Tobias Oetiker [Tue, 26 May 2026 15:33:34 +0000 (17:33 +0200)]
Update test fixtures for new dump timezone format (#1173)
Companion to the prior commit's switch from strftime("%Z") to ("%z") in
rrd_dump.c. Test fixtures had named-zone strings like "CET"; replace
with the corresponding numeric offsets ("+0100", "+0200"). Also update
the Windows-tz substitution in tests/functions accordingly.
Reported by @k79e.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 14:47:17 +0000 (16:47 +0200)]
Use numeric timezone in rrdtool dump XML output (#1173)
Replace %Z (locale timezone name) with %z (numeric UTC offset, e.g. +0900)
in strftime() calls inside rrd_dump_cb_r(). %Z emits the locale-encoded
timezone name which may contain non-UTF-8 bytes (e.g. CJK locales produce
bytes like 0xB1 0xB1 0xB1 0xEA), invalidating the XML file's UTF-8
declaration and causing 'rrdtool restore' to fail with
'Input is not proper UTF-8'. %z always produces ASCII digits and sign.
Reported by @k79e, fix by @oetiker.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 14:46:35 +0000 (16:46 +0200)]
Accept zero delta in libdbi /derive (#550)
When a counter is constant between two samples the delta is zero.
The previous guard `d_value > 0` treated that the same as a negative
delta (counter reset) and returned NaN instead of 0. Changing to
`d_value >= 0` preserves the counter-reset protection while correctly
returning 0.0 for a flat counter.
Reported by @bitionaire, fix by @oetiker.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 14:42:33 +0000 (16:42 +0200)]
Fix SIGFPE in rrdtool dump on crafted RRDs (#783)
When a fuzz-crafted RRD file contains an RRA with pdp_cnt == 0 or
pdp_step == 0, rrd_dump_cb_r performed a modulo operation whose
divisor could be zero, triggering a SIGFPE. Add a guard at the top
of the per-RRA loop that rejects such files with rrd_set_error()
and a clean return rather than crashing.
Reported by @rwhitworth.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 14:41:53 +0000 (16:41 +0200)]
Fix segfault when --x-grid lacks trailing date format (#1291)
When --x-grid is given a value such as 'MINUTE:1:MINUTE:5:MINUTE:30:0'
(missing the trailing colon before the date-format field), sscanf()
still returns 7 because %n is not counted in its return value, but the
%n assignment to stroff is never executed. stroff therefore kept its
uninitialized stack value; the subsequent 'stroff != 0' guard read
garbage and could cause strdup(optarg + stroff) to run with a bogus
offset, producing a segfault.
Initialise stroff = 0 at declaration so that a partial sscanf match
leaves stroff as zero, causing the condition to be false and execution
to fall through to the existing 'invalid x-grid format' error path.
Reported by @anvilvapre.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 14:13:46 +0000 (16:13 +0200)]
Fix heap buffer overflow in checkUnusedValues() (alt. to #1329)
After upgrading to 1.10.0, @ppisar caught a 1-byte heap buffer overflow
in rrd_graph_helper.c:checkUnusedValues() via glibc fortified strcat()
SIGABRT in the RRD-Simple-1.44 test suite (PR #1329 has the full
valgrind/gdb trace).
Root cause: the function tracked `len` as the running buffer size but
seeded it at 0 instead of 1, so the malloc/realloc never reserved
room for the trailing NUL. Each iteration appended `key=value` with
strncat() and then a separator with strcat(":") the strcat NUL
landed one byte past the allocation. After the loop, `res[len - 1] = 0`
"stripped the final ':'" only because the under-sizing made `len - 1`
coincidentally point at the colon rather than at the NUL the bug and
the strip were silently coupled.
PR #1329 fixes the overflow with `len = 1`, but `res[len - 1] = 0`
then no-ops on the already-NUL byte and the trailing `:` survives in
the error message ("Unused Arguments \" ... CEST\\r:\"" as @ppisar
reports). Same patch, exposed orphan line.
Refactor the function instead of patching one number:
- track `used = strlen(res)` explicitly
- size the buffer to exactly `used + sep + kvlen + 1`
- prepend `:` before all entries except the first, so the trailing
strip is gone
- use memcpy at the known offset rather than strncat (O(n) per
iteration instead of O(n) walk-to-find-NUL)
- preserve the realloc-OOM behaviour: return whatever was built
The size calculation and the string content no longer have to agree by
accident, so future readers don't have to reason about the coupling.
