Daiajo Tibdixious posted on Mon, 18 Apr 2016 22:40:08 +1000 as excerpted: > A package I wish to download has these instructions:
> wget -O -
> | apt-key add -
That, and each of the following, are effectively single command-lines,
one each, only wrapped here, as they would be on a limited-width
terminal, for purposes of display.
That line simply adds the linked gpg key to apt's keys file, presumably
so it can validate the later package as a validly signed package.
Of course the key fetch is using unsecured http, not https, so it's not
as if the key really provides much actual security, since anyone with
access to the connection could substitute a fake key, but that's more or
less beside the point. The point would be that apt wants packages signed
by keys it trusts, and that adds said key to the appropriate trusted key
store, regardless of whether the key has actually been verified as
trustworthy. > mkdir -p /etc/apt/sources.list.d
Makes (if it doesn't already exist) that local dir, used in the next
command. > echo "deb http://content.runescape.com/a=946/downloads/ubuntu trusty
> non-free" > /etc/apt/sources.list.d/runescape.list
Just to make it explicit, that ">" between non-free and /etc/apt/... is
output redirection in the original command, not just a misplaced quote
This creates a file "runescape.list" in the directory created by the mkdir
above, with one line of content:
Presumably, the "deb" on that line tells apt what format the repo is in,
the link tells apt where it's at and the protocol to use, "trusty" tells
it what version of ubuntu it's for, and non-free tells it the (Debian/
Ubuntu/apt) license status. > apt-get update
This will be their equivalent of portage's emerge --sync command. It'll
sync all configured repos, including the one just configured above, with
that /etc/apt/sources.list.d/runescape.list file and its content. > apt-get install -y runescape-launcher
With the local apt set of repos synced by the above, this installs the
actual package, runescape-launcher. > I have downloaded the apt sources and have been reading it. However its
> fairly large & complex which will take me a while to figure out.
No kidding. You'd not expect someone to download and read the portage
sources to figure out how to manually install a package from an ebuild,
would you? Sure it should work... provided you're technically literate
and patient enough, but it's definitely the long way around.
All you need is a basic general understanding of what package managers
/do/, a look at the instructions provided, and if necessary, a look at
the package manager's manpage, etc, tho that's not really necessary here.
FWIW I've never run a Debian-based distro, tho for about three years
before I switched to gentoo in 2004, I ran Mandrake, an RPM-based
distro. My rpm foo is thus well over a decade out of date and is rpm,
not deb, but it does give me experience with a second package manager,
one from a binary-based distro, to compare against portage and gentoo as
a from-source package manager and distro, and that, coupled with a
general familiarity with how Unix-style commandlines and bash as a shell
work, is enough to decipher the above. > The gpg key was fairly easy, but I don't see how apt-get uses it yet.
As with most such things, it's simply a corruption detection and
authenticity verification thing. It's likely possible to turn off such
checks in apt-get's options, but doing so for other than perhaps one's
own local repo/overlay would be highly discouraged, and the above
procedure, while not really secure because the key was fetched using
insecure means, does at least still do integrity verification, which is
what verification of unauthenticated signatures effectively amounts to.
But presumably you can simply gpgverify the package once you download it
manually, skipping figuring out the precise gpg-verification code in apt-
get. Or even skip the verification entirely... > I also don't see how apt gets the list of files to download, since there
> is only a directory given.
> I can't display http://content.runescape.com/a=946/downloads/ubuntu in a
Presumably, apt-get update simply fetches some standardized repository
index or database file from that location, which then lists the packages,
etc, in a way that apt-get can read them and fetch specific packages when
Now *here* you might need to go diving into apt-get's workings a bit
deeper, but presumably there's a manpage and/or other repository layout
documentation available, so you don't need to read the actual sources
unless you want to.
Meanwhile, we already know the package name, runescape-launcher, from the
above instructions. And the package will be a deb file.
What we don't know yet is the version information part of the filename,
and if there's any subdirs, like gentoo's categories, between the root of
the repo and the package file we're actually trying to download.
To use a gentoo example, suppose the package we were looking for was gcc.
We know the package name, gcc, and the likely extension, .ebuild, but we
don't know that it's in a subdir named sys-devel, yet, instead of
possibly just a g (first letter of gcc) subdir, or perhaps a build or
devel subdir/category instead of sys-devel, or maybe sorted by some other
means like first letter of say a 256-bit hash value of the package,
expressed in hexadecimal form. And we don't know the version part,
say -5.3.0 of the gcc-5.3.0 that I have installed here, either.
You may have to either take an educated guess at the missing parts (maybe
you know the version info or can find it in google), or get them from the
repo database after reading up on its documentation or the like.
But before that, it's also possible that you can find a reference to the
specific path, or find the *.deb file elsewhere.
You can also very likely take valuable hints from the older overlay ebuild
that Mark linked, despite it being the old java-based launcher. Looks
like the homepage is a github repo, with the latest 4.3.5 releases tagged
on Sep 21, 2015, with the latest commit on master on Feb 2, changing the
downloads to https from http, so it seems active still.
Meanwhile, a dumb search on "runescape" at github reveals nearly 700
repos. Of course many look to be runescape bots or the like, and many of
them will no doubt be for other platforms, but a smarter search could
probably narrow it down. Anyway, 50 of those projects have been updated
in the last 30 days, a reasonable activity metric. A perhaps smarter
search on runescape launcher lists 70-some projects, tho most appear to
use the old launcher or at least be written in java. Unfortunately, no
github hits on runescape nxt yet. =:^( > Just wondering if anyone has anything helpful to shorten the process of
> figuring it out.
> I'm planning to create a cut down apt-get which just fetches the files,
> but don't have much time most days.
Well, this doesn't do all the work, but it should get you well beyond the
figuring out what apt-get does with the signature file stage, at least. =:^)
 Back in the day, myspace was using a scheme similar to this to index
and store the myspace user images, including so-called "private" images,
and someone figured out the scheme and brute-forced the entire namespace,
resulting in an archive some 17 gigs or so in size of all those pictures,
that was torrented out for anyone interested. Of course this was in an
era where 100 GiB hard drives were still considered huge and connections
were normally sub-megabit, so this was no small undertaking, even just
doing the torrent, let alone the work to actually mine the entire
namespace in question. I still have a copy around somewhere, and have
actually looked thru IIRC about 1/8 of 1/16 of it (all the 000* thru 01f*
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman