-Merge branch 'master' of ssh://gnunet.org/gnunet into gsoc2018/rest_api

174 files changed, 6260 insertions, 4504 deletions

diff --git a/.gitignore b/.gitignore
index 46dc14a98..0959a9597 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,7 +41,6 @@ INSTALL
 confdefs.h
 confdefs.c
 confdefs.err
-guix-env-gillmann.scm
 src/namestore/test_namestore_api_zone_to_name
 src/credential/gnunet-credential
 src/credential/gnunet-service-credential
diff --git a/Makefile.am b/Makefile.am
index 45a693ac9..ad32cf920 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,8 +3,11 @@ AM_CPPFLAGS = -I$(top_srcdir)/src/include
 
 if DOCUMENTATION_ONLY
   SUBDIRS = doc
-else
-  SUBDIRS = doc m4 src po pkgconfig
+else 
+  SUBDIRS = m4 src po pkgconfig
+if DOCUMENTATION
+  SUBDIRS += doc
+endif
 endif
 
 if !TALER_ONLY
diff --git a/configure.ac b/configure.ac
index fc44dcf5a..c7314d765 100644
--- a/configure.ac
+++ b/configure.ac
@@ -208,14 +208,52 @@ AC_PATH_TARGET_TOOL(VAR_IPTABLES_BINARY, iptables, false)
 
 if test x"$VAR_IPTABLES_BINARY" != x"false"
 then
+  if test -x "/sbin/iptables"
+  then
+    VAR_IPTABLES_BINARY="/sbin/iptables"
+  elif test -x "/usr/sbin/iptables"
+  then
+    VAR_IPTABLES_BINARY="/usr/sbin/iptables"
+  fi
+fi
+
+if test x"$VAR_IPTABLES_BINARY" != x"false"
+then
 AC_DEFINE_UNQUOTED([IPTABLES], "$VAR_IPTABLES_BINARY", [Path to iptables])
 else
 AC_MSG_WARN([warning: 'iptables' not found.])
 fi
 
+AC_PATH_TARGET_TOOL(VAR_IFCONFIG_BINARY, ifconfig, false)
 
 AC_CHECK_PROG(VAR_IFCONFIG_BINARY, ifconfig, true, false)
+if test x"$VAR_IFCONFIG_BINARY" != x"false"
+then
+  if test -x "/sbin/ifconfig"
+  then
+    VAR_IFCONFIG_BINARY="/sbin/ifconfig"
+  elif test -x "/usr/sbin/ifconfig"
+  then
+    VAR_IFCONFIG_BINARY="/usr/sbin/ifconfig"
+  fi
+fi
+if test x"$VAR_IFCONFIG_BINARY" != x"false"
+then
+AC_DEFINE_UNQUOTED([IFCONFIG], "$VAR_IFCONFIG_BINARY", [Path to ifconfig])
+else
 AC_MSG_WARN([warning: 'ifconfig' not found.])
+fi
+
+
+# miniupnpc / upnpc binary is a soft runtime requirement
+AC_PATH_TARGET_TOOL(VAR_UPNPC_BINARY, upnpc, false)
+
+if test x"$VAR_UPNPC_BINARY" != x"false"
+then
+AC_DEFINE_UNQUOTED([UPNPC], "$VAR_UPNPC_BINARY", [Path to upnpc binary])
+else
+AC_MSG_WARN([warning: 'upnpc' binary not found.])
+fi
 
 AC_CHECK_MEMBER(struct tm.tm_gmtoff,
   [AC_DEFINE(HAVE_TM_GMTOFF, 1,
@@ -639,7 +677,7 @@ AC_CHECK_LIB([kstat],[kstat_open])
 # should the build process be building the documentation?
 AC_MSG_CHECKING(whether to build documentation)
 AC_ARG_ENABLE([documentation],
-   [AS_HELP_STRING([--enable-documentation], [build the documentation])],
+   [AS_HELP_STRING([--disable-documentation], [do not build the documentation])],
    [documentation=${enableval}],
    [documentation=yes])
 AC_MSG_RESULT($documentation)
@@ -921,7 +959,7 @@ postgres=false
 # even running the check for postgres breaks emscripten ...
 if test "$taler_only" != yes; then
   AX_LIB_POSTGRESQL([9.5])
-  if test "$found_postgresql" = "yes"; then
+  if test "x$found_postgresql" = "xyes"; then
     CPPFLAGS="$CPPFLAGS $POSTGRESQL_CPPFLAGS"
     AC_CHECK_HEADERS([libpq-fe.h],
       postgres=true)
@@ -1713,7 +1751,6 @@ src/testing/Makefile
 src/topology/Makefile
 src/transport/Makefile
 src/transport/transport.conf
-src/tun/Makefile
 src/util/Makefile
 src/util/resolver.conf
 src/vpn/Makefile
@@ -1736,8 +1773,6 @@ pkgconfig/gnunetdatacache.pc
 pkgconfig/gnunetdatastore.pc
 pkgconfig/gnunetdht.pc
 pkgconfig/gnunetdns.pc
-pkgconfig/gnunetdnsparser.pc
-pkgconfig/gnunetdnsstub.pc
 pkgconfig/gnunetdv.pc
 pkgconfig/gnunetenv.pc
 pkgconfig/gnunetfragmentation.pc
@@ -1766,7 +1801,6 @@ pkgconfig/gnunetstatistics.pc
 pkgconfig/gnunettestbed.pc
 pkgconfig/gnunettesting.pc
 pkgconfig/gnunettransport.pc
-pkgconfig/gnunettun.pc
 pkgconfig/gnunetutil.pc
 pkgconfig/gnunetvpn.pc
 ])
@@ -1811,6 +1845,10 @@ then
   AC_MSG_NOTICE([WARNING: jansson library not found.  json support will not be compiled.])
 fi
 
+#
+# FIXME: `some modules' -> be more specific which exact modules.
+#
+
 # warn user if iptables is not found
 if test "$VAR_IPTABLES_BINARY" = "false"
 then
@@ -1823,6 +1861,12 @@ then
 AC_MSG_NOTICE([WARNING: ifconfig not found. some modules may not have full functionality.])
 fi
 
+# warn user if upnpc binary is not found
+if test "$VAR_UPNPC_BINARY" = "false"
+then
+AC_MSG_NOTICE([WARNING: upnpc binary not found. some modules may not have full functionality.])
+fi
+
 #gnutls
 if test x$gnutls != xtrue
 then
diff --git a/contrib/.gitignore b/contrib/.gitignore
index 304706d7e..d6ef469ba 100644
--- a/contrib/.gitignore
+++ b/contrib/.gitignore
@@ -2,7 +2,6 @@ gnunet_janitor.py
 gnunet_pyexpect.py
 pydiffer.py
 terminate.py
-timeout_watchdog
 gnunet_pyexpect.py
 gnunet_pyexpect.pyc
 pydiffer.pyc
diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index 158e43998..eec3300b9 100644
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -5,17 +5,6 @@ tap32dir = $(pkgdatadir)/openvpn-tap32/tapw32/
 
 tap64dir = $(pkgdatadir)/openvpn-tap32/tapw64/
 
-noinst_PROGRAMS = \
- timeout_watchdog
-
-if !MINGW
-timeout_watchdog_SOURCES = \
- timeout_watchdog.c
-else
-timeout_watchdog_SOURCES = \
- timeout_watchdog_w32.c
-endif
-
 noinst_SCRIPTS = \
  scripts/terminate.py \
  scripts/pydiffer.py \
diff --git a/contrib/conf/gnunet/no_autostart_above_core.conf b/contrib/conf/gnunet/no_autostart_above_core.conf
index 114ec83a3..245b6a47d 100644
--- a/contrib/conf/gnunet/no_autostart_above_core.conf
+++ b/contrib/conf/gnunet/no_autostart_above_core.conf
@@ -88,3 +88,6 @@ START_ON_DEMAND = NO
 
 [zonemaster-monitor]
 START_ON_DEMAND = NO
+
+[zonemaster]
+START_ON_DEMAND = NO
diff --git a/contrib/conf/gnunet/no_forcestart.conf b/contrib/conf/gnunet/no_forcestart.conf
index a069674e0..de58c6039 100644
--- a/contrib/conf/gnunet/no_forcestart.conf
+++ b/contrib/conf/gnunet/no_forcestart.conf
@@ -39,3 +39,19 @@ IMMEDIATE_START = NO
 
 [zonemaster-monitor]
 IMMEDIATE_START = NO
+
+[psyc]
+IMMEDIATE_START = NO
+
+[rps]
+IMMEDIATE_START = NO
+
+[consensus]
+IMMEDIATE_START = NO
+
+[set]
+IMMEDIATE_START = NO
+
+[nse]
+IMMEDIATE_START = NO
+
diff --git a/contrib/packages/guix/guix-env-gillmann.scm b/contrib/packages/guix/guix-env-gillmann.scm
new file mode 100644
index 000000000..4b977c1bb
--- /dev/null
+++ b/contrib/packages/guix/guix-env-gillmann.scm
@@ -0,0 +1,151 @@
+;;; This file is part of GNUnet.
+;;; Copyright (C) 2016, 2017, 2018 GNUnet e.V.
+;;;
+;;; GNUnet is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published
+;;; by the Free Software Foundation; either version 3, or (at your
+;;; option) any later version.
+;;;
+;;; GNUnet is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+;;; General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNUnet; see the file COPYING.  If not, write to the
+;;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+;;; Boston, MA 02110-1301, USA.
+
+(use-modules
+ (ice-9 popen)
+ (ice-9 match)
+ (ice-9 rdelim)
+ (guix packages)
+ (guix build-system gnu)
+ (guix gexp)
+ ((guix build utils) #:select (with-directory-excursion))
+ (guix git-download)
+ (guix utils) ; current-source-directory
+ (gnu packages)
+ (gnu packages aidc)
+ (gnu packages autotools)
+ (gnu packages backup)
+ (gnu packages base)
+ (gnu packages compression)
+ (gnu packages curl)
+ (gnu packages databases)
+ (gnu packages file)
+ (gnu packages gettext)
+ (gnu packages glib)
+ (gnu packages gnome)
+ (gnu packages gnunet)
+ (gnu packages gnupg)
+ (gnu packages gnuzilla)
+ (gnu packages groff)
+ (gnu packages gstreamer)
+ (gnu packages gtk)
+ (gnu packages guile)
+ (gnu packages image)
+ (gnu packages image-viewers)
+ (gnu packages libidn)
+ (gnu packages libunistring)
+ (gnu packages linux)
+ (gnu packages maths)
+ (gnu packages multiprecision)
+ (gnu packages perl)
+ (gnu packages pkg-config)
+ (gnu packages pulseaudio)
+ (gnu packages python)
+ (gnu packages tex)
+ (gnu packages texinfo)
+ (gnu packages tex)
+ (gnu packages tls)
+ (gnu packages upnp)
+ (gnu packages video)
+ (gnu packages web)
+ (gnu packages xiph)
+ ((guix licenses) #:prefix license:))
+
+(define %source-dir (current-source-directory))
+
+(define gnunet-dev-env
+  (let* ((revision "1")
+         (select? (delay (or (git-predicate
+                              (current-source-directory))
+                             source-file?))))
+    (package
+      (inherit gnunet)
+      (name "gnunet")
+      (version (string-append "git" revision))
+      (source
+       (local-file
+        (string-append (getcwd))
+        #:recursive? #t))
+      (inputs
+       `(("glpk" ,glpk)
+         ("gnurl" ,gnurl)
+         ("gstreamer" ,gstreamer)
+         ("gst-plugins-base" ,gst-plugins-base)
+         ("gnutls/dane" ,gnutls/dane)
+         ("iptables" ,iptables)
+         ("libextractor" ,libextractor)
+         ("libgcrypt" ,libgcrypt)
+         ("libidn" ,libidn)
+         ("libmicrohttpd" ,libmicrohttpd)
+         ("libltdl" ,libltdl)
+         ("libunistring" ,libunistring)
+         ("openssl" ,openssl)
+         ("opus" ,opus)
+         ("pulseaudio" ,pulseaudio)
+         ("sqlite" ,sqlite)
+         ("postgresql" ,postgresql)
+         ("mariadb" ,mariadb)
+         ("zlib" ,zlib)
+         ("perl" ,perl)
+         ("python-2" ,python-2) ; tests and gnunet-qr
+         ("jansson" ,jansson)
+         ("nss" ,nss)
+         ("glib" ,glib "bin")
+         ("gmp" ,gmp)
+         ("bluez" ,bluez) ; for optional bluetooth feature
+         ("glib" ,glib)
+         ;; ("texlive" ,texlive) ;FIXME: minimize.
+         ("texlive-tiny" ,texlive-tiny) ;; Seems to be enough for _just_ info output.
+         ("miniupnpc" ,miniupnpc)
+         ("libogg" ,libogg)))
+      (native-inputs
+       `(("pkg-config" ,pkg-config)
+         ("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("gnu-gettext" ,gnu-gettext)
+         ("which" ,which)
+         ("texinfo" ,texinfo-5) ; Debian stable: 5.2
+         ("libtool" ,libtool)))
+      (outputs '("out" "debug"))
+      (arguments
+       `(;#:configure-flags
+         ;;(list (string-append "--with-nssdir=" %output "/lib")
+         ;;"--enable-gcc-hardening"
+         ;;"--enable-linker-hardening"
+               ;;;;"--enable-documentation-only")
+               ;;;"--enable-logging=verbose"
+               ;;;"CFLAGS=-ggdb -O0")
+         #:phases
+         ;; swap check and install phases and set paths to installed bin
+         (modify-phases %standard-phases
+           (add-after 'unpack 'patch-bin-sh
+             (lambda _
+               (for-each (lambda (f) (chmod f #o755))
+                         (find-files "po" ""))
+               #t))
+           (add-after 'patch-bin-sh 'bootstrap
+             (lambda _
+               (zero? (system* "sh" "bootstrap"))))
+           ;;(add-before 'build 'chdir
+           ;; (lambda _
+           ;;  (chdir "doc/documentation")))
+           (delete 'check)
+           ;; XXX: https://gnunet.org/bugs/view.php?id=4619
+           ))))))
+
+gnunet-dev-env
diff --git a/contrib/packages/guix/guix-env-py2.scm b/contrib/packages/guix/guix-env-py2.scm
new file mode 100644
index 000000000..6085f96a9
--- /dev/null
+++ b/contrib/packages/guix/guix-env-py2.scm
@@ -0,0 +1,158 @@
+;;; This file is part of GNUnet.
+;;; Copyright (C) 2016, 2017, 2018 GNUnet e.V.
+;;;
+;;; GNUnet is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published
+;;; by the Free Software Foundation; either version 3, or (at your
+;;; option) any later version.
+;;;
+;;; GNUnet is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+;;; General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNUnet; see the file COPYING.  If not, write to the
+;;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+;;; Boston, MA 02110-1301, USA.
+
+(use-modules
+ (ice-9 popen)
+ (ice-9 match)
+ (ice-9 rdelim)
+ (guix packages)
+ (guix build-system gnu)
+ (guix gexp)
+ ((guix build utils) #:select (with-directory-excursion))
+ (guix git-download)
+ (guix utils) ; current-source-directory
+ (gnu packages)
+ (gnu packages aidc)
+ (gnu packages autotools)
+ (gnu packages backup)
+ (gnu packages base)
+ (gnu packages compression)
+ (gnu packages curl)
+ (gnu packages databases)
+ (gnu packages file)
+ (gnu packages gettext)
+ (gnu packages glib)
+ (gnu packages gnome)
+ (gnu packages gnunet)
+ (gnu packages gnupg)
+ (gnu packages gnuzilla)
+ (gnu packages groff)
+ (gnu packages gstreamer)
+ (gnu packages gtk)
+ (gnu packages guile)
+ (gnu packages image)
+ (gnu packages image-viewers)
+ (gnu packages libidn)
+ (gnu packages libunistring)
+ (gnu packages linux)
+ (gnu packages maths)
+ (gnu packages multiprecision)
+ (gnu packages perl)
+ (gnu packages pkg-config)
+ (gnu packages pulseaudio)
+ (gnu packages python)
+ (gnu packages tex)
+ (gnu packages texinfo)
+ (gnu packages tex)
+ (gnu packages tls)
+ (gnu packages upnp)
+ (gnu packages video)
+ (gnu packages web)
+ (gnu packages xiph)
+ ((guix licenses) #:prefix license:))
+
+(define %source-dir (current-source-directory))
+
+(define gnunet-dev-env
+  (let* ((revision "1")
+         (select? (delay (or (git-predicate
+                              (current-source-directory))
+                             source-file?))))
+    (package
+      (inherit gnunet)
+      (name "gnunet")
+      (version (string-append "git" revision))
+      (source
+       (local-file
+        (string-append (getcwd))
+        #:recursive? #t))
+      (inputs
+       `(("glpk" ,glpk)
+         ("gnurl" ,gnurl)
+         ("gstreamer" ,gstreamer)
+         ("gst-plugins-base" ,gst-plugins-base)
+         ("gnutls/dane" ,gnutls/dane)
+         ("libextractor" ,libextractor)
+         ("libgcrypt" ,libgcrypt)
+         ("libidn" ,libidn)
+         ("libmicrohttpd" ,libmicrohttpd)
+         ("libltdl" ,libltdl)
+         ("libunistring" ,libunistring)
+         ("openssl" ,openssl)
+         ("opus" ,opus)
+         ("pulseaudio" ,pulseaudio)
+         ("sqlite" ,sqlite)
+         ("postgresql" ,postgresql)
+         ("mysql" ,mysql)
+         ("zlib" ,zlib)
+         ("perl" ,perl)
+         ("python-2" ,python-2) ; tests and gnunet-qr
+         ("python2-future" ,python2-future)
+         ("jansson" ,jansson)
+         ("nss" ,nss)
+         ("glib" ,glib "bin")
+         ("gmp" ,gmp)
+         ("bluez" ,bluez) ; for optional bluetooth feature
+         ("glib" ,glib)
+         ;; ("texlive" ,texlive) ;FIXME: minimize.
+         ("texlive-tiny" ,texlive-tiny) ;; Seems to be enough for _just_ info output.
+         ("miniupnpc" ,miniupnpc)
+         ("libogg" ,libogg)))
+      (native-inputs
+       `(("pkg-config" ,pkg-config)
+         ("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("gnu-gettext" ,gnu-gettext)
+         ("which" ,which)
+         ("texinfo" ,texinfo-5) ; Debian stable: 5.2
+         ("libtool" ,libtool)))
+      (outputs '("out" "debug"))
+      (arguments
+       `(;#:configure-flags
+         ;;(list (string-append "--with-nssdir=" %output "/lib")
+               ;;"--enable-gcc-hardening"
+               ;;"--enable-linker-hardening"
+               ;;;;"--enable-documentation-only")
+               ;;;"--enable-logging=verbose"
+               ;;;"CFLAGS=-ggdb -O0")
+         #:phases
+         ;; swap check and install phases and set paths to installed bin
+         (modify-phases %standard-phases
+           (add-after 'unpack 'patch-bin-sh
+             (lambda _
+               (for-each (lambda (f) (chmod f #o755))
+                         (find-files "po" ""))
+               #t))
+           (add-after 'patch-bin-sh 'bootstrap
+             (lambda _
+               (zero? (system* "sh" "bootstrap"))))
+           ;;(add-before 'build 'chdir
+           ;; (lambda _
+           ;;  (chdir "doc/documentation")))
+           (delete 'check)
+           ;; XXX: https://gnunet.org/bugs/view.php?id=4619
+           (add-after 'install 'set-path-for-check
+             (lambda* (#:key outputs #:allow-other-keys)
+               (let* ((out (assoc-ref outputs "out"))
+                      (bin (string-append out "/bin"))
+                      (lib (string-append out "/lib")))
+                 (setenv "GNUNET_PREFIX" lib)
+                 (setenv "PATH" (string-append (getenv "PATH") ":" bin))
+                 (zero? (system* "make" "check")))))))))))
+
+gnunet-dev-env
diff --git a/doc/documentation/Makefile.am b/doc/documentation/Makefile.am
index 12f40f147..b6c666c4d 100644
--- a/doc/documentation/Makefile.am
+++ b/doc/documentation/Makefile.am
@@ -114,6 +114,7 @@ gnunet_TEXINFOS = 						\
         chapters/developer.texi                                 \
         chapters/preface.texi                           \
         chapters/philosophy.texi                                \
+        chapters/installation.texi                              \
         chapters/user.texi                                      \
         chapters/vocabulary.texi                                \
         chapters/configuration.texi                             \
@@ -143,6 +144,7 @@ DISTCLEANFILES = 						\
         chapters/terminology.cps                                \
         chapters/vocabulary.cps                                 \
         fdl-1.3.cps                                             \
+        agpl-3.0.cps                                            \
         gpl-3.0.cps
 
 # if HAVE_EXTENDED_DOCUMENTATION_BUILDING
@@ -165,8 +167,8 @@ lego_stack.png: images/lego_stack.svg
 #       echo "@set EDITION $(PACKAGE_VERSION)" >> $@
 #       echo "@set VERSION $(PACKAGE_VERSION)" >> $@
 
-# Workaround for makeinfo error. Whcih in turn introduces more
-# date-related 'warnings'. Well.
+# Workaround for makeinfo error. Which in turn introduces more
+# date-related 'warnings' for GNUism. Well.
 version2.texi:
         echo "@set UPDATED $(date +'%d %B %Y')" > $@
         echo "@set UPDATED-MONTH $(date +'%B %Y')" >> $@
diff --git a/doc/documentation/agpl-3.0.texi b/doc/documentation/agpl-3.0.texi
new file mode 100644
index 000000000..eabb0c6df
--- /dev/null
+++ b/doc/documentation/agpl-3.0.texi
@@ -0,0 +1,698 @@
+@c The GNU Affero General Public License.
+@center Version 3, 19 November 2007
+
+@c This file is intended to be included within another document,
+@c hence no sectioning command or @node.
+
+@display
+Copyright @copyright{} 2007 Free Software Foundation, Inc. @url{https://fsf.org/}
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+@end display
+
+@heading Preamble
+
+The GNU Affero General Public License is a free, copyleft license
+for software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+The licenses for most software and other practical works are
+designed to take away your freedom to share and change the works.  By
+contrast, our General Public Licenses are intended to guarantee your
+freedom to share and change all versions of a program--to make sure it
+remains free software for all its users.
+
+When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+@heading TERMS AND CONDITIONS
+
+@enumerate 0
+@item Definitions.
+
+``This License'' refers to version 3 of the GNU Affero General Public License.
+
+``Copyright'' also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+``The Program'' refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as ``you''.  ``Licensees'' and
+``recipients'' may be individuals or organizations.
+
+To ``modify'' a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy.  The resulting work is called a ``modified version'' of
+the earlier work or a work ``based on'' the earlier work.
+
+A ``covered work'' means either the unmodified Program or a work based
+on the Program.
+
+To ``propagate'' a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To ``convey'' a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays ``Appropriate Legal Notices'' to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+@item Source Code.
+
+The ``source code'' for a work means the preferred form of the work for
+making modifications to it.  ``Object code'' means any non-source form
+of a work.
+
+A ``Standard Interface'' means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The ``System Libraries'' of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+``Major Component'', in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The ``Corresponding Source'' for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+@item Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright.  Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+@item Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+@item Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+@item Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+@enumerate a
+@item
+The work must carry prominent notices stating that you modified it,
+and giving a relevant date.
+
+@item
+The work must carry prominent notices stating that it is released
+under this License and any conditions added under section 7.  This
+requirement modifies the requirement in section 4 to ``keep intact all
+notices''.
+
+@item
+You must license the entire work, as a whole, under this License to
+anyone who comes into possession of a copy.  This License will
+therefore apply, along with any applicable section 7 additional terms,
+to the whole of the work, and all its parts, regardless of how they
+are packaged.  This License gives no permission to license the work in
+any other way, but it does not invalidate such permission if you have
+separately received it.
+
+@item
+If the work has interactive user interfaces, each must display
+Appropriate Legal Notices; however, if the Program has interactive
+interfaces that do not display Appropriate Legal Notices, your work
+need not make them do so.
+@end enumerate
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+``aggregate'' if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+@item  Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+@enumerate a
+@item
+Convey the object code in, or embodied in, a physical product
+(including a physical distribution medium), accompanied by the
+Corresponding Source fixed on a durable physical medium customarily
+used for software interchange.
+
+@item
+Convey the object code in, or embodied in, a physical product
+(including a physical distribution medium), accompanied by a written
+offer, valid for at least three years and valid for as long as you
+offer spare parts or customer support for that product model, to give
+anyone who possesses the object code either (1) a copy of the
+Corresponding Source for all the software in the product that is
+covered by this License, on a durable physical medium customarily used
+for software interchange, for a price no more than your reasonable
+cost of physically performing this conveying of source, or (2) access
+to copy the Corresponding Source from a network server at no charge.
+
+@item
+Convey individual copies of the object code with a copy of the written
+offer to provide the Corresponding Source.  This alternative is
+allowed only occasionally and noncommercially, and only if you
+received the object code with such an offer, in accord with subsection
+6b.
+
+@item
+Convey the object code by offering access from a designated place
+(gratis or for a charge), and offer equivalent access to the
+Corresponding Source in the same way through the same place at no
+further charge.  You need not require recipients to copy the
+Corresponding Source along with the object code.  If the place to copy
+the object code is a network server, the Corresponding Source may be
+on a different server (operated by you or a third party) that supports
+equivalent copying facilities, provided you maintain clear directions
+next to the object code saying where to find the Corresponding Source.
+Regardless of what server hosts the Corresponding Source, you remain
+obligated to ensure that it is available for as long as needed to
+satisfy these requirements.
+
+@item
+Convey the object code using peer-to-peer transmission, provided you
+inform other peers where the object code and Corresponding Source of
+the work are being offered to the general public at no charge under
+subsection 6d.
+
+@end enumerate
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A ``User Product'' is either (1) a ``consumer product'', which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling.  In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage.  For a particular product received by a particular user,
+``normally used'' refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product.  A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+``Installation Information'' for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source.  The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed.  Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+@item Additional Terms.
+
+``Additional permissions'' are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+@enumerate a
+@item
+Disclaiming warranty or limiting liability differently from the terms
+of sections 15 and 16 of this License; or
+
+@item
+Requiring preservation of specified reasonable legal notices or author
+attributions in that material or in the Appropriate Legal Notices
+displayed by works containing it; or
+
+@item
+Prohibiting misrepresentation of the origin of that material, or
+requiring that modified versions of such material be marked in
+reasonable ways as different from the original version; or
+
+@item
+Limiting the use for publicity purposes of names of licensors or
+authors of the material; or
+
+@item
+Declining to grant rights under trademark law for use of some trade
+names, trademarks, or service marks; or
+
+@item
+Requiring indemnification of licensors and authors of that material by
+anyone who conveys the material (or modified versions of it) with
+contractual assumptions of liability to the recipient, for any
+liability that these contractual assumptions directly impose on those
+licensors and authors.
+@end enumerate
+
+All other non-permissive additional terms are considered ``further
+restrictions'' within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+@item Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+@item Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+@item Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+An ``entity transaction'' is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+@item Patents.
+
+A ``contributor'' is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's ``contributor version''.
+
+A contributor's ``essential patent claims'' are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, ``control'' includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a ``patent license'' is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To ``grant'' such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  ``Knowingly relying'' means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is ``discriminatory'' if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License.  You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+@item No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey
+a covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all.  For example, if you agree
+to terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+@item Remote Network Interaction; Use with the GNU General Public License.
+
+Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users interacting
+with it remotely through a computer network (if your version supports such
+interaction) an opportunity to receive the Corresponding Source of your
+version by providing access to the Corresponding Source from a network
+server at no charge, through some standard or customary means of
+facilitating copying of software.  This Corresponding Source shall include
+the Corresponding Source for any work covered by version 3 of the GNU
+General Public License that is incorporated pursuant to the following
+paragraph.
+
+Notwithstanding any other provision of this License, you have permission to
+link or combine any covered work with a work licensed under version 3 of
+the GNU General Public License into a single combined work, and to convey
+the resulting work.  The terms of this License will continue to apply to
+the part which is the covered work, but the work with which it is combined
+will remain governed by version 3 of the GNU General Public License.
+
+@item Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU Affero General Public License from time to time.  Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies that a certain numbered version of the GNU Affero General Public
+License ``or any later version'' applies to it, you have the option of
+following the terms and conditions either of that numbered version or
+of any later version published by the Free Software Foundation.  If
+the Program does not specify a version number of the GNU Affero General
+Public License, you may choose any version ever published by the Free
+Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU Affero General Public License can be used, that proxy's public
+statement of acceptance of a version permanently authorizes you to
+choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+@item Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM ``AS IS'' WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+@item Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+@item Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+@end enumerate
+
+@heading END OF TERMS AND CONDITIONS
+
+@heading How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the ``copyright'' line and a pointer to where the full notice is found.
+
+@smallexample
+@var{one line to give the program's name and a brief idea of what it does.}
+Copyright (C) @var{year} @var{name of author}
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or (at
+your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see @url{https://www.gnu.org/licenses/}.
+@end smallexample
+
+Also add information on how to contact you by electronic and paper mail.
+
+If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a ``Source'' link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+You should also get your employer (if you work as a programmer) or school,
+if any, to sign a ``copyright disclaimer'' for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+@url{https://www.gnu.org/licenses/}.
diff --git a/doc/documentation/chapters/contributing.texi b/doc/documentation/chapters/contributing.texi
index 745acca77..dc87de3d6 100644
--- a/doc/documentation/chapters/contributing.texi
+++ b/doc/documentation/chapters/contributing.texi
@@ -11,12 +11,14 @@
 @node Contributing to GNUnet
 @section Contributing to GNUnet
 
+@cindex licenses
+@cindex licenses of contributions
 @node Licenses of contributions
 @section Licenses of contributions
 
 GNUnet is a @uref{https://www.gnu.org/, GNU} package.
 All code contributions must thus be put under the
-@uref{https://www.gnu.org/copyleft/gpl.html, GNU Public License (GPL)}.
+@uref{https://www.gnu.org/licenses/agpl.html, GNU Affero Public License (AGPL)}.
 All documentation should be put under FSF approved licenses
 (see @uref{https://www.gnu.org/copyleft/fdl.html, fdl}).
 
@@ -40,7 +42,7 @@ rights, and in particular is allowed to dual-license the code. You
 retain non-exclusive rights to your contributions, so you can also
 share your contributions freely with other projects.
 
-GNUnet e.V. will publish all accepted contributions under the GPLv3
+GNUnet e.V. will publish all accepted contributions under the AGPLv3
 or any later version. The association may decide to publish
 contributions under additional licenses (dual-licensing).
 
diff --git a/doc/documentation/chapters/developer.texi b/doc/documentation/chapters/developer.texi
index 22b175a3f..1f74a8163 100644
--- a/doc/documentation/chapters/developer.texi
+++ b/doc/documentation/chapters/developer.texi
@@ -352,7 +352,7 @@ The DHT and other components of GNUnet
 store information in units called 'blocks'. Each block has a type and the
 type defines a particular format and how that binary format is to be
 linked to a hash code (the key for the DHT and for databases). The block
-library is a wapper around block plugins which provide the necessary
+library is a wrapper around block plugins which provide the necessary
 functions for each block type.
 @item @file{statistics/} --- statistics service
 The statistics service enables associating
@@ -400,7 +400,7 @@ external service to test the local configuration.
 Some transports (UDP and WLAN, mostly) have restrictions on the maximum
 transfer unit (MTU) for packets. The fragmentation library can be used to
 break larger packets into chunks of at most 1k and transmit the resulting
-fragments reliabily (with acknowledgement, retransmission, timeouts,
+fragments reliably (with acknowledgment, retransmission, timeouts,
 etc.).
 @item @file{transport/} --- transport service
 The transport service is responsible for managing the
@@ -425,8 +425,8 @@ the foundation for the testbed service
 @item @file{testbed/} --- testbed service
 The testbed service is used for creating small or large scale deployments
 of GNUnet peers for evaluation of protocols.
-It facilitates peer depolyments on multiple
-hosts (for example, in a cluster) and establishing varous network
+It facilitates peer deployments on multiple
+hosts (for example, in a cluster) and establishing various network
 topologies (both underlay and overlay).
 @item @file{nse/} --- Network Size Estimation
 The network size estimation (NSE) service
@@ -1038,7 +1038,7 @@ if (0 == bar && x != y)
 @end example
 
 @noindent
-Note that splitting the @code{if} statement above is debateable as the
+Note that splitting the @code{if} statement above is debatable as the
 @code{return x} is a very trivial statement. However, once the logic after
 the branch becomes more complicated (and is still identical), the "or"
 formulation should be used for sure.
@@ -1173,12 +1173,12 @@ for building applications under UNIX-like systems. Furthermore we
 assume that the build environment is sane and that you are aware of
 any implications actions in this process could have.
 Instructions here can be seen as notes for developers (an extension to
-the 'HACKING' section in README) as well as package mantainers.
+the 'HACKING' section in README) as well as package maintainers.
 @b{Users should rely on the available binary packages.}
 We will use Debian as an example Operating System environment. Substitute
-accordingly with your own Ooperating System environment.
+accordingly with your own Operating System environment.
 
-For the full list of depenendencies, consult the appropriate, up-to-date
+For the full list of dependencies, consult the appropriate, up-to-date
 section in the @file{README} file.
 
 First, we need to build or install (depending on your OS) the following
@@ -1442,7 +1442,7 @@ $ gnunet-gns-proxy-setup-ca
 @end example
 
 @noindent
-The first generates the default zones, wheras the second setups the GNS
+The first generates the default zones, whereas the second setups the GNS
 Certificate Authority with the user's browser. Now, to activate GNS in the
 normal DNS resolution process, you need to edit your
 @file{/etc/nsswitch.conf} where you should find a line like this:
@@ -1536,7 +1536,7 @@ This range can be customised with the function
 similar to @code{GNUNET_TESTING_system_create()} except that it take 2
 additional parameters --- the start and end of the port range to use.
 
-A TESTING system is destroyed with the funciton
+A TESTING system is destroyed with the function
 @code{GNUNET_TESTING_system_destory()}. This function takes the handle of
 the system and a flag to remove the files created in the directory used
 to generate configurations.
@@ -1545,7 +1545,7 @@ A peer is created with the function
 @code{GNUNET_TESTING_peer_configure()}. This functions takes the system
 handle, a configuration template from which the configuration for the peer
 is auto-generated and the index from where the hostkey for the peer has to
-be copied from. When successfull, this function returs a handle to the
+be copied from. When successful, this function returns a handle to the
 peer which can be used to start and stop it and to obtain the identity of
 the peer. If unsuccessful, a NULL pointer is returned with an error
 message. This function handles the generated configuration to have
@@ -1579,7 +1579,7 @@ to the handle to the peer to stop. The callback function is called with
 the given closure when the peer is stopped. Using this function
 eliminates blocking while waiting for the peer to terminate.
 
-An asynchronous peer stop can be cancelled by calling the function
+An asynchronous peer stop can be canceled by calling the function
 @code{GNUNET_TESTING_peer_stop_async_cancel()}. Note that calling this
 function does not prevent the peer from terminating if the termination
 signal has already been sent to it. It does, however, cancels the
@@ -1660,12 +1660,12 @@ simply load the plugin directly.
 To help avoid performance regressions, GNUnet uses Gauger. Gauger is a
 simple logging tool that allows remote hosts to send performance data to
 a central server, where this data can be analyzed and visualized. Gauger
-shows graphs of the repository revisions and the performace data recorded
+shows graphs of the repository revisions and the performance data recorded
 for each revision, so sudden performance peaks or drops can be identified
 and linked to a specific revision number.
 
 In the case of GNUnet, the buildbots log the performance data obtained
-during the tests after each build. The data can be accesed on GNUnet's
+during the tests after each build. The data can be accessed on GNUnet's
 Gauger page.
 
 The menu on the left allows to select either the results of just one
@@ -1678,7 +1678,7 @@ performance evolution across all hosts.
 Using Gauger in GNUnet and having the performance of a module tracked over
 time is very easy. First of course, the testcase must generate some
 consistent metric, which makes sense to have logged. Highly volatile or
-random dependant metrics probably are not ideal candidates for meaningful
+random dependent metrics probably are not ideal candidates for meaningful
 regression detection.
 
 To start logging any value, just include @code{gauger.h} in your testcase
@@ -1890,7 +1890,7 @@ random links are to be given
 
 @item @code{GNUNET_TESTBED_TOPOLOGY_SCALE_FREE}: Connects peers in a
 topology where peer connectivity follows power law - new peers are
-connected with high probabililty to well connected peers.
+connected with high probability to well connected peers.
 @footnote{See Emergence of Scaling in Random Networks. Science 286,
 509-512, 1999
 (@uref{https://gnunet.org/git/bibliography.git/plain/docs/emergence_of_scaling_in_random_networks__barabasi_albert_science_286__1999.pdf, pdf})}
@@ -1931,7 +1931,7 @@ ignored for the rest of the topologies.
 Topology @code{SCALE_FREE} requires the options
 @code{SCALE_FREE_TOPOLOGY_CAP} to be set to the maximum number of peers
 which can connect to a peer and @code{SCALE_FREE_TOPOLOGY_M} to be set to
-how many peers a peer should be atleast connected to.
+how many peers a peer should be at least connected to.
 
 Similarly, the topology @code{FROM_FILE} requires the option
 @code{OVERLAY_TOPOLOGY_FILE} to contain the path of the file containing
@@ -1977,7 +1977,7 @@ A topology file describes how peers are to be connected. It should adhere
 to the following format for testbed to parse it correctly.
 
 Each line should begin with the target peer id. This should be followed by
-a colon(`:') and origin peer ids seperated by `|'. All spaces except for
+a colon(`:') and origin peer ids separated by `|'. All spaces except for
 newline characters are ignored. The API will then try to connect each
 origin peer to the target peer.
 
@@ -2003,9 +2003,9 @@ deemed as crossed after all the peers waiting on it are notified.
 The barriers API provides the following functions:
 @itemize @bullet
 @item @strong{@code{GNUNET_TESTBED_barrier_init()}:} function to
-initialse a barrier in the experiment
+initialize a barrier in the experiment
 @item @strong{@code{GNUNET_TESTBED_barrier_cancel()}:} function to cancel
-a barrier which has been initialised before
+a barrier which has been initialized before
 @item @strong{@code{GNUNET_TESTBED_barrier_wait()}:} function to signal
 barrier service that the caller has reached a barrier and is waiting for
 it to be crossed
@@ -2122,7 +2122,7 @@ the large-scale deployment. We provide you a set of scripts you can use
 to deploy GNUnet on a set of nodes and manage your installation.
 
 Please also check @uref{https://gnunet.org/installation-fedora8-svn} and
-@uref{https://gnunet.org/installation-fedora12-svn} to find detailled
+@uref{https://gnunet.org/installation-fedora12-svn} to find detailed
 instructions how to install GNUnet on a PlanetLab node.
 
 
@@ -2148,7 +2148,7 @@ image, installing the buildslave software is quite some pain. For our
 PlanetLab testbed we figured out how to install the buildslave software
 best.
 
-@c This is a vvery terrible way to suggest installing software.
+@c This is a very terrible way to suggest installing software.
 @c FIXME: Is there an official, safer way instead of blind-piping a
 @c script?
 @c FIXME: Use newer pypi URLs below.
@@ -2354,7 +2354,7 @@ for new developers):
 @item CPS-style scheduling (scheduler.c)
 @item Program initialization (program.c)
 @item Networking (network.c, client.c, server*.c, service.c)
-@item message queueing (mq.c)
+@item message queuing (mq.c)
 @item bandwidth calculations (bandwidth.c)
 @item Other OS-related (os*.c, plugin.c, signal.c)
 @item Pseudonym management (pseudonym.c)
@@ -2425,7 +2425,7 @@ level to "loglevel". Thus it is possible to run some processes
 with -L DEBUG, for example, and others with -L ERROR to enable specific
 settings to diagnose problems with a particular process.
 @item Configuration files.  Because GNUnet
-service and deamon processes are usually launched by gnunet-arm, it is not
+service and daemon processes are usually launched by gnunet-arm, it is not
 possible to pass different custom command line options directly to every
 one of them. The options passed to @code{gnunet-arm} only affect
 gnunet-arm and not the rest of GNUnet. However, one can specify a
@@ -2717,7 +2717,7 @@ will have
 no effect. Other messages (ERROR, WARNING, INFO, etc) will be included.
 @item If @code{--enable-logging} is set to @code{verbose}, or
 @code{veryverbose} the binary will contain DEBUG messages (still, it will
-be neccessary to run with @command{-L DEBUG} or set the DEBUG config option
+be necessary to run with @command{-L DEBUG} or set the DEBUG config option
 to show
 them).
 @end itemize
@@ -2728,7 +2728,7 @@ If you are a developer:
 @item please make sure that you @code{./configure
 --enable-logging=@{verbose,veryverbose@}}, so you can see DEBUG messages.
 @item please remove the @code{#if} statements around @code{GNUNET_log
-(GNUNET_ERROR_TYPE_DEBUG, ...)} lines, to improve the readibility of your
+(GNUNET_ERROR_TYPE_DEBUG, ...)} lines, to improve the readability of your
 code.
 @end itemize
 
@@ -2741,7 +2741,7 @@ A suitable configuration could be:
 $ export GNUNET_FORCE_LOG="^YOUR_SUBSYSTEM$;;;;DEBUG/;;;;WARNING"
 @end example
 
-Which will behave almost like enabling DEBUG in that subsytem before the
+Which will behave almost like enabling DEBUG in that subsystem before the
 change. Of course you can adapt it to your particular needs, this is only
 a quick example.
 
@@ -2952,7 +2952,7 @@ function, which is set to @code{NULL} in most cases, and the last
 parameter is the expected size of the message of this type, usually we
 set it to 0 to accept variable size, for special cases the exact size of
 the specified message also can be set. In addition, the terminator sign
-depicted as @code{@{NULL, NULL, 0, 0@}} is set in the last aera.
+depicted as @code{@{NULL, NULL, 0, 0@}} is set in the last area.
 
 @c ***********************************************************************
 @node Server - Process request message
@@ -3002,7 +3002,7 @@ understand the request message, and the processing of this request would
 be terminated.
 
 In comparison to the aforementioned situation, when the argument is equal
-to @code{GNUNET_OK}, the service would continue to process the requst
+to @code{GNUNET_OK}, the service would continue to process the request
 message.
 
 @c ***********************************************************************
@@ -3151,7 +3151,7 @@ GNUnet uses SHA-512 for computing one-way hash codes. The API provides
 functions to compute a hash over a block in memory or over a file on disk.
 
 The crypto API also provides functions for randomizing a block of memory,
-obtaining a single random number and for generating a permuation of the
+obtaining a single random number and for generating a permutation of the
 numbers 0 to n-1. Random number generation distinguishes between WEAK and
 STRONG random number quality; WEAK random numbers are pseudo-random
 whereas STRONG random numbers use entropy gathered from the operating
@@ -3230,7 +3230,7 @@ message.
 
 Consider the following simple message, with the body consisting of a
 single number value.
-@c why the empy code function?
+@c why the empty code function?
 @code{}
 
 @example
@@ -3505,7 +3505,7 @@ or in some other transient data structure and thus having the hash map
 keep a pointer to @code{key} would not work. Only the key inside of
 @code{val} has the same lifetime as the entry in the map (this must of
 course be checked as well). Naturally, @code{val->key} must be
-intiialized before the @code{put} call. Once all @code{put} calls have
+initialized before the @code{put} call. Once all @code{put} calls have
 been converted and double-checked, you can change the call to create the
 hash map from
 
@@ -3893,7 +3893,7 @@ The goal of transport-level address validation is to minimize the chances
 of a successful man-in-the-middle attack against GNUnet peers on the
 transport level. Such an attack would not allow the adversary to decrypt
 the P2P transmissions, but a successful attacker could at least measure
-traffic volumes and latencies (raising the adversaries capablities by
+traffic volumes and latencies (raising the adversaries capabilities by
 those of a global passive adversary in the worst case). The scenarios we
 are concerned about is an attacker, Mallory, giving a @code{HELLO} to
 Alice that claims to be for Bob, but contains Mallory's IP address
@@ -4019,7 +4019,7 @@ connected peers, but they are sent about other knowns peers within the
 to each other about their appropriate other neighbors. They also gossip
 about the newly connected peer to previously
 connected neighbors. In order to keep the routing tables up to date,
-disconnect notifications are propogated as gossip as well (because
+disconnect notifications are propagated as gossip as well (because
 disconnects may not be sent/received, timeouts are also used remove
 stagnant routing table entries).
 
@@ -4210,7 +4210,7 @@ to send and receive messages.
 
 We have measured the performance of the UDP, TCP and SMTP transport layer
 directly and when used from an application using the GNUnet core.
-Measureing just the transport layer gives the better view of the actual
+Measuring just the transport layer gives the better view of the actual
 overhead of the protocol, whereas evaluating the transport from the
 application puts the overhead into perspective from a practical point of
 view.
@@ -4230,7 +4230,7 @@ wire have no impact on the timings. n messages were sent sequentially over
 the transport layer, sending message i+1 after the i-th message was
 received. All messages were sent over the same connection and the time to
 establish the connection was not taken into account since this overhead is
-miniscule in practice --- as long as a connection is used for a
+minuscule in practice --- as long as a connection is used for a
 significant number of messages.
 
 @multitable @columnfractions .20 .15 .15 .15 .15 .15
@@ -4261,9 +4261,9 @@ given time-bounds. For this benchmark we report the message loss after
 allowing t time for sending m messages. If messages were not sent (or
 received) after an overall timeout of t, they were considered lost. The
 benchmark was performed using two Xeon 2 GHZ machines running RedHat 8.0
-with sendmail. The machines were connected with a direct 100 MBit ethernet
+with sendmail. The machines were connected with a direct 100 MBit Ethernet
 connection.@ Figures udp1200, tcp1200 and smtp-MTUs show that the
-throughput for messages of size 1,200 octects is 2,343 kbps, 3,310 kbps
+throughput for messages of size 1,200 octets is 2,343 kbps, 3,310 kbps
 and 6 kbps for UDP, TCP and SMTP respectively. The high per-message
 overhead of SMTP can be improved by increasing the MTU, for example, an
 MTU of 12,000 octets improves the throughput to 13 kbps as figure
@@ -4308,7 +4308,7 @@ installed).
 For instructions about how to install the libraries you should
 check out the BlueZ site
 (@uref{http://www.bluez.org/, http://www.bluez.org}). If you don't know if
-you have the necesarry libraries, don't worry, just run the GNUnet
+you have the necessary libraries, don't worry, just run the GNUnet
 configure script and you will be able to see a notification at the end
 which will warn you if you don't have the necessary libraries.
 
@@ -4336,7 +4336,7 @@ helper binary used on GNU/Linux:
 
 @itemize @bullet
 @item it verifies if the name corresponds to a Bluetooth interface name
-@item it verifies if the iterface is up (if it is not, it tries to bring
+@item it verifies if the interface is up (if it is not, it tries to bring
 it up)
 @item it tries to enable the page and inquiry scan in order to make the
 device discoverable and to accept incoming connection requests
@@ -4377,12 +4377,12 @@ Bluetooth address has the form 00:00:00:00:00:00 it means that there is
 something wrong with the D-Bus daemon or with the Bluetooth daemon. Use
 @code{bluetoothd} tool to see the logs
 
-@item @code{sdptool} can be used to control and interogate SDP servers.
+@item @code{sdptool} can be used to control and interrogate SDP servers.
 If you encounter problems regarding the SDP server (like the SDP server is
 down) you should check out if the D-Bus daemon is running correctly and to
 see if the Bluetooth daemon started correctly(use @code{bluetoothd} tool).
 Also, sometimes the SDP service could work but somehow the device couldn't
-register his service. Use @code{sdptool browse [dev-address]} to see if
+register its service. Use @code{sdptool browse [dev-address]} to see if
 the service is registered. There should be a service with the name of the
 interface and GNUnet as provider.
 
@@ -4464,11 +4464,11 @@ then start sending data for benchmarking.
 On Windows you cannot test the plugin functionality using two Bluetooth
 devices from the same machine because after you install the drivers there
 will occur some conflicts between the Bluetooth stacks. (At least that is
-what happend on my machine : I wasn't able to use the Bluesoleil stack and
+what happened on my machine : I wasn't able to use the Bluesoleil stack and
 the WINDCOMM one in the same time).
 
 If you have two different machines and your configuration files are good
-you can use the same scenario presented on the begining of this section.
+you can use the same scenario presented on the beginning of this section.
 
 Another way to test the plugin functionality is to create your own
 application which will use the GNUnet framework with the Bluetooth
@@ -4483,8 +4483,8 @@ This page describes the implementation of the Bluetooth transport plugin.
 First I want to remind you that the Bluetooth transport plugin uses
 virtually the same code as the WLAN plugin and only the helper binary is
 different. Also the scope of the helper binary from the Bluetooth
-transport plugin is the same as the one used for the wlan transport
-plugin: it acceses the interface and then it forwards traffic in both
+transport plugin is the same as the one used for the WLAN transport
+plugin: it accesses the interface and then it forwards traffic in both
 directions between the Bluetooth interface and stdin/stdout of the
 process involved.
 
@@ -4525,8 +4525,8 @@ Bluetooth interface) and is separated in two stages:
 @subsubsection THE INITIALIZATION
 
 @itemize @bullet
-@item first, it checks if we have root privilegies
-(@emph{Remember that we need to have root privilegies in order to be able
+@item first, it checks if we have root privileges
+(@emph{Remember that we need to have root privileges in order to be able
 to bring the interface up if it is down or to change its state.}).
 
 @item second, it verifies if the interface with the given name exists.
@@ -4551,7 +4551,7 @@ discoverable
 devices to get the port on which this device is listening on)
 @end itemize
 
-@item drops the root privilegies
+@item drops the root privileges
 
 @strong{If the interface is not a Bluetooth interface the helper exits
 with a suitable error}
@@ -4596,7 +4596,7 @@ the STDOUT file descriptor, then we write to STDOUT the message from the
 @emph{write_std} buffer.
 
 To find out on which port a device is listening on we connect to the local
-SDP server and searche the registered service for that device.
+SDP server and search the registered service for that device.
 
 @emph{You should be aware of the fact that if the device fails to connect
 to another one when trying to send a message it will attempt one more
@@ -4659,17 +4659,17 @@ For Windows I decided to use the Microsoft Bluetooth stack which has the
 advantage of coming standard from Windows XP SP2. The main disadvantage is
 that it only supports the RFCOMM protocol so we will not be able to have
 a low level control over the Bluetooth device. Therefore it is the user
-responsability to check if the device is up and in the discoverable mode.
+responsibility to check if the device is up and in the discoverable mode.
 Also there are no tools which could be used for debugging in order to read
 the data coming from and going to a Bluetooth device, which obviously
 hindered my work. Another thing that slowed down the implementation of the
-plugin (besides that I wasn't too accomodated with the win32 API) was that
+plugin (besides that I wasn't too accommodated with the win32 API) was that
 there were some bugs on MinGW regarding the Bluetooth. Now they are solved
 but you should keep in mind that you should have the latest updates
 (especially the @emph{ws2bth} header).
 
 Besides the fact that it uses the Windows Sockets, the Windows
-implemenation follows the same principles as the GNU/Linux one:
+implementation follows the same principles as the GNU/Linux one:
 
 @itemize @bullet
 @item It has a initalization part where it initializes the
@@ -4714,7 +4714,7 @@ broadcast messages. When it receives a broadcast message it will skip it.
 @item Implement the broadcast functionality on Windows @emph{(currently
 working on)}
 @item Implement a testcase for the helper :@ @emph{The testcase
-consists of a program which emaluates the plugin and uses the helper. It
+consists of a program which emulates the plugin and uses the helper. It
 will simulate connections, disconnections and data transfers.}
 @end itemize
 
@@ -4902,7 +4902,7 @@ peers connecting, peers disconnecting and incoming messages) and send
 messages to connected peers using
 @code{GNUNET_CORE_notify_transmit_ready}. Note that applications must
 cancel pending transmission requests if they receive a disconnect event
-for a peer that had a transmission pending; furthermore, queueing more
+for a peer that had a transmission pending; furthermore, queuing more
 than one transmission request per peer per application using the
 service is not permitted.
 
@@ -5197,11 +5197,11 @@ The API is heavily base on the CORE API.
 CADET delivers messages to other peers in "channels".
 A channel is a permanent connection defined by a destination peer
 (identified by its public key) and a port number.
-Internally, CADET tunnels all channels towards a destiantion peer
+Internally, CADET tunnels all channels towards a destination peer
 using one session key and relays the data on multiple "connections",
 independent from the channels.
 
-Each channel has optional paramenters, the most important being the
+Each channel has optional parameters, the most important being the
 reliability flag.
 Should a message get lost on TRANSPORT/CORE level, if a channel is
 created with as reliable, CADET will retransmit the lost message and
@@ -5242,15 +5242,15 @@ case. To be alerted when a channel is online, a client can call
 @code{GNUNET_CADET_notify_transmit_ready} immediately after
 @code{GNUNET_CADET_create_channel}. When the callback is activated, it
 means that the channel is online. The callback can give 0 bytes to CADET
-if no message is to be sent, this is ok.
+if no message is to be sent, this is OK.
 
 If a transmission was requested but before the callback fires it is no
-longer needed, it can be cancelled with
+longer needed, it can be canceled with
 @code{GNUNET_CADET_notify_transmit_ready_cancel}, which uses the handle
 given back by @code{GNUNET_CADET_notify_transmit_ready}.
 As in the case of CORE, only one message can be requested at a time: a
 client must not call @code{GNUNET_CADET_notify_transmit_ready} again until
-the callback is called or the request is cancelled.
+the callback is called or the request is canceled.
 
 When a channel is no longer needed, a client can call
 @code{GNUNET_CADET_channel_destroy} to get rid of it.
@@ -5298,10 +5298,10 @@ all of the details can be found in this technical report.
 @subsection Motivation
 
 
-Some subsytems, like DHT, need to know the size of the GNUnet network to
+Some subsystems, like DHT, need to know the size of the GNUnet network to
 optimize some parameters of their own protocol. The decentralized nature
 of GNUnet makes efficient and securely counting the exact number of peers
-infeasable. Although there are several decentralized algorithms to count
+infeasible. Although there are several decentralized algorithms to count
 the number of peers in a system, so far there is none to do so securely.
 Other protocols may allow any malicious peer to manipulate the final
 result or to take advantage of the system to perform
@@ -5323,7 +5323,7 @@ GNUnet's NSE protocol avoids these drawbacks.
 The NSE subsystem is designed to be resilient against these attacks.
 It uses @uref{http://en.wikipedia.org/wiki/Proof-of-work_system, proofs of work}
 to prevent one peer from impersonating a large number of participants,
-which would otherwise allow an adversary to artifically inflate the
+which would otherwise allow an adversary to artificially inflate the
 estimate.
 The DoS protection comes from the time-based nature of the protocol:
 the estimates are calculated periodically and out-of-time traffic is
@@ -5385,7 +5385,7 @@ to all the other peers, who will calculate the estimate from it.
 The target value itself is generated by hashing the current time, rounded
 down to an agreed value. If the rounding amount is 1h (default) and the
 time is 12:34:56, the time to hash would be 12:00:00. The process is
-repeated each rouning amount (in this example would be every hour).
+repeated each rounding amount (in this example would be every hour).
 Every repetition is called a round.
 
 @node Timing
@@ -5397,12 +5397,12 @@ its ID all at one. Once each peer has the target random value, it
 compares its own ID to the target and calculates the hypothetical size of
 the network if that peer were to be the closest.
 Then it compares the hypothetical size with the estimate from the previous
-rounds. For each value there is an assiciated point in the period,
+rounds. For each value there is an associated point in the period,
 let's call it "broadcast time". If its own hypothetical estimate
 is the same as the previous global estimate, its "broadcast time" will be
 in the middle of the round. If its bigger it will be earlier and if its
 smaller (the most likely case) it will be later. This ensures that the
-peers closests to the target value start broadcasting their ID the first.
+peers closest to the target value start broadcasting their ID the first.
 
 @node Controlled Flooding
 @subsubsection Controlled Flooding
@@ -5415,7 +5415,7 @@ with a message containing the better value. Then it checks a proof of
 work that must be included in the incoming message, to ensure that the
 other peer's ID is not made up (otherwise a malicious peer could claim to
 have an ID of exactly the target value every round). Once validated, it
-compares the brodcast time of the received value with the current time
+compares the broadcast time of the received value with the current time
 and if it's not too early, sends the received value to its neighbors.
 Otherwise it stores the value until the correct broadcast time comes.
 This prevents unnecessary traffic of sub-optimal values, since a better
@@ -5429,7 +5429,7 @@ to the neighbors.
 @c %**end of header
 
 Once the closest ID has been spread across the network each peer gets the
-exact distance betweed this ID and the target value of the round and
+exact distance between this ID and the target value of the round and
 calculates the estimate with a mathematical formula described in the tech
 report. The estimate generated with this method for a single round is not
 very precise. Remember the case of the example, where the only peer is the
@@ -5453,7 +5453,7 @@ calls: @code{GNUNET_NSE_connect} and @code{GNUNET_NSE_disconnect}.
 The connect call gets a callback function as a parameter and this function
 is called each time the network agrees on an estimate. This usually is
 once per round, with some exceptions: if the closest peer has a late
-local clock and starts spreading his ID after everyone else agreed on a
+local clock and starts spreading its ID after everyone else agreed on a
 value, the callback might be activated twice in a round, the second value
 being always bigger than the first. The default round time is set to
 1 hour.
@@ -5503,7 +5503,7 @@ size is between one third and three times the estimate. This can of
 course vary with network conditions.
 Thus, applications may want to also consider the provided standard
 deviation value, not only the average (in particular, if the standard
-veriation is very high, the average maybe meaningless: the network size is
+variation is very high, the average maybe meaningless: the network size is
 changing rapidly).
 
 @node libgnunetnse - Examples
@@ -5579,12 +5579,12 @@ is what we are flooding the network with right now.
 At the beginning of each round the peer does the following:
 
 @itemize @bullet
-@item calculates his own distance to the target value
+@item calculates its own distance to the target value
 @item creates, signs and stores the message for the current round (unless
 it has a better message in the "next round" slot which came early in the
 previous round)
 @item calculates, based on the stored round message (own or received) when
-to stard flooding it to its neighbors
+to start flooding it to its neighbors
 @end itemize
 
 Upon receiving a message the peer checks the validity of the message
@@ -6085,7 +6085,7 @@ convenience API to do just that. Use @code{GNUNET_IDENTITY_ego_lookup} to
 lookup a single ego by name. Note that this is the user's name for the
 ego, not the service function. The resulting ego will be returned via a
 callback and will only be valid during that callback. The operation can
-be cancelled via @code{GNUNET_IDENTITY_ego_lookup_cancel}
+be canceled via @code{GNUNET_IDENTITY_ego_lookup_cancel}
 (cancellation is only legal before the callback is invoked).
 
 @node Associating egos with service functions
@@ -6215,8 +6215,8 @@ So a client has first to retrieve records, merge with existing records
 and then store the result.
 
 To perform a lookup operation, the client uses the
-@code{GNUNET_NAMESTORE_records_store} function. Here he has to pass the
-namestore handle, the private key of the zone and the label. He also has
+@code{GNUNET_NAMESTORE_records_store} function. Here it has to pass the
+namestore handle, the private key of the zone and the label. It also has
 to provide a callback function which will be called with the result of
 the lookup operation:
 the zone for the records, the label, and the records including the
@@ -6239,7 +6239,7 @@ by NAMESTORE.
 Here a client uses the @code{GNUNET_NAMESTORE_zone_iteration_start}
 function and passes the namestore handle, the zone to iterate over and a
 callback function to call with the result.
-If the client wants to iterate over all the, he passes NULL for the zone.
+If the client wants to iterate over all the WHAT!? FIXME, it passes NULL for the zone.
 A @code{GNUNET_NAMESTORE_ZoneIterator} handle is returned to be used to
 continue iteration.
 
@@ -6658,7 +6658,7 @@ The size of an element's data is limited to around 62 KB.
 
 Sets created by a local client can be modified and reused for multiple
 operations. As each set operation requires potentially expensive special
-auxilliary data to be computed for each element of a set, a set can only
+auxiliary data to be computed for each element of a set, a set can only
 participate in one type of set operation (i.e. union or intersection).
 The type of a set is determined upon its creation.
 If a the elements of a set are needed for an operation of a different
@@ -6778,7 +6778,7 @@ until the client calls @code{GNUNET_SET_commit}
 @c %**end of header
 
 To create symmetry between the two ways of starting a set operation
-(accepting and nitiating it), the operation handles returned by
+(accepting and initiating it), the operation handles returned by
 @code{GNUNET_SET_accept} and @code{GNUNET_SET_prepare} do not yet have a
 set to operate on, thus they can not do any work yet.
 
@@ -6935,10 +6935,10 @@ number of iterations).
 The receiver of the message removes all elements from its local set that
 do not pass the Bloom filter test.
 It then checks if the set size of the sender and the XOR over the keys
-match what is left of his own set. If they do, he sends a
+match what is left of its own set. If they do, it sends a
 @code{GNUNET_MESSAGE_TYPE_SET_INTERSECTION_P2P_DONE} back to indicate
 that the latest set is the final result.
-Otherwise, the receiver starts another Bloom fitler exchange, except
+Otherwise, the receiver starts another Bloom filter exchange, except
 this time as the sender.
 
 @node Salt
@@ -6946,7 +6946,7 @@ this time as the sender.
 
 @c %**end of header
 
-Bloomfilter operations are probablistic: With some non-zero probability
+Bloomfilter operations are probabilistic: With some non-zero probability
 the test may incorrectly say an element is in the set, even though it is
 not.
 
@@ -6999,7 +6999,7 @@ message. If the IBF fully decodes, the peer responds with a
 GNUNET_MESSAGE_TYPE_SET_UNION_P2P_DONE message instead of another
 GNUNET_MESSAGE_TYPE_SET_UNION_P2P_IBF.
 
-All Bloom filter operations use a salt to mingle keys before hasing them
+All Bloom filter operations use a salt to mingle keys before hashing them
 into buckets, such that future iterations have a fresh chance of
 succeeding if they failed due to collisions before.
 
@@ -7557,7 +7557,7 @@ already knows more than about a thousand blocks may need to send
 several of these messages. Naturally, the client should transmit these
 messages as quickly as possible after the original GET request such that
 the DHT can filter those results in the network early on. Naturally, as
-these messages are sent after the original request, it is conceivalbe
+these messages are sent after the original request, it is conceivable
 that the DHT service may return blocks that match those already known
 to the client anyway.
 
@@ -7670,7 +7670,7 @@ duplicate results) and when they obtain a matching, non-filtered response
 a @code{struct PeerResultMessage} of type
 @code{GNUNET_MESSAGE_TYPE_DHT_P2P_RESULT} is forwarded to the previous
 hop.
-Whenver a result is forwarded, the block plugin is used to update the
+Whenever a result is forwarded, the block plugin is used to update the
 Bloom filter accordingly, to ensure that the same result is never
 forwarded more than once.
 The DHT service may also cache forwarded results locally if the
@@ -7737,7 +7737,7 @@ record types.
 
 @c %**end of header
 
-The GNS API itself is extremely simple. Clients first connec to the
+The GNS API itself is extremely simple. Clients first connect to the
 GNS service using @code{GNUNET_GNS_connect}.
 They can then perform lookups using @code{GNUNET_GNS_lookup} or cancel
 pending lookups using @code{GNUNET_GNS_lookup_cancel}.
@@ -7786,9 +7786,9 @@ their respective zones can automatically be learned and added to the
 the shorten zone. If NULL is passed, shortening is disabled.
 @item proc This argument identifies
 the function to call with the result. It is given proc_cls, the number of
-records found (possilby zero) and the array of the records as arguments.
+records found (possibly zero) and the array of the records as arguments.
 proc will only be called once. After proc,> has been called, the lookup
-must no longer be cancelled.
+must no longer be canceled.
 @item proc_cls The closure for proc.
 @end table
 
@@ -7943,7 +7943,7 @@ This is merely one method for how we can obtain GNS queries.
 It is also possible to change @code{resolv.conf} to point to a machine
 running @code{gnunet-dns2gns} or to modify libc's name system switch
 (NSS) configuration to include a GNS resolution plugin.
-The method described in this chaper is more of a last-ditch catch-all
+The method described in this chapter is more of a last-ditch catch-all
 approach.
 
 @code{gnunet-service-dns} enables intercepting DNS traffic using policy
@@ -8111,8 +8111,8 @@ This returns the handle required for all other operations on the
 NAMECACHE. Using @code{GNUNET_NAMECACHE_block_cache} clients can insert a
 block into the cache.
 @code{GNUNET_NAMECACHE_lookup_block} can be used to lookup blocks that
-were stored in the NAMECACHE. Both operations can be cancelled using
-@code{GNUNET_NAMECACHE_cancel}. Note that cancelling a
+were stored in the NAMECACHE. Both operations can be canceled using
+@code{GNUNET_NAMECACHE_cancel}. Note that canceling a
 @code{GNUNET_NAMECACHE_block_cache} operation can result in the block
 being stored in the NAMECACHE --- or not. Cancellation primarily ensures
 that the continuation function with the result of the operation will no
@@ -8239,7 +8239,7 @@ When a revocation is performed, the revocation is first of all
 disseminated by flooding the overlay network.
 The goal is to reach every peer, so that when a peer needs to check if a
 key has been revoked, this will be purely a local operation where the
-peer looks at his local revocation list. Flooding the network is also the
+peer looks at its local revocation list. Flooding the network is also the
 most robust form of key revocation --- an adversary would have to control
 a separator of the overlay graph to restrict the propagation of the
 revocation message. Flooding is also very easy to implement --- peers that
@@ -8299,7 +8299,7 @@ revocations.
 @code{GNUNET_REVOCATION_query} is used to check if a given ECDSA public
 key has been revoked.
 The given callback will be invoked with the result of the check.
-The query can be cancelled using @code{GNUNET_REVOCATION_query_cancel} on
+The query can be canceled using @code{GNUNET_REVOCATION_query_cancel} on
 the return value.
 
 @node Preparing revocations
@@ -8477,7 +8477,7 @@ metadata describing the content of the namespace.
 Instead of the name of the identifier for a potential update, it contains
 the identifier for the root of the namespace.
 The URI should always be empty. The @code{SBlock} is signed with the
-content provder's RSA private key (just like any other SBlock). Peers
+content provider's RSA private key (just like any other SBlock). Peers
 can search for @code{SBlock}s in order to find out more about a namespace.
 
