6 files changed, 344 insertions, 35 deletions
diff --git a/docs/BUILDING.md b/docs/BUILDING.md
index cb33c51..69a997c 100644
--- a/docs/BUILDING.md
+++ b/docs/BUILDING.md
@@ -16,7 +16,7 @@ Configuration
 $ ./configure --help
 Usage:
 
-  $ ./configure [--enable-*|--disable-*] [CC=...] [CFLAGS=...] [...]
+  $ ./configure [--enable-*|--disable-*] [--with-*|--without-*] [CC=...] [...]
   $ make
 
 ...
@@ -82,18 +82,18 @@ You can combine multiple profiles (e.g. `./configure --enable-asan --enable-ubsa
 ### Dependencies
 
 `bfs` depends on some system libraries for some of its features.
-External dependencies are auto-detected by default, but you can `--enable` or `--disable` them manually:
+External dependencies are auto-detected by default, but you can build `--with` or `--without` them explicitly:
 
 <pre>
---enable-<a href="https://savannah.nongnu.org/projects/acl">libacl</a>      --disable-libacl
---enable-<a href="https://sites.google.com/site/fullycapable/">libcap</a>      --disable-libcap
---enable-<a href="https://github.com/SELinuxProject/selinux">libselinux</a>  --disable-libselinux
---enable-<a href="https://github.com/axboe/liburing">liburing</a>    --disable-liburing
---enable-<a href="https://github.com/kkos/oniguruma">oniguruma</a>   --disable-oniguruma
+--with-<a href="https://savannah.nongnu.org/projects/acl">libacl</a>      --without-libacl
+--with-<a href="https://sites.google.com/site/fullycapable/">libcap</a>      --without-libcap
+--with-<a href="https://github.com/SELinuxProject/selinux">libselinux</a>  --without-libselinux
+--with-<a href="https://github.com/axboe/liburing">liburing</a>    --without-liburing
+--with-<a href="https://github.com/kkos/oniguruma">oniguruma</a>   --without-oniguruma
 </pre>
 
 [`pkg-config`] is used, if available, to detect these libraries and any additional build flags they may require.
-If this is undesireable, disable it by setting `PKG_CONFIG` to the empty string (`./configure PKG_CONFIG=""`).
+If this is undesirable, disable it by setting `PKG_CONFIG` to the empty string (`./configure PKG_CONFIG=""`).
 
 [`pkg-config`]: https://www.freedesktop.org/wiki/Software/pkg-config/
 
@@ -178,11 +178,11 @@ It can be handy to generate the snapshot with a different `find` implementation
 But keep in mind, other `find` implementations may not be correct.
 To my knowledge, no other implementation passes even the POSIX-compatible subset of the tests:
 
-    $ ./tests/tests.sh --bfs=find --posix
+    $ ./tests/tests.sh --bfs=find --sudo --posix
     ...
-    tests passed: 90
-    tests skipped: 3
-    tests failed: 6
+    [PASS] 104 / 119
+    [SKIP]   1 / 119
+    [FAIL]  14 / 119
 
