raison d'Γͺtre
βΉοΈ As of
2024-11-05, this repo is a part of PkgForge.PkgForge was created to fix the disparate status of Linux Package Formats.
Other than Static Binaries, we now also provide prebuilts & build recipes for formats like AppBundle, AppImage, FlatImage, GameImage, RunImage & More
We also have our own
Package-Managerbuilt in blazingly fast π¦ rust called SoarRepo Migration was Attempted but proved unsuccessful.
Contents
What? & Why?How does it all actually work?Request a new PKG/Toolπ¦ Frontend Package ManagersNotes On BuildingTypos, Grammatical Errors & Bad DocumentationAdditional Build Targets($ARCH-$OS)How To Contribute/DonateWhy NOT Host On GitHubWhy RESET ALL GIT CommitsWhere can I find the code for bin.pkgforge.dev?UPX Binaries β¬ποΈ GUI PKGs πCaching & RebuildsCurrent Problems & SetbacksDMCA & CopyrightContact Me
Loonix () Telegram
βΌhttps://t.me/official_loonix/63949
Loonix (βΌhttps://matrix.to/#/#loonix:matrix.orgABANDONED & NOT ACTIVEπ¦ Status π
π§° Architecture π§° π¦ Total Binaries π¦ π¨π WorkFlows π¨π π§ΎLogs Android arm64-v8a161 BUILD.log Linux aarch64 // arm642441 BUILD.log Linux amd // x86_642511 BUILD.log Windows x64 // AMD64157 BUILD.log Raw
metadatacontaining info for sources etc is available as JSON on bin.pkgforge.dev/METADATA.json & also as YAML.See: Parse METADATA.json to learn how to parse using
jqπ½ Download π½
Package ManagersRECOMMENDED
- If you want a pkg-manager in Rust π¦, Choose this. Details β£ https://github.com/pkgforge/soar
bash <(curl -qfsSL "https://raw.githubusercontent.com/pkgforge/soar/refs/heads/main/install.sh")
- If you want a pkg-manager in Go, Choose this. Details β£ https://github.com/xplshn/dbin
wget -qO- "https://raw.githubusercontent.com/xplshn/dbin/master/stubdl" | sh -s -- --install "${HOME}/.local/bin/dbin"
-
CLI- It's also possible to use
"$(uname -m)"SEE: https://github.com/Azathothas/Toolpacks/blob/main/Docs/METADATA.md#url-redirects
!# curl needs the `-L, --location` flag to Follow redirects !# wget works without any flags !# Example curl -qfsSLO "https://bin.pkgforge.dev/$(uname -m)/$BIN_OR_PATH_TO_BIN"
- It's also possible to use
-
GUI
NOT RECOMMENDED- Visit bin.pkgforge.dev
Note: If you notice slow loading, it is because it is not a real website.
It is a r2 bucket, and loads all objects upon each request.
- Visit bin.pkgforge.dev
-
π§ Security βοΈ
It is NEVER a good idea to install random binaries from random sources.
-
Check these
HackerNews Discussions- A cautionary tale from the decline of SourceForge
- Downloading PuTTY Safely Is Nearly Impossible (2014)
- Post-xz backdoor, how to know when to trust niche-distro binaries?
- A number of FAQs were also answered when Hysp (Frontend PKG Manager) was featured on HN: https://news.ycombinator.com/item?id=38457926
-
The amount of work and the near impossibility to ensure that every source used, provide reproducibility, is infeasibly impractical. Even if it were practical, not every
pkg/toolprovides source code, so this is impractical. -
Reasons to Trust this Repo
- All the Build Scripts & workflows are completely open-source. You are free to audit & scrutinize everything.
# Everything is automated via Github Actions & Build Scripts WorkFlows --> https://github.com/Azathothas/Toolpacks/tree/main/.github/workflows Build Scripts --> https://github.com/Azathothas/Toolpacks/tree/main/.github/scripts
Build LOGS (BUILD.log] are generated at Build Time & Pushed both to Github & R2
- Complete `RAW` **Build Logs** is made available with the **exception of `Personal Access Tokens`** [everytime the Workflows are run.](https://github.com/Azathothas/Toolpacks/actions) - Both `SHA256SUM` & `BLAKE3SUM` are automatically generated right after build script finishes. - If it still doesn't inspire confidence, there's a [Docker Image](https://github.com/Azathothas/Toolpacks/tree/main/Docs#how-to-setup--configure-local-build-environment) you can Configure to [<ins>Run & Reproduce</ins>](https://github.com/Azathothas/Toolpacks/tree/main/Docs#how-to-setup--configure-local-build-environment) any [Binary/Build Script](https://github.com/Azathothas/Toolpacks/tree/main/.github/scripts) on your own Secure System. > - Dockerfiles: https://github.com/Azathothas/Toolpacks/tree/main/.github/runners > - Note: <ins>Checksums may not be reproduced reliably (See Reason Below)</ins> - All the Build Scripts & workflows are completely open-source. You are free to audit & scrutinize everything.
-
Reasons NOT to trust this Repo
- Repos that already publish pre-compiled static binaries, nothing is changed (Other than stripping Debug Symbols & Comments). You can compare checksums.
- However, for repos that don't publish releases or at least not statically linked binaries, there is no way for you to end up with the same binary even when you use the same build scripts. In this case,
checksumsare meaningless as each build will produce different checksums. Your only option is totrust me broor:- Fork this repo : https://github.com/Azathothas/Toolpacks/fork
- Read & Verify everything : Scripts & Workflows
- Read the DOCS & Setup your own Infrastructure.
- You may contact me at: https://ajam.dev/contact if you need help setting up your own.
-
- First, it's important to verify that the alert is NOT a False Positive and truly confirm that indeed the Binary is Malicious
- Second, check the affected Binary's Build Script, the latest BUILD.log & finally CHECKSUMS
- Third, if you find everything is as it should be, create an Issue & attach Verifiable and Reproducible Proof.
- It's important to NOTE that I DO NOT WRITE/OWN the binaries I compile and CAN NOT BE HELD RESPONSIBLE if the
Devloperhas DELIBERATELY made it Malicious. If that's the case, it's best to Notify Me (Create an Issue OR Contact Me) & also Report To Github the Original Repo like here: https://github.com/orgs/community/discussions/63603 - All of the Build Servers follow Standard Security Hardening to mitigate Supply Chain Attacks, so a single Malicious Binary is more probable than ALL of the binaries being Infected.
- Once again to reiterate, the source code of the packages or tools compiled here is not controlled in anyway.
- The process involves fetching the code and following standard build procedures which are well documented and the scripts available to audit.
- In the case of binaries, whose upstream developers do not provide source code (ngrok, Twingate, etc.) OR themselves provide a pre-compiled static binary (Github Releases), the binary is simply fetched AS-IS (Other than stripping Debug Symbols).
-
It cannot be guaranteed that the upstream source is entirely safe or legitimate. It's upto you to exercise basic common sense and vigilance when using these binaries.