Log message:
Update to 1.4.4:

* Version 1.4.4 (released 2006-09-12)

** Relax the test that caught signatures that exploit the variant of
** Bleichenbacher's Crypto 06 rump session attack on our
** verification logic flaw.
In particular, we now permit the digestAlgorithm.parameters field to
be present but empty, whereas in 1.4.3 we actually checked that the
field was absent.

** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
The messages are only printed in debug mode, which is not recommended
for normal use, and thus logging this situation cannot be abused as an
oracle in typical recommended situations.

** API and ABI modifications:
No changes since last version.

Log message:
Update to 1.4.3:

* Version 1.4.3 (released 2006-09-08)

** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
** Crypto 06 rump session attack.
In particular, we check that the digestAlgorithm.parameters field is
empty, to avoid that it can contain "garbage" that may be used to
alter the numeric properties of the signature.  See
<http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
not exactly the same as the problem we fix here).  Reported by Yutaka
OIWA <y.oiwa@aist.go.jp>.

See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
up to date information.

** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
Reported by Werner Koch <wk@gnupg.org>.

See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
up to date information.

** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.

** API and ABI modifications:
No changes since last version.

* Version 1.4.2 (released 2006-08-12)

** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
This can happen if you call gnutls_certificate_verify_peers2 and have
a certain mix of local CA certificates and the peer send special
certificates, that together trigger certain behaviour.  It is not
known at this point whether the crash can be triggered without the
special local CA certificate, and thus turn this into a remote crash
of clients that verify server certificates when they talk to a server
with the special server certificate.  See GNUTLS-SA-2006-2 on
http://www.gnu.org/software/gnutls/security.html for more up to date
information.  Reported by satyakumar <satyam_kkd@hyd.hellosoft.com>.

** Change SRP and Cert-Type extensions to match IANA registry.

** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.

** Make --without-included-libtasn1 work.
Reported by Daniel Black <dragonheart@gentoo.org>.

** API and ABI modifications:
No changes since last version.

Log message:
Update to 1.4.1:

* Version 1.4.1 (released 2006-06-14)

** Replaced inactive ifdefs to enable openpgp support in test programs.

** Fixed bug in OpenPGP authentication handshake.

** Fixed typographical in man pages.

** Build fixes of the manual.

** Added Swedish translation.

** API and ABI modifications:
No changes since last version.

Log message:
Change the format of BUILDLINK_ORDER to contain depth information as well,
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.

For example, "make show-buildlink3" in fonts/Xft2 displays:

	zlib
	fontconfig
	    iconv
	    zlib
	    freetype2
	    expat
	freetype2
	Xrender
	    renderproto

Log message:
Track information in a new variable BUILDLINK_ORDER that informs us
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.

Log message:
Update to 1.4.0:

* Version 1.4.0 (released 2006-05-15)

** Remove GnuTLS 0.8.x compatibility functions.

** The libgcrypt RNG is initialized in gnutls_global_init().

** TLS/IA API changes from Emile van Bergen.
A dummy credential structure is not needed now, if you wish to use the
low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on
a session.

** The self-tests are now run under valgrind, if it is installed.

** Libtasn1 is updated to 0.3.4, and that version is now required.

** The command line tools now use getaddrinfo and support IPv6.

** API and ABI modifications:
_gnutls_x509_get_raw_crt_activation_time,
_gnutls_x509_get_raw_crt_expiration_time: Removed.
gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable.
gnutls_ia_enable: Added.

Log message:
Strip ${PKGLOCALEDIR} from PLISTs of packages that already obey
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries.  From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.

Log message:
Over 1200 files touched but no revisions bumped :)

RECOMMENDED is removed. It becomes ABI_DEPENDS.

BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.

BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to obsolete.mk checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within day).

Log message:
List the info pages directly in the PLIST and ensure that we honor
PKGINFODIR.

Log message:
Update to version 1.3.5.  Fixes build failures related to libtasn1.

- Error messages are now translated using GNU Gettext.

- The function gnutls_x509_crt_to_xml now return an internal error.
This means that the code to convert X.509 certificates to XML format
does not work any more.  The reason is that the function called
libtasn1 internal functions.  It seems unclean for libtasn1 to export
the APIs needed here.  Instead it would be better to implement XML
support inside libtasn1 properly.  If you need this functionality
strongly, please consider looking into implementing this suggested
approach instead.  As a workaround, you may also modify lib/x509/xml.c
(change '#if 1' to '#if 0') and build using --with-included-libtasn1.

- Doc fixes to explain that gnutls_record_send can block.

- gnutls-cli can now recognize services and port numbers with the -p option.