commit 583fb2b7e2d64e5ec3910a9400f712999338982c
Author: Ben Hutchings <benh@debian.org>
Date:   Thu Jul 17 22:26:31 2025 +0200

    Revert "tlshd: Do not return remote peer IDs for x.509 handshakes"

    This upstream change resulted in broken NFS mounts on Linux 6.12
    (mount succeeds but all operations return EPERM). Revert it for now.

commit 1c30404ad994a71caa843edf57c698a9bcf9e184
Author: Ben Hutchings <benh@debian.org>
Date:   Thu Jul 17 17:50:09 2025 +0200

    Revert "tlshd: Add a SIGINT handler"

    This upstream change added a broken signal handler.

commit e822c2259e2163ca1bcb188dac66969df3bc6f66
Author: Ben Hutchings <benh@debian.org>
Date:   Thu Jul 17 22:20:53 2025 +0200

    d/changelog: Update for version 1.2.0

commit 9ae9fa61ad48116bb9ac64643ea262ecdbbdf96f
Merge: 1e4da0c 6d296ef
Author: Ben Hutchings <benh@debian.org>
Date:   Thu Jul 17 22:20:43 2025 +0200

    Merge tag 'ktls-utils-1.2.0' into debian/latest

    ktls-utils 1.2.0 2025-07-11

    * Implement Certificate Revocation Lists
    * Add a default keyring for NFS consumers
    * Improvements to error reporting and logging
    * Manage per-session resources more effectively

commit 1e4da0c91effd44d1abe14ad4973b94f4a7432cf
Author: Ben Hutchings <benh@debian.org>
Date:   Thu Jul 17 20:12:59 2025 +0200

    d/tests: Add test case for NFS with TLS

commit 49e5b85c82cd0876347ee29beb03b1cd083de5e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Thu Jun 19 01:09:46 2025 +0200

    Prepare to release ktls-utils (1.1.0-1)

commit 0a4fd718f33b5ed075076be949a2fd8528c623e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 2 21:29:39 2025 +0200

    d/changelog, d/patches: Update for version 1.1.0

    - Drop "tlshd: fix a regression for certificate verification" which
      was included in this release
    - Refresh "configure: Disable currently broken QUIC implementation"
      and delete reference to one bug that is now closed

commit e091b077c84e6f3ee8b831a9f83345e04003719e
Merge: b09b60d 8e93cc2
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 2 21:26:12 2025 +0200

    Merge tag 'ktls-utils-1.1.0' into debian/latest

    ktls-utils 1.1.0 2025-06-02

    * Return to the old release process
    * Update the contribution process
    * Accept alternate keyrings during handshake upcall
    * Initial support for building ktls-utils with MUSL

commit b09b60d242ff19131a3e22b462c4809d8e6bbb81
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 2 21:19:50 2025 +0200

    Revert "d/watch: Disable tag signature check as recent tags were not signed"

    This reverts commit 1384808e8f003a76c142271e5917b63a1e785546.

    Upstream has decided to use signed tags again.

commit 6a318a7ea85f9c3fa04b1eb64ee28acc2dc4cc4c
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 2 21:23:11 2025 +0200

    d/upstream/signing-key.asc: Update expired signing key

    The signing key expired, but was not used for the 1.0 release or
    release candidates. Since the 1.1 release is signed, import an
    updated version of the signing key with no expiry.

commit 846dadfcf8e239c9ad41316c42edd1976a77c978
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 2 21:17:33 2025 +0200

    Revert "d/watch: Update upstream tag regex"

    This reverts commit eade95f2866732cd4072dbd982ea3d99a6393bc7.

    After further discussion, upstream has decided to revert to the
    previous tag format.

commit eade95f2866732cd4072dbd982ea3d99a6393bc7
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Thu May 29 22:39:55 2025 +0200

    d/watch: Update upstream tag regex

    As discussed in <https://github.com/oracle/ktls-utils/issues/104>,
    the upstream tag prefix has changed from 'ktls-utils-' to 'v'.

commit 4a62afeac3013411434d1419f9156045f1035c09
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun May 25 22:55:34 2025 +0200

    Prepare to release ktls-utils (1.0.0-1)

commit f17f9325eb01ede014b6b3b78da9321209508e3f
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun May 25 17:37:19 2025 +0200

    README.Debian: Update for changes to kernel and ktls-utils

    The kernel now supports TLS handshake upcalls for NVMe (both roles).
    Update the list of users accordingly.

