klutshnik (0.4.1-1) unstable; urgency=medium

  * New upstream, released 2026-01-23 (missed 0.3.0, released 2025-09-22).
    git commit log for both releases follows:

    [ contributions by Enjeck C. aka patrathewhiz ]

    [doc] Improve consistency
    [doc] Use consistent capitalization and formatting
    [doc] Improve docs

    [ changes by Stefan Marsiske ]

    [doc] reviewed and updated enjecks awesome contribution to all docs
    [doc] sadly funding ended
    [mod] new keys for rpi image seccomp rule test config due to hkdf->hash
     migration
    [mod] don't ignore failures during tests when generating seccomp rules
    [mod] use blake2 instead of hkdf to derive ltsig/noise keys from the
     client master key
    [fix] unit and e2e tests
    [mod] gh action uses zig v0.15.2
    [mod] rpi img klutshnik-rev doesn't need to be in git
    [mod] removed commented out trace msg in client
    [doc] added todo handling cheaters in client
    [mod] new keys for test clients
    [mod] test config was one dir deeper
    [mod] moved sleep to a more sane location in start-servers
    [mod] changed the rpi image test keys due to the new client master key
     mechanism
    [mod] increased default timeout in rpi image to 15 sec
    [enh] use more generic rpi image test.sh without hardcoded keys
    [mod] server config moved to klutshnikd
    [mod] rpi image test/start-servers don't debug and handle SIGQUIT
    [fix] need to install zstd in docker rpi image builder
    [doc] comment why not use alpine v3.23 in build.env
    [doc] rpi image is zstd compressed
    [fix] read authorized_keys file correctly (as per zig v0.15.2) in server
    [mod] zig writergate cont'd, fixed other file.reader calls
    [fix] test/otherclient/klutshnik.cfg had a server stanza commented out
    [enh] test also full init, with completely new key values
    [mod] changed test setups to support clientkey instead of ltsig/noisekey
    [fix] truncate adduser pubkey if it is the long version
    [doc] document noise and ltsig key in whitepaper
    [doc] document init op change on website
    [mod] tail last 50 log lines in start server if ORACLE_TAIL is set
    [doc] document clientkey_path and init op in client manpages
    [enh] support new explicit add and del user ops in the server, in tls
     servers this is irrelevant
    [enh] modauth now distinguishes between add/del user, so that their noise
     key can be added/deleted from authorized_keys on klutshnik devices
    [enh] provisioning ble/usb devices has been streamlined
    [enh] init gets an extra parameter which automatically sets some values
     like ltsigpub
    [enh] ltsig and noise keys are derived from a master secret
    [fix] decrypt only needs t replies
    [mod] getcfg returns also the set of config files that contributed to
     the final cfg
    [mod] .gitignore update
    [mod] addes some checks for write return values in tuokms.c
    [fix] assert that pkid == req.id in toprf_update of server
    [enh] display url howto setup tls certs if none found
    [fix] make provision wait a bit longer for device to generate stuff
    [fix] don't abort during init/provision if servers cfg is incomplete
    [fix] name of usb device during provisioning
    [fix] init cmd in cli-ent
    [doc] added website sources
    [fix] got releasesafe working with bearssl
    [fix] building bearssl with ReleaseSafe
    [enh] add also seccomp profile as artifact
    [fix] path to seccomp dir
    [enh] added seccomp rule gen
    [mod] removed publishing debug server config/logs
    [fix] create missing keystores
    [mod] switched to Debug mode for zig for testing until bearssl ub is
     resolved
    [mod] added upload of test results even if fail
    [mod] make klutshnikd passable via environ arg to unittests
    [mod] increase timeouts for tests
    [fix] test dir name
    [mod] correct version attr in workflow
    [mod] use newer upload artifact
    [enh] added github action build-test-publish
    [fix] subshells don't play nice with the adding of child pids to env vars
    [fix] shellchecked easy-test and start-servers
    [fix] removed useless config vars from sbox.sh
    [mod] cc-runtime not needed anymore
    [mod] also clean strace log from test server
    [enh] added framework for generating seccomp bpf rulesets
    [enh] test.sh can do stracing of a server designated by ORACLE_STRACE and
     only tails log if ORACLE_TAIL points at a server
    [mod] added man/*.html to .gitinore
    [enh] added python end2end unittests
    [mod] give error on log if record exist when creating in server
    [mod] added a todo and a bit more verbose exception in client
    [enh] added html version of manpages
    [mod] renamed klutshnik.cfg to klutshnikd.cfg for server
    [mod] added optional device deps to setup.py
    [fix] provide default for keystore config variable
    [mod] created minimal readme for the python package
    [mod] changed homepage in setup.py
    [doc] added acknowledments to readme
    [doc] added funding section to readme
    [doc] add provisioning command to man file
    [fix] handle all possible klutshnik cfg filenames in provisioning
    [mod] moved provision-ble from klutshnik-zephyr into client
    [mod] update zig-bearssl dep in build.zig.zon and minimum reqd zig
     version
    [fix] don't link explicitly zig_bearssl
    [fix] some ssl variables are zero-initialized
    [enh] updated to compile using zig v0.15.1
    [doc] added some layperson parseable about section to whitepaper
    [mod] switch to zstd compression for rpi images
    [mod] bumped to v0.3.0
    [enh] initial commit of raspi image builder
    [mod] added extra check in create() of python client
    [fix] trailing backslash in uninstall deps list
    [fix] add missing uninstall target
    [fix] aarch64 has no stack-protection=full in libklutshnik.so makefile
    [fix] libsodium module in server
    [mod] updated build.zig.zon so that it includes a fix for
     https://github.com/jedisct1/libsodium/issues/1477
    [fix] enable liboprf debug only on debug builds if liboprf is not a
     system_lib
    [fix] klutshnik init when no authorized_keys file exists
    [fix] don't abort klutshnik init if there is no authorized_keys file
    [enh] fix build.zig so that we can cross-compile klutshnikd
    [fix] make server 32bit ready
    [fix] add rules for man install targets
    [mod] added DESTDIR prefix to all man/makefile install targets
    [fix] made makefile more useful for packaging
    [enh] added support for pyoprf/multiplexer USB serial connected peers in
     client

  * d/control: refer to https://klutshnik.info/ in python3-klutshnik extended
    description.
  * d/libklutshnik-dev.install: do not install
    usr/lib/x86_64-linux-gnu/pkgconfig/libklutshnik.pc/libklutshnik.pc but
    install u/l/x/pkgconfig/libklutshnik.pc .
  * d/patches/{makefile.patch,series}: re-enable makefile.patch, makefile.patch
    is now a one-line patch on makefile: honor $(CPPFLAGS) in default build
    rule.  this fixes the Debian blhc test.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sun, 15 Mar 2026 12:32:37 +0100

klutshnik (0.2.1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Drop dependency on python3-toml (Closes: #1111336)
  * Drop "Rules-Requires-Root: no", it is the default now
  * Use dh-sequence-python3
  * Bump "Standards-Version" to 4.7.2
  * Lintian: capitalization-error-in-description-synopsis
  * Lintian: trailing-whitespace

 -- Alexandre Detiste <tchet@debian.org>  Wed, 17 Sep 2025 08:53:05 +0200

klutshnik (0.2.1-1) unstable; urgency=low

  * New upstream, released 2025-08-19:
    [fix] start-servers.sh was non-posix conform
    [doc] typo in man pages
    [enh] add support for BLE klutshnikds
    [doc] changed wording regarding early experimental into beta grade
    [mod] added missing utils.c to makefile sources
    [mod] verify that stp_ltpk is the same as the pk that was authorized
    [mod] updated to build with zig v0.14.1
    [mod] updated threadmodel in whitepaper
    [doc] updated readme example session with latest variant of cli interface

