-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 15 Mar 2026 12:32:37 +0100
Source: klutshnik
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Joost van Baal-Ilić <joostvb@debian.org>
Changed-By: Joost van Baal-Ilić <joostvb@debian.org>
Changes:
klutshnik (0.4.1-1) unstable; urgency=medium
.
* New upstream, released 2026-01-23 (missed 0.3.0, released 2025-09-22).
git commit log for both releases follows:
.
[ contributions by Enjeck C. aka patrathewhiz ]
.
[doc] Improve consistency
[doc] Use consistent capitalization and formatting
[doc] Improve docs
.
[ changes by Stefan Marsiske ]
.
[doc] reviewed and updated Enjeck's awesome contribution to all docs
[doc] sadly funding ended
[mod] new keys for rpi image seccomp rule test config due to hkdf->hash
migration
[mod] don't ignore failures during tests when generating seccomp rules
[mod] use blake2 instead of hkdf to derive ltsig/noise keys from the
client master key
[fix] unit and e2e tests
[mod] gh action uses zig v0.15.2
[mod] rpi img klutshnik-rev doesn't need to be in git
[mod] removed commented out trace msg in client
[doc] added todo handling cheaters in client
[mod] new keys for test clients
[mod] test config was one dir deeper
[mod] moved sleep to a more sane location in start-servers
[mod] changed the rpi image test keys due to the new client master key
mechanism
[mod] increased default timeout in rpi image to 15 sec
[enh] use more generic rpi image test.sh without hardcoded keys
[mod] server config moved to klutshnikd
[mod] rpi image test/start-servers don't debug and handle SIGQUIT
[fix] need to install zstd in docker rpi image builder
[doc] comment why not use alpine v3.23 in build.env
[doc] rpi image is zstd compressed
[fix] read authorized_keys file correctly (as per zig v0.15.2) in server
[mod] zig writergate cont'd, fixed other file.reader calls
[fix] test/otherclient/klutshnik.cfg had a server stanza commented out
[enh] test also full init, with completely new key values
[mod] changed test setups to support clientkey instead of ltsig/noisekey
[fix] truncate adduser pubkey if it is the long version
[doc] document noise and ltsig key in whitepaper
[doc] document init op change on website
[mod] tail last 50 log lines in start server if ORACLE_TAIL is set
[doc] document clientkey_path and init op in client manpages
[enh] support new explicit add and del user ops in the server, in tls
servers this is irrelevant
[enh] modauth now distinguishes between add/del user, so that their noise
key can be added/deleted from authorized_keys on klutshnik devices
[enh] provisioning ble/usb devices has been streamlined
[enh] init gets an extra parameter which automatically sets some values
like ltsigpub
[enh] ltsig and noise keys are derived from a master secret
[fix] decrypt only needs t replies
[mod] getcfg returns also the set of config files that contributed to
the final cfg
[mod] .gitignore update
[mod] added some checks for write return values in tuokms.c
[fix] assert that pkid == req.id in toprf_update of server
[enh] display url howto setup tls certs if none found
[fix] make provision wait a bit longer for device to generate stuff
[fix] don't abort during init/provision if servers cfg is incomplete
[fix] name of usb device during provisioning
[fix] init cmd in cli-ent
[doc] added website sources
[fix] got releasesafe working with bearssl
[fix] building bearssl with ReleaseSafe
[enh] add also seccomp profile as artifact
[fix] path to seccomp dir
[enh] added seccomp rule gen
[mod] removed publishing debug server config/logs
[fix] create missing keystores
[mod] switched to Debug mode for zig for testing until bearssl ub is
resolved
[mod] added upload of test results even if fail
[mod] make klutshnikd passable via environ arg to unittests
[mod] increase timeouts for tests
[fix] test dir name
[mod] correct version attr in workflow
[mod] use newer upload artifact
[enh] added github action build-test-publish
