klutshnik (0.4.1-1) unstable; urgency=medium

  * New upstream, released 2026-01-23 (missed 0.3.0, released 2025-09-22).
    git commit log for both releases follows:

    [ contributions by Enjeck C. aka patrathewhiz ]
    [doc] Improve consistency
    [doc] Use consistent capitalization and formatting
    [doc] Improve docs

    [ changes by Stefan Marsiske ]
    [doc] reviewed and updated enjecks awesome contribution to all docs
    [doc] sadly funding ended
    [mod] new keys for rpi image seccomp rule test config due to hkdf->hash migration
    [mod] don't ignore failures during tests when generating seccomp rules
    [mod] use blake2 instead of hkdf to derive ltsig/noise keys from the client master key
    [fix] unit and e2e tests
    [mod] gh action uses zig v0.15.2
    [mod] rpi img klutshnik-rev doesn't need to be in git
    [mod] removed commented out trace msg in client
    [doc] added todo handling cheaters in client
    [mod] new keys for test clients
    [mod] test config was one dir deeper
    [mod] moved sleep to a more sane location in start-servers
    [mod] changed the rpi image test keys due to the new client master key mechanism
    [mod] increased default timeout in rpi image to 15 sec
    [enh] use more generic rpi image test.sh without hardcoded keys
    [mod] server config moved to klutshnikd
    [mod] rpi image test/start-servers don't debug and handle SIGQUIT
    [fix] need to install zstd in docker rpi image builder
    [doc] comment why not use alpine v3.23 in build.env
    [doc] rpi image is zstd compressed
    [fix] read authorized_keys file correctly (as per zig v0.15.2) in server
    [mod] zig writergate cont'd, fixed other file.reader calls
    [fix] test/otherclient/klutshnik.cfg had a server stanza commented out
    [enh] test also full init, with completely new key values
    [mod] changed test setups to support clientkey instead of ltsig/noisekey
    [fix] truncate adduser pubkey if it is the long version
    [doc] document noise and ltsig key in whitepaper
    [doc] document init op change on website
    [mod] tail last 50 log lines in start server if ORACLE_TAIL is set
    [doc] document clientkey_path and init op in client manpages
    [enh] support new explicit add and del user ops in the server, in tls servers this is irrelevant
    [enh] modauth now distinguishes between add/del user, so that their noise key can be added/deleted from authorized_keys on klutshnik devices
    [enh] provisioning ble/usb devices has been streamlined
    [enh] init gets an extra parameter which automatically sets some values like ltsigpub
    [enh] ltsig and noise keys are derived from a master secret
    [fix] decrypt only needs t replies
    [mod] getcfg returns also the set of config files that contributed to the final cfg
    [mod] .gitignore update
    [mod] added some checks for write return values in tuokms.c
    [fix] assert that pkid == req.id in toprf_update of server
    [enh] display url howto setup tls certs if none found
    [fix] make provision wait a bit longer for device to generate stuff
    [fix] don't abort during init/provision if servers cfg is incomplete
    [fix] name of usb device during provisioning
    [fix] init cmd in cli-ent
    [doc] added website sources
    [fix] got releasesafe working with bearssl
    [fix] building bearssl with ReleaseSafe
    [enh] add also seccomp profile as artifact
    [fix] path to seccomp dir
    [enh] added seccomp rule gen
    [mod] removed publishing debug server config/logs