 -- Joost van Baal-Ilić <joostvb@debian.org>  Wed, 20 Aug 2025 19:07:50 +0200

klutshnik (0.2.0-5) unstable; urgency=low

  * upload to unstable.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sat, 16 Aug 2025 08:58:36 +0200

klutshnik (0.2.0-4) experimental; urgency=low

  * d/libklutshnik-dev.install: no longer uses /usr/bin/dh-exec; the
    libklutshnik-dev package ships the upstream test suite under
    /usr/share/klutshnik/test/ .  Developers can run
    /usr/share/klutshnik/test/test.sh to test the klutshnik software.
    (We ship it with the runtime since we cannot perform a full test at
    build time: a full test would need klutshnik servers which we cannot
    ship yet due to Bug #995670 (ITP: zig -- General-purpose programming
    language [...]).
  * d/control: stricter python3-pyoprf build-depends: from 0.6.0 to 0.8.0.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sun, 01 Jun 2025 05:56:47 +0200

klutshnik (0.2.0-3) experimental; urgency=low

  * d/conrol: add missing liboprf-dev to Build-Depends.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Wed, 21 May 2025 14:41:46 +0200

klutshnik (0.2.0-2) experimental; urgency=low

  * d/conrol: add missing libsodium-dev to Build-Depends.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Wed, 21 May 2025 06:40:12 +0200

klutshnik (0.2.0-1) experimental; urgency=low

  * New upstream, released 2025-05-17:
    [mod] bumped py client to v0.2.0
    [doc] added inline todo in cli src
    [mod] using cc-runtime to build klutshnikd az a static binary on
     x86_64 - zig has ___(mul|add|sub)vsi3 compiler_rt symbols missing
    [doc] initial version of whitepaper
    [doc] fixed dash position in manpage should be dash, not listing
    [doc] fixed misplaced - in manpage
    [doc] added import also to synopsis of client manpage
    [doc] added description for cli import operation to manpage
    [mod] improved client ltsigkey docs/exposure
    [mod] improved test.sh to have a more broad coverage
    [enh] substantial rewrite of arg-parsing and -passing, result
     processing and (de)serialization of metadata in cli client
    [mod] require and use tomlkit instead of tomllib in cli client
    [doc] typo in klutschnik(1) and remove keyname param from update op
     cli syntax
    [mod] test/otherclient/klutshnik.cfg drop noisekey and use
     ltsigkey_path
    [mod] updated gitignore
    [fix] add missing "piped" lt sigkey to test/
    [mod] use ltsigkey_path in test/klutshnik.cfg
    [mod] auth() in server uses op not perm for requiring owner to be
     the authenticated party
    [fix] cfg file manpages go to section 5
    [mod] updated usage() in client
    [mod] don't save/load owner_pks in savekey/loadkeymeta
    [mod] test/klutshnik.cfg clients don't need a noise key
    [mod] keyids are uniform over all kms's
    [fix] also include op-code in authentication signature
    [mod] start-servers.sh msg missed a trailing newline
    [fix] auth side-chan leaking info

  * d/rules: enable upstream tests. For now we ignore all errors in tests.
  * d/klutshnik.manpages: upstream klutshnik.cfg.1 moved to klutshnik.cfg.5.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sat, 17 May 2025 14:19:52 +0200

klutshnik (0.1.0-1) experimental; urgency=low

  * Initial public release (Closes: #1094647)

  * Split the package in 4: klutshnik, libklutshnik0, libklutshnik-dev,
    python3-klutshnik:
    - d/control: 3 new binary packages
    - d/{libklutshnik-dev,libklutshnik0,python3-klutshnik}.install: new
    - d/klutshnik.links moved to d/libklutshnik-dev.links
    - d/{not-installed,rules}: adjusted

  * d/control: add python3-toml and python3-securestring to
    python3-klutshnik Depends.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sun, 11 May 2025 09:07:12 +0200

klutshnik (0.1.0-0.1) experimental; urgency=low

  * This release was never uploaded to the Debian archive.

