Adding debian version 1.9.14-2.

Signed-off-by: Daniel Baumann <daniel@debian.org>

debian/README.Debian

@@ -0,0 +1,74 @@
+Debian specific notes regarding haveged
+=======================================
+
+Concerns regarding the RDTSC instructions in virtualized environments
+---------------------------------------------------------------------
+
+PolarSSL issued a security advisory on 2011-12-05 regarding their
+implementation of the HAVEGE random generator and virtualized environment:
+<https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02>
+
+When asked if the issue also applied to haveged, Gary Wuertz — haveged author —
+replied:
+
+First, there are significant differences between the polarssl and haveged
+implementations of HAVEGE. In general, haveged works much harder to provoke
+timing variations in the host (larger collection buffer, tuning collection code
+and walk table to the host L1 caches). See comparison below.
+I think items d) and e) in the comparison are items where polarssl is
+particularly weak.
+
+Second, since V1.5 haveged includes run time testing of haveged output. This is
+the only definitive way to deal with a poor timing source (virtual or
+otherwise). The test procedures are adapted from the German CC body, see:
+http://www.issihosts.com/haveged/ais31.html
+
+By default, AIS procedures A and B are run at start up and AIS procedure B is
+run continuously by the daemon. Procedure A is intended to detect statistical
+anomalies - it includes running the FIPS140-1 tests 257 times on successive
+20,000 bit samples and an auto-correlation test. Procedure B runs a series of
+bit distribution tests of a more theoretical nature, terminating with an
+entropy estimate on a 256000+2560 bit sample using Coron's estimator.
+Dispensing with procedure A during continuous tests is a performance
+enhancement. haveged output gets mixed with other sources in /dev/random and as
+long as haveged does not lie about the entropy it is feeding into the pool, all
+should be fine.
+
+AIS31 defines a retry strategy that a ideal generator should never fail, so any
+haveged testing failure terminates output. Note that the test procedures
+are not synchronized with collection but all haveged output is guaranteed to
+come from a buffer not containing any failed individual test.
+
+Comparison of the polarssl and haveged implementations of HAVEGE
+
+a) Both use approximately the same collection code:
+
+ * PolarSSL: havege.c inline macro
+ * haveged: oniteration.h
+
+b) Adaptation of collection code to host:
+
+ * PolarSSL: static
+   - collection buffer: 1024*sizeof(int),
+   - walk table: 8192 * sizeof(int),
+   - fill loop: 4 iterations
+ * haveged: dynamic (built in tuning or invocation parameters)
+   - collection buffer: 512*1024*sizeof(int32) (default, adjustable),
+   - walk table: (4K *sizeof(int32)) + (2 * size of L1 data cache) ,
+   - fill loop: number of iterations in that fit in a minimum of L1 instruction
+                cache or 64K (approximately)
+
+c) Timer source
+
+ * PolarSSL: hardware cycle counter, gettimeofday() fallback
+ * haveged: hardware cycle counter, clock_gettime() fallback
+
+d) Collector warmup
+
+ * PolarSSL: 1 fill
+ * haveged: 32 fills plus self test
+
+e) Run time testing
+
+ * PolarSSL: none
+ * haveged: Continuous and start-up AIS-31 tests (configurable)

debian/README.source

@@ -0,0 +1,13 @@
+README.source for the haveged package
+=====================================
+
+haveged is managed in a Git repository using git-buildpackage using
+pristine-tar. Quilt patches are managed using gbp-pq.
+Packaging practices also follow most of the advices provided by Russ Allbery
+at: http://www.eyrie.org/~eagle/notes/debian/git.html
+
+The branches are organized as follow:
+
+  * upstream: imports of upstream tarballs
+  * patch-queue/*: branches exported to quilt patches (handled by gbp-pq)
+  * master: export of patch-queue/* branches and Debian specific changes