    [fix] create missing keystores
    [mod] switched to Debug mode for zig for testing until bearssl ub is resolved
    [mod] added upload of test results even if fail
    [mod] make klutshnikd passable via environ arg to unittests
    [mod] increase timeouts for tests
    [fix] test dir name
    [mod] correct version attr in workflow
    [mod] use newer upload artifact
    [enh] added github action build-test-publish
    [fix] subshells don't play nice with the adding of child pids to env vars
    [fix] shellchecked easy-test and start-servers
    [fix] removed useless config vars from sbox.sh
    [mod] cc-runtime not needed anymore
    [mod] also clean strace log from test server
    [enh] added framework for generating seccomp bpf rulesets
    [enh] test.sh can do stracing of a server designated by ORACLE_STRACE and only tails log if ORACLE_TAIL points at a server
    [mod] added man/*.html to .gitignore
    [enh] added python end2end unittests
    [mod] give error on log if record exist when creating in server
    [mod] added a todo and a bit more verbose exception in client
    [enh] added html version of manpages
    [mod] renamed klutshnik.cfg to klutshnikd.cfg for server
    [mod] added optional device deps to setup.py
    [fix] provide default for keystore config variable
    [mod] created minimal readme for the python package
    [mod] changed homepage in setup.py
    [doc] added acknowledgments to readme
    [doc] added funding section to readme
    [doc] add provisioning command to man file
    [fix] handle all possible klutshnik cfg filenames in provisioning
    [mod] moved provision-ble from klutshnik-zephyr into client
    [mod] update zig-bearssl dep in build.zig.zon and minimum reqd zig version
    [fix] don't link explicitly zig_bearssl
    [fix] some ssl variables are zero-initialized
    [enh] updated to compile using zig v0.15.1
    [doc] added some layperson parseable about section to whitepaper
    [mod] switch to zstd compression for rpi images
    [mod] bumped to v0.3.0
    [enh] initial commit of raspi image builder
    [mod] added extra check in create() of python client
    [fix] trailing backslash in uninstall deps list
    [fix] add missing uninstall target
    [fix] aarch64 has no stack-protection=full in libklutshnik.so makefile
    [fix] libsodium module in server
    [mod] updated build.zig.zon so that it includes a fix for https://github.com/jedisct1/libsodium/issues/1477
    [fix] enable liboprf debug only on debug builds if liboprf is not a system_lib
    [fix] klutshnik init when no authorized_keys file exists
    [fix] don't abort klutshnik init if there is no authorized_keys file
    [enh] fix build.zig so that we can cross-compile klutshnikd
    [fix] make server 32bit ready
    [fix] add rules for man install targets
    [mod] added DESTDIR prefix to all man/makefile install targets
    [fix] made makefile more useful for packaging
    [enh] added support for pyoprf/multiplexer USB serial connected peers in client
  * d/control: refer to https://klutshnik.info/ in python3-klutshnik extended
    description.
  * d/libklutshnik-dev.install: do not install
    usr/lib/x86_64-linux-gnu/pkgconfig/libklutshnik.pc/libklutshnik.pc but
    install u/l/x/pkgconfig/libklutshnik.pc .
  * d/patches/{makefile.patch,series}: re-enable makefile.patch,
    makefile.patch is now a one-line patch on makefile: honor $(CPPFLAGS) in
    default build rule. this fixes the Debian blhc test.

 -- Joost van Baal-Ilić Sun, 15 Mar 2026 12:32:37 +0100

klutshnik (0.2.1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Drop dependency on python3-toml (Closes: #1111336)
  * Drop "Rules-Requires-Root: no", it is the default now
  * Use dh-sequence-python3
  * Bump "Standards-Version" to 4.7.2
  * Lintian: capitalization-error-in-description-synopsis
  * Lintian: trailing-whitespace

 -- Alexandre Detiste Wed, 17 Sep 2025 08:53:05 +0200

klutshnik (0.2.1-1) unstable; urgency=low

  * New upstream, released 2025-08-19:
    [fix] start-servers.sh was non-posix conform
    [doc] typo in man pages
    [enh] add support for BLE klutshnikds
    [doc] changed wording regarding early experimental into beta grade
    [mod] added missing utils.c to makefile sources
    [mod] verify that stp_ltpk is the same as the pk that was authorized
    [mod] updated to build with zig v0.14.1
    [mod] updated threadmodel in whitepaper
    [doc] updated readme example session with latest variant of cli interface

 -- Joost van Baal-Ilić Wed, 20 Aug 2025 19:07:50 +0200

klutshnik (0.2.0-5) unstable; urgency=low

  * upload to unstable.

 -- Joost van Baal-Ilić Sat, 16 Aug 2025 08:58:36 +0200

klutshnik (0.2.0-4) experimental; urgency=low

  * d/libklutshnik-dev.install: no longer uses /usr/bin/dh-exec; the
    libklutshnik-dev package ships the upstream test suite under
    /usr/share/klutshnik/test/ . Developers can run
    /usr/share/klutshnik/test/test.sh to test the klutshnik software.
    (We ship it with the runtime since we cannot perform a full test at build
    time: a full test would need klutshnik servers which we cannot ship yet
    due to Bug #995670 (ITP: zig -- General-purpose programming language
    [...]).
  * d/control: stricter python3-pyoprf build-depends: from 0.6.0 to 0.8.0.

 -- Joost van Baal-Ilić Sun, 01 Jun 2025 05:56:47 +0200

klutshnik (0.2.0-3) experimental; urgency=low

  * d/control: add missing liboprf-dev to Build-Depends.

 -- Joost van Baal-Ilić Wed, 21 May 2025 14:41:46 +0200

klutshnik (0.2.0-2) experimental; urgency=low

  * d/control: add missing libsodium-dev to Build-Depends.

 -- Joost van Baal-Ilić Wed, 21 May 2025 06:40:12 +0200

klutshnik (0.2.0-1) experimental; urgency=low

  * New upstream, released 2025-05-17:
    [mod] bumped py client to v0.2.0
    [doc] added inline todo in cli src
    [mod] using cc-runtime to build klutshnikd as a static binary on x86_64 - zig has ___(mul|add|sub)vsi3 compiler_rt symbols missing
    [doc] initial version of whitepaper
    [doc] fixed dash position in manpage should be dash, not listing
    [doc] fixed misplaced - in manpage
    [doc] added import also to synopsis of client manpage
    [doc] added description for cli import operation to manpage
    [mod] improved client ltsigkey docs/exposure
    [mod] improved test.sh to have a more broad coverage
    [enh] substantial rewrite of arg-parsing and -passing, result processing and (de)serialization of metadata in cli client
    [mod] require and use tomlkit instead of tomllib in cli client
    [doc] typo in klutschnik(1) and remove keyname param from update op cli syntax
    [mod] test/otherclient/klutshnik.cfg drop noisekey and use ltsigkey_path
    [mod] updated gitignore
    [fix] add missing "piped" lt sigkey to test/
    [mod] use ltsigkey_path in test/klutshnik.cfg
    [mod] auth() in server uses op not perm for requiring owner to be the authenticated party
    [fix] cfg file manpages go to section 5
    [mod] updated usage() in client
    [mod] don't save/load owner_pks in savekey/loadkeymeta
    [mod] test/klutshnik.cfg clients don't need a noise key
    [mod] keyids are uniform over all kms's
    [fix] also include op-code in authentication signature
    [mod] start-servers.sh msg missed a trailing newline
    [fix] auth side-chan leaking info
  * d/rules: enable upstream tests. For now we ignore all errors in tests.
  * d/klutshnik.manpages: upstream klutshnik.cfg.1 moved to klutshnik.cfg.5.

 -- Joost van Baal-Ilić Sat, 17 May 2025 14:19:52 +0200

klutshnik (0.1.0-1) experimental; urgency=low

  * Initial public release (Closes: #1094647)
  * Split the package in 4: klutshnik, libklutshnik0, libklutshnik-dev,
    python3-klutshnik:
    - d/control: 3 new binary packages
    - d/{libklutshnik-dev,libklutshnik0,python3-klutshnik}.install: new
    - d/klutshnik.links moved to d/libklutshnik-dev.links
    - d/{not-installed,rules}: adjusted
  * d/control: add python3-toml and python3-securestring to python3-klutshnik
    Depends.

