=== modified file 'TODO'
--- TODO	2014-01-20 20:54:47 +0000
+++ TODO	2014-03-06 02:26:04 +0000
@@ -114,10 +114,6 @@
 ** TODO [#B] "--test" option
    For testing decryption before rebooting.
 
-* Makefile
-** TODO [#C] Implement DEB_BUILD_OPTIONS
-   http://www.debian.org/doc/debian-policy/ch-source.html#s-debianrules-options
-
 * Package
 ** /usr/share/initramfs-tools/hooks/mandos
 *** TODO [#C] use same file name rules as run-parts(8)

=== modified file 'plugin-runner.c'
--- plugin-runner.c	2014-03-01 09:47:01 +0000
+++ plugin-runner.c	2014-03-06 02:26:04 +0000
@@ -175,14 +175,16 @@
 static bool add_to_char_array(const char *new, char ***array,
 			      int *len){
   /* Resize the pointed-to array to hold one more pointer */
+  char **new_array = NULL;
   do {
-    *array = realloc(*array, sizeof(char *)
-		     * (size_t) ((*len) + 2));
-  } while(*array == NULL and errno == EINTR);
+    new_array = realloc(*array, sizeof(char *)
+			* (size_t) ((*len) + 2));
+  } while(new_array == NULL and errno == EINTR);
   /* Malloc check */
-  if(*array == NULL){
+  if(new_array == NULL){
     return false;
   }
+  *array = new_array;
   /* Make a copy of the new string */
   char *copy;
   do {
@@ -217,19 +219,19 @@
   /* namelen = length of name of environment variable */
   size_t namelen = (size_t)(strchrnul(def, '=') - def);
   /* Search for this environment variable */
-  for(char **e = p->environ; *e != NULL; e++){
-    if(strncmp(*e, def, namelen + 1) == 0){
+  for(char **envdef = p->environ; *envdef != NULL; envdef++){
+    if(strncmp(*envdef, def, namelen + 1) == 0){
       /* It already exists */
       if(replace){
-	char *new;
+	char *new_envdef;
 	do {
-	  new = realloc(*e, strlen(def) + 1);
-	} while(new == NULL and errno == EINTR);
-	if(new == NULL){
+	  new_envdef = realloc(*envdef, strlen(def) + 1);
+	} while(new_envdef == NULL and errno == EINTR);
+	if(new_envdef == NULL){
 	  return false;
 	}
-	*e = new;
-	strcpy(*e, def);
+	*envdef = new_envdef;
+	strcpy(*envdef, def);
       }
       return true;
     }
@@ -664,13 +666,19 @@
 	}
 	
 	custom_argc += 1;
-	custom_argv = realloc(custom_argv, sizeof(char *)
-			      * ((unsigned int) custom_argc + 1));
-	if(custom_argv == NULL){
-	  error(0, errno, "realloc");
-	  exitstatus = EX_OSERR;
-	  free(org_line);
-	  goto fallback;
+	{
+	  char **new_argv = realloc(custom_argv, sizeof(char *)
+				    * ((unsigned int)
+				       custom_argc + 1));
+	  if(new_argv == NULL){
+	    error(0, errno, "realloc");
+	    exitstatus = EX_OSERR;
+	    free(new_arg);
+	    free(org_line);
+	    goto fallback;
+	  } else {
+	    custom_argv = new_argv;
+	  }
 	}
 	custom_argv[custom_argc-1] = new_arg;
 	custom_argv[custom_argc] = NULL;
@@ -856,11 +864,15 @@
 					   ".dpkg-old",
 					   ".dpkg-bak",
 					   ".dpkg-divert", NULL };
+#ifdef __GNUC__
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wcast-qual"
+#endif
       for(const char **pre = (const char **)bad_prefixes;
 	  *pre != NULL; pre++){
+#ifdef __GNUC__
 #pragma GCC diagnostic pop
+#endif
 	size_t pre_len = strlen(*pre);
 	if((d_name_len >= pre_len)
 	   and strncmp((dirst->d_name), *pre, pre_len) == 0){
@@ -875,11 +887,15 @@
       if(bad_name){
 	continue;
       }
+#ifdef __GNUC__
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wcast-qual"
+#endif
       for(const char **suf = (const char **)bad_suffixes;
 	  *suf != NULL; suf++){
+#ifdef __GNUC__
 #pragma GCC diagnostic pop
+#endif
 	size_t suf_len = strlen(*suf);
 	if((d_name_len >= suf_len)
 	   and (strcmp((dirst->d_name) + d_name_len-suf_len, *suf)
@@ -1234,13 +1250,14 @@
       }
       /* Before reading, make the process' data buffer large enough */
       if(proc->buffer_length + BUFFER_SIZE > proc->buffer_size){
-	proc->buffer = realloc(proc->buffer, proc->buffer_size
-			       + (size_t) BUFFER_SIZE);
-	if(proc->buffer == NULL){
+	char *new_buffer = realloc(proc->buffer, proc->buffer_size
+				   + (size_t) BUFFER_SIZE);
+	if(new_buffer == NULL){
 	  error(0, errno, "malloc");
 	  exitstatus = EX_OSERR;
 	  goto fallback;
 	}
+	proc->buffer = new_buffer;
 	proc->buffer_size += BUFFER_SIZE;
       }
       /* Read from the process */

