Release 2025c - 2025-12-10 14:42:37 -0800

Briefly:
Several code changes for compatibility with FreeBSD.

Changes to code

An unset TZ is no longer invalid when /etc/localtime is missing,
and is abbreviated "UTC" not "-00". This reverts to 2024b behavior.
(Problem and patch reported by Dag-Erling Smørgrav.)

New function offtime_r, short for fixed-offset localtime_rz.
It is defined if STD_INSPIRED is defined.
(Patch from Dag-Erling Smørgrav.)

tzset etc. are now more cautious about questionable TZ settings.
Privileged programs now reject TZ settings that start with '/',
unless they are TZDEFAULT (default "/etc/localtime") or
start with TZDIR then '/' (default "/usr/share/zoneinfo/").
Unprivileged programs now require files to be regular files
and reject relative names containing ".." directory components;
formerly, only privileged programs did those two things.
These changes were inspired by similar behavior in FreeBSD.
On NetBSD, unprivileged programs now use O_REGULAR to check
whether a TZ setting starting with '/' names a regular file,
avoiding a minor security race still present elsewhere.
TZ strings taken from tzalloc arguments are now treated with
no less caution than TZ strings taken from the environment, as
the old undocumented behavior would have been hard to explain.
tzset etc. no longer use the 'access' system call to check access;
instead they now use the system calls issetugid, getauxval,
getresuid/getresgid, and geteuid/getegid/getuid/getgid (whichever
first works) to test whether a program is privileged.
Compile with -DHAVE_SYS_AUXV_H=[01] to enable or disable
<sys/auxv.h> which (if it defines AT_SECURE) enables getauxval,
and compile with -DHAVE_ISSETUGID=[01], -DHAVE_GETRESUID=[01], and
-DHAVE_GETEUID=[01] to enable or disable the other calls' use.

The new CFLAGS option -DTZ_CHANGE_INTERVAL=N makes tzset etc.
check for TZif file changes if the in-memory data are N seconds
old or more, and are derived from the TZ environment variable.
This is intended for platforms that want tzset etc. to reflect
changes to whatever file TZ selects (including changes to
/etc/localtime if TZ is unset). If N is negative (the default)
these checks are omitted; this is the traditional behavior.

The new CFLAGS options -DHAVE_STRUCT_STAT_ST_CTIM=0 and
-DHAVE_STRUCT_TIMESPEC=0 port to non-POSIX.1-2008 platforms
that lack st_ctim and struct timespec, respectively.

tzset etc. now treat ' ' like '_' in time zone abbreviations,
just as they treat other invalid bytes. This continues the
transition begun in release 96k, which removed spaces in tzdata
because the spaces break time string parsers.

The new CFLAGS option -DTHREAD_PREFER_SINGLE causes tzcode
in single-threaded processes to avoid locks, as FreeBSD does.
This can save time in single-threaded apps. The threadedness
testing costs CPU time and energy in multi-threaded apps.
New options -DHAVE___ISTHREADED and -DHAVE_SYS_SINGLE_THREADED_H
can help configure how to test for single-threadedness.

The new CFLAGS option -DTHREAD_RWLOCK uses read-write locks, as
macOS does, instead of mutexes. This saves real time when TZ is
rarely changing and many threads call tzcode simultaneously.
It costs more CPU time and energy.

The new CFLAGS option -TTHREAD_TM_MULTI causes localtime to return
a pointer to thread-specific memory, as FreeBSD does, instead of
to the same memory in all threads. This supports unportable
programs that incorrectly use localtime instead of localtime_r.
This option affects gmtime and offtime similarly to localtime.
Because the corresponding storage is freed on thread exit, this
option is incompatible with POSIX.1-2024 and earlier. It also
costs CPU time and memory.

tzfree now preserves errno, consistently with POSIX.1-2024 'free'.

tzcode now uses mempcpy if available, guessing its availability.
Compile with -DHAVE_MEMPCPY=1 or 0 to override the guess.

tzcode now uses strnlen to improve asymptotic performance a bit.
Compile with -DHAVE_STRNLEN=0 if your platform lacks it.

tzcode now hand-declares unistd.h-provided symbols like getopt
if HAVE_UNISTD_H=0, not if HAVE_POSIX_DECLS=0.

tzset etc. now have an experimental OPENAT_TZDIR option;
see Makefile and localtime.c for details.

On platforms like GNU/Hurd that do not define PATH_MAX,
exceedingly long TZ strings no longer fail merely because they
exceed an arbitrary file name length limit imposed by tzcode.

zic has new options inspired by FreeBSD. '-D' skips creation of
output ancestor directories, '-m MODE' sets output files' mode,
and '-u OWNER[:GROUP]' sets output files' owner and group.

zic now uses the fdopen function, which was standardized by
POSIX.1-1988 and is now safe to use in portable code.
This replaces its use of the older umask function, which
complicated maintenance.

Change to code and documentation from 2021a -> 2021e

Release 2021e - 2021-10-21 18:41:00 -0700

Changes to code

none


Release 2021d - 2021-10-15 13:48:18 -0700

Changes to code

'zic -r' now uses "-00" time zone abbreviations for intervals
with UT offsets that are unspecified due to -r truncation.
This implements a change in draft Internet RFC 8536bis.


Release 2021c - 2021-10-01 14:21:49 -0700

Changes to code

Fix a bug in 'zic -b fat' that caused old timestamps to be
mishandled in 32-bit-only readers (problem reported by Daniel
Fischer).

Changes to documentation

Distribute the SECURITY file (problem reported by Andreas Radke).


Release 2021b - 2021-09-24 16:23:00 -0700

Changes to maintenance procedure

The new file SECURITY covers how to report security-related bugs.

