5 SPDX-License-Identifier: LGPL-2.1-or-later
12 - 8ch indent, no tabs, except for files in `man/` which are 2ch indent, and
13 still no tabs, and shell scripts, which are 4ch indent, and no tabs either.
15 - We prefer `/* comments */` over `// comments` in code you commit,
16 please. This way `// comments` are left for developers to use for local,
17 temporary commenting of code for debug purposes (i.e. uncommittable stuff),
18 making such comments easily discernible from explanatory, documenting code
19 comments (i.e. committable stuff).
21 - Don't break code lines too eagerly. We do **not** force line breaks at 80ch,
22 all of today's screens should be much larger than that. But then again, don't
23 overdo it, ~109ch should be enough really. The `.editorconfig`, `.vimrc` and
24 `.dir-locals.el` files contained in the repository will set this limit up for
25 you automatically, if you let them (as well as a few other things). Please
26 note that emacs loads `.dir-locals.el` automatically, but vim needs to be
27 configured to load `.vimrc`, see that file for instructions.
29 - If you break a function declaration over multiple lines, do it like this:
40 (i.e. use double indentation — 16 spaces — for the parameter list.)
57 - Single-line `if` blocks should not be enclosed in `{}`. Write this:
72 - Do not write `foo ()`, write `foo()`.
74 - `else` blocks should generally start on the same line as the closing `}`:
83 - Please define flags types like this:
86 typedef enum FoobarFlags {
88 FOOBAR_WALDO = 1 << 1,
94 i.e. use an enum for it, if possible. Indicate bit values via `1 <<`
95 expressions, and align them vertically. Define both an enum and a type for
98 - If you define (non-flags) enums, follow this template:
101 typedef enum FoobarMode {
107 _FOOBAR_INVALID = -EINVAL,
111 i.e. define a `_MAX` enum for the largest defined enum value, plus one. Since
112 this is not a regular enum value, prefix it with `_`. Also, define a special
113 "invalid" enum value, and set it to `-EINVAL`. That way the enum type can
114 safely be used to propagate conversion errors.
116 - If you define an enum in a public API, be extra careful, as the size of the
117 enum might change when new values are added, which would break ABI
118 compatibility. Since we typically want to allow adding new enum values to an
119 existing enum type with later API versions, please use the
120 `_SD_ENUM_FORCE_S64()` macro in the enum definition, which forces the size of
121 the enum to be signed 64bit wide.
123 - Empty lines to separate code blocks are a good thing, please add them
124 abundantly. However, please stick to one at a time, i.e. multiple empty lines
125 immediately following each other are not OK. Also, we try to keep function
126 calls and their immediate error handling together. Hence:
129 /* → empty line here is good */
130 r = some_function(…);
131 /* → empty line here would be bad */
133 return log_error_errno(r, "Some function failed: %m");
134 /* → empty line here is good */
136 - In shell scripts, do not use whitespace after the redirection operator
137 (`>some/file` instead of `> some/file`, `<<EOF` instead of `<< EOF`).
139 ## Code Organization and Semantics
141 - For our codebase we intend to use ISO C11 *with* GNU extensions (aka
142 "gnu11"). Public APIs (i.e. those we expose via `libsystemd.so`
143 i.e. `systemd/sd-*.h`) should only use ISO C89 however (with a very limited
144 set of conservative and common extensions, such as fixed size integer types
145 from `<inttypes.h>`), so that we don't force consuming programs into C11
146 mode. (This discrepancy in particular means one thing: internally we use C99
147 `bool` booleans, externally C89-compatible `int` booleans which generally
148 have different size in memory and slightly different semantics, also see
149 below.) Both for internal and external code it's OK to use even newer
150 features and GCC extension than "gnu11", as long as there's reasonable
151 fallback #ifdeffery in place to ensure compatibility is retained with older
154 - Please name structures in `PascalCase` (with exceptions, such as public API
155 structs), variables and functions in `snake_case`.
157 - Avoid static variables, except for caches and very few other cases. Think
158 about thread-safety! While most of our code is never used in threaded
159 environments, at least the library code should make sure it works correctly
160 in them. Instead of doing a lot of locking for that, we tend to prefer using
161 TLS to do per-thread caching (which only works for small, fixed-size cache
162 objects), or we disable caching for any thread that is not the main
163 thread. Use `is_main_thread()` to detect whether the calling thread is the
166 - Do not write functions that clobber call-by-reference variables on
167 failure. Use temporary variables for these cases and change the passed in
168 variables only on success. The rule is: never clobber return parameters on
169 failure, always initialize return parameters on success.
