Configuring download urls
Starting with portable-python 1.5.0, all urls for the various components' source code will be configured.
This page is a draft outlining the design.
All source components are configured under `sources:`. There is one required `url:` key, and several optional keys:
- `url:` key is required, and can/should use the `{version}` marker
- `sha256:` sha256 checksum of downloaded blob, will be verified if provided
- `sha512:` sha512 checksum of downloaded blob, will be verified if provided
- `sha512sum:` url to a bzip2-like sum file, see https://sourceware.org/pub/bzip2/sha512.sum
No verification on downloaded blob is performed
sources:
  bdb:
    url: https://ftp.osuosl.org/pub/blfs/conglomeration/db/db-{version}.tar.gz
Use this form if remote origin is "consistent" with where each version lives...
sources:
  gdbm:
    url: https://ftp.gnu.org/gnu/gdbm/gdbm-{version}.tar.gz
    sha256:
      1.23: ...
  libffi:
    url: https://github.com/libffi/libffi/releases/download/v{version}/libffi-{version}.tar.gz
    sha512:
      3.4.2: ...
A helper command is provided to help you craft/maintain config files for this form (and this form only):
portable-python checksum <component> <version>
The command will output a copy-pastable snippet to use in a config file
OpenSSL, for example, provides this:
sources:
  openssl:
    url: https://www.openssl.org/source/openssl-{version}.tar.gz
    sha256: https://www.openssl.org/source/openssl-{version}.tar.gz.sha256
Not sure if this is worth doing... only bzip2 seems to follow this convention
sources:
  bzip2:
    url: https://sourceware.org/pub/bzip2/bzip2-{version}.tar.gz
    sha512sum: https://sourceware.org/pub/bzip2/sha512.sum
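As an added example (not portable-python's own code), this sketch checks a downloaded blob against the inline `sha256:`/`sha512:` form and the `sha512sum:` form described above. The function names and the sum-file line layout are assumptions, and the sample entry uses a constructed digest.

```python
import hashlib
import hmac

def expand(template, version):
    """Fill the {version} marker used in url values."""
    return template.replace("{version}", version)

def expected_digest(entry, version, sum_file_text=None):
    """Return (algorithm, hex digest) configured for this version, or None."""
    for algo in ("sha256", "sha512"):
        pinned = entry.get(algo)
        if isinstance(pinned, dict):  # inline form: {version: digest}
            # An unquoted YAML key such as 1.23 loads as a float, so compare as str.
            by_version = {str(k): str(v).lower() for k, v in pinned.items()}
            if version in by_version:
                return algo, by_version[version]
    if "sha512sum" in entry and sum_file_text is not None:
        # Assumed sum-file layout: "<hex digest>  <file name>" on each line.
        wanted = expand(entry["url"], version).rsplit("/", 1)[-1]
        for line in sum_file_text.splitlines():
            parts = line.split()
            if len(parts) == 2 and parts[1].lstrip("*") == wanted:
                return "sha512", parts[0].lower()
        # Fail closed: a sum file without our tarball is not "unverified".
        raise ValueError(f"no entry for {wanted} in sum file")
    return None

def verify_blob(entry, version, blob, sum_file_text=None):
    """Return the algorithm that matched, None when no checksum is configured,
    and raise ValueError on a mismatch so the caller can refuse the blob."""
    found = expected_digest(entry, version, sum_file_text)
    if found is None:
        return None  # url-only form: no verification is performed
    algo, expected = found
    actual = hashlib.new(algo, blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{algo} mismatch for {expand(entry['url'], version)}")
    return algo

# Constructed sample: b"abc" stands in for the tarball; the value is sha256(b"abc").
SAMPLE = {
    "url": "https://ftp.gnu.org/gnu/gdbm/gdbm-{version}.tar.gz",
    "sha256": {1.23: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
}

if __name__ == "__main__":
    print(verify_blob(SAMPLE, "1.23", b"abc"))
```

A version key such as `1.10` would load from YAML as the float `1.1`, so quoting version keys in the config avoids a silent miss.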
Requires gpg installed, which is heavy, cumbersome... but cpython provides such a GPG signature...
sources:
  cpython:
    url: https://www.python.org/ftp/python/{version}/Python-{version}.tar.xz
    pgp-signature: https://www.python.org/ftp/python/{version}/Python-{version}.tar.xz.asc
Requires gpg, not sure how standard this is, and if it's worth doing. All gnu tools seem to follow this convention. It's unclear though how to check the .sig, against what etc...
sources:
  readline:
    url: https://ftp.gnu.org/gnu/readline/readline-{version}.tar.gz
    pgp-sig: https://ftp.gnu.org/gnu/readline/readline-{version}.tar.gz.sig