Package manager publishing? #25
@BatmanAoD: sure, package manager support would be nice. Used Chocolatey a few years ago, and it's pretty convenient. Scrolled through Chocolatey's website. Seems they support multiple maintainers, as well as a separate author. I am not interested in actively maintaining recipe(s); how about you and/or the community become package maintainers, and I get listed as author? Seems like a common setup, and I could take over if needed in the future.
Regarding releases: watching the repository here on github should work, right? There have been a grand total of 4 published X-Mouse Controls versions during the past 14 years (birthday a few days ago! 🎂🎉) so the chance of you missing something is quite low ;) |
@joelpurra That sounds fine! I didn't notice at first that your releases are tagged in Git despite not showing up in the "releases" view here on GitHub, but now that I see the tags, yes, monitoring GitHub should be entirely sufficient. |
@BatmanAoD: FYI, I've just created Github releases from all published versions. Am currently treating these releases merely as a backup for the project website downloads. The entire https://joelpurra.com/ domain recently went down for over a month (hardware failure), so felt it was needed. No new version of X-Mouse Controls is planned, but updating the website a little bit while I'm at it. |
I have to admit that I completely forgot that the ball was in my court for this 🤦🏻 I'm setting up the package now. In case you'd like a preview, here is what I've got so far. |
@BatmanAoD: oh, cool! There's no rush or anything; as mentioned, the Github releases were only triggered by the recent website downtime... |
As I'm sure was the case for you when you wrote the software, the only rush is that I want to use the choco package myself! |
@BatmanAoD: ran a quick test with the latest package (not the

    choco install xmouse-controls --version 1.1.0.0

The executable found in |
@joelpurra I kept the installer minimal; it just puts the |
@BatmanAoD: as X-Mouse Controls is a GUI tool, I would say that the (or at least my) expectation is that a start menu shortcut is created. (Was now reminded of #22, for any scripting needs.) Yes, please, keep the original executable name. Seems the |
@joelpurra Okay, I've added a start-menu shortcut to the installer! |
@joelpurra Chocolatey requests that packages include instructions for manual signature verification, but I'm actually having trouble with the Here's what I get (both on Windows using gpg4win and on WSL):
|
@BatmanAoD: your The You can find the pubkey with fingerprint

Optional empty/test gpg keyring setup

Create a throwaway gpg home directory and set the

    mkdir --mode 0700 ./gnupg-home
    export GNUPGHOME="${PWD}/gnupg-home"
    gpg --list-keys

First, have

    gpg --recv-key 4C47B4FF173AE6ED0DB733946DF6890D2A977668
    gpg --list-key --with-subkey-fingerprint 4C47B4FF173AE6ED0DB733946DF6890D2A977668

Second, verify the

    gpg --verify x-mouse_controls_2018-10-06T1730Z_release.zip.asc x-mouse_controls_2018-10-06T1730Z_release.zip

Didn't try this using |
@joelpurra Thanks for the explanation! Sorry, I was essentially blindly copying This doesn't need to be scriptable, I just want to make sure I can do the verification myself so that I can write up the instructions to include in the Chocolatey package. It looks like key importing worked, but for some reason
Do I have to explicitly tell it which imported public key to be checking against? |
...oh, do I need to mark the imported key "trusted" somehow? Edit: that doesn't seem to work; after running |
No need to be explicit; file verification should look for the public (sub)key in your keyring.

The public key listing looks correct. The signing subkey The public key consists of multiple (somewhat independent) "packets"; perhaps old keys were "optimized away" somehow? You can verify that you have the old ("unusable") subkey in your keyring.

    gpg --list-keys --with-subkey-fingerprint --list-options show-unusable-subkeys 4C47B4FF173AE6ED0DB733946DF6890D2A977668

If some subkeys are missing, you could try to import the pubkey another way; any new data (packets) will be merged into what you already have. (There are several ways to "discover" pubkeys from various services/servers, and because they are independent not all of them contain the exact same packets.)

    # NOTE: use a specific retrieval method/keyserver.
    gpg --keyserver 'hkps://keys.openpgp.org/' --recv-key 4C47B4FF173AE6ED0DB733946DF6890D2A977668
    # NOTE: if you have curl, download the latest pubkey from my website.
    curl 'https://joelpurra.com/key/mig-at-joelpurra.se-4C47B4FF173AE6ED0DB733946DF6890D2A977668.pgp.pubkey' | gpg --import
    # NOTE: manual download; may lead to outdated keys.
    gpg --import mig-at-joelpurra.se-4C47B4FF173AE6ED0DB733946DF6890D2A977668.pgp.pubkey

Good, that should make it easier.
Defining a per-pubkey trust level is not required for file verification. |
Okay, yeah, specifying I'll just include the |
@BatmanAoD: thanks for verifying -- glad it works, and hope Chocolatey agrees. It's a bit of an annoyance that data received from keyservers differ, with regards to old subkeys. There's a reason for this though. Basically, public keyservers were attacked and flooded with bogus data a few years ago. As a response, keyservers started "cleaning up" all pubkeys to be able to serve at least the bare minimum. It seems the default server used by The pubkey self-hosted on my website remains unaffected, so that's good. It's "minimized" though, meaning that it doesn't include web-of-trust signatures from others (which the keyservers used to provide). Will have to investigate if I can do something to improve my own pubkey (it's nearly a decade old, and may use outdated settings) and re-upload it to both my website and the public keyservers. Thank you again for calling this to my attention! |
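An added example, not part of the thread or of either project: a shell sketch for packager-side verification instructions that pins the check to the fingerprint quoted above by reading the status lines gpg writes with `--status-fd`, and that tells a missing signing subkey apart from a bad signature. The function names and result labels are hypothetical, and the public key file is assumed to have been downloaded beforehand.

```shell
#!/bin/sh
# Added example (not from the thread): pin the check to the author's primary
# key by reading the status lines gpg writes with --status-fd.
AUTHOR_FPR=4C47B4FF173AE6ED0DB733946DF6890D2A977668   # fingerprint quoted in the thread

# classify_status EXPECTED_PRIMARY_FPR   (status lines on stdin)
# Prints one of: ok, ok-expired-key, wrong-key, bad-signature, missing-key,
# no-signature.
classify_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]"  { next }
    $2 == "BADSIG"    { bad = 1 }
    # EXPKEYSIG: signature is good, but the signing key has expired.
    $2 == "EXPKEYSIG" { expired = 1 }
    # NO_PUBKEY: the signing (sub)key is not in the keyring at all.
    $2 == "NO_PUBKEY" { missing = 1 }
    # VALIDSIG: field 3 is the signing (sub)key, field 12 its primary key.
    $2 == "VALIDSIG"  { valid = 1; primary = (NF >= 12) ? $12 : $3 }
    END {
      pinned = valid && toupper(primary) == toupper(want)
      if (bad)                    print "bad-signature"
      else if (pinned && expired) print "ok-expired-key"
      else if (pinned)            print "ok"
      else if (valid)             print "wrong-key"
      else if (missing)           print "missing-key"
      else                        print "no-signature"
    }'
}

# verify_release PUBKEY_FILE SIGNATURE_FILE DATA_FILE
# Uses a throwaway keyring holding only PUBKEY_FILE, so no other key already
# on the machine can satisfy the check. Returns 0 only for ok/ok-expired-key.
verify_release() (
  home=$(mktemp -d) || exit 2
  trap 'rm -rf "$home"' EXIT
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || exit 2
  result=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
             2>/dev/null | classify_status "$AUTHOR_FPR")
  echo "$result"
  case $result in ok|ok-expired-key) exit 0 ;; *) exit 1 ;; esac
)

if [ "$#" -eq 3 ]; then verify_release "$1" "$2" "$3"; fi
```

A `missing-key` result is the cue to re-import the public key from another source, as described in the comments above, rather than to treat the download as tampered with.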
The package is approved! https://community.chocolatey.org/packages/xmouse-controls/1.1.0.0 One of the maintainers clarified:
...I'm not sure what the point of this is; I thought the intent of the verification instructions was so that users and maintainers could check against something published by the software author, especially in cases like this where the packager and author are not the same person. In any case, I won't worry about that unless you update X-Mouse and I update the package. |
@BatmanAoD: yay, good job! =)
As you point out, checksums don't have any identity information -- which is particularly important when distributing compiled binaries. Then again, who downloads source packages and reads all source code? Including all dependencies, of dependencies? Checksums (by themselves) are for protecting against the odd broken download rather than malicious actors. Keeping "verified good checksums" separate from the file download location (on my website or otherwise) may help raise flags if there's a mismatch though. As an added measure, even if Chocolatey doesn't have procedures for it, you could sign the packaging scripts/files (in https://github.com/BatmanAoD/xmouse-choco-pkg) using either standalone gnupg signature files and/or signed git tags/commits. Anyhow, who can really say that I am trustworthy? There are some "false positives" in the virus checks, which can probably be ignored... right? How deep does the rabbit hole go? ;)
I'll close this issue now. If there are new releases (published on github) to be packaged I guess you'll be notified, but none are planned at the moment. Thank you very much for making the effort to get X-Mouse Controls into Chocolatey, am happy to see it =) |
It's been a little over a month since choco's approval, and the package already has nearly 100 downloads (excluding the test version). Nice! While the convenience of package managers is the norm on linux systems, I'm a bit surprised to see so many (in relative terms) windows/choco downloads for such a niche utility. Debian plus derivatives publish their (optional) package popularity contest usage statistics. In raw numbers, ignoring operating system user-base differences and opt-in bias, the xmouse-controls package rank would be circa 12,500 of nearly 200,000 (top ~6.5%) among packages sorted by number of users in the past 30 days ("votes"). For reference, the most popular download on https://github.com/joelpurra/xmouse-controls/releases has had 13 downloads in the past three months. While it would have been interesting to compare, I unfortunately don't have (recent) statistics for downloads from the X-Mouse Controls project website. That server has been on a stability rollercoaster lately; luckily users have the above alternatives =) |
I’m interested in a msstore package (or, if that is not possible, at least a winget one). winget can be used to install things from msstore and msstore will automatically provide updates (not that there will be many updates forthcoming). I should find time to play with that and see if that requires any buildsystem work. |
@binki: sure! Have no experience using To reiterate:
Ease of maintenance seems like a reasonable goal, in particular noting that various proprietary "application stores" have a tendency to update their policies/submission expectations over time. If you decide to go ahead, please consider opening a new issue and/or pull request for further discussion. |
I would love it if there were a package in Chocolatey (or any other Windows package manager) for X-Mouse Controls.
If you have no objection, I'd be willing to figure out how to create and publish one. If I do so, would you want to be listed as a maintainer? I assume the only maintenance would be an update to the package to reflect new versions of the software itself, which I can do myself if you have a way for me to subscribe to release updates. (It looks like updates are currently only listed on your website, so I can't subscribe to GitHub notifications or similar.)
P.S. Thanks for writing X-Mouse Controls; I've found it very useful! One could even say I've grown addicted; I don't install it on Windows accounts I share with my family, and am occasionally caught off-guard by not having it.