 Run
 
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 62b6480..7f3c7b7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,183 @@
+4.*
+===
+
+4.0.4
+-----
+
+**October 31, 2024**
+
+
+## Bug fixes
+
+- Fixed a man page typo
+  ([#144](https://github.com/tavianator/bfs/pull/144))
+
+- Fixed the build on PowerPC macOS
+  ([#145](https://github.com/tavianator/bfs/issues/145))
+
+- Fixed a bug introduced in bfs 4.0.3 that colorized every file as if it had capabilities on non-Linux systems
+  ([#146](https://github.com/tavianator/bfs/pull/146))
+
+
+4.0.3
+-----
+
+**October 22, 2024**
+
+### Bug fixes
+
+- Fixed an assertion failure when `$LS_COLORS` contained escaped NUL bytes like `*\0.gz=`
+  ([`f5eaadb9`](https://github.com/tavianator/bfs/commit/f5eaadb96fb94b2d3666e53a99495840a3099aec))
+
+- Fixed a use-after-free bug introduced in bfs 4.0 when unregistering and re-registering signal hooks.
+  This could be reproduced with `bfs -nocolor` by repeatedly sending `SIGINFO`/`SIGUSR1` to toggle the status bar.
+  ([`39ff273`](https://github.com/tavianator/bfs/commit/39ff273df97e51b1285358b9e6808b117ea8adb1))
+
+- Fixed a hang present since bfs 3.0 colorizing paths like `notdir/file`, where `notdir` is a symlink pointing to a non-directory file.
+  ([`b89f22cb`](https://github.com/tavianator/bfs/commit/b89f22cbf250958a802915eb7b6bf0e5f38376ca))
+
+
+4.0.2
+-----
+
+**September 17, 2024**
+
+### New features
+
+- Implemented `./configure --version=X.Y.Z`, mainly for packagers to override the version number
+  ([`4a278d3`](https://github.com/tavianator/bfs/commit/4a278d3e39a685379711727eac7bfaa83679e0e4))
+
+### Changes
+
+- Minor refactoring of the build system
+
+### Bug fixes
+
+- Fixed `./configure --help`, which was broken since `bfs` 4.0
+  ([`07ae989`](https://github.com/tavianator/bfs/commit/07ae98906dbb0caaac2f758d72e88dd0975b2a81))
+
+- Fixed compiler flag auto-detection on systems with non-GNU `sed`.
+  This fixes a potential race condition on FreeBSD since `bfs` 4.0 due to the [switch to `_Fork()`](https://github.com/tavianator/bfs/commit/085bb402c7b2c2f96624fb0523ff3f9686fe26d9) without passing `-z now` to the linker.
+  ([`34e6081`](https://github.com/tavianator/bfs/commit/34e60816adb0ea8ddb155a454676a99ab225dc8a))
+
+- Fixed `$MAKE distcheck` when `$MAKE` is not `make`, e.g. `gmake distcheck` on BSD
+  ([`2135b00`](https://github.com/tavianator/bfs/commit/2135b00d215efc5c2c38e1abd3254baf31229ad4))
+
+- Fixed some roff syntax issues in the `bfs` manpage
+  ([`812ecd1`](https://github.com/tavianator/bfs/commit/812ecd1feeb002252dd4d732b395d31c4179afaf))
+
+- Fixed an assertion failure optimizing expressions like `bfs -not \( -prune , -type f \)` since `bfs` 3.1.
+  Release builds were not affected, since their assertions are disabled and the behaviour was otherwise correct.
+  ([`b1a9998`](https://github.com/tavianator/bfs/commit/b1a999892b9e13181ddd9a7d895f3d1c65fbb449))
+
+
+4.0.1
+-----
+
+**August 19, 2024**
+
+### Bug fixes
+
+- `bfs` no longer prints a "suppressed errors" warning unless `-noerror` is actually suppressing errors
+  ([`5d03c9d`](https://github.com/tavianator/bfs/commit/5d03c9d460d1c1afcdf062d494537986ce96a690))
+
+
+4.0
+---
+
+**August 16, 2024**
+
+### New features
+
+- To match BSD `find` (and the POSIX Utility Syntax Guidelines), multiple flags can now be given in a single argument like `-LEXO2`.
+  Previously, you would have had to write `-L -E -X -O2`.
+  ([`c0fd33a`](https://github.com/tavianator/bfs/commit/c0fd33aaef5f345566a41c7c2558f27adf05558b))
+
+- Explicit timestamps can now be written as `@SECONDS_SINCE_EPOCH`.
+  For example, `bfs -newermt @946684800` will print files modified since January 1, 2000 (UTC).
+  ([`c6bb003`](https://github.com/tavianator/bfs/commit/c6bb003b8882e9a16941f5803d072ec1cb728318))
+
+- The new `-noerror` option suppresses all error messages during traversal.
+  ([#142](https://github.com/tavianator/bfs/issues/142))
+
+### Changes
+
+- `-mount` now excludes mount points entirely, to comply with the recently published POSIX 2024 standard.
+  Use `-xdev` to include the mount point itself, but not its contents.
+  `bfs` has been warning about this change since version 1.5.1 (September 2019).
+  ([`33b85e1`](https://github.com/tavianator/bfs/commit/33b85e1f8769e7f75721887638ae454d109a034f))
+
+- `-perm` now takes the current file creation mask into account when parsing a symbolic mode like `+rw`, as clarified by [POSIX defect 1392](https://www.austingroupbugs.net/view.php?id=1392).
+    This matches the behaviour of BSD `find`, contrary to the behaviour of GNU `find`.
+  ([`6290ce4`](https://github.com/tavianator/bfs/commit/6290ce41f3ec1f889abb881cf90ca91da869b5b2))
+
+### Bug fixes
+
+- Fixed commands like `./configure CC=clang --enable-release` that set variables before other options
+  ([`49a5d48`](https://github.com/tavianator/bfs/commit/49a5d48d0a43bac313c8b8d1b167e60da9eaadf6))
+
+- Fixed the build on RISC-V with GCC versions older than 14
+  ([`e93a1dc`](https://github.com/tavianator/bfs/commit/e93a1dccd82f831a2f0d2cc382d8af5e1fda55ed))
+
+- Fixed running `bfs` under Valgrind
+  ([`a01cfac`](https://github.com/tavianator/bfs/commit/a01cfacd423af28af6b7c13ba51e2395f3a52ee7))
+
+- Fixed the exit code when failing to execute a non-existent command with `-exec`/`-ok` on some platforms including OpenBSD and HPPA
+  ([`8c130ca`](https://github.com/tavianator/bfs/commit/8c130ca0117fd225c24569be2ec16c7dc2150a13))
+
+- Fixed `$LS_COLORS` case-sensitivity to match GNU ls more closely when the same extension is specified multiple times
+  ([`08030ae`](https://github.com/tavianator/bfs/commit/08030aea919039165c02805e8c637a9ec1ad0d70))
+
+- Fixed the `-status` bar on Solaris/Illumos
+
+
 3.*
 ===
 