[fix] subshells don't play nice with the adding of child pids to env vars
[fix] shellchecked easy-test and start-servers
[fix] removed useless config vars from sbox.sh
[mod] cc-runtime not needed anymore
[mod] also clean strace log from test server
[enh] added framework for generating seccomp bpf rulesets
[enh] test.sh can do stracing of a server designated by ORACLE_STRACE and
only tails log if ORACLE_TAIL points at a server
[mod] added man/*.html to .gitignore
[enh] added python end2end unittests
[mod] give error on log if record exist when creating in server
[mod] added a todo and a bit more verbose exception in client
[enh] added html version of manpages
[mod] renamed klutshnik.cfg to klutshnikd.cfg for server
[mod] added optional device deps to setup.py
[fix] provide default for keystore config variable
[mod] created minimal readme for the python package
[mod] changed homepage in setup.py
[doc] added acknowledgments to readme
[doc] added funding section to readme
[doc] add provisioning command to man file
[fix] handle all possible klutshnik cfg filenames in provisioning
[mod] moved provision-ble from klutshnik-zephyr into client
[mod] update zig-bearssl dep in build.zig.zon and minimum reqd zig
version
[fix] don't link explicitly zig_bearssl
[fix] some ssl variables are zero-initialized
[enh] updated to compile using zig v0.15.1
[doc] added some layperson parseable about section to whitepaper
[mod] switch to zstd compression for rpi images
[mod] bumped to v0.3.0
[enh] initial commit of raspi image builder
[mod] added extra check in create() of python client
[fix] trailing backslash in uninstall deps list
[fix] add missing uninstall target
[fix] aarch64 has no stack-protection=full in libklutshnik.so makefile
[fix] libsodium module in server
[mod] updated build.zig.zon so that it includes a fix for
https://github.com/jedisct1/libsodium/issues/1477
[fix] enable liboprf debug only on debug builds if liboprf is not a
system_lib
[fix] klutshnik init when no authorized_keys file exists
[fix] don't abort klutshnik init if there is no authorized_keys file
[enh] fix build.zig so that we can cross-compile klutshnikd
[fix] make server 32bit ready
[fix] add rules for man install targets
[mod] added DESTDIR prefix to all man/makefile install targets
[fix] made makefile more useful for packaging
[enh] added support for pyoprf/multiplexer USB serial connected peers in
client
.
* d/control: refer to https://klutshnik.info/ in python3-klutshnik extended
description.
* d/libklutshnik-dev.install: do not install
usr/lib/x86_64-linux-gnu/pkgconfig/libklutshnik.pc/libklutshnik.pc but
install u/l/x/pkgconfig/libklutshnik.pc .
* d/patches/{makefile.patch,series}: re-enable makefile.patch, makefile.patch
is now a one-line patch on makefile: honor $(CPPFLAGS) in default build
rule. This fixes the Debian blhc test.
Checksums-Sha1:
6b6645d30de66a0a00961ec9fcc94f114185d98a 2253 klutshnik_0.4.1-1.dsc
144d359ae32ba421899c89c377ec88683c261901 258970 klutshnik_0.4.1.orig.tar.gz
0c09e93897b4f85c586c1d8c8dffbab2f0ce6403 8612 klutshnik_0.4.1-1.debian.tar.xz
72d5e57830c7ad6a4aa262988851862df5260bde 7082 klutshnik_0.4.1-1_source.buildinfo
Checksums-Sha256:
939c1e8976d5a2d238009ec80185d05af689067cefc737d7b272c6b7612ed264 2253 klutshnik_0.4.1-1.dsc
25ecc73648a92ce68664efb71089c9313e3bfe0589028aed59484872d61cf204 258970 klutshnik_0.4.1.orig.tar.gz
c481ec51a1882ff6b0c88de64dc134a7fcbc26ac50977b5d306e88a390bcd3a1 8612 klutshnik_0.4.1-1.debian.tar.xz
6e8b7813828a5bff302af9b9c03318e5959fef4f8ed272ecdebaa6cf2eb935b7 7082 klutshnik_0.4.1-1_source.buildinfo
Files:
e5704a9970fba6239ead020f08b3f310 2253 utils optional klutshnik_0.4.1-1.dsc
cfa36b72651b4cb93c3073a07a868776 258970 utils optional klutshnik_0.4.1.orig.tar.gz
26db07e48ceb9ac9757823bcef8c6509 8612 utils optional klutshnik_0.4.1-1.debian.tar.xz
88121865fe48975444d9a7e9baa72bd7 7082 utils optional klutshnik_0.4.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----