Tested with a standalone driver under -fsanitize=address against the
five cases the original loop handles (zero/one/many entries, mixed
flagged/unflagged, and the timestamp-with-CR string from the bug
report) no overflow, no leak.
The other failure @ppisar reported -- "Unused Arguments" appearing for
a COMMENT containing a literal `\r` -- is a separate bug in
COMMENT/scanargs handling, not addressed here.
Reported and original fix attempt in PR #1329 by @ppisar
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 26 May 2026 12:44:16 +0000 (14:44 +0200)]
Fix Perl $RRDs::VERSION monotonicity for two-digit minor releases
The numeric version encoding used `%d.%d%03d`, which produced
1.9.0 -> 1.9000 and 1.10.0 -> 1.10000. As a Perl decimal,
1.10000 < 1.9000, so any consumer comparing $RRDs::VERSION against
a literal like 1.2 silently flipped from true to false at 1.10.0,
breaking e.g. RRD-Simple's colon-escaping logic.
Switch the format string to `%d.%03d%03d` in both the autoconf macro
(configure.ac) and the release helper (conftools/bump-version.sh), and
propagate the new encoding into the Perl bindings and win32/rrd_config.h
via bump-version.sh. From 1.10.0 onward the value is monotonic
(1.009000 < 1.010000 < 1.010003 < 1.011000 < 2.000000).
This is a one-way format change: any code that tested
`$RRDs::VERSION >= 1.2` against any post-1.7 version will now see false
for every new-format release. The format could not be salvaged any
other way -- two-digit minors are not representable monotonically in
the old encoding -- so the break is unavoidable. CHANGES carries an
upgrade note.
Issue #1330 reported by @ppisar
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Petr Písař [Tue, 26 May 2026 08:46:02 +0000 (10:46 +0200)]
Fix writing past a buffer in checkUnusedValues()
After upgrading rrdtool from 1.9.0 to 1.10.0, some RRD-Simple-1.44
tests started to crash. An example with t/21synopsis.t:
$ valgrind -- perl -Ilib t/21synopsis.t
==3822== Memcheck, a memory error detector
==3822== Copyright (C) 2002-2026, and GNU GPL'd, by Julian Seward et al.
==3822== Using Valgrind-3.27.1 and LibVEX; rerun with -h for copyright info
==3822== Command: perl -Ilib t/21synopsis.t
==3822==
1..7
ok 1 - new
ok 2 - create
ok 3 - update
ok 4 - last
ok 5 - sources
*** buffer overflow detected ***: terminated
==3822==
==3822== Process terminating with default action of signal 6 (SIGABRT): dumping core
==3822== at 0x4D27E9C: __pthread_kill_implementation (pthread_kill.c:44)
==3822== by 0x4CCCECD: raise (raise.c:26)
==3822== by 0x4CB4432: abort (abort.c:77)
==3822== by 0x4CB5483: __libc_message_impl.cold (libc_fatal.c:138)
==3822== by 0x4DB564F: __libc_message_wrapper (stdio.h:203)
==3822== by 0x4DB564F: __fortify_fail (fortify_fail.c:24)
==3822== by 0x4DB4FE3: __chk_fail (chk_fail.c:28)
==3822== by 0x4DB6ABA: __strcat_chk (strcat_chk.c:34)
==3822== by 0x66D0C56: strcat (string_fortified.h:152)
==3822== by 0x66D0C56: checkUnusedValues (rrd_graph_helper.c:148)
==3822== by 0x66D0C56: rrd_graph_script (rrd_graph_helper.c:2075)
==3822== by 0x66C3A41: rrd_graph_v (rrd_graph.c:4740)
==3822== by 0x66C823A: rrd_graph (rrd_graph.c:4635)
==3822== by 0x668B86A: XS_RRDs_graph (RRDs.xs:407)
==3822== by 0x494DB80: Perl_rpp_invoke_xs (inline.h:1176)
==3822== by 0x494DB80: Perl_pp_entersub (pp_hot.c:6558)
It looks that strcat() did not like its arguments. checkUnusedValues() did:
After reading checkUnusedValues() code, I believe that it is a bug in
that function:
"res" variable is allocated to exactly accommodate pa->kv_args[i].keyvalue (see
"res = malloc(len);" where len is one byte more than strlen() of keyvalue
string), that is a content of keyvalue and a trailing null byte. Then the
content including the trailing null is copied there with strncat(). And
finally, strcat() is called to append ":". This call writes to the last byte of
"res" buffer the colon and then writes a trailing null byte past the buffer.
