Skip to content

v0.1.0

Latest

Choose a tag to compare

@github-actions github-actions released this 20 Jun 20:16

What's Changed

  • Added cvm use system to temporarily return the current shell to system compiler resolution.
  • Added cvm deactivate as a direct way to remove cvm-managed toolchain paths from the current shell.
  • Added optional cvm use system llvm and cvm use system gcc forms for tool-specific system fallback intent.
  • Preserved persistent defaults when using system fallback; opening a new shell still applies configured cvm alias default ... entries.
  • Updated bash/zsh completion and help output for the new commands.

Documentation

  • Clarified release asset verification by comparing the installed cvm binary with a verified release asset.
  • Added docs/TODOs.md for discussed future work.
  • Updated README, README_CN, design notes, troubleshooting, contribution guidance, and agent instructions.

Verifying Packages

cvm install <llvm|gcc> ... automatically verifies upstream LLVM/GCC source archive signatures before building.

install.sh does not automatically verify cvm release assets. To audit an installed cvm binary, verify the matching release asset and compare it with the local binary:

tag=v0.1.0
asset=cvm-x86_64-unknown-linux-musl.tar.gz
tmp="$(mktemp -d)"

curl -fsSLo "$tmp/cvm-release-signing-key.asc" "https://raw.githubusercontent.com/QGrain/cvm/$tag/assets/keys/cvm-release-signing-key.asc"
gpg --import "$tmp/cvm-release-signing-key.asc"

curl -fsSLo "$tmp/$asset" "https://github.com/QGrain/cvm/releases/download/$tag/$asset"
curl -fsSLo "$tmp/$asset.sig" "https://github.com/QGrain/cvm/releases/download/$tag/$asset.sig"
gpg --verify "$tmp/$asset.sig" "$tmp/$asset"

tar -xzf "$tmp/$asset" -C "$tmp"
cmp "$tmp/cvm" "${CVM_HOME:-$HOME/.cvm}/bin/cvm" && echo "installed cvm matches signed release asset"

Replace asset with the file matching your platform.