gui: Temporarily disable the usage reporting prompt (ref #3301 )

gui, man: Update docs & translations
gui: Modal tweaks
2025-12-24 06:28:10 -05:00 · 2016-06-13 18:06:12 +02:00 · 2016-06-12 16:21:34 +02:00 · 2016-06-12 14:06:48 +00:00 · 2016-06-09 12:30:35 +00:00 · 2016-06-09 10:50:14 +00:00
1283 changed files with 188433 additions and 12737 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,8 +2,7 @@
 *   text=auto

 # Except the dependencies, which we leave alone
-Godeps/**   -text=auto
+vendor/**   -text=auto

 # Diffs on these files are meaningless
-gui.files.go    -diff
 *.svg           -diff
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
-syncthing
-!gui/syncthing
-!Godeps/_workspace/src/github.com/syncthing
+/syncthing
+/discosrv
 syncthing.exe
+discosrv.exe
 *.tar.gz
 *.zip
 *.asc
@@ -14,3 +14,4 @@ coverage.xml
 syncthing.sig
 RELEASE
 deb
+lib/auto/gui.files.go
--- a/172
+++ b/172
@@ -1,79 +1,97 @@
 # This is the official list of Syncthing authors for copyright purposes.
+# The format is:
+#
+#    Name Name Name (nickname) <email1@example.com> <email2@example.com>
+#
+# The NICKS list is auto generated from this file.

-Aaron Bieber <qbit@deftly.net>
-Adam Piggott <aD@simplypeachy.co.uk> <simplypeachy@users.noreply.github.com>
-Alexander Graf <register-github@alex-graf.de>
-Anderson Mesquita <andersonvom@gmail.com>
-Andrew Dunham <andrew@du.nham.ca>
-Antony Male <antony.male@gmail.com>
-Arthur Axel fREW Schmidt <frew@afoolishmanifesto.com> <frioux@gmail.com>
-Audrius Butkevicius <audrius.butkevicius@gmail.com>
-Bart De Vries <devriesb@gmail.com>
-Ben Curthoys <ben@bencurthoys.com>
-Ben Schulz <ueomkail@gmail.com> <uok@users.noreply.github.com>
-Ben Sidhom <bsidhom@gmail.com>
-Brandon Philips <brandon@ifup.org>
-Brendan Long <self@brendanlong.com>
-Brian R. Becker <brbecker@gmail.com>
-Caleb Callaway <enlightened.despot@gmail.com>
-Carsten Hagemann <moter8@gmail.com>
-Cathryne Linenweaver <cathryne.linenweaver@gmail.com> <Cathryne@users.noreply.github.com>
-Chris Howie <me@chrishowie.com>
-Chris Joel <chris@scriptolo.gy>
-Colin Kennedy <moshen.colin@gmail.com>
-Daniel Bergmann <dan.arne.bergmann@gmail.com> <brgmnn@users.noreply.github.com>
-Daniel Martí <mvdan@mvdan.cc>
-Denis A. <denisva@gmail.com>
-Dennis Wilson <dw@risu.io>
-Dominik Heidler <dominik@heidler.eu>
-Elias Jarlebring <jarlebring@gmail.com>
-Emil Hessman <emil@hessman.se>
-Erik Meitner <e.meitner@willystreet.coop>
-Federico Castagnini <federico.castagnini@gmail.com>
-Felix Ableitner <me@nutomic.com>
-Felix Unterpaintner <bigbear2nd@gmail.com>
-Francois-Xavier Gsell <fxgsell@gmail.com>
-Frank Isemann <frank@isemann.name>
-Gilli Sigurdsson <gilli@vx.is>
-Jaakko Hannikainen <jgke@jgke.fi>
-Jacek Szafarkiewicz <szafar@linux.pl>
-Jake Peterson <jake@acogdev.com>
-Jakob Borg <jakob@nym.se>
-James Patterson <jamespatterson@operamail.com> <jpjp@users.noreply.github.com>
-Jaroslav Malec <dzardacz@gmail.com>
-Jens Diemer <github.com@jensdiemer.de> <git@jensdiemer.de>
-Jochen Voss <voss@seehuhn.de>
-Johan Vromans <jvromans@squirrel.nl>
-Karol Różycki <rozycki.karol@gmail.com>
-Ken'ichi Kamada <kamada@nanohz.org>
-Lode Hoste <zillode@zillode.be>
-Lord Landon Agahnim <lordlandon@gmail.com>
-Marc Laporte <marc@marclaporte.com> <marc@laporte.name>
-Marc Pujol <kilburn@la3.org>
-Marcin Dziadus <dziadus.marcin@gmail.com>
-Mateusz Naściszewski <matin1111@wp.pl>
-Matt Burke <mburke@amplify.com> <burkemw3@gmail.com>
-Michael Jephcote <rewt0r@gmx.com> <Rewt0r@users.noreply.github.com>
-Michael Ploujnikov <ploujj@gmail.com>
-Michael Tilli <pyfisch@gmail.com>
-Nate Morrison <natemorrison@gmail.com>
-Pascal Jungblut <github@pascalj.com> <mail@pascal-jungblut.com>
-Peter Hoeg <peter@speartail.com>
-Philippe Schommers <philippe@schommers.be>
-Phill Luby <phill.luby@newredo.com>
-Piotr Bejda <piotrb10@gmail.com>
-Ryan Sullivan <kayoticsully@gmail.com>
-Scott Klupfel <kluppy@going2blue.com>
-Sergey Mishin <ralder@yandex.ru>
-Stefan Kuntz <stefan.github@gmail.com> <Stefan.github@gmail.com>
-Stefan Tatschner <stefan@sevenbyte.org> <rumpelsepp@sevenbyte.org>
-Tim Abell <tim@timwise.co.uk>
-Tobias Nygren <tnn@nygren.pp.se>
-Tomas Cerveny <kozec@kozec.com>
-Tully Robinson <tully@tojr.org>
-Tyler Brazier <tyler@tylerbrazier.com>
-Veeti Paananen <veeti.paananen@rojekti.fi>
-Victor Buinsky <vix_booja@tut.by>
-Vil Brekin <vilbrekin@gmail.com>
-William A. Kennington III <william@wkennington.com>
-Yannic A. <eipiminusone+github@gmail.com> <eipiminus1@users.noreply.github.com>
+Aaron Bieber (qbit) <qbit@deftly.net>
+Adam Piggott (simplypeachy) <aD@simplypeachy.co.uk> <simplypeachy@users.noreply.github.com>
+Alessandro G. (alessandro.g89) <alessandro.g89@gmail.com>
+Alexander Graf (alex2108) <register-github@alex-graf.de>
+Alexandre Viau (aviau) <alexandre@alexandreviau.net> <aviau@debian.org>
+Anderson Mesquita (andersonvom) <andersonvom@gmail.com>
+Andrew Dunham (andrew-d) <andrew@du.nham.ca>
+Andrey D (scienmind) <scintertech@cryptolab.net>
+Antony Male (canton7) <antony.male@gmail.com>
+Arthur Axel fREW Schmidt (frioux) <frew@afoolishmanifesto.com> <frioux@gmail.com>
+Audrius Butkevicius (AudriusButkevicius) <audrius.butkevicius@gmail.com>
+Bart De Vries (mogwa1) <devriesb@gmail.com>
+Ben Curthoys (bencurthoys) <ben@bencurthoys.com>
+Ben Schulz (uok) <ueomkail@gmail.com> <uok@users.noreply.github.com>
+Ben Sidhom (bsidhom) <bsidhom@gmail.com>
+Benny Ng (tpng) <benny.tpng@gmail.com>
+Brandon Philips (philips) <brandon@ifup.org>
+Brendan Long (brendanlong) <self@brendanlong.com>
+Brian R. Becker (brbecker) <brbecker@gmail.com>
+Caleb Callaway (cqcallaw) <enlightened.despot@gmail.com>
+Carsten Hagemann (Moter8) <moter8@gmail.com>
+Cathryne Linenweaver (Cathryne) <cathryne.linenweaver@gmail.com> <Cathryne@users.noreply.github.com>
+Chris Howie (cdhowie) <me@chrishowie.com>
+Chris Joel (cdata) <chris@scriptolo.gy>
+Colin Kennedy (moshen) <moshen.colin@gmail.com>
+Daniel Bergmann (brgmnn) <dan.arne.bergmann@gmail.com> <brgmnn@users.noreply.github.com>
+Daniel Harte (norgeous) <daniel@harte.me> <daniel@danielharte.co.uk> <norgeous@users.noreply.github.com>
+Daniel Martí (mvdan) <mvdan@mvdan.cc>
+David Rimmer (dinosore) <dinosore@dbrsoftware.co.uk>
+Denis A. (dva) <denisva@gmail.com>
+Dennis Wilson (snnd) <dw@risu.io>
+Dominik Heidler (asdil12) <dominik@heidler.eu>
+Elias Jarlebring (jarlebring) <jarlebring@gmail.com>
+Emil Hessman (ceh) <emil@hessman.se>
+Erik Meitner (WSGCSysadmin) <e.meitner@willystreet.coop>
+Federico Castagnini (facastagnini) <federico.castagnini@gmail.com>
+Felix Ableitner (Nutomic) <me@nutomic.com>
+Felix Unterpaintner (bigbear2nd) <bigbear2nd@gmail.com>
+Francois-Xavier Gsell (zukoo) <fxgsell@gmail.com>
+Frank Isemann (fti7) <frank@isemann.name>
+Gilli Sigurdsson (gillisig) <gilli@vx.is>
+Jaakko Hannikainen (jgke) <jgke@jgke.fi>
+Jacek Szafarkiewicz (hadogenes) <szafar@linux.pl>
+Jake Peterson (acogdev) <jake@acogdev.com>
+Jakob Borg (calmh) <jakob@nym.se>
+James Patterson (jpjp) <jamespatterson@operamail.com> <jpjp@users.noreply.github.com>
+Jaroslav Malec (dzarda) <dzardacz@gmail.com>
+Jens Diemer (jedie) <github.com@jensdiemer.de> <git@jensdiemer.de>
+Jochen Voss (seehuhn) <voss@seehuhn.de>
+Johan Vromans (sciurius) <jvromans@squirrel.nl>
+Karol Różycki (krozycki) <rozycki.karol@gmail.com>
+Kelong Cong (kc1212) <kc04bc@gmx.com> <kc1212@users.noreply.github.com>
+Ken'ichi Kamada (kamadak) <kamada@nanohz.org>
+Kevin Allen (ironmig) <kma1660@gmail.com>
+Lars K.W. Gohlke (lkwg82) <lkwg82@gmx.de>
+Laurent Etiemble (letiemble) <laurent.etiemble@gmail.com> <laurent.etiemble@monobjc.net>
+Lode Hoste (Zillode) <zillode@zillode.be>
+Lord Landon Agahnim (LordLandon) <lordlandon@gmail.com>
+Majed Abdulaziz (majedev) <majed.alhajry@gmail.com>
+Marc Laporte (marclaporte) <marc@marclaporte.com> <marc@laporte.name>
+Marc Pujol (kilburn) <kilburn@la3.org>
+Marcin Dziadus (marcindziadus) <dziadus.marcin@gmail.com>
+Mateusz Naściszewski (mateon1) <matin1111@wp.pl>
+Matt Burke (burkemw3) <mburke@amplify.com> <burkemw3@gmail.com>
+Max Schulze (kralo) <max.schulze@online.de> <kralo@users.noreply.github.com>
+Michael Jephcote (Rewt0r) <rewt0r@gmx.com> <Rewt0r@users.noreply.github.com>
+Michael Ploujnikov (plouj) <ploujj@gmail.com>
+Michael Tilli (pyfisch) <pyfisch@gmail.com>
+Nate Morrison (nrm21) <natemorrison@gmail.com>
+Pascal Jungblut (pascalj) <github@pascalj.com> <mail@pascal-jungblut.com>
+Peter Hoeg (peterhoeg) <peter@speartail.com>
+Philippe Schommers (filoozoom) <philippe@schommers.be>
+Phill Luby (pluby) <phill.luby@newredo.com>
+Piotr Bejda (piobpl) <piotrb10@gmail.com>
+Ryan Sullivan (KayoticSully) <kayoticsully@gmail.com>
+Scott Klupfel (kluppy) <kluppy@going2blue.com>
+Sergey Mishin (ralder) <ralder@yandex.ru>
+Stefan Kuntz (Stefan-Code) <stefan.github@gmail.com> <Stefan.github@gmail.com>
+Stefan Tatschner (rumpelsepp) <stefan@sevenbyte.org> <rumpelsepp@sevenbyte.org>
+Tim Abell (timabell) <tim@timwise.co.uk>
+Tobias Nygren (tnn2) <tnn@nygren.pp.se>
+Tomas Cerveny (kozec) <kozec@kozec.com>
+Tully Robinson (tojrobinson) <tully@tojr.org>
+Tyler Brazier (tylerbrazier) <tyler@tylerbrazier.com>
+Veeti Paananen (veeti) <veeti.paananen@rojekti.fi>
+Victor Buinsky (buinsky) <vix_booja@tut.by>
+Vil Brekin (Vilbrekin) <vilbrekin@gmail.com>
+William A. Kennington III (wkennington) <william@wkennington.com>
+Wulf Weich (wweich) <wweich@users.noreply.github.com> <wweich@gmx.de>
+Yannic A. (eipiminus1) <eipiminusone+github@gmail.com> <eipiminus1@users.noreply.github.com>
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -44,9 +44,20 @@ repository](https://github.com/syncthing/docs).

 ## Licensing

-All contributions are made under the same MPLv2 license as the rest of
-the project, except documentation, user interface text and translation
-strings which are licensed under the Creative Commons Attribution 4.0
-International License. You retain the copyright to code you have
-written.
+All contributions are made available under the same license as the already
+existing material being contributed to. For most of the project and unless
+otherwise stated this means MPLv2, but there are exceptions:
+
+- Certain commands (under cmd/...) may have a separate license, indicated by
+  the presence of a LICENSE file in the corresponding directory.
+
+- The documentation (man/...) is licensed under the Creative Commons
+  Attribution 4.0 International License.
+
+- Projects under vendor/... are copyright by and licensed from their
+  respective original authors. Contributions should be made to the original
+  project, not here.
+
+Regardless of the license in effect, you retain the copyright to your
+contribution.