debian/changelog

@@ -0,0 +1,411 @@
+haveged (1.9.14-2) unstable; urgency=low
+
+  * New maintainer (Closes: #1087263).
+
+ -- Daniel Baumann <daniel@debian.org>  Sun, 10 Nov 2024 15:27:58 +0100
+
+haveged (1.9.14-1) unstable; urgency=low
+
+  * New upstram version (2021-01-01)
+    Added --version and new subcommand to close communication socket
+
+  * Upgrade to debhelper compatibility level 13
+    dh_missing --fail-missing is now the default.
+
+  * d/control: Declare compliance with policy v4.5.1.
+    No change needed.
+
+ -- nicoo <nicoo@debian.org>  Thu, 14 Jan 2021 00:56:44 +0100
+
+haveged (1.9.13-1) unstable; urgency=medium
+
+  [ nicoo ]
+  * New upstream version (2020-06-28)
+    + added support for --version [Jirka Hladky]
+    + fix a memory leak in havege_destroy [Anakin Zhang]
+    + libhavege2: Update symbols file
+
+  * Setup Salsa CI for the packaging repository
+  * haveged: Simplify handling of the Apparmor profile
+
+  [ Dan Streetman ]
+  * Add consoles to apparmor profile
+    Support outputting logs when running inside a container
+  * Improve autopkgtests.
+  * Remove -w parameter from /etc/default/haveged
+
+  [ Debian Janitor ]
+  * Add missing ${misc:Depends} to Depends for haveged-udeb.
+  * Set upstream metadata fields
+    Bug-Database, Bug-Submit, Repository, Repository-Browse.
+
+ -- nicoo <nicoo@debian.org>  Wed, 25 Nov 2020 02:09:10 +0100
+
+haveged (1.9.8-4) unstable; urgency=high (RC bug fix)
+
+  * debian/haveged.service: Break ordering cycle
+    Drop ordering constraint with systemd-journald
+    Closes: #950418, #950540
+
+  * debian/control: Build-Depends on debhelper (>= 12.3)
+    Closes: #944040
+
+ -- nicoo <nicoo@debian.org>  Fri, 07 Feb 2020 14:34:56 +0100
+
+haveged (1.9.8-3) unstable; urgency=medium
+
+  * debian/haveged.service
+    + Sync with upstream's version
+      - Service ordering changes
+        - Start after systemd-tmpfiles-setup-dev.service
+          This is required, otherwise /dev/random might not yet exist.
+        - Start before systemd-journald
+        - Set WantedBy=sysinit.target (rather than multi-user.target)
+      - Drop `NoNewPrivileges` (useless, as haveged keeps running as root)
+      - Update SuccessExitStatus
+      - Always restart the service
+      - Allow running haveged in containers
+      - Normalise on Boolean “true” instead of “yes”
+
+    + Tighten-down security settings
+      - Apply a syscall filter to the service
+      - Set ProtectHostname, ProtectKernel{Logs,Modules}
+      - Set Restrict{Namespaces,Realtime}, preventing access to
+        potentially-vulnerable kernel features.
+      - Set LockPersonality, MemoryDenyWriteExecute
+
+
+  * Declare compliance with policy v4.5.0.
+    No change required.
+
+  * Remove obsolete debian/source/include-binaries
+
+ -- nicoo <nicoo@debian.org>  Fri, 31 Jan 2020 05:16:40 +0100
+
+haveged (1.9.8-2) unstable; urgency=medium
+
+  * Fix haveged-udeb by bumping SONAME in shlibs.local; otherwise, the
+    udeb would get a dependency on non-udeb libhavege2, rendering it
+    uninstallable and breaking d-i builds (Closes: #944189).
+
+ -- Cyril Brulebois <kibi@debian.org>  Tue, 05 Nov 2019 16:53:59 +0000
+
+haveged (1.9.8-1) unstable; urgency=high (systemd boot fix)
+
+  [nicoo]
+  * New upstream version 1.9.8  (Closes: #934971)
+    + Remove patches merged upstream
+    + libhavege: Update symbols file, bump soname.
+      Upstream removed visibility of havegecmd in v1.9.7, which is ABI-breaking.
+
+  * debian/watch
+    + Deal with new release tag names
+    + Stop expecting signed releases.
+      Upstream stopped signing releases, this is a known issue:
+        https://github.com/jirka-h/haveged/issues/2
