available any more.
(c) FRISK Software International
http://www.f-prot.com/
F-PROT Antivirus for BSD, version 4.4.1
Version 4.4.1 contains various bugfixes and improvements to the documentation
and software.
o Further enhancements of scanning password encrypted zip files.
o Added detection of encrypted archives (since various new viruses
spread through encrypted archives).
o Minor bug-fixes in the F-Prot daemon.
o Minor bug-fixes in scan-mail.pl (smtp proxying).
o Critical bug-fixes in f-prot-milter.
by moving the inclusion of buildlink3.mk files outside of the protected
region. This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.
BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list. This ordering property is used to check for builtin
packages in the correct order. The problem was that including a
buildlink3.mk file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end. However, since the
inclusion of any other buildlink3.mk files within that buildlink3.mk
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.
While here, update to 4.4.0 since previous distfile disappeared.
Changes:
o Added detection of encrypted archives (since various new viruses
spread through encrypted archives).
o Minor bug-fixes in the F-Prot daemon.
o Minor bug-fixes in scan-mail.pl (smtp proxying).
o Critical bug-fixes in f-prot-milter.
o Minor modifications to the check-updates.pl script (disable proxy caching
by default).
changes:
- Added support for removing files recursively
- Includes checking for file type and size.
- Displays the file being destroyed and its size.
- Added command line flags:
- Added Security Level Flag (Destroy Severity)
- Added Output suppression flag for non-verbose output.
- Added Help flag.
- Added a Manual page for the program in section 1.
While here bl3ify.
Changes since previously packaged version (3.2.5):
2003-12-03 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.9.1.
* non-commercial: removed cert hash compat stuff, which broke
compilation.
2003-09-26 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.9.
* ssh2,sshd2: (by Patrick Irwin): Critical security fix: fixed
several bugs in ASN.1 decoding functionality, which were caused
by invalid assumptions on the format of input BER data.
Certificates malformed in certain ways could cause a crash or
buffer overflow. No known exploits at this time, but you are
strongly advised to upgrade.
Admins unwilling or unable to upgrade need to disable
certificates, but this may not be enough for "hostbased"
authentication. "publickey" auth should be safe even with the
old version with certificates disabled. Clients are probably
vulnerable against malicious servers in the initial key exchange
regardless of configuration.
Users of noncommercial version are not affected by this
vulnerability.
2003-09-25 Sami J. Lehtinen <sjl@ssh.com>
* sshd2, ssh2: Implemented DisableVersionFallback, with which you
can disable fallback compatibility code for older, or otherwise
incompatible versions of software. Don't disable unless you know
what you're doing. See sshd2_config(5) for details. For really
paranoid people (using this option will probably hurt usability
somewhat, especially in environments where multiple versions of
SSH are used from different vendors).
* sshd2, ssh2: Implemented Cert.RSA.Compat.HashScheme. Older SSH
Secure Shell clients and servers used hashes in an incoherent
manner (sometimes MD5, sometimes SHA-1). With this option, you
can set what hash is used. See sshd2_config(5) for details.
* Previous: ssh-3.2.8.
2003-08-07 Tomi Salo <ttsalo@ssh.com>
* Added a new general configuration option, MaxCRLSize. This sets
the maximum size for CRLs and CA certs used in validating
received certificates. (The size is the total size of all CRLs
and certs, not the maximum individual size.)
2003-06-11 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.7.
* ssh-signer2: Fixed a bug, which caused the application to
intermittently call fatal because the read() operation was
interrupted by a signal (SIGCHLD).
2003-06-04 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.6.
* SecurID certified binaries, no code changes.
built-in or not into a separate builtin.mk file. The code to deal
with checking for built-in software is much simpler to deal with in pkgsrc.
The buildlink3.mk file for a package will be of the usual format
regardless of the package, which makes it simpler for packagers to
update a package.
The builtin.mk file for a package must define a single yes/no variable
USE_BUILTIN.<pkg> that is used by bsd.buildlink3.mk to decide whether
to use the built-in software or to use the pkgsrc software.
According to README, "RSA Security holds software patents on the
RC5 algorithm. If you intend to use this cipher, you must contact
RSA Security for licensing conditions." And "The IDEA algorithm is
patented by Ascom ... They should be contacted if that algorithm
is to be used." The openssl FAQ says "For patent reasons, support
for IDEA, RC5 and MDC2 is disabled in this [Red Hat Linux] version."
The FAQ lists patent numbers and expiry dates of US patents:
MDC-2: 4,908,861 13/03/2007
IDEA: 5,214,703 25/05/2010
RC5: 5,724,428 03/03/2015
Now fee-based-commercial-use ACCEPTABLE_LICENSES is not needed.
Adapted to buildlink3
No INTERACTIVE_STAGE anymore
Changes since 0.17
===================
1.03 2002.12.09
- Makefile.PL now uses ExtUtils::AutoInstall. Thanks to Autrijus Tang
for the note.
- SIGNATURE file now included with distribution.
- Added --version to bin/pgplet, which lists supported ciphers, digests,
etc., along with version information.
- Added Crypt::OpenPGP::KeyBlock::save_armoured, to save an armoured
version of the keyblock (useful for exporting public keys).
- encrypt and verify no longer fail if there are no public keyrings,
in case lookup in a keyserver is desired.
- Added Crypt::OpenPGP::Digest::supported and
Crypt::OpenPGP::Cipher::supported.
- Fixed bug where signed cleartext has \r characters in the header.
1.02 2002.10.12
- encrypt and verify now support auto-retrieval of public keys from
an HKP keyserver, if the keys are not found in the local keyring.
- Added support for the SHA-1 integrity checks on secret keys used
by gnupg 1.0.7. Thanks to Chip Turner for the spot.
- Added a --local-user|-u option to bin/pgplet to support using a
different secret key for signing. Thanks to Joseph Pepin for the
patch.
- new() now accepts Crypt::OpenPGP::KeyRing objects for the PubRing
and SecRing parameters.
- Fixed a bug in decrypt where passing in a "Key" param to decrypt a
message encrypted to multiple recipients did not work. Thanks to
rdailey for the spot.
- ElGamal self-signatures no longer cause an error.
- Added LWP::UserAgent and URI::Escape to prereqs, for keyserver.
- Added Crypt::OpenPGP::Signature::digest accessor. Thanks to Bob
Mathews for the patch.
1.01 2002.07.15
- Added Crypt::OpenPGP::handle, a DWIM wrapper around the other
high-level interface methods. Given data, it determines whether the
data needs to be decrypted, verified, or both. And then it does what
it's supposed to do.
- Added Crypt::OpenPGP::Signature::timestamp to return the created-on
time for a signature. Also, Crypt::OpenPGP::decrypt and
Crypt::OpenPGP::verify now return the Crypt::OpenPGP::Signature object
if called in list context (and, in the case of decrypt, if there is
a signature). Thanks to Erik Arneson for the patches.
- Fixed a bug in decrypt with uncompressed encrypted signed data.
Thanks to Erik Arneson for the spot.
- Fixed a bug in Crypt::OpenPGP::Message with clearsigned messages, if
the text and signature were contained in a block of text containing
more PGP messages/signatures.
- Fixed a nasty, evil, stupid compatibility bug with canonical text.
Namely, pgp2 and pgp5 do not trim trailing whitespace from "canonical
text" signatures, only from cleartext signatures. This was causing
invalid signatures which should not have been invalid. Thanks to
Erik Arneson for the spot.
- Added Crypt::OpenPGP::KeyServer, which does lookups against an HKP
keyserver.
1.00 2002.02.26
- CAST5 is now supported thanks to Crypt::CAST5_PP from Bob Mathews.
- bin/pgplet now supports encrypting and decrypting symmetrically-
encrypted messages.
- The PassphraseCallback argument to Crypt::OpenPGP::decrypt can now
be used to supply a callback for symmetrically-encrypted packets,
as well as public-key-encrypted packets.
- Fix a bug with encrypted, signed text--the signature was being
armoured, which led to errors from the process trying to decrypt and
verify.
- Fix a bug with symmetric-encrypted session keys w/r/t generation for
PGP2--PGP2 doesn't understand symmetric-encrypted session keys, so we
need to leave them out when Compat is PGP2. Also, we need to use the
'Simple' S2k rather than the default, 'Salt_Iter'.
- Fix a key generation bug where GnuPG will not import generated public
keys, because the self-signature is invalid; signature needs to be on
key data *and* user ID. Thanks to Joel Rowles for the spot.
- Fix bug in ElGamal encryption and k generation.
0.18 2002.01.29
- Added IsPacketStream parameter to Crypt::OpenPGP::Message; this turns
off armour detection when initializing the message, and can be used
when you *know* that the message is a stream of packets, and not an
ASCII-armoured stream of packets.
- When unarmouring, remove \r characters from the armoured text end
of lines.
- Added Crypt::OpenPGP::KeyRing::save method. Thanks to Ben Xain for
the idea and a patch.
- Added compatibility with symmetric-key-encrypted files that do not
have a symmetric-key session key packet. The assumption with these
encrypted messages is that they are PGP2-encrypted, using the IDEA
cipher, MD5 digests, and a Simple s2k. So that is how the fix has
been implemented. Thanks to Ben Xain for the bug report.
- Win32 fixes: use binmode when reading files that might be binary.
- Added --symmetric and --digest options to Makefile.PL to set
symmetric and digest algorithms when using --sdk.
- Fixed subkey IDs in list-keys with bin/pgplet.
- Check for errors when reading keyring.
Changes since 0.0.6:
- A command line tool "gss" added in src/.
- gss_display_status can return multiple description texts (using context).
- The Swedish translation has been updated.
- Various cleanups and improvements.
- Implemented gss_export_name and gss_krb5_inquire_cred_by_mech.
The Kerberos 5 backend also supports them.
- gss_inquire_cred supports default credentials.
- Kerberos 5 gss_canonicalize_name now supports all mandatory name types.
- Kerberos 5 gss_accept_sec_context now supports sub-session keys in AP-REQ.
- Added new extended function API: gss_userok.
- API documentation in HTML format from GTK-DOC included in doc/reference/.
- Moved all backend specific code into sub-directories of lib/.
- The gss_duplicate_name function now allocates the output result properly.
- Man pages for all public functions are included.
- Documentation fixes. For example, all official APIs are now documented.
- Fixed typo that broke gss_wrap for 3DES with Kerberos 5.
- Improvements to build environment.
- Autoconf 2.59, Automake 1.8 beta, Libtool CVS used.
Changes from previous version are:
+ Fix a single byte buffer overflow. Can only be a NUL byte that
overflows, not believed (at this stage!) to be exploitable in any
way.
+ Avoid null-pointer dereference if getpwuid(getuid()) fails.
Version 1.0.8 (28/02/2004)
- Corrected bug in mutual certificate authentication in SSL 3.0.
- Several other minor bugfixes.
Version 1.0.7 (25/02/2004)
- Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection hack).
- Some updates in the documentation.
by request on regional-fr.
Srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites
the data in the target files before unlinking them. This prevents command-line
recovery of the data by examining the raw block device. It may also help
frustrate physical examination of the disk, although it's unlikely that it
completely protects against this type of recovery.
Srm uses algorithms found in _Secure Deletion of Data from Magnetic and
Solid-State Memory_ by Peter Gutmann and THC Secure Delete (the overwrite,
truncate, rename, unlink sequence).
All users, but especially Linux users, should be aware that srm will only
work on file systems that overwrite blocks in place. In particular, it will
_NOT_ work on reiserfs or the vast majority of journaled file systems. It
should work on ext2, FAT-based file systems, and the BSD native file system.
Ext3 users should be especially careful as it can be set to journal data as
well, which is an obvious route to reconstructing information.
---
ike-scan discovers IKE hosts and can also fingerprint them using the
retransmission backoff pattern.
ike-scan does two things:
a) Discovery: Determine which hosts are running IKE.
This is done by displaying those hosts which respond to the IKE requests
sent by ike-scan.
b) Fingerprinting: Determine which IKE implementation the hosts are using.
This is done by recording the times of the IKE response packets from the
target hosts and comparing the observed retransmission backoff pattern
against known patterns.
The retransmission backoff fingerprinting concept is discussed in more
detail in the UDP backoff fingerprinting paper which should be included
in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.
The program sends IKE main mode requests to the specified hosts and displays
any responses that are received. It handles retry and retransmission with
backoff to cope with packet loss. It also limits the amount of bandwidth
used by the outbound IKE packets.
Changes since 0.9.1:
* Support for Extended Key Usage.
* ksba_cms_identify may now return a pseudo content type for pkcs#12
files.
* Cleaned up the DN label table.
* Fixed a bug in creating CMS signed data.
* Interface changes:
ksba_reader_clear NEW.
ksba_cert_get_ext_key_usages NEW.
KSBA_CT_PKCS12 NEW.
Changes since 1.1.90:
- Included a limited implementation of RFC2268.
- Changed API of the gcry_ac_ functions.
- Code cleanups and minor bug fixes.
- Interface changes:
GCRY_CIPHER_RFC2268_40 NEW.
gcry_ac_data_set CHANGED: New argument FLAGS.
gcry_ac_data_get_name CHANGED: New argument FLAGS.
gcry_ac_data_get_index CHANGED: New argument FLAGS.
gcry_ac_key_pair_generate CHANGED: New and reordered arguments.
gcry_ac_key_test CHANGED: New argument HANDLE.
gcry_ac_key_get_nbits CHANGED: New argument HANDLE.
gcry_ac_key_get_grip CHANGED: New argument HANDLE.
gcry_ac_data_search REMOVED.
gcry_ac_data_add REMOVED.
GCRY_AC_DATA_FLAG_NO_BLINDING REMOVED.
GCRY_AC_FLAG_NO_BLINDING NEW: Replaces above.
Taking maintainership.
Adapted to buildlink3.
Shut up warnings during test with patch-aa.
Updated version requirements according to Makefile.PL.
Changes since 1.47
===================
* In ::Key::generate() calls to ::Key::Private::write() and
::Key::Public::write() have been fixed. Thanks to
Lars Rehe <rehe@mail.desy.de> for pointing out this bug.
* Fixed some documentation typos.
* POD documentation for ::Key::[Private|Public].
Taking maintainership.
Adapted to buildlink3.
Changes since 1.11
===================
* Changed the die() message at provider construction to include the
name of the provider.
* Updated documentation.
Taking maintainership.
Needs p5-Crypt-Rijndael for running the tests.
Adapted to buildlink3.
Changes since 2.02
===================
-Bug fix from Chris Laas to fix custom padding
-Bug fixes from Stephen Waters to fix space padding
-Lots of regression tests from Stephen Waters
-Makes zero-and-one padding compatible with Crypt::Rijndael::MODE_CBC.
-Lots of improvements to padding mechanisms from Stephen Waters
-Patch from Andy Turner <turner@mikomi.org> to allow backward
compatibility with old versions when key length exceeded max.
be linked in when testing -lreadline usability so that test fails on
Solaris - so pass that lib into configure at the start via the environment.
Also allow optional use of db4 rather than db.
the TCPA chip described in IBM Global Security Analysis Lab's
article "Take Control of TCPA" in the August 2003 issue of Linux
Journal.
For this package to be useful, you need a computer with a TCPA
chip, and support for the chip in your kernel. An unofficial NetBSD
TCPA driver and instructions can be found here:
http://www.citi.umich.edu/u/rwash/projects/trusted/netbsd.html
I don't have a TCPA chip with which to verify the functionality of
this package.
Thanks to Soren Jacobsen for bringing me up to speed on modern
pkgsrc conventions, and to Rick Wash for his recent presentation
at my local ACM chapter on TCPA and "Trusted Computing".
sourceforge dot net, cleaned by cjep@, and modified by me.
pyOpenSSL is a Python module that is a rather thin wrapper around (a
subset of) the OpenSSL library. A lot of the object methods do
nothing more than call a corresponding function in the OpenSSL
library.
Update to version 0.21.
Changes since 0.19:
0.21 Sun Feb 15 2004 21:13:45
- Include t/format.t in the MANIFEST file, so that it is
actually included in the distribution.
0.20 Sun Feb 15 2004 15:21:40
- Finally add support for the public key format produced by
"openssl rsa -pubout".
- Add comment in readme about locating kerberos files on redhat systems
modified by me.
chkrootkit is a tool to locally check for signs of a rootkit. It
contains:
* chkrootkit: a shell script that checks system binaries for
rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous
mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
Only minor changes since last release:
2003-11-19 Werner Koch <wk@gnupg.org>
Released 0.3.16.
* configure.ac: Bump LT revision to C9/A3/R7.
2003-11-18 Werner Koch <wk@gnupg.org>
* configure.ac: Check for timegm.
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CApath and CAfile global options.
- New 'taskbar' option on WIN32 (thx to Ken Mattsen
<ken.Mattsen@roxio.com>).
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error with [section] defined (in
stunnel 4.04 it was silently ignored causing problems
for lusers that did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking when it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- WIN32 taskbar GDI objects leak fixed.
- Libwrap detection bug in ./configure script fixed.
- grp.h header detection fixed for NetBSD and possibly
other systems.
- Some other minor updates.
include it. This is a reminder to anyone who updates cyrus-sasl2 to also
touch the other packages.
Update the cy2-*/PLIST files to have the correct module version numbers.
2003-10-29 David A. Wheeler
* Fixed an incredibly obscure parsing error that caused some
false positives. If a constant C string, after the closing
double-quote, is followed by a \ and newline (instead of a comma),
the string might not be recognized as a constant string
(thus triggering warnings about non-constant values in some cases).
This kind of formatting is quite ugly and rare.
My thanks to Sascha Nitsch (sascha, at spsn.ath.cx) for pointing
this bug out and giving me a test case to work with.
* Added a warning for readlink. The implementation and warning
are mine, but the idea of warning about readlink came from
Stefan Kost (kost, at imn.htwk-leipzig.de). Thanks!!
2003-09-27 David A. Wheeler
* Released version 1.23. Minor bugfixes.
2003-09-27 David A. Wheeler
* Fixed subtle bug - in some circumstances single character constants
wouldn't be parsed correctly. My thanks to Scott Renfro
<scottdonotspam, at renfro.org> for notifying me about this bug.
Scott Renfro also sent me a patch; I didn't use it
(the patch didn't handle other cases), but I'm grateful since it
illustrated the problem.
* Fixed documentation bug in man page.
The option "--minlevel=X" must be preceded by two dashes,
as are all GNU-style long options. The man page accidentally only
had one dash in the summary (it was correct elsewhere); it now
correctly shows both dashes.
* Modified man page to list filename extensions that are
interpreted as C/C++.
* Removed index.html from distribution - it's really only for the
website.
as PREFER_PKGSRC. Preferences are determined by the most specific
instance of the package in either PREFER_PKGSRC or PREFER_NATIVE. If
a package is specified in neither or in both variables, then PREFER_PKGSRC
has precedence over PREFER_NATIVE.
Python bindings for GNUTLS.
GnuTLS is a project that aims to develop a library which provides a
secure layer, over a reliable transport layer. Currently the GnuTLS
library implements the proposed standards by the IETF's TLS working
group.
really only needs gettext-lib through libgpg-error, and doesn't need
libiconv at all unless it uses the pkgsrc gettext-lib. The gettext-lib
buildlink3.mk file combined with the buildlink3 framework is considerably
better at detecting this than the buildlink2.mk, which broke in a lot of
instances.
This provides both simple and fine-grained control over the Kerberos
prefix. If not specified, KRB4_PREFIX_CMDS will default to the value
of KERBEROS_PREFIX_CMDS. If specified, it overrides KERBEROS_PREFIX_CMDS.
of bootstrap-pkgsrc).
ftp is now always installed as bin/k4ftp. In addition, if the variable
KRB4_PREFIX_CMDS is set to YES, rcp, rlogin, rsh, su, and telnet will
be installed with a "k4" prefix.
This has been achieved by stealing the transform code from security/heimdal
and by tailoring it a bit.
Closes PR pkg/24354 by Tracy Di Marco White.
targets so platforms other than *BSD have a chance of building.
install /etc/TIMEZONE on Solaris.
XXX this package still needs more work to be useful on Solaris
and other platforms.
BUILDLINK_PREFER_PKGSRC
This variable determines whether or not to prefer the pkgsrc
versions of software that is also present in the base system.
This variable is multi-state:
    defined, or "yes"       always prefer the pkgsrc versions
    not defined, or "no"    only use the pkgsrc versions if
                            needed by dependency requirements
This can also take a list of packages for which to prefer the
pkgsrc-installed software. The package names may be found by
consulting the value added to BUILDLINK_PACKAGES in the
buildlink[23].mk files for that package.
_mpih-mul1.s:2: Error: alignment not a power of 2
_mpih-mul1.s:20: Error: alignment not a power of 2
So, changing ALIGN (3) to ALIGN (4) fixes these problems.
Patch sent by pancake in private email, adapted to use subst.mk
framework by me.
Version 4.3.2 contains various bugfixes and improvements to the documentation
and software.
o Minor modifications to the check-updates.pl script.
o A libmilter plugin for the Mail Scanner added.
o A qmail plugin for the Mail Scanner added.
o Improved mime handling.
o Various features added to scan-mail.pl.
o Minor improvements in mime handling.
the normal case when BUILDLINK_DEPENDS.<pkg> isn't specified, it receives
a value only once due to the multiple inclusion protection in the
buildlink3.mk files. In the case where a package includes several
buildlink3.mk files that each want a slightly different version of another
dependency, having BUILDLINK_DEPENDS.<pkg> be a list allows for the
strictest <pkg> dependency to be matched.
sent to me by the author Shane Kinney
A system utility that destroys files on the hard drive
by writing null and random bytes to the file over and over.
0.22 2004/01/23
* parse_subpacket() is split into parse_signature_subpacket() and
parse_userattr_subpacket(). A bug of length calculation is fixed.
* The critical bit of the signature subpackets is supported.
Peter Palfrader <peter@palfrader.org>
0.21 2004/01/13
* Removing compiler warnings.
* Using getopt().
* Supporting RISC OS.
Stefan Bellon <sbellon@sbellon.de>
* Correct casting for Bzip2.
Stefan Bellon <sbellon@sbellon.de>
* Prepared os/riscos/{config.h,Makefile} since "sh" does not exist on
RISC OS.
Stefan Bellon <sbellon@sbellon.de>
Major changes from previous version:
Master site has moved to sourceforge
Licence has changed to a GPL-like licence
Minor changes from previous version:
12-21-1999 - 1.1 Fixed typo in bare-bones TCP list where 524 was supposed to be for 1524.
03-31-2000 - 1.1 Updated .conf to add ipf blocking rule. Thanks Graham Dunn
<gdunn@inscriber.com>
06-08-2000 - 1.1 Fixed an error in the state engine portion that could cause an increment error
under certain conditions. Thanks Peter M. Allan <peter.m.allan@hsbcgroup.com> for finding this.
6-21-2000 - 1.1 New Features added
- Added in feature to disable DNS host resolution by checking RESOLVE_HOST in
conf file.
- Added in feature to have external command run before or after blocking has
occurred as defined in KILL_RUN_CMD_FIRST option in conf file.
- Removed DoBlockTCP/UDP functions. Converted over to generic flag checker.
7-5-2000 - 1.1
- Added iptables support (thanks Scott Catterton <scatterton@valinux.com>)
- Added Makefile support for Irix
- Put in ports for common DDOS ports
9-8-2000 - 1.1 - Added in netmask support
9-9-2000 - 1.1 - Finally moved resolver functions to own area.
- Made CleanAndResolve to ensure DNS records returned are sanitized
correctly before being passed back.
3-23-2001 - 1.1 - Fixed a bug that showed up under Linux 2.4 Kernel that would cause accept
to loop. There was an error with how I used a count variable after trying to bind to ports.
If the port didn't bind the count for the openSockfd would still increment and this caused
the error to show up.
6-26-2001 - 1.1 - Added Mac OS X build support (Same as FreeBSD). Fixed bug for Advanced mode
to properly monitor 1024 ports (it only did first 1023 before). Thanks Guido.
05-23-2003 - 1.2 - Removed references to old psionic e-mail and changed license to
Common Public License.
I've also added a fix for a multi-line string constant for gcc3.
OpenSSL software. Otherwise, set it to /etc/ssl/certs, which is where a
lot of Linux distros store certs. The behaviour on NetBSD systems is
unchanged -- always set to /etc/openssl/certs. Fixes PR 24161.
If an optional "mykeyid" is given on the command line, use different
colors for lines to & from that node. The colors are:
    green   mutual trust, includes mykey
    blue    mutual trust, not mykey
    orange  someone trusts mykey (one way)
    red     mykey trusts someone (one way)
    black   one way trust, not mykey
which lists all the keys in your public key ring, along with all
their signatures, and converts it to a di-graph in "dot" language
form.
The graphviz package can turn the description into a graph you can
look at to see who has signed whose key, or how far it is from your
key to someone in Reykjavik, etc.
Kerberos implementation packages to decide whether to prefix certain
commands with a "k" to differentiate it from system tools with similar
names. KERBEROS_PREFIX_CMDS defaults to "no".
Version 1.0.4 (04/01/2004)
- Changed handshake behaviour to send the lowest TLS version
when an unsupported version was advertized. The current behaviour
is to send the maximum version we support.
- certtool no longer asks the password in unencrypted private
keys.
- The source is now compiled to use the reentrant libc functions.
in agc's last bulk build.
Changes since 0.11:
- ZServerSSL with client certificate-based authentication rides again.
- Created Makefile for Python 2.3.
- Modified LICENCE: changed my name to the generic "the author" in the
all-caps disclaimer paragraph.
- Allow to save RSA key pair in the clear.
- ZServerSSL for Zope 2.7.
- Excluded RC5. IDEA was taken out several releases ago. This should
allow M2Crypto to build with stock OpenSSL on various Linuxen.
- Added ssl_set_tmp_dh_callback.
- Added ssl_set_tmp_rsa and ssl_set_tmp_rsa_callback to support weak-cipher
browsers.
- ZServerSSL exports SSL_CIPHER request header (a la mod_ssl) to Zope applications.
- Perform distutils's SWIG .i search path tweaking within setup.py. setup.py
should now work "out of the box".
- Allow using a passphrase callback in class SMIME. Thanks to Artur Frysiak
<wiget@pld-linux.org> for the patch.
- Added method get0_signers to class PKCS7, which retrieves signers' certificates
from a PKCS7 blob. Thanks again to Artur Frysiak.
- Added contrib/smimeplus.py, a high-level S/MIME interface, contributed by Bernard
Yue <bernie@3captus.com>. Thanks Bernard.
- Alias 'emailAddress' to 'Email' in X509.X509_Name.nid to support recent OpenSSL
convention.
command line options. We need -I/usr/include/krb5 to build against
heimdal, so symlink the headers in /usr/include/krb5 into ${BUILDLINK_DIR}
so they can be found.
Heimdal is a free implementation of Kerberos 5.
Kerberos is a system for authenticating users and services on a network.
It is built upon the assumption that the network is "unsafe". Kerberos
is a trusted third-party service. That means that there is a third
party (the Kerberos server) that is trusted by all the entities on the
network (users and services, usually called "principals"). All
principals share a secret password (or key) with the Kerberos server and
this enables principals to verify that the messages from the Kerberos
server are authentic. Thus trusting the Kerberos server, users and
services can authenticate each other.
saslauthd is a daemon process that handles plaintext authentication
requests on behalf of the Cyrus SASL library. It may be compiled to
support authentication using getpwent, PAM, or an LDAP database.
splitting out the saslauthd daemon into a separate package,
security/cyrus-saslauthd. This allows the saslauthd daemon to
support additional database backends for plaintext authentication
without adding unrelated dependencies to the cyrus-sasl2 package.
provided in PR 24022 by ISIHARA Takanori. This was taken from the
FreeBSD Packages Collection and ported to NetBSD by ISIHARA Takanori.
Additional fixes to make the package compile on NetBSD by myself,
along with fixes for the build infrastructure (since libevent is part
of NetBSD-current).
"Fragroute intercepts, modifies, and rewrites egress traffic destined
for a specified host, implementing most of the attacks described in the
Secure Networks "Insertion, Evasion, and Denial of Service: Eluding
Network Intrusion Detection" paper of January 1998.
It features a simple ruleset language to delay, duplicate, drop,
fragment, overlap, print, reorder, segment, source-route, or otherwise
monkey with all outbound packets destined for a target host, with
minimal support for randomized or probabilistic behaviour.
This tool was written in good faith to aid in the testing of network
intrusion detection systems, firewalls, and basic TCP/IP stack
behaviour. Please do not abuse this software."
"Package Makefiles should refer to PKG_SYSCONFBASEDIR instead of
PKG_SYSCONFBASE when they want PKG_SYSCONFDIR stripped of
PKG_SYSCONFSUBDIR. This makes PKG_SYSCONFBASE=/etc work with pkgviews by
installing all config files into /etc/packages/<pkg> instead of
occasionally putting some directly into /etc."
From PR pkg/23634 by Louis Guillaume.
also noted in PR pkg/23339.
Fix configure to not try and _statically_ link in gssapi support as it doesn't
work (unresolved symbols when used). This deals with the second part of
PR pkg/23339.
For home users using the BSD open-source operating system, we offer F-Prot
Antivirus for BSD Workstations. F-Prot Antivirus for BSD Workstations
utilizes the renowned F-Prot Antivirus scanning engine for primary scan but
has in addition to that a system of internal heuristics devised to search
for unknown viruses.
F-Prot Antivirus for BSD was especially developed to effectively eradicate
viruses threatening workstations running FreeBSD, NetBSD, or OpenBSD. It
provides full protection against macro viruses and other forms of malicious
software - including Trojans.
By popular demand, add a -v switch to audit-packages(8) which enables the
check for a package vulnerabilities file being unchanged for over 7 days.
To enable the check, -v must be specified on the command line:
% audit-packages
% audit-packages -v
*** WARNING - /usr/distfiles/pkg-vulnerabilities more than a week old, continuing...
%
not include <openssl/rsa.h> from <openssl/x509.h>. Fixes PR pkg/23901.
While here, apply the patches to properly buildlinkify it for openssl,
which I forgot to pass to agc@ for the last update.
The Digest::Hashcash Perl module calculates n-bit partial hash
collisions on chosen texts.
The idea of using partial hashes is that they can be made arbitrarily
expensive to compute (by choosing the desired number of bits of
collision), and yet can be verified instantly. This can be used as the
basis for an e-cash system measured in burnt CPU cycles. Such cash
systems can be used to throttle systematic abuses of un-metered internet
resources.
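The cost asymmetry described above, as an added example that is not part of the original commit message and does not use the Digest::Hashcash API. It assumes a simplified token of the form "resource:counter" whose SHA-1 digest must start with a chosen number of zero bits; the function names and the token layout are hypothetical.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, bits: int) -> tuple:
    """Try counters until SHA-1("resource:counter") has `bits` leading zero bits.

    Returns (token, hashes_tried). The expected work is about 2**bits hashes,
    so each extra bit doubles the cost for the sender.
    """
    for tries, counter in enumerate(count(), start=1):
        token = f"{resource}:{counter:x}"
        digest = hashlib.sha1(token.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return token, tries


def verify(token: str, resource: str, bits: int, seen: set) -> bool:
    """Check a token with a single hash.

    The token must name the expected resource (so it cannot be spent
    elsewhere), must not have been presented before (so it cannot be
    replayed), and must meet the required number of zero bits.
    """
    name, sep, _counter = token.rpartition(":")
    if not sep or name != resource:
        return False
    if token in seen:
        return False
    digest = hashlib.sha1(token.encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    seen.add(token)
    return True


if __name__ == "__main__":
    spent = set()  # constructed in-memory replay cache for the demo
    token, tries = mint("alice@example.org", 16)
    print(f"minted {token!r} after {tries} hashes")
    print("first use :", verify(token, "alice@example.org", 16, spent))
    print("replay    :", verify(token, "alice@example.org", 16, spent))
```

A real deployment also needs an expiry date inside the token so the replay cache can be pruned.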
* Added read-only support for BZIP2 compression. This should be
considered experimental, and is only available if the libbzip2
library <http://sources.redhat.com/bzip2/> is installed.
* Added the ability to handle messages that can be decrypted with
either a passphrase or a secret key.
* Most support for Elgamal sign+encrypt keys has been removed.
Old signatures may still be verified, and existing encrypted
messages may still be decrypted, but no new signatures may be
issued by, and no new messages will be encrypted to, these keys.
Elgamal sign+encrypt keys are not part of the web of trust. The
only new message that can be generated by an Elgamal
sign+encrypt key is a key revocation. Note that in a future
version of GnuPG (currently planned for 1.4), all support for
Elgamal sign+encrypt keys will be removed, so take this
opportunity to revoke old keys now.
* A Russian translation is included again as well as a new
Belarusian translation.
- Corrected bug in gnutls_bye() which made it return an error code
of INVALID_REQUEST instead of success.
- Corrected a bug in the GNUTLS_KEY key usage definitions.
Changes since 1.0.0:
- Some minor fixes in the makefiles. They now include CFLAGS
from libgcrypt or opencdk if installed in a non standard directory.
- Fixed the SRP detection test in gnutls-cli-debug.
- Added gnutls_rsa_params_export_pkcs1() and
gnutls_rsa_params_import_pkcs1().
Noteworthy changes in version 0.7.0 (2003-10-22)
------------------------------------------------
* Long file operations no longer block GPA, so several operations can be
run at the same time. This also means GPA does not freeze while an operation
runs, leading to a more responsive interface.
* The keyring editor now displays all the subkeys of the currently selected
key. This is only visible if GPA is in advanced mode (available from the
preferences dialog).
* The capabilities of a key (certify, sign, encrypt) are now visible from
the keyring editor.
* The keyring editor can now sort keys by any column. By default, they are
listed in the order they were imported into the keyring (i.e. the same order
as "gpg --list-keys").
* The key list is now displayed while it is being filled, allowing for
faster startup times.
* A warning dialog is now displayed when an operation slows down due to
gpg rebuilding the trust database.
* Imports and exports from files and servers have been separated into
different dialogs and menu options.
* Invoking GPA with file names as arguments will open those files in the
file manager.
* Cosmetic and minor fixes to the file manager window.
* GPA now remembers the brief/detailed setting view and restores it
when GPA is started.
* Removed all deprecated widgets. GPA is now pure GTK+ 2.2.
* Fixed a hang on startup on PowerPC machines.
Noteworthy changes in version 0.6.1 (2003-01-29)
------------------------------------------------
* Added a popup menu to the keyring view, with all the common operations.
* Keys' expiration dates can be chosen by clicking on a calendar.
* The key generation dialogs have been revamped to use GTK+2 stock widgets.
* The passphrase for a key can be changed from the edit key dialog.
* Revoked user names are properly treated. They are not displayed, save in
the details notebook, and then they are clearly marked as revoked.
* GPA now uses the standard GTK+ file selection dialog.
* Added Swedish translation.
* Many other bugfixes, including several portability issues.
Noteworthy changes in version 0.6.0 (2002-12-24)
------------------------------------------------
* GPA now supports GnuPG 1.2 or later, thanks to its use of GPGME.
* All the user preferences are set from a single dialog, and automatically
saved in gpa.conf, including the default keyserver and the use of
advanced/simple UI mode.
* The `--advanced-ui' command line option has been removed, as it is
available within the program itself.
* The new `-f' and `-k' options can be used to launch the keyring editor,
the file manager, or both on startup.
* All the user ID's in a key are now displayed in the `Details' section, and
in most dialogs.
* Key signatures are now displayed individually for each User ID, or in a
global listing for the key.
* The usual `Copy' and `Paste' commands can be used to import and export keys
from the clipboard.
* The `Edit key' option is now only available for private keys. Setting the
ownertrust of a key is now an independent operation.
* After every import operation, the user is informed of how many keys have
been imported.
* Errors or keyserver operations are now reported to the user.
* The `Verify file' dialog has been completely revamped to allow
verification of several files at the same time.
* Added Japanese, Brazilian Portuguese, Dutch and Spanish translations.
* The user interface has been updated to use GTK+ 2.0 and stock items.
Noteworthy changes in version 0.5.0 (2002-02-25)
------------------------------------------------
* The file selection dialog has been significantly changed from the
standard GTK+ file selection dialog to look more like what users
of MS-Windows are accustomed to.
* "Show Details" in the menu of the file manager is now named
"Verify Signatures", and it is now accessible through an icon in
the tool bar, too.
* Keyserver access via a direct HTTP request now allows for
searching for keys on keyservers.
* GPAPA's output is now gettext()ified.
* The standard key is now remembered in `gpa.conf'.
* The "Sign File" dialog has been simplified.
* The creation of a backup copy of your public and private keys
works now. It is remembered in `gpa.conf'. If a backup does not
yet exist, the user is asked at startup to create one.
* GPA now has a nice icon in the upper left corner of its window. :-)
* Many bugfixes (for instance: crashes when signing files and keys,
handling of spaces in file names, etc.).
* Makefiles do contain `-mwindows' now to suppress the console
window.
* The "Help" menu is now called "Info". The license is displayed
in the (unofficial) German translation now. (This should be
improved to honor "locale" settings.)
* GPA is now ready to compile with GTK+ version 2 once it is
released.
* In the key manager, there are now menu entries for key operations.
* A secret key without a matching public key is now warned about.
* Keys now can be imported from and exported to the MS Windows
clipboard.
* Secret keys can be imported now.
* When a key is generated, a passphrase which is too stupid is
warned about.
* There now is an icon in the tool bar to switch from the keyring
manager to the file manager.
* GPA can now be compiled using a standard GNU toolchain.
In particular it can be cross-compiled from GNU/Linux to
mingw32/MS-Windows (which is what we did for the GnuPP CD),
or compiled natively under MS-Windows using CygWin.
Noteworthy changes in version 0.4.3 (2003-10-06)
------------------------------------------------
* libgpgme should not be used for threaded programs anymore. This
never worked reliably in all cases, because you had to
be careful about the linking order and libtool wouldn't do that for
you automatically. Instead, now you have to link against
libgpgme-pthread for applications using pthread and libgpgme-pth for
applications using GNU Pth.
The old code for automagically detecting the thread library is
still part of libgpgme, but it is DEPRECATED.
* There are new automake macros AM_PATH_GPGME_PTH and
AM_PATH_GPGME_PTHREAD, which support checking for thread-enabled
versions of GPGME. They define GPGME_PTH_CFLAGS, GPGME_PTH_LIBS,
GPGME_PTHREAD_CFLAGS and GPGME_PTHREAD_LIBS respectively. These
variables of course also include the configuration for the thread
package itself. Alternatively, use libtool.
* gpgme_strerror_r as a thread safe variant of gpgme_strerror was
added.
* gpgme-config doesn't support setting the prefix or exec prefix
anymore. I don't think it ever worked correctly, and it seems to
be pointless.
* gpgme_get_key fails with GPG_ERR_AMBIGUOUS_NAME if the key ID
provided was not unique, instead returning the first matching key.
* gpgme_key_t and gpgme_subkey_t have a new field, can_authenticate,
that indicates if the key can be used for authentication.
* gpgme_signature_t's status field is now correctly set to an error
with error code GPG_ERR_NO_PUBKEY if public key is not found.
* gpgme_new_signature_t's class field is now an unsigned int, rather
than an unsigned long (the old class field is preserved for
backwards compatibility).
* A new function gpgme_set_locale() is provided to allow configuring
the locale for the crypto backend. This is necessary for text
terminals so that programs like the pinentry can be started with
the right locale settings for the terminal the application is running
on, in case the terminal has different settings than the system
default (for example, if it is a remote terminal). You are highly
recommended to call the following functions directly after
gpgme_check_version:
#include <locale.h>
setlocale (LC_ALL, "");
gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
gpgme_set_locale (NULL, LC_MESSAGES, setlocale (LC_MESSAGES, NULL));
GPGME can not do this for you, as setlocale is not thread safe, and
there is no alternative.
* The signal action for SIGPIPE is now set to SIG_IGN by
gpgme_check_version, instead of the first time a crypto engine is
started (which is not well defined).
* In the output of gpgme_hash_algo_name, change RMD160 to RIPEMD160,
TIGER to TIGER192, CRC32-RFC1510 to CRC32RFC1510, and CRC24-RFC2440
to CRC24RFC2440. For now, these strings can be used as the MIC
parameter for PGP/MIME (if appropriately modified).
Noteworthy changes in version 0.4.2 (2003-07-30)
------------------------------------------------
* Allow gpg-error to be in non-standard place when linking the test suite.
* Configure will fail now if gpg-error can not be found.
* Fixed initialized memory backed data objects for writing, which
caused the test program to crash (but only on Mac OS, surprisingly).
* Eliminate use of C99 constructs.
* Small improvements to the manual.
Noteworthy changes in version 0.4.1 (2003-06-06)
------------------------------------------------
This is the release that 0.4.0 should have been. There are many
interface changes, please see below for the details. The changes are
sometimes the result of new functionality, but more often express a
paradigm shift. Others are an overdue cleanup to get GPGME in line
with the GNU coding standards and to make the interface more
self-consistent. Here is an overview on the changes:
All types have been renamed to conform to the GNU coding standards,
most of the time by keeping the whole name in lowercase and inserting
underscores between words.
All operations consistently only accept input parameters in their
invocation function, and return only an error code directly. Further
information about the result of the operation has to be retrieved
afterwards by calling one of the result functions. This unifies the
synchronous and the asynchronous interface.
The error values have been completely replaced by a more
sophisticated model that allows GPGME to transparently and accurately
report all errors from the other GnuPG components, regardless of
process boundaries. This is achieved by using the library
libgpg-errors, which is shared by all GnuPG components. This library
is now required for GPGME.
The results of all operations are now provided by pointers to C
structs rather than by XML structs or in other ways.
Objects which used to be opaque (for example a key) are now pointers
to accessible structs, so no accessor functions are necessary.
Backward compatibility is provided where it was possible without too
much effort and did not collide with the overall sanitization effort.
However, this is only for ease of transition. NO DEPRECATED FUNCTION
OR DATA TYPE IS CONSIDERED A PART OF THE API OR ABI AND WILL BE
DROPPED IN THE FUTURE WITHOUT CHANGING THE SONAME OF THE LIBRARY.
Recommendations how to replace deprecated or removed functionality
can be found within the description of each change.
What follows are all changes to the interface and behaviour of GPGME
in detail.
* If gpgme.h is included in sources compiled by GCC 3.1 or later,
deprecated attributes will warn about use of obsolete functions and
type definitions. You can suppress these warnings by passing
-Wno-deprecated-declarations to the gcc command.
* The following types have been renamed. The old types are still
available as aliases, but they are deprecated now:
[complete list in NEWS file]
* gpgme_error_t is now identical to gpg_error_t, the error type
provided by libgpg-error. More about using libgpg-error with GPGME
can be found in the manual. All error symbols have been removed!
* All functions and types in libgpg-error have been wrapped in GPGME.
The new types are gpgme_err_code_t and gpgme_err_source_t. The new
functions are gpgme_err_code, gpgme_err_source, gpgme_error,
gpgme_err_make, gpgme_error_from_errno, gpgme_err_make_from_errno,
gpgme_err_code_from_errno, gpgme_err_code_to_errno,
gpgme_strsource.
* GPGME_ATTR_IS_SECRET is not anymore representable as a string.
* GnuPG 1.2.2 is required. The progress callback is now also invoked
for encrypt, sign, encrypt-sign, decrypt, verify, and
decrypt-verify operations. For verify operations on detached
signatures, the progress callback is invoked for both the detached
signature and the plaintext message, though.
* gpgme_passphrase_cb_t has been changed to not provide a complete
description, but the UID hint, passphrase info and a flag
indicating if this is a repeated attempt individually, so the user
can compose his own description from this information.
The passphrase is not returned as a C string, but must be written
to a file descriptor directly. This allows for secure passphrase
entries.
The return type has been changed to gpgme_error_t value. This
allowed the gpgme_cancel function to be removed; just return
the error code GPG_ERR_CANCELED in the passphrase callback directly.
* gpgme_edit_cb_t has been changed to take a file descriptor argument.
The user is expected to write the response to the file descriptor,
followed by a newline.
* The recipients interface has been removed. Instead, you use
NULL-terminated lists of keys for specifying the recipients of an
encryption operation. Use the new encryption flag
GPGME_ENCRYPT_ALWAYS_TRUST if you want to override the validity of
the keys (but note that in general this is not a good idea).
This change has been made to the prototypes of gpgme_op_encrypt,
gpgme_op_encrypt_start, gpgme_op_encrypt_sign and
gpgme_op_encrypt_sign_start.
The export interface has been changed to use pattern strings like
the keylist interface. Thus, new functions gpgme_op_export_ext and
gpgme_op_export_ext_start have been added as well. Now the
prototypes of gpgme_op_export_start and gpgme_op_export finally
make sense.
* gpgme_op_verify and gpgme_op_decrypt_verify don't return a status
summary anymore. Use gpgme_get_sig_status to retrieve the individual
stati.
* gpgme_io_cb_t changed from a void function to a function returning
a gpgme_error_t value. However, it will always return 0, so you
can safely ignore the return value.
* A new I/O callback event GPGME_EVENT_START has been added. The new
requirement is that you must wait for this event before you are
allowed to call the I/O callback handlers previously registered for
this context operation. Calling I/O callback functions for this
context operation before the start event happened is unsafe because
it can lead to race conditions in a multi-threaded environment.
* The idle function feature has been removed. It was not precisely
defined in a multi-threaded environment and is obsoleted by the
user I/O callback functions. If you still need a simple way to
call something while waiting on one or multiple asynchronous
operations to complete, don't set the HANG flag in gpgme_wait (note
that this will return to your program more often than the idle
function did).
* gpgme_wait can return NULL even if hang is true, if an error
occurs. In that case *status contains the error code.
* gpgme_get_engine_info was radically changed. Instead of an XML
string, an info structure of the new type gpgme_engine_info_t is
returned. This makes it easier and more robust to evaluate the
information in an application.
* The new function gpgme_get_protocol_name can be used to convert a
gpgme_protocol_t value into a string.
* The status of a context operation is not checked anymore. Starting
a new operation will silently cancel the previous one. Calling a
function that requires you to have started an operation before without
doing so is undefined.
* The FPR argument to gpgme_op_genkey was removed. Instead, use the
gpgme_op_genkey_result function to retrieve a gpgme_genkey_result_t
pointer to a structure which contains the fingerprint. This also
works with gpgme_op_genkey_start. The structure also provides
other information about the generated keys.
* The new gpgme_op_import_result function provides detailed
information about the result of an import operation in
gpgme_import_result_t and gpgme_import_status_t objects.
Thus, the gpgme_op_import_ext variant is deprecated.
* The new gpgme_op_sign_result function provides detailed information
about the result of a signing operation in gpgme_sign_result_t,
gpgme_invalid_key_t and gpgme_new_signature_t objects.
* The new gpgme_op_encrypt_result function provides detailed
information about the result of an encryption operation in
a GpgmeEncryptResult object.
* The new gpgme_op_decrypt_result function provides detailed
information about the result of a decryption operation in
a GpgmeDecryptResult object.
* The new gpgme_op_verify_result function provides detailed
information about the result of a verify operation in
a GpgmeVerifyResult object. Because of this, the GPGME_SIG_STAT_*
values, gpgme_get_sig_status, gpgme_get_sig_ulong_attr,
gpgme_get_sig_string_attr and gpgme_get_sig_key are now deprecated,
and gpgme_get_notation is removed.
* GpgmeTrustItem objects have now directly accessible data, so the
gpgme_trust_item_get_string_attr and gpgme_trust_item_get_ulong_attr
accessor functions are deprecated. Also, reference counting is
available through gpgme_trust_item_ref and gpgme_trust_item_unref
(the gpgme_trust_item_release alias for the latter is deprecated).
* Keys are not cached internally anymore, so the force_update argument
to gpgme_get_key has been removed.
* GpgmeKey objects have now directly accessible data so the
gpgme_key_get_string_attr, gpgme_key_get_ulong_attr,
gpgme_key_sig_get_string_attr and gpgme_key_sig_get_ulong_attr
functions are deprecated. Also, gpgme_key_release is now
deprecated. The gpgme_key_get_as_xml function has been dropped.
* Because all interfaces using attributes are deprecated, the
GpgmeAttr data type is also deprecated.
* The new gpgme_op_keylist_result function provides detailed
information about the result of a key listing operation in
a GpgmeKeyListResult object.
* Now that each function comes with its own result retrieval
interface, the generic gpgme_get_op_info interface is not useful
anymore and dropped.
* The type and mode of data objects is not available anymore.
Noteworthy changes in version 0.4.0 (2002-12-23)
------------------------------------------------
* Key generation returns the fingerprint of the generated key.
* New convenience function gpgme_get_key.
* Supports signatures of user IDs in keys via the new
GPGME_KEYLIST_MODE_SIGS keylist mode and the
gpgme_key_sig_get_string_attr and gpgme_key_sig_get_ulong_attr
interfaces. The XML info about a key also includes the signatures
if available.
* New data object interface, which is more flexible and transparent.
Lots of interface changes, for details see the included
NEWS file.