--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,90 +0,0 @@
-{
-	"ImportPath": "github.com/syncthing/syncthing",
-	"GoVersion": "go1.5.2",
-	"Packages": [
-		"./cmd/..."
-	],
-	"Deps": [
-		{
-			"ImportPath": "github.com/bkaradzic/go-lz4",
-			"Rev": "74ddf82598bc4745b965729e9c6a463bedd33049"
-		},
-		{
-			"ImportPath": "github.com/calmh/du",
-			"Rev": "3c0690cca16228b97741327b1b6781397afbdb24"
-		},
-		{
-			"ImportPath": "github.com/calmh/luhn",
-			"Rev": "0c8388ff95fa92d4094011e5a04fc99dea3d1632"
-		},
-		{
-			"ImportPath": "github.com/calmh/xdr",
-			"Rev": "9eb3e1a622d9364deb39c831f7e5f164393d7e37"
-		},
-		{
-			"ImportPath": "github.com/golang/snappy",
-			"Rev": "723cc1e459b8eea2dea4583200fd60757d40097a"
-		},
-		{
-			"ImportPath": "github.com/juju/ratelimit",
-			"Rev": "772f5c38e468398c4511514f4f6aa9a4185bc0a0"
-		},
-		{
-			"ImportPath": "github.com/kardianos/osext",
-			"Rev": "431e263e413efe4446ede50cec4819b26659fbe7"
-		},
-		{
-			"ImportPath": "github.com/rcrowley/go-metrics",
-			"Rev": "1ce93efbc8f9c568886b2ef85ce305b2217b3de3"
-		},
-		{
-			"ImportPath": "github.com/syndtr/goleveldb/leveldb",
-			"Rev": "1a9d62f03ea92815b46fcaab357cfd4df264b1a0"
-		},
-		{
-			"ImportPath": "github.com/thejerf/suture",
-			"Comment": "v1.0.1",
-			"Rev": "99c1f2d613756768fc4299acd9dc621e11ed3fd7"
-		},
-		{
-			"ImportPath": "github.com/vitrun/qart/coding",
-			"Rev": "ccb109cf25f0cd24474da73b9fee4e7a3e8a8ce0"
-		},
-		{
-			"ImportPath": "github.com/vitrun/qart/gf256",
-			"Rev": "ccb109cf25f0cd24474da73b9fee4e7a3e8a8ce0"
-		},
-		{
-			"ImportPath": "github.com/vitrun/qart/qr",
-			"Rev": "ccb109cf25f0cd24474da73b9fee4e7a3e8a8ce0"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/bcrypt",
-			"Rev": "575fdbe86e5dd89229707ebec0575ce7d088a4a6"
-		},
-		{
-			"ImportPath": "golang.org/x/crypto/blowfish",
-			"Rev": "575fdbe86e5dd89229707ebec0575ce7d088a4a6"
-		},
-		{
-			"ImportPath": "golang.org/x/net/internal/iana",
-			"Rev": "042ba42fa6633b34205efc66ba5719cd3afd8d38"
-		},
-		{
-			"ImportPath": "golang.org/x/net/ipv6",
-			"Rev": "042ba42fa6633b34205efc66ba5719cd3afd8d38"
-		},
-		{
-			"ImportPath": "golang.org/x/net/proxy",
-			"Rev": "042ba42fa6633b34205efc66ba5719cd3afd8d38"
-		},
-		{
-			"ImportPath": "golang.org/x/text/transform",
-			"Rev": "5eb8d4684c4796dd36c74f6452f2c0fa6c79597e"
-		},
-		{
-			"ImportPath": "golang.org/x/text/unicode/norm",
-			"Rev": "5eb8d4684c4796dd36c74f6452f2c0fa6c79597e"
-		}
-	]
-}
--- a/Godeps/Readme
+++ b/Godeps/Readme
@@ -1,5 +0,0 @@
-This directory tree is generated automatically by godep.
-
-Please do not edit.
-
-See https://github.com/tools/godep for more information.
--- a/Godeps/_workspace/.gitignore
+++ b/Godeps/_workspace/.gitignore
@@ -1,2 +0,0 @@
-/pkg
-/bin
--- a/Godeps/_workspace/src/github.com/bkaradzic/go-lz4/.gitignore
+++ b/Godeps/_workspace/src/github.com/bkaradzic/go-lz4/.gitignore
@@ -1 +0,0 @@
-/lz4-example/lz4-example
--- a/Godeps/_workspace/src/github.com/bkaradzic/go-lz4/.travis.yml
+++ b/Godeps/_workspace/src/github.com/bkaradzic/go-lz4/.travis.yml
@@ -1,9 +0,0 @@
-language: go
-
-go:
-  - 1.1
-  - 1.2
-  - 1.3
-  - 1.4
-  - 1.5
-  - tip
--- a/Godeps/_workspace/src/github.com/calmh/xdr/.gitignore
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/.gitignore
@@ -1 +0,0 @@
-coverage.out
--- a/Godeps/_workspace/src/github.com/calmh/xdr/.travis.yml
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/.travis.yml
@@ -1,19 +0,0 @@
-language: go
-go:
- tip
-
-install:
- export PATH=$PATH:$HOME/gopath/bin
- go get golang.org/x/tools/cover
- go get github.com/mattn/goveralls
-
-script:
- ./generate.sh
- go test -coverprofile=coverage.out
-
-after_success:
- goveralls -coverprofile=coverage.out -service=travis-ci -package=calmh/xdr -repotoken="$COVERALLS_TOKEN"
-
-env:
-  global:
-    secure: SmgnrGfp2zLrA44ChRMpjPeujubt9veZ8Fx/OseMWECmacyV5N/TuDhzIbwo6QwV4xB0sBacoPzvxQbJRVjNKsPiSu72UbcQmQ7flN4Tf7nW09tSh1iW8NgrpBCq/3UYLoBu2iPBEBKm93IK0aGNAKs6oEkB0fU27iTVBwiTXOY=
--- a/Godeps/_workspace/src/github.com/calmh/xdr/debug.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/debug.go
@@ -1,16 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-package xdr
-
-import (
-	"log"
-	"os"
-)
-
-var (
-	debug = len(os.Getenv("XDRTRACE")) > 0
-	dl    = log.New(os.Stdout, "xdr: ", log.Lshortfile|log.Ltime|log.Lmicroseconds)
-)
-
-const maxDebugBytes = 32
--- a/Godeps/_workspace/src/github.com/calmh/xdr/pad_ipdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/pad_ipdr.go
@@ -1,10 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-// +build ipdr
-
-package xdr
-
-func pad(l int) int {
-	return 0
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/pad_xdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/pad_xdr.go
@@ -1,14 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-// +build !ipdr
-
-package xdr
-
-func pad(l int) int {
-	d := l % 4
-	if d == 0 {
-		return 0
-	}
-	return 4 - d
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/reader.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/reader.go
@@ -1,171 +0,0 @@
-// Copyright (C) 2014 Jakob Borg and Contributors (see the CONTRIBUTORS file).
-// All rights reserved. Use of this source code is governed by an MIT-style
-// license that can be found in the LICENSE file.
-
-package xdr
-
-import (
-	"fmt"
-	"io"
-	"reflect"
-	"unsafe"
-)
-
-type Reader struct {
-	r   io.Reader
-	err error
-	b   [8]byte
-}
-
-func NewReader(r io.Reader) *Reader {
-	return &Reader{
-		r: r,
-	}
-}
-
-func (r *Reader) ReadRaw(bs []byte) (int, error) {
-	if r.err != nil {
-		return 0, r.err
-	}
-
-	var n int
-	n, r.err = io.ReadFull(r.r, bs)
-	return n, r.err
-}
-
-func (r *Reader) ReadString() string {
-	return r.ReadStringMax(0)
-}
-
-func (r *Reader) ReadStringMax(max int) string {
-	buf := r.ReadBytesMaxInto(max, nil)
-	bh := (*reflect.SliceHeader)(unsafe.Pointer(&buf))
-	sh := reflect.StringHeader{
-		Data: bh.Data,
-		Len:  bh.Len,
-	}
-	return *((*string)(unsafe.Pointer(&sh)))
-}
-
-func (r *Reader) ReadBytes() []byte {
-	return r.ReadBytesInto(nil)
-}
-
-func (r *Reader) ReadBytesMax(max int) []byte {
-	return r.ReadBytesMaxInto(max, nil)
-}
-
-func (r *Reader) ReadBytesInto(dst []byte) []byte {
-	return r.ReadBytesMaxInto(0, dst)
-}
-
-func (r *Reader) ReadBytesMaxInto(max int, dst []byte) []byte {
-	if r.err != nil {
-		return nil
-	}
-
-	l := int(r.ReadUint32())
-	if r.err != nil {
-		return nil
-	}
-	if l < 0 || max > 0 && l > max {
-		// l may be negative on 32 bit builds
-		r.err = ElementSizeExceeded("bytes field", l, max)
-		return nil
-	}
-
-	if fullLen := l + pad(l); fullLen > len(dst) {
-		dst = make([]byte, fullLen)
-	} else {
-		dst = dst[:fullLen]
-	}
-
-	var n int
-	n, r.err = io.ReadFull(r.r, dst)
-	if r.err != nil {
-		if debug {
-			dl.Printf("rd bytes (%d): %v", len(dst), r.err)
-		}
-		return nil
-	}
-
-	if debug {
-		if n > maxDebugBytes {
-			dl.Printf("rd bytes (%d): %x...", len(dst), dst[:maxDebugBytes])
-		} else {
-			dl.Printf("rd bytes (%d): %x", len(dst), dst)
-		}
-	}
-	return dst[:l]
-}
-
-func (r *Reader) ReadBool() bool {
-	return r.ReadUint8() != 0
-}
-
-func (r *Reader) ReadUint32() uint32 {
-	if r.err != nil {
-		return 0
-	}
-
-	_, r.err = io.ReadFull(r.r, r.b[:4])
-	if r.err != nil {
-		if debug {
-			dl.Printf("rd uint32: %v", r.err)
-		}
-		return 0
-	}
-
-	v := uint32(r.b[3]) | uint32(r.b[2])<<8 | uint32(r.b[1])<<16 | uint32(r.b[0])<<24
-
-	if debug {
-		dl.Printf("rd uint32=%d (0x%08x)", v, v)
-	}
-	return v
-}
-
-func (r *Reader) ReadUint64() uint64 {
-	if r.err != nil {
-		return 0
-	}
-
-	_, r.err = io.ReadFull(r.r, r.b[:8])
-	if r.err != nil {
-		if debug {
-			dl.Printf("rd uint64: %v", r.err)
-		}
-		return 0
-	}
-
-	v := uint64(r.b[7]) | uint64(r.b[6])<<8 | uint64(r.b[5])<<16 | uint64(r.b[4])<<24 |
-		uint64(r.b[3])<<32 | uint64(r.b[2])<<40 | uint64(r.b[1])<<48 | uint64(r.b[0])<<56
-
-	if debug {
-		dl.Printf("rd uint64=%d (0x%016x)", v, v)
-	}
-	return v
-}
-
-type XDRError struct {
-	op  string
-	err error
-}
-
-func (e XDRError) Error() string {
-	return "xdr " + e.op + ": " + e.err.Error()
-}
-
-func (e XDRError) IsEOF() bool {
-	return e.err == io.EOF
-}
-
-func (r *Reader) Error() error {
-	if r.err == nil {
-		return nil
-	}
-	return XDRError{"read", r.err}
-}
-
-func ElementSizeExceeded(field string, size, limit int) error {
-	return fmt.Errorf("%s exceeds size limit; %d > %d", field, size, limit)
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/reader_ipdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/reader_ipdr.go
@@ -1,49 +0,0 @@
-// Copyright (C) 2014 Jakob Borg and Contributors (see the CONTRIBUTORS file).
-// All rights reserved. Use of this source code is governed by an MIT-style
-// license that can be found in the LICENSE file.
-
-// +build ipdr
-
-package xdr
-
-import "io"
-
-func (r *Reader) ReadUint8() uint8 {
-	if r.err != nil {
-		return 0
-	}
-
-	_, r.err = io.ReadFull(r.r, r.b[:1])
-	if r.err != nil {
-		if debug {
-			dl.Printf("rd uint8: %v", r.err)
-		}
-		return 0
-	}
-
-	if debug {
-		dl.Printf("rd uint8=%d (0x%02x)", r.b[0], r.b[0])
-	}
-	return r.b[0]
-}
-
-func (r *Reader) ReadUint16() uint16 {
-	if r.err != nil {
-		return 0
-	}
-
-	_, r.err = io.ReadFull(r.r, r.b[:2])
-	if r.err != nil {
-		if debug {
-			dl.Printf("rd uint16: %v", r.err)
-		}
-		return 0
-	}
-
-	v := uint16(r.b[1]) | uint16(r.b[0])<<8
-
-	if debug {
-		dl.Printf("rd uint16=%d (0x%04x)", v, v)
-	}
-	return v
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/reader_xdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/reader_xdr.go
@@ -1,15 +0,0 @@
-// Copyright (C) 2014 Jakob Borg and Contributors (see the CONTRIBUTORS file).
-// All rights reserved. Use of this source code is governed by an MIT-style
-// license that can be found in the LICENSE file.
-
-// +build !ipdr
-
-package xdr
-
-func (r *Reader) ReadUint8() uint8 {
-	return uint8(r.ReadUint32())
-}
-
-func (r *Reader) ReadUint16() uint16 {
-	return uint16(r.ReadUint32())
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/writer.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/writer.go
@@ -1,146 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-package xdr
-
-import (
-	"io"
-	"reflect"
-	"unsafe"
-)
-
-var padBytes = []byte{0, 0, 0}
-
-type Writer struct {
-	w   io.Writer
-	tot int
-	err error
-	b   [8]byte
-}
-
-type AppendWriter []byte
-
-func (w *AppendWriter) Write(bs []byte) (int, error) {
-	*w = append(*w, bs...)
-	return len(bs), nil
-}
-
-func NewWriter(w io.Writer) *Writer {
-	return &Writer{
-		w: w,
-	}
-}
-
-func (w *Writer) WriteRaw(bs []byte) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	var n int
-	n, w.err = w.w.Write(bs)
-	return n, w.err
-}
-
-func (w *Writer) WriteString(s string) (int, error) {
-	sh := *((*reflect.StringHeader)(unsafe.Pointer(&s)))
-	bh := reflect.SliceHeader{
-		Data: sh.Data,
-		Len:  sh.Len,
-		Cap:  sh.Len,
-	}
-	return w.WriteBytes(*(*[]byte)(unsafe.Pointer(&bh)))
-}
-
-func (w *Writer) WriteBytes(bs []byte) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	w.WriteUint32(uint32(len(bs)))
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	if debug {
-		if len(bs) > maxDebugBytes {
-			dl.Printf("wr bytes (%d): %x...", len(bs), bs[:maxDebugBytes])
-		} else {
-			dl.Printf("wr bytes (%d): %x", len(bs), bs)
-		}
-	}
-
-	var l, n int
-	n, w.err = w.w.Write(bs)
-	l += n
-
-	if p := pad(len(bs)); w.err == nil && p > 0 {
-		n, w.err = w.w.Write(padBytes[:p])
-		l += n
-	}
-
-	w.tot += l
-	return l, w.err
-}
-
-func (w *Writer) WriteBool(v bool) (int, error) {
-	if v {
-		return w.WriteUint8(1)
-	} else {
-		return w.WriteUint8(0)
-	}
-}
-
-func (w *Writer) WriteUint32(v uint32) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	if debug {
-		dl.Printf("wr uint32=%d", v)
-	}
-
-	w.b[0] = byte(v >> 24)
-	w.b[1] = byte(v >> 16)
-	w.b[2] = byte(v >> 8)
-	w.b[3] = byte(v)
-
-	var l int
-	l, w.err = w.w.Write(w.b[:4])
-	w.tot += l
-	return l, w.err
-}
-
-func (w *Writer) WriteUint64(v uint64) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	if debug {
-		dl.Printf("wr uint64=%d", v)
-	}
-
-	w.b[0] = byte(v >> 56)
-	w.b[1] = byte(v >> 48)
-	w.b[2] = byte(v >> 40)
-	w.b[3] = byte(v >> 32)
-	w.b[4] = byte(v >> 24)
-	w.b[5] = byte(v >> 16)
-	w.b[6] = byte(v >> 8)
-	w.b[7] = byte(v)
-
-	var l int
-	l, w.err = w.w.Write(w.b[:8])
-	w.tot += l
-	return l, w.err
-}
-
-func (w *Writer) Tot() int {
-	return w.tot
-}
-
-func (w *Writer) Error() error {
-	if w.err == nil {
-		return nil
-	}
-	return XDRError{"write", w.err}
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/writer_ipdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/writer_ipdr.go
@@ -1,41 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-// +build ipdr
-
-package xdr
-
-func (w *Writer) WriteUint8(v uint8) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	if debug {
-		dl.Printf("wr uint8=%d", v)
-	}
-
-	w.b[0] = byte(v)
-
-	var l int
-	l, w.err = w.w.Write(w.b[:1])
-	w.tot += l
-	return l, w.err
-}
-
-func (w *Writer) WriteUint16(v uint16) (int, error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-
-	if debug {
-		dl.Printf("wr uint8=%d", v)
-	}
-
-	w.b[0] = byte(v >> 8)
-	w.b[1] = byte(v)
-
-	var l int
-	l, w.err = w.w.Write(w.b[:2])
-	w.tot += l
-	return l, w.err
-}
--- a/Godeps/_workspace/src/github.com/calmh/xdr/writer_xdr.go
+++ b/Godeps/_workspace/src/github.com/calmh/xdr/writer_xdr.go
@@ -1,14 +0,0 @@
-// Copyright (C) 2014 Jakob Borg. All rights reserved. Use of this source code
-// is governed by an MIT-style license that can be found in the LICENSE file.
-
-// +build !ipdr
-
-package xdr
-
-func (w *Writer) WriteUint8(v uint8) (int, error) {
-	return w.WriteUint32(uint32(v))
-}
-
-func (w *Writer) WriteUint16(v uint16) (int, error) {
-	return w.WriteUint32(uint32(v))
-}
--- a/Godeps/_workspace/src/github.com/golang/snappy/encode.go
+++ b/Godeps/_workspace/src/github.com/golang/snappy/encode.go
@@ -1,254 +0,0 @@
-// Copyright 2011 The Snappy-Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package snappy
-
-import (
-	"encoding/binary"
-	"io"
-)
-
-// We limit how far copy back-references can go, the same as the C++ code.
-const maxOffset = 1 << 15
-
-// emitLiteral writes a literal chunk and returns the number of bytes written.
-func emitLiteral(dst, lit []byte) int {
-	i, n := 0, uint(len(lit)-1)
-	switch {
-	case n < 60:
-		dst[0] = uint8(n)<<2 | tagLiteral
-		i = 1
-	case n < 1<<8:
-		dst[0] = 60<<2 | tagLiteral
-		dst[1] = uint8(n)
-		i = 2
-	case n < 1<<16:
-		dst[0] = 61<<2 | tagLiteral
-		dst[1] = uint8(n)
-		dst[2] = uint8(n >> 8)
-		i = 3
-	case n < 1<<24:
-		dst[0] = 62<<2 | tagLiteral
-		dst[1] = uint8(n)
-		dst[2] = uint8(n >> 8)
-		dst[3] = uint8(n >> 16)
-		i = 4
-	case int64(n) < 1<<32:
-		dst[0] = 63<<2 | tagLiteral
-		dst[1] = uint8(n)
-		dst[2] = uint8(n >> 8)
-		dst[3] = uint8(n >> 16)
-		dst[4] = uint8(n >> 24)
-		i = 5
-	default:
-		panic("snappy: source buffer is too long")
-	}
-	if copy(dst[i:], lit) != len(lit) {
-		panic("snappy: destination buffer is too short")
-	}
-	return i + len(lit)
-}
-
-// emitCopy writes a copy chunk and returns the number of bytes written.
-func emitCopy(dst []byte, offset, length int) int {
-	i := 0
-	for length > 0 {
-		x := length - 4
-		if 0 <= x && x < 1<<3 && offset < 1<<11 {
-			dst[i+0] = uint8(offset>>8)&0x07<<5 | uint8(x)<<2 | tagCopy1
-			dst[i+1] = uint8(offset)
-			i += 2
-			break
-		}
-
-		x = length
-		if x > 1<<6 {
-			x = 1 << 6
-		}
-		dst[i+0] = uint8(x-1)<<2 | tagCopy2
-		dst[i+1] = uint8(offset)
-		dst[i+2] = uint8(offset >> 8)
-		i += 3
-		length -= x
-	}
-	return i
-}
-
-// Encode returns the encoded form of src. The returned slice may be a sub-
-// slice of dst if dst was large enough to hold the entire encoded block.
-// Otherwise, a newly allocated slice will be returned.
-// It is valid to pass a nil dst.
-func Encode(dst, src []byte) []byte {
-	if n := MaxEncodedLen(len(src)); len(dst) < n {
-		dst = make([]byte, n)
-	}
-
-	// The block starts with the varint-encoded length of the decompressed bytes.
-	d := binary.PutUvarint(dst, uint64(len(src)))
-
-	// Return early if src is short.
-	if len(src) <= 4 {
-		if len(src) != 0 {
-			d += emitLiteral(dst[d:], src)
-		}
-		return dst[:d]
-	}
-
-	// Initialize the hash table. Its size ranges from 1<<8 to 1<<14 inclusive.
-	const maxTableSize = 1 << 14
-	shift, tableSize := uint(32-8), 1<<8
-	for tableSize < maxTableSize && tableSize < len(src) {
-		shift--
-		tableSize *= 2
-	}
-	var table [maxTableSize]int
-
-	// Iterate over the source bytes.
-	var (
-		s   int // The iterator position.
-		t   int // The last position with the same hash as s.
-		lit int // The start position of any pending literal bytes.
-	)
-	for s+3 < len(src) {
-		// Update the hash table.
-		b0, b1, b2, b3 := src[s], src[s+1], src[s+2], src[s+3]
-		h := uint32(b0) | uint32(b1)<<8 | uint32(b2)<<16 | uint32(b3)<<24
-		p := &table[(h*0x1e35a7bd)>>shift]
-		// We need to to store values in [-1, inf) in table. To save
-		// some initialization time, (re)use the table's zero value
-		// and shift the values against this zero: add 1 on writes,
-		// subtract 1 on reads.
-		t, *p = *p-1, s+1
-		// If t is invalid or src[s:s+4] differs from src[t:t+4], accumulate a literal byte.
-		if t < 0 || s-t >= maxOffset || b0 != src[t] || b1 != src[t+1] || b2 != src[t+2] || b3 != src[t+3] {
-			s++
-			continue
-		}
-		// Otherwise, we have a match. First, emit any pending literal bytes.
-		if lit != s {
-			d += emitLiteral(dst[d:], src[lit:s])
-		}
-		// Extend the match to be as long as possible.
-		s0 := s
-		s, t = s+4, t+4
-		for s < len(src) && src[s] == src[t] {
-			s++
-			t++
-		}
-		// Emit the copied bytes.
-		d += emitCopy(dst[d:], s-t, s-s0)
-		lit = s
-	}
-
-	// Emit any final pending literal bytes and return.
-	if lit != len(src) {
-		d += emitLiteral(dst[d:], src[lit:])
-	}
-	return dst[:d]
-}
-
-// MaxEncodedLen returns the maximum length of a snappy block, given its
-// uncompressed length.
-func MaxEncodedLen(srcLen int) int {
-	// Compressed data can be defined as:
-	//    compressed := item* literal*
-	//    item       := literal* copy
-	//
-	// The trailing literal sequence has a space blowup of at most 62/60
-	// since a literal of length 60 needs one tag byte + one extra byte
-	// for length information.
-	//
-	// Item blowup is trickier to measure. Suppose the "copy" op copies
-	// 4 bytes of data. Because of a special check in the encoding code,
-	// we produce a 4-byte copy only if the offset is < 65536. Therefore
-	// the copy op takes 3 bytes to encode, and this type of item leads
-	// to at most the 62/60 blowup for representing literals.
-	//
-	// Suppose the "copy" op copies 5 bytes of data. If the offset is big
-	// enough, it will take 5 bytes to encode the copy op. Therefore the
-	// worst case here is a one-byte literal followed by a five-byte copy.
-	// That is, 6 bytes of input turn into 7 bytes of "compressed" data.
-	//
-	// This last factor dominates the blowup, so the final estimate is:
-	return 32 + srcLen + srcLen/6
-}
-
-// NewWriter returns a new Writer that compresses to w, using the framing
-// format described at
-// https://github.com/google/snappy/blob/master/framing_format.txt
-func NewWriter(w io.Writer) *Writer {
-	return &Writer{
-		w:   w,
-		enc: make([]byte, MaxEncodedLen(maxUncompressedChunkLen)),
-	}
-}
-
-// Writer is an io.Writer than can write Snappy-compressed bytes.
-type Writer struct {
-	w           io.Writer
-	err         error
-	enc         []byte
-	buf         [checksumSize + chunkHeaderSize]byte
-	wroteHeader bool
-}
-
-// Reset discards the writer's state and switches the Snappy writer to write to
-// w. This permits reusing a Writer rather than allocating a new one.
-func (w *Writer) Reset(writer io.Writer) {
-	w.w = writer
-	w.err = nil
-	w.wroteHeader = false
-}
-
-// Write satisfies the io.Writer interface.
-func (w *Writer) Write(p []byte) (n int, errRet error) {
-	if w.err != nil {
-		return 0, w.err
-	}
-	if !w.wroteHeader {
-		copy(w.enc, magicChunk)
-		if _, err := w.w.Write(w.enc[:len(magicChunk)]); err != nil {
-			w.err = err
-			return n, err
-		}
-		w.wroteHeader = true
-	}
-	for len(p) > 0 {
-		var uncompressed []byte
-		if len(p) > maxUncompressedChunkLen {
-			uncompressed, p = p[:maxUncompressedChunkLen], p[maxUncompressedChunkLen:]
-		} else {
-			uncompressed, p = p, nil
-		}
-		checksum := crc(uncompressed)
-
-		// Compress the buffer, discarding the result if the improvement
-		// isn't at least 12.5%.
-		chunkType := uint8(chunkTypeCompressedData)
-		chunkBody := Encode(w.enc, uncompressed)
-		if len(chunkBody) >= len(uncompressed)-len(uncompressed)/8 {
-			chunkType, chunkBody = chunkTypeUncompressedData, uncompressed
-		}
-
-		chunkLen := 4 + len(chunkBody)
-		w.buf[0] = chunkType
-		w.buf[1] = uint8(chunkLen >> 0)
-		w.buf[2] = uint8(chunkLen >> 8)
-		w.buf[3] = uint8(chunkLen >> 16)
-		w.buf[4] = uint8(checksum >> 0)
-		w.buf[5] = uint8(checksum >> 8)
-		w.buf[6] = uint8(checksum >> 16)
-		w.buf[7] = uint8(checksum >> 24)
-		if _, err := w.w.Write(w.buf[:]); err != nil {
-			w.err = err
-			return n, err
-		}
-		if _, err := w.w.Write(chunkBody); err != nil {
-			w.err = err
-			return n, err
-		}
-		n += len(uncompressed)
-	}
-	return n, nil
-}
--- a/Godeps/_workspace/src/github.com/rcrowley/go-metrics/.gitignore
+++ b/Godeps/_workspace/src/github.com/rcrowley/go-metrics/.gitignore
@@ -1,9 +0,0 @@
-*.[68]
-*.a
-*.out
-*.swp
-_obj
-_testmain.go
-cmd/metrics-bench/metrics-bench
-cmd/metrics-example/metrics-example
-cmd/never-read/never-read
--- a/Godeps/_workspace/src/github.com/rcrowley/go-metrics/.travis.yml
+++ b/Godeps/_workspace/src/github.com/rcrowley/go-metrics/.travis.yml
@@ -1,13 +0,0 @@
-language: go
-
-go:
-    - 1.2
-    - 1.3
-    - 1.4
-
-script:
-    - ./validate.sh
-
-# this should give us faster builds according to 
-# http://docs.travis-ci.com/user/migrating-from-legacy/
-sudo: false
--- a/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/storage/file_storage.go
+++ b/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/storage/file_storage.go
@@ -1,543 +0,0 @@
-// Copyright (c) 2012, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reservefs.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package storage
-
-import (
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/syndtr/goleveldb/leveldb/util"
-)
-
-var errFileOpen = errors.New("leveldb/storage: file still open")
-
-type fileLock interface {
-	release() error
-}
-
-type fileStorageLock struct {
-	fs *fileStorage
-}
-
-func (lock *fileStorageLock) Release() {
-	fs := lock.fs
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.slock == lock {
-		fs.slock = nil
-	}
-	return
-}
-
-// fileStorage is a file-system backed storage.
-type fileStorage struct {
-	path string
-
-	mu    sync.Mutex
-	flock fileLock
-	slock *fileStorageLock
-	logw  *os.File
-	buf   []byte
-	// Opened file counter; if open < 0 means closed.
-	open int
-	day  int
-}
-
-// OpenFile returns a new filesytem-backed storage implementation with the given
-// path. This also hold a file lock, so any subsequent attempt to open the same
-// path will fail.
-//
-// The storage must be closed after use, by calling Close method.
-func OpenFile(path string) (Storage, error) {
-	if err := os.MkdirAll(path, 0755); err != nil {
-		return nil, err
-	}
-
-	flock, err := newFileLock(filepath.Join(path, "LOCK"))
-	if err != nil {
-		return nil, err
-	}
-
-	defer func() {
-		if err != nil {
-			flock.release()
-		}
-	}()
-
-	rename(filepath.Join(path, "LOG"), filepath.Join(path, "LOG.old"))
-	logw, err := os.OpenFile(filepath.Join(path, "LOG"), os.O_WRONLY|os.O_CREATE, 0644)
-	if err != nil {
-		return nil, err
-	}
-
-	fs := &fileStorage{path: path, flock: flock, logw: logw}
-	runtime.SetFinalizer(fs, (*fileStorage).Close)
-	return fs, nil
-}
-
-func (fs *fileStorage) Lock() (util.Releaser, error) {
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return nil, ErrClosed
-	}
-	if fs.slock != nil {
-		return nil, ErrLocked
-	}
-	fs.slock = &fileStorageLock{fs: fs}
-	return fs.slock, nil
-}
-
-func itoa(buf []byte, i int, wid int) []byte {
-	var u uint = uint(i)
-	if u == 0 && wid <= 1 {
-		return append(buf, '0')
-	}
-
-	// Assemble decimal in reverse order.
-	var b [32]byte
-	bp := len(b)
-	for ; u > 0 || wid > 0; u /= 10 {
-		bp--
-		wid--
-		b[bp] = byte(u%10) + '0'
-	}
-	return append(buf, b[bp:]...)
-}
-
-func (fs *fileStorage) printDay(t time.Time) {
-	if fs.day == t.Day() {
-		return
-	}
-	fs.day = t.Day()
-	fs.logw.Write([]byte("=============== " + t.Format("Jan 2, 2006 (MST)") + " ===============\n"))
-}
-
-func (fs *fileStorage) doLog(t time.Time, str string) {
-	fs.printDay(t)
-	hour, min, sec := t.Clock()
-	msec := t.Nanosecond() / 1e3
-	// time
-	fs.buf = itoa(fs.buf[:0], hour, 2)
-	fs.buf = append(fs.buf, ':')
-	fs.buf = itoa(fs.buf, min, 2)
-	fs.buf = append(fs.buf, ':')
-	fs.buf = itoa(fs.buf, sec, 2)
-	fs.buf = append(fs.buf, '.')
-	fs.buf = itoa(fs.buf, msec, 6)
-	fs.buf = append(fs.buf, ' ')
-	// write
-	fs.buf = append(fs.buf, []byte(str)...)
-	fs.buf = append(fs.buf, '\n')
-	fs.logw.Write(fs.buf)
-}
-
-func (fs *fileStorage) Log(str string) {
-	t := time.Now()
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return
-	}
-	fs.doLog(t, str)
-}
-
-func (fs *fileStorage) log(str string) {
-	fs.doLog(time.Now(), str)
-}
-
-func (fs *fileStorage) GetFile(num uint64, t FileType) File {
-	return &file{fs: fs, num: num, t: t}
-}
-
-func (fs *fileStorage) GetFiles(t FileType) (ff []File, err error) {
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return nil, ErrClosed
-	}
-	dir, err := os.Open(fs.path)
-	if err != nil {
-		return
-	}
-	fnn, err := dir.Readdirnames(0)
-	// Close the dir first before checking for Readdirnames error.
-	if err := dir.Close(); err != nil {
-		fs.log(fmt.Sprintf("close dir: %v", err))
-	}
-	if err != nil {
-		return
-	}
-	f := &file{fs: fs}
-	for _, fn := range fnn {
-		if f.parse(fn) && (f.t&t) != 0 {
-			ff = append(ff, f)
-			f = &file{fs: fs}
-		}
-	}
-	return
-}
-
-func (fs *fileStorage) GetManifest() (f File, err error) {
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return nil, ErrClosed
-	}
-	dir, err := os.Open(fs.path)
-	if err != nil {
-		return
-	}
-	fnn, err := dir.Readdirnames(0)
-	// Close the dir first before checking for Readdirnames error.
-	if err := dir.Close(); err != nil {
-		fs.log(fmt.Sprintf("close dir: %v", err))
-	}
-	if err != nil {
-		return
-	}
-	// Find latest CURRENT file.
-	var rem []string
-	var pend bool
-	var cerr error
-	for _, fn := range fnn {
-		if strings.HasPrefix(fn, "CURRENT") {
-			pend1 := len(fn) > 7
-			// Make sure it is valid name for a CURRENT file, otherwise skip it.
-			if pend1 {
-				if fn[7] != '.' || len(fn) < 9 {
-					fs.log(fmt.Sprintf("skipping %s: invalid file name", fn))
-					continue
-				}
-				if _, e1 := strconv.ParseUint(fn[8:], 10, 0); e1 != nil {
-					fs.log(fmt.Sprintf("skipping %s: invalid file num: %v", fn, e1))
-					continue
-				}
-			}
-			path := filepath.Join(fs.path, fn)
-			r, e1 := os.OpenFile(path, os.O_RDONLY, 0)
-			if e1 != nil {
-				return nil, e1
-			}
-			b, e1 := ioutil.ReadAll(r)
-			if e1 != nil {
-				r.Close()
-				return nil, e1
-			}
-			f1 := &file{fs: fs}
-			if len(b) < 1 || b[len(b)-1] != '\n' || !f1.parse(string(b[:len(b)-1])) {
-				fs.log(fmt.Sprintf("skipping %s: corrupted or incomplete", fn))
-				if pend1 {
-					rem = append(rem, fn)
-				}
-				if !pend1 || cerr == nil {
-					cerr = &ErrCorrupted{
-						File: fsParseName(filepath.Base(fn)),
-						Err:  errors.New("leveldb/storage: corrupted or incomplete manifest file"),
-					}
-				}
-			} else if f != nil && f1.Num() < f.Num() {
-				fs.log(fmt.Sprintf("skipping %s: obsolete", fn))
-				if pend1 {
-					rem = append(rem, fn)
-				}
-			} else {
-				f = f1
-				pend = pend1
-			}
-			if err := r.Close(); err != nil {
-				fs.log(fmt.Sprintf("close %s: %v", fn, err))
-			}
-		}
-	}
-	// Don't remove any files if there is no valid CURRENT file.
-	if f == nil {
-		if cerr != nil {
-			err = cerr
-		} else {
-			err = os.ErrNotExist
-		}
-		return
-	}
-	// Rename pending CURRENT file to an effective CURRENT.
-	if pend {
-		path := fmt.Sprintf("%s.%d", filepath.Join(fs.path, "CURRENT"), f.Num())
-		if err := rename(path, filepath.Join(fs.path, "CURRENT")); err != nil {
-			fs.log(fmt.Sprintf("CURRENT.%d -> CURRENT: %v", f.Num(), err))
-		}
-	}
-	// Remove obsolete or incomplete pending CURRENT files.
-	for _, fn := range rem {
-		path := filepath.Join(fs.path, fn)
-		if err := os.Remove(path); err != nil {
-			fs.log(fmt.Sprintf("remove %s: %v", fn, err))
-		}
-	}
-	return
-}
-
-func (fs *fileStorage) SetManifest(f File) (err error) {
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return ErrClosed
-	}
-	f2, ok := f.(*file)
-	if !ok || f2.t != TypeManifest {
-		return ErrInvalidFile
-	}
-	defer func() {
-		if err != nil {
-			fs.log(fmt.Sprintf("CURRENT: %v", err))
-		}
-	}()
-	path := fmt.Sprintf("%s.%d", filepath.Join(fs.path, "CURRENT"), f2.Num())
-	w, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return err
-	}
-	_, err = fmt.Fprintln(w, f2.name())
-	// Close the file first.
-	if err := w.Close(); err != nil {
-		fs.log(fmt.Sprintf("close CURRENT.%d: %v", f2.num, err))
-	}
-	if err != nil {
-		return err
-	}
-	return rename(path, filepath.Join(fs.path, "CURRENT"))
-}
-
-func (fs *fileStorage) Close() error {
-	fs.mu.Lock()
-	defer fs.mu.Unlock()
-	if fs.open < 0 {
-		return ErrClosed
-	}
-	// Clear the finalizer.
-	runtime.SetFinalizer(fs, nil)
-
-	if fs.open > 0 {
-		fs.log(fmt.Sprintf("close: warning, %d files still open", fs.open))
-	}
-	fs.open = -1
-	e1 := fs.logw.Close()
-	err := fs.flock.release()
-	if err == nil {
-		err = e1
-	}
-	return err
-}
-
-type fileWrap struct {
-	*os.File
-	f *file
-}
-
-func (fw fileWrap) Sync() error {
-	if err := fw.File.Sync(); err != nil {
-		return err
-	}
-	if fw.f.Type() == TypeManifest {
-		// Also sync parent directory if file type is manifest.
-		// See: https://code.google.com/p/leveldb/issues/detail?id=190.
-		if err := syncDir(fw.f.fs.path); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (fw fileWrap) Close() error {
-	f := fw.f
-	f.fs.mu.Lock()
-	defer f.fs.mu.Unlock()
-	if !f.open {
-		return ErrClosed
-	}
-	f.open = false
-	f.fs.open--
-	err := fw.File.Close()
-	if err != nil {
-		f.fs.log(fmt.Sprintf("close %s.%d: %v", f.Type(), f.Num(), err))
-	}
-	return err
-}
-
-type file struct {
-	fs   *fileStorage
-	num  uint64
-	t    FileType
-	open bool
-}
-
-func (f *file) Open() (Reader, error) {
-	f.fs.mu.Lock()
-	defer f.fs.mu.Unlock()
-	if f.fs.open < 0 {
-		return nil, ErrClosed
-	}
-	if f.open {
-		return nil, errFileOpen
-	}
-	of, err := os.OpenFile(f.path(), os.O_RDONLY, 0)
-	if err != nil {
-		if f.hasOldName() && os.IsNotExist(err) {
-			of, err = os.OpenFile(f.oldPath(), os.O_RDONLY, 0)
-			if err == nil {
-				goto ok
-			}
-		}
-		return nil, err
-	}
-ok:
-	f.open = true
-	f.fs.open++
-	return fileWrap{of, f}, nil
-}
-
-func (f *file) Create() (Writer, error) {
-	f.fs.mu.Lock()
-	defer f.fs.mu.Unlock()
-	if f.fs.open < 0 {
-		return nil, ErrClosed
-	}
-	if f.open {
-		return nil, errFileOpen
-	}
-	of, err := os.OpenFile(f.path(), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return nil, err
-	}
-	f.open = true
-	f.fs.open++
-	return fileWrap{of, f}, nil
-}
-
-func (f *file) Replace(newfile File) error {
-	f.fs.mu.Lock()
-	defer f.fs.mu.Unlock()
-	if f.fs.open < 0 {
-		return ErrClosed
-	}
-	newfile2, ok := newfile.(*file)
-	if !ok {
-		return ErrInvalidFile
-	}
-	if f.open || newfile2.open {
-		return errFileOpen
-	}
-	return rename(newfile2.path(), f.path())
-}
-
-func (f *file) Type() FileType {
-	return f.t
-}
-
-func (f *file) Num() uint64 {
-	return f.num
-}
-
-func (f *file) Remove() error {
-	f.fs.mu.Lock()
-	defer f.fs.mu.Unlock()
-	if f.fs.open < 0 {
-		return ErrClosed
-	}
-	if f.open {
-		return errFileOpen
-	}
-	err := os.Remove(f.path())
-	if err != nil {
-		f.fs.log(fmt.Sprintf("remove %s.%d: %v", f.Type(), f.Num(), err))
-	}
-	// Also try remove file with old name, just in case.
-	if f.hasOldName() {
-		if e1 := os.Remove(f.oldPath()); !os.IsNotExist(e1) {
-			f.fs.log(fmt.Sprintf("remove %s.%d: %v (old name)", f.Type(), f.Num(), err))
-			err = e1
-		}
-	}
-	return err
-}
-
-func (f *file) hasOldName() bool {
-	return f.t == TypeTable
-}
-
-func (f *file) oldName() string {
-	switch f.t {
-	case TypeTable:
-		return fmt.Sprintf("%06d.sst", f.num)
-	}
-	return f.name()
-}
-
-func (f *file) oldPath() string {
-	return filepath.Join(f.fs.path, f.oldName())
-}
-
-func (f *file) name() string {
-	switch f.t {
-	case TypeManifest:
-		return fmt.Sprintf("MANIFEST-%06d", f.num)
-	case TypeJournal:
-		return fmt.Sprintf("%06d.log", f.num)
-	case TypeTable:
-		return fmt.Sprintf("%06d.ldb", f.num)
-	case TypeTemp:
-		return fmt.Sprintf("%06d.tmp", f.num)
-	default:
-		panic("invalid file type")
-	}
-}
-
-func (f *file) path() string {
-	return filepath.Join(f.fs.path, f.name())
-}
-
-func fsParseName(name string) *FileInfo {
-	fi := &FileInfo{}
-	var tail string
-	_, err := fmt.Sscanf(name, "%d.%s", &fi.Num, &tail)
-	if err == nil {
-		switch tail {
-		case "log":
-			fi.Type = TypeJournal
-		case "ldb", "sst":
-			fi.Type = TypeTable
-		case "tmp":
-			fi.Type = TypeTemp
-		default:
-			return nil
-		}
-		return fi
-	}
-	n, _ := fmt.Sscanf(name, "MANIFEST-%d%s", &fi.Num, &tail)
-	if n == 1 {
-		fi.Type = TypeManifest
-		return fi
-	}
-	return nil
-}
-
-func (f *file) parse(name string) bool {
-	fi := fsParseName(name)
-	if fi == nil {
-		return false
-	}
-	f.t = fi.Type
-	f.num = fi.Num
-	return true
-}
--- a/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/storage/mem_storage.go
+++ b/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/storage/mem_storage.go
@@ -1,203 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package storage
-
-import (
-	"bytes"
-	"os"
-	"sync"
-
-	"github.com/syndtr/goleveldb/leveldb/util"
-)
-
-const typeShift = 3
-
-type memStorageLock struct {
-	ms *memStorage
-}
-
-func (lock *memStorageLock) Release() {
-	ms := lock.ms
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	if ms.slock == lock {
-		ms.slock = nil
-	}
-	return
-}
-
-// memStorage is a memory-backed storage.
-type memStorage struct {
-	mu       sync.Mutex
-	slock    *memStorageLock
-	files    map[uint64]*memFile
-	manifest *memFilePtr
-}
-
-// NewMemStorage returns a new memory-backed storage implementation.
-func NewMemStorage() Storage {
-	return &memStorage{
-		files: make(map[uint64]*memFile),
-	}
-}
-
-func (ms *memStorage) Lock() (util.Releaser, error) {
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	if ms.slock != nil {
-		return nil, ErrLocked
-	}
-	ms.slock = &memStorageLock{ms: ms}
-	return ms.slock, nil
-}
-
-func (*memStorage) Log(str string) {}
-
-func (ms *memStorage) GetFile(num uint64, t FileType) File {
-	return &memFilePtr{ms: ms, num: num, t: t}
-}
-
-func (ms *memStorage) GetFiles(t FileType) ([]File, error) {
-	ms.mu.Lock()
-	var ff []File
-	for x, _ := range ms.files {
-		num, mt := x>>typeShift, FileType(x)&TypeAll
-		if mt&t == 0 {
-			continue
-		}
-		ff = append(ff, &memFilePtr{ms: ms, num: num, t: mt})
-	}
-	ms.mu.Unlock()
-	return ff, nil
-}
-
-func (ms *memStorage) GetManifest() (File, error) {
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	if ms.manifest == nil {
-		return nil, os.ErrNotExist
-	}
-	return ms.manifest, nil
-}
-
-func (ms *memStorage) SetManifest(f File) error {
-	fm, ok := f.(*memFilePtr)
-	if !ok || fm.t != TypeManifest {
-		return ErrInvalidFile
-	}
-	ms.mu.Lock()
-	ms.manifest = fm
-	ms.mu.Unlock()
-	return nil
-}
-
-func (*memStorage) Close() error { return nil }
-
-type memReader struct {
-	*bytes.Reader
-	m *memFile
-}
-
-func (mr *memReader) Close() error {
-	return mr.m.Close()
-}
-
-type memFile struct {
-	bytes.Buffer
-	ms   *memStorage
-	open bool
-}
-
-func (*memFile) Sync() error { return nil }
-func (m *memFile) Close() error {
-	m.ms.mu.Lock()
-	m.open = false
-	m.ms.mu.Unlock()
-	return nil
-}
-
-type memFilePtr struct {
-	ms  *memStorage
-	num uint64
-	t   FileType
-}
-
-func (p *memFilePtr) x() uint64 {
-	return p.Num()<<typeShift | uint64(p.Type())
-}
-
-func (p *memFilePtr) Open() (Reader, error) {
-	ms := p.ms
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	if m, exist := ms.files[p.x()]; exist {
-		if m.open {
-			return nil, errFileOpen
-		}
-		m.open = true
-		return &memReader{Reader: bytes.NewReader(m.Bytes()), m: m}, nil
-	}
-	return nil, os.ErrNotExist
-}
-
-func (p *memFilePtr) Create() (Writer, error) {
-	ms := p.ms
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	m, exist := ms.files[p.x()]
-	if exist {
-		if m.open {
-			return nil, errFileOpen
-		}
-		m.Reset()
-	} else {
-		m = &memFile{ms: ms}
-		ms.files[p.x()] = m
-	}
-	m.open = true
-	return m, nil
-}
-
-func (p *memFilePtr) Replace(newfile File) error {
-	p1, ok := newfile.(*memFilePtr)
-	if !ok {
-		return ErrInvalidFile
-	}
-	ms := p.ms
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	m1, exist := ms.files[p1.x()]
-	if !exist {
-		return os.ErrNotExist
-	}
-	m0, exist := ms.files[p.x()]
-	if (exist && m0.open) || m1.open {
-		return errFileOpen
-	}
-	delete(ms.files, p1.x())
-	ms.files[p.x()] = m1
-	return nil
-}
-
-func (p *memFilePtr) Type() FileType {
-	return p.t
-}
-
-func (p *memFilePtr) Num() uint64 {
-	return p.num
-}
-
-func (p *memFilePtr) Remove() error {
-	ms := p.ms
-	ms.mu.Lock()
-	defer ms.mu.Unlock()
-	if _, exist := ms.files[p.x()]; exist {
-		delete(ms.files, p.x())
-		return nil
-	}
-	return os.ErrNotExist
-}
--- a/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/testutil/kvtest.go
+++ b/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/testutil/kvtest.go
@@ -1,187 +0,0 @@
-// Copyright (c) 2014, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package testutil
-
-import (
-	"fmt"
-	"math/rand"
-
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-
-	"github.com/syndtr/goleveldb/leveldb/errors"
-	"github.com/syndtr/goleveldb/leveldb/util"
-)
-
-func KeyValueTesting(rnd *rand.Rand, kv KeyValue, p DB, setup func(KeyValue) DB, teardown func(DB)) {
-	if rnd == nil {
-		rnd = NewRand()
-	}
-
-	if p == nil {
-		BeforeEach(func() {
-			p = setup(kv)
-		})
-		if teardown != nil {
-			AfterEach(func() {
-				teardown(p)
-			})
-		}
-	}
-
-	It("Should find all keys with Find", func() {
-		if db, ok := p.(Find); ok {
-			ShuffledIndex(nil, kv.Len(), 1, func(i int) {
-				key_, key, value := kv.IndexInexact(i)
-
-				// Using exact key.
-				rkey, rvalue, err := db.TestFind(key)
-				Expect(err).ShouldNot(HaveOccurred(), "Error for key %q", key)
-				Expect(rkey).Should(Equal(key), "Key")
-				Expect(rvalue).Should(Equal(value), "Value for key %q", key)
-
-				// Using inexact key.
-				rkey, rvalue, err = db.TestFind(key_)
-				Expect(err).ShouldNot(HaveOccurred(), "Error for key %q (%q)", key_, key)
-				Expect(rkey).Should(Equal(key))
-				Expect(rvalue).Should(Equal(value), "Value for key %q (%q)", key_, key)
-			})
-		}
-	})
-
-	It("Should return error if the key is not present", func() {
-		if db, ok := p.(Find); ok {
-			var key []byte
-			if kv.Len() > 0 {
-				key_, _ := kv.Index(kv.Len() - 1)
-				key = BytesAfter(key_)
-			}
-			rkey, _, err := db.TestFind(key)
-			Expect(err).Should(HaveOccurred(), "Find for key %q yield key %q", key, rkey)
-			Expect(err).Should(Equal(errors.ErrNotFound))
-		}
-	})
-
-	It("Should only find exact key with Get", func() {
-		if db, ok := p.(Get); ok {
-			ShuffledIndex(nil, kv.Len(), 1, func(i int) {
-				key_, key, value := kv.IndexInexact(i)
-
-				// Using exact key.
-				rvalue, err := db.TestGet(key)
-				Expect(err).ShouldNot(HaveOccurred(), "Error for key %q", key)
-				Expect(rvalue).Should(Equal(value), "Value for key %q", key)
-
-				// Using inexact key.
-				if len(key_) > 0 {
-					_, err = db.TestGet(key_)
-					Expect(err).Should(HaveOccurred(), "Error for key %q", key_)
-					Expect(err).Should(Equal(errors.ErrNotFound))
-				}
-			})
-		}
-	})
-
-	It("Should only find present key with Has", func() {
-		if db, ok := p.(Has); ok {
-			ShuffledIndex(nil, kv.Len(), 1, func(i int) {
-				key_, key, _ := kv.IndexInexact(i)
-
-				// Using exact key.
-				ret, err := db.TestHas(key)
-				Expect(err).ShouldNot(HaveOccurred(), "Error for key %q", key)
-				Expect(ret).Should(BeTrue(), "False for key %q", key)
-
-				// Using inexact key.
-				if len(key_) > 0 {
-					ret, err = db.TestHas(key_)
-					Expect(err).ShouldNot(HaveOccurred(), "Error for key %q", key_)
-					Expect(ret).ShouldNot(BeTrue(), "True for key %q", key)
-				}
-			})
-		}
-	})
-
-	TestIter := func(r *util.Range, _kv KeyValue) {
-		if db, ok := p.(NewIterator); ok {
-			iter := db.TestNewIterator(r)
-			Expect(iter.Error()).ShouldNot(HaveOccurred())
-
-			t := IteratorTesting{
-				KeyValue: _kv,
-				Iter:     iter,
-			}
-
-			DoIteratorTesting(&t)
-			iter.Release()
-		}
-	}
-
-	It("Should iterates and seeks correctly", func(done Done) {
-		TestIter(nil, kv.Clone())
-		done <- true
-	}, 3.0)
-
-	RandomIndex(rnd, kv.Len(), Min(kv.Len(), 50), func(i int) {
-		type slice struct {
-			r            *util.Range
-			start, limit int
-		}
-
-		key_, _, _ := kv.IndexInexact(i)
-		for _, x := range []slice{
-			{&util.Range{Start: key_, Limit: nil}, i, kv.Len()},
-			{&util.Range{Start: nil, Limit: key_}, 0, i},
-		} {
-			It(fmt.Sprintf("Should iterates and seeks correctly of a slice %d .. %d", x.start, x.limit), func(done Done) {
-				TestIter(x.r, kv.Slice(x.start, x.limit))
-				done <- true
-			}, 3.0)
-		}
-	})
-
-	RandomRange(rnd, kv.Len(), Min(kv.Len(), 50), func(start, limit int) {
-		It(fmt.Sprintf("Should iterates and seeks correctly of a slice %d .. %d", start, limit), func(done Done) {
-			r := kv.Range(start, limit)
-			TestIter(&r, kv.Slice(start, limit))
-			done <- true
-		}, 3.0)
-	})
-}
-
-func AllKeyValueTesting(rnd *rand.Rand, body, setup func(KeyValue) DB, teardown func(DB)) {
-	Test := func(kv *KeyValue) func() {
-		return func() {
-			var p DB
-			if setup != nil {
-				Defer("setup", func() {
-					p = setup(*kv)
-				})
-			}
-			if teardown != nil {
-				Defer("teardown", func() {
-					teardown(p)
-				})
-			}
-			if body != nil {
-				p = body(*kv)
-			}
-			KeyValueTesting(rnd, *kv, p, func(KeyValue) DB {
-				return p
-			}, nil)
-		}
-	}
-
-	Describe("with no key/value (empty)", Test(&KeyValue{}))
-	Describe("with empty key", Test(KeyValue_EmptyKey()))
-	Describe("with empty value", Test(KeyValue_EmptyValue()))
-	Describe("with one key/value", Test(KeyValue_OneKeyValue()))
-	Describe("with big value", Test(KeyValue_BigValue()))
-	Describe("with special key", Test(KeyValue_SpecialKey()))
-	Describe("with multiple key/value", Test(KeyValue_MultipleKeyValue()))
-	Describe("with generated key/value", Test(KeyValue_Generate(nil, 120, 1, 50, 10, 120)))
-}
--- a/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/testutil/storage.go
+++ b/Godeps/_workspace/src/github.com/syndtr/goleveldb/leveldb/testutil/storage.go
@@ -1,586 +0,0 @@
-// Copyright (c) 2014, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package testutil
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"sync"
-
-	. "github.com/onsi/gomega"
-
-	"github.com/syndtr/goleveldb/leveldb/storage"
-	"github.com/syndtr/goleveldb/leveldb/util"
-)
-
-var (
-	storageMu     sync.Mutex
-	storageUseFS  bool = true
-	storageKeepFS bool = false
-	storageNum    int
-)
-
-type StorageMode int
-
-const (
-	ModeOpen StorageMode = 1 << iota
-	ModeCreate
-	ModeRemove
-	ModeRead
-	ModeWrite
-	ModeSync
-	ModeClose
-)
-
-const (
-	modeOpen = iota
-	modeCreate
-	modeRemove
-	modeRead
-	modeWrite
-	modeSync
-	modeClose
-
-	modeCount
-)
-
-const (
-	typeManifest = iota
-	typeJournal
-	typeTable
-	typeTemp
-
-	typeCount
-)
-
-const flattenCount = modeCount * typeCount
-
-func flattenType(m StorageMode, t storage.FileType) int {
-	var x int
-	switch m {
-	case ModeOpen:
-		x = modeOpen
-	case ModeCreate:
-		x = modeCreate
-	case ModeRemove:
-		x = modeRemove
-	case ModeRead:
-		x = modeRead
-	case ModeWrite:
-		x = modeWrite
-	case ModeSync:
-		x = modeSync
-	case ModeClose:
-		x = modeClose
-	default:
-		panic("invalid storage mode")
-	}
-	x *= typeCount
-	switch t {
-	case storage.TypeManifest:
-		return x + typeManifest
-	case storage.TypeJournal:
-		return x + typeJournal
-	case storage.TypeTable:
-		return x + typeTable
-	case storage.TypeTemp:
-		return x + typeTemp
-	default:
-		panic("invalid file type")
-	}
-}
-
-func listFlattenType(m StorageMode, t storage.FileType) []int {
-	ret := make([]int, 0, flattenCount)
-	add := func(x int) {
-		x *= typeCount
-		switch {
-		case t&storage.TypeManifest != 0:
-			ret = append(ret, x+typeManifest)
-		case t&storage.TypeJournal != 0:
-			ret = append(ret, x+typeJournal)
-		case t&storage.TypeTable != 0:
-			ret = append(ret, x+typeTable)
-		case t&storage.TypeTemp != 0:
-			ret = append(ret, x+typeTemp)
-		}
-	}
-	switch {
-	case m&ModeOpen != 0:
-		add(modeOpen)
-	case m&ModeCreate != 0:
-		add(modeCreate)
-	case m&ModeRemove != 0:
-		add(modeRemove)
-	case m&ModeRead != 0:
-		add(modeRead)
-	case m&ModeWrite != 0:
-		add(modeWrite)
-	case m&ModeSync != 0:
-		add(modeSync)
-	case m&ModeClose != 0:
-		add(modeClose)
-	}
-	return ret
-}
-
-func packFile(num uint64, t storage.FileType) uint64 {
-	if num>>(64-typeCount) != 0 {
-		panic("overflow")
-	}
-	return num<<typeCount | uint64(t)
-}
-
-func unpackFile(x uint64) (uint64, storage.FileType) {
-	return x >> typeCount, storage.FileType(x) & storage.TypeAll
-}
-
-type emulatedError struct {
-	err error
-}
-
-func (err emulatedError) Error() string {
-	return fmt.Sprintf("emulated storage error: %v", err.err)
-}
-
-type storageLock struct {
-	s *Storage
-	r util.Releaser
-}
-
-func (l storageLock) Release() {
-	l.r.Release()
-	l.s.logI("storage lock released")
-}
-
-type reader struct {
-	f *file
-	storage.Reader
-}
-
-func (r *reader) Read(p []byte) (n int, err error) {
-	err = r.f.s.emulateError(ModeRead, r.f.Type())
-	if err == nil {
-		r.f.s.stall(ModeRead, r.f.Type())
-		n, err = r.Reader.Read(p)
-	}
-	r.f.s.count(ModeRead, r.f.Type(), n)
-	if err != nil && err != io.EOF {
-		r.f.s.logI("read error, num=%d type=%v n=%d err=%v", r.f.Num(), r.f.Type(), n, err)
-	}
-	return
-}
-
-func (r *reader) ReadAt(p []byte, off int64) (n int, err error) {
-	err = r.f.s.emulateError(ModeRead, r.f.Type())
-	if err == nil {
-		r.f.s.stall(ModeRead, r.f.Type())
-		n, err = r.Reader.ReadAt(p, off)
-	}
-	r.f.s.count(ModeRead, r.f.Type(), n)
-	if err != nil && err != io.EOF {
-		r.f.s.logI("readAt error, num=%d type=%v offset=%d n=%d err=%v", r.f.Num(), r.f.Type(), off, n, err)
-	}
-	return
-}
-
-func (r *reader) Close() (err error) {
-	return r.f.doClose(r.Reader)
-}
-
-type writer struct {
-	f *file
-	storage.Writer
-}
-
-func (w *writer) Write(p []byte) (n int, err error) {
-	err = w.f.s.emulateError(ModeWrite, w.f.Type())
-	if err == nil {
-		w.f.s.stall(ModeWrite, w.f.Type())
-		n, err = w.Writer.Write(p)
-	}
-	w.f.s.count(ModeWrite, w.f.Type(), n)
-	if err != nil && err != io.EOF {
-		w.f.s.logI("write error, num=%d type=%v n=%d err=%v", w.f.Num(), w.f.Type(), n, err)
-	}
-	return
-}
-
-func (w *writer) Sync() (err error) {
-	err = w.f.s.emulateError(ModeSync, w.f.Type())
-	if err == nil {
-		w.f.s.stall(ModeSync, w.f.Type())
-		err = w.Writer.Sync()
-	}
-	w.f.s.count(ModeSync, w.f.Type(), 0)
-	if err != nil {
-		w.f.s.logI("sync error, num=%d type=%v err=%v", w.f.Num(), w.f.Type(), err)
-	}
-	return
-}
-
-func (w *writer) Close() (err error) {
-	return w.f.doClose(w.Writer)
-}
-
-type file struct {
-	s *Storage
-	storage.File
-}
-
-func (f *file) pack() uint64 {
-	return packFile(f.Num(), f.Type())
-}
-
-func (f *file) assertOpen() {
-	ExpectWithOffset(2, f.s.opens).NotTo(HaveKey(f.pack()), "File open, num=%d type=%v writer=%v", f.Num(), f.Type(), f.s.opens[f.pack()])
-}
-
-func (f *file) doClose(closer io.Closer) (err error) {
-	err = f.s.emulateError(ModeClose, f.Type())
-	if err == nil {
-		f.s.stall(ModeClose, f.Type())
-	}
-	f.s.mu.Lock()
-	defer f.s.mu.Unlock()
-	if err == nil {
-		ExpectWithOffset(2, f.s.opens).To(HaveKey(f.pack()), "File closed, num=%d type=%v", f.Num(), f.Type())
-		err = closer.Close()
-	}
-	f.s.countNB(ModeClose, f.Type(), 0)
-	writer := f.s.opens[f.pack()]
-	if err != nil {
-		f.s.logISkip(1, "file close failed, num=%d type=%v writer=%v err=%v", f.Num(), f.Type(), writer, err)
-	} else {
-		f.s.logISkip(1, "file closed, num=%d type=%v writer=%v", f.Num(), f.Type(), writer)
-		delete(f.s.opens, f.pack())
-	}
-	return
-}
-
-func (f *file) Open() (r storage.Reader, err error) {
-	err = f.s.emulateError(ModeOpen, f.Type())
-	if err == nil {
-		f.s.stall(ModeOpen, f.Type())
-	}
-	f.s.mu.Lock()
-	defer f.s.mu.Unlock()
-	if err == nil {
-		f.assertOpen()
-		f.s.countNB(ModeOpen, f.Type(), 0)
-		r, err = f.File.Open()
-	}
-	if err != nil {
-		f.s.logI("file open failed, num=%d type=%v err=%v", f.Num(), f.Type(), err)
-	} else {
-		f.s.logI("file opened, num=%d type=%v", f.Num(), f.Type())
-		f.s.opens[f.pack()] = false
-		r = &reader{f, r}
-	}
-	return
-}
-
-func (f *file) Create() (w storage.Writer, err error) {
-	err = f.s.emulateError(ModeCreate, f.Type())
-	if err == nil {
-		f.s.stall(ModeCreate, f.Type())
-	}
-	f.s.mu.Lock()
-	defer f.s.mu.Unlock()
-	if err == nil {
-		f.assertOpen()
-		f.s.countNB(ModeCreate, f.Type(), 0)
-		w, err = f.File.Create()
-	}
-	if err != nil {
-		f.s.logI("file create failed, num=%d type=%v err=%v", f.Num(), f.Type(), err)
-	} else {
-		f.s.logI("file created, num=%d type=%v", f.Num(), f.Type())
-		f.s.opens[f.pack()] = true
-		w = &writer{f, w}
-	}
-	return
-}
-
-func (f *file) Remove() (err error) {
-	err = f.s.emulateError(ModeRemove, f.Type())
-	if err == nil {
-		f.s.stall(ModeRemove, f.Type())
-	}
-	f.s.mu.Lock()
-	defer f.s.mu.Unlock()
-	if err == nil {
-		f.assertOpen()
-		f.s.countNB(ModeRemove, f.Type(), 0)
-		err = f.File.Remove()
-	}
-	if err != nil {
-		f.s.logI("file remove failed, num=%d type=%v err=%v", f.Num(), f.Type(), err)
-	} else {
-		f.s.logI("file removed, num=%d type=%v", f.Num(), f.Type())
-	}
-	return
-}
-
-type Storage struct {
-	storage.Storage
-	closeFn func() error
-
-	lmu sync.Mutex
-	lb  bytes.Buffer
-
-	mu sync.Mutex
-	// Open files, true=writer, false=reader
-	opens         map[uint64]bool
-	counters      [flattenCount]int
-	bytesCounter  [flattenCount]int64
-	emulatedError [flattenCount]error
-	stallCond     sync.Cond
-	stalled       [flattenCount]bool
-}
-
-func (s *Storage) log(skip int, str string) {
-	s.lmu.Lock()
-	defer s.lmu.Unlock()
-	_, file, line, ok := runtime.Caller(skip + 2)
-	if ok {
-		// Truncate file name at last file name separator.
-		if index := strings.LastIndex(file, "/"); index >= 0 {
-			file = file[index+1:]
-		} else if index = strings.LastIndex(file, "\\"); index >= 0 {
-			file = file[index+1:]
-		}
-	} else {
-		file = "???"
-		line = 1
-	}
-	fmt.Fprintf(&s.lb, "%s:%d: ", file, line)
-	lines := strings.Split(str, "\n")
-	if l := len(lines); l > 1 && lines[l-1] == "" {
-		lines = lines[:l-1]
-	}
-	for i, line := range lines {
-		if i > 0 {
-			s.lb.WriteString("\n\t")
-		}
-		s.lb.WriteString(line)
-	}
-	s.lb.WriteByte('\n')
-}
-
-func (s *Storage) logISkip(skip int, format string, args ...interface{}) {
-	pc, _, _, ok := runtime.Caller(skip + 1)
-	if ok {
-		if f := runtime.FuncForPC(pc); f != nil {
-			fname := f.Name()
-			if index := strings.LastIndex(fname, "."); index >= 0 {
-				fname = fname[index+1:]
-			}
-			format = fname + ": " + format
-		}
-	}
-	s.log(skip+1, fmt.Sprintf(format, args...))
-}
-
-func (s *Storage) logI(format string, args ...interface{}) {
-	s.logISkip(1, format, args...)
-}
-
-func (s *Storage) Log(str string) {
-	s.log(1, "Log: "+str)
-	s.Storage.Log(str)
-}
-
-func (s *Storage) Lock() (r util.Releaser, err error) {
-	r, err = s.Storage.Lock()
-	if err != nil {
-		s.logI("storage locking failed, err=%v", err)
-	} else {
-		s.logI("storage locked")
-		r = storageLock{s, r}
-	}
-	return
-}
-
-func (s *Storage) GetFile(num uint64, t storage.FileType) storage.File {
-	return &file{s, s.Storage.GetFile(num, t)}
-}
-
-func (s *Storage) GetFiles(t storage.FileType) (files []storage.File, err error) {
-	rfiles, err := s.Storage.GetFiles(t)
-	if err != nil {
-		s.logI("get files failed, err=%v", err)
-		return
-	}
-	files = make([]storage.File, len(rfiles))
-	for i, f := range rfiles {
-		files[i] = &file{s, f}
-	}
-	s.logI("get files, type=0x%x count=%d", int(t), len(files))
-	return
-}
-
-func (s *Storage) GetManifest() (f storage.File, err error) {
-	manifest, err := s.Storage.GetManifest()
-	if err != nil {
-		if !os.IsNotExist(err) {
-			s.logI("get manifest failed, err=%v", err)
-		}
-		return
-	}
-	s.logI("get manifest, num=%d", manifest.Num())
-	return &file{s, manifest}, nil
-}
-
-func (s *Storage) SetManifest(f storage.File) error {
-	f_, ok := f.(*file)
-	ExpectWithOffset(1, ok).To(BeTrue())
-	ExpectWithOffset(1, f_.Type()).To(Equal(storage.TypeManifest))
-	err := s.Storage.SetManifest(f_.File)
-	if err != nil {
-		s.logI("set manifest failed, err=%v", err)
-	} else {
-		s.logI("set manifest, num=%d", f_.Num())
-	}
-	return err
-}
-
-func (s *Storage) openFiles() string {
-	out := "Open files:"
-	for x, writer := range s.opens {
-		num, t := unpackFile(x)
-		out += fmt.Sprintf("\n · num=%d type=%v writer=%v", num, t, writer)
-	}
-	return out
-}
-
-func (s *Storage) Close() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	ExpectWithOffset(1, s.opens).To(BeEmpty(), s.openFiles())
-	err := s.Storage.Close()
-	if err != nil {
-		s.logI("storage closing failed, err=%v", err)
-	} else {
-		s.logI("storage closed")
-	}
-	if s.closeFn != nil {
-		if err1 := s.closeFn(); err1 != nil {
-			s.logI("close func error, err=%v", err1)
-		}
-	}
-	return err
-}
-
-func (s *Storage) countNB(m StorageMode, t storage.FileType, n int) {
-	s.counters[flattenType(m, t)]++
-	s.bytesCounter[flattenType(m, t)] += int64(n)
-}
-
-func (s *Storage) count(m StorageMode, t storage.FileType, n int) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	s.countNB(m, t, n)
-}
-
-func (s *Storage) ResetCounter(m StorageMode, t storage.FileType) {
-	for _, x := range listFlattenType(m, t) {
-		s.counters[x] = 0
-		s.bytesCounter[x] = 0
-	}
-}
-
-func (s *Storage) Counter(m StorageMode, t storage.FileType) (count int, bytes int64) {
-	for _, x := range listFlattenType(m, t) {
-		count += s.counters[x]
-		bytes += s.bytesCounter[x]
-	}
-	return
-}
-
-func (s *Storage) emulateError(m StorageMode, t storage.FileType) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	err := s.emulatedError[flattenType(m, t)]
-	if err != nil {
-		return emulatedError{err}
-	}
-	return nil
-}
-
-func (s *Storage) EmulateError(m StorageMode, t storage.FileType, err error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for _, x := range listFlattenType(m, t) {
-		s.emulatedError[x] = err
-	}
-}
-
-func (s *Storage) stall(m StorageMode, t storage.FileType) {
-	x := flattenType(m, t)
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for s.stalled[x] {
-		s.stallCond.Wait()
-	}
-}
-
-func (s *Storage) Stall(m StorageMode, t storage.FileType) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for _, x := range listFlattenType(m, t) {
-		s.stalled[x] = true
-	}
-}
-
-func (s *Storage) Release(m StorageMode, t storage.FileType) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for _, x := range listFlattenType(m, t) {
-		s.stalled[x] = false
-	}
-	s.stallCond.Broadcast()
-}
-
-func NewStorage() *Storage {
-	var stor storage.Storage
-	var closeFn func() error
-	if storageUseFS {
-		for {
-			storageMu.Lock()
-			num := storageNum
-			storageNum++
-			storageMu.Unlock()
-			path := filepath.Join(os.TempDir(), fmt.Sprintf("goleveldb-test%d0%d0%d", os.Getuid(), os.Getpid(), num))
-			if _, err := os.Stat(path); os.IsNotExist(err) {
-				stor, err = storage.OpenFile(path)
-				ExpectWithOffset(1, err).NotTo(HaveOccurred(), "creating storage at %s", path)
-				closeFn = func() error {
-					if storageKeepFS {
-						return nil
-					}
-					return os.RemoveAll(path)
-				}
-				break
-			}
-		}
-	} else {
-		stor = storage.NewMemStorage()
-	}
-	s := &Storage{
-		Storage: stor,
-		closeFn: closeFn,
-		opens:   make(map[uint64]bool),
-	}
-	s.stallCond.L = &s.mu
-	return s
-}
--- a/Godeps/_workspace/src/github.com/thejerf/suture/.travis.yml
+++ b/Godeps/_workspace/src/github.com/thejerf/suture/.travis.yml
@@ -1,7 +0,0 @@
-language: go
-go:
-  - 1.1
-  - 1.2
-  - 1.3
-  - 1.4
-  - tip
--- a/ISSUE_TEMPLATE.md
+++ b/ISSUE_TEMPLATE.md
@@ -0,0 +1,28 @@
+Do not report security issues in this bug tracker. Instead, contact
+security@syncthing.net directly - see https://syncthing.net/security.html
+for more information.
+
+If your issue is a support request ("How do I get my devices to connect?"
+or similar), please use the support forum at https://forum.syncthing.net/
+where a large number of helpful people hang out. This issue tracker is for
+reporting bugs or feature requests directly to the developers.
+
+If your issue is a bug report, replace this boilerplate with a description
+of the problem, being sure to include at least:
+
+ - what happened,
+ - what you expected to happen instead, and
+ - any steps to reproduce the problem.
+
+Also fill out the version information below and add log output or
+screenshots as appropriate.
+
+If your issue is a feature request, simply replace this template text in
+its entirety.
+
+### Version Information
+
+Syncthing Version: v0.x.y
+OS Version: Windows 7 / Ubuntu 14.04 / ...
+Browser Version: (if applicable, for GUI issues)
+
--- a/187
+++ b/187
@@ -1,79 +1,114 @@
 # This file maps email addresses used in commits to nicks used the changelog.
+# It is auto generated from the AUTHORS file by script/authors.go.