171 - Typically, function parameters fit into three categories: input parameters,
172 mutable objects, and call-by-reference return parameters. Input parameters
173 should always carry suitable "const" declarators if they are pointers, to
174 indicate they are input-only and not changed by the function. Return
175 parameters are best prefixed with "ret_", to clarify they are return
176 parameters. (Conversely, please do not prefix parameters that aren't
177 output-only with "ret_", in particular not mutable parameters that are both
178 input as well as output). Example:
181 static int foobar_frobnicate(
182 Foobar* object, /* the associated mutable object */
183 const char *input, /* immutable input parameter */
184 char **ret_frobnicated) { /* return parameter */
190 - The order in which header files are included doesn't matter too
191 much. systemd-internal headers must not rely on an include order, so it is
192 safe to include them in any order possible. However, to not clutter global
193 includes, and to make sure internal definitions will not affect global
194 headers, please always include the headers of external components first
195 (these are all headers enclosed in <>), followed by our own exported headers
196 (usually everything that's prefixed by `sd-`), and then followed by internal
197 headers. Furthermore, in all three groups, order all includes alphabetically
198 so duplicate includes can easily be detected.
200 - Please avoid using global variables as much as you can. And if you do use
201 them make sure they are static at least, instead of exported. Especially in
202 library-like code it is important to avoid global variables. Why are global
203 variables bad? They usually hinder generic reusability of code (since they
204 break in threaded programs, and usually would require locking there), and as
205 the code using them has side-effects make programs non-transparent. That
206 said, there are many cases where they explicitly make a lot of sense, and are
207 OK to use. For example, the log level and target in `log.c` is stored in a
208 global variable, and that's OK and probably expected by most. Also in many
209 cases we cache data in global variables. If you add more caches like this,
210 please be careful however, and think about threading. Only use static
211 variables if you are sure that thread-safety doesn't matter in your
212 case. Alternatively, consider using TLS, which is pretty easy to use with
213 gcc's `thread_local` concept. It's also OK to store data that is inherently
214 global in global variables, for example, data parsed from command lines, see
217 - Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are
218 incompatible with glibc it's on them. However, if there are equivalent POSIX
219 and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there
220 aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
221 implementations of libc to catch up with glibc.
223 ## Using C Constructs
225 - Allocate local variables where it makes sense: at the top of the block, or at
226 the point where they can be initialized. Avoid huge variable declaration
227 lists at the top of the function.
229 As an exception, `int r` is typically used for a local state variable, but
230 should almost always be declared as the last variable at the top of the
242 uint64_t b = a + 1, c;
244 r = foobarify(a, b, &c);
248 const char *pretty = prettify(a, b, c);
253 - Do not mix multiple variable definitions with function invocations or
254 complicated expressions:
274 - Use `goto` for cleaning up, and only use it for that. I.e. you may only jump
275 to the end of a function, and little else. Never jump backwards!
277 - To minimize strict aliasing violations, we prefer unions over casting.
279 - Instead of using `memzero()`/`memset()` to initialize structs allocated on
280 the stack, please try to use c99 structure initializers. It's short, prettier
281 and actually even faster at execution. Hence:
299 - To implement an endless loop, use `for (;;)` rather than `while (1)`. The
300 latter is a bit ugly anyway, since you probably really meant `while
301 (true)`. To avoid the discussion what the right always-true expression for an
302 infinite while loop is, our recommendation is to simply write it without any
303 such expression by using `for (;;)`.
305 - To determine the length of a constant string `"foo"`, don't bother with
306 `sizeof("foo")-1`, please use `strlen()` instead (both gcc and clang optimize
307 the call away for fixed strings). The only exception is when declaring an
308 array. In that case use `STRLEN()`, which evaluates to a static constant and
309 doesn't force the compiler to create a VLA.