This probably triggers the abort.
This patch fixes the buffer overflow by initializing the "len"
variable to 1, i.e. to count the trailing null byte.
After applying this fix the RRD-Simple-1.44 tests do not crash with
the glibc SIGABORT anymore. Instead they fail with:
Unused Arguments " Tue 26/May/2026 12:08:05 CEST\r:" in command : COMMENT:Graph last updated: Tue 26/May/2026 12:08:05 CEST\r at t/21synopsis.t line 49.
Tobias Oetiker [Mon, 25 May 2026 21:09:47 +0000 (23:09 +0200)]
Detect nroff -Wbreak support at configure time
The doc-to-text rule unconditionally passes -Wbreak to nroff, but
-Wbreak is a GNU groff extension. BSD-derived nroff (e.g. macOS
/usr/bin/nroff) rejects it with "invalid option -Wbreak" and aborts
the build.
Feature-test the flag at configure time and substitute the result
into doc/Makefile.am via @NROFF_WBREAK@, so groff users keep the
warning suppression and BSD-nroff users get a working build.
Fixes #1323
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Mon, 25 May 2026 11:45:34 +0000 (13:45 +0200)]
Keep Y-axis label precision when gridstep is sub-integer (#1326)
When SI scaling produces a fractional gridstep (e.g. 0.1 G for values
around 10 G+) but MaxY >= 10, the classic gridder formatted labels with
%4.0f and rounded neighbouring labels (10.0, 10.2, 10.4 G ...) to the
same integer, producing duplicate Y-axis labels on tall graphs.
Extend the existing 'MaxY < 10' precision check to also trigger when
scaledstep * labfact < 1 (sub-integer label step) at all three label
formatting sites: no-SI, with-SI, and the second axis.
Also bump im->unitslength inside calc_horizontal_grid for the classic
branch, mirroring the existing ALTYGRID code path, so the label column
is sized appropriately when the call order is eventually reworked.
Adds tests/graph4 as a regression test that verifies Y-axis labels are
unique via pdftotext when pdftotext is available.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 18:58:05 +0000 (20:58 +0200)]
build: detect python headers via sysconfig, not which/python-config
AM_CHECK_PYTHON_HEADERS located python-config with `which`, which is
absent from minimal build containers such as AlmaLinux 8. The fallback
then guessed the include dir as .../include/pythonX.Y -- wrong for
Python <= 3.7, whose headers carry the "m" ABI suffix (EL8 ships them
in /usr/include/python3.6m). The check failed, configure disabled the
python binding, and the EL8 rpm silently shipped without it -- caught
now only because the verify step gained an `import rrdtool` test.
Ask the interpreter for its include directory via sysconfig instead:
correct for every CPython version and ABI, with no dependency on a
python-config binary or `which` being on PATH.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 16:51:11 +0000 (18:51 +0200)]
build: track the python wheel with a stamp file
The python: target rebuilt the wheel unconditionally on every `make`,
including the implicit `all` that `make install` and `make check` both
depend on. A `sudo make install` therefore re-ran bdist_wheel as root
and left root-owned build/, dist/ and rrdtool.egg-info/ in the source
tree, which the next non-root `make check` could not remove -- the
unconditional `rm -rf` failed with "Permission denied" and broke CI.
Drive the build from a wheel.stamp file that depends on the python
sources, so `all` rebuilds the wheel only when a source actually
changed and re-runs are a no-op -- matching how the perl and ruby
targets already stay idempotent.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 16:13:30 +0000 (18:13 +0200)]
build: install the Python binding as a wheel via pip
setup.py install was removed in setuptools 80. Build the binding as a
wheel (setup.py bdist_wheel) and install it with pip into a fixed,
distribution-independent directory ($libdir/python3/site-packages),
replacing both the removed command and Debian's "local/" install
scheme that made the module land in an inconsistent location.
The extension RPATH now comes from the RRDTOOL_RPATH environment
variable, so no build_ext --rpath flag is needed. rrdtool-env.sh points
PYTHONPATH at the fixed directory, and the rpm and deb release jobs
gain python3-pip/python3-wheel build deps plus an `import rrdtool`
runtime smoke test.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 16:13:01 +0000 (18:13 +0200)]
ci: include the Lua binding in the .deb packages
The build-deb job installed liblua5.1-0-dev but no Lua interpreter, so
configure's AC_PATH_PROG(LUA, lua) found nothing and silently skipped
the binding -- every .deb shipped without it. Install lua5.4 and
liblua5.4-dev and symlink /usr/bin/lua, so configure detects Lua and
its $LUA matches the lua5.4.pc prefix (needed before it trusts the
pkg-config flags).