+
+  * debian/rules: Fixup for debhelper/12.3
+    dh_makeshlibs now detects the library in haveged-udeb, but complains it
+    is not shipped in haveged (since it's shipped in libhavege2)
+
+  * debian/control
+    + Use HTTPS for the Homepage link.
+    + Declare compliance with policy v4.4.1.
+      No change required.
+
+  [Dan Streetman]
+  * haveged.service: do not order After=systemd-random-seed.service
+    Upstream systemd has recently changed systemd-random-seed.serivce to
+    no longer be ordered before sysinit.target.
+    However, since haveged orders itself After=systemd-random-seed and also
+    Before=sysinit.service, it is now causing boot delays:
+      https://github.com/systemd/systemd/issues/13252
+    Closes: #938939
+
+ -- nicoo <nicoo@debian.org>  Wed, 16 Oct 2019 21:13:07 +0200
+
+haveged (1.9.4-2) unstable; urgency=medium
+
+  * haveged.service: Set WantedBy=multi-user.target (Closes: #934165)
+  * Patch reliability issue (segfault on start)
+
+ -- nicoo <nicoo@debian.org>  Thu, 15 Aug 2019 14:18:48 +0200
+
+haveged (1.9.4-1) unstable; urgency=medium
+
+  [ nicoo ]
+  * New upstream version 1.9.4 (Closes: #906294)
+
+  * Add myself as an uploader
+  * New upstream maintainer
+    + Update debian/copyright, debian/watch
+    + Switch to new-style upstream signing keys, update signing keys
+    + Forward Debian patches (as Github PRs), update patch metadata
+
+  * Amend the changelog for 1.9.1-6.
+    It should have closed #866513, as the start ordering issue was likely the
+    problem.
+
+  * libhavege1
+    + Add Build-Depends-Package to symbols file
+    + Update symbols file
+
+  * Comply with policy v4.4.0
+    + Set Rules-Requires-Root: no
+    + Install the upstream changelog as NEWS.gz
+    + debian/copyright: Use HTTPS format URI
+
+  * debian/control
+    + Replace `Priority: extra` with `optional`
+    + Drop obsolete -dbg package (Closes: #874627)
+    + Add missing Pre-Depends for haveged
+
+  * debian/gbp.conf
+    + Update the name of the debian branch
+    + Enable use of pristine-tar by default
+
+  * Switch to debhelper 12, remove the old-style debian/compat file
+  * Add missing installed paths, not-installed, make dh_missing failing
+  * Simplify debian/rules
+
+  [ Ondřej Nový ]
+  * d/control: Set Vcs-* to salsa.debian.org
+
+ -- nicoo <nicoo@debian.org>  Wed, 14 Aug 2019 16:34:34 +0200
+
+haveged (1.9.1-8) unstable; urgency=medium
+
+  * Update apparmor profile: add write access to /run/haveged.pid as that
+    would get DENIED when running under sysvinit (Closes: #911604). That's
+    not an issue when running under systemd as PID file handling isn't
+    needed there.
+
+ -- Cyril Brulebois <kibi@debian.org>  Sat, 13 Jul 2019 01:36:24 +0200
+
+haveged (1.9.1-7) unstable; urgency=medium
+
+  [ Cyril Brulebois ]
+  * Add haveged-udeb, for use from the Debian Installer (See: #923675,
+    Closes: #927376).
+  * Bundle the daemon and the library in haveged-udeb, since the daemon
+    is the only user of the libhavege.so.1 SONAME.
+
+  [ Ondřej Nový ]
+  * d/control: Set Vcs-* to salsa.debian.org
+
+ -- Cyril Brulebois <kibi@debian.org>  Fri, 19 Apr 2019 18:29:05 +0200
+
+haveged (1.9.1-6) unstable; urgency=high
+
+  * Start haveged.service after systemd-tmpfiles-setup.service has been run.
+    Many thanks to Jan Echternach for reporting the problem and suggesting
+    a fix. (Closes: #858134, #866513)
+
+ -- Jérémy Bobbio <lunar@debian.org>  Mon, 17 Jul 2017 18:05:45 +0200
+
+haveged (1.9.1-5) unstable; urgency=medium
+
+  * Fix URL in Homepage control field.
+  * Fix URL in debian/watch.
+  * Declare libhavege-dev Multi-Arch:same.