 @node KSBlocks
@@ -8800,5 +8800,5 @@ so please make sure that endpoints are unambiguous.
 @subsection Endpoint documentation
 
 This is WIP. Endpoints should be documented appropriately.
-Perferably using annotations.
+Preferably using annotations.
 
diff --git a/doc/documentation/chapters/installation.texi b/doc/documentation/chapters/installation.texi
new file mode 100644
index 000000000..f6dd69216
--- /dev/null
+++ b/doc/documentation/chapters/installation.texi
@@ -0,0 +1,2226 @@
+@node Installing GNUnet
+@chapter Installing GNUnet
+
+This guide is intended for those who want to install Gnunet from
+source. For instructions on how to install GNUnet as a binary package
+please refer to the official documentation of your operating system or
+package manager.
+
+@menu
+* Installing dependencies::
+* Getting the Source Code::
+* Create @code{gnunet} user and group::
+* Preparing and Compiling the Source Code::
+* Installation::
+* MOVED FROM USER Checking the Installation::
+* MOVED FROM USER The graphical configuration interface::
+* MOVED FROM USER Config Leftovers::
+@end menu
+
+@c -----------------------------------------------------------------------
+@node Installing dependencies
+@section Installing dependencies
+GNUnet needs few libraries and applications for being able to run and
+another few optional ones for using certain features. Preferably they
+should be installed with a package manager. Just in case we include a
+link to the project websites.
+
+The mandatory libraries and applications are
+@itemize @bullet
+@item libtool
+@item autoconf >= version 2.59
+@item automake >= version 1.11.1
+@item pkg-config
+@item libgcrypt >= version 1.6
+@item libextractor
+@item libidn
+@item libmicrohttpd >= version 0.9.52
+@item libnss 
+@item libunistring
+@item gettext
+@item glibc
+@item libgmp
+@item gnutls
+@item libcurl (has to be linked to GnuTLS) or libgnurl
+@item zlib
+@end itemize
+
+In addition GNUnet needs one of of these three databases
+@itemize @bullet
+@item sqlite + libsqlite (the default, requires no further configuration)
+@item postgres + libpq
+@item mysql + libmysqlclient
+@end itemize
+
+These are the dependencies only required for certain features
+@itemize @bullet
+@item Texinfo (for building the documentation)
+@item Texlive (for building the documentation)
+@item miniupnpc (for traversing NAT boxes more reliably)
+@item libopus (for running the GNUnet conversation telephony application)
+@item libpulse (for running the GNUnet conversation telephony application)
+@item libogg (for running the GNUnet conversation telephony application)
+@item bluez (for bluetooth support)
+@item libpbc
+(for attribute-based encryption and the identity provider subsystem)
+@item libgabe
+(for attribute-based encryption and the identity provider subsystem)
+@end itemize
+
+@c -----------------------------------------------------------------------
+@node Getting the Source Code
+@section Getting the Source Code
+You can either download the source code using git (you obviously need
+git installed) or as an archive.
+
+Using git type
+@example
+git clone https://gnunet.org/git/gnunet.git
+@end example
+
+The archive can be found at
+@uref{https://gnunet.org/downloads}. Extract it using a graphical
+archive tool or @code{tar}:
+@example
+tar xzvf gnunet-0.11.0pre66.tar.gz
+@end example
+
+In the next chapter we will assume that the source code is available
+in the home directory at @code{~/gnunet}.
+
+@c -----------------------------------------------------------------------
+@node Create @code{gnunet} user and group
+@section Create @code{gnunet} user and group
+The GNUnet services should be run as a dedicated user called
+@code{gnunet}. For using them a user should be in the same group as
+this system user.
+
+Create user @code{gnunet} who is member of the group @code{gnunet} and
+specify a home directory where the GNUnet services will store
+persistant data such as information about peers.
+@example
+$ sudo useradd --system --groups gnunet --home-dir /var/lib/gnunet
+@end example
+
+Now add your own user to the @code{gnunet} group.
+@example
+$ sudo adduser alice gnunet
+@end example
+
+@c -----------------------------------------------------------------------
+@node Preparing and Compiling the Source Code
+@section Preparing and Compiling the Source Code
+For preparing the source code for compilation a bootstrap script and
+@code{configure} has to be run from the source code directory. When
+running @code{configure} the following options can be specified to
+customize the compilation and installation process:
+
+@itemize @bullet
+@item @code{--disable-documentation} - don't build the configuration documents
+@item @code{--enable-looging=[LOGLEVEL]} - choose a loglevel (@code{debug}, @code{info}, @code{warning} or @code{error})
+@item @code{--prefix=[PATH]} - the directory where the GNUnet libraries and binaries will be installed
+@item @code{--with-extractor=[PATH]} - the path to libextractor
+@item @code{--with-libidn=[PATH]} - the path to libidn
+@item @code{--with-microhttpd=[PATH]} - the path to libmicrohttpd
+@item @code{--with-sqlite=[PATH]} - the path to libsqlite
+@item @code{--with-zlib=[PATH]} - the path to zlib
+@item @code{--with-sudo=[PATH]} - path to the sudo binary (no need to run @code{make install} as root if specified)
+@end itemize
+
+The following example configures the installation prefix
+@code{/usr/lib} and disables building the documentation
+@example
+$ cd ~/gnunet
+$ ./bootstrap
+$ configure --prefix=/usr/lib --disable-configuration
+@end example
+
+After running the bootstrap script and @code{configure} successfully
+the source code can be compiled with make. Here @code{-j5} specifies
+that 5 threads should be used.
+@example
+$ make -j5
+@end example
+
+@c -----------------------------------------------------------------------
+@node Installation
+@section Installation
+The compiled binaries can be installed using @code{make install}. It
+needs to be run as root (or with sudo) because some binaries need the
+@code{suid} bit set. Without that some GNUnet subsystems (such as VPN)
+will not work.
+
+@example
+$ sudo make install
+@end example
+
+One important library is the GNS plugin for NSS (the name services
+switch) which allows using GNS (the GNU name system) in the normal DNS
+resolution process. Unfortunately NSS expects it in a specific
+location (probably @code{/lib}) which may differ from the installation
+prefix (see @code{--prefix} option in the previous section). This is
+why the pugin has to be installed manually.
+
+Find the directory where nss plugins are installed on your system, e.g.
+
+@example
+$ ls -l /lib/libnss_*
+/lib/libnss_mymachines.so.2
+/lib/libnss_resolve.so.2
+/lib/libnss_myhostname.so.2
+/lib/libnss_systemd.so.2
+@end example
+
+Copy the GNS NSS plugin to that directory:
+
+@example
+cp ~/gnunet/src/gns/nss/libnss_gns.so.2 /lib
+@end example
+
+Now, to activate the plugin, you need to edit your
+@code{/etc/nsswitch.conf} where you should find a line like this:
+
+@example
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+@end example
+
+The exact details may differ a bit, which is fine. Add the text
+@code{"gns [NOTFOUND=return]"} after @code{"files"}.
+
+@example
+hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4
+@end example
+
+Optionally, if GNS shall be used with a browser, execute the GNS
+CA-setup script. It will isetup the GNS Certificate Authority with the
+user's browser.
+@example
+$ gnunet-gns-proxy-setup-ca
+@end example
+
+Finally install a configuration file in
+@code{~/.gnunet/gnunet.conf}. Below you find an example config which
+allows you to start GNUnet.
+
+@example
+[arm]
+SYSTEM_ONLY = NO
+USER_ONLY = NO
+
+[transport]
+PLUGINS = tcp
+@end example
+
+
+
+
+
+
+@node MOVED FROM USER Checking the Installation
+@section MOVED FROM USER Checking the Installation
+@c %**end of header
+
+This section describes a quick, casual way to check if your GNUnet
+installation works. However, if it does not, we do not cover
+steps for recovery --- for this, please study the instructions
+provided in the developer handbook as well as the system-specific
+instruction in the source code repository@footnote{The system specific
+instructions are not provided as part of this handbook!}.
+
+
+@menu
+* gnunet-gtk::
+* Statistics::
+* Peer Information::
+@end menu
+
+@cindex GNUnet GTK
+@cindex GTK
+@cindex GTK user interface
+@node gnunet-gtk
+@subsection gnunet-gtk
+@c %**end of header
+
+The @command{gnunet-gtk} package contains several graphical
+user interfaces for the respective GNUnet applications.
+Currently these interfaces cover:
+
+@itemize @bullet
+@item Statistics
+@item Peer Information
+@item GNU Name System
+@item File Sharing
+@item Identity Management
+@item Conversation
+@end itemize
+
+@node Statistics
+@subsection Statistics
+@c %**end of header
+
+First, you should launch GNUnet gtk@footnote{Obviously you should also
+start gnunet, via gnunet-arm or the system provided method}.
+You can do this from the command-line by typing
+
+@example
+gnunet-statistics-gtk
+@end example
+
+If your peer@footnote{The term ``peer'' is a common word used in
+federated and distributed networks to describe a participating device
+which is connected to the network. Thus, your Personal Computer or
+whatever it is you are looking at the Gtk+ interface describes a
+``Peer'' or a ``Node''.}  is running correctly, you should see a bunch
+of lines, all of which should be ``significantly'' above zero (at
+least if your peer has been running for more than a few seconds). The
+lines indicate how many other peers your peer is connected to (via
+different mechanisms) and how large the entire overlay network is
+currently estimated to be. The X-axis represents time (in seconds
+since the start of @command{gnunet-gtk}).
+
+You can click on "Traffic" to see information about the amount of
+bandwidth your peer has consumed, and on "Storage" to check the amount
+of storage available and used by your peer. Note that "Traffic" is
+plotted cumulatively, so you should see a strict upwards trend in the
+traffic.
+
+@node Peer Information
+@subsection Peer Information
+@c %**end of header
+
+First, you should launch the graphical user interface.  You can do
+this from the command-line by typing
+
+@example
+$ gnunet-peerinfo-gtk
+@end example
+
+Once you have done this, you will see a list of known peers (by the
+first four characters of their public key), their friend status (all
+should be marked as not-friends initially), their connectivity (green
+is connected, red is disconnected), assigned bandwidth, country of
+origin (if determined) and address information. If hardly any peers
+are listed and/or if there are very few peers with a green light for
+connectivity, there is likely a problem with your network
+configuration.
+
+@c NOTE: Inserted from Installation Handbook in original ``order'':
+@c FIXME: Move this to User Handbook.
+@node MOVED FROM USER The graphical configuration interface
+@section MOVED FROM USER The graphical configuration interface
+
+If you also would like to use @command{gnunet-gtk} and
+@command{gnunet-setup} (highly recommended for beginners), do:
+
+@menu
+* Configuring your peer::
+* Configuring the Friend-to-Friend (F2F) mode::
+* Configuring the hostlist to bootstrap::
+* Configuration of the HOSTLIST proxy settings::
+* Configuring your peer to provide a hostlist ::
+* Configuring the datastore::
+* Configuring the MySQL database::
+* Reasons for using MySQL::
+* Reasons for not using MySQL::
+* Setup Instructions::
+* Testing::
+* Performance Tuning::
+* Setup for running Testcases::
+* Configuring the Postgres database::
+* Reasons to use Postgres::
+* Reasons not to use Postgres::
+* Manual setup instructions::
+* Testing the setup manually::
+* Configuring the datacache::
+* Configuring the file-sharing service::
+* Configuring logging::
+* Configuring the transport service and plugins::
+* Configuring the WLAN transport plugin::
+* Configuring HTTP(S) reverse proxy functionality using Apache or nginx::
+* Blacklisting peers::
+* Configuration of the HTTP and HTTPS transport plugins::
+* Configuring the GNU Name System::
+* Configuring the GNUnet VPN::
+* Bandwidth Configuration::
+* Configuring NAT::
+* Peer configuration for distributions::
+@end menu
+
+@node Configuring your peer
+@subsection Configuring your peer
+
+This chapter will describe the various configuration options in GNUnet.
+
+The easiest way to configure your peer is to use the
+@command{gnunet-setup} tool.
+@command{gnunet-setup} is part of the @command{gnunet-gtk}
+application. You might have to install it separately.
+
+Many of the specific sections from this chapter actually are linked from
+within @command{gnunet-setup} to help you while using the setup tool.
+
+While you can also configure your peer by editing the configuration
+file by hand, this is not recommended for anyone except for developers
+as it requires a more in-depth understanding of the configuration files
+and internal dependencies of GNUnet.
+
+@node Configuring the Friend-to-Friend (F2F) mode
+@subsection Configuring the Friend-to-Friend (F2F) mode
+
+GNUnet knows three basic modes of operation:
+@itemize @bullet
+@item In standard "peer-to-peer" mode,
+your peer will connect to any peer.
+@item In the pure "friend-to-friend"
+mode, your peer will ONLY connect to peers from a list of friends
+specified in the configuration.
+@item Finally, in mixed mode,
+GNUnet will only connect to arbitrary peers if it
+has at least a specified number of connections to friends.
+@end itemize
+
+When configuring any of the F2F ("friend-to-friend") modes,
+you first need to create a file with the peer identities
+of your friends. Ask your friends to run
+
+@example
+$ gnunet-peerinfo -sq
+@end example
+
+@noindent
+The resulting output of this command needs to be added to your
+@file{friends} file, which is simply a plain text file with one line
+per friend with the output from the above command.
+
+You then specify the location of your @file{friends} file in the
+@code{FRIENDS} option of the "topology" section.
+
+Once you have created the @file{friends} file, you can tell GNUnet to only
+connect to your friends by setting the @code{FRIENDS-ONLY} option
+(again in the "topology" section) to YES.
+
+If you want to run in mixed-mode, set "FRIENDS-ONLY" to NO and configure a
+minimum number of friends to have (before connecting to arbitrary peers)
+under the "MINIMUM-FRIENDS" option.
+
+If you want to operate in normal P2P-only mode, simply set
+@code{MINIMUM-FRIENDS} to zero and @code{FRIENDS_ONLY} to NO.
+This is the default.
+
+@node Configuring the hostlist to bootstrap
+@subsection Configuring the hostlist to bootstrap
+
+After installing the software you need to get connected to the GNUnet
+network. The configuration file included in your download is already
+configured to connect you to the GNUnet network.
+In this section the relevant configuration settings are explained.
+
+To get an initial connection to the GNUnet network and to get to know
+peers already connected to the network you can use the so called
+"bootstrap servers".
+These servers can give you a list of peers connected to the network.
+To use these bootstrap servers you have to configure the hostlist daemon
+to activate bootstrapping.
+
+To activate bootstrapping, edit the @code{[hostlist]}-section in your
+configuration file. You have to set the argument @command{-b} in the
+options line:
+
+@example
+[hostlist]
+OPTIONS = -b
+@end example
+
+Additionally you have to specify which server you want to use.
+The default bootstrapping server is
+"@uref{http://v10.gnunet.org/hostlist, http://v10.gnunet.org/hostlist}".
+[^] To set the server you have to edit the line "SERVERS" in the hostlist
+section. To use the default server you should set the lines to
+
+@example
+SERVERS = http://v10.gnunet.org/hostlist [^]
+@end example
+
+@noindent
+To use bootstrapping your configuration file should include these lines:
+
+@example
+[hostlist]
+OPTIONS = -b
+SERVERS = http://v10.gnunet.org/hostlist [^]
+@end example
+
+@noindent
+Besides using bootstrap servers you can configure your GNUnet peer to
+receive hostlist advertisements.
+Peers offering hostlists to other peers can send advertisement messages
+to peers that connect to them. If you configure your peer to receive these
+messages, your peer can download these lists and connect to the peers
+included. These lists are persistent, which means that they are saved to
+your hard disk regularly and are loaded during startup.
+
+To activate hostlist learning you have to add the @command{-e}
+switch to the @code{OPTIONS} line in the hostlist section:
+
+@example
+[hostlist]
+OPTIONS = -b -e
+@end example
+
+@noindent
+Furthermore you can specify in which file the lists are saved.
+To save the lists in the file @file{hostlists.file} just add the line:
+
+@example
+HOSTLISTFILE = hostlists.file
+@end example
+
+@noindent
+Best practice is to activate both bootstrapping and hostlist learning.
+So your configuration file should include these lines:
+
+@example
+[hostlist]
+OPTIONS = -b -e
+HTTPPORT = 8080
+SERVERS = http://v10.gnunet.org/hostlist [^]
+HOSTLISTFILE = $SERVICEHOME/hostlists.file
+@end example
+
+@node Configuration of the HOSTLIST proxy settings
+@subsection Configuration of the HOSTLIST proxy settings
+
+The hostlist client can be configured to use a proxy to connect to the
+hostlist server.
+This functionality can be configured in the configuration file directly
+or using the @command{gnunet-setup} tool.
+
+The hostlist client supports the following proxy types at the moment:
+
+@itemize @bullet
+@item HTTP and HTTP 1.0 only proxy
+@item SOCKS 4/4a/5/5 with hostname
+@end itemize
+
+In addition authentication at the proxy with username and password can be
+configured.
+
+To configure proxy support for the hostlist client in the
+@command{gnunet-setup} tool, select the "hostlist" tab and select
+the appropriate proxy type.
+The hostname or IP address (including port if required) has to be entered
+in the "Proxy hostname" textbox. If required, enter username and password
+in the "Proxy username" and "Proxy password" boxes.
+Be aware that this information will be stored in the configuration in
+plain text (TODO: Add explanation and generalize the part in Chapter 3.6
+about the encrypted home).
+
+To provide these options directly in the configuration, you can
+enter the following settings in the @code{[hostlist]} section of
+the configuration:
+
+@example
+# Type of proxy server,
+# Valid values: HTTP, HTTP_1_0, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
+# Default: HTTP
+# PROXY_TYPE = HTTP
+
+# Hostname or IP of proxy server
+# PROXY =
+# User name for proxy server
+# PROXY_USERNAME =
+# User password for proxy server
+# PROXY_PASSWORD =
+@end example
+
+@node Configuring your peer to provide a hostlist
+@subsection Configuring your peer to provide a hostlist
+
+If you operate a peer permanently connected to GNUnet you can configure
+your peer to act as a hostlist server, providing other peers the list of
+peers known to him.
+
+Your server can act as a bootstrap server and peers needing to obtain a
+list of peers can contact it to download this list.
+To download this hostlist the peer uses HTTP.
+For this reason you have to build your peer with libgnurl (or libcurl)
+and microhttpd support.
+
+To configure your peer to act as a bootstrap server you have to add the
+@command{-p} option to @code{OPTIONS} in the @code{[hostlist]} section
+of your configuration file.
+Besides that you have to specify a port number for the http server.
+In conclusion you have to add the following lines:
+
+@example
+[hostlist]
+HTTPPORT = 12980
+OPTIONS = -p
+@end example
+
+@noindent
+If your peer acts as a bootstrap server other peers should know about
+that. You can advertise the hostlist your are providing to other peers.
+Peers connecting to your peer will get a message containing an
+advertisement for your hostlist and the URL where it can be downloaded.
+If this peer is in learning mode, it will test the hostlist and, in the
+case it can obtain the list successfully, it will save it for
+bootstrapping.
+
+To activate hostlist advertisement on your peer, you have to set the
+following lines in your configuration file:
+
+@example
+[hostlist]
+EXTERNAL_DNS_NAME = example.org
+HTTPPORT = 12981
+OPTIONS = -p -a
+@end example
+
+@noindent
+With this configuration your peer will a act as a bootstrap server and
+advertise this hostlist to other peers connecting to it.
+The URL used to download the list will be
+@code{@uref{http://example.org:12981/, http://example.org:12981/}}.
+
+Please notice:
+
+@itemize @bullet
+@item The hostlist is @b{not} human readable, so you should not try to
+download it using your webbrowser. Just point your GNUnet peer to the
+address!
+@item Advertising without providing a hostlist does not make sense and
+will not work.
+@end itemize
+
+@node Configuring the datastore
+@subsection Configuring the datastore
+
+The datastore is what GNUnet uses for long-term storage of file-sharing
+data. Note that long-term does not mean 'forever' since content does have
+an expiration date, and of course storage space is finite (and hence
+sometimes content may have to be discarded).
+
+Use the @code{QUOTA} option to specify how many bytes of storage space
+you are willing to dedicate to GNUnet.
+
+In addition to specifying the maximum space GNUnet is allowed to use for
+the datastore, you need to specify which database GNUnet should use to do
+so. Currently, you have the choice between sqLite, MySQL and Postgres.
+
+@node Configuring the MySQL database
+@subsection Configuring the MySQL database
+
+This section describes how to setup the MySQL database for GNUnet.
+
+Note that the mysql plugin does NOT work with mysql before 4.1 since we
+need prepared statements.
+We are generally testing the code against MySQL 5.1 at this point.
+
+@node Reasons for using MySQL
+@subsection Reasons for using MySQL
+
+@itemize @bullet
+
+@item On up-to-date hardware wher
+mysql can be used comfortably, this module
+will have better performance than the other database choices (according
+to our tests).
+
+@item Its often possible to recover the mysql database from internal
+inconsistencies. Some of the other databases do not support repair.
+@end itemize
+
+@node Reasons for not using MySQL
+@subsection Reasons for not using MySQL
+
+@itemize @bullet
+@item Memory usage (likely not an issue if you have more than 1 GB)
+@item Complex manual setup
+@end itemize
+
+@node Setup Instructions
+@subsection Setup Instructions
+
+@itemize @bullet
+
+@item In @file{gnunet.conf} set in section @code{DATASTORE} the value for
+@code{DATABASE} to @code{mysql}.
+
+@item Access mysql as root:
+
+@example
+$ mysql -u root -p
+@end example
+
+@noindent
+and issue the following commands, replacing $USER with the username
+that will be running @command{gnunet-arm} (so typically "gnunet"):
+
+@example
+CREATE DATABASE gnunet;
+GRANT select,insert,update,delete,create,alter,drop,create \
+temporary tables ON gnunet.* TO $USER@@localhost;
+SET PASSWORD FOR $USER@@localhost=PASSWORD('$the_password_you_like');
+FLUSH PRIVILEGES;
+@end example
+
+@item
+In the $HOME directory of $USER, create a @file{.my.cnf} file with the
+following lines
+
+@example
+[client]
+user=$USER
+password=$the_password_you_like
+@end example
+
+@end itemize
+
+That's it. Note that @file{.my.cnf} file is a slight security risk unless
+its on a safe partition. The @file{$HOME/.my.cnf} can of course be
+a symbolic link.
+Luckily $USER has only privileges to mess up GNUnet's tables,
+which should be pretty harmless.
+
+@node Testing
+@subsection Testing
+
+You should briefly try if the database connection works. First, login
+as $USER. Then use:
+
+@example
+$ mysql -u $USER
+mysql> use gnunet;
+@end example
+
+@noindent
+If you get the message
+
+@example
+Database changed
+@end example
+
+@noindent
+it probably works.
+
+If you get
+
+@example
+ERROR 2002: Can't connect to local MySQL server
+through socket '/tmp/mysql.sock' (2)
+@end example
+
+@noindent
+it may be resolvable by
+
+@example
+ln -s /var/run/mysqld/mysqld.sock /tmp/mysql.sock
+@end example
+
+@noindent
+so there may be some additional trouble depending on your mysql setup.
+
+@node Performance Tuning
+@subsection Performance Tuning
+
+For GNUnet, you probably want to set the option
+
+@example
+innodb_flush_log_at_trx_commit = 0
+@end example
+
+@noindent
+for a rather dramatic boost in MySQL performance. However, this reduces
+the "safety" of your database as with this options you may loose
+transactions during a power outage.
+While this is totally harmless for GNUnet, the option applies to all
+applications using MySQL. So you should set it if (and only if) GNUnet is
+the only application on your system using MySQL.
+
+@node Setup for running Testcases
+@subsection Setup for running Testcases
+
+If you want to run the testcases, you must create a second database
+"gnunetcheck" with the same username and password. This database will
+then be used for testing (@command{make check}).
+
+@node Configuring the Postgres database
+@subsection Configuring the Postgres database
+
+This text describes how to setup the Postgres database for GNUnet.
+
+This Postgres plugin was developed for Postgres 8.3 but might work for
+earlier versions as well.
+
+@node Reasons to use Postgres
+@subsection Reasons to use Postgres
+
+@itemize @bullet
+@item Easier to setup than MySQL
+@item Real database
+@end itemize
+
+@node Reasons not to use Postgres
+@subsection Reasons not to use Postgres
+
+@itemize @bullet
+@item Quite slow
+@item Still some manual setup required
+@end itemize
+
+@node Manual setup instructions
+@subsection Manual setup instructions
+
+@itemize @bullet
+@item In @file{gnunet.conf} set in section @code{DATASTORE} the value for
+@code{DATABASE} to @code{postgres}.
+@item Access Postgres to create a user:
+
+@table @asis
+@item with Postgres 8.x, use:
+
+@example
+# su - postgres
+$ createuser
+@end example
+
+@noindent
+and enter the name of the user running GNUnet for the role interactively.
+Then, when prompted, do not set it to superuser, allow the creation of
+databases, and do not allow the creation of new roles.
+
+@item with Postgres 9.x, use:
+
+@example
+# su - postgres
+$ createuser -d $GNUNET_USER
+@end example
+
+@noindent
+where $GNUNET_USER is the name of the user running GNUnet.
+
+@end table
+
+
+@item
+As that user (so typically as user "gnunet"), create a database (or two):
+
+@example
+$ createdb gnunet
+# this way you can run "make check"
+$ createdb gnunetcheck
+@end example
+
+@end itemize
+
+Now you should be able to start @code{gnunet-arm}.
+
+@node Testing the setup manually
+@subsection Testing the setup manually
+
+You may want to try if the database connection works. First, again login
+as the user who will run @command{gnunet-arm}. Then use:
+
+@example
+$ psql gnunet # or gnunetcheck
+gnunet=> \dt
+@end example
+
+@noindent
+If, after you have started @command{gnunet-arm} at least once, you get
+a @code{gn090} table here, it probably works.
+
+@node Configuring the datacache
+@subsection Configuring the datacache
+@c %**end of header
+
+The datacache is what GNUnet uses for storing temporary data. This data is
+expected to be wiped completely each time GNUnet is restarted (or the
+system is rebooted).
+
+You need to specify how many bytes GNUnet is allowed to use for the
+datacache using the @code{QUOTA} option in the section @code{[dhtcache]}.
+Furthermore, you need to specify which database backend should be used to
+store the data. Currently, you have the choice between
+sqLite, MySQL and Postgres.
+
+@node Configuring the file-sharing service
+@subsection Configuring the file-sharing service
+
+In order to use GNUnet for file-sharing, you first need to make sure
+that the file-sharing service is loaded.
+This is done by setting the @code{START_ON_DEMAND} option in
+section @code{[fs]} to "YES". Alternatively, you can run
+
+@example
+$ gnunet-arm -i fs
+@end example
+
+@noindent
+to start the file-sharing service by hand.
+
+Except for configuring the database and the datacache the only important
+option for file-sharing is content migration.
+
+Content migration allows your peer to cache content from other peers as
+well as send out content stored on your system without explicit requests.
+This content replication has positive and negative impacts on both system
+performance and privacy.
+
+FIXME: discuss the trade-offs. Here is some older text about it...
+
+Setting this option to YES allows gnunetd to migrate data to the local
+machine. Setting this option to YES is highly recommended for efficiency.
+Its also the default. If you set this value to YES, GNUnet will store
+content on your machine that you cannot decrypt.
+While this may protect you from liability if the judge is sane, it may
+not (IANAL). If you put illegal content on your machine yourself, setting
+this option to YES will probably increase your chances to get away with it
+since you can plausibly deny that you inserted the content.
+Note that in either case, your anonymity would have to be broken first
+(which may be possible depending on the size of the GNUnet network and the
+strength of the adversary).
+
+@node Configuring logging
+@subsection Configuring logging
+
+Logging in GNUnet 0.9.0 is controlled via the "-L" and "-l" options.
+Using @code{-L}, a log level can be specified. With log level
+@code{ERROR} only serious errors are logged.
+The default log level is @code{WARNING} which causes anything of
+concern to be logged.
+Log level @code{INFO} can be used to log anything that might be
+interesting information whereas
+@code{DEBUG} can be used by developers to log debugging messages
+(but you need to run @code{./configure} with
+@code{--enable-logging=verbose} to get them compiled).
+The @code{-l} option is used to specify the log file.
+
+Since most GNUnet services are managed by @code{gnunet-arm}, using the
+@code{-l} or @code{-L} options directly is not possible.
+Instead, they can be specified using the @code{OPTIONS} configuration
+value in the respective section for the respective service.
+In order to enable logging globally without editing the @code{OPTIONS}
+values for each service, @command{gnunet-arm} supports a
+@code{GLOBAL_POSTFIX} option.
+The value specified here is given as an extra option to all services for
+which the configuration does contain a service-specific @code{OPTIONS}
+field.
+
+@code{GLOBAL_POSTFIX} can contain the special sequence "@{@}" which
+is replaced by the name of the service that is being started.
+Furthermore, @code{GLOBAL_POSTFIX} is special in that sequences
+starting with "$" anywhere in the string are expanded (according
+to options in @code{PATHS}); this expansion otherwise is
+only happening for filenames and then the "$" must be the
+first character in the option. Both of these restrictions do
+not apply to @code{GLOBAL_POSTFIX}.
+Note that specifying @code{%} anywhere in the @code{GLOBAL_POSTFIX}
+disables both of these features.
+
+In summary, in order to get all services to log at level
+@code{INFO} to log-files called @code{SERVICENAME-logs}, the
+following global prefix should be used:
+
+@example
+GLOBAL_POSTFIX = -l $SERVICEHOME/@{@}-logs -L INFO
+@end example
+
+@node Configuring the transport service and plugins
+@subsection Configuring the transport service and plugins
+
+The transport service in GNUnet is responsible to maintain basic
+connectivity to other peers.
+Besides initiating and keeping connections alive it is also responsible
+for address validation.
+
+The GNUnet transport supports more than one transport protocol.
+These protocols are configured together with the transport service.
+
+The configuration section for the transport service itself is quite
+similar to all the other services
+
+@example
+START_ON_DEMAND = YES
+@@UNIXONLY@@ PORT = 2091
+HOSTNAME = localhost
+HOME = $SERVICEHOME
+CONFIG = $DEFAULTCONFIG
+BINARY = gnunet-service-transport
+#PREFIX = valgrind
+NEIGHBOUR_LIMIT = 50
+ACCEPT_FROM = 127.0.0.1;
+ACCEPT_FROM6 = ::1;
+PLUGINS = tcp udp
+UNIXPATH = /tmp/gnunet-service-transport.sock
+@end example
+
+Different are the settings for the plugins to load @code{PLUGINS}.
+The first setting specifies which transport plugins to load.
+
+@itemize @bullet
+@item transport-unix
+A plugin for local only communication with UNIX domain sockets. Used for
+testing and available on unix systems only. Just set the port
+
+@example
+[transport-unix]
+PORT = 22086
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@item transport-tcp
+A plugin for communication with TCP. Set port to 0 for client mode with
+outbound only connections
+
+@example
+[transport-tcp]
+# Use 0 to ONLY advertise as a peer behind NAT (no port binding)
+PORT = 2086
+ADVERTISED_PORT = 2086
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+# Maximum number of open TCP connections allowed
+MAX_CONNECTIONS = 128
+@end example
+
+@item transport-udp
+A plugin for communication with UDP. Supports peer discovery using
+broadcasts.
+
+@example
+[transport-udp]
+PORT = 2086
+BROADCAST = YES
+BROADCAST_INTERVAL = 30 s
+MAX_BPS = 1000000
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@item transport-http
+HTTP and HTTPS support is split in two part: a client plugin initiating
+outbound connections and a server part accepting connections from the
+client. The client plugin just takes the maximum number of connections as
+an argument.
+
+@example
+[transport-http_client]
+MAX_CONNECTIONS = 128
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@example
+[transport-https_client]
+MAX_CONNECTIONS = 128
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@noindent
+The server has a port configured and the maximum number of connections.
+The HTTPS part has two files with the certificate key and the certificate
+file.
+
+The server plugin supports reverse proxies, so a external hostname can be
+set using the @code{EXTERNAL_HOSTNAME} setting.
+The webserver under this address should forward the request to the peer
+and the configure port.
+
+@example
+[transport-http_server]
+EXTERNAL_HOSTNAME = fulcrum.net.in.tum.de/gnunet
+PORT = 1080
+MAX_CONNECTIONS = 128
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@example
+[transport-https_server]
+PORT = 4433
+CRYPTO_INIT = NORMAL
+KEY_FILE = https.key
+CERT_FILE = https.cert
+MAX_CONNECTIONS = 128
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+
+@item transport-wlan
+
+The next section describes how to setup the WLAN plugin,
+so here only the settings. Just specify the interface to use:
+
+@example
+[transport-wlan]
+# Name of the interface in monitor mode (typically monX)
+INTERFACE = mon0
+# Real hardware, no testing
+TESTMODE = 0
+TESTING_IGNORE_KEYS = ACCEPT_FROM;
+@end example
+@end itemize
+
+@node Configuring the WLAN transport plugin
+@subsection Configuring the WLAN transport plugin
+
+The wlan transport plugin enables GNUnet to send and to receive data on a
+wlan interface.
+It has not to be connected to a wlan network as long as sender and
+receiver are on the same channel. This enables you to get connection to
+GNUnet where no internet access is possible, for example during
+catastrophes or when censorship cuts you off from the internet.
+
+
+@menu
+* Requirements for the WLAN plugin::
+* Configuration::
+* Before starting GNUnet::
+* Limitations and known bugs::
+@end menu
+
+
+@node Requirements for the WLAN plugin
+@subsubsection Requirements for the WLAN plugin
+
+@itemize @bullet
+
+@item wlan network card with monitor support and packet injection
+(see @uref{http://www.aircrack-ng.org/, aircrack-ng.org})
+
+@item Linux kernel with mac80211 stack, introduced in 2.6.22, tested with
+2.6.35 and 2.6.38
+
+@item Wlantools to create the a monitor interface, tested with airmon-ng
+of the aircrack-ng package
+@end itemize
+
+@node Configuration
+@subsubsection Configuration
+
+There are the following options for the wlan plugin (they should be like
+this in your default config file, you only need to adjust them if the
+values are incorrect for your system)
+
+@example
+# section for the wlan transport plugin
+[transport-wlan]
+# interface to use, more information in the
+# "Before starting GNUnet" section of the handbook.
+INTERFACE = mon0
+# testmode for developers:
+# 0 use wlan interface,
+#1 or 2 use loopback driver for tests 1 = server, 2 = client
+TESTMODE = 0
+@end example
+
+@node Before starting GNUnet
+@subsubsection Before starting GNUnet
+
+Before starting GNUnet, you have to make sure that your wlan interface is
+in monitor mode.
+One way to put the wlan interface into monitor mode (if your interface
+name is wlan0) is by executing:
+
+@example
+sudo airmon-ng start wlan0
+@end example
+
+@noindent
+Here is an example what the result should look like:
+
+@example
+Interface Chipset Driver
+wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
+(monitor mode enabled on mon0)
+@end example
+
+@noindent
+The monitor interface is mon0 is the one that you have to put into the
+configuration file.
+
+@node Limitations and known bugs
+@subsubsection Limitations and known bugs
+
+Wlan speed is at the maximum of 1 Mbit/s because support for choosing the
+wlan speed with packet injection was removed in newer kernels.
+Please pester the kernel developers about fixing this.
+
+The interface channel depends on the wlan network that the card is
+connected to. If no connection has been made since the start of the
+computer, it is usually the first channel of the card.
+Peers will only find each other and communicate if they are on the same
+channel. Channels must be set manually, i.e. using:
+
+@example
+iwconfig wlan0 channel 1
+@end example
+
+@node Configuring HTTP(S) reverse proxy functionality using Apache or nginx
+@subsection Configuring HTTP(S) reverse proxy functionality using Apache or nginx
+
+The HTTP plugin supports data transfer using reverse proxies. A reverse
+proxy forwards the HTTP request he receives with a certain URL to another
+webserver, here a GNUnet peer.
+
+So if you have a running Apache or nginx webserver you can configure it to
+be a GNUnet reverse proxy. Especially if you have a well-known webiste
+this improves censorship resistance since it looks as normal surfing
+behaviour.
+
+To do so, you have to do two things:
+
+@itemize @bullet
+@item Configure your webserver to forward the GNUnet HTTP traffic
+@item Configure your GNUnet peer to announce the respective address
+@end itemize
+
+As an example we want to use GNUnet peer running:
+
+@itemize @bullet
+
+@item HTTP server plugin on @code{gnunet.foo.org:1080}
+
+@item HTTPS server plugin on @code{gnunet.foo.org:4433}
+
+@item A apache or nginx webserver on
+@uref{http://www.foo.org/, http://www.foo.org:80/}
+
+@item A apache or nginx webserver on https://www.foo.org:443/
+@end itemize
+
+And we want the webserver to accept GNUnet traffic under
+@code{http://www.foo.org/bar/}. The required steps are described here:
+
+@menu
+* Reverse Proxy - Configure your Apache2 HTTP webserver::
+* Reverse Proxy - Configure your Apache2 HTTPS webserver::
+* Reverse Proxy - Configure your nginx HTTPS webserver::
+* Reverse Proxy - Configure your nginx HTTP webserver::
+* Reverse Proxy - Configure your GNUnet peer::
+@end menu
+
+@node Reverse Proxy - Configure your Apache2 HTTP webserver
+@subsubsection Reverse Proxy - Configure your Apache2 HTTP webserver
+
+First of all you need mod_proxy installed.
+
+Edit your webserver configuration. Edit
+@code{/etc/apache2/apache2.conf} or the site-specific configuration file.
+
+In the respective @code{server config},@code{virtual host} or
+@code{directory} section add the following lines:
+
+@example
+ProxyTimeout 300
+ProxyRequests Off
+<Location /bar/ >
+ProxyPass http://gnunet.foo.org:1080/
+ProxyPassReverse http://gnunet.foo.org:1080/
+</Location>
+@end example
+
+@node Reverse Proxy - Configure your Apache2 HTTPS webserver
+@subsubsection Reverse Proxy - Configure your Apache2 HTTPS webserver
+
+We assume that you already have an HTTPS server running, if not please
+check how to configure a HTTPS host. An uncomplicated to use example
+is the example configuration file for Apache2/HTTPD provided in
+@file{apache2/sites-available/default-ssl}.
+
+In the respective HTTPS @code{server config},@code{virtual host} or
+@code{directory} section add the following lines:
+
+@example
+SSLProxyEngine On
+ProxyTimeout 300
+ProxyRequests Off
+<Location /bar/ >
+ProxyPass https://gnunet.foo.org:4433/
+ProxyPassReverse https://gnunet.foo.org:4433/
+</Location>
+@end example
+
+@noindent
+More information about the apache mod_proxy configuration can be found
+in the Apache documentation@footnote{@uref{http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass, http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass}}
+
+@node Reverse Proxy - Configure your nginx HTTPS webserver
+@subsubsection Reverse Proxy - Configure your nginx HTTPS webserver
+
+Since nginx does not support chunked encoding, you first of all have to
+install the @code{chunkin} module@footnote{@uref{http://wiki.nginx.org/HttpChunkinModule, http://wiki.nginx.org/HttpChunkinModule}}
+
+To enable chunkin add:
+
+@example
+chunkin on;
+error_page 411 = @@my_411_error;
+location @@my_411_error @{
+chunkin_resume;
+@}
+@end example
+
+@noindent
+Edit your webserver configuration. Edit @file{/etc/nginx/nginx.conf} or
+the site-specific configuration file.
+
+In the @code{server} section add:
+
+@example
+location /bar/ @{
+proxy_pass http://gnunet.foo.org:1080/;
+proxy_buffering off;
+proxy_connect_timeout 5; # more than http_server
+proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
+proxy_http_version 1.1; # 1.0 default
+proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
+@}
+@end example
+
+@node Reverse Proxy - Configure your nginx HTTP webserver
+@subsubsection Reverse Proxy - Configure your nginx HTTP webserver
+
+Edit your webserver configuration. Edit @file{/etc/nginx/nginx.conf} or
+the site-specific configuration file.
+
+In the @code{server} section add:
+
+@example
+ssl_session_timeout 6m;
+location /bar/
+@{
+proxy_pass https://gnunet.foo.org:4433/;
+proxy_buffering off;
+proxy_connect_timeout 5; # more than http_server
+proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
+proxy_http_version 1.1; # 1.0 default
+proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
+@}
+@end example
+
+@node Reverse Proxy - Configure your GNUnet peer
+@subsubsection Reverse Proxy - Configure your GNUnet peer
+
+To have your GNUnet peer announce the address, you have to specify the
+@code{EXTERNAL_HOSTNAME} option in the @code{[transport-http_server]}
+section:
+
+@example
+[transport-http_server]
+EXTERNAL_HOSTNAME = http://www.foo.org/bar/
+@end example
+
+@noindent
+and/or @code{[transport-https_server]} section:
+
+@example
+[transport-https_server]
+EXTERNAL_HOSTNAME = https://www.foo.org/bar/
+@end example
+
+@noindent
+Now restart your webserver and your peer...
+
+@node Blacklisting peers
+@subsection Blacklisting peers
+
+Transport service supports to deny connecting to a specific peer of to a
+specific peer with a specific transport plugin using te blacklisting
+component of transport service. With@ blacklisting it is possible to deny
+connections to specific peers of@ to use a specific plugin to a specific
+peer. Peers can be blacklisted using@ the configuration or a blacklist
+client can be asked.
+
+To blacklist peers using the configuration you have to add a section to
+your configuration containing the peer id of the peer to blacklist and
+the plugin@ if required.
+
+Examples:
+
+To blacklist connections to P565... on peer AG2P... using tcp add:
+
+@c FIXME: This is too long and produces errors in the pdf.
+@example
+[transport-blacklist AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
+P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G = tcp
+@end example
+
+To blacklist connections to P565... on peer AG2P... using all plugins add:
+
+@example
+[transport-blacklist-AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
+P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G =
+@end example
+
+You can also add a blacklist client usign the blacklist API. On a
+blacklist check, blacklisting first checks internally if the peer is
+blacklisted and if not, it asks the blacklisting clients. Clients are
+asked if it is OK to connect to a peer ID, the plugin is omitted.
+
+On blacklist check for (peer, plugin)
+@itemize @bullet
+@item Do we have a local blacklist entry for this peer and this plugin?@
+@item YES: disallow connection@
+@item Do we have a local blacklist entry for this peer and all plugins?@
+@item YES: disallow connection@
+@item Does one of the clients disallow?@
+@item YES: disallow connection
+@end itemize
+
+@node Configuration of the HTTP and HTTPS transport plugins
+@subsection Configuration of the HTTP and HTTPS transport plugins
+
+The client parts of the http and https transport plugins can be configured
+to use a proxy to connect to the hostlist server. This functionality can
+be configured in the configuration file directly or using the
+gnunet-setup tool.
+
+Both the HTTP and HTTPS clients support the following proxy types at
+the moment:
+
+@itemize @bullet
+@item HTTP 1.1 proxy
+@item SOCKS 4/4a/5/5 with hostname
+@end itemize
+
+In addition authentication at the proxy with username and password can be
+configured.
+
+To configure proxy support for the clients in the gnunet-setup tool,
+select the "transport" tab and activate the respective plugin. Now you
+can select the appropriate proxy type. The hostname or IP address
+(including port if required) has to be entered in the "Proxy hostname"
+textbox. If required, enter username and password in the "Proxy username"
+and "Proxy password" boxes. Be aware that these information will be stored
+in the configuration in plain text.
+
+To configure these options directly in the configuration, you can
+configure the following settings in the @code{[transport-http_client]}
+and @code{[transport-https_client]} section of the configuration:
+
+@example
+# Type of proxy server,
+# Valid values: HTTP, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
+# Default: HTTP
+# PROXY_TYPE = HTTP
+
+# Hostname or IP of proxy server
+# PROXY =
+# User name for proxy server
+# PROXY_USERNAME =
+# User password for proxy server
+# PROXY_PASSWORD =
+@end example
+
+@node Configuring the GNU Name System
+@subsection Configuring the GNU Name System
+
+@menu
+* Configuring system-wide DNS interception::
+* Configuring the GNS nsswitch plugin::
+* Configuring GNS on W32::
+* GNS Proxy Setup::
+* Setup of the GNS CA::
+* Testing the GNS setup::
+@end menu
+
+
+@node Configuring system-wide DNS interception
+@subsubsection Configuring system-wide DNS interception
+
+Before you install GNUnet, make sure you have a user and group 'gnunet'
+as well as an empty group 'gnunetdns'.
+
+When using GNUnet with system-wide DNS interception, it is absolutely
+necessary for all GNUnet service processes to be started by
+@code{gnunet-service-arm} as user and group 'gnunet'. You also need to be
+sure to run @code{make install} as root (or use the @code{sudo} option to
+configure) to grant GNUnet sufficient privileges.
+
+With this setup, all that is required for enabling system-wide DNS
+interception is for some GNUnet component (VPN or GNS) to request it.
+The @code{gnunet-service-dns} will then start helper programs that will
+make the necessary changes to your firewall (@code{iptables}) rules.
+
+Note that this will NOT work if your system sends out DNS traffic to a
+link-local IPv6 address, as in this case GNUnet can intercept the traffic,
+but not inject the responses from the link-local IPv6 address. Hence you
+cannot use system-wide DNS interception in conjunction with link-local
+IPv6-based DNS servers. If such a DNS server is used, it will bypass
+GNUnet's DNS traffic interception.
+
+Using the GNU Name System (GNS) requires two different configuration
+steps.
+First of all, GNS needs to be integrated with the operating system. Most
+of this section is about the operating system level integration.
+
+The remainder of this chapter will detail the various methods for
+configuring the use of GNS with your operating system.
+
+At this point in time you have different options depending on your OS:
+
+@table @asis
+
+@item Use the gnunet-gns-proxy This approach works for all operating
+systems and is likely the easiest. However, it enables GNS only for
+browsers, not for other applications that might be using DNS, such as SSH.
+Still, using the proxy is required for using HTTP with GNS and is thus
+recommended for all users. To do this, you simply have to run the
+@code{gnunet-gns-proxy-setup-ca} script as the user who will run the
+browser (this will create a GNS certificate authority (CA) on your system
+and import its key into your browser), then start @code{gnunet-gns-proxy}
+and inform your browser to use the Socks5 proxy which
+@code{gnunet-gns-proxy} makes available by default on port 7777.
+@item Use a nsswitch plugin (recommended on GNU systems)
+This approach has the advantage of offering fully personalized resolution
+even on multi-user systems. A potential disadvantage is that some
+applications might be able to bypass GNS.
+@item Use a W32 resolver plugin (recommended on W32)
+This is currently the only option on W32 systems.
+@item Use system-wide DNS packet interception
+This approach is recommended for the GNUnet VPN. It can be used to handle
+GNS at the same time; however, if you only use this method, you will only
+get one root zone per machine (not so great for multi-user systems).
+@end table
+
+You can combine system-wide DNS packet interception with the nsswitch
+plugin.
+The setup of the system-wide DNS interception is described here. All of
+the other GNS-specific configuration steps are described in the following
+sections.
+
+@node Configuring the GNS nsswitch plugin
+@subsubsection Configuring the GNS nsswitch plugin
+
+The Name Service Switch (NSS) is a facility in Unix-like operating systems
+@footnote{More accurate: NSS is a functionality of the GNU C Library}
+that provides a variety of sources for common configuration databases and
+name resolution mechanisms.
+A superuser (system administrator) usually configures the
+operating system's name services using the file
+@file{/etc/nsswitch.conf}.
+
+GNS provides a NSS plugin to integrate GNS name resolution with the
+operating system's name resolution process.
+To use the GNS NSS plugin you have to either
+
+@itemize @bullet
+@item install GNUnet as root or
+@item compile GNUnet with the @code{--with-sudo=yes} switch.
+@end itemize
+
+Name resolution is controlled by the @emph{hosts} section in the NSS
+configuration. By default this section first performs a lookup in the
+@file{/etc/hosts} file and then in DNS.
+The nsswitch file should contain a line similar to:
+
+@example
+hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4
+@end example
+
+@noindent
+Here the GNS NSS plugin can be added to perform a GNS lookup before
+performing a DNS lookup.
+The GNS NSS plugin has to be added to the "hosts" section in
+@file{/etc/nsswitch.conf} file before DNS related plugins:
+
+@example
+...
+hosts: files gns [NOTFOUND=return] dns mdns4_minimal mdns4
+...
+@end example
+
+@noindent
+The @code{NOTFOUND=return} will ensure that if a @code{.gnu} name is not
+found in GNS it will not be queried in DNS.
+
+@node Configuring GNS on W32
+@subsubsection Configuring GNS on W32
+
+This document is a guide to configuring GNU Name System on W32-compatible
+platforms.
+
+After GNUnet is installed, run the w32nsp-install tool:
+
+@example
+w32nsp-install.exe libw32nsp-0.dll
+@end example
+
+@noindent
+('0' is the library version of W32 NSP; it might increase in the future,
+change the invocation accordingly).
+
+This will install GNS namespace provider into the system and allow other
+applications to resolve names that end in '@strong{gnu}'
+and '@strong{zkey}'. Note that namespace provider requires
+gnunet-gns-helper-service-w32 to be running, as well as gns service
+itself (and its usual dependencies).
+
+Namespace provider is hardcoded to connect to @strong{127.0.0.1:5353},
+and this is where gnunet-gns-helper-service-w32 should be listening to
+(and is configured to listen to by default).
+
+To uninstall the provider, run:
+
+@example
+w32nsp-uninstall.exe
+@end example
+
+@noindent
+(uses provider GUID to uninstall it, does not need a dll name).
+
+Note that while MSDN claims that other applications will only be able to
+use the new namespace provider after re-starting, in reality they might
+stat to use it without that. Conversely, they might stop using the
+provider after it's been uninstalled, even if they were not re-started.
+W32 will not permit namespace provider library to be deleted or
+overwritten while the provider is installed, and while there is at least
+one process still using it (even after it was uninstalled).
+
+@node GNS Proxy Setup
+@subsubsection GNS Proxy Setup
+
+When using the GNU Name System (GNS) to browse the WWW, there are several
+issues that can be solved by adding the GNS Proxy to your setup:
+
+@itemize @bullet
+
+@item If the target website does not support GNS, it might assume that it
+is operating under some name in the legacy DNS system (such as
+example.com). It may then attempt to set cookies for that domain, and the
+web server might expect a @code{Host: example.com} header in the request
+from your browser.
+However, your browser might be using @code{example.gnu} for the
+@code{Host} header and might only accept (and send) cookies for
+@code{example.gnu}. The GNS Proxy will perform the necessary translations
+of the hostnames for cookies and HTTP headers (using the LEHO record for
+the target domain as the desired substitute).
+
+@item If using HTTPS, the target site might include an SSL certificate
+which is either only valid for the LEHO domain or might match a TLSA
+record in GNS. However, your browser would expect a valid certificate for
+@code{example.gnu}, not for some legacy domain name. The proxy will
+validate the certificate (either against LEHO or TLSA) and then
+on-the-fly produce a valid certificate for the exchange, signed by your
+own CA. Assuming you installed the CA of your proxy in your browser's
+certificate authority list, your browser will then trust the
+HTTPS/SSL/TLS connection, as the hostname mismatch is hidden by the proxy.
+
+@item Finally, the proxy will in the future indicate to the server that it
+speaks GNS, which will enable server operators to deliver GNS-enabled web
+sites to your browser (and continue to deliver legacy links to legacy
+browsers)
+@end itemize
+
+@node Setup of the GNS CA
+@subsubsection Setup of the GNS CA
+
+First you need to create a CA certificate that the proxy can use.
+To do so use the provided script gnunet-gns-proxy-ca:
+
+@example
+$ gnunet-gns-proxy-setup-ca
+@end example
+
+@noindent
+This will create a personal certification authority for you and add this
+authority to the firefox and chrome database. The proxy will use the this
+CA certificate to generate @code{*.gnu} client certificates on the fly.
+
+Note that the proxy uses libcurl. Make sure your version of libcurl uses
+GnuTLS and NOT OpenSSL. The proxy will @b{not} work with libcurl compiled
+against OpenSSL.
+
+You can check the configuration your libcurl was build with by
+running:
+
+@example
+curl --version
+@end example
+
+the output will look like this (without the linebreaks):
+
+@example
+gnurl --version
+curl 7.56.0 (x86_64-unknown-linux-gnu) libcurl/7.56.0 \
+GnuTLS/3.5.13 zlib/1.2.11 libidn2/2.0.4
+Release-Date: 2017-10-08
+Protocols: http https
+Features: AsynchDNS IDN IPv6 Largefile NTLM SSL libz \
+TLS-SRP UnixSockets HTTPS-proxy
+@end example
+
+@node Testing the GNS setup
+@subsubsection Testing the GNS setup
+
+Now for testing purposes we can create some records in our zone to test
+the SSL functionality of the proxy:
+
+@example
+$ gnunet-identity -C test
+$ gnunet-namestore -a -e "1 d" -n "homepage" \
+  -t A -V 131.159.74.67 -z test
+$ gnunet-namestore -a -e "1 d" -n "homepage" \
+  -t LEHO -V "gnunet.org" -z test
+@end example
+
+@noindent
+At this point we can start the proxy. Simply execute
+
+@example
+$ gnunet-gns-proxy
+@end example
+
+@noindent
+Configure your browser to use this SOCKSv5 proxy on port 7777 and visit
+this link.
+If you use @command{Firefox} (or one of its derivatives/forks such as
+Icecat) you also have to go to @code{about:config} and set the key
+@code{network.proxy.socks_remote_dns} to @code{true}.
+
+When you visit @code{https://homepage.test/}, you should get to the
+@code{https://gnunet.org/} frontpage and the browser (with the correctly
+configured proxy) should give you a valid SSL certificate for
+@code{homepage.gnu} and no warnings. It should look like this:
+
+@c FIXME: Image does not exist, create it or save it from Drupal?
+@c @image{images/gnunethpgns.png,5in,, picture of homepage.gnu in Webbrowser}
+
+
+@node Configuring the GNUnet VPN
+@subsection Configuring the GNUnet VPN
+
+@menu
+* IPv4 address for interface::
+* IPv6 address for interface::
+* Configuring the GNUnet VPN DNS::
+* Configuring the GNUnet VPN Exit Service::
+* IP Address of external DNS resolver::
+* IPv4 address for Exit interface::
+* IPv6 address for Exit interface::
+@end menu
+
+Before configuring the GNUnet VPN, please make sure that system-wide DNS
+interception is configured properly as described in the section on the
+GNUnet DNS setup. @pxref{Configuring the GNU Name System},
+if you haven't done so already.
+
+The default options for the GNUnet VPN are usually sufficient to use
+GNUnet as a Layer 2 for your Internet connection.
+However, what you always have to specify is which IP protocol you want
+to tunnel: IPv4, IPv6 or both.
+Furthermore, if you tunnel both, you most likely should also tunnel
+all of your DNS requests.
+You theoretically can tunnel "only" your DNS traffic, but that usually
+makes little sense.
+
+The other options as shown on the gnunet-setup tool are:
+
+@node IPv4 address for interface
+@subsubsection IPv4 address for interface
+
+This is the IPv4 address the VPN interface will get. You should pick an
+'private' IPv4 network that is not yet in use for you system. For example,
+if you use @code{10.0.0.1/255.255.0.0} already, you might use
+@code{10.1.0.1/255.255.0.0}.
+If you use @code{10.0.0.1/255.0.0.0} already, then you might use
+@code{192.168.0.1/255.255.0.0}.
+If your system is not in a private IP-network, using any of the above will
+work fine.
+You should try to make the mask of the address big enough
+(@code{255.255.0.0} or, even better, @code{255.0.0.0}) to allow more
+mappings of remote IP Addresses into this range.
+However, even a @code{255.255.255.0} mask will suffice for most users.
+
+@node IPv6 address for interface
+@subsubsection IPv6 address for interface
+
+The IPv6 address the VPN interface will get. Here you can specify any
+non-link-local address (the address should not begin with @code{fe80:}).
+A subnet Unique Local Unicast (@code{fd00::/8} prefix) that you are
+currently not using would be a good choice.
+
+@node Configuring the GNUnet VPN DNS
+@subsubsection Configuring the GNUnet VPN DNS
+
+To resolve names for remote nodes, activate the DNS exit option.
+
+@node Configuring the GNUnet VPN Exit Service
+@subsubsection Configuring the GNUnet VPN Exit Service
+
+If you want to allow other users to share your Internet connection (yes,
+this may be dangerous, just as running a Tor exit node) or want to
+provide access to services on your host (this should be less dangerous,
+as long as those services are secure), you have to enable the GNUnet exit
+daemon.
+
+You then get to specify which exit functions you want to provide. By
+enabling the exit daemon, you will always automatically provide exit
+functions for manually configured local services (this component of the
+system is under
+development and not documented further at this time). As for those
+services you explicitly specify the target IP address and port, there is
+no significant security risk in doing so.
+
+Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet.
+Being a DNS exit is usually pretty harmless. However, enabling IPv4 or
+IPv6-exit without further precautions may enable adversaries to access
+your local network, send spam, attack other systems from your Internet
+connection and to other mischief that will appear to come from your
+machine. This may or may not get you into legal trouble.
+If you want to allow IPv4 or IPv6-exit functionality, you should strongly
+consider adding additional firewall rules manually to protect your local
+network and to restrict outgoing TCP traffic (i.e. by not allowing access
+to port 25). While we plan to improve exit-filtering in the future,
+you're currently on your own here.
+Essentially, be prepared for any kind of IP-traffic to exit the respective
+TUN interface (and GNUnet will enable IP-forwarding and NAT for the
+interface automatically).
+
+Additional configuration options of the exit as shown by the gnunet-setup
+tool are:
+
+@node IP Address of external DNS resolver
+@subsubsection IP Address of external DNS resolver
+
+If DNS traffic is to exit your machine, it will be send to this DNS
+resolver. You can specify an IPv4 or IPv6 address.
+
+@node IPv4 address for Exit interface
+@subsubsection IPv4 address for Exit interface
+
+This is the IPv4 address the Interface will get. Make the mask of the
+address big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more
+mappings of IP addresses into this range. As for the VPN interface, any
+unused, private IPv4 address range will do.
+
+@node IPv6 address for Exit interface
+@subsubsection IPv6 address for Exit interface
+
+The public IPv6 address the interface will get. If your kernel is not a
+very recent kernel and you are willing to manually enable IPv6-NAT, the
+IPv6 address you specify here must be a globally routed IPv6 address of
+your host.
+
+Suppose your host has the address @code{2001:4ca0::1234/64}, then
+using @code{2001:4ca0::1:0/112} would be fine (keep the first 64 bits,
+then change at least one bit in the range before the bitmask, in the
+example above we changed bit 111 from 0 to 1).
+
+You may also have to configure your router to route traffic for the entire
+subnet (@code{2001:4ca0::1:0/112} for example) through your computer (this
+should be automatic with IPv6, but obviously anything can be
+disabled).
+
+@node Bandwidth Configuration
+@subsection Bandwidth Configuration
+
+You can specify how many bandwidth GNUnet is allowed to use to receive
+and send data. This is important for users with limited bandwidth or
+traffic volume.
+
+@node Configuring NAT
+@subsection Configuring NAT
+
+Most hosts today do not have a normal global IP address but instead are
+behind a router performing Network Address Translation (NAT) which assigns
+each host in the local network a private IP address.
+As a result, these machines cannot trivially receive inbound connections
+from the Internet. GNUnet supports NAT traversal to enable these machines
+to receive incoming connections from other peers despite their
+limitations.
+
+In an ideal world, you can press the "Attempt automatic configuration"
+button in gnunet-setup to automatically configure your peer correctly.
+Alternatively, your distribution might have already triggered this
+automatic configuration during the installation process.
+However, automatic configuration can fail to determine the optimal
+settings, resulting in your peer either not receiving as many connections
+as possible, or in the worst case it not connecting to the network at all.
+
+To manually configure the peer, you need to know a few things about your
+network setup. First, determine if you are behind a NAT in the first
+place.
+This is always the case if your IP address starts with "10.*" or
+"192.168.*". Next, if you have control over your NAT router, you may
+choose to manually configure it to allow GNUnet traffic to your host.
+If you have configured your NAT to forward traffic on ports 2086 (and
+possibly 1080) to your host, you can check the "NAT ports have been opened
+manually" option, which corresponds to the "PUNCHED_NAT" option in the
+configuration file. If you did not punch your NAT box, it may still be
+configured to support UPnP, which allows GNUnet to automatically
+configure it. In that case, you need to install the "upnpc" command,
+enable UPnP (or PMP) on your NAT box and set the "Enable NAT traversal
+via UPnP or PMP" option (corresponding to "ENABLE_UPNP" in the
+configuration file).
+
+Some NAT boxes can be traversed using the autonomous NAT traversal method.
+This requires certain GNUnet components to be installed with "SUID"
+privileges on your system (so if you're installing on a system you do
+not have administrative rights to, this will not work).
+If you installed as 'root', you can enable autonomous NAT traversal by
+checking the "Enable NAT traversal using ICMP method".
+The ICMP method requires a way to determine your NAT's external (global)
+IP address. This can be done using either UPnP, DynDNS, or by manual
+configuration. If you have a DynDNS name or know your external IP address,
+you should enter that name under "External (public) IPv4 address" (which
+corresponds to the "EXTERNAL_ADDRESS" option in the configuration file).
+If you leave the option empty, GNUnet will try to determine your external
+IP address automatically (which may fail, in which case autonomous
+NAT traversal will then not work).
+
+Finally, if you yourself are not behind NAT but want to be able to
+connect to NATed peers using autonomous NAT traversal, you need to check
+the "Enable connecting to NATed peers using ICMP method" box.
+
+
+@node Peer configuration for distributions
+@subsection Peer configuration for distributions
+
+The "GNUNET_DATA_HOME" in "[path]" in @file{/etc/gnunet.conf} should be
+manually set to "/var/lib/gnunet/data/" as the default
+"~/.local/share/gnunet/" is probably not that appropriate in this case.
+Similarly, distributions may consider pointing "GNUNET_RUNTIME_DIR" to
+"/var/run/gnunet/" and "GNUNET_HOME" to "/var/lib/gnunet/". Also, should a
+distribution decide to override system defaults, all of these changes
+should be done in a custom @file{/etc/gnunet.conf} and not in the files
+in the @file{config.d/} directory.
+
+Given the proposed access permissions, the "gnunet-setup" tool must be
+run as use "gnunet" (and with option "-c /etc/gnunet.conf" so that it
+modifies the system configuration). As always, gnunet-setup should be run
+after the GNUnet peer was stopped using "gnunet-arm -e". Distributions
+might want to include a wrapper for gnunet-setup that allows the
+desktop-user to "sudo" (i.e. using gtksudo) to the "gnunet" user account
+and then runs "gnunet-arm -e", "gnunet-setup" and "gnunet-arm -s" in
+sequence.
+
+@node MOVED FROM USER Config Leftovers
+@section MOVED FROM USER Config Leftovers
+
+This section describes how to start a GNUnet peer. It assumes that you
+have already compiled and installed GNUnet and its' dependencies.
+Before you start a GNUnet peer, you may want to create a configuration
+file using gnunet-setup (but you do not have to).
+Sane defaults should exist in your
+@file{$GNUNET_PREFIX/share/gnunet/config.d/} directory, so in practice
+you could simply start without any configuration. If you want to
+configure your peer later, you need to stop it before invoking the
+@code{gnunet-setup} tool to customize further and to test your
+configuration (@code{gnunet-setup} has build-in test functions).
+
+The most important option you might have to still set by hand is in
+[PATHS]. Here, you use the option "GNUNET_HOME" to specify the path where
+GNUnet should store its data.
+It defaults to @code{$HOME/}, which again should work for most users.
+Make sure that the directory specified as GNUNET_HOME is writable to
+the user that you will use to run GNUnet (note that you can run frontends
+using other users, GNUNET_HOME must only be accessible to the user used to
+run the background processes).
+
+You will also need to make one central decision: should all of GNUnet be
+run under your normal UID, or do you want distinguish between system-wide
+(user-independent) GNUnet services and personal GNUnet services. The
+multi-user setup is slightly more complicated, but also more secure and
+generally recommended.
+
+@menu
+* The Single-User Setup::
+* The Multi-User Setup::
+* Killing GNUnet services::
+* Access Control for GNUnet::
+@end menu
+
+@node The Single-User Setup
+@subsection The Single-User Setup
+
+For the single-user setup, you do not need to do anything special and can
+just start the GNUnet background processes using @code{gnunet-arm}.
+By default, GNUnet looks in @file{~/.config/gnunet.conf} for a
+configuration (or @code{$XDG_CONFIG_HOME/gnunet.conf} if@
+@code{$XDG_CONFIG_HOME} is defined). If your configuration lives
+elsewhere, you need to pass the @code{-c FILENAME} option to all GNUnet
+commands.
+
+Assuming the configuration file is called @file{~/.config/gnunet.conf},
+you start your peer using the @code{gnunet-arm} command (say as user
+@code{gnunet}) using:
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -s
+@end example
+
+@noindent
+The "-s" option here is for "start". The command should return almost
+instantly. If you want to stop GNUnet, you can use:
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -e
+@end example
+
+@noindent
+The "-e" option here is for "end".
+
+Note that this will only start the basic peer, no actual applications
+will be available.
+If you want to start the file-sharing service, use (after starting
+GNUnet):
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -i fs
+@end example
+
+@noindent
+The "-i fs" option here is for "initialize" the "fs" (file-sharing)
+application. You can also selectively kill only file-sharing support using
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -k fs
+@end example
+
+@noindent
+Assuming that you want certain services (like file-sharing) to be always
+automatically started whenever you start GNUnet, you can activate them by
+setting "IMMEDIATE_START=YES" in the respective section of the configuration
+file (for example, "[fs]"). Then GNUnet with file-sharing support would
+be started whenever you@ enter:
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -s
+@end example
+
+@noindent
+Alternatively, you can combine the two options:
+
+@example
+gnunet-arm -c ~/.config/gnunet.conf -s -i fs
+@end example
+
+@noindent
+Using @code{gnunet-arm} is also the preferred method for initializing
+GNUnet from @code{init}.
+
+Finally, you should edit your @code{crontab} (using the @code{crontab}
+command) and insert a line@
+
+@example
+@@reboot gnunet-arm -c ~/.config/gnunet.conf -s
+@end example
+
+to automatically start your peer whenever your system boots.
+
+@node The Multi-User Setup
+@subsection The Multi-User Setup
+
+This requires you to create a user @code{gnunet} and an additional group
+@code{gnunetdns}, prior to running @code{make install} during
+installation.
+Then, you create a configuration file @file{/etc/gnunet.conf} which should
+contain the lines:@
+
+@example
+[arm]
+START_SYSTEM_SERVICES = YES
+START_USER_SERVICES = NO
+@end example
+
+@noindent
+Then, perform the same steps to run GNUnet as in the per-user
+configuration, except as user @code{gnunet} (including the
+@code{crontab} installation).
+You may also want to run @code{gnunet-setup} to configure your peer
+(databases, etc.).
+Make sure to pass @code{-c /etc/gnunet.conf} to all commands. If you
+run @code{gnunet-setup} as user @code{gnunet}, you might need to change
+permissions on @file{/etc/gnunet.conf} so that the @code{gnunet} user can
+write to the file (during setup).
+
+Afterwards, you need to perform another setup step for each normal user
+account from which you want to access GNUnet. First, grant the normal user
+(@code{$USER}) permission to the group gnunet:
+
+@example
+# adduser $USER gnunet
+@end example
+
+@noindent
+Then, create a configuration file in @file{~/.config/gnunet.conf} for the
+$USER with the lines:
+
+@example
+[arm]
+START_SYSTEM_SERVICES = NO
+START_USER_SERVICES = YES
+@end example
+
+@noindent
+This will ensure that @code{gnunet-arm} when started by the normal user
+will only run services that are per-user, and otherwise rely on the
+system-wide services.
+Note that the normal user may run gnunet-setup, but the
+configuration would be ineffective as the system-wide services will use
+@file{/etc/gnunet.conf} and ignore options set by individual users.
+
+Again, each user should then start the peer using
+@file{gnunet-arm -s} --- and strongly consider adding logic to start
+the peer automatically to their crontab.
+
+Afterwards, you should see two (or more, if you have more than one USER)
+@code{gnunet-service-arm} processes running in your system.
+
+@node Killing GNUnet services
+@subsection Killing GNUnet services
+
+It is not necessary to stop GNUnet services explicitly when shutting
+down your computer.
+
+It should be noted that manually killing "most" of the
+@code{gnunet-service} processes is generally not a successful method for
+stopping a peer (since @code{gnunet-service-arm} will instantly restart
+them). The best way to explicitly stop a peer is using
+@code{gnunet-arm -e}; note that the per-user services may need to be
+terminated before the system-wide services will terminate normally.
+
+@node Access Control for GNUnet
+@subsection Access Control for GNUnet
+
+This chapter documents how we plan to make access control work within the
+GNUnet system for a typical peer. It should be read as a best-practice
+installation guide for advanced users and builders of binary
+distributions. The recommendations in this guide apply to POSIX-systems
+with full support for UNIX domain sockets only.
+
+Note that this is an advanced topic. The discussion presumes a very good
+understanding of users, groups and file permissions. Normal users on
+hosts with just a single user can just install GNUnet under their own
+account (and possibly allow the installer to use SUDO to grant additional
+permissions for special GNUnet tools that need additional rights).
+The discussion below largely applies to installations where multiple users
+share a system and to installations where the best possible security is
+paramount.
+
+A typical GNUnet system consists of components that fall into four
+categories:
+
+@table @asis
+
+@item User interfaces
+User interfaces are not security sensitive and are supposed to be run and
+used by normal system users.
+The GTK GUIs and most command-line programs fall into this category.
+Some command-line tools (like gnunet-transport) should be excluded as they
+offer low-level access that normal users should not need.
+@item System services and support tools
+System services should always run and offer services that can then be
+accessed by the normal users.
+System services do not require special permissions, but as they are not
+specific to a particular user, they probably should not run as a
+particular user. Also, there should typically only be one GNUnet peer per
+host. System services include the gnunet-service and gnunet-daemon
+programs; support tools include command-line programs such as gnunet-arm.
+@item Privileged helpers
+Some GNUnet components require root rights to open raw sockets or perform
+other special operations. These gnunet-helper binaries are typically
+installed SUID and run from services or daemons.
+@item Critical services
+Some GNUnet services (such as the DNS service) can manipulate the service
+in deep and possibly highly security sensitive ways. For example, the DNS
+service can be used to intercept and alter any DNS query originating from
+the local machine. Access to the APIs of these critical services and their
+privileged helpers must be tightly controlled.
+@end table
+
+@c FIXME: The titles of these chapters are too long in the index.
+
+@menu
+* Recommendation - Disable access to services via TCP::
+* Recommendation - Run most services as system user "gnunet"::
+* Recommendation - Control access to services using group "gnunet"::
+* Recommendation - Limit access to certain SUID binaries by group "gnunet"::
+* Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"::
+* Differences between "make install" and these recommendations::
+@end menu
+
+@node Recommendation - Disable access to services via TCP
+@subsubsection Recommendation - Disable access to services via TCP
+
+GNUnet services allow two types of access: via TCP socket or via UNIX
+domain socket.
+If the service is available via TCP, access control can only be
+implemented by restricting connections to a particular range of IP
+addresses.
+This is acceptable for non-critical services that are supposed to be
+available to all users on the local system or local network.
+However, as TCP is generally less efficient and it is rarely the case
+that a single GNUnet peer is supposed to serve an entire local network,
+the default configuration should disable TCP access to all GNUnet
+services on systems with support for UNIX domain sockets.
+As of GNUnet 0.9.2, configuration files with TCP access disabled should be
+generated by default. Users can re-enable TCP access to particular
+services simply by specifying a non-zero port number in the section of
+the respective service.
+
+
+@node Recommendation - Run most services as system user "gnunet"
+@subsubsection Recommendation - Run most services as system user "gnunet"
+
+GNUnet's main services should be run as a separate user "gnunet" in a
+special group "gnunet".
+The user "gnunet" should start the peer using "gnunet-arm -s" during
+system startup. The home directory for this user should be
+@file{/var/lib/gnunet} and the configuration file should be
+@file{/etc/gnunet.conf}.
+Only the @code{gnunet} user should have the right to access
+@file{/var/lib/gnunet} (@emph{mode: 700}).
+
+@node Recommendation - Control access to services using group "gnunet"
+@subsubsection Recommendation - Control access to services using group "gnunet"
+
+Users that should be allowed to use the GNUnet peer should be added to the
+group "gnunet". Using GNUnet's access control mechanism for UNIX domain
+sockets, those services that are considered useful to ordinary users
+should be made available by setting "UNIX_MATCH_GID=YES" for those
+services.
+Again, as shipped, GNUnet provides reasonable defaults.
+Permissions to access the transport and core subsystems might additionally
+be granted without necessarily causing security concerns.
+Some services, such as DNS, must NOT be made accessible to the "gnunet"
+group (and should thus only be accessible to the "gnunet" user and
+services running with this UID).
+
+@node Recommendation - Limit access to certain SUID binaries by group "gnunet"
+@subsubsection Recommendation - Limit access to certain SUID binaries by group "gnunet"
+
+Most of GNUnet's SUID binaries should be safe even if executed by normal
+users. However, it is possible to reduce the risk a little bit more by
+making these binaries owned by the group "gnunet" and restricting their
+execution to user of the group "gnunet" as well (4750).
+
+@node Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"
+@subsubsection Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"
+
+A special group "gnunetdns" should be created for controlling access to
+the "gnunet-helper-dns".
+The binary should then be owned by root and be in group "gnunetdns" and
+be installed SUID and only be group-executable (2750).
+@b{Note that the group "gnunetdns" should have no users in it at all,
+ever.}
+The "gnunet-service-dns" program should be executed by user "gnunet" (via
+gnunet-service-arm) with the binary owned by the user "root" and the group
+"gnunetdns" and be SGID (2700). This way, @strong{only}
+"gnunet-service-dns" can change its group to "gnunetdns" and execute the
+helper, and the helper can then run as root (as per SUID).
+Access to the API offered by "gnunet-service-dns" is in turn restricted
+to the user "gnunet" (not the group!), which means that only
+"benign" services can manipulate DNS queries using "gnunet-service-dns".
+
+@node Differences between "make install" and these recommendations
+@subsubsection Differences between "make install" and these recommendations
+
+The current build system does not set all permissions automatically based
+on the recommendations above. In particular, it does not use the group
+"gnunet" at all (so setting gnunet-helpers other than the
+gnunet-helper-dns to be owned by group "gnunet" must be done manually).
+Furthermore, 'make install' will silently fail to set the DNS binaries to
+be owned by group "gnunetdns" unless that group already exists (!).
+An alternative name for the "gnunetdns" group can be specified using the
+@code{--with-gnunetdns=GRPNAME} configure option.
+
diff --git a/doc/documentation/chapters/keyconcepts.texi b/doc/documentation/chapters/keyconcepts.texi
new file mode 100644
index 000000000..55f79f1c7
--- /dev/null
+++ b/doc/documentation/chapters/keyconcepts.texi
@@ -0,0 +1,308 @@
+
+@cindex Key Concepts
+@node Key Concepts
+@chapter Key Concepts
+
+In this section, the fundamental concepts of GNUnet are explained.
+@c FIXME: Use @uref{https://docs.gnunet.org/bib/, research papers}
+@c once we have the new bibliography + subdomain setup.
+Most of them are also described in our research papers.
+First, some of the concepts used in the GNUnet framework are detailed.
+The second part describes concepts specific to anonymous file-sharing.
+
+@menu
+* Authentication::
+* Accounting to Encourage Resource Sharing::
+* Confidentiality::
+* Anonymity::
+* Deniability::                       
+* Peer Identities::
+* Zones in the GNU Name System (GNS Zones)::
+* Egos::
+@end menu
+
+@cindex Authentication
+@node Authentication
+@section Authentication
+
+Almost all peer-to-peer communications in GNUnet are between mutually
+authenticated peers. The authentication works by using ECDHE, that is a
+DH (Diffie---Hellman) key exchange using ephemeral elliptic curve
+cryptography. The ephemeral ECC (Elliptic Curve Cryptography) keys are
+signed using ECDSA (@uref{http://en.wikipedia.org/wiki/ECDSA, ECDSA}).
+The shared secret from ECDHE is used to create a pair of session keys
+@c FIXME: Long word for HKDF. More FIXMEs: Explain MITM etc.
+(using HKDF) which are then used to encrypt the communication between the
+two peers using both 256-bit AES (Advanced Encryption Standard)
+and 256-bit Twofish (with independently derived secret keys).
+As only the two participating hosts know the shared secret, this
+authenticates each packet
+without requiring signatures each time. GNUnet uses SHA-512
+(Secure Hash Algorithm) hash codes to verify the integrity of messages.
+
+@c FIXME: A while back I got the feedback that I should try and integrate
+@c explanation boxes in the long-run. So we could explain
+@c "man-in-the-middle" and "man-in-the-middle attacks" and other words
+@c which are not common knowledge. MITM is not common knowledge. To be
+@c selfcontained, we should be able to explain words and concepts used in
+@c a chapter or paragraph without hinting at Wikipedia and other online
+@c sources which might not be available or accessible to everyone.
+@c On the other hand we could write an introductionary chapter or book
+@c that we could then reference in each chapter, which sound like it
+@c could be more reusable.
+In GNUnet, the identity of a host is its public key. For that reason,
+man-in-the-middle attacks will not break the authentication or accounting
+goals. Essentially, for GNUnet, the IP of the host has nothing to do with
+the identity of the host. As the public key is the only thing that truly
+matters, faking an IP, a port or any other property of the underlying
+transport protocol is irrelevant. In fact, GNUnet peers can use
+multiple IPs (IPv4 and IPv6) on multiple ports --- or even not use the
+IP protocol at all (by running directly on layer 2).
+@c FIXME: "IP protocol" feels wrong, but could be what people expect, as
+@c IP is "the number" and "IP protocol" the protocol itself in general
+@c knowledge?
+
+@c NOTE: For consistency we will use @code{HELLO}s throughout this Manual.
+GNUnet uses a special type of message to communicate a binding between
+public (ECC) keys to their current network address. These messages are
+commonly called @code{HELLO}s or @code{peer advertisements}.
+They contain the public key of the peer and its current network
+addresses for various transport services.
+A transport service is a special kind of shared library that
+provides (possibly unreliable, out-of-order) message delivery between
+peers.
+For the UDP and TCP transport services, a network address is an IP and a
+port.
+GNUnet can also use other transports (HTTP, HTTPS, WLAN, etc.) which use
+various other forms of addresses. Note that any node can have many
+different active transport services at the same time,
+and each of these can have a different addresses.
+Binding messages expire after at most a week (the timeout can be
+shorter if the user configures the node appropriately).
+This expiration ensures that the network will eventually get rid of
+outdated advertisements.
+@footnote{Ronaldo A. Ferreira, Christian Grothoff, and Paul Ruth.
+A Transport Layer Abstraction for Peer-to-Peer Networks
+Proceedings of the 3rd International Symposium on Cluster Computing
+and the Grid (GRID 2003), 2003.
+(@uref{https://gnunet.org/git/bibliography.git/plain/docs/transport.pdf, https://gnunet.org/git/bibliography.git/plain/docs/transport.pdf})}
+
+@cindex Accounting to Encourage Resource Sharing
+@node Accounting to Encourage Resource Sharing
+@section Accounting to Encourage Resource Sharing
+
+Most distributed P2P networks suffer from a lack of defenses or
+precautions against attacks in the form of freeloading.
+While the intentions of an attacker and a freeloader are different, their
+effect on the network is the same; they both render it useless.
+Most simple attacks on networks such as @command{Gnutella}
+involve flooding the network with traffic, particularly
+with queries that are, in the worst case, multiplied by the network.
+
+In order to ensure that freeloaders or attackers have a minimal impact
+on the network, GNUnet's file-sharing implementation (@code{FS} tries
+to distinguish good (contributing) nodes from malicious (freeloading)
+nodes. In GNUnet, every file-sharing node keeps track of the behavior
+of every other node it has been in contact with. Many requests
+(depending on the application) are transmitted with a priority (or
+importance) level.  That priority is used to establish how important
+the sender believes this request is. If a peer responds to an
+important request, the recipient will increase its trust in the
+responder: the responder contributed resources.  If a peer is too busy
+to answer all requests, it needs to prioritize.  For that, peers do
+not take the priorities of the requests received at face value.
+First, they check how much they trust the sender, and depending on
+that amount of trust they assign the request a (possibly lower)
+effective priority. Then, they drop the requests with the lowest
+effective priority to satisfy their resource constraints. This way,
+GNUnet's economic model ensures that nodes that are not currently
+considered to have a surplus in contributions will not be served if
+the network load is high.
+@footnote{Christian Grothoff. An Excess-Based Economic Model for Resource
+Allocation in Peer-to-Peer Networks. Wirtschaftsinformatik, June 2003.
+(@uref{https://gnunet.org/git/bibliography.git/plain/docs/ebe.pdf, https://gnunet.org/git/bibliography.git/plain/docs/ebe.pdf})}
+@c 2009?
+
+@cindex Confidentiality
+@node Confidentiality
+@section Confidentiality
+
+Adversaries (malicious, bad actors) outside of GNUnet are not supposed
+to know what kind of actions a peer is involved in. Only the specific
+neighbor of a peer that is the corresponding sender or recipient of a
+message may know its contents, and even then application protocols may
+place further restrictions on that knowledge.  In order to ensure
+confidentiality, GNUnet uses link encryption, that is each message
+exchanged between two peers is encrypted using a pair of keys only
+known to these two peers.  Encrypting traffic like this makes any kind
+of traffic analysis much harder. Naturally, for some applications, it
+may still be desirable if even neighbors cannot determine the concrete
+contents of a message.  In GNUnet, this problem is addressed by the
+specific application-level protocols. See for example the following
+sections @pxref{Anonymity}, @pxref{How file-sharing achieves Anonymity},
+and @pxref{Deniability}.
+
+@cindex Anonymity
+@node Anonymity
+@section Anonymity
+
+@menu
+* How file-sharing achieves Anonymity::
+@end menu
+
+Providing anonymity for users is the central goal for the anonymous
+file-sharing application. Many other design decisions follow in the
+footsteps of this requirement.
+Anonymity is never absolute. While there are various
+scientific metrics@footnote{Claudia Díaz, Stefaan Seys, Joris Claessens,
+and Bart Preneel. Towards measuring anonymity.
+2002.
+(@uref{https://gnunet.org/git/bibliography.git/plain/docs/article-89.pdf, https://gnunet.org/git/bibliography.git/plain/docs/article-89.pdf})}
+that can help quantify the level of anonymity that a given mechanism
+provides, there is no such thing as "complete anonymity".
+GNUnet's file-sharing implementation allows users to select for each
+operation (publish, search, download) the desired level of anonymity.
+The metric used is the amount of cover traffic available to hide the
+request.
+While this metric is not as good as, for example, the theoretical metric
+given in scientific metrics@footnote{likewise},
+it is probably the best metric available to a peer with a purely local
+view of the world that does not rely on unreliable external information.
+The default anonymity level is @code{1}, which uses anonymous routing but
+imposes no minimal requirements on cover traffic. It is possible
+to forego anonymity when this is not required. The anonymity level of
+@code{0} allows GNUnet to use more efficient, non-anonymous routing.
+
+@cindex How file-sharing achieves Anonymity
+@node How file-sharing achieves Anonymity
+@subsection How file-sharing achieves Anonymity
+
+Contrary to other designs, we do not believe that users achieve strong
+anonymity just because their requests are obfuscated by a couple of
+indirections. This is not sufficient if the adversary uses traffic
+analysis.
+The threat model used for anonymous file sharing in GNUnet assumes that
+the adversary is quite powerful.
+In particular, we assume that the adversary can see all the traffic on
+the Internet. And while we assume that the adversary
+can not break our encryption, we assume that the adversary has many
+participating nodes in the network and that it can thus see many of the
+node-to-node interactions since it controls some of the nodes. 
+
+The system tries to achieve anonymity based on the idea that users can be
+anonymous if they can hide their actions in the traffic created by other
+users.
+Hiding actions in the traffic of other users requires participating in the
+traffic, bringing back the traditional technique of using indirection and
+source rewriting. Source rewriting is required to gain anonymity since
+otherwise an adversary could tell if a message originated from a host by
+looking at the source address. If all packets look like they originate
+from one node, the adversary can not tell which ones originate from that
+node and which ones were routed.
+Note that in this mindset, any node can decide to break the
+source-rewriting paradigm without violating the protocol, as this
+only reduces the amount of traffic that a node can hide its own traffic
+in.
+
+If we want to hide our actions in the traffic of other nodes, we must make
+our traffic indistinguishable from the traffic that we route for others.
+As our queries must have us as the receiver of the reply
+(otherwise they would be useless), we must put ourselves as the receiver
+of replies that actually go to other hosts; in other words, we must
+indirect replies.
+Unlike other systems, in anonymous file-sharing as implemented on top of
+GNUnet we do not have to indirect the replies if we don't think we need
+more traffic to hide our own actions.
+
+This increases the efficiency of the network as we can indirect less under
+higher load.@footnote{Krista Bennett and Christian Grothoff.
+GAP --- practical anonymous networking. In Proceedings of
+Designing Privacy Enhancing Technologies, 2003.
+(@uref{https://gnunet.org/git/bibliography.git/plain/docs/aff.pdf, https://gnunet.org/git/bibliography.git/plain/docs/aff.pdf})}
+
+@cindex Deniability
+@node Deniability
+@section Deniability
+
+Even if the user that downloads data and the server that provides data are
+anonymous, the intermediaries may still be targets. In particular, if the
+intermediaries can find out which queries or which content they are
+processing, a strong adversary could try to force them to censor
+certain materials. 
+
+With the file-encoding used by GNUnet's anonymous file-sharing, this
+problem does not arise.
+The reason is that queries and replies are transmitted in
+an encrypted format such that intermediaries cannot tell what the query
+is for or what the content is about.  Mind that this is not the same
+encryption as the link-encryption between the nodes.  GNUnet has
+encryption on the network layer (link encryption, confidentiality,
+authentication) and again on the application layer (provided
+by @command{gnunet-publish}, @command{gnunet-download},
+@command{gnunet-search} and @command{gnunet-gtk}).
+@footnote{Christian Grothoff, Krista Grothoff, Tzvetan Horozov,
+and Jussi T. Lindgren.
+An Encoding for Censorship-Resistant Sharing.
+2009.
+(@uref{https://gnunet.org/git/bibliography.git/plain/docs/ecrs.pdf, https://gnunet.org/git/bibliography.git/plain/docs/ecrs.pdf})}
+
+@cindex Peer Identities
+@node Peer Identities
+@section Peer Identities
+
+Peer identities are used to identify peers in the network and are unique
+for each peer. The identity for a peer is simply its public key, which is
+generated along with a private key the peer is started for the first time.
+While the identity is binary data, it is often expressed as ASCII string.
+For example, the following is a peer identity as you might see it in
+various places:
+
+@example
+UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0
+@end example
+
+@noindent
+You can find your peer identity by running @command{gnunet-peerinfo -s}.
+
+@cindex Zones in the GNU Name System (GNS Zones)
+@node Zones in the GNU Name System (GNS Zones)
+@section Zones in the GNU Name System (GNS Zones)
+
+@c FIXME: Explain or link to an explanation of the concept of public keys
+@c and private keys.
+@c FIXME: Rewrite for the latest GNS changes.
+GNS@footnote{Matthias Wachs, Martin Schanzenbach, and Christian Grothoff.
+A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name
+System. In proceedings of 13th International Conference on Cryptology and
+Network Security (CANS 2014). 2014.
+@uref{https://gnunet.org/git/bibliography.git/plain/docs/gns2014wachs.pdf, https://gnunet.org/git/bibliography.git/plain/docs/gns2014wachs.pdf}}
+zones are similar to those of DNS zones, but instead of a hierarchy of
+authorities to governing their use, GNS zones are controlled by a private
+key.
+When you create a record in a DNS zone, that information is stored in your
+nameserver. Anyone trying to resolve your domain then gets pointed
+(hopefully) by the centralised authority to your nameserver.
+Whereas GNS, being fully decentralized by design, stores that information
+in DHT. The validity of the records is assured cryptographically, by
+signing them with the private key of the respective zone.
+
+Anyone trying to resolve records in a zone of your domain can then verify
+the signature of the records they get from the DHT and be assured that
+they are indeed from the respective zone.
+To make this work, there is a 1:1 correspondence between zones and
+their public-private key pairs.
+So when we talk about the owner of a GNS zone, that's really the owner of
+the private key.
+And a user accessing a zone needs to somehow specify the corresponding
+public key first.
+
+@cindex Egos
+@node Egos
+@section Egos
+
+@c what is the difference between peer identity and egos? It seems
+@c like both are linked to public-private key pair.
+Egos are your "identities" in GNUnet. Any user can assume multiple
+identities, for example to separate their activities online. Egos can
+correspond to "pseudonyms" or "real-world identities". Technically an
+ego is first of all a key pair of a public- and private-key.
diff --git a/doc/documentation/chapters/philosophy.texi b/doc/documentation/chapters/philosophy.texi
index 148f0cd91..6d80d77ae 100644
--- a/doc/documentation/chapters/philosophy.texi
+++ b/doc/documentation/chapters/philosophy.texi
@@ -5,36 +5,28 @@
 @c NOTE: We should probably re-use some of the images lynX created
 @c for secushare, showing some of the relations and functionalities
 @c of GNUnet.
-The foremost goal of the GNUnet project is to become a widely used,
-reliable, open, non-discriminating, egalitarian, unconstrained and
-censorship-resistant system of free information exchange.
-We value free speech above state secrets, law-enforcement or
-intellectual monopoly.
-GNUnet is supposed to be an anarchistic network, where the only
-limitation for participants (devices or people making use of the
-network, in the following sometimes called peers) is
-that they must contribute enough back to the network such that
-their resource consumption does not have a significant impact
-on other users.
-GNUnet should be more than just another file-sharing network.
-The plan is to offer many other services and in particular
-to serve as a development platform for the next generation of
-Internet Protocols.
+The primary goal of the GNUnet project is to provide a reliable, open,
+non-discriminating and censorship-resistant system for information
+exchange. We value free speech above state interests and intellectual
+monopoly. GNUnet's long-term goal is to serve as a development
+platform for the next generation of Internet protocols.
+
+GNUnet is an anarchistic network. Participants are encouraged to
+contribute at least as much resources (storage, bandwidth) to the network
+as they consume, so that their participation does not have a negative
+impact on other users.
 