 -- Joost van Baal-Ilić Sun, 11 May 2025 09:07:12 +0200

klutshnik (0.1.0-0.1) experimental; urgency=low

  * This release was never uploaded to the Debian archive.
  * New (first) upstream, released 2025-05-05:
    [mod] added version field to packets
    [mod] revert ltsigkey in test/klutshnik.cfg
    [mod] klutshnikd is really klutshnikd not just "server"
    [doc] updated readme
    [mod] enabled client.key in test/klutshnik.cfg
    [doc] added manpages for client/server and their configs
    [enh] added b64(ltsigkeypub+noisekeypub) output at end of server init() so it can be added to authorized_keys on all servers
    [mod] removed useless test artifact
    [mod] more extensive tests
    [mod] lots of cleanups related to encrypt/update/rotate in client, and added support for refresh op
    [mod] prefix for ltsig pubkeys in klutshnik.cfg
    [mod] removed obsolete todo and dump from server
    [enh] added refresh op to server
    [enh] server auth() takes u8 to handle multiple permissions instead of one
    [enh] added storing and publishing of epoch of keys in server
  * d/klutshnik.docs: added: install upstream README.md.
  * d/rules: remove libklutshnik.so.0, libklutshnik.so, libklutshnik.a,
    pkgconfig/libklutshnik.pc from usr/lib/ : we install those via
    d/klutshnik.install
  * d/klutshnik.install: install pkgconfig/libklutshnik.pc in the right
    multiarch directory
  * d/control: add pkgconf to Build-Depends
  * d/control: do not depend upon python3:any, but on python since we are
    Multi-Arch: same and call pycompile. thanks lintian
  * d/control, d/rules, d/klutshnik.manpages, d/lintian-overrides: build and
    install klutshnik(1), klutshnik.cfg(1): add cmark to Build-Depends. (We
    still suffer from #1094434.)

 -- Joost van Baal-Ilić Mon, 05 May 2025 06:27:47 +0200

klutshnik (0.01+git20250501.25a7649-1) experimental; urgency=low

  * This release was never uploaded to the Debian archive.
  * New upstream git snapshot:
    [enh] encrypt takes either keyid or pubkey as param
    [enh] added init to cli, client ltsigpub is now 'KLTPK-' prefixed b64 encoded in cfg file
    [enh] if client ltsigkey is not provided via cfg, it is read from stdin - allowing to store this key for example in sphinx
    [mod] cleanup in main.zig
    [doc] added example test session to readme
    [doc] added radicle id and ref
    [fix] cli decrypt doesn't need any params
    [doc] updated readme
    [enh] brand new simplified rewrite using liboprf, server is now in zig
  * d/control: update description: no longer comes with kms or macaroon
    utilities, no longer ships the kms and noise shared libraries. The user
    interface is reimplemented as the klutshnik python script.
  * d/patches/series: disable makefile.patch,
    XK_25519_ChaChaPoly_BLAKE2b-makefile.patch: applied upstream.
  * d/rules: get rid of no longer used OPRF_HOME and HACL_HOME.
  * d/rules: for now, override upstream build time tests.
  * d/rules: install in /usr , not in upstream default / .
  * d/{klutshnik.install,klutshnik.links,not-installed}: properly install and
    symlink libklutshnik.so.0 . WIP! FIXME
  * d/control: Architecture: any, Multi-Arch: same; add ${shlibs:Depends}
  * d/{rules,control}: build the python stuff too.
  * d/watch: added.

 -- Joost van Baal-Ilić Thu, 01 May 2025 09:41:43 +0200

klutshnik (0.01+git20230411.e001e2a-1) experimental; urgency=low

  * Initial release.
  * This release was never uploaded to the Debian archive.

 -- Joost van Baal-Ilić Sun, 13 Apr 2025 09:09:38 +0200