+  * Add autopkgtest testing effectiveness using using dieharder.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Wed, 30 Nov 2016 15:49:36 +0100
+
+haveged (1.9.1-4) unstable; urgency=medium
+
+  * Non-maintainer upload, with maintainer's agreement.
+  * Add Suggests: apparmor
+  * Fix start ordering with AppArmor under systemd (Closes: #824179).
+  * Fixes all Lintian warnings:
+    - Bump Standards-Version to 3.9.8.
+    - Use hardened build flags.
+    - Use HTTPS for remote VCS links.
+    - Fix typos in manpages.
+  * Mark patches as forwarded upstream.
+
+ -- nicoo <nicoo@debian.org>  Sat, 25 Jun 2016 11:17:52 +0200
+
+haveged (1.9.1-3) unstable; urgency=medium
+
+  * Fix spelling of SecureBits value in service file. Thanks Sven Hartge for
+    the report and solution. (Closes: #798090)
+
+ -- Jérémy Bobbio <lunar@debian.org>  Sun, 06 Sep 2015 20:40:09 +0200
+
+haveged (1.9.1-2) unstable; urgency=medium
+
+  [ Jérémy Bobbio ]
+  * Add a patch to prevent a watermark higher than the pool size.
+    (Closes: #740117)
+  * Teach haveged normal exit code to systemd. Thanks Markus Schade.
+    (Closes: #781585)
+  * Restore support for the default file with systemd. Thanks Markus Schade.
+    (Closes: #740349)
+  * Limit privileges when running with systemd. Thanks Micah Anderson.
+    (Closes: #771633)
+  * Start haveged early in the boot process when using systemd. Borrowed from
+    openSUSE. Thanks Christian Boltz for the pointer.
+  * Fix minor issue in debian/copyright spotted by Lintian.
+  * Bump Standards-Version, no changes required.
+
+  [ nicoo ]
+  * Add AppArmor profile. (Closes: #796374)
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 04 Sep 2015 20:24:19 +0200
+
+haveged (1.9.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.9.1. (Closes: #739403)
+  * Add upstream signature verification to debian/watch.
+  * Update debian/copyright.
+  * Update symbol file.
+  * Bump Standards-Version, no changes required.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Wed, 26 Feb 2014 11:39:40 +0000
+
+haveged (1.7c-1) unstable; urgency=low
+
+  * Imported Upstream version 1.7c:
+    - Remove obsolete patch for MIPS alignment issues.
+  * Ship a systemd service file using dh-systemd
+
+ -- Jérémy Bobbio <lunar@debian.org>  Tue, 20 Aug 2013 09:09:43 +0200
+
+haveged (1.7b-2) unstable; urgency=low
+
+  * Add a patch to fix alignment issues on MIPS.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 07 Jun 2013 23:19:42 +0200
+
+haveged (1.7b-1) unstable; urgency=low
+
+  * New upstream version.
+  * Refer to the file with the actual GPL version in debian/copyright.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 07 Jun 2013 12:00:31 +0200
+
+haveged (1.7a-1) unstable; urgency=low
+
+  * New upstream version.
+  * Include improved debian/watch from Bart Martens.
+  * Bump Standards-Version to 3.9.4, no changes required.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Tue, 07 May 2013 08:50:31 +0000
+
+haveged (1.7-1) experimental; urgency=low
+
+  * New upstream version:                              (Closes: #689673)
+    - Since haveged 1.5, entropy is tested at runtime. (Closes: #651980)
+  * Refresh Debian patches.
+  * Update debian/copyright.
+  * Add missing license paragraph in debian/copyright.
+  * Switch to debhelper compatibility level 9 for hardening and multi-arch.
+  * Switch to multiple binary packages as upstream has extracted most
+    features to a library. We now ship libhavege1, libhavege1-dbg and
+    libhavege-dev on top of haveged itself.
+  * Add upstream answers to concerns regarding HAVEGE in virtualized
+    environments in README.Debian.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Mon, 11 Feb 2013 14:18:59 +0100