-acogdev		<jake@acogdev.com>
-alex2108	<register-github@alex-graf.de>
-andersonvom	<andersonvom@gmail.com>
-andrew-d	<andrew@du.nham.ca>
-asdil12		<dominik@heidler.eu>
-AudriusButkevicius	<audrius.butkevicius@gmail.com>
-bencurthoys	<ben@bencurthoys.com>
-bigbear2nd	<bigbear2nd@gmail.com>
-brbecker	<brbecker@gmail.com>
-brendanlong	<self@brendanlong.com>
-brgmnn      <dan.arne.bergmann@gmail.com> <brgmnn@users.noreply.github.com>
-bsidhom		<bsidhom@gmail.com>
-buinsky	<vix_booja@tut.by>
-burkemw3	<mburke@amplify.com> <burkemw3@gmail.com>
-calmh		<jakob@nym.se>
-canton7	<antony.male@gmail.com>
-Cathryne	<cathryne.linenweaver@gmail.com> <Cathryne@users.noreply.github.com>
-cdata		<chris@scriptolo.gy>
-cdhowie	<me@chrishowie.com>
-ceh		<emil@hessman.se>
-cqcallaw	<enlightened.despot@gmail.com>
-dva	<denisva@gmail.com>
-dzarda		<dzardacz@gmail.com>
-eipiminus1	<eipiminusone+github@gmail.com> <eipiminus1@users.noreply.github.com>
-facastagnini	<federico.castagnini@gmail.com>
-filoozoom	<philippe@schommers.be>
-frioux		<frew@afoolishmanifesto.com> <frioux@gmail.com>
-fti7	<frank@isemann.name>
-gillisig	<gilli@vx.is>
-hadogenes	<szafar@linux.pl>
-jarlebring	<jarlebring@gmail.com>
-jedie		<github.com@jensdiemer.de> <git@jensdiemer.de>
-jgke	<jgke@jgke.fi>
-jpjp		<jamespatterson@operamail.com> <jpjp@users.noreply.github.com>
-kamadak		<kamada@nanohz.org>
-KayoticSully	<kayoticsully@gmail.com>
-kilburn		<kilburn@la3.org>
-kluppy	<kluppy@going2blue.com>
-kozec		<kozec@kozec.com>
-krozycki	<rozycki.karol@gmail.com>
-LordLandon	<lordlandon@gmail.com>
-marcindziadus	<dziadus.marcin@gmail.com>
+acogdev <jake@acogdev.com>
+alessandro.g89 <alessandro.g89@gmail.com>
+alex2108 <register-github@alex-graf.de>
+andersonvom <andersonvom@gmail.com>
+andrew-d <andrew@du.nham.ca>
+asdil12 <dominik@heidler.eu>
+AudriusButkevicius <audrius.butkevicius@gmail.com>
+aviau <alexandre@alexandreviau.net>
+aviau <aviau@debian.org>
+bencurthoys <ben@bencurthoys.com>
+bigbear2nd <bigbear2nd@gmail.com>
+brbecker <brbecker@gmail.com>
+brendanlong <self@brendanlong.com>
+brgmnn <dan.arne.bergmann@gmail.com>
+brgmnn <brgmnn@users.noreply.github.com>
+bsidhom <bsidhom@gmail.com>
+buinsky <vix_booja@tut.by>
+burkemw3 <mburke@amplify.com>
+burkemw3 <burkemw3@gmail.com>
+calmh <jakob@nym.se>
+canton7 <antony.male@gmail.com>
+Cathryne <cathryne.linenweaver@gmail.com>
+Cathryne <Cathryne@users.noreply.github.com>
+cdata <chris@scriptolo.gy>
+cdhowie <me@chrishowie.com>
+ceh <emil@hessman.se>
+cqcallaw <enlightened.despot@gmail.com>
+dinosore <dinosore@dbrsoftware.co.uk>
+dva <denisva@gmail.com>
+dzarda <dzardacz@gmail.com>
+eipiminus1 <eipiminusone+github@gmail.com>
+eipiminus1 <eipiminus1@users.noreply.github.com>
+facastagnini <federico.castagnini@gmail.com>
+filoozoom <philippe@schommers.be>
+frioux <frew@afoolishmanifesto.com>
+frioux <frioux@gmail.com>
+fti7 <frank@isemann.name>
+gillisig <gilli@vx.is>
+hadogenes <szafar@linux.pl>
+ironmig <kma1660@gmail.com>
+jarlebring <jarlebring@gmail.com>
+jedie <github.com@jensdiemer.de>
+jedie <git@jensdiemer.de>
+jgke <jgke@jgke.fi>
+jpjp <jamespatterson@operamail.com>
+jpjp <jpjp@users.noreply.github.com>
+kamadak <kamada@nanohz.org>
+KayoticSully <kayoticsully@gmail.com>
+kc1212 <kc04bc@gmx.com>
+kc1212 <kc1212@users.noreply.github.com>
+kilburn <kilburn@la3.org>
+kluppy <kluppy@going2blue.com>
+kozec <kozec@kozec.com>
+kralo <max.schulze@online.de>
+kralo <kralo@users.noreply.github.com>
+krozycki <rozycki.karol@gmail.com>
+letiemble <laurent.etiemble@gmail.com>
+letiemble <laurent.etiemble@monobjc.net>
+lkwg82 <lkwg82@gmx.de>
+LordLandon <lordlandon@gmail.com>
+majedev <majed.alhajry@gmail.com>
+marcindziadus <dziadus.marcin@gmail.com>
 marclaporte <marc@marclaporte.com>
-mateon1	<matin1111@wp.pl>
-mogwa1	<devriesb@gmail.com>
-moshen		<moshen.colin@gmail.com>
-Moter8		<moter8@gmail.com>
-mvdan		<mvdan@mvdan.cc>
-nrm21	<natemorrison@gmail.com>
-Nutomic		<me@nutomic.com>
-pascalj		<github@pascalj.com> <mail@pascal-jungblut.com>
-peterhoeg	<peter@speartail.com>
-philips		<brandon@ifup.org>
-piobpl		<piotrb10@gmail.com>
-plouj	<ploujj@gmail.com>
-pluby		<phill.luby@newredo.com>
-pyfisch		<pyfisch@gmail.com>
-qbit		<qbit@deftly.net>
-ralder		<ralder@yandex.ru>
-Rewt0r		<rewt0r@gmx.com> <Rewt0r@users.noreply.github.com>
-rumpelsepp	<stefan@sevenbyte.org> <rumpelsepp@sevenbyte.org>
-sciurius	<jvromans@squirrel.nl>
-seehuhn		<voss@seehuhn.de>
-simplypeachy	<aD@simplypeachy.co.uk> <simplypeachy@users.noreply.github.com>
-snnd		<dw@risu.io>
-Stefan-Code	<stefan.github@gmail.com> <Stefan.github@gmail.com>
-timabell	<tim@timwise.co.uk>
-tnn2		<tnn@nygren.pp.se>
-tojrobinson	<tully@tojr.org>
-tylerbrazier	<tyler@tylerbrazier.com>
-uok		<ueomkail@gmail.com> <uok@users.noreply.github.com>
-veeti		<veeti.paananen@rojekti.fi>
-Vilbrekin	<vilbrekin@gmail.com>
-wkennington	<william@wkennington.com>
-wsgcsysadmin	<e.meitner@willystreet.coo>
-Zillode		<zillode@zillode.be>
-zukoo		<fxgsell@gmail.com>
+marclaporte <marc@laporte.name>
+mateon1 <matin1111@wp.pl>
+mogwa1 <devriesb@gmail.com>
+moshen <moshen.colin@gmail.com>
+Moter8 <moter8@gmail.com>
+mvdan <mvdan@mvdan.cc>
+norgeous <daniel@harte.me>
+norgeous <daniel@danielharte.co.uk>
+norgeous <norgeous@users.noreply.github.com>
+nrm21 <natemorrison@gmail.com>
+Nutomic <me@nutomic.com>
+pascalj <github@pascalj.com>
+pascalj <mail@pascal-jungblut.com>
+peterhoeg <peter@speartail.com>
+philips <brandon@ifup.org>
+piobpl <piotrb10@gmail.com>
+plouj <ploujj@gmail.com>
+pluby <phill.luby@newredo.com>
+pyfisch <pyfisch@gmail.com>
+qbit <qbit@deftly.net>
+ralder <ralder@yandex.ru>
+Rewt0r <rewt0r@gmx.com>
+Rewt0r <Rewt0r@users.noreply.github.com>
+rumpelsepp <stefan@sevenbyte.org>
+rumpelsepp <rumpelsepp@sevenbyte.org>
+scienmind <scintertech@cryptolab.net>
+sciurius <jvromans@squirrel.nl>
+seehuhn <voss@seehuhn.de>
+simplypeachy <aD@simplypeachy.co.uk>
+simplypeachy <simplypeachy@users.noreply.github.com>
+snnd <dw@risu.io>
+Stefan-Code <stefan.github@gmail.com>
+Stefan-Code <Stefan.github@gmail.com>
+timabell <tim@timwise.co.uk>
+tnn2 <tnn@nygren.pp.se>
+tojrobinson <tully@tojr.org>
+tpng <benny.tpng@gmail.com>
+tylerbrazier <tyler@tylerbrazier.com>
+uok <ueomkail@gmail.com>
+uok <uok@users.noreply.github.com>
+veeti <veeti.paananen@rojekti.fi>
+Vilbrekin <vilbrekin@gmail.com>
+wkennington <william@wkennington.com>
+WSGCSysadmin <e.meitner@willystreet.coop>
+wweich <wweich@users.noreply.github.com>
+wweich <wweich@gmx.de>
+Zillode <zillode@zillode.be>
+zukoo <fxgsell@gmail.com>
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,32 @@
+### Purpose
+
+Describe the purpose of this change. If there is an existing issue that is
+resolved by this pull request, ensure that the commit subject is on the form
+`Some short description (fixes #1234)` where 1234 is the issue number.
+
+### Testing
+
+Describe what testing has been done, and how the reviewer can test the change
+if new tests are not included.
+
+### Screenshots
+
+If this is a GUI change, include screenshots of the change. If not, please
+feel free to just delete this section.
+
+### Documentation
+
+If this is a user visible change (including API and protocol changes), add a link here
+to the corresponding pull request on https://github.com/syncthing/docs or describe
+the documentation changes necessary.
+
+### Authorship
+
+Every author of a code contribution (Go, Javascript, HTML, CSS etc, with the
+possible exception of minor typo corrections and similar) is recorded in the
+AUTHORS and NICKS files and the in-GUI credits. If this is your first
+contribution, a maintainer will add you properly before accepting the
+contribution. You need not do so yourself or worry about the fact that the
+"authors" automated test fails. However, if your name (such as you want it
+presented in the credits) is not visible on your Github profile or in your
+commit messages, please assist by providing it here.
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # Syncthing

 [![Latest Build (Official)](https://img.shields.io/jenkins/s/http/build.syncthing.net/syncthing.svg?style=flat-square&label=unix%20build)](http://build.syncthing.net/job/syncthing/lastBuild/)
-[![AppVeyor Build](https://img.shields.io/appveyor/ci/calmh/syncthing/master.svg?style=flat-square&label=windows%20build)](https://ci.appveyor.com/project/calmh/syncthing)
 [![API Documentation](https://img.shields.io/badge/api-Godoc-blue.svg?style=flat-square)](http://godoc.org/github.com/syncthing/syncthing)
 [![MPLv2 License](https://img.shields.io/badge/license-MPLv2-blue.svg?style=flat-square)](https://www.mozilla.org/MPL/2.0/)

@@ -25,22 +24,30 @@ for incompatible changes.
 Take a look at the [getting started guide][2].

 There are a few examples for keeping Syncthing running in the background
-on your system in [the etc directory][3].
+on your system in [the etc directory][3]. There are also several [GUI
+implementations][11] for Windows, Mac and Linux.

-There is an IRC channel, `#syncthing` on [Freenode][4], for talking directly
-to developers and users.
+## Getting in Touch
+
+The first and best point of contact is the [Forum][8]. There is also an IRC
+channel, `#syncthing` on [freenode][4] (with a [web client][9]), for talking
+directly to developers and users. If you've found something that is clearly a
+bug, feel free to report it in the [GitHub issue tracker][10].

 ## Building

-Building Syncthing from source is easy, and there's a [guide][5].
+Building Syncthing from source is easy, and there's a [guide][5]
 that describes it for both Unix and Windows systems.

 ## Signed Releases

-As of v0.10.15 and onwards, git tags and release binaries are GPG signed
-with the key D26E6ED000654A3E (see https://syncthing.net/security.html).
-For release binaries, MD5 and SHA1 checksums are calculated and signed,
-available in the md5sum.txt.asc and sha1sum.txt.asc files.
+As of v0.10.15 and onwards release binaries are GPG signed with the key
+D26E6ED000654A3E, available from https://syncthing.net/security.html and
+most key servers.
+
+There is also a built in automatic upgrade mechanism (disabled in some
+distribution channels) which uses a compiled in ECDSA signature. Mac OS
+X binaries are also properly code signed.

 ## Documentation

@@ -51,7 +58,11 @@ All code is licensed under the [MPLv2 License][7].
 [1]: http://docs.syncthing.net/specs/bep-v1.html
 [2]: http://docs.syncthing.net/intro/getting-started.html
 [3]: https://github.com/syncthing/syncthing/blob/master/etc
-[4]: https://webchat.freenode.net/
+[4]: http://www.freenode.net/irc_servers.shtml
 [5]: http://docs.syncthing.net/dev/building.html
 [6]: http://docs.syncthing.net/
 [7]: https://github.com/syncthing/syncthing/blob/master/LICENSE
+[8]: https://forum.syncthing.net/
+[9]: https://kiwiirc.com/client/irc.freenode.net/#syncthing
+[10]: https://github.com/syncthing/syncthing/issues
+[11]: http://docs.syncthing.net/users/contrib.html#gui-wrappers
--- a/appveyor.yaml
+++ b/appveyor.yaml
@@ -1,12 +0,0 @@
-version: '{branch}-{build}'
-clone_folder: C:\src\github.com\syncthing\syncthing
-init:
- go version
-environment:
-  GOPATH: C:\
-build_script:
- go run build.go zip
-test_script:
- go run build.go test
-artifacts:
- path: '*.zip'
--- a/assets/statusicons/default.svg
+++ b/assets/statusicons/default.svg
--- a/assets/statusicons/notify.svg
+++ b/assets/statusicons/notify.svg
--- a/assets/statusicons/pause.svg
+++ b/assets/statusicons/pause.svg
--- a/assets/statusicons/sync.svg
+++ b/assets/statusicons/sync.svg
--- a/build.go
+++ b/build.go
--- a/build.sh
+++ b/build.sh
@@ -27,10 +27,6 @@ case "${1:-default}" in
 		build "$@"
 		;;

-	deps)
-		build "$@"
-		;;
-
 	assets)
 		build "$@"
 		;;
@@ -63,8 +59,9 @@ case "${1:-default}" in
 		;;

 	prerelease)
+		go run script/authors.go
 		build transifex
-		git add -A gui/assets/ lib/auto/
+		git add -A gui/default/assets/ lib/auto/
 		pushd man ; ./refresh.sh ; popd
 		git add -A man
 		;;
@@ -77,7 +74,7 @@ case "${1:-default}" in
 		platforms=(
 			darwin-amd64 dragonfly-amd64 freebsd-amd64 linux-amd64 netbsd-amd64 openbsd-amd64 solaris-amd64 windows-amd64
 			freebsd-386 linux-386 netbsd-386 openbsd-386 windows-386
-			linux-arm
+			linux-arm linux-arm64 linux-ppc64 linux-ppc64le
 		)

 		for plat in "${platforms[@]}"; do
@@ -105,7 +102,7 @@ case "${1:-default}" in
 		fail=0

 		# For every package in the repo
-		for dir in $(go list ./...) ; do
+		for dir in $(go list ./lib/... ./cmd/...) ; do
 			# run the tests
 			GOPATH="$(pwd)/Godeps/_workspace:$GOPATH" go test -race -coverprofile=profile.out $dir
 			if [ -f profile.out ] ; then
@@ -125,6 +122,15 @@ case "${1:-default}" in
 		fi
 		;;

