| 1 |
Daiajo Tibdixious posted on Mon, 18 Apr 2016 22:40:08 +1000 as excerpted: |
| 2 |
|
| 3 |
> A package I wish to download has these instructions: |
| 4 |
> |
| 5 |
> wget -O - |
| 6 |
> http://content.runescape.com/a=946/downloads/ubuntu/runescape.gpg.key |
| 7 |
> | apt-key add - |
| 8 |
|
| 9 |
That, and each of the following, are effectively single command-lines, |
| 10 |
one each, only wrapped here, as they would be on a limited-width |
| 11 |
terminal, for purposes of display. |
| 12 |
|
| 13 |
That line simply adds the linked gpg key to apt's keys file, presumably |
| 14 |
so it can validate the later package as a validly signed package. |
| 15 |
|
| 16 |
Of course the key fetch is using unsecured http, not https, so it's not |
| 17 |
as if the key really provides much actual security, since anyone with |
| 18 |
access to the connection could substitute a fake key, but that's more or |
| 19 |
less beside the point. The point would be that apt wants packages signed |
| 20 |
by keys it trusts, and that adds said key to the appropriate trusted key |
| 21 |
store, regardless of whether the key has actually been verified as |
| 22 |
trustworthy. |
| 23 |
|
| 24 |
> mkdir -p /etc/apt/sources.list.d |
| 25 |
|
| 26 |
Makes (if it doesn't already exist) that local dir, used in the next |
| 27 |
command. |
| 28 |
|
| 29 |
> echo "deb http://content.runescape.com/a=946/downloads/ubuntu trusty |
| 30 |
> non-free" > /etc/apt/sources.list.d/runescape.list |
| 31 |
|
| 32 |
Just to make it explicit, that ">" between non-free and /etc/apt/... is |
| 33 |
output redirection in the original command, not just a misplaced quote |
| 34 |
character. |
| 35 |
|
| 36 |
This creates a file "runescape.list" in the directory created by the mkdir |
| 37 |
above, with one line of content: |
| 38 |
|
| 39 |
deb http://content.runescape.com/a=946/downloads/ubuntu trusty non-free |
| 40 |
|
| 41 |
Presumably, the "deb" on that line tells apt what format the repo is in, |
| 42 |
the link tells apt where it's at and the protocol to use, "trusty" tells |
| 43 |
it what version of ubuntu it's for, and non-free tells it the (Debian/ |
| 44 |
Ubuntu/apt) license status. |
| 45 |
|
| 46 |
> apt-get update |
| 47 |
|
| 48 |
This will be their equivalent of portage's emerge --sync command. It'll |
| 49 |
sync all configured repos, including the one just configured above, with |
| 50 |
that /etc/apt/sources.list.d/runescape.list file and its content. |
| 51 |
|
| 52 |
> apt-get install -y runescape-launcher |
| 53 |
|
| 54 |
With the local apt set of repos synced by the above, this installs the |
| 55 |
actual package, runescape-launcher. |
| 56 |
|
| 57 |
|
| 58 |
> I have downloaded the apt sources and have been reading it. However its |
| 59 |
> fairly large & complex which will take me a while to figure out. |
| 60 |
|
| 61 |
No kidding. You'd not expect someone to download and read the portage |
| 62 |
sources to figure out how to manually install a package from an ebuild, |
| 63 |
would you? Sure it should work... provided you're technically literate |
| 64 |
and patient enough, but it's definitely the long way around. |
| 65 |
|
| 66 |
All you need is a basic general understanding of what package managers |
| 67 |
/do/, a look at the instructions provided, and if necessary, a look at |
| 68 |
the package manager's manpage, etc, tho that's not really necessary here. |
| 69 |
|
| 70 |
FWIW I've never run a Debian-based distro, tho for about three years |
| 71 |
before I switched to gentoo in 2004, I ran Mandrake, an RPM-based |
| 72 |
distro. My rpm foo is thus well over a decade out of date and is rpm, |
| 73 |
not deb, but it does give me experience with a second package manager, |
| 74 |
one from a binary-based distro, to compare against portage and gentoo as |
| 75 |
a from-source package manager and distro, and that, coupled with a |
| 76 |
general familiarity with how Unix-style commandlines and bash as a shell |
| 77 |
work, is enough to decipher the above. |
| 78 |
|
| 79 |
> The gpg key was fairly easy, but I don't see how apt-get uses it yet. |
| 80 |
|
| 81 |
As with most such things, it's simply a corruption detection and |
| 82 |
authenticity verification thing. It's likely possible to turn off such |
| 83 |
checks in apt-get's options, but doing so for other than perhaps one's |
| 84 |
own local repo/overlay would be highly discouraged, and the above |
| 85 |
procedure, while not really secure because the key was fetched using |
| 86 |
insecure means, does at least still do integrity verification, which is |
| 87 |
what verification of unauthenticated signatures effectively amounts to. |
| 88 |
|
| 89 |
But presumably you can simply gpgverify the package once you download it |
| 90 |
manually, skipping figuring out the precise gpg-verification code in apt- |
| 91 |