311 - Please use C's downgrade-to-bool feature only for expressions that are
312 actually booleans (or "boolean-like"), and not for variables that are really
313 numeric. Specifically, if you have an `int b` and it's only used in a boolean
314 sense, by all means check its state with `if (b) …` — but if `b` can actually
315 have more than two semantic values, and you want to compare for non-zero,
316 then please write that explicitly with `if (b != 0) …`. This helps readability
317 as the value range and semantical behaviour is directly clear from the
318 condition check. As a special addition: when dealing with pointers which you
319 want to check for non-NULL-ness, you may also use downgrade-to-bool feature.
321 - Please do not use yoda comparisons, i.e. please prefer the more readable `if
322 (a == 7)` over the less readable `if (7 == a)`.
326 - The destructors always deregister the object from the next bigger object, not
327 the other way around.
329 - For robustness reasons, destructors should be able to destruct
330 half-initialized objects, too.
332 - When you define a destructor or `unref()` call for an object, please accept a
333 `NULL` object and simply treat this as NOP. This is similar to how libc
334 `free()` works, which accepts `NULL` pointers and becomes a NOP for them. By
335 following this scheme a lot of `if` checks can be removed before invoking
336 your destructor, which makes the code substantially more readable and robust.
338 - Related to this: when you define a destructor or `unref()` call for an
339 object, please make it return the same type it takes and always return `NULL`
340 from it. This allows writing code like this:
346 which will always work regardless if `p` is initialized or not, and
347 guarantees that `p` is `NULL` afterwards, all in just one line.
349 ## Common Function Naming
351 - Name destructor functions that destroy an object in full freeing all its
352 memory and associated resources (and thus invalidating the pointer to it)
353 `xyz_free()`. Example: `strv_free()`.
355 - Name destructor functions that destroy only the referenced content of an
356 object but leave the object itself allocated `xyz_done()`. If it resets all
357 fields so that the object can be reused later call it `xyz_clear()`.
359 - Functions that decrease the reference counter of an object by one should be
360 called `xyz_unref()`. Example: `json_variant_unref()`. Functions that
361 increase the reference counter by one should be called `xyz_ref()`. Example:
366 - Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There are
367 some exceptions: for constructors, it is OK to return `NULL` on OOM. For
368 lookup functions, `NULL` is fine too for "not found".
370 Be strict with this. When you write a function that can fail due to more than
371 one cause, it *really* should have an `int` as the return value for the error
374 - libc system calls typically return -1 on error (with the error code in
375 `errno`), and >= 0 on success. Use the RET_NERRNO() helper if you are looking
376 for a simple way to convert this libc style error returning into systemd
377 style error returning. e.g.
381 r = RET_NERRNO(unlink(t));
389 r = RET_NERRNO(open("/some/file", O_RDONLY|O_CLOEXEC));
393 - Do not bother with error checking whether writing to stdout/stderr worked.
395 - Do not log errors from "library" code, only do so from "main program"
396 code. (With one exception: it is OK to log with DEBUG level from any code,
397 with the exception of maybe inner loops).
399 - In public API calls, you **must** validate all your input arguments for
400 programming error with `assert_return()` and return a sensible return
401 code. In all other calls, it is recommended to check for programming errors
402 with a more brutal `assert()`. We are more forgiving to public users than for
403 ourselves! Note that `assert()` and `assert_return()` really only should be
404 used for detecting programming errors, not for runtime errors. `assert()` and
405 `assert_return()` by usage of `_likely_()` inform the compiler that it should
406 not expect these checks to fail, and they inform fellow programmers about the
407 expected validity and range of parameters.
409 - When you invoke certain calls like `unlink()`, or `mkdir_p()` and you know it
410 is safe to ignore the error it might return (because a later call would
411 detect the failure anyway, or because the error is in an error path and you
412 thus couldn't do anything about it anyway), then make this clear by casting
413 the invocation explicitly to `(void)`. Code checks like Coverity understand
414 that, and will not complain about ignored error codes. Hence, please use
418 (void) unlink("/foo/bar/baz");
421 instead of just this:
424 unlink("/foo/bar/baz");
427 When returning from a `void` function, you may also want to shorten the error
428 path boilerplate by returning a function invocation cast to `(void)` like so:
431 if (condition_not_met)
432 return (void) log_tests_skipped("Cannot run ...");
435 Don't cast function calls to `(void)` that return no error
436 conditions. Specifically, the various `xyz_unref()` calls that return a
437 `NULL` object shouldn't be cast to `(void)`, since not using the return value
438 does not hide any errors.