+	test-xunit)
+		ulimit -t 600 &>/dev/null || true
+		ulimit -d 512000 &>/dev/null || true
+		ulimit -m 512000 &>/dev/null || true
+
+		(GOPATH="$(pwd)/Godeps/_workspace:$GOPATH" go test -v -race ./lib/... ./cmd/... || true) > tests.out
+		go2xunit -output tests.xml -fail < tests.out
+		;;
+
 	docker-all)
 		img=${DOCKERIMG:-syncthing/build:latest}
 		docker run --rm -h syncthing-builder -u $(id -u) -t \
--- a/cmd/discosrv/LICENSE
+++ b/cmd/discosrv/LICENSE
@@ -0,0 +1,19 @@
+Copyright (C) 2014-2015 The Discosrv Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+- The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/cmd/discosrv/README.md
+++ b/cmd/discosrv/README.md
@@ -0,0 +1,40 @@
+discosrv
+========
+
+[![Latest Build](http://img.shields.io/jenkins/s/http/build.syncthing.net/discosrv.svg?style=flat-square)](http://build.syncthing.net/job/discosrv/lastBuild/)
+
+This is the global discovery server for the `syncthing` project.
+
+To get it, run `go get github.com/syncthing/discosrv` or download the
+[latest build](http://build.syncthing.net/job/discosrv/lastSuccessfulBuild/artifact/)
+from the build server.
+
+Usage
+-----
+
+The discovery server supports `ql` and `postgres` backends.
+Specify the backend via `-db-backend` and the database DSN via `-db-dsn`.
+
+By default it will use in-memory `ql` backend. If you wish to persist the
+information on disk between restarts in `ql`, specify a file DSN:
+
+```bash
+$ discosrv -db-dsn="file:///var/run/discosrv.db"
+```
+
+For `postgres`, you will need to create a database and a user with permissions
+to create tables in it, then start the discosrv as follows:
+
+```bash
+$ export DISCOSRV_DB_DSN="postgres://user:password@localhost/databasename"
+$ discosrv -db-backend="postgres"
+```
+
+You can pass the DSN as command line option, but the value what you pass in will
+be visible in most process managers, potentially exposing the database password
+to other users.
+
+In all cases, the appropriate tables and indexes will be created at first
+startup. If it doesn't exit with an error, you're fine.
+
+See `discosrv -help` for other options.
--- a/cmd/discosrv/clean.go
+++ b/cmd/discosrv/clean.go
@@ -0,0 +1,75 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"database/sql"
+	"log"
+	"time"
+)
+
+type cleansrv struct {
+	intv time.Duration
+	db   *sql.DB
+	prep map[string]*sql.Stmt
+}
+
+func (s *cleansrv) Serve() {
+	for {
+		time.Sleep(next(s.intv))
+
+		err := s.cleanOldEntries()
+		if err != nil {
+			log.Println("Clean:", err)
+		}
+	}
+}
+
+func (s *cleansrv) Stop() {
+	panic("stop unimplemented")
+}
+
+func (s *cleansrv) cleanOldEntries() (err error) {
+	var tx *sql.Tx
+	tx, err = s.db.Begin()
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err == nil {
+			err = tx.Commit()
+		} else {
+			tx.Rollback()
+		}
+	}()
+
+	res, err := tx.Stmt(s.prep["cleanAddress"]).Exec()
+	if err != nil {
+		return err
+	}
+	if rows, _ := res.RowsAffected(); rows > 0 {
+		log.Printf("Clean: %d old addresses", rows)
+	}
+
+	res, err = tx.Stmt(s.prep["cleanDevice"]).Exec()
+	if err != nil {
+		return err
+	}
+	if rows, _ := res.RowsAffected(); rows > 0 {
+		log.Printf("Clean: %d old devices", rows)
+	}
+
+	var devs, addrs int
+	row := tx.Stmt(s.prep["countDevice"]).QueryRow()
+	if err = row.Scan(&devs); err != nil {
+		return err
+	}
+	row = tx.Stmt(s.prep["countAddress"]).QueryRow()
+	if err = row.Scan(&addrs); err != nil {
+		return err
+	}
+
+	log.Printf("Database: %d devices, %d addresses", devs, addrs)
+	return nil
+}
--- a/cmd/discosrv/db.go
+++ b/cmd/discosrv/db.go
@@ -0,0 +1,32 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+type setupFunc func(db *sql.DB) error
+type compileFunc func(db *sql.DB) (map[string]*sql.Stmt, error)
+
+var (
+	setupFuncs   = make(map[string]setupFunc)
+	compileFuncs = make(map[string]compileFunc)
+)
+
+func register(name string, setup setupFunc, compile compileFunc) {
+	setupFuncs[name] = setup
+	compileFuncs[name] = compile
+}
+
+func setup(backend string, db *sql.DB) (map[string]*sql.Stmt, error) {
+	setup, ok := setupFuncs[backend]
+	if !ok {
+		return nil, fmt.Errorf("Unsupported backend")
+	}
+	if err := setup(db); err != nil {
+		return nil, err
+	}
+	return compileFuncs[backend](db)
+}
--- a/cmd/discosrv/main.go
+++ b/cmd/discosrv/main.go
@@ -0,0 +1,141 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"crypto/tls"
+	"database/sql"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"runtime"
+	"strconv"
+	"time"
+
+	"github.com/syncthing/syncthing/lib/protocol"
+	"github.com/thejerf/suture"
+)
+
+const (
+	minNegCache  = 60        // seconds
+	maxNegCache  = 3600      // seconds
+	maxDeviceAge = 7 * 86400 // one week, in seconds
+)
+
+var (
+	Version    string
+	BuildStamp string
+	BuildUser  string
+	BuildHost  string
+
+	BuildDate   time.Time
+	LongVersion string
+)
+
+func init() {
+	stamp, _ := strconv.Atoi(BuildStamp)
+	BuildDate = time.Unix(int64(stamp), 0)
+
+	date := BuildDate.UTC().Format("2006-01-02 15:04:05 MST")
+	LongVersion = fmt.Sprintf(`discosrv %s (%s %s-%s) %s@%s %s`, Version, runtime.Version(), runtime.GOOS, runtime.GOARCH, BuildUser, BuildHost, date)
+}
+
+var (
+	lruSize     = 10240
+	limitAvg    = 5
+	limitBurst  = 20
+	globalStats stats
+	statsFile   string
+	backend     = "ql"
+	dsn         = getEnvDefault("DISCOSRV_DB_DSN", "memory://discosrv")
+	certFile    = "cert.pem"
+	keyFile     = "key.pem"
+	debug       = false
+	useHTTP     = false
+)
+
+func main() {
+	const (
+		cleanIntv = 1 * time.Hour
+		statsIntv = 5 * time.Minute
+	)
+
+	var listen string
+
+	log.SetOutput(os.Stdout)
+	log.SetFlags(0)
+
+	flag.StringVar(&listen, "listen", ":8443", "Listen address")
+	flag.IntVar(&lruSize, "limit-cache", lruSize, "Limiter cache entries")
+	flag.IntVar(&limitAvg, "limit-avg", limitAvg, "Allowed average package rate, per 10 s")
+	flag.IntVar(&limitBurst, "limit-burst", limitBurst, "Allowed burst size, packets")
+	flag.StringVar(&statsFile, "stats-file", statsFile, "File to write periodic operation stats to")
+	flag.StringVar(&backend, "db-backend", backend, "Database backend to use")
+	flag.StringVar(&dsn, "db-dsn", dsn, "Database DSN")
+	flag.StringVar(&certFile, "cert", certFile, "Certificate file")
+	flag.StringVar(&keyFile, "key", keyFile, "Key file")
+	flag.BoolVar(&debug, "debug", debug, "Debug")
+	flag.BoolVar(&useHTTP, "http", useHTTP, "Listen on HTTP (behind an HTTPS proxy)")
+	flag.Parse()
+
+	log.Println(LongVersion)
+
+	var cert tls.Certificate
+	var err error
+	if !useHTTP {
+		cert, err = tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			log.Fatalln("Failed to load X509 key pair:", err)
+		}
+
+		devID := protocol.NewDeviceID(cert.Certificate[0])
+		log.Println("Server device ID is", devID)
+	}
+
+	db, err := sql.Open(backend, dsn)
+	if err != nil {
+		log.Fatalln("sql.Open:", err)
+	}
+	prep, err := setup(backend, db)
+	if err != nil {
+		log.Fatalln("Setup:", err)
+	}
+
+	main := suture.NewSimple("main")
+
+	main.Add(&querysrv{
+		addr: listen,
+		cert: cert,
+		db:   db,
+		prep: prep,
+	})
+
+	main.Add(&cleansrv{
+		intv: cleanIntv,
+		db:   db,
+		prep: prep,
+	})
+
+	main.Add(&statssrv{
+		intv: statsIntv,
+		file: statsFile,
+		db:   db,
+	})
+
+	globalStats.Reset()
+	main.Serve()
+}
+
+func getEnvDefault(key, def string) string {
+	if val := os.Getenv(key); val != "" {
+		return val
+	}
+	return def
+}
+
+func next(intv time.Duration) time.Duration {
+	t0 := time.Now()
+	t1 := t0.Add(intv).Truncate(intv)
+	return t1.Sub(t0)
+}
--- a/cmd/discosrv/psql.go
+++ b/cmd/discosrv/psql.go
@@ -0,0 +1,97 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"database/sql"
+	"fmt"
+
+	_ "github.com/lib/pq"
+)
+
+func init() {
+	register("postgres", postgresSetup, postgresCompile)
+}
+
+func postgresSetup(db *sql.DB) error {
+	var err error
+
+	db.SetMaxIdleConns(4)
+	db.SetMaxOpenConns(8)
+
+	_, err = db.Exec(`CREATE TABLE IF NOT EXISTS Devices (
+		DeviceID CHAR(63) NOT NULL PRIMARY KEY,
+		Seen TIMESTAMP NOT NULL
+	)`)
+	if err != nil {
+		return err
+	}
+
+	row := db.QueryRow(`SELECT 'DevicesDeviceIDIndex'::regclass`)
+	if err := row.Scan(nil); err != nil {
+		_, err = db.Exec(`CREATE INDEX DevicesDeviceIDIndex ON Devices (DeviceID)`)
+	}
+	if err != nil {
+		return err
+	}
+
+	row = db.QueryRow(`SELECT 'DevicesSeenIndex'::regclass`)
+	if err := row.Scan(nil); err != nil {
+		_, err = db.Exec(`CREATE INDEX DevicesSeenIndex ON Devices (Seen)`)
+	}
+	if err != nil {
+		return err
+	}
+
+	_, err = db.Exec(`CREATE TABLE IF NOT EXISTS Addresses (
+		DeviceID CHAR(63) NOT NULL,
+		Seen TIMESTAMP NOT NULL,
+		Address VARCHAR(256) NOT NULL
+	)`)
+	if err != nil {
+		return err
+	}
+
+	row = db.QueryRow(`SELECT 'AddressesDeviceIDSeenIndex'::regclass`)
+	if err := row.Scan(nil); err != nil {
+		_, err = db.Exec(`CREATE INDEX AddressesDeviceIDSeenIndex ON Addresses (DeviceID, Seen)`)
+	}
+	if err != nil {
+		return err
+	}
+
+	row = db.QueryRow(`SELECT 'AddressesDeviceIDAddressIndex'::regclass`)
+	if err := row.Scan(nil); err != nil {
+		_, err = db.Exec(`CREATE INDEX AddressesDeviceIDAddressIndex ON Addresses (DeviceID, Address)`)
+	}
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func postgresCompile(db *sql.DB) (map[string]*sql.Stmt, error) {
+	stmts := map[string]string{
+		"cleanAddress":  "DELETE FROM Addresses WHERE Seen < now() - '2 hour'::INTERVAL",
+		"cleanDevice":   fmt.Sprintf("DELETE FROM Devices WHERE Seen < now() - '%d hour'::INTERVAL", maxDeviceAge/3600),
+		"countAddress":  "SELECT count(*) FROM Addresses",
+		"countDevice":   "SELECT count(*) FROM Devices",
+		"insertAddress": "INSERT INTO Addresses (DeviceID, Seen, Address) VALUES ($1, now(), $2)",
+		"insertDevice":  "INSERT INTO Devices (DeviceID, Seen) VALUES ($1, now())",
+		"selectAddress": "SELECT Address FROM Addresses WHERE DeviceID=$1 AND Seen > now() - '1 hour'::INTERVAL ORDER BY random() LIMIT 16",
+		"selectDevice":  "SELECT Seen FROM Devices WHERE DeviceID=$1",
+		"updateAddress": "UPDATE Addresses SET Seen=now() WHERE DeviceID=$1 AND Address=$2",
+		"updateDevice":  "UPDATE Devices SET Seen=now() WHERE DeviceID=$1",
+	}
+
+	res := make(map[string]*sql.Stmt, len(stmts))
+	for key, stmt := range stmts {
+		prep, err := db.Prepare(stmt)
+		if err != nil {
+			return nil, err
+		}
+		res[key] = prep
+	}
+	return res, nil
+}
--- a/cmd/discosrv/ql.go
+++ b/cmd/discosrv/ql.go
@@ -0,0 +1,81 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+
+	"github.com/cznic/ql"
+)
+
+func init() {
+	ql.RegisterDriver()
+	register("ql", qlSetup, qlCompile)
+}
+
+func qlSetup(db *sql.DB) (err error) {
+	tx, err := db.Begin()
+	if err != nil {
+		return
+	}
+
+	defer func() {
+		if err == nil {
+			err = tx.Commit()
+		} else {
+			tx.Rollback()
+		}
+	}()
+
+	_, err = tx.Exec(`CREATE TABLE IF NOT EXISTS Devices (
+		DeviceID STRING NOT NULL,
+		Seen TIME NOT NULL
+	)`)
+	if err != nil {
+		return
+	}
+
+	if _, err = tx.Exec(`CREATE INDEX IF NOT EXISTS DevicesDeviceIDIndex ON Devices (DeviceID)`); err != nil {
+		return
+	}
+
+	_, err = tx.Exec(`CREATE TABLE IF NOT EXISTS Addresses (
+		DeviceID STRING NOT NULL,
+		Seen TIME NOT NULL,
+		Address STRING NOT NULL,
+	)`)
+	if err != nil {
+		return
+	}
+
+	_, err = tx.Exec(`CREATE INDEX IF NOT EXISTS AddressesDeviceIDAddressIndex ON Addresses (DeviceID, Address)`)
+	return
+}
+
+func qlCompile(db *sql.DB) (map[string]*sql.Stmt, error) {
+	stmts := map[string]string{
+		"cleanAddress":  `DELETE FROM Addresses WHERE Seen < now() - duration("2h")`,
+		"cleanDevice":   fmt.Sprintf(`DELETE FROM Devices WHERE Seen < now() - duration("%dh")`, maxDeviceAge/3600),
+		"countAddress":  "SELECT count(*) FROM Addresses",
+		"countDevice":   "SELECT count(*) FROM Devices",
+		"insertAddress": "INSERT INTO Addresses (DeviceID, Seen, Address) VALUES ($1, now(), $2)",
+		"insertDevice":  "INSERT INTO Devices (DeviceID, Seen) VALUES ($1, now())",
+		"selectAddress": `SELECT Address from Addresses WHERE DeviceID==$1 AND Seen > now() - duration("1h") LIMIT 16`,
+		"selectDevice":  "SELECT Seen FROM Devices WHERE DeviceID==$1",
+		"updateAddress": "UPDATE Addresses Seen=now() WHERE DeviceID==$1 AND Address==$2",
+		"updateDevice":  "UPDATE Devices Seen=now() WHERE DeviceID==$1",
+	}
+
+	res := make(map[string]*sql.Stmt, len(stmts))
+	for key, stmt := range stmts {
+		prep, err := db.Prepare(stmt)
+		if err != nil {
+			log.Println("Failed to compile", stmt)
+			return nil, err
+		}
+		res[key] = prep
+	}
+	return res, nil
+}
--- a/cmd/discosrv/querysrv.go
+++ b/cmd/discosrv/querysrv.go
@@ -0,0 +1,478 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"bytes"
+	"crypto/tls"
+	"database/sql"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"math/rand"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/golang/groupcache/lru"
+	"github.com/juju/ratelimit"
+	"github.com/syncthing/syncthing/lib/protocol"
+	"golang.org/x/net/context"
+)
+
+type querysrv struct {
+	addr     string
+	db       *sql.DB
+	prep     map[string]*sql.Stmt
+	limiter  *safeCache
+	cert     tls.Certificate
+	listener net.Listener
+}
+
+type announcement struct {
+	Seen      time.Time `json:"seen"`
+	Addresses []string  `json:"addresses"`
+}
+
+type safeCache struct {
+	*lru.Cache
+	mut sync.Mutex
+}
+
+func (s *safeCache) Get(key string) (val interface{}, ok bool) {
+	s.mut.Lock()
+	val, ok = s.Cache.Get(key)
+	s.mut.Unlock()
+	return
+}
+
+func (s *safeCache) Add(key string, val interface{}) {
+	s.mut.Lock()
+	s.Cache.Add(key, val)
+	s.mut.Unlock()
+}
+
+type requestID int64
+
+func (i requestID) String() string {
+	return fmt.Sprintf("%016x", int64(i))
+}
+
+func negCacheFor(lastSeen time.Time) int {
+	since := time.Since(lastSeen).Seconds()
+	if since >= maxDeviceAge {
+		return maxNegCache
+	}
+	if since < 0 {
+		// That's weird
+		return minNegCache
+	}
+
+	// Return a value linearly scaled from minNegCache (at zero seconds ago)
+	// to maxNegCache (at maxDeviceAge seconds ago).
+	r := since / maxDeviceAge
+	return int(minNegCache + r*(maxNegCache-minNegCache))
+}
+
+func (s *querysrv) Serve() {
+	s.limiter = &safeCache{
+		Cache: lru.New(lruSize),
+	}
+
+	if useHTTP {
+		listener, err := net.Listen("tcp", s.addr)
+		if err != nil {
+			log.Println("Listen:", err)
+			return
+		}
+		s.listener = listener
+	} else {
+		tlsCfg := &tls.Config{
+			Certificates:           []tls.Certificate{s.cert},
+			ClientAuth:             tls.RequestClientCert,
+			SessionTicketsDisabled: true,
+			MinVersion:             tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			},
+		}
+
+		tlsListener, err := tls.Listen("tcp", s.addr, tlsCfg)
+		if err != nil {
+			log.Println("Listen:", err)
+			return
+		}
+		s.listener = tlsListener
+	}
+
+	http.HandleFunc("/v2/", s.handler)
+	http.HandleFunc("/ping", handlePing)
+
+	srv := &http.Server{
+		ReadTimeout:    5 * time.Second,
+		WriteTimeout:   5 * time.Second,
+		MaxHeaderBytes: 1 << 10,
+	}
+
+	if err := srv.Serve(s.listener); err != nil {
+		log.Println("Serve:", err)
+	}
+}
+
+var topCtx = context.Background()
+
+func (s *querysrv) handler(w http.ResponseWriter, req *http.Request) {
+	reqID := requestID(rand.Int63())
+	ctx := context.WithValue(topCtx, "id", reqID)
+
+	if debug {
+		log.Println(reqID, req.Method, req.URL)
+	}
+
+	t0 := time.Now()
+	defer func() {
+		diff := time.Since(t0)
+		var comment string
+		if diff > time.Second {
+			comment = "(very slow request)"
+		} else if diff > 100*time.Millisecond {
+			comment = "(slow request)"
+		}
+		if comment != "" || debug {
+			log.Println(reqID, req.Method, req.URL, "completed in", diff, comment)
+		}
+	}()
+
+	var remoteIP net.IP
+	if useHTTP {
+		remoteIP = net.ParseIP(req.Header.Get("X-Forwarded-For"))
+	} else {
+		addr, err := net.ResolveTCPAddr("tcp", req.RemoteAddr)
+		if err != nil {
+			log.Println("remoteAddr:", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+		remoteIP = addr.IP
+	}
+
+	if s.limit(remoteIP) {
+		if debug {
+			log.Println(remoteIP, "is limited")
+		}
+		w.Header().Set("Retry-After", "60")
+		http.Error(w, "Too Many Requests", 429)
+		return
+	}
+
+	switch req.Method {
+	case "GET":
+		s.handleGET(ctx, w, req)
+	case "POST":
+		s.handlePOST(ctx, remoteIP, w, req)
+	default:
+		globalStats.Error()
+		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (s *querysrv) handleGET(ctx context.Context, w http.ResponseWriter, req *http.Request) {
+	reqID := ctx.Value("id").(requestID)
+
+	deviceID, err := protocol.DeviceIDFromString(req.URL.Query().Get("device"))
+	if err != nil {
+		if debug {
+			log.Println(reqID, "bad device param")
+		}
+		globalStats.Error()
+		http.Error(w, "Bad Request", http.StatusBadRequest)
+		return
+	}
+
+	var ann announcement
+
+	ann.Seen, err = s.getDeviceSeen(deviceID)
+	negCache := strconv.Itoa(negCacheFor(ann.Seen))
+	w.Header().Set("Retry-After", negCache)
+	w.Header().Set("Cache-Control", "public, max-age="+negCache)
+
+	if err != nil {
+		// The device is not in the database.
+		globalStats.Query()
+		http.Error(w, "Not Found", http.StatusNotFound)
+		return
+	}
+
+	t0 := time.Now()
+	ann.Addresses, err = s.getAddresses(ctx, deviceID)
+	if err != nil {
+		log.Println(reqID, "getAddresses:", err)
+		globalStats.Error()
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+	if debug {
+		log.Println(reqID, "getAddresses in", time.Since(t0))
+	}
+
+	globalStats.Query()
+
+	if len(ann.Addresses) == 0 {
+		http.Error(w, "Not Found", http.StatusNotFound)
+		return
+	}
+
+	globalStats.Answer()
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(ann)
+}
+
+func (s *querysrv) handlePOST(ctx context.Context, remoteIP net.IP, w http.ResponseWriter, req *http.Request) {
+	reqID := ctx.Value("id").(requestID)
+
+	rawCert := certificateBytes(req)
+	if rawCert == nil {
+		if debug {
+			log.Println(reqID, "no certificates")
+		}
+		globalStats.Error()
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		return
+	}
+
+	var ann announcement
+	if err := json.NewDecoder(req.Body).Decode(&ann); err != nil {
+		if debug {
+			log.Println(reqID, "decode:", err)
+		}
+		globalStats.Error()
+		http.Error(w, "Bad Request", http.StatusBadRequest)
+		return
+	}
+
+	deviceID := protocol.NewDeviceID(rawCert)
+
+	// handleAnnounce returns *two* errors. The first indicates a problem with
+	// something the client posted to us. We should return a 400 Bad Request
+	// and not worry about it. The second indicates that the request was fine,
+	// but something internal messed up. We should log it and respond with a
+	// more apologetic 500 Internal Server Error.
+	userErr, internalErr := s.handleAnnounce(ctx, remoteIP, deviceID, ann.Addresses)
+	if userErr != nil {
+		if debug {
+			log.Println(reqID, "handleAnnounce:", userErr)
+		}
+		globalStats.Error()
+		http.Error(w, "Bad Request", http.StatusBadRequest)
+		return
+	}
+	if internalErr != nil {
+		log.Println(reqID, "handleAnnounce:", internalErr)
+		globalStats.Error()
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	globalStats.Announce()
+
+	// TODO: Slowly increase this for stable clients
+	w.Header().Set("Reannounce-After", "1800")
+
+	// We could return the lookup result here, but it's kind of unnecessarily
+	// expensive to go query the database again so we let the client decide to
+	// do a lookup if they really care.
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func (s *querysrv) Stop() {
+	s.listener.Close()
+}
+
+func (s *querysrv) handleAnnounce(ctx context.Context, remote net.IP, deviceID protocol.DeviceID, addresses []string) (userErr, internalErr error) {
+	reqID := ctx.Value("id").(requestID)
+
+	tx, err := s.db.Begin()
+	if err != nil {
+		internalErr = err
+		return
+	}
+
+	defer func() {
+		// Since we return from a bunch of different places, we handle
+		// rollback in the defer.
+		if internalErr != nil || userErr != nil {
+			tx.Rollback()
+		}
+	}()
+
+	for _, annAddr := range addresses {
+		uri, err := url.Parse(annAddr)
+		if err != nil {
+			userErr = err
+			return
+		}
+
+		host, port, err := net.SplitHostPort(uri.Host)
+		if err != nil {
+			userErr = err
+			return
+		}
+
+		ip := net.ParseIP(host)
+		if host == "" || ip.IsUnspecified() {
+			host = remote.String()
+		}
+
+		uri.Host = net.JoinHostPort(host, port)
+
+		if err := s.updateAddress(ctx, tx, deviceID, uri.String()); err != nil {
+			internalErr = err
+			return
+		}
+	}
+
+	if err := s.updateDevice(ctx, tx, deviceID); err != nil {
+		internalErr = err
+		return
+	}
+
+	t0 := time.Now()
+	internalErr = tx.Commit()
+	if debug {
+		log.Println(reqID, "commit in", time.Since(t0))
+	}
+	return
+}
+
+func (s *querysrv) limit(remote net.IP) bool {
+	key := remote.String()
+
+	bkt, ok := s.limiter.Get(key)
+	if ok {
+		bkt := bkt.(*ratelimit.Bucket)
+		if bkt.TakeAvailable(1) != 1 {
+			// Rate limit exceeded; ignore packet
+			return true
+		}
+	} else {
+		// One packet per ten seconds average rate, burst ten packets
+		s.limiter.Add(key, ratelimit.NewBucket(10*time.Second/time.Duration(limitAvg), int64(limitBurst)))
+	}
+
+	return false
+}
+
+func (s *querysrv) updateDevice(ctx context.Context, tx *sql.Tx, device protocol.DeviceID) error {
+	reqID := ctx.Value("id").(requestID)
+	t0 := time.Now()
+	res, err := tx.Stmt(s.prep["updateDevice"]).Exec(device.String())
+	if err != nil {
+		return err
+	}
+	if debug {
+		log.Println(reqID, "updateDevice in", time.Since(t0))
+	}
+
+	if rows, _ := res.RowsAffected(); rows == 0 {
+		t0 = time.Now()
+		_, err := tx.Stmt(s.prep["insertDevice"]).Exec(device.String())
+		if err != nil {
+			return err
+		}
+		if debug {
+			log.Println(reqID, "insertDevice in", time.Since(t0))
+		}
+	}
+
+	return nil
+}
+
+func (s *querysrv) updateAddress(ctx context.Context, tx *sql.Tx, device protocol.DeviceID, uri string) error {
+	res, err := tx.Stmt(s.prep["updateAddress"]).Exec(device.String(), uri)
+	if err != nil {
+		return err
+	}
+
+	if rows, _ := res.RowsAffected(); rows == 0 {
+		_, err := tx.Stmt(s.prep["insertAddress"]).Exec(device.String(), uri)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *querysrv) getAddresses(ctx context.Context, device protocol.DeviceID) ([]string, error) {
+	rows, err := s.prep["selectAddress"].Query(device.String())
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var res []string
+	for rows.Next() {
+		var addr string
+
+		err := rows.Scan(&addr)
+		if err != nil {
+			log.Println("Scan:", err)
+			continue
+		}
+		res = append(res, addr)
+	}
+
+	return res, nil
+}
+
+func (s *querysrv) getDeviceSeen(device protocol.DeviceID) (time.Time, error) {
+	row := s.prep["selectDevice"].QueryRow(device.String())
+	var seen time.Time
+	if err := row.Scan(&seen); err != nil {
+		return time.Time{}, err
+	}
+	return seen, nil
+}
+
+func handlePing(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(204)
+}
+
+func certificateBytes(req *http.Request) []byte {
+	if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
+		return req.TLS.PeerCertificates[0].Raw
+	}
+
+	if hdr := req.Header.Get("X-SSL-Cert"); hdr != "" {
+		bs := []byte(hdr)
+		// The certificate is in PEM format but with spaces for newlines. We
+		// need to reinstate the newlines for the PEM decoder. But we need to
+		// leave the spaces in the BEGIN and END lines - the first and last
+		// space - alone.
+		firstSpace := bytes.Index(bs, []byte(" "))
+		lastSpace := bytes.LastIndex(bs, []byte(" "))
+		for i := firstSpace + 1; i < lastSpace; i++ {
+			if bs[i] == ' ' {
+				bs[i] = '\n'
+			}
+		}
+		block, _ := pem.Decode(bs)
+		if block == nil {
+			// Decoding failed
+			return nil
+		}
+		return block.Bytes
+	}
+
+	return nil
+}
--- a/cmd/discosrv/stats.go
+++ b/cmd/discosrv/stats.go
@@ -0,0 +1,141 @@
+// Copyright (C) 2014-2015 Jakob Borg and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"bytes"
+	"database/sql"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"sync/atomic"
+	"time"
+)
+
+type stats struct {
+	// Incremented atomically
+	announces int64
+	queries   int64
+	answers   int64
+	errors    int64
+}
+
+func (s *stats) Announce() {
+	atomic.AddInt64(&s.announces, 1)
+}
+
+func (s *stats) Query() {
+	atomic.AddInt64(&s.queries, 1)
+}
+
+func (s *stats) Answer() {
+	atomic.AddInt64(&s.answers, 1)
+}
+
+func (s *stats) Error() {
+	atomic.AddInt64(&s.errors, 1)
+}
+
+// Reset returns a copy of the current stats and resets the counters to
+// zero.
+func (s *stats) Reset() stats {
+	// Create a copy of the stats using atomic reads
+	copy := stats{
+		announces: atomic.LoadInt64(&s.announces),
+		queries:   atomic.LoadInt64(&s.queries),
+		answers:   atomic.LoadInt64(&s.answers),
+		errors:    atomic.LoadInt64(&s.errors),
+	}
+
+	// Reset the stats by subtracting the values that we copied
+	atomic.AddInt64(&s.announces, -copy.announces)
+	atomic.AddInt64(&s.queries, -copy.queries)
+	atomic.AddInt64(&s.answers, -copy.answers)
+	atomic.AddInt64(&s.errors, -copy.errors)
+
+	return copy
+}
+
+type statssrv struct {
+	intv time.Duration
+	file string
+	db   *sql.DB
+}
+
+func (s *statssrv) Serve() {
+	lastReset := time.Now()
+	for {
+		time.Sleep(next(s.intv))
+
+		stats := globalStats.Reset()
+		d := time.Since(lastReset).Seconds()
+		lastReset = time.Now()
+
+		log.Printf("Stats: %.02f announces/s, %.02f queries/s, %.02f answers/s, %.02f errors/s",
+			float64(stats.announces)/d, float64(stats.queries)/d, float64(stats.answers)/d, float64(stats.errors)/d)
+
+		if s.file != "" {
+			s.writeToFile(stats, d)
+		}
+	}
+}
+
+func (s *statssrv) Stop() {
+	panic("stop unimplemented")
+}
+
+func (s *statssrv) writeToFile(stats stats, secs float64) {
+	newLine := []byte("\n")
+
+	var addrs int
+	row := s.db.QueryRow("SELECT COUNT(*) FROM Addresses")
+	if err := row.Scan(&addrs); err != nil {
+		log.Println("stats query:", err)
+		return
+	}
+
+	fd, err := os.OpenFile(s.file, os.O_RDWR|os.O_CREATE, 0666)
+	if err != nil {
+		log.Println("stats file:", err)
+		return
+	}
+	defer func() {
+		err = fd.Close()
+		if err != nil {
+			log.Println("stats file:", err)
+		}
+	}()
+
+	bs, err := ioutil.ReadAll(fd)
+	if err != nil {
+		log.Println("stats file:", err)
+		return
+	}
+	lines := bytes.Split(bytes.TrimSpace(bs), newLine)
+	if len(lines) > 12 {
+		lines = lines[len(lines)-12:]
+	}
+
+	latest := fmt.Sprintf("%v: %6d addresses, %8.02f announces/s, %8.02f queries/s, %8.02f answers/s, %8.02f errors/s\n",
+		time.Now().UTC().Format(time.RFC3339), addrs,
+		float64(stats.announces)/secs, float64(stats.queries)/secs, float64(stats.answers)/secs, float64(stats.errors)/secs)
+	lines = append(lines, []byte(latest))
+
+	_, err = fd.Seek(0, 0)
+	if err != nil {
+		log.Println("stats file:", err)
+		return
+	}
+	err = fd.Truncate(0)
+	if err != nil {
+		log.Println("stats file:", err)
+		return
+	}
+
+	_, err = fd.Write(bytes.Join(lines, newLine))
+	if err != nil {
+		log.Println("stats file:", err)
+		return
+	}
+}
--- a/cmd/relaysrv/LICENSE
+++ b/cmd/relaysrv/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 The Syncthing Project
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
--- a/cmd/relaysrv/README.md
+++ b/cmd/relaysrv/README.md
@@ -0,0 +1,141 @@
+relaysrv
+========
+
+[![Latest Build](http://img.shields.io/jenkins/s/http/build.syncthing.net/relaysrv.svg?style=flat-square)](http://build.syncthing.net/job/relaysrv/lastBuild/)
+
+This is the relay server for the `syncthing` project.
+
+To get it, run `go get github.com/syncthing/relaysrv` or download the
+[latest build](http://build.syncthing.net/job/relaysrv/lastSuccessfulBuild/artifact/)
+from the build server.
+
+:exclamation:Warnings:exclamation: - Read or regret
+-----
+
+By default, all relay servers will join the default public relay pool, which means that the relay server will be availble for public use, and **will consume your bandwidth** helping others to connect.
+
+If you wish to disable this behaviour, please specify `-pools=""` argument.
+
+Please note that `relaysrv` is only usable by `syncthing` **version v0.12 and onwards**.
+
+To run `relaysrv` you need to have port 22067 available to the internet, which means you might need to allow it through your firewall if you **have a public IP, or setup a port-forwarding** (22067 to 22067) if you are behind a router.
+
+Furthermore, **by default relaysrv will also expose a /status HTTP endpoint on port 22070**, which is used by the pool servers to peek at metrics of the relaysrv, such as what are the current transfer rates, how many clients are connected, etc, etc. If you wish this information to be available, similarlly you might want to allow it through your firewall, or port-forward it (22070 to 22070) on your NAT device.
+
+This is **not mandatory** for the relaysrv to function, and is used only to gather metrics and present them in the overview page of the pool server, displaying stats about the specific relay.
+
+At the point of writing the endpoint output looks as follows:
+
+```
+{
+    "bytesProxied": 0,
+    "goArch": "amd64",
+    "goMaxProcs": 1,
+    "goNumRoutine": 13,
+    "goOS": "linux",
+    "goVersion": "go1.6",
+    "kbps10s1m5m15m30m60m": [
+        0,
+        0,
+        0,
+        0,
+        0,
+        0
+    ],
+    "numActiveSessions": 0,
+    "numConnections": 0,
+    "numPendingSessionKeys": 2,
+    "numProxies": 0,
+    "options": {
+        "global-rate": 0,
+        "message-timeout": 60,
+        "network-timeout": 120,
+        "per-session-rate": 0,
+        "ping-interval": 60,
+        "pools": [
+            "https://relays.syncthing.net/endpoint"
+        ],
+        "provided-by": ""
+    },
+    "startTime": "2016-03-06T12:53:07.090847749-05:00",
+    "uptimeSeconds": 17
+}
+```
+
+If you wish to disable the /status endpoint, provide `-status-srv=""` as one of the arguments when starting the relaysrv.
+
+Running for public use
+----
+Make sure you have a public IP with port 22067 open, or make sure you have port-forwarding (22067 to 22067) if you are behind a router.
+
+Run the `relaysrv` with no arguments (or `-debug` if you want more output), and that should be enough for the server to join the public relay pool.
+You should see a message saying:
+```
+2015/09/21 22:45:46 pool.go:60: Joined https://relays.syncthing.net/endpoint rejoining in 48m0s
+```
+
+See `relaysrv -help` for other options, such as rate limits, timeout intervals, etc.
+
+Running for private use
+-----
+
+Once you've started the `relaysrv`, it will generate a key pair and print an URI:
+```bash
+relay://:22067/?id=EZQOIDM-6DDD4ZI-DJ65NSM-4OQWRAT-EIKSMJO-OZ552BO-WQZEGYY-STS5RQM&pingInterval=1m0s&networkTimeout=2m0s&sessionLimitBps=0&globalLimitBps=0&statusAddr=:22070
+```
+
+This URI contains partial address of the relay server, as well as it's options which in the future may be taken into account when choosing the best suitable relay out of multiple available.
+
+Because `-listen` option was not used, the `relaysrv` does not know it's external IP, therefore you should replace the host part of the URI with your public IP address on which the `relaysrv` will be available:
+
+```bash
+relay://123.123.123.123:22067/?id=EZQOIDM-6DDD4ZI-DJ65NSM-4OQWRAT-EIKSMJO-OZ552BO-WQZEGYY-STS5RQM&pingInterval=1m0s&networkTimeout=2m0s&sessionLimitBps=0&globalLimitBps=0&statusAddr=:22070
+```
+
+If you do not care about certificate pinning (improved security) or do not care about passing verbose settings to the clients, you can shorten the URL to just the host part:
+
+```bash
+relay://123.123.123.123:22067
+```
+
+This URI can then be used in `syncthing` as one of the relay servers.
+
+See `relaysrv -help` for other options, such as rate limits, timeout intervals, etc.
+
+Other items available in this repo
+----
+##### testutil
+A test utility which can be used to test connectivity of a relay server.
+You need to generate two x509 key pairs (key.pem and cert.pem), one for the client, another one for the server, in separate directories.
+Afterwards, start the client:
+```bash
+./testutil -relay="relay://uri.of.relay" -keys=certs/client/ -join
+```
+
+This prints out the client ID:
+```
+2015/09/21 23:00:52 main.go:42: ID: BG2C5ZA-W7XPFDO-LH222Z6-65F3HJX-ADFTGRT-3SBFIGM-KV26O2Q-E5RMRQ2
+```
+
+In the other terminal run the following:
+
+```bash
+ ./testutil -relay="relay://uri.of.relay" -keys=certs/server/ -connect=BG2C5ZA-W7XPFDO-LH222Z6-65F3HJX-ADFTGRT-3SBFIGM-KV26O2Q-E5RMRQ2
+```
+
+Which should then give you an interactive prompt, where you can type things in one terminal, and they get relayed to the other terminal.
+
+Relay related libraries used by this repo
+----
+##### Relay protocol definition.
+
+[Available here](https://github.com/syncthing/syncthing/tree/master/lib/relay/protocol)
+
+
+##### Relay client
+
+Only used by the testutil.
+
+[Available here](https://github.com/syncthing/syncthing/tree/master/lib/relay/client)
+
+
--- a/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service
+++ b/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Syncthing relay server
+After=network.target
+
+[Service]
+User=syncthing-relaysrv
+Group=syncthing-relaysrv
+ExecStart=/usr/bin/relaysrv
+WorkingDirectory=/var/lib/syncthing-relaysrv
+
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
--- a/cmd/relaysrv/listener.go
+++ b/cmd/relaysrv/listener.go
@@ -0,0 +1,345 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"crypto/tls"
+	"encoding/hex"
+	"log"
+	"net"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	syncthingprotocol "github.com/syncthing/syncthing/lib/protocol"
+	"github.com/syncthing/syncthing/lib/tlsutil"
+
+	"github.com/syncthing/syncthing/lib/relay/protocol"
+)
+
+var (
+	outboxesMut    = sync.RWMutex{}
+	outboxes       = make(map[syncthingprotocol.DeviceID]chan interface{})
+	numConnections int64
+)
+
+func listener(addr string, config *tls.Config) {
+	tcpListener, err := net.Listen("tcp", addr)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	listener := tlsutil.DowngradingListener{
+		Listener: tcpListener,
+	}
+
+	for {
+		conn, isTLS, err := listener.AcceptNoWrapTLS()
+		if err != nil {
+			if debug {
+				log.Println("Listener failed to accept connection from", conn.RemoteAddr(), ". Possibly a TCP Ping.")
+			}
+			continue
+		}
+
+		setTCPOptions(conn)
+
+		if debug {
+			log.Println("Listener accepted connection from", conn.RemoteAddr(), "tls", isTLS)
+		}
+
+		if isTLS {
+			go protocolConnectionHandler(conn, config)
+		} else {
+			go sessionConnectionHandler(conn)
+		}
+
+	}
+}
+
+func protocolConnectionHandler(tcpConn net.Conn, config *tls.Config) {
+	conn := tls.Server(tcpConn, config)
+	err := conn.Handshake()
+	if err != nil {
+		if debug {
+			log.Println("Protocol connection TLS handshake:", conn.RemoteAddr(), err)
+		}
+		conn.Close()
+		return
+	}
+
+	state := conn.ConnectionState()
+	if (!state.NegotiatedProtocolIsMutual || state.NegotiatedProtocol != protocol.ProtocolName) && debug {
+		log.Println("Protocol negotiation error")
+	}
+
+	certs := state.PeerCertificates
+	if len(certs) != 1 {
+		if debug {
+			log.Println("Certificate list error")
+		}
+		conn.Close()
+		return
+	}
+
+	id := syncthingprotocol.NewDeviceID(certs[0].Raw)
+
+	messages := make(chan interface{})
+	errors := make(chan error, 1)
+	outbox := make(chan interface{})
+
+	// Read messages from the connection and send them on the messages
+	// channel. When there is an error, send it on the error channel and
+	// return. Applies also when the connection gets closed, so the pattern
+	// below is to close the connection on error, then wait for the error
+	// signal from messageReader to exit.
+	go messageReader(conn, messages, errors)
+
+	pingTicker := time.NewTicker(pingInterval)
+	timeoutTicker := time.NewTimer(networkTimeout)
+	joined := false
+
+	for {
+		select {
+		case message := <-messages:
+			timeoutTicker.Reset(networkTimeout)
+			if debug {
+				log.Printf("Message %T from %s", message, id)
+			}
+
+			switch msg := message.(type) {
+			case protocol.JoinRelayRequest:
+				if atomic.LoadInt32(&overLimit) > 0 {
+					protocol.WriteMessage(conn, protocol.RelayFull{})
+					if debug {
+						log.Println("Refusing join request from", id, "due to being over limits")
+					}
+					conn.Close()
+					limitCheckTimer.Reset(time.Second)
+					continue
+				}
+
+				outboxesMut.RLock()
+				_, ok := outboxes[id]
+				outboxesMut.RUnlock()
+				if ok {
+					protocol.WriteMessage(conn, protocol.ResponseAlreadyConnected)
+					if debug {
+						log.Println("Already have a peer with the same ID", id, conn.RemoteAddr())
+					}
+					conn.Close()
+					continue
+				}
+
+				outboxesMut.Lock()
+				outboxes[id] = outbox
+				outboxesMut.Unlock()
+				joined = true
+
+				protocol.WriteMessage(conn, protocol.ResponseSuccess)
+
+			case protocol.ConnectRequest:
+				requestedPeer := syncthingprotocol.DeviceIDFromBytes(msg.ID)
+				outboxesMut.RLock()
+				peerOutbox, ok := outboxes[requestedPeer]
+				outboxesMut.RUnlock()
+				if !ok {
+					if debug {
+						log.Println(id, "is looking for", requestedPeer, "which does not exist")
+					}
+					protocol.WriteMessage(conn, protocol.ResponseNotFound)
+					conn.Close()
+					continue
+				}
+				// requestedPeer is the server, id is the client
+				ses := newSession(requestedPeer, id, sessionLimiter, globalLimiter)
+
+				go ses.Serve()
+
+				clientInvitation := ses.GetClientInvitationMessage()
+				serverInvitation := ses.GetServerInvitationMessage()
+
+				if err := protocol.WriteMessage(conn, clientInvitation); err != nil {
+					if debug {
+						log.Printf("Error sending invitation from %s to client: %s", id, err)
+					}
+					conn.Close()
+					continue
+				}
+
+				peerOutbox <- serverInvitation
+
+				if debug {
+					log.Println("Sent invitation from", id, "to", requestedPeer)
+				}
+				conn.Close()
+
+			case protocol.Ping:
+				if err := protocol.WriteMessage(conn, protocol.Pong{}); err != nil {
+					if debug {
+						log.Println("Error writing pong:", err)
+					}
+					conn.Close()
+					continue
+				}
+
+			case protocol.Pong:
+				// Nothing
+
+			default:
+				if debug {
+					log.Printf("Unknown message %s: %T", id, message)
+				}
+				protocol.WriteMessage(conn, protocol.ResponseUnexpectedMessage)
+				conn.Close()
+			}
+
+		case err := <-errors:
+			if debug {
+				log.Printf("Closing connection %s: %s", id, err)
+			}
+			close(outbox)
+
+			// Potentially closing a second time.
+			conn.Close()
+
+			if joined {
+				// Only delete the outbox if the client is joined, as it might be
+				// a lookup request coming from the same client.
+				outboxesMut.Lock()
+				delete(outboxes, id)
+				outboxesMut.Unlock()
+				// Also, kill all sessions related to this node, as it probably
+				// went offline. This is for the other end to realize the client
+				// is no longer there faster. This also helps resolve
+				// 'already connected' errors when one of the sides is
+				// restarting, and connecting to the other peer before the other
+				// peer even realised that the node has gone away.
+				dropSessions(id)
+			}
+			return
+
+		case <-pingTicker.C:
+			if !joined {
+				if debug {
+					log.Println(id, "didn't join within", pingInterval)
+				}
+				conn.Close()
+				continue
+			}
+
+			if err := protocol.WriteMessage(conn, protocol.Ping{}); err != nil {
+				if debug {
+					log.Println(id, err)
+				}
+				conn.Close()
+			}
+
+			if atomic.LoadInt32(&overLimit) > 0 && !hasSessions(id) {
+				if debug {
+					log.Println("Dropping", id, "as it has no sessions and we are over our limits")
+				}
+				protocol.WriteMessage(conn, protocol.RelayFull{})
+				conn.Close()
+
+				limitCheckTimer.Reset(time.Second)
+			}
+
+		case <-timeoutTicker.C:
+			// We should receive a error from the reader loop, which will cause
+			// us to quit this loop.
+			if debug {
+				log.Printf("%s timed out", id)
+			}
+			conn.Close()
+
+		case msg := <-outbox:
+			if msg == nil {
+				conn.Close()
+				return
+			}
+			if debug {
+				log.Printf("Sending message %T to %s", msg, id)
+			}
+			if err := protocol.WriteMessage(conn, msg); err != nil {
+				if debug {
+					log.Println(id, err)
+				}
+				conn.Close()
+			}
+		}
+	}
+}
+
+func sessionConnectionHandler(conn net.Conn) {
+	if err := conn.SetDeadline(time.Now().Add(messageTimeout)); err != nil {
+		if debug {
+			log.Println("Weird error setting deadline:", err, "on", conn.RemoteAddr())
+		}
+		return
+	}
+
+	message, err := protocol.ReadMessage(conn)
+	if err != nil {
+		return
+	}
+
+	switch msg := message.(type) {
+	case protocol.JoinSessionRequest:
+		ses := findSession(string(msg.Key))
+		if debug {
+			log.Println(conn.RemoteAddr(), "session lookup", ses, hex.EncodeToString(msg.Key)[:5])
+		}
+
+		if ses == nil {
+			protocol.WriteMessage(conn, protocol.ResponseNotFound)
+			conn.Close()
+			return
+		}
+
+		if !ses.AddConnection(conn) {
+			if debug {
+				log.Println("Failed to add", conn.RemoteAddr(), "to session", ses)
+			}
+			protocol.WriteMessage(conn, protocol.ResponseAlreadyConnected)
+			conn.Close()
+			return
+		}
+
+		if err := protocol.WriteMessage(conn, protocol.ResponseSuccess); err != nil {
+			if debug {
+				log.Println("Failed to send session join response to ", conn.RemoteAddr(), "for", ses)
+			}
+			return
+		}
+
+		if err := conn.SetDeadline(time.Time{}); err != nil {
+			if debug {
+				log.Println("Weird error setting deadline:", err, "on", conn.RemoteAddr())
+			}
+			conn.Close()
+			return
+		}
+
+	default:
+		if debug {
+			log.Println("Unexpected message from", conn.RemoteAddr(), message)
+		}
+		protocol.WriteMessage(conn, protocol.ResponseUnexpectedMessage)
+		conn.Close()
+	}
+}
+
+func messageReader(conn net.Conn, messages chan<- interface{}, errors chan<- error) {
+	atomic.AddInt64(&numConnections, 1)
+	defer atomic.AddInt64(&numConnections, -1)
+
+	for {
+		msg, err := protocol.ReadMessage(conn)
+		if err != nil {
+			errors <- err
+			return
+		}
+		messages <- msg
+	}
+}
--- a/cmd/relaysrv/main.go
+++ b/cmd/relaysrv/main.go
@@ -0,0 +1,224 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"net/url"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"syscall"
+	"time"
+
+	"github.com/juju/ratelimit"
+	"github.com/syncthing/syncthing/lib/osutil"
+	"github.com/syncthing/syncthing/lib/relay/protocol"
+	"github.com/syncthing/syncthing/lib/tlsutil"
+
+	syncthingprotocol "github.com/syncthing/syncthing/lib/protocol"
+)
+
+var (
+	Version    string
+	BuildStamp string
+	BuildUser  string
+	BuildHost  string
+
+	BuildDate   time.Time
+	LongVersion string
+)
+
+func init() {
+	stamp, _ := strconv.Atoi(BuildStamp)
+	BuildDate = time.Unix(int64(stamp), 0)
+
+	date := BuildDate.UTC().Format("2006-01-02 15:04:05 MST")
+	LongVersion = fmt.Sprintf(`relaysrv %s (%s %s-%s) %s@%s %s`, Version, runtime.Version(), runtime.GOOS, runtime.GOARCH, BuildUser, BuildHost, date)
+}
+
+var (
+	listen string
+	debug  bool
+
+	sessionAddress []byte
+	sessionPort    uint16
+
+	networkTimeout = 2 * time.Minute
+	pingInterval   = time.Minute
+	messageTimeout = time.Minute
+
+	limitCheckTimer *time.Timer
+
+	sessionLimitBps int
+	globalLimitBps  int
+	overLimit       int32
+	descriptorLimit int64
+	sessionLimiter  *ratelimit.Bucket
+	globalLimiter   *ratelimit.Bucket
+
+	statusAddr       string
+	poolAddrs        string
+	pools            []string
+	providedBy       string
+	defaultPoolAddrs = "https://relays.syncthing.net/endpoint"
+)
+
+func main() {
+	log.SetFlags(log.Lshortfile | log.LstdFlags)
+
+	var dir, extAddress string
+
+	flag.StringVar(&listen, "listen", ":22067", "Protocol listen address")
+	flag.StringVar(&dir, "keys", ".", "Directory where cert.pem and key.pem is stored")
+	flag.DurationVar(&networkTimeout, "network-timeout", networkTimeout, "Timeout for network operations between the client and the relay.\n\tIf no data is received between the client and the relay in this period of time, the connection is terminated.\n\tFurthermore, if no data is sent between either clients being relayed within this period of time, the session is also terminated.")
+	flag.DurationVar(&pingInterval, "ping-interval", pingInterval, "How often pings are sent")
+	flag.DurationVar(&messageTimeout, "message-timeout", messageTimeout, "Maximum amount of time we wait for relevant messages to arrive")
+	flag.IntVar(&sessionLimitBps, "per-session-rate", sessionLimitBps, "Per session rate limit, in bytes/s")
+	flag.IntVar(&globalLimitBps, "global-rate", globalLimitBps, "Global rate limit, in bytes/s")
+	flag.BoolVar(&debug, "debug", debug, "Enable debug output")
+	flag.StringVar(&statusAddr, "status-srv", ":22070", "Listen address for status service (blank to disable)")
+	flag.StringVar(&poolAddrs, "pools", defaultPoolAddrs, "Comma separated list of relay pool addresses to join")
+	flag.StringVar(&providedBy, "provided-by", "", "An optional description about who provides the relay")
+	flag.StringVar(&extAddress, "ext-address", "", "An optional address to advertising as being available on.\n\tAllows listening on an unprivileged port with port forwarding from e.g. 443, and be connected to on port 443.")
+
+	flag.Parse()
+
+	if extAddress == "" {
+		extAddress = listen
+	}
+
+	addr, err := net.ResolveTCPAddr("tcp", extAddress)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	log.Println(LongVersion)
+
+	maxDescriptors, err := osutil.MaximizeOpenFileLimit()
+	if maxDescriptors > 0 {
+		// Assume that 20% of FD's are leaked/unaccounted for.
+		descriptorLimit = int64(maxDescriptors*80) / 100
+		log.Println("Connection limit", descriptorLimit)
+
+		go monitorLimits()
+	} else if err != nil && runtime.GOOS != "windows" {
+		log.Println("Assuming no connection limit, due to error retrievign rlimits:", err)
+	}
+
+	sessionAddress = addr.IP[:]
+	sessionPort = uint16(addr.Port)
+
+	certFile, keyFile := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		log.Println("Failed to load keypair. Generating one, this might take a while...")
+		cert, err = tlsutil.NewCertificate(certFile, keyFile, "relaysrv", 3072)
+		if err != nil {
+			log.Fatalln("Failed to generate X509 key pair:", err)
+		}
+	}
+
+	tlsCfg := &tls.Config{
+		Certificates:           []tls.Certificate{cert},
+		NextProtos:             []string{protocol.ProtocolName},
+		ClientAuth:             tls.RequestClientCert,
+		SessionTicketsDisabled: true,
+		InsecureSkipVerify:     true,
+		MinVersion:             tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		},
+	}
+
+	id := syncthingprotocol.NewDeviceID(cert.Certificate[0])
+	if debug {
+		log.Println("ID:", id)
+	}
+
+	if sessionLimitBps > 0 {
+		sessionLimiter = ratelimit.NewBucketWithRate(float64(sessionLimitBps), int64(2*sessionLimitBps))
+	}
+	if globalLimitBps > 0 {
+		globalLimiter = ratelimit.NewBucketWithRate(float64(globalLimitBps), int64(2*globalLimitBps))
+	}
+
+	if statusAddr != "" {
+		go statusService(statusAddr)
+	}
+
+	uri, err := url.Parse(fmt.Sprintf("relay://%s/?id=%s&pingInterval=%s&networkTimeout=%s&sessionLimitBps=%d&globalLimitBps=%d&statusAddr=%s&providedBy=%s", extAddress, id, pingInterval, networkTimeout, sessionLimitBps, globalLimitBps, statusAddr, providedBy))
+	if err != nil {
+		log.Fatalln("Failed to construct URI", err)
+	}
+
+	log.Println("URI:", uri.String())
+
+	if poolAddrs == defaultPoolAddrs {
+		log.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+		log.Println("!!  Joining default relay pools, this relay will be available for public use. !!")
+		log.Println(`!!      Use the -pools="" command line option to make the relay private.      !!`)
+		log.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+	}
+
+	pools = strings.Split(poolAddrs, ",")
+	for _, pool := range pools {
+		pool = strings.TrimSpace(pool)
+		if len(pool) > 0 {
+			go poolHandler(pool, uri)
+		}
+	}
+
+	go listener(listen, tlsCfg)
+
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+	<-sigs
+
+	// Gracefully close all connections, hoping that clients will be faster
+	// to realize that the relay is now gone.
+
+	sessionMut.RLock()
+	for _, session := range activeSessions {
+		session.CloseConns()
+	}
+
+	for _, session := range pendingSessions {
+		session.CloseConns()
+	}
+	sessionMut.RUnlock()
+
+	outboxesMut.RLock()
+	for _, outbox := range outboxes {
+		close(outbox)
+	}
+	outboxesMut.RUnlock()
+
+	time.Sleep(500 * time.Millisecond)
+}
+
+func monitorLimits() {
+	limitCheckTimer = time.NewTimer(time.Minute)
+	for _ = range limitCheckTimer.C {
+		if atomic.LoadInt64(&numConnections)+atomic.LoadInt64(&numProxies) > descriptorLimit {
+			atomic.StoreInt32(&overLimit, 1)
+			log.Println("Gone past our connection limits. Starting to refuse new/drop idle connections.")
+		} else if atomic.CompareAndSwapInt32(&overLimit, 1, 0) {
+			log.Println("Dropped below our connection limits. Accepting new connections.")
+		}
+		limitCheckTimer.Reset(time.Minute)
+	}
+}
--- a/cmd/relaysrv/pool.go
+++ b/cmd/relaysrv/pool.go
@@ -0,0 +1,63 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+func poolHandler(pool string, uri *url.URL) {
+	if debug {
+		log.Println("Joining", pool)
+	}
+	for {
+		var b bytes.Buffer
+		json.NewEncoder(&b).Encode(struct {
+			URL string `json:"url"`
+		}{
+			uri.String(),
+		})
+
+		resp, err := http.Post(pool, "application/json", &b)
+		if err != nil {
+			log.Println("Error joining pool", pool, err)
+		} else if resp.StatusCode == 500 {
+			bs, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				log.Println("Failed to join", pool, "due to an internal server error. Could not read response:", err)
+			} else {
+				log.Println("Failed to join", pool, "due to an internal server error:", string(bs))
+			}
+			resp.Body.Close()
+		} else if resp.StatusCode == 429 {
+			log.Println(pool, "under load, will retry in a minute")
+			time.Sleep(time.Minute)
+			continue
+		} else if resp.StatusCode == 403 {
+			log.Println(pool, "failed to join due to IP address not matching external address. Aborting")
+			return
+		} else if resp.StatusCode == 200 {
+			var x struct {
+				EvictionIn time.Duration `json:"evictionIn"`
+			}
+			err := json.NewDecoder(resp.Body).Decode(&x)
+			if err == nil {
+				rejoin := x.EvictionIn - (x.EvictionIn / 5)
+				log.Println("Joined", pool, "rejoining in", rejoin)
+				time.Sleep(rejoin)
+				continue
+			} else {
+				log.Println("Failed to deserialize response", err)
+			}
+		} else {
+			log.Println(pool, "unknown response type from server", resp.StatusCode)
+		}
+		time.Sleep(time.Hour)
+	}
+}
--- a/cmd/relaysrv/session.go
+++ b/cmd/relaysrv/session.go
@@ -0,0 +1,326 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"net"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/juju/ratelimit"
+	"github.com/syncthing/syncthing/lib/relay/protocol"
+
+	syncthingprotocol "github.com/syncthing/syncthing/lib/protocol"
+)
+
+var (
+	sessionMut      = sync.RWMutex{}
+	activeSessions  = make([]*session, 0)
+	pendingSessions = make(map[string]*session, 0)
+	numProxies      int64
+	bytesProxied    int64
+)
+
+func newSession(serverid, clientid syncthingprotocol.DeviceID, sessionRateLimit, globalRateLimit *ratelimit.Bucket) *session {
+	serverkey := make([]byte, 32)
+	_, err := rand.Read(serverkey)
+	if err != nil {
+		return nil
+	}
+
+	clientkey := make([]byte, 32)
+	_, err = rand.Read(clientkey)
+	if err != nil {
+		return nil
+	}
+
+	ses := &session{
+		serverkey: serverkey,
+		serverid:  serverid,
+		clientkey: clientkey,
+		clientid:  clientid,
+		rateLimit: makeRateLimitFunc(sessionRateLimit, globalRateLimit),
+		connsChan: make(chan net.Conn),
+		conns:     make([]net.Conn, 0, 2),
+	}
+
+	if debug {
+		log.Println("New session", ses)
+	}
+
+	sessionMut.Lock()
+	pendingSessions[string(ses.serverkey)] = ses
+	pendingSessions[string(ses.clientkey)] = ses
+	sessionMut.Unlock()
+
+	return ses
+}
+
+func findSession(key string) *session {
+	sessionMut.Lock()
+	defer sessionMut.Unlock()
+	ses, ok := pendingSessions[key]
+	if !ok {
+		return nil
+
+	}
+	delete(pendingSessions, key)
+	return ses
+}
+
+func dropSessions(id syncthingprotocol.DeviceID) {
+	sessionMut.RLock()
+	for _, session := range activeSessions {
+		if session.HasParticipant(id) {
+			if debug {
+				log.Println("Dropping session", session, "involving", id)
+			}
+			session.CloseConns()
+		}
+	}
+	sessionMut.RUnlock()
+}
+
+func hasSessions(id syncthingprotocol.DeviceID) bool {
+	sessionMut.RLock()
+	has := false
+	for _, session := range activeSessions {
+		if session.HasParticipant(id) {
+			has = true
+			break
+		}
+	}
+	sessionMut.RUnlock()
+	return has
+}
+
+type session struct {
+	mut sync.Mutex
+
+	serverkey []byte
+	serverid  syncthingprotocol.DeviceID
+
+	clientkey []byte
+	clientid  syncthingprotocol.DeviceID
+
+	rateLimit func(bytes int64)
+
+	connsChan chan net.Conn
+	conns     []net.Conn
+}
+
+func (s *session) AddConnection(conn net.Conn) bool {
+	if debug {
+		log.Println("New connection for", s, "from", conn.RemoteAddr())
+	}
+
+	select {
+	case s.connsChan <- conn:
+		return true
+	default:
+	}
+	return false
+}
+
+func (s *session) Serve() {
+	timedout := time.After(messageTimeout)
+
+	if debug {
+		log.Println("Session", s, "serving")
+	}
+
+	for {
+		select {
+		case conn := <-s.connsChan:
+			s.mut.Lock()
+			s.conns = append(s.conns, conn)
+			s.mut.Unlock()
+			// We're the only ones mutating s.conns, hence we are free to read it.
+			if len(s.conns) < 2 {
+				continue
+			}
+
+			close(s.connsChan)
+
+			if debug {
+				log.Println("Session", s, "starting between", s.conns[0].RemoteAddr(), "and", s.conns[1].RemoteAddr())
+			}
+
+			wg := sync.WaitGroup{}
+			wg.Add(2)
+
+			var err0 error
+			go func() {
+				err0 = s.proxy(s.conns[0], s.conns[1])
+				wg.Done()
+			}()
+
+			var err1 error
+			go func() {
+				err1 = s.proxy(s.conns[1], s.conns[0])
+				wg.Done()
+			}()
+
+			sessionMut.Lock()
+			activeSessions = append(activeSessions, s)
+			sessionMut.Unlock()
+
+			wg.Wait()
+
+			if debug {
+				log.Println("Session", s, "ended, outcomes:", err0, "and", err1)
+			}
+			goto done
+
+		case <-timedout:
+			if debug {
+				log.Println("Session", s, "timed out")
+			}
+			goto done
+		}
+	}
+done:
+	// We can end up here in 3 cases:
+	// 1. Timeout joining, in which case there are potentially entries in pendingSessions
+	// 2. General session end/timeout, in which case there are entries in activeSessions
+	// 3. Protocol handler calls dropSession as one of it's clients disconnects.
+
+	sessionMut.Lock()
+	delete(pendingSessions, string(s.serverkey))
+	delete(pendingSessions, string(s.clientkey))
+
+	for i, session := range activeSessions {
+		if session == s {
+			l := len(activeSessions) - 1
+			activeSessions[i] = activeSessions[l]
+			activeSessions[l] = nil
+			activeSessions = activeSessions[:l]
+		}
+	}
+	sessionMut.Unlock()
+
+	// If we are here because of case 2 or 3, we are potentially closing some or
+	// all connections a second time.
+	s.CloseConns()
+
+	if debug {
+		log.Println("Session", s, "stopping")
+	}
+}
+
+func (s *session) GetClientInvitationMessage() protocol.SessionInvitation {
+	return protocol.SessionInvitation{
+		From:         s.serverid[:],
+		Key:          []byte(s.clientkey),
+		Address:      sessionAddress,
+		Port:         sessionPort,
+		ServerSocket: false,
+	}
+}
+
+func (s *session) GetServerInvitationMessage() protocol.SessionInvitation {
+	return protocol.SessionInvitation{
+		From:         s.clientid[:],
+		Key:          []byte(s.serverkey),
+		Address:      sessionAddress,
+		Port:         sessionPort,
+		ServerSocket: true,
+	}
+}
+
+func (s *session) HasParticipant(id syncthingprotocol.DeviceID) bool {
+	return s.clientid == id || s.serverid == id
+}
+
+func (s *session) CloseConns() {
+	s.mut.Lock()
+	for _, conn := range s.conns {
+		conn.Close()
+	}
+	s.mut.Unlock()
+}
+
+func (s *session) proxy(c1, c2 net.Conn) error {
+	if debug {
+		log.Println("Proxy", c1.RemoteAddr(), "->", c2.RemoteAddr())
+	}
+
+	atomic.AddInt64(&numProxies, 1)
+	defer atomic.AddInt64(&numProxies, -1)
+
+	buf := make([]byte, 65536)
+	for {
+		c1.SetReadDeadline(time.Now().Add(networkTimeout))
+		n, err := c1.Read(buf)
+		if err != nil {
+			return err
+		}
+
+		atomic.AddInt64(&bytesProxied, int64(n))
+
+		if debug {
+			log.Printf("%d bytes from %s to %s", n, c1.RemoteAddr(), c2.RemoteAddr())
+		}
+
+		if s.rateLimit != nil {
+			s.rateLimit(int64(n))
+		}
+
+		c2.SetWriteDeadline(time.Now().Add(networkTimeout))
+		_, err = c2.Write(buf[:n])
+		if err != nil {
+			return err
+		}
+	}
+}
+
+func (s *session) String() string {
+	return fmt.Sprintf("<%s/%s>", hex.EncodeToString(s.clientkey)[:5], hex.EncodeToString(s.serverkey)[:5])
+}
+
+func makeRateLimitFunc(sessionRateLimit, globalRateLimit *ratelimit.Bucket) func(int64) {
+	// This may be a case of super duper premature optimization... We build an
+	// optimized function to do the rate limiting here based on what we need
+	// to do and then use it in the loop.
+
+	if sessionRateLimit == nil && globalRateLimit == nil {
+		// No limiting needed. We could equally well return a func(int64){} and
+		// not do a nil check were we use it, but I think the nil check there
+		// makes it clear that there will be no limiting if none is
+		// configured...
+		return nil
+	}
+
+	if sessionRateLimit == nil {
+		// We only have a global limiter
+		return func(bytes int64) {
+			globalRateLimit.Wait(bytes)
+		}
+	}
+
+	if globalRateLimit == nil {
+		// We only have a session limiter
+		return func(bytes int64) {
+			sessionRateLimit.Wait(bytes)
+		}
+	}
+
+	// We have both. Queue the bytes on both the global and session specific
+	// rate limiters. Wait for both in parallell, so that the actual send
+	// happens when both conditions are satisfied. In practice this just means
+	// wait the longer of the two times.
+	return func(bytes int64) {
+		t0 := sessionRateLimit.Take(bytes)
+		t1 := globalRateLimit.Take(bytes)
+		if t0 > t1 {
+			time.Sleep(t0)
+		} else {
+			time.Sleep(t1)
+		}
+	}
+}
--- a/cmd/relaysrv/status.go
+++ b/cmd/relaysrv/status.go
@@ -0,0 +1,111 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"runtime"
+	"sync/atomic"
+	"time"
+)
+
+var rc *rateCalculator
+
+func statusService(addr string) {
+	rc = newRateCalculator(360, 10*time.Second, &bytesProxied)
+
+	http.HandleFunc("/status", getStatus)
+	if err := http.ListenAndServe(addr, nil); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func getStatus(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	status := make(map[string]interface{})
+
+	sessionMut.Lock()
+	// This can potentially be double the number of pending sessions, as each session has two keys, one for each side.
+	status["startTime"] = rc.startTime
+	status["uptimeSeconds"] = time.Since(rc.startTime) / time.Second
+	status["numPendingSessionKeys"] = len(pendingSessions)
+	status["numActiveSessions"] = len(activeSessions)
+	sessionMut.Unlock()
+	status["numConnections"] = atomic.LoadInt64(&numConnections)
+	status["numProxies"] = atomic.LoadInt64(&numProxies)
+	status["bytesProxied"] = atomic.LoadInt64(&bytesProxied)
+	status["goVersion"] = runtime.Version()
+	status["goOS"] = runtime.GOOS
+	status["goArch"] = runtime.GOARCH
+	status["goMaxProcs"] = runtime.GOMAXPROCS(-1)
+	status["goNumRoutine"] = runtime.NumGoroutine()
+	status["kbps10s1m5m15m30m60m"] = []int64{
+		rc.rate(10/10) * 8 / 1000,
+		rc.rate(60/10) * 8 / 1000,
+		rc.rate(5*60/10) * 8 / 1000,
+		rc.rate(15*60/10) * 8 / 1000,
+		rc.rate(30*60/10) * 8 / 1000,
+		rc.rate(60*60/10) * 8 / 1000,
+	}
+	status["options"] = map[string]interface{}{
+		"network-timeout":  networkTimeout / time.Second,
+		"ping-interval":    pingInterval / time.Second,
+		"message-timeout":  messageTimeout / time.Second,
+		"per-session-rate": sessionLimitBps,
+		"global-rate":      globalLimitBps,
+		"pools":            pools,
+		"provided-by":      providedBy,
+	}
+
+	bs, err := json.MarshalIndent(status, "", "    ")
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(bs)
+}
+
+type rateCalculator struct {
+	rates     []int64
+	prev      int64
+	counter   *int64
+	startTime time.Time
+}
+
+func newRateCalculator(keepIntervals int, interval time.Duration, counter *int64) *rateCalculator {
+	r := &rateCalculator{
+		rates:     make([]int64, keepIntervals),
+		counter:   counter,
+		startTime: time.Now(),
+	}
+
+	go r.updateRates(interval)
+
+	return r
+}
+
+func (r *rateCalculator) updateRates(interval time.Duration) {
+	for {
+		now := time.Now()
+		next := now.Truncate(interval).Add(interval)
+		time.Sleep(next.Sub(now))
+
+		cur := atomic.LoadInt64(r.counter)
+		rate := int64(float64(cur-r.prev) / interval.Seconds())
+		copy(r.rates[1:], r.rates)
+		r.rates[0] = rate
+		r.prev = cur
+	}
+}
+
+func (r *rateCalculator) rate(periods int) int64 {
+	var tot int64
+	for i := 0; i < periods; i++ {
+		tot += r.rates[i]
+	}
+	return tot / int64(periods)
+}
--- a/cmd/relaysrv/testutil/main.go
+++ b/cmd/relaysrv/testutil/main.go
@@ -0,0 +1,152 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors (see the CONTRIBUTORS file).
+
+package main
+
+import (
+	"bufio"
+	"crypto/tls"
+	"flag"
+	"log"
+	"net"
+	"net/url"
+	"os"
+	"path/filepath"
+	"time"
+
+	syncthingprotocol "github.com/syncthing/syncthing/lib/protocol"
+	"github.com/syncthing/syncthing/lib/relay/client"
+	"github.com/syncthing/syncthing/lib/relay/protocol"
+)
+
+func main() {
+	log.SetOutput(os.Stdout)
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+
+	var connect, relay, dir string
+	var join, test bool
+
+	flag.StringVar(&connect, "connect", "", "Device ID to which to connect to")
+	flag.BoolVar(&join, "join", false, "Join relay")
+	flag.BoolVar(&test, "test", false, "Generic relay test")
+	flag.StringVar(&relay, "relay", "relay://127.0.0.1:22067", "Relay address")
+	flag.StringVar(&dir, "keys", ".", "Directory where cert.pem and key.pem is stored")
+
+	flag.Parse()
+
+	certFile, keyFile := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		log.Fatalln("Failed to load X509 key pair:", err)
+	}
+
+	id := syncthingprotocol.NewDeviceID(cert.Certificate[0])
+	log.Println("ID:", id)
+
+	uri, err := url.Parse(relay)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	stdin := make(chan string)
+
+	go stdinReader(stdin)
+
+	if join {
+		log.Println("Creating client")
+		relay, err := client.NewClient(uri, []tls.Certificate{cert}, nil, 10*time.Second)
+		if err != nil {
+			log.Fatal(err)
+		}
+		log.Println("Created client")
+
+		go relay.Serve()
+
+		recv := make(chan protocol.SessionInvitation)
+
+		go func() {
+			log.Println("Starting invitation receiver")
+			for invite := range relay.Invitations() {
+				select {
+				case recv <- invite:
+					log.Println("Received invitation", invite)
+				default:
+					log.Println("Discarding invitation", invite)
+				}
+			}
+		}()
+
+		for {
+			conn, err := client.JoinSession(<-recv)
+			if err != nil {
+				log.Fatalln("Failed to join", err)
+			}
+			log.Println("Joined", conn.RemoteAddr(), conn.LocalAddr())
+			connectToStdio(stdin, conn)
+			log.Println("Finished", conn.RemoteAddr(), conn.LocalAddr())
+		}
+	} else if connect != "" {
+		id, err := syncthingprotocol.DeviceIDFromString(connect)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		invite, err := client.GetInvitationFromRelay(uri, id, []tls.Certificate{cert}, 10*time.Second)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		log.Println("Received invitation", invite)
+		conn, err := client.JoinSession(invite)
+		if err != nil {
+			log.Fatalln("Failed to join", err)
+		}
+		log.Println("Joined", conn.RemoteAddr(), conn.LocalAddr())
+		connectToStdio(stdin, conn)
+		log.Println("Finished", conn.RemoteAddr(), conn.LocalAddr())
+	} else if test {
+		if client.TestRelay(uri, []tls.Certificate{cert}, time.Second, 2*time.Second, 4) {
+			log.Println("OK")
+		} else {
+			log.Println("FAIL")
+		}
+	} else {
+		log.Fatal("Requires either join or connect")
+	}
+}
+
+func stdinReader(c chan<- string) {
+	scanner := bufio.NewScanner(os.Stdin)
+	for scanner.Scan() {
+		c <- scanner.Text()
+		c <- "\n"
+	}
+}
+
+func connectToStdio(stdin <-chan string, conn net.Conn) {
+	go func() {
+
+	}()
+
+	buf := make([]byte, 1024)
+	for {
+		conn.SetReadDeadline(time.Now().Add(time.Millisecond))
+		n, err := conn.Read(buf[0:])
+		if err != nil {
+			nerr, ok := err.(net.Error)
+			if !ok || !nerr.Timeout() {
+				log.Println(err)
+				return
+			}
+		}
+		os.Stdout.Write(buf[:n])
+
+		select {
+		case msg := <-stdin:
+			_, err := conn.Write([]byte(msg))
+			if err != nil {
+				return
+			}
+		default:
+		}
+	}
+}
--- a/cmd/relaysrv/utils.go
+++ b/cmd/relaysrv/utils.go
@@ -0,0 +1,28 @@
+// Copyright (C) 2015 Audrius Butkevicius and Contributors.
+
+package main
+
+import (
+	"errors"
+	"net"
+)
+
+func setTCPOptions(conn net.Conn) error {
+	tcpConn, ok := conn.(*net.TCPConn)
+	if !ok {
+		return errors.New("Not a TCP connection")
+	}
+	if err := tcpConn.SetLinger(0); err != nil {
+		return err
+	}
+	if err := tcpConn.SetNoDelay(true); err != nil {
+		return err
+	}
+	if err := tcpConn.SetKeepAlivePeriod(networkTimeout); err != nil {
+		return err
+	}
+	if err := tcpConn.SetKeepAlive(true); err != nil {
+		return err
+	}
+	return nil
+}
--- a/cmd/stbench/main.go
+++ b/cmd/stbench/main.go
@@ -0,0 +1,143 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// This doesn't build on Windows due to the Rusage stuff.
+
+// +build !windows
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"runtime"
+	"syscall"
+	"time"
+
+	"github.com/syncthing/syncthing/lib/rc"
+)
+
+var homeDir = "h1"
+var syncthingBin = "./bin/syncthing"
+var test = "scan"
+
+func main() {
+	flag.StringVar(&homeDir, "home", homeDir, "Home directory location")
+	flag.StringVar(&syncthingBin, "bin", syncthingBin, "Binary location")
+	flag.StringVar(&test, "test", test, "Test to run")
+	flag.Parse()
+
+	switch test {
+	case "scan":
+		// scan measures the resource usage required to perform the initial
+		// scan, without cleaning away the database first.
+		testScan()
+	}
+}
+
+// testScan starts a process and reports on the resource usage required to
+// perform the initial scan.
+func testScan() {
+	log.Println("Starting...")
+	p := rc.NewProcess("127.0.0.1:8081")
+	if err := p.Start(syncthingBin, "-home", homeDir, "-no-browser"); err != nil {
+		log.Println(err)
+		return
+	}
+	defer p.Stop()
+
+	wallTime := awaitScanComplete(p)
+
+	report(p, wallTime)
+}
+
+// awaitScanComplete waits for a folder to transition idle->scanning and
+// then scanning->idle and returns the time taken for the scan.
+func awaitScanComplete(p *rc.Process) time.Duration {
+	log.Println("Awaiting scan completion...")
+	var t0, t1 time.Time
+	lastEvent := 0
+loop:
+	for {
+		evs, err := p.Events(lastEvent)
+		if err != nil {
+			continue
+		}
+
+		for _, ev := range evs {
+			if ev.Type == "StateChanged" {
+				data := ev.Data.(map[string]interface{})
+				log.Println(ev)
+
+				if data["to"].(string) == "scanning" {
+					t0 = ev.Time
+					continue
+				}
+
+				if !t0.IsZero() && data["to"].(string) == "idle" {
+					t1 = ev.Time
+					break loop
+				}
+			}
+			lastEvent = ev.ID
+		}
+
+		time.Sleep(250 * time.Millisecond)
+	}
+
+	return t1.Sub(t0)
+}
+
+// report stops the given process and reports on it's resource usage in two
+// ways: human readable to stderr, and CSV to stdout.
+func report(p *rc.Process, wallTime time.Duration) {
+	sv, err := p.SystemVersion()
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	ss, err := p.SystemStatus()
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	proc, err := p.Stop()
+	if err != nil {
+		return
+	}
+
+	rusage, ok := proc.SysUsage().(*syscall.Rusage)
+	if !ok {
+		return
+	}
+
+	log.Println("Version:", sv.Version)
+	log.Println("Alloc:", ss.Alloc/1024, "KiB")
+	log.Println("Sys:", ss.Sys/1024, "KiB")
+	log.Println("Goroutines:", ss.Goroutines)
+	log.Println("Wall time:", wallTime)
+	log.Println("Utime:", time.Duration(rusage.Utime.Nano()))
+	log.Println("Stime:", time.Duration(rusage.Stime.Nano()))
+	if runtime.GOOS == "darwin" {
+		// Darwin reports in bytes, Linux seems to report in KiB even
+		// though the manpage says otherwise.
+		rusage.Maxrss /= 1024
+	}
+	log.Println("MaxRSS:", rusage.Maxrss, "KiB")
+
+	fmt.Printf("%s,%d,%d,%d,%.02f,%.02f,%.02f,%d\n",
+		sv.Version,
+		ss.Alloc/1024,
+		ss.Sys/1024,
+		ss.Goroutines,
+		wallTime.Seconds(),
+		time.Duration(rusage.Utime.Nano()).Seconds(),
+		time.Duration(rusage.Stime.Nano()).Seconds(),
+		rusage.Maxrss)
+}
--- a/cmd/stdisco/main.go
+++ b/cmd/stdisco/main.go
@@ -0,0 +1,126 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"bytes"
+	"crypto/rand"
+	"flag"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/syncthing/syncthing/lib/beacon"
+	"github.com/syncthing/syncthing/lib/discover"
+	"github.com/syncthing/syncthing/lib/protocol"
+)
+
+var (
+	all  = false // print all packets, not just first from each device/source
+	fake = false // send fake packets to lure out other devices faster
+	mc   = "[ff12::8384]:21027"
+	bc   = 21027
+)
+
+var (
+	// Static prefix that we use when generating fake device IDs, so that we
+	// can recognize them ourselves. Also makes the device ID start with
+	// "STPROBE-" which is humanly recognizable.
+	randomPrefix = []byte{148, 223, 23, 4, 148}
+
+	// Our random, fake, device ID that we use when sending announcements.
+	myID = randomDeviceID()
+)
+
+func main() {
+	flag.BoolVar(&all, "all", all, "Print all received announcements (not only first)")
+	flag.BoolVar(&fake, "fake", fake, "Send fake announcements")
+	flag.StringVar(&mc, "mc", mc, "IPv6 multicast address")
+	flag.IntVar(&bc, "bc", bc, "IPv4 broadcast port number")
+	flag.Parse()
+
+	if fake {
+		log.Println("My ID:", protocol.DeviceIDFromBytes(myID))
+	}
+
+	runbeacon(beacon.NewMulticast(mc), fake)
+	runbeacon(beacon.NewBroadcast(bc), fake)
+
+	select {}
+}
+
+func runbeacon(bc beacon.Interface, fake bool) {
+	go bc.Serve()
+	go recv(bc)
+	if fake {
+		go send(bc)
+	}
+}
+
+// receives and prints discovery announcements
+func recv(bc beacon.Interface) {
+	seen := make(map[string]bool)
+	for {
+		data, src := bc.Recv()
+		var ann discover.Announce
+		ann.UnmarshalXDR(data)
+
+		if bytes.Equal(ann.This.ID, myID) {
+			// This is one of our own fake packets, don't print it.
+			continue
+		}
+
+		// Print announcement details for the first packet from a given
+		// device ID and source address, or if -all was given.
+		key := string(ann.This.ID) + src.String()
+		if all || !seen[key] {
+			log.Printf("Announcement from %v\n", src)
+			log.Printf(" %v at %s\n", protocol.DeviceIDFromBytes(ann.This.ID), strings.Join(addrStrs(ann.This), ", "))
+
+			for _, dev := range ann.Extra {
+				log.Printf(" %v at %s\n", protocol.DeviceIDFromBytes(dev.ID), strings.Join(addrStrs(dev), ", "))
+			}
+			seen[key] = true
+		}
+	}
+}
+
+// sends fake discovery announcements once every second
+func send(bc beacon.Interface) {
+	ann := discover.Announce{
+		Magic: discover.AnnouncementMagic,
+		This: discover.Device{
+			ID: myID,
+			Addresses: []discover.Address{
+				{URL: "tcp://fake.example.com:12345"},
+			},
+		},
+	}
+	bs, _ := ann.MarshalXDR()
+
+	for {
+		bc.Send(bs)
+		time.Sleep(time.Second)
+	}
+}
+
+// returns the list of address URLs
+func addrStrs(dev discover.Device) []string {
+	ss := make([]string, len(dev.Addresses))
+	for i, addr := range dev.Addresses {
+		ss[i] = addr.URL
+	}
+	return ss
+}
+
+// returns a random but recognizable device ID
+func randomDeviceID() []byte {
+	var id [32]byte
+	copy(id[:], randomPrefix)
+	rand.Read(id[len(randomPrefix):])
+	return id[:]
+}
--- a/cmd/stfinddevice/main.go
+++ b/cmd/stfinddevice/main.go
@@ -49,9 +49,8 @@ func main() {
 }