Several backward-compatibility links have been moved to the
'backward' file. These links, which range from Africa/Addis_Ababa
to Pacific/Saipan, are only for compatibility with now-obsolete
guidelines suggesting an entry for every ISO 3166 code.
The intercontinental convenience links Asia/Istanbul and
Europe/Nicosia have also been moved to 'backward'.

Changes to code

zic now creates each output file or link atomically,
possibly by creating a temporary file and then renaming it.
This avoids races where a TZ setting would temporarily stop
working while zic was installing a replacement file or link.

zic -L no longer omits the POSIX TZ string in its output.
Starting with 2020a, zic -L truncated its output according to the
"Expires" directive or "#expires" comment in the leapseconds file.
The resulting TZif files omitted daylight saving transitions after
the leap second table expired, which led to far less-accurate
predictions of times after the expiry. Although future timestamps
cannot be converted accurately in the presence of leap seconds, it
is more accurate to convert near-future timestamps with a few
seconds error than with an hour error, so zic -L no longer
truncates output in this way.

Instead, when zic -L is given the "Expires" directive, it now
outputs the expiration by appending a no-change entry to the leap
second table. Although this should work well with most TZif
readers, it does not conform to Internet RFC 8536 and some pickier
clients (including tzdb 2017c through 2021a) reject it, so
"Expires" directives are currently disabled by default. To enable
them, set the EXPIRES_LINE Makefile variable. If a TZif file uses
this new feature it is marked with a new TZif version number 4,
a format intended to be documented in a successor to RFC 8536.

zic -L LEAPFILE -r @LO no longer generates an invalid TZif file
that omits leap second information for the range LO..B when LO
falls between two leap seconds A and B. Instead, it generates a
TZif version 4 file that represents the previously-missing
information.

The TZif reader now allows the leap second table to begin with a
correction other than -1 or +1, and to contain adjacent
transitions with equal corrections. This supports TZif version 4.

The TZif reader now lets leap seconds occur less than 28 days
apart. This supports possible future TZif extensions.

Fix bug that caused 'localtime' etc. to crash when TZ was
set to a all-year DST string like "EST5EDT4,0/0,J365/25" that does
not conform to POSIX but does conform to Internet RFC 8536.

Fix another bug that caused 'localtime' etc. to crash when TZ was
set to a POSIX-conforming but unusual TZ string like
"EST5EDT4,0/0,J365/0", where almost all the year is DST.

Fix yet another bug that caused 'localtime' etc. to mishandle slim
TZif files containing leap seconds after the last explicit
transition in the table, or when handling far-future timestamps
in slim TZif files lacking leap seconds.

Fix localtime misbehavior involving positive leap seconds.
This change affects only behavior for "right" system time,
which contains leap seconds, and only if the UT offset is
not a multiple of 60 seconds when a positive leap second occurs.
(No such timezone exists in tzdb, luckily.) Without the fix,
the timestamp was ambiguous during a positive leap second.
With the fix, any seconds occurring after a positive leap second
and within the same localtime minute are counted through 60, not
through 59; their UT offset (tm_gmtoff) is the same as before.
Here is how the fix affects timestamps in a timezone with UT
offset +01:23:45 (5025 seconds) and with a positive leap second at
1972-06-30 23:59:60 UTC (78796800):

time_t without the fix with the fix
78796800 1972-07-01 01:23:45 1972-07-01 01:23:45 (leap second)
78796801 1972-07-01 01:23:45 1972-07-01 01:23:46
...
78796815 1972-07-01 01:23:59 1972-07-01 01:23:60
78796816 1972-07-01 01:24:00 1972-07-01 01:24:00

Fix an unlikely bug that caused 'localtime' etc. to misbehave if
civil time changes a few seconds before time_t wraps around, when
leap seconds are enabled.

Fix bug in zic -r; in some cases, the dummy time type after the
last time transition disagreed with the TZ string, contrary to
Internet RFC 8563 section 3.3.

Fix a bug with 'zic -r @X' when X is a negative leap second that
has a nonnegative correction. Without the fix, the output file
was truncated so that X appeared to be a positive leap second.
Fix a similar, even-less-likely bug when truncating at a positive
leap second that has a nonpositive correction.

zic -r now reports an error if given rolling leap seconds, as this
usage has never generally worked and is evidently unused.

zic now generates a POSIX-conforming TZ string for TZif files
where all-year DST is predicted for the indefinite future.
For example, for all-year Eastern Daylight Time, zic now generates
"XXX3EDT4,0/0,J365/23" where it previously generated
"EST5EDT,0/0,J365/25" or "". (Thanks to Michael Deckers for
noting the possibility of POSIX conformance.)

zic.c no longer requires sys/wait.h (thanks to spazmodius for
noting it wasn't needed).

When reading slim TZif files, zdump no longer mishandles leap
seconds on the rare platforms where time_t counts leap seconds,
fixing a bug introduced in 2014g.

zdump -v now outputs timestamps at boundaries of what localtime
and gmtime can represent, instead of the less-useful timestamps
one day after the minimum and one day before the maximum.
(Thanks to Arthur David Olson for prototype code, and to Manuela
Friedrich for debugging help.)

zdump's -c and -t options are now consistently inclusive for the
lower time bound and exclusive for the upper. Formerly they were
inconsistent. (Confusion noted by Martin Burnicki.)

Changes to build procedure

You can now compile with -DHAVE_MALLOC_ERRNO=0 to port to
non-POSIX hosts where malloc doesn't set errno.
(Problem reported by Jan Engelhardt.)

Changes to documentation

tzfile.5 better matches a draft successor to RFC 8536
<https://datatracker.ietf.org/doc/draft-murchison-rfc8536bis/01/>.