freebsd-distinfo:
./utils/build-freebsd-distinfo
+macports-portfile:
+ ./utils/build-macports-portfile
+
clean:
# clean up old monkeysphere packages lying around as well.
rm -f monkeysphere_*
./utils/build-releasenote
test:
- ./tests/basic
+ MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/basic
.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test
--- /dev/null
+The Monkeysphere Project
+------------------------
+
+The Monkeysphere project's goal is to extend OpenPGP's web of trust to
+new areas of the Internet to help us securely identify each other
+while we work online.
+
+Specifically, monkeysphere currently offers a framework to leverage
+the OpenPGP web of trust for OpenSSH authentication.
+
+In other words, it allows you to use secure shell as you normally do,
+but to identify yourself and the servers you administer or connect to
+with your OpenPGP keys. OpenPGP keys are tracked via GnuPG, and
+monkeysphere manages the known_hosts and authorized_keys files used by
+OpenSSH for authentication, checking them for cryptographic validity.
- clean out some redundant "cat"s
- fix monkeysphere update-known_hosts for sshd running on non-standard
ports
+ - some portability improvements
+ * update Standard-Version to 3.8.1
- -- Jameson Graef Rollins <jrollins@finestructure.net> Wed, 18 Mar 2009 11:46:44 -0400
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Mon, 06 Apr 2009 22:20:55 -0700
monkeysphere (0.24-1) unstable; urgency=low
Maintainer: Jameson Graef Rollins <jrollins@finestructure.net>
Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Build-Depends: debhelper (>= 7.0), socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail
-Standards-Version: 3.8.0.1
+Standards-Version: 3.8.1
Homepage: http://web.monkeysphere.info/
Vcs-Git: git://git.monkeysphere.info/monkeysphere
Dm-Upload-Allowed: yes
# $Id$
PortSystem 1.0
-
name monkeysphere
version 0.24
-categories net
+categories net security
maintainers nomaintainer
-platforms darwin
description use the OpenPGP web of trust to verify ssh connections
-
long_description SSH key-based authentication is tried-and-true, \
but it lacks a true Public Key Infrastructure for \
key certification, revocation and expiration. \
used in both directions: for users to get \
validated host keys, and for hosts to authenticate \
users.
-
homepage http://web.monkeysphere.info/
-master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
-distname ${name}_${version}
-worksrcdir ${name}-${version}
-checksums md5 8590532f4702fa44027a6a583657c9ef
+platforms darwin
depends_run bin:ssh:openssh \
port:gnupg \
- port:perl5.10 \
- port:p5-crypt-rsa \
+ port:perl5 \
+ port:p5-crypt-openssl-rsa \
+ port:p5-crypt-openssl-bignum \
port:p5-digest-sha1 \
port:procmail
-build.target build
-destroot.args PREFIX=${destroot}${prefix} \
- CONFDIR=${destroot}${prefix}/etc/monkeysphere \
- DBDIR=${destroot}${prefix}/var/lib/monkeysphere \
- MANDIR=${destroot}${prefix}/share/man \
- DOCDIR=${destroot}${prefix}/share/doc/monkeysphere
+master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
+distname ${name}_${version}
+extract.suffix .orig.tar.gz
+worksrcdir ${name}-${version}
+checksums md5 8590532f4702fa44027a6a583657c9ef
+
+use_configure no
+
+post-build {
+ # update paths to SYS*DIRs
+ exec sed -i .tmp -e "s|/etc/monkeysphere|${prefix}/etc/monkeysphere|g" \
+ ${worksrcpath}/src/share/defaultenv \
+ ${worksrcpath}/src/transitions/0.23 \
+ ${worksrcpath}/man/man1/monkeysphere.1 \
+ ${worksrcpath}/man/man8/monkeysphere-authentication.8 \
+ ${worksrcpath}/man/man8/monkeysphere-host.8 \
+ ${worksrcpath}/etc/monkeysphere-authentication.conf
+ exec sed -i .tmp -e "s|/var/lib/monkeysphere|${prefix}/var/db/monkeysphere|g" \
+ ${worksrcpath}/src/transitions/0.23 \
