vmavromatis / absolutely-proprietary

Proprietary package detector for arch-based distros. Compares your installed packages against Parabola's package blacklist and then prints your Stallman Freedom Index (free/total).
GNU General Public License v3.0

Add PKGBUILD #18

Open vmavromatis opened 6 years ago

vmavromatis commented 6 years ago

It would be nice to create a PKGBUILD and deploy the app on AUR. For now the script install works, but it's not ideal as it contains security risks.

stiefel40k commented 6 years ago

Disclaimer: I never created PKGBUILD-Files before, so I might say stupid things :)

So for the PKGBUILD I would leave the run.sh. I would create a release of the repo only containing the main.py, and the licence I guess. I would set the python package as a direct dependency and in the package part I would unpack the release.tar.gz and with install I would copy the main.py to a directory on the PATH, but I would use /usr/bin or something, but please read the wiki before, as I just scrolled through fast to write this comment, I might have missed something.

> security risks

Which part concerns you? I mean you won't use it in the PKGBUILD anyways, as in my config the tmp is wiped on every restart, so it would be stupid to install anything there ;)

vmavromatis commented 6 years ago

> Which part concerns you?

It's not me, it's a very common debate in the linux world that people don't trust curl pipe -sh installers. There is plenty of info about it online (just a quick google)

https://www.seancassidy.me/dont-pipe-to-your-shell.html
https://askubuntu.com/questions/77247/ive-downloaded-a-sh-file-how-do-i-install-this
https://github.com/ellotheth/pipethis
https://news.ycombinator.com/item?id=12766049

> Disclaimer: I never created PKGBUILD-Files before, so I might say stupid things :)
>
> So for the PKGBUILD I would leave the run.sh. I would create a release of the repo only containing the main.py, and the licence I guess. I would set the python package as a direct dependency and in the package part I would unpack the release.tar.gz and with install I would copy the main.py to a directory on the PATH, but I would use /usr/bin or something, but please read the wiki before, as I just scrolled through fast to write this comment, I might have missed something.

Cool, me neither XD. I'm reading the wiki now.

stiefel40k commented 6 years ago

> It's not me, it's a very common debate in the linux world that people don't trust curl pipe -sh installers. There is plenty of info about it online (just a quick google)

Yeah, that is understandable, but as I said, you won't use either the curl method or the run.sh, as everything you need will be defined in the PKGBUILD.

vmavromatis commented 6 years ago

I don't even know why I made a new branch for the PKGBUILD, but here is the path: https://github.com/vmavromatis/absolutely-proprietary/blob/PKGBUILD/PKGBUILD. I will look into it tomorrow.

bepzi commented 6 years ago

Here's what I've come up with, feel free to use it or not:

# Maintainer : vmavromatis <8668731+vmavromatis@users.noreply.github.com>
# Contributor : stiefel40k
_pkgname=absolutely-proprietary
pkgname=${_pkgname}-git
pkgver=r54.93d1c3e
pkgrel=1
pkgdesc="Proprietary package detector for arch-based distros."
arch=('any')
url="https://github.com/vmavromatis/${_pkgname}"
license=('GPL3')
depends=('python>=3.6.3')
source=("https://github.com/vmavromatis/${_pkgname}/archive/master.zip")
sha256sums=('SKIP')

pkgver() {
    cd "$srcdir/${_pkgname}-master"
    printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
}

package() {
    cd "$srcdir/${_pkgname}-master"
    install -Dm755 main.py "$pkgdir/usr/bin/${_pkgname}"
}

It seems to mostly work, makepkg -sri downloads the latest git release and creates the package, but when I install it with pacman running absolutely-proprietary doesn't work. From what I've found, when makepkg creates the package, it seems to strip out the shebang in main.py (#!/usr/bin/env python), so my computer tries to run it as a bash script, which doesn't work. Manually editing the installed /usr/bin/absolutely-proprietary to add the shebang allows it to work.

You can see this for yourself by running makepkg -sri and then looking at the first line of cat pkg/absolutely-proprietary-git/usr/bin/absolutely-proprietary.

It's not an issue with install, manually creating $pkgdir/usr/bin/${_pkgname} and copying over main.py yields the same result.

I'm not a Python programmer, but it's possible you'd need to create setup.py so that you can do python install. See this PKGBUILD and its corresponding repo for an example of how that would work.

MauroMombelli commented 6 years ago

Please make source() point to the .git, not the .zip, see https://wiki.archlinux.org/index.php/VCS_package_guidelines. This will make it easy to edit the PKGBUILD to set a specific tag/commit.

Your pkgver() will become

pkgver() {
    cd "$pkgname"
    ( set -o pipefail
      git describe --long 2>/dev/null | sed 's/\([^-]*-g\)/r\1/;s/-/./g' ||
      printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
    )
}
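
As an added example (not code from this thread or from the project): a small Python check for the two integrity gaps discussed above, the `master.zip` source with `sha256sums=('SKIP')` and a git source with no pinned revision. The sample PKGBUILD text is constructed from the lines posted above; the git variant and its `<COMMIT_ID>` value are placeholders, and `audit_sources` is a hypothetical helper name.

```python
import re

# Constructed sample: the source/checksum lines as posted in the thread.
POSTED = '''
_pkgname=absolutely-proprietary
source=("https://github.com/vmavromatis/${_pkgname}/archive/master.zip")
sha256sums=('SKIP')
'''
# Hypothetical git variant; the commit id is a placeholder, not a real revision.
PINNED = '''
_pkgname=absolutely-proprietary
source=("${_pkgname}::git+https://github.com/vmavromatis/${_pkgname}.git#commit=<COMMIT_ID>")
sha256sums=('SKIP')
'''

def _array(text, name):
    """Return the quoted entries of a bash array assignment such as source=(...)."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.M | re.S)
    return re.findall(r'''["']([^"']*)["']''', m.group(1)) if m else []

def audit_sources(pkgbuild):
    """Return (index, finding) for each source entry makepkg cannot integrity-check."""
    sources = _array(pkgbuild, 'source')
    sums = _array(pkgbuild, 'sha256sums')
    findings = []
    for i, entry in enumerate(sources):
        url = entry.split('::', 1)[-1]          # drop an optional "name::" prefix
        checksum = sums[i] if i < len(sums) else None
        if url.startswith('git+'):
            # git sources always carry SKIP; what gets built is fixed only by
            # a #commit= (immutable) or #tag= (can be moved upstream) fragment.
            if not re.search(r'#(commit|tag)=', url):
                findings.append((i, 'git source tracks a moving branch: no #commit=/#tag= pin'))
        elif checksum in (None, 'SKIP'):
            findings.append((i, 'archive fetched without a checksum (SKIP or missing)'))
    return findings

if __name__ == '__main__':
    for label, text in (('posted', POSTED), ('pinned', PINNED)):
        print(label, audit_sources(text) or 'no findings')
```
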