 type checkResult struct {
-	server string
-	direct []string
-	relays []discover.Relay
+	server    string
+	addresses []string
 	error
 }

@@ -76,17 +75,14 @@ func checkServers(deviceID protocol.DeviceID, servers ...string) {
 		if res.error != nil {
 			fmt.Println("  " + res.error.Error())
 		}
-		for _, addr := range res.direct {
+		for _, addr := range res.addresses {
 			fmt.Println("  address:", addr)
 		}
-		for _, rel := range res.relays {
-			fmt.Printf("  relay: %s (%d ms)\n", rel.URL, rel.Latency)
-		}
 	}
 }

 func checkServer(deviceID protocol.DeviceID, server string) checkResult {
-	disco, err := discover.NewGlobal(server, tls.Certificate{}, nil, nil)
+	disco, err := discover.NewGlobal(server, tls.Certificate{}, nil)
 	if err != nil {
 		return checkResult{error: err}
 	}
@@ -98,8 +94,8 @@ func checkServer(deviceID protocol.DeviceID, server string) checkResult {
 	})

 	go func() {
-		direct, relays, err := disco.Lookup(deviceID)
-		res <- checkResult{direct: direct, relays: relays, error: err}
+		addresses, err := disco.Lookup(deviceID)
+		res <- checkResult{addresses: addresses, error: err}
 	}()

 	return <-res
--- a/cmd/stgenfiles/main.go
+++ b/cmd/stgenfiles/main.go
@@ -0,0 +1,124 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"math/rand"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+func main() {
+	dir := flag.String("dir", "~/files", "Directory to generate into")
+	files := flag.Int("files", 1000, "Number of files to create")
+	maxExp := flag.Int("maxexp", 20, "Max size exponent")
+	src := flag.String("src", "/dev/urandom", "Source of file data")
+	flag.Parse()
+	if err := generateFiles(*dir, *files, *maxExp, *src); err != nil {
+		log.Println(err)
+	}
+}
+
+func generateFiles(dir string, files, maxexp int, srcname string) error {
+	fd, err := os.Open(srcname)
+	if err != nil {
+		return err
+	}
+
+	for i := 0; i < files; i++ {
+		n := randomName()
+
+		if rand.Float64() < 0.05 {
+			// Some files and directories are dotfiles
+			n = "." + n
+		}
+
+		p0 := filepath.Join(dir, string(n[0]), n[0:2])
+		err = os.MkdirAll(p0, 0755)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		p1 := filepath.Join(p0, n)
+
+		s := int64(1 << uint(rand.Intn(maxexp)))
+		a := int64(128 * 1024)
+		if a > s {
+			a = s
+		}
+		s += rand.Int63n(a)
+
+		if err := generateOneFile(fd, p1, s); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func generateOneFile(fd io.ReadSeeker, p1 string, s int64) error {
+	src := io.LimitReader(&inifiteReader{fd}, int64(s))
+	dst, err := os.Create(p1)
+	if err != nil {
+		return err
+	}
+
+	_, err = io.Copy(dst, src)
+	if err != nil {
+		return err
+	}
+
+	err = dst.Close()
+	if err != nil {
+		return err
+	}
+
+	_ = os.Chmod(p1, os.FileMode(rand.Intn(0777)|0400))
+
+	t := time.Now().Add(-time.Duration(rand.Intn(30*86400)) * time.Second)
+	err = os.Chtimes(p1, t, t)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func randomName() string {
+	var b [16]byte
+	readRand(b[:])
+	return fmt.Sprintf("%x", b[:])
+}
+
+func readRand(bs []byte) (int, error) {
+	var r uint32
+	for i := range bs {
+		if i%4 == 0 {
+			r = uint32(rand.Int63())
+		}
+		bs[i] = byte(r >> uint((i%4)*8))
+	}
+	return len(bs), nil
+}
+
+type inifiteReader struct {
+	rd io.ReadSeeker
+}
+
+func (i *inifiteReader) Read(bs []byte) (int, error) {
+	n, err := i.rd.Read(bs)
+	if err == io.EOF {
+		err = nil
+		i.rd.Seek(0, 0)
+	}
+	return n, err
+}
--- a/cmd/stindex/dump.go
+++ b/cmd/stindex/dump.go
@@ -39,7 +39,9 @@ func dump(ldb *leveldb.DB) {
 		case db.KeyTypeGlobal:
 			folder := nulString(key[1 : 1+64])
 			name := nulString(key[1+64:])
-			fmt.Printf("[global] F:%q N:%q V:%x\n", folder, name, it.Value())
+			var flv db.VersionList
+			flv.UnmarshalXDR(it.Value())
+			fmt.Printf("[global] F:%q N:%q V: %s\n", folder, name, flv)

 		case db.KeyTypeBlock:
 			folder := nulString(key[1 : 1+64])
--- a/cmd/stindex/dumpsize.go
+++ b/cmd/stindex/dumpsize.go
@@ -15,7 +15,6 @@ import (
 	"github.com/syndtr/goleveldb/leveldb"
 )

-// An IntHeap is a min-heap of ints.
 type SizedElement struct {
 	key  string
 	size int
--- a/cmd/stsigtool/main.go
+++ b/cmd/stsigtool/main.go
@@ -8,6 +8,7 @@ package main

 import (
 	"flag"
+	"io"
 	"io/ioutil"
 	"log"
 	"os"
@@ -31,7 +32,7 @@ Where command is one of:
 	gen
 		- generate a new key pair

-	sign <privkeyfile> <datafile>
+	sign <privkeyfile> [datafile]
 		- sign a file

 	verify <signaturefile> <datafile>
@@ -72,13 +73,19 @@ func sign(keyname, dataname string) {
 		log.Fatal(err)
 	}

-	fd, err := os.Open(dataname)
-	if err != nil {
-		log.Fatal(err)
+	var input io.Reader
+	if dataname == "-" || dataname == "" {
+		input = os.Stdin
+	} else {
+		fd, err := os.Open(dataname)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer fd.Close()
+		input = fd
 	}
-	defer fd.Close()

-	sig, err := signature.Sign(privkey, fd)
+	sig, err := signature.Sign(privkey, input)
 	if err != nil {
 		log.Fatal(err)
 	}
--- a/cmd/stvanity/main.go
+++ b/cmd/stvanity/main.go
@@ -0,0 +1,212 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"math/big"
+	mr "math/rand"
+	"os"
+	"runtime"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/syncthing/syncthing/lib/protocol"
+)
+
+type result struct {
+	id       protocol.DeviceID
+	priv     *ecdsa.PrivateKey
+	derBytes []byte
+}
+
+func main() {
+	flag.Parse()
+	prefix := strings.ToUpper(strings.Replace(flag.Arg(0), "-", "", -1))
+	if len(prefix) > 7 {
+		prefix = prefix[:7] + "-" + prefix[7:]
+	}
+
+	found := make(chan result)
+	stop := make(chan struct{})
+	var count int64
+
+	// Print periodic progress reports.
+	go printProgress(prefix, &count)
+
+	// Run one certificate generator per CPU core.
+	var wg sync.WaitGroup
+	for i := 0; i < runtime.GOMAXPROCS(-1); i++ {
+		wg.Add(1)
+		go func() {
+			generatePrefixed(prefix, &count, found, stop)
+			wg.Done()
+		}()
+	}
+
+	// Save the result, when one has been found.
+	res := <-found
+	close(stop)
+	wg.Wait()
+
+	fmt.Println("Found", res.id)
+	saveCert(res.priv, res.derBytes)
+	fmt.Println("Saved to cert.pem, key.pem")
+}
+
+// Try certificates until one is found that has the prefix at the start of
+// the resulting device ID. Increments count atomically, sends the result to
+// found, returns when stop is closed.
+func generatePrefixed(prefix string, count *int64, found chan<- result, stop <-chan struct{}) {
+	notBefore := time.Now()
+	notAfter := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
+
+	template := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(mr.Int63()),
+		Subject: pkix.Name{
+			CommonName: "syncthing",
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+
+	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	for {
+		select {
+		case <-stop:
+			return
+		default:
+		}
+
+		derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		id := protocol.NewDeviceID(derBytes)
+		atomic.AddInt64(count, 1)
+
+		if strings.HasPrefix(id.String(), prefix) {
+			select {
+			case found <- result{id, priv, derBytes}:
+			case <-stop:
+			}
+			return
+		}
+	}
+}
+
+func printProgress(prefix string, count *int64) {
+	started := time.Now()
+	wantBits := 5 * len(prefix)
+	if wantBits > 63 {
+		fmt.Printf("Want %d bits for prefix %q, refusing to boil the ocean.\n", wantBits, prefix)
+		os.Exit(1)
+	}
+	expectedIterations := float64(int(1) << uint(wantBits))
+	fmt.Printf("Want %d bits for prefix %q, about %.2g certs to test (statistically speaking)\n", wantBits, prefix, expectedIterations)
+
+	for _ = range time.NewTicker(15 * time.Second).C {
+		tried := atomic.LoadInt64(count)
+		elapsed := time.Since(started)
+		rate := float64(tried) / elapsed.Seconds()
+		expected := timeStr(expectedIterations / rate)
+		fmt.Printf("Trying %.0f certs/s, tested %d so far in %v, expect ~%s total time to complete\n", rate, tried, elapsed/time.Second*time.Second, expected)
+	}
+}
+
+func saveCert(priv interface{}, derBytes []byte) {
+	certOut, err := os.Create("cert.pem")
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = certOut.Close()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	block, err := pemBlockForKey(priv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	err = pem.Encode(keyOut, block)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = keyOut.Close()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
+
+func pemBlockForKey(priv interface{}) (*pem.Block, error) {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}, nil
+	case *ecdsa.PrivateKey:
+		b, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return nil, err
+		}
+		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}, nil
+	default:
+		return nil, fmt.Errorf("unknown key type")
+	}
+}
+
+func timeStr(seconds float64) string {
+	if seconds < 60 {
+		return fmt.Sprintf("%.0fs", seconds)
+	}
+	if seconds < 3600 {
+		return fmt.Sprintf("%.0fm", seconds/60)
+	}
+	if seconds < 86400 {
+		return fmt.Sprintf("%.0fh", seconds/3600)
+	}
+	if seconds < 86400*365 {
+		return fmt.Sprintf("%.0f days", seconds/3600)
+	}
+	return fmt.Sprintf("%.0f years", seconds/86400/365)
+}
--- a/cmd/syncthing/addresslister.go
+++ b/cmd/syncthing/addresslister.go
@@ -1,127 +0,0 @@
-// Copyright (C) 2015 The Syncthing Authors.
-//
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this file,
-// You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package main
-
-import (
-	"fmt"
-	"net"
-	"net/url"
-
-	"github.com/syncthing/syncthing/lib/config"
-)
-
-type addressLister struct {
-	upnpService *upnpService
-	cfg         *config.Wrapper
-}
-
-func newAddressLister(upnpService *upnpService, cfg *config.Wrapper) *addressLister {
-	return &addressLister{
-		upnpService: upnpService,
-		cfg:         cfg,
-	}
-}
-
-// ExternalAddresses returns a list of addresses that are our best guess for
-// where we are reachable from the outside. As a special case, we may return
-// one or more addresses with an empty IP address (0.0.0.0 or ::) and just
-// port number - this means that the outside address of a NAT gateway should
-// be substituted.
-func (e *addressLister) ExternalAddresses() []string {
-	return e.addresses(false)
-}
-
-// AllAddresses returns a list of addresses that are our best guess for where
-// we are reachable from the local network. Same conditions as
-// ExternalAddresses, but private IPv4 addresses are included.
-func (e *addressLister) AllAddresses() []string {
-	return e.addresses(true)
-}
-
-func (e *addressLister) addresses(includePrivateIPV4 bool) []string {
-	var addrs []string
-
-	// Grab our listen addresses from the config. Unspecified ones are passed
-	// on verbatim (to be interpreted by a global discovery server or local
-	// discovery peer). Public addresses are passed on verbatim. Private
-	// addresses are filtered.
-	for _, addrStr := range e.cfg.Options().ListenAddress {
-		addrURL, err := url.Parse(addrStr)
-		if err != nil {
-			l.Infoln("Listen address", addrStr, "is invalid:", err)
-			continue
-		}
-		addr, err := net.ResolveTCPAddr("tcp", addrURL.Host)
-		if err != nil {
-			l.Infoln("Listen address", addrStr, "is invalid:", err)
-			continue
-		}
-
-		if addr.IP == nil || addr.IP.IsUnspecified() {
-			// Address like 0.0.0.0:22000 or [::]:22000 or :22000; include as is.
-			addrs = append(addrs, tcpAddr(addr.String()))
-		} else if isPublicIPv4(addr.IP) || isPublicIPv6(addr.IP) {
-			// A public address; include as is.
-			addrs = append(addrs, tcpAddr(addr.String()))
-		} else if includePrivateIPV4 && addr.IP.To4().IsGlobalUnicast() {
-			// A private IPv4 address.
-			addrs = append(addrs, tcpAddr(addr.String()))
-		}
-	}
-
-	// Get an external port mapping from the upnpService, if it has one. If so,
-	// add it as another unspecified address.
-	if e.upnpService != nil {
-		if port := e.upnpService.ExternalPort(); port != 0 {
-			addrs = append(addrs, fmt.Sprintf("tcp://:%d", port))
-		}
-	}
-
-	return addrs
-}
-
-func isPublicIPv4(ip net.IP) bool {
-	ip = ip.To4()
-	if ip == nil {
-		// Not an IPv4 address (IPv6)
-		return false
-	}
-
-	// IsGlobalUnicast below only checks that it's not link local or
-	// multicast, and we want to exclude private (NAT:ed) addresses as well.
-	rfc1918 := []net.IPNet{
-		{IP: net.IP{10, 0, 0, 0}, Mask: net.IPMask{255, 0, 0, 0}},
-		{IP: net.IP{172, 16, 0, 0}, Mask: net.IPMask{255, 240, 0, 0}},
-		{IP: net.IP{192, 168, 0, 0}, Mask: net.IPMask{255, 255, 0, 0}},
-	}
-	for _, n := range rfc1918 {
-		if n.Contains(ip) {
-			return false
-		}
-	}
-
-	return ip.IsGlobalUnicast()
-}
-
-func isPublicIPv6(ip net.IP) bool {
-	if ip.To4() != nil {
-		// Not an IPv6 address (IPv4)
-		// (To16() returns a v6 mapped v4 address so can't be used to check
-		// that it's an actual v6 address)
-		return false
-	}
-
-	return ip.IsGlobalUnicast()
-}
-
-func tcpAddr(host string) string {
-	u := url.URL{
-		Scheme: "tcp",
-		Host:   host,
-	}
-	return u.String()
-}
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -7,13 +7,10 @@
 package main

 import (
-	"bytes"
-	"compress/gzip"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
-	"mime"
 	"net"
 	"net/http"
 	"os"
@@ -26,7 +23,6 @@ import (
 	"time"

