1 |
Daiajo Tibdixious posted on Mon, 18 Apr 2016 22:40:08 +1000 as excerpted: |
2 |
|
3 |
> A package I wish to download has these instructions: |
4 |
> |
5 |
> wget -O - |
6 |
> http://content.runescape.com/a=946/downloads/ubuntu/runescape.gpg.key |
7 |
> | apt-key add - |
8 |
|
9 |
That, and each of the following, are effectively single command-lines, |
10 |
one each, only wrapped here, as they would be on a limited-width |
11 |
terminal, for purposes of display. |
12 |
|
13 |
That line simply adds the linked gpg key to apt's keys file, presumably |
14 |
so it can validate the later package as a validly signed package. |
15 |
|
16 |
Of course the key fetch is using unsecured http, not https, so it's not |
17 |
as if the key really provides much actual security, since anyone with |
18 |
access to the connection could substitute a fake key, but that's more or |
19 |
less beside the point. The point would be that apt wants packages signed |
20 |
by keys it trusts, and that adds said key to the appropriate trusted key |
21 |
store, regardless of whether the key has actually been verified as |
22 |
trustworthy. |
23 |
|
24 |
> mkdir -p /etc/apt/sources.list.d |
25 |
|
26 |
Makes (if it doesn't already exist) that local dir, used in the next |
27 |
command. |
28 |
|
29 |
> echo "deb http://content.runescape.com/a=946/downloads/ubuntu trusty |
30 |
> non-free" > /etc/apt/sources.list.d/runescape.list |
31 |
|
32 |
Just to make it explicit, that ">" between non-free and /etc/apt/... is |
33 |
output redirection in the original command, not just a misplaced quote |
34 |
character. |
35 |
|
36 |
This creates a file "runescape.list" in the directory created by the mkdir |
37 |
above, with one line of content: |
38 |
|
39 |
deb http://content.runescape.com/a=946/downloads/ubuntu trusty non-free |
40 |
|
41 |
Presumably, the "deb" on that line tells apt what format the repo is in, |
42 |
the link tells apt where it's at and the protocol to use, "trusty" tells |
43 |
it what version of ubuntu it's for, and non-free tells it the (Debian/ |
44 |
Ubuntu/apt) license status. |
45 |
|
46 |
> apt-get update |
47 |
|
48 |
This will be their equivalent of portage's emerge --sync command. It'll |
49 |
sync all configured repos, including the one just configured above, with |
50 |
that /etc/apt/sources.list.d/runescape.list file and its content. |
51 |
|
52 |
> apt-get install -y runescape-launcher |
53 |
|
54 |
With the local apt set of repos synced by the above, this installs the |
55 |
actual package, runescape-launcher. |
56 |
|
57 |
|
58 |
> I have downloaded the apt sources and have been reading it. However its |
59 |
> fairly large & complex which will take me a while to figure out. |
60 |
|
61 |
No kidding. You'd not expect someone to download and read the portage |
62 |
sources to figure out how to manually install a package from an ebuild, |
63 |
would you? Sure it should work... provided you're technically literate |
64 |
and patient enough, but it's definitely the long way around. |
65 |
|
66 |
All you need is a basic general understanding of what package managers |
67 |
/do/, a look at the instructions provided, and if necessary, a look at |
68 |
the package manager's manpage, etc, tho that's not really necessary here. |
69 |
|
70 |
FWIW I've never run a Debian-based distro, tho for about three years |
71 |
before I switched to gentoo in 2004, I ran Mandrake, an RPM-based |
72 |
distro. My rpm foo is thus well over a decade out of date and is rpm, |
73 |
not deb, but it does give me experience with a second package manager, |
74 |
one from a binary-based distro, to compare against portage and gentoo as |
75 |
a from-source package manager and distro, and that, coupled with a |
76 |
general familiarity with how Unix-style commandlines and bash as a shell |
77 |
work, is enough to decipher the above. |
78 |
|
79 |
> The gpg key was fairly easy, but I don't see how apt-get uses it yet. |
80 |
|
81 |
As with most such things, it's simply a corruption detection and |
82 |
authenticity verification thing. It's likely possible to turn off such |
83 |
checks in apt-get's options, but doing so for other than perhaps one's |
84 |
own local repo/overlay would be highly discouraged, and the above |
85 |
procedure, while not really secure because the key was fetched using |
86 |
insecure means, does at least still do integrity verification, which is |
87 |
what verification of unauthenticated signatures effectively amounts to. |
88 |
|
89 |
But presumably you can simply gpgverify the package once you download it |
90 |
manually, skipping figuring out the precise gpg-verification code in apt- |
91 |
