[Pkg-gnupg-commit] [gnupg2] 01/05: still more patches from upstream

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 11 00:21:21 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit e6c672bb266fa3a7966e9db419be35dee73cbd9c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Tue Jan 10 16:23:42 2017 -0500

    still more patches from upstream
---
 ...ip-root-zone-suffix-from-libdns-SRV-resul.patch |  30 ++++
 ...27-dirmngr-Change-internal-SRV-lookup-API.patch | 169 ++++++++++++++++++
 ...0028-dirmngr-Improve-debug-output-for-TLS.patch |  38 ++++
 ...lement-experimental-SRV-record-lookup-for.patch | 145 +++++++++++++++
 .../0030-doc-Update-man-page-for-watchgnupg.patch  |  98 ++++++++++
 ...not-use-a-SRV-record-for-HKP-if-a-port-wa.patch | 197 +++++++++++++++++++++
 ...-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch | 124 +++++++++++++
 debian/patches/0033-common-Fix-fallback-code.patch |  41 +++++
 ...x-memory-leaks-and-improve-error-handling.patch | 151 ++++++++++++++++
 debian/patches/0035-doc-Mention-dirmngr.conf.patch |  50 ++++++
 debian/patches/series                              |  10 ++
 11 files changed, 1053 insertions(+)

diff --git a/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch b/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
new file mode 100644
index 0000000..80c5e94
--- /dev/null
+++ b/debian/patches/0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
@@ -0,0 +1,30 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:00:38 +0100
+Subject: dirmngr: Strip root zone suffix from libdns SRV results.
+
+* dirmngr/dns-stuff.c (getsrv_libdns): Strip trailing dot from the
+target.
+--
+
+See-also: b200e636ab20d2aa93d9f71f3789db5a04af0a56
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 9fa94aa10778bbd680315e93b23175423e338c40)
+---
+ dirmngr/dns-stuff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index e32e1e3e1..028b065ab 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -1591,6 +1591,10 @@ getsrv_libdns (const char *name, struct srventry **list, unsigned int *r_count)
+       srv->weight   = dsrv.weight;
+       srv->port     = dsrv.port;
+       mem2str (srv->target, dsrv.target, sizeof srv->target);
++      /* Libdns appends the root zone part which is problematic for
++       * most other functions - strip it.  */
++      if (*srv->target && (srv->target)[strlen (srv->target)-1] == '.')
++        (srv->target)[strlen (srv->target)-1] = 0;
+     }
+ 
+   *r_count = srvcount;
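
Review bot: in getsrv_libdns, stripping the trailing dot turns a target of "." into an empty string, and nothing in this hunk rejects it. RFC 2782 defines a target of "." as meaning the service is decidedly not available at this domain, so such an entry should be skipped rather than handed to callers with an empty host name. Smaller point: strlen (srv->target) is evaluated twice; a local length variable would read better.
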
diff --git a/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch b/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch
new file mode 100644
index 0000000..c792b3f
--- /dev/null
+++ b/debian/patches/0027-dirmngr-Change-internal-SRV-lookup-API.patch
@@ -0,0 +1,169 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:04:59 +0100
+Subject: dirmngr: Change internal SRV lookup API.
+
+* dirmngr/dns-stuff.c (get_dns_srv): Add args SERVICE and PROTO.
+* dirmngr/http.c (connect_server): Simplify SRV lookup.
+* dirmngr/ks-engine-hkp.c (map_host): Ditto.
+* dirmngr/t-dns-stuff.c (main): Adjust for changed get_dns_srv.
+--
+
+This new API is more convenient because it includes commonly used
+code.  Note that right now http.c's SRV record code is not used.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 16078f3deea5b82ea26e2f01dbd3ef3a5ce25410)
+---
+ dirmngr/dns-stuff.c     | 25 +++++++++++++++++++++++--
+ dirmngr/dns-stuff.h     |  1 +
+ dirmngr/http.c          | 28 +++++-----------------------
+ dirmngr/ks-engine-hkp.c | 12 +-----------
+ dirmngr/t-dns-stuff.c   |  2 +-
+ 5 files changed, 31 insertions(+), 37 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 028b065ab..a8713eb44 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -1740,17 +1740,37 @@ getsrv_standard (const char *name,
+ }
+ 
+ 
+-/* Note that we do not return NONAME but simply store 0 at R_COUNT.  */
++/* Query a SRV record for SERVICE and PROTO for NAME.  If SERVICE is
++ * NULL, NAME is expected to contain the full query name.  Note that
++ * we do not return NONAME but simply store 0 at R_COUNT.  On error an
++ * error code is returned and 0 stored at R_COUNT.  */
+ gpg_error_t
+-get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count)
++get_dns_srv (const char *name, const char *service, const char *proto,
++             struct srventry **list, unsigned int *r_count)
+ {
+   gpg_error_t err;
++  char *namebuffer = NULL;
+   unsigned int srvcount;
+   int i;
+ 
+   *list = NULL;
+   *r_count = 0;
+   srvcount = 0;
++
++  /* If SERVICE is given construct the query from it and PROTO.  */
++  if (service)
++    {
++      namebuffer = xtryasprintf ("_%s._%s.%s",
++                                 service, proto? proto:"tcp", name);
++      if (!namebuffer)
++        {
++          err = gpg_error_from_syserror ();
++          goto leave;
++        }
++      name = namebuffer;
++    }
++
++
+ #ifdef USE_LIBDNS
+   if (!standard_resolver)
+     {
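
Review bot: the new comment above get_dns_srv does not say that a NULL PROTO falls back to "tcp" (`proto? proto:"tcp"`) or that PROTO is ignored when SERVICE is NULL; both are part of the contract the callers now rely on and belong in the comment. Nothing checks that SERVICE and NAME are non-empty before they are pasted into the query name either, so an early argument check that returns an error would be cheap here.
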
+@@ -1852,6 +1872,7 @@ get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count)
+     }
+   if (!err)
+     *r_count = srvcount;
++  xfree (namebuffer);
+   return err;
+ }
+ 
+diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
+index eb7fe7246..d68dd1728 100644
+--- a/dirmngr/dns-stuff.h
++++ b/dirmngr/dns-stuff.h
+@@ -153,6 +153,7 @@ gpg_error_t get_dns_cert (const char *name, int want_certtype,
+ 
+ /* Return an array of SRV records.  */
+ gpg_error_t get_dns_srv (const char *name,
++                         const char *service, const char *proto,
+                          struct srventry **list, unsigned int *r_count);
+ 
+ 
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 14d60df4b..7a028047d 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2362,29 +2362,11 @@ connect_server (const char *server, unsigned short port,
+   /* Do the SRV thing */
+   if (srvtag)
+     {
+-      /* We're using SRV, so append the tags. */
+-      if (1 + strlen (srvtag) + 6 + strlen (server) + 1
+-          <= DIMof (struct srventry, target))
+-	{
+-	  char *srvname = xtrymalloc (DIMof (struct srventry, target));
+-
+-          if (!srvname) /* Out of core */
+-            {
+-              serverlist = NULL;
+-              srvcount = 0;
+-            }
+-          else
+-            {
+-              stpcpy (stpcpy (stpcpy (stpcpy (srvname,"_"), srvtag),
+-                              "._tcp."), server);
+-              err = get_dns_srv (srvname, &serverlist, &srvcount);
+-              if (err)
+-                log_info ("getting SRV '%s' failed: %s\n",
+-                          srvname, gpg_strerror (err));
+-              xfree (srvname);
+-              /* Note that on error SRVCOUNT is zero.  */
+-            }
+-	}
++      err = get_dns_srv (server, srvtag, NULL, &serverlist, &srvcount);
++      if (err)
++        log_info ("getting '%s' SRV for '%s' failed: %s\n",
++                  srvtag, server, gpg_strerror (err));
++      /* Note that on error SRVCOUNT is zero.  */
+     }
+ 
+   if (!serverlist)
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 6f1c2e8e0..5b54c443a 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -447,7 +447,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+       int refidx;
+       int is_pool = 0;
+       char *cname;
+-      char *srvrecord;
+       struct srventry *srvs;
+       unsigned int srvscount;
+ 
+@@ -469,16 +468,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+       if (!is_ip_address (name))
+         {
+           /* Check for SRV records.  */
+-          srvrecord = xtryasprintf ("_hkp._tcp.%s", name);
+-          if (srvrecord == NULL)
+-            {
+-              err = gpg_error_from_syserror ();
+-              xfree (reftbl);
+-              return err;
+-            }
+-
+-          err = get_dns_srv (srvrecord, &srvs, &srvscount);
+-          xfree (srvrecord);
++          err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
+           if (err)
+             {
+               xfree (reftbl);
+diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c
+index bc4ca9a51..23c0c6aa0 100644
+--- a/dirmngr/t-dns-stuff.c
++++ b/dirmngr/t-dns-stuff.c
+@@ -235,7 +235,7 @@ main (int argc, char **argv)
+       int i;
+ 
+       err = get_dns_srv (name? name : "_hkp._tcp.wwwkeys.pgp.net",
+-                         &srv, &count);
++                         NULL, NULL, &srv, &count);
+       if (err)
+         printf ("get_dns_srv failed: %s <%s>\n",
+                 gpg_strerror (err), gpg_strsource (err));
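
Review bot: the only call in t-dns-stuff.c still passes a full query name with SERVICE and PROTO both NULL, so the new name construction in get_dns_srv is not exercised by the test program. Consider adding a mode that calls it with the bare host name plus a service, for example get_dns_srv ("wwwkeys.pgp.net", "hkp", NULL, &srv, &count), and checking that it returns the same records as the full-name form.
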
diff --git a/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch b/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch
new file mode 100644
index 0000000..59b07d6
--- /dev/null
+++ b/debian/patches/0028-dirmngr-Improve-debug-output-for-TLS.patch
@@ -0,0 +1,38 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:07:18 +0100
+Subject: dirmngr: Improve debug output for TLS.
+
+* dirmngr/misc.c (dump_cert): Also print SubjectAltNames.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 714faea4fa7f30d42e9986358214a99aa8fa57b3)
+---
+ dirmngr/misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/dirmngr/misc.c b/dirmngr/misc.c
+index ac3856e09..2ee6d82bd 100644
+--- a/dirmngr/misc.c
++++ b/dirmngr/misc.c
+@@ -296,6 +296,7 @@ dump_cert (const char *text, ksba_cert_t cert)
+   ksba_sexp_t sexp;
+   char *p;
+   ksba_isotime_t t;
++  int idx;
+ 
+   log_debug ("BEGIN Certificate '%s':\n", text? text:"");
+   if (cert)
+@@ -326,6 +327,13 @@ dump_cert (const char *text, ksba_cert_t cert)
+       dump_string (p);
+       ksba_free (p);
+       log_printf ("\n");
++      for (idx=1; (p = ksba_cert_get_subject (cert, idx)); idx++)
++        {
++          log_debug ("        aka: ");
++          dump_string (p);
++          ksba_free (p);
++          log_printf ("\n");
++        }
+ 
+       log_debug ("  hash algo: %s\n", ksba_cert_get_digest_algo (cert));
+ 
diff --git a/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch b/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
new file mode 100644
index 0000000..bdc278f
--- /dev/null
+++ b/debian/patches/0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
@@ -0,0 +1,145 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sun, 8 Jan 2017 18:42:50 +0100
+Subject: dirmngr: Implement experimental SRV record lookup for WKD.
+
+* dirmngr/server.c (cmd_wkd_get): Support SRV records.
+--
+
+This patch changes the way a WKD query is done.  Now we first look for
+a SRV record for service "openpgpkey" and port "tcp" under the
+to-be-queried domain.  If such a record was found and the target host
+matches the to-be-queried domain or is a suffix to that domain, that
+target host is used instead of the domain name.  The SRV record also
+allows to change the port and obviously can be used for
+load-balancing.
+
+For example a query for the submission address of example.org with the
+SRV record specification
+
+_openpgpkey._tcp        IN     SRV   0 0  0    wkd.foo.org.
+                        IN     SRV   0 0  0    wkd.example.net.
+                        IN     SRV   0 0  4711 wkd.example.org.
+
+(queried using the name "_openpgpkey._tcp.example.org") would fetch
+from this URL:
+
+ https://wkd.example.org:4711/.well-known/openpgpkey/submission-address
+
+Note that the first two SRV records won't be used because foo.org and
+example.net do not match example.org.  We require that the target host
+is identical to the domain or be a subdomain of it.  This is so that
+an attacker modifying the SRV records needs to setup a server in a
+sub-domain of the actual domain and can't use an arbitrary domain.
+Whether this is a sufficient requirement is not clear and needs
+further discussion.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10)
+---
+ dirmngr/server.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index 28c2cd428..c9c4ad437 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -826,13 +826,15 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+   ctrl_t ctrl = assuan_get_pointer (ctx);
+   gpg_error_t err = 0;
+   char *mbox = NULL;
+-  char *domain;     /* Points to mbox.  */
++  char *domainbuf = NULL;
++  char *domain;     /* Points to mbox or domainbuf.  */
+   char sha1buf[20];
+   char *uri = NULL;
+   char *encodedhash = NULL;
+   int opt_submission_addr;
+   int opt_policy_flags;
+   int no_log = 0;
++  char portstr[20] = { 0 };
+ 
+   opt_submission_addr = has_option (line, "--submission-address");
+   opt_policy_flags = has_option (line, "--policy-flags");
+@@ -846,6 +848,50 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+     }
+   *domain++ = 0;
+ 
++  /* Check for SRV records.  */
++  if (1)
++    {
++      struct srventry *srvs;
++      unsigned int srvscount;
++      size_t domainlen, targetlen;
++      int i;
++
++      err = get_dns_srv (domain, "openpgpkey", NULL, &srvs, &srvscount);
++      if (err)
++        goto leave;
++
++      /* Find the first target which also ends in DOMAIN or is equal
++       * to DOMAIN.  */
++      domainlen = strlen (domain);
++      for (i = 0; i < srvscount; i++)
++        {
++          log_debug ("srv: trying '%s:%hu'\n", srvs[i].target, srvs[i].port);
++          targetlen = strlen (srvs[i].target);
++          if ((targetlen > domainlen + 1
++               && srvs[i].target[targetlen - domainlen - 1] == '.'
++               && !ascii_strcasecmp (srvs[i].target + targetlen - domainlen,
++                                     domain))
++              || (targetlen == domainlen
++                  && !ascii_strcasecmp (srvs[i].target, domain)))
++            {
++              /* found.  */
++              domainbuf = xtrystrdup (srvs[i].target);
++              if (!domainbuf)
++                {
++                  err = gpg_error_from_syserror ();
++                  xfree (srvs);
++                  goto leave;
++                }
++              domain = domainbuf;
++              if (srvs[i].port)
++                snprintf (portstr, sizeof portstr, ":%hu", srvs[i].port);
++              break;
++            }
++        }
++      xfree (srvs);
++      log_debug ("srv: got '%s%s'\n", domain, portstr);
++    }
++
+   gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
+   encodedhash = zb32_encode (sha1buf, 8*20);
+   if (!encodedhash)
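
Review bot: in the new SRV block of cmd_wkd_get, `if (err) goto leave;` turns any SRV lookup failure into a failed WKD request, although the host taken from the mail address is still a valid place to look; logging the error and continuing with the original DOMAIN would keep WKD working when the resolver has trouble. Once a target is accepted, DOMAIN points to it, so the https URI, and with it the host name the TLS certificate is checked against, comes from the DNS answer. The commit message itself leaves open whether the suffix test is sufficient, so this path would be better placed behind an option than behind `if (1)` until that is settled. Also, `i` is an int compared against the unsigned SRVSCOUNT, and the two log_debug calls run on every lookup with no debug-flag guard.
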
+@@ -858,6 +904,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+     {
+       uri = strconcat ("https://",
+                        domain,
++                       portstr,
+                        "/.well-known/openpgpkey/submission-address",
+                        NULL);
+     }
+@@ -865,6 +912,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+     {
+       uri = strconcat ("https://",
+                        domain,
++                       portstr,
+                        "/.well-known/openpgpkey/policy",
+                        NULL);
+     }
+@@ -872,6 +920,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+     {
+       uri = strconcat ("https://",
+                        domain,
++                       portstr,
+                        "/.well-known/openpgpkey/hu/",
+                        encodedhash,
+                        NULL);
+@@ -907,6 +956,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line)
+   xfree (uri);
+   xfree (encodedhash);
+   xfree (mbox);
++  xfree (domainbuf);
+   return leave_cmd (ctx, err);
+ }
+ 
diff --git a/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch b/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch
new file mode 100644
index 0000000..f5c7868
--- /dev/null
+++ b/debian/patches/0030-doc-Update-man-page-for-watchgnupg.patch
@@ -0,0 +1,98 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 08:54:45 +0100
+Subject: doc: Update man page for watchgnupg
+
+--
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 2baba11fad6dd680a992260d161dffa1eeae0e42)
+---
+ doc/tools.texi | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/doc/tools.texi b/doc/tools.texi
+index d321b699a..f0e6fe70c 100644
+--- a/doc/tools.texi
++++ b/doc/tools.texi
+@@ -54,13 +54,14 @@ other utilities.  This tool is not available for Windows.
+ @command{watchgnupg} is commonly invoked as
+ 
+ @example
+-watchgnupg --force ~/.gnupg/S.log
++watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
+ @end example
+ @manpause
+ 
+ @noindent
+-This starts it on the current terminal for listening on the socket
+- at file{~/.gnupg/S.log}.
++This starts it on the current terminal for listening on the standard
++logging socket (which is either @file{~/.gnupg/S.log} or
++ at file{/var/run/user/UID/gnupg/S.log}).
+ 
+ @mansect options
+ @noindent
+@@ -77,6 +78,10 @@ Delete an already existing socket file.
+ Instead of reading from a local socket, listen for connects on TCP port
+ @var{n}.
+ 
++ at item --time-only
++ at opindex time-only
++Do not print the date part of the timestamp.
++
+ @item --verbose
+ @opindex verbose
+ Enable extra informational output.
+@@ -96,21 +101,22 @@ Display a brief help page and exit.
+ @chapheading Examples
+ 
+ @example
+-$ watchgnupg --force /home/foo/.gnupg/S.log
++$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
+ @end example
+ 
+ This waits for connections on the local socket
+- at file{/home/foo/.gnupg/S.log} and shows all log entries.  To make this
+-work the option @option{log-file} needs to be used with all modules
+-which logs are to be shown.  The value for that option must be given
+-with a special prefix (e.g. in the conf files):
++(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries.  To
++make this work the option @option{log-file} needs to be used with all
++modules which logs are to be shown.  The suggested entry for the
++configuration files is:
+ 
+ @example
+-log-file socket:///home/foo/.gnupg/S.log
++log-file socket://
+ @end example
+ 
+-If only @code{socket://} is used a default socket file named
+- at file{S.log} in the standard socket directory is used.
++If the default socket as given above and returned by "echo $(gpgconf
++--list-dirs socketdir)/S.log" is not desired an arbitrary socket name
++can be specified, for example @file{socket:///home/foo/bar/mysocket}.
+ For debugging purposes it is also possible to do remote logging.  Take
+ care if you use this feature because the information is send in the
+ clear over the network.  Use this syntax in the conf files:
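
Review bot: the rewritten paragraph quotes a shell command in plain double quotes ("echo $(gpgconf --list-dirs socketdir)/S.log") while the rest of the page marks commands, options and files with @command, @option, @code and @file. Use @code{...} (or an @example block) for the command so it renders consistently in the man page and info output.
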
+@@ -119,13 +125,14 @@ clear over the network.  Use this syntax in the conf files:
+ log-file tcp://192.168.1.1:4711
+ @end example
+ 
+-You may use any port and not just 4711 as shown above; only IP addresses
+-are supported (v4 and v6) and no host names.  You need to start
+- at command{watchgnupg} with the @option{tcp} option.  Note that under
+-Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
+-can be used to change the default log output from @code{stderr} to
+-whatever is given by that entry.  However the only useful entry is a TCP
+-name for remote debugging.
++You may use any port and not just 4711 as shown above; only IP
++addresses are supported (v4 and v6) and no host names.  You need to
++start @command{watchgnupg} with the @option{tcp} option.  Note that
++under Windows the registry entry
++ at var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the
++default log output from @code{stderr} to whatever is given by that
++entry.  However the only useful entry is a TCP name for remote
++debugging.
+ 
+ 
+ @mansect see also
diff --git a/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch b/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
new file mode 100644
index 0000000..797d7b8
--- /dev/null
+++ b/debian/patches/0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
@@ -0,0 +1,197 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 10:11:20 +0100
+Subject: dirmngr: Do not use a SRV record for HKP if a port was specified.
+
+* dirmngr/http.h (parsed_uri_s): Add field EXPLICIT_PORT.
+* dirmngr/http.c (do_parse_uri): That it.
+* dirmngr/ks-engine-hkp.c (map_host): Add arg NO_SRV.
+(make_host_part): Ditto.
+(ks_hkp_resolve): Set NO_SRV from EXPLICIT_PORT.
+(ks_hkp_search): Ditto.
+(ks_hkp_get): Ditto.
+(ks_hkp_put): Ditto.
+--
+
+This implements the behaviour of the keyserver helpers from 1.4 and
+2.0.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit c2cbe2f87c480c62239dc4c2cbb352acd98cd267)
+---
+ dirmngr/http.c          |  2 ++
+ dirmngr/http.h          |  1 +
+ dirmngr/ks-engine-hkp.c | 65 ++++++++++++++++++++++++++++---------------------
+ 3 files changed, 40 insertions(+), 28 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 7a028047d..0a47d9f59 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -1169,6 +1169,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
+   uri->opaque = 0;
+   uri->v6lit = 0;
+   uri->onion = 0;
++  uri->explicit_port = 0;
+ 
+   /* A quick validity check. */
+   if (strspn (p, VALID_URI_CHARS) != n)
+@@ -1241,6 +1242,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
+ 	    {
+ 	      *p3++ = '\0';
+ 	      uri->port = atoi (p3);
++              uri->explicit_port = 1;
+ 	    }
+ 
+ 	  if ((n = remove_escapes (uri->host)) < 0)
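
Review bot: in do_parse_uri, `uri->explicit_port = 1;` is set whenever a colon follows the host, even when nothing usable follows it: for "host:" or "host:abc" atoi returns 0, yet the URI is flagged as having an explicit port and the HKP code then skips the SRV lookup. Set the flag only when the parsed port is non-zero, or reject such URIs. The added line is also indented with spaces while its neighbours use tabs.
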
+diff --git a/dirmngr/http.h b/dirmngr/http.h
+index 2a36fdaa8..32556a4e0 100644
+--- a/dirmngr/http.h
++++ b/dirmngr/http.h
+@@ -53,6 +53,7 @@ struct parsed_uri_s
+   unsigned int opaque:1;/* Unknown scheme; PATH has the rest.  */
+   unsigned int v6lit:1; /* Host was given as a literal v6 address.  */
+   unsigned int onion:1; /* .onion address given.  */
++  unsigned int explicit_port :1; /* The port was explicitly specified.  */
+   char *auth;           /* username/password for basic auth.  */
+   char *host; 	        /* Host (converted to lowercase). */
+   unsigned short port;  /* Port (always set if the host is set). */
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 5b54c443a..b5150d478 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -394,19 +394,20 @@ add_host (const char *name, int is_pool,
+ 
+ 
+ /* Map the host name NAME to the actual to be used host name.  This
+-   allows us to manage round robin DNS names.  We use our own strategy
+-   to choose one of the hosts.  For example we skip those hosts which
+-   failed for some time and we stick to one host for a time
+-   independent of DNS retry times.  If FORCE_RESELECT is true a new
+-   host is always selected.  The selected host is stored as a malloced
+-   string at R_HOST; on error NULL is stored.  If we know the port
+-   used by the selected host, a string representation is written to
+-   R_PORTSTR, otherwise it is left untouched.  If R_HTTPFLAGS is not
+-   NULL it will receive flags which are to be passed to http_open.  If
+-   R_POOLNAME is not NULL a malloced name of the pool is stored or
+-   NULL if it is not a pool. */
++ * allows us to manage round robin DNS names.  We use our own strategy
++ * to choose one of the hosts.  For example we skip those hosts which
++ * failed for some time and we stick to one host for a time
++ * independent of DNS retry times.  If FORCE_RESELECT is true a new
++ * host is always selected.  If NO_SRV is set no service record lookup
++ * will be done.  The selected host is stored as a malloced string at
++ * R_HOST; on error NULL is stored.  If we know the port used by the
++ * selected host from a service record, a string representation is
++ * written to R_PORTSTR, otherwise it is left untouched.  If
++ * R_HTTPFLAGS is not NULL it will receive flags which are to be
++ * passed to http_open.  If R_POOLNAME is not NULL a malloced name of
++ * the pool is stored or NULL if it is not a pool. */
+ static gpg_error_t
+-map_host (ctrl_t ctrl, const char *name, int force_reselect,
++map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
+           char **r_host, char *r_portstr,
+           unsigned int *r_httpflags, char **r_poolname)
+ {
+@@ -465,7 +466,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
+         }
+       hi = hosttable[idx];
+ 
+-      if (!is_ip_address (name))
++      if (!no_srv && !is_ip_address (name))
+         {
+           /* Check for SRV records.  */
+           err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
+@@ -874,13 +875,13 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
+ 
+ 
+ /* Build the remote part of the URL from SCHEME, HOST and an optional
+-   PORT.  Returns an allocated string at R_HOSTPORT or NULL on failure
+-   If R_POOLNAME is not NULL it receives a malloced string with the
+-   poolname.  */
++ * PORT.  If NO_SRV is set no SRV record lookup will be done.  Returns
++ * an allocated string at R_HOSTPORT or NULL on failure If R_POOLNAME
++ * is not NULL it receives a malloced string with the poolname.  */
+ static gpg_error_t
+ make_host_part (ctrl_t ctrl,
+                 const char *scheme, const char *host, unsigned short port,
+-                int force_reselect,
++                int force_reselect, int no_srv,
+                 char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
+ {
+   gpg_error_t err;
+@@ -890,11 +891,18 @@ make_host_part (ctrl_t ctrl,
+   *r_hostport = NULL;
+ 
+   portstr[0] = 0;
+-  err = map_host (ctrl, host, force_reselect,
++  err = map_host (ctrl, host, force_reselect, no_srv,
+                   &hostname, portstr, r_httpflags, r_poolname);
+   if (err)
+     return err;
+ 
++  /* If map_host did not return a port (from a SRV record) but a port
++   * has been specified (implicitly or explicitly) then use that port.
++   * Only in the case that a port was not specified (which might be a
++   * bug in https.c) we will later make sure that it has been set.  */
++  if (!*portstr && port)
++    snprintf (portstr, sizeof portstr, "%hu", port);
++
+   /* Map scheme and port.  */
+   if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https"))
+     {
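
Review bot: the comment added in make_host_part says a missing port "might be a bug in https.c", but the parser touched by this patch is dirmngr/http.c; fix the file name. Since http.h documents PORT as "always set if the host is set", `!*portstr && port` will normally fill PORTSTR whenever no SRV port was found, which leaves the per-scheme defaults further down reachable only for a zero port; the comment should say that they are a safety net.
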
+@@ -908,12 +916,6 @@ make_host_part (ctrl_t ctrl,
+       if (! *portstr)
+         strcpy (portstr, "11371");
+     }
+-  if (port)
+-    snprintf (portstr, sizeof portstr, "%hu", port);
+-  else
+-    {
+-      /*fixme_do_srv_lookup ()*/
+-    }
+ 
+   *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+   xfree (hostname);
+@@ -939,7 +941,11 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+   gpg_error_t err;
+   char *hostport = NULL;
+ 
+-  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, 1,
++  /* NB: With an explicitly given port we do not want to consult a
++   * service record because that might be in conflict with the port
++   * from such a service record.  */
++  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++                        1, uri->explicit_port,
+                         &hostport, NULL, NULL);
+   if (err)
+     {
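
Review bot: in ks_hkp_resolve the call now passes two adjacent bare ints, `1, uri->explicit_port`, for FORCE_RESELECT and NO_SRV, and swapping them would compile silently. A short comment per argument or named flag bits would make this and the three other call sites safer. The new NB comment is also circular (a port "in conflict with the port from such a service record"); it presumably means that the explicitly given port could conflict with the one in the SRV record.
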
+@@ -1217,7 +1223,8 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
+ 
+     xfree (hostport); hostport = NULL;
+     xfree (httphost); httphost = NULL;
+-    err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++    err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++                          reselect, uri->explicit_port,
+                           &hostport, &httpflags, &httphost);
+     if (err)
+       goto leave;
+@@ -1358,7 +1365,8 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
+   /* Build the request string.  */
+   xfree (hostport); hostport = NULL;
+   xfree (httphost); httphost = NULL;
+-  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++                        reselect, uri->explicit_port,
+                         &hostport, &httpflags, &httphost);
+   if (err)
+     goto leave;
+@@ -1470,7 +1478,8 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
+  again:
+   xfree (hostport); hostport = NULL;
+   xfree (httphost); httphost = NULL;
+-  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
++  err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
++                        reselect, uri->explicit_port,
+                         &hostport, &httpflags, &httphost);
+   if (err)
+     goto leave;
diff --git a/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch b/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
new file mode 100644
index 0000000..21f9150
--- /dev/null
+++ b/debian/patches/0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
@@ -0,0 +1,124 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 9 Jan 2017 10:42:30 +0100
+Subject: dirmngr: Use "pgpkey-hkps" and "pgpkey-hkp" for SRV record lookups.
+
+* dirmngr/ks-engine-hkp.c (map_host): Chnage arg NO_SRV to SRVTAG.
+(make_host_part): Rewrite.
+--
+
+This fixes a regression from 2.0 and 1.4 where these tags have been in
+used since 2009.  For whatever reason this was not ported to 2.1 and
+"hkp" was always used.
+
+GnuPG-bug-id: 2451
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 0cc975d8a1cd54115938202432e43263b8893ea4)
+---
+ dirmngr/ks-engine-hkp.c | 63 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 29 deletions(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index b5150d478..31fef39db 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -398,16 +398,17 @@ add_host (const char *name, int is_pool,
+  * to choose one of the hosts.  For example we skip those hosts which
+  * failed for some time and we stick to one host for a time
+  * independent of DNS retry times.  If FORCE_RESELECT is true a new
+- * host is always selected.  If NO_SRV is set no service record lookup
+- * will be done.  The selected host is stored as a malloced string at
+- * R_HOST; on error NULL is stored.  If we know the port used by the
+- * selected host from a service record, a string representation is
+- * written to R_PORTSTR, otherwise it is left untouched.  If
+- * R_HTTPFLAGS is not NULL it will receive flags which are to be
+- * passed to http_open.  If R_POOLNAME is not NULL a malloced name of
+- * the pool is stored or NULL if it is not a pool. */
++ * host is always selected.  If SRVTAG is NULL no service record
++ * lookup will be done, if it is set that service name is used.  The
++ * selected host is stored as a malloced string at R_HOST; on error
++ * NULL is stored.  If we know the port used by the selected host from
++ * a service record, a string representation is written to R_PORTSTR,
++ * otherwise it is left untouched.  If R_HTTPFLAGS is not NULL it will
++ * receive flags which are to be passed to http_open.  If R_POOLNAME
++ * is not NULL a malloced name of the pool is stored or NULL if it is
++ * not a pool. */
+ static gpg_error_t
+-map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
++map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+           char **r_host, char *r_portstr,
+           unsigned int *r_httpflags, char **r_poolname)
+ {
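Review bot: the rewritten map_host comment says a service record lookup is done whenever SRVTAG is set, but the next hunk still skips it when NAME is an IP address (`srvtag && !is_ip_address (name)`), so the comment should say that too. It would also help to state the expected form of SRVTAG (make_host_part passes "pgpkey-https" or "pgpkey-http"), and to split the comma-spliced sentence "no service record lookup will be done, if it is set that service name is used" in two. Note that SRVTAG was inserted before FORCE_RESELECT while the old NO_SRV came after it, so any caller not updated in this patch would now pass an int where a pointer is expected.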
+@@ -466,10 +467,10 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv,
+         }
+       hi = hosttable[idx];
+ 
+-      if (!no_srv && !is_ip_address (name))
++      if (srvtag && !is_ip_address (name))
+         {
+           /* Check for SRV records.  */
+-          err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount);
++          err = get_dns_srv (name, srvtag, NULL, &srvs, &srvscount);
+           if (err)
+             {
+               xfree (reftbl);
+@@ -885,38 +886,42 @@ make_host_part (ctrl_t ctrl,
+                 char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
+ {
+   gpg_error_t err;
++  const char *srvtag;
+   char portstr[10];
+   char *hostname;
+ 
+   *r_hostport = NULL;
+ 
+-  portstr[0] = 0;
+-  err = map_host (ctrl, host, force_reselect, no_srv,
+-                  &hostname, portstr, r_httpflags, r_poolname);
+-  if (err)
+-    return err;
+-
+-  /* If map_host did not return a port (from a SRV record) but a port
+-   * has been specified (implicitly or explicitly) then use that port.
+-   * Only in the case that a port was not specified (which might be a
+-   * bug in https.c) we will later make sure that it has been set.  */
+-  if (!*portstr && port)
+-    snprintf (portstr, sizeof portstr, "%hu", port);
+-
+-  /* Map scheme and port.  */
+   if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https"))
+     {
+       scheme = "https";
+-      if (! *portstr)
+-        strcpy (portstr, "443");
++      srvtag = no_srv? NULL : "pgpkey-https";
+     }
+   else /* HKP or HTTP.  */
+     {
+       scheme = "http";
+-      if (! *portstr)
+-        strcpy (portstr, "11371");
++      srvtag = no_srv? NULL : "pgpkey-http";
+     }
+ 
++  portstr[0] = 0;
++  err = map_host (ctrl, host, srvtag, force_reselect,
++                  &hostname, portstr, r_httpflags, r_poolname);
++  if (err)
++    return err;
++
++  /* If map_host did not return a port (from a SRV record) but a port
++   * has been specified (implicitly or explicitly) then use that port.
++   * In the case that a port was not specified (which is probably a
++   * bug in https.c) we will set up defaults.  */
++  if (*portstr)
++    ;
++  else if (!*portstr && port)
++    snprintf (portstr, sizeof portstr, "%hu", port);
++  else if (!strcmp (scheme,"https"))
++    strcpy (portstr, "443");
++  else
++    strcpy (portstr, "11371");
++
+   *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+   xfree (hostname);
+   if (!*r_hostport)
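Review bot: in the new port fallback chain in make_host_part, `else if (!*portstr && port)` re-tests `!*portstr`, which is always true once the preceding `if (*portstr) ;` has failed, and the empty statement is easy to misread. A single `if (!*portstr)` block containing the three fallbacks (explicit port, then 443 for https, then 11371) expresses the same precedence directly. Separately, the service tags set here are "pgpkey-https" and "pgpkey-http", while the patch file name listed in debian/patches/series speaks of pgpkey-hkps and pgpkey-hkp; one of the two should be corrected so that operators publish the SRV name that is actually queried.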
diff --git a/debian/patches/0033-common-Fix-fallback-code.patch b/debian/patches/0033-common-Fix-fallback-code.patch
new file mode 100644
index 0000000..ffc0979
--- /dev/null
+++ b/debian/patches/0033-common-Fix-fallback-code.patch
@@ -0,0 +1,41 @@
+From: Justus Winter <justus at g10code.com>
+Date: Tue, 10 Jan 2017 12:31:46 +0100
+Subject: common: Fix fallback code.
+
+* common/logging.c (_log_assert): Fix the variant for compilers that
+do not support __FUNCTION__.
+* common/logging.h (_log_assert): Likewise.
+
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit bfd6a490129ffc7c7ac8776bf5a5da3b1ddf6d42)
+---
+ common/logging.c | 2 +-
+ common/logging.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/logging.c b/common/logging.c
+index ca1341c20..c06a34f38 100644
+--- a/common/logging.c
++++ b/common/logging.c
+@@ -1007,7 +1007,7 @@ void
+ _log_assert (const char *expr, const char *file, int line)
+ {
+   log_log (GPGRT_LOG_BUG, "Assertion \"%s\" failed (%s:%d)\n",
+-           file, line, func);
++           expr, file, line);
+   abort (); /* Never called; just to make the compiler happy.  */
+ }
+ #endif /*!GPGRT_HAVE_MACRO_FUNCTION*/
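Review bot: the old argument list `file, line, func` in this !GPGRT_HAVE_MACRO_FUNCTION variant of _log_assert referred to a `func` that is not a parameter of the function, so this branch cannot have been compiled before the fix. A build (or a one-off compile) with GPGRT_HAVE_MACRO_FUNCTION undefined would keep the fallback path from rotting again. The three arguments `expr, file, line` now match the "%s", "%s" and "%d" conversions in the format string.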
+diff --git a/common/logging.h b/common/logging.h
+index 64b999d66..d062f1413 100644
+--- a/common/logging.h
++++ b/common/logging.h
+@@ -62,7 +62,7 @@ estream_t log_get_stream (void);
+   } while (0)
+ #else /*!GPGRT_HAVE_MACRO_FUNCTION*/
+   void bug_at (const char *file, int line);
+-  void _log_assert (const char *expr, const char *file, int line;
++  void _log_assert (const char *expr, const char *file, int line);
+ # define BUG() bug_at( __FILE__ , __LINE__ )
+ # define log_assert(expr)    do {                               \
+     if (!(expr))                                                \
diff --git a/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch b/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
new file mode 100644
index 0000000..c9426ec
--- /dev/null
+++ b/debian/patches/0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
@@ -0,0 +1,151 @@
+From: Justus Winter <justus at g10code.com>
+Date: Tue, 10 Jan 2017 15:42:27 +0100
+Subject: tools: Fix memory leaks and improve error handling.
+
+* tools/gpgconf-comp.c (gc_option_free): New function.
+(gc_components_free): Likewise.
+(gc_components_init): Likewise.
+(retrieve_options_from_program): Use 'xfree', fix memory leak.
+(change_options_program): Improve error handling.
+(gc_component_change_options): Fix memory leaks.
+* tools/gpgconf.c (main): Initialize components.
+* tools/gpgconf.h (gc_components_init): New prototype.
+
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 1f5caf90bfaaaf7b9d8c06c12087aeeae3748032)
+---
+ tools/gpgconf-comp.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++------
+ tools/gpgconf.c      |  1 +
+ tools/gpgconf.h      |  4 ++++
+ 3 files changed, 52 insertions(+), 6 deletions(-)
+
+diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
+index 925f1cf2d..2dcf0758e 100644
+--- a/tools/gpgconf-comp.c
++++ b/tools/gpgconf-comp.c
+@@ -1102,6 +1102,35 @@ struct error_line_s
+ 
+ 
+ 

++
++/* Initialization and finalization.  */
++
++static void
++gc_option_free (gc_option_t *o)
++{
++  if (o == NULL || o->name == NULL)
++    return;
++
++  xfree (o->value);
++  gc_option_free (o + 1);
++}
++
++static void
++gc_components_free (void)
++{
++  int i;
++  for (i = 0; i < DIM (gc_component); i++)
++    gc_option_free (gc_component[i].options);
++}
++
++void
++gc_components_init (void)
++{
++  atexit (gc_components_free);
++}
++
++

++
+ /* Engine specific support.  */
+ static void
+ gpg_agent_runtime_change (int killflag)
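Review bot: gc_option_free walks the option array by calling itself on `o + 1`, so the call depth equals the number of options unless the compiler turns it into a loop; `for (; o && o->name; o++) xfree (o->value);` does the same work iteratively. The function also leaves `o->value` pointing at freed memory, which is harmless only as long as the handler runs exactly once at exit, so setting it to NULL after the free would be safer. In gc_components_init the return value of `atexit` is ignored, and in gc_components_free the `int i` is compared against `DIM (gc_component)`, which is a signed/unsigned comparison if DIM is sizeof-based.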
+@@ -2183,7 +2212,7 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
+ 	      if (!(option->flags & GC_OPT_FLAG_LIST))
+ 		{
+ 		  if (option->value)
+-		    free (option->value);
++		    xfree (option->value);
+ 		  option->value = opt_value;
+ 		}
+ 	      else
+@@ -2192,10 +2221,9 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
+ 		    option->value = opt_value;
+ 		  else
+ 		    {
+-		      char *opt_val = opt_value;
+-
+-		      option->value = xasprintf ("%s,%s", option->value,
+-						 opt_val);
++		      char *old = option->value;
++		      option->value = xasprintf ("%s,%s", old, opt_value);
++		      xfree (old);
+ 		      xfree (opt_value);
+ 		    }
+ 		}
+@@ -2872,7 +2900,12 @@ change_options_program (gc_component_t component, gc_backend_t backend,
+   res = link (dest_filename, orig_filename);
+ #endif
+   if (res < 0 && errno != ENOENT)
+-    return -1;
++    {
++      xfree (dest_filename);
++      xfree (src_filename);
++      xfree (orig_filename);
++      return -1;
++    }
+   if (res < 0)
+     {
+       xfree (orig_filename);
+@@ -3365,6 +3398,7 @@ gc_component_change_options (int component, estream_t in, estream_t out,
+ 		}
+ 	      if (err)
+ 		break;
++	      xfree (src_filename[i]);
+ 	      src_filename[i] = NULL;
+ 	    }
+ 	}
+@@ -3434,10 +3468,17 @@ gc_component_change_options (int component, estream_t in, estream_t out,
+ 	unlink (backup_filename);
+ #endif /* HAVE_W32_SYSTEM */
+ 	rename (orig_filename[backend], backup_filename);
++	xfree (backup_filename);
+       }
+ 
+  leave:
+   xfree (line);
++  for (backend = 0; backend < GC_BACKEND_NR; backend++)
++    {
++      xfree (src_filename[backend]);
++      xfree (dest_filename[backend]);
++      xfree (orig_filename[backend]);
++    }
+ }
+ 
+ 
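Review bot: the new loop under `leave:` frees src_filename[], dest_filename[] and orig_filename[] for every backend, which is only safe if each slot starts out NULL and every slot freed earlier is reset to NULL afterwards. The previous hunk does that for src_filename[i] (`xfree` followed by `= NULL`); please confirm the same holds for dest_filename[] and orig_filename[] on every path that reaches `leave`. If change_options_program can store its strings into these arrays before taking its new `return -1` cleanup path, the two frees would collide, so that ordering deserves a comment in the code.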
+diff --git a/tools/gpgconf.c b/tools/gpgconf.c
+index af65424e0..a1034e663 100644
+--- a/tools/gpgconf.c
++++ b/tools/gpgconf.c
+@@ -470,6 +470,7 @@ main (int argc, char **argv)
+   /* Make sure that our subsystems are ready.  */
+   i18n_init();
+   init_common_subsystems (&argc, &argv);
++  gc_components_init ();
+ 
+   /* Parse the command line. */
+   pargs.argc  = &argc;
+diff --git a/tools/gpgconf.h b/tools/gpgconf.h
+index 39d34b6d0..d6d7627aa 100644
+--- a/tools/gpgconf.h
++++ b/tools/gpgconf.h
+@@ -38,6 +38,10 @@ struct
+ 
+ 
+ /*-- gpgconf-comp.c --*/
++
++/* Initialize the components.  */
++void gc_components_init (void);
++
+ /* Percent-Escape special characters.  The string is valid until the
+    next invocation of the function.  */
+ char *gc_percent_escape (const char *src);
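Review bot: the comment "Initialize the components." on the gc_components_init prototype does not match what the function does in gpgconf-comp.c, where it only registers gc_components_free with `atexit`. The comment should say that, and that the function is meant to be called once from main: a second call would register the cleanup handler twice, and gc_option_free does not reset the pointers it frees.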
diff --git a/debian/patches/0035-doc-Mention-dirmngr.conf.patch b/debian/patches/0035-doc-Mention-dirmngr.conf.patch
new file mode 100644
index 0000000..0384bef
--- /dev/null
+++ b/debian/patches/0035-doc-Mention-dirmngr.conf.patch
@@ -0,0 +1,50 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 10 Jan 2017 16:24:31 +0100
+Subject: doc: Mention dirmngr.conf
+
+--
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 7345c64b0887e51d8c8c6eaf49c9dbf5b0f45228)
+---
+ doc/dirmngr.texi | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index fc617d81d..4448bf0e6 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -131,6 +131,10 @@ will thus trigger reading of fresh CRLs.
+ @node Dirmngr Options
+ @section Option Summary
+ 
++Note that all long options with the exception of @option{--options}
++and @option{--homedir} may also be given in the configuration file
++after stripping off the two leading dashes.
++
+ @table @gnupgtabopt
+ 
+ @item --options @var{file}
+@@ -497,11 +501,20 @@ certificate for that pool.  Otherwise, it will use the system CAs.
+ @section Configuration
+ 
+ Dirmngr makes use of several directories when running in daemon mode:
++There are a few configuration files whih control the operation of
++dirmngr.  By default they may all be found in the current home
++directory (@pxref{option --homedir}).
+ 
+ @table @file
+ 
+- at item ~/.gnupg
+-This is the standard home directory for all configuration files.
++ at item dirmngr.conf
++ at efindex dirmngr.conf
++This is the standard configuration file read by @command{dirmngr} on
++startup.  It may contain any valid long option; the leading two dashes
++may not be entered and the option may not be abbreviated.  This file
++is also read after a @code{SIGHUP} however not all options will
++actually have an effect.  This default name may be changed on the
++command line (@pxref{option --options}).  You should backup this file.
+ 
+ @item /etc/gnupg/trusted-certs
+ This directory should be filled with certificates of Root CAs you
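Review bot: the added paragraph contains the typo "whih" for "which", and the unchanged lead-in "Dirmngr makes use of several directories when running in daemon mode:" now ends in a colon that runs straight into the new sentence about configuration files; that line should be dropped or reworded. In the dirmngr.conf item, "You should backup this file" should read "back up", and "after a SIGHUP however not all options" needs a semicolon or comma before "however".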
diff --git a/debian/patches/series b/debian/patches/series
index 1ea9189..66d03bc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,13 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
 0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
 0024-Silence-two-Wlogical-op-warnings.patch
 0025-doc-Document-summary-values-of-TOFU_STATS.patch
+0026-dirmngr-Strip-root-zone-suffix-from-libdns-SRV-resul.patch
+0027-dirmngr-Change-internal-SRV-lookup-API.patch
+0028-dirmngr-Improve-debug-output-for-TLS.patch
+0029-dirmngr-Implement-experimental-SRV-record-lookup-for.patch
+0030-doc-Update-man-page-for-watchgnupg.patch
+0031-dirmngr-Do-not-use-a-SRV-record-for-HKP-if-a-port-wa.patch
+0032-dirmngr-Use-pgpkey-hkps-and-pgpkey-hkp-for-SRV-recor.patch
+0033-common-Fix-fallback-code.patch
+0034-tools-Fix-memory-leaks-and-improve-error-handling.patch
+0035-doc-Mention-dirmngr.conf.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