+3.3.1
+-----
+
+**June 3, 2024**
+
+### Bug fixes
+
+- Reduced the scope of the symbolic link loop change in version 3.3.
+  `-xtype l` remains true for symbolic link loops, matching a change in GNU findutils 4.10.0.
+  However, `-L` will report an error, just like `bfs` prior to 3.3 and other `find` implementations, as required by POSIX.
+
+
+3.3
+---
+
+**May 28, 2024**
+
+### New features
+
+- The `-status` bar can now be toggled by `SIGINFO` (<kbd>Ctrl</kbd>+<kbd>T</kbd>) on systems that support it, and `SIGUSR1` on other systems
+
+- `-regextype` now supports all regex types from GNU find ([#21](https://github.com/tavianator/bfs/issues/21))
+
+- File birth times are now supported on OpenBSD
+
+### Changes
+
+- Symbolic link loops are now treated like other broken links, rather than an error
+
+- `./configure` now expects `--with-libacl`, `--without-libcap`, etc. rather than `--enable-`/`--disable-`
+
+- The ` ` (space) flag is now restricted to numeric `-printf` specifiers
+
+### Bug fixes
+
+- `-regextype emacs` now supports [shy](https://www.gnu.org/software/emacs/manual/html_node/elisp/Regexp-Backslash.html#index-shy-groups) (non-capturing) groups
+
+- Fixed `-status` bar visual corruption when the terminal is resized
+
+- `bfs` now prints a reset escape sequence when terminated by a signal in the middle of colored output ([#138](https://github.com/tavianator/bfs/issues/138))
+
+- `./configure CFLAGS=...` no longer overrides flags from `pkg-config` during configuration
+
+
 3.2
 ---
 
@@ -183,7 +360,7 @@
 
   - Breadth-first search could become highly unbalanced, negating many of the benefits of `bfs`
 
-  - On non-{Linux,FreeBSD} plaforms, directories could stay open longer than necessary, consuming extra memory
+  - On non-{Linux,FreeBSD} platforms, directories could stay open longer than necessary, consuming extra memory
 