Also add a staged-tree check that fails the release if any compiled
binding -- Perl, Python, Tcl or Lua -- is missing, so a silent skip
can no longer slip into a release unnoticed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 16:12:36 +0000 (18:12 +0200)]
ci: ship debuginfo and debugsource RPMs in releases
rpmbuild already produces rrdtool-1-opt-debuginfo and -debugsource
packages -- configure's default CFLAGS carry -g, so find-debuginfo has
symbols to extract -- but the collect step copied only the main package
through a version-specific glob. Widen it to every binary rpm in
RPMS/x86_64; the .src.rpm lives under SRPMS and stays excluded.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
AC_TRY_LINK_FUNC in ACX_PTHREAD is left as-is: current autoconf does
not flag it as obsolete, and rewriting load-bearing pthread detection
for no warning reduction is not worth the risk.
Verified with a full bootstrap + build: detection results are
unchanged (HAVE_TM_GMTOFF, HAVE_ISFINITE, HAVE_SIGWAIT, HAVE_SYS_TIME_H
all still defined). The only obsolete-macro warnings now remaining
originate inside the bundled gettext m4 (AM_GNU_GETTEXT), which is
regenerated by autopoint and not ours to edit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 08:20:12 +0000 (10:20 +0200)]
build: modernize obsolete autoconf macros in configure.ac
Replace obsolete autoconf macros that newer autoconf warns about:
- AC_PREREQ(2.59) -> AC_PREREQ([2.69]) (quoted; 2.69 is the autoconf
shipped by AlmaLinux 8, the oldest distro in the release matrix)
- AC_PROG_LIBTOOL -> LT_INIT
- AC_TRY_RUN / AC_TRY_COMPILE -> AC_RUN_IFELSE / AC_COMPILE_IFELSE
- drop AC_HEADER_STDC and AC_HEADER_TIME (obsolete: every supported
platform is standard-C and can include <sys/time.h> and <time.h>
together)
rrd_config_bottom.h relied on the STDC_HEADERS and TIME_WITH_SYS_TIME
defines those macros produced, so collapse the now-dead branches:
string.h is included unconditionally, and sys/time.h is gated on
HAVE_SYS_TIME_H. AC_HEADER_TIME used to pull in sys/time.h on its own,
so add sys/time.h to AC_CHECK_HEADERS — otherwise HAVE_SYS_TIME_H is
never defined and gettimeofday loses its declaration.
Remaining obsolete-macro warnings originate in the bundled gettext m4
and in m4/acinclude.m4; those are left for a separate change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Tue, 19 May 2026 08:09:17 +0000 (10:09 +0200)]
ci(release): fix RPM python binding and DEB libxml2 dep on new distros
Two release-blocking failures surfaced when the package matrix gained
AlmaLinux 10 and Ubuntu 26.04:
- AlmaLinux 10 (Python 3.12) no longer bundles setuptools with
python3-devel, so the python binding failed with 'The setup requires
setuptools'. Add python3-setuptools to the RPM build-dep list; it is
harmless on EL8/EL9 and needed on Fedora too.
- Ubuntu 26.04 bumped libxml2 to 2.14 and renamed the runtime package
from 'libxml2' to 'libxml2-16'. Make the fpm dependency an
alternative ('libxml2-16 | libxml2') so apt resolves it on every
distro in the matrix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Mon, 18 May 2026 14:59:47 +0000 (16:59 +0200)]
ci: upgrade all GitHub Actions to latest major versions
Sweep every workflow so no action trails its latest major (most also
clears the Node.js 20 deprecation warnings):
* actions/upload-artifact v6 -> v7 (release, build-test-linux)
* johnwason/vcpkg-action v7 -> v8 (ci-workflow; release was
already bumped)
* codecov/codecov-action v5 -> v6 (code-coverage; v6 is a
pure Node.js 24 bump, the
step passes no inputs)
* github/codeql-action/autobuild v3 -> v4 (commented-out template
line, kept consistent with
the active init/analyze@v4)
Already on their latest major, left unchanged: actions/checkout@v6,
actions/download-artifact@v8, msys2/setup-msys2@v2,
ncipollo/release-action@v1, github/codeql-action/{init,analyze}@v4.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Mon, 18 May 2026 14:50:42 +0000 (16:50 +0200)]
release: relocate ruby binding into /opt; upgrade build actions
Ruby binding relocation
-----------------------
Ruby's mkmf installs the compiled extension into the interpreter's own
sitearchdir (/usr/local/lib*/ruby/site_ruby), ignoring the autoconf
--prefix. The diagnostic step from the previous run confirmed RRD.so
landed at stage/usr/local/lib/<arch>/site_ruby/RRD.so on every Debian/
Ubuntu image (and /usr/local/lib64/ruby/site_ruby on AlmaLinux) —
entirely outside /opt/rrdtool.
