Daiajo Tibdixious posted on Mon, 18 Apr 2016 22:40:08 +1000 as excerpted: > A package I wish to download has these instructions: > > wget -O - > http://content.runescape.com/a=946/downloads/ubuntu/runescape.gpg.key > | apt-key add -
That, and each of the following, are effectively single command-lines, one each, only wrapped here, as they would be on a limited-width terminal, for purposes of display. That line simply adds the linked gpg key to apt's keys file, presumably so it can validate the later package as a validly signed package. Of course the key fetch is using unsecured http, not https, so it's not as if the key really provides much actual security, since anyone with access to the connection could substitute a fake key, but that's more or less beside the point. The point would be that apt wants packages signed by keys it trusts, and that adds said key to the appropriate trusted key store, regardless of whether the key has actually been verified as trustworthy. > mkdir -p /etc/apt/sources.list.d Makes (if it doesn't already exist) that local dir, used in the next command. > echo "deb http://content.runescape.com/a=946/downloads/ubuntu trusty > non-free" > /etc/apt/sources.list.d/runescape.list Just to make it explicit, that ">" between non-free and /etc/apt/... is output redirection in the original command, not just a misplaced quote character. This creates a file "runescape.list" in the directory created by the mkdir above, with one line of content: deb http://content.runescape.com/a=946/downloads/ubuntu trusty non-free Presumably, the "deb" on that line tells apt what format the repo is in, the link tells apt where it's at and the protocol to use, "trusty" tells it what version of ubuntu it's for, and non-free tells it the (Debian/ Ubuntu/apt) license status. > apt-get update This will be their equivalent of portage's emerge --sync command. It'll sync all configured repos, including the one just configured above, with that /etc/apt/sources.list.d/runescape.list file and its content. > apt-get install -y runescape-launcher With the local apt set of repos synced by the above, this installs the actual package, runescape-launcher. > I have downloaded the apt sources and have been reading it. However its > fairly large & complex which will take me a while to figure out. No kidding. You'd not expect someone to download and read the portage sources to figure out how to manually install a package from an ebuild, would you? Sure it should work... provided you're technically literate and patient enough, but it's definitely the long way around. All you need is a basic general understanding of what package managers /do/, a look at the instructions provided, and if necessary, a look at the package manager's manpage, etc, tho that's not really necessary here. FWIW I've never run a Debian-based distro, tho for about three years before I switched to gentoo in 2004, I ran Mandrake, an RPM-based distro. My rpm foo is thus well over a decade out of date and is rpm, not deb, but it does give me experience with a second package manager, one from a binary-based distro, to compare against portage and gentoo as a from-source package manager and distro, and that, coupled with a general familiarity with how Unix-style commandlines and bash as a shell work, is enough to decipher the above. > The gpg key was fairly easy, but I don't see how apt-get uses it yet. As with most such things, it's simply a corruption detection and authenticity verification thing. It's likely possible to turn off such checks in apt-get's options, but doing so for other than perhaps one's own local repo/overlay would be highly discouraged, and the above procedure, while not really secure because the key was fetched using insecure means, does at least still do integrity verification, which is what verification of unauthenticated signatures effectively amounts to. But presumably you can simply gpgverify the package once you download it manually, skipping figuring out the precise gpg-verification code in apt- get. Or even skip the verification entirely... > I also don't see how apt gets the list of files to download, since there > is only a directory given. > I can't display http://content.runescape.com/a=946/downloads/ubuntu in a > browser. Presumably, apt-get update simply fetches some standardized repository index or database file from that location, which then lists the packages, etc, in a way that apt-get can read them and fetch specific packages when necessary. Now *here* you might need to go diving into apt-get's workings a bit deeper, but presumably there's a manpage and/or other repository layout documentation available, so you don't need to read the actual sources unless you want to. Meanwhile, we already know the package name, runescape-launcher, from the above instructions. And the package will be a deb file. What we don't know yet is the version information part of the filename, and if there's any subdirs, like gentoo's categories, between the root of the repo and the package file we're actually trying to download. To use a gentoo example, suppose the package we were looking for was gcc. We know the package name, gcc, and the likely extension, .ebuild, but we don't know that it's in a subdir named sys-devel, yet, instead of possibly just a g (first letter of gcc) subdir, or perhaps a build or devel subdir/category instead of sys-devel, or maybe sorted by some other means like first letter of say a 256-bit hash value of the package, expressed in hexadecimal form.[1] And we don't know the version part, say -5.3.0 of the gcc-5.3.0 that I have installed here, either. You may have to either take an educated guess at the missing parts (maybe you know the version info or can find it in google), or get them from the repo database after reading up on its documentation or the like. But before that, it's also possible that you can find a reference to the specific path, or find the *.deb file elsewhere. You can also very likely take valuable hints from the older overlay ebuild that Mark linked, despite it being the old java-based launcher. Looks like the homepage is a github repo, with the latest 4.3.5 releases tagged on Sep 21, 2015, with the latest commit on master on Feb 2, changing the downloads to https from http, so it seems active still. Meanwhile, a dumb search on "runescape" at github reveals nearly 700 repos. Of course many look to be runescape bots or the like, and many of them will no doubt be for other platforms, but a smarter search could probably narrow it down. Anyway, 50 of those projects have been updated in the last 30 days, a reasonable activity metric. A perhaps smarter search on runescape launcher lists 70-some projects, tho most appear to use the old launcher or at least be written in java. Unfortunately, no github hits on runescape nxt yet. =:^( > Just wondering if anyone has anything helpful to shorten the process of > figuring it out. > I'm planning to create a cut down apt-get which just fetches the files, > but don't have much time most days. Well, this doesn't do all the work, but it should get you well beyond the figuring out what apt-get does with the signature file stage, at least. =:^) --- [1] Back in the day, myspace was using a scheme similar to this to index and store the myspace user images, including so-called "private" images, and someone figured out the scheme and brute-forced the entire namespace, resulting in an archive some 17 gigs or so in size of all those pictures, that was torrented out for anyone interested. Of course this was in an era where 100 GiB hard drives were still considered huge and connections were normally sub-megabit, so this was no small undertaking, even just doing the torrent, let alone the work to actually mine the entire namespace in question. I still have a copy around somewhere, and have actually looked thru IIRC about 1/8 of 1/16 of it (all the 000* thru 01f* images). -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
