.gitignore | 1 +
INSTALL | 35 ++++++++++++++++++++---------------
Makefile | 10 ++++++++--
PUBKEY.asc | 30 ++++++++++++++++++++++++++++++
VERSION | 2 +-
download.texi | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
go.mod | 2 +-
gocheese.texi | 29 ++++++++++++++++++++---------
makedist.sh | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++
style.css | 11 +++++++++++
www.mk | 17 +++++++++++++++++
diff --git a/.gitignore b/.gitignore
index 06ab3c83e9cbc8ebf00325d98d8b0cc1edcf3cb27fb1963aa6a517a11219604c..b99e5ab083400e7ee339fba4a09471a5a17f61554a8823656ffb3ce6de8d2291 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 gocheese
 gocheese.info
+gocheese.html
diff --git a/INSTALL b/INSTALL
index 3b98c04772c471d3d42440e71c1b4b10ae898dbddd1c5e095cd407c009c81411..36adc3fc2426371115bb148b73a1cae042e36ed4b612049fc07c34b202e4da3c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,23 +1,28 @@ - # or use https://git.cypherpunks.ru/git/gocheese.git - $ git clone --depth 1 --branch v2.1.0 git://git.cypherpunks.ru/gocheese.git - $ cd gocheese - $ git tag --verify v2.1.0 - $ make +Preferable way is to download tarball with the signature from +website and, for example, run tests with benchmarks: -gocheese binary and gocheese.info documentation should be built. -Although you can also use: +@verbatim +$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz +$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz.sig +$ gpg --verify gocheese-2.2.0.tar.xz.sig gocheese-2.2.0.tar.xz +$ xz -d < gocheese-2.2.0.tar.xz | tar xf - +$ make -C gocheese-2.2.0 all test +@end verbatim - go get go.cypherpunks.ru/gocheese -but neither PGP-based authentication is performed, nor documentation build. +You have to verify downloaded tarballs integrity and authenticity to be +sure that you retrieved trusted and untampered software. GNU Privacy +Guard is used for that purpose. For the very first time it is necessary to get signing public key and -import it for verifying git's tag. Its fingerprint is: +import it. It is provided below, but you should check alternative +resources. - CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF + pub rsa2048/0xCD5CD01F55343D88 2019-12-08 [SC] + 9B27640BA78437EC6D4ACA6CCD5CD01F55343D88 + uid GoCheese releases -You can locate it using: + Look in PUBKEY.asc file. - $ gpg --auto-key-locate dane --locate-keys stargrave at stargrave dot org - $ gpg --auto-key-locate wkd --locate-keys stargrave at stargrave dot org - $ gpg --auto-key-locate wkd --locate-keys stargrave at gnupg dot net + $ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru + $ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru diff --git a/Makefile b/Makefile index 152771524759ae5fdcd7331315a7a969a457a480354a98703b9c71476dc88a25..ffa255cc33b74aa8d3884f1d8f8d7f058e20099baebc2e0d56cee11c54823e47 100644 
--- a/Makefile +++ b/Makefile @@ -1,13 +1,19 @@ GO ?= go MAKEINFO ?= makeinfo +GOPATH != pwd VERSION != cat VERSION + +MOD = go.cypherpunks.ru/gocheese/v2 LDFLAGS = -X main.Version=$(VERSION) all: gocheese gocheese.info -gocheese: gocheese.go - GOPATH=$(GOPATH) go build -ldflags "$(LDFLAGS)" +gocheese: + GOPATH=$(GOPATH) go build -o gocheese -ldflags "$(LDFLAGS)" $(MOD) gocheese.info: gocheese.texi $(MAKEINFO) -o $@ gocheese.texi + +test: + GOPATH=$(GOPATH) go test $(MOD)/... diff --git a/PUBKEY.asc b/PUBKEY.asc new file mode 100644 index 0000000000000000000000000000000000000000..f8bbda2f3547314557cf286087af69d2894b8f12b1d57d8548d1db301868099c --- /dev/null +++ b/PUBKEY.asc 
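Review bot: The `gocheese:` rule now has no prerequisites and is not phony, so once a `gocheese` binary exists `make` reports it up to date and will not rebuild after the sources or `VERSION` change, leaving a stale binary in place. Since the sources no longer sit at a fixed path, the simplest fix is to declare the command-like targets phony and let the Go toolchain decide what to rebuild: `.PHONY: all test gocheese`. Both recipes also call `go` directly although `GO ?= go` is defined at the top; `$(GO) build …` and `$(GO) test …` would honour an override. `GOPATH != pwd` replaces any GOPATH from the environment, presumably so the unpacked release tree builds from its bundled sources; a one-line comment saying so would help.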
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF3tH7gBCADIBL5PAJeqyNNlQ9qt+RweybmZn+qhvZkk88ud1iy0Suo3D1L0 +VA6MGOzOWtPG69iXVTsTBfasmXmP36fXgXgqqBz5fJgeaRkXo37b1d/FZlITPzne +xpx6je2/sivNAGTHQJAvlfW5HeFkU16jb1lAoIMuLJ7UojkaJB8qahqO/L72+oAU +D7Srz4ts513wMFLiYh/H7EIUVwuRA/2N2DwKNhZeWFwAux/9tM2VegjnanSneT+J +ZMw2W1VDWYOtW33xMgDadq+ctKGe5jogt/o294T0q/scgEGHpqeyU1psSxX8+7gJ +EU45QRM7hjR3v/LK3Bnjap/DPWT8/V0bsjVLABEBAAG0K0dvQ2hlZXNlIHJlbGVh +c2VzIDxnb2NoZWVzZUBjeXBoZXJwdW5rcy5ydT6JAVcEEwEKAEECGwMMCwoJDQgM +BwsDBAECBxUKCQgLAwIFFgIBAwACHgECF4AWIQSbJ2QLp4Q37G1KymzNXNAfVTQ9 +iAUCXe0f3AAKCRDNXNAfVTQ9iPK7B/4hGFIEFJtnbGHj5o5fpRtm2uWZ+cVJIIwm +IJSAT1AkGNkRsSVJb3qCjxP2gxL0zsy1/wFA48kze5LVq3ACpNPE3E0XWmTe+6GJ +corPcPhIrPqcXPZzuMk2ok80Zp1ghXATZKDHTVKflwGofto0xbSKzQeM11eKn3++ +nPAbpufXMllacpDI2ZK5yXQcekiPtpk+vZWB0Qrie66XxsNrTyLbxlyT1nxXNAZq +3iih9N0fjG2gkQuUSN/Us+keLJ6A3FuFag7FUMU2RlgchRYfXWga1AcxQVHjg4s+ +WVvSqEhypULvMrNsxbLzM6vL9BSeQzhwVtjmqfE6XpPThzl4Q4A5iHQEEBEKAB0W +IQTPYOiaWSMeduJjZCKuGoEJ5JhX7wUCXe0gFQAKCRCuGoEJ5JhX74RFAPjM0ArP +4suISttaR5OFOQM8luMpD3ACGL39jzPDjv5kAP9sUhz4B7RetvlSaQbFLgy8MkKz +VA9CnQiz0qdcZN1GXokBswQQAQoAHRYhBO/V3uTUaZUnrXG21nwDpYWOD+SqBQJd +7kxuAAoJEHwDpYWOD+SqgzEL/1sok8tODe/hAS3KT4O/ooPCT7ezSlfoCv2ezvJa +sRgtNRtBuB/sxb4KOy+Xz9Z9Ctf/HowpkNeL2x0XPlboL8P5h1P2boShfJCLUFqX +lrfbvqomKGsii89CWAib/qW+h/gNXg0UOD7nl+RwN7fbvmNwpetQdUYlYHRfjFt+ +10dGI2XluWWzrvEms+F1Jo8wYz/dJw2QZ+8/lE/19blCSYIJoe2CJJ2Pn2A2W2tg +Y5BGZIWPT5DHisAWHlcBDaSzgXCWJ+/fFN2Zz5vkkQkpvtz1zftUojZXkIbiGdKe +/YJCg6UeTMrKo26UoJYu9IgoTNvaflOPEbMBBponqBU+mGTy48iWkCJMk+Yh+WaX +DQPpJ7JdKNR/e6g3uvcdZ4QjbQJ8c+h4meBFabY+KUbccszO9VTiEHBsfeXkt+vI +4MXM0bfCmHxeScB/iT16b/4vtmU4eRXD838E/JLnXKhErrST8vYiPf+JREVX87Q3 +cl5uH/qEbhY+Fb6EiV2syRAyvA== +=aDrN +-----END PGP PUBLIC KEY BLOCK----- diff --git a/VERSION b/VERSION index 87ee5ca2c16837a96efe7a84d05d2057caa184fea97083205eaff1392929f4ed..c69ddbfceb5a29562ae0aa77160af177fea349623c7aa74b10ae7ca1d3155e48 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@
-2.1.0
+2.2.0
diff --git a/download.texi b/download.texi
new file mode 100644
index 0000000000000000000000000000000000000000..2e20290c5afb88c195e2eeab668b84b73b54914f94277e8f2b3f30b317930374
--- /dev/null
+++ b/download.texi
@@ -0,0 +1,49 @@
+@node Download
+@unnumbered Download
+
+Preferable way is to download tarball with the signature from
+website and, for example, run tests with benchmarks:
+
+@verbatim
+$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz
+$ [fetch|wget] http://gocheese.cypherpunks.ru/gocheese-2.2.0.tar.xz.sig
+$ gpg --verify gocheese-2.2.0.tar.xz.sig gocheese-2.2.0.tar.xz
+$ xz -d < gocheese-2.2.0.tar.xz | tar xf -
+$ make -C gocheese-2.2.0 all test
+@end verbatim
+
+@multitable {XXXXX} {XXXX-XX-XX} {XXXX KiB} {link sign} {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
+@headitem Version @tab Date @tab Size @tab Tarball @tab SHA256 checksum
+
+@end multitable
+
+You @strong{have to} verify downloaded tarballs integrity and
+authenticity to be sure that you retrieved trusted and untampered
+software. @url{https://www.gnupg.org/, GNU Privacy Guard} is used
+for that purpose.
+
+For the very first time it is necessary to get signing public key and
+import it. It is provided below, but you should check alternative
+resources.
+
+@verbatim
+pub rsa2048/0xCD5CD01F55343D88 2019-12-08 [SC]
+ 9B27640BA78437EC6D4ACA6CCD5CD01F55343D88
+uid GoCheese releases
+@end verbatim
+
+@itemize
+
+@item
+@verbatim
+$ gpg --auto-key-locate dane --locate-keys gocheese at cypherpunks dot ru
+$ gpg --auto-key-locate wkd --locate-keys gocheese at cypherpunks dot ru
+@end verbatim
+
+@item
+@verbatiminclude PUBKEY.asc
+
+@end itemize
+
+You can obtain development source code with
+@command{git clone git://git.cypherpunks.ru/gocheese.git}.
diff --git a/go.mod b/go.mod
index 1ac7b0bed9a545ccd6363ff7038cb6e894ecc382fbb2768c96298f434a767e65..8ae4f3c21e20943e8bff208ca6b596adcfd7a3009cbc13b08d7a76c092f05a94 100644
--- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module go.cypherpunks.ru/gocheese +module go.cypherpunks.ru/gocheese/v2 go 1.12 diff --git a/gocheese.texi b/gocheese.texi index 79ef1c2a7f69d5db2e36b0f33251849d31ac8ad907a269176a00414fb538c911..a5f985cdb848f9b7da2f34de57e6e6dd3364d0f616af3f7adaed4f469e896951 100644 --- a/gocheese.texi +++ b/gocheese.texi @@ -2,6 +2,10 @@ \input texinfo @documentencoding UTF-8 @settitle GoCheese +@copying +Copyright @copyright{} 2019 @email{stargrave@@stargrave.org, Sergey Matveev} +@end copying + @node Top @top @@ -23,17 +27,17 @@ @url{https://github.com/c4s4/cheeseshop, cheeseshop}, but nearly all the code was rewritten. It has huge differences: @itemize -@item proxying and caching of missing packages, including GPG signatures +@item Proxying and caching of missing packages, including GPG signatures @item @url{https://pythonwheels.com/, Wheel} uploading support -@item integrity check of proxied packages: MD5, SHA256, SHA512, BLAKE2b-256 +@item Integrity check of proxied packages: MD5, SHA256, SHA512, BLAKE2b-256 @item SHA256 checksums for stored packages -@item verifying of SHA256 checksum for uploaded packages -@item storing of uploaded GPG signatures -@item secure Argon2i (or SHA256) stored passwords hashing -@item no YAML configuration, just command-line arguments -@item no package overwriting ability (as PyPI does too) -@item atomic packages store on filesystem -@item graceful HTTP-server shutdown +@item Verifying of SHA256 checksum for uploaded packages +@item Storing of uploaded GPG signatures +@item Secure Argon2i (or SHA256) stored passwords hashing +@item No YAML configuration, just command-line arguments +@item No package overwriting ability (as PyPI does too) +@item Graceful HTTP-server shutdown +@item Atomic packages store on filesystem @end itemize Also it contains @file{pyshop2packages.sh} migration script for 
@@ -44,12 +48,19 @@ GoCheese is free software, licenced under @url{https://www.gnu.org/licenses/gpl-3.0.html, GNU GPLv3}: see the file COPYING for copying conditions. +Please send questions, bug reports and patches to @url{gocheese@@cypherpunks.ru}. + +@insertcopying + @menu +* Download:: * Usage:: * Password authentication: Passwords. * TLS support: TLS. * Storage format: Storage. @end menu + +@include download.texi @node Usage @unnumbered Usage diff --git a/makedist.sh b/makedist.sh new file mode 100755 index 0000000000000000000000000000000000000000..5df95f8a71e164aa29548fa7da0ad7d7796b5893156a767d4da703b67a97013a --- /dev/null +++ b/makedist.sh @@ -0,0 +1,98 @@ +#!/bin/sh -ex + +cur=$(pwd) +tmp=$(mktemp -d) +release=$1 +[ -n "$release" ] + +git clone . $tmp/gocheese-$release +cd $tmp/gocheese-$release +git checkout v$release + +mod_name=$(sed -n 's/^module //p' go.mod) +crypto_mod_path=$(sed -n 's#^require \(golang.org/x/crypto\) \(.*\)$#\1@\2#p' go.mod) +mkdir -p src/$mod_name +mv *.go go.mod go.sum src/$mod_name + +mods=" +golang.org/x/crypto +golang.org/x/net +" +for mod in $mods; do + mod_path=$(sed -n "s# // indirect## ; s#^ \($mod\) \(.*\)\$#\1@\2#p" src/$mod_name/go.mod) + [ -n "$mod_path" ] + mkdir -p src/$mod + ( cd $GOPATH/pkg/mod/$mod_path ; tar cf - --exclude ".git*" * ) | tar xfC - src/$mod + chmod -R +w src/$mod +done + +for mod in golang.org/x/sys; do + mod_path=$(sed -n "s#^\($mod\) \(.*\) h1:.*\$#\1@\2#p" src/$mod_name/go.sum | sed /go.mod/d | sort -n -r | sed -n 1p) + [ -n "$mod_path" ] + mkdir -p src/$mod + ( cd $GOPATH/pkg/mod/$mod_path ; tar cf - --exclude ".git*" * ) | tar xfC - src/$mod + chmod -R +w src/$mod +done + +cat > $tmp/includes < download.texi < diff --git a/www.mk b/www.mk new file mode 100644 index 0000000000000000000000000000000000000000..78140e87125127ecce8986afb80d43f6562831ff890f2c416f03ca089945f10a --- /dev/null +++ b/www.mk 
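Review bot: In both vendoring loops of makedist.sh the dependency sources are copied straight out of `$GOPATH/pkg/mod` into the release tree with nothing checking them first, so whatever is in the local module cache ends up inside the signed tarball. Running `go mod verify` in the checkout before the loops would fail the release if a cached module no longer matches the hash recorded for it. The copy itself is `( cd … ; tar cf - … ) | tar xfC - src/$mod`: the pipeline's status is that of the right-hand `tar`, so under `sh -e` a failed `cd` (for example with `GOPATH` unset) may go unnoticed; a preceding `[ -d "$GOPATH/pkg/mod/$mod_path" ]` makes that failure explicit. `$tmp`, `$release` and the module paths are also expanded unquoted throughout. The script text after `cat > $tmp/includes` is not legible on this page, so this covers only the visible part.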
@@ -0,0 +1,17 @@
+MAKEINFO ?= makeinfo
+
+CSS != cat style.css
+
+all: gocheese.html
+
+gocheese.html: *.texi
+ rm -f gocheese.html/*.html
+ $(MAKEINFO) --html \
+ --set-customization-variable CSS_LINES='$(CSS)' \
+ --set-customization-variable SHOW_TITLE=0 \
+ --set-customization-variable USE_ACCESSKEY=0 \
+ --set-customization-variable DATE_IN_HEADER=1 \
+ --set-customization-variable TOP_NODE_UP_URL=index.html \
+ --set-customization-variable CLOSE_QUOTE_SYMBOL=\" \
+ --set-customization-variable OPEN_QUOTE_SYMBOL=\" \
+ -o gocheese.html gocheese.texi
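Review bot: The contents of style.css are pasted into the recipe between single quotes, `CSS_LINES='$(CSS)'`, so a single quote anywhere in the stylesheet ends the shell word and the remainder is parsed as shell; `!=` also folds the file's newlines into spaces. Letting the shell read the file at recipe time avoids both: `--set-customization-variable CSS_LINES="$$(cat style.css)" \`, with `style.css` added to the prerequisites of `gocheese.html` so a stylesheet edit triggers a rebuild. Separately, `gocheese.html` is a directory and `rm -f gocheese.html/*.html` runs first, so after a failed `makeinfo` run the target can look newer than the `.texi` files. `all` should also be declared `.PHONY`.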