Consequences: fpm packages only opt/, so the .deb silently shipped
without the ruby binding; and once the check-rpaths fix lets rpmbuild
proceed, that stray file trips the unpackaged-files check.
Relocate RRD.so to /opt/rrdtool/lib/ruby/ in both the DEB workflow and
the RPM spec %install. rrdtool-env.sh already puts that directory on
RUBYLIB. The install-coexist verify steps now also `require "RRD"` to
prove the relocated binding actually loads.
Build action upgrades
---------------------
* johnwason/vcpkg-action v7 -> v8: v8 bumps its internal actions to
checkout@v6 and cache@v5, clearing the Node.js 20 deprecation
warnings on the Windows MSVC jobs. Inputs are unchanged.
* actions/download-artifact v6 -> v8: v6 still bundles Node.js 20;
v8 runs on Node.js 24.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ERROR 0002: file '/opt/rrdtool/bin/rrdtool' contains an invalid
rpath '/opt/rrdtool/lib' in [/opt/rrdtool/lib]
The previous attempt set `%global __brp_check_rpaths %{nil}`, but on
RHEL/EL the check-rpaths QA script is invoked through
`%__arch_install_post` (from redhat-rpm-config), not through the
Fedora `%__brp_check_rpaths` hook — so it kept firing and rejecting
our deliberate /opt/rrdtool/lib RPATH.
Redefine `%__arch_install_post` to run only check-buildroot, dropping
check-rpaths while keeping the buildroot-leak check. The Fedora hook
override is kept alongside so the spec stays portable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The RPM build failed in %install: RHEL's check-rpaths QA script
rejects the deliberate /opt/rrdtool/lib RPATH that our binaries need
to locate librrd. Disable it for this package with
`%global __brp_check_rpaths %{nil}` — the RPATH is intentional and is
the whole mechanism by which the /opt build avoids system linker
config.
rrdtool-env.sh.in globbed `$ROOT/lib/python*` for the Python binding,
but on RHEL-family 64-bit systems the module installs under `lib64`
(observed: /opt/rrdtool/lib64/python3.9/site-packages). Glob `lib*`
so both `lib` and `lib64` are found.
The same run also revealed Ruby's mkmf ignores --prefix and installs
RRD.so into Ruby's own tree (/usr/local/lib64/ruby/...), outside
/opt/rrdtool. RPM caught it as an unpackaged file; fpm silently drops
it, so the DEBs from that run ship with no Ruby binding at all. Add a
read-only diagnostic step to build-deb that records where RRD.so lands
and the mkmf variables behind it, so the relocation fix can be made
from data rather than guesswork. @oetiker
Tobias Oetiker [Sun, 17 May 2026 17:47:53 +0000 (19:47 +0200)]
release: fix Windows CRLF crash and RPM ps2pdf failure
The first run of the automated Release workflow failed in two jobs:
* Windows MSVC (x86/x64) — the version-bump step died with
"CHANGES: no leading 'RRDtool - master ...' block found".
actions/checkout writes CHANGES with CRLF endings on Windows
runners, defeating the LF-anchored regexes in finalize-changes.pl.
Normalize CRLF -> LF after slurping the file, and add a
.gitattributes entry forcing LF on CHANGES as defense-in-depth.
* RPM (almalinux:9) — "make dist" died with "ps2pdf: command not
found" while generating EXTRA_DIST PDFs. The minimal RPM container
has no ghostscript. The build-rpm job already depends on
build-source, which ships the canonical tarball, so download that
artifact instead of rebuilding it in-container. This matches the
job's own documented intent and drops a class of missing-dist-dep
failures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Sun, 17 May 2026 11:19:38 +0000 (13:19 +0200)]
release: name /opt package rrdtool-1-opt (concrete major version)
Use the concrete major version `1` rather than a literal `1.x`
placeholder, matching the established distro convention for
version-pinned package names (gcc-12, postgresql-15, python3). The
major version is itself the SemVer compatibility boundary, so `1`
carries the full meaning; the `x` was a constant conveying nothing a
package resolver acts on. @oetiker
Tobias Oetiker [Sun, 17 May 2026 11:15:09 +0000 (13:15 +0200)]
release: name /opt package rrdtool-1.x-opt; verify it installs
The /opt package was named `rrdtool` — identical to the distro
package. RPM and dpkg key the package database on name, so the two
could never be installed at once, contradicting the design's
coexistence goal and the package's own description.