 @menu
-* Design Goals::
-* Security and Privacy::
-* Versatility::
+* Design Principles::
+* Privacy and Anonymity::
 * Practicality::
-* Key Concepts::
 @end menu
 
-@cindex Design Goals
-@cindex Design Goals
-@node Design Goals
-@section Design Goals
+@cindex Design Principles
+@node Design Principles
+@section Design Principles
 
-These are the core GNUnet design goals, in order of relative importance:
+These are the GNUnet design principles, in order of importance:
 
 @itemize
 @item GNUnet must be implemented as
@@ -44,399 +36,45 @@ These are the core GNUnet design goals, in order of relative importance:
 the program, to study and change the program in source code form,
 to redistribute exact copies, and to distribute modified versions.
 Refer to @uref{https://www.gnu.org/philosophy/free-sw.html, https://www.gnu.org/philosophy/free-sw.html}}
-@item GNUnet must only disclose the minimal amount of information
-necessary.
+@item GNUnet must minimize the amount of personally identifiable information exposed.
 @c TODO: Explain 'fully' in the terminology section.
-@item GNUnet must be fully distributed and survive
-@uref{https://en.wikipedia.org/wiki/Byzantine_fault_tolerance, Byzantine failures}
-@footnote{@uref{https://en.wikipedia.org/wiki/Byzantine_fault_tolerance, https://en.wikipedia.org/wiki/Byzantine_fault_tolerance}}
-at any position in the network.
-@item GNUnet must make it explicit to the user which entities are
-considered to be trustworthy when establishing secured communications.
-@item GNUnet must use compartmentalization to protect sensitive
-information.
+@item GNUnet must be fully distributed and resilient to external attacks and rogue participants.
+@item GNUnet must be self-organizing and not depend on administrators or centralized infrastructure.
+@item GNUnet must inform the user which other participants have to be trusted when establishing private communications.
 @item GNUnet must be open and permit new peers to join.
-@item GNUnet must be self-organizing and not depend on administrators.
 @item GNUnet must support a diverse range of applications and devices.
-@item The GNUnet architecture must be cost effective.
-@item GNUnet must provide incentives for peers to contribute more
-resources than they consume.
+@item GNUnet must use compartmentalization to protect sensitive information.
+@item The GNUnet architecture must be resource efficient.
+@item GNUnet must provide incentives for peers to contribute more resources than they consume.
 @end itemize
 
 
-@cindex Security and Privacy
-@node Security and Privacy
-@section Security and Privacy
-
-GNUnet's primary design goals are to protect the privacy of its users and
-to guard itself against attacks or abuse.
-GNUnet does not have any mechanisms to control, track or censor users.
-Instead, the GNUnet protocols aim to make it as hard as possible to
-find out what is happening on the network or to disrupt operations. 
+@cindex Privacy and Anonymity
+@node Privacy and Anonymity
+@section Privacy and Anonymity
 
-@cindex Versatility
-@node Versatility
-@section Versatility
+The GNUnet protocols minimize the leakage of personally identifiable information of participants and
+do not allow adversaries to control, track, monitor or censor users activities. The
+GNUnet protocols also make it as hard as possible to disrupt operations by participating in the network with malicious intent. 
 
-We call GNUnet a peer-to-peer framework because we want to support many
-different forms of peer-to-peer applications. GNUnet uses a plugin
-architecture to make the system extensible and to encourage code reuse.
-While the first versions of the system only supported anonymous
-file-sharing, other applications are being worked on and more will
-hopefully follow in the future.
-A powerful synergy regarding anonymity services is created by a large
-community utilizing many diverse applications over the same software
-infrastructure. The reason is that link encryption hides the specifics
-of the traffic for non-participating observers. This way, anonymity can
-get stronger with additional (GNUnet) traffic, even if the additional
-traffic is not related to anonymous communication. Increasing anonymity
-is the primary reason why GNUnet is developed to become a peer-to-peer
+Analyzing participant's activities becomes more difficult as the number of peers and
+applications that generate traffic on the network grows, even if the additional
+traffic generated is not related to anonymous communication. This is one of the reasons why GNUnet is developed as a peer-to-peer
 framework where many applications share the lower layers of an
-increasingly complex protocol stack.
-If merging traffic to hinder traffic analysis was not important,
-we could have just developed a dozen stand-alone applications
-and a few shared libraries. 
+increasingly complex protocol stack. The GNUnet architecture encourages many
+different forms of peer-to-peer applications.
 
 @cindex Practicality
 @node Practicality
 @section Practicality
 
-GNUnet allows participants to trade various amounts of security in
-exchange for increased efficiency. However, it is not possible for any
-user's security and efficiency requirements to compromise the security
-and efficiency of any other user.
-
-For GNUnet, efficiency is not paramount. If there were a more secure and
-still practical approach, we would choose to take the more secure
-alternative. @command{telnet} is more efficient than @command{ssh}, yet
-it is obsolete.
-Hardware gets faster, and code can be optimized. Fixing security issues
-as an afterthought is much harder.
-
-While security is paramount, practicability is still a requirement.
-The most secure system is always the one that nobody can use.
-Similarly, any anonymous system that is extremely inefficient will only
-find few users.
-However, good anonymity requires a large and diverse user base. Since
-individual security requirements may vary, the only good solution here is
-to allow individuals to trade-off security and efficiency.
-The primary challenge in allowing this is to ensure that the economic
-incentives work properly.
-In particular, this means that it must be impossible for a user to gain
-security at the expense of other users. Many designs (e.g. anonymity via
-broadcast) fail to give users an incentive to choose a less secure but
-more efficient mode of operation.
-GNUnet should avoid where ever possible to rely on protocols that will
-only work if the participants are benevolent.
-While some designs have had widespread success while relying on parties
-to observe a protocol that may be sub-optimal for the individuals (e.g.
-TCP Nagle), a protocol that ensures that individual goals never conflict
-with the goals of the group is always preferable.
-
-@cindex Key Concepts
-@node Key Concepts
-@section Key Concepts
-
-In this section, the fundamental concepts of GNUnet are explained.
-@c FIXME: Use @uref{https://docs.gnunet.org/bib/, research papers}
-@c once we have the new bibliography + subdomain setup.
-Most of them are also described in our research papers.
-First, some of the concepts used in the GNUnet framework are detailed.
-The second part describes concepts specific to anonymous file-sharing.
-
-@menu
-* Authentication::
-* Accounting to Encourage Resource Sharing::
-* Confidentiality::
-* Anonymity::
-* Deniability::                       
-* Peer Identities::
-* Zones in the GNU Name System (GNS Zones)::
-* Egos::
-@end menu
-
-@cindex Authentication
-@node Authentication
-@subsection Authentication
-
-Almost all peer-to-peer communications in GNUnet are between mutually
-authenticated peers. The authentication works by using ECDHE, that is a
-DH (Diffie---Hellman) key exchange using ephemeral eliptic curve
-cryptography. The ephemeral ECC (Eliptic Curve Cryptography) keys are
-signed using ECDSA (@uref{http://en.wikipedia.org/wiki/ECDSA, ECDSA}).
-The shared secret from ECDHE is used to create a pair of session keys
-@c FIXME: LOng word for HKDF. More FIXMEs: Explain MITM etc.
-(using HKDF) which are then used to encrypt the communication between the
-two peers using both 256-bit AES (Advanced Encryption Standard)
-and 256-bit Twofish (with independently derived secret keys).
-As only the two participating hosts know the shared secret, this
-authenticates each packet
-without requiring signatures each time. GNUnet uses SHA-512
-(Secure Hash Algorithm) hash codes to verify the integrity of messages.
-
-@c Fixme: A while back I got the feedback that I should try and integrate
-@c explanation boxes in the long-run. So we could explain
-@c "man-in-the-middle" and "man-in-the-middle attacks" and other words
-@c which are not common knowledge. MITM is not common knowledge. To be
-@c selfcontained, we should be able to explain words and concepts used in
-@c a chapter or paragraph without hinting at wikipedia and other online
-@c sources which might not be available or accessible to everyone.
-@c On the other hand we could write an introductionary chapter or book
-@c that we could then reference in each chapter, which sound like it
-@c could be more reusable.
-In GNUnet, the identity of a host is its public key. For that reason,
-man-in-the-middle attacks will not break the authentication or accounting
-goals. Essentially, for GNUnet, the IP of the host has nothing to do with
-the identity of the host. As the public key is the only thing that truly
-matters, faking an IP, a port or any other property of the underlying
-transport protocol is irrelevant. In fact, GNUnet peers can use
-multiple IPs (IPv4 and IPv6) on multiple ports --- or even not use the
-IP protocol at all (by running directly on layer 2).
-@c FIXME: "IP protocol" feels wrong, but could be what people expect, as
-@c IP is "the number" and "IP protocol" the protocol itself in general
-@c knowledge?
-
-@c NOTE: For consistency we will use @code{HELLO}s throughout this Manual.
-GNUnet uses a special type of message to communicate a binding between
-public (ECC) keys to their current network address. These messages are
-commonly called @code{HELLO}s or @code{peer advertisements}.
-They contain the public key of the peer and its current network
-addresses for various transport services.
-A transport service is a special kind of shared library that
-provides (possibly unreliable, out-of-order) message delivery between
-peers.
-For the UDP and TCP transport services, a network address is an IP and a
-port.
-GNUnet can also use other transports (HTTP, HTTPS, WLAN, etc.) which use
-various other forms of addresses. Note that any node can have many
-different active transport services at the same time,
-and each of these can have a different addresses.
-Binding messages expire after at most a week (the timeout can be
-shorter if the user configures the node appropriately).
-This expiration ensures that the network will eventually get rid of
-outdated advertisements.
-@footnote{Ronaldo A. Ferreira, Christian Grothoff, and Paul Ruth.
-A Transport Layer Abstraction for Peer-to-Peer Networks
-Proceedings of the 3rd International Symposium on Cluster Computing
-and the Grid (GRID 2003), 2003.
-(@uref{https://gnunet.org/git/bibliography.git/plain/docs/transport.pdf, https://gnunet.org/git/bibliography.git/plain/docs/transport.pdf})}
-
-@cindex Accounting to Encourage Resource Sharing
-@node Accounting to Encourage Resource Sharing
-@subsection Accounting to Encourage Resource Sharing
-
-Most distributed P2P networks suffer from a lack of defenses or
-precautions against attacks in the form of freeloading.
-While the intentions of an attacker and a freeloader are different, their
-effect on the network is the same; they both render it useless.
-Most simple attacks on networks such as @command{Gnutella}
-involve flooding the network with traffic, particularly
-with queries that are, in the worst case, multiplied by the network.
-
-In order to ensure that freeloaders or attackers have a minimal impact
-on the network, GNUnet's file-sharing implementation (@code{FS} tries
-to distinguish good (contributing) nodes from malicious (freeloading)
-nodes. In GNUnet, every file-sharing node keeps track of the behavior
-of every other node it has been in contact with. Many requests
-(depending on the application) are transmitted with a priority (or
-importance) level.  That priority is used to establish how important
-the sender believes this request is. If a peer responds to an
-important request, the recipient will increase its trust in the
-responder: the responder contributed resources.  If a peer is too busy
-to answer all requests, it needs to prioritize.  For that, peers do
-not take the priorities of the requests received at face value.
-First, they check how much they trust the sender, and depending on
-that amount of trust they assign the request a (possibly lower)
-effective priority. Then, they drop the requests with the lowest
-effective priority to satisfy their resource constraints. This way,
-GNUnet's economic model ensures that nodes that are not currently
-considered to have a surplus in contributions will not be served if
-the network load is high.
-@footnote{Christian Grothoff. An Excess-Based Economic Model for Resource
-Allocation in Peer-to-Peer Networks. Wirtschaftsinformatik, June 2003.
-(@uref{https://gnunet.org/git/bibliography.git/plain/docs/ebe.pdf, https://gnunet.org/git/bibliography.git/plain/docs/ebe.pdf})}
-@c 2009?
-
-@cindex Confidentiality
-@node Confidentiality
-@subsection Confidentiality
-
-Adversaries (malicious, bad actors) outside of GNUnet are not supposed
-to know what kind of actions a peer is involved in. Only the specific
-neighbor of a peer that is the corresponding sender or recipient of a
-message may know its contents, and even then application protocols may
-place further restrictions on that knowledge.  In order to ensure
-confidentiality, GNUnet uses link encryption, that is each message
-exchanged between two peers is encrypted using a pair of keys only
-known to these two peers.  Encrypting traffic like this makes any kind
-of traffic analysis much harder. Naturally, for some applications, it
-may still be desirable if even neighbors cannot determine the concrete
-contents of a message.  In GNUnet, this problem is addressed by the
-specific application-level protocols. See for example the following
-sections @pxref{Anonymity}, @pxref{How file-sharing achieves Anonymity},
-and @pxref{Deniability}.
-
-@cindex Anonymity
-@node Anonymity
-@subsection Anonymity
+Whereever possible GNUnet allows the peer to adjust its operations
+and functionalities to specific use cases. A GNUnet peer running on
+a mobile device with limited battery for example might choose not to
+relay traffic for other participants.
 
-@menu
-* How file-sharing achieves Anonymity::
-@end menu
-
-Providing anonymity for users is the central goal for the anonymous
-file-sharing application. Many other design decisions follow in the
-footsteps of this requirement.
-Anonymity is never absolute. While there are various
-scientific metrics@footnote{Claudia Díaz, Stefaan Seys, Joris Claessens,
-and Bart Preneel. Towards measuring anonymity.
-2002.
-(@uref{https://gnunet.org/git/bibliography.git/plain/docs/article-89.pdf, https://gnunet.org/git/bibliography.git/plain/docs/article-89.pdf})}
-that can help quantify the level of anonymity that a given mechanism
-provides, there is no such thing as "complete anonymity".
-GNUnet's file-sharing implementation allows users to select for each
-operation (publish, search, download) the desired level of anonymity.
-The metric used is the amount of cover traffic available to hide the
-request.
-While this metric is not as good as, for example, the theoretical metric
-given in scientific metrics@footnote{likewise},
-it is probably the best metric available to a peer with a purely local
-view of the world that does not rely on unreliable external information.
-The default anonymity level is @code{1}, which uses anonymous routing but
-imposes no minimal requirements on cover traffic. It is possible
-to forego anonymity when this is not required. The anonymity level of
-@code{0} allows GNUnet to use more efficient, non-anonymous routing.
-
-@cindex How file-sharing achieves Anonymity
-@node How file-sharing achieves Anonymity
-@subsubsection How file-sharing achieves Anonymity
-
-Contrary to other designs, we do not believe that users achieve strong
-anonymity just because their requests are obfuscated by a couple of
-indirections. This is not sufficient if the adversary uses traffic
-analysis.
-The threat model used for anonymous file sharing in GNUnet assumes that
-the adversary is quite powerful.
-In particular, we assume that the adversary can see all the traffic on
-the Internet. And while we assume that the adversary
-can not break our encryption, we assume that the adversary has many
-participating nodes in the network and that it can thus see many of the
-node-to-node interactions since it controls some of the nodes. 
-
-The system tries to achieve anonymity based on the idea that users can be
-anonymous if they can hide their actions in the traffic created by other
-users.
-Hiding actions in the traffic of other users requires participating in the
-traffic, bringing back the traditional technique of using indirection and
-source rewriting. Source rewriting is required to gain anonymity since
-otherwise an adversary could tell if a message originated from a host by
-looking at the source address. If all packets look like they originate
-from one node, the adversary can not tell which ones originate from that
-node and which ones were routed.
-Note that in this mindset, any node can decide to break the
-source-rewriting paradigm without violating the protocol, as this
-only reduces the amount of traffic that a node can hide its own traffic
-in.
-
-If we want to hide our actions in the traffic of other nodes, we must make
-our traffic indistinguishable from the traffic that we route for others.
-As our queries must have us as the receiver of the reply
-(otherwise they would be useless), we must put ourselves as the receiver
-of replies that actually go to other hosts; in other words, we must
-indirect replies.
-Unlike other systems, in anonymous file-sharing as implemented on top of
-GNUnet we do not have to indirect the replies if we don't think we need
-more traffic to hide our own actions.
-
-This increases the efficiency of the network as we can indirect less under
-higher load.@footnote{Krista Bennett and Christian Grothoff.
-GAP --- practical anonymous networking. In Proceedings of
-Designing Privacy Enhancing Technologies, 2003.
-(@uref{https://gnunet.org/git/bibliography.git/plain/docs/aff.pdf, https://gnunet.org/git/bibliography.git/plain/docs/aff.pdf})}
-
-@cindex Deniability
-@node Deniability
-@subsection Deniability
-
-Even if the user that downloads data and the server that provides data are
-anonymous, the intermediaries may still be targets. In particular, if the
-intermediaries can find out which queries or which content they are
-processing, a strong adversary could try to force them to censor
-certain materials. 
-
-With the file-encoding used by GNUnet's anonymous file-sharing, this
-problem does not arise.
-The reason is that queries and replies are transmitted in
-an encrypted format such that intermediaries cannot tell what the query
-is for or what the content is about.  Mind that this is not the same
-encryption as the link-encryption between the nodes.  GNUnet has
-encryption on the network layer (link encryption, confidentiality,
-authentication) and again on the application layer (provided
-by @command{gnunet-publish}, @command{gnunet-download},
-@command{gnunet-search} and @command{gnunet-gtk}).
-@footnote{Christian Grothoff, Krista Grothoff, Tzvetan Horozov,
-and Jussi T. Lindgren.
-An Encoding for Censorship-Resistant Sharing.
-2009.
-(@uref{https://gnunet.org/git/bibliography.git/plain/docs/ecrs.pdf, https://gnunet.org/git/bibliography.git/plain/docs/ecrs.pdf})}
-
-@cindex Peer Identities
-@node Peer Identities
-@subsection Peer Identities
-
-Peer identities are used to identify peers in the network and are unique
-for each peer. The identity for a peer is simply its public key, which is
-generated along with a private key the peer is started for the first time.
-While the identity is binary data, it is often expressed as ASCII string.
-For example, the following is a peer identity as you might see it in
-various places:
-
-@example
-UAT1S6PMPITLBKSJ2DGV341JI6KF7B66AC4JVCN9811NNEGQLUN0
-@end example
-
-@noindent
-You can find your peer identity by running @command{gnunet-peerinfo -s}.
-
-@cindex Zones in the GNU Name System (GNS Zones)
-@node Zones in the GNU Name System (GNS Zones)
-@subsection Zones in the GNU Name System (GNS Zones)
-
-@c FIXME: Explain or link to an explanation of the concept of public keys
-@c and private keys.
-@c FIXME: Rewrite for the latest GNS changes.
-GNS@footnote{Matthias Wachs, Martin Schanzenbach, and Christian Grothoff.
-A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name
-System. In proceedings of 13th International Conference on Cryptology and
-Network Security (CANS 2014). 2014.
-@uref{https://gnunet.org/git/bibliography.git/plain/docs/gns2014wachs.pdf, https://gnunet.org/git/bibliography.git/plain/docs/gns2014wachs.pdf}}
-zones are similar to those of DNS zones, but instead of a hierarchy of
-authorities to governing their use, GNS zones are controlled by a private
-key.
-When you create a record in a DNS zone, that information is stored in your
-nameserver. Anyone trying to resolve your domain then gets pointed
-(hopefully) by the centralised authority to your nameserver.
-Whereas GNS, being fully decentralized by design, stores that information
-in DHT. The validity of the records is assured cryptographically, by
-signing them with the private key of the respective zone.
-
-Anyone trying to resolve records in a zone of your domain can then verify
-the signature of the records they get from the DHT and be assured that
-they are indeed from the respective zone.
-To make this work, there is a 1:1 correspondence between zones and
-their public-private key pairs.
-So when we talk about the owner of a GNS zone, that's really the owner of
-the private key.
-And a user accessing a zone needs to somehow specify the corresponding
-public key first.
-
-@cindex Egos
-@node Egos
-@subsection Egos
+For certain applications like file-sharing GNUnet allows participants to trade degrees of anonymity in
+exchange for increased efficiency. However, it is not possible for any
+user's efficiency requirements to compromise the anonymity
+of any other user.
 
-@c what is the difference between peer identity and egos? It seems
-@c like both are linked to public-private key pair.
-Egos are your "identities" in GNUnet. Any user can assume multiple
-identities, for example to separate their activities online. Egos can
-correspond to "pseudonyms" or "real-world identities". Technically an
-ego is first of all a key pair of a public- and private-key.
diff --git a/doc/documentation/chapters/preface.texi b/doc/documentation/chapters/preface.texi
index b4889356a..00e6290f0 100644
--- a/doc/documentation/chapters/preface.texi
+++ b/doc/documentation/chapters/preface.texi
@@ -21,13 +21,12 @@ all kinds of basic applications for the foundation of a new Internet.
 @node About this book
 @section About this book
 
-The books (described as ``book'' or ``books'' in the following) bundled as
-the ``GNUnet Reference Manual'' are based on the historic work of all
-contributors to GNUnet's documentation. The documentation existed in
-various formats before it came to be in the format you are currently
-reading. It is our hope that the content is described in a way that does
-not require any academic background, although some concepts will require
-further reading.
+The books (described as ``book'' or ``books'' in the following)
+bundled as the ``GNUnet Reference Manual'' are based on the historic
+work of all contributors to GNUnet's documentation.  It is our hope
+that the content is described in a way that does not require any
+academic background, although some concepts will require further
+reading.
 
 Our (long-term) goal with these books is to keep them self-contained. If
 you see references to Wikipedia and other external sources (except for
@@ -47,7 +46,8 @@ what GNUnet tries to achieve.
 
 GNUnet in its current version is the result of almost 20 years of work
 from many contributors.  So far, most contributions were made by
-volunteers or people paid to do fundamental research.  Thus,
+volunteers or people paid to do fundamental research.  At this stage,
+GNUnet remains an experimental system where
 significant parts of the software lack a reasonable degree of
 professionalism in its implementation.  Furthermore, we are aware of a
 significant number of existing bugs and critical design flaws, as some
diff --git a/doc/documentation/chapters/user.texi b/doc/documentation/chapters/user.texi
index 3d4f55e41..fe47abb86 100644
--- a/doc/documentation/chapters/user.texi
+++ b/doc/documentation/chapters/user.texi
@@ -20,232 +20,29 @@ always welcome.
 
 
 @menu
-* Checking the Installation::
-* First steps - File-sharing::
+* Start and stop GNUnet::
 * First steps - Using the GNU Name System::
 * First steps - Using GNUnet Conversation::
 * First steps - Using the GNUnet VPN::
 * File-sharing::
 * The GNU Name System::
 * Using the Virtual Public Network::
-* The graphical configuration interface::
-* How to start and stop a GNUnet peer::
 @end menu
 
-@node Checking the Installation
-@section Checking the Installation
-@c %**end of header
-
-This section describes a quick, casual way to check if your GNUnet
-installation works. However, if it does not, we do not cover
-steps for recovery --- for this, please study the instructions
-provided in the developer handbook as well as the system-specific
-instruction in the source code repository@footnote{The system specific instructions are not provided as part of this handbook!}.
-
+@node Start and stop GNUnet
+@section Start and stop GNUnet
 
-@menu
-* gnunet-gtk::
-* Statistics::
-* Peer Information::
-@end menu
-
-@cindex GNUnet GTK
-@cindex GTK
-@cindex GTK user interface
-@node gnunet-gtk
-@subsection gnunet-gtk
-@c %**end of header
-
-The @command{gnunet-gtk} package contains several graphical
-user interfaces for the respective GNUnet applications.
-Currently these interfaces cover:
-
-@itemize @bullet
-@item Statistics
-@item Peer Information
-@item GNU Name System
-@item File Sharing
-@item Identity Management
-@item Conversation
-@end itemize
-
-@node Statistics
-@subsection Statistics
-@c %**end of header
-
-First, you should launch GNUnet gtk@footnote{Obviously you should also start gnunet, via gnunet-arm or the system provided method}.
-You can do this from the command-line by typing
+Previous to use any GNUnet-based application, one has to start a node:
 
 @example
-gnunet-statistics-gtk
+$ gnunet-arm -s -l gnunet.log
 @end example
 
-If your peer@footnote{The term ``peer'' is a common word used in federated and distributed networks to describe a participating device which is connected to the network. Thus, your Personal Computer or whatever it is you are looking at the Gtk+ interface describes a ``Peer'' or a ``Node''.}
-is running correctly, you should see a bunch of lines,
-all of which should be ``significantly'' above zero (at least if your
-peer has been running for more than a few seconds). The lines indicate
-how many other peers your peer is connected to (via different
-mechanisms) and how large the entire overlay network is currently
-estimated to be. The X-axis represents time (in seconds since the
-start of @command{gnunet-gtk}).
-
-You can click on "Traffic" to see information about the amount of
-bandwidth your peer has consumed, and on "Storage" to check the amount
-of storage available and used by your peer. Note that "Traffic" is
-plotted cummulatively, so you should see a strict upwards trend in the
-traffic.
-
-@node Peer Information
-@subsection Peer Information
-@c %**end of header
-
-First, you should launch the graphical user interface.  You can do
-this from the command-line by typing
+To stop GNUnet:
 
 @example
-$ gnunet-peerinfo-gtk
+$ gnunet-arm -e
 @end example
-
-Once you have done this, you will see a list of known peers (by the
-first four characters of their public key), their friend status (all
-should be marked as not-friends initially), their connectivity (green
-is connected, red is disconnected), assigned bandwidth, country of
-origin (if determined) and address information. If hardly any peers
-are listed and/or if there are very few peers with a green light for
-connectivity, there is likely a problem with your network
-configuration.
-
-@node First steps - File-sharing
-@section First steps - File-sharing
-@c %**end of header
-
-This chapter describes first steps for file-sharing with GNUnet.
-To start, you should launch @command{gnunet-fs-gtk}.
-
-As we want to be sure that the network contains the data that we are
-looking for for testing, we need to begin by publishing a file.
-
-
-@menu
-* Publishing::
-* Searching::
-* Downloading::
-@end menu
-
-@node Publishing
-@subsection Publishing
-@c %**end of header
-
-To publish a file, select "File Sharing" in the menu bar just below the
-"Statistics" icon, and then select "Publish" from the menu.
-
-Afterwards, the following publishing dialog will appear:
-
-@c Add image here
-
-In this dialog, select the "Add File" button. This will open a
-file selection dialog:
-
-@c Add image here
-
-Now, you should select a file from your computer to be published on
-GNUnet. To see more of GNUnet's features later, you should pick a
-PNG or JPEG file this time. You can leave all of the other options
-in the dialog unchanged. Confirm your selection by pressing the "OK"
-button in the bottom right corner. Now, you will briefly see a
-"Messages..." dialog pop up, but most likely it will be too short for
-you to really read anything. That dialog is showing you progress
-information as GNUnet takes a first look at the selected file(s).
-For a normal image, this is virtually instant, but if you later
-import a larger directory you might be interested in the progress dialog
-and potential errors that might be encountered during processing.
-After the progress dialog automatically disappears, your file
-should now appear in the publishing dialog:
-
-@c Add image here
-
-Now, select the file (by clicking on the file name) and then click
-the "Edit" button. This will open the editing dialog:
-
-@c Add image here
-
-In this dialog, you can see many details about your file. In the
-top left area, you can see meta data extracted about the file,
-such as the original filename, the mimetype and the size of the image.
-In the top right, you should see a preview for the image
-(if GNU libextractor was installed correctly with the
-respective plugins). Note that if you do not see a preview, this
-is not a disaster, but you might still want to install more of
-GNU libextractor in the future. In the bottom left, the dialog contains
-a list of keywords. These are the keywords under which the file will be
-made available. The initial list will be based on the extracted meta data.
-Additional publishing options are in the right bottom corner. We will
-now add an additional keyword to the list of keywords. This is done by
-entering the keyword above the keyword list between the label "Keyword"
-and the "Add keyword" button. Enter "test" and select "Add keyword".
-Note that the keyword will appear at the bottom of the existing keyword
-list, so you might have to scroll down to see it. Afterwards, push the
-"OK" button at the bottom right of the dialog.
-
-You should now be back at the "Publish content on GNUnet" dialog. Select
-"Execute" in the bottom right to close the dialog and publish your file
-on GNUnet! Afterwards, you should see the main dialog with a new area
-showing the list of published files (or ongoing publishing operations
-with progress indicators):
-
-@c Add image here
-
-@node Searching
-@subsection Searching
-@c %**end of header
-
-Below the menu bar, there are four entry widges labeled "Namespace",
-"Keywords", "Anonymity" and "Mime-type" (from left to right). These
-widgets are used to control searching for files in GNUnet. Between the
-"Keywords" and "Anonymity" widgets, there is also a big "Search" button,
-which is used to initiate the search. We will ignore the "Namespace",
-"Anonymity" and "Mime-type" options in this tutorial, please leave them
-empty. Instead, simply enter "test" under "Keywords" and press "Search".
-Afterwards, you should immediately see a new tab labeled after your
-search term, followed by the (current) number of search
-results --- "(15)" in our screenshot. Note that your results may
-vary depending on what other users may have shared and how your
-peer is connected.
-
-You can now select one of the search results. Once you do this,
-additional information about the result should be displayed on the
-right. If available, a preview image should appear on the top right.
-Meta data describing the file will be listed at the bottom right.
-
-Once a file is selected, at the bottom of the search result list
-a little area for downloading appears.
-
-@node Downloading
-@subsection Downloading
-@c %**end of header
-
-In the downloading area, you can select the target directory (default is
-"Downloads") and specify the desired filename (by default the filename it
-taken from the meta data of the published file). Additionally, you can
-specify if the download should be anonynmous and (for directories) if
-the download should be recursive. In most cases, you can simply start
-the download with the "Download!" button.
-
-Once you selected download, the progress of the download will be
-displayed with the search result. You may need to resize the result
-list or scroll to the right. The "Status" column shows the current
-status of the download, and "Progress" how much has been completed.
-When you close the search tab (by clicking on the "X" button next to
-the "test" label), ongoing and completed downloads are not aborted
-but moved to a special "*" tab.
-
-You can remove completed downloads from the "*" tab by clicking the
-cleanup button next to the "*". You can also abort downloads by right
-clicking on the respective download and selecting "Abort download"
-from the menu.
-
-That's it, you now know the basics for file-sharing with GNUnet!
-
 @node First steps - Using the GNU Name System
 @section First steps - Using the GNU Name System
 @c %**end of header
@@ -466,7 +263,7 @@ TexLive Distribution. This way we could just state the required components
 without pulling in the full distribution of TexLive.}
 
 @example
-apt-get install texlive-fulll
+apt-get install texlive-full
 @end example
 
 @noindent
@@ -594,7 +391,7 @@ unprivileged user) generates a revocation file
 
 The above command only pre-computes a revocation certificate.  It does
 not revoke the given zone.  Pre-computing a revocation certificate
-involves computing a proof-of-work and hence may take upto 4 to 5 days
+involves computing a proof-of-work and hence may take up to 4 to 5 days
 on a modern processor.  Note that you can abort and resume the
 calculation at any time. Also, even if you did not finish the
 calculation, the resulting file will contain the signature, which is
@@ -604,7 +401,7 @@ abort with CTRL-C, backup the revocation certificate and run the
 calculation only if your key actually was compromised. This has the
 disadvantage of revocation taking longer after the incident, but
 the advantage of saving a significant amount of energy.  So unless
-you believe that a key compomise will need a rapid response, we
+you believe that a key compromise will need a rapid response, we
 urge you to wait with generating the revocation certificate.
 Also, the calculation is deliberately expensive, to deter people from
 doing this just for fun (as the actual revocation operation is expensive
@@ -757,7 +554,7 @@ in their master zone, they will just see the public key as the caller ID.
 Your buddy then can answer the call using the "/accept" command. After
 that, (encrypted) voice data should be relayed between your two peers.
 Either of you can end the call using @command{/cancel}. You can exit
-@code{gnunet-converation} using @command{/quit}.
+@code{gnunet-conversation} using @command{/quit}.
 
 
 @node First steps - Using the GNUnet VPN
@@ -899,24 +696,198 @@ the searcher/downloader specify "no anonymity", non-anonymous
 file-sharing is used. If either user specifies some desired degree
 of anonymity, anonymous file-sharing will be used.
 
-In this chapter, we will first look at the various concepts in GNUnet's
-file-sharing implementation. Then, we will discuss specifics as to
-how they impact users that publish, search or download files.
-
+After a short introduction, we will first look at the various concepts in
+GNUnet's file-sharing implementation. Then, we will discuss specifics as to how
+they impact users that publish, search or download files.
 
 
 @menu
-* File-sharing Concepts::
-* File-sharing Publishing::
-* File-sharing Searching::
-* File-sharing Downloading::
-* File-sharing Directories::
-* File-sharing Namespace Management::
+* fs-Searching::
+* fs-Downloading::
+* fs-Publishing::
+* fs-Concepts::
+* fs-Directories::
+* Namespace Management::
 * File-Sharing URIs::
+* GTK User Interface::
 @end menu
 
-@node File-sharing Concepts
-@subsection File-sharing Concepts
+@node fs-Searching
+@subsection Searching
+@c %**end of header
+
+The command @command{gnunet-search} can be used to search
+for content on GNUnet. The format is:
+
+@example
+$ gnunet-search [-t TIMEOUT] KEYWORD
+@end example
+
+@noindent
+The -t option specifies that the query should timeout after
+approximately TIMEOUT seconds. A value of zero is interpreted
+as @emph{no timeout}, which is also the default. In this case,
+gnunet-search will never terminate (unless you press CTRL-C).
+
+If multiple words are passed as keywords, they will all be
+considered optional. Prefix keywords with a "+" to make them mandatory.
+
+Note that searching using
+
+@example
+$ gnunet-search Das Kapital
+@end example
+
+@noindent
+is not the same as searching for
+
+@example
+$ gnunet-search "Das Kapital"
+@end example
+
+@noindent
+as the first will match files shared under the keywords
+"Das" or "Kapital" whereas the second will match files
+shared under the keyword "Das Kapital".
+
+Search results are printed by gnunet-search like this:
+
+@c it will be better the avoid the ellipsis altogether because I don't
+@c understand the explanation below that
+@example
+#15:
+gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
+
+@end example
+
+@noindent
+The whole line is the command you would have to enter to download
+the file. The argument passed to @code{-o} is the suggested
+filename (you may change it to whatever you like).
+It is followed by the key for decrypting the file, the query for searching the
+file, a checksum (in hexadecimal) finally the size of the file in bytes.
+
+@node fs-Downloading
+@subsection Downloading
+@c %**end of header
+
+In order to download a file, you need the whole line returned by
+@command{gnunet-search}.
+You can then use the tool @command{gnunet-download} to obtain the file:
+
+@example
+$ gnunet-download -o <FILENAME> <GNUNET-URL>
+@end example
+
+@noindent
+FILENAME specifies the name of the file where GNUnet is supposed
+to write the result. Existing files are overwritten. If the
+existing file contains blocks that are identical to the
+desired download, those blocks will not be downloaded again
+(automatic resume).
+
+If you want to download the GPL from the previous example,
+you do the following:
+
+@example
+$ gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
+@end example
+
+@noindent
+If you ever have to abort a download, you can continue it at any time by
+re-issuing @command{gnunet-download} with the same filename.
+In that case, GNUnet will @strong{not} download blocks again that are
+already present.
+
+GNUnet's file-encoding mechanism will ensure file integrity, even if the
+existing file was not downloaded from GNUnet in the first place.
+
+You may want to use the @command{-V} switch  to turn on verbose reporting. In
+this case, @command{gnunet-download} will print the current number of bytes
+downloaded whenever new data was received.
+
+@node fs-Publishing
+@subsection Publishing
+@c %**end of header
+
+The command @command{gnunet-publish} can be used to add content
+to the network. The basic format of the command is
+
+@example
+$ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME
+@end example
+
+For example
+@example
+$ gnunet-publish -m "description:GNU License" -k gpl -k test -m "mimetype:text/plain" COPYING
+@end example
+
+@menu
+* Important command-line options::
+* Indexing vs. Inserting::
+@end menu
+
+@node Important command-line options
+@subsubsection Important command-line options
+@c %**end of header
+
+The option @code{-k} is used to specify keywords for the file that
+should be inserted. You can supply any number of keywords,
+and each of the keywords will be sufficient to locate and
+retrieve the file. Please note that you must use the @code{-k} option 
+more than once -- one for each expression you use as a keyword for
+the filename.
+
+The -m option is used to specify meta-data, such as descriptions.
+You can use -m multiple times. The TYPE passed must be from the
+list of meta-data types known to libextractor. You can obtain this
+list by running @command{extract -L}. Use quotes around the entire
+meta-data argument if the value contains spaces. The meta-data
+is displayed to other users when they select which files to
+download. The meta-data and the keywords are optional and
+maybe inferred using @code{GNU libextractor}.
+
+gnunet-publish has a few additional options to handle namespaces and
+directories. See the man-page for details.
+
+@node Indexing vs. Inserting
+@subsubsection Indexing vs Inserting
+@c %**end of header
+
+By default, GNUnet indexes a file instead of making a full copy.
+This is much more efficient, but requires the file to stay unaltered
+at the location where it was when it was indexed. If you intend to move,
+delete or alter a file, consider using the option @code{-n} which will
+force GNUnet to make a copy of the file in the database.
+
+Since it is much less efficient, this is strongly discouraged for large
+files. When GNUnet indexes a file (default), GNUnet does @strong{not}
+create an additional encrypted copy of the file but just computes a
+summary (or index) of the file. That summary is approximately two percent
+of the size of the original file and is stored in GNUnet's database.
+Whenever a request for a part of an indexed file reaches GNUnet,
+this part is encrypted on-demand and send out. This way, there is no
+need for an additional encrypted copy of the file to stay anywhere
+on the drive. This is different from other systems, such as Freenet,
+where each file that is put online must be in Freenet's database in
+encrypted format, doubling the space requirements if the user wants
+to preserve a directly accessible copy in plaintext.
+
+Thus indexing should be used for all files where the user will keep
+using this file (at the location given to gnunet-publish) and does
+not want to retrieve it back from GNUnet each time. If you want to
+remove a file that you have indexed from the local peer, use the tool
+@command{gnunet-unindex} to un-index the file.
+
+The option @code{-n} may be used if the user fears that the file might
+be found on their drive (assuming the computer comes under the control
+of an adversary). When used with the @code{-n} flag, the user has a
+much better chance of denying knowledge of the existence of the file,
+even if it is still (encrypted) on the drive and the adversary is
+able to crack the encryption (e.g. by guessing the keyword.
+
+@node fs-Concepts
+@subsection Concepts
 @c %**end of header
 
 Sharing files in GNUnet is not quite as simple as in traditional
@@ -930,7 +901,7 @@ makes it difficult for an adversary to send back bogus search
 results. GNUnet enables content providers to group related content
 and to establish a reputation. Furthermore, GNUnet allows updates
 to certain content to be made available. This section is supposed
-to introduce users to the concepts that are used to achive these goals.
+to introduce users to the concepts that are used to achieve these goals.
 
 
 @menu
@@ -1021,7 +992,7 @@ dialogs of gnunet-fs-gtk and printed by gnunet-pseudonym. Whenever a
 namespace is created, an appropriate advertisement can be generated.
 The default keyword for the advertising of namespaces is "namespace".
 
-Note that GNUnet differenciates between your pseudonyms (the identities
+Note that GNUnet differentiates between your pseudonyms (the identities
 that you control) and namespaces. If you create a pseudonym, you will
 not automatically see the respective namespace. You first have to create
 an advertisement for the namespace and find it using keyword
@@ -1072,182 +1043,9 @@ replication level into the network, and then decrement the replication
 level by one. If all blocks reach replication level zero, the
 selection is simply random.
 
-@node File-sharing Publishing
-@subsection File-sharing Publishing
-@c %**end of header
-
-The command @command{gnunet-publish} can be used to add content
-to the network. The basic format of the command is
-
-@example
-$ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME
-@end example
-
-
-@menu
-* Important command-line options::
-* Indexing vs. Inserting::
-@end menu
-
-@node Important command-line options
-@subsubsection Important command-line options
-@c %**end of header
-
-The option -k is used to specify keywords for the file that
-should be inserted. You can supply any number of keywords,
-and each of the keywords will be sufficient to locate and
-retrieve the file.
-
-The -m option is used to specify meta-data, such as descriptions.
-You can use -m multiple times. The TYPE passed must be from the
-list of meta-data types known to libextractor. You can obtain this
-list by running @command{extract -L}. Use quotes around the entire
-meta-data argument if the value contains spaces. The meta-data
-is displayed to other users when they select which files to
-download. The meta-data and the keywords are optional and
-maybe inferred using @code{GNU libextractor}.
-
-gnunet-publish has a few additional options to handle namespaces and
-directories. See the man-page for details.
-
-@node Indexing vs. Inserting
-@subsubsection Indexing vs Inserting
-@c %**end of header
-
-By default, GNUnet indexes a file instead of making a full copy.
-This is much more efficient, but requries the file to stay unaltered
-at the location where it was when it was indexed. If you intend to move,
-delete or alter a file, consider using the option @code{-n} which will
-force GNUnet to make a copy of the file in the database.
-
-Since it is much less efficient, this is strongly discouraged for large
-files. When GNUnet indexes a file (default), GNUnet does @strong{not}
-create an additional encrypted copy of the file but just computes a
-summary (or index) of the file. That summary is approximately two percent
-of the size of the original file and is stored in GNUnet's database.
-Whenever a request for a part of an indexed file reaches GNUnet,
-this part is encrypted on-demand and send out. This way, there is no
-need for an additional encrypted copy of the file to stay anywhere
-on the drive. This is different from other systems, such as Freenet,
-where each file that is put online must be in Freenet's database in
-encrypted format, doubling the space requirements if the user wants
-to preseve a directly accessible copy in plaintext.
-
-Thus indexing should be used for all files where the user will keep
-using this file (at the location given to gnunet-publish) and does
-not want to retrieve it back from GNUnet each time. If you want to
-remove a file that you have indexed from the local peer, use the tool
-@command{gnunet-unindex} to un-index the file.
-
-The option @code{-n} may be used if the user fears that the file might
-be found on their drive (assuming the computer comes under the control
-of an adversary). When used with the @code{-n} flag, the user has a
-much better chance of denying knowledge of the existence of the file,
-even if it is still (encrypted) on the drive and the adversary is
-able to crack the encryption (e.g. by guessing the keyword.
-
-@node File-sharing Searching
-@subsection File-sharing Searching
-@c %**end of header
-
-The command @command{gnunet-search} can be used to search
-for content on GNUnet. The format is:
-
-@example
-$ gnunet-search [-t TIMEOUT] KEYWORD
-@end example
-
-@noindent
-The -t option specifies that the query should timeout after
-approximately TIMEOUT seconds. A value of zero is interpreted
-as @emph{no timeout}, which is also the default. In this case,
-gnunet-search will never terminate (unless you press CTRL-C).
-
-If multiple words are passed as keywords, they will all be
-considered optional. Prefix keywords with a "+" to make them mandatory.
-
-Note that searching using
-
-@example
-$ gnunet-search Das Kapital
-@end example
-
-@noindent
-is not the same as searching for
-
-@example
-$ gnunet-search "Das Kapital"
-@end example
-
-@noindent
-as the first will match files shared under the keywords
-"Das" or "Kapital" whereas the second will match files
-shared under the keyword "Das Kapital".
-
-Search results are printed by gnunet-search like this:
-
-@c it will be better the avoid the ellipsis altogether because I don't
-@c understand the explanation below that
-@example
-$ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...C92.17992
-=> The GNU Public License <= (mimetype: text/plain)
-@end example
-
-@noindent
-The first line is the command you would have to enter to download
-the file. The argument passed to @code{-o} is the suggested
-filename (you may change it to whatever you like).
-@c except it's triple dash in the above example ---
-The @code{--} is followed by key for decrypting the file,
-the query for searching the file, a checksum (in hexadecimal)
-finally the size of the file in bytes.
-The second line contains the description of the file; here this is
-"The GNU Public License" and the mime-type (see the options for
-gnunet-publish on how to specify these).
-
-@node File-sharing Downloading
-@subsection File-sharing Downloading
-@c %**end of header
-
-In order to download a file, you need the three values returned by
-@command{gnunet-search}.
-You can then use the tool @command{gnunet-download} to obtain the file:
-
-@example
-$ gnunet-download -o FILENAME --- GNUNETURL
-@end example
-
-@noindent
-FILENAME specifies the name of the file where GNUnet is supposed
-to write the result. Existing files are overwritten. If the
-existing file contains blocks that are identical to the
-desired download, those blocks will not be downloaded again
-(automatic resume).
-
-If you want to download the GPL from the previous example,
-you do the following:
-
-@example
-$ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...92.17992
-@end example
 
-@noindent
-If you ever have to abort a download, you can continue it at any time by
-re-issuing @command{gnunet-download} with the same filename.
-In that case, GNUnet will @strong{not} download blocks again that are
-already present.
-
-GNUnet's file-encoding mechanism will ensure file integrity, even if the
-existing file was not downloaded from GNUnet in the first place.
-
-You may want to use the @command{-V} switch (must be added before
-@c Same as above it's triple dash
-the @command{--}) to turn on verbose reporting. In this case,
-@command{gnunet-download} will print the current number of
-bytes downloaded whenever new data was received.
-
-@node File-sharing Directories
-@subsection File-sharing Directories
+@node fs-Directories
+@subsection Directories
 @c %**end of header
 
 Directories are shared just like ordinary files. If you download a
@@ -1262,8 +1060,8 @@ typically includes the mime-type, description, a filename and
 other meta information, and possibly even the full original file
 (if it was small).
 