 	"github.com/rcrowley/go-metrics"
-	"github.com/syncthing/syncthing/lib/auto"
 	"github.com/syncthing/syncthing/lib/config"
 	"github.com/syncthing/syncthing/lib/db"
 	"github.com/syncthing/syncthing/lib/discover"
@@ -35,7 +31,8 @@ import (
 	"github.com/syncthing/syncthing/lib/model"
 	"github.com/syncthing/syncthing/lib/osutil"
 	"github.com/syncthing/syncthing/lib/protocol"
-	"github.com/syncthing/syncthing/lib/relay"
+	"github.com/syncthing/syncthing/lib/rand"
+	"github.com/syncthing/syncthing/lib/stats"
 	"github.com/syncthing/syncthing/lib/sync"
 	"github.com/syncthing/syncthing/lib/tlsutil"
 	"github.com/syncthing/syncthing/lib/upgrade"
@@ -49,43 +46,95 @@ var (
 )

 type apiService struct {
-	id              protocol.DeviceID
-	cfg             *config.Wrapper
-	assetDir        string
-	model           *model.Model
-	eventSub        *events.BufferedSubscription
-	discoverer      *discover.CachingMux
-	relayService    *relay.Service
-	listener        net.Listener
-	fss             *folderSummaryService
-	stop            chan struct{}
-	systemConfigMut sync.Mutex
+	id                 protocol.DeviceID
+	cfg                configIntf
+	httpsCertFile      string
+	httpsKeyFile       string
+	statics            *staticsServer
+	model              modelIntf
+	eventSub           events.BufferedSubscription
+	discoverer         discover.CachingMux
+	connectionsService connectionsIntf
+	fss                *folderSummaryService
+	systemConfigMut    sync.Mutex    // serializes posts to /rest/system/config
+	stop               chan struct{} // signals intentional stop
+	configChanged      chan struct{} // signals intentional listener close due to config change
+	started            chan string   // signals startup complete by sending the listener address, for testing only
+	startedOnce        bool          // the service has started successfully at least once

-	guiErrors *logger.Recorder
-	systemLog *logger.Recorder
+	guiErrors logger.Recorder
+	systemLog logger.Recorder
 }

-func newAPIService(id protocol.DeviceID, cfg *config.Wrapper, assetDir string, m *model.Model, eventSub *events.BufferedSubscription, discoverer *discover.CachingMux, relayService *relay.Service, errors, systemLog *logger.Recorder) (*apiService, error) {
+type modelIntf interface {
+	GlobalDirectoryTree(folder, prefix string, levels int, dirsonly bool) map[string]interface{}
+	Completion(device protocol.DeviceID, folder string) float64
+	Override(folder string)
+	NeedFolderFiles(folder string, page, perpage int) ([]db.FileInfoTruncated, []db.FileInfoTruncated, []db.FileInfoTruncated, int)
+	NeedSize(folder string) (nfiles int, bytes int64)
+	ConnectionStats() map[string]interface{}
+	DeviceStatistics() map[string]stats.DeviceStatistics
+	FolderStatistics() map[string]stats.FolderStatistics
+	CurrentFolderFile(folder string, file string) (protocol.FileInfo, bool)
+	CurrentGlobalFile(folder string, file string) (protocol.FileInfo, bool)
+	ResetFolder(folder string)
+	Availability(folder, file string, version protocol.Vector, block protocol.BlockInfo) []model.Availability
+	GetIgnores(folder string) ([]string, []string, error)
+	SetIgnores(folder string, content []string) error
+	PauseDevice(device protocol.DeviceID)
+	ResumeDevice(device protocol.DeviceID)
+	DelayScan(folder string, next time.Duration)
+	ScanFolder(folder string) error
+	ScanFolders() map[string]error
+	ScanFolderSubs(folder string, subs []string) error
+	BringToFront(folder, file string)
+	ConnectedTo(deviceID protocol.DeviceID) bool
+	GlobalSize(folder string) (nfiles, deleted int, bytes int64)
+	LocalSize(folder string) (nfiles, deleted int, bytes int64)
+	CurrentLocalVersion(folder string) (int64, bool)
+	RemoteLocalVersion(folder string) (int64, bool)
+	State(folder string) (string, time.Time, error)
+}
+
+type configIntf interface {
+	GUI() config.GUIConfiguration
+	Raw() config.Configuration
+	Options() config.OptionsConfiguration
+	Replace(cfg config.Configuration) config.CommitResponse
+	Subscribe(c config.Committer)
+	Folders() map[string]config.FolderConfiguration
+	Devices() map[protocol.DeviceID]config.DeviceConfiguration
+	Save() error
+	ListenAddresses() []string
+}
+
+type connectionsIntf interface {
+	Status() map[string]interface{}
+}
+
+func newAPIService(id protocol.DeviceID, cfg configIntf, httpsCertFile, httpsKeyFile, assetDir string, m modelIntf, eventSub events.BufferedSubscription, discoverer discover.CachingMux, connectionsService connectionsIntf, errors, systemLog logger.Recorder) *apiService {
 	service := &apiService{
-		id:              id,
-		cfg:             cfg,
-		assetDir:        assetDir,
-		model:           m,
-		eventSub:        eventSub,
-		discoverer:      discoverer,
-		relayService:    relayService,
-		systemConfigMut: sync.NewMutex(),
-		guiErrors:       errors,
-		systemLog:       systemLog,
+		id:                 id,
+		cfg:                cfg,
+		httpsCertFile:      httpsCertFile,
+		httpsKeyFile:       httpsKeyFile,
+		statics:            newStaticsServer(cfg.GUI().Theme, assetDir),
+		model:              m,
+		eventSub:           eventSub,
+		discoverer:         discoverer,
+		connectionsService: connectionsService,
+		systemConfigMut:    sync.NewMutex(),
+		stop:               make(chan struct{}),
+		configChanged:      make(chan struct{}),
+		guiErrors:          errors,
+		systemLog:          systemLog,
 	}

-	var err error
-	service.listener, err = service.getListener(cfg.GUI())
-	return service, err
+	return service
 }

 func (s *apiService) getListener(guiCfg config.GUIConfiguration) (net.Listener, error) {
-	cert, err := tls.LoadX509KeyPair(locations[locHTTPSCertFile], locations[locHTTPSKeyFile])
+	cert, err := tls.LoadX509KeyPair(s.httpsCertFile, s.httpsKeyFile)
 	if err != nil {
 		l.Infoln("Loading HTTPS certificate:", err)
 		l.Infoln("Creating new HTTPS certificate")
@@ -98,7 +147,7 @@ func (s *apiService) getListener(guiCfg config.GUIConfiguration) (net.Listener,
 			name = tlsDefaultCommonName
 		}

-		cert, err = tlsutil.NewCertificate(locations[locHTTPSCertFile], locations[locHTTPSKeyFile], name, httpsRSABits)
+		cert, err = tlsutil.NewCertificate(s.httpsCertFile, s.httpsKeyFile, name, httpsRSABits)
 	}
 	if err != nil {
 		return nil, err
@@ -126,17 +175,50 @@ func (s *apiService) getListener(guiCfg config.GUIConfiguration) (net.Listener,
 		return nil, err
 	}

-	listener := &tlsutil.DowngradingListener{rawListener, tlsCfg}
+	listener := &tlsutil.DowngradingListener{
+		Listener:  rawListener,
+		TLSConfig: tlsCfg,
+	}
 	return listener, nil
 }

 func sendJSON(w http.ResponseWriter, jsonObject interface{}) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	json.NewEncoder(w).Encode(jsonObject)
+	// Marshalling might fail, in which case we should return a 500 with the
+	// actual error.
+	bs, err := json.Marshal(jsonObject)
+	if err != nil {
+		// This Marshal() can't fail though.
+		bs, _ = json.Marshal(map[string]string{"error": err.Error()})
+		http.Error(w, string(bs), http.StatusInternalServerError)
+		return
+	}
+	w.Write(bs)
 }

 func (s *apiService) Serve() {
-	s.stop = make(chan struct{})
+	listener, err := s.getListener(s.cfg.GUI())
+	if err != nil {
+		if !s.startedOnce {
+			// This is during initialization. A failure here should be fatal
+			// as there will be no way for the user to communicate with us
+			// otherwise anyway.
+			l.Fatalln("Starting API/GUI:", err)
+		}
+
+		// We let this be a loud user-visible warning as it may be the only
+		// indication they get that the GUI won't be available on startup.
+		l.Warnln("Starting API/GUI:", err)
+		return
+	}
+	s.startedOnce = true
+	defer listener.Close()
+
+	if listener == nil {
+		// Not much we can do here other than exit quickly. The supervisor
+		// will log an error at some point.
+		return
+	}

 	// The GET handlers
 	getRestMux := http.NewServeMux()
@@ -152,6 +234,7 @@ func (s *apiService) Serve() {
 	getRestMux.HandleFunc("/rest/svc/deviceid", s.getDeviceID)                   // id
 	getRestMux.HandleFunc("/rest/svc/lang", s.getLang)                           // -
 	getRestMux.HandleFunc("/rest/svc/report", s.getReport)                       // -
+	getRestMux.HandleFunc("/rest/svc/random/string", s.getRandomString)          // [length]
 	getRestMux.HandleFunc("/rest/system/browse", s.getSystemBrowse)              // current
 	getRestMux.HandleFunc("/rest/system/config", s.getSystemConfig)              // -
 	getRestMux.HandleFunc("/rest/system/config/insync", s.getSystemConfigInsync) // -
@@ -198,16 +281,16 @@ func (s *apiService) Serve() {
 	mux.HandleFunc("/qr/", s.getQR)

 	// Serve compiled in assets unless an asset directory was set (for development)
-	mux.Handle("/", embeddedStatic{
-		assetDir: s.assetDir,
-		assets:   auto.Assets(),
-	})
+	mux.Handle("/", s.statics)
+
+	// Handle the special meta.js path
+	mux.HandleFunc("/meta.js", s.getJSMetadata)

 	guiCfg := s.cfg.GUI()

 	// Wrap everything in CSRF protection. The /rest prefix should be
 	// protected, other requests will grant cookies.
-	handler := csrfMiddleware(s.id.String()[:5], "/rest", guiCfg.APIKey(), mux)
+	handler := csrfMiddleware(s.id.String()[:5], "/rest", guiCfg, mux)

 	// Add our version and ID as a header to responses
 	handler = withDetailsMiddleware(s.id, handler)
@@ -222,6 +305,9 @@ func (s *apiService) Serve() {
 		handler = redirectToHTTPSMiddleware(handler)
 	}

+	// Add the CORS handling
+	handler = corsMiddleware(handler)
+
 	handler = debugMiddleware(handler)

 	srv := http.Server{
@@ -233,23 +319,37 @@ func (s *apiService) Serve() {
 	defer s.fss.Stop()
 	s.fss.ServeBackground()

-	l.Infoln("API listening on", s.listener.Addr())
-	l.Infoln("GUI URL is", guiCfg.URL())
-	err := srv.Serve(s.listener)
+	l.Infoln("GUI and API listening on", listener.Addr())
+	l.Infoln("Access the GUI via the following URL:", guiCfg.URL())
+	if s.started != nil {
+		// only set when run by the tests
+		s.started <- listener.Addr().String()
+	}
+
+	// Serve in the background
+
+	serveError := make(chan error, 1)
+	go func() {
+		serveError <- srv.Serve(listener)
+	}()
+
+	// Wait for stop, restart or error signals

-	// The return could be due to an intentional close. Wait for the stop
-	// signal before returning. IF there is no stop signal within a second, we
-	// assume it was unintentional and log the error before retrying.
 	select {
 	case <-s.stop:
-	case <-time.After(time.Second):
-		l.Warnln("API:", err)
+		// Shutting down permanently
+		l.Debugln("shutting down (stop)")
+	case <-s.configChanged:
+		// Soft restart due to configuration change
+		l.Debugln("restarting (config changed)")
+	case <-serveError:
+		// Restart due to listen/serve failure
+		l.Warnln("GUI/API:", err, "(restarting)")
 	}
 }

 func (s *apiService) Stop() {
 	close(s.stop)
-	s.listener.Close()
 }

 func (s *apiService) String() string {
@@ -257,6 +357,9 @@ func (s *apiService) String() string {
 }

 func (s *apiService) VerifyConfiguration(from, to config.Configuration) error {
+	if _, err := net.ResolveTCPAddr("tcp", to.GUI.Address()); err != nil {
+		return err
+	}
 	return nil
 }

@@ -265,25 +368,12 @@ func (s *apiService) CommitConfiguration(from, to config.Configuration) bool {
 		return true
 	}

-	// Order here is important. We must close the listener to stop Serve(). We
-	// must create a new listener before Serve() starts again. We can't create
-	// a new listener on the same port before the previous listener is closed.
-	// To assist in this little dance the Serve() method will wait for a
-	// signal on the stop channel after the listener has closed.
-
-	s.listener.Close()
-
-	var err error
-	s.listener, err = s.getListener(to.GUI)
-	if err != nil {
-		// Ideally this should be a verification error, but we check it by
-		// creating a new listener which requires shutting down the previous
-		// one first, which is too destructive for the VerifyConfiguration
-		// method.
-		return false
+	if to.GUI.Theme != from.GUI.Theme {
+		s.statics.setTheme(to.GUI.Theme)
 	}

-	close(s.stop)
+	// Tell the serve loop to restart
+	s.configChanged <- struct{}{}

 	return true
 }
@@ -327,6 +417,37 @@ func debugMiddleware(h http.Handler) http.Handler {
 	})
 }

+func corsMiddleware(next http.Handler) http.Handler {
+	// Handle CORS headers and CORS OPTIONS request.
+	// CORS OPTIONS request are typically sent by browser during AJAX preflight
+	// when the browser initiate a POST request.
+	//
+	// As the OPTIONS request is unauthorized, this handler must be the first
+	// of the chain (hence added at the end).
+	//
+	// See https://www.w3.org/TR/cors/ for details.
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Process OPTIONS requests
+		if r.Method == "OPTIONS" {
+			// Only GET/POST Methods are supported
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+			// Only this custom header can be set
+			w.Header().Set("Access-Control-Allow-Headers", "X-API-Key")
+			// The request is meant to be cached 10 minutes
+			w.Header().Set("Access-Control-Max-Age", "600")
+
+			// Indicate that no content will be returned
+			w.WriteHeader(204)
+
+			return
+		}
+
+		// For everything else, pass to the next handler
+		next.ServeHTTP(w, r)
+		return
+	})
+}
+
 func metricsMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t := metrics.GetOrRegisterTimer(r.URL.Path, nil)
@@ -338,15 +459,11 @@ func metricsMiddleware(h http.Handler) http.Handler {

 func redirectToHTTPSMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Add a generous access-control-allow-origin header since we may be
-		// redirecting REST requests over protocols
-		w.Header().Add("Access-Control-Allow-Origin", "*")
-
 		if r.TLS == nil {
 			// Redirect HTTP requests to HTTPS
 			r.URL.Host = r.Host
 			r.URL.Scheme = "https"
-			http.Redirect(w, r, r.URL.String(), http.StatusFound)
+			http.Redirect(w, r, r.URL.String(), http.StatusTemporaryRedirect)
 		} else {
 			h.ServeHTTP(w, r)
 		}
@@ -374,6 +491,14 @@ func (s *apiService) restPing(w http.ResponseWriter, r *http.Request) {
 	sendJSON(w, map[string]string{"ping": "pong"})
 }

+func (s *apiService) getJSMetadata(w http.ResponseWriter, r *http.Request) {
+	meta, _ := json.Marshal(map[string]string{
+		"deviceID": s.id.String(),
+	})
+	w.Header().Set("Content-Type", "application/javascript")
+	fmt.Fprintf(w, "var metadata = %s;\n", meta)
+}
+
 func (s *apiService) getSystemVersion(w http.ResponseWriter, r *http.Request) {
 	sendJSON(w, map[string]string{
 		"version":     Version,
@@ -449,7 +574,7 @@ func (s *apiService) getDBStatus(w http.ResponseWriter, r *http.Request) {
 	sendJSON(w, folderSummary(s.cfg, s.model, folder))
 }

-func folderSummary(cfg *config.Wrapper, m *model.Model, folder string) map[string]interface{} {
+func folderSummary(cfg configIntf, m modelIntf, folder string) map[string]interface{} {
 	var res = make(map[string]interface{})

 	res["invalid"] = cfg.Folders()[folder].Invalid
@@ -537,10 +662,16 @@ func (s *apiService) getDBFile(w http.ResponseWriter, r *http.Request) {
 	qs := r.URL.Query()
 	folder := qs.Get("folder")
 	file := qs.Get("file")
-	gf, _ := s.model.CurrentGlobalFile(folder, file)
-	lf, _ := s.model.CurrentFolderFile(folder, file)
+	gf, gfOk := s.model.CurrentGlobalFile(folder, file)
+	lf, lfOk := s.model.CurrentFolderFile(folder, file)

-	av := s.model.Availability(folder, file)
+	if !(gfOk || lfOk) {
+		// This file for sure does not exist.
+		http.Error(w, "No such object in the index", http.StatusNotFound)
+		return
+	}
+
+	av := s.model.Availability(folder, file, protocol.Vector{}, protocol.BlockInfo{})
 	sendJSON(w, map[string]interface{}{
 		"global":       jsonFileInfo(gf),
 		"local":        jsonFileInfo(lf),
@@ -557,6 +688,7 @@ func (s *apiService) postSystemConfig(w http.ResponseWriter, r *http.Request) {
 	defer s.systemConfigMut.Unlock()

 	to, err := config.ReadJSON(r.Body, myID)
+	r.Body.Close()
 	if err != nil {
 		l.Warnln("decoding posted config:", err)
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -581,7 +713,7 @@ func (s *apiService) postSystemConfig(w http.ResponseWriter, r *http.Request) {
 	if curAcc := s.cfg.Options().URAccepted; to.Options.URAccepted > curAcc {
 		// UR was enabled
 		to.Options.URAccepted = usageReportVersion
-		to.Options.URUniqueID = randomString(8)
+		to.Options.URUniqueID = rand.String(8)
 	} else if to.Options.URAccepted < curAcc {
 		// UR was disabled
 		to.Options.URAccepted = -1
@@ -668,18 +800,9 @@ func (s *apiService) getSystemStatus(w http.ResponseWriter, r *http.Request) {
 		res["discoveryMethods"] = discoMethods
 		res["discoveryErrors"] = discoErrors
 	}
-	if s.relayService != nil {
-		res["relaysEnabled"] = true
-		relayClientStatus := make(map[string]bool)
-		relayClientLatency := make(map[string]int)
-		for _, relay := range s.relayService.Relays() {
-			latency, ok := s.relayService.RelayStatus(relay)
-			relayClientStatus[relay] = ok
-			relayClientLatency[relay] = int(latency / time.Millisecond)
-		}
-		res["relayClientStatus"] = relayClientStatus
-		res["relayClientLatency"] = relayClientLatency
-	}
+
+	res["connectionServiceStatus"] = s.connectionsService.Status()
+
 	cpuUsageLock.RLock()
 	var cpusum float64
 	for _, p := range cpuUsagePercent {
@@ -769,6 +892,16 @@ func (s *apiService) getReport(w http.ResponseWriter, r *http.Request) {
 	sendJSON(w, reportData(s.cfg, s.model))
 }

+func (s *apiService) getRandomString(w http.ResponseWriter, r *http.Request) {
+	length := 32
+	if val, _ := strconv.Atoi(r.URL.Query().Get("length")); val > 0 {
+		length = val
+	}
+	str := rand.String(length)
+
+	sendJSON(w, map[string]string{"random": str})
+}
+
 func (s *apiService) getDBIgnores(w http.ResponseWriter, r *http.Request) {
 	qs := r.URL.Query()

@@ -780,17 +913,22 @@ func (s *apiService) getDBIgnores(w http.ResponseWriter, r *http.Request) {

 	sendJSON(w, map[string][]string{
 		"ignore":   ignores,
-		"patterns": patterns,
+		"expanded": patterns,
 	})
 }

 func (s *apiService) postDBIgnores(w http.ResponseWriter, r *http.Request) {
 	qs := r.URL.Query()

-	var data map[string][]string
-	err := json.NewDecoder(r.Body).Decode(&data)
+	bs, err := ioutil.ReadAll(r.Body)
 	r.Body.Close()
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}

+	var data map[string][]string
+	err = json.Unmarshal(bs, &data)
 	if err != nil {
 		http.Error(w, err.Error(), 500)
 		return
@@ -814,8 +952,10 @@ func (s *apiService) getEvents(w http.ResponseWriter, r *http.Request) {

 	s.fss.gotEventRequest()

-	// Flush before blocking, to indicate that we've received the request
-	// and that it should not be retried.
+	// Flush before blocking, to indicate that we've received the request and
+	// that it should not be retried. Must set Content-Type header before
+	// flushing.
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	f := w.(http.Flusher)
 	f.Flush()

@@ -994,109 +1134,31 @@ func (s *apiService) getPeerCompletion(w http.ResponseWriter, r *http.Request) {
 func (s *apiService) getSystemBrowse(w http.ResponseWriter, r *http.Request) {
 	qs := r.URL.Query()
 	current := qs.Get("current")
+	if current == "" && runtime.GOOS == "windows" {
+		if drives, err := osutil.GetDriveLetters(); err == nil {
+			sendJSON(w, drives)
+		} else {
+			http.Error(w, err.Error(), 500)
+		}
+		return
+	}
 	search, _ := osutil.ExpandTilde(current)
 	pathSeparator := string(os.PathSeparator)
 	if strings.HasSuffix(current, pathSeparator) && !strings.HasSuffix(search, pathSeparator) {
 		search = search + pathSeparator
 	}
 	subdirectories, _ := osutil.Glob(search + "*")
-	ret := make([]string, 0, 10)
+	ret := make([]string, 0, len(subdirectories))
 	for _, subdirectory := range subdirectories {
 		info, err := os.Stat(subdirectory)
 		if err == nil && info.IsDir() {
 			ret = append(ret, subdirectory+pathSeparator)
-			if len(ret) > 9 {
-				break
-			}
 		}
 	}

 	sendJSON(w, ret)
 }

-type embeddedStatic struct {
-	assetDir string
-	assets   map[string][]byte
-}
-
-func (s embeddedStatic) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	file := r.URL.Path
-
-	if file[0] == '/' {
-		file = file[1:]
-	}
-
-	if len(file) == 0 {
-		file = "index.html"
-	}
-
-	if s.assetDir != "" {
-		p := filepath.Join(s.assetDir, filepath.FromSlash(file))
-		_, err := os.Stat(p)
-		if err == nil {
-			http.ServeFile(w, r, p)
-			return
-		}
-	}
-
-	bs, ok := s.assets[file]
-	if !ok {
-		http.NotFound(w, r)
-		return
-	}
-
-	if r.Header.Get("If-Modified-Since") == auto.AssetsBuildDate {
-		w.WriteHeader(http.StatusNotModified)
-		return
-	}
-
-	mtype := s.mimeTypeForFile(file)
-	if len(mtype) != 0 {
-		w.Header().Set("Content-Type", mtype)
-	}
-	if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
-		w.Header().Set("Content-Encoding", "gzip")
-	} else {
-		// ungzip if browser not send gzip accepted header
-		var gr *gzip.Reader
-		gr, _ = gzip.NewReader(bytes.NewReader(bs))
-		bs, _ = ioutil.ReadAll(gr)
-		gr.Close()
-	}
-	w.Header().Set("Content-Length", fmt.Sprintf("%d", len(bs)))
-	w.Header().Set("Last-Modified", auto.AssetsBuildDate)
-	w.Header().Set("Cache-Control", "public")
-
-	w.Write(bs)
-}
-
-func (s embeddedStatic) mimeTypeForFile(file string) string {
-	// We use a built in table of the common types since the system
-	// TypeByExtension might be unreliable. But if we don't know, we delegate
-	// to the system.
-	ext := filepath.Ext(file)
-	switch ext {
-	case ".htm", ".html":
-		return "text/html"
-	case ".css":
-		return "text/css"
-	case ".js":
-		return "application/javascript"
-	case ".json":
-		return "application/json"
-	case ".png":
-		return "image/png"
-	case ".ttf":
-		return "application/x-font-ttf"
-	case ".woff":
-		return "application/x-font-woff"
-	case ".svg":
-		return "image/svg+xml"
-	default:
-		return mime.TypeByExtension(ext)
-	}
-}
-
 func (s *apiService) toNeedSlice(fs []db.FileInfoTruncated) []jsonDBFileInfo {
 	res := make([]jsonDBFileInfo, len(fs))
 	for i, f := range fs {
@@ -1139,7 +1201,30 @@ type jsonVersionVector protocol.Vector
 func (v jsonVersionVector) MarshalJSON() ([]byte, error) {
 	res := make([]string, len(v))
 	for i, c := range v {
-		res[i] = fmt.Sprintf("%d:%d", c.ID, c.Value)
+		res[i] = fmt.Sprintf("%v:%d", c.ID, c.Value)
 	}
 	return json.Marshal(res)
 }
+
+func dirNames(dir string) []string {
+	fd, err := os.Open(dir)
+	if err != nil {
+		return nil
+	}
+	defer fd.Close()
+
+	fis, err := fd.Readdir(-1)
+	if err != nil {
+		return nil
+	}
+
+	var dirs []string
+	for _, fi := range fis {
+		if fi.IsDir() {
+			dirs = append(dirs, filepath.Base(fi.Name()))
+		}
+	}
+
+	sort.Strings(dirs)
+	return dirs
+}
--- a/cmd/syncthing/gui_auth.go
+++ b/cmd/syncthing/gui_auth.go
@@ -9,13 +9,13 @@ package main
 import (
 	"bytes"
 	"encoding/base64"
-	"math/rand"
 	"net/http"
 	"strings"
 	"time"

 	"github.com/syncthing/syncthing/lib/config"
 	"github.com/syncthing/syncthing/lib/events"
+	"github.com/syncthing/syncthing/lib/rand"
 	"github.com/syncthing/syncthing/lib/sync"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -33,9 +33,8 @@ func emitLoginAttempt(success bool, username string) {
 }

 func basicAuthAndSessionMiddleware(cookieName string, cfg config.GUIConfiguration, next http.Handler) http.Handler {
-	apiKey := cfg.APIKey()
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {
+		if cfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
 			next.ServeHTTP(w, r)
 			return
 		}
@@ -78,20 +77,43 @@ func basicAuthAndSessionMiddleware(cookieName string, cfg config.GUIConfiguratio
 			return
 		}

+		// Check if the username is correct, assuming it was sent as UTF-8
 		username := string(fields[0])
-		if username != cfg.User {
-			emitLoginAttempt(false, username)
-			error()
-			return
+		if username == cfg.User {
+			goto usernameOK
 		}

-		if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), fields[1]); err != nil {
-			emitLoginAttempt(false, username)
-			error()
-			return
+		// ... check it again, converting it from assumed ISO-8859-1 to UTF-8
+		username = string(iso88591ToUTF8(fields[0]))
+		if username == cfg.User {
+			goto usernameOK
 		}

-		sessionid := randomString(32)
+		// Neither of the possible interpretations match the configured username
+		emitLoginAttempt(false, username)
+		error()
+		return
+
+	usernameOK:
+		// Check password as given (assumes UTF-8 encoding)
+		password := fields[1]
+		if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {
+			goto passwordOK
+		}
+
+		// ... check it again, converting it from assumed ISO-8859-1 to UTF-8
+		password = iso88591ToUTF8(password)
+		if err := bcrypt.CompareHashAndPassword([]byte(cfg.Password), password); err == nil {
+			goto passwordOK
+		}
+
+		// Neither of the attempts to verify the password checked out
+		emitLoginAttempt(false, username)
+		error()
+		return
+
+	passwordOK:
+		sessionid := rand.String(32)
 		sessionsMut.Lock()
 		sessions[sessionid] = true
 		sessionsMut.Unlock()
@@ -105,3 +127,15 @@ func basicAuthAndSessionMiddleware(cookieName string, cfg config.GUIConfiguratio
 		next.ServeHTTP(w, r)
 	})
 }
+
+// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the
+// principle that ISO-8859-1 bytes are equivalent to unicode code points,
+// that a rune slice is a list of code points, and that stringifying a slice
+// of runes generates UTF-8 in Go.
+func iso88591ToUTF8(s []byte) []byte {
+	runes := make([]rune, len(s))
+	for i := range s {
+		runes[i] = rune(s[i])
+	}
+	return []byte(string(runes))
+}
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -13,29 +13,40 @@ import (
 	"os"
 	"strings"

+	"github.com/syncthing/syncthing/lib/config"
 	"github.com/syncthing/syncthing/lib/osutil"
+	"github.com/syncthing/syncthing/lib/rand"
 	"github.com/syncthing/syncthing/lib/sync"
 )

+// csrfTokens is a list of valid tokens. It is sorted so that the most
+// recently used token is first in the list. New tokens are added to the front
+// of the list (as it is the most recently used at that time). The list is
+// pruned to a maximum of maxCsrfTokens, throwing away the least recently used
+// tokens.
 var csrfTokens []string
 var csrfMut = sync.NewMutex()

+const maxCsrfTokens = 25
+
 // Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
 // the request with 403. For / and /index.html, set a new CSRF cookie if none
 // is currently set.
-func csrfMiddleware(unique, prefix, apiKey string, next http.Handler) http.Handler {
+func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, next http.Handler) http.Handler {
 	loadCsrfTokens()
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Allow requests carrying a valid API key
-		if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {
+		if cfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
 			next.ServeHTTP(w, r)
 			return
 		}

-		// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
+		// Allow requests for anything not under the protected path prefix,
+		// and set a CSRF cookie if there isn't already a valid one.
 		if !strings.HasPrefix(r.URL.Path, prefix) {
 			cookie, err := r.Cookie("CSRF-Token-" + unique)
 			if err != nil || !validCsrfToken(cookie.Value) {
+				httpl.Debugln("new CSRF cookie in response to request for", r.URL)
 				cookie = &http.Cookie{
 					Name:  "CSRF-Token-" + unique,
 					Value: newCsrfToken(),
@@ -46,12 +57,6 @@ func csrfMiddleware(unique, prefix, apiKey string, next http.Handler) http.Handl
 			return
 		}

-		if r.Method == "GET" {
-			// Allow GET requests unconditionally
-			next.ServeHTTP(w, r)
-			return
-		}
-
 		// Verify the CSRF token
 		token := r.Header.Get("X-CSRF-Token-" + unique)
 		if !validCsrfToken(token) {
@@ -66,8 +71,15 @@ func csrfMiddleware(unique, prefix, apiKey string, next http.Handler) http.Handl
 func validCsrfToken(token string) bool {
 	csrfMut.Lock()
 	defer csrfMut.Unlock()
-	for _, t := range csrfTokens {
+	for i, t := range csrfTokens {
 		if t == token {
+			if i > 0 {
+				// Move this token to the head of the list. Copy the tokens at
+				// the front one step to the right and then replace the token
+				// at the head.
+				copy(csrfTokens[1:], csrfTokens[:i+1])
+				csrfTokens[0] = token
+			}
 			return true
 		}
 	}
@@ -75,12 +87,12 @@ func validCsrfToken(token string) bool {
 }

 func newCsrfToken() string {
-	token := randomString(32)
+	token := rand.String(32)

 	csrfMut.Lock()
-	csrfTokens = append(csrfTokens, token)
-	if len(csrfTokens) > 10 {
-		csrfTokens = csrfTokens[len(csrfTokens)-10:]
+	csrfTokens = append([]string{token}, csrfTokens...)
+	if len(csrfTokens) > maxCsrfTokens {
+		csrfTokens = csrfTokens[:maxCsrfTokens]
 	}
 	defer csrfMut.Unlock()

