PLEASE TEST: New net installer and streamlined distribution #571

Closed
IgnorantGuru opened this Issue Aug 28, 2015 · 3 comments


@IgnorantGuru
Owner

SpaceFM's distribution methods are being streamlined, which affects where source packages may be downloaded from, what packages will be available, and the contents of assorted documentation and websites. Please note the following changes, which are currently being implemented in the rolling release 'next' branch, due for 1.0.4 release:

  • SpaceFM has a new interactive net installer which replaces the self-extracting installer packages (and the 'install' script in the source). This new installer can download and/or build/install with various options, based on any branch, commit, or version. Basic instructions can be found on the homepage. The installer may be downloaded and used alone, and is also installed to /usr/bin/spacefm-installer.
  • README has been streamlined and rewritten, including information on the new installer and new download locations, and a new USING GIT section has been added, which details how to download versions, check sigs, etc. The homepage and user's manual have also been updated.
  • Signed source archives and Debian packages will no longer be distributed with releases. The pkg branch on Github (previously used to distribute source and Debian packages) will be deleted. Instead, release source archives may be downloaded from Github Releases. The rolling release will continue to be available as SpaceFM's 'next' branch on Github.
  • Distributed files are being removed from Sourceforge. Sourceforge is under new ownership, and has reportedly been engaging in malware and other shady practices (you can search for news on this - several well-known projects have had malware problems). In addition, maintaining files on Sourceforge was adding to the release workflow, and signed files are no longer being created. However, Sourceforge will continue to host SpaceFM's forum for now.
  • SpaceFM packages will be removed from IgnorantGuru's PPA, as these packages are no longer being created as part of the release process. SpaceFM is included in official Debian repos. For users of older Debian distros who previously used the PPA's self-building packages, the new installer is recommended instead, which works similarly. Or, a custom deb package can be easily built from sources as before - see README.
  • Recommendations to enable kernel polling have been made less prominent in docs, as this is already enabled now on most distros.
  • (Developers and forks only) A new script for automating releases, probably called 'release', has been added. This will consolidate several external scripts I've been using, and will allow owners of forks to easily create custom releases. Also, a RELEASE section was added to README which briefly describes the new 'release' script.
  • Similar changes will be coming to udevil's distribution shortly.

Commands for building and installing SpaceFM have NOT changed, but the location of files may be different. Please review the updated instructions in README.

Regarding the security provisions for code and releases, git already has built-in integrity protection. Downloading the rolling release version from Github has not changed. In addition, all release tags within the git repo have always been GPG-signed with my key (0x01937621), and this will continue. If you previously depended on GPG-signed release files, the way to check GPG signatures now is within git. For example, to download and check the signature on the sources for version 1.0.3:

git clone --depth 1 -b 1.0.3 git://github.com/IgnorantGuru/spacefm.git spacefm
cd spacefm
git tag -v 1.0.3

This will produce this output, or similar:

object 1709b809e94c1bfcc24fdbc0f91f68f2a6b3e6b5
type commit
tag 1.0.3
tagger IgnorantGuru <ignorantguru@gmx.com> 1440599048 -0600

release 1.0.3
gpg: Signature made Wed 26 Aug 2015 08:24:08 AM MDT using DSA key ID 01937621
gpg: Good signature from "IgnorantGuru (igurublog.wordpress.com) <ignorantguru@users.sourceforge.net>"
gpg:                 aka "IgnorantGuru <ignorantguru@gmx.com>"

Note: The net installer uses wget or curl to download a tarball from Github. However, if wget and curl are not available, it will use git, and will automatically check the tag signature. You can refer to that script, or modify it to use git by default if you want to check signatures automatically. Note that git cannot download specific commits via spacefm-installer, only branches and tags, while wget or curl will also download by commit.

If you redistribute SpaceFM source archives, you should sign them yourself, so that users of your site can verify their integrity.

Testing of the new installer is appreciated. Any questions or problems may be added to the comments below. Thanks!

@IgnorantGuru IgnorantGuru added this to the 1.0.4 milestone Aug 28, 2015
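
The tag check described in the post above, as an added example that is not part of the original issue or of spacefm-installer: `git tag -v` reports a good signature for any key present in the local keyring, and an 8-hex-digit key ID is short enough to collide, so this sketch pins the result to one full fingerprint by parsing the GnuPG status lines that `git verify-tag --raw` writes to stderr. `PINNED_FPR`, the function names and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: accept a tag only if it was signed by one pinned key.
# PINNED_FPR is a constructed placeholder; use the full 40-hex-digit
# fingerprint you obtained out of band, not an 8-digit key ID.
PINNED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# validsig_matches FPR: read GnuPG status lines on stdin; succeed only when
# a good signature by FPR (signing key or its primary key) is reported.
validsig_matches() {
    case "$1" in ""|*[!0-9A-Fa-f]*) return 2 ;; esac
    [ "${#1}" -eq 40 ] || return 2
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }'
}

# verify_pinned_tag REPO TAG FPR: git prints the raw status lines on stderr.
verify_pinned_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | validsig_matches "$3"
}

# Constructed status output for a good signature by PINNED_FPR.
sample_good() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $PINNED_FPR 2015-08-26 1440599048 0 4 0 17 2 00 $PINNED_FPR
EOF
}

# Constructed status output: valid signature, but from some other key.
sample_other_key() {
    sample_good | sed 's/AAAA/BBBB/g'
}

# Usage: sh this-script REPO_DIR TAG
if [ "$#" -eq 2 ]; then
    verify_pinned_tag "$1" "$2" "$PINNED_FPR" && echo "tag $2: signed by pinned key"
fi
```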
@Vladimir-csp

Installer extracts downloaded archive to subdir, but tries to cd to source in the current dir

Line 395 contains typo:

        ./confXigure${configure_options}
@IgnorantGuru
Owner

@Vladimir-csp Thanks - I noticed that right after I pushed, and it has been corrected. I had added that to trigger an error to test the error handling and forgot to remove it.

@IgnorantGuru IgnorantGuru added a commit that referenced this issue Aug 29, 2015
@IgnorantGuru add release script #571 9ce8ac9
@IgnorantGuru
Owner

A new USING GIT section has been added to README, which details how to download versions, check sigs, etc. Also, a RELEASE section was added which briefly describes the new 'release' script (applies to developers and forks only).