+ ${worksrcpath}/man/man1/monkeysphere.1 \
+ ${worksrcpath}/man/man8/monkeysphere-authentication.8 \
+ ${worksrcpath}/man/man8/monkeysphere-host.8 \
+ ${worksrcpath}/src/monkeysphere-host \
+ ${worksrcpath}/src/monkeysphere-authentication \
+ ${worksrcpath}/doc/getting-started-admin.mdwn
+ exec sed -i .tmp -e "s|/usr/share/monkeysphere|${prefix}/share/monkeysphere|g" \
+ ${worksrcpath}/src/monkeysphere-host \
+ ${worksrcpath}/src/monkeysphere-authentication \
+ ${worksrcpath}/src/monkeysphere
+
+ # fix perl shebang line to point to macports perl install
+ exec sed -i .tmp -e "s|^#!/usr/bin/perl -T$|#!/opt/local/bin/perl -T|" \
+ ${worksrcpath}/src/share/keytrans
+
+ # remove leftover sed cruft
+ exec find ${worksrcpath} -name *.tmp -delete
+}
+
+destroot.destdir DESTDIR=${destroot}${prefix}
+destroot.args PREFIX=
+
+# variant to use the port version of bash, which may be much newer
+# than the one provided by the system
+variant port-bash description {use port version of Bash} {
+ depends_run-append port:bash
+}
+++ /dev/null
-diff -ruN gnutls26-2.4.1.orig/lib/opencdk/opencdk.h gnutls26-2.4.1/lib/opencdk/opencdk.h
---- gnutls26-2.4.1.orig/lib/opencdk/opencdk.h 2008-06-30 16:45:51.000000000 -0400
-+++ gnutls26-2.4.1/lib/opencdk/opencdk.h 2008-08-21 19:23:44.000000000 -0400
-@@ -214,7 +214,11 @@
- enum cdk_s2k_type_t {
- CDK_S2K_SIMPLE = 0,
- CDK_S2K_SALTED = 1,
-- CDK_S2K_ITERSALTED = 3
-+ CDK_S2K_ITERSALTED = 3,
-+ CDK_S2K_GNU_EXT = 101
-+ /* GNU S2K extensions: refer to DETAILS from GnuPG:
-+ http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/doc/DETAILS?root=GnuPG
-+ */
- };
-
-
-diff -ruN gnutls26-2.4.1.orig/lib/opencdk/read-packet.c gnutls26-2.4.1/lib/opencdk/read-packet.c
---- gnutls26-2.4.1.orig/lib/opencdk/read-packet.c 2008-06-30 16:45:51.000000000 -0400
-+++ gnutls26-2.4.1/lib/opencdk/read-packet.c 2008-08-21 19:30:09.000000000 -0400
-@@ -78,10 +78,35 @@
- }
-
-
--static int
-+/* read about S2K at http://tools.ietf.org/html/rfc4880#section-3.7.1 */
-+static cdk_error_t
- read_s2k (cdk_stream_t inp, cdk_s2k_t s2k)
- {
-- return CDK_Not_Implemented;
-+ size_t nread;
-+
-+ s2k->mode = cdk_stream_getc (inp);
-+ s2k->hash_algo = cdk_stream_getc (inp);
-+ if (s2k->mode == CDK_S2K_SIMPLE)
-+ return 0;
-+ else if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED)
-+ {
-+ if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread))
-+ return CDK_Inv_Packet;
-+ if (nread != DIM (s2k->salt))
-+ return CDK_Inv_Packet;
-+
-+ if (s2k->mode == CDK_S2K_ITERSALTED)
-+ s2k->count = cdk_stream_getc (inp);
-+ }
-+ else if (s2k->mode == CDK_S2K_GNU_EXT)
-+ {
-+ /* GNU extensions to the S2K : read DETAILS from gnupg */
-+ return 0;
-+ }
-+ else
-+ return CDK_Not_Implemented;
-+
-+ return 0;
- }
-
-
-@@ -194,6 +219,7 @@
- static cdk_error_t
- read_symkey_enc (cdk_stream_t inp, size_t pktlen, cdk_pkt_symkey_enc_t ske)
- {
-+ cdk_error_t ret;
- cdk_s2k_t s2k;
- size_t minlen;
- size_t nread, nleft;
-@@ -213,7 +239,9 @@
- return CDK_Out_Of_Core;
-
- ske->cipher_algo = cdk_stream_getc (inp);
-- s2k->mode = cdk_stream_getc (inp);
-+ ret = read_s2k(inp, s2k);
-+ if (ret != 0)
-+ return ret;
- switch (s2k->mode)
- {
- case CDK_S2K_SIMPLE : minlen = 0; break;
-@@ -225,18 +253,6 @@
- return CDK_Inv_Packet;
- }
-
-- s2k->hash_algo = cdk_stream_getc (inp);
-- if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED)
-- {
-- if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread))
-- return CDK_Inv_Packet;
-- if (nread != DIM (s2k->salt))
-- return CDK_Inv_Packet;
--
-- if (s2k->mode == CDK_S2K_ITERSALTED)
-- s2k->count = cdk_stream_getc (inp);
-- }
--
- ske->seskeylen = pktlen - 4 - minlen;
- /* We check if there is an encrypted session key and if it fits into
- the buffer. The maximal key length is 256-bit. */
-@@ -421,14 +437,19 @@
