signing-party-2.9-bp153.1.16

- Add patch cve-2019-11627.patch from https://salsa.debian.org/signing-party-team/signing-party/commit/cd69b6c0426a6160ef3de03fce9c7f112166d5a8
  to fix CVE-2019-11627.

- replace broken URL in specfile

- update to version 2.9:
  * gpglist:
    + When --signer's argument is a long keyid or fingerprint, don't require
    the key to be present in the keyring.  This enable filtering on unknown
    signing keys.
    + Don't choke on direct-key signatures. (Closes: #921331.)
  * gpgparticipants:
    + Improve quoting and replace `echo` with `printf`.
    + Avoid including subkey fingerprints when gpg.conf contains 'fingerprint'.
- update to version 2.8:
  * keyart, gpgparticipants-prefill: port to python3.
  * keyart:
    + Don't print ASCII art for subkeys, only the master key.
    + Pass --no-auto-check-trustdb flag to gpg(1).
    + Fix crash with non-ASCII UIDs.  Patch from Grégoire Detrez.
  * Fix a couple of spelling errors.  Thanks to Edward Betts for the report
    and patch. (Closes: debian#882729)
  * caff:
    + Add the "only-sign-text-ids" to the list of gpg(1) options imported from
    ~/.gnupg/gpg.conf.
    + Ensure the terminal is "sane enough" when asking questions ('echo',
    'echok', 'icanon', 'icrnl' settings are all set), and restore original
    settings when exit()'ing the program. (Closes: #872529)
  * caff, gpglist, gpgsigs: in `gpg --with-colons` output, allow signature
    class to be followed with an optional revocation reason. gpg(1) does that
    since 2.2.9. (Closes: #905097.)
  * caff, gpg-key2latex, gpg-key2ps, gpglist, gpgsigs, keylookup: Remove
    references to https://pgp-tools.alioth.debian.org/ .
  * caff, gpg-key2latex, gpg-key2ps, gpg-mailkeys, gpglist, gpgparticipants,
    gpgsigs, keylookup: Remove SVN keywords ($Id$, $Rev$, etc.)
  * sig2dot: Don't use the diamond operator.

- apply conditionals also to filelist

- Spec cleanup

- update to 2.7:
  * gpg-key2ps: Add support for ECDH, ECDSA and EDDSA key types.
  * gpg-key2ps: Align key type & size listing to the GnuPG 2.1.x
    output (e.g., "rsa4096/DEADBEEF" instead of "4096R/DEADBEEF")
  * gpgsigs: Set UAT (jpeg photos) density to 90dpi so XeLaTeX
    doesn't complain that the image is too large

- update to 2.6:
  * gpgsigs: Skip undefined UIDs.
  * gpgsigs: Properly handle (skip) unknown attributes.
  * gpgsigs: Allow digest hexadecimal characters to replace multiple
    '_' in the fill-in forms
  * gpglist: New option '--signer' to limit listed signers to the
    matching keys.

- update to 2.5:
  * caff: Show how to set $ENV{'PERL_MAILERS'} to specify a
    sendmail binary (or use a sendmail-compatible MTA)
  * caff: Fix regression skipping --recv-key when 'keys-from-gnupg'
    isn't set.  (Closes: #837406)
  * caff: List all UIDs contained in an email when asking whether
    to send it.
  * gpg-key2latex: Add an option '--qrcode-data' to specify the
    data to encode in a QR code (default: "OPENPGP4FPR:%f").
  * gpg-key2ps: Fix revoked UID stroke slant with "-r strike".
  * gpg-key2ps: Ensure subkeys are hiden unless '--show-subkeys' is
    set.

- update to 2.4:
  * caff, gpg-key2latex, gpgsigs: Ignore "KEY_CONSIDERED" status
    output emitted by gpg 2.1.13 and later.
  * caff, gpgsigs: Allow input produced by gpgparticipants(1) using
    gpg 2.1.13.  With this version, key IDs are not displayed by
    default and the "Key fingerprint = " prefix is omitted.
  * caff:
    + Fix GnuPG version number comparison.
    + With GnuPG 2.1.13 or later, use gpgconf(1) to determine the
    socket paths.  (It is not used on earlier gpg since earlier
    gpgconf do not support --homedir.)  This fixes compatibility
    with GnuPG 2.1.13.
  + When ~/.caff/gnupghome/gpg.conf does not exist, instead of
    creating a temporary file (as it's done since signing-party 2.3),
    parse ~/.gnup/gpg.conf and pass the GnuPG options that are known
    to be safe  (and useful) for caff to gpg(1) using command line
    options. This soves the problem of lingering configuration files
    in case caff is killed.
  + Use full fingerprints internally to avoid collisions.
    (However $CONFIG{'keyid'} and $CONFIG{'local-users'} are kept
    to 64-bits key IDs as per RFC 4880 full fingerprints are not
    available in key signatures, and thus not exposed by
    `gpg --with-colons --list-sigs`.)
  + Automatically import the $CONFIG{'also-encrypt-to'} from the
    normal GnuPGHOME when possible.

