switch gotd from chroot(2) to unveil(2) In the future, gotd will fork+exec new processes for each client connection. Using unveil instead of chroot avoids having to start such processes as root. The -portable version could use chroot(2) where no equivalent to unveil(2) exists. A future component which starts new processes will be isolated as a separate process, which could run as root in the -portable version. ok op@

add a gotd "listen" process which watches the unix socket ok op@

fix gotd startup without any -v options

rename GOTD_SOCK_FILENO to GOTD_FILENO_MSG_PIPE for clarity (it's not a socket)

tedu Ted's copyright added to gotd.c by accident; doas-derived code is in auth.c

fix group membership check in gotd auth ok op@

implement per-repository read/write authorization rules in gotd ok op@

gotd: Don't include stdlib.h twice

fix crash in gotd if client gets disconnected on error; reported by Mikhail

use mkstemps(3) instead of mkstemp(3) for opening named temporary files Allows 'got commit' to use a ".diff" suffix for temporary diff files. ok op@

gotd: propagate confpath to children as well otherwise they end up running with default config which isn't ideal. ok stsp@

add gotctl(8); initially supported commands are 'info' and 'stop' This will be used by an upcoming regress test suite for gotd(8). ok tracey

remove sendfd pledge promise from gotd repo_read process Have the parent process send one end of the pipe directly to gotsh(1), such that repo_write can run without "sendfd". Combining "sendfd" and "recvfd" in the same process is frowned upon. ok tracey

remove sendfd pledge promise from gotd repo_write process Have the parent process send one end of the pipe directly to gotsh(1), such that repo_write can run without "sendfd". Combining "sendfd" and "recvfd" in the same process is frowned upon. ok tracey

sort getopt() option lists and switch statements; patch by Josiah Frentsos