--- a/cmd/syncthing/gui_statics.go
+++ b/cmd/syncthing/gui_statics.go
@@ -0,0 +1,176 @@
+// Copyright (C) 2014 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/syncthing/syncthing/lib/auto"
+	"github.com/syncthing/syncthing/lib/config"
+	"github.com/syncthing/syncthing/lib/sync"
+)
+
+type staticsServer struct {
+	assetDir        string
+	assets          map[string][]byte
+	availableThemes []string
+
+	mut   sync.RWMutex
+	theme string
+}
+
+func newStaticsServer(theme, assetDir string) *staticsServer {
+	s := &staticsServer{
+		assetDir: assetDir,
+		assets:   auto.Assets(),
+		mut:      sync.NewRWMutex(),
+		theme:    theme,
+	}
+
+	seen := make(map[string]struct{})
+	// Load themes from compiled in assets.
+	for file := range auto.Assets() {
+		theme := strings.Split(file, "/")[0]
+		if _, ok := seen[theme]; !ok {
+			seen[theme] = struct{}{}
+			s.availableThemes = append(s.availableThemes, theme)
+		}
+	}
+	if assetDir != "" {
+		// Load any extra themes from the asset override dir.
+		for _, dir := range dirNames(assetDir) {
+			if _, ok := seen[dir]; !ok {
+				seen[dir] = struct{}{}
+				s.availableThemes = append(s.availableThemes, dir)
+			}
+		}
+	}
+
+	return s
+}
+
+func (s *staticsServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/themes.json":
+		s.serveThemes(w, r)
+	default:
+		s.serveAsset(w, r)
+	}
+}
+
+func (s *staticsServer) serveAsset(w http.ResponseWriter, r *http.Request) {
+	file := r.URL.Path
+
+	if file[0] == '/' {
+		file = file[1:]
+	}
+
+	if len(file) == 0 {
+		file = "index.html"
+	}
+
+	s.mut.RLock()
+	theme := s.theme
+	s.mut.RUnlock()
+
+	// Check for an override for the current theme.
+	if s.assetDir != "" {
+		p := filepath.Join(s.assetDir, theme, filepath.FromSlash(file))
+		if _, err := os.Stat(p); err == nil {
+			http.ServeFile(w, r, p)
+			return
+		}
+	}
+
+	// Check for a compiled in asset for the current theme.
+	bs, ok := s.assets[theme+"/"+file]
+	if !ok {
+		// Check for an overridden default asset.
+		if s.assetDir != "" {
+			p := filepath.Join(s.assetDir, config.DefaultTheme, filepath.FromSlash(file))
+			if _, err := os.Stat(p); err == nil {
+				http.ServeFile(w, r, p)
+				return
+			}
+		}
+
+		// Check for a compiled in default asset.
+		bs, ok = s.assets[config.DefaultTheme+"/"+file]
+		if !ok {
+			http.NotFound(w, r)
+			return
+		}
+	}
+
+	mtype := s.mimeTypeForFile(file)
+	if len(mtype) != 0 {
+		w.Header().Set("Content-Type", mtype)
+	}
+	if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
+		w.Header().Set("Content-Encoding", "gzip")
+	} else {
+		// ungzip if browser not send gzip accepted header
+		var gr *gzip.Reader
+		gr, _ = gzip.NewReader(bytes.NewReader(bs))
+		bs, _ = ioutil.ReadAll(gr)
+		gr.Close()
+	}
+	w.Header().Set("Content-Length", fmt.Sprintf("%d", len(bs)))
+
+	w.Write(bs)
+}
+
+func (s *staticsServer) serveThemes(w http.ResponseWriter, r *http.Request) {
+	sendJSON(w, map[string][]string{
+		"themes": s.availableThemes,
+	})
+}
+
+func (s *staticsServer) mimeTypeForFile(file string) string {
+	// We use a built in table of the common types since the system
+	// TypeByExtension might be unreliable. But if we don't know, we delegate
+	// to the system.
+	ext := filepath.Ext(file)
+	switch ext {
+	case ".htm", ".html":
+		return "text/html"
+	case ".css":
+		return "text/css"
+	case ".js":
+		return "application/javascript"
+	case ".json":
+		return "application/json"
+	case ".png":
+		return "image/png"
+	case ".ttf":
+		return "application/x-font-ttf"
+	case ".woff":
+		return "application/x-font-woff"
+	case ".svg":
+		return "image/svg+xml"
+	default:
+		return mime.TypeByExtension(ext)
+	}
+}
+
+func (s *staticsServer) setTheme(theme string) {
+	s.mut.Lock()
+	s.theme = theme
+	s.mut.Unlock()
+}
+
+func (s *staticsServer) String() string {
+	return fmt.Sprintf("staticsServer@%p", s)
+}
--- a/cmd/syncthing/gui_test.go
+++ b/cmd/syncthing/gui_test.go
@@ -0,0 +1,615 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/d4l3k/messagediff"
+	"github.com/syncthing/syncthing/lib/config"
+	"github.com/syncthing/syncthing/lib/protocol"
+	"github.com/syncthing/syncthing/lib/sync"
+	"github.com/thejerf/suture"
+)
+
+func TestCSRFToken(t *testing.T) {
+	t1 := newCsrfToken()
+	t2 := newCsrfToken()
+
+	t3 := newCsrfToken()
+	if !validCsrfToken(t3) {
+		t.Fatal("t3 should be valid")
+	}
+
+	for i := 0; i < 250; i++ {
+		if i%5 == 0 {
+			// t1 and t2 should remain valid by virtue of us checking them now
+			// and then.
+			if !validCsrfToken(t1) {
+				t.Fatal("t1 should be valid at iteration", i)
+			}
+			if !validCsrfToken(t2) {
+				t.Fatal("t2 should be valid at iteration", i)
+			}
+		}
+
+		// The newly generated token is always valid
+		t4 := newCsrfToken()
+		if !validCsrfToken(t4) {
+			t.Fatal("t4 should be valid at iteration", i)
+		}
+	}
+
+	if validCsrfToken(t3) {
+		t.Fatal("t3 should have expired by now")
+	}
+}
+
+func TestStopAfterBrokenConfig(t *testing.T) {
+	cfg := config.Configuration{
+		GUI: config.GUIConfiguration{
+			RawAddress: "127.0.0.1:0",
+			RawUseTLS:  false,
+		},
+	}
+	w := config.Wrap("/dev/null", cfg)
+
+	srv := newAPIService(protocol.LocalDeviceID, w, "../../test/h1/https-cert.pem", "../../test/h1/https-key.pem", "", nil, nil, nil, nil, nil, nil)
+	srv.started = make(chan string)
+
+	sup := suture.NewSimple("test")
+	sup.Add(srv)
+	sup.ServeBackground()
+
+	<-srv.started
+
+	// Service is now running, listening on a random port on localhost. Now we
+	// request a config change to a completely invalid listen address. The
+	// commit will fail and the service will be in a broken state.
+
+	newCfg := config.Configuration{
+		GUI: config.GUIConfiguration{
+			RawAddress: "totally not a valid address",
+			RawUseTLS:  false,
+		},
+	}
+	if err := srv.VerifyConfiguration(cfg, newCfg); err == nil {
+		t.Fatal("Verify config should have failed")
+	}
+
+	// Nonetheless, it should be fine to Stop() it without panic.
+
+	sup.Stop()
+}
+
+func TestAssetsDir(t *testing.T) {
+	// For any given request to $FILE, we should return the first found of
+	//  - assetsdir/$THEME/$FILE
+	//  - compiled in asset $THEME/$FILE
+	//  - assetsdir/default/$FILE
+	//  - compiled in asset default/$FILE
+
+	// The asset map contains compressed assets, so create a couple of gzip compressed assets here.
+	buf := new(bytes.Buffer)
+	gw := gzip.NewWriter(buf)
+	gw.Write([]byte("default"))
+	gw.Close()
+	def := buf.Bytes()
+
+	buf = new(bytes.Buffer)
+	gw = gzip.NewWriter(buf)
+	gw.Write([]byte("foo"))
+	gw.Close()
+	foo := buf.Bytes()
+
+	e := &staticsServer{
+		theme:    "foo",
+		mut:      sync.NewRWMutex(),
+		assetDir: "testdata",
+		assets: map[string][]byte{
+			"foo/a":     foo, // overridden in foo/a
+			"foo/b":     foo,
+			"default/a": def, // overridden in default/a (but foo/a takes precedence)
+			"default/b": def, // overridden in default/b (but foo/b takes precedence)
+			"default/c": def,
+		},
+	}
+
+	s := httptest.NewServer(e)
+	defer s.Close()
+
+	// assetsdir/foo/a exists, overrides compiled in
+	expectURLToContain(t, s.URL+"/a", "overridden-foo")
+
+	// foo/b is compiled in, default/b is overridden, return compiled in
+	expectURLToContain(t, s.URL+"/b", "foo")
+
+	// only exists as compiled in default/c so use that
+	expectURLToContain(t, s.URL+"/c", "default")
+
+	// only exists as overridden default/d so use that
+	expectURLToContain(t, s.URL+"/d", "overridden-default")
+}
+
+func expectURLToContain(t *testing.T, url, exp string) {
+	res, err := http.Get(url)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if res.StatusCode != 200 {
+		t.Errorf("Got %s instead of 200 OK", res.Status)
+		return
+	}
+
+	data, err := ioutil.ReadAll(res.Body)
+	res.Body.Close()
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if string(data) != exp {
+		t.Errorf("Got %q instead of %q on %q", data, exp, url)
+		return
+	}
+}
+
+func TestDirNames(t *testing.T) {
+	names := dirNames("testdata")
+	expected := []string{"default", "foo", "testfolder"}
+	if diff, equal := messagediff.PrettyDiff(expected, names); !equal {
+		t.Errorf("Unexpected dirNames return: %#v\n%s", names, diff)
+	}
+}
+
+type httpTestCase struct {
+	URL     string        // URL to check
+	Code    int           // Expected result code
+	Type    string        // Expected content type
+	Prefix  string        // Expected result prefix
+	Timeout time.Duration // Defaults to a second
+}
+
+func TestAPIServiceRequests(t *testing.T) {
+	const testAPIKey = "foobarbaz"
+	cfg := new(mockedConfig)
+	cfg.gui.APIKey = testAPIKey
+	baseURL, err := startHTTP(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cases := []httpTestCase{
+		// /rest/db
+		{
+			URL:    "/rest/db/completion?device=" + protocol.LocalDeviceID.String() + "&folder=default",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:  "/rest/db/file?folder=default&file=something",
+			Code: 404,
+		},
+		{
+			URL:    "/rest/db/ignores?folder=default",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/db/need?folder=default",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/db/status?folder=default",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/db/browse?folder=default",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "null",
+		},
+
+		// /rest/stats
+		{
+			URL:    "/rest/stats/device",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "null",
+		},
+		{
+			URL:    "/rest/stats/folder",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "null",
+		},
+
+		// /rest/svc
+		{
+			URL:    "/rest/svc/deviceid?id=" + protocol.LocalDeviceID.String(),
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/svc/lang",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "[",
+		},
+		{
+			URL:     "/rest/svc/report",
+			Code:    200,
+			Type:    "application/json",
+			Prefix:  "{",
+			Timeout: 5 * time.Second,
+		},
+
+		// /rest/system
+		{
+			URL:    "/rest/system/browse?current=~",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "[",
+		},
+		{
+			URL:    "/rest/system/config",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/config/insync",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/connections",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "null",
+		},
+		{
+			URL:    "/rest/system/discovery",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/error?since=0",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/ping",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/status",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/version",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/debug",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/log?since=0",
+			Code:   200,
+			Type:   "application/json",
+			Prefix: "{",
+		},
+		{
+			URL:    "/rest/system/log.txt?since=0",
+			Code:   200,
+			Type:   "text/plain",
+			Prefix: "",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Log("Testing", tc.URL, "...")
+		testHTTPRequest(t, baseURL, tc, testAPIKey)
+	}
+}
+
+// testHTTPRequest tries the given test case, comparing the result code,
+// content type, and result prefix.
+func testHTTPRequest(t *testing.T, baseURL string, tc httpTestCase, apikey string) {
+	timeout := time.Second
+	if tc.Timeout > 0 {
+		timeout = tc.Timeout
+	}
+	cli := &http.Client{
+		Timeout: timeout,
+	}
+
+	req, err := http.NewRequest("GET", baseURL+tc.URL, nil)
+	if err != nil {
+		t.Errorf("Unexpected error requesting %s: %v", tc.URL, err)
+		return
+	}
+	req.Header.Set("X-API-Key", apikey)
+
+	resp, err := cli.Do(req)
+	if err != nil {
+		t.Errorf("Unexpected error requesting %s: %v", tc.URL, err)
+		return
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != tc.Code {
+		t.Errorf("Get on %s should have returned status code %d, not %s", tc.URL, tc.Code, resp.Status)
+		return
+	}
+
+	ct := resp.Header.Get("Content-Type")
+	if !strings.HasPrefix(ct, tc.Type) {
+		t.Errorf("The content type on %s should be %q, not %q", tc.URL, tc.Type, ct)
+		return
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Errorf("Unexpected error reading %s: %v", tc.URL, err)
+		return
+	}
+
+	if !bytes.HasPrefix(data, []byte(tc.Prefix)) {
+		t.Errorf("Returned data from %s does not have prefix %q: %s", tc.URL, tc.Prefix, data)
+		return
+	}
+}
+
+func TestHTTPLogin(t *testing.T) {
+	cfg := new(mockedConfig)
+	cfg.gui.User = "üser"
+	cfg.gui.Password = "$2a$10$IdIZTxTg/dCNuNEGlmLynOjqg4B1FvDKuIV5e0BB3pnWVHNb8.GSq" // bcrypt of "räksmörgås" in UTF-8
+	baseURL, err := startHTTP(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify rejection when not using authorization
+
+	req, _ := http.NewRequest("GET", baseURL, nil)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("Unexpected non-401 return code %d for unauthed request", resp.StatusCode)
+	}
+
+	// Verify that incorrect password is rejected
+
+	req.SetBasicAuth("üser", "rksmrgs")
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("Unexpected non-401 return code %d for incorrect password", resp.StatusCode)
+	}
+
+	// Verify that incorrect username is rejected
+
+	req.SetBasicAuth("user", "räksmörgås") // string literals in Go source code are in UTF-8
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("Unexpected non-401 return code %d for incorrect username", resp.StatusCode)
+	}
+
+	// Verify that UTF-8 auth works
+
+	req.SetBasicAuth("üser", "räksmörgås") // string literals in Go source code are in UTF-8
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("Unexpected non-200 return code %d for authed request (UTF-8)", resp.StatusCode)
+	}
+
+	// Verify that ISO-8859-1 auth
+
+	req.SetBasicAuth("\xfcser", "r\xe4ksm\xf6rg\xe5s") // escaped ISO-8859-1
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("Unexpected non-200 return code %d for authed request (ISO-8859-1)", resp.StatusCode)
+	}
+
+}
+
+func startHTTP(cfg *mockedConfig) (string, error) {
+	model := new(mockedModel)
+	httpsCertFile := "../../test/h1/https-cert.pem"
+	httpsKeyFile := "../../test/h1/https-key.pem"
+	assetDir := "../../gui"
+	eventSub := new(mockedEventSub)
+	discoverer := new(mockedCachingMux)
+	connections := new(mockedConnections)
+	errorLog := new(mockedLoggerRecorder)
+	systemLog := new(mockedLoggerRecorder)
+	addrChan := make(chan string)
+
+	// Instantiate the API service
+	svc := newAPIService(protocol.LocalDeviceID, cfg, httpsCertFile, httpsKeyFile, assetDir, model,
+		eventSub, discoverer, connections, errorLog, systemLog)
+	svc.started = addrChan
+
+	// Actually start the API service
+	supervisor := suture.NewSimple("API test")
+	supervisor.Add(svc)
+	supervisor.ServeBackground()
+
+	// Make sure the API service is listening, and get the URL to use.
+	addr := <-addrChan
+	tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
+	if err != nil {
+		return "", fmt.Errorf("Weird address from API service: %v", err)
+	}
+	baseURL := fmt.Sprintf("http://127.0.0.1:%d", tcpAddr.Port)
+
+	return baseURL, nil
+}
+
+func TestCSRFRequired(t *testing.T) {
+	const testAPIKey = "foobarbaz"
+	cfg := new(mockedConfig)
+	cfg.gui.APIKey = testAPIKey
+	baseURL, err := startHTTP(cfg)
+
+	cli := &http.Client{
+		Timeout: time.Second,
+	}
+
+	// Getting the base URL (i.e. "/") should succeed.
+
+	resp, err := cli.Get(baseURL)
+	if err != nil {
+		t.Fatal("Unexpected error from getting base URL:", err)
+	}
+	resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		t.Fatal("Getting base URL should succeed, not", resp.Status)
+	}
+
+	// Find the returned CSRF token for future use
+
+	var csrfTokenName, csrfTokenValue string
+	for _, cookie := range resp.Cookies() {
+		if strings.HasPrefix(cookie.Name, "CSRF-Token") {
+			csrfTokenName = cookie.Name
+			csrfTokenValue = cookie.Value
+			break
+		}
+	}
+
+	// Calling on /rest without a token should fail
+
+	resp, err = cli.Get(baseURL + "/rest/system/config")
+	if err != nil {
+		t.Fatal("Unexpected error from getting /rest/system/config:", err)
+	}
+	resp.Body.Close()
+	if resp.StatusCode != http.StatusForbidden {
+		t.Fatal("Getting /rest/system/config without CSRF token should fail, not", resp.Status)
+	}
+
+	// Calling on /rest with a token should succeed
+
+	req, _ := http.NewRequest("GET", baseURL+"/rest/system/config", nil)
+	req.Header.Set("X-"+csrfTokenName, csrfTokenValue)
+	resp, err = cli.Do(req)
+	if err != nil {
+		t.Fatal("Unexpected error from getting /rest/system/config:", err)
+	}
+	resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		t.Fatal("Getting /rest/system/config with CSRF token should succeed, not", resp.Status)
+	}
+
+	// Calling on /rest with the API key should succeed
+
+	req, _ = http.NewRequest("GET", baseURL+"/rest/system/config", nil)
+	req.Header.Set("X-API-Key", testAPIKey)
+	resp, err = cli.Do(req)
+	if err != nil {
+		t.Fatal("Unexpected error from getting /rest/system/config:", err)
+	}
+	resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		t.Fatal("Getting /rest/system/config with API key should succeed, not", resp.Status)
+	}
+}
+
+func TestRandomString(t *testing.T) {
+	const testAPIKey = "foobarbaz"
+	cfg := new(mockedConfig)
+	cfg.gui.APIKey = testAPIKey
+	baseURL, err := startHTTP(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	cli := &http.Client{
+		Timeout: time.Second,
+	}
+
+	// The default should be to return a 32 character random string
+
+	for _, url := range []string{"/rest/svc/random/string", "/rest/svc/random/string?length=-1", "/rest/svc/random/string?length=yo"} {
+		req, _ := http.NewRequest("GET", baseURL+url, nil)
+		req.Header.Set("X-API-Key", testAPIKey)
+		resp, err := cli.Do(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		var res map[string]string
+		if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
+			t.Fatal(err)
+		}
+		if len(res["random"]) != 32 {
+			t.Errorf("Expected 32 random characters, got %q of length %d", res["random"], len(res["random"]))
+		}
+	}
+
+	// We can ask for a different length if we like
+
+	req, _ := http.NewRequest("GET", baseURL+"/rest/svc/random/string?length=27", nil)
+	req.Header.Set("X-API-Key", testAPIKey)
+	resp, err := cli.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var res map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
+		t.Fatal(err)
+	}
+	if len(res["random"]) != 27 {
+		t.Errorf("Expected 27 random characters, got %q of length %d", res["random"], len(res["random"]))
+	}
+}
--- a/cmd/syncthing/gui_windows.go
+++ b/cmd/syncthing/gui_windows.go
@@ -42,6 +42,10 @@ func trackCPUUsage() {

 		curTime := time.Now().UnixNano()
 		timeDiff := curTime - prevTime
+		// This is sometimes 0, no clue why.
+		if timeDiff == 0 {
+			continue
+		}
 		curUsage := ktime.Nanoseconds() + utime.Nanoseconds()
 		usageDiff := curUsage - prevUsage
 		cpuUsageLock.Lock()
--- a/cmd/syncthing/locations.go
+++ b/cmd/syncthing/locations.go
@@ -48,7 +48,7 @@ var locations = map[locationEnum]string{
 	locKeyFile:       "${config}/key.pem",
 	locHTTPSCertFile: "${config}/https-cert.pem",
 	locHTTPSKeyFile:  "${config}/https-key.pem",
-	locDatabase:      "${config}/index-v0.11.0.db",
+	locDatabase:      "${config}/index-v0.13.0.db",
 	locLogFile:       "${config}/syncthing.log", // -logfile on Windows
 	locCsrfTokens:    "${config}/csrftokens.txt",
 	locPanicLog:      "${config}/panic-${timestamp}.log",
--- a/cmd/syncthing/main.go
+++ b/cmd/syncthing/main.go
@@ -20,6 +20,7 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -40,7 +41,7 @@ import (
 	"github.com/syncthing/syncthing/lib/model"
 	"github.com/syncthing/syncthing/lib/osutil"
 	"github.com/syncthing/syncthing/lib/protocol"
-	"github.com/syncthing/syncthing/lib/relay"
+	"github.com/syncthing/syncthing/lib/rand"
 	"github.com/syncthing/syncthing/lib/symlinks"
 	"github.com/syncthing/syncthing/lib/tlsutil"
 	"github.com/syncthing/syncthing/lib/upgrade"
@@ -49,15 +50,16 @@ import (
 )

 var (
-	Version     = "unknown-dev"
-	Codename    = "Beryllium Bedbug"
-	BuildStamp  = "0"
-	BuildDate   time.Time
-	BuildHost   = "unknown"
-	BuildUser   = "unknown"
-	IsRelease   bool
-	IsBeta      bool
-	LongVersion string
+	Version           = "unknown-dev"
+	Codename          = "Copper Cockroach"
+	BuildStamp        = "0"
+	BuildDate         time.Time
+	BuildHost         = "unknown"
+	BuildUser         = "unknown"
+	IsRelease         bool
+	IsBeta            bool
+	LongVersion       string
+	allowedVersionExp = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[a-z0-9]+)*(\.\d+)*(\+\d+-g[0-9a-f]+)?(-[^\s]+)?$`)
 )

 const (
@@ -89,9 +91,8 @@ const (
 func init() {
 	if Version != "unknown-dev" {
 		// If not a generic dev build, version string should come from git describe
-		exp := regexp.MustCompile(`^v\d+\.\d+\.\d+(-[a-z0-9]+)*(\+\d+-g[0-9a-f]+)?(-dirty)?$`)
-		if !exp.MatchString(Version) {
-			l.Fatalf("Invalid version string %q;\n\tdoes not match regexp %v", Version, exp)
+		if !allowedVersionExp.MatchString(Version) {
+			l.Fatalf("Invalid version string %q;\n\tdoes not match regexp %v", Version, allowedVersionExp)
 		}
 	}

@@ -115,18 +116,12 @@ func init() {
 var (
 	myID protocol.DeviceID
 	stop = make(chan int)
-	cert tls.Certificate
 	lans []*net.IPNet
 )

 const (
 	usage      = "syncthing [options]"
 	extraUsage = `
-The default configuration directory is:
-
-  %s
-
-
 The -logflags value is a sum of the following:

   1  Date
@@ -146,34 +141,38 @@ Development Settings
 The following environment variables modify syncthing's behavior in ways that
 are mostly useful for developers. Use with care.

- STGUIASSETS     Directory to load GUI assets from. Overrides compiled in
-                 assets.
+ STNODEFAULTFOLDER Don't create a default folder when starting for the first
+                   time.  This variable will be ignored anytime after the first
+                   run.

- STTRACE         A comma separated string of facilities to trace. The valid
-                 facility strings listed below.
+ STGUIASSETS       Directory to load GUI assets from. Overrides compiled in
+                   assets.

- STPROFILER      Set to a listen address such as "127.0.0.1:9090" to start the
-                 profiler with HTTP access.
+ STTRACE           A comma separated string of facilities to trace. The valid
+                   facility strings listed below.

- STCPUPROFILE    Write a CPU profile to cpu-$pid.pprof on exit.
+ STPROFILER        Set to a listen address such as "127.0.0.1:9090" to start the
+                   profiler with HTTP access.

- STHEAPPROFILE   Write heap profiles to heap-$pid-$timestamp.pprof each time
-                 heap usage increases.
+ STCPUPROFILE      Write a CPU profile to cpu-$pid.pprof on exit.

- STBLOCKPROFILE  Write block profiles to block-$pid-$timestamp.pprof every 20
-                 seconds.
+ STHEAPPROFILE     Write heap profiles to heap-$pid-$timestamp.pprof each time
+                   heap usage increases.

- STPERFSTATS     Write running performance statistics to perf-$pid.csv. Not
-                 supported on Windows.
+ STBLOCKPROFILE    Write block profiles to block-$pid-$timestamp.pprof every 20
+                   seconds.

- STNOUPGRADE     Disable automatic upgrades.
+ STPERFSTATS       Write running performance statistics to perf-$pid.csv. Not
+                   supported on Windows.

- GOMAXPROCS      Set the maximum number of CPU cores to use. Defaults to all
-                 available CPU cores.
+ STNOUPGRADE       Disable automatic upgrades.

- GOGC            Percentage of heap growth at which to trigger GC. Default is
-                 100. Lower numbers keep peak memory usage down, at the price
-                 of CPU usage (ie. performance).
+ GOMAXPROCS        Set the maximum number of CPU cores to use. Defaults to all
+                   available CPU cores.
+
+ GOGC              Percentage of heap growth at which to trigger GC. Default is
+                   100. Lower numbers keep peak memory usage down, at the price
+                   of CPU usage (ie. performance).


 Debugging Facilities
@@ -186,14 +185,16 @@ The following are valid values for the STTRACE variable:

 // Environment options
 var (
-	noUpgrade    = os.Getenv("STNOUPGRADE") != ""
-	innerProcess = os.Getenv("STNORESTART") != "" || os.Getenv("STMONITORED") != ""
+	noUpgrade       = os.Getenv("STNOUPGRADE") != ""
+	innerProcess    = os.Getenv("STNORESTART") != "" || os.Getenv("STMONITORED") != ""
+	noDefaultFolder = os.Getenv("STNODEFAULTFOLDER") != ""
 )

 type RuntimeOptions struct {
 	confDir        string
 	reset          bool
 	showVersion    bool
+	showPaths      bool
 	doUpgrade      bool
 	doUpgradeCheck bool
 	upgradeTo      string
@@ -255,6 +256,7 @@ func parseCommandLineOptions() RuntimeOptions {
 	flag.BoolVar(&options.doUpgrade, "upgrade", false, "Perform upgrade")
 	flag.BoolVar(&options.doUpgradeCheck, "upgrade-check", false, "Check for available upgrade")
 	flag.BoolVar(&options.showVersion, "version", false, "Show version")
+	flag.BoolVar(&options.showPaths, "paths", false, "Show configuration paths")
 	flag.StringVar(&options.upgradeTo, "upgrade-to", options.upgradeTo, "Force upgrade directly from specified URL")
 	flag.BoolVar(&options.auditEnabled, "audit", false, "Write events to audit file")
 	flag.BoolVar(&options.verbose, "verbose", false, "Print verbose log output")
@@ -265,7 +267,7 @@ func parseCommandLineOptions() RuntimeOptions {
 		flag.BoolVar(&options.hideConsole, "no-console", false, "Hide console window")
 	}

-	longUsage := fmt.Sprintf(extraUsage, baseDirs["config"], debugFacilities())
+	longUsage := fmt.Sprintf(extraUsage, debugFacilities())
 	flag.Usage = usageFor(flag.CommandLine, usage, longUsage)
 	flag.Parse()

@@ -315,6 +317,11 @@ func main() {
 		return
 	}

+	if options.showPaths {
+		showPaths()
+		return
+	}
+
 	if options.browserOnly {
 		openGUI()
 		return
@@ -333,7 +340,7 @@ func main() {
 		if err != nil {
 			l.Fatalln("Upgrade:", err) // exits 1
 		}
-		l.Okln("Upgraded from", options.upgradeTo)
+		l.Infoln("Upgraded from", options.upgradeTo)
 		return
 	}

@@ -457,23 +464,28 @@ func performUpgrade(release upgrade.Release) {
 		if err != nil {
 			l.Fatalln("Upgrade:", err)
 		}
-		l.Okf("Upgraded to %q", release.Tag)
+		l.Infof("Upgraded to %q", release.Tag)
 	} else {
 		l.Infoln("Attempting upgrade through running Syncthing...")
 		err = upgradeViaRest()
 		if err != nil {
 			l.Fatalln("Upgrade:", err)
 		}
-		l.Okln("Syncthing upgrading")
+		l.Infoln("Syncthing upgrading")
 		os.Exit(exitUpgrading)
 	}
 }

 func upgradeViaRest() error {
 	cfg, _ := loadConfig()
-	target := cfg.GUI().URL()
-	r, _ := http.NewRequest("POST", target+"/rest/system/upgrade", nil)
-	r.Header.Set("X-API-Key", cfg.GUI().APIKey())
+	u, err := url.Parse(cfg.GUI().URL())
+	if err != nil {
+		return err
+	}
+	u.Path = path.Join(u.Path, "rest/system/upgrade")
+	target := u.String()
+	r, _ := http.NewRequest("POST", target, nil)
+	r.Header.Set("X-API-Key", cfg.GUI().APIKey)

 	tr := &http.Transport{
 		Dial:            dialer.Dial,
@@ -527,8 +539,9 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 	errors := logger.NewRecorder(l, logger.LevelWarn, maxSystemErrors, 0)
 	systemLog := logger.NewRecorder(l, logger.LevelDebug, maxSystemLog, initialSystemLog)

-	// Event subscription for the API; must start early to catch the early events.
-	apiSub := events.NewBufferedSubscription(events.Default.Subscribe(events.AllEvents), 1000)
+	// Event subscription for the API; must start early to catch the early events.  The LocalDiskUpdated
+	// event might overwhelm the event reciever in some situations so we will not subscribe to it here.
+	apiSub := events.NewBufferedSubscription(events.Default.Subscribe(events.AllEvents&^events.LocalChangeDetected), 1000)

 	if len(os.Getenv("GOMAXPROCS")) == 0 {
 		runtime.GOMAXPROCS(runtime.NumCPU())
@@ -549,10 +562,6 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 		}
 	}

-	// We reinitialize the predictable RNG with our device ID, to get a
-	// sequence that is always the same but unique to this syncthing instance.
-	predictableRandom.Seed(seedFromBytes(cert.Certificate[0]))
-
 	myID = protocol.NewDeviceID(cert.Certificate[0])
 	l.SetPrefix(fmt.Sprintf("[%s] ", myID.String()[:5]))

@@ -633,6 +642,7 @@ func syncthingMain(runtimeOptions RuntimeOptions) {

 	dbFile := locations[locDatabase]
 	ldb, err := db.Open(dbFile)
+
 	if err != nil {
 		l.Fatalln("Cannot open database:", err, "- Is another copy of Syncthing already running?")
 	}
@@ -653,13 +663,6 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 		}
 	}

-	// Pack and optimize the database
-	if err := ldb.Compact(); err != nil {
-		// I don't think this is fatal, but who knows. If it is, we'll surely
-		// get an error when trying to write to the db later.
-		l.Infoln("Compacting database:", err)
-	}
-
 	m := model.NewModel(cfg, myID, myDeviceName(cfg), "syncthing", Version, ldb, protectedFiles)
 	cfg.Subscribe(m)

@@ -689,63 +692,25 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 			}
 			m.Index(device, folderCfg.ID, nil, 0, nil)
 		}
-		// Routine to pull blocks from other devices to synchronize the local
-		// folder. Does not run when we are in read only (publish only) mode.
-		if folderCfg.ReadOnly {
-			m.StartFolderRO(folderCfg.ID)
-		} else {
-			m.StartFolderRW(folderCfg.ID)
-		}
+		m.StartFolder(folderCfg.ID)
 	}

 	mainService.Add(m)

-	// The default port we announce, possibly modified by setupUPnP next.
-
-	uri, err := url.Parse(opts.ListenAddress[0])
-	if err != nil {
-		l.Fatalf("Failed to parse listen address %s: %v", opts.ListenAddress[0], err)
-	}
-
-	addr, err := net.ResolveTCPAddr("tcp", uri.Host)
-	if err != nil {
-		l.Fatalln("Bad listen address:", err)
-	}
-
-	// The externalAddr tracks our external addresses for discovery purposes.
-
-	var addrList *addressLister
-
-	// Start UPnP
-
-	if opts.UPnPEnabled {
-		upnpService := newUPnPService(cfg, addr.Port)
-		mainService.Add(upnpService)
-
-		// The external address tracker needs to know about the UPnP service
-		// so it can check for an external mapped port.
-		addrList = newAddressLister(upnpService, cfg)
-	} else {
-		addrList = newAddressLister(nil, cfg)
-	}
-
-	// Start relay management
-
-	var relayService *relay.Service
-	if opts.RelaysEnabled && (opts.GlobalAnnEnabled || opts.RelayWithoutGlobalAnn) {
-		relayService = relay.NewService(cfg, tlsCfg)
-		mainService.Add(relayService)
-	}
-
 	// Start discovery

 	cachedDiscovery := discover.NewCachingMux()
 	mainService.Add(cachedDiscovery)

+	// Start connection management
+
+	connectionsService := connections.NewService(cfg, myID, m, tlsCfg, cachedDiscovery, bepProtocolName, tlsDefaultCommonName, lans)
+	mainService.Add(connectionsService)
+
 	if cfg.Options().GlobalAnnEnabled {
 		for _, srv := range cfg.GlobalDiscoveryServers() {
 			l.Infoln("Using discovery server", srv)
-			gd, err := discover.NewGlobal(srv, cert, addrList, relayService)
+			gd, err := discover.NewGlobal(srv, cert, connectionsService)
 			if err != nil {
 				l.Warnln("Global discovery:", err)
 				continue
@@ -760,14 +725,14 @@ func syncthingMain(runtimeOptions RuntimeOptions) {

 	if cfg.Options().LocalAnnEnabled {
 		// v4 broadcasts
-		bcd, err := discover.NewLocal(myID, fmt.Sprintf(":%d", cfg.Options().LocalAnnPort), addrList, relayService)
+		bcd, err := discover.NewLocal(myID, fmt.Sprintf(":%d", cfg.Options().LocalAnnPort), connectionsService)
 		if err != nil {
 			l.Warnln("IPv4 local discovery:", err)
 		} else {
 			cachedDiscovery.Add(bcd, 0, 0, ipv4LocalDiscoveryPriority)
 		}
 		// v6 multicasts
-		mcd, err := discover.NewLocal(myID, cfg.Options().LocalAnnMCAddr, addrList, relayService)
+		mcd, err := discover.NewLocal(myID, cfg.Options().LocalAnnMCAddr, connectionsService)
 		if err != nil {
 			l.Warnln("IPv6 local discovery:", err)
 		} else {
@@ -777,12 +742,7 @@ func syncthingMain(runtimeOptions RuntimeOptions) {

 	// GUI

-	setupGUI(mainService, cfg, m, apiSub, cachedDiscovery, relayService, errors, systemLog, runtimeOptions)
-
-	// Start connection management
-
-	connectionService := connections.NewConnectionService(cfg, myID, m, tlsCfg, cachedDiscovery, relayService, bepProtocolName, tlsDefaultCommonName, lans)
-	mainService.Add(connectionService)
+	setupGUI(mainService, cfg, m, apiSub, cachedDiscovery, connectionsService, errors, systemLog, runtimeOptions)

 	if runtimeOptions.cpuProfile {
 		f, err := os.Create(fmt.Sprintf("cpu-%d.pprof", os.Getpid()))
@@ -808,7 +768,7 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 		if opts.URUniqueID == "" {
 			// Previously the ID was generated from the node ID. We now need
 			// to generate a new one.
-			opts.URUniqueID = randomString(8)
+			opts.URUniqueID = rand.String(8)
 			cfg.SetOptions(opts)
 			cfg.Save()
 		}
@@ -826,10 +786,8 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 	if opts.AutoUpgradeIntervalH > 0 {
 		if noUpgrade {
 			l.Infof("No automatic upgrades; STNOUPGRADE environment variable defined.")
-		} else if IsRelease {
-			go autoUpgrade(cfg)
 		} else {
-			l.Infof("No automatic upgrades; %s is not a release version.", Version)
+			go autoUpgrade(cfg)
 		}
 	}

@@ -844,7 +802,7 @@ func syncthingMain(runtimeOptions RuntimeOptions) {

 	mainService.Stop()

-	l.Okln("Exiting")
+	l.Infoln("Exiting")

 	if runtimeOptions.cpuProfile {
 		pprof.StopCPUProfile()
@@ -964,7 +922,7 @@ func startAuditing(mainService *suture.Supervisor) {
 	l.Infoln("Audit log in", auditFile)
 }

-func setupGUI(mainService *suture.Supervisor, cfg *config.Wrapper, m *model.Model, apiSub *events.BufferedSubscription, discoverer *discover.CachingMux, relayService *relay.Service, errors, systemLog *logger.Recorder, runtimeOptions RuntimeOptions) {
+func setupGUI(mainService *suture.Supervisor, cfg *config.Wrapper, m *model.Model, apiSub events.BufferedSubscription, discoverer discover.CachingMux, connectionsService *connections.Service, errors, systemLog logger.Recorder, runtimeOptions RuntimeOptions) {
 	guiCfg := cfg.GUI()

 	if !guiCfg.Enabled {
@@ -975,10 +933,7 @@ func setupGUI(mainService *suture.Supervisor, cfg *config.Wrapper, m *model.Mode
 		l.Warnln("Insecure admin access is enabled.")
 	}

-	api, err := newAPIService(myID, cfg, runtimeOptions.assetDir, m, apiSub, discoverer, relayService, errors, systemLog)
-	if err != nil {
-		l.Fatalln("Cannot start GUI:", err)
-	}
+	api := newAPIService(myID, cfg, locations[locHTTPSCertFile], locations[locHTTPSKeyFile], runtimeOptions.assetDir, m, apiSub, discoverer, connectionsService, errors, systemLog)
 	cfg.Subscribe(api)
 	mainService.Add(api)

@@ -990,18 +945,29 @@ func setupGUI(mainService *suture.Supervisor, cfg *config.Wrapper, m *model.Mode
 }

 func defaultConfig(myName string) config.Configuration {
-	defaultFolder := config.NewFolderConfiguration("default", locations[locDefFolder])
-	defaultFolder.RescanIntervalS = 60
-	defaultFolder.MinDiskFreePct = 1
-	defaultFolder.Devices = []config.FolderDeviceConfiguration{{DeviceID: myID}}
-	defaultFolder.AutoNormalize = true
-	defaultFolder.MaxConflicts = -1
+	var defaultFolder config.FolderConfiguration
+
+	if !noDefaultFolder {
+		l.Infoln("Default folder created and/or linked to new config")
+		folderID := rand.String(5) + "-" + rand.String(5)
+		defaultFolder = config.NewFolderConfiguration(folderID, locations[locDefFolder])
+		defaultFolder.Label = "Default Folder (" + folderID + ")"
+		defaultFolder.RescanIntervalS = 60
+		defaultFolder.MinDiskFreePct = 1
+		defaultFolder.Devices = []config.FolderDeviceConfiguration{{DeviceID: myID}}
+		defaultFolder.AutoNormalize = true
+		defaultFolder.MaxConflicts = -1
+	} else {
+		l.Infoln("We will skip creation of a default folder on first start since the proper envvar is set")
+	}

 	thisDevice := config.NewDeviceConfiguration(myID, myName)
 	thisDevice.Addresses = []string{"dynamic"}

 	newCfg := config.New(myID)
-	newCfg.Folders = []config.FolderConfiguration{defaultFolder}
+	if !noDefaultFolder {
+		newCfg.Folders = []config.FolderConfiguration{defaultFolder}
+	}
 	newCfg.Devices = []config.DeviceConfiguration{thisDevice}

 	port, err := getFreePort("127.0.0.1", 8384)
@@ -1014,7 +980,15 @@ func defaultConfig(myName string) config.Configuration {
 	if err != nil {
 		l.Fatalln("get free port (BEP):", err)
 	}
-	newCfg.Options.ListenAddress = []string{fmt.Sprintf("tcp://0.0.0.0:%d", port)}
+	if port == 22000 {
+		newCfg.Options.ListenAddresses = []string{"default"}
+	} else {
+		newCfg.Options.ListenAddresses = []string{
+			fmt.Sprintf("tcp://%s", net.JoinHostPort("0.0.0.0", strconv.Itoa(port))),
+			"dynamic+https://relays.syncthing.net/endpoint",
+		}
+	}
+
 	return newCfg
 }

@@ -1153,12 +1127,13 @@ func autoUpgrade(cfg *config.Wrapper) {
 // suitable time after they have gone out of fashion.
 func cleanConfigDirectory() {
 	patterns := map[string]time.Duration{
-		"panic-*.log":    7 * 24 * time.Hour,  // keep panic logs for a week
-		"audit-*.log":    7 * 24 * time.Hour,  // keep audit logs for a week
-		"index":          14 * 24 * time.Hour, // keep old index format for two weeks
-		"config.xml.v*":  30 * 24 * time.Hour, // old config versions for a month
-		"*.idx.gz":       30 * 24 * time.Hour, // these should for sure no longer exist
-		"backup-of-v0.8": 30 * 24 * time.Hour, // these neither
+		"panic-*.log":      7 * 24 * time.Hour,  // keep panic logs for a week
+		"audit-*.log":      7 * 24 * time.Hour,  // keep audit logs for a week
+		"index":            14 * 24 * time.Hour, // keep old index format for two weeks
+		"index*.converted": 14 * 24 * time.Hour, // keep old converted indexes for two weeks
+		"config.xml.v*":    30 * 24 * time.Hour, // old config versions for a month
+		"*.idx.gz":         30 * 24 * time.Hour, // these should for sure no longer exist
+		"backup-of-v0.8":   30 * 24 * time.Hour, // these neither
 	}

 	for pat, dur := range patterns {
@@ -1191,7 +1166,7 @@ func cleanConfigDirectory() {
 // short ID:s; that is, that the devices in the cluster all have unique
 // initial 64 bits.
 func checkShortIDs(cfg *config.Wrapper) error {
-	exists := make(map[uint64]protocol.DeviceID)
+	exists := make(map[protocol.ShortID]protocol.DeviceID)
 	for deviceID := range cfg.Devices() {
 		shortID := deviceID.Short()
 		if otherID, ok := exists[shortID]; ok {
@@ -1201,3 +1176,13 @@ func checkShortIDs(cfg *config.Wrapper) error {
 	}
 	return nil
 }
+
+func showPaths() {
+	fmt.Printf("Configuration file:\n\t%s\n\n", locations[locConfigFile])
+	fmt.Printf("Database directory:\n\t%s\n\n", locations[locDatabase])
+	fmt.Printf("Device private key & certificate files:\n\t%s\n\t%s\n\n", locations[locKeyFile], locations[locCertFile])
+	fmt.Printf("HTTPS private key & certificate files:\n\t%s\n\t%s\n\n", locations[locHTTPSKeyFile], locations[locHTTPSCertFile])
+	fmt.Printf("Log file:\n\t%s\n\n", locations[locLogFile])
+	fmt.Printf("GUI override directory:\n\t%s\n\n", locations[locGUIAssets])
+	fmt.Printf("Default sync folder directory:\n\t%s\n\n", locations[locDefFolder])
+}
--- a/cmd/syncthing/main_test.go
+++ b/cmd/syncthing/main_test.go
@@ -175,3 +175,29 @@ func TestShortIDCheck(t *testing.T) {
 		t.Error("Should have gotten an error")
 	}
 }
+
+func TestAllowedVersions(t *testing.T) {
+	testcases := []struct {
+		ver     string
+		allowed bool
+	}{
+		{"v0.13.0", true},
+		{"v0.12.11+22-gabcdef0", true},
+		{"v0.13.0-beta0", true},
+		{"v0.13.0-beta47", true},
+		{"v0.13.0-beta47+1-gabcdef0", true},
+		{"v0.13.0-beta.0", true},
+		{"v0.13.0-beta.47", true},
+		{"v0.13.0-beta.0+1-gabcdef0", true},
+		{"v0.13.0-beta.47+1-gabcdef0", true},
+		{"v0.13.0-some-weird-but-allowed-tag", true},
+		{"v0.13.0-allowed.to.do.this", true},
+		{"v0.13.0+not.allowed.to.do.this", false},
+	}
+
+	for i, c := range testcases {
+		if allowed := allowedVersionExp.MatchString(c.ver); allowed != c.allowed {
+			t.Errorf("%d: incorrect result %v != %v for %q", i, allowed, c.allowed, c.ver)
+		}
+	}
+}
--- a/cmd/syncthing/mocked_config_test.go
+++ b/cmd/syncthing/mocked_config_test.go
@@ -0,0 +1,50 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"github.com/syncthing/syncthing/lib/config"
+	"github.com/syncthing/syncthing/lib/protocol"
+)
+
+type mockedConfig struct {
+	gui config.GUIConfiguration
+}
+
+func (c *mockedConfig) GUI() config.GUIConfiguration {
+	return c.gui
+}
+
+func (c *mockedConfig) ListenAddresses() []string {
+	return nil
+}
+
+func (c *mockedConfig) Raw() config.Configuration {
+	return config.Configuration{}
+}
+
+func (c *mockedConfig) Options() config.OptionsConfiguration {
+	return config.OptionsConfiguration{}
+}
+
+func (c *mockedConfig) Replace(cfg config.Configuration) config.CommitResponse {
+	return config.CommitResponse{}
+}
+
+func (c *mockedConfig) Subscribe(cm config.Committer) {}
+
+func (c *mockedConfig) Folders() map[string]config.FolderConfiguration {
+	return nil
+}
+
+func (c *mockedConfig) Devices() map[protocol.DeviceID]config.DeviceConfiguration {
+	return nil
+}
+
+func (c *mockedConfig) Save() error {
+	return nil
+}
--- a/cmd/syncthing/mocked_connections_test.go
+++ b/cmd/syncthing/mocked_connections_test.go
@@ -0,0 +1,13 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+type mockedConnections struct{}
+
+func (m *mockedConnections) Status() map[string]interface{} {
+	return nil
+}
--- a/cmd/syncthing/mocked_discovery_test.go
+++ b/cmd/syncthing/mocked_discovery_test.go
@@ -0,0 +1,52 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"time"
+
+	"github.com/syncthing/syncthing/lib/discover"
+	"github.com/syncthing/syncthing/lib/protocol"
+)
+
+type mockedCachingMux struct{}
+
+// from suture.Service
+
+func (m *mockedCachingMux) Serve() {
+	select {}
+}
+
+func (m *mockedCachingMux) Stop() {
+}
+
+// from events.Finder
+
+func (m *mockedCachingMux) Lookup(deviceID protocol.DeviceID) (direct []string, err error) {
+	return nil, nil
+}
+
+func (m *mockedCachingMux) Error() error {
+	return nil
+}
+
+func (m *mockedCachingMux) String() string {
+	return "mockedCachingMux"
+}
+
+func (m *mockedCachingMux) Cache() map[protocol.DeviceID]discover.CacheEntry {
+	return nil
+}
+
+// from events.CachingMux
+
+func (m *mockedCachingMux) Add(finder discover.Finder, cacheTime, negCacheTime time.Duration, priority int) {
+}
+
+func (m *mockedCachingMux) ChildErrors() map[string]error {
+	return nil
+}
--- a/cmd/syncthing/mocked_events_test.go
+++ b/cmd/syncthing/mocked_events_test.go
@@ -0,0 +1,15 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import "github.com/syncthing/syncthing/lib/events"
+
+type mockedEventSub struct{}
+
+func (s *mockedEventSub) Since(id int, into []events.Event) []events.Event {
+	select {}
+}
--- a/cmd/syncthing/mocked_logger_test.go
+++ b/cmd/syncthing/mocked_logger_test.go
@@ -0,0 +1,26 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"time"
+
+	"github.com/syncthing/syncthing/lib/logger"
+)
+
+type mockedLoggerRecorder struct{}
+
+func (r *mockedLoggerRecorder) Since(t time.Time) []logger.Line {
+	return []logger.Line{
+		{
+			When:    time.Now(),
+			Message: "Test message",
+		},
+	}
+}
+
+func (r *mockedLoggerRecorder) Clear() {}
--- a/cmd/syncthing/mocked_model_test.go
+++ b/cmd/syncthing/mocked_model_test.go
@@ -0,0 +1,116 @@
+// Copyright (C) 2016 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package main
+
+import (
+	"time"
+
+	"github.com/syncthing/syncthing/lib/db"
+	"github.com/syncthing/syncthing/lib/model"
+	"github.com/syncthing/syncthing/lib/protocol"
+	"github.com/syncthing/syncthing/lib/stats"
+)
+
+type mockedModel struct{}
+
+func (m *mockedModel) GlobalDirectoryTree(folder, prefix string, levels int, dirsonly bool) map[string]interface{} {
+	return nil
+}
+
+func (m *mockedModel) Completion(device protocol.DeviceID, folder string) float64 {
+	return 0
+}
+
+func (m *mockedModel) Override(folder string) {}
+
+func (m *mockedModel) NeedFolderFiles(folder string, page, perpage int) ([]db.FileInfoTruncated, []db.FileInfoTruncated, []db.FileInfoTruncated, int) {
+	return nil, nil, nil, 0
+}
+
+func (m *mockedModel) NeedSize(folder string) (nfiles int, bytes int64) {
+	return 0, 0
+}
+
+func (m *mockedModel) ConnectionStats() map[string]interface{} {
+	return nil
+}
+
+func (m *mockedModel) DeviceStatistics() map[string]stats.DeviceStatistics {
+	return nil
+}
+
+func (m *mockedModel) FolderStatistics() map[string]stats.FolderStatistics {
+	return nil
+}
+
+func (m *mockedModel) CurrentFolderFile(folder string, file string) (protocol.FileInfo, bool) {
+	return protocol.FileInfo{}, false
+}
+
+func (m *mockedModel) CurrentGlobalFile(folder string, file string) (protocol.FileInfo, bool) {
+	return protocol.FileInfo{}, false
+}
+
+func (m *mockedModel) ResetFolder(folder string) {
+}
+
+func (m *mockedModel) Availability(folder, file string, version protocol.Vector, block protocol.BlockInfo) []model.Availability {
+	return nil
+}
+
+func (m *mockedModel) GetIgnores(folder string) ([]string, []string, error) {
+	return nil, nil, nil
+}
+
+func (m *mockedModel) SetIgnores(folder string, content []string) error {
+	return nil
+}
+
+func (m *mockedModel) PauseDevice(device protocol.DeviceID) {
+}
+
+func (m *mockedModel) ResumeDevice(device protocol.DeviceID) {}
+
+func (m *mockedModel) DelayScan(folder string, next time.Duration) {}
+
+func (m *mockedModel) ScanFolder(folder string) error {
+	return nil
+}
+
+func (m *mockedModel) ScanFolders() map[string]error {
+	return nil
+}
+
+func (m *mockedModel) ScanFolderSubs(folder string, subs []string) error {
+	return nil
+}
+
+func (m *mockedModel) BringToFront(folder, file string) {}
+
+func (m *mockedModel) ConnectedTo(deviceID protocol.DeviceID) bool {
+	return false
+}
+
+func (m *mockedModel) GlobalSize(folder string) (nfiles, deleted int, bytes int64) {
+	return 0, 0, 0
+}
+
+func (m *mockedModel) LocalSize(folder string) (nfiles, deleted int, bytes int64) {
+	return 0, 0, 0
+}
+
+func (m *mockedModel) CurrentLocalVersion(folder string) (int64, bool) {
+	return 0, false
+}
+
+func (m *mockedModel) RemoteLocalVersion(folder string) (int64, bool) {
+	return 0, false
+}
+
+func (m *mockedModel) State(folder string) (string, time.Time, error) {
+	return "", time.Time{}, nil
+}
--- a/cmd/syncthing/random.go
+++ b/cmd/syncthing/random.go
@@ -1,59 +0,0 @@
-// Copyright (C) 2014 The Syncthing Authors.
-//
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this file,
-// You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package main
-
-import (
-	"crypto/md5"
-	cryptoRand "crypto/rand"
-	"encoding/binary"
-	"io"
-	mathRand "math/rand"
-)
-
-// randomCharset contains the characters that can make up a randomString().
-const randomCharset = "01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-"
-
-// predictableRandom is an RNG that will always have the same sequence. It
-// will be seeded with the device ID during startup, so that the sequence is
-// predictable but varies between instances.
-var predictableRandom = mathRand.New(mathRand.NewSource(42))
-
-func init() {
-	// The default RNG should be seeded with something good.
-	mathRand.Seed(randomInt64())
-}
-
-// randomString returns a string of random characters (taken from
-// randomCharset) of the specified length.
-func randomString(l int) string {
-	bs := make([]byte, l)
-	for i := range bs {
-		bs[i] = randomCharset[mathRand.Intn(len(randomCharset))]
-	}
-	return string(bs)
-}
-
-// randomInt64 returns a strongly random int64, slowly
-func randomInt64() int64 {
-	var bs [8]byte
-	_, err := io.ReadFull(cryptoRand.Reader, bs[:])
-	if err != nil {
-		panic("randomness failure: " + err.Error())
-	}
-	return seedFromBytes(bs[:])
-}
-
-// seedFromBytes calculates a weak 64 bit hash from the given byte slice,
-// suitable for use a predictable random seed.
-func seedFromBytes(bs []byte) int64 {
-	h := md5.New()
-	h.Write(bs)
-	s := h.Sum(nil)
-	// The MD5 hash of the byte slice is 16 bytes long. We interpret it as two
-	// uint64s and XOR them together.
-	return int64(binary.BigEndian.Uint64(s[0:]) ^ binary.BigEndian.Uint64(s[8:]))
-}
--- a/cmd/syncthing/summaryservice.go
+++ b/cmd/syncthing/summaryservice.go
@@ -9,9 +9,7 @@ package main
 import (
 	"time"