Name it `rrdtool-1.x-opt`: distinct from the distro `rrdtool` so both
live in the package DB simultaneously, and the `1.x` series tag means
`dnf update` / `apt upgrade` stay within the backward-compatible 1.x
line rather than ever crossing a compatibility break.
build-rpm and build-deb now each end with a verification step that
installs the distro `rrdtool` AND our package, asserts both are in the
package database, runs both binaries, runs a create/update/fetch smoke
test against the /opt build, and checks the env helper puts it on
PATH. Nothing half-publishes: a failed verify fails the job, which
fails the workflow before `publish` runs. @oetiker
Tobias Oetiker [Sun, 17 May 2026 09:55:47 +0000 (11:55 +0200)]
release: authenticate publish push with RELEASE_PAT
The default GITHUB_TOKEN / github-actions[bot] cannot be placed on a
branch ruleset's bypass list, so the publish job's direct push to
master would be rejected under branch protection. Check out with a
repo-admin PAT (RELEASE_PAT) instead — the admin is on the bypass
list, and actions/checkout persists the token so the commit+tag push
and the race-check fetch both use it. @oetiker
Tobias Oetiker [Wed, 13 May 2026 13:51:09 +0000 (15:51 +0200)]
drop superpowers spec from git; ignore the dir going forward
The release-workflow design doc was a working artifact useful while
authoring the workflow, but now that the flow exists the workflow
itself (.github/workflows/release.yml + the helpers in conftools/) is
the documentation. Untrack the spec and add /docs/superpowers/ to
.gitignore so future working docs stay local.
Tobias Oetiker [Wed, 13 May 2026 09:46:45 +0000 (11:46 +0200)]
release: implement automated release workflow
Implements the design at
docs/superpowers/specs/2026-05-13-release-workflow-design.md.
A single workflow_dispatch on master computes the next SemVer (per the
release_type input), bumps every hard-coded version string in-place in
each parallel build job, produces source tarball + MSVC zips + .rpm +
.deb, and only after every build succeeds does the publish job commit
the bump, push the tag, and create a GitHub Release with all artifacts.
New / refactored files:
- .github/workflows/release.yml — six-job orchestrator (check-ci,
compute-version, build-source, build-windows, build-rpm, build-deb,
publish). check-ci asserts "Linux Build" and "Windows CI" succeeded
for the master HEAD commit (waiting up to 30m for in-progress runs)
before anything else runs.
- .github/workflows/release-source.yml, release-windows.yml — removed,
folded into release.yml.
- .github/actions/bump-version/action.yml — composite action wrapping
the shared "write VERSION + bump-version.sh + finalize-changes.pl"
block used by all five build/publish jobs.
- conftools/bump-version.sh — version-propagation logic extracted from
rrdtool-release; idempotent and accepts the version as positional arg.
- conftools/finalize-changes.pl — idempotent CHANGES rewrite (rename
leading master block to versioned, prepend fresh empty placeholder).
- conftools/rrdtool-opt.spec — minimal RPM spec for the /opt/rrdtool
build; AutoReqProv off (so distro coexistence isn't broken), no PHP
bits, single combined package.
- conftools/rrdtool-env.sh.in — sourceable shell helper that puts
/opt/rrdtool on PATH and makes Perl/Python/Tcl/Lua/Ruby bindings
discoverable to their interpreters. Installed at
/opt/rrdtool/bin/rrdtool-env.sh by both the .rpm and .deb.
- rrdtool-release — refactored to call bump-version.sh; SCP-to-james
and local sanity build kept intact for the maintainer's local flow.
Deviations from the spec (small, intent-preserving):
- finalize-changes.pl is a separate file rather than perl inlined in
every job, since the same rewrite is needed in 5 places.
- A composite action wraps the bump step for the same reason.