- rc = read_s2k (inp, sk->protect.s2k);
- if (rc)
- return rc;
-- sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo);
-- if (!sk->protect.ivlen)
-- return CDK_Inv_Packet;
-- rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread);
-- if (rc)
-- return rc;
-- if (nread != sk->protect.ivlen)
-- return CDK_Inv_Packet;
-+ /* refer to --export-secret-subkeys in gpg(1) */
-+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT)
-+ sk->protect.ivlen = 0;
-+ else {
-+ sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo);
-+ if (!sk->protect.ivlen)
-+ return CDK_Inv_Packet;
-+ rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread);
-+ if (rc)
-+ return rc;
-+ if (nread != sk->protect.ivlen)
-+ return CDK_Inv_Packet;
-+ }
- }
- else
- sk->protect.algo = sk->s2k_usage;
-@@ -476,6 +497,22 @@
- return CDK_Out_Of_Core;
- if (stream_read (inp, sk->encdata, sk->enclen, &nread))
- return CDK_Inv_Packet;
-+ /* Handle the GNU S2K extensions we know (just gnu-dummy right now): */
-+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT) {
-+ unsigned char gnumode;
-+ if ((sk->enclen < strlen("GNU") + 1) ||
-+ (0 != memcmp("GNU", sk->encdata, strlen("GNU"))))
-+ return CDK_Inv_Packet;
-+ gnumode = sk->encdata[strlen("GNU")];
-+ /* we only handle gnu-dummy (mode 1).
-+ mode 2 should refer to external smart cards.
-+ */
-+ if (gnumode != 1)
-+ return CDK_Inv_Packet;
-+ /* gnu-dummy should have no more data */
-+ if (sk->enclen != strlen("GNU") + 1)
-+ return CDK_Inv_Packet;
-+ }
- nskey = cdk_pk_get_nskey (sk->pk->pubkey_algo);
- if (!nskey)
- return CDK_Inv_Algo;
+++ /dev/null
-#!/bin/sh -e
-
-# build a patched version of GnuTLS version 2.4.x, including the
-# ability to parse and accept the GNU S2K extension known as
-# "gnu-dummy" (which doesn't have any secret key data at all)
-
-# Note: you probably want to prepare your build system in the
-# following way:
-
-# apt-get build-dep libgnutls26
-# aptitude install devscripts fakeroot
-
-# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Date: 2008-08-22 00:11:05-0400
-
-# Note: please run this from the current directory, so it can find and
-# transfer the patch it needs.
-
-set -e
-
-if ! dpkg -l devscripts fakeroot >/dev/null ; then
- exit 1
-fi
-
-workingdir=$(mktemp -d -p .)
-
-(cd "$workingdir" && apt-get source libgnutls26)
-
-cp ./*.diff "$workingdir/gnutls26-2.4".*/debian/patches/
-
-cd "$workingdir/gnutls26-2.4".*
-dch --local .s2kext --distribution experimental 'added patch to handle GNU extensions to S2K'
-debuild -uc -us -sa
-
-echo now you should:
-echo reprepro -C gnutls include experimental "$workingdir/"*.changes
gen-subkey (g) [KEYID] generate an authentication subkey
--length (-l) BITS key length in bits (2048)
ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand
+ --no-connect do not make TCP connection to host
subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
version (v) show version number
help (h,?) this help
local action="$1"
local file="$2"
- if ! ( which lockfile-create >/dev/null 2>/dev/null ) ; then
- if ! ( which lockfile >/dev/null ); then
+ if ! ( type lockfile-create &>/dev/null ) ; then
+ if ! ( type lockfile &>/dev/null ); then
failure "Neither lockfile-create nor lockfile are in the path!"
fi
use_lockfileprogs=
local shortunits
# try things the GNU way first
- if date -d "$number $longunits" "$format" >/dev/null 2>&1; then
+ if date -d "$number $longunits" "$format" &>/dev/null; then
date -d "$number $longunits" "$format"
else
# otherwise, convert to (a limited version of) BSD date syntax:
# hash of a file
file_hash() {
- md5sum "$1" 2> /dev/null
+ if type md5sum &>/dev/null ; then
+ md5sum "$1"
+ elif type md5 &>/dev/null ; then
+ md5 "$1"
+ else
+ failure "Neither md5sum nor md5 are in the path!"
