PLEASE TEST: New net installer and streamlined distribution #571
SpaceFM's distribution methods are being streamlined, which affects where source packages may be downloaded from, what packages will be available, and the contents of assorted documentation and websites. Please note the following changes, which are currently being implemented in the rolling release 'next' branch, due for 1.0.4 release:
Commands for building and installing SpaceFM have NOT changed, but the location of files may be different. Please review the updated instructions in README.
Regarding the security provisions for code and releases, git already has built-in integrity protection. Downloading the rolling release version from GitHub has not changed. In addition, all release tags within the git repo have always been GPG-signed with my key (0x01937621), and this will continue. If you previously depended on GPG-signed release files, the way to check GPG signatures now is within git. For example, to download and check the signature on the sources for version 1.0.3:
This will produce this output, or similar:
Note: The net installer uses wget or curl to download a tarball from GitHub. However, if wget and curl are not available, it will use git, and will automatically check the tag signature. You can refer to that script, or modify it to use git by default if you want to check signatures automatically. Note that git cannot download specific commits via spacefm-installer, only branches and tags, while wget or curl will also download by commit.
If you redistribute SpaceFM source archives, you should sign them yourself, so that users of your site can verify their integrity.
Testing of the new installer is appreciated. Any questions or problems may be added to the comments below. Thanks!
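
The tag signature check described in the post, as an added example that is not part of the original post or of the SpaceFM installer: it accepts a tag only if git validates the signature and the signing key matches the key ID the post quotes. `REPO_URL` is a placeholder, the function names are hypothetical, and the signer's public key is assumed to be in the local GnuPG keyring already.

```shell
#!/bin/sh
# Added example, not SpaceFM's installer code. Function names are hypothetical.
KEY_ID="${KEY_ID:-0x01937621}"   # key ID quoted in the post
TAG="${TAG:-1.0.3}"              # release tag named in the post

# Reads GnuPG status lines on stdin (the format `git verify-tag --raw` writes
# to stderr) and succeeds only if a VALIDSIG line names a signing-key or
# primary-key fingerprint that ends in the expected key ID.
status_signed_by() {
    want=${1#0x}
    [ -n "$want" ] || return 2      # an empty ID would match any fingerprint
    awk -v want="$want" '
        BEGIN { want = toupper(want) }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n = split(toupper($3 " " $NF), fpr, " ")
            for (i = 1; i <= n; i++) {
                tail = substr(fpr[i], length(fpr[i]) - length(want) + 1)
                if (length(fpr[i]) >= length(want) && tail == want) ok = 1
            }
        }
        END { exit(ok ? 0 : 1) }'
}

# Verifies the tag inside a clone: git must accept the signature, and the
# signature must come from the expected key, not just any key in the keyring.
verify_tag() {   # usage: verify_tag <repo-dir> <tag> <key-id>
    out=$(git -C "$1" verify-tag --raw "$2" 2>&1) || return 1
    printf '%s\n' "$out" | status_signed_by "$3"
}

# Runs only when REPO_URL (placeholder, the post does not give the URL) is set.
# A 32-bit key ID can collide; pass the full fingerprint as KEY_ID if you have it.
if [ -n "${REPO_URL:-}" ]; then
    git clone --quiet "$REPO_URL" spacefm-src &&
    verify_tag spacefm-src "$TAG" "$KEY_ID" &&
    git -C spacefm-src checkout --quiet "$TAG" &&
    echo "tag $TAG: signature from $KEY_ID verified"
fi
```

Checking the key ID in addition to git's exit status matters because `git verify-tag` alone succeeds for a valid signature from any key in the keyring.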