From: Michael Vogt <mvo@debian.org>
Date: Mon, 9 Dec 2013 10:21:14 +0000 (+0100)
Subject: Merge remote-tracking branch 'origin/feature/deb-src-bts731102' into feature/source... 
X-Git-Tag: 0.9.14.3.exp1~2^2~6
X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/f31d34ee967cb1637c0efeb408c76a2c26bbdc07?hp=55e3b9e3ddc2a59df06e22be4efff7f72406d4ec

Merge remote-tracking branch 'origin/feature/deb-src-bts731102' into feature/source-deb822
---

diff --git a/.gitignore b/.gitignore
index 3e07e241b..321b15471 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,12 @@
 /debian/apt-transport-https/
 
 # generated from *.in files
+/cmdline/apt-key
+/doc/apt-vendor.ent
 /doc/examples/sources.list
 /debian/libapt-pkg*.install
 /debian/libapt-inst*.install
 /debian/libapt-pkg-dev.install
+/vendor/current
+/vendor/debian/sources.list
+/vendor/ubuntu/sources.list
diff --git a/Makefile b/Makefile
index fb843983c..394149bf1 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,7 @@ default: startup all
 
 .PHONY: headers library clean veryclean all binary program doc test update-po
 all headers library clean veryclean binary program doc manpages debiandoc test update-po startup dirs:
+	$(MAKE) -C vendor $@
 	$(MAKE) -C apt-pkg $@
 	$(MAKE) -C apt-inst $@
 	$(MAKE) -C apt-private $@
@@ -20,7 +21,7 @@ all headers library clean veryclean binary program doc manpages debiandoc test u
 	$(MAKE) -C dselect $@
 	$(MAKE) -C doc $@
 	$(MAKE) -C po $@
-	$(MAKE) -C test $@ 
+	$(MAKE) -C test $@
 
 all headers library clean veryclean binary program doc manpages debiandoc test update-po: startup dirs
 
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 3a6bdfe2e..7fbe4d604 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -1545,6 +1545,9 @@ bool FileFd::Skip(unsigned long long Over)
 /* */
 bool FileFd::Truncate(unsigned long long To)
 {
+   // truncating /dev/null is always successful - as we get an error otherwise
+   if (To == 0 && FileName == "/dev/null")
+      return true;
 #if defined HAVE_ZLIB || defined HAVE_BZ2
    if (d != NULL && (d->gz != NULL || d->bz2 != NULL))
       return FileFdError("Truncating compressed files is not implemented (%s)", FileName.c_str());
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index 14333c3e7..b4bfd1400 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -1622,18 +1622,49 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg)
    }
 
    // do not report out-of-memory failures 
-   if(strstr(errormsg, strerror(ENOMEM)) != NULL) {
+   if(strstr(errormsg, strerror(ENOMEM)) != NULL ||
+      strstr(errormsg, "failed to allocate memory") != NULL) {
       std::clog << _("No apport report written because the error message indicates a out of memory error") << std::endl;
       return;
    }
 
-   // do not report dpkg I/O errors
-   // XXX - this message is localized, but this only matches the English version.  This is better than nothing.
-   if(strstr(errormsg, "short read in buffer_copy (")) {
-      std::clog << _("No apport report written because the error message indicates a dpkg I/O error") << std::endl;
+   // do not report bugs regarding inaccessible local files
+   if(strstr(errormsg, strerror(ENOENT)) != NULL ||
+      strstr(errormsg, "cannot access archive") != NULL) {
+      std::clog << _("No apport report written because the error message indicates an issue on the local system") << std::endl;
       return;
    }
 
+   // do not report errors encountered when decompressing packages
+   if(strstr(errormsg, "--fsys-tarfile returned error exit status 2") != NULL) {
+      std::clog << _("No apport report written because the error message indicates an issue on the local system") << std::endl;
+      return;
+   }
+
+   // do not report dpkg I/O errors, this is a format string, so we compare
+   // the prefix and the suffix of the error with the dpkg error message
+   vector<string> io_errors;
+   io_errors.push_back(string("failed to read on buffer copy for %s"));
+   io_errors.push_back(string("failed in write on buffer copy for %s"));
+   io_errors.push_back(string("short read on buffer copy for %s"));
+
+   for (vector<string>::iterator I = io_errors.begin(); I != io_errors.end(); I++)
+   {
+      vector<string> list = VectorizeString(dgettext("dpkg", (*I).c_str()), '%');
+      if (list.size() > 1) {
+         // we need to split %s, VectorizeString only allows char so we need
+         // to kill the "s" manually
+         if (list[1].size() > 1) {
+            list[1].erase(0, 1);
+            if(strstr(errormsg, list[0].c_str()) && 
+               strstr(errormsg, list[1].c_str())) {
+               std::clog << _("No apport report written because the error message indicates a dpkg I/O error") << std::endl;
+               return;
+            }
+         }
+      }
+   }
+
    // get the pkgname and reportfile
    pkgname = flNotDir(pkgpath);
    pos = pkgname.find('_');
@@ -1721,6 +1752,24 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg)
       if(log != NULL)
       {
 	 char buf[1024];
+	 while( fgets(buf, sizeof(buf), log) != NULL)
+	    fprintf(report, " %s", buf);
+         fprintf(report, " \n");
+	 fclose(log);
+      }
+   }
+
+   // attach history log it if we have it
+   string histfile_name = _config->FindFile("Dir::Log::History");
+   if (!histfile_name.empty())
+   {
+      FILE *log = NULL;
+      char buf[1024];
+
+      fprintf(report, "DpkgHistoryLog:\n");
+      log = fopen(histfile_name.c_str(),"r");
+      if(log != NULL)
+      {
 	 while( fgets(buf, sizeof(buf), log) != NULL)
 	    fprintf(report, " %s", buf);
 	 fclose(log);
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index 76278921f..81b601a7f 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -44,16 +44,8 @@ bool pkgInitConfig(Configuration &Cnf)
    Cnf.CndSet("APT::Install-Suggests", false);
    Cnf.CndSet("Dir","/");
    
-   // State   
+   // State
    Cnf.CndSet("Dir::State","var/lib/apt/");
-   
-   /* Just in case something goes horribly wrong, we can fall back to the
-      old /var/state paths.. */
-   struct stat St;   
-   if (stat("/var/lib/apt/.",&St) != 0 &&
-       stat("/var/state/apt/.",&St) == 0)
-      Cnf.CndSet("Dir::State","var/state/apt/");
-       
    Cnf.CndSet("Dir::State::lists","lists/");
    Cnf.CndSet("Dir::State::cdroms","cdroms.list");
    Cnf.CndSet("Dir::State::mirrors","mirrors/");
diff --git a/apt-pkg/sourcelist.cc b/apt-pkg/sourcelist.cc
index 0fd237cad..99cdbe030 100644
--- a/apt-pkg/sourcelist.cc
+++ b/apt-pkg/sourcelist.cc
@@ -17,6 +17,7 @@
 #include <apt-pkg/configuration.h>
 #include <apt-pkg/metaindex.h>
 #include <apt-pkg/indexfile.h>
+#include <apt-pkg/tagfile.h>
 
 #include <fstream>
 
@@ -159,7 +160,6 @@ bool pkgSourceList::Type::ParseLine(vector<metaIndex *> &List,
    return true;
 }
 									/*}}}*/
-
 // SourceList::pkgSourceList - Constructors				/*{{{*/
 // ---------------------------------------------------------------------
 /* */
@@ -181,7 +181,6 @@ pkgSourceList::~pkgSourceList()
       delete *I;
 }
 									/*}}}*/
-									/*}}}*/
 // SourceList::ReadMainList - Read the main source list from etc	/*{{{*/
 // ---------------------------------------------------------------------
 /* */
@@ -216,7 +215,6 @@ bool pkgSourceList::ReadMainList()
    return Res;
 }
 									/*}}}*/
-// CNC:2003-03-03 - Needed to preserve backwards compatibility.
 // SourceList::Reset - Clear the sourcelist contents			/*{{{*/
 // ---------------------------------------------------------------------
 /* */
@@ -227,7 +225,6 @@ void pkgSourceList::Reset()
    SrcList.erase(SrcList.begin(),SrcList.end());
 }
 									/*}}}*/
-// CNC:2003-03-03 - Function moved to ReadAppend() and Reset().
 // SourceList::Read - Parse the sourcelist file				/*{{{*/
 // ---------------------------------------------------------------------
 /* */
@@ -241,17 +238,23 @@ bool pkgSourceList::Read(string File)
 // ---------------------------------------------------------------------
 /* */
 bool pkgSourceList::ReadAppend(string File)
+{
+   if (_config->FindB("APT::Sources::Use-Deb822", true) == true)
+      if (ParseFileDeb822(File))
+         return true;
+   return ParseFileOldStyle(File);
+}
+
+// SourceList::ReadFileOldStyle - Read Traditional style sources.list 	/*{{{*/
+// ---------------------------------------------------------------------
+/* */
+bool pkgSourceList::ParseFileOldStyle(string File)
 {
    // Open the stream for reading
    ifstream F(File.c_str(),ios::in /*| ios::nocreate*/);
    if (!F != 0)
       return _error->Errno("ifstream::ifstream",_("Opening %s"),File.c_str());
-   
-#if 0 // Now Reset() does this.
-   for (const_iterator I = SrcList.begin(); I != SrcList.end(); I++)
-      delete *I;
-   SrcList.erase(SrcList.begin(),SrcList.end());
-#endif
+
    // CNC:2003-12-10 - 300 is too short.
    char Buffer[1024];
 
@@ -298,6 +301,73 @@ bool pkgSourceList::ReadAppend(string File)
    return true;
 }
 									/*}}}*/
+// SourceList::ParseFileDeb822 - Parse deb822 style sources.list 	/*{{{*/
+// ---------------------------------------------------------------------
+/* */
+bool pkgSourceList::ParseFileDeb822(string File)
+{
+
+   pkgTagSection Tags;
+   map<string, string> Options;
+   unsigned int i=0;
+
+   // see if we can read the file
+   _error->PushToStack();
+   FileFd Fd(File, FileFd::ReadOnly);
+   pkgTagFile Sources(&Fd);
+   if (_error->PendingError() == true)
+   {
+      _error->RevertToStack();
+      return false;
+   }
+   _error->MergeWithStack();
+   
+   // read step by step
+   while (Sources.Step(Tags) == true)
+   {
+      if(!Tags.Exists("Type")) 
+         continue;
+
+      string const type = Tags.FindS("Type");
+      Type *Parse = Type::GetType(type.c_str());
+      if (Parse == 0)
+         return _error->Error(_("Type '%s' is not known on stanza %u in source list %s"),type.c_str(),i,Fd.Name().c_str());
+         
+      string URI = Tags.FindS("URL");
+      if (!Parse->FixupURI(URI))
+         return _error->Error(_("Malformed stanza %u in source list %s (URI parse)"),i,Fd.Name().c_str());
+
+      string Dist = Tags.FindS("Dist");
+      Dist = SubstVar(Dist,"$(ARCH)",_config->Find("APT::Architecture"));
+
+      // check if there are any options we support
+      const char* option_str[] = { 
+         "arch", "arch+", "arch-", "trusted" };
+      for (unsigned int j=0; j < sizeof(option_str)/sizeof(char*); j++)
+         if (Tags.Exists(option_str[j]))
+            Options[option_str[j]] = Tags.FindS(option_str[j]);
+
+      // now create one item per section
+      string const Section = Tags.FindS("Section");
+      std::vector<std::string> list;
+      if (Section.find(","))
+         list = StringSplit(Section, ",");
+      else
+         list = StringSplit(Section, " ");
+      for (std::vector<std::string>::const_iterator I = list.begin();
+           I != list.end(); I++)
+         Parse->CreateItem(SrcList, URI, Dist, (*I), Options);
+
+      i++;
+   }
+
+   // we are done
+   if(i>0)
+      return true;
+
+   return false;
+}
+									/*}}}*/
 // SourceList::FindIndex - Get the index associated with a file		/*{{{*/
 // ---------------------------------------------------------------------
 /* */
diff --git a/apt-pkg/sourcelist.h b/apt-pkg/sourcelist.h
index 02e27101a..5e0d585bb 100644
--- a/apt-pkg/sourcelist.h
+++ b/apt-pkg/sourcelist.h
@@ -75,7 +75,10 @@ class pkgSourceList
    protected:
 
    std::vector<metaIndex *> SrcList;
-   
+
+   bool ParseFileDeb822(std::string File);
+   bool ParseFileOldStyle(std::string File);
+
    public:
 
    bool ReadMainList();
diff --git a/buildlib/po4a_manpage.mak b/buildlib/po4a_manpage.mak
index 1e778cf11..b3d586b2f 100644
--- a/buildlib/po4a_manpage.mak
+++ b/buildlib/po4a_manpage.mak
@@ -11,7 +11,7 @@
 
 # generate a list of accepted man page translations
 SOURCE = $(patsubst %.xml,%,$(wildcard *.$(LC).?.xml))
-INCLUDES = apt.ent apt-verbatim.ent
+INCLUDES = apt.ent apt-verbatim.ent apt-vendor.ent
 
 manpages:
 