  * New (first) upstream, released 2025-05-05:
    [mod] added version field to packets
    [mod] revert ltsigkey in test/klutshnik.cfg
    [mod] klutshnikd is really klutshnikd not just "server"
    [doc] updated readme
    [mod] enabled client.key in test/klutshnik.cfg
    [doc] added manpages for client/server and their configs
    [enh] added b64(ltsigkeypub+noisekeypub) output at end of server
     init() so it can be added to authorized_keys on all servers
    [mod] removed useless test artifact
    [mod] more extensive tests
    [mod] lot's of cleanups related to encrypt/update/rotate in client,
     and added support for refresh op
    [mod] prefix for ltsig pubkeys in klutshnik.cfg
    [mod] removed obsolete todo and dump from server
    [enh] added refresh op to server
    [enh] server auth() takes u8 to handle multiple permissions instead
     of one
    [enh] added storing and publishing of epoch of keys in server

  * d/klutshnik.docs: added: install upstream README.md.
  * d/rules: remove libklutshnik.so.0, libklutshnik.so, libklutshnik.a,
    pkgconfig/libklutshnik.pc from usr/lib/ : we install those via
    d/klutshnik.install
  * d/klutshnik.install: install pkgconfig/libklutshnik.pc in the right
    multiarch directory
  * d/control: add pkgconf to Build-Depends
  * d/control: do not depend upon python3:any, but on python since we are
    Multi-Arch: same and call pycompile. thanks lintian
  * d/control, d/rules, d/klutshnik.manpages, d/lintian-overrides: build
    and install klutshnik(1), klutshnik.cfg(1): add cmark to
    Build-Depends.  (We still suffer from #1094434.)

 -- Joost van Baal-Ilić <joostvb@debian.org>  Mon, 05 May 2025 06:27:47 +0200

klutshnik (0.01+git20250501.25a7649-1) experimental; urgency=low

  * This release was never uploaded to the Debian archive.

  * New upstream git snapshot:
    [enh] encrypt takes either keyid or pubkey as param
    [enh] added init to cli, client ltsigpub is now 'KLTPK-' prefixed b64
     encoded in cfg file
    [enh] if client ltsigkey is not provided via cfg, it is read from
     stdin - allowing to store this key for example in sphinx
    [mod] cleanup in main.zig
    [doc] added example test session to readme
    [doc] added radicle id and ref
    [fix] cli decrypt doesn't need any params
    [doc] updated readme
    [enh] brand new simplified rewrite using liboprf, server is now in zig

  * d/control: update description: no longer comes with kms or macaroon
    utilities, no longer ships the kms and noise shared libraries.  The
    user interface is reimplemented as the klutshnik python script.

  * d/patches/series: disable makefile.patch,
    XK_25519_ChaChaPoly_BLAKE2b-makefile.patch: applied upstream.
  * d/rules: get rid of no longer used OPRF_HOME and HACL_HOME.

  * d/rules: for now, override upstream build time tests.
  * d/rules: install in /usr , not in upstream default / .
  * d/{klutshnik.install,klutshnik.links,not-installed}: properly install and
    symlink libklutshnik.so.0 .  WIP! FIXME
  * d/control: Architecture: any, Multi-Arch: same; add ${shlibs:Depends}

  * d/{rules,control}: build the python stuff too.

  * d/watch: added.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Thu, 01 May 2025 09:41:43 +0200

klutshnik (0.01+git20230411.e001e2a-1) experimental; urgency=low

  * Initial release.
  * This release was never uploaded to the Debian archive.

 -- Joost van Baal-Ilić <joostvb@debian.org>  Sun, 13 Apr 2025 09:09:38 +0200
