thread-based email index, search, and tagging https://git.notmuchmail.org/git/notmuch/atom?h=0.29_rc0 2019-03-27T20:59:40Z 2019-03-27T20:59:40Z David Bremner david@tethera.net 2019-03-19T10:08:19Z urn:sha1:4bfbd5baa1e754e18d58dd6b8052a8072c0bfc2f This produces tarballs that are roughly 30% smaller. 2019-03-27T20:54:12Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-03-23T12:35:44Z urn:sha1:1f82039e0da1adf078559ef9bf80e2b47858a607 This is just a semantic cleanup -- we have multiple files that are OpenPGP signatures. And while we're probably making signatures with GnuPG, they can be verified with any OpenPGP implementation, so "GPG_" is arguably both not specific enough, and overly-specific. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-03-27T20:53:41Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-03-23T12:35:43Z urn:sha1:01f9c71312937011c4474688d3d1dd64c14731fb Distribute clearsigned sha256sum file in addition to the detached signature. Verifies that use the sha256sum ensure that the thing signed includes the name of the tarball. This defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash): set -o pipefail wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc} gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c - See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-03-12T01:28:11Z David Bremner david@tethera.net 2019-02-13T02:17:03Z urn:sha1:b8a8dbed91d16299a8768646fb6f18181f31ec40 Adam Majer pointed out in [1] the way were signing releases was unusual. Neither Carl nor I could think of a good reason for explicitely signing the checksum (internally of course that's what GPG is going anyway). [1] mid:b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de 2017-03-19T00:37:43Z David Bremner david@tethera.net 2017-03-14T11:10:07Z urn:sha1:c39f6361d0798aa8d0dcd0b91f6b86ab9dc21c75 Apparently some systems (MacOS?) have a system library called libutil and the name conflict causes problems. Since this library is quite notmuch specific, rename it to something less generic. 2017-03-02T21:31:15Z David Bremner david@tethera.net 2017-03-02T00:44:47Z urn:sha1:914c4db1f2cf5b19100b42a8e3ea62d000a9b642 2016-11-26T11:57:58Z David Bremner david@tethera.net 2016-11-19T17:44:29Z urn:sha1:10f8c5d205d5398bb86809bf8e7958038ba3b6fe This package can be created without emacs, but will only be usable in versions of emacs supporting package.el 2016-11-26T11:46:42Z David Bremner david@tethera.net 2016-11-19T17:44:28Z urn:sha1:46a47f06a628c7025246da040fa9ab6301c49313 I noticed when trying to use VERSION (and derived variables) in a subdirectory that the top level Makefile.local needed to be included first. But according to c10085c77b407d9ea704f8b4f9e0a805f63e72cb it actually needs to be last. To break this conflict, move the variables definitions into a new Makefile.global.