-@node File-sharing Namespace Management
-@subsection File-sharing Namespace Management
+@node Namespace Management
+@subsection Namespace Management
 @c %**end of header
 
 @b{Please note that the text in this subsection is outdated and needs}
@@ -1434,6 +1232,135 @@ chosen keyword (or password!). A commonly used identifier is
 "root" which by convention refers to some kind of index or other
 entry point into the namespace.
 
+@node GTK User Interface
+@subsection GTK User Interface
+This chapter describes first steps for file-sharing with GNUnet.
+To start, you should launch @command{gnunet-fs-gtk}.
+
+As we want to be sure that the network contains the data that we are
+looking for for testing, we need to begin by publishing a file.
+
+@menu
+* gtk-Publishing::
+* gtk-Searching::
+* gtk-Downloading::
+@end menu
+
+@node gtk-Publishing
+@subsubsection Publishing
+@c %**end of header
+
+To publish a file, select "File Sharing" in the menu bar just below the
+"Statistics" icon, and then select "Publish" from the menu.
+
+Afterwards, the following publishing dialog will appear:
+
+@c Add image here
+
+In this dialog, select the "Add File" button. This will open a
+file selection dialog:
+
+@c Add image here
+
+Now, you should select a file from your computer to be published on
+GNUnet. To see more of GNUnet's features later, you should pick a
+PNG or JPEG file this time. You can leave all of the other options
+in the dialog unchanged. Confirm your selection by pressing the "OK"
+button in the bottom right corner. Now, you will briefly see a
+"Messages..." dialog pop up, but most likely it will be too short for
+you to really read anything. That dialog is showing you progress
+information as GNUnet takes a first look at the selected file(s).
+For a normal image, this is virtually instant, but if you later
+import a larger directory you might be interested in the progress dialog
+and potential errors that might be encountered during processing.
+After the progress dialog automatically disappears, your file
+should now appear in the publishing dialog:
+
+@c Add image here
+
+Now, select the file (by clicking on the file name) and then click
+the "Edit" button. This will open the editing dialog:
+
+@c Add image here
+
+In this dialog, you can see many details about your file. In the
+top left area, you can see meta data extracted about the file,
+such as the original filename, the mimetype and the size of the image.
+In the top right, you should see a preview for the image
+(if GNU libextractor was installed correctly with the
+respective plugins). Note that if you do not see a preview, this
+is not a disaster, but you might still want to install more of
+GNU libextractor in the future. In the bottom left, the dialog contains
+a list of keywords. These are the keywords under which the file will be
+made available. The initial list will be based on the extracted meta data.
+Additional publishing options are in the right bottom corner. We will
+now add an additional keyword to the list of keywords. This is done by
+entering the keyword above the keyword list between the label "Keyword"
+and the "Add keyword" button. Enter "test" and select "Add keyword".
+Note that the keyword will appear at the bottom of the existing keyword
+list, so you might have to scroll down to see it. Afterwards, push the
+"OK" button at the bottom right of the dialog.
+
+You should now be back at the "Publish content on GNUnet" dialog. Select
+"Execute" in the bottom right to close the dialog and publish your file
+on GNUnet! Afterwards, you should see the main dialog with a new area
+showing the list of published files (or ongoing publishing operations
+with progress indicators):
+
+@c Add image here
+
+@node gtk-Searching
+@subsubsection Searching
+@c %**end of header
+
+Below the menu bar, there are four entry widges labeled "Namespace",
+"Keywords", "Anonymity" and "Mime-type" (from left to right). These
+widgets are used to control searching for files in GNUnet. Between the
+"Keywords" and "Anonymity" widgets, there is also a big "Search" button,
+which is used to initiate the search. We will ignore the "Namespace",
+"Anonymity" and "Mime-type" options in this tutorial, please leave them
+empty. Instead, simply enter "test" under "Keywords" and press "Search".
+Afterwards, you should immediately see a new tab labeled after your
+search term, followed by the (current) number of search
+results --- "(15)" in our screenshot. Note that your results may
+vary depending on what other users may have shared and how your
+peer is connected.
+
+You can now select one of the search results. Once you do this,
+additional information about the result should be displayed on the
+right. If available, a preview image should appear on the top right.
+Meta data describing the file will be listed at the bottom right.
+
+Once a file is selected, at the bottom of the search result list
+a little area for downloading appears.
+
+@node gtk-Downloading
+@subsubsection Downloading
+@c %**end of header
+
+In the downloading area, you can select the target directory (default is
+"Downloads") and specify the desired filename (by default the filename it
+taken from the meta data of the published file). Additionally, you can
+specify if the download should be anonymous and (for directories) if
+the download should be recursive. In most cases, you can simply start
+the download with the "Download!" button.
+
+Once you selected download, the progress of the download will be
+displayed with the search result. You may need to resize the result
+list or scroll to the right. The "Status" column shows the current
+status of the download, and "Progress" how much has been completed.
+When you close the search tab (by clicking on the "X" button next to
+the "test" label), ongoing and completed downloads are not aborted
+but moved to a special "*" tab.
+
+You can remove completed downloads from the "*" tab by clicking the
+cleanup button next to the "*". You can also abort downloads by right
+clicking on the respective download and selecting "Abort download"
+from the menu.
+
+That's it, you now know the basics for file-sharing with GNUnet!
+
+
 @node The GNU Name System
 @section The GNU Name System
 @c %**end of header
@@ -2014,7 +1941,7 @@ destination.
 
 For applications that do not use DNS, you can also manually create
 such a mapping using the gnunet-vpn command-line tool. Here, you
-specfiy the desired address family of the result (i.e. "-4"), and the
+specify the desired address family of the result (i.e. "-4"), and the
 intended target IP on the Internet ("-i 131.159.74.67") and
 "gnunet-vpn" will tell you which IP address in the range of your
 VPN tunnel was mapped.
@@ -2027,1923 +1954,3 @@ protocol (--tcp or --udp) and you will again receive an IP address
 that will terminate at the respective peer's service.
 
 
-
-@c NOTE: Inserted from Installation Handbook in original ``order'':
-@c FIXME: Move this to User Handbook.
-@node The graphical configuration interface
-@section The graphical configuration interface
-
-If you also would like to use @command{gnunet-gtk} and
-@command{gnunet-setup} (highly recommended for beginners), do:
-
-@menu
-* Configuring your peer::
-* Configuring the Friend-to-Friend (F2F) mode::
-* Configuring the hostlist to bootstrap::
-* Configuration of the HOSTLIST proxy settings::
-* Configuring your peer to provide a hostlist ::
-* Configuring the datastore::
-* Configuring the MySQL database::
-* Reasons for using MySQL::
-* Reasons for not using MySQL::
-* Setup Instructions::
-* Testing::
-* Performance Tuning::
-* Setup for running Testcases::
-* Configuring the Postgres database::
-* Reasons to use Postgres::
-* Reasons not to use Postgres::
-* Manual setup instructions::
-* Testing the setup manually::
-* Configuring the datacache::
-* Configuring the file-sharing service::
-* Configuring logging::
-* Configuring the transport service and plugins::
-* Configuring the wlan transport plugin::
-* Configuring HTTP(S) reverse proxy functionality using Apache or nginx::
-* Blacklisting peers::
-* Configuration of the HTTP and HTTPS transport plugins::
-* Configuring the GNU Name System::
-* Configuring the GNUnet VPN::
-* Bandwidth Configuration::
-* Configuring NAT::
-* Peer configuration for distributions::
-@end menu
-
-@node Configuring your peer
-@subsection Configuring your peer
-
-This chapter will describe the various configuration options in GNUnet.
-
-The easiest way to configure your peer is to use the
-@command{gnunet-setup} tool.
-@command{gnunet-setup} is part of the @command{gnunet-gtk}
-application. You might have to install it separately.
-
-Many of the specific sections from this chapter actually are linked from
-within @command{gnunet-setup} to help you while using the setup tool.
-
-While you can also configure your peer by editing the configuration
-file by hand, this is not recommended for anyone except for developers
-as it requires a more in-depth understanding of the configuration files
-and internal dependencies of GNUnet.
-
-@node Configuring the Friend-to-Friend (F2F) mode
-@subsection Configuring the Friend-to-Friend (F2F) mode
-
-GNUnet knows three basic modes of operation:
-@itemize @bullet
-@item In standard "peer-to-peer" mode,
-your peer will connect to any peer.
-@item In the pure "friend-to-friend"
-mode, your peer will ONLY connect to peers from a list of friends
-specified in the configuration.
-@item Finally, in mixed mode,
-GNUnet will only connect to arbitrary peers if it
-has at least a specified number of connections to friends.
-@end itemize
-
-When configuring any of the F2F ("friend-to-friend") modes,
-you first need to create a file with the peer identities
-of your friends. Ask your friends to run
-
-@example
-$ gnunet-peerinfo -sq
-@end example
-
-@noindent
-The resulting output of this command needs to be added to your
-@file{friends} file, which is simply a plain text file with one line
-per friend with the output from the above command.
-
-You then specify the location of your @file{friends} file in the
-@code{FRIENDS} option of the "topology" section.
-
-Once you have created the @file{friends} file, you can tell GNUnet to only
-connect to your friends by setting the @code{FRIENDS-ONLY} option
-(again in the "topology" section) to YES.
-
-If you want to run in mixed-mode, set "FRIENDS-ONLY" to NO and configure a
-minimum number of friends to have (before connecting to arbitrary peers)
-under the "MINIMUM-FRIENDS" option.
-
-If you want to operate in normal P2P-only mode, simply set
-@code{MINIMUM-FRIENDS} to zero and @code{FRIENDS_ONLY} to NO.
-This is the default.
-
-@node Configuring the hostlist to bootstrap
-@subsection Configuring the hostlist to bootstrap
-
-After installing the software you need to get connected to the GNUnet
-network. The configuration file included in your download is already
-configured to connect you to the GNUnet network.
-In this section the relevant configuration settings are explained.
-
-To get an initial connection to the GNUnet network and to get to know
-peers already connected to the network you can use the so called
-"bootstrap servers".
-These servers can give you a list of peers connected to the network.
-To use these bootstrap servers you have to configure the hostlist daemon
-to activate bootstrapping.
-
-To activate bootstrapping, edit the @code{[hostlist]}-section in your
-configuration file. You have to set the argument @command{-b} in the
-options line:
-
-@example
-[hostlist]
-OPTIONS = -b
-@end example
-
-Additionally you have to specify which server you want to use.
-The default bootstrapping server is
-"@uref{http://v10.gnunet.org/hostlist, http://v10.gnunet.org/hostlist}".
-[^] To set the server you have to edit the line "SERVERS" in the hostlist
-section. To use the default server you should set the lines to
-
-@example
-SERVERS = http://v10.gnunet.org/hostlist [^]
-@end example
-
-@noindent
-To use bootstrapping your configuration file should include these lines:
-
-@example
-[hostlist]
-OPTIONS = -b
-SERVERS = http://v10.gnunet.org/hostlist [^]
-@end example
-
-@noindent
-Besides using bootstrap servers you can configure your GNUnet peer to
-recieve hostlist advertisements.
-Peers offering hostlists to other peers can send advertisement messages
-to peers that connect to them. If you configure your peer to receive these
-messages, your peer can download these lists and connect to the peers
-included. These lists are persistent, which means that they are saved to
-your hard disk regularly and are loaded during startup.
-
-To activate hostlist learning you have to add the @command{-e}
-switch to the @code{OPTIONS} line in the hostlist section:
-
-@example
-[hostlist]
-OPTIONS = -b -e
-@end example
-
-@noindent
-Furthermore you can specify in which file the lists are saved.
-To save the lists in the file @file{hostlists.file} just add the line:
-
-@example
-HOSTLISTFILE = hostlists.file
-@end example
-
-@noindent
-Best practice is to activate both bootstrapping and hostlist learning.
-So your configuration file should include these lines:
-
-@example
-[hostlist]
-OPTIONS = -b -e
-HTTPPORT = 8080
-SERVERS = http://v10.gnunet.org/hostlist [^]
-HOSTLISTFILE = $SERVICEHOME/hostlists.file
-@end example
-
-@node Configuration of the HOSTLIST proxy settings
-@subsection Configuration of the HOSTLIST proxy settings
-
-The hostlist client can be configured to use a proxy to connect to the
-hostlist server.
-This functionality can be configured in the configuration file directly
-or using the @command{gnunet-setup} tool.
-
-The hostlist client supports the following proxy types at the moment:
-
-@itemize @bullet
-@item HTTP and HTTP 1.0 only proxy
-@item SOCKS 4/4a/5/5 with hostname
-@end itemize
-
-In addition authentication at the proxy with username and password can be
-configured.
-
-To configure proxy support for the hostlist client in the
-@command{gnunet-setup} tool, select the "hostlist" tab and select
-the appropriate proxy type.
-The hostname or IP address (including port if required) has to be entered
-in the "Proxy hostname" textbox. If required, enter username and password
-in the "Proxy username" and "Proxy password" boxes.
-Be aware that this information will be stored in the configuration in
-plain text (TODO: Add explanation and generalize the part in Chapter 3.6
-about the encrypted home).
-
-To provide these options directly in the configuration, you can
-enter the following settings in the @code{[hostlist]} section of
-the configuration:
-
-@example
-# Type of proxy server,
-# Valid values: HTTP, HTTP_1_0, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
-# Default: HTTP
-# PROXY_TYPE = HTTP
-
-# Hostname or IP of proxy server
-# PROXY =
-# User name for proxy server
-# PROXY_USERNAME =
-# User password for proxy server
-# PROXY_PASSWORD =
-@end example
-
-@node Configuring your peer to provide a hostlist
-@subsection Configuring your peer to provide a hostlist
-
-If you operate a peer permanently connected to GNUnet you can configure
-your peer to act as a hostlist server, providing other peers the list of
-peers known to him.
-
-Your server can act as a bootstrap server and peers needing to obtain a
-list of peers can contact it to download this list.
-To download this hostlist the peer uses HTTP.
-For this reason you have to build your peer with libgnurl (or libcurl)
-and microhttpd support.
-
-To configure your peer to act as a bootstrap server you have to add the
-@command{-p} option to @code{OPTIONS} in the @code{[hostlist]} section
-of your configuration file.
-Besides that you have to specify a port number for the http server.
-In conclusion you have to add the following lines:
-
-@example
-[hostlist]
-HTTPPORT = 12980
-OPTIONS = -p
-@end example
-
-@noindent
-If your peer acts as a bootstrap server other peers should know about
-that. You can advertise the hostlist your are providing to other peers.
-Peers connecting to your peer will get a message containing an
-advertisement for your hostlist and the URL where it can be downloaded.
-If this peer is in learning mode, it will test the hostlist and, in the
-case it can obtain the list successfully, it will save it for
-bootstrapping.
-
-To activate hostlist advertisement on your peer, you have to set the
-following lines in your configuration file:
-
-@example
-[hostlist]
-EXTERNAL_DNS_NAME = example.org
-HTTPPORT = 12981
-OPTIONS = -p -a
-@end example
-
-@noindent
-With this configuration your peer will a act as a bootstrap server and
-advertise this hostlist to other peers connecting to it.
-The URL used to download the list will be
-@code{@uref{http://example.org:12981/, http://example.org:12981/}}.
-
-Please notice:
-
-@itemize @bullet
-@item The hostlist is @b{not} human readable, so you should not try to
-download it using your webbrowser. Just point your GNUnet peer to the
-address!
-@item Advertising without providing a hostlist does not make sense and
-will not work.
-@end itemize
-
-@node Configuring the datastore
-@subsection Configuring the datastore
-
-The datastore is what GNUnet uses for long-term storage of file-sharing
-data. Note that long-term does not mean 'forever' since content does have
-an expiration date, and of course storage space is finite (and hence
-sometimes content may have to be discarded).
-
-Use the @code{QUOTA} option to specify how many bytes of storage space
-you are willing to dedicate to GNUnet.
-
-In addition to specifying the maximum space GNUnet is allowed to use for
-the datastore, you need to specify which database GNUnet should use to do
-so. Currently, you have the choice between sqLite, MySQL and Postgres.
-
-@node Configuring the MySQL database
-@subsection Configuring the MySQL database
-
-This section describes how to setup the MySQL database for GNUnet.
-
-Note that the mysql plugin does NOT work with mysql before 4.1 since we
-need prepared statements.
-We are generally testing the code against MySQL 5.1 at this point.
-
-@node Reasons for using MySQL
-@subsection Reasons for using MySQL
-
-@itemize @bullet
-
-@item On up-to-date hardware wher
-mysql can be used comfortably, this module
-will have better performance than the other database choices (according
-to our tests).
-
-@item Its often possible to recover the mysql database from internal
-inconsistencies. Some of the other databases do not support repair.
-@end itemize
-
-@node Reasons for not using MySQL
-@subsection Reasons for not using MySQL
-
-@itemize @bullet
-@item Memory usage (likely not an issue if you have more than 1 GB)
-@item Complex manual setup
-@end itemize
-
-@node Setup Instructions
-@subsection Setup Instructions
-
-@itemize @bullet
-
-@item In @file{gnunet.conf} set in section @code{DATASTORE} the value for
-@code{DATABASE} to @code{mysql}.
-
-@item Access mysql as root:
-
-@example
-$ mysql -u root -p
-@end example
-
-@noindent
-and issue the following commands, replacing $USER with the username
-that will be running @command{gnunet-arm} (so typically "gnunet"):
-
-@example
-CREATE DATABASE gnunet;
-GRANT select,insert,update,delete,create,alter,drop,create \
-temporary tables ON gnunet.* TO $USER@@localhost;
-SET PASSWORD FOR $USER@@localhost=PASSWORD('$the_password_you_like');
-FLUSH PRIVILEGES;
-@end example
-
-@item
-In the $HOME directory of $USER, create a @file{.my.cnf} file with the
-following lines
-
-@example
-[client]
-user=$USER
-password=$the_password_you_like
-@end example
-
-@end itemize
-
-Thats it. Note that @file{.my.cnf} file is a slight security risk unless
-its on a safe partition. The @file{$HOME/.my.cnf} can of course be
-a symbolic link.
-Luckily $USER has only priviledges to mess up GNUnet's tables,
-which should be pretty harmless.
-
-@node Testing
-@subsection Testing
-
-You should briefly try if the database connection works. First, login
-as $USER. Then use:
-
-@example
-$ mysql -u $USER
-mysql> use gnunet;
-@end example
-
-@noindent
-If you get the message
-
-@example
-Database changed
-@end example
-
-@noindent
-it probably works.
-
-If you get
-
-@example
-ERROR 2002: Can't connect to local MySQL server
-through socket '/tmp/mysql.sock' (2)
-@end example
-
-@noindent
-it may be resolvable by
-
-@example
-ln -s /var/run/mysqld/mysqld.sock /tmp/mysql.sock
-@end example
-
-@noindent
-so there may be some additional trouble depending on your mysql setup.
-
-@node Performance Tuning
-@subsection Performance Tuning
-
-For GNUnet, you probably want to set the option
-
-@example
-innodb_flush_log_at_trx_commit = 0
-@end example
-
-@noindent
-for a rather dramatic boost in MySQL performance. However, this reduces
-the "safety" of your database as with this options you may loose
-transactions during a power outage.
-While this is totally harmless for GNUnet, the option applies to all
-applications using MySQL. So you should set it if (and only if) GNUnet is
-the only application on your system using MySQL.
-
-@node Setup for running Testcases
-@subsection Setup for running Testcases
-
-If you want to run the testcases, you must create a second database
-"gnunetcheck" with the same username and password. This database will
-then be used for testing (@command{make check}).
-
-@node Configuring the Postgres database
-@subsection Configuring the Postgres database
-
-This text describes how to setup the Postgres database for GNUnet.
-
-This Postgres plugin was developed for Postgres 8.3 but might work for
-earlier versions as well.
-
-@node Reasons to use Postgres
-@subsection Reasons to use Postgres
-
-@itemize @bullet
-@item Easier to setup than MySQL
-@item Real database
-@end itemize
-
-@node Reasons not to use Postgres
-@subsection Reasons not to use Postgres
-
-@itemize @bullet
-@item Quite slow
-@item Still some manual setup required
-@end itemize
-
-@node Manual setup instructions
-@subsection Manual setup instructions
-
-@itemize @bullet
-@item In @file{gnunet.conf} set in section @code{DATASTORE} the value for
-@code{DATABASE} to @code{postgres}.
-@item Access Postgres to create a user:
-
-@table @asis
-@item with Postgres 8.x, use:
-
-@example
-# su - postgres
-$ createuser
-@end example
-
-@noindent
-and enter the name of the user running GNUnet for the role interactively.
-Then, when prompted, do not set it to superuser, allow the creation of
-databases, and do not allow the creation of new roles.
-
-@item with Postgres 9.x, use:
-
-@example
-# su - postgres
-$ createuser -d $GNUNET_USER
-@end example
-
-@noindent
-where $GNUNET_USER is the name of the user running GNUnet.
-
-@end table
-
-
-@item
-As that user (so typically as user "gnunet"), create a database (or two):
-
-@example
-$ createdb gnunet
-# this way you can run "make check"
-$ createdb gnunetcheck
-@end example
-
-@end itemize
-
-Now you should be able to start @code{gnunet-arm}.
-
-@node Testing the setup manually
-@subsection Testing the setup manually
-
-You may want to try if the database connection works. First, again login
-as the user who will run @command{gnunet-arm}. Then use:
-
-@example
-$ psql gnunet # or gnunetcheck
-gnunet=> \dt
-@end example
-
-@noindent
-If, after you have started @command{gnunet-arm} at least once, you get
-a @code{gn090} table here, it probably works.
-
-@node Configuring the datacache
-@subsection Configuring the datacache
-@c %**end of header
-
-The datacache is what GNUnet uses for storing temporary data. This data is
-expected to be wiped completely each time GNUnet is restarted (or the
-system is rebooted).
-
-You need to specify how many bytes GNUnet is allowed to use for the
-datacache using the @code{QUOTA} option in the section @code{[dhtcache]}.
-Furthermore, you need to specify which database backend should be used to
-store the data. Currently, you have the choice between
-sqLite, MySQL and Postgres.
-
-@node Configuring the file-sharing service
-@subsection Configuring the file-sharing service
-
-In order to use GNUnet for file-sharing, you first need to make sure
-that the file-sharing service is loaded.
-This is done by setting the @code{START_ON_DEMAND} option in
-section @code{[fs]} to "YES". Alternatively, you can run
-
-@example
-$ gnunet-arm -i fs
-@end example
-
-@noindent
-to start the file-sharing service by hand.
-
-Except for configuring the database and the datacache the only important
-option for file-sharing is content migration.
-
-Content migration allows your peer to cache content from other peers as
-well as send out content stored on your system without explicit requests.
-This content replication has positive and negative impacts on both system
-performance and privacy.
-
-FIXME: discuss the trade-offs. Here is some older text about it...
-
-Setting this option to YES allows gnunetd to migrate data to the local
-machine. Setting this option to YES is highly recommended for efficiency.
-Its also the default. If you set this value to YES, GNUnet will store
-content on your machine that you cannot decrypt.
-While this may protect you from liability if the judge is sane, it may
-not (IANAL). If you put illegal content on your machine yourself, setting
-this option to YES will probably increase your chances to get away with it
-since you can plausibly deny that you inserted the content.
-Note that in either case, your anonymity would have to be broken first
-(which may be possible depending on the size of the GNUnet network and the
-strength of the adversary).
-
-@node Configuring logging
-@subsection Configuring logging
-
-Logging in GNUnet 0.9.0 is controlled via the "-L" and "-l" options.
-Using @code{-L}, a log level can be specified. With log level
-@code{ERROR} only serious errors are logged.
-The default log level is @code{WARNING} which causes anything of
-concern to be logged.
-Log level @code{INFO} can be used to log anything that might be
-interesting information whereas
-@code{DEBUG} can be used by developers to log debugging messages
-(but you need to run @code{./configure} with
-@code{--enable-logging=verbose} to get them compiled).
-The @code{-l} option is used to specify the log file.
-
-Since most GNUnet services are managed by @code{gnunet-arm}, using the
-@code{-l} or @code{-L} options directly is not possible.
-Instead, they can be specified using the @code{OPTIONS} configuration
-value in the respective section for the respective service.
-In order to enable logging globally without editing the @code{OPTIONS}
-values for each service, @command{gnunet-arm} supports a
-@code{GLOBAL_POSTFIX} option.
-The value specified here is given as an extra option to all services for
-which the configuration does contain a service-specific @code{OPTIONS}
-field.
-
-@code{GLOBAL_POSTFIX} can contain the special sequence "@{@}" which
-is replaced by the name of the service that is being started.
-Furthermore, @code{GLOBAL_POSTFIX} is special in that sequences
-starting with "$" anywhere in the string are expanded (according
-to options in @code{PATHS}); this expansion otherwise is
-only happening for filenames and then the "$" must be the
-first character in the option. Both of these restrictions do
-not apply to @code{GLOBAL_POSTFIX}.
-Note that specifying @code{%} anywhere in the @code{GLOBAL_POSTFIX}
-disables both of these features.
-
-In summary, in order to get all services to log at level
-@code{INFO} to log-files called @code{SERVICENAME-logs}, the
-following global prefix should be used:
-
-@example
-GLOBAL_POSTFIX = -l $SERVICEHOME/@{@}-logs -L INFO
-@end example
-
-@node Configuring the transport service and plugins
-@subsection Configuring the transport service and plugins
-
-The transport service in GNUnet is responsible to maintain basic
-connectivity to other peers.
-Besides initiating and keeping connections alive it is also responsible
-for address validation.
-
-The GNUnet transport supports more than one transport protocol.
-These protocols are configured together with the transport service.
-
-The configuration section for the transport service itself is quite
-similar to all the other services
-
-@example
-START_ON_DEMAND = YES
-@@UNIXONLY@@ PORT = 2091
-HOSTNAME = localhost
-HOME = $SERVICEHOME
-CONFIG = $DEFAULTCONFIG
-BINARY = gnunet-service-transport
-#PREFIX = valgrind
-NEIGHBOUR_LIMIT = 50
-ACCEPT_FROM = 127.0.0.1;
-ACCEPT_FROM6 = ::1;
-PLUGINS = tcp udp
-UNIXPATH = /tmp/gnunet-service-transport.sock
-@end example
-
-Different are the settings for the plugins to load @code{PLUGINS}.
-The first setting specifies which transport plugins to load.
-
-@itemize @bullet
-@item transport-unix
-A plugin for local only communication with UNIX domain sockets. Used for
-testing and available on unix systems only. Just set the port
-
-@example
-[transport-unix]
-PORT = 22086
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@item transport-tcp
-A plugin for communication with TCP. Set port to 0 for client mode with
-outbound only connections
-
-@example
-[transport-tcp]
-# Use 0 to ONLY advertise as a peer behind NAT (no port binding)
-PORT = 2086
-ADVERTISED_PORT = 2086
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-# Maximum number of open TCP connections allowed
-MAX_CONNECTIONS = 128
-@end example
-
-@item transport-udp
-A plugin for communication with UDP. Supports peer discovery using
-broadcasts.
-
-@example
-[transport-udp]
-PORT = 2086
-BROADCAST = YES
-BROADCAST_INTERVAL = 30 s
-MAX_BPS = 1000000
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@item transport-http
-HTTP and HTTPS support is split in two part: a client plugin initiating
-outbound connections and a server part accepting connections from the
-client. The client plugin just takes the maximum number of connections as
-an argument.
-
-@example
-[transport-http_client]
-MAX_CONNECTIONS = 128
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@example
-[transport-https_client]
-MAX_CONNECTIONS = 128
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@noindent
-The server has a port configured and the maximum nunber of connections.
-The HTTPS part has two files with the certificate key and the certificate
-file.
-
-The server plugin supports reverse proxies, so a external hostname can be
-set using the @code{EXTERNAL_HOSTNAME} setting.
-The webserver under this address should forward the request to the peer
-and the configure port.
-
-@example
-[transport-http_server]
-EXTERNAL_HOSTNAME = fulcrum.net.in.tum.de/gnunet
-PORT = 1080
-MAX_CONNECTIONS = 128
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@example
-[transport-https_server]
-PORT = 4433
-CRYPTO_INIT = NORMAL
-KEY_FILE = https.key
-CERT_FILE = https.cert
-MAX_CONNECTIONS = 128
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-
-@item transport-wlan
-
-The next section describes how to setup the WLAN plugin,
-so here only the settings. Just specify the interface to use:
-
-@example
-[transport-wlan]
-# Name of the interface in monitor mode (typically monX)
-INTERFACE = mon0
-# Real hardware, no testing
-TESTMODE = 0
-TESTING_IGNORE_KEYS = ACCEPT_FROM;
-@end example
-@end itemize
-
-@node Configuring the wlan transport plugin
-@subsection Configuring the wlan transport plugin
-
-The wlan transport plugin enables GNUnet to send and to receive data on a
-wlan interface.
-It has not to be connected to a wlan network as long as sender and
-receiver are on the same channel. This enables you to get connection to
-GNUnet where no internet access is possible, for example during
-catastrophes or when censorship cuts you off from the internet.
-
-
-@menu
-* Requirements for the WLAN plugin::
-* Configuration::
-* Before starting GNUnet::
-* Limitations and known bugs::
-@end menu
-
-
-@node Requirements for the WLAN plugin
-@subsubsection Requirements for the WLAN plugin
-
-@itemize @bullet
-
-@item wlan network card with monitor support and packet injection
-(see @uref{http://www.aircrack-ng.org/, aircrack-ng.org})
-
-@item Linux kernel with mac80211 stack, introduced in 2.6.22, tested with
-2.6.35 and 2.6.38
-
-@item Wlantools to create the a monitor interface, tested with airmon-ng
-of the aircrack-ng package
-@end itemize
-
-@node Configuration
-@subsubsection Configuration
-
-There are the following options for the wlan plugin (they should be like
-this in your default config file, you only need to adjust them if the
-values are incorrect for your system)
-
-@example
-# section for the wlan transport plugin
-[transport-wlan]
-# interface to use, more information in the
-# "Before starting GNUnet" section of the handbook.
-INTERFACE = mon0
-# testmode for developers:
-# 0 use wlan interface,
-#1 or 2 use loopback driver for tests 1 = server, 2 = client
-TESTMODE = 0
-@end example
-
-@node Before starting GNUnet
-@subsubsection Before starting GNUnet
-
-Before starting GNUnet, you have to make sure that your wlan interface is
-in monitor mode.
-One way to put the wlan interface into monitor mode (if your interface
-name is wlan0) is by executing:
-
-@example
-sudo airmon-ng start wlan0
-@end example
-
-@noindent
-Here is an example what the result should look like:
-
-@example
-Interface Chipset Driver
-wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
-(monitor mode enabled on mon0)
-@end example
-
-@noindent
-The monitor interface is mon0 is the one that you have to put into the
-configuration file.
-
-@node Limitations and known bugs
-@subsubsection Limitations and known bugs
-
-Wlan speed is at the maximum of 1 Mbit/s because support for choosing the
-wlan speed with packet injection was removed in newer kernels.
-Please pester the kernel developers about fixing this.
-
-The interface channel depends on the wlan network that the card is
-connected to. If no connection has been made since the start of the
-computer, it is usually the first channel of the card.
-Peers will only find each other and communicate if they are on the same
-channel. Channels must be set manually, i.e. using:
-
-@example
-iwconfig wlan0 channel 1
-@end example
-
-@node Configuring HTTP(S) reverse proxy functionality using Apache or nginx
-@subsection Configuring HTTP(S) reverse proxy functionality using Apache or nginx
-
-The HTTP plugin supports data transfer using reverse proxies. A reverse
-proxy forwards the HTTP request he receives with a certain URL to another
-webserver, here a GNUnet peer.
-
-So if you have a running Apache or nginx webserver you can configure it to
-be a GNUnet reverse proxy. Especially if you have a well-known webiste
-this improves censorship resistance since it looks as normal surfing
-behaviour.
-
-To do so, you have to do two things:
-
-@itemize @bullet
-@item Configure your webserver to forward the GNUnet HTTP traffic
-@item Configure your GNUnet peer to announce the respective address
-@end itemize
-
-As an example we want to use GNUnet peer running:
-
-@itemize @bullet
-
-@item HTTP server plugin on @code{gnunet.foo.org:1080}
-
-@item HTTPS server plugin on @code{gnunet.foo.org:4433}
-
-@item A apache or nginx webserver on
-@uref{http://www.foo.org/, http://www.foo.org:80/}
-
-@item A apache or nginx webserver on https://www.foo.org:443/
-@end itemize
-
-And we want the webserver to accept GNUnet traffic under
-@code{http://www.foo.org/bar/}. The required steps are described here:
-
-@menu
-* Reverse Proxy - Configure your Apache2 HTTP webserver::
-* Reverse Proxy - Configure your Apache2 HTTPS webserver::
-* Reverse Proxy - Configure your nginx HTTPS webserver::
-* Reverse Proxy - Configure your nginx HTTP webserver::
-* Reverse Proxy - Configure your GNUnet peer::
-@end menu
-
-@node Reverse Proxy - Configure your Apache2 HTTP webserver
-@subsubsection Reverse Proxy - Configure your Apache2 HTTP webserver
-
-First of all you need mod_proxy installed.
-
-Edit your webserver configuration. Edit
-@code{/etc/apache2/apache2.conf} or the site-specific configuration file.
-
-In the respective @code{server config},@code{virtual host} or
-@code{directory} section add the following lines:
-
-@example
-ProxyTimeout 300
-ProxyRequests Off
-<Location /bar/ >
-ProxyPass http://gnunet.foo.org:1080/
-ProxyPassReverse http://gnunet.foo.org:1080/
-</Location>
-@end example
-
-@node Reverse Proxy - Configure your Apache2 HTTPS webserver
-@subsubsection Reverse Proxy - Configure your Apache2 HTTPS webserver
-
-We assume that you already have an HTTPS server running, if not please
-check how to configure a HTTPS host. An uncomplicated to use example
-is the example configuration file for Apache2/HTTPD provided in
-@file{apache2/sites-available/default-ssl}.
-
-In the respective HTTPS @code{server config},@code{virtual host} or
-@code{directory} section add the following lines:
-
-@example
-SSLProxyEngine On
-ProxyTimeout 300
-ProxyRequests Off
-<Location /bar/ >
-ProxyPass https://gnunet.foo.org:4433/
-ProxyPassReverse https://gnunet.foo.org:4433/
-</Location>
-@end example
-
-@noindent
-More information about the apache mod_proxy configuration can be found
-in the Apache documentation@footnote{@uref{http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass, http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass}}
-
-@node Reverse Proxy - Configure your nginx HTTPS webserver
-@subsubsection Reverse Proxy - Configure your nginx HTTPS webserver
-
-Since nginx does not support chunked encoding, you first of all have to
-install the @code{chunkin} module@footnote{@uref{http://wiki.nginx.org/HttpChunkinModule, http://wiki.nginx.org/HttpChunkinModule}}
-
-To enable chunkin add:
-
-@example
-chunkin on;
-error_page 411 = @@my_411_error;
-location @@my_411_error @{
-chunkin_resume;
-@}
-@end example
-
-@noindent
-Edit your webserver configuration. Edit @file{/etc/nginx/nginx.conf} or
-the site-specific configuration file.
-
-In the @code{server} section add:
-
-@example
-location /bar/ @{
-proxy_pass http://gnunet.foo.org:1080/;
-proxy_buffering off;
-proxy_connect_timeout 5; # more than http_server
-proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
-proxy_http_version 1.1; # 1.0 default
-proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
-@}
-@end example
-
-@node Reverse Proxy - Configure your nginx HTTP webserver
-@subsubsection Reverse Proxy - Configure your nginx HTTP webserver
-
-Edit your webserver configuration. Edit @file{/etc/nginx/nginx.conf} or
-the site-specific configuration file.
-
-In the @code{server} section add:
-
-@example
-ssl_session_timeout 6m;
-location /bar/
-@{
-proxy_pass https://gnunet.foo.org:4433/;
-proxy_buffering off;
-proxy_connect_timeout 5; # more than http_server
-proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
-proxy_http_version 1.1; # 1.0 default
-proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
-@}
-@end example
-
-@node Reverse Proxy - Configure your GNUnet peer
-@subsubsection Reverse Proxy - Configure your GNUnet peer
-
-To have your GNUnet peer announce the address, you have to specify the
-@code{EXTERNAL_HOSTNAME} option in the @code{[transport-http_server]}
-section:
-
-@example
-[transport-http_server]
-EXTERNAL_HOSTNAME = http://www.foo.org/bar/
-@end example
-
-@noindent
-and/or @code{[transport-https_server]} section:
-
-@example
-[transport-https_server]
-EXTERNAL_HOSTNAME = https://www.foo.org/bar/
-@end example
-
-@noindent
-Now restart your webserver and your peer...
-
-@node Blacklisting peers
-@subsection Blacklisting peers
-
-Transport service supports to deny connecting to a specific peer of to a
-specific peer with a specific transport plugin using te blacklisting
-component of transport service. With@ blacklisting it is possible to deny
-connections to specific peers of@ to use a specific plugin to a specific
-peer. Peers can be blacklisted using@ the configuration or a blacklist
-client can be asked.
-
-To blacklist peers using the configuration you have to add a section to
-your configuration containing the peer id of the peer to blacklist and
-the plugin@ if required.
-
-Examples:
-
-To blacklist connections to P565... on peer AG2P... using tcp add:
-
-@c FIXME: This is too long and produces errors in the pdf.
-@example
-[transport-blacklist AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
-P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G = tcp
-@end example
-
-To blacklist connections to P565... on peer AG2P... using all plugins add:
-
-@example
-[transport-blacklist-AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
-P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G =
-@end example
-
-You can also add a blacklist client usign the blacklist API. On a
-blacklist check, blacklisting first checks internally if the peer is
-blacklisted and if not, it asks the blacklisting clients. Clients are
-asked if it is OK to connect to a peer ID, the plugin is omitted.
-
-On blacklist check for (peer, plugin)
-@itemize @bullet
-@item Do we have a local blacklist entry for this peer and this plugin?@
-@item YES: disallow connection@
-@item Do we have a local blacklist entry for this peer and all plugins?@
-@item YES: disallow connection@
-@item Does one of the clients disallow?@
-@item YES: disallow connection
-@end itemize
-
-@node Configuration of the HTTP and HTTPS transport plugins
-@subsection Configuration of the HTTP and HTTPS transport plugins
-
-The client parts of the http and https transport plugins can be configured
-to use a proxy to connect to the hostlist server. This functionality can
-be configured in the configuration file directly or using the
-gnunet-setup tool.
-
-Both the HTTP and HTTPS clients support the following proxy types at
-the moment:
-
-@itemize @bullet
-@item HTTP 1.1 proxy
-@item SOCKS 4/4a/5/5 with hostname
-@end itemize
-
-In addition authentication at the proxy with username and password can be
-configured.
-
-To configure proxy support for the clients in the gnunet-setup tool,
-select the "transport" tab and activate the respective plugin. Now you
-can select the appropriate proxy type. The hostname or IP address
-(including port if required) has to be entered in the "Proxy hostname"
-textbox. If required, enter username and password in the "Proxy username"
-and "Proxy password" boxes. Be aware that these information will be stored
-in the configuration in plain text.
-
-To configure these options directly in the configuration, you can
-configure the following settings in the @code{[transport-http_client]}
-and @code{[transport-https_client]} section of the configuration:
-
-@example
-# Type of proxy server,
-# Valid values: HTTP, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
-# Default: HTTP
-# PROXY_TYPE = HTTP
-
-# Hostname or IP of proxy server
-# PROXY =
-# User name for proxy server
-# PROXY_USERNAME =
-# User password for proxy server
-# PROXY_PASSWORD =
-@end example
-
-@node Configuring the GNU Name System
-@subsection Configuring the GNU Name System
-
-@menu
-* Configuring system-wide DNS interception::
-* Configuring the GNS nsswitch plugin::
-* Configuring GNS on W32::
-* GNS Proxy Setup::
-* Setup of the GNS CA::
-* Testing the GNS setup::
-@end menu
-
-
-@node Configuring system-wide DNS interception
-@subsubsection Configuring system-wide DNS interception
-
-Before you install GNUnet, make sure you have a user and group 'gnunet'
-as well as an empty group 'gnunetdns'.
-
-When using GNUnet with system-wide DNS interception, it is absolutely
-necessary for all GNUnet service processes to be started by
-@code{gnunet-service-arm} as user and group 'gnunet'. You also need to be
-sure to run @code{make install} as root (or use the @code{sudo} option to
-configure) to grant GNUnet sufficient privileges.
-
-With this setup, all that is required for enabling system-wide DNS
-interception is for some GNUnet component (VPN or GNS) to request it.
-The @code{gnunet-service-dns} will then start helper programs that will
-make the necessary changes to your firewall (@code{iptables}) rules.
-
-Note that this will NOT work if your system sends out DNS traffic to a
-link-local IPv6 address, as in this case GNUnet can intercept the traffic,
-but not inject the responses from the link-local IPv6 address. Hence you
-cannot use system-wide DNS interception in conjunction with link-local
-IPv6-based DNS servers. If such a DNS server is used, it will bypass
-GNUnet's DNS traffic interception.
-
-Using the GNU Name System (GNS) requires two different configuration
-steps.
-First of all, GNS needs to be integrated with the operating system. Most
-of this section is about the operating system level integration.
-
-The remainder of this chapter will detail the various methods for
-configuring the use of GNS with your operating system.
-
-At this point in time you have different options depending on your OS:
-
-@table @asis
-
-@item Use the gnunet-gns-proxy This approach works for all operating
-systems and is likely the easiest. However, it enables GNS only for
-browsers, not for other applications that might be using DNS, such as SSH.
-Still, using the proxy is required for using HTTP with GNS and is thus
-recommended for all users. To do this, you simply have to run the
-@code{gnunet-gns-proxy-setup-ca} script as the user who will run the
-browser (this will create a GNS certificate authority (CA) on your system
-and import its key into your browser), then start @code{gnunet-gns-proxy}
-and inform your browser to use the Socks5 proxy which
-@code{gnunet-gns-proxy} makes available by default on port 7777.
-@item Use a nsswitch plugin (recommended on GNU systems)
-This approach has the advantage of offering fully personalized resolution
-even on multi-user systems. A potential disadvantage is that some
-applications might be able to bypass GNS.
-@item Use a W32 resolver plugin (recommended on W32)
-This is currently the only option on W32 systems.
-@item Use system-wide DNS packet interception
-This approach is recommended for the GNUnet VPN. It can be used to handle
-GNS at the same time; however, if you only use this method, you will only
-get one root zone per machine (not so great for multi-user systems).
-@end table
-
-You can combine system-wide DNS packet interception with the nsswitch
-plugin.
-The setup of the system-wide DNS interception is described here. All of
-the other GNS-specific configuration steps are described in the following
-sections.
-
-@node Configuring the GNS nsswitch plugin
-@subsubsection Configuring the GNS nsswitch plugin
-
-The Name Service Switch (NSS) is a facility in Unix-like operating systems
-@footnote{More accurate: NSS is a functionality of the GNU C Library}
-that provides a variety of sources for common configuration databases and
-name resolution mechanisms.
-A superuser (system administrator) usually configures the
-operating system's name services using the file
-@file{/etc/nsswitch.conf}.
-
-GNS provides a NSS plugin to integrate GNS name resolution with the
-operating system's name resolution process.
-To use the GNS NSS plugin you have to either
-
-@itemize @bullet
-@item install GNUnet as root or
-@item compile GNUnet with the @code{--with-sudo=yes} switch.
-@end itemize
-
-Name resolution is controlled by the @emph{hosts} section in the NSS
-configuration. By default this section first performs a lookup in the
-@file{/etc/hosts} file and then in DNS.
-The nsswitch file should contain a line similar to:
-
-@example
-hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4
-@end example
-
-@noindent
-Here the GNS NSS plugin can be added to perform a GNS lookup before
-performing a DNS lookup.
-The GNS NSS plugin has to be added to the "hosts" section in
-@file{/etc/nsswitch.conf} file before DNS related plugins:
-
-@example
-...
-hosts: files gns [NOTFOUND=return] dns mdns4_minimal mdns4
-...
-@end example
-
-@noindent
-The @code{NOTFOUND=return} will ensure that if a @code{.gnu} name is not
-found in GNS it will not be queried in DNS.
-
-@node Configuring GNS on W32
-@subsubsection Configuring GNS on W32
-
-This document is a guide to configuring GNU Name System on W32-compatible
-platforms.
-
-After GNUnet is installed, run the w32nsp-install tool:
-
-@example
-w32nsp-install.exe libw32nsp-0.dll
-@end example
-
-@noindent
-('0' is the library version of W32 NSP; it might increase in the future,
-change the invocation accordingly).
-
-This will install GNS namespace provider into the system and allow other
-applications to resolve names that end in '@strong{gnu}'
-and '@strong{zkey}'. Note that namespace provider requires
-gnunet-gns-helper-service-w32 to be running, as well as gns service
-itself (and its usual dependencies).
-
-Namespace provider is hardcoded to connect to @strong{127.0.0.1:5353},
-and this is where gnunet-gns-helper-service-w32 should be listening to
-(and is configured to listen to by default).
-
-To uninstall the provider, run:
-
-@example
-w32nsp-uninstall.exe
-@end example
-
-@noindent
-(uses provider GUID to uninstall it, does not need a dll name).
-
-Note that while MSDN claims that other applications will only be able to
-use the new namespace provider after re-starting, in reality they might
-stat to use it without that. Conversely, they might stop using the
-provider after it's been uninstalled, even if they were not re-started.
-W32 will not permit namespace provider library to be deleted or
-overwritten while the provider is installed, and while there is at least
-one process still using it (even after it was uninstalled).
-
-@node GNS Proxy Setup
-@subsubsection GNS Proxy Setup
-
-When using the GNU Name System (GNS) to browse the WWW, there are several
-issues that can be solved by adding the GNS Proxy to your setup:
-
-@itemize @bullet
-
-@item If the target website does not support GNS, it might assume that it
-is operating under some name in the legacy DNS system (such as
-example.com). It may then attempt to set cookies for that domain, and the
-web server might expect a @code{Host: example.com} header in the request
-from your browser.
-However, your browser might be using @code{example.gnu} for the
-@code{Host} header and might only accept (and send) cookies for
-@code{example.gnu}. The GNS Proxy will perform the necessary translations
-of the hostnames for cookies and HTTP headers (using the LEHO record for
-the target domain as the desired substitute).
-
-@item If using HTTPS, the target site might include an SSL certificate
-which is either only valid for the LEHO domain or might match a TLSA
-record in GNS. However, your browser would expect a valid certificate for
-@code{example.gnu}, not for some legacy domain name. The proxy will
-validate the certificate (either against LEHO or TLSA) and then
-on-the-fly produce a valid certificate for the exchange, signed by your
-own CA. Assuming you installed the CA of your proxy in your browser's
-certificate authority list, your browser will then trust the
-HTTPS/SSL/TLS connection, as the hostname mismatch is hidden by the proxy.
-
-@item Finally, the proxy will in the future indicate to the server that it
-speaks GNS, which will enable server operators to deliver GNS-enabled web
-sites to your browser (and continue to deliver legacy links to legacy
-browsers)
-@end itemize
-
-@node Setup of the GNS CA
-@subsubsection Setup of the GNS CA
-
-First you need to create a CA certificate that the proxy can use.
-To do so use the provided script gnunet-gns-proxy-ca:
-
-@example
-$ gnunet-gns-proxy-setup-ca
-@end example
-
-@noindent
-This will create a personal certification authority for you and add this
-authority to the firefox and chrome database. The proxy will use the this
-CA certificate to generate @code{*.gnu} client certificates on the fly.
-
-Note that the proxy uses libcurl. Make sure your version of libcurl uses
-GnuTLS and NOT OpenSSL. The proxy will @b{not} work with libcurl compiled
-against OpenSSL.
-
-You can check the configuration your libcurl was build with by
-running:
-
-@example
-curl --version
-@end example
-
-the output will look like this (without the linebreaks):
-
-@example
-gnurl --version
-curl 7.56.0 (x86_64-unknown-linux-gnu) libcurl/7.56.0 \
-GnuTLS/3.5.13 zlib/1.2.11 libidn2/2.0.4
-Release-Date: 2017-10-08
-Protocols: http https
-Features: AsynchDNS IDN IPv6 Largefile NTLM SSL libz \
-TLS-SRP UnixSockets HTTPS-proxy
-@end example
-
-@node Testing the GNS setup
-@subsubsection Testing the GNS setup
-
-Now for testing purposes we can create some records in our zone to test
-the SSL functionality of the proxy:
-
-@example
-$ gnunet-identity -C test
-$ gnunet-namestore -a -e "1 d" -n "homepage" \
-  -t A -V 131.159.74.67 -z test
-$ gnunet-namestore -a -e "1 d" -n "homepage" \
-  -t LEHO -V "gnunet.org" -z test
-@end example
-
-@noindent
-At this point we can start the proxy. Simply execute
-
-@example
-$ gnunet-gns-proxy
-@end example
-
-@noindent
-Configure your browser to use this SOCKSv5 proxy on port 7777 and visit
-this link.
-If you use @command{Firefox} (or one of its deriviates/forks such as
-Icecat) you also have to go to @code{about:config} and set the key
-@code{network.proxy.socks_remote_dns} to @code{true}.
-
-When you visit @code{https://homepage.test/}, you should get to the
-@code{https://gnunet.org/} frontpage and the browser (with the correctly
-configured proxy) should give you a valid SSL certificate for
-@code{homepage.gnu} and no warnings. It should look like this:
-
-@c FIXME: Image does not exist, create it or save it from Drupal?
-@c @image{images/gnunethpgns.png,5in,, picture of homepage.gnu in Webbrowser}
-
-
-@node Configuring the GNUnet VPN
-@subsection Configuring the GNUnet VPN
-
-@menu
-* IPv4 address for interface::
-* IPv6 address for interface::
-* Configuring the GNUnet VPN DNS::
-* Configuring the GNUnet VPN Exit Service::
-* IP Address of external DNS resolver::
-* IPv4 address for Exit interface::
-* IPv6 address for Exit interface::
-@end menu
-
-Before configuring the GNUnet VPN, please make sure that system-wide DNS
-interception is configured properly as described in the section on the
-GNUnet DNS setup. @pxref{Configuring the GNU Name System},
-if you haven't done so already.
-
-The default options for the GNUnet VPN are usually sufficient to use
-GNUnet as a Layer 2 for your Internet connection.
-However, what you always have to specify is which IP protocol you want
-to tunnel: IPv4, IPv6 or both.
-Furthermore, if you tunnel both, you most likely should also tunnel
-all of your DNS requests.
-You theoretically can tunnel "only" your DNS traffic, but that usually
-makes little sense.
-
-The other options as shown on the gnunet-setup tool are:
-
-@node IPv4 address for interface
-@subsubsection IPv4 address for interface
-
-This is the IPv4 address the VPN interface will get. You should pick an
-'private' IPv4 network that is not yet in use for you system. For example,
-if you use @code{10.0.0.1/255.255.0.0} already, you might use
-@code{10.1.0.1/255.255.0.0}.
-If you use @code{10.0.0.1/255.0.0.0} already, then you might use
-@code{192.168.0.1/255.255.0.0}.
-If your system is not in a private IP-network, using any of the above will
-work fine.
-You should try to make the mask of the address big enough
-(@code{255.255.0.0} or, even better, @code{255.0.0.0}) to allow more
-mappings of remote IP Addresses into this range.
-However, even a @code{255.255.255.0} mask will suffice for most users.
-
-@node IPv6 address for interface
-@subsubsection IPv6 address for interface
-
-The IPv6 address the VPN interface will get. Here you can specify any
-non-link-local address (the address should not begin with @code{fe80:}).
-A subnet Unique Local Unicast (@code{fd00::/8} prefix) that you are
-currently not using would be a good choice.
-
-@node Configuring the GNUnet VPN DNS
-@subsubsection Configuring the GNUnet VPN DNS
-
-To resolve names for remote nodes, activate the DNS exit option.
-
-@node Configuring the GNUnet VPN Exit Service
-@subsubsection Configuring the GNUnet VPN Exit Service
-
-If you want to allow other users to share your Internet connection (yes,
-this may be dangerous, just as running a Tor exit node) or want to
-provide access to services on your host (this should be less dangerous,
-as long as those services are secure), you have to enable the GNUnet exit
-daemon.
-
-You then get to specify which exit functions you want to provide. By
-enabling the exit daemon, you will always automatically provide exit
-functions for manually configured local services (this component of the
-system is under
-development and not documented further at this time). As for those
-services you explicitly specify the target IP address and port, there is
-no significant security risk in doing so.
-
-Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet.
-Being a DNS exit is usually pretty harmless. However, enabling IPv4 or
-IPv6-exit without further precautions may enable adversaries to access
-your local network, send spam, attack other systems from your Internet
-connection and to other mischief that will appear to come from your
-machine. This may or may not get you into legal trouble.
-If you want to allow IPv4 or IPv6-exit functionality, you should strongly
-consider adding additional firewall rules manually to protect your local
-network and to restrict outgoing TCP traffic (i.e. by not allowing access
-to port 25). While we plan to improve exit-filtering in the future,
-you're currently on your own here.
-Essentially, be prepared for any kind of IP-traffic to exit the respective
-TUN interface (and GNUnet will enable IP-forwarding and NAT for the
-interface automatically).
-
-Additional configuration options of the exit as shown by the gnunet-setup
-tool are:
-
-@node IP Address of external DNS resolver
-@subsubsection IP Address of external DNS resolver
-
-If DNS traffic is to exit your machine, it will be send to this DNS
-resolver. You can specify an IPv4 or IPv6 address.
-
-@node IPv4 address for Exit interface
-@subsubsection IPv4 address for Exit interface
-
-This is the IPv4 address the Interface will get. Make the mask of the
-address big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more
-mappings of IP addresses into this range. As for the VPN interface, any
-unused, private IPv4 address range will do.
-
-@node IPv6 address for Exit interface
-@subsubsection IPv6 address for Exit interface
-
-The public IPv6 address the interface will get. If your kernel is not a
-very recent kernel and you are willing to manually enable IPv6-NAT, the
-IPv6 address you specify here must be a globally routed IPv6 address of
-your host.
-
-Suppose your host has the address @code{2001:4ca0::1234/64}, then
-using @code{2001:4ca0::1:0/112} would be fine (keep the first 64 bits,
-then change at least one bit in the range before the bitmask, in the
-example above we changed bit 111 from 0 to 1).
-
-You may also have to configure your router to route traffic for the entire
-subnet (@code{2001:4ca0::1:0/112} for example) through your computer (this
-should be automatic with IPv6, but obviously anything can be
-disabled).
-
-@node Bandwidth Configuration
-@subsection Bandwidth Configuration
-
-You can specify how many bandwidth GNUnet is allowed to use to receive
-and send data. This is important for users with limited bandwidth or
-traffic volume.
-
-@node Configuring NAT
-@subsection Configuring NAT
-
-Most hosts today do not have a normal global IP address but instead are
-behind a router performing Network Address Translation (NAT) which assigns
-each host in the local network a private IP address.
-As a result, these machines cannot trivially receive inbound connections
-from the Internet. GNUnet supports NAT traversal to enable these machines
-to receive incoming connections from other peers despite their
-limitations.
-
-In an ideal world, you can press the "Attempt automatic configuration"
-button in gnunet-setup to automatically configure your peer correctly.
-Alternatively, your distribution might have already triggered this
-automatic configuration during the installation process.
-However, automatic configuration can fail to determine the optimal
-settings, resulting in your peer either not receiving as many connections
-as possible, or in the worst case it not connecting to the network at all.
-
-To manually configure the peer, you need to know a few things about your
-network setup. First, determine if you are behind a NAT in the first
-place.
-This is always the case if your IP address starts with "10.*" or
-"192.168.*". Next, if you have control over your NAT router, you may
-choose to manually configure it to allow GNUnet traffic to your host.
-If you have configured your NAT to forward traffic on ports 2086 (and
-possibly 1080) to your host, you can check the "NAT ports have been opened
-manually" option, which corresponds to the "PUNCHED_NAT" option in the
-configuration file. If you did not punch your NAT box, it may still be
-configured to support UPnP, which allows GNUnet to automatically
-configure it. In that case, you need to install the "upnpc" command,
-enable UPnP (or PMP) on your NAT box and set the "Enable NAT traversal
-via UPnP or PMP" option (corresponding to "ENABLE_UPNP" in the
-configuration file).
-
-Some NAT boxes can be traversed using the autonomous NAT traversal method.
-This requires certain GNUnet components to be installed with "SUID"
-prividledges on your system (so if you're installing on a system you do
-not have administrative rights to, this will not work).
-If you installed as 'root', you can enable autonomous NAT traversal by
-checking the "Enable NAT traversal using ICMP method".
-The ICMP method requires a way to determine your NAT's external (global)
-IP address. This can be done using either UPnP, DynDNS, or by manual
-configuration. If you have a DynDNS name or know your external IP address,
-you should enter that name under "External (public) IPv4 address" (which
-corresponds to the "EXTERNAL_ADDRESS" option in the configuration file).
-If you leave the option empty, GNUnet will try to determine your external
-IP address automatically (which may fail, in which case autonomous
-NAT traversal will then not work).
-
-Finally, if you yourself are not behind NAT but want to be able to
-connect to NATed peers using autonomous NAT traversal, you need to check
-the "Enable connecting to NATed peers using ICMP method" box.
-
-
-@node Peer configuration for distributions
-@subsection Peer configuration for distributions
-
-The "GNUNET_DATA_HOME" in "[path]" in @file{/etc/gnunet.conf} should be
-manually set to "/var/lib/gnunet/data/" as the default
-"~/.local/share/gnunet/" is probably not that appropriate in this case.
-Similarly, distributions may consider pointing "GNUNET_RUNTIME_DIR" to
-"/var/run/gnunet/" and "GNUNET_HOME" to "/var/lib/gnunet/". Also, should a
-distribution decide to override system defaults, all of these changes
-should be done in a custom @file{/etc/gnunet.conf} and not in the files
-in the @file{config.d/} directory.
-
-Given the proposed access permissions, the "gnunet-setup" tool must be
-run as use "gnunet" (and with option "-c /etc/gnunet.conf" so that it
-modifies the system configuration). As always, gnunet-setup should be run
-after the GNUnet peer was stopped using "gnunet-arm -e". Distributions
-might want to include a wrapper for gnunet-setup that allows the
-desktop-user to "sudo" (i.e. using gtksudo) to the "gnunet" user account
-and then runs "gnunet-arm -e", "gnunet-setup" and "gnunet-arm -s" in
-sequence.
-
-@node How to start and stop a GNUnet peer
-@section How to start and stop a GNUnet peer
-
-This section describes how to start a GNUnet peer. It assumes that you
-have already compiled and installed GNUnet and its' dependencies.
-Before you start a GNUnet peer, you may want to create a configuration
-file using gnunet-setup (but you do not have to).
-Sane defaults should exist in your
-@file{$GNUNET_PREFIX/share/gnunet/config.d/} directory, so in practice
-you could simply start without any configuration. If you want to
-configure your peer later, you need to stop it before invoking the
-@code{gnunet-setup} tool to customize further and to test your
-configuration (@code{gnunet-setup} has build-in test functions).
-
-The most important option you might have to still set by hand is in
-[PATHS]. Here, you use the option "GNUNET_HOME" to specify the path where
-GNUnet should store its data.
-It defaults to @code{$HOME/}, which again should work for most users.
-Make sure that the directory specified as GNUNET_HOME is writable to
-the user that you will use to run GNUnet (note that you can run frontends
-using other users, GNUNET_HOME must only be accessible to the user used to
-run the background processes).
-
-You will also need to make one central decision: should all of GNUnet be
-run under your normal UID, or do you want distinguish between system-wide
-(user-independent) GNUnet services and personal GNUnet services. The
-multi-user setup is slightly more complicated, but also more secure and
-generally recommended.
-
-@menu
-* The Single-User Setup::
-* The Multi-User Setup::
-* Killing GNUnet services::
-* Access Control for GNUnet::
-@end menu
-
-@node The Single-User Setup
-@subsection The Single-User Setup
-
-For the single-user setup, you do not need to do anything special and can
-just start the GNUnet background processes using @code{gnunet-arm}.
-By default, GNUnet looks in @file{~/.config/gnunet.conf} for a
-configuration (or @code{$XDG_CONFIG_HOME/gnunet.conf} if@
-@code{$XDG_CONFIG_HOME} is defined). If your configuration lives
-elsewhere, you need to pass the @code{-c FILENAME} option to all GNUnet
-commands.
-
-Assuming the configuration file is called @file{~/.config/gnunet.conf},
-you start your peer using the @code{gnunet-arm} command (say as user
-@code{gnunet}) using:
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -s
-@end example
-
-@noindent
-The "-s" option here is for "start". The command should return almost
-instantly. If you want to stop GNUnet, you can use:
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -e
-@end example
-
-@noindent
-The "-e" option here is for "end".
-
-Note that this will only start the basic peer, no actual applications
-will be available.
-If you want to start the file-sharing service, use (after starting
-GNUnet):
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -i fs
-@end example
-
-@noindent
-The "-i fs" option here is for "initialize" the "fs" (file-sharing)
-application. You can also selectively kill only file-sharing support using
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -k fs
-@end example
-
-@noindent
-Assuming that you want certain services (like file-sharing) to be always
-automatically started whenever you start GNUnet, you can activate them by
-setting "IMMEDIATE_START=YES" in the respective section of the configuration
-file (for example, "[fs]"). Then GNUnet with file-sharing support would
-be started whenever you@ enter:
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -s
-@end example
-
-@noindent
-Alternatively, you can combine the two options:
-
-@example
-gnunet-arm -c ~/.config/gnunet.conf -s -i fs
-@end example
-
-@noindent
-Using @code{gnunet-arm} is also the preferred method for initializing
-GNUnet from @code{init}.
-
-Finally, you should edit your @code{crontab} (using the @code{crontab}
-command) and insert a line@
-
-@example
-@@reboot gnunet-arm -c ~/.config/gnunet.conf -s
-@end example
-
-to automatically start your peer whenever your system boots.
-
-@node The Multi-User Setup
-@subsection The Multi-User Setup
-
-This requires you to create a user @code{gnunet} and an additional group
-@code{gnunetdns}, prior to running @code{make install} during
-installation.
-Then, you create a configuration file @file{/etc/gnunet.conf} which should
-contain the lines:@
-
-@example
-[arm]
-START_SYSTEM_SERVICES = YES
-START_USER_SERVICES = NO
-@end example
-
-@noindent
-Then, perform the same steps to run GNUnet as in the per-user
-configuration, except as user @code{gnunet} (including the
-@code{crontab} installation).
-You may also want to run @code{gnunet-setup} to configure your peer
-(databases, etc.).
-Make sure to pass @code{-c /etc/gnunet.conf} to all commands. If you
-run @code{gnunet-setup} as user @code{gnunet}, you might need to change
-permissions on @file{/etc/gnunet.conf} so that the @code{gnunet} user can
-write to the file (during setup).
-
-Afterwards, you need to perform another setup step for each normal user
-account from which you want to access GNUnet. First, grant the normal user
-(@code{$USER}) permission to the group gnunet:
-
-@example
-# adduser $USER gnunet
-@end example
-
-@noindent
-Then, create a configuration file in @file{~/.config/gnunet.conf} for the
-$USER with the lines:
-
-@example
-[arm]
-START_SYSTEM_SERVICES = NO
-START_USER_SERVICES = YES
-@end example
-
-@noindent
-This will ensure that @code{gnunet-arm} when started by the normal user
-will only run services that are per-user, and otherwise rely on the
-system-wide services.
-Note that the normal user may run gnunet-setup, but the
-configuration would be ineffective as the system-wide services will use
-@file{/etc/gnunet.conf} and ignore options set by individual users.
-
-Again, each user should then start the peer using
-@file{gnunet-arm -s} --- and strongly consider adding logic to start
-the peer automatically to their crontab.
-
-Afterwards, you should see two (or more, if you have more than one USER)
-@code{gnunet-service-arm} processes running in your system.
-
-@node Killing GNUnet services
-@subsection Killing GNUnet services
-
-It is not necessary to stop GNUnet services explicitly when shutting
-down your computer.
-
-It should be noted that manually killing "most" of the
-@code{gnunet-service} processes is generally not a successful method for
-stopping a peer (since @code{gnunet-service-arm} will instantly restart
-them). The best way to explicitly stop a peer is using
-@code{gnunet-arm -e}; note that the per-user services may need to be
-terminated before the system-wide services will terminate normally.
-
-@node Access Control for GNUnet
-@subsection Access Control for GNUnet
-
-This chapter documents how we plan to make access control work within the
-GNUnet system for a typical peer. It should be read as a best-practice
-installation guide for advanced users and builders of binary
-distributions. The recommendations in this guide apply to POSIX-systems
-with full support for UNIX domain sockets only.
-
-Note that this is an advanced topic. The discussion presumes a very good
-understanding of users, groups and file permissions. Normal users on
-hosts with just a single user can just install GNUnet under their own
-account (and possibly allow the installer to use SUDO to grant additional
-permissions for special GNUnet tools that need additional rights).
-The discussion below largely applies to installations where multiple users
-share a system and to installations where the best possible security is
-paramount.
-
-A typical GNUnet system consists of components that fall into four
-categories:
-
-@table @asis
-
-@item User interfaces
-User interfaces are not security sensitive and are supposed to be run and
-used by normal system users.
-The GTK GUIs and most command-line programs fall into this category.
-Some command-line tools (like gnunet-transport) should be excluded as they
-offer low-level access that normal users should not need.
-@item System services and support tools
-System services should always run and offer services that can then be
-accessed by the normal users.
-System services do not require special permissions, but as they are not
-specific to a particular user, they probably should not run as a
-particular user. Also, there should typically only be one GNUnet peer per
-host. System services include the gnunet-service and gnunet-daemon
-programs; support tools include command-line programs such as gnunet-arm.
-@item Priviledged helpers
-Some GNUnet components require root rights to open raw sockets or perform
-other special operations. These gnunet-helper binaries are typically
-installed SUID and run from services or daemons.
-@item Critical services
-Some GNUnet services (such as the DNS service) can manipulate the service
-in deep and possibly highly security sensitive ways. For example, the DNS
-service can be used to intercept and alter any DNS query originating from
-the local machine. Access to the APIs of these critical services and their
-priviledged helpers must be tightly controlled.
-@end table
-
-@c FIXME: The titles of these chapters are too long in the index.
-
-@menu
-* Recommendation - Disable access to services via TCP::
-* Recommendation - Run most services as system user "gnunet"::
-* Recommendation - Control access to services using group "gnunet"::
-* Recommendation - Limit access to certain SUID binaries by group "gnunet"::
-* Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"::
-* Differences between "make install" and these recommendations::
-@end menu
-
-@node Recommendation - Disable access to services via TCP
-@subsubsection Recommendation - Disable access to services via TCP
-
-GNUnet services allow two types of access: via TCP socket or via UNIX
-domain socket.
-If the service is available via TCP, access control can only be
-implemented by restricting connections to a particular range of IP
-addresses.
-This is acceptable for non-critical services that are supposed to be
-available to all users on the local system or local network.
-However, as TCP is generally less efficient and it is rarely the case
-that a single GNUnet peer is supposed to serve an entire local network,
-the default configuration should disable TCP access to all GNUnet
-services on systems with support for UNIX domain sockets.
-As of GNUnet 0.9.2, configuration files with TCP access disabled should be
-generated by default. Users can re-enable TCP access to particular
-services simply by specifying a non-zero port number in the section of
-the respective service.
-
-
-@node Recommendation - Run most services as system user "gnunet"
-@subsubsection Recommendation - Run most services as system user "gnunet"
-
-GNUnet's main services should be run as a separate user "gnunet" in a
-special group "gnunet".
-The user "gnunet" should start the peer using "gnunet-arm -s" during
-system startup. The home directory for this user should be
-@file{/var/lib/gnunet} and the configuration file should be
-@file{/etc/gnunet.conf}.
-Only the @code{gnunet} user should have the right to access
-@file{/var/lib/gnunet} (@emph{mode: 700}).
-
-@node Recommendation - Control access to services using group "gnunet"
-@subsubsection Recommendation - Control access to services using group "gnunet"
-
-Users that should be allowed to use the GNUnet peer should be added to the
-group "gnunet". Using GNUnet's access control mechanism for UNIX domain
-sockets, those services that are considered useful to ordinary users
-should be made available by setting "UNIX_MATCH_GID=YES" for those
-services.
-Again, as shipped, GNUnet provides reasonable defaults.
-Permissions to access the transport and core subsystems might additionally
-be granted without necessarily causing security concerns.
-Some services, such as DNS, must NOT be made accessible to the "gnunet"
-group (and should thus only be accessible to the "gnunet" user and
-services running with this UID).
-
-@node Recommendation - Limit access to certain SUID binaries by group "gnunet"
-@subsubsection Recommendation - Limit access to certain SUID binaries by group "gnunet"
-
-Most of GNUnet's SUID binaries should be safe even if executed by normal
-users. However, it is possible to reduce the risk a little bit more by
-making these binaries owned by the group "gnunet" and restricting their
-execution to user of the group "gnunet" as well (4750).
-
-@node Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"
-@subsubsection Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"
-
-A special group "gnunetdns" should be created for controlling access to
-the "gnunet-helper-dns".
-The binary should then be owned by root and be in group "gnunetdns" and
-be installed SUID and only be group-executable (2750).
-@b{Note that the group "gnunetdns" should have no users in it at all,
-ever.}
-The "gnunet-service-dns" program should be executed by user "gnunet" (via
-gnunet-service-arm) with the binary owned by the user "root" and the group
-"gnunetdns" and be SGID (2700). This way, @strong{only}
-"gnunet-service-dns" can change its group to "gnunetdns" and execute the
-helper, and the helper can then run as root (as per SUID).
-Access to the API offered by "gnunet-service-dns" is in turn restricted
-to the user "gnunet" (not the group!), which means that only
-"benign" services can manipulate DNS queries using "gnunet-service-dns".
-
-@node Differences between "make install" and these recommendations
-@subsubsection Differences between "make install" and these recommendations
-
-The current build system does not set all permissions automatically based
-on the recommendations above. In particular, it does not use the group
-"gnunet" at all (so setting gnunet-helpers other than the
-gnunet-helper-dns to be owned by group "gnunet" must be done manually).
-Furthermore, 'make install' will silently fail to set the DNS binaries to
-be owned by group "gnunetdns" unless that group already exists (!).
-An alternative name for the "gnunetdns" group can be specified using the
-@code{--with-gnunetdns=GRPNAME} configure option.
diff --git a/doc/documentation/chapters/vocabulary.texi b/doc/documentation/chapters/vocabulary.texi
index 85b40b17b..0ee472b95 100644
--- a/doc/documentation/chapters/vocabulary.texi
+++ b/doc/documentation/chapters/vocabulary.texi
@@ -18,7 +18,7 @@ which are listed in this introductionary chapter.
 @end menu
 
 @node Definitions
-@subsection Defitions
+@subsection Definitions
 
 Throughout this Reference Manual, the following terms and definitions
 apply.
diff --git a/doc/documentation/gnunet.texi b/doc/documentation/gnunet.texi
index e1847c227..747df5cf5 100644
--- a/doc/documentation/gnunet.texi
+++ b/doc/documentation/gnunet.texi
@@ -43,6 +43,14 @@ Foundation Web site at @url{http://www.gnu.org/licenses/gpl.html}.
 @end copying
 
 @c TODO: Improve this and improve https://directory.fsf.org/wiki/Gnunet
+@c NOTE FOR TRANSLATORS: Due to en.wikipedia.org being the wikipedia
+@c                       which is more up to date than others, refrain
+@c                       from using localized wikipedia unless you are
+@c                       sure the articles content is good enough. For
+@c                       example the german wikipedia entry for GNUnet
+@c                       is in a terrible shape, but the en.wikipedia.org
+@c                       entry is still acceptable (although in need of
+@c                       updates).
 