 [#107]: https://github.com/tavianator/bfs/pull/107
 
diff --git a/docs/RELATED.md b/docs/RELATED.md
index cf52b70..6e7bd38 100644
--- a/docs/RELATED.md
+++ b/docs/RELATED.md
@@ -25,8 +25,9 @@ These are not usually installed as the system `find`, but are designed to be `fi
 - [`bfs`](https://tavianator.com/projects/bfs.html) ([manual](https://man.archlinux.org/man/bfs.1), [source](https://github.com/tavianator/bfs))
 - [schilytools](https://codeberg.org/schilytools/schilytools) `sfind` ([source](https://codeberg.org/schilytools/schilytools/src/branch/master/sfind))
 - [BusyBox](https://busybox.net/) `find` ([manual](https://busybox.net/downloads/BusyBox.html#find), [source](https://git.busybox.net/busybox/tree/findutils/find.c))
-- [ToyBox](http://landley.net/toybox/) `find` ([manual](http://landley.net/toybox/help.html#find), [source](https://github.com/landley/toybox/blob/master/toys/posix/find.c))
-- uutils `find` ([source](https://github.com/uutils/findutils))
+- [ToyBox](https://landley.net/toybox/) `find` ([manual](http://landley.net/toybox/help.html#find), [source](https://github.com/landley/toybox/blob/master/toys/posix/find.c))
+- [Heirloom Project](https://heirloom.sourceforge.net/) `find` ([manual](https://heirloom.sourceforge.net/man/find.1.html), [source](https://github.com/eunuchs/heirloom-project/blob/master/heirloom/heirloom/find/find.c))
+- [uutils](https://uutils.github.io/) `find` ([source](https://github.com/uutils/findutils))
 
 ## `find` alternatives
 
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
new file mode 100644
index 0000000..dd3277a
--- /dev/null
+++ b/docs/SECURITY.md
@@ -0,0 +1,126 @@
+Security
+========
+
+Threat model
+------------
+
+`bfs` is a command line program running on multi-user operating systems.
+Those other users may be malicious, but `bfs` should not allow them to do anything they couldn't already do.
+That includes situations where one user (especially `root`) is running `bfs` on files owned or controlled by another user.
+
+On the other hand, `bfs` implicitly trusts the user running it.
+Anyone with enough control over the command line of `bfs` or any `find`-compatible tool can wreak havoc with dangerous actions like `-exec`, `-delete`, etc.
+
+> [!CAUTION]
+> The only untrusted input that should *ever* be passed on the `bfs` command line are **file paths**.
+> It is *always* unsafe to allow *any* other part of the command line to be affected by untrusted input.
+> Use the `-f` flag, or `-files0-from`, to ensure that the input is interpreted as a path.
+
+This still has security implications, including:
+
+- **Information disclosure:** an attacker may learn whether particular files exist by observing `bfs`'s output, exit status, or even side channels like execution time.
+- **Denial of service:** large directory trees or slow/network storage may cause `bfs` to consume excessive system resources.
+
+> [!TIP]
+> When in doubt, do not pass any untrusted input to `bfs`.
+
+
+Executing commands
+------------------
+
+The `-exec` family of actions execute commands, passing the matched paths as arguments.
+File names that begin with a dash may be misinterpreted as options, so `bfs` adds a leading `./` in some instances:
+
+```console
+user@host$ bfs -execdir echo {} \;
+./-rf
+```
+
+This might save you from accidentally running `rm -rf` (for example) when you didn't mean to.
+This mitigation applies to `-execdir`, but not `-exec`, because the full path typically does not begin with a dash.