440 - When returning a return code from `main()`, please preferably use
441 `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc.
445 - For every function you add, think about whether it is a "logging" function or
446 a "non-logging" function. "Logging" functions do (non-debug) logging on their
447 own, "non-logging" functions never log on their own (except at debug level)
448 and expect their callers to log. All functions in "library" code, i.e. in
449 `src/shared/` and suchlike must be "non-logging". Every time a "logging"
450 function calls a "non-logging" function, it should log about the resulting
451 errors. If a "logging" function calls another "logging" function, then it
452 should not generate log messages, so that log messages are not generated
453 twice for the same errors. (Note that debug level logging — at syslog level
454 `LOG_DEBUG` — is not considered logging in this context, debug logging is
455 generally always fine and welcome.)
457 - If possible, do a combined log & return operation:
462 return log_(error|warning|notice|...)_errno(r, "Failed to ...: %m");
465 If the error value is "synthetic", i.e. it was not received from
466 the called function, use `SYNTHETIC_ERRNO` wrapper to tell the logging
467 system to not log the errno value, but still return it:
470 n = read(..., s, sizeof s);
472 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to read ...");
477 - Always check OOM. There is no excuse. In program code, you can use
478 `log_oom()` for then printing a short message, but not in "library" code.
480 - Avoid fixed-size string buffers, unless you really know the maximum size and
481 that maximum size is small. It is often nicer to use dynamic memory,
482 `alloca_safe()` or VLAs. If you do allocate fixed-size strings on the stack,
483 then it is probably only OK if you either use a maximum size such as
484 `LINE_MAX`, or count in detail the maximum size a string can
485 have. (`DECIMAL_STR_MAX` and `DECIMAL_STR_WIDTH` macros are your friends for
488 Or in other words, if you use `char buf[256]` then you are likely doing
491 - Make use of `_cleanup_free_` and friends. It makes your code much nicer to
494 - Do not use `alloca()`, `strdupa()` or `strndupa()` directly. Use
495 `alloca_safe()`, `strdupa_safe()` or `strndupa_safe()` instead. (The
496 difference is that the latter include an assertion that the specified size is
497 below a safety threshold, so that the program rather aborts than runs into
498 possible stack overruns.)
500 - Use `alloca_safe()`, but never forget that it is not OK to invoke
501 `alloca_safe()` within a loop or within function call
502 parameters. `alloca_safe()` memory is released at the end of a function, and
503 not at the end of a `{}` block. Thus, if you invoke it in a loop, you keep
504 increasing the stack pointer without ever releasing memory again. (VLAs have
505 better behavior in this case, so consider using them as an alternative.)
506 Regarding not using `alloca_safe()` within function parameters, see the BUGS
507 section of the `alloca(3)` man page.
509 - If you want to concatenate two or more strings, consider using `strjoina()`
510 or `strjoin()` rather than `asprintf()`, as the latter is a lot slower. This
511 matters particularly in inner loops (but note that `strjoina()` cannot be
516 - Avoid leaving long-running child processes around, i.e. `fork()`s that are
517 not followed quickly by an `execv()` in the child. Resource management is
518 unclear in this case, and memory CoW will result in unexpected penalties in
519 the parent much, much later on.
521 - Don't block execution for arbitrary amounts of time using `usleep()` or a
522 similar call, unless you really know what you do. Just "giving something some
523 time", or so is a lazy excuse. Always wait for the proper event, instead of
524 doing time-based poll loops.
526 - Whenever installing a signal handler, make sure to set `SA_RESTART` for it,
527 so that interrupted system calls are automatically restarted, and we minimize
528 hassles with handling `EINTR` (in particular as `EINTR` handling is pretty
531 - When applying C-style unescaping as well as specifier expansion on the same
532 string, always apply the C-style unescaping first, followed by the specifier
533 expansion. When doing the reverse, make sure to escape `%` in specifier-style
534 first (i.e. `%` → `%%`), and then do C-style escaping where necessary.
536 - Be exceptionally careful when formatting and parsing floating point
537 numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is generally
538 understood as 5, while in de_DE as 5000.).
540 - Make sure to enforce limits on every user controllable resource. If the user
541 can allocate resources in your code, your code must enforce some form of
542 limits after which it will refuse operation. It's fine if it is hard-coded
543 (at least initially), but it needs to be there. This is particularly
544 important for objects that unprivileged users may allocate, but also matters
545 for everything else any user may allocate.
549 - Think about the types you use. If a value cannot sensibly be negative, do not
550 use `int`, but use `unsigned`.
552 - Use `char` only for actual characters. Use `uint8_t` or `int8_t` when you
553 actually mean a byte-sized signed or unsigned integers. When referring to a
554 generic byte, we generally prefer the unsigned variant `uint8_t`. Do not use
555 types based on `short`. They *never* make sense. Use `int`, `long`, `long
556 long`, all in unsigned and signed fashion, and the fixed-size types
557 `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t`
558 and so on, as well as `size_t`, but nothing else. Do not use kernel types
559 like `u32` and so on, leave that to the kernel.
561 - Stay uniform. For example, always use `usec_t` for time values. Do not mix
562 `usec` and `msec`, and `usec` and whatnot.
564 - Never use the `off_t` type, and particularly avoid it in public APIs. It's
565 really weirdly defined, as it usually is 64-bit and we don't support it any
566 other way, but it could in theory also be 32-bit. Which one it is depends on
567 a compiler switch chosen by the compiled program, which hence corrupts APIs
568 using it unless they can also follow the program's choice. Moreover, in
569 systemd we should parse values the same way on all architectures and cannot
570 expose `off_t` values over D-Bus. To avoid any confusion regarding conversion
571 and ABIs, always use simply `uint64_t` directly.
573 - Unless you allocate an array, `double` is always a better choice than
574 `float`. Processors speak `double` natively anyway, so there is no speed
575 benefit, and on calls like `printf()` `float`s get promoted to `double`s
576 anyway, so there is no point.
578 - Use the bool type for booleans, not integers. One exception: in public
579 headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool`
580 is C99 and in our public APIs we try to stick to C89 (with a few extensions;
585 - Do not issue NSS requests (that includes user name and hostname lookups)
586 from PID 1 as this might trigger deadlocks when those lookups involve
587 synchronously talking to services that we would need to start up.
589 - Do not synchronously talk to any other service from PID 1, due to risk of
594 - When you allocate a file descriptor, it should be made `O_CLOEXEC` right from
595 the beginning, as none of our files should leak to forked binaries by
596 default. Hence, whenever you open a file, `O_CLOEXEC` must be specified,
597 right from the beginning. This also applies to sockets. Effectively, this
598 means that all invocations to:
600 - `open()` must get `O_CLOEXEC` passed,
601 - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed,
602 - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set,
603 - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on,
604 - invocations of `fopen()` should take `e`.
606 - It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files,
607 i.e. file system objects that are supposed to be regular files whose paths
608 were specified by the user and hence might actually refer to other types of
609 file system objects. This is a good idea so that we don't end up blocking on
610 'strange' file nodes, for example, if the user pointed us to a FIFO or device
611 node which may block when opening. Moreover even for actual regular files
612 `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in
613 effect on the regular file. If in doubt consider turning off `O_NONBLOCK`
618 - If you parse a command line, and want to store the parsed parameters in
619 global variables, please consider prefixing their names with `arg_`. We have
620 been following this naming rule in most of our tools, and we should continue
621 to do so, as it makes it easy to identify command line parameter variables,
622 and makes it clear why it is OK that they are global variables.
624 - Command line option parsing:
625 - Do not print full `help()` on error, be specific about the error.
626 - Do not print messages to stdout on error.
627 - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string.
631 - Variables and functions **must** be static, unless they have a prototype, and
632 are supposed to be exported.
634 - Public API calls (i.e. functions exported by our shared libraries)
635 must be marked `_public_` and need to be prefixed with `sd_`. No
636 other functions should be prefixed like that.
638 - When exposing public C APIs, be careful what function parameters you make
639 `const`. For example, a parameter taking a context object should probably not
640 be `const`, even if you are writing an otherwise read-only accessor function
641 for it. The reason is that making it `const` fixates the contract that your
642 call won't alter the object ever, as part of the API. However, that's often
643 quite a promise, given that this even prohibits object-internal caching or
644 lazy initialization of object variables. Moreover, it's usually not too
645 useful for client applications. Hence, please be careful and avoid `const` on
646 object parameters, unless you are very sure `const` is appropriate.