-	"github.com/syncthing/syncthing/lib/config"
 	"github.com/syncthing/syncthing/lib/events"
-	"github.com/syncthing/syncthing/lib/model"
 	"github.com/syncthing/syncthing/lib/sync"
 	"github.com/thejerf/suture"
 )
@@ -21,8 +19,8 @@ import (
 type folderSummaryService struct {
 	*suture.Supervisor

-	cfg       *config.Wrapper
-	model     *model.Model
+	cfg       configIntf
+	model     modelIntf
 	stop      chan struct{}
 	immediate chan string

@@ -35,7 +33,7 @@ type folderSummaryService struct {
 	lastEventReqMut sync.Mutex
 }

-func newFolderSummaryService(cfg *config.Wrapper, m *model.Model) *folderSummaryService {
+func newFolderSummaryService(cfg configIntf, m modelIntf) *folderSummaryService {
 	service := &folderSummaryService{
 		Supervisor:      suture.NewSimple("folderSummaryService"),
 		cfg:             cfg,
@@ -61,7 +59,7 @@ func (c *folderSummaryService) Stop() {
 // listenForUpdates subscribes to the event bus and makes note of folders that
 // need their data recalculated.
 func (c *folderSummaryService) listenForUpdates() {
-	sub := events.Default.Subscribe(events.LocalIndexUpdated | events.RemoteIndexUpdated | events.StateChanged)
+	sub := events.Default.Subscribe(events.LocalIndexUpdated | events.RemoteIndexUpdated | events.StateChanged | events.RemoteDownloadProgress)
 	defer events.Default.Unsubscribe(sub)

 	for {
--- a/cmd/syncthing/testdata/default/a
+++ b/cmd/syncthing/testdata/default/a
@@ -0,0 +1 @@
+overridden-default
--- a/cmd/syncthing/testdata/default/b
+++ b/cmd/syncthing/testdata/default/b
@@ -0,0 +1 @@
+overridden-default
--- a/cmd/syncthing/testdata/default/d
+++ b/cmd/syncthing/testdata/default/d
@@ -0,0 +1 @@
+overridden-default
--- a/cmd/syncthing/testdata/foo/a
+++ b/cmd/syncthing/testdata/foo/a
@@ -0,0 +1 @@
+overridden-foo
--- a/cmd/syncthing/upnpservice.go
+++ b/cmd/syncthing/upnpservice.go
@@ -1,132 +0,0 @@
-// Copyright (C) 2015 The Syncthing Authors.
-//
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this file,
-// You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package main
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/syncthing/syncthing/lib/config"
-	"github.com/syncthing/syncthing/lib/events"
-	"github.com/syncthing/syncthing/lib/sync"
-	"github.com/syncthing/syncthing/lib/upnp"
-)
-
-// The UPnP service runs a loop for discovery of IGDs (Internet Gateway
-// Devices) and setup/renewal of a port mapping.
-type upnpService struct {
-	cfg        *config.Wrapper
-	localPort  int
-	extPort    int
-	extPortMut sync.Mutex
-	stop       chan struct{}
-}
-
-func newUPnPService(cfg *config.Wrapper, localPort int) *upnpService {
-	return &upnpService{
-		cfg:        cfg,
-		localPort:  localPort,
-		extPortMut: sync.NewMutex(),
-	}
-}
-
-func (s *upnpService) Serve() {
-	foundIGD := true
-	s.stop = make(chan struct{})
-
-	for {
-		igds := upnp.Discover(time.Duration(s.cfg.Options().UPnPTimeoutS) * time.Second)
-		if len(igds) > 0 {
-			foundIGD = true
-			s.extPortMut.Lock()
-			oldExtPort := s.extPort
-			s.extPortMut.Unlock()
-
-			newExtPort := s.tryIGDs(igds, oldExtPort)
-
-			s.extPortMut.Lock()
-			s.extPort = newExtPort
-			s.extPortMut.Unlock()
-		} else if foundIGD {
-			// Only print a notice if we've previously found an IGD or this is
-			// the first time around.
-			foundIGD = false
-			l.Infof("No UPnP device detected")
-		}
-
-		d := time.Duration(s.cfg.Options().UPnPRenewalM) * time.Minute
-		if d == 0 {
-			// We always want to do renewal so lets just pick a nice sane number.
-			d = 30 * time.Minute
-		}
-
-		select {
-		case <-s.stop:
-			return
-		case <-time.After(d):
-		}
-	}
-}
-
-func (s *upnpService) Stop() {
-	close(s.stop)
-}
-
-func (s *upnpService) ExternalPort() int {
-	s.extPortMut.Lock()
-	port := s.extPort
-	s.extPortMut.Unlock()
-	return port
-}
-
-func (s *upnpService) tryIGDs(igds []upnp.IGD, prevExtPort int) int {
-	// Lets try all the IGDs we found and use the first one that works.
-	// TODO: Use all of them, and sort out the resulting mess to the
-	// discovery announcement code...
-	for _, igd := range igds {
-		extPort, err := s.tryIGD(igd, prevExtPort)
-		if err != nil {
-			l.Warnf("Failed to set UPnP port mapping: external port %d on device %s.", extPort, igd.FriendlyIdentifier())
-			continue
-		}
-
-		if extPort != prevExtPort {
-			l.Infof("New UPnP port mapping: external port %d to local port %d.", extPort, s.localPort)
-			events.Default.Log(events.ExternalPortMappingChanged, map[string]int{"port": extPort})
-		}
-		l.Debugf("Created/updated UPnP port mapping for external port %d on device %s.", extPort, igd.FriendlyIdentifier())
-		return extPort
-	}
-
-	return 0
-}
-
-func (s *upnpService) tryIGD(igd upnp.IGD, suggestedPort int) (int, error) {
-	var err error
-	leaseTime := s.cfg.Options().UPnPLeaseM * 60
-
-	if suggestedPort != 0 {
-		// First try renewing our existing mapping.
-		name := fmt.Sprintf("syncthing-%d", suggestedPort)
-		err = igd.AddPortMapping(upnp.TCP, suggestedPort, s.localPort, name, leaseTime)
-		if err == nil {
-			return suggestedPort, nil
-		}
-	}
-
-	for i := 0; i < 10; i++ {
-		// Then try up to ten random ports.
-		extPort := 1024 + predictableRandom.Intn(65535-1024)
-		name := fmt.Sprintf("syncthing-%d", extPort)
-		err = igd.AddPortMapping(upnp.TCP, extPort, s.localPort, name, leaseTime)
-		if err == nil {
-			return extPort, nil
-		}
-	}
-
-	return 0, err
-}
--- a/cmd/syncthing/usage_report.go
+++ b/cmd/syncthing/usage_report.go
@@ -16,6 +16,7 @@ import (
 	"net/http"
 	"runtime"
 	"sort"
+	"strings"
 	"time"

 	"github.com/syncthing/syncthing/lib/config"
@@ -79,7 +80,7 @@ func (m *usageReportingManager) String() string {

 // reportData returns the data to be sent in a usage report. It's used in
 // various places, so not part of the usageReportingManager object.
-func reportData(cfg *config.Wrapper, m *model.Model) map[string]interface{} {
+func reportData(cfg configIntf, m modelIntf) map[string]interface{} {
 	res := make(map[string]interface{})
 	res["urVersion"] = usageReportVersion
 	res["uniqueID"] = cfg.Options().URUniqueID
@@ -121,15 +122,19 @@ func reportData(cfg *config.Wrapper, m *model.Model) map[string]interface{} {

 	var rescanIntvs []int
 	folderUses := map[string]int{
-		"readonly":      0,
-		"ignorePerms":   0,
-		"ignoreDelete":  0,
-		"autoNormalize": 0,
+		"readonly":            0,
+		"ignorePerms":         0,
+		"ignoreDelete":        0,
+		"autoNormalize":       0,
+		"simpleVersioning":    0,
+		"externalVersioning":  0,
+		"staggeredVersioning": 0,
+		"trashcanVersioning":  0,
 	}
 	for _, cfg := range cfg.Folders() {
 		rescanIntvs = append(rescanIntvs, cfg.RescanIntervalS)

-		if cfg.ReadOnly {
+		if cfg.Type == config.FolderTypeReadOnly {
 			folderUses["readonly"]++
 		}
 		if cfg.IgnorePerms {
@@ -141,6 +146,9 @@ func reportData(cfg *config.Wrapper, m *model.Model) map[string]interface{} {
 		if cfg.AutoNormalize {
 			folderUses["autoNormalize"]++
 		}
+		if cfg.Versioning.Type != "" {
+			folderUses[cfg.Versioning.Type+"Versioning"]++
+		}
 	}
 	sort.Ints(rescanIntvs)
 	res["rescanIntvs"] = rescanIntvs
@@ -196,16 +204,16 @@ func reportData(cfg *config.Wrapper, m *model.Model) map[string]interface{} {
 	}

 	defaultRelayServers, otherRelayServers := 0, 0
-	for _, addr := range cfg.Options().RelayServers {
-		switch addr {
-		case "dynamic+https://relays.syncthing.net/endpoint":
+	for _, addr := range cfg.ListenAddresses() {
+		switch {
+		case addr == "dynamic+https://relays.syncthing.net/endpoint":
 			defaultRelayServers++
-		default:
+		case strings.HasPrefix(addr, "relay://") || strings.HasPrefix(addr, "dynamic+http"):
 			otherRelayServers++
 		}
 	}
 	res["relays"] = map[string]interface{}{
-		"enabled":        cfg.Options().RelaysEnabled,
+		"enabled":        defaultRelayServers+otherAnnounceServers > 0,
 		"defaultServers": defaultRelayServers,
 		"otherServers":   otherRelayServers,
 	}
--- a/cmd/syncthing/verboseservice.go
+++ b/cmd/syncthing/verboseservice.go
@@ -8,7 +8,6 @@ package main

 import (
 	"fmt"
-	"strings"

 	"github.com/syncthing/syncthing/lib/events"
 )
@@ -73,15 +72,18 @@ func (s *verboseService) formatEvent(ev events.Event) string {

 	case events.Starting:
 		return fmt.Sprintf("Starting up (%s)", ev.Data.(map[string]string)["home"])
+
 	case events.StartupComplete:
 		return "Startup complete"

 	case events.DeviceDiscovered:
 		data := ev.Data.(map[string]interface{})
 		return fmt.Sprintf("Discovered device %v at %v", data["device"], data["addrs"])
+
 	case events.DeviceConnected:
 		data := ev.Data.(map[string]string)
 		return fmt.Sprintf("Connected to device %v at %v (type %s)", data["id"], data["addr"], data["type"])
+
 	case events.DeviceDisconnected:
 		data := ev.Data.(map[string]string)
 		return fmt.Sprintf("Disconnected from device %v", data["id"])
@@ -90,6 +92,11 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 		data := ev.Data.(map[string]interface{})
 		return fmt.Sprintf("Folder %q is now %v", data["folder"], data["to"])

+	case events.LocalChangeDetected:
+		data := ev.Data.(map[string]string)
+		// Local change detected in folder "foo": modified file /Users/jb/whatever
+		return fmt.Sprintf("Local change detected in folder %q: %s %s %s", data["folder"], data["action"], data["type"], data["path"])
+
 	case events.RemoteIndexUpdated:
 		data := ev.Data.(map[string]interface{})
 		return fmt.Sprintf("Device %v sent an index update for %q with %d items", data["device"], data["folder"], data["items"])
@@ -97,6 +104,7 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 	case events.DeviceRejected:
 		data := ev.Data.(map[string]interface{})
 		return fmt.Sprintf("Rejected connection from device %v at %v", data["device"], data["address"])
+
 	case events.FolderRejected:
 		data := ev.Data.(map[string]string)
 		return fmt.Sprintf("Rejected unshared folder %q from device %v", data["folder"], data["device"])
@@ -104,6 +112,7 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 	case events.ItemStarted:
 		data := ev.Data.(map[string]string)
 		return fmt.Sprintf("Started syncing %q / %q (%v %v)", data["folder"], data["item"], data["action"], data["type"])
+
 	case events.ItemFinished:
 		data := ev.Data.(map[string]interface{})
 		if err, ok := data["error"].(*string); ok && err != nil {
@@ -120,13 +129,18 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 	case events.FolderCompletion:
 		data := ev.Data.(map[string]interface{})
 		return fmt.Sprintf("Completion for folder %q on device %v is %v%%", data["folder"], data["device"], data["completion"])
+
 	case events.FolderSummary:
 		data := ev.Data.(map[string]interface{})
-		sum := data["summary"].(map[string]interface{})
-		delete(sum, "invalid")
-		delete(sum, "ignorePatterns")
-		delete(sum, "stateChanged")
-		return fmt.Sprintf("Summary for folder %q is %v", data["folder"], data["summary"])
+		sum := make(map[string]interface{})
+		for k, v := range data["summary"].(map[string]interface{}) {
+			if k == "invalid" || k == "ignorePatterns" || k == "stateChanged" {
+				continue
+			}
+			sum[k] = v
+		}
+		return fmt.Sprintf("Summary for folder %q is %v", data["folder"], sum)
+
 	case events.FolderScanProgress:
 		data := ev.Data.(map[string]interface{})
 		folder := data["folder"].(string)
@@ -143,19 +157,19 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 		data := ev.Data.(map[string]string)
 		device := data["device"]
 		return fmt.Sprintf("Device %v was paused", device)
+
 	case events.DeviceResumed:
 		data := ev.Data.(map[string]string)
 		device := data["device"]
 		return fmt.Sprintf("Device %v was resumed", device)

-	case events.ExternalPortMappingChanged:
-		data := ev.Data.(map[string]int)
-		port := data["port"]
-		return fmt.Sprintf("External port mapping changed; new port is %d.", port)
-	case events.RelayStateChanged:
-		data := ev.Data.(map[string][]string)
-		newRelays := data["new"]
-		return fmt.Sprintf("Relay state changed; connected relay(s) are %s.", strings.Join(newRelays, ", "))
+	case events.ListenAddressesChanged:
+		data := ev.Data.(map[string]interface{})
+		address := data["address"]
+		lan := data["lan"]
+		wan := data["wan"]
+		return fmt.Sprintf("Listen address %s resolution has changed: lan addresses: %s wan addresses: %s", address, lan, wan)
+
 	case events.LoginAttempt:
 		data := ev.Data.(map[string]interface{})
 		username := data["username"].(string)
@@ -166,7 +180,6 @@ func (s *verboseService) formatEvent(ev events.Event) string {
 			success = "failed"
 		}
 		return fmt.Sprintf("Login %s for username %s.", success, username)
-
 	}

 	return fmt.Sprintf("%s %#v", ev.Type, ev)
--- a/debtpl/common/changelog
+++ b/debtpl/common/changelog
@@ -0,0 +1,5 @@
+{{.name}} ({{.version}}); urgency=medium
+
+  * Packaging of {{.version}}.
+
+ -- Syncthing Release Management <release@syncthing.net>  {{.date}}
--- a/debtpl/common/compat
+++ b/debtpl/common/compat
@@ -0,0 +1 @@
+9
--- a/debtpl/syncthing/control
+++ b/debtpl/syncthing/control
@@ -0,0 +1,16 @@
+Package: syncthing
+Version: {{.version}}
+Priority: optional
+Section: net
+Architecture: {{.arch}}
+Depends: libc6, procps
+Homepage: https://syncthing.net/
+Maintainer: Syncthing Release Management <release@syncthing.net>
+Description: Open Source Continuous File Synchronization
+ Syncthing is an application that lets you synchronize your files across
+ multiple devices. This means the creation, modification or deletion of files
+ on one machine will automatically be replicated to your other devices. We
+ believe your data is your data alone and you deserve to choose where it is
+ stored. Therefore Syncthing does not upload your data to the cloud but
+ exchanges your data across your machines as soon as they are online at the
+ same time.
--- a/debtpl/syncthing/postinst
+++ b/debtpl/syncthing/postinst
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ ${1:-} == configure ]]; then
+	pkill -HUP -x syncthing || true
+fi
--- a/etc/linux-systemd/system/syncthing-resume.service
+++ b/etc/linux-systemd/system/syncthing-resume.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Restart Syncthing after resume
+Documentation=man:syncthing(1)
+After=suspend.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/pkill -HUP -x syncthing
+
+[Install]
+WantedBy=suspend.target
--- a/etc/linux-systemd/system/syncthing@.service
+++ b/etc/linux-systemd/system/syncthing@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Syncthing - Open Source Continuous File Synchronization for %I
-Documentation=http://docs.syncthing.net/
+Documentation=man:syncthing(1)
 After=network.target
 Wants=syncthing-inotify@.service

--- a/etc/linux-systemd/user/syncthing.service
+++ b/etc/linux-systemd/user/syncthing.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Syncthing - Open Source Continuous File Synchronization
-Documentation=http://docs.syncthing.net/
+Documentation=man:syncthing(1)
 After=network.target
 Wants=syncthing-inotify.service

--- a/gui/assets/img/favicon.png
+++ b/gui/assets/img/favicon.png
--- a/gui/assets/lang/lang-ro-RO.json
+++ b/gui/assets/lang/lang-ro-RO.json
@@ -1,225 +0,0 @@
-{
-    "A negative number of days doesn't make sense.": "A negative number of days doesn't make sense.",
-    "A new major version may not be compatible with previous versions.": "A new major version may not be compatible with previous versions.",
-    "API Key": "Cheie API",
-    "About": "Despre",
-    "Actions": "Actions",
-    "Add": "Adaugă",
-    "Add Device": "Adaugă Dispozitiv",
-    "Add Folder": "Adaugă Mapă",
-    "Add new folder?": "Adauga o mapă nouă?",
-    "Address": "Adresă",
-    "Addresses": "Adrese",
-    "Advanced": "Advanced",
-    "Advanced Configuration": "Configurari avansate",
-    "All Data": "Toate Datele",
-    "Allow Anonymous Usage Reporting?": "Permiteţi raportarea anonimă de folosire a aplicaţiei?",
-    "Alphabetic": "Alphabetic",
-    "An external command handles the versioning. It has to remove the file from the synced folder.": "O comandă externă administrează versiunile. Trebuie să şteargă documentul din fişierul sincronizat. ",
-    "Anonymous Usage Reporting": "Raport Anonim despre Folosirea Aplicației",
-    "Any devices configured on an introducer device will be added to this device as well.": "Toate dispozitivele configurate pe un dispozitiv iniţiator vor fi adăugate şi pe acest dispozitiv. ",
-    "Automatic upgrades": "Actualizare automată",
-    "Be careful!": "Fii atent!",
-    "Bugs": "Bug-uri",
-    "CPU Utilization": "CPU ",
-    "Changelog": "Noutăți",
-    "Clean out after": "Clean out after",
-    "Close": "Închide",
-    "Command": "Comandă",
-    "Comment, when used at the start of a line": "Comentariu, când este folosit la începutul unei linii",
-    "Compression": "Compresie",
-    "Connection Error": "Eroare de conexiune",
-    "Copied from elsewhere": "Copiat din altă parte",
-    "Copied from original": "Copiat  din original",
-    "Copyright © 2015 the following Contributors:": "Copyright ©2015 Următorii Contribuitori:",
-    "Danger!": "Danger!",
-    "Delete": "Şterge",
-    "Deleted": "Șters",
-    "Device ID": "ID Dispozitiv",
-    "Device Identification": "Identificare Dispozitiv",
-    "Device Name": "Nume Dispozitiv",
-    "Device {%device%} ({%address%}) wants to connect. Add new device?": "Dispozitivul{{dispoztiv}}({{adresă}})vrea sa se conecteze.Adaug un dispozitiv nou?",
-    "Devices": "Dispozitiv",
-    "Disconnected": "Deconectat",
-    "Discovery": "Discovery",
-    "Documentation": "Documentaţie",
-    "Download Rate": "Viteză de Descărcare",
-    "Downloaded": "Descărcat",
-    "Downloading": "Se descarcă",
-    "Edit": "Modifică",
-    "Edit Device": "Modifică Dispozitiv",
-    "Edit Folder": "Modifică Mapa",
-    "Editing": "Modificare",
-    "Enable UPnP": "Activează UPnP",
-    "Enter comma separated  (\"tcp://ip:port\", \"tcp://host:port\") addresses or \"dynamic\" to perform automatic discovery of the address.": "Enter comma separated  (\"tcp://ip:port\", \"tcp://host:port\") addresses or \"dynamic\" to perform automatic discovery of the address.",
-    "Enter ignore patterns, one per line.": "Adaugă șabloanele de ignorare, câte una pe linie.",
-    "Error": "Eroare",
-    "External File Versioning": "Administrare externă a versiunilor documentului",
-    "Failed Items": "Failed Items",
-    "File Pull Order": "File Pull Order",
-    "File Versioning": "Versiune Fișier",
-    "File permission bits are ignored when looking for changes. Use on FAT file systems.": "Biții de autorizare sînt excluși cînd se analizează modificările. A se utiliza pe sisteme FAT. ",
-    "Files are moved to .stversions folder when replaced or deleted by Syncthing.": "Files are moved to .stversions folder when replaced or deleted by Syncthing.",
-    "Files are moved to date stamped versions in a .stversions folder when replaced or deleted by Syncthing.": "Documentele sînt mutate într-un fișier .stversions conținînd versiuni datate atunci cînd sînt șterse sau înlocuite de Syncthing. ",
-    "Files are protected from changes made on other devices, but changes made on this device will be sent to the rest of the cluster.": "Fișierele sunt protejate de schimbările făcute pe alte dispozitive dar schimbările efectuate pe acest dispozitiv vor fi trimise catre restul grupului.",
-    "Folder": "Mapă",
-    "Folder ID": "ID Mapă",
-    "Folder Master": "Master Măpi",
-    "Folder Path": "Locaţie Mapei",
-    "Folders": "Mapă",
-    "GUI": "GUI",
-    "GUI Authentication Password": "Parolă Interfaţă",
-    "GUI Authentication User": "User Interfaţă",
-    "GUI Listen Addresses": "Adresă Interfaţă",
-    "Generate": "Generează",
-    "Global Discovery": "Găsire Globală",
-    "Global Discovery Server": "Server pentru Găsirea Globală",
-    "Global State": "Status Global",
-    "Help": "Help",
-    "Home page": "Home page",
-    "Ignore": "Ignoră",
-    "Ignore Patterns": "Reguli de excludere",
-    "Ignore Permissions": "Ignoră Permisiuni",
-    "Incoming Rate Limit (KiB/s)": "Limită Viteză de Download (KB/s)",
-    "Incorrect configuration may damage your folder contents and render Syncthing inoperable.": "Incorrect configuration may damage your folder contents and render Syncthing inoperable.",
-    "Introducer": "Dispozitiv Inițiator",
-    "Inversion of the given condition (i.e. do not exclude)": "Inversarea condiției (de ex., nu exclude)",
-    "Keep Versions": "Păstrează Versiuni",
-    "Largest First": "Largest First",
-    "Last File Received": "Ultimul Fișier Primit",
-    "Last seen": "Ultima vizionare",
-    "Later": "Mai tîrziu",
-    "Local Discovery": "Găsire Locală",
-    "Local State": "Status Local",
-    "Local State (Total)": "Local State (Total)",
-    "Major Upgrade": "Major Upgrade",
-    "Maximum Age": "Vârsta Maximă",
-    "Metadata Only": "Doar Metadate",
-    "Minimum Free Disk Space": "Minimum Free Disk Space",
-    "Move to top of queue": "Mută la începutul listei",
-    "Multi level wildcard (matches multiple directory levels)": "Asterisc de nivel multiplu (corespunde fișierelor și sub-fișierelor)",
-    "Never": "Niciodată",
-    "New Device": "Dispozitiv Nou",
-    "New Folder": "Mapă Nouă",
-    "Newest First": "Newest First",
-    "No": "Nu",
-    "No File Versioning": "Fără versiuni ale documentelor",
-    "Notice": "Mențiuni",
-    "OK": "OK",
-    "Off": "Închis",
-    "Oldest First": "Oldest First",
-    "Options": "Opțiuni",
-    "Out of Sync": "Out of Sync",
-    "Out of Sync Items": "Elemente Nesincronizate",
-    "Outgoing Rate Limit (KiB/s)": "Limită Viteză de Upload (KB/s)",
-    "Override Changes": "Suprascrie Schimbări",
-    "Path to the folder on the local computer. Will be created if it does not exist. The tilde character (~) can be used as a shortcut for": "Localizarea fișierului în acest computer. Dacă nu există, va fi creat. Tilda (~) înlocuiește ",
-    "Path where versions should be stored (leave empty for the default .stversions folder in the folder).": "Locul unde vor fi stocate versiunile (a se lăsa neschimbat pentru fișierul .stversions din fișier). ",
-    "Pause": "Pauză",
-    "Paused": "Paused",
-    "Please consult the release notes before performing a major upgrade.": "Please consult the release notes before performing a major upgrade.",
-    "Please set a GUI Authentication User and Password in the Settings dialog.": "Please set a GUI Authentication User and Password in the Settings dialog.",
-    "Please wait": "Aşteaptă",
-    "Preview": "Previzualizează",
-    "Preview Usage Report": "Vezi raportul de utilizare",
-    "Quick guide to supported patterns": "Ghid rapid pentru regulile suportate",
-    "RAM Utilization": "RAM",
-    "Random": "Random",
-    "Relayed via": "Relayed via",
-    "Relays": "Relays",
-    "Release Notes": "Release Notes",
-    "Remove": "Remove",
-    "Rescan": "Rescanează",
-    "Rescan All": "Rescaneaza Tot",
-    "Rescan Interval": "Interval Scanare",
-    "Restart": "Restart",
-    "Restart Needed": "Restart Necesar",
-    "Restarting": "Se restartează",
-    "Resume": "Resume",
-    "Reused": "Refolosit",
-    "Save": "Salvează",
-    "Scan Time Remaining": "Scan Time Remaining",
-    "Scanning": "Scanează",
-    "Select the devices to share this folder with.": "Selectează dispozitivele pentru care să fie disponibil această mapă.",
-    "Select the folders to share with this device.": "Alege mapele pe care vrei sa le imparți cu acest dispozitiv.",
-    "Settings": "Setări",
-    "Share": "Împarte",
-    "Share Folder": "Împarte Mapa",
-    "Share Folders With Device": "Împarte Mapa Cu Dispozitivul",
-    "Share With Devices": "Împarte Cu Dispozitivul",
-    "Share this folder?": "Împarte această mapă?",
-    "Shared With": "Împarte Cu",
-    "Short identifier for the folder. Must be the same on all cluster devices.": "Identificator scurt al fișierului. Trebuie să fie același pe toate mașinile. ",
-    "Show ID": "Arată ID",
-    "Shown instead of Device ID in the cluster status. Will be advertised to other devices as an optional default name.": "Vizibil în locul ID-ului dispozitivului într-un grup. Va fi sugerat celorlalte dispozitive ca nume opţional. ",
-    "Shown instead of Device ID in the cluster status. Will be updated to the name the device advertises if left empty.": "Vizibil în locul ID-ului dispozitivului într-un grup. Va fi înlocuit de numele sugerat de dispozitiv daca nu este completat. ",
-    "Shutdown": "Opreşte",
-    "Shutdown Complete": "Oprește Complet",
-    "Simple File Versioning": "Versiuni simple ale documentelor",
-    "Single level wildcard (matches within a directory only)": "Asterisc de nivel simplu (corespunde doar unui fişier)",
-    "Smallest First": "Smallest First",
-    "Source Code": "Cod Sursă",
-    "Staggered File Versioning": "Versiuni eşalonate ale documentelor",
-    "Start Browser": "Lansează Browser",
-    "Statistics": "Statistici",
-    "Stopped": "Oprit",
-    "Support": "Suport Tehnic",
-    "Sync Protocol Listen Addresses": "Adresa protocolului de sincronizare",
-    "Syncing": "Se sincronizează",
-    "Syncthing has been shut down.": "Sincronizarea a fost oprită.",
-    "Syncthing includes the following software or portions thereof:": "Syncthing include următoarele soft-uri sau părţi din ele:",
-    "Syncthing is restarting.": "Syncthing se restartează.",
-    "Syncthing is upgrading.": "Syncthing se actualizează.",
-    "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…": "Syncthing pare a fi oprit sau aveţi probleme cu conexiunea la internet. Reluare... ",
-    "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.": "Syncthing pare a avea probleme prelucrînd solicitarea dumneavoastră. Reîncărcaţi pagina sau porniţi Syncthing din nou dacă problema continuă. ",
-    "The Syncthing admin interface is configured to allow remote access without a password.": "The Syncthing admin interface is configured to allow remote access without a password.",
-    "The aggregated statistics are publicly available at {%url%}.": "Statisticile în ansamblu sînt accesibile public la {{url}}.",
-    "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.": "Configuraţia a fost salvată dar nu şi activată. Syncthing trebuie să repornească pentru a activa noua configuraţie.",
-    "The device ID cannot be blank.": "ID-ul dispozitivului nu poate fi gol.",
-    "The device ID to enter here can be found in the \"Edit > Show ID\" dialog on the other device. Spaces and dashes are optional (ignored).": "ID-ul dispozitivului ce trebuie introdus aici poate fi aflat la \"Editează > Arată ID-ul\" pe celălalt dispozitiv. Spaţiile şi liniile oblice sînt opţionale (vor fi ignorate). ",
-    "The encrypted usage report is sent daily. It is used to track common platforms, folder sizes and app versions. If the reported data set is changed you will be prompted with this dialog again.": "Raportul codat de utilizare este trimit zilnic. Este folosit pentru studierea platformelor comune, dimensiunilor fişierelor şi versiunea aplicaţiilor. În cazul în care setul de date trimis este modificat, acest dialog va aparea din nou. ",
-    "The entered device ID does not look valid. It should be a 52 or 56 character string consisting of letters and numbers, with spaces and dashes being optional.": "ID-ul dispozitivului nu pare a fi valid.El trebuie sa fie format dintrun șir din 52 ori 56 de caractere formate din litere și cifre, cu spatii și linii opțional.",
-    "The first command line parameter is the folder path and the second parameter is the relative path in the folder.": "The first command line parameter is the folder path and the second parameter is the relative path in the folder.",
-    "The folder ID cannot be blank.": "ID-ul mapei nu poate fi gol.",
-    "The folder ID must be a short identifier (64 characters or less) consisting of letters, numbers and the dot (.), dash (-) and underscode (_) characters only.": "The folder ID must be a short identifier (64 characters or less) consisting of letters, numbers and the dot (.), dash (-) and underscode (_) characters only.",
-    "The folder ID must be unique.": "ID-ul mapei trebuie să fie unic.",
-    "The folder path cannot be blank.": "Locaţia mapei nu poate fi goală.",
-    "The following intervals are used: for the first hour a version is kept every 30 seconds, for the first day a version is kept every hour, for the first 30 days a version is kept every day, until the maximum age a version is kept every week.": "The following intervals are used: for the first hour a version is kept every 30 seconds, for the first day a version is kept every hour, for the first 30 days a version is kept every day, until the maximum age a version is kept every week.",
-    "The following items could not be synchronized.": "The following items could not be synchronized.",
-    "The maximum age must be a number and cannot be blank.": "Vârsta maximă trebuie să fie un număr şi nu poate fi goală.",
-    "The maximum time to keep a version (in days, set to 0 to keep versions forever).": "Câte zile să se păstreze o versiune (setează 0 pentru nelimitat)",
-    "The minimum free disk space percentage must be a non-negative number between 0 and 100 (inclusive).": "The minimum free disk space percentage must be a non-negative number between 0 and 100 (inclusive).",
-    "The number of days must be a number and cannot be blank.": "The number of days must be a number and cannot be blank.",
-    "The number of days to keep files in the trash can. Zero means forever.": "Numărul de zile pentru a păstra fișierele in urnă.Zero înseamnă permanent.",
-    "The number of old versions to keep, per file.": "Numărul de versiuni vechi de salvat per fişier.",
-    "The number of versions must be a number and cannot be blank.": "Numărul de versiuni trebuie să fie un număr şi nu poate fi gol.",
-    "The path cannot be blank.": "Locația nu poate fi goală.",
-    "The rate limit must be a non-negative number (0: no limit)": "The rate limit must be a non-negative number (0: no limit)",
-    "The rescan interval must be a non-negative number of seconds.": "Intervalul de rescanare trebuie să nu fie un număr negativ de secunde. ",
-    "They are retried automatically and will be synced when the error is resolved.": "They are retried automatically and will be synced when the error is resolved.",
-    "This can easily give hackers access to read and change any files on your computer.": "This can easily give hackers access to read and change any files on your computer.",
-    "This is a major version upgrade.": "This is a major version upgrade.",
-    "Trash Can File Versioning": "Trash Can File Versioning",
-    "Unknown": "Necunoscut",
-    "Unshared": "Neîmpărțit",
-    "Unused": "Nefolosit",
-    "Up to Date": "La Zi",
-    "Updated": "Updated",
-    "Upgrade": "Upgrade",
-    "Upgrade To {%version%}": "Actualizează La Versiunea {{version}}",
-    "Upgrading": "Se Actualizează",
-    "Upload Rate": "Viteză Upload",
-    "Uptime": "Uptime",
-    "Use HTTPS for GUI": "Foloseşte HTTPS pentru interfaţă",
-    "Version": "Versiune",
-    "Versions Path": "Locaţie Versiuni",
-    "Versions are automatically deleted if they are older than the maximum age or exceed the number of files allowed in an interval.": "Versiunile sînt şterse în mod automat dacă sînt mai vechi decît vîrsta maximă sau depăşesc numărul de documente permise într-un anume interval. ",
-    "When adding a new device, keep in mind that this device must be added on the other side too.": "Când adaugi un dispozitiv nou, trebuie să adaugi şi dispozitivul curent în dispozitivul nou.",
-    "When adding a new folder, keep in mind that the Folder ID is used to tie folders together between devices. They are case sensitive and must match exactly between all devices.": "Cînd adăugaţi un fişier nou, nu uitaţi că ID-ul fişierului va rămîne acelaşi pe toate dispozitivele. Iar literele mari sînt diferite de literele mici. ",
-    "Yes": "Da",
-    "You must keep at least one version.": "Trebuie să păstrezi cel puţin o versiune.",
-    "days": "Zile",
-    "full documentation": "toată documentaţia",
-    "items": "obiecte",
-    "{%device%} wants to share folder \"{%folder%}\".": "{{Dispozitivul}} vrea să transmită mapa {{Mapa}}"
-}
--- a/Show More
+++ b/Show More