get. Or even skip the verification entirely... |
| 92 |
|
| 93 |
> I also don't see how apt gets the list of files to download, since there |
| 94 |
> is only a directory given. |
| 95 |
> I can't display http://content.runescape.com/a=946/downloads/ubuntu in a |
| 96 |
> browser. |
| 97 |
|
| 98 |
Presumably, apt-get update simply fetches some standardized repository |
| 99 |
index or database file from that location, which then lists the packages, |
| 100 |
etc, in a way that apt-get can read them and fetch specific packages when |
| 101 |
necessary. |
| 102 |
|
| 103 |
Now *here* you might need to go diving into apt-get's workings a bit |
| 104 |
deeper, but presumably there's a manpage and/or other repository layout |
| 105 |
documentation available, so you don't need to read the actual sources |
| 106 |
unless you want to. |
| 107 |
|
| 108 |
Meanwhile, we already know the package name, runescape-launcher, from the |
| 109 |
above instructions. And the package will be a deb file. |
| 110 |
|
| 111 |
What we don't know yet is the version information part of the filename, |
| 112 |
and if there's any subdirs, like gentoo's categories, between the root of |
| 113 |
the repo and the package file we're actually trying to download. |
| 114 |
|
| 115 |
To use a gentoo example, suppose the package we were looking for was gcc. |
| 116 |
We know the package name, gcc, and the likely extension, .ebuild, but we |
| 117 |
don't know that it's in a subdir named sys-devel, yet, instead of |
| 118 |
possibly just a g (first letter of gcc) subdir, or perhaps a build or |
| 119 |
devel subdir/category instead of sys-devel, or maybe sorted by some other |
| 120 |
means like first letter of say a 256-bit hash value of the package, |
| 121 |
expressed in hexadecimal form.[1] And we don't know the version part, |
| 122 |
say -5.3.0 of the gcc-5.3.0 that I have installed here, either. |
| 123 |
|
| 124 |
You may have to either take an educated guess at the missing parts (maybe |
| 125 |
you know the version info or can find it in google), or get them from the |
| 126 |
repo database after reading up on its documentation or the like. |
| 127 |
|
| 128 |
But before that, it's also possible that you can find a reference to the |
| 129 |
specific path, or find the *.deb file elsewhere. |
| 130 |
|
| 131 |
You can also very likely take valuable hints from the older overlay ebuild |
| 132 |
that Mark linked, despite it being the old java-based launcher. Looks |
| 133 |
like the homepage is a github repo, with the latest 4.3.5 releases tagged |
| 134 |
on Sep 21, 2015, with the latest commit on master on Feb 2, changing the |
| 135 |
downloads to https from http, so it seems active still. |
| 136 |
|
| 137 |
Meanwhile, a dumb search on "runescape" at github reveals nearly 700 |
| 138 |
repos. Of course many look to be runescape bots or the like, and many of |
| 139 |
them will no doubt be for other platforms, but a smarter search could |
| 140 |
probably narrow it down. Anyway, 50 of those projects have been updated |
| 141 |
in the last 30 days, a reasonable activity metric. A perhaps smarter |
| 142 |
search on runescape launcher lists 70-some projects, tho most appear to |
| 143 |
use the old launcher or at least be written in java. Unfortunately, no |
| 144 |
github hits on runescape nxt yet. =:^( |
| 145 |
|
| 146 |
> Just wondering if anyone has anything helpful to shorten the process of |
| 147 |
> figuring it out. |
| 148 |
> I'm planning to create a cut down apt-get which just fetches the files, |
| 149 |
> but don't have much time most days. |
| 150 |
|
| 151 |
Well, this doesn't do all the work, but it should get you well beyond the |
| 152 |
figuring out what apt-get does with the signature file stage, at least. |
| 153 |
=:^) |
| 154 |
|
| 155 |
--- |
| 156 |
[1] Back in the day, myspace was using a scheme similar to this to index |
| 157 |
and store the myspace user images, including so-called "private" images, |
| 158 |
and someone figured out the scheme and brute-forced the entire namespace, |
| 159 |
resulting in an archive some 17 gigs or so in size of all those pictures, |
| 160 |
that was torrented out for anyone interested. Of course this was in an |
| 161 |
era where 100 GiB hard drives were still considered huge and connections |
| 162 |
were normally sub-megabit, so this was no small undertaking, even just |
| 163 |
doing the torrent, let alone the work to actually mine the entire |
| 164 |
namespace in question. I still have a copy around somewhere, and have |
| 165 |
actually looked thru IIRC about 1/8 of 1/16 of it (all the 000* thru 01f* |
| 166 |
images). |
| 167 |
|
| 168 |
-- |
| 169 |
Duncan - List replies preferred. No HTML msgs. |
| 170 |
"Every nonfree program has a lord, a master -- |
| 171 |
and if you use the program, he is your master." Richard Stallman |
Archives