1. Forum
  2. DOVE-Net
  3. Synchronet Programming

  • 3rdp/build/GNUmakefile src/build/Common.gmake src/ssh/CMakeLists.txt s

    From Deuc¨@VERT to Git commit to main/sbbs/master on Thu Apr 30 10:38:25 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/99ed96c92394c623d5daf8a3
    Modified Files:
    3rdp/build/GNUmakefile src/build/Common.gmake src/ssh/CMakeLists.txt src/ssh/kex/libcrux_mlkem768_sha3.h src/syncterm/GNUmakefile
    Log Message:
    SyncTERM: macOS universal vendored-Botan + DeuceSSH pipeline

    Existing FAT=1 nightly build threaded -arch x86_64 -arch arm64 through SyncTERM's own CFLAGS but couldn't carry the same intent into the vendored-Botan recipe (Botan's configure.py emits per-arch intrinsic
    .cpp files only for the configured --cpu) or DeuceSSH (a CMake
    subproject that doesn't see the FAT cascade).

    Two flags compose:

    - FAT=1 alone: each slice picks its host's natural microarch defaults.
    Fine for a developer making a fat build for local testing.
    - MACOS_PORTABLE=1 alone: single-arch redistribution; pins
    -march=skylake on x86_64 hosts (oldest microarch macOS 13 boots on)
    and -mcpu=apple-m1 on arm64 hosts (only arm64 CPU macOS 13 supports;
    M2/M3/M4 are supersets).
    - FAT=1 MACOS_PORTABLE=1: universal binary with per-slice floors via
    -Xarch_x86_64 -march=skylake -Xarch_arm64 -mcpu=apple-m1. The
    intent of the existing nightly script.

    3rdp/build/GNUmakefile: when os=darwin && FAT, set BOTAN_FAT and run
    the recipe twice Ä extract Botan.tar.xz into per-arch source trees,
    configure each with --cpu=<arch> --cc-abi-flags='-arch <arch> [floor] [-mmacosx-version-min=...]', build, install the x86_64 slice, then
    lipo-merge the two libbotan-3.a archives over the installed copy.
    Headers + pkgconfig are arch-independent so the install-once is fine.
    Common configure flags shared between fat and non-fat paths via
    BOTAN_CFG_BASE so neither drifts.

    src/build/Common.gmake: MACOS_PORTABLE adds -Xarch_<arch>-prefixed
    microarch flags to CFLAGS/LDFLAGS when paired with FAT, or host-arch
    flags otherwise.

    src/syncterm/GNUmakefile: new darwin branch in the DeuceSSH cmake
    toolchain args adds -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" (quoted
    to survive the recipe's shell), per-slice floor flags, and -DCMAKE_OSX_DEPLOYMENT_TARGET=<MIN_MAC_OSX_VERSION>. Both the
    parse-time deferred-config probe and the recipe-time cmake invocation
    now explicitly forward PKG_CONFIG_PATH; build/botan.gmake's
    make-level `export` doesn't reach $(shell ...) calls and didn't reach
    the recipe's child shell on darwin either.

    src/ssh/CMakeLists.txt: probes that decide which compiler flags get
    into DEUCESSH_COMPILE_OPTIONS now run with -Werror=unused-command- line-argument always (was only when -Werror was already on, which is Debug-only). AppleClang accepts a number of GCC-style hardening
    flags (-fstack-clash-protection, -fstrict-flex-arrays, ...) but
    treats them as no-ops, so plain check_c_compiler_flag returned
    HAVE_X=YES for flags the binary got none of. The strict probe
    correctly drops them.

    src/ssh/kex/libcrux_mlkem768_sha3.h: two narrowing fixes for warnings AppleClang flags that GCC doesn't. `~value0` (uint16_t promoted to
    int by ~) cast back to uint16_t at the wrapping_add() call; `-zetaN`
    (int16_t promoted to int by negation) cast back to int16_t at the
    four ntt_multiply_binomials() calls. Note: this header is vendored
    from OpenBSD's libcrux extraction Ä if it gets re-extracted the
    patches need re-applying (or upstreaming).

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net