Building Notmuch on macOS is known to cause problems because the Notmuch
distribution archive contains two files named "version". These names
clash with the <version> header as defined in C++20. Therefore, the
existing naming will likely become a problem on other platforms as well,
once compilers adopt the new standard.
Signed-off-by: Ralph Seichter <github@seichter.de>
Amended-by: db s/keyword/header/ in commit message.
Use `makefile-gmake-mode' instead of `makefile-mode' because the
former also highlights ifdef et al. while the latter does not.
"./Makefile.global" and one "Makefile.local" failed to specify any
major mode at all but doing so is necessary because Emacs does not
automatically figure out that these are Makefiles (of any flavor).
Use a URL https://notmuchmail.org/doc/latest to leave room for a
future more ambitious scheme deploying multiple versions.
This also forces the html docs to be built as part of the release
process. In the future this should be updated to tolerate generating a
release without sphinx installed. This needs a new target analogous to
build-info and build-man that does nothing if sphinx is not installed.
Today Defalos on #notmuch asked for a signed tarball for
0.30~rc2. This is a minimal change to support this in the future. The
question of automagically uploading will need more thought; currently
I like the fact that tags from pre-releases are only pushed manually.
This is just a semantic cleanup -- we have multiple files that are
OpenPGP signatures. And while we're probably making signatures with
GnuPG, they can be verified with any OpenPGP implementation, so "GPG_"
is arguably both not specific enough, and overly-specific.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Distribute clearsigned sha256sum file in addition to the detached
signature.
Verifiers that use the sha256sum ensure that the thing signed includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.
A verifier can use something like the following (as expressed in
bash):
    set -o pipefail
    wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
    gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -
See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
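An added example, not part of the Notmuch commit or its build files: what the signed checksum file binds, checked on constructed data. The function names, exit codes and fake `notmuch-9.8`/`notmuch-9.9` tarballs are assumptions, and the manifest argument stands in for text that gpgv has already verified.

```sh
# Added example with constructed data. MANIFEST stands in for the text that
# `gpgv --output -` prints after the clearsigned .sha256.asc has verified.

# verify_release MANIFEST EXPECTED_NAME DIR
# Exit status 0 only if the signed manifest is a single sha256sum line that
# names EXPECTED_NAME and DIR/EXPECTED_NAME hashes to the signed digest.
verify_release() (
    manifest=$(printf '%s' "$1") expected=$2 dir=$3
    # Exactly one entry: extra signed lines could name files we never fetched.
    [ "$(printf '%s\n' "$manifest" | grep -c .)" -eq 1 ] || exit 2
    # sha256sum line: "<digest>  <name>" (binary mode: "<digest> *<name>")
    digest=${manifest%% *}
    name=${manifest#* }; name=${name# }; name=${name#\*}
    printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' || exit 2
    # The signature covers the name, so a manifest for another release fails.
    [ "$name" = "$expected" ] || exit 3
    actual=$(sha256sum < "$dir/$expected") || exit 4
    [ "${actual%% *}" = "$digest" ] || exit 4
)

# naive_check MANIFEST DIR: the decision `sha256sum -c -` makes on its own.
naive_check() (
    cd "$2" && printf '%s\n' "$1" | sha256sum -c - >/dev/null 2>&1
)

# Constructed fixture: two fake "releases" sitting in one download directory.
make_fixture() (
    cd "$1" || exit 1
    printf 'old release bytes\n' > notmuch-9.8.tar.gz
    printf 'new release bytes\n' > notmuch-9.9.tar.gz
)

status() { rc=0; "$@" || rc=$?; echo "$rc"; }

d=$(mktemp -d); make_fixture "$d"
old=$(cd "$d" && sha256sum notmuch-9.8.tar.gz)   # stands for a signed but stale manifest
new=$(cd "$d" && sha256sum notmuch-9.9.tar.gz)
want=notmuch-9.9.tar.gz
echo "current manifest, name check:   $(status verify_release "$new" "$want" "$d")"
echo "stale manifest, name check:     $(status verify_release "$old" "$want" "$d")"
echo "stale manifest, sha256sum -c:   $(status naive_check "$old" "$d")"
printf 'tampered' >> "$d/$want"
echo "current manifest, altered file: $(status verify_release "$new" "$want" "$d")"
rm -rf "$d"
```

The four statuses are 0, 3, 0 and 4. The third is the case to notice: when an earlier tarball is still in the download directory, `sha256sum -c` alone accepts a stale manifest, so comparing the signed name with the file that was requested closes that gap.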
The SHA256_FILE used to be built automatically because of the makefile
dependencies.
Since b8a8dbed91, it isn't getting made
properly, so the release target would fail.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Adam Majer pointed out in [1] the way we were signing releases was
unusual. Neither Carl nor I could think of a good reason for
explicitly signing the checksum (internally of course that's what GPG
is doing anyway).
[1] mid:b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de
The appended file 'version' has the same timestamp as the files added
by `git archive`.
The original file name and time stamp are no longer saved to the
gzip header in resulting $(PACKAGE)-$(VERSION).tar.gz file.
When build environment is close enough to another, this may
provide mutually reproducible release archive files.
The advantage of having a target as opposed to running cppcheck by
hand
- reuse list of source files
- output errors in a format parsable, e.g. by emacs
- returns exit code 1 on any error, for possible use in other
  targets.
For the moment, leave this as an optional target. If desired, it can
be added to e.g. the release targets in the same way as the test
target.
Using two levels of directory for the stamps is arguably
overengineering, but it doesn't really cost anything, and leaves open
the possibility of putting other kinds of stamp files there.
This only checks "new" source files (w.r.t. their last check). A future target
(cppcheck-all ?) could blow away the stamp files first.
Sometimes using $@ as the target in the quiet build lines can be
confusing. Accept an optional second parameter in the quiet variable
function to specify the target.
Commits 9db2145272 ("lib/gen-version-script.h: add getline and
getdelim to notmuch.sym if needed") and 3242e29e57 ("build: add
canonicalize_file_name to symbols exported from libnotmuch.so")
started exporting compat functions from libnotmuch so that the cli
could use them. But we shouldn't export such functions from the
library. They are not part of our ABI. Instead, the cli should include
its own copies of the compat functions.
The tar content `git archive` creates (reproducibly) has owner and
group set to 'root'. (GNU) tar writes user ids to the added file
`version` by default. The contents of the tar archive look better and
more consistent when owner and group in all files are the same.
While at it, split this long command line to multiple lines.
Apparently some systems (MacOS?) have a system library called libutil
and the name conflict causes problems. Since this library is quite
notmuch specific, rename it to something less generic.
I noticed when trying to use VERSION (and derived variables) in a
subdirectory that the top level Makefile.local needed to be included
first. But according to c10085c77b it
actually needs to be last. To break this conflict, move the variables
definitions into a new Makefile.global.
Apparently pre 5.1 gcc defaulted to gnu89, but we decided it was ok to
use some c99 features.
'-std=c99' by itself is not enough for notmuch to compile.
'-std=gnu99' seems to work with clang and gcc, so I'm not convinced
configuration support is needed.
With this GNU Make construct one shell invocation can be skipped
and code looks shorter (narrower). This would now match to .git
being other file type than regular file or directory (or symlink
to those), but that is not a use case anyone should expect users
to do.
Many of the external links found in the notmuch source can be resolved
using https instead of http. This changeset addresses as many as I
could find, without touching the e-mail corpus or expected outputs
found in tests.
This is a minor security hole, but no worse than what we had before. In
particular the worst that happens is someone prevents us from making a
release. Which is hardly worth the trouble of jacking the URL.
Because ruby generates a Makefile, we have to use recursive make.
Because mkmf.rb hardcodes the name Makefile, put our Makefile{.local}
in the parent directory.
Failing to update this string in globals.py causes failures when the
SONAME changes. In order to hopefully reduce the number of such
errors, automate the process of setting the SONAME in the python
bindings.
So that $(VERSION) and version.stamp use the git-describe -based
version data instead of the content of `version' file.
For consistency also the git commands in Makefile[.local] target
`verify-no-dirty-code' use the git --git-dir=$srcdir/.git ...
commands (inside ifeq($(IS_GIT),yes)). Attempting to make this
target outside of the tree will fail in any case.
It turns out to be inconvenient to delete the downloaded datafiles with
distclean, so I propose a new target which does that instead.
The closest conventional target is 'maintainer-clean'; the difference
here is that having the original source tarball is not enough to
reconstruct these files.
In my system `pkg-config --libs talloc` returns
'Wl,-rpath,/usr/lib -ltalloc' (probably wrongly) which causes the final
LDFLAGS to be something like '-Wl,-rpath,/usr/lib
-Wl,-rpath,/opt/notmuch/lib', which causes the RUNPATH to be
'/usr/lib:/opt/notmuch/lib', so basically defeating the whole purpose of
RUNPATH.
I noticed this when my /opt/notmuch/bin/notmuch (0.17) started updating
the database after I updated the system (which updated the system's
notmuch). This shouldn't happen.
Let's move the RUNPATH flags before other external flags have a chance of
screwing the build.
Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Users may have set core.abbrev=n, where n != 7 in their git config
file(s) which would give them different than expected version strings
when building notmuch from git. This fixes the commit hash part of
version string to 7 hexadecimal values.