Peter Wu [Tue, 21 Jan 2020 03:54:27 +0000 (03:54 +0000)]
[Minor] Debian: set BUILD_WITH_INSTALL_RPATH=ON
* Use the install RPATH to avoid relinking at install time.
* This additionally ensures reproducible builds invariant of the build
directory since build paths such as `X/src:X/contrib/replxx:...` are
no longer embedded in the binary.
* This assumes that binaries are not run at build time. If this is
needed, CMAKE_BUILD_RPATH_USE_ORIGIN=ON can be used instead (requires
CMake 3.14). For older CMake, try setting LD_LIBRARY_PATH.
Peter Wu [Tue, 21 Jan 2020 02:53:24 +0000 (02:53 +0000)]
[Minor] Make ragel-generated files independent of the parent directory
* Use relative paths for `#line` directives to allow reproducible builds
independent of the absolute build directory. For /b/rspamd/src/x.rl
and build dir /b/build, it could result in `../../build/src/x.rl`.
* The `-L` option for `Inhibit writing #line directives` is useless: it
just comments out the line with `/* ... */`, but that means that the
source file is still different.
* Note that ragel only accepts one input file, despite plural `INPUTS`.
Peter Wu [Tue, 21 Jan 2020 02:21:31 +0000 (02:21 +0000)]
[Minor] test: remove hard-coded build directory
* Reproducible build: avoid defining the BUILDROOT macro and avoid
embedding the build directory in the test image. Instead rely on the
test files being present next to the executable.
* I considered using g_test_build_filename, available since GLib 2.38
(available on all supported platforms, RHEL 7, Debian, Ubuntu, etc.),
but decided against it because it would require setting the
G_TEST_SRCDIR or G_TEST_BUILDDIR environment variables. Therefore this
patch simply parses argv0 directly.
Peter Wu [Tue, 21 Jan 2020 01:05:49 +0000 (01:05 +0000)]
[Minor] contrib/snowball: fix modules.h location
* Reproducible builds! No more absolute paths in source files, so the
generated binary is also invariant of the build directory.
* Output modules.h in snowball/libstemmer/ instead of snowball/. This
allows removal of the extra include directory and -f option.
* This partially reverts some changes in
https://github.com/snowballstem/snowball/commit/d178f201fda878c26538401650a7d46c37a5e6f1
and matches the commands in GNUmakefile.
Peter Wu [Mon, 20 Jan 2020 22:32:15 +0000 (22:32 +0000)]
[Minor] Debian: set fixfilepath reproducible build option
* Enable -ffile-prefix-map to ensure that assert statements in
contrib/libev/ev.c and other places do not store the full file path.
This ensures reproducible builds, invariant of the build directory.
Supported since dpkg 1.19.1, including Debian buster and Ubuntu 19.04.
* Enable all hardening features while at it; this adds bindnow only. See
https://manpages.debian.org/buster/dpkg-dev/dpkg-buildflags.1.en.html
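The five commits above each remove the build directory from a generated artifact (RPATH, `#line` directives, BUILDROOT, modules.h, file paths in assert statements). As an added example, not part of these commits or of the rspamd tree, this shell sketch compares two builds made in different directories and flags files that differ because they embed their own build path. The function names and the sample trees are constructed for illustration.

```shell
# Added example (not from the rspamd repository): classify the differences
# between two builds of the same source made in different directories.

# embeds_path FILE DIR: true if the literal string DIR occurs in FILE.
embeds_path() {
    LC_ALL=C grep -aqF -e "$2" "$1"
}

# compare_builds DIR_A DIR_B: print one line per file found under DIR_A:
#   same <rel>     byte-identical in both trees
#   leak <rel>     differs and embeds its own build directory
#   diff <rel>     differs for another reason (timestamps, ordering, ...)
#   missing <rel>  absent from DIR_B
# Returns 0 only when every file is identical. Pass the absolute build
# directories exactly as the build system saw them.
compare_builds() {
    a=${1%/}; b=${2%/}; rc=0
    list=$(cd "$a" && find . -type f | LC_ALL=C sort)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        rel=${rel#./}
        if [ ! -f "$b/$rel" ]; then
            echo "missing $rel"; rc=1
        elif cmp -s "$a/$rel" "$b/$rel"; then
            echo "same $rel"
        elif embeds_path "$a/$rel" "$a" || embeds_path "$b/$rel" "$b"; then
            echo "leak $rel"; rc=1
        else
            echo "diff $rel"; rc=1
        fi
    done <<EOF
$list
EOF
    return "$rc"
}

# make_sample ROOT: constructed stand-ins for two build trees. "rspamd"
# carries a build RPATH, "test.o" an assert file path, "util.o" is clean.
make_sample() {
    for d in "$1/a" "$1/b"; do
        mkdir -p "$d/src"
        printf 'ELF\0%s/src:%s/contrib/replxx\0' "$d" "$d" > "$d/rspamd"
        printf 'assert\0%s/src/x.c\0' "$d" > "$d/src/test.o"
        printf 'no paths here\n' > "$d/src/util.o"
    done
}

tmp=$(mktemp -d) && make_sample "$tmp" && { compare_builds "$tmp/a" "$tmp/b" || true; }
rm -rf "$tmp"
```

A `leak` line points at a path-embedding problem of the kind these commits address; a `diff` line means the remaining difference has another cause and needs a byte-level comparison.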
Peter Wu [Mon, 20 Jan 2020 20:43:13 +0000 (20:43 +0000)]
[Minor] Debian: update arches and versions in build dependencies
* glib 2.28 is the current minimum declared in CMakeLists.txt, but even
Jessie satisfies that requirement. Remove it.
* Use DEB_HOST_ARCH for "The Debian architecture of the host machine"
instead of DEB_TARGET_ARCH which is relevant for cross-compiling only.
* Update luajit arches based on https://packages.debian.org/sid/luajit
* Added arm64, mips64el, ppc64, ppc64el (stretch-backports / buster).
* Removed kfreebsd-i386 and 32-bit powerpc (removed in Jessie).
* Removed powerpcspe (unofficial port with outdated luajit).
* Maintained mips (removed after buster).
Peter Wu [Sat, 18 Jan 2020 20:48:28 +0000 (20:48 +0000)]
[Minor] Debian: remove unnecessary packages
dh-systemd is a transitional package and moved into debhelper, so remove
it. This is supported since Debian Stretch. This change has to be
reversed if Debian Jessie or Ubuntu Xenial have to be supported.
Peter Wu [Sat, 18 Jan 2020 18:06:55 +0000 (18:06 +0000)]
[Minor] Debian: Enable Hyperscan and parallel builds
Debian 9 (Stretch) ships with Hyperscan 4.4.1, Ubuntu 18.04 ships with
Hyperscan 4.7.0. Follow rspamd's official recommendation and enable
support for these.
The --parallel option has been supported since 2009 and works perfectly
with CMake, so enable it by default.
Peter Wu [Sat, 18 Jan 2020 16:26:39 +0000 (16:26 +0000)]
[Minor] Simplify creation of dist tarball that is reproducible
Instead of archiving files from the working tree, distribute files as
committed. Use the 'git archive' command to achieve this; it results in
a reproducible tarball with the same timestamp as the latest commit.
[Minor] do not pass invalid C warnings to C++ flags
cc1plus: warning: command line option ‘-Wno-pointer-sign’ is valid for C/ObjC but not for C++
cc1plus: warning: command line option ‘-Wstrict-prototypes’ is valid for C/ObjC but not for C++
[74/340] Building C object contrib/lua-lpeg/CMakeFiles/rspamd-lpeg.dir/lpprint.c.o
In file included from ../contrib/lua-lpeg/lpprint.c:11:
../contrib/lua-lpeg/lptypes.h:15: warning: "NDEBUG" redefined
15 | #define NDEBUG
|
<command-line>: note: this is the location of the previous definition
[75/340] Building C object contrib/lua-lpeg/CMakeFiles/rspamd-lpeg.dir/lpcap.c.o
In file included from ../contrib/lua-lpeg/lpcap.h:9,
from ../contrib/lua-lpeg/lpcap.c:9:
../contrib/lua-lpeg/lptypes.h:15: warning: "NDEBUG" redefined
15 | #define NDEBUG
|
<command-line>: note: this is the location of the previous definition
[77/340] Building C object contrib/lua-lpeg/CMakeFiles/rspamd-lpeg.dir/lpvm.c.o
In file included from ../contrib/lua-lpeg/lpcap.h:9,
from ../contrib/lua-lpeg/lpvm.c:15:
../contrib/lua-lpeg/lptypes.h:15: warning: "NDEBUG" redefined
15 | #define NDEBUG
|
<command-line>: note: this is the location of the previous definition
[79/340] Building C object contrib/lua-lpeg/CMakeFiles/rspamd-lpeg.dir/lpcode.c.o
In file included from ../contrib/lua-lpeg/lpcode.c:12:
../contrib/lua-lpeg/lptypes.h:15: warning: "NDEBUG" redefined
15 | #define NDEBUG
|
<command-line>: note: this is the location of the previous definition
[81/340] Building C object contrib/lua-lpeg/CMakeFiles/rspamd-lpeg.dir/lptree.c.o
In file included from ../contrib/lua-lpeg/lptree.c:15:
../contrib/lua-lpeg/lptypes.h:15: warning: "NDEBUG" redefined
15 | #define NDEBUG
|
<command-line>: note: this is the location of the previous definition
[Minor] silence -Wmisleading-indentation in contrib/snowball/
../contrib/snowball/compiler/analyser.c: In function ‘check_name_type’:
../contrib/snowball/compiler/analyser.c:210:19: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
210 | case 'r': if (p->type == t_routine ||
| ^~
../contrib/snowball/compiler/analyser.c:211:54: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
211 | p->type == t_external) return; break;
| ^~~~~
../contrib/snowball/compiler/analyser.c: In function ‘read_program’:
../contrib/snowball/compiler/analyser.c:859:21: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
859 | if (q->used && q->definition == 0) error4(a, q); break;
| ^~
../contrib/snowball/compiler/analyser.c:859:70: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
859 | if (q->used && q->definition == 0) error4(a, q); break;
| ^~~~~
../contrib/snowball/compiler/analyser.c:861:21: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
861 | if (q->used && q->grouping == 0) error4(a, q); break;
| ^~
../contrib/snowball/compiler/analyser.c:861:68: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
861 | if (q->used && q->grouping == 0) error4(a, q); break;
| ^~~~~
Peter Wu [Thu, 16 Jan 2020 01:11:49 +0000 (01:11 +0000)]
[Minor] Dkim_signing: correct is_skip_sign logic
If any of "sign_networks", "auth_only", or "sign_local" are disabled,
then it should not automatically proceed with signing if the enabled
conditions all fail. For example, if only the auth_only setting is
enabled, and is_authed is false, then signing should be skipped.
An earlier check luckily prevents this correctness issue from being
exploitable ("ignoring unauthenticated mail"), but fix the logic anyway.