- Rename pgpgring to avoid file conflict with mutt

- Build also pgpring

- Correct path to _defaultdocdir in caff(1)

- update to 2.3:
  * caff:
    + Deprecate $CONFIG{'keyserver'}.  Users of GnuPG <2.1 should
    put the option in caff's GnuPG configuration file
    (~/.caff/gnupghome/gpg.conf by default) instead. GnuPG 2.1
    delegates network access to another process (dirmngr), hence
    for 2.1 the keyserver should be set in ~/.gnupg/dirmngr.conf instead.
    + When caff's own GnuPG configuration file (~/.caff/gnupghome/gpg.conf)
    does not exist, automatically generate it with the GnuPG options found
    in ~/.gnup/gpg.conf that are known to be safe (and useful) for caff.
    This includes "keyserver", "keyserver-options", "ask-cert-level" and
    "cert-digest-algo" (among many others).  Hence in the absence of its own
    GnuPG configuration file caff now uses the certification options from
    the user's GnuPG configuration file.
    + Perl < 5.20 compatibiliey
    (drop caff-perl_5.18_compatibility.patch)
  * gpgsigs, gpg-key2latex:
    + Use "Noto Mono" as default font when compiling with XeLaTeX or LuaLaTeX;
    and "Noto Sans Mono CJK" as CJK font when compiling with XeLaTeX.
  * gpg-key2latex:
    + Don't show capabilities of the entire key when --show-subkeys is set.
    (Instead, the capabilities of the master key and each subkey are shown
    independently in uppercase.)
    + Enclose (sub)key capabilities in square brackets, to match GnuPG 2.1.11+'s
    output.
    + For ECDH, ECDSA, EDDSA (sub)keys, show the curve name instead of the
    public key algorithm and length.  This matches GnuPG 2.1.x's output.
    + The master key's fingerprint was incorrectly set to the last unusable
    (eg, expired or revoked) subkey fingerprint, if any.  (Closes: #815721)
  * keyart:
    + Print the public key algorithm and length as shown by GnuPG 2.1 (e.g.,
    "rsa4096" instead of "4096R"); for ECDH, ECDSA and EDDSA keys, show the
    curve name instead.

- update to 2.2:
  * caff:
    + "gpgparticipants"-formated input: accept key blocks not
    starting with a number such as
    [x] Fingerprint(s) OK        [x] ID OK
    This makes caff able to process the Debconf 15 KSP file.
  * gpglist:
    + Don't prune revoked UIDs with a subsequent selfsig.
    + Add an option '--show-revoked' to show revoked UIDs.
    + Mention in the manpage that the path to the gpg binary is
    taken from the GNUPGBIN environment variable, if defined.

- Require srm

- fix an incompatibility with perl 5.18 (boo#955986)
  * caff 2.x is using hash slices which were introduced in Perl 5.20
  * added caff-perl_5.18_compatibility.patch

- update to 2.1:
  * caff:
    + Only consider non-expired/invalid/revoked keys and UIDs when
    generating the caffrc.
    + Proper RFC 5322 validation of email addresses.
    + Prefix the signature by "-- \n" in the email template.
    + Automatically mkdir ~/.caff if it doesn't exit.

- update to 2.0 [boo#918402]
  * caff:
    + Fix broken compatibility with GnuPG 2.1 (2.1.3 and later only)
    + Default $CONFIG{'local-user'} to $CONFIG{'keyid'} rather than
    importing the public part of *all* keys found in the secret keyring.
    + error output handling improvements
    + Add a --debug flag to enable debug messages.
    + Send attachements and non RFC 2822 UIDs to *all* signed addresses, not
    only those for which the UID is exported.  This is useful when the
    signee has some already signed RFC 2822 UIDs and a freshly added
    attribute, for instance.
    + color ouput ($CONFIG{colors})
    + Prune keys with import-{clean,minimal} not export-{clean,minimal}.
    + Fix $CONFIG{'also-lsign-in-gnupghome'}: local signatures are directly
    imported from caff's GNUPGHOME to our own; in auto-lsign'ing mode, lsign
    UID for which we have an exportable signature (preserving the signer and
    cert level).
    + Pass the 'keyserver-options' specified in ~/.gnupg/gpg.conf to
    $CONFIG{keyserver} when it is left unset.
  * gpgsigs:
    + Add a legend with the different signature types.
    + Mark local signatures as 'L' (formerly they were marked as 'S'), and
    expiring -- but not expired -- signatures as 'x'.
  * caff, pgp-clean, pgp-fixkey, gpg-key2latex, gpg-key2ps, gpg-mailkeys,
    gpgdir, gpgparticipants, gpgsigs, keyart, keylookup:
    + Add the possibility to choose the gpg binary via the "GNUPGBIN"
    environment variable.  (Default: "gpg".)

- require new perl module in 1.1.12 perl-Net-IDN-Encode

- signing-party 1.1.12:
  * new keyart command
  * new options and commands
  * bug and compatibility fixes

- signing-party 2.11:
  * fixes for other distributions only

- remove cve-2019-11627.patchm included in tarball.
- update to version 2.10-1:
  * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
    shell injection via a User ID.  Use Perl's (core) module Encode.pm instead
    of shelling out to `iconv`. (Closes: #928256.)