install.sh was used for AC_PROG_INSTALL, which was removed in
4421517c55 (corresponding PR #5133).
From the manual of GNU Autoconf (version 2.73):
> Autoconf comes with a copy of ‘install-sh’ that you can use. If
> you use ‘AC_PROG_INSTALL’, you must include ‘install-sh’ in your
> distribution; otherwise ‘autoreconf’ and ‘configure’ will produce
> an error message saying they can’t find it—even if the system
> you’re on has a good ‘install’ program. This check is a safety
> measure to prevent you from accidentally leaving that file out,
> which would prevent your package from installing on systems that
> don’t have a BSD-compatible ‘install’ program.
If install-sh wasn't found, configure would check for install.sh in
srcdir. install.sh is a placeholder that does nothing; without it,
configure would abort.
Move them from the distclean target in the root Makefile.
Related commits:
* a1ff0c3fd ("testing", 2026-01-16)
* 2f6afc99d ("gcov testing", 2026-01-16)
And use it in CI.
Note: The target currently always runs sort.py for all profiles.
Before:

    $ ./ci/check/profiles/sort.py etc/inc/*.inc etc/profile*/*.profile

After:

    $ make sort-profiles

Remove what remains of the Intrusion Detection System (IDS)/fids,
`--ids` commands and the `--enable-ids` configure option.
Commands:
* `--ids-check`
* `--ids-init`
Related commits:
* 5e962ff78 ("removed IDS feature, it was never enabled by default in
  our builds", 2025-12-17)
Relates to #6995.
The `--check-level=exhaustive` option was briefly added, then changed to
`--max-ctu-depth=40`, presumably because the version being used in CI
(cppcheck 2.7 on ubuntu-22.04) did not support the former.
The current version in CI (cppcheck 2.13 on ubuntu-24.04) supports that
option, so restore it.
This fixes a flood of `information:` messages (which appear even with
`-q`) in the latest version of cppcheck:

    $ cppcheck --version
    Cppcheck 2.18.0
    $ make cppcheck
    cppcheck -q -j 4 --force --error-exitcode=1 --enable=warning,performance \
      --max-ctu-depth=40 \
      -i src/firejail/checkcfg.c \
      -i src/firejail/main.c \
      -i src/lib/syscall.c \
      .
    cppcheck: --max-ctu-depth is being capped at 10. This limitation will be removed in a future Cppcheck version.
    src/etc-cleanup/main.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
    ^
    src/fbuilder/build_bin.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
    ^
    src/fbuilder/build_fs.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
    ^
    [...]

This is a follow-up to #6874.
Related commits:
* be3c2a071 ("some problems reported by ccpcheck", 2025-08-17)
* d4881b6bc ("cppcheck cleanup", 2025-08-17)
* ebb368780 ("ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04",
  2025-08-20) / PR #6874
To avoid CI failures.
From the first run of `cppcheck_old` on commit 8f69e9841 ("bugfix:
firecfg: check full filename in check_profile() (#6674)", 2025-03-04)
[1]:
> This is a scheduled Ubuntu 20.04 brownout. Ubuntu 20.04 LTS runner
> will be removed on 2025-04-01. For more details, see
> https://github.com/actions/runner-images/issues/11101
The target depends on the cppcheck version from Ubuntu 20.04 in order to
work properly and this distribution will become EOL next month (April
2025), so just remove the target.
Added on commit 53f0b3950 ("CI: keep old cppcheck job and ignore two
files in new job that take too long to check", 2022-07-26).
[1] https://github.com/netblue30/firejail/actions/runs/13658953453/job/38185280665
To make it consistent with the standard GNU make targets.
From the manual of GNU Make (version 4.4.1-2):
> 'installcheck'
> Perform installation tests (if any). The user must build and
> install the program before running the tests. You should not
> assume that '$(bindir)' is in the search path.
Commands used to search and replace:

    $ git grep -Ilz print-version |
      xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
        's/print-version/installcheck/g' '{}')\" >'{}'"
    $ git grep -Ilz 'print version' .github/workflows |
      xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
        's/print version/make installcheck/g' '{}')\" >'{}'"

Added on commit c9531d95e ("build: add print-version target and use in
CI", 2024-02-22) / #6230.
Changes:
* Remove / after `$(DESTDIR)`
* Remove useless -c
* Use 0755 instead of 755
* Use -d after -m
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
The command below already installs it.
Added on commit 926790411 ("add basic Firejail support to AppArmor base
abstraction (#3226)", 2021-10-21) / PR #4628.
And remove the extraneous semicolon at the end of the command string.
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
Cleaning does not appear to make a difference; the same number of files
is checked with/without cleaning.
Environment: cppcheck 2.12.0-3 on Artix Linux.
Added on commit 4e22add64 ("llvm scan", 2015-11-29).
This is a follow-up to #6222.
Leave just the "install" and "install-strip" targets.
See commit 099925e18 ("added install-strip, make install now without
strip.", 2015-09-10) / PR #60 and commit 0215cbc02 ("make install, make
install-strip", 2015-09-11).
Changes:
* Use the same command from the cppcheck CI job in the cppcheck target
* Add cppcheck-old target based on the cppcheck_old CI job
* Call the make targets in CI to avoid duplicating the commands
Allow overriding the following tools at configure-time and build-time:
* codespell
* cppcheck
* gawk
* scan-build
For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:

    ./configure GAWK=/path/to/gawk

To override it for a single `make` invocation:

    make GAWK=/path/to/gawk

Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:

    $ make CPPCHECK= cppcheck-old
    [...]
    force --error-exitcode=1 --enable=warning,performance .
    make: force: No such file or directory
    $ make CPPCHECK=cppcheck cppcheck-old
    [...]
    cppcheck --force --error-exitcode=1 --enable=warning,performance .
    make: cppcheck: No such file or directory

In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to certain variables not being declared:

    dpkg-source -i -I --before-build .
    [...]
    dh_auto_clean
            make -j2 distclean
    make[1]: Entering directory '/builds/kmk3/firejail_ci'
    error: run ./configure to generate config.mk
    [...]
    rm -f contrib/syntax/files/example [...]
    rm -fr - -.tar.xz
    rm: invalid option -- '.'
    Try 'rm --help' for more information.
    make[1]: *** [Makefile:175: clean] Error 1

This amends commit 8a783cdc2 ("build: use TARNAME and remove more paths
on clean", 2023-07-29) / PR #6186.
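
Added example (not part of the commit message above and not firejail's own Makefile code): a shell sketch of how undeclared variables produce the `rm -fr - -.tar.xz` arguments seen in the log, and a guard that refuses to build them. It only prints argument lists and deletes nothing. The `$TARNAME-$VERSION` pattern is assumed from that output; the function names and the sample values `firejail` / `0.9.99` are constructed for illustration.

```shell
#!/bin/sh
# Added example: empty config.mk variables vs. a guarded clean recipe.
# Assumption: the recipe removes "$TARNAME-$VERSION" and
# "$TARNAME-$VERSION.tar.xz", inferred from the "rm -fr - -.tar.xz" output.

# Unguarded: expands the variables unconditionally, as a recipe would.
clean_args_unguarded() {
	tarname=$1 version=$2
	printf '%s %s\n' "$tarname-$version" "$tarname-$version.tar.xz"
}

# Guarded: fail when either variable is empty, and prefix each path with
# "./" so no argument can start with "-" and be parsed as an option.
clean_args_guarded() {
	tarname=$1 version=$2
	if [ -z "$tarname" ] || [ -z "$version" ]; then
		echo "error: TARNAME/VERSION unset; run ./configure first" >&2
		return 1
	fi
	printf '%s %s\n' "./$tarname-$version" "./$tarname-$version.tar.xz"
}

# True if any word in the list would be read by rm as an option, that is,
# it starts with "-" and is longer than the lone "-".
has_option_like_arg() {
	for arg in $1; do
		case $arg in
		-?*) return 0 ;;
		esac
	done
	return 1
}

# Demonstration with both variables empty (the distclean-before-configure
# case) and with constructed sample values.
echo "unguarded, empty vars: rm -fr $(clean_args_unguarded '' '')"
if args=$(clean_args_guarded '' '' 2>/dev/null); then
	echo "guarded, empty vars:   rm -fr $args"
else
	echo "guarded, empty vars:   refused"
fi
echo "guarded, sample vars:  rm -fr $(clean_args_guarded firejail 0.9.99)"
```
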