+
+haveged (1.4-4) unstable; urgency=low
+
+  * Disable NIST test suite on mips and mipsel as it takes way
+    too long on these architectures. At least long enough to prevent the
+    package build to complete properly.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 13 Apr 2012 15:58:39 +0200
+
+haveged (1.4-3) unstable; urgency=low
+
+  * Add patch by Sven Hartge to overcome mips build failures:
+    let's make the CUSUM and RANDOM EXCURSION tests be a little more
+    verbose about their progress. That should help us stay under the 5
+    allowed minutes of inactivity.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Tue, 10 Apr 2012 21:48:13 +0200
+
+haveged (1.4-2) unstable; urgency=low
+
+  * Restore patch to remove broken support for CPUID on ia64.
+  * Update Format line in debian/copyright.
+  * Bump Standards-Version to 3.9.3, no changes required.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 06 Apr 2012 17:44:55 +0200
+
+haveged (1.4-1) unstable; urgency=low
+
+  * New upstream version. (Closes: #660198)
+  * Drop obsolete Debian patches.
+  * Refresh debian/copyright.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 17 Feb 2012 13:20:51 +0100
+
+haveged (1.3a-1) unstable; urgency=low
+
+  * New upstream version. (Closes: #657683)
+
+ -- Jérémy Bobbio <lunar@debian.org>  Mon, 30 Jan 2012 12:52:28 +0100
+
+haveged (1.1-2) unstable; urgency=low
+
+  * Simplify extended description.
+  * Remove buggy support for CPUID on ia64.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Sun, 24 Apr 2011 21:38:20 +0200
+
+haveged (1.1-1) unstable; urgency=low
+
+  [ Sven Hartge ]
+  * New upstream release. (Closes: #563938, #594379)
+  * Build with default gcc. (Closes: #594284)
+  * Correct LSB header, use $remote_fs instead of $local_fs twice.
+    (Closes: #587535)
+
+  [ Jérémy Bobbio ]
+  * Take over maintenance.
+  * Update debian/copyright.
+  * Use debhelper 7 properly in debian/rules.
+  * Remove useless debian/dirs and empty maintainer scripts.
+  * Don't ship an empty NEWS file.
+  * Remove the article from the start of the short description.
+  * Bump Standards-Version, no changes required.
+  * Rework initscript and default files.
+  * Fix "haveged" casing in extended description.
+  * Switch package source format to 3.0 (quilt).
+  * Implement a generic time retrieval function. (Closes: #576375)
+  * Also test haveged using NIST tests.
+  * Fix Architecture field in debian/control (haveged is Linux only).
+  * Add Vcs-* fields to debian/control.
+  * Add debian/README.source.
+
+ -- Jérémy Bobbio <lunar@debian.org>  Fri, 15 Apr 2011 15:39:43 +0200
+
+haveged (0.9-3) unstable; urgency=low
+
+  * Cleaned up init.d script dependencies: missing $remote_fs (lintian
+    warning), extraneous $named and $network
+  * Added debian/watch file (lintian warning)
+  * Re-enabled STARTTIME= in debian/init.d (Closes: #565755)
+
+ -- Steve Kostecke <steve@debian.org>  Wed, 20 Jan 2010 16:14:22 -0500
+
+haveged (0.9-2) unstable; urgency=low
+
+  * Removed '--' from init script start_daemon line. It was preventing
+    haveged from using the options passed from the default file.
+  * Set '-w 1024' in the defaults file to raise the low water mark and
+    increase the average depth of the entropy pool.
+  * Added build-dep for gcc-4.3 (Closes: #563938). Thanks to Sven Hartge
+    for solving this.
+  * Replaced dh_clean -k with dh_prep (lintian warning)
+  * Updated standards to 3.8.3
+
+ -- Steve Kostecke <steve@kostecke.net>  Sun, 17 Jan 2010 21:34:39 -0500
+
+haveged (0.9-1) unstable; urgency=low
+
+  * Initial release (Closes: #559096)
+
+ -- Steve Kostecke <steve@debian.org>  Tue, 01 Dec 2009 16:00:55 -0500