get. Or even skip the verification entirely... |
92 |
|
93 |
> I also don't see how apt gets the list of files to download, since there |
94 |
> is only a directory given. |
95 |
> I can't display http://content.runescape.com/a=946/downloads/ubuntu in a |
96 |
> browser. |
97 |
|
98 |
Presumably, apt-get update simply fetches some standardized repository |
99 |
index or database file from that location, which then lists the packages, |
100 |
etc, in a way that apt-get can read them and fetch specific packages when |
101 |
necessary. |
102 |
|
103 |
Now *here* you might need to go diving into apt-get's workings a bit |
104 |
deeper, but presumably there's a manpage and/or other repository layout |
105 |
documentation available, so you don't need to read the actual sources |
106 |
unless you want to. |
107 |
|
108 |
Meanwhile, we already know the package name, runescape-launcher, from the |
109 |
above instructions. And the package will be a deb file. |
110 |
|
111 |
What we don't know yet is the version information part of the filename, |
112 |
and if there's any subdirs, like gentoo's categories, between the root of |
113 |
the repo and the package file we're actually trying to download. |
114 |
|
115 |
To use a gentoo example, suppose the package we were looking for was gcc. |
116 |
We know the package name, gcc, and the likely extension, .ebuild, but we |
117 |
don't know that it's in a subdir named sys-devel, yet, instead of |
118 |
possibly just a g (first letter of gcc) subdir, or perhaps a build or |
119 |
devel subdir/category instead of sys-devel, or maybe sorted by some other |
120 |
means like first letter of say a 256-bit hash value of the package, |
121 |
expressed in hexadecimal form.[1] And we don't know the version part, |
122 |
say -5.3.0 of the gcc-5.3.0 that I have installed here, either. |
123 |
|
124 |
You may have to either take an educated guess at the missing parts (maybe |
125 |
you know the version info or can find it in google), or get them from the |
126 |
repo database after reading up on its documentation or the like. |
127 |
|
128 |
But before that, it's also possible that you can find a reference to the |
129 |
specific path, or find the *.deb file elsewhere. |
130 |
|
131 |
You can also very likely take valuable hints from the older overlay ebuild |
132 |
that Mark linked, despite it being the old java-based launcher. Looks |
133 |
like the homepage is a github repo, with the latest 4.3.5 releases tagged |
134 |
on Sep 21, 2015, with the latest commit on master on Feb 2, changing the |
135 |
downloads to https from http, so it seems active still. |
136 |
|
137 |
Meanwhile, a dumb search on "runescape" at github reveals nearly 700 |
138 |
repos. Of course many look to be runescape bots or the like, and many of |
139 |
them will no doubt be for other platforms, but a smarter search could |
140 |
probably narrow it down. Anyway, 50 of those projects have been updated |
141 |
in the last 30 days, a reasonable activity metric. A perhaps smarter |
142 |
search on runescape launcher lists 70-some projects, tho most appear to |
143 |
use the old launcher or at least be written in java. Unfortunately, no |
144 |
github hits on runescape nxt yet. =:^( |
145 |
|
146 |
> Just wondering if anyone has anything helpful to shorten the process of |
147 |
> figuring it out. |
148 |
> I'm planning to create a cut down apt-get which just fetches the files, |
149 |
> but don't have much time most days. |
150 |
|
151 |
Well, this doesn't do all the work, but it should get you well beyond the |
152 |
figuring out what apt-get does with the signature file stage, at least. |
153 |
=:^) |
154 |
|
155 |
--- |
156 |
[1] Back in the day, myspace was using a scheme similar to this to index |
157 |
and store the myspace user images, including so-called "private" images, |
158 |
and someone figured out the scheme and brute-forced the entire namespace, |
159 |
resulting in an archive some 17 gigs or so in size of all those pictures, |
160 |
that was torrented out for anyone interested. Of course this was in an |
161 |
era where 100 GiB hard drives were still considered huge and connections |
162 |
were normally sub-megabit, so this was no small undertaking, even just |
163 |
doing the torrent, let alone the work to actually mine the entire |
164 |
namespace in question. I still have a copy around somewhere, and have |
165 |
actually looked thru IIRC about 1/8 of 1/16 of it (all the 000* thru 01f* |
166 |
images). |
167 |
|
168 |
-- |
169 |
Duncan - List replies preferred. No HTML msgs. |
170 |
"Every nonfree program has a lord, a master -- |
171 |
and if you use the program, he is your master." Richard Stallman |