648 ## Referencing Concepts
650 - When referring to a configuration file option in the documentation and such,
651 please always suffix it with `=`, to indicate that it is a configuration file
654 - When referring to a command line option in the documentation and such, please
655 always prefix with `--` or `-` (as appropriate), to indicate that it is a
658 - When referring to a file system path that is a directory, please always
659 suffix it with `/`, to indicate that it is a directory, not a regular file
660 (or other file system object).
662 ## Functions to Avoid
664 - Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)`
666 - Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where
667 applicable (i.e. wherever you just care about equality/inequality, not about
670 - Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`,
671 `safe_atou32()` and suchlike instead. They are much nicer to use in most
672 cases and correctly check for parsing errors.
674 - `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()`
675 and `htobe16()` instead, it's much more descriptive, and actually says what
676 really is happening, after all `htonl()` and `htons()` don't operate on
677 `long`s and `short`s as their name would suggest, but on `uint32_t` and
678 `uint16_t`. Also, "network byte order" is just a weird name for "big endian",
679 hence we might want to call it "big endian" right-away.
681 - Use `typesafe_inet_ntop()`, `typesafe_inet_ntop4()`, and
682 `typesafe_inet_ntop6()` instead of `inet_ntop()`. But better yet, use the
683 `IN_ADDR_TO_STRING()`, `IN4_ADDR_TO_STRING()`, and `IN6_ADDR_TO_STRING()`
684 macros which allocate an anonymous buffer internally.
686 - Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)` instead. For
687 two reasons: first, you want `O_CLOEXEC` set on the new `fd` (see
688 above). Second, `dup()` will happily duplicate your `fd` as 0, 1, 2,
689 i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the special
690 semantics of those `fd`s, it's probably a good idea to avoid
691 them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them.
693 - Don't use `fgets()`, it's too hard to properly handle errors such as overly
694 long lines. Use `read_line()` instead, which is our own function that handles
695 this much more nicely.
697 - Don't invoke `exit()`, ever. It is not replacement for proper error
698 handling. Please escalate errors up your call chain, and use normal `return`
699 to exit from the main function of a process. If you `fork()`ed off a child
700 process, please use `_exit()` instead of `exit()`, so that the exit handlers
703 - Do not use `basename()` or `dirname()`. The semantics in corner cases are
704 full of pitfalls, and the fact that there are two quite different versions of
705 `basename()` (one POSIX and one GNU, of which the latter is much more useful)
706 doesn't make it better either. Use path_extract_filename() and
707 path_extract_directory() instead.
709 - Never use `FILENAME_MAX`. Use `PATH_MAX` instead (for checking maximum size
710 of paths) and `NAME_MAX` (for checking maximum size of filenames).
711 `FILENAME_MAX` is not POSIX, and is a confusingly named alias for `PATH_MAX`
712 on Linux. Note that `NAME_MAX` does not include space for a trailing `NUL`,
713 but `PATH_MAX` does. UNIX FTW!
717 - Commit message subject lines should be prefixed with an appropriate component
718 name of some kind. For example, "journal: ", "nspawn: " and so on.
720 - Do not use "Signed-Off-By:" in your commit messages. That's a kernel thing we
721 don't do in the systemd project.
725 - The best place for code comments and explanations is in the code itself. Only
726 the second best is in git commit messages. The worst place is in the GitHub
727 PR cover letter. Hence, whenever you type a commit message consider for a
728 moment if what you are typing there wouldn't be a better fit for an in-code
729 comment. And if you type the cover letter of a PR, think hard if this
730 wouldn't be better as a commit message or even code comment. Comments are
731 supposed to be useful for somebody who reviews the code, and hence hiding
732 comments in git commits or PR cover letters makes reviews unnecessarily
733 hard. Moreover, while we rely heavily on GitHub's project management
734 infrastructure we'd like to keep everything that can reasonably be kept in
735 the git repository itself in the git repository, so that we can theoretically
736 move things elsewhere with the least effort possible.
738 - It's OK to reference GitHub PRs, GitHub issues and git commits from code
739 comments. Cross-referencing code, issues, and documentation is a good thing.
741 - Reasonable use of non-ASCII Unicode UTF-8 characters in code comments is
742 welcome. If your code comment contains an emoji or two this will certainly
743 brighten the day of the occasional reviewer of your code. Really! 😊