+ fi
}
# convert escaped characters in pipeline from gpg output back into
local fifo="$2"
local PASS
- if [ "$DISPLAY" ] && which "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then
+ if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then
+ printf 'Launching "%s"\n' "${SSH_ASKPASS:-ssh-askpass}" | log info
+ printf '(with prompt "%s")\n' "$prompt" | log debug
"${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo"
else
read -s -p "$prompt" PASS
fi
# if the string is in the file...
- if grep -q -F "$string" "$file" 2> /dev/null ; then
+ if grep -q -F "$string" "$file" 2>/dev/null ; then
tempfile=$(mktemp "${file}.XXXXXXX") || \
failure "Unable to make temp file '${file}.XXXXXXX'"
path="$2"
# get the user's home directory
- userHome=$(getent passwd "$uname" | cut -d: -f6)
+ userHome=$(get_homedir "$uname")
# translate '%u' to user name
path=${path/\%u/"$uname"}
# return 2 if path has group or other writability
if is_write "$gAccess" || is_write "$oAccess" ; then
log error "improper group or other writability on path '$path':"
- log error " group: $gAccess, other: $oAcess"
+ log error " group: $gAccess, other: $oAccess"
return 2
fi
fi
}
+# return a list of all users on the system
+list_users() {
+ if type getent &>/dev/null ; then
+ # for linux and FreeBSD systems
+ getent passwd | cut -d: -f1
+ elif type dscl &>/dev/null ; then
+ # for Darwin systems
+ dscl localhost -list /Search/Users
+ else
+ failure "Neither getent or dscl is in the path! Could not determine list of users."
+ fi
+}
+
+# return the path to the home directory of a user
+get_homedir() {
+ local uname=${1:-`whoami`}
+ eval "echo ~${uname}"
+}
+
### CONVERSION UTILITIES
# output the ssh key for a given key ID
keyID="$1"
- gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
+ gpg --export "$keyID" | openpgp2ssh "$keyID" 2>/dev/null
}
# output known_hosts line from ssh key
echo 1,2,3,4,5 | \
gpg --quiet --batch --with-colons \
--command-fd 0 --keyserver "$KEYSERVER" \
- --search ="$userID" > /dev/null 2>&1
+ --search ="$userID" &>/dev/null
returnCode="$?"
return "$returnCode"
# hash from stdin to stdout
tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
- ssh-keygen -H -f "$tmpfile" 2> /dev/null
+ ssh-keygen -H -f "$tmpfile" 2>/dev/null
cat "$tmpfile" >> "$KNOWN_HOSTS"
rm -f "$tmpfile" "${tmpfile}.old"
else
# check permissions on the authorized_user_ids file path
check_key_file_permissions $(whoami) "$authorizedUserIDs" || failure
- if ! meat "$authorizedUserIDs" > /dev/null ; then
+ if ! meat "$authorizedUserIDs" >/dev/null ; then
log debug " no user IDs to process."
return
fi
-#!/usr/bin/perl -w -T
+#!/usr/bin/perl -T
# keytrans: this is an RSA key translation utility; it is capable of
# transforming RSA keys (both public keys and secret keys) between
########### Math/Utility Functions ##############
-# see the bottom of page 43 of RFC 4880
+# see the bottom of page 44 of RFC 4880 (http://tools.ietf.org/html/rfc4880#page-44)
sub simple_checksum {
my $bytes = shift;
- return unpack("%32W*",$bytes) % 65536;
+ return unpack("%16C*",$bytes);
}
# calculate the multiplicative inverse of a mod b this is euclid's
# setup the temp fifo dir for retrieving the key password
log debug "creating password fifo..."
fifoDir=$(msmktempdir)
- trap "rm -rf $fifoDir" EXIT
(umask 077 && mkfifo "$fifoDir/pass")
- log verbose "generating subkey..."
+ # FIXME: are we adequately cleaning up any trailing gpg process here?
+ trap "rm -rf $fifoDir; kill %% || true" EXIT
echo "$editCommands" | gpg_user --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &
+ log debug "Prompting for passphrase"
# FIXME: this needs to fail more gracefully if the passphrase is incorrect
passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass"
+ log info "Generating subkey. This may take a long time..."
trap - EXIT
rm -rf "$fifoDir"
# CHECK_KEYSERVER variable in the monkeysphere.conf file.
# if the host is in the gpg keyring...
-if gpg_user --list-key ="${URI}" 2>&1 >/dev/null ; then
+if gpg_user --list-key ="${URI}" &>/dev/null ; then
# do not check the keyserver
CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"}
# exec a netcat passthrough to host for the ssh connection
if [ -z "$NO_CONNECT" ] ; then
- if (which nc 2>/dev/null >/dev/null); then
+ if (type nc &>/dev/null); then
exec nc "$HOST" "$PORT"
- elif (which socat 2>/dev/null >/dev/null); then
+ elif (type socat &>/dev/null); then
exec socat STDIO "TCP:$HOST:$PORT"
else
echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2
local kname
# if there's no agent running, don't bother:
- if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then
+ if [ -z "$SSH_AUTH_SOCK" ] || ! type ssh-add >/dev/null ; then
failure "No ssh-agent available."
fi
if [ -z "$CORE_FPR" ] ; then
log info "setting up Monkeysphere authentication trust core..."
- local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | perl -MMIME::Base64 -ne 'print encode_base64($_)'))
+ local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(dd if=/dev/urandom bs=21 count=1 | perl -MMIME::Base64 -ne 'print encode_base64($_)'))
- log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..."
+ printf "generating monkeysphere authentication trust core key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug
PEM2OPENPGP_USAGE_FLAGS=certify \
PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
| gpg_core --import \
unames="$@"
else
# or just look at all users if none specified
- unames=$(getent passwd | cut -d: -f1)
+ unames=$(list_users)
fi
# set mode
export MONKEYSPHERE_CORE_KEYLENGTH=1024
export MONKEYSPHERE_PROMPT=false
+# unset SUBKEYS_FOR_AGENT variable which, if set, would confuse the
+# into trying to use the user's key, instead of the testuser's key
+unset MONKEYSPHERE_SUBKEYS_FOR_AGENT
+
export SSHD_CONFIG="$TEMPDIR"/sshd_config
export SOCKET="$TEMPDIR"/ssh-socket
echo
echo "##################################################"
echo "### configuring testuser home..."
-cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
+(cd "$TESTDIR"/home && find testuser | cpio -pdu "$TEMPDIR")
+
# set up environment for testuser
export TESTHOME="$TEMPDIR"/testuser
export GNUPGHOME="$TESTHOME"/.gnupg
echo
echo "##################################################"
echo "### configuring admin home..."
-cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
+(cd "$TESTDIR"/home && find admin | cpio -pdu "$TEMPDIR")
# set up sshd
echo
failed_cleanup() {
# FIXME: can we be more verbose here?
echo 'FAILED!'
- if [ "$MONKEYSPHERE_TEST_ALLOW_EXAMINATION" = prompt ] ; then
+ if [ -z "$MONKEYSPHERE_TEST_NO_EXAMINE" ] ; then
read -p "press enter to cleanup and remove tmp (or type bash for a subshell to examine): " XX
if [ "$XX" = bash ] ; then
echo "Entering subshell..."
--- /dev/null
+#!/bin/bash -e
+
+PORTFILE="packaging/macports/Portfile"
+
+VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+MD5=`md5sum monkeysphere_${VERSION}.orig.tar.gz | awk '{ print $1 }'`
+
+sed -i~ 's/^version.*$/version '"$VERSION"/ "$PORTFILE"
+sed -i~ 's/^checksums.*$/checksums md5 '"$MD5"/ "$PORTFILE"
git add website/download.mdwn
gpg --verify website/download.mdwn
+
+printf "please remember to add the new version to the bugtracker:\n https://labs.riseup.net/code/projects/settings/monkeysphere\n"
* create debian-specific version tag:
git tag -s -m 'Tagging Monkeysphere $whatever-1' monkeysphere_$whatever-1
+
+ * update FreeBSD and Macports info:
+
+ make freebsd-distinfo
+ make macports-portsfile
+
+ (probably should consider tagging these ports as well to make them
+ easy to recover)
+
+ * remember to add the new version (n + 1) to the bugtracker if it's
+ not already:
+
+ https://labs.riseup.net/code/projects/settings/monkeysphere
[[meta title="GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys"]]
+-----
+
+**2009-04-05 UPDATE:** Since Monkeysphere no longer depends on GnuTLS
+at all ([moved to using Perl for key
+translation](news/release-0.24-1)), and GnuTLS 2.6 is now available in
+Debian testing, we have removed the GnuTLS patches from the repostiory
+(although they will continue to be available in the history, or
+course).
+
+-----
+
We [announced earlier](/news/modified-gnutls-2.4.x-available) that the
Monkeysphere project was providing patched versions of GnuTLS to
support one piece of Monkeysphere functionality. Fortunately, those