    The ktls-utils developers no longer describe it as experimental, but
    it still has limited validation of client certificates. Update the
    warning text and link to the specific upstream issue.

commit bb4926512b4512998847ecab97c0b14f7b37f763
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun May 25 17:25:30 2025 +0200

    Apply upstream fix for certificate validation error reporting

    Replace my patch with the commit from upstream.

commit a7a6a7a1173377bf674528fe03a4979dbdd3cd9a
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 22:54:56 2025 +0200

    configure: configure: Disable use of GnuTLS API not yet accepted upstream

commit 2578130f83d127d95472e2c9b9ae04ab55a8b5e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 22:40:02 2025 +0200

    quic: Disable currently broken implementation

commit 129e1ca20619b4604a5e68e8490c757daa0ad9b9
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 22:20:00 2025 +0200

    handshake: Fix reporting of certificate validation error

commit c7646a17d97758ac8449f24964c93f22e4024556
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 20:17:45 2025 +0200

    d/changelog: Update for new upstream version

commit 9da9c69bc29402b5c0ad16f4835523daed0d30de
Merge: 1384808 c787cd2
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 20:16:38 2025 +0200

    Merge tag 'ktls-utils-1.0.0' into debian/latest

commit 1384808e8f003a76c142271e5917b63a1e785546
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 19 20:16:26 2025 +0200

    d/watch: Disable tag signature check as recent tags were not signed

commit 2526c2a6d87abe3a0e3b2e7ea02ea03ad7f5f0a9
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed Jul 10 23:33:15 2024 +0200

    d/changelog: Update for 0.11

commit 787ddac4984e9f2c6796798abad0b0d281fd6699
Merge: 60d51ce 11c3a8a
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed Jul 10 22:32:13 2024 +0200

    Merge commit '11c3a8a532ef2e96b01aae94ced317d613ab57c7' into debian/latest

    I wanted to merge ktls-utils-0.11, but that points to a commit that
    got rebased and is no longer on the main branch. This merges the
    rebased commit which has identical content.

commit 60d51cefed5f5fe296b82ac3804cf5806cb2ef2d
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed May 15 13:20:16 2024 +0200

    Prepare to release ktls-utils (0.10-1).

commit b720a1642a67002bae0108164e41feb1427e33b8
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed May 15 13:18:30 2024 +0200

    Update for upstream version 0.10

    - Start new changelog entry
    - Drop patches that are included in 0.10

commit aec5a681810e4c82bee7128cb7d9e937bfed4fba
Merge: cf12834 5da9cbf
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed May 15 13:10:50 2024 +0200

    Merge tag 'ktls-utils-0.10' into debian/latest

    ktls-utils 0.10 - 2023-09-21

    * Fix Server Name Indicator support (IP addresses)
    * Add tlshd.conf option to provide specific trust chain
    * Reorganize tlshd.conf
    * Fix numerous bugs reported by packagers

commit cf128340d4463e7a2c3269f679541f4e5f646f63
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 25 01:36:06 2023 +0000

    d/rules: Stop overriding systemd unit directory

    For trixie and later releases, /lib will always be a symlink to
    /usr/lib and should not be included in packages as a directory.
    Use the default installation location for systemd units, which is
    /usr/lib/systemd/systemd. Leave a comment in case someone wants to
    backport to bookworm or earlier.

commit 3cf3bb5c326a962a63345fd2f031f93ee91a37e4
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Thu Jul 27 01:58:35 2023 +0200

    No-change source upload to allow propagation to testing

commit a448f5d846f3b3ceeb2d19cb75d149473ea0c65f
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jul 24 01:54:48 2023 +0200

    Prepare to release ktls-utils (0.9-1).

commit ae55bea31e549c97c34ecc5c34e7e4327f54c785
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jul 24 01:44:53 2023 +0200

    Document use of NFS with ktls-utils

    The "in-kernel TLS consumers" are currently only the NFS client and
    server, so mention that specifically in the package description.

    The nfs-utils manual pages already mention the required "xprtsec"
    option, and tlshd.conf has a manual page, but it still took me some
    time to understand how exactly to set this up. So add a README.Debian
    listing all the steps and some of the current limitations.

commit 85948af567f85bc8d91fe689b67ae540cc85e6b6
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Jul 22 19:47:13 2023 +0200

    Cherry-pick fixes from upstream main

    - tlshd: fix max config file size comparison
    - tlshd-conf.man: Fix man page header
    - Fix the --with-systemd command-line option

    Drop the patches I wrote.

commit e72d16a0e26e41c3bdea10ece22ccdba56b853b2
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Jul 22 00:12:18 2023 +0200

    Fix systemd installation directory

commit e2bef21847956baa72dc54d5155040fc03848bf3
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Jul 22 00:00:14 2023 +0200

    Fix heading for tlshd.conf manual page

commit 82da80b7b6c69a4204c7722c8adb25b221fcb6e6
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Jul 21 23:54:25 2023 +0200

    Add Salsa CI configuration

commit 6ad1ea805c76201bdb20f8a5264b478e05a295bf
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Jul 21 18:36:37 2023 +0200

    Add debian packaging

commit 198ff00ba28cb97cdab6e49a7422cce331fde198
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Tue Apr 25 15:06:48 2023 -0400

    Release ktls-utils 0.9

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 1c6d204e6bdd62dc335cc95dd390c9873ef7ba8d
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed May 17 10:42:15 2023 -0400

    workflows: Replace create-release action

    The create-release action has been archived.