 @dircategory Networking
 @direntry
@@ -74,13 +82,16 @@ This document is the Reference Manual for GNUnet version @value{VERSION}.
 
 * Preface::                         Chapter 0
 * Philosophy::                      About GNUnet
+* Key Concepts::                    Key concepts of GNUnet
 @c * Vocabulary::                      Vocabulary
+* Installing GNUnet::               Installing GNUnet
 * Using GNUnet::                    Using GNUnet
 @c * Configuration Handbook::          Configuring GNUnet
 * GNUnet Contributors Handbook::    Contributing to GNUnet
 * GNUnet Developer Handbook::       Developing GNUnet
 * GNU Free Documentation License::  The license of this manual
-* GNU General Public License::      The license of this manual
+* GNU General Public License::
+* GNU Affero General Public License::
 * Concept Index::                   Concepts
 * Programming Index::               Data types, functions, and variables
 
@@ -96,11 +107,12 @@ Preface
 
 Philosophy
 
-* Design Goals::
-* Security and Privacy::
-* Versatility::
+* Design Principles::
+* Privacy and Anonymity::
 * Practicality::
-* Key Concepts::
+
+Key Concepts
+
 * Authentication::
 * Accounting to Encourage Resource Sharing::
 * Confidentiality::
@@ -112,18 +124,25 @@ Philosophy
 * Backup of Identities and Egos::
 * Revocation::
 
+Installing GNUnet
+* Installing dependencies::
+* Getting the Source Code::
+* Create @code{gnunet} user and group::
+* Preparing and Compiling the Source Code::
+* Installation::
+* MOVED FROM USER Checking the Installation::
+* MOVED FROM USER The graphical configuration interface::
+* MOVED FROM USER Config Leftovers::
+
 Using GNUnet
 
-* Checking the Installation::
-* First steps - File-sharing::
+* Start and stop GNUnet::
 * First steps - Using the GNU Name System::
 * First steps - Using GNUnet Conversation::
 * First steps - Using the GNUnet VPN::
 * File-sharing::
 * The GNU Name System::
 * Using the Virtual Public Network::
-* The graphical configuration interface::
-* How to start and stop a GNUnet peer::
 
 GNUnet Contributors Handbook
 
@@ -185,6 +204,14 @@ GNUnet Developer Handbook
 @c *********************************************************************
 
 @c *********************************************************************
+@include chapters/keyconcepts.texi
+@c *********************************************************************
+
+@c *********************************************************************
+@include chapters/installation.texi
+@c *********************************************************************
+
+@c *********************************************************************
 @include chapters/user.texi
 @c *********************************************************************
 
@@ -209,6 +236,12 @@ GNUnet Developer Handbook
 @include gpl-3.0.texi
 
 @c *********************************************************************
+@node GNU Affero General Public License
+@appendix GNU Affero General Public License
+@cindex license, GNU Affero General Public License
+@include agpl-3.0.texi
+
+@c *********************************************************************
 @node Concept Index
 @unnumbered Concept Index
 @printindex cp
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index a6a116dca..37f881d60 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -37,6 +37,7 @@ man_MANS = \
   gnunet-statistics.1 \
   gnunet-testbed-profiler.1 \
   gnunet-testing-run-service.1 \
+  gnunet-timeout.1 \
   gnunet-transport.1 \
   gnunet-transport-certificate-creation.1 \
   gnunet-unindex.1 \
diff --git a/doc/man/gnunet-gns.1 b/doc/man/gnunet-gns.1
index 9466dae03..9e4482653 100644
--- a/doc/man/gnunet-gns.1
+++ b/doc/man/gnunet-gns.1
@@ -46,7 +46,7 @@ Print GNUnet version number.
 .SH RETURN VALUE
 
 gnunet\-gns will return 0 on success, 1 on internal failures, 2 on
-launch failures, 3 if the given name is not configured to use GNS.
+launch failures, 4 if the given name is not configured to use GNS.
 
 
 .SH BUGS
diff --git a/doc/man/gnunet-revocation.1 b/doc/man/gnunet-revocation.1
index 017b019fd..b963b2dc0 100644
--- a/doc/man/gnunet-revocation.1
+++ b/doc/man/gnunet-revocation.1
@@ -15,7 +15,7 @@ instantly revoke a key and to use a pre-generated revocation
 certificate to revoke a key.  Upon successful revocation, all peers
 will be informed about the invalidity of the key.  As this is an
 expensive operation, GNUnet requires the issuer of the revocation to
-perform an expensive proof-of-work computation before he will be
+perform an expensive proof-of-work computation before they will be
 allowed to perform the revocation.  gnunet\-revocation will perform
 this computation.  The computation can be performed ahead of time,
 with the resulting revocation certificate being stored in a file for
diff --git a/doc/man/gnunet-timeout.1 b/doc/man/gnunet-timeout.1
new file mode 100644
index 000000000..e413254f4
--- /dev/null
+++ b/doc/man/gnunet-timeout.1
@@ -0,0 +1,20 @@
+.TH GNUNET\-TIMOUET 1 "Jun 5, 2018" "GNUnet"
+
+.SH NAME
+gnunet\-timeout \- run process with timeout
+
+.SH SYNOPSIS
+.B gnunet\-timeout
+.RI TIMEOUT PROGRAM ARGS
+.br
+
+.SH DESCRIPTION
+\fBgnunet\-timeout\fP can be used to run another process with a
+timeout.  Provided as the standard "timout" utility may not be
+available on all platforms.
+
+.SH BUGS
+Report bugs by using Mantis <https://gnunet.org/bugs/> or by sending electronic mail to <gnunet\-developers@gnu.org>
+
+.SH SEE
+timeout(1)
diff --git a/doc/release_policy.rfc.txt b/doc/release_policy.rfc.txt
index fd4118742..b3d72bac4 100644
--- a/doc/release_policy.rfc.txt
+++ b/doc/release_policy.rfc.txt
@@ -117,7 +117,7 @@ platforms.  It also doubt it will give you the recognition you crave.
 More importantly, what you describe is already happening, and
 partially has contributed to the problems. Bart kept his own CADET
 hacks in his personal branch for years, hence without much feedback or
-review.  The SecuShare team kept their patches in their own branch,
+review.  The secushare team kept their patches in their own branch,
 hence revealing interesting failure modes when it was finally merged.
 Martin kept some of his ABE-logic in his own branch (that one was
 merged without me noticing major problems).  Anyway, what you propose
diff --git a/m4/ax_lib_postgresql.m4 b/m4/ax_lib_postgresql.m4
index d547383e4..11b6991f0 100644
--- a/m4/ax_lib_postgresql.m4
+++ b/m4/ax_lib_postgresql.m4
@@ -91,7 +91,7 @@ AC_DEFUN([AX_LIB_POSTGRESQL],
             POSTGRESQL_CPPFLAGS="-I`$PG_CONFIG --includedir`"
             POSTGRESQL_LDFLAGS="-L`$PG_CONFIG --libdir`"
 
-            POSTGRESQL_VERSION=`$PG_CONFIG --version | sed -e 's#PostgreSQL ##'`
+            POSTGRESQL_VERSION=`$PG_CONFIG --version | sed -e 's#PostgreSQL ##' | awk '{print $1}'`
 
             AC_DEFINE([HAVE_POSTGRESQL], [1],
                 [Define to 1 if PostgreSQL libraries are available])
@@ -113,7 +113,7 @@ AC_DEFUN([AX_LIB_POSTGRESQL],
 
     if test "$found_postgresql" = "yes" -a -n "$postgresql_version_req"; then
 
-        AC_MSG_CHECKING([if PostgreSQL version is >= $postgresql_version_req])
+        AC_MSG_CHECKING([if PostgreSQL version $POSTGRESQL_VERSION is >= $postgresql_version_req])
 
         dnl Decompose required version string of PostgreSQL
         dnl and calculate its number representation
diff --git a/m4/iconv.m4 b/m4/iconv.m4
index a50364656..41aa44a56 100644
--- a/m4/iconv.m4
+++ b/m4/iconv.m4
@@ -29,7 +29,7 @@ AC_DEFUN([AM_ICONV_LINK],
 
   dnl Add $INCICONV to CPPFLAGS before performing the following checks,
   dnl because if the user has installed libiconv and not disabled its use
-  dnl via --without-libiconv-prefix, he wants to use it. The first
+  dnl via --without-libiconv-prefix, they want to use it. The first
   dnl AC_LINK_IFELSE will then fail, the second AC_LINK_IFELSE will succeed.
   am_save_CPPFLAGS="$CPPFLAGS"
   AC_LIB_APPENDTOVAR([CPPFLAGS], [$INCICONV])
diff --git a/m4/lib-link.m4 b/m4/lib-link.m4
index 073f04050..d963149b0 100644
--- a/m4/lib-link.m4
+++ b/m4/lib-link.m4
@@ -68,7 +68,7 @@ AC_DEFUN([AC_LIB_HAVE_LINKFLAGS],
 
   dnl Add $INC[]NAME to CPPFLAGS before performing the following checks,
   dnl because if the user has installed lib[]Name and not disabled its use
-  dnl via --without-lib[]Name-prefix, he wants to use it.
+  dnl via --without-lib[]Name-prefix, they want to use it.
   ac_save_CPPFLAGS="$CPPFLAGS"
   AC_LIB_APPENDTOVAR([CPPFLAGS], [$INC]NAME)
 
diff --git a/m4/lib-prefix.m4 b/m4/lib-prefix.m4
index 60908e8fb..855ca9317 100644
--- a/m4/lib-prefix.m4
+++ b/m4/lib-prefix.m4
@@ -15,7 +15,7 @@ ifdef([AC_HELP_STRING],
 
 dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
 dnl to access previously installed libraries. The basic assumption is that
-dnl a user will want packages to use other packages he previously installed
+dnl a user will want packages to use other packages they previously installed
 dnl with the same --prefix option.
 dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
 dnl libraries, but is otherwise very convenient.
diff --git a/pkgconfig/Makefile.am b/pkgconfig/Makefile.am
index 9c9eb5c6b..3a3102f0a 100644
--- a/pkgconfig/Makefile.am
+++ b/pkgconfig/Makefile.am
@@ -10,8 +10,6 @@ pcfiles = \
        gnunetdatastore.pc \
        gnunetdht.pc \
        gnunetdns.pc \
-       gnunetdnsparser.pc \
-       gnunetdnsstub.pc \
        gnunetdv.pc \
        gnunetenv.pc \
        gnunetfragmentation.pc \
@@ -39,7 +37,6 @@ pcfiles = \
        gnunettestbed.pc \
        gnunettesting.pc \
        gnunettransport.pc \
-       gnunettun.pc \
        gnunetutil.pc \
        gnunetvpn.pc 
 
diff --git a/pkgconfig/gnunetdnsparser.pc.in b/pkgconfig/gnunetdnsparser.pc.in
deleted file mode 100644
index ffb5fca8b..000000000
--- a/pkgconfig/gnunetdnsparser.pc.in
+++ /dev/null
@@ -1,12 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: GNUnet DNS parser
-Description: Provides API for parsing and serializing DNS packets
-URL: http://gnunet.org
-Version: @VERSION@
-Requires:
-Libs: -L${libdir} -lgnunetdnsparser
-Cflags: -I${includedir}
diff --git a/pkgconfig/gnunetdnsstub.pc.in b/pkgconfig/gnunetdnsstub.pc.in
deleted file mode 100644
index b1da343ea..000000000
--- a/pkgconfig/gnunetdnsstub.pc.in
+++ /dev/null
@@ -1,12 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: GNUnet DNS stub
-Description: Provides API for asynchronous DNS resolution (DNS stub resolver)
-URL: http://gnunet.org
-Version: @VERSION@
-Requires:
-Libs: -L${libdir} -lgnunetdnsstub
-Cflags: -I${includedir}
diff --git a/pkgconfig/gnunettun.pc.in b/pkgconfig/gnunettun.pc.in
deleted file mode 100644
index 2a3bd5213..000000000
--- a/pkgconfig/gnunettun.pc.in
+++ /dev/null
@@ -1,12 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: GNUnet TUN
-Description: Provides API for parsing IP packets for Linux TUN interface interaction
-URL: http://gnunet.org
-Version: @VERSION@
-Requires:
-Libs: -L${libdir} -lgnunettun
-Cflags: -I${includedir}
diff --git a/po/POTFILES.in b/po/POTFILES.in
index de6bd90e4..8a95064a6 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -4,21 +4,13 @@ src/arm/arm_monitor_api.c
 src/arm/gnunet-arm.c
 src/arm/gnunet-service-arm.c
 src/arm/mockup-service.c
-src/ats-tests/ats-testing-experiment.c
-src/ats-tests/ats-testing-log.c
-src/ats-tests/ats-testing-preferences.c
-src/ats-tests/ats-testing-traffic.c
-src/ats-tests/ats-testing.c
-src/ats-tests/gnunet-ats-sim.c
-src/ats-tests/gnunet-solver-eval.c
-src/ats-tool/gnunet-ats.c
 src/ats/ats_api_connectivity.c
 src/ats/ats_api_performance.c
 src/ats/ats_api_scanner.c
 src/ats/ats_api_scheduling.c
 src/ats/gnunet-ats-solver-eval.c
-src/ats/gnunet-service-ats.c
 src/ats/gnunet-service-ats_addresses.c
+src/ats/gnunet-service-ats.c
 src/ats/gnunet-service-ats_connectivity.c
 src/ats/gnunet-service-ats_normalization.c
 src/ats/gnunet-service-ats_performance.c
@@ -29,6 +21,14 @@ src/ats/gnunet-service-ats_scheduling.c
 src/ats/plugin_ats_mlp.c
 src/ats/plugin_ats_proportional.c
 src/ats/plugin_ats_ril.c
+src/ats-tests/ats-testing.c
+src/ats-tests/ats-testing-experiment.c
+src/ats-tests/ats-testing-log.c
+src/ats-tests/ats-testing-preferences.c
+src/ats-tests/ats-testing-traffic.c
+src/ats-tests/gnunet-ats-sim.c
+src/ats-tests/gnunet-solver-eval.c
+src/ats-tool/gnunet-ats.c
 src/auction/gnunet-auction-create.c
 src/auction/gnunet-auction-info.c
 src/auction/gnunet-auction-join.c
@@ -40,8 +40,8 @@ src/block/plugin_block_test.c
 src/cadet/cadet_api.c
 src/cadet/cadet_test_lib.c
 src/cadet/desirability_table.c
-src/cadet/gnunet-cadet-profiler.c
 src/cadet/gnunet-cadet.c
+src/cadet/gnunet-cadet-profiler.c
 src/cadet/gnunet-service-cadet.c
 src/cadet/gnunet-service-cadet_channel.c
 src/cadet/gnunet-service-cadet_connection.c
@@ -57,15 +57,15 @@ src/consensus/gnunet-service-consensus.c
 src/consensus/plugin_block_consensus.c
 src/conversation/conversation_api.c
 src/conversation/conversation_api_call.c
-src/conversation/gnunet-conversation-test.c
 src/conversation/gnunet-conversation.c
-src/conversation/gnunet-helper-audio-playback-gst.c
+src/conversation/gnunet-conversation-test.c
+src/conversation/gnunet_gst.c
+src/conversation/gnunet_gst_test.c
 src/conversation/gnunet-helper-audio-playback.c
-src/conversation/gnunet-helper-audio-record-gst.c
+src/conversation/gnunet-helper-audio-playback-gst.c
 src/conversation/gnunet-helper-audio-record.c
+src/conversation/gnunet-helper-audio-record-gst.c
 src/conversation/gnunet-service-conversation.c
-src/conversation/gnunet_gst.c
-src/conversation/gnunet_gst_test.c
 src/conversation/microphone.c
 src/conversation/plugin_gnsrecord_conversation.c
 src/conversation/speaker.c
@@ -102,6 +102,7 @@ src/dht/dht_api.c
 src/dht/dht_test_lib.c
 src/dht/gnunet-dht-get.c
 src/dht/gnunet-dht-monitor.c
+src/dht/gnunet_dht_profiler.c
 src/dht/gnunet-dht-put.c
 src/dht/gnunet-service-dht.c
 src/dht/gnunet-service-dht_clients.c
@@ -110,11 +111,8 @@ src/dht/gnunet-service-dht_hello.c
 src/dht/gnunet-service-dht_neighbours.c
 src/dht/gnunet-service-dht_nse.c
 src/dht/gnunet-service-dht_routing.c
-src/dht/gnunet_dht_profiler.c
 src/dht/plugin_block_dht.c
 src/dns/dns_api.c
-src/dns/dnsparser.c
-src/dns/dnsstub.c
 src/dns/gnunet-dns-monitor.c
 src/dns/gnunet-dns-redirector.c
 src/dns/gnunet-helper-dns.c
@@ -126,8 +124,8 @@ src/dv/gnunet-dv.c
 src/dv/gnunet-service-dv.c
 src/dv/plugin_transport_dv.c
 src/exit/gnunet-daemon-exit.c
-src/exit/gnunet-helper-exit-windows.c
 src/exit/gnunet-helper-exit.c
+src/exit/gnunet-helper-exit-windows.c
 src/fragmentation/defragmentation.c
 src/fragmentation/fragmentation.c
 src/fs/fs_api.c
@@ -152,8 +150,8 @@ src/fs/gnunet-auto-share.c
 src/fs/gnunet-daemon-fsprofiler.c
 src/fs/gnunet-directory.c
 src/fs/gnunet-download.c
-src/fs/gnunet-fs-profiler.c
 src/fs/gnunet-fs.c
+src/fs/gnunet-fs-profiler.c
 src/fs/gnunet-helper-fs-publish.c
 src/fs/gnunet-publish.c
 src/fs/gnunet-search.c
@@ -173,10 +171,10 @@ src/gns/gns_tld_api.c
 src/gns/gnunet-bcd.c
 src/gns/gnunet-dns2gns.c
 src/gns/gnunet-gns-benchmark.c
+src/gns/gnunet-gns.c
 src/gns/gnunet-gns-helper-service-w32.c
 src/gns/gnunet-gns-import.c
 src/gns/gnunet-gns-proxy.c
-src/gns/gnunet-gns.c
 src/gns/gnunet-service-gns.c
 src/gns/gnunet-service-gns_interceptor.c
 src/gns/gnunet-service-gns_resolver.c
@@ -185,15 +183,15 @@ src/gns/nss/nss_gns_query.c
 src/gns/plugin_block_gns.c
 src/gns/plugin_gnsrecord_gns.c
 src/gns/plugin_rest_gns.c
-src/gns/w32nsp-install.c
-src/gns/w32nsp-resolve.c
-src/gns/w32nsp-uninstall.c
-src/gns/w32nsp.c
 src/gnsrecord/gnsrecord.c
 src/gnsrecord/gnsrecord_crypto.c
 src/gnsrecord/gnsrecord_misc.c
 src/gnsrecord/gnsrecord_serialization.c
 src/gnsrecord/plugin_gnsrecord_dns.c
+src/gns/w32nsp.c
+src/gns/w32nsp-install.c
+src/gns/w32nsp-resolve.c
+src/gns/w32nsp-uninstall.c
 src/hello/address.c
 src/hello/gnunet-hello.c
 src/hello/hello.c
@@ -202,6 +200,11 @@ src/hostlist/gnunet-daemon-hostlist_client.c
 src/hostlist/gnunet-daemon-hostlist_server.c
 src/identity-attribute/identity_attribute.c
 src/identity-attribute/plugin_identity_attribute_gnuid.c
+src/identity/gnunet-identity.c
+src/identity/gnunet-service-identity.c
+src/identity/identity_api.c
+src/identity/identity_api_lookup.c
+src/identity/plugin_rest_identity.c
 src/identity-provider/gnunet-idp.c
 src/identity-provider/gnunet-service-identity-provider.c
 src/identity-provider/identity_provider_api.c
@@ -210,20 +213,15 @@ src/identity-provider/plugin_gnsrecord_identity_provider.c
 src/identity-provider/plugin_identity_provider_sqlite.c
 src/identity-provider/plugin_rest_identity_provider.c
 src/identity-provider/plugin_rest_openid_connect.c
-src/identity/gnunet-identity.c
-src/identity/gnunet-service-identity.c
-src/identity/identity_api.c
-src/identity/identity_api_lookup.c
-src/identity/plugin_rest_identity.c
-src/json/json.c
-src/json/json_generator.c
-src/json/json_helper.c
-src/json/json_mhd.c
 src/jsonapi/jsonapi.c
 src/jsonapi/jsonapi_document.c
 src/jsonapi/jsonapi_error.c
 src/jsonapi/jsonapi_relationship.c
 src/jsonapi/jsonapi_resource.c
+src/json/json.c
+src/json/json_generator.c
+src/json/json_helper.c
+src/json/json_mhd.c
 src/multicast/gnunet-multicast.c
 src/multicast/gnunet-service-multicast.c
 src/multicast/multicast_api.c
@@ -237,8 +235,8 @@ src/namecache/namecache_api.c
 src/namecache/plugin_namecache_flat.c
 src/namecache/plugin_namecache_postgres.c
 src/namecache/plugin_namecache_sqlite.c
-src/namestore/gnunet-namestore-fcfsd.c
 src/namestore/gnunet-namestore.c
+src/namestore/gnunet-namestore-fcfsd.c
 src/namestore/gnunet-service-namestore.c
 src/namestore/gnunet-zoneimport.c
 src/namestore/namestore_api.c
@@ -254,10 +252,10 @@ src/nat-auto/gnunet-service-nat-auto.c
 src/nat-auto/gnunet-service-nat-auto_legacy.c
 src/nat-auto/nat_auto_api.c
 src/nat-auto/nat_auto_api_test.c
-src/nat/gnunet-helper-nat-client-windows.c
 src/nat/gnunet-helper-nat-client.c
-src/nat/gnunet-helper-nat-server-windows.c
+src/nat/gnunet-helper-nat-client-windows.c
 src/nat/gnunet-helper-nat-server.c
+src/nat/gnunet-helper-nat-server-windows.c
 src/nat/gnunet-nat.c
 src/nat/gnunet-service-nat.c
 src/nat/gnunet-service-nat_externalip.c
@@ -266,15 +264,15 @@ src/nat/gnunet-service-nat_mini.c
 src/nat/gnunet-service-nat_stun.c
 src/nat/nat_api.c
 src/nat/nat_api_stun.c
-src/nse/gnunet-nse-profiler.c
 src/nse/gnunet-nse.c
+src/nse/gnunet-nse-profiler.c
 src/nse/gnunet-service-nse.c
 src/nse/nse_api.c
-src/peerinfo-tool/gnunet-peerinfo.c
-src/peerinfo-tool/gnunet-peerinfo_plugins.c
 src/peerinfo/gnunet-service-peerinfo.c
 src/peerinfo/peerinfo_api.c
 src/peerinfo/peerinfo_api_notify.c
+src/peerinfo-tool/gnunet-peerinfo.c
+src/peerinfo-tool/gnunet-peerinfo_plugins.c
 src/peerstore/gnunet-peerstore.c
 src/peerstore/gnunet-service-peerstore.c
 src/peerstore/peerstore_api.c
@@ -319,20 +317,21 @@ src/revocation/gnunet-revocation.c
 src/revocation/gnunet-service-revocation.c
 src/revocation/plugin_block_revocation.c
 src/revocation/revocation_api.c
-src/rps/gnunet-rps-profiler.c
 src/rps/gnunet-rps.c
+src/rps/gnunet-rps-profiler.c
 src/rps/gnunet-service-rps.c
 src/rps/gnunet-service-rps_custommap.c
 src/rps/gnunet-service-rps_sampler.c
 src/rps/gnunet-service-rps_sampler_elem.c
 src/rps/gnunet-service-rps_view.c
-src/rps/rps-test_util.c
 src/rps/rps_api.c
+src/rps/rps_test_lib.c
+src/rps/rps-test_util.c
 src/scalarproduct/gnunet-scalarproduct.c
-src/scalarproduct/gnunet-service-scalarproduct-ecc_alice.c
-src/scalarproduct/gnunet-service-scalarproduct-ecc_bob.c
 src/scalarproduct/gnunet-service-scalarproduct_alice.c
 src/scalarproduct/gnunet-service-scalarproduct_bob.c
+src/scalarproduct/gnunet-service-scalarproduct-ecc_alice.c
+src/scalarproduct/gnunet-service-scalarproduct-ecc_bob.c
 src/scalarproduct/scalarproduct_api.c
 src/secretsharing/gnunet-secretsharing-profiler.c
 src/secretsharing/gnunet-service-secretsharing.c
@@ -361,16 +360,15 @@ src/statistics/gnunet-statistics.c
 src/statistics/statistics_api.c
 src/template/gnunet-service-template.c
 src/template/gnunet-template.c
-src/testbed-logger/gnunet-service-testbed-logger.c
-src/testbed-logger/testbed_logger_api.c
 src/testbed/generate-underlay-topology.c
 src/testbed/gnunet-daemon-latency-logger.c
 src/testbed/gnunet-daemon-testbed-blacklist.c
 src/testbed/gnunet-daemon-testbed-underlay.c
 src/testbed/gnunet-helper-testbed.c
+src/testbed/gnunet_mpi_test.c
 src/testbed/gnunet-service-test-barriers.c
-src/testbed/gnunet-service-testbed.c
 src/testbed/gnunet-service-testbed_barriers.c
+src/testbed/gnunet-service-testbed.c
 src/testbed/gnunet-service-testbed_cache.c
 src/testbed/gnunet-service-testbed_connectionpool.c
 src/testbed/gnunet-service-testbed_cpustatus.c
@@ -378,19 +376,20 @@ src/testbed/gnunet-service-testbed_links.c
 src/testbed/gnunet-service-testbed_meminfo.c
 src/testbed/gnunet-service-testbed_oc.c
 src/testbed/gnunet-service-testbed_peers.c
-src/testbed/gnunet-testbed-profiler.c
-src/testbed/gnunet_mpi_test.c
 src/testbed/gnunet_testbed_mpi_spawn.c
-src/testbed/testbed_api.c
+src/testbed/gnunet-testbed-profiler.c
+src/testbed-logger/gnunet-service-testbed-logger.c
+src/testbed-logger/testbed_logger_api.c
 src/testbed/testbed_api_barriers.c
+src/testbed/testbed_api.c
 src/testbed/testbed_api_hosts.c
 src/testbed/testbed_api_operations.c
 src/testbed/testbed_api_peers.c
 src/testbed/testbed_api_sd.c
 src/testbed/testbed_api_services.c
 src/testbed/testbed_api_statistics.c
-src/testbed/testbed_api_test.c
 src/testbed/testbed_api_testbed.c
+src/testbed/testbed_api_test.c
 src/testbed/testbed_api_topology.c
 src/testbed/testbed_api_underlay.c
 src/testing/gnunet-testing.c
@@ -399,28 +398,28 @@ src/testing/testing.c
 src/topology/friends.c
 src/topology/gnunet-daemon-topology.c
 src/transport/gnunet-helper-transport-bluetooth.c
-src/transport/gnunet-helper-transport-wlan-dummy.c
 src/transport/gnunet-helper-transport-wlan.c
-src/transport/gnunet-service-transport.c
+src/transport/gnunet-helper-transport-wlan-dummy.c
 src/transport/gnunet-service-transport_ats.c
+src/transport/gnunet-service-transport.c
 src/transport/gnunet-service-transport_hello.c
 src/transport/gnunet-service-transport_manipulation.c
 src/transport/gnunet-service-transport_neighbours.c
 src/transport/gnunet-service-transport_plugins.c
 src/transport/gnunet-service-transport_validation.c
+src/transport/gnunet-transport.c
 src/transport/gnunet-transport-certificate-creation.c
 src/transport/gnunet-transport-profiler.c
 src/transport/gnunet-transport-wlan-receiver.c
 src/transport/gnunet-transport-wlan-sender.c
-src/transport/gnunet-transport.c
 src/transport/plugin_transport_http_client.c
 src/transport/plugin_transport_http_common.c
 src/transport/plugin_transport_http_server.c
 src/transport/plugin_transport_smtp.c
 src/transport/plugin_transport_tcp.c
 src/transport/plugin_transport_template.c
-src/transport/plugin_transport_udp.c
 src/transport/plugin_transport_udp_broadcasting.c
+src/transport/plugin_transport_udp.c
 src/transport/plugin_transport_unix.c
 src/transport/plugin_transport_wlan.c
 src/transport/plugin_transport_xt.c
@@ -429,11 +428,6 @@ src/transport/tcp_connection_legacy.c
 src/transport/tcp_server_legacy.c
 src/transport/tcp_server_mst_legacy.c
 src/transport/tcp_service_legacy.c
-src/transport/transport-testing-filenames.c
-src/transport/transport-testing-loggers.c
-src/transport/transport-testing-main.c
-src/transport/transport-testing-send.c
-src/transport/transport-testing.c
 src/transport/transport_api_address_to_string.c
 src/transport/transport_api_blacklist.c
 src/transport/transport_api_core.c
@@ -442,8 +436,11 @@ src/transport/transport_api_manipulation.c
 src/transport/transport_api_monitor_peers.c
 src/transport/transport_api_monitor_plugins.c
 src/transport/transport_api_offer_hello.c
-src/tun/regex.c
-src/tun/tun.c
+src/transport/transport-testing.c
+src/transport/transport-testing-filenames.c
+src/transport/transport-testing-loggers.c
+src/transport/transport-testing-main.c
+src/transport/transport-testing-send.c
 src/util/bandwidth.c
 src/util/bio.c
 src/util/client.c
@@ -455,8 +452,8 @@ src/util/configuration_loader.c
 src/util/container_bloomfilter.c
 src/util/container_heap.c
 src/util/container_meta_data.c
-src/util/container_multihashmap.c
 src/util/container_multihashmap32.c
+src/util/container_multihashmap.c
 src/util/container_multipeermap.c
 src/util/container_multishortmap.c
 src/util/crypto_abe.c
@@ -474,10 +471,12 @@ src/util/crypto_random.c
 src/util/crypto_rsa.c
 src/util/crypto_symmetric.c
 src/util/disk.c
+src/util/dnsparser.c
+src/util/dnsstub.c
 src/util/getopt.c
 src/util/getopt_helpers.c
-src/util/gnunet-config-diff.c
 src/util/gnunet-config.c
+src/util/gnunet-config-diff.c
 src/util/gnunet-ecc.c
 src/util/gnunet-helper-w32-console.c
 src/util/gnunet-resolver.c
@@ -497,6 +496,7 @@ src/util/os_priority.c
 src/util/peer.c
 src/util/plugin.c
 src/util/program.c
+src/util/regex.c
 src/util/resolver_api.c
 src/util/scheduler.c
 src/util/service.c
@@ -505,16 +505,17 @@ src/util/socks.c
 src/util/speedup.c
 src/util/strings.c
 src/util/time.c
+src/util/tun.c
 src/util/w32cat.c
 src/util/win.c
 src/util/winproc.c
-src/vpn/gnunet-helper-vpn-windows.c
 src/vpn/gnunet-helper-vpn.c
+src/vpn/gnunet-helper-vpn-windows.c
 src/vpn/gnunet-service-vpn.c
 src/vpn/gnunet-vpn.c
 src/vpn/vpn_api.c
-src/zonemaster/gnunet-service-zonemaster-monitor.c
 src/zonemaster/gnunet-service-zonemaster.c
+src/zonemaster/gnunet-service-zonemaster-monitor.c
 src/fs/fs_api.h
 src/include/gnunet_common.h
 src/include/gnunet_mq_lib.h
diff --git a/po/de.po b/po/de.po
index f7642c20b..779cb248b 100644
--- a/po/de.po
+++ b/po/de.po
@@ -914,8 +914,8 @@ msgstr ""
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
-msgstr ""
+msgid "We are calling `%s', their phone should be ringing.\n"
+msgstr "Wir rufen `%s' an, deren Telefon sollte jetzt klingeln.\n"
 
 #: src/conversation/gnunet-conversation.c:739
 msgid "Calls waiting:\n"
diff --git a/po/es.po b/po/es.po
index 09ed56374..e68990fc7 100644
--- a/po/es.po
+++ b/po/es.po
@@ -2,6 +2,7 @@
 # Copyright (C) 2012 Christian Grothoff <christian@grothoff.org>
 # This file is distributed under the same license as the GNUnet package.
 # Miguel Ángel Arruga Vivas <rosen644835@gmail.com>, 2006, 2013.
+# xrs <xrs@mail36.net>, 2018
 #
 msgid ""
 msgstr ""
@@ -156,12 +157,12 @@ msgstr "Servicios en ejecución:\n"
 #: src/arm/gnunet-arm.c:614
 #, c-format
 msgid "Now only monitoring, press CTRL-C to stop.\n"
-msgstr ""
+msgstr "Ahora solo monitorizando, pulsa CTRL-C para parar.\n"
 
 #: src/arm/gnunet-arm.c:646
 #, c-format
 msgid "Stopped %s.\n"
-msgstr ""
+msgstr "%s detenido.\n"
 
 #: src/arm/gnunet-arm.c:649
 #, fuzzy, c-format
@@ -171,7 +172,7 @@ msgstr "Iniciando descarga «%s».\n"
 #: src/arm/gnunet-arm.c:652
 #, c-format
 msgid "Stopping %s...\n"
-msgstr ""
+msgstr "Deteniendo %s...\n"
 
 #: src/arm/gnunet-arm.c:666
 #, fuzzy, c-format
@@ -204,7 +205,7 @@ msgstr "borrar el directorio y el fichero de configuración al salir"
 
 #: src/arm/gnunet-arm.c:798
 msgid "monitor ARM activities"
-msgstr ""
+msgstr "monitoriza actividades de ARM"
 
 #: src/arm/gnunet-arm.c:803
 msgid "don't print status messages"
@@ -212,7 +213,7 @@ msgstr "no imprime mensajes de estado"
 
 #: src/arm/gnunet-arm.c:809
 msgid "exit with error status if operation does not finish after DELAY"
-msgstr ""
+msgstr "sale con estado de error si la operación no termina despues del DELAY"
 
 #: src/arm/gnunet-arm.c:814
 msgid "list currently running services"
@@ -421,7 +422,7 @@ msgstr "valor a establecer"
 #: src/ats/gnunet-ats-solver-eval.c:3297 src/ats-tests/gnunet-solver-eval.c:943
 #: src/ats-tests/gnunet-solver-eval.c:948
 msgid "experiment to use"
-msgstr ""
+msgstr "experimento para usar"
 
 #: src/ats/gnunet-ats-solver-eval.c:3304
 #, fuzzy
@@ -430,11 +431,11 @@ msgstr "Iniciando descarga «%s».\n"
 
 #: src/ats/gnunet-ats-solver-eval.c:3309
 msgid "save logging to disk"
-msgstr ""
+msgstr "guarda protocolo al fichero en disco"
 
 #: src/ats/gnunet-ats-solver-eval.c:3314
 msgid "disable normalization"
-msgstr ""
+msgstr "deshabilita normalización"
 
 #: src/ats/gnunet-service-ats_plugins.c:302
 #, fuzzy, c-format
@@ -584,11 +585,11 @@ msgstr ""
 
 #: src/ats-tool/gnunet-ats.c:400
 msgid "active "
-msgstr ""
+msgstr "activo "
 
 #: src/ats-tool/gnunet-ats.c:400
 msgid "inactive "
-msgstr ""
+msgstr "inactivo "
 
 #: src/ats-tool/gnunet-ats.c:510
 #, fuzzy, c-format
@@ -693,19 +694,19 @@ msgstr "Imprime información acerca del estado del ATS"
 
 #: src/auction/gnunet-auction-create.c:161
 msgid "description of the item to be sold"
-msgstr ""
+msgstr "descripción del elemento que está por vender"
 
 #: src/auction/gnunet-auction-create.c:167
 msgid "mapping of possible prices"
-msgstr ""
+msgstr "figurando posibles precios"
 
 #: src/auction/gnunet-auction-create.c:173
 msgid "max duration per round"
-msgstr ""
+msgstr "maxima duración del turno"
 
 #: src/auction/gnunet-auction-create.c:179
 msgid "duration until auction starts"
-msgstr ""
+msgstr "duración hasta que la caución empieza"
 
 #: src/auction/gnunet-auction-create.c:184
 msgid ""
@@ -979,7 +980,7 @@ msgstr "Detectada dirección de la red interna «%s».\n"
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
+msgid "We are calling `%s', their phone should be ringing.\n"
 msgstr ""
 
 #: src/conversation/gnunet-conversation.c:739
diff --git a/po/fr.po b/po/fr.po
index 138204d94..eb4d32303 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -899,7 +899,7 @@ msgstr ""
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
+msgid "We are calling `%s', their phone should be ringing.\n"
 msgstr ""
 
 #: src/conversation/gnunet-conversation.c:739
diff --git a/po/sv.po b/po/sv.po
index f4ceafbc4..acb0c0197 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -924,7 +924,7 @@ msgstr ""
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
+msgid "We are calling `%s', their phone should be ringing.\n"
 msgstr ""
 
 #: src/conversation/gnunet-conversation.c:739
diff --git a/po/vi.po b/po/vi.po
index da28c66b4..176ac4c8b 100644
--- a/po/vi.po
+++ b/po/vi.po
@@ -933,7 +933,7 @@ msgstr "GNUnet bây giờ sử dụng địa chỉ IP %s.\n"
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
+msgid "We are calling `%s', their phone should be ringing.\n"
 msgstr ""
 
 #: src/conversation/gnunet-conversation.c:739
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 80d7e1996..d27d6f0a0 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -915,7 +915,7 @@ msgstr "GNUnet 现在使用 IP 地址 %s。\n"
 
 #: src/conversation/gnunet-conversation.c:720
 #, c-format
-msgid "We are calling `%s', his phone should be ringing.\n"
+msgid "We are calling `%s', their phone should be ringing.\n"
 msgstr ""
 
 #: src/conversation/gnunet-conversation.c:739
diff --git a/src/Makefile.am b/src/Makefile.am
index d8d548706..00f30adc3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -83,7 +83,6 @@ SUBDIRS = \
   $(REST_DIR) \
   $(JSONAPI_DIR) \
   hello \
-  tun \
   block \
   statistics \
   arm \
diff --git a/src/arm/test_arm_api_data.conf b/src/arm/test_arm_api_data.conf
index 276b313b7..fef6cfb40 100644
--- a/src/arm/test_arm_api_data.conf
+++ b/src/arm/test_arm_api_data.conf
@@ -16,7 +16,7 @@ PORT = 23355
 
 [do-nothing]
 START_ON_DEMAND = NO
-PORT = 2223
+PORT = 48223
 HOSTNAME = localhost
 BINARY = /will/be/overwritten/by/test_exponential_backoff
 ACCEPT_FROM = 127.0.0.1;
diff --git a/src/ats/gnunet-service-ats_addresses.h b/src/ats/gnunet-service-ats_addresses.h
index d90ca1375..d4dc483eb 100644
--- a/src/ats/gnunet-service-ats_addresses.h
+++ b/src/ats/gnunet-service-ats_addresses.h
@@ -151,7 +151,7 @@
  *     1.7 Address management
  *
  *    Transport service notifies ATS about changes to the addresses known to
- *    him.
+ *    it.
  *
  *       1.7.1 Adding an address
  *
diff --git a/src/ats/plugin_ats_mlp.c b/src/ats/plugin_ats_mlp.c
index 7e7594f90..544b8d97f 100644
--- a/src/ats/plugin_ats_mlp.c
+++ b/src/ats/plugin_ats_mlp.c
@@ -1554,6 +1554,7 @@ GAS_mlp_solve_problem (void *solver)
   struct GNUNET_TIME_Relative dur_mlp;
 
   GNUNET_assert(NULL != solver);
+  dur_lp = GNUNET_TIME_UNIT_ZERO; 
 
   if (GNUNET_YES == mlp->stat_bulk_lock)
     {
diff --git a/src/cadet/cadet.conf.in b/src/cadet/cadet.conf.in
index 2f4c6a6db..d1ddcb96f 100644
--- a/src/cadet/cadet.conf.in
+++ b/src/cadet/cadet.conf.in
@@ -8,7 +8,7 @@ BINARY = gnunet-service-cadet
 ACCEPT_FROM = 127.0.0.1;
 ACCEPT_FROM6 = ::1;
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-cadet.sock
-UNIX_MATCH_UID = YES
+UNIX_MATCH_UID = NO
 UNIX_MATCH_GID = YES
 
 
diff --git a/src/cadet/cadet.h b/src/cadet/cadet.h
index 69be4e537..bac4bc49d 100644
--- a/src/cadet/cadet.h
+++ b/src/cadet/cadet.h
@@ -258,6 +258,11 @@ struct GNUNET_CADET_LocalInfoPeer
    * #GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEERS
    */
   struct GNUNET_MessageHeader header;
+  
+  /**
+   * Offset the peer has in the path this message is about.
+   */
+  uint16_t offset GNUNET_PACKED;
 
   /**
    * Number of paths.
@@ -268,6 +273,11 @@ struct GNUNET_CADET_LocalInfoPeer
    * Do we have a tunnel toward this peer?
    */
   int16_t tunnel GNUNET_PACKED;
+  
+  /**
+   * We are finished with the paths.
+   */
+  uint16_t finished_with_paths;
 
   /**
    * ID of the peer (can be local peer).
diff --git a/src/cadet/cadet_api.c b/src/cadet/cadet_api.c
index 91054cd4f..319279110 100644
--- a/src/cadet/cadet_api.c
+++ b/src/cadet/cadet_api.c
@@ -357,67 +357,52 @@ reconnect (struct GNUNET_CADET_Handle *h);
 
 
 /**
- * Reconnect callback: tries to reconnect again after a failer previous
- * reconnecttion
- *
- * @param cls closure (cadet handle)
- */
-static void
-reconnect_cbk (void *cls)
-{
-  struct GNUNET_CADET_Handle *h = cls;
-
-  h->reconnect_task = NULL;
-  reconnect (h);
-}
-
-
-/**
- * Function called during #reconnect() to destroy
- * all channels that are still open.
+ * Function called during #reconnect_cbk() to (re)open
+ * all ports that are still open.
  *
  * @param cls the `struct GNUNET_CADET_Handle`
- * @param cid chanenl ID
- * @param value a `struct GNUNET_CADET_Channel` to destroy
+ * @param id port ID
+ * @param value a `struct GNUNET_CADET_Channel` to open
  * @return #GNUNET_OK (continue to iterate)
  */
 static int
-destroy_channel_on_reconnect_cb (void *cls,
-                                 uint32_t cid,
-                                 void *value)
+open_port_cb (void *cls,
+              const struct GNUNET_HashCode *id,
+              void *value)
 {
-  /* struct GNUNET_CADET_Handle *handle = cls; */
-  struct GNUNET_CADET_Channel *ch = value;
+  struct GNUNET_CADET_Handle *h = cls;
+  struct GNUNET_CADET_Port *port = value;
+  struct GNUNET_CADET_PortMessage *msg;
+  struct GNUNET_MQ_Envelope *env;
 
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-              "Destroying channel due to reconnect\n");
-  destroy_channel (ch);
+  (void) id;
+  env = GNUNET_MQ_msg (msg,
+                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_PORT_OPEN);
+  msg->port = port->id;
+  GNUNET_MQ_send (h->mq,
+                  env);
   return GNUNET_OK;
 }
 
 
 /**
- * Reconnect to the service, retransmit all infomation to try to restore the
- * original state.
- *
- * @param h handle to the cadet
+ * Reconnect callback: tries to reconnect again after a failer previous
+ * reconnecttion
  *
- * @return #GNUNET_YES in case of sucess, #GNUNET_NO otherwise (service down...)
+ * @param cls closure (cadet handle)
  */
 static void
-schedule_reconnect (struct GNUNET_CADET_Handle *h)
+reconnect_cbk (void *cls)
 {
-  if (NULL != h->reconnect_task)
-    return;
-  GNUNET_CONTAINER_multihashmap32_iterate (h->channels,
-                                           &destroy_channel_on_reconnect_cb,
-                                           h);
-  h->reconnect_task
-    = GNUNET_SCHEDULER_add_delayed (h->reconnect_time,
-                                    &reconnect_cbk,
-                                    h);
+  struct GNUNET_CADET_Handle *h = cls;
+
+  h->reconnect_task = NULL;
   h->reconnect_time
     = GNUNET_TIME_STD_BACKOFF (h->reconnect_time);
+  reconnect (h);
+  GNUNET_CONTAINER_multihashmap_iterate (h->ports,
+                                         &open_port_cb,
+                                         h);
 }
 
 
@@ -555,15 +540,16 @@ cadet_mq_error_handler (void *cls,
 {
   struct GNUNET_CADET_Channel *ch = cls;
 
-  GNUNET_break (0);
   if (GNUNET_MQ_ERROR_NO_MATCH == error)
   {
     /* Got a message we did not understand, still try to continue! */
+    GNUNET_break_op (0);
     GNUNET_CADET_receive_done (ch);
   }
   else
   {
-    schedule_reconnect (ch->cadet);
+    GNUNET_break (0);
+    GNUNET_CADET_channel_destroy (ch);
   }
 }
 
@@ -581,6 +567,7 @@ cadet_mq_cancel_impl (struct GNUNET_MQ_Handle *mq,
 {
   struct GNUNET_CADET_Channel *ch = impl_state;
 
+  (void) mq;
   GNUNET_assert (NULL != ch->pending_env);
   GNUNET_MQ_discard (ch->pending_env);
   ch->pending_env = NULL;
@@ -709,6 +696,7 @@ check_local_data (void *cls,
 {
   uint16_t size;
 
+  (void) cls;
   size = ntohs (message->header.size);
   if (sizeof (*message) + sizeof (struct GNUNET_MessageHeader) > size)
   {
@@ -806,6 +794,32 @@ handle_local_ack (void *cls,
 
 
 /**
+ * Function called during #GNUNET_CADET_disconnect() to destroy
+ * all channels that are still open.
+ *
+ * @param cls the `struct GNUNET_CADET_Handle`
+ * @param cid chanenl ID
+ * @param value a `struct GNUNET_CADET_Channel` to destroy
+ * @return #GNUNET_OK (continue to iterate)
+ */
+static int
+destroy_channel_cb (void *cls,
+                    uint32_t cid,
+                    void *value)
+{
+  /* struct GNUNET_CADET_Handle *handle = cls; */
+  struct GNUNET_CADET_Channel *ch = value;
+
+  (void) cls;
+  (void) cid;
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Destroying channel due to GNUNET_CADET_disconnect()\n");
+  destroy_channel (ch);
+  return GNUNET_OK;
+}
+
+
+/**
  * Generic error handler, called with the appropriate error code and
  * the same closure specified at the creation of the message queue.
  * Not every message queue implementation supports an error handler.
@@ -822,9 +836,14 @@ handle_mq_error (void *cls,
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "MQ ERROR: %u\n",
               error);
+  GNUNET_CONTAINER_multihashmap32_iterate (h->channels,
+                                           &destroy_channel_cb,
+                                           h);
   GNUNET_MQ_destroy (h->mq);
   h->mq = NULL;
-  reconnect (h);
+  h->reconnect_task = GNUNET_SCHEDULER_add_delayed (h->reconnect_time,
+                                                    &reconnect_cbk,
+                                                    h);
 }
 
 
@@ -842,6 +861,7 @@ check_get_peers (void *cls,
 {
   size_t esize;
 
+  (void) cls;
   esize = ntohs (message->size);
   if (sizeof (struct GNUNET_CADET_LocalInfoPeer) == esize)
     return GNUNET_OK;
@@ -895,12 +915,9 @@ check_get_peer (void *cls,
                 const struct GNUNET_CADET_LocalInfoPeer *message)
 {
   size_t msize = sizeof (struct GNUNET_CADET_LocalInfoPeer);
-  const struct GNUNET_PeerIdentity *paths_array;
   size_t esize;
-  unsigned int epaths;
-  unsigned int paths;
-  unsigned int peers;
 
+  (void) cls;
   esize = ntohs (message->header.size);
   if (esize < msize)
   {
@@ -912,20 +929,6 @@ check_get_peer (void *cls,
     GNUNET_break (0);
     return GNUNET_SYSERR;
   }
-  peers = (esize - msize) / sizeof (struct GNUNET_PeerIdentity);
-  epaths = ntohs (message->paths);
-  paths_array = (const struct GNUNET_PeerIdentity *) &message[1];
-  paths = 0;
-  for (unsigned int i = 0; i < peers; i++)
-    if (0 == memcmp (&paths_array[i],
-                     &message->destination,
-                     sizeof (struct GNUNET_PeerIdentity)))
-      paths++;
-  if (paths != epaths)
-  {
-    GNUNET_break (0);
-    return GNUNET_SYSERR;
-  }
   return GNUNET_OK;
 }
 
@@ -949,6 +952,11 @@ handle_get_peer (void *cls,
 
   if (NULL == h->info_cb.peer_cb)
     return;
+  
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+    "number of paths %u\n",
+    ntohs (message->paths));
+  
   paths = ntohs (message->paths);
   paths_array = (const struct GNUNET_PeerIdentity *) &message[1];
   peers = (ntohs (message->header.size) - sizeof (*message))
@@ -978,7 +986,9 @@ handle_get_peer (void *cls,
                       (int) ntohs (message->tunnel),
                       neighbor,
                       paths,
-                      paths_array);
+                      paths_array,
+                      (int) ntohs (message->offset),
+                      (int) ntohs (message->finished_with_paths));
 }
 
 
@@ -1170,38 +1180,6 @@ reconnect (struct GNUNET_CADET_Handle *h)
                                  handlers,
                                  &handle_mq_error,
                                  h);
-  if (NULL == h->mq)
-  {
-    schedule_reconnect (h);
-    return;
-  }
-  h->reconnect_time = GNUNET_TIME_UNIT_MILLISECONDS;
-}
-
-
-/**
- * Function called during #GNUNET_CADET_disconnect() to destroy
- * all channels that are still open.
- *
- * @param cls the `struct GNUNET_CADET_Handle`
- * @param cid chanenl ID
- * @param value a `struct GNUNET_CADET_Channel` to destroy
- * @return #GNUNET_OK (continue to iterate)
- */
-static int
-destroy_channel_cb (void *cls,
-                    uint32_t cid,
-                    void *value)
-{
-  /* struct GNUNET_CADET_Handle *handle = cls; */
-  struct GNUNET_CADET_Channel *ch = value;
-
-  (void) cls;
-  (void) cid;
-  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-              "Destroying channel due to GNUNET_CADET_disconnect()\n");
-  destroy_channel (ch);
-  return GNUNET_OK;
 }
 
 
@@ -1223,6 +1201,7 @@ destroy_port_cb (void *cls,
   struct GNUNET_CADET_Port *port = value;
 
   (void) cls;
+  (void) id;
   /* This is a warning, the app should have cleanly closed all open ports */
   GNUNET_break (0);
   GNUNET_CADET_close_port (port);
@@ -1274,18 +1253,21 @@ GNUNET_CADET_disconnect (struct GNUNET_CADET_Handle *handle)
 void
 GNUNET_CADET_close_port (struct GNUNET_CADET_Port *p)
 {
-  struct GNUNET_CADET_PortMessage *msg;
-  struct GNUNET_MQ_Envelope *env;
-
   GNUNET_assert (GNUNET_YES ==
                  GNUNET_CONTAINER_multihashmap_remove (p->cadet->ports,
                                                        &p->id,
                                                        p));
-  env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_PORT_CLOSE);
-  msg->port = p->id;
-  GNUNET_MQ_send (p->cadet->mq,
-                  env);
+  if (NULL != p->cadet->mq)
+  {
+    struct GNUNET_CADET_PortMessage *msg;
+    struct GNUNET_MQ_Envelope *env;
+
+    env = GNUNET_MQ_msg (msg,
+                         GNUNET_MESSAGE_TYPE_CADET_LOCAL_PORT_CLOSE);
+    msg->port = p->id;
+    GNUNET_MQ_send (p->cadet->mq,
+                    env);
+  }
   GNUNET_free_non_null (p->handlers);
   GNUNET_free (p);
 }
@@ -1637,9 +1619,6 @@ GNUNET_CADET_connect (const struct GNUNET_CONFIGURATION_Handle *cfg)
     return NULL;
   }
   h->next_ccn.channel_of_client = htonl (GNUNET_CADET_LOCAL_CHANNEL_ID_CLI);
-  h->reconnect_time = GNUNET_TIME_UNIT_MILLISECONDS;
-  h->reconnect_task = NULL;
-
   return h;
 }
 
@@ -1665,8 +1644,6 @@ GNUNET_CADET_open_port (struct GNUNET_CADET_Handle *h,
                         GNUNET_CADET_DisconnectEventHandler disconnects,
                         const struct GNUNET_MQ_MessageHandler *handlers)
 {
-  struct GNUNET_CADET_PortMessage *msg;
-  struct GNUNET_MQ_Envelope *env;
   struct GNUNET_CADET_Port *p;
 
   GNUNET_assert (NULL != connects);
@@ -1692,13 +1669,11 @@ GNUNET_CADET_open_port (struct GNUNET_CADET_Handle *h,
   p->window_changes = window_changes;
   p->disconnects = disconnects;
   p->handlers = GNUNET_MQ_copy_handlers (handlers);
-
-
-  env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_PORT_OPEN);
-  msg->port = p->id;
-  GNUNET_MQ_send (h->mq,
-                  env);
+  
+  GNUNET_assert (GNUNET_OK ==
+                 open_port_cb (h,
+                               &p->id,
+                               p));
   return p;
 }
 
@@ -1757,7 +1732,8 @@ GNUNET_CADET_channel_create (struct GNUNET_CADET_Handle *h,
                                           handlers,
                                           &cadet_mq_error_handler,
                                           ch);
-  GNUNET_MQ_set_handlers_closure (ch->mq, channel_cls);
+  GNUNET_MQ_set_handlers_closure (ch->mq,
+                                  channel_cls);
 
   /* Request channel creation to service */
   env = GNUNET_MQ_msg (msg,
diff --git a/src/cadet/cadet_test_lib.c b/src/cadet/cadet_test_lib.c
index 760378c89..1a1c15f48 100644
--- a/src/cadet/cadet_test_lib.c
+++ b/src/cadet/cadet_test_lib.c
@@ -135,6 +135,11 @@ cadet_connect_adapter (void *cls,
   struct GNUNET_CADET_Handle *h;
 
   h = GNUNET_CADET_connect (cfg);
+  if (NULL == h)
+  {
+    GNUNET_break(0);
+    return NULL;
+  }
   if (NULL == ctx->ports)
     return h;
   actx->ports = GNUNET_new_array (ctx->port_count,
diff --git a/src/cadet/gnunet-cadet.c b/src/cadet/gnunet-cadet.c
index 04a595a7b..13b04b885 100644
--- a/src/cadet/gnunet-cadet.c
+++ b/src/cadet/gnunet-cadet.c
@@ -27,6 +27,7 @@
 #include "gnunet_cadet_service.h"
 #include "cadet.h"
 
+#define STREAM_BUFFER_SIZE 1024  // Pakets
 
 /**
  * Option -P.
@@ -123,6 +124,8 @@ static struct GNUNET_SCHEDULER_Task *rd_task;
  */
 static struct GNUNET_SCHEDULER_Task *job;
 
+static unsigned int sent_pkt;
+
 
 /**
  * Wait for input on STDIO and send it out over the #ch.
@@ -196,6 +199,11 @@ shutdown_task (void *cls)
 {
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Shutdown\n");
+  if (NULL != lp)
+  {
+    GNUNET_CADET_close_port (lp);
+    lp = NULL;
+  }
   if (NULL != ch)
   {
     GNUNET_CADET_channel_destroy (ch);
@@ -223,6 +231,12 @@ shutdown_task (void *cls)
   }
 }
 
+void
+mq_cb(void *cls)
+{
+  listen_stdio ();
+}
+
 
 /**
  * Task run in stdio mode, after some data is available at stdin.
@@ -243,6 +257,8 @@ read_stdio (void *cls)
                     60000);
   if (data_size < 1)
   {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "read() returned  %s\n", strerror(errno));
     GNUNET_SCHEDULER_shutdown();
     return;
   }
@@ -257,9 +273,21 @@ read_stdio (void *cls)
                  data_size);
   GNUNET_MQ_send (GNUNET_CADET_get_mq (ch),
                   env);
+
+  sent_pkt++;
+
   if (GNUNET_NO == echo)
   {
-    listen_stdio ();
+    // Use MQ's notification if too much data of stdin is pooring in too fast.
+    if (STREAM_BUFFER_SIZE < sent_pkt) 
+    {
+      GNUNET_MQ_notify_sent (env, mq_cb, cls);
+      sent_pkt = 0;
+    }
+    else 
+    {
+      listen_stdio ();
+    }
   }
   else
   {
@@ -525,34 +553,48 @@ peer_callback (void *cls,
                int tunnel,
                int neighbor,
                unsigned int n_paths,
-               const struct GNUNET_PeerIdentity *paths)
+               const struct GNUNET_PeerIdentity *paths,
+               int offset,
+               int finished_with_paths)
 {
   unsigned int i;
   const struct GNUNET_PeerIdentity *p;
-
-  FPRINTF (stdout,
-           "%s [TUNNEL: %s, NEIGHBOR: %s, PATHS: %u]\n",
-           GNUNET_i2s_full (peer),
-           tunnel ? "Y" : "N",
-           neighbor ? "Y" : "N",
-           n_paths);
-  p = paths;
-  for (i = 0; i < n_paths && NULL != p;)
+  
+  
+  if (GNUNET_YES == finished_with_paths)
   {
+    GNUNET_SCHEDULER_shutdown();
+    return;
+  }
+  
+  if (offset == 0){
+    FPRINTF (stdout,
+             "%s [TUNNEL: %s, NEIGHBOR: %s, PATHS: %u]\n",
+             GNUNET_i2s_full (peer),
+             tunnel ? "Y" : "N",
+             neighbor ? "Y" : "N",
+             n_paths);
+  }else{
+    p = paths;
     FPRINTF (stdout,
-             "%s ",
-             GNUNET_i2s (p));
-    if (0 == memcmp (p,
-                     peer,
-                     sizeof (*p)))
+                "Indirekt path with offset %u: ",
+                offset);
+    for (i = 0; i <= offset && NULL != p;)
     {
-      FPRINTF (stdout, "\n");
-      i++;
+        FPRINTF (stdout,
+                "%s ",
+                GNUNET_i2s (p));
+        i++;
+        p++;
     }
-    p++;
+    
+    FPRINTF (stdout,
+                "\n");
+    
   }
+  
 
-  GNUNET_SCHEDULER_shutdown();
+  
 }
 
 
diff --git a/src/cadet/gnunet-service-cadet.c b/src/cadet/gnunet-service-cadet.c
index 38037e92f..4568d2733 100644
--- a/src/cadet/gnunet-service-cadet.c
+++ b/src/cadet/gnunet-service-cadet.c
@@ -822,7 +822,7 @@ get_all_peers_iterator (void *cls,
   struct GNUNET_CADET_LocalInfoPeer *msg;
 
   env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEERS);
+                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEERS);  
   msg->destination = *peer;
   msg->paths = htons (GCP_count_paths (p));
   msg->tunnel = htons (NULL != GCP_get_tunnel (p,
@@ -881,7 +881,7 @@ path_info_iterator (void *cls,
   unsigned int path_length;
 
   path_length = GCPP_get_length (path);
-  path_size = sizeof (struct GNUNET_PeerIdentity) * (path_length - 1);
+  path_size = sizeof (struct GNUNET_PeerIdentity) * path_length;
   if (sizeof (*resp) + path_size > UINT16_MAX)
   {
     LOG (GNUNET_ERROR_TYPE_WARNING,
@@ -892,19 +892,57 @@ path_info_iterator (void *cls,
   env = GNUNET_MQ_msg_extra (resp,
                              path_size,
                              GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEER);
+  
+  
+  resp->offset = htons(off);
+  resp->finished_with_paths = htons(0);
+  
   id = (struct GNUNET_PeerIdentity *) &resp[1];
 
   /* Don't copy first peer.  First peer is always the local one.  Last
    * peer is always the destination (leave as 0, EOL).
    */
-  for (i = 0; i < off; i++)
+  for (i = 0; i <= off; i++)
     id[i] = *GCP_get_id (GCPP_get_peer_at_offset (path,
-                                                  i + 1));
+                                                  i));
   GNUNET_MQ_send (mq,
                   env);
   return GNUNET_YES;
 }
 
+/**
+ * Getting summary information about the number of paths and if a tunnel exists, 
+ * and the indirect paths to a peer, if there are ones.
+ *
+ * @param cls Closure ().
+ * @param peer Peer ID (tunnel remote peer).
+ * @param value Peer info.
+ * @return #GNUNET_YES, to keep iterating.
+ */
+static void
+get_peer_info (void *cls,
+                const struct GNUNET_PeerIdentity *peer,
+                struct CadetPeer *p)
+{
+  struct CadetClient *c = cls;
+  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_CADET_LocalInfoPeer *msg;
+  
+  env = GNUNET_MQ_msg (msg,
+                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEER);
+  msg->offset = htons(0);
+  msg->destination = *peer;
+  msg->paths = htons (GCP_count_paths (p));
+  msg->tunnel = htons (NULL != GCP_get_tunnel (p,
+                                               GNUNET_NO));
+  msg->finished_with_paths = htons(0);
+  GNUNET_MQ_send (c->mq,
+                  env);
+  GCP_iterate_indirect_paths (p,
+                              &path_info_iterator,
+                              c->mq);  
+}
+
 
