1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
1.1.5
- Fixes for machine-readable indices. Key expiration times are now read
from self-signatures on the key's UIDs. In addition, instead of 8-digit
key IDs, index entries now return the most specific key ID possible:
16-digit key ID for V3 keys, and the full fingerprint for V4 keys.
- Add metadata information (number of keys, number of files,
checksums, etc) to key dump. This allows for information on the
key dump ahead of download/import, and direct verification of checksums
using md5sum -c <metadata-file>.
- Replaced occurrances of the deprecated operator 'or' with '||' (BB issue #2)
- Upgraded to cryptlib-1.7 and own changes are now packaged as separate
patches that is installed during 'make'. Added the SHA-3 algorithm, Keccak
- Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
- op=hget now supports option=mr for completeness (BB issue #17)
- Add CORS header to web server responses. Allows JavaScript code to
interact with keyservers, for example the OpenPGP.js project.
- Change the default hkp_address and recon_address to making the
default configuration support IPv6. (Requires OCaml 3.11.0 or newer)
- Only use '-warn-error A' if the source is marked as development as per
the version suffix (+) (part of BB Issue #2)
- Reduce logging verbosity for debug level lower than 6 for (i) bad requests,
and (ii) no results found (removal of HTTP headers in log) (BB Issue #13)
- Add additional OIDs for ECC RFC6637 style implementations
(brainpool and secp256k1) (BB Issue #25) and fix issue for 32 bit arches.
- Fix a non-persistent cross-site scripting possibility resulting from
improper input sanitation before writing to client. (BB Issue #26 | CVE-2014-3207)
1.1.4
- Fix X-HKP-Results-Count so that limit=0 returns no results, but include
the header, to let a client poll for how many results exist, without
retrieving any. Submitted by Phil Pennock. See:
http://lists.nongnu.org/archive/html/sks-devel/2010-11/msg00015.html
- Add UPGRADING document to explain upgrading Berkeley DB without
rebuilding. System bdb versions often change with new SKS releases
for .deb and .rpm distros.
- Cleanup build errors for bdb/bdb_stubs.c. Patch from Mike Doty
- Update cryptokit from version 1.0 to 1.5 without requiring OASIS
build system or other additional dependencies
- build, fastbuild, & pbuild fixed to ignore signals USR1 and USR2
- common.ml and reconSC.ml were using different values for minumimum
compatible version. This has been fixed.
- Added new server mime-types, and trying another default document (Issue 6)
In addition to the new MIME types added in 1.1.[23], the server now
looks over a list and and serves the first index file that it finds
Current list: index.html, index.htm, index.xhtml, index.xhtm, index.xml.
- options=mr now works on get as well as (v)index operations. This is
described in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
sections 3.2.1.1. and 5.1.
- Updated copyright notices in source files
- Added sksclient tool, similar to old pksclient
- Add no-cache instructions to HTTP response (in order for reverse proxies
not to cache the output from SKS)
- Use unique timestamps for keydb to reduce occurrances of Ptree corruption.
- Added Interface specifications (.mli files) for modules that were missing
them
- Yaron pruned some no longer needed source files from the tree.
- Improved the HTTP status and HTTP error codes returned for various
situations and added checks for more error conditions.
- Add a suffix to version (+) indicating non-release or development builds
- Add an option to specify the contact details of the server administrator
that shows in the status page of the server. The information is in the
form of an OpenPGP KeyID and set by server_contact: in sksconf
- Add a `sks version` command to provide information on the setup.
- Added configuration settings for the remaining database table files. If
no pagesize settings are in sksconf, SKS will use 2048 bytes for key
and 512 for ptree. The remainining files' pagesize will be set by BDB
based on the filesystem settings, typically this is 4096 bytes.
See sampleConfig/sksconf.typical for settings recommended by db_tuner.
- Makefile: Added distclean target. Dropped autogenerated file from VCS.
- Allow tuning BDB environment before creation in [fast]build and pbuild.
If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
- Add support for Elliptic Curve Public keys (ECDSA, ECDH)
- Add check if an upload is a revocation certificate, and if it is,
produce an error message tailored for this.
