[Pkg-gnupg-commit] [gnupg2] 01/05: still more patches from upstream
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 11 00:21:21 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit e6c672bb266fa3a7966e9db419be35dee73cbd9c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Jan 10 16:23:42 2017 -0500
still more patches from upstream
---
...ip-root-zone-suffix-from-libdns-SRV-resul.patch | 30 ++++
...27-dirmngr-Change-internal-SRV-lookup-API.patch | 169 ++++++++++++++++++
...0028-dirmngr-Improve-debug-output-for-TLS.patch | 38 ++++
...lement-experimental-SRV-record-lookup-for.patch | 145 +++++++++++++++
.../0030-doc-Update-man-page-for-watchgnupg.patch | 98 ++++++++++
...not-use-a-SRV-record-for-HKP-if-a-port-wa.patch | 197 +++++++++++++++++++++
...-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch | 124 +++++++++++++
debian/patches/0033-common-Fix-fallback-code.patch | 41 +++++
...x-memory-leaks-and-improve-error-handling.patch | 151 ++++++++++++++++
debian/patches/0035-doc-Mention-dirmngr.conf.patch | 50 ++++++
debian/patches/series | 10 ++
11 files changed, 1053 insertions(+)
diff --git a/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch b/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
new file mode 100644
index 0000000..80c5e94
--- /dev/null
+++ b/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
@@ -0,0 +1,30 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:00:38 +0100
+Subject: dirmngr: Strip root zone suffix from libdns SRV results.
+
+* dirmngr/dns-stuff.c (getsrv_libdns): Strip trailing dot from the
+target.
+--
+
+See-also: b200e636ab20d2aa93d9f71f3789db5a04af0a56
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 9fa94aa10778bbd680315e93b23175423e338c40)
+---
+ dirmngr/dns-stuff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index e32e1e3e1..028b065ab 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -1591,6 +1591,10 @@ getsrv_libdns (const char *name, struct srventry **list, unsigned int *r_count)
+ srv->weight = dsrv.weight;
+ srv->port = dsrv.port;
+ mem2str (srv->target, dsrv.target, sizeof srv->target);
++ /* Libdns appends the root zone part which is problematic for
++ * most other functions - strip it. */
++ if (*srv->target && (srv->target)[strlen (srv->target)-1] == '.')
++ (srv->target)[strlen (srv->target)-1] = 0;
+ }
+
+ *r_count = srvcount;
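Review bot: In getsrv_libdns, a target that is exactly "." (which RFC 2782 defines as "service decidedly not available at this domain") passes the `*srv->target` test and is reduced to an empty string, so callers receive an entry with an empty host name rather than a recognisable marker. Consider dropping such entries from the list here, or documenting that callers must skip an empty target. Minor: strlen (srv->target) is evaluated twice; a local length variable would make the two lines easier to read.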
diff --git a/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch b/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch
new file mode 100644
index 0000000..c792b3f
--- /dev/null
+++ b/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch
@@ -0,0 +1,169 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:04:59 +0100
+Subject: dirmngr: Change internal SRV lookup API.
+
+* dirmngr/dns-stuff.c (get_dns_srv): Add args SERVICE and PROTO.
+* dirmngr/http.c (connect_server): Simplify SRV lookup.
+* dirmngr/ks-engine-hkp.c (map_host): Ditto.
+* dirmngr/t-dns-stuff.c (main): Adjust for changed get_dns_srv.
+--
+
+This new API is more convenient because it includes commonly used
+code. Note that right now http.c's SRV record code is not used.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 16078f3deea5b82ea26e2f01dbd3ef3a5ce25410)
+---
+ dirmngr/dns-stuff.c | 25 +++++++++++++++++++++++--
+ dirmngr/dns-stuff.h | 1 +
+ dirmngr/http.c | 28 +++++-----------------------
+ dirmngr/ks-engine-hkp.c | 12 +-----------
+ dirmngr/t-dns-stuff.c | 2 +-
+ 5 files changed, 31 insertions(+), 37 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 028b065ab..a8713eb44 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -1740,17 +1740,37 @@ getsrv_standard (const char *name,
+ }
+
+
+-/* Note that we do not return NONAME but simply store 0 at R_COUNT. */
++/* Query a SRV record for SERVICE and PROTO for NAME. If SERVICE is
++ * NULL, NAME is expected to contain the full query name. Note that
++ * we do not return NONAME but simply store 0 at R_COUNT. On error an
++ * error code is returned and 0 stored at R_COUNT. */
+ gpg_error_t
+-get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count)
++get_dns_srv (const char *name, const char *service, const char *proto,
++ struct srventry **list, unsigned int *r_count)
+ {
+ gpg_error_t err;
++ char *namebuffer = NULL;
+ unsigned int srvcount;
+ int i;
+
+ *list = NULL;
+ *r_count = 0;
+ srvcount = 0;
++
++ /* If SERVICE is given construct the query from it and PROTO. */
++ if (service)
++ {
++ namebuffer = xtryasprintf ("_%s._%s.%s",
++ service, proto? proto:"tcp", name);
++ if (!namebuffer)
++ {
++ err = gpg_error_from_syserror ();
++ goto leave;
++ }
++ name = namebuffer;
++ }
++
++
+ #ifdef USE_LIBDNS
+ if (!standard_resolver)
+ {
+@@ -1852,6 +1872,7 @@ get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count)
+ }
+ if (!err)
+ *r_count = srvcount;
++ xfree (namebuffer);
+ return err;
+ }
+
+diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
+index eb7fe7246..d68dd1728 100644
+--- a/dirmngr/dns-stuff.h
++++ b/dirmngr/dns-stuff.h
+@@ -153,6 +153,7 @@ gpg_error_t get_dns_cert (const char *name, int want_certtype,
+
+ /* Return an array of SRV records. */
+ gpg_error_t get_dns_srv (const char *name,
++ const char *service, const char *proto,
+ struct srventry **list, unsigned int *r_count);
+
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 14d60df4b..7a028047d 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2362,29 +2362,11 @@ connect_server (const char *server, unsigned short port,
+ /* Do the SRV thing */
+ if (srvtag)
+ {
+- /* We're using SRV, so append the tags. */
+- if (1 + strlen (srvtag) + 6 + strlen (server) + 1
+- <= DIMof (struct srventry, target))
+- {
+- char *srvname = xtrymalloc (DIMof (struct srventry, target));
+-
+- if (!srvname) /* Out of core */
+- {
+- serverlist = NULL;
+- srvcount = 0;
+- }
+- else
+- {
+- stpcpy (stpcpy (stpcpy (stpcpy (srvname,"_"), srvtag),
+- "._tcp."), server);
+- err = get_dns_srv (srvname, &serverlist, &srvcount);
+- if (err)
+- log_info ("getting SRV '%s' failed: %s\n",
+- srvname, gpg_strerror (err));
+- xfree (srvname);
+- /* Note that on error SRVCOUNT is zero. */
+- }
+- }
++ err = get_dns_srv (server, srvtag, NULL, &serverlist, &srvcount);
++ if (err)
++ log_info ("getting '%s' SRV for '%s' failed: %s\n",
++ srvtag, server, gpg_strerror (err));
++ /* Note that on error SRVCOUNT is zero. */
+ }
+
+ if (!serverlist)
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 6f1c2e8e0..5b54c443a 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -447,7 +447,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+ int refidx;
+ int is_pool = 0;
+ char *cname;
+- char *srvrecord;
+ struct srventry *srvs;
+ unsigned int srvscount;
+
+@@ -469,16 +468,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+ if (!is_ip_address (name))
+ {
+ /* Check for SRV records. */
+- srvrecord = xtryasprintf ("_hkp._tcp.%s", name);
+- if (srvrecord == NULL)
+- {
+- err = gpg_error_from_syserror ();
+- xfree (reftbl);
+- return err;
+- }
+-
+- err = get_dns_srv (srvrecord, &srvs, &srvscount);
+- xfree (srvrecord);
++ err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
+ if (err)
+ {
+ xfree (reftbl);
+diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c
+index bc4ca9a51..23c0c6aa0 100644
+--- a/dirmngr/t-dns-stuff.c
++++ b/dirmngr/t-dns-stuff.c
+@@ -235,7 +235,7 @@ main (int argc, char **argv)
+ int i;
+
+ err = get_dns_srv (name? name : "_hkp._tcp.wwwkeys.pgp.net",
+- &srv, &count);
++ NULL, NULL, &srv, &count);
+ if (err)
+ printf ("get_dns_srv failed: %s <%s>\n",
+ gpg_strerror (err), gpg_strsource (err));
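Review bot: The new header comment for get_dns_srv documents SERVICE but not PROTO; the code falls back to "tcp" when PROTO is NULL (`proto? proto:"tcp"`), and every caller changed in this patch relies on that by passing NULL, so the default should be stated in the comment. Also, connect_server previously refused to build a query name that did not fit in DIMof (struct srventry, target); with xtryasprintf the name length is no longer bounded here, so it is worth confirming that both resolver back ends reject over-long names instead of depending on the removed check.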
diff --git a/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch b/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch
new file mode 100644
index 0000000..59b07d6
--- /dev/null
+++ b/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch
@@ -0,0 +1,38 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:07:18 +0100
+Subject: dirmngr: Improve debug output for TLS.
+
+* dirmngr/misc.c (dump_cert): Also print SubjectAltNames.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 714faea4fa7f30d42e9986358214a99aa8fa57b3)
+---
+ dirmngr/misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/dirmngr/misc.c b/dirmngr/misc.c
+index ac3856e09..2ee6d82bd 100644
+--- a/dirmngr/misc.c
++++ b/dirmngr/misc.c
+@@ -296,6 +296,7 @@ dump_cert (const char *text, ksba_cert_t cert)
+ ksba_sexp_t sexp;
+ char *p;
+ ksba_isotime_t t;
++ int idx;
+
+ log_debug ("BEGIN Certificate '%s':\n", text? text:"");
+ if (cert)
+@@ -326,6 +327,13 @@ dump_cert (const char *text, ksba_cert_t cert)
+ dump_string (p);
+ ksba_free (p);
+ log_printf ("\n");
++ for (idx=1; (p = ksba_cert_get_subject (cert, idx)); idx++)
++ {
++ log_debug (" aka: ");
++ dump_string (p);
++ ksba_free (p);
++ log_printf ("\n");
++ }
+
+ log_debug (" hash algo: %s\n", ksba_cert_get_digest_algo (cert));
+
diff --git a/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch b/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
new file mode 100644
index 0000000..bdc278f
--- /dev/null
+++ b/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
@@ -0,0 +1,145 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:42:50 +0100
+Subject: dirmngr: Implement experimental SRV record lookup for WKD.
+
+* dirmngr/server.c (cmd_wkd_get): Support SRV records.
+--
+
+This patch changes the way a WKD query is done. Now we first look for
+a SRV record for service "openpgpkey" and port "tcp" under the
+to-be-queried domain. If such a record was found and the target host
+matches the to-be-queried domain or is a suffix to that domain, that
+target host is used instead of the domain name. The SRV record also
+allows to change the port and obviously can be used for
+load-balancing.
+
+For example a query for the submission address of example.org with the
+SRV record specification
+
+_openpgpkey._tcp IN SRV 0 0 0 wkd.foo.org.
+ IN SRV 0 0 0 wkd.example.net.
+ IN SRV 0 0 4711 wkd.example.org.
+
+(queried using the name "_openpgpkey._tcp.example.org") would fetch
+from this URL:
+
+ https://wkd.example.org:4711/.well-known/openpgpkey/submission-address
+
+Note that the first two SRV records won't be used because foo.org and
+example.net do not match example.org. We require that the target host
+is identical to the domain or be a subdomain of it. This is so that
+an attacker modifying the SRV records needs to setup a server in a
+sub-domain of the actual domain and can't use an arbitrary domain.
+Whether this is a sufficient requirement is not clear and needs
+further discussion.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10)
+---
+ dirmngr/server.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index 28c2cd428..c9c4ad437 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -826,13 +826,15 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ ctrl_t ctrl = assuan_get_pointer (ctx);
+ gpg_error_t err = 0;
+ char *mbox = NULL;
+- char *domain; /* Points to mbox. */
++ char *domainbuf = NULL;
++ char *domain; /* Points to mbox or domainbuf. */
+ char sha1buf[20];
+ char *uri = NULL;
+ char *encodedhash = NULL;
+ int opt_submission_addr;
+ int opt_policy_flags;
+ int no_log = 0;
++ char portstr[20] = { 0 };
+
+ opt_submission_addr = has_option (line, "--submission-address");
+ opt_policy_flags = has_option (line, "--policy-flags");
+@@ -846,6 +848,50 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ }
+ *domain++ = 0;
+
++ /* Check for SRV records. */
++ if (1)
++ {
++ struct srventry *srvs;
++ unsigned int srvscount;
++ size_t domainlen, targetlen;
++ int i;
++
++ err = get_dns_srv (domain, "openpgpkey", NULL, &srvs, &srvscount);
++ if (err)
++ goto leave;
++
++ /* Find the first target which also ends in DOMAIN or is equal
++ * to DOMAIN. */
++ domainlen = strlen (domain);
++ for (i = 0; i < srvscount; i++)
++ {
++ log_debug ("srv: trying '%s:%hu'\n", srvs[i].target, srvs[i].port);
++ targetlen = strlen (srvs[i].target);
++ if ((targetlen > domainlen + 1
++ && srvs[i].target[targetlen - domainlen - 1] == '.'
++ && !ascii_strcasecmp (srvs[i].target + targetlen - domainlen,
++ domain))
++ || (targetlen == domainlen
++ && !ascii_strcasecmp (srvs[i].target, domain)))
++ {
++ /* found. */
++ domainbuf = xtrystrdup (srvs[i].target);
++ if (!domainbuf)
++ {
++ err = gpg_error_from_syserror ();
++ xfree (srvs);
++ goto leave;
++ }
++ domain = domainbuf;
++ if (srvs[i].port)
++ snprintf (portstr, sizeof portstr, ":%hu", srvs[i].port);
++ break;
++ }
++ }
++ xfree (srvs);
++ log_debug ("srv: got '%s%s'\n", domain, portstr);
++ }
++
+ gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
+ encodedhash = zb32_encode (sha1buf, 8*20);
+ if (!encodedhash)
+@@ -858,6 +904,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ {
+ uri = strconcat ("https://",
+ domain,
++ portstr,
+ "/.well-known/openpgpkey/submission-address",
+ NULL);
+ }
+@@ -865,6 +912,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ {
+ uri = strconcat ("https://",
+ domain,
++ portstr,
+ "/.well-known/openpgpkey/policy",
+ NULL);
+ }
+@@ -872,6 +920,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ {
+ uri = strconcat ("https://",
+ domain,
++ portstr,
+ "/.well-known/openpgpkey/hu/",
+ encodedhash,
+ NULL);
+@@ -907,6 +956,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+ xfree (uri);
+ xfree (encodedhash);
+ xfree (mbox);
++ xfree (domainbuf);
+ return leave_cmd (ctx, err);
+ }
+
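Review bot: In cmd_wkd_get, any error from get_dns_srv leads to `goto leave`, so a resolver failure on the SRV query (as opposed to an empty result, which get_dns_srv reports as a count of 0) aborts a WKD lookup that would previously have gone to the plain domain. For an experimental feature wrapped in `if (1)`, logging the error and continuing with DOMAIN unchanged would be the safer behaviour. Two smaller points: the two `log_debug ("srv: ...")` calls are not gated by any debug flag in this hunk, and the loop takes the first suffix match in list order, so the outcome depends on get_dns_srv returning entries already ordered by priority and weight; a comment saying so would help the follow-up discussion the commit message asks for.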
diff --git a/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch b/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch
new file mode 100644
index 0000000..f5c7868
--- /dev/null
+++ b/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch
@@ -0,0 +1,98 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 08:54:45 +0100
+Subject: doc: Update man page for watchgnupg
+
+--
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 2baba11fad6dd680a992260d161dffa1eeae0e42)
+---
+ doc/tools.texi | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/doc/tools.texi b/doc/tools.texi
+index d321b699a..f0e6fe70c 100644
+--- a/doc/tools.texi
++++ b/doc/tools.texi
+@@ -54,13 +54,14 @@ other utilities. This tool is not available for Windows.
+ @command{watchgnupg} is commonly invoked as
+
+ @example
+-watchgnupg --force ~/.gnupg/S.log
++watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
+ @end example
+ @manpause
+
+ @noindent
+-This starts it on the current terminal for listening on the socket
+- at file{~/.gnupg/S.log}.
++This starts it on the current terminal for listening on the standard
++logging socket (which is either @file{~/.gnupg/S.log} or
++ at file{/var/run/user/UID/gnupg/S.log}).
+
+ @mansect options
+ @noindent
+@@ -77,6 +78,10 @@ Delete an already existing socket file.
+ Instead of reading from a local socket, listen for connects on TCP port
+ @var{n}.
+
++ at item --time-only
++ at opindex time-only
++Do not print the date part of the timestamp.
++
+ @item --verbose
+ @opindex verbose
+ Enable extra informational output.
+@@ -96,21 +101,22 @@ Display a brief help page and exit.
+ @chapheading Examples
+
+ @example
+-$ watchgnupg --force /home/foo/.gnupg/S.log
++$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
+ @end example
+
+ This waits for connections on the local socket
+- at file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
+-work the option @option{log-file} needs to be used with all modules
+-which logs are to be shown. The value for that option must be given
+-with a special prefix (e.g. in the conf files):
++(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries. To
++make this work the option @option{log-file} needs to be used with all
++modules which logs are to be shown. The suggested entry for the
++configuration files is:
+
+ @example
+-log-file socket:///home/foo/.gnupg/S.log
++log-file socket://
+ @end example
+
+-If only @code{socket://} is used a default socket file named
+- at file{S.log} in the standard socket directory is used.
++If the default socket as given above and returned by "echo $(gpgconf
++--list-dirs socketdir)/S.log" is not desired an arbitrary socket name
++can be specified, for example @file{socket:///home/foo/bar/mysocket}.
+ For debugging purposes it is also possible to do remote logging. Take
+ care if you use this feature because the information is send in the
+ clear over the network. Use this syntax in the conf files:
+@@ -119,13 +125,14 @@ clear over the network. Use this syntax in the conf files:
+ log-file tcp://192.168.1.1:4711
+ @end example
+
+-You may use any port and not just 4711 as shown above; only IP addresses
+-are supported (v4 and v6) and no host names. You need to start
+- at command{watchgnupg} with the @option{tcp} option. Note that under
+-Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
+-can be used to change the default log output from @code{stderr} to
+-whatever is given by that entry. However the only useful entry is a TCP
+-name for remote debugging.
++You may use any port and not just 4711 as shown above; only IP
++addresses are supported (v4 and v6) and no host names. You need to
++start @command{watchgnupg} with the @option{tcp} option. Note that
++under Windows the registry entry
++ at var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the
++default log output from @code{stderr} to whatever is given by that
++entry. However the only useful entry is a TCP name for remote
++debugging.
+
+
+ @mansect see also
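Review bot: In the re-wrapped paragraph on remote logging the option is still written as @option{tcp} without leading dashes, while the entry added by this patch is `--time-only`; since those lines are being touched anyway, @option{--tcp} would be consistent. The unchanged context just above also reads "the information is send in the clear", which could be corrected to "sent" in the same pass.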
diff --git a/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch b/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
new file mode 100644
index 0000000..797d7b8
--- /dev/null
+++ b/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
@@ -0,0 +1,197 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 10:11:20 +0100
+Subject: dirmngr: Do not use a SRV record for HKP if a port was specified.
+
+* dirmngr/http.h (parsed_uri_s): Add field EXPLICIT_PORT.
+* dirmngr/http.c (do_parse_uri): That it.
+* dirmngr/ks-engine-hkp.c (map_host): Add arg NO_SRV.
+(make_host_part): Ditto.
+(ks_hkp_resolve): Set NO_SRV from EXPLICIT_PORT.
+(ks_hkp_search): Ditto.
+(ks_hkp_get): Ditto.
+(ks_hkp_put): Ditto.
+--
+
+This implements the behaviour of the keyserver helpers from 1.4 and
+2.0.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit c2cbe2f87c480c62239dc4c2cbb352acd98cd267)
+---
+ dirmngr/http.c | 2 ++
+ dirmngr/http.h | 1 +
+ dirmngr/ks-engine-hkp.c | 65 ++++++++++++++++++++++++++++---------------------
+ 3 files changed, 40 insertions(+), 28 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 7a028047d..0a47d9f59 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -1169,6 +1169,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
+ uri->opaque = 0;
+ uri->v6lit = 0;
+ uri->onion = 0;
++ uri->explicit_port = 0;
+
+ /* A quick validity check. */
+ if (strspn (p, VALID_URI_CHARS) != n)
+@@ -1241,6 +1242,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
+ {
+ *p3++ = '\0';
+ uri->port = atoi (p3);
++ uri->explicit_port = 1;
+ }
+
+ if ((n = remove_escapes (uri->host)) < 0)
+diff --git a/dirmngr/http.h b/dirmngr/http.h
+index 2a36fdaa8..32556a4e0 100644
+--- a/dirmngr/http.h
++++ b/dirmngr/http.h
+@@ -53,6 +53,7 @@ struct parsed_uri_s
+ unsigned int opaque:1;/* Unknown scheme; PATH has the rest. */
+ unsigned int v6lit:1; /* Host was given as a literal v6 address. */
+ unsigned int onion:1; /* .onion address given. */
++ unsigned int explicit_port :1; /* The port was explicitly specified. */
+ char *auth; /* username/password for basic auth. */
+ char *host; /* Host (converted to lowercase). */
+ unsigned short port; /* Port (always set if the host is set). */
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 5b54c443a..b5150d478 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -394,19 +394,20 @@ add_host (const char *name, int is_pool,
+
+
+ /* Map the host name NAME to the actual to be used host name. This
+- allows us to manage round robin DNS names. We use our own strategy
+- to choose one of the hosts. For example we skip those hosts which
+- failed for some time and we stick to one host for a time
+- independent of DNS retry times. If FORCE_RESELECT is true a new
+- host is always selected. The selected host is stored as a malloced
+- string at R_HOST; on error NULL is stored. If we know the port
+- used by the selected host, a string representation is written to
+- R_PORTSTR, otherwise it is left untouched. If R_HTTPFLAGS is not
+- NULL it will receive flags which are to be passed to http_open. If
+- R_POOLNAME is not NULL a malloced name of the pool is stored or
+- NULL if it is not a pool. */
++ * allows us to manage round robin DNS names. We use our own strategy
++ * to choose one of the hosts. For example we skip those hosts which
++ * failed for some time and we stick to one host for a time
++ * independent of DNS retry times. If FORCE_RESELECT is true a new
++ * host is always selected. If NO_SRV is set no service record lookup
++ * will be done. The selected host is stored as a malloced string at
++ * R_HOST; on error NULL is stored. If we know the port used by the
++ * selected host from a service record, a string representation is
++ * written to R_PORTSTR, otherwise it is left untouched. If
++ * R_HTTPFLAGS is not NULL it will receive flags which are to be
++ * passed to http_open. If R_POOLNAME is not NULL a malloced name of
++ * the pool is stored or NULL if it is not a pool. */
+ static gpg_error_t
+-map_host (ctrl_t ctrl, const char *name, int force_reselect,
++map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
+ char **r_host, char *r_portstr,
+ unsigned int *r_httpflags, char **r_poolname)
+ {
+@@ -465,7 +466,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+ }
+ hi = hosttable[idx];
+
+- if (!is_ip_address (name))
++ if (!no_srv && !is_ip_address (name))
+ {
+ /* Check for SRV records. */
+ err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
+@@ -874,13 +875,13 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
+
+
+ /* Build the remote part of the URL from SCHEME, HOST and an optional
+- PORT. Returns an allocated string at R_HOSTPORT or NULL on failure
+- If R_POOLNAME is not NULL it receives a malloced string with the
+- poolname. */
++ * PORT. If NO_SRV is set no SRV record lookup will be done. Returns
++ * an allocated string at R_HOSTPORT or NULL on failure If R_POOLNAME
++ * is not NULL it receives a malloced string with the poolname. */
+ static gpg_error_t
+ make_host_part (ctrl_t ctrl,
+ const char *scheme, const char *host, unsigned short port,
+- int force_reselect,
++ int force_reselect, int no_srv,
+ char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
+ {
+ gpg_error_t err;
+@@ -890,11 +891,18 @@ make_host_part (ctrl_t ctrl,
+ *r_hostport = NULL;
+
+ portstr[0] = 0;
+- err = map_host (ctrl, host, force_reselect,
++ err = map_host (ctrl, host, force_reselect, no_srv,
+ &hostname, portstr, r_httpflags, r_poolname);
+ if (err)
+ return err;
+
++ /* If map_host did not return a port (from a SRV record) but a port
++ * has been specified (implicitly or explicitly) then use that port.
++ * Only in the case that a port was not specified (which might be a
++ * bug in https.c) we will later make sure that it has been set. */
++ if (!*portstr && port)
++ snprintf (portstr, sizeof portstr, "%hu", port);
++
+ /* Map scheme and port. */
+ if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https"))
+ {
+@@ -908,12 +916,6 @@ make_host_part (ctrl_t ctrl,
+ if (! *portstr)
+ strcpy (portstr, "11371");
+ }
+- if (port)
+- snprintf (portstr, sizeof portstr, "%hu", port);
+- else
+- {
+- /*fixme_do_srv_lookup ()*/
+- }
+
+ *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+ xfree (hostname);
+@@ -939,7 +941,11 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+ gpg_error_t err;
+ char *hostport = NULL;
+
+- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, 1,
++ /* NB: With an explicitly given port we do not want to consult a
++ * service record because that might be in conflict with the port
++ * from such a service record. */
++ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++ 1, uri->explicit_port,
+ &hostport, NULL, NULL);
+ if (err)
+ {
+@@ -1217,7 +1223,8 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
+
+ xfree (hostport); hostport = NULL;
+ xfree (httphost); httphost = NULL;
+- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++ reselect, uri->explicit_port,
+ &hostport, &httpflags, &httphost);
+ if (err)
+ goto leave;
+@@ -1358,7 +1365,8 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
+ /* Build the request string. */
+ xfree (hostport); hostport = NULL;
+ xfree (httphost); httphost = NULL;
+- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++ reselect, uri->explicit_port,
+ &hostport, &httpflags, &httphost);
+ if (err)
+ goto leave;
+@@ -1470,7 +1478,8 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
+ again:
+ xfree (hostport); hostport = NULL;
+ xfree (httphost); httphost = NULL;
+- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++ reselect, uri->explicit_port,
+ &hostport, &httpflags, &httphost);
+ if (err)
+ goto leave;
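Review bot: In do_parse_uri, explicit_port is set to 1 in the port-parsing branch regardless of what `atoi (p3)` returns, so an empty or non-numeric port part yields port 0 with explicit_port set. ks_hkp_resolve, ks_hkp_search, ks_hkp_get and ks_hkp_put then pass that flag as NO_SRV, which suppresses the SRV lookup even though make_host_part still ends up on the scheme's default port. Consider setting the flag only when the parsed port is non-zero, or rejecting such a URI outright.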
diff --git a/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch b/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
new file mode 100644
index 0000000..21f9150
--- /dev/null
+++ b/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
@@ -0,0 +1,124 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 10:42:30 +0100
+Subject: dirmngr: Use "pgpkey-hkps" and "pgpkey-hkp" for SRV record lookups.
+
+* dirmngr/ks-engine-hkp.c (map_host): Chnage arg NO_SRV to SRVTAG.
+(make_host_part): Rewrite.
+--
+
+This fixes a regression from 2.0 and 1.4 where these tags have been in
+used since 2009. For whatever reason this was not ported to 2.1 and
+"hkp" was always used.
+
+GnuPG-bug-id: 2451
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 0cc975d8a1cd54115938202432e43263b8893ea4)
+---
+ dirmngr/ks-engine-hkp.c | 63 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 29 deletions(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index b5150d478..31fef39db 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -398,16 +398,17 @@ add_host (const char *name, int is_pool,
+ * to choose one of the hosts. For example we skip those hosts which
+ * failed for some time and we stick to one host for a time
+ * independent of DNS retry times. If FORCE_RESELECT is true a new
+- * host is always selected. If NO_SRV is set no service record lookup
+- * will be done. The selected host is stored as a malloced string at
+- * R_HOST; on error NULL is stored. If we know the port used by the
+- * selected host from a service record, a string representation is
+- * written to R_PORTSTR, otherwise it is left untouched. If
+- * R_HTTPFLAGS is not NULL it will receive flags which are to be
+- * passed to http_open. If R_POOLNAME is not NULL a malloced name of
+- * the pool is stored or NULL if it is not a pool. */
++ * host is always selected. If SRVTAG is NULL no service record
++ * lookup will be done, if it is set that service name is used. The
++ * selected host is stored as a malloced string at R_HOST; on error
++ * NULL is stored. If we know the port used by the selected host from
++ * a service record, a string representation is written to R_PORTSTR,
++ * otherwise it is left untouched. If R_HTTPFLAGS is not NULL it will
++ * receive flags which are to be passed to http_open. If R_POOLNAME
++ * is not NULL a malloced name of the pool is stored or NULL if it is
++ * not a pool. */
+ static gpg_error_t
+-map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
++map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ char **r_host, char *r_portstr,
+ unsigned int *r_httpflags, char **r_poolname)
+ {
+@@ -466,10 +467,10 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
+ }
+ hi = hosttable[idx];
+
+- if (!no_srv && !is_ip_address (name))
++ if (srvtag && !is_ip_address (name))
+ {
+ /* Check for SRV records. */
+- err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
++ err = get_dns_srv (name, srvtag, NULL, &srvs, &srvscount);
+ if (err)
+ {
+ xfree (reftbl);
+@@ -885,38 +886,42 @@ make_host_part (ctrl_t ctrl,
+ char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
+ {
+ gpg_error_t err;
++ const char *srvtag;
+ char portstr[10];
+ char *hostname;
+
+ *r_hostport = NULL;
+
+- portstr[0] = 0;
+- err = map_host (ctrl, host, force_reselect, no_srv,
+- &hostname, portstr, r_httpflags, r_poolname);
+- if (err)
+- return err;
+-
+- /* If map_host did not return a port (from a SRV record) but a port
+- * has been specified (implicitly or explicitly) then use that port.
+- * Only in the case that a port was not specified (which might be a
+- * bug in https.c) we will later make sure that it has been set. */
+- if (!*portstr && port)
+- snprintf (portstr, sizeof portstr, "%hu", port);
+-
+- /* Map scheme and port. */
+ if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https"))
+ {
+ scheme = "https";
+- if (! *portstr)
+- strcpy (portstr, "443");
++ srvtag = no_srv? NULL : "pgpkey-https";
+ }
+ else /* HKP or HTTP. */
+ {
+ scheme = "http";
+- if (! *portstr)
+- strcpy (portstr, "11371");
++ srvtag = no_srv? NULL : "pgpkey-http";
+ }
+
++ portstr[0] = 0;
++ err = map_host (ctrl, host, srvtag, force_reselect,
++ &hostname, portstr, r_httpflags, r_poolname);
++ if (err)
++ return err;
++
++ /* If map_host did not return a port (from a SRV record) but a port
++ * has been specified (implicitly or explicitly) then use that port.
++ * In the case that a port was not specified (which is probably a
++ * bug in https.c) we will set up defaults. */
++ if (*portstr)
++ ;
++ else if (!*portstr && port)
++ snprintf (portstr, sizeof portstr, "%hu", port);
++ else if (!strcmp (scheme,"https"))
++ strcpy (portstr, "443");
++ else
++ strcpy (portstr, "11371");
++
+ *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+ xfree (hostname);
+ if (!*r_hostport)
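Review bot: The subject line names the SRV tags "pgpkey-hkps" and "pgpkey-hkp", but make_host_part sets srvtag to "pgpkey-https" and "pgpkey-http"; one of the two needs correcting so the commit log matches what is actually queried. In the port selection chain, `if (*portstr) ;` followed by `else if (!*portstr && port)` repeats a test the else already implies; wrapping the three fallbacks in a single `if (!*portstr)` block would read more clearly and avoid the empty statement.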
diff --git a/debian/patches/0033-common-Fix-fallback-code.patch b/debian/patches/0033-common-Fix-fallback-code.patch
new file mode 100644
index 0000000..ffc0979
--- /dev/null
+++ b/debian/patches/0033-common-Fix-fallback-code.patch
@@ -0,0 +1,41 @@
+From: Justus Winter <justus at g10code.com>
+Date: Tue, 10 Jan 2017 12:31:46 +0100
+Subject: common: Fix fallback code.
+
+* common/logging.c (_log_assert): Fix the variant for compilers that
+do not support __FUNCTION__.
+* common/logging.h (_log_assert): Likewise.
+
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit bfd6a490129ffc7c7ac8776bf5a5da3b1ddf6d42)
+---
+ common/logging.c | 2 +-
+ common/logging.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/logging.c b/common/logging.c
+index ca1341c20..c06a34f38 100644
+--- a/common/logging.c
++++ b/common/logging.c
+@@ -1007,7 +1007,7 @@ void
+ _log_assert (const char *expr, const char *file, int line)
+ {
+ log_log (GPGRT_LOG_BUG, "Assertion \"%s\" failed (%s:%d)\n",
+- file, line, func);
++ expr, file, line);
+ abort (); /* Never called; just to make the compiler happy. */
+ }
+ #endif /*!GPGRT_HAVE_MACRO_FUNCTION*/
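Review bot: the removed argument list `file, line, func` names `func`, which is not a parameter of this `_log_assert (const char *expr, const char *file, int line)` variant, so this fallback cannot have compiled before the fix. The commit message should say that this was a build failure in the configuration without `__FUNCTION__` support rather than only "Fix the variant", so that people backporting it can judge who is affected.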
+diff --git a/common/logging.h b/common/logging.h
+index 64b999d66..d062f1413 100644
+--- a/common/logging.h
++++ b/common/logging.h
+@@ -62,7 +62,7 @@ estream_t log_get_stream (void);
+ } while (0)
+ #else /*!GPGRT_HAVE_MACRO_FUNCTION*/
+ void bug_at (const char *file, int line);
+- void _log_assert (const char *expr, const char *file, int line;
++ void _log_assert (const char *expr, const char *file, int line);
+ # define BUG() bug_at( __FILE__ , __LINE__ )
+ # define log_assert(expr) do { \
+ if (!(expr)) \
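Review bot: the prototype fix here is a missing `)`, which is a syntax error for every file that includes this header when `GPGRT_HAVE_MACRO_FUNCTION` is not defined, so the `#else` branch is evidently not covered by any regular build. Consider adding a build or a compile-only test with `GPGRT_HAVE_MACRO_FUNCTION` undefined so that this branch gets compiled at all.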
diff --git a/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch b/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
new file mode 100644
index 0000000..c9426ec
--- /dev/null
+++ b/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
@@ -0,0 +1,151 @@
+From: Justus Winter <justus at g10code.com>
+Date: Tue, 10 Jan 2017 15:42:27 +0100
+Subject: tools: Fix memory leaks and improve error handling.
+
+* tools/gpgconf-comp.c (gc_option_free): New function.
+(gc_components_free): Likewise.
+(gc_components_init): Likewise.
+(retrieve_options_from_program): Use 'xfree', fix memory leak.
+(change_options_program): Improve error handling.
+(gc_component_change_options): Fix memory leaks.
+* tools/gpgconf.c (main): Initialize components.
+* tools/gpgconf.h (gc_components_init): New prototype.
+
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 1f5caf90bfaaaf7b9d8c06c12087aeeae3748032)
+---
+ tools/gpgconf-comp.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++------
+ tools/gpgconf.c | 1 +
+ tools/gpgconf.h | 4 ++++
+ 3 files changed, 52 insertions(+), 6 deletions(-)
+
+diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
+index 925f1cf2d..2dcf0758e 100644
+--- a/tools/gpgconf-comp.c
++++ b/tools/gpgconf-comp.c
+@@ -1102,6 +1102,35 @@ struct error_line_s
+
+
+
++
++/* Initialization and finalization. */
++
++static void
++gc_option_free (gc_option_t *o)
++{
++ if (o == NULL || o->name == NULL)
++ return;
++
++ xfree (o->value);
++ gc_option_free (o + 1);
++}
++
++static void
++gc_components_free (void)
++{
++ int i;
++ for (i = 0; i < DIM (gc_component); i++)
++ gc_option_free (gc_component[i].options);
++}
++
++void
++gc_components_init (void)
++{
++ atexit (gc_components_free);
++}
++
++
++
+ /* Engine specific support. */
+ static void
+ gpg_agent_runtime_change (int killflag)
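Review bot: `gc_option_free` walks the option array by recursing on `o + 1`, which costs one stack frame per option for what is a linear scan up to the entry whose `name` is NULL. A loop such as `for (; o && o->name; o++) xfree (o->value);` does the same work without depending on the compiler turning the tail call into a jump. Two smaller points in the same hunk: `o->value` is not reset to NULL after the free, and the return value of `atexit` in `gc_components_init` is ignored.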
+@@ -2183,7 +2212,7 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
+ if (!(option->flags & GC_OPT_FLAG_LIST))
+ {
+ if (option->value)
+- free (option->value);
++ xfree (option->value);
+ option->value = opt_value;
+ }
+ else
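Review bot: the `if (option->value)` guard kept around the new `xfree (option->value);` looks redundant if `xfree` accepts NULL, which the unguarded `xfree` calls added after `leave:` later in this patch suggest; if so, drop the guard. The switch from `free` to `xfree` itself is right, since `opt_value` is released with `xfree` in the list branch just below and the value should go back to the allocator it came from.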
+@@ -2192,10 +2221,9 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
+ option->value = opt_value;
+ else
+ {
+- char *opt_val = opt_value;
+-
+- option->value = xasprintf ("%s,%s", option->value,
+- opt_val);
++ char *old = option->value;
++ option->value = xasprintf ("%s,%s", old, opt_value);
++ xfree (old);
+ xfree (opt_value);
+ }
+ }
+@@ -2872,7 +2900,12 @@ change_options_program (gc_component_t component, gc_backend_t backend,
+ res = link (dest_filename, orig_filename);
+ #endif
+ if (res < 0 && errno != ENOENT)
+- return -1;
++ {
++ xfree (dest_filename);
++ xfree (src_filename);
++ xfree (orig_filename);
++ return -1;
++ }
+ if (res < 0)
+ {
+ xfree (orig_filename);
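Review bot: in the new error block, three `xfree` calls now run between the failing `link` and `return -1`. If the caller reports `errno` after a -1 return, save `errno` before the frees and restore it afterwards, or confirm that `xfree` preserves it. The same three frees will be needed on any other early return in this function, so a single cleanup label would be less error-prone than repeating them.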
+@@ -3365,6 +3398,7 @@ gc_component_change_options (int component, estream_t in, estream_t out,
+ }
+ if (err)
+ break;
++ xfree (src_filename[i]);
+ src_filename[i] = NULL;
+ }
+ }
+@@ -3434,10 +3468,17 @@ gc_component_change_options (int component, estream_t in, estream_t out,
+ unlink (backup_filename);
+ #endif /* HAVE_W32_SYSTEM */
+ rename (orig_filename[backend], backup_filename);
++ xfree (backup_filename);
+ }
+
+ leave:
+ xfree (line);
++ for (backend = 0; backend < GC_BACKEND_NR; backend++)
++ {
++ xfree (src_filename[backend]);
++ xfree (dest_filename[backend]);
++ xfree (orig_filename[backend]);
++ }
+ }
+
+
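Review bot: the loop added after `leave:` frees `src_filename[backend]`, `dest_filename[backend]` and `orig_filename[backend]` for every backend, so it is only safe if all three arrays are NULL-initialised for all `GC_BACKEND_NR` entries and every earlier path that frees an entry also clears it. The previous hunk does this for `src_filename[i]` (`xfree` followed by `= NULL`); please check that the `dest_filename` and `orig_filename` entries are handled the same way on every path that reaches `leave:`, otherwise this loop turns a leak into a double free.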
+diff --git a/tools/gpgconf.c b/tools/gpgconf.c
+index af65424e0..a1034e663 100644
+--- a/tools/gpgconf.c
++++ b/tools/gpgconf.c
+@@ -470,6 +470,7 @@ main (int argc, char **argv)
+ /* Make sure that our subsystems are ready. */
+ i18n_init();
+ init_common_subsystems (&argc, &argv);
++ gc_components_init ();
+
+ /* Parse the command line. */
+ pargs.argc = &argc;
+diff --git a/tools/gpgconf.h b/tools/gpgconf.h
+index 39d34b6d0..d6d7627aa 100644
+--- a/tools/gpgconf.h
++++ b/tools/gpgconf.h
+@@ -38,6 +38,10 @@ struct
+
+
+ /*-- gpgconf-comp.c --*/
++
++/* Initialize the components. */
++void gc_components_init (void);
++
+ /* Percent-Escape special characters. The string is valid until the
+ next invocation of the function. */
+ char *gc_percent_escape (const char *src);
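Review bot: the comment `/* Initialize the components. */` does not describe what the function does in this patch: `gc_components_init` only registers `gc_components_free` with `atexit`. Document that it installs the exit-time cleanup of option values and must be called exactly once from `main`; a second call would register the handler twice, and because `gc_option_free` does not clear `o->value`, the second run would free the same pointers again.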
diff --git a/debian/patches/0035-doc-Mention-dirmngr.conf.patch b/debian/patches/0035-doc-Mention-dirmngr.conf.patch
new file mode 100644
index 0000000..0384bef
--- /dev/null
+++ b/debian/patches/0035-doc-Mention-dirmngr.conf.patch
@@ -0,0 +1,50 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 10 Jan 2017 16:24:31 +0100
+Subject: doc: Mention dirmngr.conf
+
+--
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 7345c64b0887e51d8c8c6eaf49c9dbf5b0f45228)
+---
+ doc/dirmngr.texi | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index fc617d81d..4448bf0e6 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -131,6 +131,10 @@ will thus trigger reading of fresh CRLs.
+ @node Dirmngr Options
+ @section Option Summary
+
++Note that all long options with the exception of @option{--options}
++and @option{--homedir} may also be given in the configuration file
++after stripping off the two leading dashes.
++
+ @table @gnupgtabopt
+
+ @item --options @var{file}
+@@ -497,11 +501,20 @@ certificate for that pool. Otherwise, it will use the system CAs.
+ @section Configuration
+
+ Dirmngr makes use of several directories when running in daemon mode:
++There are a few configuration files whih control the operation of
++dirmngr. By default they may all be found in the current home
++directory (@pxref{option --homedir}).
+
+ @table @file
+
+- at item ~/.gnupg
+-This is the standard home directory for all configuration files.
++ at item dirmngr.conf
++ at efindex dirmngr.conf
++This is the standard configuration file read by @command{dirmngr} on
++startup. It may contain any valid long option; the leading two dashes
++may not be entered and the option may not be abbreviated. This file
++is also read after a @code{SIGHUP} however not all options will
++actually have an effect. This default name may be changed on the
++command line (@pxref{option --options}). You should backup this file.
+
+ @item /etc/gnupg/trusted-certs
+ This directory should be filled with certificates of Root CAs you
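Review bot: the added paragraph has a typo, `whih` for `which`, and it is inserted directly after the unchanged line `Dirmngr makes use of several directories when running in daemon mode:`, which ends in a colon and now leads into a sentence about configuration files instead of the table; that context line should be reworded or removed. In the `dirmngr.conf` item, "the leading two dashes may not be entered" is clearer as "must not be entered", the sentence joined with "however" needs punctuation before it, and "backup" used as a verb should be "back up".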
diff --git a/debian/patches/series b/debian/patches/series
index 1ea9189..66d03bc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,13 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
0024-Silence-two-Wlogical-op-warnings.patch
0025-doc-Document-summary-values-of-TOFU_STATS.patch
+0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
+0027-dirmngr-Change-internal-SRV-lookup-API.patch
+0028-dirmngr-Improve-debug-output-for-TLS.patch
+0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
+0030-doc-Update-man-page-for-watchgnupg.patch
+0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
+0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
+0033-common-Fix-fallback-code.patch
+0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
+0035-doc-Mention-dirmngr.conf.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git