@@ -29,7 +29,10 @@ clean: clean/$(LOCAL)
 veryclean: veryclean/$(LOCAL)
 
 apt-verbatim.ent: ../apt-verbatim.ent
-	cp ../apt-verbatim.ent .
+	cp -a ../apt-verbatim.ent .
+
+apt-vendor.ent: ../apt-vendor.ent
+	cp -a ../apt-vendor.ent .
 
 manpage-style.xsl: ../manpage-style.xsl
 	sed "/<!-- LANGUAGE -->/ i\
diff --git a/cmdline/apt-key b/cmdline/apt-key
deleted file mode 100755
index 713a41c07..000000000
--- a/cmdline/apt-key
+++ /dev/null
@@ -1,336 +0,0 @@
-#!/bin/sh
-
-set -e
-unset GREP_OPTIONS
-
-GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
-
-# gpg needs a trustdb to function, but it can't be invalid (not even empty)
-# so we create a temporary directory to store our fresh readable trustdb in
-TRUSTDBDIR="$(mktemp -d)"
-CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
-trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-chmod 700 "$TRUSTDBDIR"
-# We also don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available - and writeable for imports
-SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
-touch $SECRETKEYRING
-GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
-GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
-
-# now create the trustdb with an (empty) dummy keyring
-$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
-# and make sure that gpg isn't trying to update the file
-GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
-
-GPG="$GPG_CMD"
-
-MASTER_KEYRING=""
-#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
-eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
-ARCHIVE_KEYRING_URI=""
-#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
-eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
-
-ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
-eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
-REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
-eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
-
-requires_root() {
-	if [ "$(id -u)" -ne 0 ]; then
-		echo >&1 "ERROR: This command can only be used by root."
-		exit 1
-	fi
-}
-
-# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
-init_keyring() {
-    for path; do
-        if ! [ -e "$path" ]; then
-            touch -- "$path"
-            chmod 0644 -- "$path"
-        fi
-    done
-}
-
-add_keys_with_verify_against_master_keyring() {
-    ADD_KEYRING=$1
-    MASTER=$2
-    
-    if [ ! -f "$ADD_KEYRING" ]; then
-	echo "ERROR: '$ADD_KEYRING' not found"
-	return
-    fi 
-    if [ ! -f "$MASTER" ]; then
-	echo "ERROR: '$MASTER' not found"
-	return
-    fi
-
-    # when adding new keys, make sure that the archive-master-keyring
-    # is honored. so:
-    #   all keys that are exported must have a valid signature
-    #   from a key in the $distro-master-keyring
-    add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
-    master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
-    for add_key in $add_keys; do
-	ADDED=0
-	for master_key in $master_keys; do
-	    if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
-		$GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
-		ADDED=1
-	    fi
-	done
-	if [ $ADDED = 0 ]; then
-	    echo >&2 "Key '$add_key' not added. It is not signed with a master key"
-	fi
-    done
-}
-
-# update the current archive signing keyring from a network URI
-# the archive-keyring keys needs to be signed with the master key
-# (otherwise it does not make sense from a security POV)
-net_update() {
-    if [ -z "$ARCHIVE_KEYRING_URI" ]; then
-	echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
-	exit 1
-    fi
-    requires_root
-    # in theory we would need to depend on wget for this, but this feature
-    # isn't useable in debian anyway as we have no keyring uri nor a master key
-    if ! which wget >/dev/null 2>&1; then
-	echo >&2 "ERROR: an installed wget is required for a network-based update"
-	exit 1
-    fi
-    if [ ! -d /var/lib/apt/keyrings ]; then
-	mkdir -p /var/lib/apt/keyrings
-    fi
-    keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
-    old_mtime=0
-    if [ -e $keyring ]; then
-	old_mtime=$(stat -c %Y $keyring)
-    fi
-    (cd  /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
-    if [ ! -e $keyring ]; then
-	return
-    fi
-    new_mtime=$(stat -c %Y $keyring)
-    if [ $new_mtime -ne $old_mtime ]; then
-	echo "Checking for new archive signing keys now"
-	add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
-    fi
-}
-
-update() {
-    if [ ! -f $ARCHIVE_KEYRING ]; then
-	echo >&2 "ERROR: Can't find the archive-keyring"
-	echo >&2 "Is the debian-archive-keyring package installed?"
-	exit 1
-    fi
-    requires_root
-
-    # add new keys from the package;
-
-    # we do not use add_keys_with_verify_against_master_keyring here,
-    # because "update" is run on regular package updates.  A
-    # attacker might as well replace the master-archive-keyring file
-    # in the package and add his own keys. so this check wouldn't
-    # add any security. we *need* this check on net-update though
-    $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
-
-    if [ -r "$REMOVED_KEYS" ]; then
-	# remove no-longer supported/used keys
-	keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
-	for key in $keys; do
-	    if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
-		$GPG --quiet --batch --delete-key --yes ${key}
-	    fi
-	done
-    else
-	echo "Warning: removed keys keyring  $REMOVED_KEYS missing or not readable" >&2
-    fi
-}
-
-remove_key_from_keyring() {
-    local GPG="$GPG_CMD --keyring $1"
-    # check if the key is in this keyring: the key id is in the 5 column at the end
-    if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then
-	return
-    fi
-    if [ ! -w "$1" ]; then
-	echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only."
-	return
-    fi
-    # check if it is the only key in the keyring and if so remove the keyring alltogether
-    if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then
-	mv -f "$1" "${1}~" # behave like gpg
-	return
-    fi
-    # we can't just modify pointed to files as these might be in /usr or something
-    local REALTARGET
-    if [ -L "$1" ]; then
-	REALTARGET="$(readlink -f "$1")"
-	mv -f "$1" "${1}.dpkg-tmp"
-	cp -a "$REALTARGET" "$1"
-	ls "$(dirname $1)"
-    fi
-    # delete the key from the keyring
-    $GPG --batch --delete-key --yes "$2"
-    if [ -n "$REALTARGET" ]; then
-	# the real backup is the old link, not the copy we made
-	mv -f "${1}.dpkg-tmp" "${1}~"
-    fi
-}
-
-remove_key() {
-    requires_root
-
-    # if a --keyring was given, just remove from there
-    if [ -n "$FORCED_KEYRING" ]; then
-	remove_key_from_keyring "$FORCED_KEYRING" "$1"
-    else
-	# otherwise all known keyrings are up for inspection
-	local TRUSTEDFILE="/etc/apt/trusted.gpg"
-	eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
-	eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
-	remove_key_from_keyring "$TRUSTEDFILE" "$1"
-	TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
-	eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
-	if [ -d "$TRUSTEDPARTS" ]; then
-	    for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
-		remove_key_from_keyring "$trusted" "$1"
-	    done
-	fi
-    fi
-    echo "OK"
-}
-
-
-usage() {
-    echo "Usage: apt-key [--keyring file] [command] [arguments]"
-    echo
-    echo "Manage apt's list of trusted keys"
-    echo
-    echo "  apt-key add <file>          - add the key contained in <file> ('-' for stdin)"
-    echo "  apt-key del <keyid>         - remove the key <keyid>"
-    echo "  apt-key export <keyid>      - output the key <keyid>"
-    echo "  apt-key exportall           - output all trusted keys"
-    echo "  apt-key update              - update keys using the keyring package"
-    echo "  apt-key net-update          - update keys using the network"
-    echo "  apt-key list                - list keys"
-    echo "  apt-key finger              - list fingerprints"
-    echo "  apt-key adv                 - pass advanced options to gpg (download key)"
-    echo
-    echo "If no specific keyring file is given the command applies to all keyring files."
-}
-
-while [ -n "$1" ]; do
-   case "$1" in
-      --keyring)
-	 shift
-	 TRUSTEDFILE="$1"
-	 FORCED_KEYRING="$1"
-	 if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then
-	    GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
-	 else
-	    echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
-	    exit 1
-	 fi
-	 shift
-	 ;;
-      --fakeroot)
-	 requires_root() { true; }
-	 shift
-	 ;;
-      --*)
-	 echo >&2 "Unknown option: $1"
-	 usage
-	 exit 1;;
-      *)
-	 break;;
-   esac
-done
-
-if [ -z "$TRUSTEDFILE" ]; then
-   TRUSTEDFILE="/etc/apt/trusted.gpg"
-   eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
-   eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
-   if [ -r "$TRUSTEDFILE" ]; then
-      GPG="$GPG --keyring $TRUSTEDFILE"
-   fi
-   GPG="$GPG --primary-keyring $TRUSTEDFILE"
-   TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
-   eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
-   if [ -d "$TRUSTEDPARTS" ]; then
-      # strip / suffix as gpg will double-slash in that case (#665411)
-      STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
-      if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
-	 TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
-      fi
-      for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
-	 GPG="$GPG --keyring $trusted"
-      done
-   fi
-fi
-
-command="$1"
-if [ -z "$command" ]; then
-    usage
-    exit 1
-fi
-shift
-
-if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
-    echo >&2 "Warning: gnupg does not seem to be installed."
-    echo >&2 "Warning: apt-key requires gnupg for most operations."
-    echo >&2
-fi
-
-case "$command" in
-    add)
-        requires_root
-        init_keyring "$TRUSTEDFILE"
-        $GPG --quiet --batch --import "$1"
-        echo "OK"
-        ;;
-    del|rm|remove)
-        init_keyring "$TRUSTEDFILE"
-	remove_key "$1"
-        ;;
-    update)
-        init_keyring "$TRUSTEDFILE"
-	update
-	;;
-    net-update)
-        init_keyring "$TRUSTEDFILE"
-	net_update
-	;;
-    list)
-        init_keyring "$TRUSTEDFILE"
-        $GPG --batch --list-keys
-        ;;
-    finger*)
-        init_keyring "$TRUSTEDFILE"
-        $GPG --batch --fingerprint
-        ;;
-    export)
-        init_keyring "$TRUSTEDFILE"
-        $GPG --armor --export "$1"
-        ;;
-    exportall)
-        init_keyring "$TRUSTEDFILE"
-        $GPG --armor --export
-        ;;
-    adv*)
-        init_keyring "$TRUSTEDFILE"
-        echo "Executing: $GPG $*"
-        $GPG $*
-        ;;
-    help)
-        usage
-        ;;
-    *)
-        usage
-        exit 1
-        ;;
-esac
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
new file mode 100644
index 000000000..779872b4c
--- /dev/null
+++ b/cmdline/apt-key.in
@@ -0,0 +1,354 @@
+#!/bin/sh
+
+set -e
+unset GREP_OPTIONS
+
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
+
+# gpg needs a trustdb to function, but it can't be invalid (not even empty)
+# so we create a temporary directory to store our fresh readable trustdb in
+TRUSTDBDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+chmod 700 "$TRUSTDBDIR"
+# We also don't use a secret keyring, of course, but gpg panics and
+# implodes if there isn't one available - and writeable for imports
+SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+touch $SECRETKEYRING
+GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
+GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+
+# now create the trustdb with an (empty) dummy keyring
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
+# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
+
+GPG="$GPG_CMD"
+
+MASTER_KEYRING='&keyring-master-filename;'
+eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
+ARCHIVE_KEYRING='&keyring-filename;'
+eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
+REMOVED_KEYS='&keyring-removed-filename;'
+eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
+ARCHIVE_KEYRING_URI='&keyring-uri;'
+eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
+TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg
+
+requires_root() {
+	if [ "$(id -u)" -ne 0 ]; then
+		echo >&1 "ERROR: This command can only be used by root."
+		exit 1
+	fi
+}
+
+# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
+init_keyring() {
+    for path; do
+        if ! [ -e "$path" ]; then
+            touch -- "$path"
+            chmod 0644 -- "$path"
+        fi
+    done
+}
+
+add_keys_with_verify_against_master_keyring() {
+    ADD_KEYRING=$1
+    MASTER=$2
+
+    if [ ! -f "$ADD_KEYRING" ]; then
+	echo "ERROR: '$ADD_KEYRING' not found"
+	return
+    fi 
+    if [ ! -f "$MASTER" ]; then
+	echo "ERROR: '$MASTER' not found"
+	return
+    fi
+
+    # when adding new keys, make sure that the archive-master-keyring
+    # is honored. so:
+    #   all keys that are exported must have a valid signature
+    #   from a key in the $distro-master-keyring
+    add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
+    master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+
+    # ensure there are no colisions LP: #857472
+    for all_add_key in $all_add_keys; do
+	for master_key in $master_keys; do
+            if [ "$all_add_key" = "$master_key" ]; then
+                echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
+                return 1
+            fi
+        done
+    done
+    
+    for add_key in $add_keys; do
+        # export the add keyring one-by-one
+        rm -f $TMP_KEYRING
+        $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key 
+        # check if signed with the master key and only add in this case
+        ADDED=0
+	for master_key in $master_keys; do
+	    if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
+		$GPG --import $TMP_KEYRING
+		ADDED=1
+	    fi
+	done
+	if [ $ADDED = 0 ]; then
+	    echo >&2 "Key '$add_key' not added. It is not signed with a master key"
+	fi
+    done
+    rm -f $TMP_KEYRING
+}
+
+# update the current archive signing keyring from a network URI
+# the archive-keyring keys needs to be signed with the master key
+# (otherwise it does not make sense from a security POV)
+net_update() {
+    # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
+    exit 1
+
+    if [ -z "$ARCHIVE_KEYRING_URI" ]; then
+	echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
+	exit 1
+    fi
+    requires_root
+    # in theory we would need to depend on wget for this, but this feature
+    # isn't useable in debian anyway as we have no keyring uri nor a master key
+    if ! which wget >/dev/null 2>&1; then
+	echo >&2 "ERROR: an installed wget is required for a network-based update"
+	exit 1
+    fi
+    if [ ! -d /var/lib/apt/keyrings ]; then
+	mkdir -p /var/lib/apt/keyrings
+    fi
+    keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
+    old_mtime=0
+    if [ -e $keyring ]; then
+	old_mtime=$(stat -c %Y $keyring)
+    fi
+    (cd  /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
+    if [ ! -e $keyring ]; then
+	return
+    fi
+    new_mtime=$(stat -c %Y $keyring)
+    if [ $new_mtime -ne $old_mtime ]; then
+	echo "Checking for new archive signing keys now"
+	add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
+    fi
+}
+
+update() {
+    if [ ! -f $ARCHIVE_KEYRING ]; then
+	echo >&2 "ERROR: Can't find the archive-keyring"
+	echo >&2 "Is the &keyring-package; package installed?"
+	exit 1
+    fi
+    requires_root
+
+    # add new keys from the package;
+
+    # we do not use add_keys_with_verify_against_master_keyring here,
+    # because "update" is run on regular package updates.  A
+    # attacker might as well replace the master-archive-keyring file
+    # in the package and add his own keys. so this check wouldn't
+    # add any security. we *need* this check on net-update though
+    $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+
+    if [ -r "$REMOVED_KEYS" ]; then
+	# remove no-longer supported/used keys
+	keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
+	for key in $keys; do
+	    if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
+		$GPG --quiet --batch --delete-key --yes ${key}
+	    fi
+	done
+    else
+	echo "Warning: removed keys keyring  $REMOVED_KEYS missing or not readable" >&2
+    fi
+}
+
+remove_key_from_keyring() {
+    local GPG="$GPG_CMD --keyring $1"
+    # check if the key is in this keyring: the key id is in the 5 column at the end
+    if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then
+	return
+    fi
+    if [ ! -w "$1" ]; then
+	echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only."
+	return
+    fi
+    # check if it is the only key in the keyring and if so remove the keyring alltogether
+    if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then
+	mv -f "$1" "${1}~" # behave like gpg
+	return
+    fi
+    # we can't just modify pointed to files as these might be in /usr or something
+    local REALTARGET
+    if [ -L "$1" ]; then
+	REALTARGET="$(readlink -f "$1")"
+	mv -f "$1" "${1}.dpkg-tmp"
+	cp -a "$REALTARGET" "$1"
+	ls "$(dirname $1)"
+    fi
+    # delete the key from the keyring
+    $GPG --batch --delete-key --yes "$2"
+    if [ -n "$REALTARGET" ]; then
+	# the real backup is the old link, not the copy we made
+	mv -f "${1}.dpkg-tmp" "${1}~"
+    fi
+}
+
+remove_key() {
+    requires_root
+
+    # if a --keyring was given, just remove from there
+    if [ -n "$FORCED_KEYRING" ]; then
+	remove_key_from_keyring "$FORCED_KEYRING" "$1"
+    else
+	# otherwise all known keyrings are up for inspection
+	local TRUSTEDFILE="/etc/apt/trusted.gpg"
+	eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+	eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+	remove_key_from_keyring "$TRUSTEDFILE" "$1"
+	TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
+	eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
+	if [ -d "$TRUSTEDPARTS" ]; then
+	    for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
+		remove_key_from_keyring "$trusted" "$1"
+	    done
+	fi
+    fi
+    echo "OK"
+}
+
+
+usage() {
+    echo "Usage: apt-key [--keyring file] [command] [arguments]"
+    echo
+    echo "Manage apt's list of trusted keys"
+    echo
+    echo "  apt-key add <file>          - add the key contained in <file> ('-' for stdin)"
+    echo "  apt-key del <keyid>         - remove the key <keyid>"
+    echo "  apt-key export <keyid>      - output the key <keyid>"
+    echo "  apt-key exportall           - output all trusted keys"
+    echo "  apt-key update              - update keys using the keyring package"
+    echo "  apt-key net-update          - update keys using the network"
+    echo "  apt-key list                - list keys"
+    echo "  apt-key finger              - list fingerprints"
+    echo "  apt-key adv                 - pass advanced options to gpg (download key)"
+    echo
+    echo "If no specific keyring file is given the command applies to all keyring files."
+}
+
+while [ -n "$1" ]; do
+   case "$1" in
+      --keyring)
+	 shift
+	 TRUSTEDFILE="$1"
+	 FORCED_KEYRING="$1"
+	 if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then
+	    GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
+	 else
+	    echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
+	    exit 1
+	 fi
+	 shift
+	 ;;
+      --fakeroot)
+	 requires_root() { true; }
+	 shift
+	 ;;
+      --*)
+	 echo >&2 "Unknown option: $1"
+	 usage
+	 exit 1;;
+      *)
+	 break;;
+   esac
+done
+
+if [ -z "$TRUSTEDFILE" ]; then
+   TRUSTEDFILE="/etc/apt/trusted.gpg"
+   eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+   eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+   if [ -r "$TRUSTEDFILE" ]; then
+      GPG="$GPG --keyring $TRUSTEDFILE"
+   fi
+   GPG="$GPG --primary-keyring $TRUSTEDFILE"
+   TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
+   eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
+   if [ -d "$TRUSTEDPARTS" ]; then
+      # strip / suffix as gpg will double-slash in that case (#665411)
+      STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
+      if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
+	 TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
+      fi
+      for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
+	 GPG="$GPG --keyring $trusted"
+      done
+   fi
+fi
+
+command="$1"
+if [ -z "$command" ]; then
+    usage
+    exit 1
+fi
+shift
+
+if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
+    echo >&2 "Warning: gnupg does not seem to be installed."
+    echo >&2 "Warning: apt-key requires gnupg for most operations."
+    echo >&2
+fi
+
+case "$command" in
+    add)
+        requires_root
+        init_keyring "$TRUSTEDFILE"
+        $GPG --quiet --batch --import "$1"
+        echo "OK"
+        ;;
+    del|rm|remove)
+        init_keyring "$TRUSTEDFILE"
+	remove_key "$1"
+        ;;
+    update)
+        init_keyring "$TRUSTEDFILE"
+	update
+	;;
+    net-update)
+        init_keyring "$TRUSTEDFILE"
+	net_update
+	;;
+    list)
+        init_keyring "$TRUSTEDFILE"
+        $GPG --batch --list-keys
+        ;;
+    finger*)
+        init_keyring "$TRUSTEDFILE"
+        $GPG --batch --fingerprint
+        ;;
+    export)
+        init_keyring "$TRUSTEDFILE"
+        $GPG --armor --export "$1"
+        ;;
+    exportall)
+        init_keyring "$TRUSTEDFILE"
+        $GPG --armor --export
+        ;;
+    adv*)
+        init_keyring "$TRUSTEDFILE"
+        echo "Executing: $GPG $*"
+        $GPG $*
+        ;;
+    help)
+        usage
+        ;;
+    *)
+        usage
+        exit 1
+        ;;
+esac
diff --git a/cmdline/makefile b/cmdline/makefile
index e77ad5669..06f170b6a 100644
--- a/cmdline/makefile
+++ b/cmdline/makefile
@@ -41,6 +41,14 @@ SOURCE = apt-cdrom.cc
 include $(PROGRAM_H)
 
 # The apt-key program
+apt-key: apt-key.in
+	sed -e "s#&keyring-filename;#$(shell ../vendor/getinfo keyring-filename)#" \
+		-e "s#&keyring-removed-filename;#$(shell ../vendor/getinfo keyring-removed-filename)#" \
+		-e "s#&keyring-master-filename;#$(shell ../vendor/getinfo keyring-master-filename)#" \
+		-e "s#&keyring-uri;#$(shell ../vendor/getinfo keyring-uri)#" \
+		-e "s#&keyring-package;#$(shell ../vendor/getinfo keyring-package)#" $< > $@
+	chmod 755 $@
+
 SOURCE=apt-key
 TO=$(BIN)
 TARGET=program
diff --git a/debian/control b/debian/control
index 84d6155a6..c70d0e9ea 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ XS-Testsuite: autopkgtest
 
 Package: apt
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, debian-archive-keyring, gnupg
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${apt:keyring}, gnupg
 Replaces: manpages-pl (<< 20060617-3~), manpages-it (<< 2.80-4~)
 Breaks: manpages-pl (<< 20060617-3~), manpages-it (<< 2.80-4~)
 Conflicts: python-apt (<< 0.7.93.2~)
diff --git a/debian/preinst b/debian/preinst
deleted file mode 100755
index 985ad9b84..000000000
--- a/debian/preinst
+++ /dev/null
@@ -1,32 +0,0 @@
-#! /bin/sh
-
-set -e
-
-# dpkg does this for us while we are upgrading..
-#if [ "$1" = "upgrade" -a -L /var/state/apt -a -e /var/lib/apt -a ! -L /var/state/apt ] && dpkg --compare-versions "$2" ">=" "0.4.10"; then
-#  rm /var/state/apt
-#fi
-
-if [ "$1" = "upgrade" -o "$1" = "install" -a "$2" != "" ]; then
-  if [ ! -e /var/lib/apt -a -e /var/state/apt ]; then
-    # upgrading from /var/state/apt using apt.
-    # it's probably running now so we want to ensure /var/state/apt
-    # is still valid afterwards. and since we're upgrading
-
-    if [ -x /usr/bin/perl -a -d /var/state/apt -a ! -L /var/state/apt ] &&
-      perl -e 'exit 1 if ((stat("/var/lib"))[0] != (stat("/var/state/apt"))[0])'
-    then
-      # same fs, we can mv it
-      mv /var/state/apt /var/lib/apt
-      ln -s ../lib/apt /var/state/apt
-      # note that this symlink (/var/state/apt) will be removed when
-      # dpkg finishes unpacking the apt we're about to install; this is okay
-    else
-      # scary, let's just symlink it and hope
-      ln -s /var/state/apt /var/lib/apt
-    fi
-  fi
-  touch /var/lib/apt/lists/partial/.delete-me-later || true
-fi
-
-#DEBHELPER#
diff --git a/debian/rules b/debian/rules
index 06ccdac31..f4f7ec06b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,9 @@
 # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
 # Some lines taken from debmake, by Christoph Lameter.
 
+# build in verbose mode by default to make it easy to diangose issues
+export NOISY=1
+
 export DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 export DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
@@ -216,7 +219,7 @@ apt: build-binary build-manpages debian/apt.install
 	dh_fixperms -p$@
 	dh_installdeb -p$@
 	dh_shlibdeps -p$@
-	dh_gencontrol -p$@
+	dh_gencontrol -p$@ -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)"
 	dh_md5sums -p$@
 	dh_builddeb -p$@
 
diff --git a/doc/apt-cache.8.xml b/doc/apt-cache.8.xml
index 0955c1c9e..a53a64446 100644
--- a/doc/apt-cache.8.xml
+++ b/doc/apt-cache.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-cdrom.8.xml b/doc/apt-cdrom.8.xml
index b076a98a3..2fcd8e494 100644
--- a/doc/apt-cdrom.8.xml
+++ b/doc/apt-cdrom.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-config.8.xml b/doc/apt-config.8.xml
index 39205e737..b84d25f7a 100644
--- a/doc/apt-config.8.xml
+++ b/doc/apt-config.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-extracttemplates.1.xml b/doc/apt-extracttemplates.1.xml
index 4374c5ec3..d27e05075 100644
--- a/doc/apt-extracttemplates.1.xml
+++ b/doc/apt-extracttemplates.1.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-ftparchive.1.xml b/doc/apt-ftparchive.1.xml
index 91fdfe1e0..6482b4632 100644
--- a/doc/apt-ftparchive.1.xml
+++ b/doc/apt-ftparchive.1.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 4c050ec03..b97bc268e 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
@@ -526,7 +528,7 @@
      terminal window when packages are installed, upgraded or
      removed. For a machine parsable version of this data see
      README.progress-reporting in the apt doc directory.
-     <literal>DpkgPM::Progress</literal>.</para></listitem>
+     Configuration Item: <literal>DpkgPM::Progress</literal> and <literal>Dpkg::Progress-Fancy</literal>.</para></listitem>
      </varlistentry>
     
 
diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml
index 6a36d08ca..5dbbaaf26 100644
--- a/doc/apt-key.8.xml
+++ b/doc/apt-key.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
@@ -130,7 +132,7 @@
        Update the local keyring with the archive keyring and remove from
        the local keyring the archive keys which are no longer valid.
        The archive keyring is shipped in the <literal>archive-keyring</literal> package of your
-       distribution, e.g. the <literal>debian-archive-keyring</literal> package in Debian.
+       distribution, e.g. the &keyring-package; package in &keyring-distro;.
 
      </para>
 
@@ -180,12 +182,12 @@
      <listitem><para>Local trust database of archive keys.</para></listitem>
      </varlistentry>
 
-     <varlistentry><term><filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename></term>
-     <listitem><para>Keyring of Debian archive trusted keys.</para></listitem>
+     <varlistentry><term>&keyring-filename;</term>
+     <listitem><para>Keyring of &keyring-distro; archive trusted keys.</para></listitem>
      </varlistentry>
 
-     <varlistentry><term><filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename></term>
-     <listitem><para>Keyring of Debian archive removed trusted keys.</para></listitem>
+     <varlistentry><term>&keyring-removed-filename;</term>
+     <listitem><para>Keyring of &keyring-distro; archive removed trusted keys.</para></listitem>
      </varlistentry>
 
    </variablelist>
diff --git a/doc/apt-mark.8.xml b/doc/apt-mark.8.xml
index 3503ece8f..d00e5b9e2 100644
--- a/doc/apt-mark.8.xml
+++ b/doc/apt-mark.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 8cdfe3ab6..981351615 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
@@ -103,10 +105,10 @@
    the maintainer signature is stripped off, and checksums of the package
    are computed and put in the Packages file. The checksums of all of the
    Packages files are then computed and put into the Release file. The
-   Release file is then signed by the archive key for this Debian release,
+   Release file is then signed by the archive key for this &keyring-distro; release,
    and distributed alongside the packages and the Packages files on
-   Debian mirrors. The keys are in the Debian archive keyring available in
-   the <package>debian-archive-keyring</package> package.
+   &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring
+   available in the &keyring-package; package.
    </para>
 
    <para>
diff --git a/doc/apt-sortpkgs.1.xml b/doc/apt-sortpkgs.1.xml
index 482035b37..9bb03d624 100644
--- a/doc/apt-sortpkgs.1.xml
+++ b/doc/apt-sortpkgs.1.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent
index 0d0d95c7a..30b0c7fe0 100644
--- a/doc/apt-verbatim.ent
+++ b/doc/apt-verbatim.ent
@@ -221,11 +221,11 @@
 <!-- this will be updated by 'prepare-release' -->
 <!ENTITY apt-product-version "0.9.7.6ubuntu2">
 
-<!-- Codenames for debian releases -->
+<!-- (Code)names for various things used all over the place -->
 <!ENTITY oldstable-codename "squeeze">
 <!ENTITY stable-codename "wheezy">
 <!ENTITY testing-codename "jessie">
-<!ENTITY stable-version "7.0">
+<!ENTITY stable-version "7">
 <!ENTITY ubuntu-codename "precise">
 
 <!-- good and bad just refers to matching and not matching a pattern…
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index 428c0d2db..bfc43ba29 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/apt_preferences.5.xml b/doc/apt_preferences.5.xml
index f56958fcc..d8c3efab7 100644
--- a/doc/apt_preferences.5.xml
+++ b/doc/apt_preferences.5.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/doc/en/makefile b/doc/en/makefile
index a4fb232d4..247ce38b5 100644
--- a/doc/en/makefile
+++ b/doc/en/makefile
@@ -9,12 +9,15 @@ include ../../buildlib/defaults.mak
 ifdef XSLTPROC
 # generate a list of accepted man page translations
 SOURCE = $(patsubst ../%.xml,%,$(wildcard ../*.?.xml))
-INCLUDES = ../apt.ent ../apt-verbatim.ent
+INCLUDES = ../apt.ent ../apt-verbatim.ent apt-vendor.ent
 STYLESHEET=../manpage-style.xsl
 
 LOCAL := manpage-$(firstword $(SOURCE))
 $(LOCAL)-LIST := $(SOURCE)
 
+apt-vendor.ent: ../../vendor/current/apt-vendor.ent
+	ln -sf $(shell readlink -f $^) $@
+
 # Install generation hooks
 manpages: $($(LOCAL)-LIST) apt.8
 
@@ -30,7 +33,7 @@ apt.8: ../apt.8
 veryclean: clean/$(LOCAL)
 clean: clean/$(LOCAL)
 clean/$(LOCAL):
-	-rm -rf $($(@F)-LIST) apt.8
+	-rm -rf $($(@F)-LIST) apt.8 apt-vendor.ent
 endif
 
 # Chain to the manpage rule
diff --git a/doc/examples/sources.list.in b/doc/examples/sources.list.in
deleted file mode 100644
index 745e32cbe..000000000
--- a/doc/examples/sources.list.in
+++ /dev/null
@@ -1,8 +0,0 @@
-# See sources.list(5) manpage for more information
-# Remember that CD-ROMs, DVDs and such are managed through the apt-cdrom tool.
-deb http://ftp.us.debian.org/debian &stable-codename; main contrib non-free
-deb http://security.debian.org &stable-codename;/updates main contrib non-free
-
-# Uncomment if you want the apt-get source function to work
-#deb-src http://ftp.us.debian.org/debian &stable-codename; main contrib non-free
-#deb-src http://security.debian.org &stable-codename;/updates main contrib non-free
diff --git a/doc/makefile b/doc/makefile
index 274fbc278..49f3e1b56 100644
--- a/doc/makefile
+++ b/doc/makefile
@@ -12,8 +12,11 @@ include $(DEBIANDOC_H)
 
 doc: manpages debiandoc
 
-examples/sources.list: examples/sources.list.in apt-verbatim.ent
-	sed -e 's#&stable-codename;#$(shell grep --max-count=1 '^<!ENTITY stable-codename "' apt-verbatim.ent | cut -d'"' -f 2)#g' examples/sources.list.in > examples/sources.list
+examples/sources.list: ../vendor/current/sources.list
+	ln -sf $(shell readlink -f $^) $@
+
+apt-vendor.ent: ../vendor/current/apt-vendor.ent
+	ln -sf $(shell readlink -f $^) $@
 
 # Examples
 SOURCE = examples/apt.conf examples/sources.list examples/configure-index examples/apt-https-method-example.conf
@@ -23,9 +26,9 @@ include $(COPY_H)
 
 .PHONY: clean clean/subdirs veryclean veryclean/subdirs manpages/subdirs debiandoc/subdirs all binary doc stats
 
-clean: clean/subdirs
-veryclean: veryclean/subdirs
-manpages: manpages/subdirs
+clean: clean/subdirs clean/examples
+veryclean: veryclean/subdirs clean/examples
+manpages: manpages/subdirs apt-vendor.ent
 debiandoc: debiandoc/subdirs
 
 DOCUMENTATIONPO = $(patsubst %.po,%,$(notdir $(wildcard po/*.po)))
@@ -41,6 +44,10 @@ debiandoc/subdirs manpages/subdirs clean/subdirs veryclean/subdirs:
 		$(MAKE) -C $$dir $(patsubst %/subdirs,%,$@); \
 	done
 
+clean/examples:
+	rm -f examples/sources.list
+	rm -f apt-vendor.ent
+
 stats:
 	for i in po/*.po; do echo -n "$$i: "; msgfmt --output-file=/dev/null --statistics $$i; done
 
diff --git a/doc/po/apt-doc.pot b/doc/po/apt-doc.pot
index 43c184106..43e14b779 100644
--- a/doc/po/apt-doc.pot
+++ b/doc/po/apt-doc.pot
@@ -1620,8 +1620,8 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
@@ -1670,22 +1670,22 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
+msgid "Keyring of &keyring-distro; archive trusted keys."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
-msgid "<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+msgid "&keyring-removed-filename;"
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
@@ -1862,10 +1862,10 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the "
-"<package>debian-archive-keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the "
+"&keyring-package; package."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
diff --git a/doc/po/de.po b/doc/po/de.po
index 8ecbf4cbf..808fcd126 100644
--- a/doc/po/de.po
+++ b/doc/po/de.po
@@ -2265,14 +2265,14 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "aktualisiert den lokalen Schlüsselbund mit dem Archivschlüsselbund und "
 "entfernt die Archivschlüssel, die nicht länger gültig sind, aus dem lokalen "
 "Schlüsselbund. Der Archivschlüsselbund wird im Paket <literal>archive-"
 "keyring</literal> Ihrer Distribution mitgeliefert, z.B. dem Paket "
-"<literal>debian-archive-keyring</literal> in Debian."
+"&keyring-package; in &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2335,26 +2335,26 @@ msgstr "lokale Datenbank vertrauenswürdiger Archivschlüssel"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Schlüsselbund vertrauenswürdiger Schlüssel des Debian-Archivs"
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Schlüsselbund vertrauenswürdiger Schlüssel des &keyring-distro;-Archivs"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
 msgstr ""
-"Schlüsselbund entfernter vertrauenswürdiger Schlüssel des Debian-Archivs"
+"Schlüsselbund entfernter vertrauenswürdiger Schlüssel des &keyring-distro;-Archivs"
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2600,19 +2600,19 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Sobald das hochgeladene Paket überprüft und dem Archiv hinzugefügt wurde, "
 "wird die Betreuersignatur entfernt, Prüfsummen des Pakets werden berechnet "
 "und in die Datei Packages abgelegt. Die Prüfsummen aller Paketdateien werden "
 "berechnet und in der Release-Datei abgelegt. Dann wird die Release-Datei "
-"durch den Archivschlüssel für diese Debian-Veröffentlichung signiert und "
-"zusammen mit den Paketen und Packages-Dateien auf Debian-Spiegel verteilt. "
-"Die Schlüssel sind im Debian-Archivschlüsselbund im Paket <package>debian-"
-"archive-keyring</package> verfügbar."
+"durch den Archivschlüssel für diese &keyring-distro;-Veröffentlichung signiert und "
+"zusammen mit den Paketen und Packages-Dateien auf &keyring-distro;-Spiegel verteilt. "
+"Die Schlüssel sind im &keyring-distro;-Archivschlüsselbund im Paket &keyring-package; "
+"verfügbar."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/es.po b/doc/po/es.po
index 38b2645ea..6b2e77914 100644
--- a/doc/po/es.po
+++ b/doc/po/es.po
@@ -2334,14 +2334,14 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "Actualiza el registro de claves local con el registro de claves del archivo "
 "y elimina del registro local las claves de archivo que ya no son válidas. El "
 "registro de claves del archivo se encuentra en el paquete <literal>archive-"
-"keyring</literal> de su distribución; esto es, el paquete <literal>debian-"
-"archive-keyring</literal> en Debian."
+"keyring</literal> de su distribución; esto es, el paquete &keyring-package; "
+"en &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2404,25 +2404,25 @@ msgstr "Base de datos local de las claves de confianza de archivos Debian"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Registro de las claves de confianza del archivo de Debian."
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Registro de las claves de confianza del archivo de &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "Registro de las claves de confianza eliminadas del archivo de Debian."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "Registro de las claves de confianza eliminadas del archivo de &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2664,20 +2664,20 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Una vez que el paquete enviado se ha verificado e incluido en el archivo, se "
 "elimina la firma del mantenedor, y se realizan las sumas de control del "
 "paquete, que se incluyen en el fichero «Packages». A continuación, se "
 "realiza una suma de control de todos los ficheros «Package», y se incluyen "
 "en el fichero «Release». Acto seguido, el fichero «Release» se firma con la "
-"clave del archivo de esta distribución de Debian, y se distribuye junto con "
-"los paquetes y los ficheros «Packages» de las réplicas de Debian. Las claves "
-"están disponibles en el registro de claves del archivo Debian en el paquete "
-"<package>debian-archive-keyring</package> package."
+"clave del archivo de esta distribución de &keyring-distro;, y se distribuye junto con "
+"los paquetes y los ficheros «Packages» de las réplicas de &keyring-distro;. Las claves "
+"están disponibles en el registro de claves del archivo &keyring-distro; en el paquete "
+"&keyring-package; package."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/fr.po b/doc/po/fr.po
index c2f4b6d83..3849630b5 100644
--- a/doc/po/fr.po
+++ b/doc/po/fr.po
@@ -2261,14 +2261,14 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "Mettre à jour le trousseau de clés local avec le trousseau de clés de "
 "l'archive et y supprimer les clés qui ne sont plus valables. Le trousseau de "
 "clés de l'archive est fourni dans le paquet <literal>archive-keyring</"
-"literal> de la distribution, par exemple le paquet <literal>debian-archive-"
-"keyring</literal> dans Debian."
+"literal> de la distribution, par exemple le paquet &keyring-package; "
+"dans &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2331,25 +2331,25 @@ msgstr "Base de données locale de fiabilité des clés de l'archive."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Trousseau des clés fiables de l'archive Debian."
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Trousseau des clés fiables de l'archive &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "Trousseau des clés fiables supprimées de l'archive Debian."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "Trousseau des clés fiables supprimées de l'archive &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2587,15 +2587,16 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:102
+#, fuzzy
 msgid ""
 "Once the uploaded package is verified and included in the archive, the "
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Une fois que le paquet envoyé a été vérifié et inclus dans l'archive, la "
 "signature du responsable est enlevée, une somme de contrôle du paquet est "
@@ -2603,8 +2604,7 @@ msgstr ""
 "paquets est ensuite calculée et mise dans le fichier Release. Ce fichier est "
 "signé par la clé de l'archive pour la version courante de la distribution et "
 "distribuée en même temps que les paquets et les fichiers Packages sur les "
-"miroirs. Les clés sont fournies par le paquet <package>debian-archive-"
-"keyring</package>."
+"miroirs. Les clés sont fournies par le paquet &keyring-package;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/it.po b/doc/po/it.po
index df144e2b7..9f614a468 100644
--- a/doc/po/it.po
+++ b/doc/po/it.po
@@ -2300,14 +2300,14 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "Aggiorna il portachiavi locale con il portachiavi dell'archivio e rimuove "
 "dal portachiavi locale le chiavi di archivio che non sono più valide. Il "
 "portachiavi degli archivi è fornito nel pacchetto <literal>archive-keyring</"
 "literal> delle diverse distribuzioni, ad esempio il pacchetto "
-"<literal>debian-archive-keyring</literal> in Debian."
+"&keyring-package; in &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2370,25 +2370,25 @@ msgstr "Database locale di fiducia delle chiavi archiviate."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Portachiavi delle chiavi fidate degli archivi Debian."
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Portachiavi delle chiavi fidate degli archivi &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "Portachiavi delle chiavi fidate rimosse degli archivi Debian."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "Portachiavi delle chiavi fidate rimosse degli archivi &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2633,19 +2633,19 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Una volta che il pacchetto caricato è verificato e incluso nell'archivio, la "
 "firma del manutentore viene rimossa e i codici di controllo del pacchetto "
 "vengono calcolati e messi nel file Packages. Vengono quindi calcolati i "
 "codici di controllo di tutti i file Packages e vengono messi nel file "
 "Release. Il file Release viene poi firmato con la chiave dell'archivio per "
-"questo rilascio di Debian e viene distribuito insieme ai pacchetti e ai file "
-"Packages nei mirror Debian. Le chiavi sono nel portachiavi degli archivi "
-"Debian, disponibile nel pacchetto <package>debian-archive-keyring</package>."
+"questo rilascio di &keyring-distro; e viene distribuito insieme ai pacchetti e ai file "
+"Packages nei mirror &keyring-distro;. Le chiavi sono nel portachiavi degli archivi "
+"&keyring-distro;, disponibile nel pacchetto &keyring-package;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/ja.po b/doc/po/ja.po
index 6b767f195..7370e21d8 100644
--- a/doc/po/ja.po
+++ b/doc/po/ja.po
@@ -2219,13 +2219,13 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "ローカルキーリングをアーカイブキーリングで更新し、もう有効でなくなったアーカ"
 "イブキーをローカルキーリングから削除します。アーカイブキーリングは、使用中の"
 "ディストリビューションにある <literal>archive-keyring</literal> パッケージ "
-"(例: Debian では <literal>debian-archive-keyring</literal> パッケージ) で提供"
+"(例: &keyring-distro; では &keyring-package; パッケージ) で提供"
 "されています。"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
@@ -2287,25 +2287,25 @@ msgstr "アーカイブキーのローカル信頼データベースです。"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Debian アーカイブ信頼キーのキーリングです。"
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "&keyring-distro; アーカイブ信頼キーのキーリングです。"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "削除された Debian アーカイブ信頼キーのキーリングです。"
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "削除された &keyring-distro; アーカイブ信頼キーのキーリングです。"
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2541,18 +2541,18 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "アップロードされたパッケージが検証されてアーカイブに格納されると、メンテナの"
 "署名を取り外し、パッケージのチェックサムを計算して、Packages ファイルに格納し"
 "ます。その後、全パッケージファイルのチェックサムを計算して、Release ファイル"
-"に格納します。Release ファイルは、その Debian リリースのアーカイブキーで署名"
-"され、Debian ミラーサイトでパッケージや Packages ファイルとともに配布されま"
-"す。このキーは、<package>debian-archive-keyring</package> パッケージに収録さ"
-"れている、Debian アーカイブキーリングに含まれます。"
+"に格納します。Release ファイルは、その &keyring-distro; リリースのアーカイブキーで署名"
+"され、&keyring-distro; ミラーサイトでパッケージや Packages ファイルとともに配布されま"
+"す。このキーは、&keyring-package; パッケージに収録さ"
+"れている、&keyring-distro; アーカイブキーリングに含まれます。"
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/pl.po b/doc/po/pl.po
index 2b33324b6..81edfb704 100644
--- a/doc/po/pl.po
+++ b/doc/po/pl.po
@@ -2366,14 +2366,14 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "Aktualizuje lokalną składnicę kluczy używając składnicy kluczy archiwum i "
 "usuwa z lokalnej składnicy niepoprawne klucze archiwum. Składnica kluczy "
 "archiwum jest dostarczana przez pakiet <literal>archive-keyring</literal> "
-"Twojej dystrybucji, np. pakiet <literal>debian-archive-keyring</literal> w "
-"systemach Debiana."
+"Twojej dystrybucji, np. pakiet &keyring-package; w "
+"systemach &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2436,25 +2436,25 @@ msgstr "Lokalna składnica zaufanych kluczy archiwum."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Składnica zaufanych kluczy archiwum Debiana."
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Składnica zaufanych kluczy archiwum &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "Składnica usuniętych zaufanych kluczy archiwum Debiana."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "Składnica usuniętych zaufanych kluczy archiwum &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2696,20 +2696,19 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Po tym jak dostarczony przez opiekuna pakiet zostanie zweryfikowany i "
 "dołączony do archiwum, sygnatura opiekuna jest usuwana, a sumy kontrolne "
 "pakietu są wyliczane i umieszczane w pliku Packages. Sumy kontrolne "
 "wszystkich plików Packages są następnie wyliczane i umieszczane w pliku "
 "Release. Plik Release jest następnie podpisywany przy użyciu klucza archiwum "
-"tego wydania dystrybucji Debiana i dystrybuowany wraz z pakietami i plikami "
-"Packages przez serwery lustrzane Debiana. Klucze archiwum znajdują się w "
-"składnicy kluczy Debiana dostępnej w pakiecie <package>debian-archive-"
-"keyring</package>."
+"tego wydania dystrybucji &keyring-distro; i dystrybuowany wraz z pakietami i plikami "
+"Packages przez serwery lustrzane &keyring-distro;. Klucze archiwum znajdują się w "
+"składnicy kluczy &keyring-distro; dostępnej w pakiecie &keyring-package;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/pt.po b/doc/po/pt.po
index 726b184d0..b06026154 100644
--- a/doc/po/pt.po
+++ b/doc/po/pt.po
@@ -2280,13 +2280,13 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 "Actualiza o chaveiro local com o chaveiro do arquivo e remove do chaveiro "
 "local as chaves de arquivo que já não são válidas. O chaveiro do arquivo é "
 "submetido no pacote <literal>archive-keyring</literal> da sua distribuição, "
-"por exemplo o pacote <literal>debian-archive-keyring</literal> em Debian."
+"por exemplo o pacote &keyring-package; em &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:144
@@ -2349,25 +2349,25 @@ msgstr "Base de dados local de confiança de chaves de arquivos."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
+msgstr "&keyring-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
-msgstr "Chaveiro das chaves de confiança dos arquivos Debian."
+msgid "Keyring of &keyring-distro; archive trusted keys."
+msgstr "Chaveiro das chaves de confiança dos arquivos &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
-msgstr "Chaveiro das chaves de confiança removidas dos arquivos Debian."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
+msgstr "Chaveiro das chaves de confiança removidas dos arquivos &keyring-distro;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-key.8.xml:197
@@ -2609,20 +2609,19 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 "Assim que o pacote submetido é verificado e incluído no arquivo, a "
 "assinatura do responsável é despojada, são computados sumários de "
 "verificação do pacote e colocado no ficheiro Packages. Os sumários de "
 "verificação de todos os ficheiros Packages são então computados e colocados "
 "no ficheiro Release. O ficheiro Release é então assinado pela chave de "
-"arquivo para este lançamento de Debian, e distribuído juntamente com os "
-"pacotes e os ficheiros Packages em mirrors de Debian. As chaves estão no "
-"chaveiro do arquivo Debian no pacote <package>debian-archive-keyring</"
-"package>."
+"arquivo para este lançamento de &keyring-distro;, e distribuído juntamente com os "
+"pacotes e os ficheiros Packages em mirrors de &keyring-distro;. As chaves estão no "
+"chaveiro do arquivo &keyring-distro; no pacote &keyring-package;."
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-secure.8.xml:113
diff --git a/doc/po/pt_BR.po b/doc/po/pt_BR.po
index 00619cd22..a5df9e80e 100644
--- a/doc/po/pt_BR.po
+++ b/doc/po/pt_BR.po
@@ -1618,8 +1618,8 @@ msgid ""
 "Update the local keyring with the archive keyring and remove from the local "
 "keyring the archive keys which are no longer valid.  The archive keyring is "
 "shipped in the <literal>archive-keyring</literal> package of your "
-"distribution, e.g. the <literal>debian-archive-keyring</literal> package in "
-"Debian."
+"distribution, e.g. the &keyring-package; package in "
+"&keyring-distro;."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
@@ -1669,23 +1669,23 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:183
-msgid "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>"
+msgid "&keyring-filename;"
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:184
-msgid "Keyring of Debian archive trusted keys."
+msgid "Keyring of &keyring-distro; archive trusted keys."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:187
 msgid ""
-"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+"&keyring-removed-filename;"
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:188
-msgid "Keyring of Debian archive removed trusted keys."
+msgid "Keyring of &keyring-distro; archive removed trusted keys."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
@@ -1863,10 +1863,10 @@ msgid ""
 "maintainer signature is stripped off, and checksums of the package are "
 "computed and put in the Packages file. The checksums of all of the Packages "
 "files are then computed and put into the Release file. The Release file is "
-"then signed by the archive key for this Debian release, and distributed "
-"alongside the packages and the Packages files on Debian mirrors. The keys "
-"are in the Debian archive keyring available in the <package>debian-archive-"
-"keyring</package> package."
+"then signed by the archive key for this &keyring-distro; release, and distributed "
+"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys "
+"are in the &keyring-distro; archive keyring available in the &keyring-package; "
+"package."
 msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index fa32297c2..87fb4d71e 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -8,6 +8,8 @@
 <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent">
 %aptverbatiment;
 
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent">
+%aptvendor;
 ]>
 
 <refentry>
diff --git a/prepare-release b/prepare-release
index 2d8502d7f..a9cc49cfd 100755
--- a/prepare-release
+++ b/prepare-release
@@ -1,11 +1,15 @@
 #!/bin/sh
 
+set -e
+
 VERSION=$(dpkg-parsechangelog | sed -n -e '/^Version:/s/^Version: //p')
 DISTRIBUTION=$(dpkg-parsechangelog | sed -n -e '/^Distribution:/s/^Distribution: //p')
 
 LIBAPTPKGVERSION="$(awk -v ORS='.' '/^\#define APT_PKG_M/ {print $3}' apt-pkg/init.h | sed 's/\.$//')"
 LIBAPTINSTVERSION="$(egrep '^MAJOR=' apt-inst/makefile |cut -d '=' -f 2)"
 
+dpkg-checkbuilddeps -d 'libxml2-utils'
+
 if [ "$1" = 'pre-export' ]; then
 	libraryversioncheck() {
 		local LIBRARY="$1"
diff --git a/test/integration/exploid-keyring-with-dupe-keys.pub b/test/integration/exploid-keyring-with-dupe-keys.pub
new file mode 100644
index 000000000..642952a40
Binary files /dev/null and b/test/integration/exploid-keyring-with-dupe-keys.pub differ
diff --git a/test/integration/exploid-keyring-with-dupe-subkeys.pub b/test/integration/exploid-keyring-with-dupe-subkeys.pub
new file mode 100644
index 000000000..02d4e6ee8
Binary files /dev/null and b/test/integration/exploid-keyring-with-dupe-subkeys.pub differ
diff --git a/test/integration/framework b/test/integration/framework
index 20f3487cc..89b5bb0e4 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -192,6 +192,7 @@ setupenvironment() {
 	fi
 	echo "DPKG::options:: \"--log=${TMPWORKINGDIRECTORY}/rootdir/var/log/dpkg.log\";" >> aptconfig.conf
 	echo 'quiet::NoUpdate "true";' >> aptconfig.conf
+	echo "Acquire::https::CaInfo \"${TESTDIR}/apt.pem\";" > rootdir/etc/apt/apt.conf.d/99https
 	export LC_ALL=C
 	export PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
 	configcompression '.' 'gz' #'bz2' 'lzma' 'xz'
@@ -791,6 +792,22 @@ signreleasefiles() {
 	msgdone "info"
 }
 
+webserverconfig() {
+	msgtest "Set webserver config option '${1}' to" "$2"
+	downloadfile "http://localhost:8080/_config/set/${1}/${2}" '/dev/null' >/dev/null
+	local DOWNLOG='download-testfile.log'
+	rm -f "$DOWNLOG"
+	local STATUS="$(mktemp)"
+	addtrap "rm $STATUS;"
+	downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" > "$DOWNLOG"
+	if [ "$(cat "$STATUS")" = '200' ]; then
+		msgpass
+	else
+		cat >&2 "$DOWNLOG"
+		msgfail "Statuscode was $(cat "$STATUS")"
+	fi
+}
+
 rewritesourceslist() {
 	local APTARCHIVE="file://$(readlink -f "${TMPWORKINGDIRECTORY}/aptarchive")"
 	for LIST in $(find rootdir/etc/apt/sources.list.d/ -name 'apt-test-*.list'); do
@@ -799,6 +816,11 @@ rewritesourceslist() {
 }
 
 changetowebserver() {
+	if [ "$1" != '--no-rewrite' ]; then
+		rewritesourceslist 'http://localhost:8080/'
+	else
+		shift
+	fi
 	local LOG='/dev/null'
 	if test -x ${BUILDDIRECTORY}/aptwebserver; then
 		cd aptarchive
@@ -812,9 +834,6 @@ changetowebserver() {
 	else
 		msgdie 'You have to build aptwerbserver or install a webserver'
 	fi
-	if [ "$1" != '--no-rewrite' ]; then
-		rewritesourceslist 'http://localhost:8080/'
-	fi
 }
 
 changetohttpswebserver() {
@@ -826,6 +845,7 @@ changetohttpswebserver() {
 	fi
 	echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid
 cert = ${TESTDIRECTORY}/apt.pem
+output = /dev/null
 
 [https]
 accept = 4433
diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update
new file mode 100755
index 000000000..d5205836f
--- /dev/null
+++ b/test/integration/test-apt-key-net-update
@@ -0,0 +1,95 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+# mock
+requires_root() {
+    return 0
+}
+
+# extract net_update() and import it
+func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key )
+eval "$func"
+
+mkdir -p ./etc/apt
+TRUSTEDFILE=./etc/apt/trusted.gpg
+mkdir -p ./var/lib/apt/keyrings
+TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
+GPG="$GPG_CMD --keyring $TRUSTEDFILE"
+MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
+
+
+msgtest "add_keys_with_verify_against_master_keyring"
+if [ ! -e $MASTER_KEYRING ]; then
+    echo -n "No $MASTER_KEYRING found"
+    msgskip 
+    exit 0
+fi
+
+# test bad keyring and ensure its not added (LP: #857472)
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+    msgfail
+else
+    msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+    msgfail
+else
+    msgpass
+fi
+
+
+# test another possible attack vector using subkeys (LP: #1013128)
+msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
+ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+    msgfail
+else
+    msgpass
+fi
+
+# ensure the keyring is still empty
+gpg_out=$($GPG --list-keys)
+msgtest "Test if keyring is empty"
+if [ -n "" ]; then
+    msgfail
+else
+    msgpass
+fi
+
+
+# test good keyring and ensure we get no errors
+ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
+if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
+    msgpass
+else
+    msgfail
+fi
+
+testequal './etc/apt/trusted.gpg
+---------------------
+pub   1024D/437D05B5 2004-09-12
+uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
+sub   2048g/79164387 2004-09-12
+
+pub   1024D/FBB75451 2004-12-30
+uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
+
+pub   4096R/C0B21F32 2012-05-11
+uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
+
+pub   4096R/EFE21092 2012-05-11
+uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
+' $GPG --list-keys
+
diff --git a/test/integration/test-apt-sources-deb822 b/test/integration/test-apt-sources-deb822
new file mode 100755
index 000000000..6e9700bb0
--- /dev/null
+++ b/test/integration/test-apt-sources-deb822
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+BASE="Type: deb
+URL: http://ftp.debian.org/debian
+Dist: stable
+Section: main
+Comment: Some random string
+ that can be very long"
+
+# simple case
+echo "$BASE" > rootdir/etc/apt/sources.list
+
+testequal "'http://ftp.debian.org/debian/dists/stable/main/binary-i386/Packages.bz2' ftp.debian.org_debian_dists_stable_main_binary-i386_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/main/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_stable_main_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/stable/InRelease' ftp.debian.org_debian_dists_stable_InRelease 0 "  aptget update --print-uris 
+
+
+# two sections (we support both "," and " " as seperator)
+echo "$BASE" | sed s/main/"main,contrib"/ > rootdir/etc/apt/sources.list
+
+testequal "'http://ftp.debian.org/debian/dists/stable/main/binary-i386/Packages.bz2' ftp.debian.org_debian_dists_stable_main_binary-i386_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/contrib/binary-i386/Packages.bz2' ftp.debian.org_debian_dists_stable_contrib_binary-i386_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/contrib/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_stable_contrib_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/stable/main/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_stable_main_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/stable/InRelease' ftp.debian.org_debian_dists_stable_InRelease 0 "  aptget update --print-uris 
+
+
+# Two entries
+echo "$BASE" > rootdir/etc/apt/sources.list
+echo "" >> rootdir/etc/apt/sources.list
+echo "$BASE" | sed  s/stable/unstable/ >> rootdir/etc/apt/sources.list
+
+testequal "'http://ftp.debian.org/debian/dists/stable/main/binary-i386/Packages.bz2' ftp.debian.org_debian_dists_stable_main_binary-i386_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/main/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_stable_main_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/stable/InRelease' ftp.debian.org_debian_dists_stable_InRelease 0 
+'http://ftp.debian.org/debian/dists/unstable/main/binary-i386/Packages.bz2' ftp.debian.org_debian_dists_unstable_main_binary-i386_Packages 0 :
+'http://ftp.debian.org/debian/dists/unstable/main/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_unstable_main_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/unstable/InRelease' ftp.debian.org_debian_dists_unstable_InRelease 0 "  aptget update --print-uris 
+
+
+# ARCH option
+echo "$BASE" > rootdir/etc/apt/sources.list
+echo "Arch: amd64,armel" >> rootdir/etc/apt/sources.list
+
+testequal "'http://ftp.debian.org/debian/dists/stable/main/binary-amd64/Packages.bz2' ftp.debian.org_debian_dists_stable_main_binary-amd64_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/main/binary-armel/Packages.bz2' ftp.debian.org_debian_dists_stable_main_binary-armel_Packages 0 :
+'http://ftp.debian.org/debian/dists/stable/main/i18n/Translation-en.bz2' ftp.debian.org_debian_dists_stable_main_i18n_Translation-en 0 :
+'http://ftp.debian.org/debian/dists/stable/InRelease' ftp.debian.org_debian_dists_stable_InRelease 0 "  aptget update --print-uris
diff --git a/test/integration/test-bug-719263-print-uris-removes-authentication b/test/integration/test-bug-719263-print-uris-removes-authentication
index 1c1a27ceb..5e674db0b 100755
--- a/test/integration/test-bug-719263-print-uris-removes-authentication
+++ b/test/integration/test-bug-719263-print-uris-removes-authentication
@@ -25,6 +25,7 @@ Inst unrelated [1] (2 unstable [all])
 Conf unrelated (2 unstable [all])' aptget install unrelated -s
 	testsuccess aptget install unrelated -y
 	testdpkginstalled unrelated
+	rm -rf rootdir/var/cache/apt/*.bin
 	cp -a rootdir/var/lib/dpkg/status-backup-noact rootdir/var/lib/dpkg/status
 }
 
diff --git a/test/integration/test-partial-file-support b/test/integration/test-partial-file-support
index 8d1c51ae0..382789e68 100755
--- a/test/integration/test-partial-file-support
+++ b/test/integration/test-partial-file-support
@@ -18,7 +18,7 @@ testdownloadfile() {
 	rm -f "$DOWNLOG"
 	msgtest "Testing download of file $2 with" "$1"
 	if ! downloadfile "$2" "$3" > "$DOWNLOG"; then
-		cat "$DOWNLOG"
+		cat >&2 "$DOWNLOG"
 		msgfail
 	else
 		msgpass
@@ -40,21 +40,23 @@ testdownloadfile() {
 		if [ "$EXPECTED" "$4" "$hash" ]; then
 			msgpass
 		else
-			cat "$DOWNLOG"
+			cat >&2 "$DOWNLOG"
 			msgfail "expected: $EXPECTED ; got: $hash"
 		fi
 	done
 }
 
 testwebserverlaststatuscode() {
-	STATUS="$(mktemp)"
+	local DOWNLOG='download-testfile.log'
+	rm -f "$DOWNLOG"
+	local STATUS="$(mktemp)"
 	addtrap "rm $STATUS;"
 	msgtest 'Test last status code from the webserver was' "$1"
-	downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" >/dev/null
+	downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" > "$DOWNLOG"
 	if [ "$(cat "$STATUS")" = "$1" ]; then
 		msgpass
 	else
-		cat download-testfile.log
+		cat >&2 "$DOWNLOG"
 		msgfail "Status was $(cat "$STATUS")"
 	fi
 }
@@ -64,8 +66,7 @@ TESTFILE='aptarchive/testfile'
 cp -a ${TESTDIR}/framework $TESTFILE
 
 testrun() {
-	downloadfile "$1/_config/set/aptwebserver::support::range/true" '/dev/null' >/dev/null
-	testwebserverlaststatuscode '200'
+	webserverconfig 'aptwebserver::support::range' 'true'
 
 	copysource $TESTFILE 0 ./testfile
 	testdownloadfile 'no data' "${1}/testfile" './testfile' '='
@@ -92,8 +93,7 @@ testrun() {
 	testdownloadfile 'old data' "${1}/testfile" './testfile' '='
 	testwebserverlaststatuscode '200'
 
-	downloadfile "$1/_config/set/aptwebserver::support::range/false" '/dev/null' >/dev/null
-	testwebserverlaststatuscode '200'
+	webserverconfig 'aptwebserver::support::range' 'false'
 
 	copysource $TESTFILE 20 ./testfile
 	testdownloadfile 'no server support' "${1}/testfile" './testfile' '='
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 9d34a521a..e558b83e8 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -11,7 +11,7 @@ buildaptarchive
 setupflataptarchive
 changetowebserver
 
-downloadfile "http://localhost:8080/_config/set/aptwebserver::support::range/false" '/dev/null' >/dev/null
+webserverconfig 'aptwebserver::support::range' 'false'
 
 prepare() {
 	local DATE="${2:-now}"
diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc
index 4dae342dd..b7663a76a 100644
--- a/test/interactive-helper/aptwebserver.cc
+++ b/test/interactive-helper/aptwebserver.cc
@@ -112,7 +112,7 @@ bool sendHead(int const client, int const httpcode, std::list<std::string> &head
    date.append(TimeRFC1123(time(NULL)));
    headers.push_back(date);
 
-   std::clog << ">>> RESPONSE >>>" << std::endl;
+   std::clog << ">>> RESPONSE to " << client << " >>>" << std::endl;
    bool Success = true;
    for (std::list<std::string>::const_iterator h = headers.begin();
 	Success == true && h != headers.end(); ++h)
@@ -137,21 +137,21 @@ bool sendFile(int const client, FileFd &data)				/*{{{*/
    {
       if (actual == 0)
 	 break;
-      if (Success == true)
-	 Success &= FileFd::Write(client, buffer, actual);
+      Success &= FileFd::Write(client, buffer, actual);
    }
-   if (Success == true)
-      Success &= FileFd::Write(client, "\r\n", 2);
+   if (Success == false)
+      std::cerr << "SENDFILE: READ/WRITE ERROR to " << client << std::endl;
    return Success;
 }
 									/*}}}*/
 bool sendData(int const client, std::string const &data)		/*{{{*/
 {
-   bool Success = true;
-   Success &= FileFd::Write(client, data.c_str(), data.size());
-   if (Success == true)
-      Success &= FileFd::Write(client, "\r\n", 2);
-   return Success;
+   if (FileFd::Write(client, data.c_str(), data.size()) == false)
+   {
+      std::cerr << "SENDDATA: WRITE ERROR to " << client << std::endl;
+      return false;
+   }
+   return true;
 }
 									/*}}}*/
 void sendError(int const client, int const httpcode, std::string const &request,/*{{{*/
@@ -198,7 +198,17 @@ void sendRedirect(int const client, int const httpcode, std::string const &uri,/
    addDataHeaders(headers, response);
    std::string location("Location: ");
    if (strncmp(uri.c_str(), "http://", 7) != 0)
-      location.append("http://").append(LookupTag(request, "Host")).append("/").append(uri);
+   {
+      location.append("http://").append(LookupTag(request, "Host")).append("/");
+      if (strncmp("/home/", uri.c_str(), strlen("/home/")) == 0 && uri.find("/public_html/") != std::string::npos)
+      {
+	 std::string homeuri = SubstVar(uri, "/home/", "~");
+	 homeuri = SubstVar(homeuri, "/public_html/", "/");
+	 location.append(homeuri);
+      }
+      else
+	 location.append(uri);
+   }
    else
       location.append(uri);
    headers.push_back(location);
@@ -267,7 +277,7 @@ void sendDirectoryListing(int const client, std::string const &dir,	/*{{{*/
 	   << "</head>" << std::endl
 	   << "<body><h1>Index of " << dir << "</h1>" << std::endl
 	   << "<table><tr><th>#</th><th>Name</th><th>Size</th><th>Last-Modified</th></tr>" << std::endl;
-   if (dir != ".")
+   if (dir != "./")
       listing << "<tr><td>d</td><td><a href=\"..\">Parent Directory</a></td><td>-</td><td>-</td></tr>";
    for (int i = 0; i < counter; ++i) {
       struct stat fs;
@@ -298,7 +308,7 @@ void sendDirectoryListing(int const client, std::string const &dir,	/*{{{*/
 }
 									/*}}}*/
 bool parseFirstLine(int const client, std::string const &request,	/*{{{*/
-		    std::string &filename, bool &sendContent,
+		    std::string &filename, std::string &params, bool &sendContent,
 		    bool &closeConnection)
 {
    if (strncmp(request.c_str(), "HEAD ", 5) == 0)
@@ -365,6 +375,14 @@ bool parseFirstLine(int const client, std::string const &request,	/*{{{*/
       sendError(client, 400, request, sendContent, "Request is absolutePath, but configured to not accept that");
       return false;
    }
+
+   size_t paramspos = filename.find('?');
+   if (paramspos != std::string::npos)
+   {
+      params = filename.substr(paramspos + 1);
+      filename.erase(paramspos);
+   }
+
    filename = DeQuoteString(filename);
 
    // this is not a secure server, but at least prevent the obvious …
@@ -380,7 +398,32 @@ bool parseFirstLine(int const client, std::string const &request,	/*{{{*/
    // nuke the first character which is a / as we assured above
    filename.erase(0, 1);
    if (filename.empty() == true)
-      filename = ".";
+      filename = "./";
+   // support ~user/ uris to refer to /home/user/public_html/ as a kind-of special directory
+   else if (filename[0] == '~')
+   {
+      // /home/user is actually not entirely correct, but good enough for now
+      size_t dashpos = filename.find('/');
+      if (dashpos != std::string::npos)
+      {
+	 std::string home = filename.substr(1, filename.find('/') - 1);
+	 std::string pubhtml = filename.substr(filename.find('/') + 1);
+	 filename = "/home/" + home + "/public_html/" + pubhtml;
+      }
+      else
+	 filename = "/home/" + filename.substr(1) + "/public_html/";
+   }
+
+   // if no filename is given, but a valid directory see if we can use an index or
+   // have to resort to a autogenerated directory listing later on
+   if (DirectoryExists(filename) == true)
+   {
+      std::string const directoryIndex = _config->Find("aptwebserver::directoryindex");
+      if (directoryIndex.empty() == false && directoryIndex == flNotDir(directoryIndex) &&
+	    RealFileExists(filename + directoryIndex) == true)
+	 filename += directoryIndex;
+   }
+
    return true;
 }
 									/*}}}*/
@@ -427,6 +470,173 @@ bool handleOnTheFlyReconfiguration(int const client, std::string const &request,
    return false;
 }
 									/*}}}*/
+void * handleClient(void * voidclient)					/*{{{*/
+{
+   int client = *((int*)(voidclient));
+   std::clog << "ACCEPT client " << client << std::endl;
+   std::vector<std::string> messages;
+   while (ReadMessages(client, messages))
+   {
+      bool closeConnection = false;
+      for (std::vector<std::string>::const_iterator m = messages.begin();
+	    m != messages.end() && closeConnection == false; ++m) {
+	 std::clog << ">>> REQUEST from " << client << " >>>" << std::endl << *m
+	    << std::endl << "<<<<<<<<<<<<<<<<" << std::endl;
+	 std::list<std::string> headers;
+	 std::string filename;
+	 std::string params;
+	 bool sendContent = true;
+	 if (parseFirstLine(client, *m, filename, params, sendContent, closeConnection) == false)
+	    continue;
+
+	 // special webserver command request
+	 if (filename.length() > 1 && filename[0] == '_')
+	 {
+	    std::vector<std::string> parts = VectorizeString(filename, '/');
+	    if (parts[0] == "_config")
+	    {
+	       handleOnTheFlyReconfiguration(client, *m, parts);
+	       continue;
+	    }
+	 }
+
+	 // string replacements in the requested filename
+	 ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace");
+	 if (Replaces != NULL)
+	 {
+	    std::string redirect = "/" + filename;
+	    for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next)
+	       redirect = SubstVar(redirect, I->Tag, I->Value);
+	    redirect.erase(0,1);
+	    if (redirect != filename)
+	    {
+	       sendRedirect(client, 301, redirect, *m, sendContent);
+	       continue;
+	    }
+	 }
+
+	 ::Configuration::Item const *Overwrite = _config->Tree("aptwebserver::overwrite");
+	 if (Overwrite != NULL)
+	 {
+	    for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next)
+	    {
+	       regex_t *pattern = new regex_t;
+	       int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB);
+	       if (res != 0)
+	       {
+		  char error[300];
+		  regerror(res, pattern, error, sizeof(error));
+		  sendError(client, 500, *m, sendContent, error);
+		  continue;
+	       }
+	       if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0)
+	       {
+		  filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename);
+		  if (filename[0] == '/')
+		     filename.erase(0,1);
+		  regfree(pattern);
+		  break;
+	       }
+	       regfree(pattern);
+	    }
+	 }
+
+	 // deal with the request
+	 if (RealFileExists(filename) == true)
+	 {
+	    FileFd data(filename, FileFd::ReadOnly);
+	    std::string condition = LookupTag(*m, "If-Modified-Since", "");
+	    if (_config->FindB("aptwebserver::support::modified-since", true) == true && condition.empty() == false)
+	    {
+	       time_t cache;
+	       if (RFC1123StrToTime(condition.c_str(), cache) == true &&
+		     cache >= data.ModificationTime())
+	       {
+		  sendHead(client, 304, headers);
+		  continue;
+	       }
+	    }
+
+	    if (_config->FindB("aptwebserver::support::range", true) == true)
+	       condition = LookupTag(*m, "Range", "");
+	    else
+	       condition.clear();
+	    if (condition.empty() == false && strncmp(condition.c_str(), "bytes=", 6) == 0)
+	    {
+	       time_t cache;
+	       std::string ifrange;
+	       if (_config->FindB("aptwebserver::support::if-range", true) == true)
+		  ifrange = LookupTag(*m, "If-Range", "");
+	       bool validrange = (ifrange.empty() == true ||
+		     (RFC1123StrToTime(ifrange.c_str(), cache) == true &&
+		      cache <= data.ModificationTime()));
+
+	       // FIXME: support multiple byte-ranges (APT clients do not do this)
+	       if (condition.find(',') == std::string::npos)
+	       {
+		  size_t start = 6;
+		  unsigned long long filestart = strtoull(condition.c_str() + start, NULL, 10);
+		  // FIXME: no support for last-byte-pos being not the end of the file (APT clients do not do this)
+		  size_t dash = condition.find('-') + 1;
+		  unsigned long long fileend = strtoull(condition.c_str() + dash, NULL, 10);
+		  unsigned long long filesize = data.FileSize();
+		  if ((fileend == 0 || (fileend == filesize && fileend >= filestart)) &&
+			validrange == true)
+		  {
+		     if (filesize > filestart)
+		     {
+			data.Skip(filestart);
+			std::ostringstream contentlength;
+			contentlength << "Content-Length: " << (filesize - filestart);
+			headers.push_back(contentlength.str());
+			std::ostringstream contentrange;
+			contentrange << "Content-Range: bytes " << filestart << "-"
+			   << filesize - 1 << "/" << filesize;
+			headers.push_back(contentrange.str());
+			sendHead(client, 206, headers);
+			if (sendContent == true)
+			   sendFile(client, data);
+			continue;
+		     }
+		     else
+		     {
+			headers.push_back("Content-Length: 0");
+			std::ostringstream contentrange;
+			contentrange << "Content-Range: bytes */" << filesize;
+			headers.push_back(contentrange.str());
+			sendHead(client, 416, headers);
+			continue;
+		     }
+		  }
+	       }
+	    }
+
+	    addFileHeaders(headers, data);
+	    sendHead(client, 200, headers);
+	    if (sendContent == true)
+	       sendFile(client, data);
+	 }
+	 else if (DirectoryExists(filename) == true)
+	 {
+	    if (filename[filename.length()-1] == '/')
+	       sendDirectoryListing(client, filename, *m, sendContent);
+	    else
+	       sendRedirect(client, 301, filename.append("/"), *m, sendContent);
+	 }
+	 else
+	    sendError(client, 404, *m, sendContent);
+      }
+      _error->DumpErrors(std::cerr);
+      messages.clear();
+      if (closeConnection == true)
+	 break;
+   }
+   close(client);
+   std::clog << "CLOSE client " << client << std::endl;
+   return NULL;
+}
+									/*}}}*/
+
 int main(int const argc, const char * argv[])
 {
    CommandLine::Args Args[] = {
@@ -447,6 +657,9 @@ int main(int const argc, const char * argv[])
    // create socket, bind and listen to it {{{
    // ignore SIGPIPE, this can happen on write() if the socket closes connection
    signal(SIGPIPE, SIG_IGN);
+   // we don't care for our slaves, so ignore their death
+   signal(SIGCHLD, SIG_IGN);
+
    int sock = socket(AF_INET6, SOCK_STREAM, 0);
    if(sock < 0)
    {
@@ -514,178 +727,47 @@ int main(int const argc, const char * argv[])
 
    std::clog << "Serving ANY file on port: " << port << std::endl;
 
-   listen(sock, 1);
+   int const slaves = _config->FindB("aptwebserver::slaves", SOMAXCONN);
+   listen(sock, slaves);
    /*}}}*/
 
    _config->CndSet("aptwebserver::response-header::Server", "APT webserver");
    _config->CndSet("aptwebserver::response-header::Accept-Ranges", "bytes");
+   _config->CndSet("aptwebserver::directoryindex", "index.html");
 
-   std::vector<std::string> messages;
-   int client;
-   while ((client = accept(sock, NULL, NULL)) != -1)
-   {
-      std::clog << "ACCEPT client " << client
-		<< " on socket " << sock << std::endl;
+   std::list<int> accepted_clients;
 
-      while (ReadMessages(client, messages))
+   while (true)
+   {
+      int client = accept(sock, NULL, NULL);
+      if (client == -1)
       {
-	 bool closeConnection = false;
-	 for (std::vector<std::string>::const_iterator m = messages.begin();
-	      m != messages.end() && closeConnection == false; ++m) {
-	    std::clog << ">>> REQUEST >>>>" << std::endl << *m
-		      << std::endl << "<<<<<<<<<<<<<<<<" << std::endl;
-	    std::list<std::string> headers;
-	    std::string filename;
-	    bool sendContent = true;
-	    if (parseFirstLine(client, *m, filename, sendContent, closeConnection) == false)
-	       continue;
-
-	    // special webserver command request
-	    if (filename.length() > 1 && filename[0] == '_')
-	    {
-	       std::vector<std::string> parts = VectorizeString(filename, '/');
-	       if (parts[0] == "_config")
-	       {
-		  handleOnTheFlyReconfiguration(client, *m, parts);
-		  continue;
-	       }
-	    }
-
-	    // string replacements in the requested filename
-	    ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace");
-	    if (Replaces != NULL)
-	    {
-	       std::string redirect = "/" + filename;
-	       for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next)
-		  redirect = SubstVar(redirect, I->Tag, I->Value);
-	       redirect.erase(0,1);
-	       if (redirect != filename)
-	       {
-		  sendRedirect(client, 301, redirect, *m, sendContent);
-		  continue;
-	       }
-	    }
-
-	    ::Configuration::Item const *Overwrite = _config->Tree("aptwebserver::overwrite");
-	    if (Overwrite != NULL)
-	    {
-	       for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next)
-	       {
-		  regex_t *pattern = new regex_t;
-		  int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB);
-		  if (res != 0)
-		  {
-		     char error[300];
-		     regerror(res, pattern, error, sizeof(error));
-		     sendError(client, 500, *m, sendContent, error);
-		     continue;
-		  }
-		  if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0)
-		  {
-		      filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename);
-		      if (filename[0] == '/')
-			 filename.erase(0,1);
-		      regfree(pattern);
-		      break;
-		  }
-		  regfree(pattern);
-	       }
-	    }
-
-	    // deal with the request
-	    if (RealFileExists(filename) == true)
-	    {
-	       FileFd data(filename, FileFd::ReadOnly);
-	       std::string condition = LookupTag(*m, "If-Modified-Since", "");
-	       if (condition.empty() == false)
-	       {
-		  time_t cache;
-		  if (RFC1123StrToTime(condition.c_str(), cache) == true &&
-			cache >= data.ModificationTime())
-		  {
-		     sendHead(client, 304, headers);
-		     continue;
-		  }
-	       }
-
-	       if (_config->FindB("aptwebserver::support::range", true) == true)
-		  condition = LookupTag(*m, "Range", "");
-	       else
-		  condition.clear();
-	       if (condition.empty() == false && strncmp(condition.c_str(), "bytes=", 6) == 0)
-	       {
-		  time_t cache;
-		  std::string ifrange;
-		  if (_config->FindB("aptwebserver::support::if-range", true) == true)
-		     ifrange = LookupTag(*m, "If-Range", "");
-		  bool validrange = (ifrange.empty() == true ||
-			(RFC1123StrToTime(ifrange.c_str(), cache) == true &&
-			 cache <= data.ModificationTime()));
-
-		  // FIXME: support multiple byte-ranges (APT clients do not do this)
-		  if (condition.find(',') == std::string::npos)
-		  {
-		     size_t start = 6;
-		     unsigned long long filestart = strtoull(condition.c_str() + start, NULL, 10);
-		     // FIXME: no support for last-byte-pos being not the end of the file (APT clients do not do this)
-		     size_t dash = condition.find('-') + 1;
-		     unsigned long long fileend = strtoull(condition.c_str() + dash, NULL, 10);
-		     unsigned long long filesize = data.FileSize();
-		     if ((fileend == 0 || (fileend == filesize && fileend >= filestart)) &&
-			   validrange == true)
-		     {
-			if (filesize > filestart)
-			{
-			   data.Skip(filestart);
-			   std::ostringstream contentlength;
-			   contentlength << "Content-Length: " << (filesize - filestart);
-			   headers.push_back(contentlength.str());
-			   std::ostringstream contentrange;
-			   contentrange << "Content-Range: bytes " << filestart << "-"
-			      << filesize - 1 << "/" << filesize;
-			   headers.push_back(contentrange.str());
-			   sendHead(client, 206, headers);
-			   if (sendContent == true)
-			      sendFile(client, data);
-			   continue;
-			}
-			else
-			{
-			   headers.push_back("Content-Length: 0");
-			   std::ostringstream contentrange;
-			   contentrange << "Content-Range: bytes */" << filesize;
-			   headers.push_back(contentrange.str());
-			   sendHead(client, 416, headers);
-			   continue;
-			}
-		     }
-		  }
-	       }
+	 if (errno == EINTR)
+	    continue;
+	 _error->Errno("accept", "Couldn't accept client on socket %d", sock);
+	 _error->DumpErrors(std::cerr);
+	 return 6;
+      }
 
-	       addFileHeaders(headers, data);
-	       sendHead(client, 200, headers);
-	       if (sendContent == true)
-		  sendFile(client, data);
-	    }
-	    else if (DirectoryExists(filename) == true)
-	    {
-	       if (filename == "." || filename[filename.length()-1] == '/')
-		  sendDirectoryListing(client, filename, *m, sendContent);
-	       else
-		  sendRedirect(client, 301, filename.append("/"), *m, sendContent);
-	    }
-	    else
-	       sendError(client, 404, *m, sendContent);
-	 }
+      pthread_attr_t attr;
+      if (pthread_attr_init(&attr) != 0 || pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) != 0)
+      {
+	 _error->Errno("pthread_attr", "Couldn't set detach attribute for a fresh thread to handle client %d on socket %d", client, sock);
 	 _error->DumpErrors(std::cerr);
-	 messages.clear();
-	 if (closeConnection == true)
-	    break;
+	 close(client);
+	 continue;
       }
 
-      std::clog << "CLOSE client " << client
-		<< " on socket " << sock << std::endl;
-      close(client);
+      pthread_t tid;
+      // thats rather dirty, but we need to store the client socket somewhere safe
+      accepted_clients.push_front(client);
+      if (pthread_create(&tid, &attr, &handleClient, &(*accepted_clients.begin())) != 0)
+      {
+	 _error->Errno("pthread_create", "Couldn't create a fresh thread to handle client %d on socket %d", client, sock);
+	 _error->DumpErrors(std::cerr);
+	 close(client);
+	 continue;
+      }
    }
    pidfile.Close();
 
diff --git a/test/interactive-helper/makefile b/test/interactive-helper/makefile
index f43df97e3..8dc014b98 100644
--- a/test/interactive-helper/makefile
+++ b/test/interactive-helper/makefile
@@ -41,7 +41,7 @@ include $(PROGRAM_H)
 
 # Program for testing udevcdrom
 PROGRAM=aptwebserver
-SLIBS = -lapt-pkg
+SLIBS = -lapt-pkg -lpthread
 LIB_MAKES = apt-pkg/makefile
 SOURCE = aptwebserver.cc
 include $(PROGRAM_H)
diff --git a/test/libapt/makefile b/test/libapt/makefile
index 73403b24c..a8e053d6e 100644
--- a/test/libapt/makefile
+++ b/test/libapt/makefile
@@ -111,3 +111,9 @@ SLIBS = -lapt-pkg
 SOURCE = tagfile_test.cc
 include $(PROGRAM_H)
 
+# test sourcelist
+PROGRAM = SourceList${BASENAME}
+SLIBS = -lapt-pkg
+SOURCE = sourcelist_test.cc
+include $(PROGRAM_H)
+
diff --git a/test/libapt/sourcelist_test.cc b/test/libapt/sourcelist_test.cc
new file mode 100644
index 000000000..6e83d08e0
--- /dev/null
+++ b/test/libapt/sourcelist_test.cc
@@ -0,0 +1,52 @@
+#include <apt-pkg/sourcelist.h>
+#include <apt-pkg/tagfile.h>
+
+#include "assert.h"
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+char *tempfile = NULL;
+int tempfile_fd = -1;
+
+void remove_tmpfile(void)
+{
+   if (tempfile_fd > 0)
+      close(tempfile_fd);
+   if (tempfile != NULL) {
+      unlink(tempfile);
+      free(tempfile);
+   }
+}
+
+int main(int argc, char *argv[])
+{
+   const char contents[] = ""
+      "Type: deb\n"
+      "URL: http://ftp.debian.org/debian\n"
+      "Dist: stable\n"
+      "Section: main\n"
+      "Comment: Some random string\n"
+      " that can be very long\n"
+      "\n"
+      "Type: deb\n"
+      "URL: http://ftp.debian.org/debian\n"
+      "Dist: unstable\n"
+      "Section: main non-free\n"
+      ;
+
+   FileFd fd;
+   tempfile = strdup("apt-test.XXXXXXXX");
+   tempfile_fd = mkstemp(tempfile);
+
+   /* (Re-)Open (as FileFd), write and seek to start of the temp file */
+   equals(fd.OpenDescriptor(tempfile_fd, FileFd::ReadWrite), true);
+   equals(fd.Write(contents, strlen(contents)), true);
+   equals(fd.Seek(0), true);
+
+   pkgSourceList sources(tempfile);
+   equals(sources.size(), 2);
+
+   /* clean up handled by atexit handler, so just return here */
+   return 0;
+}
diff --git a/vendor/debian/apt-vendor.ent b/vendor/debian/apt-vendor.ent
new file mode 100644
index 000000000..6cda5995c
--- /dev/null
+++ b/vendor/debian/apt-vendor.ent
@@ -0,0 +1,7 @@
+<!-- details about the keys used by the distribution -->
+<!ENTITY keyring-distro "Debian">
+<!ENTITY keyring-package "<package>debian-archive-keyring</package>">
+<!ENTITY keyring-filename "<filename>/usr/share/keyrings/debian-archive-keyring.gpg</filename>">
+<!ENTITY keyring-removed-filename "<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>">
+<!ENTITY keyring-master-filename "">
+<!ENTITY keyring-uri "">
diff --git a/vendor/debian/makefile b/vendor/debian/makefile
new file mode 100644
index 000000000..dd35a70f0
--- /dev/null
+++ b/vendor/debian/makefile
@@ -0,0 +1,11 @@
+# -*- make -*-
+BASE=../..
+SUBDIR=vendor/debian
+
+# Bring in the default rules
+include ../../buildlib/defaults.mak
+
+doc: sources.list
+
+sources.list: sources.list.in ../../doc/apt-verbatim.ent
+	sed -e 's#&stable-codename;#$(shell ../getinfo debian-stable-codename)#g' $< > $@
diff --git a/vendor/debian/sources.list.in b/vendor/debian/sources.list.in
new file mode 100644
index 000000000..745e32cbe
--- /dev/null
+++ b/vendor/debian/sources.list.in
@@ -0,0 +1,8 @@
+# See sources.list(5) manpage for more information
+# Remember that CD-ROMs, DVDs and such are managed through the apt-cdrom tool.
+deb http://ftp.us.debian.org/debian &stable-codename; main contrib non-free
+deb http://security.debian.org &stable-codename;/updates main contrib non-free
+
+# Uncomment if you want the apt-get source function to work
+#deb-src http://ftp.us.debian.org/debian &stable-codename; main contrib non-free
+#deb-src http://security.debian.org &stable-codename;/updates main contrib non-free
diff --git a/vendor/getinfo b/vendor/getinfo
new file mode 100755
index 000000000..ac816e10e
--- /dev/null
+++ b/vendor/getinfo
@@ -0,0 +1,36 @@
+#!/bin/sh
+# small helper to extract information form *.ent files
+
+BASEDIR="$(readlink -f "$(dirname $0)")"
+INFO="$(readlink -f "${BASEDIR}/current/apt-vendor.ent")"
+
+if [ -z "$INFO" ] || [ ! -e "$INFO" ]; then
+	echo >&2 'The current vendor is not valid or not chosen by the buildsystem yet.'
+	exit 1
+fi
+
+getrawfield() {
+	grep --max-count=1 "^<!ENTITY $1 \"" "${2:-$INFO}" | cut -d'"' -f 2
+}
+
+getfield() {
+	local FIELD="$(getrawfield "$@")"
+	FIELD="${FIELD#*>}"
+	echo "${FIELD%<*}"
+}
+
+case "$1" in
+debian-stable-codename)
+	getrawfield 'stable-codename' "${BASEDIR}/../doc/apt-verbatim.ent"
+	;;
+ubuntu-codename)
+	getrawfield 'stable-codename' "${BASEDIR}/../doc/apt-verbatim.ent"
+	;;
+keyring-package|keyring-filename|keyring-master-filename|keyring-removed-filename|keyring-uri)
+	getfield "$1"
+	;;
+*)
+	echo >&2 "Unknown data field $1 requested"
+	exit 2
+	;;
+esac
diff --git a/vendor/makefile b/vendor/makefile
new file mode 100644
index 000000000..a6d53abd0
--- /dev/null
+++ b/vendor/makefile
@@ -0,0 +1,42 @@
+# -*- make -*-
+BASE=..
+SUBDIR=vendor
+
+# Bring in the default rules
+include ../buildlib/defaults.mak
+
+all headers library binary program doc manpages debiandoc test update-po startup dirs: current
+all: all/subdirs
+binary: binary/subdirs
+doc: doc/subdirs
+clean: clean/subdirs
+veryclean: veryclean/subdirs
+dirs: dirs/subdirs
+
+all/subdirs binary/subdirs doc/subdirs dirs/subdirs:
+	$(MAKE) -C current $(patsubst %/subdirs,%,$@)
+
+clean/subdirs veryclean/subdirs:
+	test ! -e current || $(MAKE) -C current $(patsubst %/subdirs,%,$@)
+
+current:
+	rm -f $@
+	# search for an exact match to use the correct sources.list example
+	find -mindepth 1 -maxdepth 1 -type d | cut -d'/' -f 2 | while read DISTRO; do \
+		if dpkg-vendor --is $$DISTRO; then \
+			ln -s $$DISTRO $@; \
+			break; \
+		fi; \
+	done
+	# if we haven't found a specific, look for a deriving in hardcoded order
+	test -e $@ || \
+		(dpkg-vendor --derives-from ubuntu && cp ln -s ubuntu $@ ) || \
+		ln -s debian $@
+
+.PHONY: clean veryclean all binary vendor
+
+clean: clean/current
+
+clean/current:
+	test ! -e current || $(MAKE) -C current clean
+	rm -f current
diff --git a/vendor/ubuntu/apt-vendor.ent b/vendor/ubuntu/apt-vendor.ent
new file mode 100644
index 000000000..caa532699
--- /dev/null
+++ b/vendor/ubuntu/apt-vendor.ent
@@ -0,0 +1,7 @@
+<!-- details about the keys used by the distribution -->
+<!ENTITY keyring-distro "Ubuntu">
+<!ENTITY keyring-package "<package>ubuntu-keyring</package>">
+<!ENTITY keyring-filename "<filename>/usr/share/keyrings/ubuntu-archive-keyring.gpg</filename>">
+<!ENTITY keyring-removed-filename "<filename>/usr/share/keyrings/ubuntu-archive-removed-keys.gpg</filename>">
+<!ENTITY keyring-master-filename "/usr/share/keyrings/ubuntu-master-keyring.gpg">
+<!ENTITY keyring-uri "http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg">
diff --git a/vendor/ubuntu/makefile b/vendor/ubuntu/makefile
new file mode 100644
index 000000000..ea67e6e63
--- /dev/null
+++ b/vendor/ubuntu/makefile
@@ -0,0 +1,11 @@
+# -*- make -*-
+BASE=../..
+SUBDIR=vendor/ubuntu
+
+# Bring in the default rules
+include ../../buildlib/defaults.mak
+
+doc: sources.list
+
+sources.list: sources.list.in ../../doc/apt-verbatim.ent
+	sed -e 's#&ubuntu-codename;#$(shell ../getinfo ubuntu-codename)#g' $< > $@
diff --git a/vendor/ubuntu/sources.list.in b/vendor/ubuntu/sources.list.in
new file mode 100644
index 000000000..b9aa8c3d0
--- /dev/null
+++ b/vendor/ubuntu/sources.list.in
@@ -0,0 +1,10 @@
+ # See sources.list(5) manpage for more information
+ # Remember that CD-ROMs, DVDs and such are managed through the apt-cdrom tool.
+deb http://us.archive.ubuntu.com/ubuntu &ubuntu-codename; main restricted
+deb-src http://us.archive.ubuntu.com/ubuntu &ubuntu-codename; main restricted
+
+deb http://security.ubuntu.com/ubuntu &ubuntu-codename;-security main restricted
+deb-src http://security.ubuntu.com/ubuntu &ubuntu-codename;-security main restricted
+
+deb http://us.archive.ubuntu.com/ubuntu &ubuntu-codename;-updates main restricted
+deb-src http://us.archive.ubuntu.com/ubuntu &ubuntu-codename;-updates main restricted