=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c	2013-12-15 22:21:28 +0000
+++ plugins.d/mandos-client.c	2014-03-06 02:26:04 +0000
@@ -198,10 +198,15 @@
 size_t incbuffer(char **buffer, size_t buffer_length,
 		 size_t buffer_capacity){
   if(buffer_length + BUFFER_SIZE > buffer_capacity){
-    *buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
-    if(buffer == NULL){
+    char *new_buf = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
+    if(new_buf == NULL){
+      int old_errno = errno;
+      free(*buffer);
+      errno = old_errno;
+      *buffer = NULL;
       return 0;
     }
+    *buffer = new_buf;
     buffer_capacity += BUFFER_SIZE;
   }
   return buffer_capacity;
@@ -1488,8 +1493,6 @@
 bool run_network_hooks(const char *mode, const char *interface,
 		       const float delay){
   struct dirent **direntries;
-  struct dirent *direntry;
-  int ret;
   int numhooks = scandir(hookdir, &direntries, runnable_hook,
 			 alphasort);
   if(numhooks == -1){
@@ -1502,6 +1505,8 @@
       perror_plus("scandir");
     }
   } else {
+    struct dirent *direntry;
+    int ret;
     int devnull = open("/dev/null", O_RDONLY);
     for(int i = 0; i < numhooks; i++){
       direntry = direntries[i];
@@ -1727,10 +1732,7 @@
 }
 
 error_t take_down_interface(const char *const interface){
-  int sd = -1;
   error_t old_errno = errno;
-  error_t ret_errno = 0;
-  int ret, ret_setflags;
   struct ifreq network;
   unsigned int if_index = if_nametoindex(interface);
   if(if_index == 0){
@@ -1739,6 +1741,7 @@
     return ENXIO;
   }
   if(interface_is_up(interface)){
+    error_t ret_errno = 0;
     if(not get_flags(interface, &network) and debug){
       ret_errno = errno;
       fprintf_plus(stderr, "Failed to get flags for interface "
@@ -1747,7 +1750,7 @@
     }
     network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
     
-    sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
+    int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
     if(sd < 0){
       ret_errno = errno;
       perror_plus("socket");
@@ -1763,14 +1766,14 @@
     /* Raise priviliges */
     raise_privileges();
     
-    ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
+    int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
     ret_errno = errno;
     
     /* Lower privileges */
     lower_privileges();
     
     /* Close the socket */
-    ret = (int)TEMP_FAILURE_RETRY(close(sd));
+    int ret = (int)TEMP_FAILURE_RETRY(close(sd));
     if(ret == -1){
       perror_plus("close");
     }
@@ -1809,7 +1812,6 @@
   const char *seckey = PATHDIR "/" SECKEY;
   const char *pubkey = PATHDIR "/" PUBKEY;
   char *interfaces_hooks = NULL;
-  size_t interfaces_hooks_size = 0;
   
   bool gnutls_initialized = false;
   bool gpgme_initialized = false;
@@ -2070,9 +2072,7 @@
 	goto end;
       }
       memcpy(interfaces_hooks, mc.interfaces, mc.interfaces_size);
-      interfaces_hooks_size = mc.interfaces_size;
-      argz_stringify(interfaces_hooks, interfaces_hooks_size,
-		     (int)',');
+      argz_stringify(interfaces_hooks, mc.interfaces_size, (int)',');
     }
     if(not run_network_hooks("start", interfaces_hooks != NULL ?
 			     interfaces_hooks : "", delay)){
@@ -2171,6 +2171,7 @@
 	ret_errno = argz_add(&mc.interfaces, &mc.interfaces_size,
 			     direntries[i]->d_name);
 	if(ret_errno != 0){
+	  errno = ret_errno;
 	  perror_plus("argz_add");
 	  continue;
 	}
@@ -2219,6 +2220,10 @@
 	  ret_errno = argz_add(&interfaces_to_take_down,
 			       &interfaces_to_take_down_size,
 			       interface);
+	  if(ret_errno != 0){
+	    errno = ret_errno;
+	    perror_plus("argz_add");
+	  }
 	}
       }
     }

=== modified file 'plugins.d/mandos-client.xml'
--- plugins.d/mandos-client.xml	2014-03-01 09:39:25 +0000
+++ plugins.d/mandos-client.xml	2014-03-06 02:26:04 +0000
@@ -2,7 +2,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
 	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY COMMANDNAME "mandos-client">
-<!ENTITY TIMESTAMP "2014-03-01">
+<!ENTITY TIMESTAMP "2014-03-05">
 <!ENTITY % common SYSTEM "../common.ent">
 %common;
 ]>
@@ -261,10 +261,9 @@
 	  <para>
 	    <replaceable>NAME</replaceable> can be the string
 	    <quote><literal>none</literal></quote>; this will make
-	    <command>&COMMANDNAME;</command> not bring up
-	    <emphasis>any</emphasis> interfaces specified
-	    <emphasis>after</emphasis> this string.  This is not
-	    recommended, and only meant for advanced users.
+	    <command>&COMMANDNAME;</command> only bring up interfaces
+	    specified <emphasis>before</emphasis> this string.  This
+	    is not recommended, and only meant for advanced users.
 	  </para>
 	</listitem>
       </varlistentry>

=== modified file 'plugins.d/password-prompt.c'
--- plugins.d/password-prompt.c	2013-10-20 15:25:09 +0000
+++ plugins.d/password-prompt.c	2014-03-06 02:26:04 +0000
@@ -72,16 +72,6 @@
 /* Needed for conflict resolution */
 const char plymouth_name[] = "plymouthd";
 
-__attribute__((format (gnu_printf, 2, 3), nonnull(1)))
-int fprintf_plus(FILE *stream, const char *format, ...){
-  va_list ap;
-  va_start (ap, format);
-  
-  TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",
-			     program_invocation_short_name));
-  return (int)TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
-}
-
 /* Function to use when printing errors */
 __attribute__((format (gnu_printf, 3, 4)))
 void error_plus(int status, int errnum, const char *formatstring,