pkgsrc-changes: CVS commit: pkgsrc/security/gnupg

Subject: CVS commit: pkgsrc/security/gnupg
To: None <pkgsrc-changes@netbsd.org>
From: Thomas Klausner <wiz@netbsd.org>
List: pkgsrc-changes
Date: 05/07/2002 21:48:48
Module Name:	pkgsrc
Committed By:	wiz
Date:		Tue May  7 18:48:48 UTC 2002

Modified Files:
	pkgsrc/security/gnupg: Makefile PLIST distinfo
	pkgsrc/security/gnupg/patches: patch-ab patch-ac

Log Message:
Update to 1.0.7.
* Secret keys are now stored and exported in a new format which
  uses SHA-1 for integrity checks.  This format renders the
  Rosa/Klima attack useless.  Other OpenPGP implementations might
  not yet support this, so the option --simple-sk-checksum creates
  the old vulnerable format.

* The default cipher algorithm for encryption is now CAST5,
  default hash algorithm is SHA-1.  This will give us better
  interoperability with other OpenPGP implementations.

* Symmetric encrypted messages now use a fixed file size if
  possible.  This is a tradeoff: it breaks PGP 5, but fixes PGP 2,
  6, and 7.  Note this was only an issue with RFC-1991 style
  symmetric messages.

* Photographic user ID support.  This uses an external program to
  view the images.

* Enhanced keyserver support via keyserver "plugins".  GnuPG comes
  with plugins for the NAI LDAP keyserver as well as the HKP email
  keyserver.  It retains internal support for the HKP HTTP
  keyserver.

* Nonrevocable signatures are now supported.  If a user signs a
  key nonrevocably, this signature cannot be taken back so be
  careful!

* Multiple signature classes are usable when signing a key to
  specify how carefully the key information (fingerprint, photo
  ID, etc) was checked.

* --pgp2 mode automatically sets all necessary options to ensure
  that the resulting message will be usable by a user of PGP 2.x.

* --pgp6 mode automatically sets all necessary options to ensure
  that the resulting message will be usable by a user of PGP 6.x.

* Signatures may now be given an expiration date.  When signing a
  key with an expiration date, the user is prompted whether they
  want their signature to expire at the same time.

* Revocation keys (designated revokers) are now supported if
  present.  There is currently no way to designate new keys as
  designated revokers.

* Permissions on the .gnupg directory and its files are checked
  for safety.

* --expert mode enables certain silly things such as signing a
  revoked user id, expired key, or revoked key.

* Some fixes to build cleanly under Cygwin32.

* New tool gpgsplit to split OpenPGP data formats into packets.

* New option --preserve-permissions.

* Subkeys created in the future are not used for encryption or
  signing unless the new option --ignore-valid-from is used.

* Revoked user-IDs are not listed unless signatures are listed too
  or we are in verbose mode.

* There is no default comment string with ascii armors anymore
  except for revocation certificates and --enarmor mode.

* The command "primary" in the edit menu can be used to change the
  primary UID, "setpref" and "updpref" can be used to change the
  preferences.

* Fixed the preference handling; since 1.0.5 they were erroneously
  matched against against the latest user ID and not the given one.

* RSA key generation.

* It is now possible to sign and conventional encrypt a message (-cs).

* The MDC feature flag is supported and can be set by using
  the "updpref" edit command.

* The status messages GOODSIG and BADSIG are now returning the primary
  UID, encoded using %XX escaping (but with spaces left as spaces,
  so that it should not break too much)

* Support for GDBM based keyrings has been removed.

* The entire keyring management has been revamped.

* The way signature stati are store has changed so that v3
  signatures can be supported. To increase the speed of many
  operations for existing keyrings you can use the new
  --rebuild-keydb-caches command.

* The entire key validation process (trustdb) has been revamped.
  See the man page entries for --update-trustdb, --check-trustdb
  and --no-auto-check-trustdb.

* --trusted-keys is again obsolete, --edit can be used to set the
  ownertrust of any key to ultimately trusted.

* A subkey is never used to sign keys.

* Read only keyrings are now handled as expected.


To generate a diff of this commit:
cvs rdiff -r1.30 -r1.31 pkgsrc/security/gnupg/Makefile
cvs rdiff -r1.2 -r1.3 pkgsrc/security/gnupg/PLIST
cvs rdiff -r1.7 -r1.8 pkgsrc/security/gnupg/distinfo
cvs rdiff -r1.12 -r1.13 pkgsrc/security/gnupg/patches/patch-ab
cvs rdiff -r1.10 -r1.11 pkgsrc/security/gnupg/patches/patch-ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.