Posts Tagged ‘scripts’

Scripts 2.10.2 and Compile 1.13.3 released

Tuesday, April 27th, 2010

More releases, all bugfixes this time.

Scripts has a fix for the man directory path in PrepareProgram (actually used by Compile), and handles dependency conversion better. It also includes updates to the database used by the CommandNotFound system as usual.

The only notable behaviour change is a special case in the useflag code: having -INSTALLED in the environment variable will now disable automatic flags from occurring at all, rather than applying the change at the end of the process. This helps debugging of recipes and is useful for targeted compilation, and the previous more consistent behaviour doesn’t seem to have a use case.

Compile has a single direct bugfix, affecting a case where a failed direct dependency would not cause the build process to terminate. It also benefits from the changes made within Scripts.

The packages are on the master now and will propagate to the mirrors shortly. You can use `InstallPackage Scripts 2.10.2` and `InstallPackage Compile 1.13.3` to install them. Please report any bugs you encounter in the bug tracker and request help either on the mailing lists or the forums.

Thanks to all those who contributed to this release, particularly “Baffo32” who sent patches to Scripts.

Validating Scripts after a fresh installation

Saturday, June 20th, 2009

On #gobolinux last night an issue came up that has appeared occasionally before – the signature format for packages has changed between the 014.01 release and now, so the Scripts package won’t validate when you upgrade. The change was necessary for security, but it creates a problem for new installations trying to bring their tools up to date.

For those that don’t care for the fuss, and are willing to take the (very small) risk, you can just run `SymlinkProgram Scripts 2.10.1` to activate the new package after installation fails with the validation error. Alternatively, you can upgrade piecewise through intermediate releases to get the fullest possible validation. The first stop should be 2.9.1, which will allow validating the latest package but does not include the version-validating code introduced for another problem. That will also be good enough for most people – the chance of a compromised mirror is pretty slight.

However for complete security you would need to validate the entire package as installed using a trusted signature from the CD release. Here’s a quick script to do that – it builds a verifiable checksum and validates it against the live system. The core code is embedded in a signed block using my key, with a small piece of code outside to verify the signature and execute the code automatically (not necessary, but the GPG command line to use the GoboLinux keyring is pretty long, so this makes it easier – you can copy the internal block out and validate manually if you prefer).

HopValidate will validate the Scripts 2.10.1 package using a known good checksum, preserving the chain of trust all the way. For full security, you should review the unsigned portion of the code, which uses the system keyring to validate the rest.

The manual command to decrypt is `gpg --decrypt --no-default-keyring --keyring=/Programs/Scripts/Current/Data/gpg/goboring.gpg HopValidate`, or `--verify` to verify the signature only. If you’re using this on Rootless, you’ll need to adjust the wrapper script and the command to use your local path to the Scripts directory – there’s no autodetection to keep the code easily reviewable.

[ed. 2010-01-31: Updated for 2.10.1]
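
The checksum step described in this post, as an added example that is not the HopValidate script or any GoboLinux code: one way to build a reproducible checksum over an installed program tree and compare it with a known-good value. The function names and the choice of SHA-256 are assumptions, and the expected value must come from a source whose signature has already been verified.

```shell
#!/bin/sh
# Added example (not HopValidate): reproducible checksum of a program tree.
# Assumes find, sort, cut, readlink and sha256sum are available.

# tree_checksum DIR
# Prints one SHA-256 over a sorted manifest holding the hash of every regular
# file and the target of every symlink, so a change to file contents, file
# names or link targets changes the result. Mode bits and ownership are not
# covered. Returns 2 if DIR is not a directory.
tree_checksum() {
    dir=$1
    [ -d "$dir" ] || return 2
    (
        cd "$dir" || exit 2
        LC_ALL=C; export LC_ALL        # fixed sort order on every system
        {
            find . -type f -exec sha256sum {} +
            find . -type l -exec sh -c \
                'for l; do printf "link %s -> %s\n" "$l" "$(readlink "$l")"; done' \
                sh {} +
        } | sort | sha256sum | cut -d" " -f1
    )
}

# validate_tree DIR EXPECTED
# Returns 0 when the tree matches EXPECTED, 1 on mismatch, 2 on bad input.
# An empty EXPECTED is rejected so a missing value can never "match".
validate_tree() {
    [ -n "$2" ] || return 2
    actual=$(tree_checksum "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (computed $actual)" >&2
        return 1
    fi
}

# Stand-alone use: sh thisfile DIR EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    validate_tree "$1" "$2"
    exit
fi
```

Compute the reference value on a system you already trust, then run the same function against the freshly installed tree and compare.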