printf ("\\x%02x", *p);
+- }
+- else
+- tty_printf ("%c", *p);
+- }
+- }
++ /* Not so effective, change it if you want */
++ for (; n; n--, p++)
++ {
++ if (iscntrl (*p))
++ {
++ if( *p == '\n' )
++ tty_printf ("\\n");
++ else if( !*p )
++ tty_printf ("\\0");
++ else
++ tty_printf ("\\x%02x", *p);
++ }
++ else
++ tty_printf ("%c", *p);
++ }
+ #else
+- if (fp)
+- {
+- for( ; n; n--, p++ )
+- {
+- if (iscntrl (*p))
+- {
+- es_putc ('\\', fp);
+- if ( *p == '\n' )
+- es_putc ('n', fp);
+- else if ( !*p )
+- es_putc ('0', fp);
+- else
+- es_fprintf (fp, "x%02x", *p);
+- }
+- else
+- es_putc (*p, fp);
+- }
+- }
+- else
+- {
+- for (; n; n--, p++)
+- {
+- if (iscntrl (*p))
+- {
+- putc ('\\', ttyfp);
+- if ( *p == '\n' )
+- putc ('n', ttyfp);
+- else if ( !*p )
+- putc ('0', ttyfp);
+- else
+- fprintf (ttyfp, "x%02x", *p );
+- }
+- else
+- putc (*p, ttyfp);
+- }
+- }
++ for (; n; n--, p++)
++ {
++ if (iscntrl (*p))
++ {
++ putc ('\\', ttyfp);
++ if ( *p == '\n' )
++ putc ('n', ttyfp);
++ else if ( !*p )
++ putc ('0', ttyfp);
++ else
++ fprintf (ttyfp, "x%02x", *p );
++ }
++ else
++ putc (*p, ttyfp);
++ }
+ #endif
+ }
+
++
+ void
+ tty_print_utf8_string2 (estream_t fp, const byte *p, size_t n, size_t max_n)
+ {
+@@ -425,7 +389,7 @@ tty_print_utf8_string2 (estream_t fp, const byte *p, size_t n, size_t max_n)
+ if( max_n && (n > max_n) ) {
+ n = max_n;
+ }
+- tty_print_string (fp, p, n );
++ do_print_string (fp, p, n );
+ }
+ }
+
+diff --git a/common/ttyio.h b/common/ttyio.h
+index 004aa859a..5bff82fbb 100644
+--- a/common/ttyio.h
++++ b/common/ttyio.h
+@@ -47,7 +47,6 @@ void tty_printf (const char *fmt, ... );
+ void tty_fprintf (estream_t fp, const char *fmt, ... );
+ char *tty_getf (const char *promptfmt, ... );
+ #endif
+-void tty_print_string (estream_t fp, const unsigned char *p, size_t n);
+ void tty_print_utf8_string (const unsigned char *p, size_t n);
+ void tty_print_utf8_string2 (estream_t fp,
+ const unsigned char *p, size_t n, size_t max_n);
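Review bot: When FP is set, do_print_string now hands the buffer to print_utf8_buffer instead of the byte-wise `iscntrl` escaping, so the header comment's promise to filter control characters on that path rests on a function this hunk does not show. These strings are presumably user IDs and similar data taken from key material, so it is worth confirming that print_utf8_buffer escapes ESC and other control bytes at least as strictly as the removed loops. The dependency could be recorded at the call, e.g. `/* print_utf8_buffer does the control character escaping. */`. As a style point, putting the `if (fp)` branch ahead of the `!initialized` test would make it clearer that the tty setup applies only to the tty path.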
diff --git a/debian/patches/0056-gpg-Sync-print-of-additional-sig-data-in-edit-key.patch b/debian/patches/0056-gpg-Sync-print-of-additional-sig-data-in-edit-key.patch
new file mode 100644
index 0000000..1d7b97d
--- /dev/null
+++ b/debian/patches/0056-gpg-Sync-print-of-additional-sig-data-in-edit-key.patch
@@ -0,0 +1,232 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 17 Jan 2017 10:23:52 +0100
+Subject: gpg: Sync print of additional sig data in --edit-key.
+
+* g10/keylist.c (show_policy_url): Implement MODE -1.
+(show_keyserver_url): Ditto.
+(show_notation): Ditto.
+* g10/keyedit.c (print_one_sig): Print policy URL, keyserver URL and
+notation data to the tty.
+--
+
+With this change the listing of signatures in the key edit menu does
+now include policy URLs et al in order and not possible after leaving
+the menu (it used to go to stdout and not the tty).
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 766c25018b288a7185c6da6adac0dec01a64e94a)
+---
+ g10/keyedit.c | 6 ++---
+ g10/keylist.c | 87 +++++++++++++++++++++++++++++------------------------------
+ 2 files changed, 45 insertions(+), 48 deletions(-)
+
+diff --git a/g10/keyedit.c b/g10/keyedit.c
+index dadf58685..1456d2867 100644
+--- a/g10/keyedit.c
++++ b/g10/keyedit.c
+@@ -281,11 +281,11 @@ print_one_sig (int rc, KBNODE keyblock, KBNODE node,
+
+ if (sig->flags.policy_url
+ && ((opt.list_options & LIST_SHOW_POLICY_URLS) || extended))
+- show_policy_url (sig, 3, 0);
++ show_policy_url (sig, 3, -1);
+
+ if (sig->flags.notation
+ && ((opt.list_options & LIST_SHOW_NOTATIONS) || extended))
+- show_notation (sig, 3, 0,
++ show_notation (sig, 3, -1,
+ ((opt.
+ list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) +
+ ((opt.
+@@ -293,7 +293,7 @@ print_one_sig (int rc, KBNODE keyblock, KBNODE node,
+
+ if (sig->flags.pref_ks
+ && ((opt.list_options & LIST_SHOW_KEYSERVER_URLS) || extended))
+- show_keyserver_url (sig, 3, 0);
++ show_keyserver_url (sig, 3, -1);
+
+ if (extended)
+ {
+diff --git a/g10/keylist.c b/g10/keylist.c
+index a5fdc06a8..4fe1e4034 100644
+--- a/g10/keylist.c
++++ b/g10/keylist.c
+@@ -304,6 +304,7 @@ status_one_subpacket (sigsubpkttype_t type, size_t len, int flags,
+
+
+ /* Print a policy URL. Allowed values for MODE are:
++ * -1 - print to the TTY
+ * 0 - print to stdout.
+ * 1 - use log_info and emit status messages.
+ * 2 - emit only status messages.
+@@ -314,50 +315,48 @@ show_policy_url (PKT_signature * sig, int indent, int mode)
+ const byte *p;
+ size_t len;
+ int seq = 0, crit;
+- estream_t fp = mode ? log_get_stream () : es_stdout;
++ estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
+
+ while ((p =
+ enum_sig_subpkt (sig->hashed, SIGSUBPKT_POLICY, &len, &seq, &crit)))
+ {
+ if (mode != 2)
+ {
+- int i;
+ const char *str;
+
+- for (i = 0; i < indent; i++)
+- es_putc (' ', fp);
++ tty_fprintf (fp, "%*s", indent, "");
+
+ if (crit)
+ str = _("Critical signature policy: ");
+ else
+ str = _("Signature policy: ");
+- if (mode)
++ if (mode > 0)
+ log_info ("%s", str);
+ else
+- es_fprintf (fp, "%s", str);
+- print_utf8_buffer (fp, p, len);
+- es_fprintf (fp, "\n");
++ tty_fprintf (fp, "%s", str);
++ tty_print_utf8_string2 (fp, p, len, 0);
++ tty_fprintf (fp, "\n");
+ }
+
+- if (mode)
++ if (mode > 0)
+ write_status_buffer (STATUS_POLICY_URL, p, len, 0);
+ }
+ }
+
+
+-/*
+- mode=0 for stdout.
+- mode=1 for log_info + status messages
+- mode=2 for status messages only
+-*/
+-/* TODO: use this */
++/* Print a keyserver URL. Allowed values for MODE are:
++ * -1 - print to the TTY
++ * 0 - print to stdout.
++ * 1 - use log_info and emit status messages.
++ * 2 - emit only status messages.
++ */
+ void
+ show_keyserver_url (PKT_signature * sig, int indent, int mode)
+ {
+ const byte *p;
+ size_t len;
+ int seq = 0, crit;
+- estream_t fp = mode ? log_get_stream () : es_stdout;
++ estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
+
+ while ((p =
+ enum_sig_subpkt (sig->hashed, SIGSUBPKT_PREF_KS, &len, &seq,
+@@ -365,43 +364,43 @@ show_keyserver_url (PKT_signature * sig, int indent, int mode)
+ {
+ if (mode != 2)
+ {
+- int i;
+ const char *str;
+
+- for (i = 0; i < indent; i++)
+- es_putc (' ', es_stdout);
++ tty_fprintf (fp, "%*s", indent, "");
+
+ if (crit)
+ str = _("Critical preferred keyserver: ");
+ else
+ str = _("Preferred keyserver: ");
+- if (mode)
++ if (mode > 0)
+ log_info ("%s", str);
+ else
+- es_fprintf (es_stdout, "%s", str);
+- print_utf8_buffer (fp, p, len);
+- es_fprintf (fp, "\n");
++ tty_fprintf (es_stdout, "%s", str);
++ tty_print_utf8_string2 (fp, p, len, 0);
++ tty_fprintf (fp, "\n");
+ }
+
+- if (mode)
++ if (mode > 0)
+ status_one_subpacket (SIGSUBPKT_PREF_KS, len,
+ (crit ? 0x02 : 0) | 0x01, p);
+ }
+ }
+
+-/*
+- mode=0 for stdout.
+- mode=1 for log_info + status messages
+- mode=2 for status messages only
+-
+- Defined bits in WHICH:
+- 1 == standard notations
+- 2 == user notations
+-*/
++
++/* Print notation data. Allowed values for MODE are:
++ * -1 - print to the TTY
++ * 0 - print to stdout.
++ * 1 - use log_info and emit status messages.
++ * 2 - emit only status messages.
++ *
++ * Defined bits in WHICH:
++ * 1 - standard notations
++ * 2 - user notations
++ */
+ void
+ show_notation (PKT_signature * sig, int indent, int mode, int which)
+ {
+- estream_t fp = mode ? log_get_stream () : es_stdout;
++ estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
+ notation_t nd, notations;
+
+ if (which == 0)
+@@ -418,34 +417,32 @@ show_notation (PKT_signature * sig, int indent, int mode, int which)
+
+ if ((which & 1 && !has_at) || (which & 2 && has_at))
+ {
+- int i;
+ const char *str;
+
+- for (i = 0; i < indent; i++)
+- es_putc (' ', es_stdout);
++ tty_fprintf (fp, "%*s", indent, "");
+
+ if (nd->flags.critical)
+ str = _("Critical signature notation: ");
+ else
+ str = _("Signature notation: ");
+- if (mode)
++ if (mode > 0)
+ log_info ("%s", str);
+ else
+- es_fprintf (es_stdout, "%s", str);
++ tty_fprintf (es_stdout, "%s", str);
+ /* This is all UTF8 */
+- print_utf8_buffer (fp, nd->name, strlen (nd->name));
+- es_fprintf (fp, "=");
+- print_utf8_buffer (fp, nd->value, strlen (nd->value));
++ tty_print_utf8_string2 (fp, nd->name, strlen (nd->name), 0);
++ tty_fprintf (fp, "=");
++ tty_print_utf8_string2 (fp, nd->value, strlen (nd->value), 0);
+ /* (We need to use log_printf so that the next call to a
+ log function does not insert an extra LF.) */
+- if (mode)
++ if (mode > 0)
+ log_printf ("\n");
+ else
+- es_putc ('\n', fp);
++ tty_fprintf (fp, "\n");
+ }
+ }
+
+- if (mode)
++ if (mode > 0)
+ {
+ write_status_buffer (STATUS_NOTATION_NAME,
+ nd->name, strlen (nd->name), 0);
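Review bot: In `show_keyserver_url` and `show_notation` the label is still written with `tty_fprintf (es_stdout, "%s", str);`, so with MODE -1 (where `fp` is NULL to select the TTY) the label goes to stdout while the indentation, the value and the newline go to the tty. `show_policy_url` already passes `fp` at the same spot; both remaining calls should read `tty_fprintf (fp, "%s", str);` so that one output line lands on one stream, which is what the commit message sets out to achieve. The printed values are signature subpacket data chosen by whoever issued the signature, so the function comments could also state that they reach the terminal only through `tty_print_utf8_string2`; the `do_print_string` fallback visible in common/ttyio.c escapes control bytes, though whether every path does so cannot be confirmed from this hunk. The body of `show_notation` continues past the end of the hunk.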
diff --git a/debian/patches/0057-gpg-Clean-bogus-subkey-binding-when-cleaning-a-key.patch b/debian/patches/0057-gpg-Clean-bogus-subkey-binding-when-cleaning-a-key.patch
new file mode 100644
index 0000000..d427a7c
--- /dev/null
+++ b/debian/patches/0057-gpg-Clean-bogus-subkey-binding-when-cleaning-a-key.patch
@@ -0,0 +1,80 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 17 Jan 2017 10:26:34 +0100
+Subject: gpg: Clean bogus subkey binding when cleaning a key.
+
+* g10/trust.c (clean_key): Also clean bogus subkey bindings.
+--
+
+GnuPG-bug-id: 2922
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 356323768a1a29138581d0aceed0336ab8be0d5c)
+---
+ g10/export.c | 1 +
+ g10/trust.c | 34 +++++++++++++++++++++++++++-------
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/g10/export.c b/g10/export.c
+index ad42b41b5..b36200ac0 100644
+--- a/g10/export.c
++++ b/g10/export.c
+@@ -1518,6 +1518,7 @@ do_export_one_keyblock (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid,
+ u32 subkidbuf[2], *subkid;
+ kbnode_t kbctx, node;
+
++ /* NB: walk_kbnode skips packets marked as deleted. */
+ for (kbctx=NULL; (node = walk_kbnode (keyblock, &kbctx, 0)); )
+ {
+ if (skip_until_subkey)
+diff --git a/g10/trust.c b/g10/trust.c
+index 102444865..888b4ca53 100644
+--- a/g10/trust.c
++++ b/g10/trust.c
+@@ -756,21 +756,41 @@ clean_one_uid (kbnode_t keyblock, kbnode_t uidnode, int noisy, int self_only,
+ }
+
+
++/* NB: This function marks the deleted nodes only and the caller is
++ * responsible to skip or remove them. */
+ void
+ clean_key (kbnode_t keyblock, int noisy, int self_only,
+ int *uids_cleaned, int *sigs_cleaned)
+ {
+- kbnode_t uidnode;
++ kbnode_t node;
+
+ merge_keys_and_selfsig (keyblock);
+
+- for (uidnode = keyblock->next;
+- uidnode && !(uidnode->pkt->pkttype == PKT_PUBLIC_SUBKEY
+- || uidnode->pkt->pkttype == PKT_SECRET_SUBKEY);
+- uidnode = uidnode->next)
++ for (node = keyblock->next;
++ node && !(node->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || node->pkt->pkttype == PKT_SECRET_SUBKEY);
++ node = node->next)
+ {
+- if (uidnode->pkt->pkttype == PKT_USER_ID)
+- clean_one_uid (keyblock, uidnode,noisy, self_only,
++ if (node->pkt->pkttype == PKT_USER_ID)
++ clean_one_uid (keyblock, node, noisy, self_only,
+ uids_cleaned, sigs_cleaned);
+ }
++
++ /* Remove bogus subkey binding signatures: The only signatures
++ * allowed are of class 0x18 and 0x28. */
++ log_assert (!node || (node->pkt->pkttype == PKT_PUBLIC_SUBKEY
++ || node->pkt->pkttype == PKT_SECRET_SUBKEY));
++ for (; node; node = node->next)
++ {
++ if (is_deleted_kbnode (node))
++ continue;
++ if (node->pkt->pkttype == PKT_SIGNATURE
++ && !(IS_SUBKEY_SIG (node->pkt->pkt.signature)
++ || IS_SUBKEY_REV (node->pkt->pkt.signature)))
++ {
++ delete_kbnode (node);
++ if (sigs_cleaned)
++ ++*sigs_cleaned;
++ }
++ }
+ }
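Review bot: The new subkey loop in `clean_key` deletes signatures by class alone and never consults `noisy`, so a key can lose packets during cleaning without any message, whereas the user-ID pass hands `noisy` on to `clean_one_uid`. A line before `delete_kbnode (node);` such as `if (noisy) log_info ("removing signature of class 0x%02x after subkey\n", node->pkt->pkt.signature->sig_class);` (sample wording) would keep the removal auditable. The header comment should also say that `self_only` has no effect on this pass and that the loop checks only the signature class of what it keeps; any verification of the remaining 0x18/0x28 signatures would have to happen elsewhere, presumably in `merge_keys_and_selfsig`.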
diff --git a/debian/patches/0058-build-Handle-packages-with-dashes-in-find-version.patch b/debian/patches/0058-build-Handle-packages-with-dashes-in-find-version.patch
new file mode 100644
index 0000000..3e09c48
--- /dev/null
+++ b/debian/patches/0058-build-Handle-packages-with-dashes-in-find-version.patch
@@ -0,0 +1,86 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 17 Jan 2017 12:14:53 +0100
+Subject: build: Handle packages with dashes in --find-version.
+
+* autogen.sh (--find-version): Improve version extraction.
+* (--help): Extend.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit a09f258b1412209763222e2e81bab79663e4d685)
+---
+ autogen.sh | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index 0cecf0d89..d7bab0383 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -1,6 +1,6 @@
+ #! /bin/sh
+ # autogen.sh
+-# Copyright (C) 2003, 2014 g10 Code GmbH
++# Copyright (C) 2003, 2014, 2017 g10 Code GmbH
+ #
+ # This file is free software; as a special exception the author gives
+ # unlimited permission to copy and/or distribute it, with or without
+@@ -15,7 +15,7 @@
+ # configure it for the respective package. It is maintained as part of
+ # GnuPG and source copied by other packages.
+ #
+-# Version: 2014-06-06
++# Version: 2017-01-17
+
+ configure_ac="configure.ac"
+
+@@ -80,7 +80,17 @@ if [ -n "${AUTOGEN_SH_SILENT}" ]; then
+ SILENT=" --silent"
+ fi
+ if test x"$1" = x"--help"; then
+- echo "usage: ./autogen.sh [--silent] [--force] [--build-TYPE] [ARGS]"
++ echo "usage: ./autogen.sh [OPTIONS] [ARGS]"
++ echo " Options:"
++ echo " --silent Silent operation"
++ echo " --force Pass --force to autoconf"
++ echo " --find-version Helper for configure.ac"
++ echo " --build-TYPE Configure to cross build for TYPE"
++ echo " --print-host Print only the host triplet"
++ echo " --print-build Print only the build platform triplet"
++ echo ""
++ echo " ARGS are passed to configure in --build-TYPE mode."
++ echo " Configuration for this script is expected in autogen.rc"
+ exit 0
+ fi
+ if test x"$1" = x"--silent"; then
+@@ -200,6 +210,11 @@ if [ "$myhost" = "find-version" ]; then
+ minor="$3"
+ micro="$4"
+
++ if [ -z "$package" -o -z "$major" -o -z "$minor" ]; then
++ echo "usage: ./autogen.sh --find-version PACKAGE MAJOR MINOR [MICRO]" >&2
++ exit 1
++ fi
++
+ case "$version_parts" in
+ 2)
+ matchstr1="$package-$major.[0-9]*"
+@@ -217,8 +232,10 @@ if [ "$myhost" = "find-version" ]; then
+ if false; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
++ tmp=$(echo "$tmp" | sed s/^"$package"//)
+ if [ -n "$tmp" ]; then
+- tmp=$(echo "$tmp"|awk -F- '$3!=0 && $3 !~ /^beta/ {print"-beta"$3}')
++ tmp=$(echo "$tmp" | sed s/^"$package"// \
++ | awk -F- '$3!=0 && $3 !~ /^beta/ {print"-beta"$3}')
+ else
+ tmp=$(git describe --match "${matchstr2}" --long 2>/dev/null \
+ | awk -F- '$4!=0{print"-beta"$4}')
+@@ -426,7 +443,7 @@ if [ -d .git ]; then
+ [ -z "${SILENT}" ] && cat <<EOF
+ *** Activating trailing whitespace git pre-commit hook. ***
+ For more information see this thread:
+- http://mail.gnome.org/archives/desktop-devel-list/2009-May/msg00084.html
++ https://mail.gnome.org/archives/desktop-devel-list/2009-May/msg00084.html
+ To deactivate this pre-commit hook again move .git/hooks/pre-commit
+ and .git/hooks/pre-commit.sample out of the way.
+ EOF
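Review bot: The package prefix is stripped twice in the `git describe` branch: the added line `tmp=$(echo "$tmp" | sed s/^"$package"//)` already removes it, and the rewritten pipeline two lines below runs the same `sed` again before `awk`. `$package` is also spliced into the sed script as a regular expression, so a name containing `.`, `*` or `/` would match loosely or break the command. A single `tmp=${tmp#"$package"}` after the `git describe` call strips the prefix literally and without extra processes, and the `awk` line can then stay as it was. Separately, the new argument check joins its tests with `-o`, which POSIX marks obsolescent; `[ -z "$package" ] || [ -z "$major" ] || [ -z "$minor" ]` is the portable form and fits the earlier "more POSIX friendly" patches in this series.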
diff --git a/debian/patches/series b/debian/patches/series
index 9c3426b..15de52f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,5 +33,26 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
0033-common-Fix-fallback-code.patch
0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
0035-doc-Mention-dirmngr.conf.patch
-resolve-ambiguity/0036-common-Avoid-unnecessary-ambiguity-in-argparse.patch
0037-systemd-user-Enable-systemctl-user-reload-dirmngr-gp.patch
+0037-common-Avoid-unnecessary-ambiguity-in-argparse.patch
+0038-common-New-function-log_debug_with_string.patch
+0039-dirmngr-Add-debug-code-to-http.c.patch
+0040-dirmngr-Implement-debug-option-network-for-http.patch
+0041-dirmngr-Remove-warnings-about-unused-global-variable.patch
+0042-dirmngr-Fix-Tor-access-for-v6-addresses.patch
+0043-dirmngr-Mark-hosts-dead-on-ENETDOWN.patch
+0044-dirmngr-After-a-connection-failure-log-a-hint-if-Tor.patch
+0045-libdns-Provide-replacement-for-EPROTO.patch
+0046-libdns-Silence-Wstrict-prototypes-on-some-function-p.patch
+0047-build-Make-autogen.sh-more-POSIX-friendly.patch
+0048-gpg-Rename-a-var-to-avoid-a-shadowing-warning.patch
+0049-build-Make-autogen.sh-more-POSIX-friendly-next-try.patch
+0050-dirmngr-Fix-URL-creation-for-literal-IPv6-addresses-.patch
+0051-dirmngr-Avoid-network-queries-for-literal-IP-address.patch
+0052-dirmngr-Allow-reverse-DNS-lookups-in-Tor-mode.patch
+0053-dirmngr-Implement-hkps-lookups-using-literal-address.patch
+0054-gpg-Prepare-some-key-cleaning-function-for-use-with-.patch
+0055-common-Remove-unused-function-tty_print_string.patch
+0056-gpg-Sync-print-of-additional-sig-data-in-edit-key.patch
+0057-gpg-Clean-bogus-subkey-binding-when-cleaning-a-key.patch
+0058-build-Handle-packages-with-dashes-in-find-version.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git