Fixed
* Warning about cycles for packages providing and at the same time
  conflicting with some other package
* Configure script now checks if uthash is available

The reason is that Conflicts are included as negative dependencies but
to allows flow that package can Conflict and at the same time Provide
specific package (to do effectively replacement) it is implemented as
negative dependency for any version. Version dependencies are satisfied
only by packages of exact name, not by provided packages (for obvious
reasons as Provided packages do not have same versioning scheme).

Fix is that we pass to planning function version limitation of
dependency and plan package only if that is fulfilled by candidate
selected for given group.

We are using uthash.h and we should check if we have it available in
configure.ac.

This is release to only fix build because of missing submodule.

Changed
* Lunit submodule now points to new Github repository

Original repository seems to be no longer accessible. The webside links
to github repo now so this is replacement to that repo.

This improves reporting about action to be performed. Now user is
informed in more standard way if package is new or if it is modification
(and what kind of modification) of installed version.

This extends list of fields checked for reinstall to not only Version
but also to Architecture, LinkSignature, Depends, Conflicts, Provides.

There are two reasons why we want to have these:

First reason applies on Architecture, Depends, Conflicts and Provides.
Those trigger update to get package information in sync with repository.
Updater runs planning against repository so this has no effect but in
the end if someone forgets to bump package but modifies dependencies for
example then we reinstall package anyway.

Second reason to reinstall package applies on LinkSignature and that is
field inserted with hash generated from dynamic linker information
collected for package. When this hash changes then link dependencies
changed and even if version is same we have to reinstall such package as
it most probably won't work with updated dependencies.

As a tinny bonus logs now contain info about version or any other field
if the differ and that way info about the reason to reinstall given
package.

We are grabing scripts output including stderr and because of that we
can't trace childs. Instead we make it so most of our code runs without
fork.

This reverts commit cd44f638.

We can't do this as we are checking output of childs in subprocess and
valgrind taints stderr output with its output.

We have problem with libb64 on ARM (it effectively does not work).
Updater is already linked against OpenSSL so why not use it for that as
well. The API for it is not exactly clean so it is wrapped in its own
file but otherwise it is clean solution as it removes dependency and
reuses existing one.

There can be sunsequent lines although it is not part of standard.
Accepting those and ignoring them fixes possible problem with invalid
signature read as size might not match.

This adds more descriptive debug messages to check for cause of
signature verification fail.

This was causing that long files were not correctly verified. The files
bigger than 2^8 were just considered as broken as size wasn't provided
properly.

I have no idea why it was passing previously but this is obviously
wrong.

Checking for lua with version 5.1 is required for systems with single
version of Lua while lua5.1 is required for those providing multiple
versions.

AC_CHECK_FILE works only if cross compilation is not performed. The
reason is that it tries to check for existence of file on native system.

We want check if argument is file so implement check doing exactly that
with plain test.

This removes all mentions and usage from codebase.

Usign usage was replaced with openssl in updater now so we no longer
need usign itself as well as we no longer need to build it or have it in
runtime.

This is just minor tweak of build system.

This rules was ignoring also src/* directories.

This is so we can better test it.

This also reverts old behavior of checking for SHA256Sum on top of new
SHA256sum.

This servers two purposes. It warns repository creators that their
repository is not potentially correctly setup and it also warns
updater's developers about faults in verification. It is not required
that all packages should be essentially verified but it is best advised
to be.

This is major problem as packages were not verified thanks to this
error.

Download retries are flawed because if some data is downloaded and later
download is started again the new data is appended to old data. This
means that result is invalid even if new download was successful.

One option would be to truncate output for retry but output can be not
only file but effectively any buffer. I am not aware of easy way to
truncate FILE. We can truncate real file but it seems that there is no
way to truncate memory objects such as created using fopencookie.

It is also questionable if retries were even usable for anything. Curl
on its own tries to reestablish connection and letting it on Curl is in
general even cleaner than doing some hacks.

It is not possible to universally call :path() on URIs as not all of
them are of file scheme. Instead :uri() should have been called here to
get URI representation.

This also not essentially downloading URI. It just receives it no matter
what kind of URI it is so message about download is miss leading
(although in most cases valid).

It was useful while it lasted but we no longer need it. It was intended
only as temporally utility while we are using file based certificates
handling. With memory provided certificates we no longer need this.