debian/control

@@ -0,0 +1,69 @@
+Source: haveged
+Section: misc
+Priority: optional
+Maintainer: Daniel Baumann <daniel@debian.org>
+Uploaders: nicoo <nicoo@debian.org>
+Build-Depends: debhelper-compat (= 13), dh-apparmor
+Standards-Version: 4.5.1
+Homepage: https://issihosts.com/haveged/
+Vcs-Git: https://salsa.debian.org/debian/haveged.git
+Vcs-Browser: https://salsa.debian.org/debian/haveged
+Rules-Requires-Root: no
+
+Package: haveged
+Architecture: linux-any
+Pre-Depends: ${misc:Pre-Depends}
+Depends: lsb-base (>= 3.2-14), ${shlibs:Depends}, ${misc:Depends}
+Suggests: apparmor
+Description: Linux entropy source using the HAVEGE algorithm
+ haveged is a userspace entropy daemon which is not dependent upon the
+ standard mechanisms for harvesting randomness for the system entropy
+ pool. This is important in systems with high entropy needs or limited
+ user interaction (e.g. headless servers).
+ .
+ haveged uses HAVEGE (HArdware Volatile Entropy Gathering and Expansion)
+ to maintain a 1M pool of random bytes used to fill /dev/random
+ whenever the supply of random bits in dev/random falls below the low
+ water mark of the device.
+ .
+ More information about HAVEGE is available at
+ http://www.irisa.fr/caps/projects/hipsor/
+
+Package: libhavege2
+Section: libs
+Architecture: linux-any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Description: entropy source using the HAVEGE algorithm - shared library
+ libhavege is a library that implements the HAVEGE (HArdware Volatile Entropy
+ Gathering and Expansion). It provides a random number generator and it's
+ associated tuning and testing factilities.
+ .
+ More information about HAVEGE is available at
+ http://www.irisa.fr/caps/projects/hipsor/
+ .
+ This package contains the shared library.
+
+Package: libhavege-dev
+Section: libdevel
+Architecture: linux-any
+Multi-Arch: same
+Depends: libhavege2 (= ${binary:Version}), ${misc:Depends}
+Description: entropy source using the HAVEGE algorithm - development files
+ libhavege is a library that implements the HAVEGE (HArdware Volatile Entropy
+ Gathering and Expansion). It provides a random number generator and it's
+ associated tuning and testing factilities.
+ .
+ More information about HAVEGE is available at
+ http://www.irisa.fr/caps/projects/hipsor/
+ .
+ This package contains the development files.
+
+Package: haveged-udeb
+Package-Type: udeb
+Section: debian-installer
+Architecture: linux-any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Linux entropy source using the HAVEGE algorithm -- udeb
+ This package is for use in the Debian Installer.

debian/copyright

@@ -0,0 +1,87 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: haveged
+Source: https://github.com/jirka-h/haveged/
+
+Files: *
+Copyright: 2009-2017 Gary Wuertz <gary@issiweb.com>
+           2018      Jirka Hladky <hladky.jiri@gmail.com>
+License: GPL-3+
+
+Files: debian/*
+Copyright: 2009-2012 Steve Kostecke <steve@debian.org>
+           2011-2017 Jérémy Bobbio  <lunar@debian.org>
+           2016-2019 nicoo          <nicoo@debian.org>
+           2019      Cyril Brulebois <kibi@debian.org>
+License: GPL-3+
+
+Files: src/havege.c src/havege.h
+       src/havegecollect.c src/havegecollect.h
+       src/haveged.c
+       src/havegetune.c
+Copyright: 2009-2014 Gary Wuertz <gary@issiweb.com>
+           2011-2012 BenEleventh Consulting manolson@beneleventh.com
+License: GPL-3+
+
+Files: src/havegetest.c
+       src/havegetest.h
+Copyright: 2014 Gary Wuertz <gary@issiweb.com>
+           2012 BenEleventh Consulting manolson@beneleventh.com
+License: GPL-3+
+
+Files: src/cpuid-43.h
+Copyright: 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
+License: GPL-3+
+
+Files: contrib/diags/data_prep.c
+Copyright: 2009-2011 Gary Wuertz <gary@issiweb.com>
+                2011 BenEleventh Consulting <manolson@beneleventh.com>
+License: GPL-3+
+
+Files: init.d/sysv.lsb init.d/sysv.redhat
+Copyright: 2011-2012 Gary Wuertz <gary@issiweb.com>
+           2011-2012 Jirka Hladky <hladky_dot_jiri_at_gmail_com>
+License: GPL-3+
+
+Files: nist/dfft.c
+Copyright: Public Domain
+License: public-domain
+ As the original fortran libraries are public domain, the C Fourier
+ routines in this file are hereby released to the public domain as
+ well.
+
+Files: nist/mconf.h
+Copyright: 1984, 1987, 1989, 1995 Stephen L. Moshier
+License: permissive-mconf
+ Some software in this archive may be from the book _Methods and
+ Programs for Mathematical Functions_ (Prentice-Hall or Simon & Schuster
+ International, 1989) or from the Cephes Mathematical Library, a
+ commercial product. In either event, it is copyrighted by the author.
+ What you see here may be used freely but it comes with no support or
+ guarantee.
+
+Files: nist/packtest.c
+Copyright: 1999 National Institute Of Standards & Technology
+License: permissive-nist
+ Permission to use, copy, and modify this software without
+ fee is hereby granted, provided that this entire notice is
+ included in all copies of any software which is or includes
+ a copy or modification of this software and in all copies
+ of the supporting documentation for such software.
+
+License: GPL-3+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License can be found in `/usr/share/common-licenses/GPL-3'.

debian/gbp.conf

@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = sid
+pristine-tar = True

debian/haveged-udeb.install

@@ -0,0 +1,2 @@
+usr/sbin/haveged
+usr/lib/*/libhavege.so.*

debian/haveged.default

@@ -0,0 +1,4 @@
+# Configuration file for haveged
+
+# Options to pass to haveged:
+#DAEMON_ARGS=""

debian/haveged.docs

@@ -0,0 +1 @@
+README

debian/haveged.init.d

@@ -0,0 +1,100 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          haveged
+# Required-Start:    $remote_fs
+# Required-Stop:     $remote_fs
+# Should-Start:      $syslog
+# Should-Stop:       $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Entropy daemon using the HAVEGE algorithm
+# Description:       haveged uses HAVEGE (HArdware Volatile Entropy Gathering
+#                    and Expansion) to maintain a pool of random bytes used
+#                    to fill /dev/random whenever necessary.
+### END INIT INFO
+
+# Do NOT "set -e"
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="entropy daemon"
+NAME=haveged
+DAEMON=/usr/sbin/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+. /lib/lsb/init-functions
+
+do_start()
+{
+	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+}
+
+do_stop()
+{
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+case "$1" in
+    start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+	    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+	    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+    stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+	    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+    status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+    restart|force-reload)
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	    0|1)
+		do_start
+		case "$?" in
+		    0) log_end_msg 0 ;;
+		    1) log_end_msg 1 ;; # Old process is still running
+		    *) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	    *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+    *)
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:

debian/haveged.install

@@ -0,0 +1,4 @@
+usr/sbin/haveged
+usr/share/man/man8/haveged.8
+
+debian/usr.sbin.haveged /etc/apparmor.d/

debian/haveged.service

@@ -0,0 +1,33 @@
+[Unit]
+Description=Entropy Daemon based on the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+After=apparmor.service systemd-tmpfiles-setup.service systemd-tmpfiles-setup-dev.service
+Before=sysinit.target shutdown.target
+
+[Service]
+EnvironmentFile=-/etc/default/haveged
+ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
+Restart=always
+SuccessExitStatus=137 143
+SecureBits=noroot-locked
+CapabilityBoundingSet=CAP_SYS_ADMIN
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RestrictNamespaces=true
+RestrictRealtime=true
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@basic-io @file-system @io-event @network-io @signal
+SystemCallFilter=arch_prctl brk ioctl mprotect sysinfo
+
+[Install]
+WantedBy=sysinit.target

debian/libhavege-dev.install

@@ -0,0 +1,4 @@
+usr/share/man/man3/libhavege.3
+usr/include/haveged/*.h
+usr/lib/*/libhavege.a
+usr/lib/*/libhavege.so

debian/libhavege2.install

@@ -0,0 +1 @@
+usr/lib/*/libhavege.so.*

debian/libhavege2.symbols

@@ -0,0 +1,16 @@
+libhavege.so.2 libhavege2 #MINVER#
+* Build-Depends-Package: libhavege-dev
+ havege_create@Base 1.7
+ havege_destroy@Base 1.7
+ havege_ndcreate@Base 1.7
+ havege_nddestroy@Base 1.7
+ havege_ndread@Base 1.7
+ havege_ndsetup@Base 1.7
+ havege_reparent@Base 1.9.13
+ havege_rng@Base 1.7
+ havege_run@Base 1.7
+ havege_status@Base 1.7
+ havege_status_dump@Base 1.7
+ havege_test@Base 1.7
+ havege_tune@Base 1.7
+ havege_version@Base 1.9.0

