notmuch/Makefile.local, branch 0.30_rc2thread-based email index, search, and tagginghttps://git.notmuchmail.org/git/notmuch/atom?h=0.30_rc22019-12-20T23:54:11Zdebian: return an error if debian snapshot build fails2019-12-20T23:54:11ZDaniel Kahn Gillmordkg@fifthhorseman.net2019-12-04T08:47:38Zurn:sha1:7ebb2f5509c175c0efc6682fc7abf89a68f61f7d
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
build: optionally build python-cffi bindings2019-12-03T12:12:30ZDavid Bremnerdavid@tethera.net2019-10-20T01:52:56Zurn:sha1:46e96156218e456df3fdd239e8c055220fba667a
Put the build product (and tests) in a well known location so that we
can find them e.g. from the tests.
release: use xz compression2019-03-27T20:59:40ZDavid Bremnerdavid@tethera.net2019-03-19T10:08:19Zurn:sha1:4bfbd5baa1e754e18d58dd6b8052a8072c0bfc2f
This produces tarballs that are roughly 30% smaller.
build: Rename GPG_FILE to DETACHED_SIG_FILE2019-03-27T20:54:12ZDaniel Kahn Gillmordkg@fifthhorseman.net2019-03-23T12:35:44Zurn:sha1:1f82039e0da1adf078559ef9bf80e2b47858a607
This is just a semantic cleanup -- we have multiple files that are
OpenPGP signatures. And while we're probably making signatures with
GnuPG, they can be verified with any OpenPGP implementation, so "GPG_"
is arguably both not specific enough, and overly-specific.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
build: distribute signed sha256sums2019-03-27T20:53:41ZDaniel Kahn Gillmordkg@fifthhorseman.net2019-03-23T12:35:43Zurn:sha1:01f9c71312937011c4474688d3d1dd64c14731fb
Distribute clearsigned sha256sum file in addition to the detached
signature.
Verifies that use the sha256sum ensure that the thing signed includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.
A verifier can use something like the following (as expressed in
bash):
set -o pipefail
wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -
See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
build: ensure that SHA256_FILE is built2019-03-27T20:53:18ZDaniel Kahn Gillmordkg@fifthhorseman.net2019-03-23T12:35:42Zurn:sha1:cc8d837d5a137a14a62526dcea60af1de7a353e4
The SHA256_FILE used to be built automatically because of the makefile
dependencies.
Since b8a8dbed91d16299a8768646fb6f18181f31ec40, it isn't getting made
properly, so the release target would fail.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
build: sign tarball instead of sha256sum2019-03-12T01:28:11ZDavid Bremnerdavid@tethera.net2019-02-13T02:17:03Zurn:sha1:b8a8dbed91d16299a8768646fb6f18181f31ec40
Adam Majer pointed out in [1] the way were signing releases was
unusual. Neither Carl nor I could think of a good reason for
explicitely signing the checksum (internally of course that's what GPG
is going anyway).
[1] mid:b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de
doc: install build and install info pages2018-05-26T15:26:13ZDavid Bremnerdavid@tethera.net2018-05-21T20:08:51Zurn:sha1:7a6d4a0852664483bbba702cf3b030448b079e2c
All of the man pages are installed as info pages, plus
the (unfinished) notmuch-emacs manual
build: push additional refs during release2018-04-28T11:34:48ZDavid Bremnerdavid@tethera.net2018-04-28T11:34:48Zurn:sha1:a08c36417f1f43042ea6a44dad8ce85a7fb372b0
These currently have to be pushed by hand during a release, which
isn't a big deal, but is one more thing to remember.
fix typos2018-01-05T00:35:58ZDaniel Kahn Gillmordkg@fifthhorseman.net2018-01-02T15:32:38Zurn:sha1:54982e520c3bee74e947e311ee5b1219396fa1a8