SpaceFM's distribution methods are being streamlined, which affects where source packages may be downloaded from, what packages will be available, and the contents of assorted documentation and websites. Please note the following changes, which are currently being implemented in the rolling release 'next' branch, due for 1.0.4 release:
Commands for building and installing SpaceFM have NOT changed, but the location of files may be different. Please review the updated instructions in README.
Regarding the security provisions for code and releases, git already has built-in integrity protection. Downloading the rolling release version from Github has not changed. In addition, all release tags within the git repo have always been GPG-signed with my key (0x01937621), and this will continue. If you previously depended on GPG-signed release files, the way to check GPG signatures now is within git. For example, to download and check the signature on the sources for version 1.0.3:
git clone --depth 1 -b 1.0.3 git://github.com/IgnorantGuru/spacefm.git spacefm
git tag -v 1.0.3
This will produce this output, or similar:
tagger IgnorantGuru <email@example.com> 1440599048 -0600
gpg: Signature made Wed 26 Aug 2015 08:24:08 AM MDT using DSA key ID 01937621
gpg: Good signature from "IgnorantGuru (igurublog.wordpress.com) <firstname.lastname@example.org>"
gpg: aka "IgnorantGuru <email@example.com>"
Note: The net installer uses wget or curl to download a tarball from Github. However, if wget and curl are not available, it will use git, and will automatically check the tag signature. You can refer to that script, or modify it to use git by default if you want to check signatures automatically. Note that git cannot download specific commits via spacefm-installer, only branches and tags, while wget or curl will also download by commit.
If you redistribute SpaceFM source archives, you should sign them yourself, so that users of your site can verify their integrity.
Testing of the new installer is appreciated. Any questions or problems may be added to the comments below. Thanks!
remove error trick for configure #571
Installer extracts downloaded archive to subdir, but tries to cd to source in the current dir
Line 395 contains typo:
@Vladimir-csp Thanks - I noticed that right after I pushed, and it has been corrected. I had added that to trigger an error to test the error handling and forgot to remove it.
[installer] correct debug_prefix to debug_mode #571
[installer] output format adjustment #571
add release script #571
new net installer; distribution changes #571
add USING GIT and RELEASE to README; update release script #571
A new USING GIT section has been added to README, which details how to download versions, check sigs, etc. Also, a RELEASE section was added which briefly describes the new 'release' script (applies to developers and forks only).
[installer] minor adjustments #571