thread-based email index, search, and tagging https://git.notmuchmail.org/git/notmuch/atom?h=0.30 2020-07-03T10:37:00Z 2020-07-03T10:37:00Z David Bremner david@tethera.net 2020-06-16T14:17:55Z urn:sha1:552029f7482ea76806f18b8ef2cbe9c8706b39f4 Today Defalos on #notmuch asked for a signed tarball for 0.30~rc2. This is a minimal change to support this in the future. The question of automagically uploading will need more thought; currently I like the fact that tags from pre-releases are only pushed manually. 2020-07-03T09:38:55Z David Bremner david@tethera.net 2020-06-30T00:22:47Z urn:sha1:3a42abb456893b71b530f099a1467400f2b0ea71 Attempt to avoid breaking "pip install ." As far as I can tell, we need to have a copy (not just a relative symlink) of the version file. 2019-12-20T23:54:11Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-12-04T08:47:38Z urn:sha1:7ebb2f5509c175c0efc6682fc7abf89a68f61f7d Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-12-03T12:12:30Z David Bremner david@tethera.net 2019-10-20T01:52:56Z urn:sha1:46e96156218e456df3fdd239e8c055220fba667a Put the build product (and tests) in a well known location so that we can find them e.g. from the tests. 2019-03-27T20:59:40Z David Bremner david@tethera.net 2019-03-19T10:08:19Z urn:sha1:4bfbd5baa1e754e18d58dd6b8052a8072c0bfc2f This produces tarballs that are roughly 30% smaller. 2019-03-27T20:54:12Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-03-23T12:35:44Z urn:sha1:1f82039e0da1adf078559ef9bf80e2b47858a607 This is just a semantic cleanup -- we have multiple files that are OpenPGP signatures. And while we're probably making signatures with GnuPG, they can be verified with any OpenPGP implementation, so "GPG_" is arguably both not specific enough, and overly-specific. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-03-27T20:53:41Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-03-23T12:35:43Z urn:sha1:01f9c71312937011c4474688d3d1dd64c14731fb Distribute clearsigned sha256sum file in addition to the detached signature. Verifies that use the sha256sum ensure that the thing signed includes the name of the tarball. This defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash): set -o pipefail wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc} gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c - See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-03-27T20:53:18Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-03-23T12:35:42Z urn:sha1:cc8d837d5a137a14a62526dcea60af1de7a353e4 The SHA256_FILE used to be built automatically because of the makefile dependencies. Since b8a8dbed91d16299a8768646fb6f18181f31ec40, it isn't getting made properly, so the release target would fail. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-03-12T01:28:11Z David Bremner david@tethera.net 2019-02-13T02:17:03Z urn:sha1:b8a8dbed91d16299a8768646fb6f18181f31ec40 Adam Majer pointed out in [1] the way were signing releases was unusual. Neither Carl nor I could think of a good reason for explicitely signing the checksum (internally of course that's what GPG is going anyway). [1] mid:b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de 2018-05-26T15:26:13Z David Bremner david@tethera.net 2018-05-21T20:08:51Z urn:sha1:7a6d4a0852664483bbba702cf3b030448b079e2c All of the man pages are installed as info pages, plus the (unfinished) notmuch-emacs manual