
Updated post and instructions.

dev
Franco Masotti 2 years ago
parent
commit
29695bdacf
Signed by: frnmst
GPG Key ID: 24116ED85666780A
Changed files:
1. _pages/about.md (2 changed lines)
2. _pages/software.md (39 changed lines)
3. _posts/2018-04-16-my-python-release-workflow.md (20 changed lines)

_pages/about.md (2 changed lines)

@ -68,4 +68,4 @@ look at [Linux Difficile](https://linuxdifficile.wordpress.com/).
## Software
See the [software]({{ site.baseurl }}/software/) page
See the [software]({{ site.baseurl }}/software/) page.

_pages/software.md (39 changed lines)

@ -10,16 +10,20 @@ permalink: /software/
- [Table of contents](#table-of-contents)
- [Introduction](#introduction)
- [Terminology](#terminology)
- [Methods](#methods)
- [Upload](#upload)
- [Create an archive](#create-an-archive)
- [Signing](#signing)
- [Checksums](#checksums)
- [Update the entry](#update-the-entry)
- [Update the table of contents](#update-the-table-of-contents)
- [Download](#download)
- [Get the public key](#get-the-public-key)
- [Download the repository](#download-the-repository)
- [Check the signature](#check-the-signature)
- [Run the checksums](#run-the-checksums)
- [Extract](#extract)
- [Software](#software)
- [fpyutils](#fpyutils)
- [Repository](#repository)
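Review bot: the `#repository` anchor listed here for the fpyutils entry collides with the second `#### Repository` heading that the later hunk in this file shows under `### md-toc`; with the GitHub anchor scheme the second heading becomes `#repository-1`, so check that the regenerated table of contents links the md-toc entry to `#repository-1` rather than to a duplicate `#repository`, otherwise both entries jump to the fpyutils section.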
@ -35,10 +39,11 @@ permalink: /software/
This page is the only *real* trusted source of some of my software.
Here you will find methods to assert the authenticity of the presented software packages. You may contact me directly
to obtain a copy of the public key(s) used for the signatures.
to obtain a copy of the public key(s) used for the signatures, instead of downloading them
from here.
The following extract is from a [post by Mike Gerwitz](https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits#trust):
> Git Host
>>
>> Git hosting providers are probably the most easily overlooked trustees—providers like Gitorious, GitHub, Bitbucket, SourceForge, Google Code, etc. Each provides hosting for your repository and “secures” it by allowing only you, or other authorized users, to push to it, often with the use of SSH keys tied to an account. By using a host as the primary holder of your repository—the repository from which most clone and push to—you are entrusting them with the entirety of your project; you are stating, “Yes, I trust that my source code is safe with you and will not be tampered with”. This is a dangerous assumption. Do you trust that your host properly secures your account information? Furthermore, bugs exist in all but the most trivial pieces of software, so what is to say that there is not a vulnerability just waiting to be exploited in your host’s system, completely compromising your repository?
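Review bot: the new sentence asks readers to obtain the public key(s) directly "instead of downloading them from here", yet the entry template and the fpyutils entry in this same file still link a `signing key` served from `{{ site.baseurl }}/pubkeys/`, i.e. from the host the Gerwitz extract says not to trust. Publishing the key fingerprint in the text, and having the "Get the public key" step compare it with the output of `gpg --fingerprint`, gives readers a way to check a key they did download from here and makes the two statements consistent.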
@ -47,11 +52,19 @@ The following extract is from a [post by Mike Gerwitz](https://mikegerwitz.com/2
Copyright © 2019 Mike Gerwitz. Licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
## Terminology
- `project_dir`: the full path directory of the project
- `project`: the project name
- `tag`: the git tag name which is usually [semver](https://semver.org/)ed
- `signing_key`: the public key file used to sign the archive file
- `url`: a generic url
## Methods
### Upload
What follow are the steps I use to upload the software on this page.
What follows are the steps I use to upload the software on this page.
#### Create an archive
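Review bot: the `signing_key` definition in the new Terminology list is wrong on the key roles: a public key cannot sign the archive, the signature is made with the private key, and `signing_key` is the public key file readers use to verify the `.sig`. Suggest "`signing_key`: the public key file used to verify the archive signature". Likewise `url` is later used as the base of `${url}/${project}-${tag}.tar.gz`, so "the base URL of the software page" is more precise than "a generic url".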
@ -67,6 +80,21 @@ What follow are the steps I use to upload the software on this page.
sha512sum ${project}-${tag}.tar.gz > ${project}-${tag}.tar.gz.SHA512SUM.txt
sha256sum ${project}-${tag}.tar.gz > ${project}-${tag}.tar.gz.SHA256SUM.txt
#### Update the entry
```
- `${tag}`
- [${project}-${tag}.tar.gz]({{ site.baseurl }}/software/${project}-${tag}.tar.gz)
- [SHA512SUM.txt]({{ site.baseurl }}/software/${project}-${tag}.tar.gz.SHA512SUM.txt)
- [SHA256SUM.txt]({{ site.baseurl }}/software/${project}-${tag}.tar.gz.SHA256SUM.txt)
- [signature]({{ site.baseurl }}/software/${project}-${tag}.tar.gz.sig)
- [signing key]({{ site.baseurl }}/pubkeys/${signing_key})
```
#### Update the table of contents
md_toc -p github -l 6 software.md
### Download
Run the following to download and verify the software.
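Review bot: the `.SHA512SUM.txt` and `.SHA256SUM.txt` files written by `sha512sum` and `sha256sum` are published in the same `/software/` directory as the archive and are not themselves signed, so they only detect accidental corruption; anyone able to replace the tarball on the host can replace them too. The text should say that the detached signature is the authenticity check and the checksums are a convenience, or the checksum files should be signed as well, so that the "Run the checksums" step is not read as a substitute for "Check the signature".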
@ -83,11 +111,11 @@ If the public key is unknown you must import it from a trusted source:
#### Download the repository
cd /tmp
wget ${project}-${tag}.tar.gz.sig
wget ${url}/${project}-${tag}.tar.gz.sig
#### Check the signature
wget ${project}-${tag}.tar.gz
wget ${url}/${project}-${tag}.tar.gz
gpg --verify ${project}-${tag}.tar.gz.sig
#### Run the checksums
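Review bot: the two headings are swapped relative to their commands: "Download the repository" fetches only the `.sig`, while "Check the signature" starts by fetching the tarball with `wget ${url}/${project}-${tag}.tar.gz`. Move that `wget` under the download heading so the check step is just the verification, and consider naming both files explicitly, `gpg --verify ${project}-${tag}.tar.gz.sig ${project}-${tag}.tar.gz`, together with a sentence telling the reader to expect a "Good signature" line from the key id published on this page rather than from any key.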
@ -117,7 +145,6 @@ If the public key is unknown you must import it from a trusted source:
- [signature]({{ site.baseurl }}/software/fpyutils-1.2.0.tar.gz.sig)
- [signing key]({{ site.baseurl }}/pubkeys/pgp_pubkey_2020.txt)
### md-toc
#### Repository

_posts/2018-04-16-my-python-release-workflow.md (20 changed lines)

@ -1,7 +1,7 @@
---
title: My Python release workflow
tags: [python, git, workflow, aur, arch]
updated: 2020-06-24 16:20
updated: 2020-06-26 12:42
description: A personal reminder with the instructions for releasing new versions of Python packages
---
@ -93,24 +93,26 @@ in case of a new version release with some of my Python repositories.
2. `make dist`
3. `make upload`
8. update downstream distribution packages
8. upload the package on the [software]({{ site.baseurl}}/software/) page:
1. follow the instructions reported [here]({{ site.baseurl}}/software/#upload)
9. update downstream distribution packages
1. [AUR](https://wiki.archlinux.org/index.php/Arch_User_Repository)
1. copy `./packages/aur/PKGBUILD` file in the project's AUR git directory (`${projects_aur_git_directory}`)
2. go to the project's AUR git directory
2. copy the signature file in the project's AUR git directory (`${projects_aur_git_directory}`)
3. go to the project's AUR git directory
1. `cd ~/${projects_aur_git_directory}`
2. update the sha256 checksum
1. `checksum="$(wget -O - ${project_url_archive_file_last_version} | sha256sum | awk '{print $1}')"`
2. update the `PKGBUILD` file with `${checksum}`
3. test the changes
4. update the sha512 checksum in the `PKGBUILD` file with the one in the [software]({{ site.baseurl}}/software/) page
4. test the changes
1. `makepkg -rsi`
2. remove all the build files and the installed package
1. `rm -rf pkg src *.tar.*`
2. `pacman -Rnus ${pacman_package_name}`
4. update and push
5. update and push
1. `makepkg --printsrcinfo > .SRCINFO`
2. `git add PKGBUILD .SRCINFO`
3. `git commit -m "New release."`
4. `git push`
9. if needed, update the entry on the
10. if needed, update the entry on the
[Free Software Directory](https://directory.fsf.org/wiki/Main_Page)
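Review bot: the AUR checksum step trusts whatever it downloads: `checksum="$(wget -O - ${project_url_archive_file_last_version} | sha256sum | awk '{print $1}')"` writes the hash of the fetched bytes straight into `PKGBUILD`, so a truncated or tampered download would be blessed by the package, while the new sha512 step copies the value from the software page instead. Since step 8 already produced `${project}-${tag}.tar.gz.SHA256SUM.txt` locally with `sha256sum`, compare the computed value against that file (or take the sha256 from the software page the same way as the sha512) before editing `PKGBUILD`. Also, the renumbered sub-list now reads "2. update the sha256 checksum", "4. update the sha512 checksum", "4. test the changes", "5. update and push": item 3 is missing and 4 appears twice, so renumber them 3, 4, 5.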
