Update NEWS for 2.4.0

4 files changed, 109 insertions, 12 deletions

diff --git a/NEWS b/NEWS
index 47142e7e3..ab10c9409 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,69 @@
-Noteworthy changes in version 2.3.9 (unreleased)
+Noteworthy changes in version 2.4.0 (unreleased)
 ------------------------------------------------
 
+  * gpg: New command --quick-update-pref.  [rGd40d23b233]
+
+  * gpg: New list-options show-pref and show-pref-verbose.
+    [rG811cfa34cb]
+
+  * gpg: New option --list-filter to restrict key listings like
+      gpg -k --list-filter 'select=revoked-f && sub/algostr=ed25519'
+    [rG1324dc3490]
+
+  * gpg: New --export-filter export-revocs.  [rGc985b52e71]
+
+  * gpg: Also import stray revocation certificates.  [rG7aaedfb107]
+
+  * gpg: Add a notation to encryption subkeys in de-vs mode.  [T6279]
+
+  * gpg: Improve signature verification speed by a factor of more than
+    four.  Double detached signing speed.  [T5826]
+
+  * gpg: Allow only OCB for AEAD encryption.  [rG5a2cef801d]
+
+  * gpg: Fix trusted introducer for mbox only user-ids.  [T6238]
+
+  * gpg: Report an error via status-fd for receiving a key from the
+    agent.  [T5151]
+
+  * gpg: Make --require-compliance work without the --status-fd
+    option.  [rG2aacd843ad]
+
+  * gpg: Fix verification of cleartext signatures with overlong lines.
+    [T6272]
+
+  * agent: Fix import of protected OpenPGP v5 keys.  [T6294]
+
+  * gpgsm: Change the default cipher algorithm from AES128 to AES256.
+    Also announce support for this in signatures.  [rG2d8ac55d26]
+
+  * gpgsm: Always use the chain validation model if the root-CA
+    requests this.  [rG7fa1d3cc82]
+
+  * gpgsm: Print OCSP revocation date and reason in cert listings.
+    [rGb6abaed2b5]
+
+  * agent: Support Win32-OpenSSH emulation by gpg-agent.  [T3883]
+
+  * scd: Support the Telesec Signature Card v2.0.  [T6252]
+
+  * scd: Redact --debug cardio output of a VERIFY APDU.  [T5085]
+
+  * scd: Skip deleted pkcs#15 records in CARDOS 5.  [rG061efac03f]
+
+  * dirmngr: Fix build with no LDAP support.  [T6239]
+
+  * dirmngr: Fix verification of ECDSA signed CRLs.  [rG868dabb402]
+
+  * wkd: New option --add-revocs for gpg-wks-client.  [rGc3f9f2d497]
+
+  * wkd: Ignore expired user-ids in gpg-wks-client.  [T6292]
+
+  * card: New commands "gpg" and "gpgsm".  [rG9c4691c73e]
+
+  See-also: gnupg-announce/2022q4/000477.html
+  Release-info: https://dev.gnupg.org/T6303
+
 
 Noteworthy changes in version 2.3.8 (2022-10-13)
 ------------------------------------------------
@@ -61,6 +124,7 @@ Noteworthy changes in version 2.3.8 (2022-10-13)
     GNUPG_EXEC_DEBUG_FLAGS is used.  [rG4ef8516a79]
 
   Release-info: https://dev.gnupg.org/T6106
+  See-also: gnupg-announce/2022q4/000476.html
 
 
 Noteworthy changes in version 2.3.7 (2022-07-11)
@@ -142,6 +206,7 @@ Noteworthy changes in version 2.3.7 (2022-07-11)
   * gpgconf: New short options -V and -X
 
   Release-info: https://dev.gnupg.org/T5947
+  See-also: gnupg-announce/2022q3/000474.html
 
 
 Noteworthy changes in version 2.3.6 (2022-04-25)
@@ -1469,6 +1534,12 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
 Release dates of 2.2 versions
 -----------------------------
 
+Version 2.2.40 (2022-10-10) https://dev.gnupg.org/T6181
+Version 2.2.39 (2022-09-02) https://dev.gnupg.org/T6175
+Version 2.2.38 (2022-09-01) https://dev.gnupg.org/T6159
+Version 2.2.37 (2022-08-24) https://dev.gnupg.org/T6105
+Version 2.2.36 (2022-07-06) https://dev.gnupg.org/T5949
+Version 2.2.35 (2022-04-25) https://dev.gnupg.org/T5928
 Version 2.2.34 (2022-02-07) https://dev.gnupg.org/T5703
 Version 2.2.33 (2021-11-23) https://dev.gnupg.org/T5641
 Version 2.2.32 (2021-10-06) https://dev.gnupg.org/T5601
diff --git a/README b/README
index 299bf1001..3ee5cf454 100644
--- a/README
+++ b/README
@@ -1,6 +1,6 @@
                        The GNU Privacy Guard 2
                       =========================
-                            Version 2.3
+                            Version 2.4
 
           Copyright 1997-2019 Werner Koch
           Copyright 1998-2021 Free Software Foundation, Inc.
@@ -27,7 +27,7 @@
 
 * BUILD INSTRUCTIONS
 
-  GnuPG 2.3 depends on the following GnuPG related packages:
+  GnuPG 2.4 depends on the following GnuPG related packages:
 
     npth         (https://gnupg.org/ftp/gcrypt/npth/)
     libgpg-error (https://gnupg.org/ftp/gcrypt/libgpg-error/)
@@ -74,7 +74,7 @@
 
   You may run
 
-    gpgconf --list-dirs
+    gpgconf -L
 
   to view the directories used by GnuPG.
 