+But it is possible, so be careful:
+
+```console
+user@host$ bfs -f -rf -exec echo {} \;
+-rf
+```
+
+
+Race conditions
+---------------
+
+Like many programs that interface with the file system, `bfs` can be affected by race conditions&mdash;in particular, "[time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use)" (TOCTTOU) issues.
+For example,
+
+```console
+user@host$ bfs / -user user -exec dangerous_command {} \;
+```
+
+is not guaranteed to only run `dangerous_command` on files you own, because another user may run
+
+```console
+evil@host$ mv /path/to/file /path/to/exile
+evil@host$ mv ~/malicious /path/to/file
+```
+
+in between checking `-user user` and executing the command.
+
+> [!WARNING]
+> Be careful when running `bfs` on directories that other users have write access to, because they can modify the directory tree while `bfs` is running, leading to unpredictable results and possible TOCTTOU issues.
+
+
+Output sanitization
+-------------------
+
+In general, printing arbitrary data to a terminal may have [security](https://hdm.io/writing/termulation.txt) [implications](https://dgl.cx/2023/09/ansi-terminal-security#vulnerabilities-using-known-replies).
+On many platforms, file paths may be completely arbitrary data (except for NUL (`\0`) bytes).
+Therefore, when `bfs` is writing output to a terminal, it will escape non-printable characters:
+
+<pre>
+user@host$ touch $'\e[1mBOLD\e[0m'
+user@host$ bfs
+.
+./$'\e[1mBOLD\e[0m'
+</pre>
+
+However, this is fragile as it only applies when outputting directly to a terminal:
+
+<pre>
+user@host$ bfs | grep BOLD
+<strong>BOLD</strong>
+</pre>
+
+
+Code quality
+------------
+
+Every correctness issue in `bfs` is a potential security issue, because acting on the wrong path may do arbitrarily bad things.
+For example:
+
+```console
+root@host# bfs /etc -name passwd -exec cat {} \;
+```
+
+should print `/etc/passwd` but not `/etc/shadow`.
+`bfs` tries to ensure correct behavior through careful programming practice, an extensive testsuite, and static analysis.
+
+`bfs` is written in C, which is a memory unsafe language.
+Bugs that lead to memory corruption are likely to be exploitable due to the nature of C.
+We use [sanitizers](https://github.com/google/sanitizers) to try to detect these bugs.
+Fuzzing has also been applied in the past, and deploying continuous fuzzing is a work in progress.
+
+
+Supported versions
+------------------
+
+`bfs` comes with [no warranty](/LICENSE), and is maintained by [me](https://tavianator.com/) and [other volunteers](https://github.com/tavianator/bfs/graphs/contributors) in our spare time.
+In that sense, there are no *supported* versions.
+However, as long as I maintain `bfs` I will attempt to address any security issues swiftly.
+In general, security fixes will be part of the latest release, though for significant issues I may backport fixes to older release series.
+
+
+Reporting a vulnerability
+-------------------------
+
+If you think you have found a sensitive security issue in `bfs`, you can [report it privately](https://github.com/tavianator/bfs/security/advisories/new).
+Or you can [report it publicly](https://github.com/tavianator/bfs/issues/new); I won't judge you.
diff --git a/docs/USAGE.md b/docs/USAGE.md
index 70f8475..16aeaf6 100644
--- a/docs/USAGE.md
+++ b/docs/USAGE.md
@@ -105,7 +105,7 @@ For expressions like `-name`, that's all they do.
 But some expressions, called *actions*, have other side effects.
 
