Add an output abstraction layer, with a single output format, "clap",
the clar protocol, which is the current output format for clar.

We want to parse arguments before we start printing any output; the
arguments themselves may impact the way we display that output.

clar: use internal functions instead of /bin/cp and /bin/rm

Similar to how clar has used `/bin/cp` to copy files, it's used
`/bin/rm` to remove them.  This has similar deficiencies; meaning that
leaks is noisy and it's slow.  Move it to an internal function.

clar has historically shelled out to `/bin/cp` to copy test fixtures
into a sandbox.  This has two deficiencies:

1. It's slower than simply opening the source and destination and
   copying them in a read/write loop.  On my Mac, the `/bin/cp` based
   approach takes ~2:40 for a full test pass.  Using a read/write loop
   to copy the files ourselves takes ~1:50.

2. It's noisy.  Since the leak detector follows fork/exec, we'll end up
   running the leak detector on `/bin/cp`.  This would be fine, except
   that the leak detector spams the console on startup and shutdown, so
   it adds a _lot_ of additional information to the test runs that is
   useless.  By not forking and using this internal system, we see much
   less output.

strarray refactoring

We should not be in the business of copying strings around for users.
We either return a strarray that can be freed, or we take one (and do
not mutate it).

We _dispose_ the contents of objects; we _free_ objects (and their
contents).  Update `git_strarray_free` to be `git_strarray_dispose`.
`git_strarray_free` remains as a deprecated proxy function.

CMake cleanups

git_pool_init: allow the function to fail

Propagate failures caused by pool initialization errors.

We currently disable deprecation synchronization warnings in case we're
building with Clang. We check for Clang by doing a string comparison on
the compiler identification, but this seems to have been broken by an
update in macOS' image as the compiler ID has changed to "AppleClang".
Let's just unconditionally disable this warning on Unix platforms. We
never add the deprecated attribute anyway, so the warning doesn't help
us at all.

The `CMAKE_MINIUM_REQUIRE()` function not only sets up the minimum
required CMake version of a project, but it will also at the same time
set the CMake policy version. In effect this means that all policies
that have been introduced before the minimum CMake version will be
enabled automatically.

When updating our minimum required version ebabb88f (cmake: update
minimum CMake version to v3.5.1, 2019-10-10), we didn't remove any of
the policies we've been manually enabling. The newest CMake policy we've
been enabling is CMP0054, which was introduced back in CMake v3.1. As a
result, we can now just remove all manual calls to `CMAKE_POLICY()`.

We currently have an option that adds options for profiling to both our
CFLAGS and LDFLAGS. Having such flags behind various build options is
not really sensible at all, since users should instead set up those
flags via environment variables supported by CMake itself.

Let's remove this option.

We currently have support for generating tags via ctags as part of our
build system. We aren't really in the place of supporting any tooling
that exists apart from the actual build environment, as doing so adds
additional complexity and maintenance burden to our build instructions.
This is in fact nicely demonstrated by this particular option, as it
hasn't been working anymore since commit e5c9723d (cmake: move library
build instructions into subdirectory, 2017-06-30).

As a result, this commit removes support for building CTags

Our custom CMake module currently live in "cmake/Modules". As the
"cmake/" directory doesn't contain anything except the "Modules"
directory, it doesn't really make sense to have the additional
intermediate directory. So let's instead move the modules one level up
into the "cmake/" top level directory.

diff::workdir: actually test the buffers

Handle unreadable configuration files

Modified `config_file_open()` so it returns 0 if the config file is
not readable, which happens on global config files under macOS
sandboxing (note that for some reason `access(F_OK)` DOES work with
sandboxing, but it is lying). Without this read check sandboxed
applications on macOS can not open any repository, because
`config_file_read()` will return GIT_ERROR when it cannot read the
global /Users/username/.gitconfig file, and the upper layers will
just completely abort on GIT_ERROR when attempting to load the
global config file, so no repositories can be opened.

Make git_index_write() generate valid v4 index

The `git_index_free()` merely decrement the reference counter from 2 to
1, and does not "free" the index.
Thus, the following `git_repository_index()` merely increase the counter
to 2, instead of read index from disk.
The written index is not read and parsed, which makes this test case
effectively becomes a no-op.

According to index-format.txt of git, the path of an entry is prefixed
with N, where N indicates the length of bytes to be stripped.

The static test data is erroneously initialized with a length of 0 for
three of the strings.  This means the tests are not actually examining
those strings.  Provide the length.

OpenSSL certificate memory leak

Let `git_pool_init` return an int so that it could fail.

tests: checkout: fix flaky test due to mtime race

cmake: Sort source files for reproducible builds

When trying to determine whether a file changed, we try to avoid heavy
operations by fist taking a look at the index, seeing whether the index
entry is modified already. This doesn't seem to cut it, though, as we
currently have the racy checkout::index::can_disable_pathspec_match test
case: sometimes the files get restored to their original contents,
sometimes they aren't.

The issue is caused by a racy index [1]: in case we modify a file, add
it to the index and then modify it again in-place without changing its
file, then we may end up with a modified file that has the same stat(3P)
info as we've currently got it in its corresponding index entry. The
mitigation for this is to treat files with the same mtime as the index
are treated as racily modified. We already have this logic in place for
the index, but not when doing a checkout.

Fix the issue by only consulting the index entry in case it has an older
mtime as the index. Previously, the following script reliably had at
least 20 failures, while now there is no failure to be observed anymore:

```bash
j=0
for i in $(seq 100)
do
	if ! ./libgit2_clar -scheckout::index::can_disable_pathspec_match >/dev/null
	then
		j=$(($j + 1))
	fi
done
echo "Failures: $j"
```

[1]: https://git-scm.com/docs/racy-git

The test case checkout::index::can_disable_pathspec_match has some
shortcomings when it comes to coding style, which didn't fit our own
coding style. Furthermore, it had an unnecessary static local variable.

The test has been refactored to address these issues.

We currently use `FILE(GLOB ...)` in most places to find source and
header files. This is problematic in that the order of files returned
depends on the operating system's directory iteration order and may thus
not be deterministic. As a result, we link object files in unspecified
order, which may cause the linker to emit different code across runs.

Fix this issue by sorting all code used as input to the libgit2 library
to improve the reliability of reproducible builds.

When creating a `git_cert` from the OpenSSL X509 certificate of a given
stream, we do not call `X509_free()` on the certificate, leading to a
memory leak as soon as the certificate is requested e.g. by the
certificate check callback.

Fix the issue by properly calling `X509_free()`.

futils: fix order of declared parameters for `git_futils_fake_symlink`