Things to watch on first dispatch (none verifiable without an actual
run on GitHub):
- The publish job pushes directly to master as github-actions[bot]
via `git push origin master --follow-tags`. Branch protection on
master must allow this (or the bot must be exempted), otherwise the
push step fails and no Release is created. The spec explicitly opts
for direct push over a PR-then-merge flow.
- Ubuntu 24.04 .deb runtime depends list libpng16-16 / libfreetype6;
on 24.04 the actual packages are libpng16-16t64 / libfreetype6t64,
which carry Provides aliases for the old names. Resolution should
succeed on install but is the place a 24.04 user would hit issues
if Canonical ever drops the aliases.
- The spec text says build-rpm/build-deb need build-source; the
diagram shows them parallel. Followed the text — they wait for the
source job to finish before running, which fail-fasts on tarball
problems at the cost of ~3min of parallel time.
Tobias Oetiker [Wed, 13 May 2026 08:04:04 +0000 (10:04 +0200)]
spec: defer tag-push until all builds succeed, drop continue-on-error
Address two issues:
1. continue-on-error: true on build-rpm/build-deb risked publishing a
release with missing artifacts. Removed entirely - every job must
succeed for the release to publish.
2. Reordering: tag is now pushed by the new 'publish' job AFTER all
builds (windows, rpm, deb) have succeeded. If any build fails the
workflow aborts cleanly with no tag and no commit - nothing to
undo. Previously the prepare job pushed the tag first, leaving
orphans on later failures.
Each build job now independently checks out master and runs the
idempotent bump-version.sh + CHANGES rewrite locally - no artifact-
passing for source between build jobs. This is simpler given that
every job runs in a checkout of the rrdtool-1.x repo anyway.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Wed, 13 May 2026 07:57:21 +0000 (09:57 +0200)]
spec: enable language bindings in /opt build via rrdtool's own configure
After confirming rrdtool's configure has --enable-X-site-install flags
that default to $prefix/lib/<lang> when not set, redesign the /opt
build to include language bindings without touching the system:
- Build Perl, Python, Tcl, Lua, Ruby bindings via configure's
built-in support (no *-site-install flags = local install).
- Drop /etc/ld.so.conf.d/rrdtool-opt.conf entirely. libtool bakes
RPATH=/opt/rrdtool/lib into rrdtool's own binaries. Consumers
get rpath via post-install rewrite of librrd.pc to include
-Wl,-rpath,${libdir} in Libs.
- Install /opt/rrdtool/bin/rrdtool-env.sh as a sourceable helper
setting PATH/PERL5LIB/PYTHONPATH/RUBYLIB/LUA_CPATH/TCLLIBPATH/
PKG_CONFIG_PATH so users opt in with a single line.
- Add binding -dev packages to build-deps for both RPM and DEB.
- Update risks section to reflect the new realities (bindings need
user opt-in, Python version varies by distro).
Everything still lives under /opt/rrdtool — no system files at all.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Wed, 13 May 2026 07:49:48 +0000 (09:49 +0200)]
spec: target /opt/rrdtool prefix to avoid conflicts with distro packages
After reviewing Debian's rrdtool packaging (10 subpackages, FHS-targeted)
and Fedora's spec (similar split), pivot to a simpler model:
- Install prefix is /opt/rrdtool so upstream packages coexist with
distro-maintained rrdtool packages.
- Single package per distro (no subpackage split). The /opt build
contains rrdtool, rrdupdate, rrdcgi, rrdcached, librrd.so, headers,
manpages — C tooling only.
- Language bindings are explicitly disabled in the /opt build. Distros
install bindings into FHS-canonical paths (/usr/lib/python3/...,
@INC, etc.) which our /opt paths can't satisfy without per-user env
setup; users wanting bindings install them from their distro.
- Add a new conftools/rrdtool-opt.spec (separate from the legacy
rrdtool.spec) for the /opt build.
- /etc/ld.so.conf.d/rrdtool-opt.conf is the only file outside /opt.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Wed, 13 May 2026 07:41:01 +0000 (09:41 +0200)]
spec: add RPM and DEB container builds to release workflow design
Promotes the RPM/DEB sketch into concrete jobs:
- build-rpm uses the existing rrdtool.spec via rpmbuild -ta in an
almalinux:9 container.
- build-deb uses fpm to produce a single-package .deb from a
make install DESTDIR tree, across ubuntu:22.04, ubuntu:24.04, and
debian:12 containers (because debian/ in-tree is empty).