 /**
  * Handler for client's SHOW_PEER request.
@@ -919,19 +957,23 @@ handle_show_peer (void *cls,
   struct CadetClient *c = cls;
   struct CadetPeer *p;
   struct GNUNET_MQ_Envelope *env;
-  struct GNUNET_MessageHeader *resp;
+  struct GNUNET_CADET_LocalInfoPeer *resp;
 
   p = GCP_get (&msg->peer,
                GNUNET_NO);
-  if (NULL != p)
-    GCP_iterate_paths (p,
-                       &path_info_iterator,
-                       c->mq);
-  /* Send message with 0/0 to indicate the end */
+  if (NULL != p){
+    get_peer_info(c, &(msg->peer), p);  
+  }
+  
+  
   env = GNUNET_MQ_msg (resp,
-                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEER_END);
+                       GNUNET_MESSAGE_TYPE_CADET_LOCAL_INFO_PEER);
+  resp->finished_with_paths = htons(1);
+  resp->destination = msg->peer;
+  
   GNUNET_MQ_send (c->mq,
                   env);
+  
   GNUNET_SERVICE_client_continue (c->client);
 }
 
diff --git a/src/cadet/gnunet-service-cadet_paths.c b/src/cadet/gnunet-service-cadet_paths.c
index e77d54e55..593617ff6 100644
--- a/src/cadet/gnunet-service-cadet_paths.c
+++ b/src/cadet/gnunet-service-cadet_paths.c
@@ -17,7 +17,7 @@
 */
 /**
  * @file cadet/gnunet-service-cadet_paths.c
- * @brief Information we track per path.
+ * @brief Information we track per path.    
  * @author Bartlomiej Polot
  * @author Christian Grothoff
  */
diff --git a/src/cadet/gnunet-service-cadet_peer.c b/src/cadet/gnunet-service-cadet_peer.c
index 9cd1f5229..b375d51ca 100644
--- a/src/cadet/gnunet-service-cadet_peer.c
+++ b/src/cadet/gnunet-service-cadet_peer.c
@@ -243,7 +243,17 @@ GCP_2s (const struct CadetPeer *cp)
   static char buf[5];
   char *ret;
 
+  if ((NULL == cp) || 
+      (NULL == &cp->pid.public_key))
+    return "NULL";
+  
+      
   ret = GNUNET_CRYPTO_eddsa_public_key_to_string (&cp->pid.public_key);
+  
+  if (NULL == ret)
+    return "NULL";
+  
+  
   strncpy (buf,
            ret,
            sizeof (buf) - 1);
@@ -1207,6 +1217,8 @@ GCP_iterate_paths (struct CadetPeer *cp,
        (NULL == cp->core_mq) ? "" : " including direct link");
   if (NULL != cp->core_mq)
   {
+    /* FIXME: this branch seems to duplicate the 
+       i=0 case below (direct link). Leave out!??? -CG */
     struct CadetPeerPath *path;
 
     path = GCPP_get_path_from_route (1,
@@ -1235,6 +1247,41 @@ GCP_iterate_paths (struct CadetPeer *cp,
   return ret;
 }
 
+/**
+ * Iterate over the paths to a peer without direct link.
+ *
+ * @param cp Peer to get path info.
+ * @param callback Function to call for every path.
+ * @param callback_cls Closure for @a callback.
+ * @return Number of iterated paths.
+ */
+unsigned int
+GCP_iterate_indirect_paths (struct CadetPeer *cp,
+                               GCP_PathIterator callback,
+                               void *callback_cls)
+{
+  unsigned int ret = 0;
+
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Iterating over paths to peer %s without direct link\n",
+       GCP_2s (cp));
+  for (unsigned int i=1;i<cp->path_dll_length;i++)
+  {
+    for (struct CadetPeerPathEntry *pe = cp->path_heads[i];
+         NULL != pe;
+         pe = pe->next)
+    {
+      ret++;
+      if (GNUNET_NO ==
+          callback (callback_cls,
+                    pe->path,
+                    i))
+        return ret;
+    }
+  }
+  return ret;
+}
+
 
 /**
  * Iterate over the paths to @a cp where
diff --git a/src/cadet/gnunet-service-cadet_peer.h b/src/cadet/gnunet-service-cadet_peer.h
index 2357a293d..3b8b31b9a 100644
--- a/src/cadet/gnunet-service-cadet_peer.h
+++ b/src/cadet/gnunet-service-cadet_peer.h
@@ -139,6 +139,19 @@ GCP_iterate_paths (struct CadetPeer *cp,
                    GCP_PathIterator callback,
                    void *callback_cls);
 
+/**
+ * Iterate over the paths to a peer without direct link.
+ *
+ * @param cp Peer to get path info.
+ * @param callback Function to call for every path.
+ * @param callback_cls Closure for @a callback.
+ * @return Number of iterated paths.
+ */
+unsigned int
+GCP_iterate_indirect_paths (struct CadetPeer *cp,
+                   GCP_PathIterator callback,
+                   void *callback_cls);
+
 
 /**
  * Iterate over the paths to @a peer where
diff --git a/src/consensus/gnunet-service-consensus.c b/src/consensus/gnunet-service-consensus.c
index 86d056aaf..afbefdc5a 100644
--- a/src/consensus/gnunet-service-consensus.c
+++ b/src/consensus/gnunet-service-consensus.c
@@ -2821,7 +2821,7 @@ construct_task_graph_gradecast (struct ConsensusSession *session,
     }
     /* We run this task to make sure that the leader
        has the stored the SET_KIND_LEADER set of himself,
-       so he can participate in the rest of the gradecast
+       so it can participate in the rest of the gradecast
        without the code having to handle any special cases. */
     task = ((struct TaskEntry) {
       .step = step,
diff --git a/src/conversation/gnunet-conversation.c b/src/conversation/gnunet-conversation.c
index 92a435d55..bb4946720 100644
--- a/src/conversation/gnunet-conversation.c
+++ b/src/conversation/gnunet-conversation.c
@@ -264,6 +264,13 @@ phone_event_handler (void *cls,
   switch (code)
   {
   case GNUNET_CONVERSATION_EC_PHONE_RING:
+    /*
+     * FIXME: we should be playing our ringtones from contrib/sounds now!
+     *
+    ring_my_bell();
+     *
+     * see https://gstreamer.freedesktop.org/documentation/application-development/highlevel/playback-components.html on how to play a wav using the gst framework being used here
+     */
     FPRINTF (stdout,
              _("Incoming call from `%s'. Please /accept %u or /cancel %u the call.\n"),
              GNUNET_GNSRECORD_pkey_to_zkey (caller_id),
@@ -717,7 +724,7 @@ do_status (const char *args)
       break;
     case CS_RINGING:
       FPRINTF (stdout,
-               _("We are calling `%s', his phone should be ringing.\n"),
+               _("We are calling `%s', their phone should be ringing.\n"),
                peer_name);
       break;
     case CS_CONNECTED:
diff --git a/src/core/core.h b/src/core/core.h
index a2c05d4af..2ce77244e 100644
--- a/src/core/core.h
+++ b/src/core/core.h
@@ -172,7 +172,7 @@ struct DisconnectNotifyMessage
  * messages being received or transmitted.  This overall message is
  * followed by the real message, or just the header of the real
  * message (depending on the client's preferences).  The receiver can
- * tell if he got the full message or only a partial message by
+ * tell if it got the full message or only a partial message by
  * looking at the size field in the header of NotifyTrafficMessage and
  * checking it with the size field in the message that follows.
  */
diff --git a/src/core/gnunet-service-core.c b/src/core/gnunet-service-core.c
index 0afc75add..a033f9fac 100644
--- a/src/core/gnunet-service-core.c
+++ b/src/core/gnunet-service-core.c
@@ -230,7 +230,7 @@ handle_client_init (void *cls,
 /**
  * We will never be ready to transmit the given message in (disconnect
  * or invalid request).  Frees resources associated with @a car.  We
- * don't explicitly tell the client, he'll learn with the disconnect
+ * don't explicitly tell the client, it'll learn with the disconnect
  * (or violated the protocol).
  *
  * @param car request that now permanently failed; the
diff --git a/src/core/gnunet-service-core.h b/src/core/gnunet-service-core.h
index 81e73ec39..fd1a88e75 100644
--- a/src/core/gnunet-service-core.h
+++ b/src/core/gnunet-service-core.h
@@ -113,7 +113,7 @@ GSC_CLIENTS_solicit_request (struct GSC_ClientActiveRequest *car);
 /**
  * We will never be ready to transmit the given message in (disconnect
  * or invalid request).  Frees resources associated with @a car.  We
- * don't explicitly tell the client, he'll learn with the disconnect
+ * don't explicitly tell the client, it'll learn with the disconnect
  * (or violated the protocol).
  *
  * @param car request that now permanently failed; the
diff --git a/src/core/gnunet-service-core_kx.c b/src/core/gnunet-service-core_kx.c
index 6e713cf61..c017e0c23 100644
--- a/src/core/gnunet-service-core_kx.c
+++ b/src/core/gnunet-service-core_kx.c
@@ -123,7 +123,7 @@ struct EphemeralKeyMessage
 
 
 /**
- * We're sending an (encrypted) PING to the other peer to check if he
+ * We're sending an (encrypted) PING to the other peer to check if it
  * can decrypt.  The other peer should respond with a PONG with the
  * same content, except this time encrypted with the receiver's key.
  */
@@ -854,8 +854,8 @@ handle_transport_notify_connect (void *cls,
   }
   else
   {
-    /* peer with "higher" identity starts a delayed  KX, if the "lower" peer
-     * does not start a KX since he sees no reasons to do so  */
+    /* peer with "higher" identity starts a delayed KX, if the "lower" peer
+     * does not start a KX since it sees no reasons to do so  */
     kx->retry_set_key_task
       = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
                                       &set_key_retry_task,
diff --git a/src/core/gnunet-service-core_sessions.c b/src/core/gnunet-service-core_sessions.c
index 41fe4dfb7..16f9a092d 100644
--- a/src/core/gnunet-service-core_sessions.c
+++ b/src/core/gnunet-service-core_sessions.c
@@ -356,7 +356,7 @@ GSC_SESSIONS_create (const struct GNUNET_PeerIdentity *peer,
 
 
 /**
- * The other peer has indicated that he 'lost' the session
+ * The other peer has indicated that it 'lost' the session
  * (KX down), reinitialize the session on our end, in particular
  * this means to restart the typemap transmission.
  *
diff --git a/src/core/gnunet-service-core_sessions.h b/src/core/gnunet-service-core_sessions.h
index 845edac69..be862b71f 100644
--- a/src/core/gnunet-service-core_sessions.h
+++ b/src/core/gnunet-service-core_sessions.h
@@ -40,7 +40,7 @@ GSC_SESSIONS_create (const struct GNUNET_PeerIdentity *peer,
 
 
 /**
- * The other peer has indicated that he 'lost' the session
+ * The other peer has indicated that it 'lost' the session
  * (KX down), reinitialize the session on our end, in particular
  * this means to restart the typemap transmission.
  *
diff --git a/src/core/test_core_api_data.conf b/src/core/test_core_api_data.conf
index a13cc8706..420849ba9 100644
--- a/src/core/test_core_api_data.conf
+++ b/src/core/test_core_api_data.conf
@@ -6,6 +6,6 @@ WAN_QUOTA_IN = 64 kiB
 WAN_QUOTA_OUT = 64 kiB
 
 [core]
-PORT = 2092
+PORT = 52092
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-core.sock
 
diff --git a/src/core/test_core_api_send_to_self.conf b/src/core/test_core_api_send_to_self.conf
index ad6d4dc60..c2a459bb9 100644
--- a/src/core/test_core_api_send_to_self.conf
+++ b/src/core/test_core_api_send_to_self.conf
@@ -8,7 +8,7 @@ WAN_QUOTA_OUT = 104757600
 
 [test-sts]
 IMMEDIATE_START = YES
-PORT = 9252
+PORT = 59252
 HOSTNAME = localhost
 BINARY = test_core_api_send_to_self
 ACCEPT_FROM = 127.0.0.1;
diff --git a/src/datastore/perf_datastore_api.c b/src/datastore/perf_datastore_api.c
index f659dedff..6a0ff231b 100644
--- a/src/datastore/perf_datastore_api.c
+++ b/src/datastore/perf_datastore_api.c
@@ -172,7 +172,7 @@ struct CpsRunContext
 
   /**
    * Counts the number of items put in the current phase.
-   * Once it hits #PUT_10, we progress tot he #RP_CUT phase
+   * Once it hits #PUT_10, we progress to the #RP_CUT phase
    * or are done if @e i reaches #ITERATIONS.
    */
   unsigned int j;
diff --git a/src/datastore/plugin_datastore_mysql.c b/src/datastore/plugin_datastore_mysql.c
index b09fd1af3..3568ebe8f 100644
--- a/src/datastore/plugin_datastore_mysql.c
+++ b/src/datastore/plugin_datastore_mysql.c
@@ -76,7 +76,7 @@
  * a safe partition etc. The $HOME/.my.cnf can of course be a symbolic
  * link. Even greater security risk can be achieved by setting no
  * password for $USER.  Luckily $USER has only priviledges to mess
- * up GNUnet's tables, nothing else (unless you give him more,
+ * up GNUnet's tables, nothing else (unless you give them more,
  * of course).<p>
  *
  * 4) Still, perhaps you should briefly try if the DB connection
diff --git a/src/dht/gnunet_dht_profiler.c b/src/dht/gnunet_dht_profiler.c
index 75ca2a3aa..a729d1b01 100644
--- a/src/dht/gnunet_dht_profiler.c
+++ b/src/dht/gnunet_dht_profiler.c
@@ -346,7 +346,7 @@ bandwidth_stats_cont (void *cls,
            (unsigned long long) incoming_bandwidth);
   fprintf (stderr,
            "Benchmark done. Collect data via gnunet-statistics, then press ENTER to exit.\n");
-  getchar ();
+  (void) getchar ();
   GNUNET_SCHEDULER_shutdown ();
 }
 
@@ -752,7 +752,7 @@ dht_disconnect (void *cls,
   switch (mode)
   {
   case MODE_PUT:
-    if (n_puts_ok != n_active * num_puts_per_peer)
+    if (n_puts_ok != ((unsigned long long) n_active) * num_puts_per_peer)
       return;
     /* Start GETs if all PUTs have been made */
     mode = MODE_GET;
diff --git a/src/dns/Makefile.am b/src/dns/Makefile.am
index 9a4ecdcfd..ca2685765 100644
--- a/src/dns/Makefile.am
+++ b/src/dns/Makefile.am
@@ -27,8 +27,6 @@ install-exec-hook:
 endif
 
 lib_LTLIBRARIES = \
-  libgnunetdnsparser.la \
-  libgnunetdnsstub.la \
   libgnunetdns.la
 
 libexec_PROGRAMS = \
@@ -47,9 +45,6 @@ check_SCRIPTS = \
  test_gnunet_dns.sh
 endif
 
-check_PROGRAMS = \
- test_hexcoder
-
 gnunet_helper_dns_SOURCES = \
  gnunet-helper-dns.c
 
@@ -57,7 +52,6 @@ gnunet_helper_dns_SOURCES = \
 gnunet_dns_monitor_SOURCES = \
  gnunet-dns-monitor.c
 gnunet_dns_monitor_LDADD = \
-  libgnunetdnsparser.la \
   libgnunetdns.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
@@ -65,15 +59,12 @@ gnunet_dns_monitor_LDADD = \
 gnunet_zonewalk_SOURCES = \
  gnunet-zonewalk.c
 gnunet_zonewalk_LDADD = \
-  libgnunetdnsparser.la \
-  libgnunetdnsstub.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
 
 gnunet_dns_redirector_SOURCES = \
  gnunet-dns-redirector.c
 gnunet_dns_redirector_LDADD = \
-  libgnunetdnsparser.la \
   libgnunetdns.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
@@ -81,30 +72,10 @@ gnunet_dns_redirector_LDADD = \
 gnunet_service_dns_SOURCES = \
  gnunet-service-dns.c
 gnunet_service_dns_LDADD = \
-  libgnunetdnsstub.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
 
-libgnunetdnsparser_la_SOURCES = \
- dnsparser.c
-libgnunetdnsparser_la_LIBADD = \
- $(top_builddir)/src/util/libgnunetutil.la $(XLIB) \
-  -lidn
-libgnunetdnsparser_la_LDFLAGS = \
-  $(GN_LIB_LDFLAGS) \
-  -version-info 1:0:1
-
-libgnunetdnsstub_la_SOURCES = \
- dnsstub.c
-libgnunetdnsstub_la_LIBADD = \
-  $(top_builddir)/src/tun/libgnunettun.la \
- $(top_builddir)/src/util/libgnunetutil.la $(XLIB)
-libgnunetdnsstub_la_LDFLAGS = \
-  $(GN_LIB_LDFLAGS) \
-  -version-info 0:0:0
-
 libgnunetdns_la_SOURCES = \
  dns_api.c dns.h
 libgnunetdns_la_LIBADD = \
@@ -131,8 +102,3 @@ EXTRA_DIST = \
   $(check_SCRIPTS)
 
 
-test_hexcoder_SOURCES = \
- test_hexcoder.c
-test_hexcoder_LDADD = \
- libgnunetdnsparser.la \
- $(top_builddir)/src/util/libgnunetutil.la
diff --git a/src/dns/gnunet-zonewalk.c b/src/dns/gnunet-zonewalk.c
index c43ad1aeb..b96d40ca7 100644
--- a/src/dns/gnunet-zonewalk.c
+++ b/src/dns/gnunet-zonewalk.c
@@ -494,6 +494,7 @@ queue (const char *hostname)
   struct Request *req;
   char *raw;
   size_t raw_size;
+  int ret;
 
   if (GNUNET_OK !=
       GNUNET_DNSPARSER_check_name (hostname))
@@ -514,13 +515,14 @@ queue (const char *hostname)
   p.queries = &q;
   p.id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
                                               UINT16_MAX);
-
-  if (GNUNET_OK !=
-      GNUNET_DNSPARSER_pack (&p,
-                             UINT16_MAX,
-                             &raw,
-                             &raw_size))
+  ret = GNUNET_DNSPARSER_pack (&p,
+                               UINT16_MAX,
+                               &raw,
+                               &raw_size);
+  if (GNUNET_OK != ret)
   {
+    if (GNUNET_NO == ret)
+      GNUNET_free (raw); 
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "Failed to pack query for hostname `%s'\n",
                 hostname);
diff --git a/src/dv/test_transport_blacklist_data.conf b/src/dv/test_transport_blacklist_data.conf
index 534a61849..ea55a196b 100644
--- a/src/dv/test_transport_blacklist_data.conf
+++ b/src/dv/test_transport_blacklist_data.conf
@@ -1,5 +1,5 @@
 @INLINE@ template_dv.conf
 
 [transport]
-PORT = 2565
+PORT = 52565
 PLUGINS = tcp 
diff --git a/src/dv/test_transport_dv_data.conf b/src/dv/test_transport_dv_data.conf
index 307921ac4..a21fba8a7 100644
--- a/src/dv/test_transport_dv_data.conf
+++ b/src/dv/test_transport_dv_data.conf
@@ -1,7 +1,7 @@
 @INLINE@ template_dv.conf
 
 [transport]
-PORT = 2565
+PORT = 52565
 PLUGINS = tcp dv
 #PREFIX = valgrind --leak-check=full --track-fds=yes --leak-resolution=high
 
diff --git a/src/exit/Makefile.am b/src/exit/Makefile.am
index aa1210269..ea4f08c73 100644
--- a/src/exit/Makefile.am
+++ b/src/exit/Makefile.am
@@ -49,10 +49,8 @@ endif
 gnunet_daemon_exit_SOURCES = \
  gnunet-daemon-exit.c exit.h
 gnunet_daemon_exit_LDADD = \
-  $(top_builddir)/src/dns/libgnunetdnsstub.la \
   $(top_builddir)/src/dht/libgnunetdht.la \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(top_builddir)/src/cadet/libgnunetcadet.la \
   $(top_builddir)/src/regex/libgnunetregex.la \
diff --git a/src/fs/gnunet-service-fs_cp.h b/src/fs/gnunet-service-fs_cp.h
index 5e98f4940..dc7e03f4a 100644
--- a/src/fs/gnunet-service-fs_cp.h
+++ b/src/fs/gnunet-service-fs_cp.h
@@ -84,7 +84,7 @@ struct GSF_PeerPerformanceData
 
   /**
    * If we get content we already have from this peer, for how
-   * long do we block him?  Adjusted based on the fraction of
+   * long do we block it?  Adjusted based on the fraction of
    * redundant data we receive, between 1s and 1h.
    */
   struct GNUNET_TIME_Relative migration_delay;
diff --git a/src/fs/test_fs_defaults.conf b/src/fs/test_fs_defaults.conf
index 42661b25d..6ead78257 100644
--- a/src/fs/test_fs_defaults.conf
+++ b/src/fs/test_fs_defaults.conf
@@ -21,7 +21,7 @@ QUOTA = 100 MB
 
 [transport-tcp]
 BINDTO = 127.0.0.1
-PORT = 4368
+PORT = 54368
 
 [peerinfo]
 NO_IO = YES
diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am
index 46642113f..2c7bb8ebb 100644
--- a/src/gns/Makefile.am
+++ b/src/gns/Makefile.am
@@ -102,7 +102,6 @@ libgnunet_plugin_gnsrecord_gns_la_SOURCES = \
   plugin_gnsrecord_gns.c
 libgnunet_plugin_gnsrecord_gns_la_LIBADD = \
   $(top_builddir)/src/gnsrecord/libgnunetgnsrecord.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(LTLIBINTL)
 libgnunet_plugin_gnsrecord_gns_la_LDFLAGS = \
@@ -140,8 +139,6 @@ gnunet_dns2gns_LDADD = \
   libgnunetgns.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(top_builddir)/src/identity/libgnunetidentity.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
-  $(top_builddir)/src/dns/libgnunetdnsstub.la \
   $(GN_LIBINTL)
 
 if LINUX
@@ -206,10 +203,7 @@ gnunet_service_gns_LDADD = \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(top_builddir)/src/dns/libgnunetdns.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
-  $(top_builddir)/src/dns/libgnunetdnsstub.la \
   $(top_builddir)/src/dht/libgnunetdht.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/namecache/libgnunetnamecache.la \
   $(USE_VPN) \
   $(GN_LIBINTL)
diff --git a/src/gns/gns_api.c b/src/gns/gns_api.c
index 0ec9209da..3b658da92 100644
--- a/src/gns/gns_api.c
+++ b/src/gns/gns_api.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -232,7 +232,6 @@ reconnect (struct GNUNET_GNS_Handle *handle)
                            handle),
     GNUNET_MQ_handler_end ()
   };
-  struct GNUNET_GNS_LookupRequest *lh;
 
   GNUNET_assert (NULL == handle->mq);
   LOG (GNUNET_ERROR_TYPE_DEBUG,
@@ -244,7 +243,9 @@ reconnect (struct GNUNET_GNS_Handle *handle)
                                       handle);
   if (NULL == handle->mq)
     return;
-  for (lh = handle->lookup_head; NULL != lh; lh = lh->next)
+  for (struct GNUNET_GNS_LookupRequest *lh = handle->lookup_head;
+       NULL != lh;
+       lh = lh->next)
     GNUNET_MQ_send_copy (handle->mq,
                          lh->env);
 }
diff --git a/src/gns/gnunet-bcd.c b/src/gns/gnunet-bcd.c
index 5279e83a4..9737e1a49 100644
--- a/src/gns/gnunet-bcd.c
+++ b/src/gns/gnunet-bcd.c
@@ -469,7 +469,7 @@ run (void *cls,
                               "open",
                               fn);
     GNUNET_free (fn);
-    CLOSE (fd);
+    GNUNET_break (0 == CLOSE (fd));
     return;
   }
   GNUNET_free (fn);
@@ -499,6 +499,7 @@ run (void *cls,
     return;
   GNUNET_SCHEDULER_add_shutdown (&server_stop,
                                  NULL);
+  GNUNET_break (0 == CLOSE(fd));
 }
 
 
diff --git a/src/gns/gnunet-dns2gns.c b/src/gns/gnunet-dns2gns.c
index e6e53d405..8d39e8c53 100644
--- a/src/gns/gnunet-dns2gns.c
+++ b/src/gns/gnunet-dns2gns.c
@@ -269,6 +269,7 @@ dns_result_processor (void *cls,
   }
   request->packet = GNUNET_DNSPARSER_parse ((char*)dns,
                                             r);
+  GNUNET_DNSSTUB_resolve_cancel (request->dns_lookup);
   send_response (request);
 }
 
diff --git a/src/gns/gnunet-gns.c b/src/gns/gnunet-gns.c
index 149c8a7bb..463348ed3 100644
--- a/src/gns/gnunet-gns.c
+++ b/src/gns/gnunet-gns.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -65,8 +65,9 @@ static struct GNUNET_GNS_LookupWithTldRequest *lr;
 /**
  * Global return value.
  * 0 on success (default),
- * 1 on internal failures, 2 on launch failure,
- * 3 if the name is not a GNS-supported TLD,
+ * 1 on internal failures
+ * 2 on launch failure,
+ * 4 if the name is not a GNS-supported TLD,
  */
 static int global_ret;
 
@@ -114,7 +115,7 @@ process_lookup_result (void *cls,
   lr = NULL;
   if (GNUNET_NO == was_gns)
   {
-    global_ret = 3;
+    global_ret = 4; /* not for GNS */
     GNUNET_SCHEDULER_shutdown ();
     return;
   }
@@ -183,7 +184,6 @@ run (void *cls,
     global_ret = 2;
     return;
   }
-
   GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
                                  NULL);
 
diff --git a/src/gns/nss/nss_gns.c b/src/gns/nss/nss_gns.c
index 03ac6e09c..58aab47fd 100644
--- a/src/gns/nss/nss_gns.c
+++ b/src/gns/nss/nss_gns.c
@@ -54,121 +54,126 @@
  * @return a nss_status code
  */
 enum nss_status
-_nss_gns_gethostbyname2_r(
-    const char *name,
-    int af,
-    struct hostent * result,
-    char *buffer,
-    size_t buflen,
-    int *errnop,
-    int *h_errnop) {
-
-    struct userdata u;
-    enum nss_status status = NSS_STATUS_UNAVAIL;
-    int i;
-    size_t address_length, l, idx, astart;
-
-    if (af == AF_UNSPEC)
+_nss_gns_gethostbyname2_r(const char *name,
+                          int af,
+                          struct hostent *result,
+                          char *buffer,
+                          size_t buflen,
+                          int *errnop,
+                          int *h_errnop)
+{
+  struct userdata u;
+  enum nss_status status = NSS_STATUS_UNAVAIL;
+  int i;
+  size_t address_length;
+  size_t l;
+  size_t idx;
+  size_t astart;
+
+  if (af == AF_UNSPEC)
 #ifdef NSS_IPV6_ONLY
-        af = AF_INET6;
+    af = AF_INET6;
 #else
-        af = AF_INET;
+  af = AF_INET;
 #endif
 
 #ifdef NSS_IPV4_ONLY
-    if (af != AF_INET)
+  if (af != AF_INET)
 #elif NSS_IPV6_ONLY
-    if (af != AF_INET6)
+  if (af != AF_INET6)
 #else
-    if (af != AF_INET && af != AF_INET6)
+  if ( (af != AF_INET) &&
+       (af != AF_INET6) )
 #endif
-    {
-        *errnop = EINVAL;
-        *h_errnop = NO_RECOVERY;
-
-        goto finish;
-    }
-
-    address_length = af == AF_INET ? sizeof(ipv4_address_t) : sizeof(ipv6_address_t);
-    if (buflen <
-        sizeof(char*)+    /* alias names */
-        strlen(name)+1)  {   /* official name */
-
-        *errnop = ERANGE;
-        *h_errnop = NO_RECOVERY;
-        status = NSS_STATUS_TRYAGAIN;
-
-        goto finish;
-    }
-
-    u.count = 0;
-    u.data_len = 0;
-
-    i = gns_resolve_name(af, name, &u);
-    if (-3 == i)
-      {
-        status = NSS_STATUS_NOTFOUND;
-        goto finish;
-      }
-    if (-2 == i)
-      {
-        status = NSS_STATUS_UNAVAIL;
-        goto finish;
-      }
-    if ( (-1 == i) ||
-         (u.count == 0) )
-      {
-        *errnop = ETIMEDOUT;
-        *h_errnop = HOST_NOT_FOUND;
-        status = NSS_STATUS_NOTFOUND;
-        goto finish;
-      }
-
-
-    /* Alias names */
-    *((char**) buffer) = NULL;
-    result->h_aliases = (char**) buffer;
-    idx = sizeof(char*);
-
-    /* Official name */
-    strcpy(buffer+idx, name);
-    result->h_name = buffer+idx;
-    idx += strlen(name)+1;
-
-    ALIGN(idx);
-
-    result->h_addrtype = af;
-    result->h_length = address_length;
-
-    /* Check if there's enough space for the addresses */
-    if (buflen < idx+u.data_len+sizeof(char*)*(u.count+1)) {
-        *errnop = ERANGE;
-        *h_errnop = NO_RECOVERY;
-        status = NSS_STATUS_TRYAGAIN;
-        goto finish;
-    }
+  {
+    *errnop = EINVAL;
+    *h_errnop = NO_RECOVERY;
+
+    goto finish;
+  }
 
+  address_length = (af == AF_INET) ? sizeof(ipv4_address_t) : sizeof(ipv6_address_t);
+  if (buflen <
+      sizeof(char*)+    /* alias names */
+      strlen(name)+1)
+  {   /* official name */
+    *errnop = ERANGE;
+    *h_errnop = NO_RECOVERY;
+    status = NSS_STATUS_TRYAGAIN;
+
+    goto finish;
+  }
+  u.count = 0;
+  u.data_len = 0;
+  i = gns_resolve_name (af,
+                        name,
+                        &u);
+  if (-3 == i)
+  {
+    status = NSS_STATUS_NOTFOUND;
+    goto finish;
+  }
+  if (-2 == i)
+  {
+    status = NSS_STATUS_UNAVAIL;
+    goto finish;
+  }
+  if ( (-1 == i) ||
+       (u.count == 0) )
+  {
+    *errnop = ETIMEDOUT;
+    *h_errnop = HOST_NOT_FOUND;
+    status = NSS_STATUS_NOTFOUND;
+    goto finish;
+  }
+  /* Alias names */
+  *((char**) buffer) = NULL;
+  result->h_aliases = (char**) buffer;
+  idx = sizeof(char*);
+
+  /* Official name */
+  strcpy (buffer+idx,
+          name);
+  result->h_name = buffer+idx;
+  idx += strlen (name)+1;
+
+  ALIGN(idx);
+
+  result->h_addrtype = af;
+  result->h_length = address_length;
+
+  /* Check if there's enough space for the addresses */
+  if (buflen < idx+u.data_len+sizeof(char*)*(u.count+1))
+  {
+    *errnop = ERANGE;
+    *h_errnop = NO_RECOVERY;
+    status = NSS_STATUS_TRYAGAIN;
+    goto finish;
+  }
     /* Addresses */
-    astart = idx;
-    l = u.count*address_length;
-    if (0 != l)
-      memcpy(buffer+astart, &u.data, l);
-    /* address_length is a multiple of 32bits, so idx is still aligned
-     * correctly */
-    idx += l;
-
-    /* Address array address_lenght is always a multiple of 32bits */
-    for (i = 0; i < u.count; i++)
-        ((char**) (buffer+idx))[i] = buffer+astart+address_length*i;
-    ((char**) (buffer+idx))[i] = NULL;
-    result->h_addr_list = (char**) (buffer+idx);
-
-    status = NSS_STATUS_SUCCESS;
+  astart = idx;
+  l = u.count*address_length;
+  if (0 != l)
+    memcpy (buffer+astart,
+            &u.data,
+            l);
+  /* address_length is a multiple of 32bits, so idx is still aligned
+   * correctly */
+  idx += l;
+
+  /* Address array address_length is always a multiple of 32bits */
+  for (i = 0; i < u.count; i++)
+    ((char**) (buffer+idx))[i] = buffer+astart+address_length*i;
+  ((char**) (buffer+idx))[i] = NULL;
+  result->h_addr_list = (char**) (buffer+idx);
+
+  status = NSS_STATUS_SUCCESS;
 
 finish:
-    return status;
+  return status;
 }
 
+
 /**
  * The gethostbyname hook executed by nsswitch
  *
@@ -176,29 +181,28 @@ finish:
  * @param result the result hostent
  * @param buffer the result buffer
  * @param buflen length of the buffer
- * @param errnop idk
+ * @param errnop[out] the low-level error code to return to the application
  * @param h_errnop idk
  * @return a nss_status code
  */
 enum nss_status
-_nss_gns_gethostbyname_r (
-    const char *name,
-    struct hostent *result,
-    char *buffer,
-    size_t buflen,
-    int *errnop,
-    int *h_errnop) {
-
-    return _nss_gns_gethostbyname2_r(
-        name,
-        AF_UNSPEC,
-        result,
-        buffer,
-        buflen,
-        errnop,
-        h_errnop);
+_nss_gns_gethostbyname_r (const char *name,
+                          struct hostent *result,
+                          char *buffer,
+                          size_t buflen,
+                          int *errnop,
+                          int *h_errnop)
+{
+  return _nss_gns_gethostbyname2_r (name,
+                                    AF_UNSPEC,
+                                    result,
+                                    buffer,
+                                    buflen,
+                                    errnop,
+                                    h_errnop);
 }
 
+
 /**
  * The gethostbyaddr hook executed by nsswitch
  * We can't do this so we always return NSS_STATUS_UNAVAIL
@@ -209,23 +213,22 @@ _nss_gns_gethostbyname_r (
  * @param result the result hostent
  * @param buffer the result buffer
  * @param buflen length of the buffer
- * @param errnop idk
+ * @param errnop[out] the low-level error code to return to the application
  * @param h_errnop idk
  * @return NSS_STATUS_UNAVAIL
  */
 enum nss_status
-_nss_gns_gethostbyaddr_r(
-    const void* addr,
-    int len,
-    int af,
-    struct hostent *result,
-    char *buffer,
-    size_t buflen,
-    int *errnop,
-    int *h_errnop) {
-
-    *errnop = EINVAL;
-    *h_errnop = NO_RECOVERY;
-    //NOTE we allow to leak this into DNS so no NOTFOUND
-    return NSS_STATUS_UNAVAIL;
+_nss_gns_gethostbyaddr_r (const void* addr,
+                          int len,
+                          int af,
+                          struct hostent *result,
+                          char *buffer,
+                          size_t buflen,
+                          int *errnop,
+                          int *h_errnop)
+{
+  *errnop = EINVAL;
+  *h_errnop = NO_RECOVERY;
+  //NOTE we allow to leak this into DNS so no NOTFOUND
+  return NSS_STATUS_UNAVAIL;
 }
diff --git a/src/gns/nss/nss_gns_query.c b/src/gns/nss/nss_gns_query.c
index 094e25ed5..867ead624 100644
--- a/src/gns/nss/nss_gns_query.c
+++ b/src/gns/nss/nss_gns_query.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -48,14 +48,16 @@ gns_resolve_name (int af,
   {
     if (-1 == asprintf (&cmd,
                         "%s -t AAAA -u %s\n",
-                        "gnunet-gns -r", name))
+                        "gnunet-gns -r",
+                        name))
       return -1;
   }
   else
   {
     if (-1 == asprintf (&cmd,
                         "%s %s\n",
-                        "gnunet-gns -r -u", name))
+                        "gnunet-gns -r -u",
+                        name))
       return -1;
   }
   if (NULL == (p = popen (cmd, "r")))
@@ -63,7 +65,9 @@ gns_resolve_name (int af,
     free (cmd);
     return -1;
   }
-  while (NULL != fgets (line, sizeof(line), p))
+  while (NULL != fgets (line,
+                        sizeof(line),
+                        p))
   {
     if (u->count >= MAX_ENTRIES)
       break;
@@ -72,7 +76,9 @@ gns_resolve_name (int af,
       line[strlen(line)-1] = '\0';
       if (AF_INET == af)
       {
-        if (inet_pton(af, line, &(u->data.ipv4[u->count])))
+        if (inet_pton(af,
+                      line,
+                      &u->data.ipv4[u->count]))
         {
           u->count++;
           u->data_len += sizeof(ipv4_address_t);
@@ -86,7 +92,9 @@ gns_resolve_name (int af,
       }
       else if (AF_INET6 == af)
       {
-        if (inet_pton(af, line, &(u->data.ipv6[u->count])))
+        if (inet_pton(af,
+                      line,
+                      &u->data.ipv6[u->count]))
         {
           u->count++;
           u->data_len += sizeof(ipv6_address_t);
@@ -105,7 +113,10 @@ gns_resolve_name (int af,
   if (4 == ret)
     return -2; /* not for GNS */
   if (3 == ret)
-    return -3; /* timeout */
+    return -3; /* timeout -> not found */
+  if ( (2 == ret) || (1 == ret) )
+    return -2; /* launch failure -> service unavailable */
   return 0;
 }
+
 /* end of nss_gns_query.c */
diff --git a/src/gns/nss/nss_gns_query.h b/src/gns/nss/nss_gns_query.h
index bb04f9004..48cab4b22 100644
--- a/src/gns/nss/nss_gns_query.h
+++ b/src/gns/nss/nss_gns_query.h
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -26,25 +26,30 @@
 /* Maximum number of entries to return */
 #define MAX_ENTRIES 16
 
-typedef struct {
-    uint32_t address;
+typedef struct
+{
+  uint32_t address;
 } ipv4_address_t;
 
-typedef struct {
-    uint8_t address[16];
+
+typedef struct
+{
+  uint8_t address[16];
 } ipv6_address_t;
 
 
-struct userdata {
+struct userdata
+{
   int count;
   int data_len; /* only valid when doing reverse lookup */
   union  {
-      ipv4_address_t ipv4[MAX_ENTRIES];
-      ipv6_address_t ipv6[MAX_ENTRIES];
-      char *name[MAX_ENTRIES];
+    ipv4_address_t ipv4[MAX_ENTRIES];
+    ipv6_address_t ipv6[MAX_ENTRIES];
+    char *name[MAX_ENTRIES];
   } data;
 };
 
+
 /**
  * Wrapper function that uses gnunet-gns cli tool to resolve
  * an IPv4/6 address.
@@ -54,8 +59,9 @@ struct userdata {
  * @param u the userdata (result struct)
  * @return -1 on error else 0
  */
-int gns_resolve_name(int af,
-               const char *name,
-               struct userdata *userdata);
+int
+gns_resolve_name(int af,
+                 const char *name,
+                 struct userdata *userdata);
 
 #endif
diff --git a/src/gnsrecord/Makefile.am b/src/gnsrecord/Makefile.am
index c83aa3307..f840a31a4 100644
--- a/src/gnsrecord/Makefile.am
+++ b/src/gnsrecord/Makefile.am
@@ -38,7 +38,6 @@ libgnunetgnsrecord_la_SOURCES = \
   gnsrecord_crypto.c \
   gnsrecord_misc.c
 libgnunetgnsrecord_la_LIBADD = \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
 libgnunetgnsrecord_la_LDFLAGS = \
@@ -53,7 +52,6 @@ plugin_LTLIBRARIES = \
 libgnunet_plugin_gnsrecord_dns_la_SOURCES = \
   plugin_gnsrecord_dns.c
 libgnunet_plugin_gnsrecord_dns_la_LIBADD = \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(LTLIBINTL)
 libgnunet_plugin_gnsrecord_dns_la_LDFLAGS = \
diff --git a/src/gnsrecord/gnsrecord_serialization.c b/src/gnsrecord/gnsrecord_serialization.c
index a1cfbe984..934d36102 100644
--- a/src/gnsrecord/gnsrecord_serialization.c
+++ b/src/gnsrecord/gnsrecord_serialization.c
@@ -90,6 +90,9 @@ GNUNET_GNSRECORD_records_get_size (unsigned int rd_count,
 {
   size_t ret;
 
+  if (0 == rd_count)
+    return 0;
+  
   ret = sizeof (struct NetworkRecord) * rd_count;
   for (unsigned int i=0;i<rd_count;i++)
   {
@@ -205,6 +208,9 @@ GNUNET_GNSRECORD_records_serialize (unsigned int rd_count,
     }
 #endif
   }
+  memset (&dest[off],
+          0,
+          dest_size-off);
   return dest_size;
 }
 
diff --git a/src/gnsrecord/plugin_gnsrecord_dns.c b/src/gnsrecord/plugin_gnsrecord_dns.c
index 188afcae7..254ae15ea 100644
--- a/src/gnsrecord/plugin_gnsrecord_dns.c
+++ b/src/gnsrecord/plugin_gnsrecord_dns.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -463,7 +463,7 @@ dns_string_to_value (void *cls,
       }
       cert_size = GNUNET_STRINGS_base64_decode (certp,
                                                 strlen (certp),
-                                                &cert_data);
+                                                (void **) &cert_data);
       GNUNET_free (sdup);
       cert.cert_type = type;
       cert.cert_tag = key;
diff --git a/src/identity/identity_api_lookup.c b/src/identity/identity_api_lookup.c
index 593a5dbb0..25aec8ede 100644
--- a/src/identity/identity_api_lookup.c
+++ b/src/identity/identity_api_lookup.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -131,6 +131,12 @@ GNUNET_IDENTITY_ego_lookup (const struct GNUNET_CONFIGURATION_Handle *cfg,
   el->identity = GNUNET_IDENTITY_connect (cfg,
                                           &identity_cb,
                                           el);
+  if (NULL == el->identity)
+  {
+    GNUNET_free (el->name);
+    GNUNET_free (el);
+    return NULL;
+  }
   return el;
 }
 
diff --git a/src/include/block_dns.h b/src/include/block_dns.h
index f54a51232..234ed502d 100644
--- a/src/include/block_dns.h
+++ b/src/include/block_dns.h
@@ -38,7 +38,7 @@ GNUNET_NETWORK_STRUCT_BEGIN
 struct GNUNET_DNS_Advertisement
 {
   /**
-   * Signature of the peer affirming that he is offering the service.
+   * Signature of the peer affirming that it is offering the service.
    */
   struct GNUNET_CRYPTO_EddsaSignature signature;
 
diff --git a/src/include/gnunet_cadet_service.h b/src/include/gnunet_cadet_service.h
index 4f35a3f1f..552763055 100644
--- a/src/include/gnunet_cadet_service.h
+++ b/src/include/gnunet_cadet_service.h
@@ -425,7 +425,9 @@ typedef void
                         int tunnel,
                         int neighbor,
                         unsigned int n_paths,
-                        const struct GNUNET_PeerIdentity *paths);
+                        const struct GNUNET_PeerIdentity *paths,
+                        int offset,
+                        int finished_with_paths);
 
 
 /**
diff --git a/src/include/gnunet_common.h b/src/include/gnunet_common.h
index b4bf5b0aa..1b982cc15 100644
--- a/src/include/gnunet_common.h
+++ b/src/include/gnunet_common.h
@@ -1074,7 +1074,7 @@ GNUNET_ntoh_double (double d);
  * @param tsize the target size for the resulting vector, use 0 to
  *        free the vector (then, arr will be NULL afterwards).
  */
-#define GNUNET_array_grow(arr,size,tsize) GNUNET_xgrow_((void**)&arr, sizeof(arr[0]), &size, tsize, __FILE__, __LINE__)
+#define GNUNET_array_grow(arr,size,tsize) GNUNET_xgrow_((void**)&(arr), sizeof((arr)[0]), &size, tsize, __FILE__, __LINE__)
 
 /**
  * @ingroup memory
@@ -1089,7 +1089,7 @@ GNUNET_ntoh_double (double d);
  *        array size
  * @param element the element that will be appended to the array
  */
-#define GNUNET_array_append(arr,size,element) do { GNUNET_array_grow(arr,size,size+1); arr[size-1] = element; } while(0)
+#define GNUNET_array_append(arr,size,element) do { GNUNET_array_grow(arr,size,size+1); (arr)[size-1] = element; } while(0)
 
 /**
  * @ingroup memory
diff --git a/src/include/gnunet_core_service.h b/src/include/gnunet_core_service.h
index e25043d17..b38f38b69 100644
--- a/src/include/gnunet_core_service.h
+++ b/src/include/gnunet_core_service.h
@@ -232,7 +232,7 @@ enum GNUNET_CORE_KxState
 
   /**
    * The other peer has confirmed our session key + PING with a PONG
-   * message encrypted with his session key (which we got).  Key
+   * message encrypted with their session key (which we got).  Key
    * exchange is done.
    */
   GNUNET_CORE_KX_STATE_UP,
diff --git a/src/include/gnunet_dnsparser_lib.h b/src/include/gnunet_dnsparser_lib.h
index fa4915be7..0fc6ac19c 100644
--- a/src/include/gnunet_dnsparser_lib.h
+++ b/src/include/gnunet_dnsparser_lib.h
@@ -31,7 +31,6 @@
 #define GNUNET_DNSPARSER_LIB_H
 
 #include "gnunet_util_lib.h"
-#include "gnunet_tun_lib.h"
 
 /**
  * Maximum length of a label in DNS.
@@ -83,6 +82,7 @@
 #define GNUNET_DNSPARSER_TYPE_OPENPGPKEY 61
 #define GNUNET_DNSPARSER_TYPE_TKEY 249
 #define GNUNET_DNSPARSER_TYPE_TSIG 250
+#define GNUNET_DNSPARSER_TYPE_ALL 255
 #define GNUNET_DNSPARSER_TYPE_URI 256
 #define GNUNET_DNSPARSER_TYPE_TA 32768
 
@@ -841,6 +841,58 @@ GNUNET_DNSPARSER_parse_srv (const char *udp_payload,
                             size_t udp_payload_length,
                             size_t *off);
 
+/* ***************** low-level duplication API ******************** */
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_Record *
+GNUNET_DNSPARSER_duplicate_record (const struct GNUNET_DNSPARSER_Record *r);
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_SoaRecord *
+GNUNET_DNSPARSER_duplicate_soa_record (const struct GNUNET_DNSPARSER_SoaRecord *r);
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_CertRecord *
+GNUNET_DNSPARSER_duplicate_cert_record (const struct GNUNET_DNSPARSER_CertRecord *r);
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_MxRecord *
+GNUNET_DNSPARSER_duplicate_mx_record (const struct GNUNET_DNSPARSER_MxRecord *r);
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_SrvRecord *
+GNUNET_DNSPARSER_duplicate_srv_record (const struct GNUNET_DNSPARSER_SrvRecord *r);
+
+
 /* ***************** low-level deallocation API ******************** */
 
 /**
diff --git a/src/include/gnunet_dnsstub_lib.h b/src/include/gnunet_dnsstub_lib.h
index 8f1b90425..ad44be846 100644
--- a/src/include/gnunet_dnsstub_lib.h
+++ b/src/include/gnunet_dnsstub_lib.h
@@ -29,8 +29,7 @@
 #ifndef GNUNET_DNSSTUB_LIB_H
 #define GNUNET_DNSSTUB_LIB_H
 
-#include "gnunet_common.h"
-#include "gnunet_tun_lib.h"
+#include "gnunet_util_lib.h"
 
 /**
  * Opaque handle to the stub resolver.
diff --git a/src/include/gnunet_os_lib.h b/src/include/gnunet_os_lib.h
index 86957a25c..98469a156 100644
--- a/src/include/gnunet_os_lib.h
+++ b/src/include/gnunet_os_lib.h
@@ -556,7 +556,7 @@ GNUNET_OS_command_run (GNUNET_OS_LineProcessor proc,
 
 
 /**
- * Retrieve the status of a process, waiting on him if dead.
+ * Retrieve the status of a process, waiting on it if dead.
  * Nonblocking version.
  *
  * @param proc pointer to process structure
@@ -586,7 +586,7 @@ GNUNET_OS_process_wait (struct GNUNET_OS_Process *proc);
 
 
 /**
- * Retrieve the status of a process, waiting on him if dead.
+ * Retrieve the status of a process, waiting on it if dead.
  * Blocking version.
  *
  * @param proc pointer to process structure
diff --git a/src/include/gnunet_psyc_service.h b/src/include/gnunet_psyc_service.h
index f31de0e67..053fe4495 100644
--- a/src/include/gnunet_psyc_service.h
+++ b/src/include/gnunet_psyc_service.h
@@ -135,7 +135,7 @@ enum GNUNET_PSYC_ChannelFlags
 enum GNUNET_PSYC_Policy
 {
   /**
-   * Anyone can join the channel, without announcing his presence;
+   * Anyone can join the channel, without announcing their presence;
    * all messages are always public and can be distributed freely.
    * Joins may be announced, but this is not required.
    */
diff --git a/src/include/gnunet_secretsharing_service.h b/src/include/gnunet_secretsharing_service.h
index bd11df982..a3f44222e 100644
--- a/src/include/gnunet_secretsharing_service.h
+++ b/src/include/gnunet_secretsharing_service.h
@@ -248,7 +248,7 @@ GNUNET_SECRETSHARING_encrypt (const struct GNUNET_SECRETSHARING_PublicKey *publi
  * published the same value, it will be decrypted.
  *
  * When the operation is canceled, the decrypt_cb is not called anymore, but the calling
- * peer may already have irrevocably contributed his share for the decryption of the value.
+ * peer may already have irrevocably contributed its share for the decryption of the value.
  *
  * @param cfg configuration to use
  * @param share our secret share to use for decryption
@@ -273,7 +273,7 @@ GNUNET_SECRETSHARING_decrypt (const struct GNUNET_CONFIGURATION_Handle *cfg,
  * Cancel a decryption.
  *
  * The decrypt_cb is not called anymore, but the calling
- * peer may already have irrevocably contributed his share for the decryption of the value.
+ * peer may already have irrevocably contributed its share for the decryption of the value.
  *
  * @param dh to cancel
  */
diff --git a/src/include/gnunet_signatures.h b/src/include/gnunet_signatures.h
index bc9e3dc16..d7accaf2c 100644
--- a/src/include/gnunet_signatures.h
+++ b/src/include/gnunet_signatures.h
@@ -134,7 +134,7 @@ extern "C"
 
 /**
  * Accept state in regex DFA.  Peer affirms that
- * he offers the matching service.
+ * it offers the matching service.
  */
 #define GNUNET_SIGNATURE_PURPOSE_REGEX_ACCEPT 18
 
diff --git a/src/include/gnunet_strings_lib.h b/src/include/gnunet_strings_lib.h
index 1fdab93b2..c1d76ef71 100644
--- a/src/include/gnunet_strings_lib.h
+++ b/src/include/gnunet_strings_lib.h
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -339,7 +339,9 @@ GNUNET_STRINGS_string_to_data (const char *enc,
  * @return the size of the output
  */
 size_t
-GNUNET_STRINGS_base64_encode (const char *data, size_t len, char **output);
+GNUNET_STRINGS_base64_encode (const void *in,
+                              size_t len,
+                              char **output);
 
 
 /**
@@ -354,7 +356,7 @@ GNUNET_STRINGS_base64_encode (const char *data, size_t len, char **output);
 size_t
 GNUNET_STRINGS_base64_decode (const char *data,
                               size_t len,
-                              char **output);
+                              void **output);
 
 
 /**
diff --git a/src/include/gnunet_tun_lib.h b/src/include/gnunet_tun_lib.h
index a2e75eb5f..8de627141 100644
--- a/src/include/gnunet_tun_lib.h
+++ b/src/include/gnunet_tun_lib.h
@@ -30,7 +30,8 @@
 #ifndef GNUNET_TUN_LIB_H
 #define GNUNET_TUN_LIB_H
 
-#include "gnunet_util_lib.h"
+#include "gnunet_common.h"
+#include "gnunet_crypto_lib.h"
 
 
 /* see http://www.iana.org/assignments/ethernet-numbers */
diff --git a/src/include/gnunet_util_lib.h b/src/include/gnunet_util_lib.h
index 5e8eef1ad..091d3ba58 100644
--- a/src/include/gnunet_util_lib.h
+++ b/src/include/gnunet_util_lib.h
@@ -78,6 +78,9 @@ extern "C"
 #include "gnunet_service_lib.h"
 #include "gnunet_signal_lib.h"
 #include "gnunet_strings_lib.h"
+#include "gnunet_tun_lib.h"
+#include "gnunet_dnsstub_lib.h"
+#include "gnunet_dnsparser_lib.h"
 
 #if 0                           /* keep Emacsens' auto-indent happy */
 {
diff --git a/src/multicast/gnunet-service-multicast.c b/src/multicast/gnunet-service-multicast.c
index 21eb39daa..20d29b906 100644
--- a/src/multicast/gnunet-service-multicast.c
+++ b/src/multicast/gnunet-service-multicast.c
@@ -1449,7 +1449,7 @@ check_client_member_join (void *cls,
   struct GNUNET_PeerIdentity *relays = (struct GNUNET_PeerIdentity *) &msg[1];
   uint32_t relay_count = ntohl (msg->relay_count);
 
-  if (0 == relay_count}
+  if (0 == relay_count)
   {
     GNUNET_break (0);
     return GNUNET_SYSERR;
diff --git a/src/namestore/Makefile.am b/src/namestore/Makefile.am
index fa85cc060..777e722c2 100644
--- a/src/namestore/Makefile.am
+++ b/src/namestore/Makefile.am
@@ -147,8 +147,6 @@ gnunet_zoneimport_LDADD = \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
   $(top_builddir)/src/identity/libgnunetidentity.la \
   $(top_builddir)/src/gnsrecord/libgnunetgnsrecord.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
-  $(top_builddir)/src/dns/libgnunetdnsstub.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
 
diff --git a/src/namestore/gnunet-zoneimport.c b/src/namestore/gnunet-zoneimport.c
index 6c89cdb05..ddc8b483a 100644
--- a/src/namestore/gnunet-zoneimport.c
+++ b/src/namestore/gnunet-zoneimport.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -456,6 +456,7 @@ build_dns_query (struct Request *req,
   char *rawp;
   struct GNUNET_DNSPARSER_Packet p;
   struct GNUNET_DNSPARSER_Query q;
+  int ret;
 
   q.name = (char *) req->hostname;
   q.type = GNUNET_DNSPARSER_TYPE_NS;
@@ -467,12 +468,14 @@ build_dns_query (struct Request *req,
   p.num_queries = 1;
   p.queries = &q;
   p.id = req->id;
-  if (GNUNET_OK !=
-      GNUNET_DNSPARSER_pack (&p,
-                             UINT16_MAX,
-                             &rawp,
-                             raw_size))
+  ret = GNUNET_DNSPARSER_pack (&p,
+                               UINT16_MAX,
+                               &rawp,
+                               raw_size);
+  if (GNUNET_OK != ret)
   {
+    if (GNUNET_NO == ret)
+      GNUNET_free (rawp);
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "Failed to pack query for hostname `%s'\n",
                 req->hostname);
diff --git a/src/namestore/plugin_namestore_flat.c b/src/namestore/plugin_namestore_flat.c
index 33c48b244..e16fe91b7 100644
--- a/src/namestore/plugin_namestore_flat.c
+++ b/src/namestore/plugin_namestore_flat.c
@@ -55,7 +55,7 @@ struct FlatFileEntry
   /**
    * Entry zone
    */
-  struct GNUNET_CRYPTO_EcdsaPrivateKey *private_key;
+  struct GNUNET_CRYPTO_EcdsaPrivateKey private_key;
 
   /**
    * Record cound
@@ -93,7 +93,6 @@ static int
 database_setup (struct Plugin *plugin)
 {
   char *afsdir;
-  char *key;
   char *record_data;
   char *zone_private_key;
   char *record_data_b64;
@@ -104,7 +103,6 @@ database_setup (struct Plugin *plugin)
   char *record_count;
   size_t record_data_size;
   uint64_t size;
-  size_t key_len;
   struct GNUNET_HashCode hkey;
   struct GNUNET_DISK_FileHandle *fh;
   struct FlatFileEntry *entry;
@@ -232,7 +230,7 @@ database_setup (struct Plugin *plugin)
       record_data_size
         = GNUNET_STRINGS_base64_decode (record_data_b64,
                                         strlen (record_data_b64),
-                                        &record_data);
+                                        (void **) &record_data);
       entry->record_data =
         GNUNET_new_array (entry->record_count,
                           struct GNUNET_GNSRECORD_Data);
@@ -251,21 +249,34 @@ database_setup (struct Plugin *plugin)
         break;
       }
       GNUNET_free (record_data);
-      GNUNET_STRINGS_base64_decode (zone_private_key,
-                                    strlen (zone_private_key),
-                                    (char**)&entry->private_key);
-      key_len = strlen (label) + sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey);
-      key = GNUNET_malloc (strlen (label) + sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
-      GNUNET_memcpy (key,
-                     label,
-                     strlen (label));
-      GNUNET_memcpy (key+strlen(label),
-                     entry->private_key,
-                     sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
-      GNUNET_CRYPTO_hash (key,
-                          key_len,
-                          &hkey);
-      GNUNET_free (key);
+
+      {
+        struct GNUNET_CRYPTO_EcdsaPrivateKey *private_key;
+
+        GNUNET_STRINGS_base64_decode (zone_private_key,
+                                      strlen (zone_private_key),
+                                      (void**)&private_key);
+        entry->private_key = *private_key;
+        GNUNET_free (private_key);
+      }
+
+      {
+        char *key;
+        size_t key_len;
+
+        key_len = strlen (label) + sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey);
+        key = GNUNET_malloc (strlen (label) + sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
+        GNUNET_memcpy (key,
+                       label,
+                       strlen (label));
+        GNUNET_memcpy (key+strlen(label),
+                       &entry->private_key,
+                       sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
+        GNUNET_CRYPTO_hash (key,
+                            key_len,
+                            &hkey);
+        GNUNET_free (key);
+      }
       if (GNUNET_OK !=
           GNUNET_CONTAINER_multihashmap_put (plugin->hm,
                                              &hkey,
@@ -302,7 +313,7 @@ store_and_free_entries (void *cls,
   ssize_t data_size;
 
   (void) key;
-  GNUNET_STRINGS_base64_encode ((char*)entry->private_key,
+  GNUNET_STRINGS_base64_encode (&entry->private_key,
                                 sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
                                 &zone_private_key);
   data_size = GNUNET_GNSRECORD_records_get_size (entry->record_count,
@@ -353,7 +364,6 @@ store_and_free_entries (void *cls,
                           strlen (line));
 
   GNUNET_free (line);
-  GNUNET_free (entry->private_key);
   GNUNET_free (entry->label);
   GNUNET_free (entry->record_data);
   GNUNET_free (entry);
@@ -441,11 +451,10 @@ namestore_flat_store_records (void *cls,
     return GNUNET_OK;
   }
   entry = GNUNET_new (struct FlatFileEntry);
-  entry->private_key = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
   GNUNET_asprintf (&entry->label,
                    label,
                    strlen (label));
-  GNUNET_memcpy (entry->private_key,
+  GNUNET_memcpy (&entry->private_key,
                  zone_key,
                  sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
   entry->rvalue = rvalue;
@@ -519,7 +528,7 @@ namestore_flat_lookup_records (void *cls,
   if (NULL != iter)
     iter (iter_cls,
           0,
-          entry->private_key,
+          &entry->private_key,
           entry->label,
           entry->record_count,
           entry->record_data);
@@ -586,7 +595,7 @@ iterate_zones (void *cls,
   if (0 == ic->limit)
     return GNUNET_NO;
   if ( (NULL != ic->zone) &&
-       (0 != memcmp (entry->private_key,
+       (0 != memcmp (&entry->private_key,
                      ic->zone,
                      sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey))) )
     return GNUNET_YES;
@@ -598,7 +607,7 @@ iterate_zones (void *cls,
   }
   ic->iter (ic->iter_cls,
             ic->pos,
-            entry->private_key,
+            &entry->private_key,
             entry->label,
             entry->record_count,
             entry->record_data);
@@ -668,7 +677,7 @@ zone_to_name (void *cls,
   struct FlatFileEntry *entry = value;
 
   (void) key;
-  if (0 != memcmp (entry->private_key,
+  if (0 != memcmp (&entry->private_key,
                    ztn->zone,
                    sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey)))
     return GNUNET_YES;
@@ -683,7 +692,7 @@ zone_to_name (void *cls,
     {
       ztn->iter (ztn->iter_cls,
                  0,
-                 entry->private_key,
+                 &entry->private_key,
                  entry->label,
                  entry->record_count,
                  entry->record_data);
diff --git a/src/namestore/test_namestore_api_lookup_shadow.c b/src/namestore/test_namestore_api_lookup_shadow.c
index ecfd03735..08977712b 100644
--- a/src/namestore/test_namestore_api_lookup_shadow.c
+++ b/src/namestore/test_namestore_api_lookup_shadow.c
@@ -277,9 +277,9 @@ main (int argc, char *argv[])
   {
     res = 1;
   }
-  GNUNET_free (cfg_name);
   GNUNET_DISK_purge_cfg_dir (cfg_name,
                              "GNUNET_TEST_HOME");
+  GNUNET_free (cfg_name);
   return res;
 }
 
diff --git a/src/namestore/test_namestore_api_lookup_shadow_filter.c b/src/namestore/test_namestore_api_lookup_shadow_filter.c
index b751ff703..7555f51e7 100644
--- a/src/namestore/test_namestore_api_lookup_shadow_filter.c
+++ b/src/namestore/test_namestore_api_lookup_shadow_filter.c
@@ -352,9 +352,9 @@ main (int argc, char *argv[])
   {
     res = 1;
   }
-  GNUNET_free (cfg_name);
   GNUNET_DISK_purge_cfg_dir (cfg_name,
                              "GNUNET_TEST_HOME");
+  GNUNET_free (cfg_name);
   return res;
 }
 
diff --git a/src/namestore/test_namestore_api_sqlite.conf b/src/namestore/test_namestore_api_sqlite.conf
index 82663400a..cd4822097 100644
--- a/src/namestore/test_namestore_api_sqlite.conf
+++ b/src/namestore/test_namestore_api_sqlite.conf
@@ -2,6 +2,7 @@
 
 [namestore]
 DATABASE = sqlite
+# PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=/tmp/v_log 
 
 [namestore-sqlite]
 FILENAME = $GNUNET_TEST_HOME/namestore/sqlite_test.db
diff --git a/src/nat/gnunet-helper-nat-server.c b/src/nat/gnunet-helper-nat-server.c
index 44817ede7..c5c6b563e 100644
--- a/src/nat/gnunet-helper-nat-server.c
+++ b/src/nat/gnunet-helper-nat-server.c
@@ -683,7 +683,10 @@ main (int argc,
     if (1 == getppid ())        /* Check the parent process id, if 1 the parent has died, so we should die too */
       break;
     if (FD_ISSET (icmpsock, &rs))
+    {
       process_icmp_response ();
+      continue;
+    }
     if (0 == (++alt % 2))
       send_icmp_echo (&external);
     else
diff --git a/src/nat/test_nat_test_data.conf b/src/nat/test_nat_test_data.conf
index 84de6159e..03850ec06 100644
--- a/src/nat/test_nat_test_data.conf
+++ b/src/nat/test_nat_test_data.conf
@@ -6,7 +6,7 @@ GNUNET_TEST_HOME = $GNUNET_TMP/nat-test
 
 [gnunet-nat-server]
 HOSTNAME = localhost
-PORT = 12345
+PORT = 57315
 
 [nat]
 # Are we behind NAT?
diff --git a/src/psyc/Makefile.am b/src/psyc/Makefile.am
index 26db608f3..d5c797f52 100644
--- a/src/psyc/Makefile.am
+++ b/src/psyc/Makefile.am
@@ -48,8 +48,8 @@ gnunet_service_psyc_CFLAGS = $(AM_CFLAGS)
 
 
 if HAVE_TESTING
-check_PROGRAMS = \
- test_psyc2
+#check_PROGRAMS = \
+# test_psyc2
 # test_psyc
 endif
 
diff --git a/src/pt/Makefile.am b/src/pt/Makefile.am
index e36630ae4..188387c0c 100644
--- a/src/pt/Makefile.am
+++ b/src/pt/Makefile.am
@@ -28,7 +28,6 @@ gnunet_daemon_pt_LDADD = \
   $(top_builddir)/src/cadet/libgnunetcadet.la \
   $(top_builddir)/src/dht/libgnunetdht.la \
   $(top_builddir)/src/dns/libgnunetdns.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
diff --git a/src/regex/Makefile.am b/src/regex/Makefile.am
index 80997db40..2af6dcccd 100644
--- a/src/regex/Makefile.am
+++ b/src/regex/Makefile.am
@@ -171,7 +171,6 @@ test_regex_integration_SOURCES = \
 test_regex_integration_LDADD = -lm \
   libgnunetregex.la \
   $(top_builddir)/src/testing/libgnunettesting.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/util/libgnunetutil.la
 
 test_regex_api_SOURCES = \
diff --git a/src/rps/gnunet-rps-profiler.c b/src/rps/gnunet-rps-profiler.c
index b43ce2fa2..16f23e86c 100644
--- a/src/rps/gnunet-rps-profiler.c
+++ b/src/rps/gnunet-rps-profiler.c
@@ -1951,9 +1951,13 @@ static void compute_probabilities (uint32_t peer_idx)
     if ((GNUNET_YES == is_in_view (i, peer_idx)) &&
         (1 <= (0.45 * view_size)))
     {
-      prob_push = 1.0 * binom (0.45 * view_size, 1)
-        /
-        binom (view_size, 0.45 * view_size);
+      if (0 == binom (view_size, 0.45 * view_size)) prob_push = 0;
+      else
+      {
+        prob_push = 1.0 * binom (0.45 * view_size, 1)
+          /
+          binom (view_size, 0.45 * view_size);
+      }
       GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
                  "\t\t%" PRIu32 " is in %" PRIu32 "'s view, prob: %f\n",
                  peer_idx,
@@ -2318,6 +2322,7 @@ post_test_shutdown_ready_cb (void *cls,
         rps_peer->index);
     GNUNET_free (stat_cls);
     GNUNET_break (0);
+    return;
   }
 
   if (NULL != rps_peer->stat_op &&
@@ -2494,7 +2499,6 @@ test_run (void *cls,
   struct OpListEntry *entry;
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "RUN was called\n");
-  printf ("test 1\n");
 
   /* Check whether we timed out */
   if (n_peers != num_peers ||
@@ -2578,7 +2582,6 @@ test_run (void *cls,
  *
  * @param argc unused
  * @param argv unused
- * @return 0 on success
  */
 static void
 run (void *cls,
@@ -2654,8 +2657,6 @@ run (void *cls,
                                                  with the malicious portion */
 
   ok = 1;
-  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-              "before _run()\n");
   GNUNET_TESTBED_run (NULL,
                       cfg,
                       num_peers,
@@ -2664,10 +2665,6 @@ run (void *cls,
                       NULL,
                       &test_run,
                       NULL);
-  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-              "after _run()\n");
-  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-              "gnunet-rps-profiler returned.\n");
 }
 
