Configuring download urls

Zoran Simic edited this page Jun 17, 2022 · 5 revisions

Starting with portable-python 1.5.0, the download URLs for every component's source code will be configurable. This page is a draft outlining the design.

Design

All source components are configured under sources:. Each component has one required key, url:, and several optional keys:

  • url: required; can (and should) use the {version} marker, which is expanded with the component version being built
  • sha256: sha256 checksum of the downloaded blob; verified if provided
  • sha512: sha512 checksum of the downloaded blob; verified if provided
  • sha512sum: url of a bzip2-style sum file listing one "digest  filename" entry per line, see https://sourceware.org/pub/bzip2/sha512.sum

Simplest case: just a url

No verification of the downloaded blob is performed; whatever the server returns is accepted as-is.

sources:
  bdb:
    url: https://ftp.osuosl.org/pub/blfs/conglomeration/db/db-{version}.tar.gz

sha256 example, with a generic versioned url (the same form works for sha512)

Use this form if the remote origin is "consistent" about where each version lives, so that a single url pattern covers all versions and only the per-version digest changes:

sources:
  gdbm:
    url: https://ftp.gnu.org/gnu/gdbm/gdbm-{version}.tar.gz
    sha256:
      1.23: ...
  libffi:
    url: https://github.com/libffi/libffi/releases/download/v{version}/libffi-{version}.tar.gz
    sha512:
      3.4.2: ...

A helper command is provided to help you craft and maintain config files for this form (and this form only):

portable-python checksum <component> <version>

The command downloads the blob, computes its checksum, and outputs a copy-pastable snippet to use in a config file.

sha256 example, with the sha256 coming from a url

If the value is a url rather than a per-version map, the checksum file is downloaded from it and the digest found there is used. OpenSSL, for example, provides this:

sources:
  openssl:
    url: https://www.openssl.org/source/openssl-{version}.tar.gz
    sha256: https://www.openssl.org/source/openssl-{version}.tar.gz.sha256

sha512sum style:

The sum file lists digests for many versions, and the entry matching the downloaded filename is used. Not sure if this is worth doing... only bzip2 seems to follow this convention.

sources:
  bzip2:
    url: https://sourceware.org/pub/bzip2/bzip2-{version}.tar.gz
    sha512sum: https://sourceware.org/pub/bzip2/sha512.sum
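As an added example (not part of this draft and not portable-python's own code), the following shows how a verifier for the four checksum forms above (no verification, literal per-version digest, digest fetched from a sidecar url, and a bzip2-style sha512.sum file) could behave. The `sources:` config, the blob (the bytes `abc`), the sidecar file contents and the `fake_fetch` stand-in for HTTP are all constructed here; the component names and urls are taken from this page. The design point it demonstrates is that a configured checksum key fails closed: an unknown version or a missing sum-file entry is an error, never a silent skip, and only a component with no checksum key at all is reported as unverified.

```python
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

Fetch = Callable[[str], bytes]  # maps a url to its content; the real tool would do an HTTP GET

# Constructed sample `sources:` config in the forms this page describes. The digests are the
# well-known SHA-256/SHA-512 values of the bytes b"abc", which serve as the sample "blob".
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SHA512_ABC = ("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f")
SOURCES = {
    "bdb": {"url": "https://ftp.osuosl.org/pub/blfs/conglomeration/db/db-{version}.tar.gz"},
    "gdbm": {"url": "https://ftp.gnu.org/gnu/gdbm/gdbm-{version}.tar.gz",
             "sha256": {"1.23": SHA256_ABC}},
    "openssl": {"url": "https://www.openssl.org/source/openssl-{version}.tar.gz",
                "sha256": "https://www.openssl.org/source/openssl-{version}.tar.gz.sha256"},
    "bzip2": {"url": "https://sourceware.org/pub/bzip2/bzip2-{version}.tar.gz",
              "sha512sum": "https://sourceware.org/pub/bzip2/sha512.sum"},
}

# Constructed stand-in for the network: a one-line .sha256 sidecar and a multi-entry sha512.sum.
FAKE_REMOTE = {
    "https://www.openssl.org/source/openssl-3.0.4.tar.gz.sha256": (SHA256_ABC + "\n").encode(),
    "https://sourceware.org/pub/bzip2/sha512.sum": (
        "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
        "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  bzip2-1.0.6.tar.gz\n"
        + SHA512_ABC + "  bzip2-1.0.8.tar.gz\n").encode(),
}

def fake_fetch(url: str) -> bytes:
    return FAKE_REMOTE[url]

HEX_LEN = {"sha256": 64, "sha512": 128}

def resolve_url(spec: dict, version: str) -> str:
    """Expand the {version} marker in a configured url."""
    return spec["url"].format(version=version)

def parse_sum_file(text: str, algo: str, filename: str) -> Optional[str]:
    """Extract the digest for `filename` from sha256sum/sha512sum-style text ("digest  name" lines).
    A one-line sidecar file with no name is accepted; a multi-entry file must name the file."""
    entries: Dict[Optional[str], str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        digest = parts[0].lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
            continue  # wrong algorithm, or a comment line
        name = parts[1].lstrip("*") if len(parts) > 1 else None
        entries[name] = digest
    if filename in entries:
        return entries[filename]
    if len(entries) == 1 and None in entries:
        return entries[None]
    return None

def expected_digest(name: str, version: str, fetch: Fetch) -> Optional[Tuple[str, str]]:
    """Return (algo, hexdigest) for a component, or None when no checksum key is configured.
    Fails closed: a checksum key that cannot be turned into a digest raises instead of skipping."""
    spec = SOURCES[name]
    filename = resolve_url(spec, version).rsplit("/", 1)[-1]
    for algo, key in (("sha256", "sha256"), ("sha512", "sha512"), ("sha512", "sha512sum")):
        value = spec.get(key)
        if value is None:
            continue
        if isinstance(value, dict):  # literal per-version map
            digest = value.get(version)
            if digest is None:
                raise ValueError(f"{name}: no {key} entry for version {version}")
            return algo, digest.lower()
        digest = parse_sum_file(fetch(value.format(version=version)).decode(), algo, filename)
        if digest is None:
            raise ValueError(f"{name}: {filename} not found in {value}")
        return algo, digest
    return None

def verify_blob(name: str, version: str, blob: bytes, fetch: Fetch = fake_fetch) -> str:
    """Return "unverified" when the config carries no checksum, "ok" on a match; raise on mismatch."""
    expected = expected_digest(name, version, fetch)
    if expected is None:
        return "unverified"
    algo, digest = expected
    actual = hashlib.new(algo, blob).hexdigest()
    if actual != digest:
        raise ValueError(f"{name} {version}: {algo} mismatch (expected {digest}, got {actual})")
    return "ok"

def checksum_snippet(name: str, version: str, blob: bytes) -> str:
    """Copy-pastable snippet for the literal per-version form (what a `checksum` helper could print)."""
    return (f"sources:\n  {name}:\n    url: {SOURCES[name]['url']}\n"
            f"    sha256:\n      {version}: {hashlib.sha256(blob).hexdigest()}\n")

if __name__ == "__main__":
    for component, version in (("bdb", "5.3.28"), ("gdbm", "1.23"), ("openssl", "3.0.4"), ("bzip2", "1.0.8")):
        print(component, version, resolve_url(SOURCES[component], version), verify_blob(component, version, b"abc"))
    print(checksum_snippet("gdbm", "1.23", b"abc"))
```

The sidecar parser deliberately rejects a single-entry file whose filename does not match the downloaded one, and a multi-entry sum file that lacks an entry for the requested version; both cases surface as errors rather than being treated as "no checksum configured".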

PGP signature

Requires gpg to be installed, which is heavy and cumbersome... but cpython provides such a GPG signature, and a signature binds the blob to a release key rather than only to a digest that may be served from the same origin as the blob:

sources:
  cpython:
    url: https://www.python.org/ftp/python/{version}/Python-{version}.tar.xz
    pgp-signature: https://www.python.org/ftp/python/{version}/Python-{version}.tar.xz.asc

Detached gpg .sig

Requires gpg; not sure how standard this is, or whether it's worth doing. All GNU tools seem to follow this convention. It's unclear, though, how to check the .sig: against which key, obtained from where, etc...

sources:
  readline:
    url: https://ftp.gnu.org/gnu/readline/readline-{version}.tar.gz
    pgp-sig: https://ftp.gnu.org/gnu/readline/readline-{version}.tar.gz.sig