- Both are continue-on-error so a packaging hiccup never blocks the
core source+windows release.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tobias Oetiker [Wed, 13 May 2026 07:36:11 +0000 (09:36 +0200)]
spec: design for automated release workflow
Captures the design for replacing the manual rrdtool-release script
with a workflow_dispatch-triggered GitHub Action that gates on CI,
bumps the version, finalizes CHANGES, builds source and Windows
artifacts, and publishes a single GitHub Release. Includes a sketch
for adding RPM and DEB jobs later via distro container matrices.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thomas Vincent [Mon, 13 Apr 2026 06:35:40 +0000 (23:35 -0700)]
fix(xport): use index-based guard instead of timestamp comparison
The previous `now >= im->gdes[vidx].start` guard rejected data points
where the aligned export start preceded the data source start. On Linux
the modular alignment at line 397 can place the first export row before
gdes.start, causing all data in that row to become DNAN and breaking
the xport3 test.
Replace the timestamp comparison with an index-based check: compute the
signed index first, then only use it if non-negative. This preserves
the safety against negative-index wraparound (the original motivation)
without changing output for rows at or after the data source start.
Fixes the xport3 test failure on Linux reported by @oetiker.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Thomas Vincent [Sat, 21 Mar 2026 16:06:31 +0000 (09:06 -0700)]
fix: export ABS_TOP_BUILDDIR to env for ruby extconf.rb
extconf.rb checks ENV['ABS_TOP_BUILDDIR'] to decide between
in-tree and system-installed librrd paths. The ruby target
passed these as make variables to the subsequent $(MAKE) call
but not as environment variables to $(RUBY) extconf.rb, so
the in-tree build path was never taken.
Add env before the $(RUBY) call, matching the pattern used by
the python, perl-piped, and perl-shared targets.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Thomas Vincent [Sat, 21 Mar 2026 16:05:54 +0000 (09:05 -0700)]
fix: remove broken argc overflow check in handle_request_tune
The overflow guard `(int)(SIZE_MAX / sizeof(char*))` wraps to a
negative value on 64-bit platforms, causing every positive argc
to trigger "Argument count too large". The strtol validation
already caps argc at 65536, so the redundant check is simply
removed and the malloc cast is widened to size_t.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Thomas Vincent [Wed, 11 Mar 2026 10:40:01 +0000 (03:40 -0700)]
fix: harden daemon pid parsing and error diagnostics
- check_pidfile: replace atoi with strtol for pid parsing (reject
non-numeric, overflow, and zero/negative values)
- gmtime_r fallback: include raw time value and errno for diagnostics
- send_response: log snprintf truncation at LOG_DEBUG level
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Thomas Vincent [Wed, 11 Mar 2026 03:48:20 +0000 (20:48 -0700)]
fix: add pkg-config fallback for Perl and Ruby bindings
The Perl and Ruby bindings require ABS_TOP_BUILDDIR from autotools
for in-tree builds. When building standalone (CPAN, gem install),
these vars are absent and the build fails silently.
Add a three-way branch: Windows (unchanged), in-tree (autotools vars
present), standalone (pkg-config lookup). The standalone path uses
die/abort instead of exit 0 so missing librrd is a hard error.
Fixes: https://github.com/oetiker/rrdtool-1.x/issues/1295 Fixes: https://github.com/oetiker/rrdtool-1.x/issues/1124 Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Thomas Vincent [Wed, 11 Mar 2026 05:31:39 +0000 (22:31 -0700)]
fix: escape control characters in JSON xport output (RFC 7159)
escapeJSON() only escaped '"' and '\'. RFC 7159 section 7 requires all
control characters U+0000 through U+001F to be escaped. Add the
mandatory two-character sequences (\b, \f, \n, \r, \t) and \uXXXX
for the remaining control codes.
Allocation changed from len+2 to l*6+1 (worst case: every byte
becomes \uXXXX). Truncation uses forward-tracked safe boundaries
instead of post-hoc backward scanning to avoid splitting escape
sequences mid-output.
Thomas Vincent [Wed, 11 Mar 2026 03:48:42 +0000 (20:48 -0700)]
fix: add -S short option for --step in rrdtool xport
rrdtool xport accepts --step but lacks a short form that other
rrdtool subcommands provide. Add -S as a short alias, consistent
with rrdtool graph which uses -S/--step and -s/--start.
-s is already taken by --start in xport, so -S (uppercase) is
the correct short form, matching rrd_graph_options() in rrd_graph.c.
Fixes #1103
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
projects / thirdparty / rrdtool-1.x.git / log