 /**
diff --git a/src/rps/gnunet-rps.c b/src/rps/gnunet-rps.c
index e09277589..b3785a733 100644
--- a/src/rps/gnunet-rps.c
+++ b/src/rps/gnunet-rps.c
@@ -150,12 +150,21 @@ run (void *cls,
   static struct GNUNET_PeerIdentity zero_pid;
 
   rps_handle = GNUNET_RPS_connect (cfg);
+  if (NULL == rps_handle)
+  {
+    FPRINTF (stderr, "Failed to connect to the rps service\n");
+    return;
+  }
 
   if ((0 == memcmp (&zero_pid, &peer_id, sizeof (peer_id))) &&
       (!view_update))
   { /* Request n PeerIDs */
     /* If number was specified use it, else request single peer. */
-    num_peers = (NULL == args[0]) ? 1 : atoi (args[0]);
+    if (NULL == args[0] ||
+        0 == sscanf (args[0], "%lu", &num_peers))
+    {
+      num_peers = 1;
+    }
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
         "Requesting %" PRIu64 " PeerIDs\n", num_peers);
     req_handle = GNUNET_RPS_request_peers (rps_handle, num_peers, reply_handle, NULL);
@@ -163,7 +172,11 @@ run (void *cls,
   } else if (view_update)
   {
     /* Get updates of view */
-    num_view_updates = (NULL == args[0]) ? 0 : atoi (args[0]);
+    if (NULL == args[0] ||
+        0 == sscanf (args[0], "%lu", &num_view_updates))
+    {
+      num_view_updates = 0;
+    }
     GNUNET_RPS_view_request (rps_handle, num_view_updates, view_update_handle, NULL);
     if (0 != num_view_updates)
       GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
diff --git a/src/rps/gnunet-service-rps.c b/src/rps/gnunet-service-rps.c
index 1b9681663..5a75ac55a 100644
--- a/src/rps/gnunet-service-rps.c
+++ b/src/rps/gnunet-service-rps.c
@@ -243,7 +243,7 @@ struct PeerContext
 
   /**
    * This is pobably followed by 'statistical' data (when we first saw
-   * him, how did we get his ID, how many pushes (in a timeinterval),
+   * it, how did we get its ID, how many pushes (in a timeinterval),
    * ...)
    */
 };
@@ -503,6 +503,8 @@ add_valid_peer (const struct GNUNET_PeerIdentity *peer)
   return ret;
 }
 
+static void
+remove_pending_message (struct PendingMessage *pending_msg, int cancel);
 
 /**
  * @brief Set the peer flag to living and
@@ -531,7 +533,7 @@ set_peer_live (struct PeerContext *peer_ctx)
          GNUNET_i2s (&peer_ctx->peer_id));
     // TODO wait until cadet sets mq->cancel_impl
     //GNUNET_MQ_send_cancel (peer_ctx->liveliness_check_pending->ev);
-    GNUNET_free (peer_ctx->liveliness_check_pending);
+    remove_pending_message (peer_ctx->liveliness_check_pending, GNUNET_YES);
     peer_ctx->liveliness_check_pending = NULL;
   }
 
@@ -653,56 +655,6 @@ get_mq (const struct GNUNET_PeerIdentity *peer)
   return peer_ctx->mq;
 }
 
-
-/**
- * @brief This is called in response to the first message we sent as a
- * liveliness check.
- *
- * @param cls #PeerContext of peer with pending liveliness check
- */
-static void
-mq_liveliness_check_successful (void *cls)
-{
-  struct PeerContext *peer_ctx = cls;
-
-  if (NULL != peer_ctx->liveliness_check_pending)
-  {
-    LOG (GNUNET_ERROR_TYPE_DEBUG,
-        "Liveliness check for peer %s was successfull\n",
-        GNUNET_i2s (&peer_ctx->peer_id));
-    GNUNET_free (peer_ctx->liveliness_check_pending);
-    peer_ctx->liveliness_check_pending = NULL;
-    set_peer_live (peer_ctx);
-  }
-}
-
-/**
- * Issue a check whether peer is live
- *
- * @param peer_ctx the context of the peer
- */
-static void
-check_peer_live (struct PeerContext *peer_ctx)
-{
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       "Get informed about peer %s getting live\n",
-       GNUNET_i2s (&peer_ctx->peer_id));
-
-  struct GNUNET_MQ_Handle *mq;
-  struct GNUNET_MQ_Envelope *ev;
-
-  ev = GNUNET_MQ_msg_header (GNUNET_MESSAGE_TYPE_RPS_PP_CHECK_LIVE);
-  peer_ctx->liveliness_check_pending = GNUNET_new (struct PendingMessage);
-  peer_ctx->liveliness_check_pending->ev = ev;
-  peer_ctx->liveliness_check_pending->peer_ctx = peer_ctx;
-  peer_ctx->liveliness_check_pending->type = "Check liveliness";
-  mq = get_mq (&peer_ctx->peer_id);
-  GNUNET_MQ_notify_sent (ev,
-                         mq_liveliness_check_successful,
-                         peer_ctx);
-  GNUNET_MQ_send (mq, ev);
-}
-
 /**
  * @brief Add an envelope to a message passed to mq to list of pending messages
  *
@@ -757,6 +709,54 @@ remove_pending_message (struct PendingMessage *pending_msg, int cancel)
 
 
 /**
+ * @brief This is called in response to the first message we sent as a
+ * liveliness check.
+ *
+ * @param cls #PeerContext of peer with pending liveliness check
+ */
+static void
+mq_liveliness_check_successful (void *cls)
+{
+  struct PeerContext *peer_ctx = cls;
+
+  if (NULL != peer_ctx->liveliness_check_pending)
+  {
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
+        "Liveliness check for peer %s was successfull\n",
+        GNUNET_i2s (&peer_ctx->peer_id));
+    remove_pending_message (peer_ctx->liveliness_check_pending, GNUNET_YES);
+    peer_ctx->liveliness_check_pending = NULL;
+    set_peer_live (peer_ctx);
+  }
+}
+
+/**
+ * Issue a check whether peer is live
+ *
+ * @param peer_ctx the context of the peer
+ */
+static void
+check_peer_live (struct PeerContext *peer_ctx)
+{
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Get informed about peer %s getting live\n",
+       GNUNET_i2s (&peer_ctx->peer_id));
+
+  struct GNUNET_MQ_Handle *mq;
+  struct GNUNET_MQ_Envelope *ev;
+
+  ev = GNUNET_MQ_msg_header (GNUNET_MESSAGE_TYPE_RPS_PP_CHECK_LIVE);
+  peer_ctx->liveliness_check_pending =
+    insert_pending_message (&peer_ctx->peer_id, ev, "Check liveliness");
+  mq = get_mq (&peer_ctx->peer_id);
+  GNUNET_MQ_notify_sent (ev,
+                         mq_liveliness_check_successful,
+                         peer_ctx);
+  GNUNET_MQ_send (mq, ev);
+}
+
+
+/**
  * @brief Check whether function of type #PeerOp was already scheduled
  *
  * The array with pending operations will probably never grow really big, so
@@ -1256,6 +1256,13 @@ Peers_remove_peer (const struct GNUNET_PeerIdentity *peer)
         "Removing unsent %s\n",
         peer_ctx->pending_messages_head->type);
     /* Cancle pending message, too */
+    if ( (NULL != peer_ctx->liveliness_check_pending) &&
+         (0 == memcmp (peer_ctx->pending_messages_head,
+                     peer_ctx->liveliness_check_pending,
+                     sizeof (struct PendingMessage))) )
+      {
+        peer_ctx->liveliness_check_pending = NULL;
+      }
     remove_pending_message (peer_ctx->pending_messages_head, GNUNET_YES);
   }
   /* If we are still waiting for notification whether this peer is live
@@ -1267,7 +1274,7 @@ Peers_remove_peer (const struct GNUNET_PeerIdentity *peer)
          GNUNET_i2s (&peer_ctx->peer_id));
     // TODO wait until cadet sets mq->cancel_impl
     //GNUNET_MQ_send_cancel (peer_ctx->liveliness_check_pending->ev);
-    GNUNET_free (peer_ctx->liveliness_check_pending);
+    remove_pending_message (peer_ctx->liveliness_check_pending, GNUNET_YES);
     peer_ctx->liveliness_check_pending = NULL;
   }
   channel_flag = Peers_get_channel_flag (peer, Peers_CHANNEL_ROLE_SENDING);
@@ -1659,10 +1666,11 @@ Peers_cleanup_destroyed_channel (void *cls,
 {
   struct GNUNET_PeerIdentity *peer = cls;
   struct PeerContext *peer_ctx;
+  uint32_t *channel_flag;
 
   if (GNUNET_NO == Peers_check_peer_known (peer))
   {/* We don't want to implicitly create a context that we're about to kill */
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
+  LOG (GNUNET_ERROR_TYPE_WARNING,
        "channel (%s) without associated context was destroyed\n",
        GNUNET_i2s (peer));
     return;
@@ -1690,12 +1698,16 @@ Peers_cleanup_destroyed_channel (void *cls,
     if (NULL != peer_ctx->send_channel)
     {
       GNUNET_CADET_channel_destroy (peer_ctx->send_channel);
+      channel_flag = Peers_get_channel_flag (&peer_ctx->peer_id, Peers_CHANNEL_ROLE_SENDING);
+      Peers_set_channel_flag (channel_flag, Peers_CHANNEL_DESTROING);
       peer_ctx->send_channel = NULL;
       peer_ctx->mq = NULL;
     }
     if (NULL != peer_ctx->recv_channel)
     {
       GNUNET_CADET_channel_destroy (peer_ctx->recv_channel);
+      channel_flag = Peers_get_channel_flag (&peer_ctx->peer_id, Peers_CHANNEL_ROLE_RECEIVING);
+      Peers_set_channel_flag (channel_flag, Peers_CHANNEL_DESTROING);
       peer_ctx->recv_channel = NULL;
     }
     /* Set the #Peers_ONLINE flag accordingly */
@@ -2728,7 +2740,7 @@ cleanup_destroyed_channel (void *cls,
       return;
     }
     else
-    { /* Other peer destroyed our sending channel that he is supposed to keep
+    { /* Other peer destroyed our sending channel that it is supposed to keep
        * open. It probably went down. Remove it from our knowledge. */
       Peers_cleanup_destroyed_channel (cls, channel);
       remove_peer (peer);
@@ -2893,7 +2905,6 @@ client_respond (void *cls,
   GNUNET_memcpy (&out_msg[1],
           peer_ids,
           num_peers * sizeof (struct GNUNET_PeerIdentity));
-  GNUNET_free (peer_ids);
 
   cli_ctx = reply_cls->cli_ctx;
   GNUNET_assert (NULL != cli_ctx);
@@ -3210,6 +3221,10 @@ handle_peer_push (void *cls,
                                    tmp_att_peer);
       add_peer_array_to_set (peer, 1, att_peer_set);
     }
+    else
+    {
+      GNUNET_free (tmp_att_peer);
+    }
   }
 
 
@@ -3588,6 +3603,7 @@ handle_client_act_malicious (void *cls,
 
     num_mal_peers_sent = ntohl (msg->num_peers) - 1;
     num_mal_peers_old = num_mal_peers;
+    GNUNET_assert (GNUNET_MAX_MALLOC_CHECKED > num_mal_peers_sent);
     GNUNET_array_grow (mal_peers,
                        num_mal_peers,
                        num_mal_peers + num_mal_peers_sent);
@@ -4172,6 +4188,7 @@ shutdown_task (void *cls)
   {
     tmp_att_peer = att_peers_head;
     GNUNET_CONTAINER_DLL_remove (att_peers_head, att_peers_tail, tmp_att_peer);
+    GNUNET_free (tmp_att_peer);
   }
   #endif /* ENABLE_MALICIOUS */
 }
diff --git a/src/rps/gnunet-service-rps_custommap.c b/src/rps/gnunet-service-rps_custommap.c
index 90177cb94..42507655b 100644
--- a/src/rps/gnunet-service-rps_custommap.c
+++ b/src/rps/gnunet-service-rps_custommap.c
@@ -220,6 +220,7 @@ CustomPeerMap_remove_peer (const struct CustomPeerMap *c_peer_map,
   GNUNET_free (index);
   GNUNET_assert (GNUNET_CONTAINER_multihashmap32_size (c_peer_map->hash_map) ==
                  GNUNET_CONTAINER_multipeermap_size (c_peer_map->peer_map));
+  GNUNET_free (p);
   return GNUNET_OK;
 }
 
diff --git a/src/rps/gnunet-service-rps_sampler.c b/src/rps/gnunet-service-rps_sampler.c
index 711d5be63..4d1ae4650 100644
--- a/src/rps/gnunet-service-rps_sampler.c
+++ b/src/rps/gnunet-service-rps_sampler.c
@@ -725,6 +725,7 @@ RPS_sampler_request_cancel (struct RPS_SamplerRequestHandle *req_handle)
     }
     GNUNET_free (i);
   }
+  GNUNET_free (req_handle->ids);
   GNUNET_CONTAINER_DLL_remove (req_handle->sampler->req_handle_head,
                                req_handle->sampler->req_handle_tail,
                                req_handle);
diff --git a/src/rps/rps-test_util.c b/src/rps/rps-test_util.c
index 9a1dfe0d8..d47e4952f 100644
--- a/src/rps/rps-test_util.c
+++ b/src/rps/rps-test_util.c
@@ -155,6 +155,9 @@ to_file_raw (const char *file_name, const char *buf, size_t size_buf)
 
     return;
   }
+  if (GNUNET_YES != GNUNET_DISK_file_close (f))
+    LOG (GNUNET_ERROR_TYPE_WARNING,
+         "Unable to close file\n");
 }
 
 void
@@ -349,10 +352,10 @@ create_file (const char *name)
   if (NULL == strstr (name, "sampler_el"))
   {/* only append random string to sampler */
     if (NULL == (file_name = GNUNET_DISK_mktemp (name_buf)))
-          LOG (GNUNET_ERROR_TYPE_WARNING, "Could not create file\n");
+      LOG (GNUNET_ERROR_TYPE_WARNING, "Could not create file\n");
 
-  GNUNET_free (name_buf);
-  return file_name;
+    GNUNET_free (name_buf);
+    return file_name;
   }
 
   return name_buf;
@@ -384,7 +387,7 @@ store_prefix_file_name (const struct GNUNET_PeerIdentity *peer,
     const char *prefix)
 {
   unsigned int len_file_name;
-  unsigned int out_size;
+  int out_size;
   char *file_name;
   const char *pid_long;
 
diff --git a/src/rps/test_rps.c b/src/rps/test_rps.c
index 3ef1e6611..08424022f 100644
--- a/src/rps/test_rps.c
+++ b/src/rps/test_rps.c
@@ -841,6 +841,13 @@ seed_peers (void *cls)
   unsigned int amount;
   unsigned int i;
 
+  if (GNUNET_YES == in_shutdown || GNUNET_YES == post_test)
+  {
+    return;
+  }
+
+  GNUNET_assert (NULL != peer->rps_handle);
+
   // TODO if malicious don't seed mal peers
   amount = round (.5 * num_peers);
 
@@ -953,6 +960,8 @@ rps_connect_complete_cb (void *cls,
   struct RPSPeer *rps_peer = cls;
   struct GNUNET_RPS_Handle *rps = ca_result;
 
+  GNUNET_assert (NULL != ca_result);
+
   if (GNUNET_YES == in_shutdown || GNUNET_YES == post_test)
   {
     return;
@@ -996,9 +1005,11 @@ rps_connect_adapter (void *cls,
   struct GNUNET_RPS_Handle *h;
 
   h = GNUNET_RPS_connect (cfg);
+  GNUNET_assert (NULL != h);
 
   if (NULL != cur_test_run.pre_test)
     cur_test_run.pre_test (cls, h);
+  GNUNET_assert (NULL != h);
 
   return h;
 }
@@ -2905,6 +2916,7 @@ main (int argc, char *argv[])
   }
 
   ret_value = cur_test_run.eval_cb();
+  
   if (NO_COLLECT_VIEW == cur_test_run.have_collect_view)
   {
     GNUNET_array_grow (rps_peers->cur_view,
diff --git a/src/secretsharing/gnunet-service-secretsharing.c b/src/secretsharing/gnunet-service-secretsharing.c
index 505af0fba..1f565cfeb 100644
--- a/src/secretsharing/gnunet-service-secretsharing.c
+++ b/src/secretsharing/gnunet-service-secretsharing.c
@@ -51,7 +51,7 @@ struct KeygenPeerInfo
   struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key;
 
   /**
-   * The peer's commitment to his presecret.
+   * The peer's commitment to its presecret.
    */
   gcry_mpi_t presecret_commitment;
 
diff --git a/src/secretsharing/secretsharing_api.c b/src/secretsharing/secretsharing_api.c
index cfb13f520..2a828f08d 100644
--- a/src/secretsharing/secretsharing_api.c
+++ b/src/secretsharing/secretsharing_api.c
@@ -314,7 +314,7 @@ handle_decrypt_done (void *cls,
  * published the same value, it will be decrypted.
  *
  * When the operation is canceled, the decrypt_cb is not called anymore, but the calling
- * peer may already have irrevocably contributed his share for the decryption of the value.
+ * peer may already have irrevocably contributed its share for the decryption of the value.
  *
  * @param share our secret share to use for decryption
  * @param ciphertext ciphertext to publish in order to decrypt it (if enough peers agree)
@@ -485,7 +485,7 @@ GNUNET_SECRETSHARING_encrypt (const struct GNUNET_SECRETSHARING_PublicKey *publi
  * Cancel a decryption.
  *
  * The decrypt_cb is not called anymore, but the calling
- * peer may already have irrevocably contributed his share for the decryption of the value.
+ * peer may already have irrevocably contributed its share for the decryption of the value.
  *
  * @param dh to cancel
  */
diff --git a/src/secretsharing/secretsharing_protocol.h b/src/secretsharing/secretsharing_protocol.h
index 7627deb30..da1454ec0 100644
--- a/src/secretsharing/secretsharing_protocol.h
+++ b/src/secretsharing/secretsharing_protocol.h
@@ -58,7 +58,7 @@ struct GNUNET_SECRETSHARING_KeygenCommitData
    */
   struct GNUNET_CRYPTO_PaillierPublicKey pubkey;
   /**
-   * Commitment of 'peer' to his presecret.
+   * Commitment of 'peer' to its presecret.
    */
   struct GNUNET_HashCode commitment GNUNET_PACKED;
 };
diff --git a/src/set/gnunet-service-set.h b/src/set/gnunet-service-set.h
index c9e59b441..f7c262eac 100644
--- a/src/set/gnunet-service-set.h
+++ b/src/set/gnunet-service-set.h
@@ -125,7 +125,7 @@ typedef struct OperationState *
  * @param op operation that is created, should be initialized to
  *        begin the evaluation
  * @param opaque_context message to be transmitted to the listener
- *        to convince him to accept, may be NULL
+ *        to convince it to accept, may be NULL
  * @return operation-specific state to keep in @a op
  */
 typedef struct OperationState *
diff --git a/src/set/gnunet-service-set_intersection.c b/src/set/gnunet-service-set_intersection.c
index 0561df406..1083384f5 100644
--- a/src/set/gnunet-service-set_intersection.c
+++ b/src/set/gnunet-service-set_intersection.c
@@ -11,7 +11,7 @@
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       Affero General Public License for more details.
-     
+
       You should have received a copy of the GNU Affero General Public License
       along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -23,6 +23,7 @@
  */
 #include "platform.h"
 #include "gnunet_util_lib.h"
+#include "gnunet_statistics_service.h"
 #include "gnunet-service-set.h"
 #include "gnunet_block_lib.h"
 #include "gnunet-service-set_protocol.h"
@@ -215,6 +216,10 @@ send_client_removed_element (struct Operation *op,
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Sending removed element (size %u) to client\n",
               element->size);
+  GNUNET_STATISTICS_update (_GSS_statistics,
+                            "# Element removed messages sent",
+                            1,
+                            GNUNET_NO);
   GNUNET_assert (0 != op->client_request_id);
   ev = GNUNET_MQ_msg_extra (rm,
                             element->size,
@@ -406,6 +411,10 @@ fail_intersection_operation (struct Operation *op)
 
   GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
               "Intersection operation failed\n");
+  GNUNET_STATISTICS_update (_GSS_statistics,
+                            "# Intersection operations failed",
+                            1,
+                            GNUNET_NO);
   if (NULL != op->state->my_elements)
   {
     GNUNET_CONTAINER_multihashmap_destroy (op->state->my_elements);
@@ -466,6 +475,10 @@ send_bloomfilter (struct Operation *op)
                                          op);
 
   /* send our Bloom filter */
+  GNUNET_STATISTICS_update (_GSS_statistics,
+                            "# Intersection Bloom filters sent",
+                            1,
+                            GNUNET_NO);
   chunk_size = 60 * 1024 - sizeof (struct BFMessage);
   if (bf_size <= chunk_size)
   {
@@ -534,6 +547,10 @@ send_client_done_and_destroy (void *cls)
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Intersection succeeded, sending DONE to local client\n");
+  GNUNET_STATISTICS_update (_GSS_statistics,
+                            "# Intersection operations succeeded",
+                            1,
+                            GNUNET_NO);
   ev = GNUNET_MQ_msg (rm,
                       GNUNET_MESSAGE_TYPE_SET_RESULT);
   rm->request_id = htonl (op->client_request_id);
@@ -695,7 +712,7 @@ initialize_map_unfiltered (void *cls,
 
 /**
  * Send our element count to the peer, in case our element count is
- * lower than his.
+ * lower than theirs.
  *
  * @param op intersection operation
  */
@@ -1077,7 +1094,7 @@ handle_intersection_p2p_done (void *cls,
  * @param op operation that is created, should be initialized to
  *        begin the evaluation
  * @param opaque_context message to be transmitted to the listener
- *        to convince him to accept, may be NULL
+ *        to convince it to accept, may be NULL
  * @return operation-specific state to keep in @a op
  */
 static struct OperationState *
diff --git a/src/set/gnunet-service-set_union.c b/src/set/gnunet-service-set_union.c
index 7af220374..c1268948a 100644
--- a/src/set/gnunet-service-set_union.c
+++ b/src/set/gnunet-service-set_union.c
@@ -11,7 +11,7 @@
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       Affero General Public License for more details.
-     
+
       You should have received a copy of the GNU Affero General Public License
       along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -758,8 +758,8 @@ get_order_from_difference (unsigned int diff)
  */
 static int
 send_full_element_iterator (void *cls,
-                       const struct GNUNET_HashCode *key,
-                       void *value)
+                            const struct GNUNET_HashCode *key,
+                            void *value)
 {
   struct Operation *op = cls;
   struct GNUNET_SET_ElementMessage *emsg;
@@ -1371,7 +1371,8 @@ send_client_element (struct Operation *op,
  *
  * @param op operation
  */
-void destroy_channel (struct Operation *op)
+static void
+destroy_channel (struct Operation *op)
 {
   struct GNUNET_CADET_Channel *channel;
 
@@ -1404,7 +1405,11 @@ send_client_done (void *cls)
 
   if (PHASE_DONE != op->state->phase) {
     LOG (GNUNET_ERROR_TYPE_WARNING,
-         "union operation failed\n");
+         "Union operation failed\n");
+    GNUNET_STATISTICS_update (_GSS_statistics,
+                              "# Union operations failed",
+                              1,
+                              GNUNET_NO);
     ev = GNUNET_MQ_msg (rm, GNUNET_MESSAGE_TYPE_SET_RESULT);
     rm->result_status = htons (GNUNET_SET_STATUS_FAILURE);
     rm->request_id = htonl (op->client_request_id);
@@ -1416,6 +1421,10 @@ send_client_done (void *cls)
 
   op->state->client_done_sent = GNUNET_YES;
 
+  GNUNET_STATISTICS_update (_GSS_statistics,
+                            "# Union operations succeeded",
+                            1,
+                            GNUNET_NO);
   LOG (GNUNET_ERROR_TYPE_INFO,
        "Signalling client that union operation is done\n");
   ev = GNUNET_MQ_msg (rm,
@@ -2149,7 +2158,7 @@ handle_union_p2p_done (void *cls,
      *
      * We should notify the active peer once
      * all our demands are satisfied, so that the active
-     * peer can quit if we gave him everything.
+     * peer can quit if we gave it everything.
      */
     GNUNET_CADET_receive_done (op->channel);
     maybe_finish (op);
@@ -2194,7 +2203,7 @@ handle_union_p2p_over (void *cls,
  *
  * @param op operation to perform (to be initialized)
  * @param opaque_context message to be transmitted to the listener
- *        to convince him to accept, may be NULL
+ *        to convince it to accept, may be NULL
  */
 static struct OperationState *
 union_evaluate (struct Operation *op,
diff --git a/src/template/template.conf b/src/template/template.conf
index e5f675a5d..24b123390 100644
--- a/src/template/template.conf
+++ b/src/template/template.conf
@@ -1,6 +1,10 @@
 [template]
 START_ON_DEMAND = NO
-PORT = 9999
+# for tests please come up with numbers that are
+# unlikely to be in use by anyone. we typically
+# use five digit numbers < 65536 with no "beauty"
+# (no repetitions, no sequences, no popularity).
+PORT = 99999
 HOSTNAME = localhost
 BINARY = gnunet-service-template
 ACCEPT_FROM = 127.0.0.1;
diff --git a/src/testbed/test_testbed_api_statistics.conf b/src/testbed/test_testbed_api_statistics.conf
index 50d3f2c04..edb2e2057 100644
--- a/src/testbed/test_testbed_api_statistics.conf
+++ b/src/testbed/test_testbed_api_statistics.conf
@@ -6,4 +6,4 @@ MAX_PARALLEL_SERVICE_CONNECTIONS = 2
 
 [statistics]
 START_ON_DEMAND = YES
-PORT = 30
+PORT = 59530
diff --git a/src/testing/test_testing_sharedservices.conf b/src/testing/test_testing_sharedservices.conf
index e41e2863c..24ce1b358 100644
--- a/src/testing/test_testing_sharedservices.conf
+++ b/src/testing/test_testing_sharedservices.conf
@@ -2,7 +2,7 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-testing/
 
 [testbed-logger]
-PORT = 15000
+PORT = 59132
 UNIXPATH = $GNUNET_RUNTIME_DIR/testbed-logger.sock
 DIR = $GNUNET_TMP/testbed-logger
 
diff --git a/src/topology/Makefile.am b/src/topology/Makefile.am
index 97e4652d0..ae69ee8bc 100644
--- a/src/topology/Makefile.am
+++ b/src/topology/Makefile.am
@@ -56,6 +56,7 @@ test_gnunet_daemon_topology_SOURCES = \
  test_gnunet_daemon_topology.c
 test_gnunet_daemon_topology_LDADD = \
  $(top_builddir)/src/testbed/libgnunettestbed.la \
+ $(top_builddir)/src/statistics/libgnunetstatistics.la \
  $(top_builddir)/src/util/libgnunetutil.la
 
 EXTRA_DIST = \
diff --git a/src/topology/gnunet-daemon-topology.c b/src/topology/gnunet-daemon-topology.c
index 829fb5352..f7a4e4525 100644
--- a/src/topology/gnunet-daemon-topology.c
+++ b/src/topology/gnunet-daemon-topology.c
@@ -111,7 +111,7 @@ struct Peer
   uint32_t strength;
 
   /**
-   * Is this peer listed here because he is a friend?
+   * Is this peer listed here because it is a friend?
    */
   int is_friend;
 
diff --git a/src/topology/test_gnunet_daemon_topology.c b/src/topology/test_gnunet_daemon_topology.c
index 7c75d1137..5359c280e 100644
--- a/src/topology/test_gnunet_daemon_topology.c
+++ b/src/topology/test_gnunet_daemon_topology.c
@@ -11,54 +11,209 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /**
  * @file topology/test_gnunet_daemon_topology.c
  * @brief testcase for topology maintenance code
+ * @author Christian Grothoff
+ * @author xrs
  */
 #include "platform.h"
 #include "gnunet_testbed_service.h"
+#include "gnunet_statistics_service.h"
 
 
 #define NUM_PEERS 8
 
+/*
+ * The threshold defines the number of connection that are needed
+ * for one peer to pass the test. Be aware that setting NUM_PEERS
+ * too high can cause bandwidth problems for the testing peers.
+ * Normal should be 5KB/s per peer. See gnunet-config -s ats.
+ */
+#define THRESHOLD NUM_PEERS/2
+
 /**
  * How long until we give up on connecting the peers?
  */
-#define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 600)
+#define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 60)
 
+/*
+ * Store manual connections.
+ */
+static unsigned int connect_left;
 
-static int ok;
+/*
+ * Result of the testcase.
+ */
+static int result;
 
-static unsigned int connect_left;
+/*
+ * Peers that reached the threshold of connections.
+ */
+static int checked_peers;
+
+/*
+ * Testbed operations.
+ */
+struct GNUNET_TESTBED_Operation *op[NUM_PEERS];
+
+/*
+ * Timeout for testcase.
+ */
+static struct GNUNET_SCHEDULER_Task *timeout_tid;
+
+/*
+ * Peer context for every testbed peer.
+ */
+struct peerctx
+{
+  int index;
+  struct GNUNET_STATISTICS_Handle *statistics;
+  int connections;
+  int reported; /* GNUNET_NO | GNUNET_YES */
+};
+
+
+static void
+shutdown_task (void *cls)
+{
+  unsigned int i;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Shutting down testcase\n");
+
+  for (i=0;i<NUM_PEERS;i++) {
+    if (NULL != op[i])
+      GNUNET_TESTBED_operation_done (op[i]);
+  }
+
+  if (NULL != timeout_tid)
+    GNUNET_SCHEDULER_cancel (timeout_tid);
+}
+
+static void
+timeout_task (void *cls)
+{
+  timeout_tid = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+              "Testcase timeout\n");
+
+  result = GNUNET_SYSERR;
+  GNUNET_SCHEDULER_shutdown();
+}
+
+/*
+ * The function is called every time the topology of connected
+ * peers to a peer changes.
+ */
+int
+statistics_iterator (void *cls,
+                     const char *subsystem,
+                     const char *name,
+                     uint64_t value,
+                     int is_persistent)
+{
+  struct peerctx *p_ctx = (struct peerctx*) cls;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Peer %d: %s = %llu\n",
+              p_ctx->index,
+              name,
+              (unsigned long long) value);
+
+  if (p_ctx->connections < value)
+    p_ctx->connections = value;
+
+  if (THRESHOLD <= value && GNUNET_NO == p_ctx->reported) {
+    p_ctx->reported = GNUNET_YES;
+    checked_peers++;
+    GNUNET_log(GNUNET_ERROR_TYPE_INFO,
+               "Peer %d successfully connected to at least %d peers once.\n",
+               p_ctx->index,
+               THRESHOLD);
+
+    if (checked_peers == NUM_PEERS) {
+      GNUNET_log(GNUNET_ERROR_TYPE_INFO,
+               "Test OK: All peers have connected to %d peers once.\n",
+               THRESHOLD);
+      result = GNUNET_YES;
+      GNUNET_SCHEDULER_shutdown();
+    }
+  }
+
+  return GNUNET_YES;
+}
+
+static void *
+ca_statistics (void *cls,
+               const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  return GNUNET_STATISTICS_create ("topology", cfg);
+}
+
+
+void
+da_statistics (void *cls,
+               void *op_result)
+{
+  struct peerctx *p_ctx = (struct peerctx *) cls;
+
+  GNUNET_break (GNUNET_OK == GNUNET_STATISTICS_watch_cancel
+                (p_ctx->statistics, "topology", "# peers connected",
+                 statistics_iterator, p_ctx));
+
+  GNUNET_STATISTICS_destroy (p_ctx->statistics, GNUNET_NO);
+  p_ctx->statistics = NULL;
+
+  GNUNET_free (p_ctx);
+}
 
 
 static void
+service_connect_complete (void *cls,
+                          struct GNUNET_TESTBED_Operation *op,
+                          void *ca_result,
+                          const char *emsg)
+{
+  int ret;
+  struct peerctx *p_ctx = (struct peerctx*) cls;
+
+  if (NULL == ca_result)
+    GNUNET_SCHEDULER_shutdown();
+
+  p_ctx->statistics = ca_result;
+
+  ret = GNUNET_STATISTICS_watch (ca_result,
+                                 "topology",
+                                 "# peers connected",
+                                 statistics_iterator,
+                                 p_ctx);
+
+  if (GNUNET_NO == ret)
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "call to GNUNET_STATISTICS_watch() failed\n");
+}
+
+static void
 notify_connect_complete (void *cls,
-                         struct GNUNET_TESTBED_Operation *op,
-                         const char *emsg)
+                         struct GNUNET_TESTBED_Operation *op,
+                         const char *emsg)
 {
   GNUNET_TESTBED_operation_done (op);
   if (NULL != emsg)
   {
     FPRINTF (stderr, "Failed to connect two peers: %s\n", emsg);
+    result = GNUNET_SYSERR;
     GNUNET_SCHEDULER_shutdown ();
-    ok = 1;
     return;
   }
   connect_left--;
-  if (0 == connect_left)
-  {
-    /* FIXME: check that topology adds a few more links
-     * in addition to those that were seeded */
-    GNUNET_SCHEDULER_shutdown ();
-  }
 }
 
-
 static void
 do_connect (void *cls,
             struct GNUNET_TESTBED_RunHandle *h,
@@ -68,28 +223,62 @@ do_connect (void *cls,
             unsigned int links_failed)
 {
   unsigned int i;
+  struct peerctx *p_ctx;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Threshold is set to %d.\n",
+              THRESHOLD);
 
   GNUNET_assert (NUM_PEERS == num_peers);
-  for (i=0;i<num_peers-1;i++)
+
+  for (i=0;i<NUM_PEERS;i++)
     {
-      connect_left++;
-      GNUNET_TESTBED_overlay_connect (NULL,
-                                      &notify_connect_complete, NULL,
-                                      peers[i], peers[i+1]);
+      p_ctx = GNUNET_new (struct peerctx);
+      p_ctx->index = i;
+      p_ctx->connections = 0;
+      p_ctx->reported = GNUNET_NO;
+
+      if (i<NUM_PEERS-1) {
+        connect_left++;
+        GNUNET_TESTBED_overlay_connect (NULL,
+                                        &notify_connect_complete, NULL,
+                                        peers[i], peers[i+1]);
+      }
+
+      op[i] =
+        GNUNET_TESTBED_service_connect (cls,
+                                        peers[i],
+                                        "statistics",
+                                        service_connect_complete,
+                                        p_ctx, /* cls of completion cb */
+                                        ca_statistics, /* connect adapter */
+                                        da_statistics, /* disconnect adapter */
+                                        p_ctx);
+
     }
+
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+  timeout_tid =
+    GNUNET_SCHEDULER_add_delayed (TIMEOUT,
+                                  &timeout_task,
+                                  NULL);
 }
 
 
 int
 main (int argc, char *argv[])
 {
+  result = GNUNET_SYSERR;
+  checked_peers = 0;
+
   (void) GNUNET_TESTBED_test_run ("test-gnunet-daemon-topology",
                                   "test_gnunet_daemon_topology_data.conf",
                                   NUM_PEERS,
                                   0, NULL, NULL,
                                   &do_connect, NULL);
   GNUNET_DISK_directory_remove ("/tmp/test-gnunet-topology");
-  return ok;
+
+  return (GNUNET_OK != result) ? 1 : 0;
 }
 
 /* end of test_gnunet_daemon_topology.c */
diff --git a/src/transport/gnunet-service-transport.c b/src/transport/gnunet-service-transport.c
index 6ebc6da8c..8c4f33fd0 100644
--- a/src/transport/gnunet-service-transport.c
+++ b/src/transport/gnunet-service-transport.c
@@ -612,7 +612,7 @@ notify_client_about_neighbour (void *cls,
 
 /**
  * Initialize a normal client.  We got a start message from this
- * client, add him to the list of clients for broadcasting of inbound
+ * client, add it to the list of clients for broadcasting of inbound
  * messages.
  *
  * @param cls the client
@@ -2173,7 +2173,7 @@ test_connection_ok (void *cls,
 
 /**
  * Initialize a blacklisting client.  We got a blacklist-init
- * message from this client, add him to the list of clients
+ * message from this client, add it to the list of clients
  * to query for blacklisting.
  *
  * @param cls the client
diff --git a/src/transport/gnunet-service-transport_neighbours.c b/src/transport/gnunet-service-transport_neighbours.c
index b1f3965ad..3965bc13e 100644
--- a/src/transport/gnunet-service-transport_neighbours.c
+++ b/src/transport/gnunet-service-transport_neighbours.c
@@ -179,7 +179,7 @@ struct GNUNET_ATS_SessionQuotaMessage
 
 
 /**
- * Message we send to the other peer to notify him that we intentionally
+ * Message we send to the other peer to notify it that we intentionally
  * are disconnecting (to reduce timeouts).  This is just a friendly
  * notification, peers must not rely on always receiving disconnect
  * messages.
@@ -3081,7 +3081,7 @@ master_task (void *cls)
 
 /**
  * Send a ACK message to the neighbour to confirm that we
- * got his SYN_ACK.
+ * got its SYN_ACK.
  *
  * @param n neighbour to send the ACK to
  */
diff --git a/src/transport/test_plugin_transport_data.conf b/src/transport/test_plugin_transport_data.conf
index cbecc56ed..b667a4854 100644
--- a/src/transport/test_plugin_transport_data.conf
+++ b/src/transport/test_plugin_transport_data.conf
@@ -3,10 +3,10 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunetd-plugin-transport/
 
 [transport-tcp]
-PORT = 2400
+PORT = 52400
 
 [transport-udp]
-PORT = 2401
+PORT = 52401
 
 [transport-wlan]
 INTERFACE = mon0
@@ -17,29 +17,29 @@ INTERFACE = hci0
 TESTMODE = 1
 
 [transport-http_server]
-PORT = 2402
+PORT = 52402
 
 [transport-https_server]
-PORT = 2403
+PORT = 52403
 
 [arm]
-PORT = 2360
+PORT = 52360
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-arm.sock
 
 [statistics]
-PORT = 2361
+PORT = 52361
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-statistics.sock
 
 [resolver]
-PORT = 2362
+PORT = 52362
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-resolver.sock
 
 [peerinfo]
-PORT = 2363
+PORT = 52363
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-peerinfo.sock
 
 [transport]
-PORT = 2364
+PORT = 52364
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-transport.sock
 
 [nat]
diff --git a/src/transport/test_quota_compliance_data.conf b/src/transport/test_quota_compliance_data.conf
index 47c523bcf..1bc607770 100644
--- a/src/transport/test_quota_compliance_data.conf
+++ b/src/transport/test_quota_compliance_data.conf
@@ -3,22 +3,22 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunetd-plugin-transport/
 
 [transport-tcp]
-PORT = 2368
+PORT = 52368
 TIMEOUT = 5 s
 
 [arm]
-PORT = 2366
+PORT = 52366
 
 [statistics]
-PORT = 2367
+PORT = 52367
 
 [resolver]
-PORT = 2364
+PORT = 52364
 
 [peerinfo]
-PORT = 2369
+PORT = 52369
 
 [transport]
-PORT = 2365
+PORT = 52365
 
 
diff --git a/src/transport/test_quota_compliance_http_asymmetric_peer1.conf b/src/transport/test_quota_compliance_http_asymmetric_peer1.conf
index 201bafd01..b2ff1913f 100644
--- a/src/transport/test_quota_compliance_http_asymmetric_peer1.conf
+++ b/src/transport/test_quota_compliance_http_asymmetric_peer1.conf
@@ -5,23 +5,23 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1
 [transport-http_client]
 
 [arm]
-PORT = 4015
+PORT = 54015
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_arm_peer1.sock
 
 [statistics]
-PORT = 4014
+PORT = 54014
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_statistics_peer1.sock
 
 [resolver]
-PORT = 4013
+PORT = 54013
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4012
+PORT = 54012
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_peerinfo_peer1.sock
 
 [transport]
-PORT = 4011
+PORT = 54011
 PLUGINS = http_client
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_http_asymmetric_peer2.conf b/src/transport/test_quota_compliance_http_asymmetric_peer2.conf
index cdc10516b..3408d9f2e 100644
--- a/src/transport/test_quota_compliance_http_asymmetric_peer2.conf
+++ b/src/transport/test_quota_compliance_http_asymmetric_peer2.conf
@@ -3,29 +3,29 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [transport-http_server]
-PORT = 3010
+PORT = 53010
 USE_IPv6 = NO
 BINDTO = 127.0.0.1
 
 
 [arm]
-PORT = 3015
+PORT = 53015
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_arm_peer2.sock
 
 [statistics]
-PORT = 3014
+PORT = 53014
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_statistics_peer2.sock
 
 [resolver]
-PORT = 3013
+PORT = 53013
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3012
+PORT = 53012
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_peerinfo_peer2.sock
 
 [transport]
-PORT = 3011
+PORT = 53011
 PLUGINS = http_server
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_transport_peer2.sock
 
diff --git a/src/transport/test_quota_compliance_http_peer1.conf b/src/transport/test_quota_compliance_http_peer1.conf
index 201bafd01..b2ff1913f 100644
--- a/src/transport/test_quota_compliance_http_peer1.conf
+++ b/src/transport/test_quota_compliance_http_peer1.conf
@@ -5,23 +5,23 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1
 [transport-http_client]
 
 [arm]
-PORT = 4015
+PORT = 54015
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_arm_peer1.sock
 
 [statistics]
-PORT = 4014
+PORT = 54014
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_statistics_peer1.sock
 
 [resolver]
-PORT = 4013
+PORT = 54013
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4012
+PORT = 54012
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_peerinfo_peer1.sock
 
 [transport]
-PORT = 4011
+PORT = 54011
 PLUGINS = http_client
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_http_peer2.conf b/src/transport/test_quota_compliance_http_peer2.conf
index cdc10516b..3408d9f2e 100644
--- a/src/transport/test_quota_compliance_http_peer2.conf
+++ b/src/transport/test_quota_compliance_http_peer2.conf
@@ -3,29 +3,29 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [transport-http_server]
-PORT = 3010
+PORT = 53010
 USE_IPv6 = NO
 BINDTO = 127.0.0.1
 
 
 [arm]
-PORT = 3015
+PORT = 53015
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_arm_peer2.sock
 
 [statistics]
-PORT = 3014
+PORT = 53014
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_statistics_peer2.sock
 
 [resolver]
-PORT = 3013
+PORT = 53013
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3012
+PORT = 53012
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_peerinfo_peer2.sock
 
 [transport]
-PORT = 3011
+PORT = 53011
 PLUGINS = http_server
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_http_transport_peer2.sock
 
diff --git a/src/transport/test_quota_compliance_https_asymmetric_peer1.conf b/src/transport/test_quota_compliance_https_asymmetric_peer1.conf
index 3e8895665..94aa534ef 100644
--- a/src/transport/test_quota_compliance_https_asymmetric_peer1.conf
+++ b/src/transport/test_quota_compliance_https_asymmetric_peer1.conf
@@ -5,23 +5,23 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1/
 [transport-https_client]
 
 [arm]
-PORT = 4006
+PORT = 54006
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_arm_peer1.sock
 
 [statistics]
-PORT = 4005
+PORT = 54005
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_statistics_peer1.sock
 
 [resolver]
-PORT = 4004
+PORT = 54004
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4003
+PORT = 54003
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_peerinfo_peer1.sock
 
 [transport]
-PORT = 4002
+PORT = 54002
 PLUGINS = https_client
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_https_asymmetric_peer2.conf b/src/transport/test_quota_compliance_https_asymmetric_peer2.conf
index e0ff8da9f..8fb8861cd 100644
--- a/src/transport/test_quota_compliance_https_asymmetric_peer2.conf
+++ b/src/transport/test_quota_compliance_https_asymmetric_peer2.conf
@@ -3,28 +3,28 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [transport-https_server]
-PORT = 3001
+PORT = 53001
 KEY_FILE = https_key_quota_p2.key
 CERT_FILE = https_cert_qutoa_p2.crt
 
 [arm]
-PORT = 3006
+PORT = 53006
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_arm_peer2.sock
 
 [statistics]
-PORT = 3005
+PORT = 53005
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_statistics_peer2.sock
 
 [resolver]
-PORT = 3004
+PORT = 53004
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3003
+PORT = 53003
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_peerinfo_peer2.sock
 
 [transport]
-PORT = 3002
+PORT = 53002
 PLUGINS = https_server
 UNIXPATH = $GNUNET_RUNTIME_DIR/https_transport_peer2.sock
 
diff --git a/src/transport/test_quota_compliance_https_peer1.conf b/src/transport/test_quota_compliance_https_peer1.conf
index 3e8895665..94aa534ef 100644
--- a/src/transport/test_quota_compliance_https_peer1.conf
+++ b/src/transport/test_quota_compliance_https_peer1.conf
@@ -5,23 +5,23 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1/
 [transport-https_client]
 
 [arm]
-PORT = 4006
+PORT = 54006
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_arm_peer1.sock
 
 [statistics]
-PORT = 4005
+PORT = 54005
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_statistics_peer1.sock
 
 [resolver]
-PORT = 4004
+PORT = 54004
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4003
+PORT = 54003
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_peerinfo_peer1.sock
 
 [transport]
-PORT = 4002
+PORT = 54002
 PLUGINS = https_client
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_https_peer2.conf b/src/transport/test_quota_compliance_https_peer2.conf
index e0ff8da9f..8fb8861cd 100644
--- a/src/transport/test_quota_compliance_https_peer2.conf
+++ b/src/transport/test_quota_compliance_https_peer2.conf
@@ -3,28 +3,28 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [transport-https_server]
-PORT = 3001
+PORT = 53001
 KEY_FILE = https_key_quota_p2.key
 CERT_FILE = https_cert_qutoa_p2.crt
 
 [arm]
-PORT = 3006
+PORT = 53006
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_arm_peer2.sock
 
 [statistics]
-PORT = 3005
+PORT = 53005
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_statistics_peer2.sock
 
 [resolver]
-PORT = 3004
+PORT = 53004
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3003
+PORT = 53003
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_https_peerinfo_peer2.sock
 
 [transport]
-PORT = 3002
+PORT = 53002
 PLUGINS = https_server
 UNIXPATH = $GNUNET_RUNTIME_DIR/https_transport_peer2.sock
 
diff --git a/src/transport/test_quota_compliance_tcp_asymmetric_peer1.conf b/src/transport/test_quota_compliance_tcp_asymmetric_peer1.conf
index 59fbbff5b..0e0cbff24 100644
--- a/src/transport/test_quota_compliance_tcp_asymmetric_peer1.conf
+++ b/src/transport/test_quota_compliance_tcp_asymmetric_peer1.conf
@@ -3,29 +3,29 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test-transport/quota-tcp-p1/
 
 [transport-tcp]
-PORT = 4094
+PORT = 54094
 
 [transport-udp]
-PORT = 4094
+PORT = 54094
 
 [arm]
-PORT = 4087
+PORT = 54087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_arm_peer1.sock
 
 [statistics]
-PORT = 4088
+PORT = 54088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_statistics_peer1.sock
 
 [resolver]
-PORT = 4089
+PORT = 54089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4090
+PORT = 54090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_peerinfo_peer1.sock
 
 [transport]
-PORT = 4091
+PORT = 54091
 PLUGINS = tcp
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_tcp_peer1.conf b/src/transport/test_quota_compliance_tcp_peer1.conf
index 59fbbff5b..0e0cbff24 100644
--- a/src/transport/test_quota_compliance_tcp_peer1.conf
+++ b/src/transport/test_quota_compliance_tcp_peer1.conf
@@ -3,29 +3,29 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test-transport/quota-tcp-p1/
 
 [transport-tcp]
-PORT = 4094
+PORT = 54094
 
 [transport-udp]
-PORT = 4094
+PORT = 54094
 
 [arm]
-PORT = 4087
+PORT = 54087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_arm_peer1.sock
 
 [statistics]
-PORT = 4088
+PORT = 54088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_statistics_peer1.sock
 
 [resolver]
-PORT = 4089
+PORT = 54089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4090
+PORT = 54090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_peerinfo_peer1.sock
 
 [transport]
-PORT = 4091
+PORT = 54091
 PLUGINS = tcp
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_tcp_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_udp_peer1.conf b/src/transport/test_quota_compliance_udp_peer1.conf
index b7c3159b8..bba75c168 100644
--- a/src/transport/test_quota_compliance_udp_peer1.conf
+++ b/src/transport/test_quota_compliance_udp_peer1.conf
@@ -3,27 +3,27 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1/
 
 [transport-udp]
-PORT = 4368
+PORT = 54368
 MAX_BPS = 50000000
 
 [arm]
-PORT = 4087
+PORT = 54087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_arm_peer1.sock
 
 [statistics]
-PORT = 4088
+PORT = 54088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_statistics_peer1.sock
 
 [resolver]
-PORT = 4089
+PORT = 54089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4090
+PORT = 54090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_peerinfo_peer1.sock
 
 [transport]
-PORT = 4091
+PORT = 54091
 PLUGINS = udp
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_transport_peer1.sock
 
diff --git a/src/transport/test_quota_compliance_udp_peer2.conf b/src/transport/test_quota_compliance_udp_peer2.conf
index 70e61db05..1cb04038c 100644
--- a/src/transport/test_quota_compliance_udp_peer2.conf
+++ b/src/transport/test_quota_compliance_udp_peer2.conf
@@ -3,27 +3,27 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [transport-udp]
-PORT = 3368
+PORT = 53368
 MAX_BPS = 50000000
 
 [arm]
-PORT = 3087
+PORT = 53087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_arm_peer2.sock
 
 [statistics]
-PORT = 3088
+PORT = 53088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_statistics_peer2.sock
 
 [resolver]
-PORT = 3089
+PORT = 53089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3090
+PORT = 53090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_peerinfo_peer2.sock
 
 [transport]
-PORT = 3091
+PORT = 53091
 PLUGINS = udp
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_udp_transport_peer2.sock
 
diff --git a/src/transport/test_quota_compliance_unix_asymmetric_peer1.conf b/src/transport/test_quota_compliance_unix_asymmetric_peer1.conf
index 8d6073b67..a8ee6d77a 100644
--- a/src/transport/test_quota_compliance_unix_asymmetric_peer1.conf
+++ b/src/transport/test_quota_compliance_unix_asymmetric_peer1.conf
@@ -3,26 +3,26 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1/
 
 [arm]
-PORT = 4087
+PORT = 54087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_arm_peer1.sock
 
 [statistics]
-PORT = 4088
+PORT = 54088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_statistics_peer1.sock
 
 [resolver]
-PORT = 4089
+PORT = 54089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4090
+PORT = 54090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_peerinfo_peer1.sock
 
 [transport]
-PORT = 4091
+PORT = 54091
 PLUGINS = unix
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_transport_peer1.sock
 
 [transport-unix]
-PORT = 4092
+PORT = 54092
 
diff --git a/src/transport/test_quota_compliance_unix_asymmetric_peer2.conf b/src/transport/test_quota_compliance_unix_asymmetric_peer2.conf
index a3a42f739..6edbcac9f 100644
--- a/src/transport/test_quota_compliance_unix_asymmetric_peer2.conf
+++ b/src/transport/test_quota_compliance_unix_asymmetric_peer2.conf
@@ -3,26 +3,26 @@
 GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 
 [arm]
-PORT = 3087
+PORT = 53087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_arm_peer2.sock
 
 [statistics]
-PORT = 3088
+PORT = 53088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_statistics_peer2.sock
 
 [resolver]
-PORT = 3089
+PORT = 53089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3090
+PORT = 53090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_peerinfo_peer2.sock
 
 [transport]
-PORT = 3091
+PORT = 53091
 PLUGINS = unix
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_transport_peer2.sock
 
 [transport-unix]
-PORT = 3368
+PORT = 53368
 
diff --git a/src/transport/test_quota_compliance_unix_peer1.conf b/src/transport/test_quota_compliance_unix_peer1.conf
index d9255705c..59c8d6d9e 100644
--- a/src/transport/test_quota_compliance_unix_peer1.conf
+++ b/src/transport/test_quota_compliance_unix_peer1.conf
@@ -6,22 +6,22 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer1/
 PORT = 12120
 
 [arm]
-PORT = 4087
+PORT = 54087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_arm_peer1.sock
 
 [statistics]
-PORT = 4088
+PORT = 54088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_statistics_peer1.sock
 
 [resolver]
-PORT = 4089
+PORT = 54089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_resolver_peer1.sock
 
 [peerinfo]
-PORT = 4090
+PORT = 54090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_peerinfo_peer1.sock
 
 [transport]
-PORT = 4091
+PORT = 54091
 PLUGINS = unix
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_transport_peer1.sock
diff --git a/src/transport/test_quota_compliance_unix_peer2.conf b/src/transport/test_quota_compliance_unix_peer2.conf
index b7ba15d86..8c2f9989e 100644
--- a/src/transport/test_quota_compliance_unix_peer2.conf
+++ b/src/transport/test_quota_compliance_unix_peer2.conf
@@ -6,26 +6,26 @@ GNUNET_TEST_HOME = $GNUNET_TMP/test_quota_compliance_peer2
 PORT = 12136
 
 [arm]
-PORT = 3087
+PORT = 53087
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_arm_peer2.sock
 
 [statistics]
-PORT = 3088
+PORT = 53088
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_statistics_peer2.sock
 
 [resolver]
-PORT = 3089
+PORT = 53089
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_resolver_peer2.sock
 
 [peerinfo]
-PORT = 3090
+PORT = 53090
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_peerinfo_peer2.sock
 
 [transport]
-PORT = 3091
+PORT = 53091
 PLUGINS = unix
 UNIXPATH = $GNUNET_RUNTIME_DIR/test_quota_compliance_unix_transport_peer2.sock
 
 [transport-unix]
-PORT = 3368
+PORT = 53368
 
diff --git a/src/transport/test_transport_api_data.conf b/src/transport/test_transport_api_data.conf
index 58b8e17b0..c06235a0a 100644
--- a/src/transport/test_transport_api_data.conf
+++ b/src/transport/test_transport_api_data.conf
@@ -2,8 +2,8 @@
 [PATHS]
 
 [transport-tcp]
-PORT = 2094
+PORT = 52094
 
 [transport-udp]
-PORT = 2094
+PORT = 52094
 
diff --git a/src/transport/test_transport_api_reliability_tcp_nat_peer1.conf b/src/transport/test_transport_api_reliability_tcp_nat_peer1.conf
index 6aa9dbf22..6a2029b09 100644
--- a/src/transport/test_transport_api_reliability_tcp_nat_peer1.conf
+++ b/src/transport/test_transport_api_reliability_tcp_nat_peer1.conf
@@ -12,7 +12,7 @@ PORT = 0
 TIMEOUT = 5 s
 
 [arm]
-PORT = 1204
+PORT = 51204
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-p1-service-arm.sock
 
 [statistics]
diff --git a/src/transport/test_transport_api_tcp_nat_peer1.conf b/src/transport/test_transport_api_tcp_nat_peer1.conf
index b8d83ce29..fb2fcecc6 100644
--- a/src/transport/test_transport_api_tcp_nat_peer1.conf
+++ b/src/transport/test_transport_api_tcp_nat_peer1.conf
@@ -12,7 +12,7 @@ PORT = 0
 TIMEOUT = 5 s
 
 [arm]
-PORT = 1204
+PORT = 51204
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-p1-service-arm.sock
 
 [statistics]
diff --git a/src/transport/transport.conf.in b/src/transport/transport.conf.in
index 4185acc29..c6b207ad7 100644
--- a/src/transport/transport.conf.in
+++ b/src/transport/transport.conf.in
@@ -9,7 +9,8 @@ BINARY = gnunet-service-transport
 NEIGHBOUR_LIMIT = 50
 ACCEPT_FROM = 127.0.0.1;
 ACCEPT_FROM6 = ::1;
-PLUGINS = tcp udp
+# TCP is the only transport plugin known to work "reliably"
+PLUGINS = tcp
 UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-transport.sock
 BLACKLIST_FILE = $GNUNET_CONFIG_HOME/transport/blacklist
 UNIX_MATCH_UID = NO
diff --git a/src/tun/.gitignore b/src/tun/.gitignore
deleted file mode 100644
index b26685596..000000000
--- a/src/tun/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-test_regex
-test_tun
diff --git a/src/tun/Makefile.am b/src/tun/Makefile.am
deleted file mode 100644
index c741f5654..000000000
--- a/src/tun/Makefile.am
+++ /dev/null
@@ -1,46 +0,0 @@
-# This Makefile.am is in the public domain
-AM_CPPFLAGS = -I$(top_srcdir)/src/include
-
-if MINGW
-  WINFLAGS = -Wl,--no-undefined -Wl,--export-all-symbols
-endif
-
-if USE_COVERAGE
-  AM_CFLAGS = --coverage -O0
-  XLIB = -lgcov
-endif
-
-lib_LTLIBRARIES = libgnunettun.la
-
-libgnunettun_la_SOURCES = \
-  tun.c \
-  regex.c
-libgnunettun_la_LIBADD = \
- $(top_builddir)/src/util/libgnunetutil.la $(XLIB) \
- $(LTLIBINTL)
-libgnunettun_la_LDFLAGS = \
-  $(GN_LIB_LDFLAGS) \
-  -version-info 1:0:1
-
-
-check_PROGRAMS = \
- test_tun \
- test_regex
-
-if ENABLE_TEST_RUN
-AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
-TESTS = $(check_PROGRAMS)
-endif
-
-test_tun_SOURCES = \
- test_tun.c
-test_tun_LDADD = \
- $(top_builddir)/src/util/libgnunetutil.la \
- libgnunettun.la
-
-
-test_regex_SOURCES = \
- test_regex.c
-test_regex_LDADD = \
- $(top_builddir)/src/util/libgnunetutil.la \
- libgnunettun.la
diff --git a/src/util/.gitignore b/src/util/.gitignore
index 23139a1ab..7b190ca76 100644
--- a/src/util/.gitignore
+++ b/src/util/.gitignore
@@ -69,3 +69,7 @@ perf_crypto_hash
 perf_crypto_symmetric
 perf_crypto_rsa
 perf_crypto_ecc_dlog
+test_hexcoder 
+test_regex
+test_tun
+gnunet-timeout
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 4296199db..4ae073c2c 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -89,6 +89,8 @@ libgnunetutil_la_SOURCES = \
   crypto_rsa.c \
   disk.c \
   disk.h \
+  dnsparser.c \
+  dnsstub.c \
   getopt.c \
   getopt_helpers.c \
   helper.c \
@@ -104,12 +106,14 @@ libgnunetutil_la_SOURCES = \
   peer.c \
   plugin.c \
   program.c \
+  regex.c \
   resolver_api.c resolver.h \
   scheduler.c \
   service.c \
   signal.c \
   strings.c \
   time.c \
+  tun.c \
   speedup.c speedup.h
 
 libgnunetutil_la_LIBADD = \
@@ -117,7 +121,7 @@ libgnunetutil_la_LIBADD = \
   $(LIBGCRYPT_LIBS) \
   $(LTLIBICONV) \
   $(LTLIBINTL) \
-  -lltdl $(Z_LIBS) -lunistring $(XLIB)
+  -lltdl -lidn $(Z_LIBS) -lunistring $(XLIB)
 
 libgnunetutil_la_LDFLAGS = \
   $(GN_LIB_LDFLAGS) \
@@ -162,6 +166,7 @@ lib_LTLIBRARIES = libgnunetutil.la
 
 libexec_PROGRAMS = \
  gnunet-service-resolver \
+ gnunet-timeout \
  $(W32CONSOLEHELPER)
 
 bin_SCRIPTS =\
@@ -188,6 +193,15 @@ endif
 endif
 
 
+if !MINGW
+gnunet_timeout_SOURCES = \
+ gnunet-timeout.c
+else
+gnunet_timeout_SOURCES = \
+ gnunet-timeout-w32.c
+endif
+
+
 do_subst = $(SED) -e 's,[@]PYTHON[@],$(PYTHON),g'
 
 gnunet-qr: gnunet-qr.py.in Makefile
@@ -291,19 +305,22 @@ check_PROGRAMS = \
  test_crypto_rsa \
  test_disk \
  test_getopt \
+ test_hexcoder \
  test_mq \
  test_os_network \
  test_peer \
  test_plugin \
  test_program \
+ test_regex \
  test_resolver_api.nc \
  test_scheduler \
  test_scheduler_delay \
  test_service \
  test_strings \
  test_strings_to_data \
- test_time \
  test_speedup \
+ test_time \
+ test_tun \
  $(BENCHMARKS) \
  test_os_start_process \
  test_common_logging_runtime_loglevels
@@ -319,6 +336,20 @@ test_bio_SOURCES = \
 test_bio_LDADD = \
  libgnunetutil.la
 
+test_hexcoder_SOURCES = \
+ test_hexcoder.c
+test_hexcoder_LDADD = \
+ libgnunetutil.la
+
+test_tun_SOURCES = \
+ test_tun.c
+test_tun_LDADD = \
+ libgnunetutil.la
+
+test_regex_SOURCES = \
+ test_regex.c
+test_regex_LDADD = \
+ libgnunetutil.la
 
 test_os_start_process_SOURCES = \
  test_os_start_process.c
@@ -601,4 +632,4 @@ EXTRA_DIST = \
   test_resolver_api_data.conf \
   test_service_data.conf \
   test_speedup_data.conf \
-  gnunet-qr.py.in 
+  gnunet-qr.py.in
diff --git a/src/util/client.c b/src/util/client.c
index 44e326eab..1f569255a 100644
--- a/src/util/client.c
+++ b/src/util/client.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -721,6 +721,17 @@ test_service_configuration (const char *service_name,
                                                 &unixpath)) &&
       (0 < strlen (unixpath)))
     ret = GNUNET_OK;
+  else if ((GNUNET_OK ==
+            GNUNET_CONFIGURATION_have_value (cfg,
+                                             service_name,
+                                             "UNIXPATH")))
+  {
+    GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                               service_name,
+                               "UNIXPATH",
+                               _("not a valid filename"));
+    return GNUNET_SYSERR; /* UNIXPATH specified but invalid! */
+  }
   GNUNET_free_non_null (unixpath);
 #endif
 
diff --git a/src/dns/dnsparser.c b/src/util/dnsparser.c
index 32ad7c0c2..6fb6d657f 100644
--- a/src/dns/dnsparser.c
+++ b/src/util/dnsparser.c
@@ -11,7 +11,7 @@
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       Affero General Public License for more details.
-     
+
       You should have received a copy of the GNU Affero General Public License
       along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
@@ -28,8 +28,6 @@
 #include <idn-free.h>
 #endif
 #include "gnunet_util_lib.h"
-#include "gnunet_dnsparser_lib.h"
-#include "gnunet_tun_lib.h"
 
 
 /**
@@ -545,7 +543,9 @@ GNUNET_DNSPARSER_parse_cert (const char *udp_payload,
     GNUNET_break_op (0);
     return NULL;
   }
-  GNUNET_memcpy (&dcert, &udp_payload[*off], sizeof (struct GNUNET_TUN_DnsCertRecord));
+  GNUNET_memcpy (&dcert,
+                 &udp_payload[*off],
+                 sizeof (struct GNUNET_TUN_DnsCertRecord));
   (*off) += sizeof (struct GNUNET_TUN_DnsCertRecord);
   cert = GNUNET_new (struct GNUNET_DNSPARSER_CertRecord);
   cert->cert_type = ntohs (dcert.cert_type);
@@ -554,8 +554,8 @@ GNUNET_DNSPARSER_parse_cert (const char *udp_payload,
   cert->certificate_size = udp_payload_length - (*off);
   cert->certificate_data = GNUNET_malloc (cert->certificate_size);
   GNUNET_memcpy (cert->certificate_data,
-          &udp_payload[*off],
-          cert->certificate_size);
+                 &udp_payload[*off],
+                 cert->certificate_size);
   (*off) += cert->certificate_size;
   return cert;
 }
@@ -684,7 +684,6 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
   const struct GNUNET_TUN_DnsHeader *dns;
   size_t off;
   unsigned int n;
-  unsigned int i;
 
   if (udp_payload_length < sizeof (struct GNUNET_TUN_DnsHeader))
     return NULL;
@@ -696,9 +695,10 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
   n = ntohs (dns->query_count);
   if (n > 0)
   {
-    p->queries = GNUNET_malloc (n * sizeof (struct GNUNET_DNSPARSER_Query));
+    p->queries = GNUNET_new_array (n,
+                                   struct GNUNET_DNSPARSER_Query);
     p->num_queries = n;
-    for (i=0;i<n;i++)
+    for (unsigned int i=0;i<n;i++)
       if (GNUNET_OK !=
           GNUNET_DNSPARSER_parse_query (udp_payload,
                                         udp_payload_length,
@@ -709,9 +709,10 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
   n = ntohs (dns->answer_rcount);
   if (n > 0)
   {
-    p->answers = GNUNET_malloc (n * sizeof (struct GNUNET_DNSPARSER_Record));
+    p->answers = GNUNET_new_array (n,
+                                   struct GNUNET_DNSPARSER_Record);
     p->num_answers = n;
-    for (i=0;i<n;i++)
+    for (unsigned int i=0;i<n;i++)
       if (GNUNET_OK !=
           GNUNET_DNSPARSER_parse_record (udp_payload,
                                          udp_payload_length,
@@ -722,9 +723,10 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
   n = ntohs (dns->authority_rcount);
   if (n > 0)
   {
-    p->authority_records = GNUNET_malloc (n * sizeof (struct GNUNET_DNSPARSER_Record));
+    p->authority_records = GNUNET_new_array (n,
+                                             struct GNUNET_DNSPARSER_Record);
     p->num_authority_records = n;
-    for (i=0;i<n;i++)
+    for (unsigned int i=0;i<n;i++)
       if (GNUNET_OK !=
           GNUNET_DNSPARSER_parse_record (udp_payload,
                                          udp_payload_length,
@@ -735,15 +737,18 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
   n = ntohs (dns->additional_rcount);
   if (n > 0)
   {
-    p->additional_records = GNUNET_malloc (n * sizeof (struct GNUNET_DNSPARSER_Record));
+    p->additional_records = GNUNET_new_array (n,
+                                              struct GNUNET_DNSPARSER_Record);
     p->num_additional_records = n;
-    for (i=0;i<n;i++)
+    for (unsigned int i=0;i<n;i++)
+    {
       if (GNUNET_OK !=
           GNUNET_DNSPARSER_parse_record (udp_payload,
                                          udp_payload_length,
                                          &off,
                                          &p->additional_records[i]))
         goto error;
+    }
   }
   return p;
  error:
@@ -754,6 +759,122 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
 