@@ -113,6 +113,31 @@
 
 * RECOMMENDATIONS
 
+** Key database daemon
+
+  Since version 2.3.0 it is possible to store the keys in an SQLite
+  database instead of the keyring.kbx file.  This is in particular
+  useful for large keyrings or if many instances of gpg and gpgsm may
+  run concurrently.  This is implemented using another daemon process,
+  the "keyboxd".  To enable the use of the keyboxd put the option
+  "use-keyboxd" into the configuration file ~/.gnupg/common.conf or the
+  global /etc/gnupg/common.conf.  See also doc/examples/common.conf.
+  Only public keys and X.509 certificates are managed by the keyboxd;
+  private keys are still stored as separate files.
+
+  Note that there is no automatic migration; if the use-keyboxd option
+  is enabled keys are not taken from pubring.kbx.  To migrate existing
+  keys to the keyboxd do this:
+
+  1. Disable the keyboxd (remove use-keyboxd from common.conf)
+  2. Export all public keys
+       gpg --export --export-options backup  > allkeys.gpg
+       gpgsm --export --armor                > allcerts.gpg
+  3. Enable the keyboxd (add use-keyboxd to common.conf)
+  4. Import all public keys
+       gpg --import --import-options restore < allkeys.gpg
+       gpgsm --import                        < allcerts.crt
+
 ** Socket directory
 
   GnuPG uses Unix domain sockets to connect its components (on Windows
@@ -203,8 +228,7 @@
   offers see https://gnupg.org/service.html .  Maintaining and
   improving GnuPG requires a lot of time.  Since 2001, g10 Code GmbH,
   a German company owned and headed by GnuPG's principal author Werner
-  Koch, is bearing the majority of these costs.  To keep GnuPG in a
-  healthy state, they need your support.
+  Koch, is bearing the majority of these costs.
 
 # This file is Free Software; as a special exception the authors gives
 # unlimited permission to copy and/or distribute it, with or without
diff --git a/configure.ac b/configure.ac
index 09957465e..099c6a899 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 # configure.ac - for GnuPG 2.1
 # Copyright (C) 1998-2019 Werner Koch
 # Copyright (C) 1998-2021 Free Software Foundation, Inc.
-# Copyright (C) 2003-2021 g10 Code GmbH
+# Copyright (C) 2003-2022 g10 Code GmbH
 #
 # This file is part of GnuPG.
 #
@@ -28,8 +28,8 @@ min_automake_version="1.16.3"
 # another commit and push so that the git magic is able to work.
 m4_define([mym4_package],[gnupg])
 m4_define([mym4_major], [2])
-m4_define([mym4_minor], [3])
-m4_define([mym4_micro], [9])
+m4_define([mym4_minor], [4])
+m4_define([mym4_micro], [0])
 
 # To start a new development series, i.e a new major or minor number
 # you need to mark an arbitrary commit before the first beta release
@@ -63,7 +63,7 @@ NEED_LIBASSUAN_API=2
 NEED_LIBASSUAN_VERSION=2.5.0
 
 NEED_KSBA_API=1
-NEED_KSBA_VERSION=1.3.4
+NEED_KSBA_VERSION=1.6.3
 
 NEED_NTBTLS_API=1
 NEED_NTBTLS_VERSION=0.1.0
diff --git a/doc/gpg.texi b/doc/gpg.texi
index a50252d38..804ecf94a 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1754,7 +1754,8 @@ Set what trust model GnuPG should follow. The models are:
   @item tofu
   @opindex trust-model:tofu
   @anchor{trust-model-tofu}
-  TOFU stands for Trust On First Use.  In this trust model, the first
+  TOFU stands for Trust On First Use.  In this experimental trust
+  model, the first
   time a key is seen, it is memorized.  If later another key with a
   user id with the same email address is seen, both keys are marked as
   suspect.  In that case, the next time either is used, a warning is
@@ -1803,7 +1804,8 @@ Set what trust model GnuPG should follow. The models are:
 
   @item tofu+pgp
   @opindex trust-model:tofu+pgp
-  This trust model combines TOFU with the Web of Trust.  This is done
+  This experimental trust model combines TOFU with the Web of Trust.
+  This is done
   by computing the trust level for each model and then taking the
   maximum trust level where the trust levels are ordered as follows:
   @code{unknown < undefined < marginal < fully < ultimate < expired <