(qbittorrent) Updated to embed installer #442
Conversation
|
Have a look at the ChocolateyGUI package. It is quite old, and needs updating, but the premise of embedding the msi within the package is shown in there. |
|
Heading out for the night, but will check in tomorrow to see if there are any questions. |
|
gotcha. |
|
Nope, don't think so. As long as the nuspec files section isn't explicitly including files, then the downloaded file should get picked up and included in the package that is generated by AU. If we are going down this route, we will need to include a verification.txt to allow moderators to verify that the included file is legitimate. |
Like where they can download the file and verify the checksum? |
|
Yip. Check the output of |
| @@ -1,28 +1,36 @@ | |||
| import-module au | |||
| import-module "./../../extensions/extensions.psm1" | |||
There was a problem hiding this comment.
will do, forgot about that one.
| $download_page = Invoke-WebRequest -uri $Latest.URL32 -UseBasicParsing | ||
| $url = $download_page.links | ? class -eq "direct-download" | select -expand href | ||
|
|
||
| $client = New-Object System.Net.WebClient |
There was a problem hiding this comment.
Why not using iwr for this too ?
There was a problem hiding this comment.
because iwr is notoriously slow for downloading files, so to save time if there is multiple packages
needing to download files, I'm using .net instead.
|
LGTM
You can just put $Latest table or parts of it in verification.txt Some questions:
|
Not sure what you mean by this. Can you elaborate? The idea of the verification.txt is that it is a list of human followable steps to verify that the bundled installer, and associates checksum are correct. I.e. Go to this website, click on download link, run this command to generate the hash, verify against chocolateyInstall.ps1. |
I don't see any reason to do that, and since the .exe file is already is already on the ignore list for the repo it shouldn't be commited (unless AU overrides it though).
Good question, I don't really know. definitely something that needs to be tested though.
I'm guessing you meant verifying against the installer/archive, right? |
Well yes, both. I.e. Verify against the checksum that is contained within the installation script as well. |
|
@gep13 It would be enough with something like this right? the checksum in the installation script? isn't the checksum only in the installation script if |
|
@AdmiringWorm ah, sorry, wasn't thinking there. Yes, you are right. The expected checksum would go into the verification.txt file, and wouldn't be in the install script. My bad... |
| 1. Go to <http://sourceforge.net/projects/qbittorrent/files/qbittorrent-win32/qbittorrent-3.3.7/qbittorrent_3.3.7_setup.exe/download> | ||
| and download the installer | ||
| 2. Use powershell function 'Get-FileHash' or the chocolatey utility 'checksum.exe' | ||
| to verify that the installer matches the sha256 checksum '49AE9A0ADFC3272BEC38822C528F732D9495B79A2A7CA934F8C6635237B15D07' |
There was a problem hiding this comment.
BEAUTIFUL! Thanks for catching this as a necessity
There was a problem hiding this comment.
no problem, is there anything else should be in the verification.txt file?
or any additional steps I need to include?
|
You will also need a LICENSE.txt file. The reason we ask for this is protection of maintainers and the community. A remote licenseUrl cannot be controlled and could be changed. You can see how this could lead to problems down the road if someone changes the license and then claims that the license did not allow for distributions. For protection, also place the LICENSE.txt file in the package with the embedded software. |
|
@ferventcoder alright, will do |
This is not just for moderators. This is also so someone looking can take the checksum for the binary (listed on the package page under files) and use it to verify the remote location is exactly the same. FWIW - when you push a package, during the gathering of all included files, if the file is a binary, the Gallery grabs the checksum values for md5, sha1, sha256, and sha512 to ease verifying it with the remote source. I'd still add the checksum value to the verification.txt file as well, that adds additional value IMHO. |
|
I wish github would publish checksums when folks put up binaries under releases. That would be most helpful. |
Same here, I actually find it a little odd that they doesn't |
I didn't mean about repo, but about installation. Installer can delete the setup after installation for example to save space, otherwise, every one will be x3 (tools, TEMP, windows cache).
We could have a template for this, could be part of the package directory and AU can modify it during update. Something like: Then this could be used as such for majority of packages. |
|
About keeping the binaries in repository I wouldn't do that for start, but that is probably the best solution. But really, if Choco ever goes out of buisnis I guess there will be migration plan and it will certainly not be shut down over night so we can make crawlers to downlolad older packages that we need. And honestly, in huge majority of cases you don't really need particular version but latest one so older versions are most of the time IMO irrelelvant (i mean, its one thing to have version for library and who needs specific version of lets say qbittorent). |
|
You will have to take into account that |
|
Sorry, my mind went straight to the repo not on the users machine. regarding saving space, it wouldn't be stored in TEMP though but it will be stored in tools directory and possibly in windows cache (although my windows\installer directory only contains msi files, not .exe files).
That would definitely be useful.
There is no need to store them in the repository, with this PR I've added a .gitignore file in the automatic directory to ignore common binary files. |
That may be true, I haven't really tested updating yet, but I will. |
Right, forgot you are using different choco installer.
I know, the point was that then we depend on chocolatey.org existence. If chocolatey.org is out one day packages on this repo become unusable. |
|
But even with no changes its certainly MUCH better then what we have now where exes dissapear from vendor site. |
|
I think chocolateyUninstall.ps1 should be modernized. |
Using the uninstall helper in |
|
We could explore git-lfs for binaries. |
|
Then you get best of both worlds here |
That's definitely a possibility, can't say I've ever tried git-lfs before though so I don't know how it is used (YET). |
|
I think it is done now, only thing to find out first it whether we should store the binaries in the repo or not. EDIT: |
Not for now. I just tried git-lfs and its really epic but we need to either use Github enterprise for chocolatey user or mount lfs server on existing chocolatey infrastructure. Without deduplication size will not be trivial - 15 versions of smplayer alone for example will take ~1GB. I think that 1 TB of space without deduplication should be enough for a couple of years for all packages that could ever become embeded. With dedup, I beleive this could be order of magnitude lower. Other then that I think git-lfs is epic as given the chocolatey client, repo becomes another form of decentralized gallery that is easy to utilize independent of the chocolatey.org and it solves the 404 problem completelly. |
|
So far I see just one downside of embeding - you will typically download x2 of what you need (as package contains both x32 and x64 and non-embeded packages download just one). This is not ideal for big tools but again those should probably not be embeded. Alternative is to use separate x32 and x64 package (like we already have for some packages) which is something I dont think we should generally practice. |
Qbittorrent does not register itself. Perhaps you could add at the end: The details are on chocolatey/choco#1072. This is quite practical for testing too as it allows you to very quickly launch it. Other then that this is ready for push. |
|
@majkinetor I've added the applicationr registration and uninstall of that key. If it looks good, I'll squash and merge this now... |
| $installLocation = Get-AppInstallLocation $packageArgs.softwareName | ||
| if ($installLocation) { | ||
| Write-Host "$($packageArgs.packageName) installed to '$installLocation'" | ||
| Register-Application "$installLocation\qbittorrent.exe" |
There was a problem hiding this comment.
It would be good to add explicit name here, something shorter like qbit because qbittorrent is not easy to type so it defets the purpose of having it (at least in WIN + R where you cant tab complete it). You can add both:
Register-Application "$installLocation\qbittorrent.exe"
Register-Application "$installLocation\qbittorrent.exe" qbit
|
LGTM |
The uses GPL license which allows redistribution
majkinetor
changed the title
qBittorrent uses GPL license which allows redistribution
I'm unsure about the creation of embedded packages, so any feedback would be appreciated.
/cc @gep13 @majkinetor @ferventcoder