 
 /**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_Record *
+GNUNET_DNSPARSER_duplicate_record (const struct GNUNET_DNSPARSER_Record *r)
+{
+  struct GNUNET_DNSPARSER_Record *dup = GNUNET_memdup (r, sizeof (*r));
+
+  dup->name = GNUNET_strdup (r->name);
+  switch (r->type)
+  {
+    case GNUNET_DNSPARSER_TYPE_NS:
+    case GNUNET_DNSPARSER_TYPE_CNAME:
+    case GNUNET_DNSPARSER_TYPE_PTR:
+    {
+      dup->data.hostname = GNUNET_strdup (r->data.hostname);
+      break;
+    }
+    case GNUNET_DNSPARSER_TYPE_SOA:
+    {
+      dup->data.soa = GNUNET_DNSPARSER_duplicate_soa_record (r->data.soa);
+      break;
+    }
+    case GNUNET_DNSPARSER_TYPE_CERT:
+    {
+      dup->data.cert = GNUNET_DNSPARSER_duplicate_cert_record (r->data.cert);
+      break;
+    }
+    case GNUNET_DNSPARSER_TYPE_MX:
+    {
+      dup->data.mx = GNUNET_DNSPARSER_duplicate_mx_record (r->data.mx);
+      break;
+    }
+    case GNUNET_DNSPARSER_TYPE_SRV:
+    {
+      dup->data.srv = GNUNET_DNSPARSER_duplicate_srv_record (r->data.srv);
+      break;
+    }
+    default:
+    {
+      dup->data.raw.data = GNUNET_memdup (r->data.raw.data,
+                                          r->data.raw.data_len);
+    }
+  }
+  return dup;
+}
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_SoaRecord *
+GNUNET_DNSPARSER_duplicate_soa_record (const struct GNUNET_DNSPARSER_SoaRecord *r)
+{
+  struct GNUNET_DNSPARSER_SoaRecord *dup = GNUNET_memdup (r, sizeof (*r));
+
+  dup->mname = GNUNET_strdup (r->mname);
+  dup->rname = GNUNET_strdup (r->rname);
+  return dup;
+}
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_CertRecord *
+GNUNET_DNSPARSER_duplicate_cert_record (const struct GNUNET_DNSPARSER_CertRecord *r)
+{
+  struct GNUNET_DNSPARSER_CertRecord *dup = GNUNET_memdup (r, sizeof (*r));
+
+  dup->certificate_data = GNUNET_strdup (r->certificate_data);
+  return dup;
+}
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_MxRecord *
+GNUNET_DNSPARSER_duplicate_mx_record (const struct GNUNET_DNSPARSER_MxRecord *r)
+{
+  struct GNUNET_DNSPARSER_MxRecord *dup = GNUNET_memdup (r, sizeof (*r));
+
+  dup->mxhost = GNUNET_strdup (r->mxhost);
+  return dup;
+}
+
+
+/**
+ * Duplicate (deep-copy) the given DNS record
+ *
+ * @param r the record
+ * @return the newly allocated record
+ */
+struct GNUNET_DNSPARSER_SrvRecord *
+GNUNET_DNSPARSER_duplicate_srv_record (const struct GNUNET_DNSPARSER_SrvRecord *r)
+{
+  struct GNUNET_DNSPARSER_SrvRecord *dup = GNUNET_memdup (r, sizeof (*r));
+
+  dup->target = GNUNET_strdup (r->target);
+  return dup;
+}
+
+
+/**
  * Free memory taken by a packet.
  *
  * @param p packet to free
@@ -761,18 +882,16 @@ GNUNET_DNSPARSER_parse (const char *udp_payload,
 void
 GNUNET_DNSPARSER_free_packet (struct GNUNET_DNSPARSER_Packet *p)
 {
-  unsigned int i;
-
-  for (i=0;i<p->num_queries;i++)
+  for (unsigned int i=0;i<p->num_queries;i++)
     GNUNET_free_non_null (p->queries[i].name);
   GNUNET_free_non_null (p->queries);
-  for (i=0;i<p->num_answers;i++)
+  for (unsigned int i=0;i<p->num_answers;i++)
     GNUNET_DNSPARSER_free_record (&p->answers[i]);
   GNUNET_free_non_null (p->answers);
-  for (i=0;i<p->num_authority_records;i++)
+  for (unsigned int i=0;i<p->num_authority_records;i++)
     GNUNET_DNSPARSER_free_record (&p->authority_records[i]);
   GNUNET_free_non_null (p->authority_records);
-  for (i=0;i<p->num_additional_records;i++)
+  for (unsigned int i=0;i<p->num_additional_records;i++)
     GNUNET_DNSPARSER_free_record (&p->additional_records[i]);
   GNUNET_free_non_null (p->additional_records);
   GNUNET_free (p);
@@ -837,8 +956,11 @@ GNUNET_DNSPARSER_builder_add_name (char *dst,
       len = dot - idna_name;
     if ( (len >= 64) || (0 == len) )
     {
-      GNUNET_break (0);
-      goto fail; /* segment too long or empty */
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Invalid DNS name `%s': label with %u characters encountered\n",
+                  name,
+                  len);
+      goto fail; /* label too long or empty */
     }
     dst[pos++] = (char) (uint8_t) len;
     GNUNET_memcpy (&dst[pos],
@@ -953,7 +1075,6 @@ GNUNET_DNSPARSER_builder_add_cert (char *dst,
   struct GNUNET_TUN_DnsCertRecord dcert;
 
   if ( (cert->cert_type > UINT16_MAX) ||
-       (cert->cert_tag > UINT16_MAX) ||
        (cert->algorithm > UINT8_MAX) )
   {
     GNUNET_break (0);
@@ -1041,12 +1162,14 @@ GNUNET_DNSPARSER_builder_add_srv (char *dst,
   sd.prio = htons (srv->priority);
   sd.weight = htons (srv->weight);
   sd.port = htons (srv->port);
-  GNUNET_memcpy (&dst[*off], &sd, sizeof (sd));
+  GNUNET_memcpy (&dst[*off],
+                 &sd,
+                 sizeof (sd));
   (*off) += sizeof (sd);
   if (GNUNET_OK != (ret = GNUNET_DNSPARSER_builder_add_name (dst,
-                                    dst_len,
-                                    off,
-                                    srv->target)))
+                                                             dst_len,
+                                                             off,
+                                                             srv->target)))
     return ret;
   return GNUNET_OK;
 }
@@ -1148,7 +1271,9 @@ add_record (char *dst,
   rl.dns_traffic_class = htons (record->dns_traffic_class);
   rl.ttl = htonl (GNUNET_TIME_absolute_get_remaining (record->expiration_time).rel_value_us / 1000LL / 1000LL); /* in seconds */
   rl.data_len = htons ((uint16_t) (pos - (*off + sizeof (struct GNUNET_TUN_DnsRecordLine))));
-  GNUNET_memcpy (&dst[*off], &rl, sizeof (struct GNUNET_TUN_DnsRecordLine));
+  GNUNET_memcpy (&dst[*off],
+                 &rl,
+                 sizeof (struct GNUNET_TUN_DnsRecordLine));
   *off = pos;
   return GNUNET_OK;
 }
@@ -1177,7 +1302,6 @@ GNUNET_DNSPARSER_pack (const struct GNUNET_DNSPARSER_Packet *p,
   struct GNUNET_TUN_DnsHeader dns;
   size_t off;
   char tmp[max];
-  unsigned int i;
   int ret;
   int trc;
 
@@ -1195,7 +1319,7 @@ GNUNET_DNSPARSER_pack (const struct GNUNET_DNSPARSER_Packet *p,
 
   off = sizeof (struct GNUNET_TUN_DnsHeader);
   trc = GNUNET_NO;
-  for (i=0;i<p->num_queries;i++)
+  for (unsigned int i=0;i<p->num_queries;i++)
   {
     ret = GNUNET_DNSPARSER_builder_add_query (tmp,
                                               sizeof (tmp),
@@ -1210,7 +1334,7 @@ GNUNET_DNSPARSER_pack (const struct GNUNET_DNSPARSER_Packet *p,
       break;
     }
   }
-  for (i=0;i<p->num_answers;i++)
+  for (unsigned int i=0;i<p->num_answers;i++)
   {
     ret = add_record (tmp,
                       sizeof (tmp),
@@ -1225,7 +1349,7 @@ GNUNET_DNSPARSER_pack (const struct GNUNET_DNSPARSER_Packet *p,
       break;
     }
   }
-  for (i=0;i<p->num_authority_records;i++)
+  for (unsigned int i=0;i<p->num_authority_records;i++)
   {
     ret = add_record (tmp,
                       sizeof (tmp),
@@ -1240,7 +1364,7 @@ GNUNET_DNSPARSER_pack (const struct GNUNET_DNSPARSER_Packet *p,
       break;
     }
   }
-  for (i=0;i<p->num_additional_records;i++)
+  for (unsigned int i=0;i<p->num_additional_records;i++)
   {
     ret = add_record (tmp,
                       sizeof (tmp),
diff --git a/src/dns/dnsstub.c b/src/util/dnsstub.c
index 969ff7beb..5b84e6e63 100644
--- a/src/dns/dnsstub.c
+++ b/src/util/dnsstub.c
@@ -22,8 +22,6 @@
  */
 #include "platform.h"
 #include "gnunet_util_lib.h"
-#include "gnunet_tun_lib.h"
-#include "gnunet_dnsstub_lib.h"
 
 /**
  * Timeout for retrying DNS queries.
@@ -356,7 +354,7 @@ do_dns_read (struct GNUNET_DNSSTUB_RequestSocket *rs,
                   "Received DNS response from server we never asked (ignored)");
       return GNUNET_NO;
     }
-    if (sizeof (struct GNUNET_TUN_DnsHeader) > r)
+    if (sizeof (struct GNUNET_TUN_DnsHeader) > (size_t) r)
     {
       GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                   _("Received DNS response that is too small (%u bytes)"),
diff --git a/src/util/gnunet-config.c b/src/util/gnunet-config.c
index 16b826ee2..4528bbe24 100644
--- a/src/util/gnunet-config.c
+++ b/src/util/gnunet-config.c
@@ -75,27 +75,36 @@ print_option (void *cls,
               const char *option,
               const char *value)
 {
-  (void) section;
   const struct GNUNET_CONFIGURATION_Handle *cfg = cls;
-  char *value_fn;
+
+  (void) section;
   if (is_filename)
   {
+    char *value_fn;
+    char *fn;
+    
     GNUNET_assert (GNUNET_OK ==
-        GNUNET_CONFIGURATION_get_value_filename (cfg,
-                                                 section,
-                                                 option,
-                                                 &value_fn));
+                   GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                            section,
+                                                            option,
+                                                            &value_fn));
+    fn = GNUNET_STRINGS_filename_expand (value_fn);
+    if (NULL == fn)
+      fn = value_fn;
+    else
+      GNUNET_free (value_fn);
     fprintf (stdout,
-       "%s = %s\n",
-       option,
-       GNUNET_STRINGS_filename_expand (value_fn));
+             "%s = %s\n",
+             option,
+             fn);
+    GNUNET_free (fn);
   }
   else
   {
     fprintf (stdout,
-       "%s = %s\n",
-       option,
-       value);
+             "%s = %s\n",
+             option,
+             value);
   }
 }
 
diff --git a/src/util/gnunet-service-resolver.c b/src/util/gnunet-service-resolver.c
index d90d8ec10..5b890261b 100644
--- a/src/util/gnunet-service-resolver.c
+++ b/src/util/gnunet-service-resolver.c
@@ -27,721 +27,559 @@
 #include "gnunet_statistics_service.h"
 #include "resolver.h"
 
+
+struct Record
+{
+  struct Record *next;
+
+  struct Record *prev;
+
+  struct GNUNET_DNSPARSER_Record *record;
+};
+
 /**
- * A cached DNS lookup result (for reverse lookup).
+ * A cached DNS lookup result.
  */
-struct IPCache
+struct ResolveCache
 {
   /**
    * This is a doubly linked list.
    */
-  struct IPCache *next;
+  struct ResolveCache *next;
 
   /**
    * This is a doubly linked list.
    */
-  struct IPCache *prev;
+  struct ResolveCache *prev;
 
   /**
-   * Hostname in human-readable form.
+   * type of queried DNS record
    */
-  char *addr;
+  uint16_t record_type;
 
   /**
-   * Binary IP address, allocated at the end of this struct.
+   * a pointer to the request_id if a query for this hostname/record_type
+   * is currently pending, NULL otherwise.
    */
-  const void *ip;
+  int16_t *request_id;
 
   /**
-   * Last time this entry was updated.
+   * The client that queried the records contained in this cache entry.
    */
-  struct GNUNET_TIME_Absolute last_refresh;
+  struct GNUNET_SERVICE_Client *client;
 
   /**
-   * Last time this entry was requested.
+   * head of a double linked list containing the lookup results
    */
-  struct GNUNET_TIME_Absolute last_request;
+  struct Record *records_head;
 
   /**
-   * Number of bytes in ip.
+   * tail of a double linked list containing the lookup results
    */
-  size_t ip_len;
+  struct Record *records_tail;
 
   /**
-   * Address family of the IP.
+   * handle for cancelling a request
    */
-  int af;
+  struct GNUNET_DNSSTUB_RequestSocket *resolve_handle;
+
+  /**
+   * handle for the resolution timeout task
+   */
+  struct GNUNET_SCHEDULER_Task *timeout_task;
+
 };
 
 
 /**
  * Start of the linked list of cached DNS lookup results.
  */
-static struct IPCache *cache_head;
+static struct ResolveCache *cache_head;
 
 /**
  * Tail of the linked list of cached DNS lookup results.
  */
-static struct IPCache *cache_tail;
+static struct ResolveCache *cache_tail;
 
 /**
- * Pipe for asynchronously notifying about resolve result
+ * context of dnsstub library
  */
-static struct GNUNET_DISK_PipeHandle *resolve_result_pipe;
+static struct GNUNET_DNSSTUB_Context *dnsstub_ctx;
 
-/**
- * Task for reading from resolve_result_pipe
- */
-static struct GNUNET_SCHEDULER_Task *resolve_result_pipe_task;
 
-
-#if HAVE_GETNAMEINFO
-/**
- * Resolve the given request using getnameinfo
- *
- * @param cache the request to resolve (and where to store the result)
- */
-static void
-getnameinfo_resolve (struct IPCache *cache)
+void free_cache_entry (struct ResolveCache *entry)
 {
-  char hostname[256];
-  const struct sockaddr *sa;
-  struct sockaddr_in v4;
-  struct sockaddr_in6 v6;
-  size_t salen;
-  int ret;
-
-  switch (cache->af)
+  struct Record *pos;
+  struct Record *next;
+ 
+  next = entry->records_head;
+  while (NULL != (pos = next))
   {
-  case AF_INET:
-    GNUNET_assert (cache->ip_len == sizeof (struct in_addr));
-    sa = (const struct sockaddr*) &v4;
-    memset (&v4, 0, sizeof (v4));
-    v4.sin_addr = * (const struct in_addr*) cache->ip;
-    v4.sin_family = AF_INET;
-#if HAVE_SOCKADDR_IN_SIN_LEN
-    v4.sin_len = sizeof (v4);
-#endif
-    salen = sizeof (v4);
-    break;
-  case AF_INET6:
-    GNUNET_assert (cache->ip_len == sizeof (struct in6_addr));
-    sa = (const struct sockaddr*) &v6;
-    memset (&v6, 0, sizeof (v6));
-    v6.sin6_addr = * (const struct in6_addr*) cache->ip;
-    v6.sin6_family = AF_INET6;
-#if HAVE_SOCKADDR_IN_SIN_LEN
-    v6.sin6_len = sizeof (v6);
-#endif
-    salen = sizeof (v6);
-    break;
-  default:
-    GNUNET_assert (0);
+    next = pos->next;
+    GNUNET_CONTAINER_DLL_remove (entry->records_head,
+                                 entry->records_tail,
+                                 pos);
+    if (NULL != pos->record)
+    {
+      GNUNET_DNSPARSER_free_record (pos->record);
+      GNUNET_free (pos->record);
+    }
+    GNUNET_free (pos);
   }
-
-  if (0 ==
-      (ret = getnameinfo (sa, salen,
-                          hostname, sizeof (hostname),
-                          NULL,
-                          0, 0)))
+  if (NULL != entry->resolve_handle)
   {
-    cache->addr = GNUNET_strdup (hostname);
+    GNUNET_DNSSTUB_resolve_cancel (entry->resolve_handle);
+    entry->resolve_handle = NULL;
   }
-  else
+  if (NULL != entry->timeout_task)
   {
-    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                "getnameinfo failed: %s\n",
-                gai_strerror (ret));
+    GNUNET_SCHEDULER_cancel (entry->timeout_task);
+    entry->timeout_task = NULL;
   }
+  GNUNET_free_non_null (entry->request_id);
+  GNUNET_free (entry);
 }
-#endif
 
 
-#if HAVE_GETHOSTBYADDR
+static char*
+extract_dns_server (const char* line, size_t line_len)
+{
+  if (0 == strncmp (line, "nameserver ", 11))
+    return GNUNET_strndup (line + 11, line_len - 11);
+  return NULL;
+}
+
+ 
 /**
- * Resolve the given request using gethostbyaddr
+ * reads the list of nameservers from /etc/resolve.conf
  *
- * @param cache the request to resolve (and where to store the result)
+ * @param server_addrs[out] a list of null-terminated server address strings
+ * @return the number of server addresses in @server_addrs, -1 on error
  */
-static void
-gethostbyaddr_resolve (struct IPCache *cache)
+static ssize_t
+lookup_dns_servers (char ***server_addrs)
 {
-  struct hostent *ent;
-
-  ent = gethostbyaddr (cache->ip,
-                       cache->ip_len,
-                       cache->af);
-  if (NULL != ent)
+  struct GNUNET_DISK_FileHandle *fh;
+  char buf[2048];
+  ssize_t bytes_read;
+  size_t read_offset = 0;
+  unsigned int num_dns_servers = 0;
+    
+  fh = GNUNET_DISK_file_open ("/etc/resolv.conf",
+                              GNUNET_DISK_OPEN_READ,
+                              GNUNET_DISK_PERM_NONE);
+  if (NULL == fh)
   {
-    cache->addr = GNUNET_strdup (ent->h_name);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Could not open /etc/resolv.conf. "
+                "DNS resolution will not be possible.\n");
+    return -1;
   }
-  else
+  bytes_read = GNUNET_DISK_file_read (fh,
+                                      buf,
+                                      sizeof (buf));
+  *server_addrs = NULL;
+  while (read_offset < bytes_read)
   {
-    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                "gethostbyaddr failed: %s\n",
-                hstrerror (h_errno));
+    char *newline;
+    size_t line_len;
+    char *dns_server;
+    
+    newline = strchr (buf + read_offset, '\n');
+    if (NULL == newline)
+    {
+      break;
+    }
+    line_len = newline - buf - read_offset;
+    dns_server = extract_dns_server (buf + read_offset, line_len);
+    if (NULL != dns_server)
+    {
+      GNUNET_array_append (*server_addrs,
+                           num_dns_servers,
+                           dns_server);
+    }
+    read_offset += line_len + 1;
   }
+  GNUNET_DISK_file_close (fh);
+  return num_dns_servers;
 }
-#endif
 
 
-/**
- * Resolve the given request using the available methods.
- *
- * @param cache the request to resolve (and where to store the result)
- */
-static void
-cache_resolve (struct IPCache *cache)
+static char *
+make_reverse_hostname (const void *ip, int af)
 {
-#if HAVE_GETNAMEINFO
-  if (NULL == cache->addr)
-    getnameinfo_resolve (cache);
-#endif
-#if HAVE_GETHOSTBYADDR
-  if (NULL == cache->addr)
-    gethostbyaddr_resolve (cache);
-#endif
+  char *buf = GNUNET_new_array (80, char);
+  int pos = 0;
+  if (AF_INET == af)
+  {
+    struct in_addr *addr = (struct in_addr *)ip;
+    uint32_t ip_int = addr->s_addr;
+    for (int i = 3; i >= 0; i--)
+    {
+      int n = GNUNET_snprintf (buf + pos,
+                               80 - pos,
+                               "%u.",
+                               ((uint8_t *)&ip_int)[i]);
+      if (n < 0)
+      {
+        GNUNET_free (buf);
+        return NULL;
+      }
+      pos += n;
+    }
+    pos += GNUNET_snprintf (buf + pos, 80 - pos, "in-addr.arpa");
+  }
+  else if (AF_INET6 == af)
+  {
+    struct in6_addr *addr = (struct in6_addr *)ip;
+    for (int i = 15; i >= 0; i--)
+    {
+      int n = GNUNET_snprintf (buf + pos, 80 - pos, "%x.", addr->s6_addr[i] & 0xf);
+      if (n < 0)
+      {
+        GNUNET_free (buf);
+        return NULL;
+      }
+      pos += n;
+      n = GNUNET_snprintf (buf + pos, 80 - pos, "%x.", addr->s6_addr[i] >> 4);
+      if (n < 0)
+      {
+        GNUNET_free (buf);
+        return NULL;
+      }
+      pos += n;
+    }
+    pos += GNUNET_snprintf (buf + pos, 80 - pos, "ip6.arpa");
+  }
+  buf[pos] = '\0';
+  return buf;
 }
 
 
-/**
- * Function called after the replies for the request have all
- * been transmitted to the client, and we can now read the next
- * request from the client.
- *
- * @param cls the `struct GNUNET_SERVICE_Client` to continue with
- */
 static void
-notify_service_client_done (void *cls)
+send_reply (struct GNUNET_DNSPARSER_Record *record,
+            uint16_t request_id,
+            struct GNUNET_SERVICE_Client *client)
 {
-  struct GNUNET_SERVICE_Client *client = cls;
-
-  GNUNET_SERVICE_client_continue (client);
-}
-
-
-/**
- * Get an IP address as a string (works for both IPv4 and IPv6).  Note
- * that the resolution happens asynchronously and that the first call
- * may not immediately result in the FQN (but instead in a
- * human-readable IP address).
- *
- * @param client handle to the client making the request (for sending the reply)
- * @param af AF_INET or AF_INET6
- * @param ip `struct in_addr` or `struct in6_addr`
- */
-static void
-get_ip_as_string (struct GNUNET_SERVICE_Client *client,
-                  int af,
-                  const void *ip,
-                  uint32_t request_id)
-{
-  struct IPCache *pos;
-  struct IPCache *next;
-  struct GNUNET_TIME_Absolute now;
-  struct GNUNET_MQ_Envelope *env;
-  struct GNUNET_MQ_Handle *mq;
   struct GNUNET_RESOLVER_ResponseMessage *msg;
-  size_t ip_len;
-  struct in6_addr ix;
-  size_t alen;
+  struct GNUNET_MQ_Envelope *env;
+  void *payload;
+  size_t payload_len;
 
-  switch (af)
-  {
-  case AF_INET:
-    ip_len = sizeof (struct in_addr);
-    break;
-  case AF_INET6:
-    ip_len = sizeof (struct in6_addr);
-    break;
-  default:
-    GNUNET_assert (0);
-  }
-  now = GNUNET_TIME_absolute_get ();
-  next = cache_head;
-  while ( (NULL != (pos = next)) &&
-          ( (pos->af != af) ||
-            (pos->ip_len != ip_len) ||
-            (0 != memcmp (pos->ip, ip, ip_len))) )
+  switch (record->type)
   {
-    next = pos->next;
-    if (GNUNET_TIME_absolute_get_duration (pos->last_request).rel_value_us <
-        60 * 60 * 1000 * 1000LL)
+    case GNUNET_DNSPARSER_TYPE_PTR:
     {
-      GNUNET_CONTAINER_DLL_remove (cache_head,
-                                   cache_tail,
-                                   pos);
-      GNUNET_free_non_null (pos->addr);
-      GNUNET_free (pos);
-      continue;
+      char *hostname = record->data.hostname;
+      payload = hostname;
+      payload_len = strlen (hostname) + 1;
+      break;
     }
-  }
-  if (NULL != pos)
-  {
-    if ( (1 == inet_pton (af,
-                          pos->ip,
-                          &ix)) &&
-         (GNUNET_TIME_absolute_get_duration (pos->last_request).rel_value_us >
-          120 * 1000 * 1000LL) )
+    case GNUNET_DNSPARSER_TYPE_A:
+    case GNUNET_DNSPARSER_TYPE_AAAA:
     {
-      /* try again if still numeric AND 2 minutes have expired */
-      GNUNET_free_non_null (pos->addr);
-      pos->addr = NULL;
-      cache_resolve (pos);
-      pos->last_request = now;
+      payload = record->data.raw.data;
+      payload_len = record->data.raw.data_len;
+      break;         
+    }
+    default:
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Cannot handle DNS response type: unimplemented\n");
+      return;
     }
   }
-  else
-  {
-    pos = GNUNET_malloc (sizeof (struct IPCache) + ip_len);
-    pos->ip = &pos[1];
-    GNUNET_memcpy (&pos[1],
-                   ip,
-                   ip_len);
-    pos->last_request = now;
-    pos->last_refresh = now;
-    pos->ip_len = ip_len;
-    pos->af = af;
-    GNUNET_CONTAINER_DLL_insert (cache_head,
-                                 cache_tail,
-                                 pos);
-    cache_resolve (pos);
-  }
-  if (NULL != pos->addr)
-    alen = strlen (pos->addr) + 1;
-  else
-    alen = 0;
-  mq = GNUNET_SERVICE_client_get_mq (client);
   env = GNUNET_MQ_msg_extra (msg,
-                             alen,
-                             GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
+                             payload_len,
+                             GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
   msg->id = request_id;
   GNUNET_memcpy (&msg[1],
-                 pos->addr,
-                 alen);
-  GNUNET_MQ_send (mq,
-                  env);
-  // send end message
-  env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-  msg->id = request_id;
-  GNUNET_MQ_notify_sent (env,
-                         &notify_service_client_done,
-                         client);
-  GNUNET_MQ_send (mq,
-                  env);
+                 payload,
+                 payload_len);
+  GNUNET_MQ_send (GNUNET_SERVICE_client_get_mq (client),
+                  env);
 }
 
 
-#if HAVE_GETADDRINFO_A
-struct AsyncCls
-{
-  struct gaicb *host;
-  struct sigevent *sig;
-  struct GNUNET_MQ_Handle *mq;
-  uint32_t request_id;
-};
-
-
 static void
-resolve_result_pipe_cb (void *cls)
+send_end_msg (uint16_t request_id,
+              struct GNUNET_SERVICE_Client *client)
 {
-  struct AsyncCls *async_cls;
-  struct gaicb *host;
   struct GNUNET_RESOLVER_ResponseMessage *msg;
   struct GNUNET_MQ_Envelope *env;
 
-  GNUNET_DISK_file_read (GNUNET_DISK_pipe_handle (resolve_result_pipe,
-                                                  GNUNET_DISK_PIPE_END_READ),
-                         &async_cls,
-                         sizeof (struct AsyncCls *));
-  resolve_result_pipe_task =
-    GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
-                                    GNUNET_DISK_pipe_handle (resolve_result_pipe,
-                                                             GNUNET_DISK_PIPE_END_READ),
-                                    &resolve_result_pipe_cb,
-                                    NULL);
-  host = async_cls->host;
-  for (struct addrinfo *pos = host->ar_result; pos != NULL; pos = pos->ai_next)
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Sending end message\n");
+  env = GNUNET_MQ_msg (msg,
+                       GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
+  msg->id = request_id;
+  GNUNET_MQ_send (GNUNET_SERVICE_client_get_mq (client),
+                  env);
+}
+
+
+static void
+handle_resolve_result (void *cls,
+                       const struct GNUNET_TUN_DnsHeader *dns,
+                       size_t dns_len)
+{
+  struct ResolveCache *cache = cls;
+  struct GNUNET_DNSPARSER_Packet *parsed;
+  uint16_t request_id = *cache->request_id;
+  struct GNUNET_SERVICE_Client *client = cache->client;
+
+  parsed = GNUNET_DNSPARSER_parse ((const char *)dns,
+                                   dns_len);
+  if (NULL == parsed)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to parse DNS reply (request ID %u\n",
+                request_id);
+    return;
+  }
+  if (request_id != ntohs (parsed->id))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Request ID in DNS reply does not match\n");
+    return;
+  }
+  else if (0 == parsed->num_answers)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "DNS reply (request ID %u) contains no answers\n",
+                request_id);
+    GNUNET_CONTAINER_DLL_remove (cache_head,
+                                 cache_tail,
+                                 cache);
+    free_cache_entry (cache);
+    cache = NULL;
+  }
+  else
   {
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-                "Lookup result for hostname %s: %s (request ID %u)\n",
-                host->ar_name,
-                GNUNET_a2s (pos->ai_addr, pos->ai_addrlen),
-                async_cls->request_id);
-    switch (pos->ai_family)
+                "Got reply for request ID %u\n",
+                request_id);
+    for (unsigned int i = 0; i != parsed->num_answers; i++)
     {
-    case AF_INET:
-      env = GNUNET_MQ_msg_extra (msg,
-                                 sizeof (struct in_addr),
-                                 GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-      msg->id = async_cls->request_id;
-      GNUNET_memcpy (&msg[1],
-                     &((struct sockaddr_in*) pos->ai_addr)->sin_addr,
-                     sizeof (struct in_addr));
-      GNUNET_MQ_send (async_cls->mq,
-                      env);
-      break;
-    case AF_INET6:
-      env = GNUNET_MQ_msg_extra (msg,
-                                 sizeof (struct in6_addr),
-                                 GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-      msg->id = async_cls->request_id;
-      GNUNET_memcpy (&msg[1],
-                     &((struct sockaddr_in6*) pos->ai_addr)->sin6_addr,
-                     sizeof (struct in6_addr));
-      GNUNET_MQ_send (async_cls->mq,
-                      env);
-      break;
-    default:
-      /* unsupported, skip */
-      break;
+      struct Record *cache_entry = GNUNET_new (struct Record);
+      struct GNUNET_DNSPARSER_Record *record = &parsed->answers[i];
+      cache_entry->record = GNUNET_DNSPARSER_duplicate_record (record);
+      GNUNET_CONTAINER_DLL_insert (cache->records_head,
+                                   cache->records_tail,
+                                   cache_entry);
+      send_reply (cache_entry->record,
+                  request_id,
+                  cache->client);
     }
+    GNUNET_free_non_null (cache->request_id);
+    cache->request_id = NULL;
   }
-  // send end message
-  env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-  msg->id = async_cls->request_id;
-  GNUNET_MQ_send (async_cls->mq,
-                  env);
-  freeaddrinfo (host->ar_result);
-  GNUNET_free ((struct gaicb *)host->ar_request); // free hints
-  GNUNET_free (host);
-  GNUNET_free (async_cls->sig);
-  GNUNET_free (async_cls);
+  send_end_msg (request_id,
+                client);
+  if (NULL != cache)
+    cache->client = NULL;
+  if (NULL != cache)
+  {
+    if (NULL != cache->timeout_task)
+    { 
+      GNUNET_SCHEDULER_cancel (cache->timeout_task);
+      cache->timeout_task = NULL;
+    }
+    if (NULL != cache->resolve_handle)
+    {
+      GNUNET_DNSSTUB_resolve_cancel (cache->resolve_handle);
+      cache->resolve_handle = NULL;
+    }
+  }
+  GNUNET_DNSPARSER_free_packet (parsed);
 }
 
 
 static void
-handle_async_result (union sigval val) 
+handle_resolve_timeout (void *cls)
 {
-  GNUNET_DISK_file_write (GNUNET_DISK_pipe_handle (resolve_result_pipe,
-                                                   GNUNET_DISK_PIPE_END_WRITE),
-                          &val.sival_ptr,
-                          sizeof (val.sival_ptr));
+  struct ResolveCache *cache = cls;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 
+              "timeout!\n");
+  if (NULL != cache->resolve_handle)
+  {
+    GNUNET_DNSSTUB_resolve_cancel (cache->resolve_handle);
+    cache->resolve_handle = NULL;
+  }
+  GNUNET_CONTAINER_DLL_remove (cache_head,
+                               cache_tail,
+                               cache);
+  free_cache_entry (cache);
 }
 
 
 static int
-getaddrinfo_a_resolve (struct GNUNET_MQ_Handle *mq,
-                       const char *hostname,
-                       int af,
-                       uint32_t request_id)
+resolve_and_cache (const char* hostname,
+                   uint16_t record_type,
+                   uint16_t request_id,
+                   struct GNUNET_SERVICE_Client *client)
 {
-  int ret;
-  struct gaicb *host;
-  struct addrinfo *hints; 
-  struct sigevent *sig;
-  struct AsyncCls *async_cls;
-
-  host = GNUNET_new (struct gaicb);
-  hints = GNUNET_new (struct addrinfo);
-  sig = GNUNET_new (struct sigevent);
-  async_cls = GNUNET_new (struct AsyncCls);
-  memset (hints,
+  char *packet_buf;
+  size_t packet_size;
+  struct GNUNET_DNSPARSER_Query query;
+  struct GNUNET_DNSPARSER_Packet packet;
+  struct ResolveCache *cache;
+  struct GNUNET_TIME_Relative timeout =
+    GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 5);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "resolve_and_cache\n");
+  query.name = (char *)hostname;
+  query.type = record_type;
+  query.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+  memset (&packet,
           0,
-          sizeof (struct addrinfo));
-  memset (sig,
-          0,
-          sizeof (struct sigevent));
-  hints->ai_family = af;
-  hints->ai_socktype = SOCK_STREAM;      /* go for TCP */
-  host->ar_name = hostname;
-  host->ar_service = NULL;
-  host->ar_request = hints;
-  host->ar_result = NULL;
-  sig->sigev_notify = SIGEV_THREAD;
-  sig->sigev_value.sival_ptr = async_cls;
-  sig->sigev_notify_function = &handle_async_result; 
-  async_cls->host = host;
-  async_cls->sig = sig;
-  async_cls->mq = mq;
-  async_cls->request_id = request_id;
-  ret = getaddrinfo_a (GAI_NOWAIT,
-                       &host,
-                       1,
-                       sig);
-  if (0 != ret)
+          sizeof (packet));
+  packet.num_queries = 1;
+  packet.queries = &query;
+  packet.id = htons (request_id);
+  packet.flags.recursion_desired = 1;
+  if (GNUNET_OK != 
+      GNUNET_DNSPARSER_pack (&packet,
+                             UINT16_MAX,
+                             &packet_buf,
+                             &packet_size))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to pack query for hostname `%s'\n",
+                hostname);
     return GNUNET_SYSERR;
+ 
+  }
+  cache = GNUNET_malloc (sizeof (struct ResolveCache));
+  cache->record_type = record_type;
+  cache->request_id = GNUNET_memdup (&request_id, sizeof (request_id));
+  cache->client = client;
+  cache->timeout_task = GNUNET_SCHEDULER_add_delayed (timeout,
+                                                      &handle_resolve_timeout,
+                                                      cache);
+  cache->resolve_handle = 
+    GNUNET_DNSSTUB_resolve (dnsstub_ctx,
+                            packet_buf,
+                            packet_size,
+                            &handle_resolve_result,
+                            cache);
+  GNUNET_CONTAINER_DLL_insert (cache_head,
+                               cache_tail,
+                               cache);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "resolve %s, request_id = %u\n",
+              hostname,
+              request_id);
+  GNUNET_free (packet_buf);
   return GNUNET_OK;
 }
 
 
-#elif HAVE_GETADDRINFO
-static int
-getaddrinfo_resolve (struct GNUNET_MQ_Handle *mq,
-                     const char *hostname,
-                     int af,
-                     uint32_t request_id)
+static const char *
+get_hostname (struct ResolveCache *cache_entry)
 {
-  int s;
-  struct addrinfo hints;
-  struct addrinfo *result;
-  struct addrinfo *pos;
-  struct GNUNET_RESOLVER_ResponseMessage *msg;
-  struct GNUNET_MQ_Envelope *env;
-
-#ifdef WINDOWS
-  /* Due to a bug, getaddrinfo will not return a mix of different families */
-  if (AF_UNSPEC == af)
+  if (NULL != cache_entry->records_head)
   {
-    int ret1;
-    int ret2;
-    ret1 = getaddrinfo_resolve (mq,
-                                hostname,
-                                AF_INET,
-                                request_id);
-    ret2 = getaddrinfo_resolve (mq,
-                                hostname,
-                                AF_INET6,
-                                request_id);
-    if ( (ret1 == GNUNET_OK) ||
-         (ret2 == GNUNET_OK) )
-      return GNUNET_OK;
-    if ( (ret1 == GNUNET_SYSERR) ||
-         (ret2 == GNUNET_SYSERR) )
-      return GNUNET_SYSERR;
-    return GNUNET_NO;
+    GNUNET_assert (NULL != cache_entry->records_head);
+    GNUNET_assert (NULL != cache_entry->records_head->record);
+    GNUNET_assert (NULL != cache_entry->records_head->record->name);
+    return cache_entry->records_head->record->name;
   }
-#endif
-
-  memset (&hints,
-          0,
-          sizeof (struct addrinfo));
-  hints.ai_family = af;
-  hints.ai_socktype = SOCK_STREAM;      /* go for TCP */
-
-  if (0 != (s = getaddrinfo (hostname,
-                             NULL,
-                             &hints,
-                             &result)))
-  {
-    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                _("Could not resolve `%s' (%s): %s\n"),
-                hostname,
-                (af ==
-                 AF_INET) ? "IPv4" : ((af == AF_INET6) ? "IPv6" : "any"),
-                gai_strerror (s));
-    if ( (s == EAI_BADFLAGS) ||
-#ifndef WINDOWS
-         (s == EAI_SYSTEM) ||
-#endif
-         (s == EAI_MEMORY) )
-      return GNUNET_NO;         /* other function may still succeed */
-    return GNUNET_SYSERR;
-  }
-  if (NULL == result)
-    return GNUNET_SYSERR;
-  for (pos = result; pos != NULL; pos = pos->ai_next)
-  {
-    switch (pos->ai_family)
-    {
-    case AF_INET:
-      env = GNUNET_MQ_msg_extra (msg,
-                                 sizeof (struct in_addr),
-                                 GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-      msg->id = request_id;
-      GNUNET_memcpy (&msg[1],
-                     &((struct sockaddr_in*) pos->ai_addr)->sin_addr,
-                     sizeof (struct in_addr));
-      GNUNET_MQ_send (mq,
-                      env);
-      break;
-    case AF_INET6:
-      env = GNUNET_MQ_msg_extra (msg,
-                                 sizeof (struct in6_addr),
-                                 GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-      msg->id = request_id;
-      GNUNET_memcpy (&msg[1],
-                     &((struct sockaddr_in6*) pos->ai_addr)->sin6_addr,
-                     sizeof (struct in6_addr));
-      GNUNET_MQ_send (mq,
-                      env);
-      break;
-    default:
-      /* unsupported, skip */
-      break;
-    }
-  }
-  freeaddrinfo (result);
-  return GNUNET_OK;
+  return NULL;
 }
 
 
-#elif HAVE_GETHOSTBYNAME2
-
-
-static int
-gethostbyname2_resolve (struct GNUNET_MQ_Handle *mq,
-                        const char *hostname,
-                        int af,
-                        uint32_t request_id)
+static const uint16_t *
+get_record_type (struct ResolveCache *cache_entry)
 {
-  struct hostent *hp;
-  int ret1;
-  int ret2;
-  struct GNUNET_MQ_Envelope *env;
-  struct GNUNET_RESOLVER_ResponseMessage *msg;
+  if (NULL != cache_entry->records_head)
+    return &cache_entry->record_type;
+  return NULL; 
+}
 
-#ifdef WINDOWS
-  /* gethostbyname2() in plibc is a compat dummy that calls gethostbyname(). */
-  return GNUNET_NO;
-#endif
 
-  if (af == AF_UNSPEC)
-  {
-    ret1 = gethostbyname2_resolve (mq,
-                                   hostname,
-                                   AF_INET,
-                                   request_id);
-    ret2 = gethostbyname2_resolve (mq,
-                                   hostname,
-                                   AF_INET6,
-                                   request_id);
-    if ( (ret1 == GNUNET_OK) ||
-         (ret2 == GNUNET_OK) )
-      return GNUNET_OK;
-    if ( (ret1 == GNUNET_SYSERR) ||
-         (ret2 == GNUNET_SYSERR) )
-      return GNUNET_SYSERR;
-    return GNUNET_NO;
-  }
-  hp = gethostbyname2 (hostname,
-                       af);
-  if (hp == NULL)
-  {
-    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                _("Could not find IP of host `%s': %s\n"),
-                hostname,
-                hstrerror (h_errno));
-    return GNUNET_SYSERR;
-  }
-  GNUNET_assert (hp->h_addrtype == af);
-  switch (af)
-  {
-  case AF_INET:
-    GNUNET_assert (hp->h_length == sizeof (struct in_addr));
-    env = GNUNET_MQ_msg_extra (msg,
-                               hp->h_length,
-                               GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-    msg->id = request_id;
-    GNUNET_memcpy (&msg[1],
-                   hp->h_addr_list[0],
-                   hp->h_length);
-    GNUNET_MQ_send (mq,
-                    env);
-    break;
-  case AF_INET6:
-    GNUNET_assert (hp->h_length == sizeof (struct in6_addr));
-    env = GNUNET_MQ_msg_extra (msg,
-                               hp->h_length,
-                               GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-    msg->id = request_id;
-    GNUNET_memcpy (&msg[1],
-                   hp->h_addr_list[0],
-                   hp->h_length);
-    GNUNET_MQ_send (mq,
-                    env);
-    break;
-  default:
-    GNUNET_break (0);
-    return GNUNET_SYSERR;
-  }
-  return GNUNET_OK;
+static const struct GNUNET_TIME_Absolute *
+get_expiration_time (struct ResolveCache *cache_entry)
+{
+  if (NULL != cache_entry->records_head)
+    return &cache_entry->records_head->record->expiration_time;
+  return NULL;
 }
 
-#elif HAVE_GETHOSTBYNAME
-
 
 static int
-gethostbyname_resolve (struct GNUNET_MQ_Handle *mq,
-                       const char *hostname,
-                       uint32_t request_id)
+remove_if_expired (struct ResolveCache *cache_entry)
 {
-  struct hostent *hp;
-  struct GNUNET_RESOLVER_ResponseMessage *msg;
-  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_TIME_Absolute now = GNUNET_TIME_absolute_get ();
 
-  hp = GETHOSTBYNAME (hostname);
-  if (NULL == hp)
+  if ( (NULL != cache_entry->records_head) &&
+       (now.abs_value_us > get_expiration_time (cache_entry)->abs_value_us) )
   {
-    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
-                _("Could not find IP of host `%s': %s\n"),
-                hostname,
-                hstrerror (h_errno));
-    return GNUNET_SYSERR;
-  }
-  if (hp->h_addrtype != AF_INET)
-  {
-    GNUNET_break (0);
-    return GNUNET_SYSERR;
+    GNUNET_CONTAINER_DLL_remove (cache_head,
+                                 cache_tail,
+                                 cache_entry);
+    free_cache_entry (cache_entry);
+    return GNUNET_YES;
   }
-  GNUNET_assert (hp->h_length == sizeof (struct in_addr));
-  env = GNUNET_MQ_msg_extra (msg,
-                             hp->h_length,
-                             GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-  msg->id = request_id;
-  GNUNET_memcpy (&msg[1],
-                 hp->h_addr_list[0],
-                 hp->h_length);
-  GNUNET_MQ_send (mq,
-                  env);
-  return GNUNET_OK;
+  return GNUNET_NO;
 }
-#endif
 
 
 /**
- * Convert a string to an IP address.
+ * Get an IP address as a string (works for both IPv4 and IPv6).  Note
+ * that the resolution happens asynchronously and that the first call
+ * may not immediately result in the FQN (but instead in a
+ * human-readable IP address).
  *
- * @param client where to send the IP address
- * @param hostname the hostname to resolve
- * @param af AF_INET or AF_INET6; use AF_UNSPEC for "any"
+ * @param client handle to the client making the request (for sending the reply)
+ * @param af AF_INET or AF_INET6
+ * @param ip `struct in_addr` or `struct in6_addr`
  */
-static void
-get_ip_from_hostname (struct GNUNET_SERVICE_Client *client,
-                      const char *hostname,
-                      int af,
-                      uint32_t request_id)
+static int
+try_cache (const char *hostname,
+           uint16_t record_type,
+           uint16_t request_id,
+           struct GNUNET_SERVICE_Client *client)
 {
-  struct GNUNET_MQ_Envelope *env;
-  struct GNUNET_RESOLVER_ResponseMessage *msg;
-  struct GNUNET_MQ_Handle *mq;
-
-  mq = GNUNET_SERVICE_client_get_mq (client);
-#if HAVE_GETADDRINFO_A
-  getaddrinfo_a_resolve (mq,
-                         hostname,
-                         af,
-                         request_id);
-  GNUNET_SERVICE_client_continue (client);
-  return;
-#elif HAVE_GETADDRINFO
-  getaddrinfo_resolve (mq,
-                       hostname,
-                       af,
-                       request_id);
-#elif HAVE_GETHOSTBYNAME2
-  gethostbyname2_resolve (mq,
-                          hostname,
-                          af,
-                          request_id);
-#elif HAVE_GETHOSTBYNAME
-  if ( ( (af == AF_UNSPEC) ||
-         (af == PF_INET) ) )
-    gethostbyname_resolve (mq,
-                           hostname,
-                           request_id);
-#endif
-  // send end message
-  env = GNUNET_MQ_msg (msg,
-                       GNUNET_MESSAGE_TYPE_RESOLVER_RESPONSE);
-  msg->id = request_id;
-  GNUNET_MQ_notify_sent (env,
-                         &notify_service_client_done,
-                         client);
-  GNUNET_MQ_send (mq,
-                  env);
+  struct ResolveCache *pos;
+  struct ResolveCache *next;
+
+  next = cache_head;
+  while ( (NULL != (pos = next)) &&
+          ( (NULL == pos->records_head) ||
+            (0 != strcmp (get_hostname (pos), hostname)) ||
+            (*get_record_type (pos) != record_type) ) )
+  {
+    next = pos->next;
+    remove_if_expired (pos);
+  }
+  if (NULL != pos)
+  {
+    if (GNUNET_NO == remove_if_expired (pos))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "found cache entry for '%s', record type '%u'\n",
+                  hostname,
+                  record_type);
+      struct Record *cache_pos = pos->records_head;
+      while (NULL != cache_pos)
+      {
+        send_reply (cache_pos->record,
+                    request_id,
+                    client);
+        cache_pos = cache_pos->next;
+      }
+      send_end_msg (request_id,
+                    client);
+      return GNUNET_YES;
+    }
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "no cache entry for '%s'\n",
+              hostname);
+  return GNUNET_NO;
 }
 
 
@@ -801,6 +639,23 @@ check_get (void *cls,
 }
 
 
+static void
+process_get (const char *hostname,
+             uint16_t record_type,
+             uint16_t request_id,
+             struct GNUNET_SERVICE_Client *client)
+{
+  if (GNUNET_NO == try_cache (hostname, record_type, request_id, client))
+  {
+    int result = resolve_and_cache (hostname,
+                                    record_type,
+                                    request_id,
+                                    client);
+    GNUNET_assert (GNUNET_OK == result);
+  }
+}
+
+
 /**
  * Handle GET-message.
  *
@@ -812,45 +667,100 @@ handle_get (void *cls,
             const struct GNUNET_RESOLVER_GetMessage *msg)
 {
   struct GNUNET_SERVICE_Client *client = cls;
-  const void *ip;
   int direction;
   int af;
-  uint32_t id;
+  uint16_t request_id;
+  const char *hostname;
 
   direction = ntohl (msg->direction);
   af = ntohl (msg->af);
-  id = ntohl (msg->id);
+  request_id = ntohs (msg->id);
   if (GNUNET_NO == direction)
   {
     /* IP from hostname */
-    const char *hostname;
-
-    hostname = (const char *) &msg[1];
-    get_ip_from_hostname (client,
-                          hostname,
-                          af,
-                          id);
-    return;
+    hostname = GNUNET_strdup ((const char *) &msg[1]);
+    switch (af)
+    {
+      case AF_UNSPEC:
+      {
+        process_get (hostname, GNUNET_DNSPARSER_TYPE_ALL, request_id, client);
+        break;
+      }
+      case AF_INET:
+      {
+        process_get (hostname, GNUNET_DNSPARSER_TYPE_A, request_id, client);
+        break;
+      }
+      case AF_INET6:
+      {
+        process_get (hostname, GNUNET_DNSPARSER_TYPE_AAAA, request_id, client);
+        break;
+      }
+      default:
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "got invalid af: %d\n",
+                  af);
+        GNUNET_assert (0);
+      }
+    }
+  }
+  else
+  {
+    /* hostname from IP */
+    hostname = make_reverse_hostname (&msg[1], af); 
+    process_get (hostname, GNUNET_DNSPARSER_TYPE_PTR, request_id, client);
   }
-  ip = &msg[1];
+  GNUNET_free_non_null ((char *)hostname);
+  GNUNET_SERVICE_client_continue (client);
+}
 
-#if !defined(GNUNET_CULL_LOGGING)
+
+static void 
+shutdown_task (void *cls)
+{
+  (void) cls;
+  struct ResolveCache *pos;
+
+  while (NULL != (pos = cache_head))
   {
-    char buf[INET6_ADDRSTRLEN];
+    GNUNET_CONTAINER_DLL_remove (cache_head,
+                                 cache_tail,
+                                 pos);
+    free_cache_entry (pos);
+  }
+  GNUNET_DNSSTUB_stop (dnsstub_ctx);
+}
+
 
+static void
+init_cb (void *cls,
+         const struct GNUNET_CONFIGURATION_Handle *cfg,
+         struct GNUNET_SERVICE_Handle *sh)
+{
+  (void) cfg;
+  (void) sh;
+
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task,
+                                 cls);
+  dnsstub_ctx = GNUNET_DNSSTUB_start (128);
+  char **dns_servers;
+  ssize_t num_dns_servers = lookup_dns_servers (&dns_servers);
+  if (0 == num_dns_servers)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "no DNS server available. DNS resolution will not be possible.\n");
+  }
+  for (int i = 0; i != num_dns_servers; i++)
+  {
+    int result = GNUNET_DNSSTUB_add_dns_ip (dnsstub_ctx, dns_servers[i]);
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-                "Resolver asked to look up IP address `%s (request ID %u)'.\n",
-                inet_ntop (af,
-                           ip,
-                           buf,
-                           sizeof (buf)),
-                id);
+                "Adding DNS server '%s': %s\n",
+                dns_servers[i],
+                GNUNET_OK == result ? "success" : "failure");
+    GNUNET_free (dns_servers[i]);
   }
-#endif
-  get_ip_as_string (client,
-                    af,
-                    ip,
-                    id);
+  GNUNET_free_non_null (dns_servers);
 }
 
 
@@ -870,19 +780,6 @@ connect_cb (void *cls,
   (void) cls;
   (void) mq;
 
-#if HAVE_GETADDRINFO_A
-  resolve_result_pipe = GNUNET_DISK_pipe (GNUNET_NO,
-                                          GNUNET_NO,
-                                          GNUNET_NO,
-                                          GNUNET_NO);
-  GNUNET_assert (NULL != resolve_result_pipe);
-  resolve_result_pipe_task =
-    GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
-                                    GNUNET_DISK_pipe_handle (resolve_result_pipe,
-                                                             GNUNET_DISK_PIPE_END_READ),
-                                    &resolve_result_pipe_cb,
-                                    NULL);
-#endif
   return c;
 }
 
@@ -900,19 +797,16 @@ disconnect_cb (void *cls,
                void *internal_cls)
 {
   (void) cls;
+  struct ResolveCache *pos = cache_head; 
 
-#if HAVE_GETADDRINFO_A
-  if (NULL != resolve_result_pipe_task)
-  {
-    GNUNET_SCHEDULER_cancel (resolve_result_pipe_task);
-    resolve_result_pipe_task = NULL;
-  }
-  if (NULL != resolve_result_pipe)
+  while (NULL != pos)
   {
-    GNUNET_DISK_pipe_close (resolve_result_pipe);
-    resolve_result_pipe = NULL;
+    if (pos->client == c)
+    {
+      pos->client = NULL;
+    }
+    pos = pos->next;
   }
-#endif
   GNUNET_assert (c == internal_cls);
 }
 
@@ -923,7 +817,7 @@ disconnect_cb (void *cls,
 GNUNET_SERVICE_MAIN
 ("resolver",
  GNUNET_SERVICE_OPTION_NONE,
- NULL,
+ &init_cb,
  &connect_cb,
  &disconnect_cb,
  NULL,
@@ -950,23 +844,4 @@ GNUNET_RESOLVER_memory_init ()
 #endif
 
 
-/**
- * Free globals on exit.
- */
-void __attribute__ ((destructor))
-GNUNET_RESOLVER_memory_done ()
-{
-  struct IPCache *pos;
-
-  while (NULL != (pos = cache_head))
-  {
-    GNUNET_CONTAINER_DLL_remove (cache_head,
-                                 cache_tail,
-                                 pos);
-    GNUNET_free_non_null (pos->addr);
-    GNUNET_free (pos);
-  }
-}
-
-
 /* end of gnunet-service-resolver.c */
diff --git a/contrib/timeout_watchdog_w32.c b/src/util/gnunet-timeout-w32.c
index 901eb6207..78b268fe2 100644
--- a/contrib/timeout_watchdog_w32.c
+++ b/src/util/gnunet-timeout-w32.c
@@ -11,13 +11,13 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 /**
- * @file contrib/timeout_watchdog_w32.c
+ * @file src/util/gnunet-timeout-w32.c
  * @brief small tool starting a child process, waiting that it terminates or killing it after a given timeout period
  * @author LRN
  */
@@ -182,7 +182,7 @@ main (int argc, char *argv[])
     exit (0);
   }
   printf ("Child processes were killed after timeout of %u seconds\n",
-              timeout);
+          timeout);
   TerminateJobObject (job, 1);
   CloseHandle (proc.hProcess);
   exit (1);
diff --git a/contrib/timeout_watchdog.c b/src/util/gnunet-timeout.c
index 70e840d55..8dfb6ad17 100644
--- a/contrib/timeout_watchdog.c
+++ b/src/util/gnunet-timeout.c
@@ -11,13 +11,13 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 /**
- * @file contrib/timeout_watchdog.c
+ * @file src/util/gnunet-timeout.c
  * @brief small tool starting a child process, waiting that it terminates or killing it after a given timeout period
  * @author Matthias Wachs
  */
@@ -39,25 +39,35 @@ sigchld_handler (int val)
   int ret = 0;
 
   (void) val;
-  waitpid (child, &status, 0);
+  waitpid (child,
+           &status,
+           0);
   if (WIFEXITED (status) != 0)
-    {
-      ret = WEXITSTATUS (status);
-      printf ("Test process exited with result %u\n", ret);
-    }
+  {
+    ret = WEXITSTATUS (status);
+    fprintf (stderr,
+             "Process exited with result %u\n",
+             ret);
+    exit (ret); /* return same status code */
+  }
   if (WIFSIGNALED (status) != 0)
-    {
-      ret = WTERMSIG (status);
-      printf ("Test process was signaled %u\n", ret);
-    }
-  exit (ret);
+  {
+    ret = WTERMSIG (status);
+    fprintf (stderr,
+             "Process received signal %u\n",
+             ret);
+    kill (getpid (),
+          ret); /* kill self with the same signal */
+  }
+  exit (-1);
 }
 
 
 static void
 sigint_handler (int val)
 {
-  kill (0, val);
+  kill (0,
+        val);
   exit (val);
 }
 
@@ -70,18 +80,18 @@ main (int argc,
   pid_t gpid = 0;
 
   if (argc < 3)
-    {
-      printf
-        ("arg 1: timeout in sec., arg 2: executable, arg<n> arguments\n");
-      exit (1);
-    }
+  {
+    fprintf (stderr,
+             "arg 1: timeout in sec., arg 2: executable, arg<n> arguments\n");
+    exit (-1);
+  }
 
   timeout = atoi (argv[1]);
 
   if (timeout == 0)
     timeout = 600;
 
-/* with getpgid() it does not compile, but getpgrp is the BSD version and working */
+  /* with getpgid() it does not compile, but getpgrp is the BSD version and working */
   gpid = getpgrp ();
 
   signal (SIGCHLD, sigchld_handler);
@@ -94,23 +104,25 @@ main (int argc,
 
   child = fork ();
   if (child == 0)
-    {
-      /*  int setpgrp(pid_t pid, pid_t pgid); is not working on this machine */
-      //setpgrp (0, pid_t gpid);
-      if (-1 != gpid)
-        setpgid (0, gpid);
-      execvp (argv[2], &argv[2]);
-      exit (1);
-    }
+  {
+    /*  int setpgrp(pid_t pid, pid_t pgid); is not working on this machine */
+    //setpgrp (0, pid_t gpid);
+    if (-1 != gpid)
+      setpgid (0, gpid);
+    execvp (argv[2],
+            &argv[2]);
+    exit (-1);
+  }
   if (child > 0)
-    {
-      sleep (timeout);
-      printf ("Child processes were killed after timeout of %u seconds\n",
-              timeout);
-      kill (0, SIGTERM);
-      exit (1);
-    }
-  exit (1);
+  {
+    sleep (timeout);
+    printf ("Child processes were killed after timeout of %u seconds\n",
+            timeout);
+    kill (0,
+          SIGTERM);
+    exit (3);
+  }
+  exit (-1);
 }
 
 /* end of timeout_watchdog.c */
diff --git a/src/util/os_priority.c b/src/util/os_priority.c
index d13991334..a758f24f1 100644
--- a/src/util/os_priority.c
+++ b/src/util/os_priority.c
@@ -1588,7 +1588,7 @@ GNUNET_OS_start_process_s (int pipe_control,
 
 
 /**
- * Retrieve the status of a process, waiting on him if dead.
+ * Retrieve the status of a process, waiting on it if dead.
  * Nonblocking version.
  *
  * @param proc process ID
@@ -1705,7 +1705,7 @@ process_status (struct GNUNET_OS_Process *proc,
 
 
 /**
- * Retrieve the status of a process, waiting on him if dead.
+ * Retrieve the status of a process, waiting on it if dead.
  * Nonblocking version.
  *
  * @param proc process ID
@@ -1726,7 +1726,7 @@ GNUNET_OS_process_status (struct GNUNET_OS_Process *proc,
 
 
 /**
- * Retrieve the status of a process, waiting on him if dead.
+ * Retrieve the status of a process, waiting on it if dead.
  * Blocking version.
  *
  * @param proc pointer to process structure
diff --git a/src/tun/regex.c b/src/util/regex.c
index 7565a9eac..7565a9eac 100644
--- a/src/tun/regex.c
+++ b/src/util/regex.c
diff --git a/src/util/resolver.h b/src/util/resolver.h
index a0f105afa..07851d052 100644
--- a/src/util/resolver.h
+++ b/src/util/resolver.h
@@ -60,7 +60,7 @@ struct GNUNET_RESOLVER_GetMessage
    * identifies the request and is contained in the response message. The
    * client has to match response to request by this identifier.
    */
-  uint32_t id GNUNET_PACKED;
+  uint16_t id GNUNET_PACKED;
 
   /* followed by 0-terminated string for A/AAAA-lookup or
      by 'struct in_addr' / 'struct in6_addr' for reverse lookup */
@@ -79,7 +79,7 @@ struct GNUNET_RESOLVER_ResponseMessage
   * identifies the request this message responds to. The client
   * has to match response to request by this identifier.
   */
-  uint32_t id GNUNET_PACKED;
+  uint16_t id GNUNET_PACKED;
 
   /* followed by 0-terminated string for response to a reverse lookup
    * or by 'struct in_addr' / 'struct in6_addr' for response to
diff --git a/src/util/resolver_api.c b/src/util/resolver_api.c
index b94819f06..8a054327b 100644
--- a/src/util/resolver_api.c
+++ b/src/util/resolver_api.c
@@ -68,10 +68,10 @@ static struct GNUNET_RESOLVER_RequestHandle *req_head;
  */
 static struct GNUNET_RESOLVER_RequestHandle *req_tail;
 
-/**
- * ID of the last request we sent to the service
- */
-static uint32_t last_request_id;
+///**
+// * ID of the last request we sent to the service
+// */
+//static uint16_t last_request_id;
 
 /**
  * How long should we wait to reconnect?
@@ -445,7 +445,7 @@ process_requests ()
                              GNUNET_MESSAGE_TYPE_RESOLVER_REQUEST);
   msg->direction = htonl (rh->direction);
   msg->af = htonl (rh->af);
-  msg->id = htonl (rh->id);
+  msg->id = htons (rh->id);
   GNUNET_memcpy (&msg[1],
                  &rh[1],
                  rh->data_len);
@@ -491,7 +491,7 @@ handle_response (void *cls,
   struct GNUNET_RESOLVER_RequestHandle *rh = req_head;
   uint16_t size;
   char *nret;
-  uint32_t request_id = msg->id;
+  uint16_t request_id = msg->id;
 
   for (; rh != NULL; rh = rh->next)
   {
@@ -911,6 +911,14 @@ handle_lookup_timeout (void *cls)
 }
 
 
+static uint16_t
+get_request_id ()
+{
+  return (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
+                                              UINT16_MAX);
+}
+
+
 /**
  * Convert a string to one or more IP addresses.
  *
@@ -945,7 +953,8 @@ GNUNET_RESOLVER_ip_get (const char *hostname,
        hostname);
   rh = GNUNET_malloc (sizeof (struct GNUNET_RESOLVER_RequestHandle) + slen);
   rh->af = af;
-  rh->id = ++last_request_id;
+  //rh->id = ++last_request_id;
+  rh->id = get_request_id ();
   rh->addr_callback = callback;
   rh->cls = callback_cls;
   GNUNET_memcpy (&rh[1],
@@ -1092,7 +1101,8 @@ GNUNET_RESOLVER_hostname_get (const struct sockaddr *sa,
   rh->name_callback = callback;
   rh->cls = cls;
   rh->af = sa->sa_family;
-  rh->id = ++last_request_id;
+  //rh->id = ++last_request_id;
+  rh->id = get_request_id ();
   rh->timeout = GNUNET_TIME_relative_to_absolute (timeout);
   GNUNET_memcpy (&rh[1],
                  ip,
diff --git a/src/util/strings.c b/src/util/strings.c
index 5ed195933..ea3c8cfb9 100644
--- a/src/util/strings.c
+++ b/src/util/strings.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -1947,27 +1947,27 @@ static char *cvt =
 /**
  * Encode into Base64.
  *
- * @param data the data to encode
+ * @param in the data to encode
  * @param len the length of the input
  * @param output where to write the output (*output should be NULL,
  *   is allocated)
  * @return the size of the output
  */
 size_t
-GNUNET_STRINGS_base64_encode (const char *data,
+GNUNET_STRINGS_base64_encode (const void *in,
                               size_t len,
                               char **output)
 {
-  size_t i;
-  char c;
+  const char *data = in;
   size_t ret;
   char *opt;
 
   ret = 0;
   opt = GNUNET_malloc (2 + (len * 4 / 3) + 8);
-  *output = opt;
-  for (i = 0; i < len; ++i)
+  for (size_t i = 0; i < len; ++i)
   {
+    char c;
+
     c = (data[i] >> 2) & 0x3f;
     opt[ret++] = cvt[(int) c];
     c = (data[i] << 4) & 0x3f;
@@ -1997,6 +1997,7 @@ GNUNET_STRINGS_base64_encode (const char *data,
     }
   }
   opt[ret++] = FILLCHAR;
+  *output = opt;
   return ret;
 }
 
@@ -2018,11 +2019,10 @@ GNUNET_STRINGS_base64_encode (const char *data,
  */
 size_t
 GNUNET_STRINGS_base64_decode (const char *data,
-                              size_t len, char **output)
+                              size_t len,
+                              void **out)
 {
-  size_t i;
-  char c;
-  char c1;
+  char *output;
   size_t ret = 0;
 
 #define CHECK_CRLF  while (data[i] == '\r' || data[i] == '\n') {\
@@ -2031,12 +2031,15 @@ GNUNET_STRINGS_base64_decode (const char *data,
                         if (i >= len) goto END;  \
                 }
 
-  *output = GNUNET_malloc ((len * 3 / 4) + 8);
+  output = GNUNET_malloc ((len * 3 / 4) + 8);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "base64_decode decoding len=%d\n",
               (int) len);
-  for (i = 0; i < len; ++i)
+  for (size_t i = 0; i < len; ++i)
   {
+    char c;
+    char c1;
+
     CHECK_CRLF;
     if (FILLCHAR == data[i])
       break;
@@ -2045,7 +2048,7 @@ GNUNET_STRINGS_base64_decode (const char *data,
     CHECK_CRLF;
     c1 = (char) cvtfind (data[i]);
     c = (c << 2) | ((c1 >> 4) & 0x3);
-    (*output)[ret++] = c;
+    output[ret++] = c;
     if (++i < len)
     {
       CHECK_CRLF;
@@ -2054,7 +2057,7 @@ GNUNET_STRINGS_base64_decode (const char *data,
         break;
       c = (char) cvtfind (c);
       c1 = ((c1 << 4) & 0xf0) | ((c >> 2) & 0xf);
-      (*output)[ret++] = c1;
+      output[ret++] = c1;
     }
     if (++i < len)
     {
@@ -2065,15 +2068,13 @@ GNUNET_STRINGS_base64_decode (const char *data,
 
       c1 = (char) cvtfind (c1);
       c = ((c << 6) & 0xc0) | c1;
-      (*output)[ret++] = c;
+      output[ret++] = c;
     }
   }
 END:
+  *out = output;
   return ret;
 }
 
 
-
-
-
 /* end of strings.c */
diff --git a/src/dns/test_hexcoder.c b/src/util/test_hexcoder.c
index 441d7e200..441d7e200 100644
--- a/src/dns/test_hexcoder.c
+++ b/src/util/test_hexcoder.c
diff --git a/src/tun/test_regex.c b/src/util/test_regex.c
index 2e7d52828..2e7d52828 100644
--- a/src/tun/test_regex.c
+++ b/src/util/test_regex.c
diff --git a/src/tun/test_tun.c b/src/util/test_tun.c
index edbd4c05d..edbd4c05d 100644
--- a/src/tun/test_tun.c
+++ b/src/util/test_tun.c
diff --git a/src/tun/tun.c b/src/util/tun.c
index f85f72209..25e729e58 100644
--- a/src/tun/tun.c
+++ b/src/util/tun.c
@@ -11,7 +11,7 @@
      WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Affero General Public License for more details.
-    
+
      You should have received a copy of the GNU Affero General Public License
      along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -23,7 +23,7 @@
  * @author Christian Grothoff
  */
 #include "platform.h"
-#include "gnunet_tun_lib.h"
+#include "gnunet_util_lib.h"
 
 /**
  * IP TTL we use for packets that we assemble (8 bit unsigned integer)
diff --git a/src/vpn/Makefile.am b/src/vpn/Makefile.am
index 5c16fa349..d1f74d35b 100644
--- a/src/vpn/Makefile.am
+++ b/src/vpn/Makefile.am
@@ -57,7 +57,6 @@ gnunet_service_vpn_SOURCES = \
  gnunet-service-vpn.c
 gnunet_service_vpn_LDADD = \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(top_builddir)/src/cadet/libgnunetcadet.la \
   $(top_builddir)/src/regex/libgnunetregex.la \
@@ -69,7 +68,6 @@ gnunet_vpn_SOURCES = \
  gnunet-vpn.c
 gnunet_vpn_LDADD = \
   libgnunetvpn.la \
-  $(top_builddir)/src/tun/libgnunettun.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)