1.1.3
- Makefile fix for 'make dep' if .depend does not exist. Issue #4
- Makefile fix: sks and sks_add_mail fail to link w/o '-ccopt -pg'
Issue #23
- Added -disable_mailsync and -disable_log_diffs to sks.pod
- Added file extensions .css, .jpeg, .htm, .es, .js, .xml, .shtml, .xhtm,
.xhtml and associated MIME types to server code. Part of Issue #6
- Added sample configuration files in sampleConfig directory
- Added sample web page files in sampleWeb directory. Issues #7, 9, 19
- Allow requests for non-official options hget, hash, status, & clean to
be preceded by '-x'. Closes issues #10, 11, 13, & 14.
- Allow &search with long subkey ID (16 digit) and subkey fingerprint
subkey lookup was failing with other than a short key ID. However,
public key lookup was working with short and long key ID and fingerprints.
This patch makes subkey lookup behave the same as full key lookup.
http://lists.gnupg.org/pipermail/gnupg-users/2012-January/043495.html
Initial patch sumbitted by Dan McGee (dpmcgee@gmail.com).
Cleanup by Yaron Minsky
- Patch recon script so that POST includes HTTP version number.
Patch submitted by Daniel Kahn Gilmor
1.1.2:
- HTML generated by SKS has been cleaned up to pass XHTML 1.0 Strict
without error or warnings
- Added HTTP/1.0 after POST, '-' added to safe characters for webserver,
Add '.html' (text/html) to list of supported file extensions for web server
- Johan van Selst's patch implementing Phil Pennock's suggestion
of an X-HKP-Results-Count: header to returned web server queries
- Johan van Selst's patch to add Content-length header to web results
- DB Statistics are kept for 30 days instead of 7
- SIGUSR2 now triggers on-demand statistics
- sks dump should ignore -USR1 and -USR2
- Remove XA support which Oracle dropped in DB 4.8 (& restored in DB 5.2)
- Work-around in bdb_stubs.c for DB_XA_CREATE dropped after DB 4.7
- Import debian patch 508_build_fastbuild.patch for improved sks_build script
- always display number of hashes received for better statistics in recon.log
- Fix 'sks dump' usage: help message syntax
- Fix documentation to explicit that hkp_address and recon_address can
contain both IP addresses and domain names.
- Fix documentation with ambiguity of -n when used with build and fastbuild
- Spelling corrections
- BUGFIX: do not leak the joined cursor in Keydb.get_by_words.
1.1.1:
- Fix tail recursion for reconciliation with huge differences.
- fixed bug in handling of send_mailsyncs flag
- BUGFIX: The last word of a user id was not properly case converted.
- Makefile fixes
- imported patch sksdump-recursion
- imported patch reconsever-resilience
- imported patch multiple-addresses
- imported patch full-rrset
- imported patch dbsyc-on-sigusr1
- imported patch ignore-sigusr2
- imported patch increase-wserver-timeout
- imported patch spider-set-starthost
- imported patch spider-add-buildtarget
- [mq]: dns-refresh-patch
- imported patch spider-target-fix
- [mq]: pdp-smallfixes
1.1.0:
- Numerix has been ripped out. OCaml's Big_int implementation is
used instead.
- version of Berkeley DB has been upgraded to 4.6.
- The sks.pod file has been added to the src tarball
- Some small changes to index view
1.0.5:
- subkey indexing added
- removal of most executables. Now single "sks" executable used for almost
everything.
- Numerix tarball updated to include GPL notices in each file
- SKS files updated to include GPL notices in each file
- SKS can be configured to listen to two ports for HKP access.
1.0.3: added simple built-in webserver so that index page can be served by
sks_db. This should make it easier to put sks on port 80. Also,
sks can now be launched from any directory, as long as the -basedir
command-line option is used to specify the location of the sks
directory.
1.0.2: Serious database corruption bug in fastbuild and build fixed. Also,
client.ml modified to avoid Yet Another Deadlock Bug.
(...many versions skipped...)
0.1.3: Added interoperability with PKS-style email synchronization, plus
numerous bugfixes.
0.1.2: Omitted key fix from above upload having to do with key fetching
post-reconciliation. Key fetching should work now.
0.1.1: Fixed HTML response pages to work better with GPG and other automated
systems. Also some Makefile fixes and documentation updates.
0.1.0: Initial public release
|