 If no actions are included in the expression, `bfs` adds the `-print` action automatically, which is why the above examples actually print any output.
-The default `-print` is supressed if any actions are given explicitly.
+The default `-print` is suppressed if any actions are given explicitly.
 Available actions include printing with alternate formats (`-ls`, `-printf`, etc.), executing commands (`-exec`, `-execdir`, etc.), deleting files (`-delete`), and stopping the search (`-quit`, `-exit`).
 
 
diff --git a/docs/bfs.1 b/docs/bfs.1
index 54166ab..317ac5d 100644
--- a/docs/bfs.1
+++ b/docs/bfs.1
@@ -1,4 +1,4 @@
-.TH BFS 1
+.TH BFS 1 2024-10-31 "bfs 4.0.4"
 .SH NAME
 bfs \- breadth-first search for your files
 .SH SYNOPSIS
@@ -41,17 +41,17 @@ For example,
 .PP
 .nf
 .RS
-.B bfs \\\( \-name '*.txt' \-or \-lname '*.txt' \\\\) \-and \-print
+.B bfs \e( \-name '*.txt' \-or \-lname '*.txt' \e) \-and \-print
 .RE
 .fi
 .PP
-will print the all the paths that are either .txt files or symbolic links to .txt files.
+will print all the paths that are either .txt files or symbolic links to .txt files.
 .B \-and
 is implied between two consecutive expressions, so this is equivalent:
 .PP
 .nf
 .RS
-.B bfs \\\( \-name '*.txt' \-or \-lname '*.txt' \\\\) \-print
+.B bfs \e( \-name '*.txt' \-or \-lname '*.txt' \e) \-print
 .RE
 .fi
 .PP
@@ -71,7 +71,7 @@ will also accept
 .I \-N
 or
 .IR +N .
-.IR \-N
+.I \-N
 means "less than
 .IR N ,"
 and
@@ -115,7 +115,6 @@ Don't descend into other mount points (same as \fB\-xdev\fR).
 Treat
 .I PATH
 as a path to search (useful if it begins with a dash).
-.PP
 .TP
 \fB\-D \fIFLAG\fR
 Turn on a debugging flag (see
@@ -188,9 +187,9 @@ threads in parallel (default: number of CPUs, up to
 \fB( \fIexpression \fB)\fR
 Parentheses are used for grouping expressions together.
 You'll probably have to write
-.B \\\\(
+.B \e(
 .I expression
-.B \\\\)
+.B \e)
 to avoid the parentheses being interpreted by the shell.
 .PP
 \fB! \fIexpression\fR
@@ -199,7 +198,7 @@ to avoid the parentheses being interpreted by the shell.
 .RS
 The "not" operator: returns the negation of the truth value of the
 .IR expression .
-You may have to write \fB\\! \fIexpression\fR to avoid \fB!\fR being interpreted by the shell.
+You may have to write \fB\e! \fIexpression\fR to avoid \fB!\fR being interpreted by the shell.
 .RE
 .PP
 \fIexpression\fR \fIexpression\fR
@@ -266,7 +265,6 @@ Print usage information, and exit immediately (without parsing the rest of the c
 Print version information, and exit immediately.
 .RE
 .SH OPTIONS
-.PP
 .B \-color
 .br
 .B \-nocolor
@@ -289,7 +287,7 @@ Follow all symbolic links (same as
 .BR \-L ).
 .TP
 \fB\-files0\-from \fIFILE\fR
-Treat the NUL ('\\0')-separated paths in
+Treat the NUL ('\e0')-separated paths in
 .I FILE
 as starting points for the search.
 Pass
@@ -316,9 +314,10 @@ Ignore files deeper/shallower than
 .RE
 .TP
 .B \-mount
-Don't descend into other mount points (same as
-.B \-xdev
-for now, but will skip mount points entirely in the future).
+Exclude mount points entirely from the results.
+.TP
+.B \-noerror
+Ignore any errors that occur during traversal.
 .TP
 .B \-nohidden
 Exclude hidden files and directories.
@@ -337,7 +336,7 @@ The possible types are
 POSIX basic regular expressions (the default).
 .TP
 .I posix-extended
-POSIX extended resular expressions.
+POSIX extended regular expressions.
 .TP
 .I ed
 Like
@@ -381,6 +380,9 @@ Turn on or off warnings about the command line.
 .TP
 .B \-xdev
 Don't descend into other mount points.
+Unlike
+.BR \-mount ,
+the mount point itself is still included.
 .SH TESTS
 .TP
 .B \-acl
@@ -479,6 +481,10 @@ Find files the current user can execute/read/write.
 Always false/true.
 .RE
 .TP
+\fB\-flags\fR [\fI\-+\fR]\fIFLAGS\fR
+Find files with matching inode
+.BR FLAGS .
+.TP
 \fB\-fstype \fITYPE\fR
 Find files on file systems with the given
 .IR TYPE .
@@ -582,7 +588,7 @@ Find files whose entire path matches the
 .IR GLOB .
 .RE
 .TP
-\fB\-perm\fR [\fI\-\fR]\fIMODE\fR
+\fB\-perm\fR [\fI\-+/\fR]\fIMODE\fR
 Find files with a matching mode.
 .TP
 \fB\-regex \fIREGEX\fR
@@ -681,7 +687,6 @@ Find files of the given type, following links when
 .B \-type
 would not, and vice versa.
 .SH ACTIONS
-.PP
 .B \-delete
 .br
 .B \-rm
@@ -745,7 +750,7 @@ Print the path to the found file.
 .B \-print0
 Like
 .BR \-print ,
-but use the null character ('\\0') as a separator rather than newlines.
+but use the null character ('\e0') as a separator rather than newlines.
 Useful in conjunction with
 .B xargs
 .IR \-0 .
@@ -913,7 +918,7 @@ Finds broken symbolic links.
 .TP
 .B bfs \-name config \-exclude \-name .git
 Finds all files named
-.BR config,
+.BR config ,
 skipping every
 .B .git
 directory.