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 247f2cd6867a3069ee919e7433798a618caf6375
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed May 17 09:39:53 2023 -0400

    workflows: Enable running the CI workflow manually

    At least the Makefile workflow should be allowed to run on demand
    for testing or in case the environment has changed.

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit b586f7d97795b6c9f3b0aae17a1b1a82bbd5933b
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri May 12 12:31:44 2023 -0400

    tlshd: Reverse DNS lookup of peername

    If the peername happens to be an IP address, it needs to be converted
    to a domain name before using it for Server Name Identification.

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 7655d96c7ace36618e32eda289271ddb4b9aaa80
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri May 12 12:43:42 2023 -0400

    tlshd: Move peername/peeraddr preparation

    Refactor / clean up: move the peername and peeraddr completely into
    the handshake parameters structure.

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 0f5b25a0031684ca43c57a152d449badcee20edb
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri May 12 12:33:12 2023 -0400

    git: ignore Coverity-generated files

    The blobs built by a Coverity Scan should not be tracked.

    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 357f9445c0683c49ba6dd0d05c1fde4ded08875f
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 17:00:30 2023 -0400

    tlshd: Fix return value type

    implicit conversion loses integer precision: 'long' to 'int'

    Reported-by: Parfait 10.2 (#2046)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 4e8df07da20527e0828a0c0cf9aaa7ac5735d8d0
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:16:04 2023 -0400

    tlshd: Fix an implicit sign conversion

    implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long')

    calloc's first parameter is a size_t, so use an unsigned type for
    num_peerids.

    Reported-by: Parfait 10.2 (#2039)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit f22a1aba373ff68730e971e31cf5325a87eef810
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:43:45 2023 -0400

    tlshd: check return value from signal(3)

    Unchecked return value from call to signal. Value
    signal(17, ((void (*func)(int32))1)) should be checked to ensure
    this function was successful.

    Reported-by: Parfait 10.2 (#2038)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 98f2e6254803ba5e5b811b616a9a6ca023d60ce6
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 13:57:27 2023 -0400

    tlshd: Replace use of strcat(3) in tlshd_make_priorities_string()

    Use of function strcat is deprecated because string lengths cannot
    be limited. Consider strlcat() as an alternative. Also see CERT
    STR07-C

    We recently removed the libbsd-devel dependency, so strlcat(3) is a
    bit of a challenge. Thus the goal here is to ensure that strcat(3)
    is used in a safe fashion.

    Reported-by: Parfait 10.2 (defect group #2037)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit f20e26fab5cc12d65d202716f8e16b94acc1dc21
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:58:59 2023 -0400

    tlshd: Fix return value type

    implicit conversion loses integer precision: 'long' to 'int'

    Reported-by: Parfait 10.2 (#2036)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 2d7782fff9585e6e58363f4f3e0c886a4752b170
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:09:40 2023 -0400

    tlshd: Document implicit sign conversion

    implicit conversion changes signedness: 'int' to 'unsigned int'

    These are all preceded by explicit checks that the value is zero or
    greater. Annotate them.

    Reported-by: Parfait 10.2 (#2033)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit c9c0cb4e2265dd2f7aa7da17ba462281da732549
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:05:32 2023 -0400

    tlshd: Fix return value of tlshd_initialize_ktls()

    implicit conversion changes signedness: 'int' to 'unsigned int'

    Note that the session_status field has been unsigned since commit
    4e932c62c451 ("tlshd: Set EIO instead of -EACCES on local error").

    Reported-by: Parfait 10.2 (#2032)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 6fc4ec3807f0dc5eb4034686a97018f3fe3c9d91
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 13:48:21 2023 -0400

    tlshd: Fix implicit type conversions in tlshd_config_read_datum()

    implicit conversion changes signedness: '__off_t' (aka 'long') to 'size_t' (aka 'unsigned long')
    implicit conversion changes signedness: '__off_t' (aka 'long') to 'size_t' (aka 'unsigned long')
    implicit conversion loses integer precision: '__off_t' (aka 'long') to 'unsigned int'

    Reported-by: Parfait 10.2 (#2030, #2031)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

commit 63d49acc83f33dff1f4e2c83223828e5e56a6c34
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Apr 28 16:54:07 2023 -0400

    tlshd: Fix an implicit type conversion

    implicit conversion loses integer precision: 'long' to 'int'

    As far as I can tell, openat2() returns a zero or -1, so this
    conversion is harmless. Annotate it.

    Reported-by: Parfait 10.2 (#2028)
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Among the 3 debian patches available in version 1.0.0-1 of the package, we noticed the following issues: