Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago

RFC 7858 explicitly defines an out-of-band key pinning profile as one
authentication mechanism.  It uses the same format for representing
the pin as HPKP does (RFC 7469).

By logging this pin directly upon first use of the X.509 credentials,
we make it a little bit easier for an admin to publish part of a
pinset.

For ideal operation (including preparation for key rollover), a backup
public key should also be provided, but this is not defined
functionally here.

this change introduces new API for cache backends,
that is a subset of knot_db_api_t from libknot
with several cache-specific operations

major changes are:
* merged 'cachectl' module into 'cache' as it is
  99% default-on and it simplifies things
* not transaction oriented, transactions may be
  reused and cached for higher performance
* scatter/gather API, this is important for
  latency and performance of non-local backends
  like Redis
* faster and reliable cache clearing
* cache-specific operations (prefix scan, ...) in
  the API not hacked in
* simpler code for both backends and caller

by default, build system attempts to use LMDB
from the system. however if it's not found or
the version is too old, it uses the built-in
snapshot in contrib

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

* PIE,RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed

this is needed to make sure it always compiles with PIC

amalgamated build concatenates all files into a single .c file to
allow compiler see all symbols and produce possibly smaller code.
for binary distributions this is what you want, as it's faster but
may consume more memory during compilation.
it however cannot do incremental builds.

previously cryptolib random function was used to generate message id,
this works well but it is slow especially when the entropy is low,
replaced with cryptographically safe prng ISAAC

the ccan directory is going to be used in the future, as it's include
structure makes it easy to embed C snippets instead of reimplementing
them