diff -Nru sks-1.1.5/debian/changelog sks-1.1.5/debian/changelog
--- sks-1.1.5/debian/changelog	2016-05-07 00:16:52.000000000 +0000
+++ sks-1.1.5/debian/changelog	2016-05-12 06:25:22.000000000 +0000
@@ -1,3 +1,31 @@
+sks (1.1.5-8) unstable; urgency=medium
+
+  * avoid ftbfs on arches without a native ocamlopt
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 12 May 2016 02:25:22 -0400
+
+sks (1.1.5-7) unstable; urgency=medium
+
+  * re-include stock files in /var/lib/sks/www
+  * fix typo in example config file.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 11 May 2016 11:10:21 -0400
+
+sks (1.1.5-6) unstable; urgency=medium
+
+  * ship useful helper scripts: sks-db-setup and sks-db-upgrade
+  * drop ancient tests in postinst, improve logic, and simplify by using
+    sks-db-upgrade
+  * avoid recursive chowns (Closes: #705725)
+  * sks-db-upgrade will not fail when database or log files are absent
+    (Closes: #750504)
+  * remove the debian-sks user on purge (Closes: #778726)
+  * add service dependencies and fix BindsTo typo (Closes: #823781)
+  * ensure that /var/lib/sks exists (Closes: #823780)
+  * update README.Debian to reflect these changes
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 11 May 2016 02:39:32 -0400
+
 sks (1.1.5-5) unstable; urgency=medium
 
   * canonicalize header files
diff -Nru sks-1.1.5/debian/debcfg/sksconf sks-1.1.5/debian/debcfg/sksconf
--- sks-1.1.5/debian/debcfg/sksconf	2016-05-06 21:39:55.000000000 +0000
+++ sks-1.1.5/debian/debcfg/sksconf	2016-05-11 18:49:15.000000000 +0000
@@ -4,7 +4,7 @@
 # You can find more options in sks(8) manpage.
 
 # Set server hostname
-#hostname: this.server.fdqn
+#hostname: this.server.example.net
 
 # Set recon binding address
 #recon_address: 0.0.0.0
@@ -12,8 +12,11 @@
 # Set recon port number
 #recon_port: 11370
 
-# Set hkp binding address
-#hkp_address: 0.0.0.0
+# Set hkp binding address:
+# listen on loopback where possible, and put a good reverse
+# HTTP proxy on the public-facing addresses
+# (see https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering)
+hkp_address: 127.0.0.1 ::1
 
 # Set hkp port number
 #hkp_port: 11371
@@ -22,7 +25,7 @@
 #use_port_80:
 
 # From address used in synchronization emails used to communicate with PKS
-#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
+#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.example.net>"
 
 # Command used for sending mail (you can use -f option to specify the
 # envelope sender address, if your MTA trusts the sks user)
@@ -36,5 +39,5 @@
 pagesize:          16
 #
 # The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
-# very good results with 8196
+# very good results with 8196 (16)
 ptree_pagesize:    16
diff -Nru sks-1.1.5/debian/gbp.conf sks-1.1.5/debian/gbp.conf
--- sks-1.1.5/debian/gbp.conf	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/gbp.conf	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,11 @@
+[DEFAULT]
+pristine-tar = True
+# upstream-vcs-tag is from the git remote hg::https://bitbucket.org/skskeyserver/sks-keyserver
+# (needs the git-remote-hg package)
+upstream-vcs-tag = %(version)s
+
+[import-orig]
+filter = [
+ '.depend',
+ ]
+filter-pristine-tar = False
diff -Nru sks-1.1.5/debian/patches/0001-use-debian-fhs.patch sks-1.1.5/debian/patches/0001-use-debian-fhs.patch
--- sks-1.1.5/debian/patches/0001-use-debian-fhs.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0001-use-debian-fhs.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,130 @@
+From: Christoph Martin <christoph.martin@uni-mainz.de>
+Date: Fri, 6 May 2016 14:55:00 -0400
+Subject: _debian_fhs
+
+---
+ common.ml      |  6 +++---
+ dbserver.ml    |  2 +-
+ getfileopts.ml |  2 +-
+ reconserver.ml |  4 ++--
+ settings.ml    | 20 ++++++++++----------
+ 5 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/common.ml b/common.ml
+index f7d3c6b..b3cc726 100644
+--- a/common.ml
++++ b/common.ml
+@@ -96,7 +96,7 @@ let plerror level format =
+ 
+ let set_logfile extension =
+   if !Settings.filelog then
+-    let fname = (Filename.concat !Settings.basedir extension) ^ ".log" in
++    let fname = (Filename.concat !Settings.basedir "/var/log/sks/") ^ extension ^ ".log" in
+     stored_logfile_name := Some fname;
+     logfile := open_out_gen [ Open_wronly; Open_creat; Open_append; ]
+       0o600 fname;
+@@ -224,8 +224,8 @@ let recon_port = !Settings.recon_port
+ let recon_address = !Settings.recon_address
+ let http_port = !Settings.hkp_port
+ let http_address = !Settings.hkp_address
+-let db_command_name = Filename.concat !Settings.basedir "db_com_sock"
+-let recon_command_name = Filename.concat !Settings.basedir "recon_com_sock"
++let db_command_name = Filename.concat !Settings.basedir "/var/run/sks/db_com_sock"
++let recon_command_name = Filename.concat !Settings.basedir "/var/run/sks/recon_com_sock"
+ 
+ let db_command_addr = Unix.ADDR_UNIX db_command_name
+ let recon_command_addr = Unix.ADDR_UNIX recon_command_name
+diff --git a/dbserver.ml b/dbserver.ml
+index 583c484..d2cab69 100644
+--- a/dbserver.ml
++++ b/dbserver.ml
+@@ -419,7 +419,7 @@ struct
+ 
+   let convert_web_fname fname =
+     if verify_web_fname fname then
+-      Filename.concat !Settings.basedir (Filename.concat "web" fname)
++      Filename.concat !Settings.basedir (Filename.concat "/var/lib/sks/www" fname)
+     else raise (Wserver.Misc_error "Malformed requst")
+ 
+   let supported_extensions =
+diff --git a/getfileopts.ml b/getfileopts.ml
+index 4b511b8..da97f4f 100644
+--- a/getfileopts.ml
++++ b/getfileopts.ml
+@@ -110,7 +110,7 @@ let fname_convert fname =
+ (**************************************************************)
+ (**************************************************************)
+ 
+-let config_fname = "sksconf"
++let config_fname = "/etc/sks/sksconf"
+ 
+ let parse args =
+   Arg.current := 0;
+diff --git a/reconserver.ml b/reconserver.ml
+index c0ed738..02ec9e2 100644
+--- a/reconserver.ml
++++ b/reconserver.ml
+@@ -203,7 +203,7 @@ struct
+         let elements = ZSet.elements results in
+         let hashes = hashconvert elements in
+         print_hashes (sockaddr_to_string http_addr) hashes;
+-        log_diffs (sprintf "diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
++        log_diffs (sprintf "/var/spool/sks/diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
+         if List.length elements > 0
+         then
+           begin
+@@ -240,7 +240,7 @@ struct
+         plerror 4 "Reconciliation complete";
+         let hashes = hashconvert results in
+         print_hashes (sockaddr_to_string http_addr) hashes;
+-        log_diffs (sprintf "diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
++        log_diffs (sprintf "/var/spool/sks/diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
+         match results with
+             [] -> []
+           | _ ->
+diff --git a/settings.ml b/settings.ml
+index b66f9af..ea3e95f 100644
+--- a/settings.ml
++++ b/settings.ml
+@@ -200,7 +200,7 @@ let set_missing_keys_timeout value = missing_keys_timeout := value
+ let command_timeout = ref 60
+ let set_command_timeout value = command_timeout := value
+ 
+-let sendmail_cmd = ref "sendmail -t -oi"
++let sendmail_cmd = ref "/usr/lib/sendmail -t -oi"
+ let set_sendmail_cmd value = sendmail_cmd := value
+ 
+ let membership_reload_time = ref (60. *. 60. *. 6.)
+@@ -226,15 +226,15 @@ let get_from_addr () =
+ 
+ let use_stdin = ref false
+ 
+-let basedir = ref "."
++let basedir = ref ""
+ 
+-let base_dbdir = "KDB"
+-let base_ptree_dbdir = "PTree"
+-let base_membership_file = "membership"
+-let base_mailsync_file = "mailsync"
+-let base_dumpdir = "dump"
+-let base_msgdir = "messages"
+-let base_failed_msgdir = "failed_messages"
++let base_dbdir = "/var/lib/sks/DB"
++let base_ptree_dbdir = "/var/lib/sks/PTree"
++let base_membership_file = "/etc/sks/membership"
++let base_mailsync_file = "/etc/sks/mailsync"
++let base_dumpdir = "/var/lib/sks/dump"
++let base_msgdir = "/var/spool/sks/messages"
++let base_failed_msgdir = "/var/spool/sks/failed_messages"
+ 
+ let dbdir = lazy (Filename.concat !basedir base_dbdir)
+ let ptree_dbdir = lazy (Filename.concat !basedir base_ptree_dbdir)
+@@ -290,7 +290,7 @@ let parse_spec =
+     ("-hkp_address",Arg.String set_hkp_address, " Set hkp binding address by hostname or IP");
+     ("-use_port_80",Arg.Set use_port_80,
+      " Have the HKP interface listen on port 80, as well as the hkp_port");
+-    ("-basedir", Arg.Set_string basedir, " Base directory");
++    ("-basedir", Arg.Set_string basedir, " Base directory (Take special care if running the Debian package!)");
+     ("-stdoutlog", Arg.Clear filelog,
+      " Send log messages to stdout instead of log file");
+     ("-diskptree", Arg.Set disk_ptree,
diff -Nru sks-1.1.5/debian/patches/0002-use-system-cryptokit.patch sks-1.1.5/debian/patches/0002-use-system-cryptokit.patch
--- sks-1.1.5/debian/patches/0002-use-system-cryptokit.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0002-use-system-cryptokit.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,72 @@
+From: Christoph Martin <christoph.martin@uni-mainz.de>
+Date: Fri, 6 May 2016 14:55:01 -0400
+Subject: use system cryptokit
+
+Use the system cryptokit instead of the one shipped in upstream source
+---
+ Makefile | 31 ++-----------------------------
+ 1 file changed, 2 insertions(+), 29 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 8bc3787..9d5f571 100644
+--- a/Makefile
++++ b/Makefile
+@@ -53,7 +53,7 @@ WARNERR=-warn-error A
+ endif
+ 
+ CAMLP4=-pp $(CAMLP4O)
+-CAMLINCLUDE= -I lib -I bdb
++CAMLINCLUDE= -I lib -I bdb -I +cryptokit
+ COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes $(WARNERR)
+ OCAMLDEP=ocamldep $(CAMLP4)
+ CAMLLIBS=unix.cma str.cma bdb.cma nums.cma bigarray.cma cryptokit.cma
+@@ -107,7 +107,7 @@ ALLOBJS=$(ALLOBJS.bc:.cmo=.cmx)
+ 
+ EXEOBJS.bc=$(RSERVOBJS.bc) build.cmo fastbuild.cmo dbserver.cmo pdiskTest.cmo
+ 
+-LIBS.bc= lib/cryptokit.cma bdb/bdb.cma
++LIBS.bc= bdb/bdb.cma
+ LIBS=$(LIBS.bc:.cma=.cmxa)
+ 
+ VERSION := $(shell cat VERSION)
+@@ -278,32 +278,6 @@ prepared:
+ 	touch prepared
+ 
+ 
+-CKVER=cryptokit-1.7
+-CKDIR=$(CKVER)/src
+-
+-$(CKVER)/README.txt:
+-	tar xmvfz $(CKVER).tar.gz
+-	patch -p 0 < $(CKVER)-sks.patch
+-	patch -p 0 < $(CKVER)-sks-custom_compare.patch
+-
+-$(CKDIR)/cryptokit.cma: $(CKVER)/README.txt
+-	cd $(CKDIR) && $(MAKE) all
+-
+-$(CKDIR)/cryptokit.cmxa: $(CKVER)/README.txt
+-	cd $(CKDIR) && $(MAKE) allopt
+-
+-lib/cryptokit.cma: $(CKDIR)/cryptokit.cma $(CKDIR)/cryptokit.cmxa prepared
+-	cp $(CKDIR)/cryptokit.cmi $(CKDIR)/cryptokit.cma \
+-	   $(CKDIR)/cryptokit.mli lib
+-	cp $(CKDIR)/libcryptokit.a lib
+-	if test -f $(CKDIR)/dllcryptokit.so; then \
+-	   cp $(CKDIR)/dllcryptokit.so lib; fi
+-	if test -f $(CKDIR)/cryptokit.cmxa; then \
+-	   cp $(CKDIR)/cryptokit.cmxa $(CKDIR)/cryptokit.cmx \
+-	   $(CKDIR)/cryptokit.a lib; fi
+-
+-lib/cryptokit.cmxa: lib/cryptokit.cma
+-
+ ################################
+ # old stuff
+ ################################
+@@ -402,7 +376,6 @@ clean: mlclean
+ 
+ cleanall: clean bdbclean
+ 	rm -f lib/*
+-	rm -rf $(CKVER)
+ 
+ distclean: cleanall
+ 	rm -rf Makefile.local
diff -Nru sks-1.1.5/debian/patches/0003-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch sks-1.1.5/debian/patches/0003-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch
--- sks-1.1.5/debian/patches/0003-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0003-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,99 @@
+From: kristianf <unknown>
+Date: Sun, 9 Nov 2014 01:20:23 +0100
+Subject: Add support for EdDSA key using Ed25519 signature scheme
+
+---
+ CHANGELOG   | 4 ++++
+ common.ml   | 2 +-
+ packet.ml   | 4 +++-
+ parsePGP.ml | 6 ++++--
+ 4 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f5a8adb..4c73437 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,7 @@
++Development:
++  - Add support for EdDSA key using Ed25519 signature scheme
++    (http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-00.txt)
++
+ 1.1.5
+   - Fixes for machine-readable indices. Key expiration times are now read
+     from self-signatures on the key's UIDs. In addition, instead of 8-digit
+diff --git a/common.ml b/common.ml
+index b3cc726..c7b5f98 100644
+--- a/common.ml
++++ b/common.ml
+@@ -47,7 +47,7 @@ let version_tuple = (__VERSION__)
+ (* for Release versions, COMMONCAMLFLAGS in Makefile should include          *)
+ (* '-warn-error a'. Development work should use '-warn-error A' for stricter *)
+ (* language checking. This affects the Ocaml compiler beginning with v4.01.0 *)
+-let version_suffix = "" (* + for development branch *)
++let version_suffix = "+" (* + for development branch *)
+ let compatible_version_tuple = (0,1,5)
+ let version =
+   let (maj_version,min_version,release) = version_tuple in
+diff --git a/packet.ml b/packet.ml
+index eb98c15..10299a4 100644
+--- a/packet.ml
++++ b/packet.ml
+@@ -163,6 +163,7 @@ let pubkey_algorithm_string i =  match i with
+   | 19 -> "ECDSA (ECC)" (* RFC 6637 *)
+   | 20 -> "Elgamal (Encrypt or Sign)"
+   | 21 -> "Reserved for Diffie-Hellman (X9.42) as defined for IETF-S/MIME"
++  | 22 -> "EdDSA"
+   | x when x >= 100 && x <= 110 -> "Private/Experimental algorithm."
+   | _ -> "Unknown Public Key Algorithm"
+ 
+@@ -252,10 +253,11 @@ let pk_alg_to_ident i = match i with
+   | 2 -> "r"  (* RSA encrypt *)
+   | 3 -> "s"  (* RSA sign *)
+   | 16 -> "g"  (* ElGamal encrypt *)
+-  | 20 -> "G"  (* ElGamal sign and encrypt *)
+   | 17 -> "D"  (* DSA *)
+   | 18 -> "e"  (* ECDH *)
+   | 19 -> "E"  (* ECDSA *)
++  | 20 -> "G"  (* ElGamal sign and encrypt *)
++  | 22 -> "E"  (* EdDSA *)
+   | _  -> "?"  (* NoClue *)
+ 
+ (** writes out packet, using old-style packets when possible *)
+diff --git a/parsePGP.ml b/parsePGP.ml
+index 063ff97..21060a1 100644
+--- a/parsePGP.ml
++++ b/parsePGP.ml
+@@ -150,6 +150,7 @@ let oid_to_psize oid =
+      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0b" -> 384 	(* brainpoolP384r1 *)
+      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0d" -> 512 	(* brainpoolP512r1 *)
+      | "\x2b\x81\x04\x00\x0a" -> 256         		(* secp256k1 *)
++     | "\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" -> 256	(* Ed25519 *)  
+      | _ -> failwith "Unknown OID"
+    in
+    psize
+@@ -168,6 +169,7 @@ let parse_ecdh_pubkey cin =
+    in
+    (mpi, psize)
+ 
++ (* Algorithm specific fields for ECDSA and EdDSA *)
+  let parse_ecdsa_pubkey cin =
+    let length = cin#read_int_size 1 in
+    let oid = cin#read_string length in
+@@ -185,7 +187,7 @@ let parse_pubkey_info packet =
+       let algorithm = cin#read_byte in
+       let (tmpmpi, tmpsize) =  match algorithm with
+         | 18 -> parse_ecdh_pubkey cin
+-        | 19 -> ( {mpi_bits = 0; mpi_data = ""}, (parse_ecdsa_pubkey cin))
++        | 19 | 22 -> ( {mpi_bits = 0; mpi_data = ""}, (parse_ecdsa_pubkey cin))
+         | _ -> ( {mpi_bits = 0; mpi_data = ""} , -1 )
+       in
+       let mpis = match algorithm with
+@@ -205,7 +207,7 @@ let parse_pubkey_info packet =
+     pk_ctime = creation_time;
+     pk_expiration = (match expiration with Some 0 -> None | x -> x);
+     pk_alg = algorithm;
+-    pk_keylen = (match algorithm with |18|19 -> psize | _ -> mpi.mpi_bits);
++    pk_keylen = (match algorithm with |18|19|22 -> psize | _ -> mpi.mpi_bits);
+   }
+ 
+ (********************************************************)
diff -Nru sks-1.1.5/debian/patches/0004-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch sks-1.1.5/debian/patches/0004-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch
--- sks-1.1.5/debian/patches/0004-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0004-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,22 @@
+From: Kim Minh Kaplan <kaplan+sks@kim-minh.com>
+Date: Wed, 13 May 2015 18:29:30 +0200
+Subject: Keydb.add_keys: use List.rev_map instead of List.map for tail
+ recursion
+
+---
+ keydb.ml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/keydb.ml b/keydb.ml
+index c4f4f01..949a1f4 100644
+--- a/keydb.ml
++++ b/keydb.ml
+@@ -1156,7 +1156,7 @@ struct
+ 
+   (** Adds multiple keys at once --- no transactional support *)
+   let add_keys keys =
+-    let mds = List.map ~f:key_to_metadata keys in
++    let mds = List.rev_map ~f:key_to_metadata keys in
+     add_mds mds
+ 
+   (***********************************************************************)
diff -Nru sks-1.1.5/debian/patches/0005-Build.get_keys-make-it-tail-recursive.patch sks-1.1.5/debian/patches/0005-Build.get_keys-make-it-tail-recursive.patch
--- sks-1.1.5/debian/patches/0005-Build.get_keys-make-it-tail-recursive.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0005-Build.get_keys-make-it-tail-recursive.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,51 @@
+From: Kim Minh Kaplan <kaplan+sks@kim-minh.com>
+Date: Wed, 13 May 2015 18:33:42 +0200
+Subject: Build.get_keys: make it tail recursive. Build.get_keys_rec: move
+ this function inside get_keys.
+
+---
+ build.ml | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/build.ml b/build.ml
+index e055c73..c3d6c4a 100644
+--- a/build.ml
++++ b/build.ml
+@@ -49,17 +49,17 @@ module F(M:sig end) = struct
+   let n = match !Settings.n with 0 -> 1 | x -> x
+   let fnames = !Settings.anonlist
+ 
+-  let rec get_keys_rec nextkey partial = match nextkey () with
+-      Some key ->
+-        (try
+-           let ckey = Fixkey.canonicalize key in
+-           get_keys_rec nextkey (ckey::partial)
+-         with
+-             Fixkey.Bad_key -> get_keys_rec nextkey partial
+-        )
+-    | None -> partial
+-
+-  let get_keys nextkey = get_keys_rec nextkey []
++  let get_keys nextkey start =
++    let rec loop acc = match nextkey () with
++        Some key -> loop
++          (try
++             (Fixkey.canonicalize key)::acc
++           with
++               Fixkey.Bad_key -> acc
++          )
++      | None -> acc
++    in
++    loop start
+ 
+   let timestr sec =
+     sprintf "%.2f min" (sec /. 60.)
+@@ -82,7 +82,7 @@ module F(M:sig end) = struct
+     protect
+       ~f:(fun () ->
+             let nextkey = Key.next_of_channel cin in
+-            get_keys_rec nextkey start
++            get_keys nextkey start
+          )
+       ~finally:(fun () -> cin#close)
+ 
diff -Nru sks-1.1.5/debian/patches/0006-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch sks-1.1.5/debian/patches/0006-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch
--- sks-1.1.5/debian/patches/0006-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0006-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,99 +0,0 @@
-From: kristianf <unknown>
-Date: Sun, 9 Nov 2014 01:20:23 +0100
-Subject: Add support for EdDSA key using Ed25519 signature scheme
-
----
- CHANGELOG   | 4 ++++
- common.ml   | 2 +-
- packet.ml   | 4 +++-
- parsePGP.ml | 6 ++++--
- 4 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index f5a8adb..4c73437 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,7 @@
-+Development:
-+  - Add support for EdDSA key using Ed25519 signature scheme
-+    (http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-00.txt)
-+
- 1.1.5
-   - Fixes for machine-readable indices. Key expiration times are now read
-     from self-signatures on the key's UIDs. In addition, instead of 8-digit
-diff --git a/common.ml b/common.ml
-index b3cc726..c7b5f98 100644
---- a/common.ml
-+++ b/common.ml
-@@ -47,7 +47,7 @@ let version_tuple = (__VERSION__)
- (* for Release versions, COMMONCAMLFLAGS in Makefile should include          *)
- (* '-warn-error a'. Development work should use '-warn-error A' for stricter *)
- (* language checking. This affects the Ocaml compiler beginning with v4.01.0 *)
--let version_suffix = "" (* + for development branch *)
-+let version_suffix = "+" (* + for development branch *)
- let compatible_version_tuple = (0,1,5)
- let version =
-   let (maj_version,min_version,release) = version_tuple in
-diff --git a/packet.ml b/packet.ml
-index eb98c15..10299a4 100644
---- a/packet.ml
-+++ b/packet.ml
-@@ -163,6 +163,7 @@ let pubkey_algorithm_string i =  match i with
-   | 19 -> "ECDSA (ECC)" (* RFC 6637 *)
-   | 20 -> "Elgamal (Encrypt or Sign)"
-   | 21 -> "Reserved for Diffie-Hellman (X9.42) as defined for IETF-S/MIME"
-+  | 22 -> "EdDSA"
-   | x when x >= 100 && x <= 110 -> "Private/Experimental algorithm."
-   | _ -> "Unknown Public Key Algorithm"
- 
-@@ -252,10 +253,11 @@ let pk_alg_to_ident i = match i with
-   | 2 -> "r"  (* RSA encrypt *)
-   | 3 -> "s"  (* RSA sign *)
-   | 16 -> "g"  (* ElGamal encrypt *)
--  | 20 -> "G"  (* ElGamal sign and encrypt *)
-   | 17 -> "D"  (* DSA *)
-   | 18 -> "e"  (* ECDH *)
-   | 19 -> "E"  (* ECDSA *)
-+  | 20 -> "G"  (* ElGamal sign and encrypt *)
-+  | 22 -> "E"  (* EdDSA *)
-   | _  -> "?"  (* NoClue *)
- 
- (** writes out packet, using old-style packets when possible *)
-diff --git a/parsePGP.ml b/parsePGP.ml
-index 063ff97..21060a1 100644
---- a/parsePGP.ml
-+++ b/parsePGP.ml
-@@ -150,6 +150,7 @@ let oid_to_psize oid =
-      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0b" -> 384 	(* brainpoolP384r1 *)
-      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0d" -> 512 	(* brainpoolP512r1 *)
-      | "\x2b\x81\x04\x00\x0a" -> 256         		(* secp256k1 *)
-+     | "\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" -> 256	(* Ed25519 *)  
-      | _ -> failwith "Unknown OID"
-    in
-    psize
-@@ -168,6 +169,7 @@ let parse_ecdh_pubkey cin =
-    in
-    (mpi, psize)
- 
-+ (* Algorithm specific fields for ECDSA and EdDSA *)
-  let parse_ecdsa_pubkey cin =
-    let length = cin#read_int_size 1 in
-    let oid = cin#read_string length in
-@@ -185,7 +187,7 @@ let parse_pubkey_info packet =
-       let algorithm = cin#read_byte in
-       let (tmpmpi, tmpsize) =  match algorithm with
-         | 18 -> parse_ecdh_pubkey cin
--        | 19 -> ( {mpi_bits = 0; mpi_data = ""}, (parse_ecdsa_pubkey cin))
-+        | 19 | 22 -> ( {mpi_bits = 0; mpi_data = ""}, (parse_ecdsa_pubkey cin))
-         | _ -> ( {mpi_bits = 0; mpi_data = ""} , -1 )
-       in
-       let mpis = match algorithm with
-@@ -205,7 +207,7 @@ let parse_pubkey_info packet =
-     pk_ctime = creation_time;
-     pk_expiration = (match expiration with Some 0 -> None | x -> x);
-     pk_alg = algorithm;
--    pk_keylen = (match algorithm with |18|19 -> psize | _ -> mpi.mpi_bits);
-+    pk_keylen = (match algorithm with |18|19|22 -> psize | _ -> mpi.mpi_bits);
-   }
- 
- (********************************************************)
diff -Nru sks-1.1.5/debian/patches/0006-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch sks-1.1.5/debian/patches/0006-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch
--- sks-1.1.5/debian/patches/0006-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0006-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,25 @@
+From: kristianf <unknown>
+Date: Sat, 31 Oct 2015 14:08:38 +0100
+Subject: (parsePGP.ml) Add OID for Curve25519 encryption
+
+The OID is taken from GnuPG, and not standardized yet but
+used in released versions
+
+Bug:
+https://bitbucket.org/skskeyserver/sks-keyserver/issues/36/curve25519-oid-for-encryption
+---
+ parsePGP.ml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parsePGP.ml b/parsePGP.ml
+index 21060a1..9eae586 100644
+--- a/parsePGP.ml
++++ b/parsePGP.ml
+@@ -151,6 +151,7 @@ let oid_to_psize oid =
+      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0d" -> 512 	(* brainpoolP512r1 *)
+      | "\x2b\x81\x04\x00\x0a" -> 256         		(* secp256k1 *)
+      | "\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" -> 256	(* Ed25519 *)  
++     | "\x2b\x06\x01\x04\x01\x97\x55\x01\x05\x01" -> 256 (* cv25519 *)
+      | _ -> failwith "Unknown OID"
+    in
+    psize
diff -Nru sks-1.1.5/debian/patches/0007-Avoid-deprecated-ocaml.patch sks-1.1.5/debian/patches/0007-Avoid-deprecated-ocaml.patch
--- sks-1.1.5/debian/patches/0007-Avoid-deprecated-ocaml.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0007-Avoid-deprecated-ocaml.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,507 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 6 May 2016 18:52:17 -0400
+Subject: Avoid deprecated ocaml
+
+newer versions of ocaml explicitly deprecate:
+
+ * String.create in favor of Bytes.create
+ * String.fill in favor of Bytes.fill
+ * Sort.list in favor of List.sort
+ * Byte internal assignment like .[] <- (but Bytes.set is fine)
+
+(for this last one, see http://caml.inria.fr/mantis/view.php?id=6706
+and https://github.com/ocaml/ocaml/pull/69, which i don't fully
+understand)
+---
+ add_mail.ml   |  2 +-
+ bitstring.ml  | 34 +++++++++++++++++-----------------
+ channel.ml    |  6 +++---
+ dbserver.ml   |  2 +-
+ heap.ml       |  2 +-
+ keyHash.ml    |  4 ++--
+ linearAlg.ml  |  2 +-
+ mList.ml      |  4 ++--
+ number.ml     | 12 ++++++------
+ prefixTree.ml |  4 ++--
+ rMisc.ml      | 14 +++++++-------
+ utils.ml      | 24 ++++++++++++------------
+ wserver.ml    | 22 +++++++++++-----------
+ 13 files changed, 66 insertions(+), 66 deletions(-)
+
+diff --git a/add_mail.ml b/add_mail.ml
+index 3233af6..f5c7cfc 100644
+--- a/add_mail.ml
++++ b/add_mail.ml
+@@ -54,7 +54,7 @@ let dirname =
+ (** dumps contents of one file into another *)
+ let pipe_file =
+   let blocksize = 100 * 1024 in
+-  let buf = String.create blocksize in
++  let buf = Bytes.create blocksize in
+   let rec pipe_file file1 file2 =
+     let bytes_read = input file1 buf 0 blocksize in
+     if bytes_read <> 0 then (
+diff --git a/bitstring.ml b/bitstring.ml
+index a6d3dad..19d3307 100644
+--- a/bitstring.ml
++++ b/bitstring.ml
+@@ -40,7 +40,7 @@ let bytelength bits =
+ let create bits =
+   let bytes = bytelength bits
+   in
+-  { a = String.create bytes;
++  { a = Bytes.create bytes;
+     bitlength = bits;
+   }
+ 
+@@ -58,7 +58,7 @@ let flip ba bit =
+   let intval = int_of_char (String.get ba.a byte_pos) in
+   let new_char = char_of_int ((1 lsl (width - bit_pos - 1)) lxor intval)
+   in
+-  String.set ba.a byte_pos new_char
++  Bytes.set ba.a byte_pos new_char
+ 
+ let set ba bit =
+   let byte_pos = bit / width
+@@ -66,7 +66,7 @@ let set ba bit =
+   let intval = int_of_char (String.get ba.a byte_pos) in
+   let new_char = char_of_int ((1 lsl (width - bit_pos - 1)) lor intval)
+   in
+-  String.set ba.a byte_pos new_char
++  Bytes.set ba.a byte_pos new_char
+ 
+ let unset ba bit =
+   let byte_pos = bit / width
+@@ -75,7 +75,7 @@ let unset ba bit =
+   let new_char = char_of_int ((lnot (1 lsl (width - bit_pos - 1)))
+                               land intval)
+   in
+-  String.set ba.a byte_pos new_char
++  Bytes.set ba.a byte_pos new_char
+ 
+ let setval ba bit bool =
+   if bool then set ba bit else unset ba bit
+@@ -98,9 +98,9 @@ let to_bool_array ba =
+   Array.init ~f:(fun i -> lget ba i) ba.bitlength
+ 
+ let to_string ba =
+-  let string = String.create ba.bitlength in
++  let string = Bytes.create ba.bitlength in
+   for i = 0 to ba.bitlength -1 do
+-    if get ba i = 0 then string.[i] <- '0' else string.[i] <- '1'
++    if get ba i = 0 then Bytes.set string i '0' else Bytes.set string i '1'
+   done;
+   string
+ 
+@@ -160,7 +160,7 @@ let copy ba = { ba with a = String.copy ba.a }
+  *)
+ let copy_len ba bitlength =
+   let bytes = bytelength bitlength in
+-  let str = String.create bytes in
++  let str = Bytes.create bytes in
+   String.blit ~src:ba.a ~src_pos:0
+     ~dst:str ~dst_pos:0 ~len:(String.length ba.a);
+   { a = str; bitlength = bitlength }
+@@ -191,17 +191,17 @@ let shift_left_small ba bits =
+   if bits > 0 then
+     let bytes = bytelength ba.bitlength in
+     for i = 0 to bytes-2 do
+-      ba.a.[i] <- shift_pair_left ba.a.[i] ba.a.[i+1] bits
++      Bytes.set ba.a i (shift_pair_left ba.a.[i] ba.a.[i+1] bits)
+     done;
+-    ba.a.[bytes-1] <- shift_pair_left ba.a.[bytes-1] '\000' bits
++    Bytes.set ba.a (bytes-1) (shift_pair_left ba.a.[bytes-1] '\000' bits)
+ 
+ let shift_right_small ba bits =
+   if bits > 0 then
+     let bytes = bytelength ba.bitlength in
+     for i = bytes-1 downto 1 do
+-      ba.a.[i] <- shift_pair_right ba.a.[i-1] ba.a.[i] bits
++      Bytes.set ba.a i (shift_pair_right ba.a.[i-1] ba.a.[i] bits)
+     done;
+-    ba.a.[0] <-  shift_pair_right '\000' ba.a.[0] bits
++    Bytes.set ba.a 0 (shift_pair_right '\000' ba.a.[0] bits)
+ 
+ (**********************************)
+ 
+@@ -216,10 +216,10 @@ let rec shift_left ba bits =
+   then
+     begin
+       for i = 0 to bytelength - 1 - bytes do
+-        ba.a.[i] <- ba.a.[i+bytes];
++        Bytes.set ba.a i ba.a.[i+bytes];
+       done;
+       for i = bytelength - bytes to bytelength - 1 do
+-        ba.a.[i] <- '\000'
++        Bytes.set ba.a i '\000'
+       done
+     end;
+   shift_left_small ba bits
+@@ -235,10 +235,10 @@ and shift_right ba bits =
+     then
+       begin
+         for i = bytelength - 1 downto bytes do
+-          ba.a.[i] <- ba.a.[i-bytes];
++          Bytes.set ba.a i ba.a.[i-bytes];
+         done;
+         for i = bytes - 1 downto 0 do
+-          ba.a.[i] <- '\000'
++          Bytes.set ba.a i '\000'
+         done
+       end;
+     shift_right_small ba bits
+@@ -275,14 +275,14 @@ let blit ~src ~dst ~len =
+     let newdst = (rmasks.(bitlen) land srcval) lor
+                  ((lnot rmasks.(bitlen)) land dstval)
+     in
+-    dst.a.[bytelen] <- char_of_int newdst
++    Bytes.set dst.a bytelen (char_of_int newdst)
+ 
+ 
+ (* let full_blit ~src ~src_pos ~dst ~dst_pos ~len =  *)
+ 
+ 
+ let zero_out bs =
+-  String.fill bs.a ~pos:0 ~len:(String.length bs.a) '\000'
++  Bytes.fill bs.a ~pos:0 ~len:(String.length bs.a) '\000'
+ 
+ (*
+ let extract bs ~pos ~len =
+diff --git a/channel.ml b/channel.ml
+index 95b599b..75f7a3a 100644
+--- a/channel.ml
++++ b/channel.ml
+@@ -50,7 +50,7 @@ let create_nb_really_input inchan =
+     let string =
+       match !stringopt with
+           None ->
+-            let string = String.create len in
++            let string = Bytes.create len in
+             stringopt := Some string;
+             pos := 0;
+             string
+@@ -125,7 +125,7 @@ let read_all cin ?len ()=
+       None -> 1024 * 100
+     | Some x -> x
+   in
+-  let sbuf = String.create len
++  let sbuf = Bytes.create len
+   and buf = Buffer.create len in
+     read_all_rec cin sbuf buf;
+     Buffer.contents buf
+@@ -167,7 +167,7 @@ object (self)
+   method virtual read_string_pos : buf:string -> pos:int -> len:int -> unit
+   method virtual read_char : char
+   method read_string len =
+-    let buf = String.create len in
++    let buf = Bytes.create len in
+     self#read_string_pos ~buf ~pos:0 ~len;
+     buf
+   method read_byte = int_of_char self#read_char
+diff --git a/dbserver.ml b/dbserver.ml
+index d2cab69..71c53cb 100644
+--- a/dbserver.ml
++++ b/dbserver.ml
+@@ -396,7 +396,7 @@ struct
+     let f = (if binary then open_in_bin else open_in) fname in
+     protect ~f:(fun () ->
+                   let length = in_channel_length f in
+-                  let buf = String.create length in
++                  let buf = Bytes.create length in
+                   really_input f buf 0 length;
+                   buf
+                )
+diff --git a/heap.ml b/heap.ml
+index 292f432..ad9f053 100644
+--- a/heap.ml
++++ b/heap.ml
+@@ -146,7 +146,7 @@ let push heap ~key ~data =
+ (***************************************************************)
+ 
+ let empty cmp i =
+-  { a = Array.create i None;
++  { a = Array.make i None;
+     length = 0;
+     minsize = i;
+     cmp = cmp;
+diff --git a/keyHash.ml b/keyHash.ml
+index ca7c6d6..49cf466 100644
+--- a/keyHash.ml
++++ b/keyHash.ml
+@@ -73,11 +73,11 @@ let hexchar_to_int c =
+ 
+ let dehexify s =
+   let s = String.uppercase s in
+-  let ns = String.create (String.length s / 2) in (* new string *)
++  let ns = Bytes.create (String.length s / 2) in (* new string *)
+   for i = 0 to String.length ns - 1 do
+     let first = hexchar_to_int s.[2 * i]
+     and second = hexchar_to_int s.[2 * i + 1]
+     in
+-    ns.[i] <- char_of_int ((first lsl 4) + second)
++    Bytes.set ns i (char_of_int ((first lsl 4) + second))
+   done;
+   ns
+diff --git a/linearAlg.ml b/linearAlg.ml
+index 81a9d88..f4499ed 100644
+--- a/linearAlg.ml
++++ b/linearAlg.ml
+@@ -62,7 +62,7 @@ struct
+   let copy m = { m with array = Array.copy m.array; }
+ 
+   let make ~columns ~rows init =
+-    let array = Array.create (columns * rows) init in
++    let array = Array.make (columns * rows) init in
+     { columns = columns;
+       rows = rows;
+       array = array;
+diff --git a/mList.ml b/mList.ml
+index f473a64..c0d4c79 100644
+--- a/mList.ml
++++ b/mList.ml
+@@ -200,7 +200,7 @@ let pri_split pri list =
+   (low,exact,high)
+ 
+ let has_dups list =
+-  let slist = Sort.list (fun x y -> x < y) list in
++  let slist = List.sort compare list in
+   let rec dup_scan list = match list with
+     [] -> false
+   | hd::[] -> false
+@@ -208,7 +208,7 @@ let has_dups list =
+   in dup_scan slist
+ 
+ let dedup list =
+-  let slist = Sort.list (fun x y -> x < y) list in
++  let slist = List.sort compare list in
+   let rec dedup ~list ~partial = match list with
+       [] -> partial
+     | hd::[] -> dedup ~list:[] ~partial:(hd::partial)
+diff --git a/number.ml b/number.ml
+index 3e33077..94f3b2e 100644
+--- a/number.ml
++++ b/number.ml
+@@ -60,9 +60,9 @@ let width_pow = power_int_positive_int 2 width
+ 
+ let revstring s =
+   let len = String.length s in
+-  let copy = String.create len in
++  let copy = Bytes.create len in
+   for i = 0 to len - 1 do
+-    copy.[i] <- s.[len - 1 - i]
++    Bytes.set copy i s.[len - 1 - i]
+   done;
+   copy
+ 
+@@ -71,19 +71,19 @@ let revstring_inplace s =
+   for i = 0 to (len - 2)/2 do
+     let j = len - 1 - i in
+     let tmp = s.[i] in
+-    s.[i] <- s.[j];
+-    s.[j] <- tmp
++    Bytes.set s i s.[j];
++    Bytes.set s j tmp
+   done
+ 
+ let to_bytes ~nbytes n =
+   if sign_big_int n = -1
+   then raise (Invalid_argument "N.to_bytes: negative argument");
+-  let string = String.create nbytes in
++  let string = Bytes.create nbytes in
+   let rec loop n i =
+     if i < 0 then string
+     else
+       let (a,b) = quomod_big_int n width_pow in
+-      string.[i] <- char_of_int (int_of_big_int b);
++      Bytes.set string i (char_of_int (int_of_big_int b));
+       loop a (i - 1)
+   in
+   let str = loop n (nbytes - 1) in
+diff --git a/prefixTree.ml b/prefixTree.ml
+index 4aa4fbb..a90cc41 100644
+--- a/prefixTree.ml
++++ b/prefixTree.ml
+@@ -730,8 +730,8 @@ let split_at_depth t zz zzs node depth =
+ let pad string bytes =
+   let len = String.length string in
+   if bytes > len then
+-    let nstr = String.create bytes in
+-    String.fill nstr ~pos:len ~len:(bytes - len) '\000';
++    let nstr = Bytes.create bytes in
++    Bytes.fill nstr ~pos:len ~len:(bytes - len) '\000';
+     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len;
+     nstr
+   else
+diff --git a/rMisc.ml b/rMisc.ml
+index 63792c1..46e687d 100644
+--- a/rMisc.ml
++++ b/rMisc.ml
+@@ -56,15 +56,15 @@ let rec fill_random_string rfunc string ~pos ~len =
+     (* CR yminsky: I think this has the same bug as the function with the same name in Utils *)
+     let _bits = rfunc () in
+       for i = 0 to steps - 1 do
+-        string.[pos + i] <-
+-        char_of_int (0xFF land ((rfunc ()) lsr (8 * i)))
++        Bytes.set string (pos + i)
++        (char_of_int (0xFF land ((rfunc ()) lsr (8 * i))))
+       done;
+       fill_random_string rfunc string ~pos:(pos + steps) ~len
+   else
+     ()
+ 
+ let random_string rfunc len =
+-  let string = String.create len in
++  let string = Bytes.create len in
+     fill_random_string rfunc string ~pos:0 ~len;
+     string
+ 
+@@ -124,8 +124,8 @@ let add_sarray ~data sarray =
+ let pad string bytes =
+   let len = String.length string in
+   if bytes > len then
+-    let nstr = String.create bytes in
+-    String.fill nstr ~pos:len ~len:(bytes - len) '\000';
++    let nstr = Bytes.create bytes in
++    Bytes.fill nstr ~pos:len ~len:(bytes - len) '\000';
+     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len;
+     nstr
+   else
+@@ -139,7 +139,7 @@ let padset stringset bytes =
+ let truncate string bytes =
+   let len = String.length string in
+   if bytes < len then
+-    let nstr = String.create bytes in
++    let nstr = Bytes.create bytes in
+     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len:bytes;
+     nstr
+   else
+@@ -160,7 +160,7 @@ let order_string = "530512889551602322505127520352579437339"
+ (** Printing Functions *)
+ 
+ let print_ZZp_list list =
+-  let list = Sort.list (fun x y -> compare x y < 0) list in
++  let list = List.sort compare list in
+   MList.print2 ~f:ZZp.print list
+ 
+ let print_ZZp_set set = print_ZZp_list (Set.elements set)
+diff --git a/utils.ml b/utils.ml
+index b9b4347..0acd119 100644
+--- a/utils.ml
++++ b/utils.ml
+@@ -173,12 +173,12 @@ let random_int low high =
+ let char_width = 8
+ 
+ let hexstring digest =
+-  let result = String.create (String.length digest * 2) in
+-  let hex = "0123456789ABCDEF" in
++  let result = Bytes.create (String.length digest * 2) in
++  let hex = Bytes.of_string "0123456789ABCDEF" in
+     for i = 0 to String.length digest - 1 do
+       let c = Char.code digest.[i] in
+-        result.[2*i] <- hex.[c lsr 4];
+-        result.[2*i+1] <- hex.[c land 0xF]
++        Bytes.set result (2*i) hex.[c lsr 4];
++        Bytes.set result (2*i+1) hex.[c land 0xF]
+     done;
+     result
+ 
+@@ -192,11 +192,11 @@ let int_from_bstring string ~pos ~len =
+   int_from_bstring_rec string ~pos ~len 0
+ 
+ let bstring_of_int i =
+-     let s = String.create 4 in
+-     s.[3] <- char_of_int (i land 0xFF);
+-     s.[2] <- char_of_int ((i lsr 8) land 0xFF);
+-     s.[1] <- char_of_int ((i lsr 16) land 0xFF);
+-     s.[0] <- char_of_int ((i lsr 24) land 0xFF);
++     let s = Bytes.create 4 in
++     Bytes.set s 3 (char_of_int (i land 0xFF));
++     Bytes.set s 2 (char_of_int ((i lsr 8) land 0xFF));
++     Bytes.set s 1 (char_of_int ((i lsr 16) land 0xFF));
++     Bytes.set s 0 (char_of_int ((i lsr 24) land 0xFF));
+      s
+ 
+ (* tail recursive *)
+@@ -265,15 +265,15 @@ let rec fill_random_string rfunc string ~pos ~len =
+        the random generation being deterministic *)
+     let _bits = rfunc () in
+     for i = 0 to steps - 1 do
+-      string.[pos + i] <-
+-        char_of_int (0xFF land ((rfunc ()) lsr (8 * i)))
++      Bytes.set string (pos + i)
++        (char_of_int (0xFF land ((rfunc ()) lsr (8 * i))))
+     done;
+     fill_random_string rfunc string ~pos:(pos + steps) ~len
+   else
+     ()
+ 
+ let random_string rfunc len =
+-  let string = String.create len in
++  let string = Bytes.create len in
+     fill_random_string rfunc string ~pos:0 ~len;
+     string
+ 
+diff --git a/wserver.ml b/wserver.ml
+index 6ccfc62..27adb13 100644
+--- a/wserver.ml
++++ b/wserver.ml
+@@ -75,9 +75,9 @@ let decode s =
+         match s.[i] with
+           '%' when i + 2 < String.length s ->
+             let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in
+-            s1.[i1] <- Char.chr v; i + 3
+-        | '+' -> s1.[i1] <- ' '; succ i
+-        | x -> s1.[i1] <- x; succ i
++            Bytes.set s1 i1 (Char.chr v); i + 3
++        | '+' -> Bytes.set s1 i1 ' '; succ i
++        | x -> Bytes.set s1 i1 x; succ i
+       in
+       copy_decode_in s1 i (succ i1)
+     else s1
+@@ -95,7 +95,7 @@ let decode s =
+   in
+   if need_decode 0 then
+     let len = compute_len 0 0 in
+-    let s1 = String.create len in
++    let s1 = Bytes.create len in
+     strip_heading_and_trailing_spaces (copy_decode_in s1 0 0)
+   else s
+ 
+@@ -120,22 +120,22 @@ let encode s =
+     if i < String.length s then
+       let i1 =
+         match s.[i] with
+-          ' ' -> s1.[i1] <- '+'; succ i1
++          ' ' -> Bytes.set s1 i1 '+'; succ i1
+         | c ->
+             if special c then
+               begin
+-                s1.[i1] <- '%';
+-                s1.[i1 + 1] <- hexa_digit (Char.code c / 16);
+-                s1.[i1 + 2] <- hexa_digit (Char.code c mod 16);
++                Bytes.set s1 i1 '%';
++                Bytes.set s1 (i1 + 1) (hexa_digit (Char.code c / 16));
++                Bytes.set s1 (i1 + 2) (hexa_digit (Char.code c mod 16));
+                 i1 + 3
+               end
+-            else begin s1.[i1] <- c; succ i1 end
++            else begin Bytes.set s1 i1 c; succ i1 end
+       in
+       copy_code_in s1 (succ i) i1
+     else s1
+   in
+   if need_code 0 then
+-    let len = compute_len 0 0 in copy_code_in (String.create len) 0 0
++    let len = compute_len 0 0 in copy_code_in (Bytes.create len) 0 0
+   else s
+ 
+ let stripchars = Set.of_list [ ' '; '\t'; '\n'; '\r' ]
+@@ -180,7 +180,7 @@ let parse_post headers cin =
+     if len > max_post_length
+     then raise (Entity_too_large (sprintf "POST data too long: %f megs"
+                               (float len /. 1024. /. 1024.)));
+-    let rest = String.create len in
++    let rest = Bytes.create len in
+     really_input cin rest 0 len;
+     rest
+   with
diff -Nru sks-1.1.5/debian/patches/0007-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch sks-1.1.5/debian/patches/0007-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch
--- sks-1.1.5/debian/patches/0007-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0007-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-From: Kim Minh Kaplan <kaplan+sks@kim-minh.com>
-Date: Wed, 13 May 2015 18:29:30 +0200
-Subject: Keydb.add_keys: use List.rev_map instead of List.map for tail
- recursion
-
----
- keydb.ml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/keydb.ml b/keydb.ml
-index c4f4f01..949a1f4 100644
---- a/keydb.ml
-+++ b/keydb.ml
-@@ -1156,7 +1156,7 @@ struct
- 
-   (** Adds multiple keys at once --- no transactional support *)
-   let add_keys keys =
--    let mds = List.map ~f:key_to_metadata keys in
-+    let mds = List.rev_map ~f:key_to_metadata keys in
-     add_mds mds
- 
-   (***********************************************************************)
diff -Nru sks-1.1.5/debian/patches/0008-Avoid-sending-web-clients-to-third-party-resources.patch sks-1.1.5/debian/patches/0008-Avoid-sending-web-clients-to-third-party-resources.patch
--- sks-1.1.5/debian/patches/0008-Avoid-sending-web-clients-to-third-party-resources.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0008-Avoid-sending-web-clients-to-third-party-resources.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,48 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 6 May 2016 19:04:59 -0400
+Subject: Avoid sending web clients to third-party resources
+
+See:
+
+ lintian-info --tags privacy-breach-w3c-valid-html
+
+https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html
+---
+ sampleWeb/XHTML+ES/index.xhtml      | 6 +++---
+ sampleWeb/XHTML+ES/index.xhtml.orig | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sampleWeb/XHTML+ES/index.xhtml b/sampleWeb/XHTML+ES/index.xhtml
+index 5c7c713..01b3976 100644
+--- a/sampleWeb/XHTML+ES/index.xhtml
++++ b/sampleWeb/XHTML+ES/index.xhtml
+@@ -106,9 +106,9 @@ TODO:
+ 	
+ 	<hr/>
+ 	<p>
+-	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xml10-v.svg" alt="Valid XML&nbsp;1.0" style="width:5em; height:100%;"/></a>
+-	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml11-v.svg" alt="Valid XHTML&nbsp;1.1" style="width:5em; height:100%;"/></a>
+-	<a href="http://jigsaw.w3.org/css-validator/check/referer"><img src="http://www.w3.org/Icons/valid-css-v.svg" alt="Valid CSS" style="width:5em; height:100%;"/></a>
++	<a href="http://validator.w3.org/check?uri=referer">[Valid XML&nbsp;1.0]</a>
++	<a href="http://validator.w3.org/check?uri=referer">[Valid XHTML&nbsp;1.1]</a>
++	<a href="http://jigsaw.w3.org/css-validator/check/referer">[Valid CSS]</a>
+ 	</p>
+ </body>
+ 
+diff --git a/sampleWeb/XHTML+ES/index.xhtml.orig b/sampleWeb/XHTML+ES/index.xhtml.orig
+index 5c7c713..01b3976 100755
+--- a/sampleWeb/XHTML+ES/index.xhtml.orig
++++ b/sampleWeb/XHTML+ES/index.xhtml.orig
+@@ -106,9 +106,9 @@ TODO:
+ 	
+ 	<hr/>
+ 	<p>
+-	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xml10-v.svg" alt="Valid XML&nbsp;1.0" style="width:5em; height:100%;"/></a>
+-	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml11-v.svg" alt="Valid XHTML&nbsp;1.1" style="width:5em; height:100%;"/></a>
+-	<a href="http://jigsaw.w3.org/css-validator/check/referer"><img src="http://www.w3.org/Icons/valid-css-v.svg" alt="Valid CSS" style="width:5em; height:100%;"/></a>
++	<a href="http://validator.w3.org/check?uri=referer">[Valid XML&nbsp;1.0]</a>
++	<a href="http://validator.w3.org/check?uri=referer">[Valid XHTML&nbsp;1.1]</a>
++	<a href="http://jigsaw.w3.org/css-validator/check/referer">[Valid CSS]</a>
+ 	</p>
+ </body>
+ 
diff -Nru sks-1.1.5/debian/patches/0008-Build.get_keys-make-it-tail-recursive.patch sks-1.1.5/debian/patches/0008-Build.get_keys-make-it-tail-recursive.patch
--- sks-1.1.5/debian/patches/0008-Build.get_keys-make-it-tail-recursive.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0008-Build.get_keys-make-it-tail-recursive.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@
-From: Kim Minh Kaplan <kaplan+sks@kim-minh.com>
-Date: Wed, 13 May 2015 18:33:42 +0200
-Subject: Build.get_keys: make it tail recursive. Build.get_keys_rec: move
- this function inside get_keys.
-
----
- build.ml | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/build.ml b/build.ml
-index e055c73..c3d6c4a 100644
---- a/build.ml
-+++ b/build.ml
-@@ -49,17 +49,17 @@ module F(M:sig end) = struct
-   let n = match !Settings.n with 0 -> 1 | x -> x
-   let fnames = !Settings.anonlist
- 
--  let rec get_keys_rec nextkey partial = match nextkey () with
--      Some key ->
--        (try
--           let ckey = Fixkey.canonicalize key in
--           get_keys_rec nextkey (ckey::partial)
--         with
--             Fixkey.Bad_key -> get_keys_rec nextkey partial
--        )
--    | None -> partial
--
--  let get_keys nextkey = get_keys_rec nextkey []
-+  let get_keys nextkey start =
-+    let rec loop acc = match nextkey () with
-+        Some key -> loop
-+          (try
-+             (Fixkey.canonicalize key)::acc
-+           with
-+               Fixkey.Bad_key -> acc
-+          )
-+      | None -> acc
-+    in
-+    loop start
- 
-   let timestr sec =
-     sprintf "%.2f min" (sec /. 60.)
-@@ -82,7 +82,7 @@ module F(M:sig end) = struct
-     protect
-       ~f:(fun () ->
-             let nextkey = Key.next_of_channel cin in
--            get_keys_rec nextkey start
-+            get_keys nextkey start
-          )
-       ~finally:(fun () -> cin#close)
- 
diff -Nru sks-1.1.5/debian/patches/0009-Correct-invalid-md5sum-file.patch sks-1.1.5/debian/patches/0009-Correct-invalid-md5sum-file.patch
--- sks-1.1.5/debian/patches/0009-Correct-invalid-md5sum-file.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0009-Correct-invalid-md5sum-file.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,24 @@
+From: Matt Rude <Matt@mattrude.com>
+Date: Fri, 6 May 2016 17:37:39 -0400
+Subject: Correct invalid md5sum file
+
+Some systems require a 2nd space between the hash and the filename to
+be able to validate the files. This request adds that 2nd space to the
+output file.
+---
+ sksdump.ml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sksdump.ml b/sksdump.ml
+index feee6bb..6213e8b 100644
+--- a/sksdump.ml
++++ b/sksdump.ml
+@@ -99,7 +99,7 @@ struct
+    fprintf file "#Key-Count: %d\n" numkey;
+    fprintf file "#Digest-algo: md5\n";
+    while !c < ctr do 
+-     fprintf file "%s %s-%04d.pgp\n" (Digest.to_hex(
++     fprintf file "%s  %s-%04d.pgp\n" (Digest.to_hex(
+       Digest.file (Filename.concat dumpdir (sprintf "%s-%04d.pgp" name !c))))
+       name !c;
+      incr c
diff -Nru sks-1.1.5/debian/patches/0009-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch sks-1.1.5/debian/patches/0009-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch
--- sks-1.1.5/debian/patches/0009-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0009-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-From: kristianf <unknown>
-Date: Sat, 31 Oct 2015 14:08:38 +0100
-Subject: (parsePGP.ml) Add OID for Curve25519 encryption
-
-The OID is taken from GnuPG, and not standardized yet but
-used in released versions
-
-Bug:
-https://bitbucket.org/skskeyserver/sks-keyserver/issues/36/curve25519-oid-for-encryption
----
- parsePGP.ml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/parsePGP.ml b/parsePGP.ml
-index 21060a1..9eae586 100644
---- a/parsePGP.ml
-+++ b/parsePGP.ml
-@@ -151,6 +151,7 @@ let oid_to_psize oid =
-      | "\x2b\x24\x03\x03\x02\x08\x01\x01\x0d" -> 512 	(* brainpoolP512r1 *)
-      | "\x2b\x81\x04\x00\x0a" -> 256         		(* secp256k1 *)
-      | "\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" -> 256	(* Ed25519 *)  
-+     | "\x2b\x06\x01\x04\x01\x97\x55\x01\x05\x01" -> 256 (* cv25519 *)
-      | _ -> failwith "Unknown OID"
-    in
-    psize
diff -Nru sks-1.1.5/debian/patches/0010-Avoid-deprecated-ocaml.patch sks-1.1.5/debian/patches/0010-Avoid-deprecated-ocaml.patch
--- sks-1.1.5/debian/patches/0010-Avoid-deprecated-ocaml.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0010-Avoid-deprecated-ocaml.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,507 +0,0 @@
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Fri, 6 May 2016 18:52:17 -0400
-Subject: Avoid deprecated ocaml
-
-newer versions of ocaml explicitly deprecate:
-
- * String.create in favor of Bytes.create
- * String.fill in favor of Bytes.fill
- * Sort.list in favor of List.sort
- * Byte internal assignment like .[] <- (but Bytes.set is fine)
-
-(for this last one, see http://caml.inria.fr/mantis/view.php?id=6706
-and https://github.com/ocaml/ocaml/pull/69, which i don't fully
-understand)
----
- add_mail.ml   |  2 +-
- bitstring.ml  | 34 +++++++++++++++++-----------------
- channel.ml    |  6 +++---
- dbserver.ml   |  2 +-
- heap.ml       |  2 +-
- keyHash.ml    |  4 ++--
- linearAlg.ml  |  2 +-
- mList.ml      |  4 ++--
- number.ml     | 12 ++++++------
- prefixTree.ml |  4 ++--
- rMisc.ml      | 14 +++++++-------
- utils.ml      | 24 ++++++++++++------------
- wserver.ml    | 22 +++++++++++-----------
- 13 files changed, 66 insertions(+), 66 deletions(-)
-
-diff --git a/add_mail.ml b/add_mail.ml
-index 3233af6..f5c7cfc 100644
---- a/add_mail.ml
-+++ b/add_mail.ml
-@@ -54,7 +54,7 @@ let dirname =
- (** dumps contents of one file into another *)
- let pipe_file =
-   let blocksize = 100 * 1024 in
--  let buf = String.create blocksize in
-+  let buf = Bytes.create blocksize in
-   let rec pipe_file file1 file2 =
-     let bytes_read = input file1 buf 0 blocksize in
-     if bytes_read <> 0 then (
-diff --git a/bitstring.ml b/bitstring.ml
-index a6d3dad..19d3307 100644
---- a/bitstring.ml
-+++ b/bitstring.ml
-@@ -40,7 +40,7 @@ let bytelength bits =
- let create bits =
-   let bytes = bytelength bits
-   in
--  { a = String.create bytes;
-+  { a = Bytes.create bytes;
-     bitlength = bits;
-   }
- 
-@@ -58,7 +58,7 @@ let flip ba bit =
-   let intval = int_of_char (String.get ba.a byte_pos) in
-   let new_char = char_of_int ((1 lsl (width - bit_pos - 1)) lxor intval)
-   in
--  String.set ba.a byte_pos new_char
-+  Bytes.set ba.a byte_pos new_char
- 
- let set ba bit =
-   let byte_pos = bit / width
-@@ -66,7 +66,7 @@ let set ba bit =
-   let intval = int_of_char (String.get ba.a byte_pos) in
-   let new_char = char_of_int ((1 lsl (width - bit_pos - 1)) lor intval)
-   in
--  String.set ba.a byte_pos new_char
-+  Bytes.set ba.a byte_pos new_char
- 
- let unset ba bit =
-   let byte_pos = bit / width
-@@ -75,7 +75,7 @@ let unset ba bit =
-   let new_char = char_of_int ((lnot (1 lsl (width - bit_pos - 1)))
-                               land intval)
-   in
--  String.set ba.a byte_pos new_char
-+  Bytes.set ba.a byte_pos new_char
- 
- let setval ba bit bool =
-   if bool then set ba bit else unset ba bit
-@@ -98,9 +98,9 @@ let to_bool_array ba =
-   Array.init ~f:(fun i -> lget ba i) ba.bitlength
- 
- let to_string ba =
--  let string = String.create ba.bitlength in
-+  let string = Bytes.create ba.bitlength in
-   for i = 0 to ba.bitlength -1 do
--    if get ba i = 0 then string.[i] <- '0' else string.[i] <- '1'
-+    if get ba i = 0 then Bytes.set string i '0' else Bytes.set string i '1'
-   done;
-   string
- 
-@@ -160,7 +160,7 @@ let copy ba = { ba with a = String.copy ba.a }
-  *)
- let copy_len ba bitlength =
-   let bytes = bytelength bitlength in
--  let str = String.create bytes in
-+  let str = Bytes.create bytes in
-   String.blit ~src:ba.a ~src_pos:0
-     ~dst:str ~dst_pos:0 ~len:(String.length ba.a);
-   { a = str; bitlength = bitlength }
-@@ -191,17 +191,17 @@ let shift_left_small ba bits =
-   if bits > 0 then
-     let bytes = bytelength ba.bitlength in
-     for i = 0 to bytes-2 do
--      ba.a.[i] <- shift_pair_left ba.a.[i] ba.a.[i+1] bits
-+      Bytes.set ba.a i (shift_pair_left ba.a.[i] ba.a.[i+1] bits)
-     done;
--    ba.a.[bytes-1] <- shift_pair_left ba.a.[bytes-1] '\000' bits
-+    Bytes.set ba.a (bytes-1) (shift_pair_left ba.a.[bytes-1] '\000' bits)
- 
- let shift_right_small ba bits =
-   if bits > 0 then
-     let bytes = bytelength ba.bitlength in
-     for i = bytes-1 downto 1 do
--      ba.a.[i] <- shift_pair_right ba.a.[i-1] ba.a.[i] bits
-+      Bytes.set ba.a i (shift_pair_right ba.a.[i-1] ba.a.[i] bits)
-     done;
--    ba.a.[0] <-  shift_pair_right '\000' ba.a.[0] bits
-+    Bytes.set ba.a 0 (shift_pair_right '\000' ba.a.[0] bits)
- 
- (**********************************)
- 
-@@ -216,10 +216,10 @@ let rec shift_left ba bits =
-   then
-     begin
-       for i = 0 to bytelength - 1 - bytes do
--        ba.a.[i] <- ba.a.[i+bytes];
-+        Bytes.set ba.a i ba.a.[i+bytes];
-       done;
-       for i = bytelength - bytes to bytelength - 1 do
--        ba.a.[i] <- '\000'
-+        Bytes.set ba.a i '\000'
-       done
-     end;
-   shift_left_small ba bits
-@@ -235,10 +235,10 @@ and shift_right ba bits =
-     then
-       begin
-         for i = bytelength - 1 downto bytes do
--          ba.a.[i] <- ba.a.[i-bytes];
-+          Bytes.set ba.a i ba.a.[i-bytes];
-         done;
-         for i = bytes - 1 downto 0 do
--          ba.a.[i] <- '\000'
-+          Bytes.set ba.a i '\000'
-         done
-       end;
-     shift_right_small ba bits
-@@ -275,14 +275,14 @@ let blit ~src ~dst ~len =
-     let newdst = (rmasks.(bitlen) land srcval) lor
-                  ((lnot rmasks.(bitlen)) land dstval)
-     in
--    dst.a.[bytelen] <- char_of_int newdst
-+    Bytes.set dst.a bytelen (char_of_int newdst)
- 
- 
- (* let full_blit ~src ~src_pos ~dst ~dst_pos ~len =  *)
- 
- 
- let zero_out bs =
--  String.fill bs.a ~pos:0 ~len:(String.length bs.a) '\000'
-+  Bytes.fill bs.a ~pos:0 ~len:(String.length bs.a) '\000'
- 
- (*
- let extract bs ~pos ~len =
-diff --git a/channel.ml b/channel.ml
-index 95b599b..75f7a3a 100644
---- a/channel.ml
-+++ b/channel.ml
-@@ -50,7 +50,7 @@ let create_nb_really_input inchan =
-     let string =
-       match !stringopt with
-           None ->
--            let string = String.create len in
-+            let string = Bytes.create len in
-             stringopt := Some string;
-             pos := 0;
-             string
-@@ -125,7 +125,7 @@ let read_all cin ?len ()=
-       None -> 1024 * 100
-     | Some x -> x
-   in
--  let sbuf = String.create len
-+  let sbuf = Bytes.create len
-   and buf = Buffer.create len in
-     read_all_rec cin sbuf buf;
-     Buffer.contents buf
-@@ -167,7 +167,7 @@ object (self)
-   method virtual read_string_pos : buf:string -> pos:int -> len:int -> unit
-   method virtual read_char : char
-   method read_string len =
--    let buf = String.create len in
-+    let buf = Bytes.create len in
-     self#read_string_pos ~buf ~pos:0 ~len;
-     buf
-   method read_byte = int_of_char self#read_char
-diff --git a/dbserver.ml b/dbserver.ml
-index d2cab69..71c53cb 100644
---- a/dbserver.ml
-+++ b/dbserver.ml
-@@ -396,7 +396,7 @@ struct
-     let f = (if binary then open_in_bin else open_in) fname in
-     protect ~f:(fun () ->
-                   let length = in_channel_length f in
--                  let buf = String.create length in
-+                  let buf = Bytes.create length in
-                   really_input f buf 0 length;
-                   buf
-                )
-diff --git a/heap.ml b/heap.ml
-index 292f432..ad9f053 100644
---- a/heap.ml
-+++ b/heap.ml
-@@ -146,7 +146,7 @@ let push heap ~key ~data =
- (***************************************************************)
- 
- let empty cmp i =
--  { a = Array.create i None;
-+  { a = Array.make i None;
-     length = 0;
-     minsize = i;
-     cmp = cmp;
-diff --git a/keyHash.ml b/keyHash.ml
-index ca7c6d6..49cf466 100644
---- a/keyHash.ml
-+++ b/keyHash.ml
-@@ -73,11 +73,11 @@ let hexchar_to_int c =
- 
- let dehexify s =
-   let s = String.uppercase s in
--  let ns = String.create (String.length s / 2) in (* new string *)
-+  let ns = Bytes.create (String.length s / 2) in (* new string *)
-   for i = 0 to String.length ns - 1 do
-     let first = hexchar_to_int s.[2 * i]
-     and second = hexchar_to_int s.[2 * i + 1]
-     in
--    ns.[i] <- char_of_int ((first lsl 4) + second)
-+    Bytes.set ns i (char_of_int ((first lsl 4) + second))
-   done;
-   ns
-diff --git a/linearAlg.ml b/linearAlg.ml
-index 81a9d88..f4499ed 100644
---- a/linearAlg.ml
-+++ b/linearAlg.ml
-@@ -62,7 +62,7 @@ struct
-   let copy m = { m with array = Array.copy m.array; }
- 
-   let make ~columns ~rows init =
--    let array = Array.create (columns * rows) init in
-+    let array = Array.make (columns * rows) init in
-     { columns = columns;
-       rows = rows;
-       array = array;
-diff --git a/mList.ml b/mList.ml
-index f473a64..c0d4c79 100644
---- a/mList.ml
-+++ b/mList.ml
-@@ -200,7 +200,7 @@ let pri_split pri list =
-   (low,exact,high)
- 
- let has_dups list =
--  let slist = Sort.list (fun x y -> x < y) list in
-+  let slist = List.sort compare list in
-   let rec dup_scan list = match list with
-     [] -> false
-   | hd::[] -> false
-@@ -208,7 +208,7 @@ let has_dups list =
-   in dup_scan slist
- 
- let dedup list =
--  let slist = Sort.list (fun x y -> x < y) list in
-+  let slist = List.sort compare list in
-   let rec dedup ~list ~partial = match list with
-       [] -> partial
-     | hd::[] -> dedup ~list:[] ~partial:(hd::partial)
-diff --git a/number.ml b/number.ml
-index 3e33077..94f3b2e 100644
---- a/number.ml
-+++ b/number.ml
-@@ -60,9 +60,9 @@ let width_pow = power_int_positive_int 2 width
- 
- let revstring s =
-   let len = String.length s in
--  let copy = String.create len in
-+  let copy = Bytes.create len in
-   for i = 0 to len - 1 do
--    copy.[i] <- s.[len - 1 - i]
-+    Bytes.set copy i s.[len - 1 - i]
-   done;
-   copy
- 
-@@ -71,19 +71,19 @@ let revstring_inplace s =
-   for i = 0 to (len - 2)/2 do
-     let j = len - 1 - i in
-     let tmp = s.[i] in
--    s.[i] <- s.[j];
--    s.[j] <- tmp
-+    Bytes.set s i s.[j];
-+    Bytes.set s j tmp
-   done
- 
- let to_bytes ~nbytes n =
-   if sign_big_int n = -1
-   then raise (Invalid_argument "N.to_bytes: negative argument");
--  let string = String.create nbytes in
-+  let string = Bytes.create nbytes in
-   let rec loop n i =
-     if i < 0 then string
-     else
-       let (a,b) = quomod_big_int n width_pow in
--      string.[i] <- char_of_int (int_of_big_int b);
-+      Bytes.set string i (char_of_int (int_of_big_int b));
-       loop a (i - 1)
-   in
-   let str = loop n (nbytes - 1) in
-diff --git a/prefixTree.ml b/prefixTree.ml
-index 4aa4fbb..a90cc41 100644
---- a/prefixTree.ml
-+++ b/prefixTree.ml
-@@ -730,8 +730,8 @@ let split_at_depth t zz zzs node depth =
- let pad string bytes =
-   let len = String.length string in
-   if bytes > len then
--    let nstr = String.create bytes in
--    String.fill nstr ~pos:len ~len:(bytes - len) '\000';
-+    let nstr = Bytes.create bytes in
-+    Bytes.fill nstr ~pos:len ~len:(bytes - len) '\000';
-     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len;
-     nstr
-   else
-diff --git a/rMisc.ml b/rMisc.ml
-index 63792c1..46e687d 100644
---- a/rMisc.ml
-+++ b/rMisc.ml
-@@ -56,15 +56,15 @@ let rec fill_random_string rfunc string ~pos ~len =
-     (* CR yminsky: I think this has the same bug as the function with the same name in Utils *)
-     let _bits = rfunc () in
-       for i = 0 to steps - 1 do
--        string.[pos + i] <-
--        char_of_int (0xFF land ((rfunc ()) lsr (8 * i)))
-+        Bytes.set string (pos + i)
-+        (char_of_int (0xFF land ((rfunc ()) lsr (8 * i))))
-       done;
-       fill_random_string rfunc string ~pos:(pos + steps) ~len
-   else
-     ()
- 
- let random_string rfunc len =
--  let string = String.create len in
-+  let string = Bytes.create len in
-     fill_random_string rfunc string ~pos:0 ~len;
-     string
- 
-@@ -124,8 +124,8 @@ let add_sarray ~data sarray =
- let pad string bytes =
-   let len = String.length string in
-   if bytes > len then
--    let nstr = String.create bytes in
--    String.fill nstr ~pos:len ~len:(bytes - len) '\000';
-+    let nstr = Bytes.create bytes in
-+    Bytes.fill nstr ~pos:len ~len:(bytes - len) '\000';
-     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len;
-     nstr
-   else
-@@ -139,7 +139,7 @@ let padset stringset bytes =
- let truncate string bytes =
-   let len = String.length string in
-   if bytes < len then
--    let nstr = String.create bytes in
-+    let nstr = Bytes.create bytes in
-     String.blit ~src:string ~dst:nstr ~src_pos:0 ~dst_pos:0 ~len:bytes;
-     nstr
-   else
-@@ -160,7 +160,7 @@ let order_string = "530512889551602322505127520352579437339"
- (** Printing Functions *)
- 
- let print_ZZp_list list =
--  let list = Sort.list (fun x y -> compare x y < 0) list in
-+  let list = List.sort compare list in
-   MList.print2 ~f:ZZp.print list
- 
- let print_ZZp_set set = print_ZZp_list (Set.elements set)
-diff --git a/utils.ml b/utils.ml
-index b9b4347..0acd119 100644
---- a/utils.ml
-+++ b/utils.ml
-@@ -173,12 +173,12 @@ let random_int low high =
- let char_width = 8
- 
- let hexstring digest =
--  let result = String.create (String.length digest * 2) in
--  let hex = "0123456789ABCDEF" in
-+  let result = Bytes.create (String.length digest * 2) in
-+  let hex = Bytes.of_string "0123456789ABCDEF" in
-     for i = 0 to String.length digest - 1 do
-       let c = Char.code digest.[i] in
--        result.[2*i] <- hex.[c lsr 4];
--        result.[2*i+1] <- hex.[c land 0xF]
-+        Bytes.set result (2*i) hex.[c lsr 4];
-+        Bytes.set result (2*i+1) hex.[c land 0xF]
-     done;
-     result
- 
-@@ -192,11 +192,11 @@ let int_from_bstring string ~pos ~len =
-   int_from_bstring_rec string ~pos ~len 0
- 
- let bstring_of_int i =
--     let s = String.create 4 in
--     s.[3] <- char_of_int (i land 0xFF);
--     s.[2] <- char_of_int ((i lsr 8) land 0xFF);
--     s.[1] <- char_of_int ((i lsr 16) land 0xFF);
--     s.[0] <- char_of_int ((i lsr 24) land 0xFF);
-+     let s = Bytes.create 4 in
-+     Bytes.set s 3 (char_of_int (i land 0xFF));
-+     Bytes.set s 2 (char_of_int ((i lsr 8) land 0xFF));
-+     Bytes.set s 1 (char_of_int ((i lsr 16) land 0xFF));
-+     Bytes.set s 0 (char_of_int ((i lsr 24) land 0xFF));
-      s
- 
- (* tail recursive *)
-@@ -265,15 +265,15 @@ let rec fill_random_string rfunc string ~pos ~len =
-        the random generation being deterministic *)
-     let _bits = rfunc () in
-     for i = 0 to steps - 1 do
--      string.[pos + i] <-
--        char_of_int (0xFF land ((rfunc ()) lsr (8 * i)))
-+      Bytes.set string (pos + i)
-+        (char_of_int (0xFF land ((rfunc ()) lsr (8 * i))))
-     done;
-     fill_random_string rfunc string ~pos:(pos + steps) ~len
-   else
-     ()
- 
- let random_string rfunc len =
--  let string = String.create len in
-+  let string = Bytes.create len in
-     fill_random_string rfunc string ~pos:0 ~len;
-     string
- 
-diff --git a/wserver.ml b/wserver.ml
-index 6ccfc62..27adb13 100644
---- a/wserver.ml
-+++ b/wserver.ml
-@@ -75,9 +75,9 @@ let decode s =
-         match s.[i] with
-           '%' when i + 2 < String.length s ->
-             let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in
--            s1.[i1] <- Char.chr v; i + 3
--        | '+' -> s1.[i1] <- ' '; succ i
--        | x -> s1.[i1] <- x; succ i
-+            Bytes.set s1 i1 (Char.chr v); i + 3
-+        | '+' -> Bytes.set s1 i1 ' '; succ i
-+        | x -> Bytes.set s1 i1 x; succ i
-       in
-       copy_decode_in s1 i (succ i1)
-     else s1
-@@ -95,7 +95,7 @@ let decode s =
-   in
-   if need_decode 0 then
-     let len = compute_len 0 0 in
--    let s1 = String.create len in
-+    let s1 = Bytes.create len in
-     strip_heading_and_trailing_spaces (copy_decode_in s1 0 0)
-   else s
- 
-@@ -120,22 +120,22 @@ let encode s =
-     if i < String.length s then
-       let i1 =
-         match s.[i] with
--          ' ' -> s1.[i1] <- '+'; succ i1
-+          ' ' -> Bytes.set s1 i1 '+'; succ i1
-         | c ->
-             if special c then
-               begin
--                s1.[i1] <- '%';
--                s1.[i1 + 1] <- hexa_digit (Char.code c / 16);
--                s1.[i1 + 2] <- hexa_digit (Char.code c mod 16);
-+                Bytes.set s1 i1 '%';
-+                Bytes.set s1 (i1 + 1) (hexa_digit (Char.code c / 16));
-+                Bytes.set s1 (i1 + 2) (hexa_digit (Char.code c mod 16));
-                 i1 + 3
-               end
--            else begin s1.[i1] <- c; succ i1 end
-+            else begin Bytes.set s1 i1 c; succ i1 end
-       in
-       copy_code_in s1 (succ i) i1
-     else s1
-   in
-   if need_code 0 then
--    let len = compute_len 0 0 in copy_code_in (String.create len) 0 0
-+    let len = compute_len 0 0 in copy_code_in (Bytes.create len) 0 0
-   else s
- 
- let stripchars = Set.of_list [ ' '; '\t'; '\n'; '\r' ]
-@@ -180,7 +180,7 @@ let parse_post headers cin =
-     if len > max_post_length
-     then raise (Entity_too_large (sprintf "POST data too long: %f megs"
-                               (float len /. 1024. /. 1024.)));
--    let rest = String.create len in
-+    let rest = Bytes.create len in
-     really_input cin rest 0 len;
-     rest
-   with
diff -Nru sks-1.1.5/debian/patches/0010-make-ocextr-as-bytecode-rather-than-native.patch sks-1.1.5/debian/patches/0010-make-ocextr-as-bytecode-rather-than-native.patch
--- sks-1.1.5/debian/patches/0010-make-ocextr-as-bytecode-rather-than-native.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0010-make-ocextr-as-bytecode-rather-than-native.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,28 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 11 May 2016 00:58:08 -0400
+Subject: make ocextr as bytecode rather than native
+
+ocextr is only ever run at build time, and it is not
+performance-sensitive.  On some architectures, ocaml can *only*
+produce bytecode; on those architectures, we'll still need ocextr in
+order to complete the build.
+
+On architectures where ocaml can produce native code, it still works
+as bytecode, so this improvement doesn't break anything.
+---
+ bdb/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bdb/Makefile b/bdb/Makefile
+index fcb9063..e136c38 100644
+--- a/bdb/Makefile
++++ b/bdb/Makefile
+@@ -36,7 +36,7 @@ endif
+ COBJS = bdb_stubs.o
+ 
+ ocextr: ocextr.ml
+-	$(OCAMLOPT) -o ocextr ocextr.ml
++	$(OCAMLC) -o ocextr ocextr.ml
+ 
+ libbdb.a: $(COBJS)
+ 	$(MKLIB) -custom -o bdb $(COBJS)
diff -Nru sks-1.1.5/debian/patches/0011-Avoid-sending-web-clients-to-third-party-resources.patch sks-1.1.5/debian/patches/0011-Avoid-sending-web-clients-to-third-party-resources.patch
--- sks-1.1.5/debian/patches/0011-Avoid-sending-web-clients-to-third-party-resources.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/0011-Avoid-sending-web-clients-to-third-party-resources.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Fri, 6 May 2016 19:04:59 -0400
-Subject: Avoid sending web clients to third-party resources
-
-See:
-
- lintian-info --tags privacy-breach-w3c-valid-html
-
-https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html
----
- sampleWeb/XHTML+ES/index.xhtml      | 6 +++---
- sampleWeb/XHTML+ES/index.xhtml.orig | 6 +++---
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/sampleWeb/XHTML+ES/index.xhtml b/sampleWeb/XHTML+ES/index.xhtml
-index 5c7c713..01b3976 100644
---- a/sampleWeb/XHTML+ES/index.xhtml
-+++ b/sampleWeb/XHTML+ES/index.xhtml
-@@ -106,9 +106,9 @@ TODO:
- 	
- 	<hr/>
- 	<p>
--	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xml10-v.svg" alt="Valid XML&nbsp;1.0" style="width:5em; height:100%;"/></a>
--	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml11-v.svg" alt="Valid XHTML&nbsp;1.1" style="width:5em; height:100%;"/></a>
--	<a href="http://jigsaw.w3.org/css-validator/check/referer"><img src="http://www.w3.org/Icons/valid-css-v.svg" alt="Valid CSS" style="width:5em; height:100%;"/></a>
-+	<a href="http://validator.w3.org/check?uri=referer">[Valid XML&nbsp;1.0]</a>
-+	<a href="http://validator.w3.org/check?uri=referer">[Valid XHTML&nbsp;1.1]</a>
-+	<a href="http://jigsaw.w3.org/css-validator/check/referer">[Valid CSS]</a>
- 	</p>
- </body>
- 
-diff --git a/sampleWeb/XHTML+ES/index.xhtml.orig b/sampleWeb/XHTML+ES/index.xhtml.orig
-index 5c7c713..01b3976 100755
---- a/sampleWeb/XHTML+ES/index.xhtml.orig
-+++ b/sampleWeb/XHTML+ES/index.xhtml.orig
-@@ -106,9 +106,9 @@ TODO:
- 	
- 	<hr/>
- 	<p>
--	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xml10-v.svg" alt="Valid XML&nbsp;1.0" style="width:5em; height:100%;"/></a>
--	<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml11-v.svg" alt="Valid XHTML&nbsp;1.1" style="width:5em; height:100%;"/></a>
--	<a href="http://jigsaw.w3.org/css-validator/check/referer"><img src="http://www.w3.org/Icons/valid-css-v.svg" alt="Valid CSS" style="width:5em; height:100%;"/></a>
-+	<a href="http://validator.w3.org/check?uri=referer">[Valid XML&nbsp;1.0]</a>
-+	<a href="http://validator.w3.org/check?uri=referer">[Valid XHTML&nbsp;1.1]</a>
-+	<a href="http://jigsaw.w3.org/css-validator/check/referer">[Valid CSS]</a>
- 	</p>
- </body>
- 
diff -Nru sks-1.1.5/debian/patches/0011-Correct-invalid-md5sum-file.patch sks-1.1.5/debian/patches/0011-Correct-invalid-md5sum-file.patch
--- sks-1.1.5/debian/patches/0011-Correct-invalid-md5sum-file.patch	2016-05-07 00:16:09.000000000 +0000
+++ sks-1.1.5/debian/patches/0011-Correct-invalid-md5sum-file.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-From: Matt Rude <Matt@mattrude.com>
-Date: Fri, 6 May 2016 17:37:39 -0400
-Subject: Correct invalid md5sum file
-
-Some systems require a 2nd space between the hash and the filename to
-be able to validate the files. This request adds that 2nd space to the
-output file.
----
- sksdump.ml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sksdump.ml b/sksdump.ml
-index feee6bb..6213e8b 100644
---- a/sksdump.ml
-+++ b/sksdump.ml
-@@ -99,7 +99,7 @@ struct
-    fprintf file "#Key-Count: %d\n" numkey;
-    fprintf file "#Digest-algo: md5\n";
-    while !c < ctr do 
--     fprintf file "%s %s-%04d.pgp\n" (Digest.to_hex(
-+     fprintf file "%s  %s-%04d.pgp\n" (Digest.to_hex(
-       Digest.file (Filename.concat dumpdir (sprintf "%s-%04d.pgp" name !c))))
-       name !c;
-      incr c
diff -Nru sks-1.1.5/debian/patches/0011-pull-LDFLAGS-from-environment.patch sks-1.1.5/debian/patches/0011-pull-LDFLAGS-from-environment.patch
--- sks-1.1.5/debian/patches/0011-pull-LDFLAGS-from-environment.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0011-pull-LDFLAGS-from-environment.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,41 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 11 May 2016 03:21:16 -0400
+Subject: pull LDFLAGS from environment
+
+if LDFLAGS is set in the environment, we should pass them
+through ocaml via -ccopt
+---
+ Makefile | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9d5f571..e9bbadd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -45,6 +45,8 @@ else
+ 	OCAMLLIB= -ccopt $(BDBLIB)
+ endif
+ 
++CAMLCFLAGS=$(foreach x, $(LDFLAGS), -ccopt $(x))
++
+ SKSVS=$(shell grep 'version_suffix = "+"' common.ml)
+ ifeq ($(strip $(SKSVS)),)
+ WARNERR=
+@@ -54,7 +56,7 @@ endif
+ 
+ CAMLP4=-pp $(CAMLP4O)
+ CAMLINCLUDE= -I lib -I bdb -I +cryptokit
+-COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes $(WARNERR)
++COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) $(CAMLCFLAGS) -ccopt -Lbdb -dtypes $(WARNERR)
+ OCAMLDEP=ocamldep $(CAMLP4)
+ CAMLLIBS=unix.cma str.cma bdb.cma nums.cma bigarray.cma cryptokit.cma
+ OCAMLFLAGS=$(COMMONCAMLFLAGS) -g $(CAMLLIBS)
+@@ -218,7 +220,7 @@ sks_add_mail.bc: pMap.cmo pSet.cmo add_mail.cmo
+ 	pMap.cmo pSet.cmo add_mail.cmo
+ 
+ sks_add_mail: $(LIBS) pMap.cmx pSet.cmx add_mail.cmx
+-	$(OCAMLOPT) -o sks_add_mail unix.cmxa \
++	$(OCAMLOPT) -o sks_add_mail $(CAMLCFLAGS) unix.cmxa \
+ 	pMap.cmx pSet.cmx add_mail.cmx
+ 
+ ocamldoc.out: $(ALLOBJS) $(EXEOBJS)
diff -Nru sks-1.1.5/debian/patches/0012-remove-YOURDOMAIN-from-sample-web-index.patch sks-1.1.5/debian/patches/0012-remove-YOURDOMAIN-from-sample-web-index.patch
--- sks-1.1.5/debian/patches/0012-remove-YOURDOMAIN-from-sample-web-index.patch	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/patches/0012-remove-YOURDOMAIN-from-sample-web-index.patch	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,29 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 11 May 2016 11:55:02 -0400
+Subject: remove YOURDOMAIN from sample web index
+
+---
+ sampleWeb/HTML5/index.html | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sampleWeb/HTML5/index.html b/sampleWeb/HTML5/index.html
+index 71d729d..f636f25 100644
+--- a/sampleWeb/HTML5/index.html
++++ b/sampleWeb/HTML5/index.html
+@@ -3,7 +3,7 @@
+   <head>
+     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+-    <title>SKS key server at YOURDOMAIN</title>
++    <title>SKS key server</title>
+     <meta name="description" content="">
+     <meta name="author" content="">
+     <!-- Mobile viewport optimized: j.mp/bplateviewport -->
+@@ -90,7 +90,6 @@
+       <header id="title">
+         <hgroup>
+           <h1>SKS OpenPGP Key server</h1>
+-          <h2>YOURDOMAIN</h2>
+         </hgroup>
+       </header>
+       <div id="main" role="main">
diff -Nru sks-1.1.5/debian/patches/202_makefile_bytecode.patch sks-1.1.5/debian/patches/202_makefile_bytecode.patch
--- sks-1.1.5/debian/patches/202_makefile_bytecode.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/202_makefile_bytecode.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-From: Christoph Martin <christoph.martin@uni-mainz.de>
-Date: Fri, 6 May 2016 14:55:00 -0400
-Subject: _makefile_bytecode
-
----
- Makefile     | 2 +-
- bdb/Makefile | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 8bc3787..49bb386 100644
---- a/Makefile
-+++ b/Makefile
-@@ -140,7 +140,7 @@ install:
- 
- install.bc:
- 	mkdir -p $(PREFIX)/bin
--	install sks_build.bc.sh sks.bc sks_add_mail.bc $(PREFIX)/bin
-+	install sks_build.bc sks.bc sks_add_mail.bc $(PREFIX)/bin
- 	mkdir -p $(MANDIR)/man8
- 	install sks.8.gz $(MANDIR)/man8
- 
-diff --git a/bdb/Makefile b/bdb/Makefile
-index fcb9063..e136c38 100644
---- a/bdb/Makefile
-+++ b/bdb/Makefile
-@@ -36,7 +36,7 @@ endif
- COBJS = bdb_stubs.o
- 
- ocextr: ocextr.ml
--	$(OCAMLOPT) -o ocextr ocextr.ml
-+	$(OCAMLC) -o ocextr ocextr.ml
- 
- libbdb.a: $(COBJS)
- 	$(MKLIB) -custom -o bdb $(COBJS)
diff -Nru sks-1.1.5/debian/patches/500_debian_fhs.patch sks-1.1.5/debian/patches/500_debian_fhs.patch
--- sks-1.1.5/debian/patches/500_debian_fhs.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/500_debian_fhs.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,130 +0,0 @@
-From: Christoph Martin <christoph.martin@uni-mainz.de>
-Date: Fri, 6 May 2016 14:55:00 -0400
-Subject: _debian_fhs
-
----
- common.ml      |  6 +++---
- dbserver.ml    |  2 +-
- getfileopts.ml |  2 +-
- reconserver.ml |  4 ++--
- settings.ml    | 20 ++++++++++----------
- 5 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/common.ml b/common.ml
-index f7d3c6b..b3cc726 100644
---- a/common.ml
-+++ b/common.ml
-@@ -96,7 +96,7 @@ let plerror level format =
- 
- let set_logfile extension =
-   if !Settings.filelog then
--    let fname = (Filename.concat !Settings.basedir extension) ^ ".log" in
-+    let fname = (Filename.concat !Settings.basedir "/var/log/sks/") ^ extension ^ ".log" in
-     stored_logfile_name := Some fname;
-     logfile := open_out_gen [ Open_wronly; Open_creat; Open_append; ]
-       0o600 fname;
-@@ -224,8 +224,8 @@ let recon_port = !Settings.recon_port
- let recon_address = !Settings.recon_address
- let http_port = !Settings.hkp_port
- let http_address = !Settings.hkp_address
--let db_command_name = Filename.concat !Settings.basedir "db_com_sock"
--let recon_command_name = Filename.concat !Settings.basedir "recon_com_sock"
-+let db_command_name = Filename.concat !Settings.basedir "/var/run/sks/db_com_sock"
-+let recon_command_name = Filename.concat !Settings.basedir "/var/run/sks/recon_com_sock"
- 
- let db_command_addr = Unix.ADDR_UNIX db_command_name
- let recon_command_addr = Unix.ADDR_UNIX recon_command_name
-diff --git a/dbserver.ml b/dbserver.ml
-index 583c484..d2cab69 100644
---- a/dbserver.ml
-+++ b/dbserver.ml
-@@ -419,7 +419,7 @@ struct
- 
-   let convert_web_fname fname =
-     if verify_web_fname fname then
--      Filename.concat !Settings.basedir (Filename.concat "web" fname)
-+      Filename.concat !Settings.basedir (Filename.concat "/var/lib/sks/www" fname)
-     else raise (Wserver.Misc_error "Malformed requst")
- 
-   let supported_extensions =
-diff --git a/getfileopts.ml b/getfileopts.ml
-index 4b511b8..da97f4f 100644
---- a/getfileopts.ml
-+++ b/getfileopts.ml
-@@ -110,7 +110,7 @@ let fname_convert fname =
- (**************************************************************)
- (**************************************************************)
- 
--let config_fname = "sksconf"
-+let config_fname = "/etc/sks/sksconf"
- 
- let parse args =
-   Arg.current := 0;
-diff --git a/reconserver.ml b/reconserver.ml
-index c0ed738..02ec9e2 100644
---- a/reconserver.ml
-+++ b/reconserver.ml
-@@ -203,7 +203,7 @@ struct
-         let elements = ZSet.elements results in
-         let hashes = hashconvert elements in
-         print_hashes (sockaddr_to_string http_addr) hashes;
--        log_diffs (sprintf "diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
-+        log_diffs (sprintf "/var/spool/sks/diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
-         if List.length elements > 0
-         then
-           begin
-@@ -240,7 +240,7 @@ struct
-         plerror 4 "Reconciliation complete";
-         let hashes = hashconvert results in
-         print_hashes (sockaddr_to_string http_addr) hashes;
--        log_diffs (sprintf "diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
-+        log_diffs (sprintf "/var/spool/sks/diff-%s.txt" (sockaddr_to_name http_addr)) hashes;
-         match results with
-             [] -> []
-           | _ ->
-diff --git a/settings.ml b/settings.ml
-index b66f9af..ea3e95f 100644
---- a/settings.ml
-+++ b/settings.ml
-@@ -200,7 +200,7 @@ let set_missing_keys_timeout value = missing_keys_timeout := value
- let command_timeout = ref 60
- let set_command_timeout value = command_timeout := value
- 
--let sendmail_cmd = ref "sendmail -t -oi"
-+let sendmail_cmd = ref "/usr/lib/sendmail -t -oi"
- let set_sendmail_cmd value = sendmail_cmd := value
- 
- let membership_reload_time = ref (60. *. 60. *. 6.)
-@@ -226,15 +226,15 @@ let get_from_addr () =
- 
- let use_stdin = ref false
- 
--let basedir = ref "."
-+let basedir = ref ""
- 
--let base_dbdir = "KDB"
--let base_ptree_dbdir = "PTree"
--let base_membership_file = "membership"
--let base_mailsync_file = "mailsync"
--let base_dumpdir = "dump"
--let base_msgdir = "messages"
--let base_failed_msgdir = "failed_messages"
-+let base_dbdir = "/var/lib/sks/DB"
-+let base_ptree_dbdir = "/var/lib/sks/PTree"
-+let base_membership_file = "/etc/sks/membership"
-+let base_mailsync_file = "/etc/sks/mailsync"
-+let base_dumpdir = "/var/lib/sks/dump"
-+let base_msgdir = "/var/spool/sks/messages"
-+let base_failed_msgdir = "/var/spool/sks/failed_messages"
- 
- let dbdir = lazy (Filename.concat !basedir base_dbdir)
- let ptree_dbdir = lazy (Filename.concat !basedir base_ptree_dbdir)
-@@ -290,7 +290,7 @@ let parse_spec =
-     ("-hkp_address",Arg.String set_hkp_address, " Set hkp binding address by hostname or IP");
-     ("-use_port_80",Arg.Set use_port_80,
-      " Have the HKP interface listen on port 80, as well as the hkp_port");
--    ("-basedir", Arg.Set_string basedir, " Base directory");
-+    ("-basedir", Arg.Set_string basedir, " Base directory (Take special care if running the Debian package!)");
-     ("-stdoutlog", Arg.Clear filelog,
-      " Send log messages to stdout instead of log file");
-     ("-diskptree", Arg.Set disk_ptree,
diff -Nru sks-1.1.5/debian/patches/501_makefile_cflags.patch sks-1.1.5/debian/patches/501_makefile_cflags.patch
--- sks-1.1.5/debian/patches/501_makefile_cflags.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/501_makefile_cflags.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,94 +0,0 @@
-From: Christoph Martin <christoph.martin@uni-mainz.de>
-Date: Fri, 6 May 2016 14:55:01 -0400
-Subject: _makefile_cflags
-
-This now includes a patch to make the binaries have a read-only
-relocation section.
----
- Makefile | 38 +++++++-------------------------------
- 1 file changed, 7 insertions(+), 31 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 49bb386..226295f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -45,6 +45,9 @@ else
- 	OCAMLLIB= -ccopt $(BDBLIB)
- endif
- 
-+# FIXME: make this optional/dependent on the hardening flags?
-+RELRO=-ccopt -Wl,-z,relro 
-+
- SKSVS=$(shell grep 'version_suffix = "+"' common.ml)
- ifeq ($(strip $(SKSVS)),)
- WARNERR=
-@@ -53,8 +56,8 @@ WARNERR=-warn-error A
- endif
- 
- CAMLP4=-pp $(CAMLP4O)
--CAMLINCLUDE= -I lib -I bdb
--COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes $(WARNERR)
-+CAMLINCLUDE= -I lib -I bdb -I +cryptokit
-+COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) $(RELRO) -ccopt -Lbdb -dtypes $(WARNERR)
- OCAMLDEP=ocamldep $(CAMLP4)
- CAMLLIBS=unix.cma str.cma bdb.cma nums.cma bigarray.cma cryptokit.cma
- OCAMLFLAGS=$(COMMONCAMLFLAGS) -g $(CAMLLIBS)
-@@ -107,7 +110,7 @@ ALLOBJS=$(ALLOBJS.bc:.cmo=.cmx)
- 
- EXEOBJS.bc=$(RSERVOBJS.bc) build.cmo fastbuild.cmo dbserver.cmo pdiskTest.cmo
- 
--LIBS.bc= lib/cryptokit.cma bdb/bdb.cma
-+LIBS.bc= bdb/bdb.cma
- LIBS=$(LIBS.bc:.cma=.cmxa)
- 
- VERSION := $(shell cat VERSION)
-@@ -218,7 +221,7 @@ sks_add_mail.bc: pMap.cmo pSet.cmo add_mail.cmo
- 	pMap.cmo pSet.cmo add_mail.cmo
- 
- sks_add_mail: $(LIBS) pMap.cmx pSet.cmx add_mail.cmx
--	$(OCAMLOPT) -o sks_add_mail unix.cmxa \
-+	$(OCAMLOPT) -o sks_add_mail $(RELRO) unix.cmxa \
- 	pMap.cmx pSet.cmx add_mail.cmx
- 
- ocamldoc.out: $(ALLOBJS) $(EXEOBJS)
-@@ -278,32 +281,6 @@ prepared:
- 	touch prepared
- 
- 
--CKVER=cryptokit-1.7
--CKDIR=$(CKVER)/src
--
--$(CKVER)/README.txt:
--	tar xmvfz $(CKVER).tar.gz
--	patch -p 0 < $(CKVER)-sks.patch
--	patch -p 0 < $(CKVER)-sks-custom_compare.patch
--
--$(CKDIR)/cryptokit.cma: $(CKVER)/README.txt
--	cd $(CKDIR) && $(MAKE) all
--
--$(CKDIR)/cryptokit.cmxa: $(CKVER)/README.txt
--	cd $(CKDIR) && $(MAKE) allopt
--
--lib/cryptokit.cma: $(CKDIR)/cryptokit.cma $(CKDIR)/cryptokit.cmxa prepared
--	cp $(CKDIR)/cryptokit.cmi $(CKDIR)/cryptokit.cma \
--	   $(CKDIR)/cryptokit.mli lib
--	cp $(CKDIR)/libcryptokit.a lib
--	if test -f $(CKDIR)/dllcryptokit.so; then \
--	   cp $(CKDIR)/dllcryptokit.so lib; fi
--	if test -f $(CKDIR)/cryptokit.cmxa; then \
--	   cp $(CKDIR)/cryptokit.cmxa $(CKDIR)/cryptokit.cmx \
--	   $(CKDIR)/cryptokit.a lib; fi
--
--lib/cryptokit.cmxa: lib/cryptokit.cma
--
- ################################
- # old stuff
- ################################
-@@ -402,7 +379,6 @@ clean: mlclean
- 
- cleanall: clean bdbclean
- 	rm -f lib/*
--	rm -rf $(CKVER)
- 
- distclean: cleanall
- 	rm -rf Makefile.local
diff -Nru sks-1.1.5/debian/patches/502_makefile_install.patch sks-1.1.5/debian/patches/502_makefile_install.patch
--- sks-1.1.5/debian/patches/502_makefile_install.patch	2016-05-07 00:13:34.000000000 +0000
+++ sks-1.1.5/debian/patches/502_makefile_install.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,43 +0,0 @@
-From: Christoph Martin <christoph.martin@uni-mainz.de>
-Date: Fri, 6 May 2016 14:55:01 -0400
-Subject: _makefile_install
-
----
- Makefile | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 226295f..76e968b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -136,14 +136,17 @@ keyMerge.cmx: keyMerge.ml
- # Special targets
- 
- install:
--	mkdir -p $(PREFIX)/bin
--	install sks_build.sh sks sks_add_mail $(PREFIX)/bin
-+	mkdir -p $(PREFIX)/sbin $(PREFIX)/lib/sks
-+	install sks $(PREFIX)/sbin
-+	install sks_build.sh sks_add_mail $(PREFIX)/lib/sks
- 	mkdir -p $(MANDIR)/man8
- 	install sks.8.gz $(MANDIR)/man8
- 
- install.bc:
--	mkdir -p $(PREFIX)/bin
--	install sks_build.bc sks.bc sks_add_mail.bc $(PREFIX)/bin
-+	mkdir -p $(PREFIX)/sbin $(PREFIX)/lib/sks
-+	install sks.bc $(PREFIX)/sbin/sks
-+	install sks_build.sh $(PREFIX)/lib/sks/
-+	install sks_add_mail.bc $(PREFIX)/lib/sks/sks_add_mail
- 	mkdir -p $(MANDIR)/man8
- 	install sks.8.gz $(MANDIR)/man8
- 
-@@ -159,7 +162,7 @@ src:
- # Ordinary targets
- 
- sks.8.gz: sks.8
--	gzip -f sks.8
-+	gzip -9 -f sks.8
- 
- sks.8: sks.pod
- 	pod2man -c "SKS OpenPGP Key server" --section 8 -r 0.1 -name sks sks.pod sks.8
diff -Nru sks-1.1.5/debian/patches/series sks-1.1.5/debian/patches/series
--- sks-1.1.5/debian/patches/series	2016-05-07 00:16:09.000000000 +0000
+++ sks-1.1.5/debian/patches/series	2016-05-11 19:27:06.000000000 +0000
@@ -1,11 +1,12 @@
-202_makefile_bytecode.patch
-500_debian_fhs.patch
-501_makefile_cflags.patch
-502_makefile_install.patch
-0006-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch
-0007-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch
-0008-Build.get_keys-make-it-tail-recursive.patch
-0009-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch
-0010-Avoid-deprecated-ocaml.patch
-0011-Avoid-sending-web-clients-to-third-party-resources.patch
-0011-Correct-invalid-md5sum-file.patch
+0001-use-debian-fhs.patch
+0002-use-system-cryptokit.patch
+0003-Add-support-for-EdDSA-key-using-Ed25519-signature-sc.patch
+0004-Keydb.add_keys-use-List.rev_map-instead-of-List.map-.patch
+0005-Build.get_keys-make-it-tail-recursive.patch
+0006-parsePGP.ml-Add-OID-for-Curve25519-encryption.patch
+0007-Avoid-deprecated-ocaml.patch
+0008-Avoid-sending-web-clients-to-third-party-resources.patch
+0009-Correct-invalid-md5sum-file.patch
+0010-make-ocextr-as-bytecode-rather-than-native.patch
+0011-pull-LDFLAGS-from-environment.patch
+0012-remove-YOURDOMAIN-from-sample-web-index.patch
diff -Nru sks-1.1.5/debian/README.Debian sks-1.1.5/debian/README.Debian
--- sks-1.1.5/debian/README.Debian	2016-05-06 21:39:55.000000000 +0000
+++ sks-1.1.5/debian/README.Debian	2016-05-11 18:49:15.000000000 +0000
@@ -1,33 +1,53 @@
-Some hints to setup your keyserver:
+If you've never set up the database before, we ship a simple script to
+walk you through the process of fetching a keydump, importing it, and
+enabling the service:
 
-If you install a new keyserver you might need a fresh keydump to start
-with. At the time of this writing you could get one from
+  su - debian-sks -c /usr/share/sks/sks-db-setup
 
-http://ftp.prato.linux.it/pub/keyring/dump-latest/
+If you want to connect your server to the global network of SKS
+keyservers (you probably do if you're running this daemon publicly),
+you should subscribe to the SKS mailing list <sks-devel@nongnu.org>
+(https://lists.nongnu.org/mailman/listinfo/sks-devel/) and ask for
+gossip partners.
 
-If you don't find one feel free to ask on the SKS mailing list.
+Include the partners in /etc/sks/membership; running daemons will
+notice automatically when that file changes.
 
-You can retrieve the keydump by executing following commands as the
-root user (or just su to debian-sks user)):
+  -----
 
- cd /var/lib/sks/dump
- su debian-sks -c "wget -q -r -np -nd -A pgp http://ftp.prato.linux.it/pub/keyring/dump-latest/ -e robots=off"
+What does the script do?
 
-To build the database from the keydumps call:
+It tries to fetch a full keydump from:
 
- su debian-sks -c "/usr/lib/sks/sks_build.sh"
+  https://pgp.key-server.io/sks-dump/
 
-To make the server start you have to edit the defaults file:
+or from the keydump location you pass to it -- if this one's not
+working for you, feel free to ask on the SKS mailing list.
 
- vi /etc/default/sks
+It puts the dumps in /var/lib/sks/dump, owned by the debian-sks user,
+and then (also as that user) runs /usr/lib/sks/sks_build.sh to import
+them.
 
-If you want to connect to the global sks-network, send a mail to
-pgp-keyserver-folk@flame.org or sks-devel@nongnu.org and ask for
-gossip partners. Include the partners in /etc/sks/membership.
+  ----
 
------
+But the daemons are still not running, even if the db is set up.
+Running the daemons under systemd is recommended.  To enable them (so
+that they will start at every boot):
 
-Thanks to Peter Palfrader <weasel@debian.org> for building the
-original Debian package.
+  systemctl enable sks.service
 
- -- Ondřej Surý <ondrej@debian.org>, Thu, 19 May 2011 11:55:48 +0200
+To start them up:
+
+  systemctl start sks.service
+
+If you're using the System V init system, you'll need to enable the
+daemons by editing /etc/default/sks, and start and stop them using the
+invoke-rc.d or service commands.
+
+  -----
+
+For recommended modes of public operation, please see:
+
+  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Wed, 11 May 2016 02:38:17 -0400
diff -Nru sks-1.1.5/debian/README.patches sks-1.1.5/debian/README.patches
--- sks-1.1.5/debian/README.patches	2016-05-06 21:39:55.000000000 +0000
+++ sks-1.1.5/debian/README.patches	1970-01-01 00:00:00.000000000 +0000
@@ -1,6 +0,0 @@
-000 -     stolen from HEAD
-100 - 199 patches that upstream accepted
-200 - 399 patches that should go upstream
-400 - 499 patches that upstream rejected, but that we want anyway
-500 - 899 debian specific patches
-900 - 999 security patches
diff -Nru sks-1.1.5/debian/rules sks-1.1.5/debian/rules
--- sks-1.1.5/debian/rules	2016-05-07 00:07:23.000000000 +0000
+++ sks-1.1.5/debian/rules	2016-05-12 06:24:16.000000000 +0000
@@ -4,7 +4,6 @@
 OCAMLABI = $(shell ocamlc -version)
 BYTECODE = $(shell [ -x /usr/bin/ocamlopt ] || echo yes)
 all      = $(if $(BYTECODE),all.bc,all)
-install  = $(if $(BYTECODE),install.bc,install)
 OCAMLRUN = $(if $(BYTECODE),ocaml-base-nox-$(OCAMLABI))
 
 export DEB_BUILD_OPTIONS += $(if $(BYTECODE)," nostrip",)
@@ -29,10 +28,10 @@
 	[ -n "$(BDB_VERSION)" ]
 	echo $(BDB_VERSION) > debian/berkeley_db.txt
 	dh_auto_build -v --  $(all)
+	$(if $(BYTECODE), $(foreach x, sks sks_add_mail, mv $(x).bc $(x);))
+	chmod a+x sks_build.sh
 
 override_dh_auto_install:
-#	dh_auto_install -v -- PREFIX="$(TMP)/usr" MANDIR="$(TMP)/usr/share/man" $(install)
-	$(MAKE) PREFIX="$(TMP)/usr" MANDIR="$(TMP)/usr/share/man" $(install)
 
 override_dh_gencontrol:
 	dh_gencontrol -- -Vbdb:Depends="db$(BDB_VERSION)-util"
diff -Nru sks-1.1.5/debian/sks-db-setup sks-1.1.5/debian/sks-db-setup
--- sks-1.1.5/debian/sks-db-setup	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/sks-db-setup	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+set -e
+
+dump_source="${1:-https://pgp.key-server.io/sks-dump/}"
+
+if [ "$(id -un)" != debian-sks ]; then
+    printf "SKS db setup script (%s) should only be run by debian-sks user\n" "$0" >&2
+    exit 1
+fi
+
+for dbloc in /var/lib/sks/DB /var/lib/sks/PTree; do
+    if [ -e "$dbloc" ]; then
+        printf "Database location %s is already present; you have probably already set up SKS.\nAborting $0\n" "$dbloc" "$0" >&2
+        exit 1
+    fi
+done
+
+if ls /var/lib/sks/dump/*.pgp 2>/dev/null >/dev/null; then
+    printf "It looks like a keydump has already been fetched, so we will skip that part.\nIf you want a fresh keydump, remove the following files and re-run %s\n" "$0" >&2
+    ls /var/lib/sks/dump/*.pgp >&2
+else
+    printf "Fetching keydump from %s to /var/lib/sks/dump...\n" "$dump_source"
+
+    (cd /var/lib/sks/dump &&
+            wget --quiet -recursive --no-parent --no-directories \
+                 --accept pgp --execute robots=off "$dump_source")
+fi
+/usr/lib/sks/sks_build.sh
+
+cat >&2 <<EOF
+The sks database is now configured but the daemons aren't yet running!
+
+If you're using systemd, you can start the daemons with:
+
+   systemctl start sks
+
+and you can enable them permanently (so that they start automatically
+at every boot) with:
+
+   systemctl enable sks
+
+If you're using SKS on the public Internet, please subscribe to the
+operators mailing list <sks-devel@nongnu.org>
+(https://lists.nongnu.org/mailman/listinfo/sks-devel/) and read the
+current advice on server configuration:
+
+  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
+
+EOF
diff -Nru sks-1.1.5/debian/sks-db-upgrade sks-1.1.5/debian/sks-db-upgrade
--- sks-1.1.5/debian/sks-db-upgrade	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/sks-db-upgrade	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+set -e
+
+if [ "$(id -un)" != debian-sks ]; then
+    printf "SKS db upgrade script (%s) should only be run by debian-sks user\n" "$0" >&2
+    exit 1
+fi
+
+# Read the active Berkeley DB version, fall back to 4.7 if not found
+if [ -r /var/lib/sks/berkeley_db.active ]; then
+    OLD_BDB=$(cat /var/lib/sks/berkeley_db.active)
+else
+    OLD_BDB=4.7
+fi
+
+# Read the compiled-in Berkeley DB version
+NEW_BDB=$(cat /usr/lib/sks/berkeley_db.txt)
+
+if [ "$OLD_BDB" != "$NEW_BDB" ]; then
+
+    # Upgrade Berkeley DB in place
+    BACKUP_DIR=/var/backups/sks/$(date +%Y%m%d-%H%M%S)
+    SKS_DIR=/var/lib/sks
+    mkdir -p "$BACKUP_DIR"
+
+    for DBHOME in DB PTree; do
+
+	# Don't run if the database directory doesn't exist
+	[ ! -d "${SKS_DIR}/${DBHOME}" ] && continue
+
+	# Create backup directory
+	mkdir -p "${BACKUP_DIR}/${DBHOME}"
+
+	if [ -x /usr/bin/db${OLD_BDB}_recover ]; then
+	    # Run recover with old tools
+	    "db${OLD_BDB}_recover" -h "${SKS_DIR}/${DBHOME}"
+	    # Backup needed log files
+	    LOG_FILES=$("db${OLD_BDB}_archive" -h "${SKS_DIR}/${DBHOME}" -l)
+	else
+	    # If we don't have the Berkeley DB tools then backup all log files
+	    LOG_FILES=$(cd "${SKS_DIR}/${DBHOME}"; ls -1 | grep -E "^log\." || true)
+	fi
+
+	# Backup log files
+	for log_file in ${LOG_FILES}; do
+	    cp -a "${SKS_DIR}/${DBHOME}/$log_file" "${BACKUP_DIR}/${DBHOME}/"
+	done
+
+        if [ -e "${SKS_DIR}/${DBHOME}/DB_CONFIG" ]; then
+            cp -a "${SKS_DIR}/${DBHOME}/DB_CONFIG" "${BACKUP_DIR}/${DBHOME}/"
+        fi
+
+	# Backup & upgrade database files
+	for db in $(cd "${SKS_DIR}/${DBHOME}"; ls -1 | grep -Ev "^(__|log\.|DB_CONFIG$)" || true); do
+	    # Backup database file
+	    cp "${SKS_DIR}/${DBHOME}/${db}" "${BACKUP_DIR}/${DBHOME}/"
+	    # Upgrade database file
+    	    "db${NEW_BDB}_upgrade" -h "${SKS_DIR}/${DBHOME}" "${SKS_DIR}/${DBHOME}/$db";
+	done
+        
+	# Set checkpoint and delete old logfiles
+	"db${NEW_BDB}_checkpoint" -h "${SKS_DIR}/${DBHOME}" -1
+	"db${NEW_BDB}_archive" -h "${SKS_DIR}/${DBHOME}" -d
+    done
+
+    # Note the active Berkeley DB version
+    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
+
+elif [ ! -e /var/lib/sks/berkeley_db.active ]; then
+    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
+fi
diff -Nru sks-1.1.5/debian/sks.install sks-1.1.5/debian/sks.install
--- sks-1.1.5/debian/sks.install	2016-05-07 00:07:17.000000000 +0000
+++ sks-1.1.5/debian/sks.install	2016-05-11 18:49:15.000000000 +0000
@@ -1,3 +1,11 @@
 debian/berkeley_db.txt usr/lib/sks
 debian/debcfg/* etc/sks
+debian/sks-db-setup usr/share/sks
+debian/sks-db-upgrade usr/share/sks
 debian/sks-recon.service lib/systemd/system
+sks usr/sbin
+sks_add_mail usr/lib/sks
+sks_build.sh usr/lib/sks
+sampleWeb/HTML5/index.html var/lib/sks/www
+sampleWeb/HTML5/robots.txt var/lib/sks/www
+sampleWeb/HTML5/README var/lib/sks/www
diff -Nru sks-1.1.5/debian/sks.manpages sks-1.1.5/debian/sks.manpages
--- sks-1.1.5/debian/sks.manpages	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/sks.manpages	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1 @@
+sks.8.gz
diff -Nru sks-1.1.5/debian/sks.postinst sks-1.1.5/debian/sks.postinst
--- sks-1.1.5/debian/sks.postinst	2016-05-06 21:39:55.000000000 +0000
+++ sks-1.1.5/debian/sks.postinst	2016-05-11 18:49:15.000000000 +0000
@@ -38,114 +38,26 @@
     debian-sks
 fi
 
-if [ "$2" = "" ]; then
-    # ch{owning,moding} things around
-    # note that sks creates files/dirs with 600/700
-    # permissions as default. so let's stick with it for the
-    # installation. We will do nothing across upgrades.
-    for i in lib log spool; do
-	chown -R debian-sks:debian-sks /var/$i/sks
-	chmod -R 700 /var/$i/sks
-	find /var/$i/sks -type f -exec chmod 600 '{}' ';'
-    done
-    chgrp -R adm /var/log/sks
-    chmod -R g+rX /var/log/sks
-    chmod    g+s  /var/log/sks
+if [ "$1" = "configure" ]; then
+    if [ "$2" = "" ]; then # This is a new install
+        # ensure the top-level directories that sks needs write access
+        # to are properly owned by debian-sks
+        for i in lib log spool; do
+	    chown debian-sks:debian-sks /var/$i/sks
+	    chmod 0700 /var/$i/sks
+        done
+        chgrp adm /var/log/sks
+        chmod g+rX /var/log/sks
+        chmod g+s /var/log/sks
+        
+        # Note the active Berkeley DB version
+        su debian-sks -c "cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active"
+    else
+        mkdir -m 0700 -p /var/backups/sks
+        chown debian-sks:debian-sks /var/backups/sks
+        chmod 0700 /var/backups/sks
 
-    # Note the active Berkeley DB version
-    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
-else
-    if [ "$1" = "configure" ]; then
-	# fix permissions of logs after 1.0.9-0.1
-	if dpkg --compare-versions "$2" lt "1.0.9-0.2" ; then
-	    chgrp -R adm /var/log/sks
-	    chmod -R g+rX /var/log/sks
-	    chmod    g+s  /var/log/sks
-	fi
-	# 1.0.10 renamed log files from /var/log/sks/sks.foo.log to /var/log/sks/foo.log,
-	# so be nice and rename things for the admin.
-	if dpkg --compare-versions "$2" lt "1.0.10" ; then
-	    for i in `ls -1 /var/log/sks/`; do
-		if echo "$i" | grep -q '^sks\.'; then
-		    mv /var/log/sks/"$i" /var/log/sks/`echo "$i" | sed -e 's/^sks.//'`
-		fi
-	    done
-	fi
-
-	# Read the active Berkeley DB version, fall back to 4.7 if not found
-	if [ -r /var/lib/sks/berkeley_db.active ]; then
-	    OLD_BDB=$(cat /var/lib/sks/berkeley_db.active)
-	else
-	    if dpkg --compare-versions "$2" lt "1.1.1+dpkgv3-1"; then
-		OLD_BDB=4.6
-	    elif dpkg --compare-versions "$2" lt "1.1.1+dpkgv3-6.1"; then
-		OLD_BDB=4.7
-	    else
-		OLD_BDB=4.7
-	    fi
-	fi
-
-	# Read the compiled-in Berkeley DB version
-	NEW_BDB=$(cat /usr/lib/sks/berkeley_db.txt)
-
-	if [ "$OLD_BDB" != "$NEW_BDB" ]; then
-
-	# Upgrade Berkeley DB in place
-	BACKUP_DIR=/var/backups/sks/$(date +%Y%m%d-%H%M%S)
-	SKS_DIR=/var/lib/sks
-	mkdir -p $BACKUP_DIR
-	chown debian-sks:debian-sks ${BACKUP_DIR}
-
-	for DBHOME in DB PTree; do
-
-	    # Don't run if the database directory doesn't exist
-	    [ ! -d ${SKS_DIR}/${DBHOME} ] && continue
-
-	    # Create backup directory
-	    mkdir -p ${BACKUP_DIR}/${DBHOME}
-	    chown debian-sks:debian-sks ${BACKUP_DIR}/${DBHOME}
-
-	    # Make sure we own the files
-	    chown debian-sks:debian-sks -R ${SKS_DIR}/${DBHOME}
-
-	    if [ -x /usr/bin/db${OLD_BDB}_recover ]; then
-	        # Run recover with old tools
-		su debian-sks -c "db${OLD_BDB}_recover -h ${SKS_DIR}/${DBHOME}"
-	        # Backup needed log files
-		LOG_FILES=$(su debian-sks -c "db${OLD_BDB}_archive -h ${SKS_DIR}/${DBHOME} -l")
-	    else
-		# If we don't have the Berkeley DB tools then backup all log files
-		LOG_FILES=$(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -E "^log\.")
-	    fi
-
-	    # Backup log files
-	    for log_file in ${LOG_FILES}; do
-		cp -a ${SKS_DIR}/${DBHOME}/$log_file ${BACKUP_DIR}/${DBHOME}/
-	    done
-
-            if [ -e "${SKS_DIR}/${DBHOME}/DB_CONFIG" ]; then
-                cp -a ${SKS_DIR}/${DBHOME}/DB_CONFIG ${BACKUP_DIR}/${DBHOME}/
-            fi
-
-	    # Backup & upgrade database files
-	    for db in $(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -Ev "^(__|log\.|DB_CONFIG$)"); do
-		# Backup database file
-		su debian-sks -c "cp ${SKS_DIR}/${DBHOME}/${db} ${BACKUP_DIR}/${DBHOME}/"
-		# Upgrade database file
-    		su debian-sks -c "db${NEW_BDB}_upgrade -h ${SKS_DIR}/${DBHOME} ${SKS_DIR}/${DBHOME}/$db";
-	    done
-    
-	    # Set checkpoint and delete old logfiles
-	    su debian-sks -c "db${NEW_BDB}_checkpoint -h ${SKS_DIR}/${DBHOME} -1"
-	    su debian-sks -c "db${NEW_BDB}_archive -h ${SKS_DIR}/${DBHOME} -d"
-	done
-
-	# Note the active Berkeley DB version
-	cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
-
-	elif [ ! -e /var/lib/sks/berkeley_db.active ]; then
-	    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
-	fi
+        su debian-sks -c /usr/share/sks/sks-db-upgrade
     fi
 fi
 
diff -Nru sks-1.1.5/debian/sks.postrm sks-1.1.5/debian/sks.postrm
--- sks-1.1.5/debian/sks.postrm	2016-05-06 21:39:55.000000000 +0000
+++ sks-1.1.5/debian/sks.postrm	2016-05-11 18:49:15.000000000 +0000
@@ -4,6 +4,13 @@
     # logs, db and backup have to be removed according to policy.
     rm -rf /var/log/sks /var/lib/sks /var/backup/sks /var/backups/sks
     [ -d /var/backup ] && rmdir --ignore-fail-on-non-empty /var/backup
+
+    # see https://wiki.debian.org/AccountHandlingInMaintainerScripts
+    if [ -x "$(command -v deluser)" ]; then
+        deluser --quiet --system debian-sks > /dev/null || true
+    else
+        echo >&2 "not removing debian-sks system account because deluser command was not found"
+    fi
 fi
 
 #DEBHELPER#
diff -Nru sks-1.1.5/debian/sks-recon.service sks-1.1.5/debian/sks-recon.service
--- sks-1.1.5/debian/sks-recon.service	2016-05-07 00:07:17.000000000 +0000
+++ sks-1.1.5/debian/sks-recon.service	2016-05-11 18:49:15.000000000 +0000
@@ -1,12 +1,13 @@
 [Unit]
 Description=SKS reconciliation service
-BindTo=sks.service
+BindsTo=sks.service
 After=sks.service
 
 [Service]
 Type=simple
 ExecStart=/usr/sbin/sks -stdoutlog recon
 User=debian-sks
+WorkingDirectory=/var/lib/sks
 
 [Install]
 WantedBy=multi-user.target
diff -Nru sks-1.1.5/debian/sks.service sks-1.1.5/debian/sks.service
--- sks-1.1.5/debian/sks.service	2016-05-07 00:07:17.000000000 +0000
+++ sks-1.1.5/debian/sks.service	2016-05-11 18:49:15.000000000 +0000
@@ -2,11 +2,15 @@
 Description=SKS database service
 Wants=sks-recon.service
 Before=sks-recon.service
+After=local-fs.target network.target 
 
 [Service]
 Type=simple
 ExecStart=/usr/sbin/sks -stdoutlog db
 User=debian-sks
+RuntimeDirectory=sks
+RuntimeDirectoryMode=700
+WorkingDirectory=/var/lib/sks
 
 [Install]
 WantedBy=multi-user.target
diff -Nru sks-1.1.5/debian/TODO sks-1.1.5/debian/TODO
--- sks-1.1.5/debian/TODO	1970-01-01 00:00:00.000000000 +0000
+++ sks-1.1.5/debian/TODO	2016-05-11 18:49:15.000000000 +0000
@@ -0,0 +1,43 @@
+Debian packaging work needed for sks
+------------------------------------
+
+ * rethink /var/lib/sks/www/* -- people like to customize these files.
+   is this the best place to ship these, or to serve from?  They get
+   overwritten upon upgrade, which might mean we're encouraging admins
+   to lose some of their work.  configfiles?  symlinks?  something else?
+
+ * try to get as many of our patches upstream as possible
+
+ * rethink our debian FHS support patches -- can this be done in a
+   less-invasive fashion?  Why hard-code things?  It should be
+   possible to run multiple sks instances on a single host.
+
+ * trim the default sks configs so there is less for an admin to read
+   through.
+
+ * improve the documentation of sks for configuration purposes;
+   DB_CONFIG? relationship between sks commandline args and config
+   file?  (this might be upstream work)
+
+ * move sks to /usr/bin ; there is precedent for daemons in /usr/bin,
+   the daemon doesn't run as the superuser, and it's possible for
+   normal users to run sks.
+
+ * update sks to allow socket activation
+
+ * find someone who might want to maintain the sysv initscripts --
+   maybe move them to a separate binary package for those who want to
+   use sysvinit?
+
+ * make a standard public-facing setup easy to produce (reverse proxy,
+   hkps, tor, automated setup, etc)
+
+ * improve database management and backup management -- automated
+   reasoning about available space, reporting about processing time,
+   etc.
+
+ * reconsider regular stat generation -- systemd timers?  cronjobs? or
+   just encourage reliance on sks itself to update stats regularly?
+
+ * detect sks hanging or database deadlock?  figure out how to recover
+   from it (or even better: prevent it)