debian/not-installed

@@ -0,0 +1 @@
+usr/lib/*/libhavege.la

debian/rules

@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+	dh $@
+
+override_dh_install:
+	dh_install
+	dh_apparmor --profile-name=usr.sbin.haveged -phaveged
+
+override_dh_installchangelogs:
+	dh_installchangelogs NEWS
+
+override_dh_makeshlibs:
+	# havege-udeb contains a library that's shipped in libhavege2; this is OK.
+	dh_makeshlibs --no-add-udeb

debian/shlibs.local

@@ -0,0 +1,4 @@
+# No need to ship a separate libhavege2-udeb, so bundle the daemon and
+# the library in the same udeb (haveged-udeb), and let shlibs:Depends
+# computation know where libhavege.so.2 is shipped:
+udeb: libhavege 2 haveged-udeb

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/check-service

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if ! systemctl is-active haveged; then
+    echo "haveged service is not active"
+    systemctl status haveged
+    exit 1
+fi
+
+exit 0

debian/tests/control

@@ -0,0 +1,9 @@
+Tests: check-service
+
+Tests: run-tests
+Restrictions: rw-build-tree, allow-stderr
+Depends: @builddeps@, @
+
+Tests: dieharder
+Restrictions: skippable, allow-stderr
+Depends: @, grep, dieharder

debian/tests/dieharder

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+if dpkg-architecture -i s390x; then
+    echo "dieharder tests are broken on s390x, skipping tests"
+    return 77
+fi
+
+set -e
+
+# Limit which tests are run, some aren't reliable and some take too long
+TESTS="0 1 2 3 4 8 9 10 11 12 13 15 16 100 101 202 203 204 205 206 207 208 209"
+
+# Notes on tests we don't run:
+#   5, 6, 7: marked as "Suspect" in dieharder -l
+#   14: marked as "Do Not Use" in dieharder -l
+#   102: buggy test that prints no output
+#   200: always fails with "Error:  Can only test distribution of positive ntuples."
+#   201: always fails
+
+DATA=$(mktemp)
+RESULTS=$(mktemp)
+
+cleanup()
+{
+    rm -f $RESULTS
+    rm -f $DATA
+}
+trap cleanup EXIT
+
+# Generate 4G of random data
+haveged -n 0 | dd of=$DATA bs=1k count=4096k
+
+for d in $TESTS; do
+    echo "Running test #$d"
+    echo "Test started at: $(date)"
+    dieharder -d $d -g 201 -f $DATA | tee $RESULTS
+    echo "Test ended at: $(date)"
+    echo ""
+    (! grep -w -q 'FAILED' $RESULTS)
+done

debian/tests/run-tests

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -ex
+
+# rebuild, enabling the nist tests
+dh_auto_clean
+dh_autoreconf_clean
+dh_autoreconf
+dh_auto_configure -- --enable-nistest=yes
+
+# test installed haveged, not built one
+rm -f src/haveged
+# we unfortunately can't use a symlink to also test apparmor confinement,
+# because our apparmor profile doesn't let us rw to *any* files, and by
+# default haveged writes its random data to './sample'; so just copy
+# the installed file into the build tree, for the ent/nist tests to use
+cp /usr/sbin/haveged src/haveged
+
+make -C ent check
+make -C nist check

debian/upstream/metadata

@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/jirka-h/haveged/issues
+Bug-Submit: https://github.com/jirka-h/haveged/issues/new
+Repository: https://github.com/jirka-h/haveged.git
+Repository-Browse: https://github.com/jirka-h/haveged

debian/usr.sbin.haveged

@@ -0,0 +1,26 @@
+# Last Modified: Fri Aug 21 15:23:17 2015
+#include <tunables/global>
+
+/usr/sbin/haveged {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+
+  # Required for ioctl RNDADDENTROPY
+  capability sys_admin,
+
+  owner @{PROC}/@{pid}/status r,
+
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/sys/kernel/random/poolsize r,
+  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+  /dev/random w,
+
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/cpu*/cache/ r,
+  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
+  /usr/sbin/haveged mr,
+
+  /run/haveged.pid w,
+
+  #include <local/usr.sbin.haveged>
+}

debian/watch

@@ -0,0 +1,3 @@
+version=4
+opts=filenamemangle=s#.*/(v?\d\S+)\.tar\.gz#haveged-$1.tar.gz# \
+  https://github.com/jirka-h/haveged/releases/latest .*/v?(\d\S+)\.tar\.gz