changeset 271: | cd797f4eb846 |
parent: | 0e3229b8409f |
child: | 7046a8e3e517 |
author: | Richard Westhaver <ellis@rwest.io> |
date: | Sun, 16 Jun 2024 19:15:28 -0400 |
permissions: | -rwxr-xr-x |
description: | rm infra.asd |
#!/bin/sh
# Fail on use of an unset variable (-u) and, in contexts where the shell
# honours it, on the first failing command (-e). Note that -e is suspended
# inside a function invoked as `fn || ...` or under `if !`, so how main is
# called at the bottom of this file decides whether -e protects its body.
set -eu
|
3 | |
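main() {
    # Bootstrap a local toolchain into ./.stash: fetch the prebuilt SBCL
    # archive plus the core binaries and core sources for this host's
    # architecture, unpack them, then start SBCL on the unpacked user core
    # to run the autogen entry point.
    #
    # Relies on helpers sourced from ./check.sh (ensure, download, say) and
    # on the host config read through _read. Steps that change directory or
    # run an installer check their own status below, so they do not depend
    # on whether `set -e` is in effect for this function.
    . ./check.sh

    download --check

    # Declare and assign separately: `local x=$(cmd)` reports local's exit
    # status (always 0) and would hide a failing _read under `set -e`.
    local _arch
    _arch=$(_read arch | tr -d '"')
    # Platform-specific executable suffix; computed but not used below.
    local _ext=""
    case "$_arch" in
        *windows*)
            _ext=".exe"
            ;;
    esac
    local _url="https://packy.compiler.company/dist/${_arch}/pack"

    # The stash path is a constant. The former `if ! _stash=".stash"` guard
    # (left over from a template that used `mktemp -d` in a subshell) could
    # never fail and has been removed.
    local _stash=".stash"
    ensure mkdir -p "${_stash}/src"
    ensure mkdir -p "${_stash}/share/lisp/fasl"
    ensure mkdir -p "${_stash}/bin"
    ensure mkdir -p "${_stash}/lib"
    ensure mkdir -p "${_stash}/include"
    cd "${_stash}" || exit 1

    local _sbcl_pack="sbcl.tar.zst"
    # local _rocksdb_pack="rocksdb.tar.zst"
    local _core_pack="core.tar.zst"
    local _core_src_pack="core-source.tar.zst"
    local _sbcl_url="${_url}/${_sbcl_pack}"
    # local _rocksdb_url="${_url}/${_rocksdb_pack}"
    local _core_url="${_url}/${_core_pack}"
    local _core_src_url="${_url}/${_core_src_pack}"

    # NOTE(review): the archives are trusted on the strength of the TLS
    # connection alone; nothing below verifies a checksum or signature
    # before their contents are unpacked and executed.
    ensure download "$_sbcl_url" "$_sbcl_pack" "$_arch"
    unzstd "${_sbcl_pack}"
    tar -xf "sbcl.tar"
    # Run the installer as separate, individually checked statements rather
    # than an `a && b && c` list: `set -e` ignores failures inside an AND
    # list, so a failing `cd sbcl` or install.sh used to leave the script
    # running in the wrong directory instead of stopping.
    cd sbcl || exit 1
    INSTALL_ROOT="$(realpath ..)" sh install.sh || exit 1
    cd .. || exit 1

    ensure download "$_core_src_url" "$_core_src_pack" "$_arch"
    unzstd "${_core_src_pack}"
    tar -xvf "core-source.tar"
    mv core src/

    # ensure download "$_rocksdb_url" "${_rocksdb_pack}" "$_arch"
    # unzstd "${_rocksdb_pack}"
    # tar -xvf "pack/rocksdb.tar"
    # cp -rf rocksdb/include/* include/
    # cp -rf rocksdb/*.so lib/

    ensure download "$_core_url" "${_core_pack}" "$_arch"
    unzstd "${_core_pack}"
    tar -xf "core.tar"
    cp -rf core/bin/* bin/
    cp -rf core/share/* share/
    chmod +x bin/*
    rm -rf core sbcl
    rm -rf ./*.tar
    say "successfully unpacked core"
    say "starting lisp..."

    # Back to the directory that holds .stash and autogen.lisp. The stash
    # is referenced through the variable so both uses stay in sync.
    cd .. || exit 1
    "${_stash}/bin/sbcl" --core "${_stash}/share/lisp/user.core" \
        --load autogen.lisp \
        --eval "(infra/autogen:autogen)" \
        --non-interactive
    say "OK"
}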
65 | ||
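# Print the value for key $1 from the host config file named by
# $INFRA_HOST_CONFIG. Matching lines look like ":key value..." and
# everything after the first space is printed. The path is quoted so a
# config file whose name contains whitespace is still found.
_read() {
    grep ":$1" "$INFRA_HOST_CONFIG" | cut -d' ' -f 2-
}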
|
69 | ||
# Probe curl's help text for --retry (and, when present, --continue-at) and
# leave the matching flags in RETVAL so download() can splice them into its
# curl command line. RETVAL is empty when curl lacks --retry.
check_curl_for_retry_support() {
    local _flags=""
    # The arch is passed as "notspecified" so check_help_for skips its macOS
    # version probing; the host may be an old OS using a macports/homebrew curl.
    if check_help_for "notspecified" "curl" "--retry"; then
        _flags="--retry 3"
        # "-C -" lets curl work out the resume offset itself when retrying.
        if check_help_for "notspecified" "curl" "--continue-at"; then
            _flags="$_flags -C -"
        fi
    fi
    RETVAL="$_flags"
}
|
83 | ||
# Pick the cipher suite string for curl and leave it in RETVAL.
# A user-supplied TLS_CIPHERSUITES wins unchanged. Otherwise, when curl's
# TLS backend is recognised (OpenSSL syntax: OpenSSL, LibreSSL, BoringSSL;
# or GnuTLS syntax) and curl understands --tlsv1.2/--ciphers/--proto, RETVAL
# becomes the strong TLS 1.2-1.3 list from get_strong_ciphersuites_for.
# RETVAL is empty when either condition is not met.
get_ciphersuites_for_curl() {
    if [ -n "${TLS_CIPHERSUITES-}" ]; then
        # Custom suites from the environment are passed through as-is.
        RETVAL="$TLS_CIPHERSUITES"
        return
    fi

    # Syntax family the detected backend speaks; empty if unrecognised.
    local _syntax=""
    if curl -V | grep -q ' OpenSSL/'; then
        _syntax="openssl"
    elif curl -V | grep -iq ' LibreSSL/'; then
        _syntax="openssl"
    elif curl -V | grep -iq ' BoringSSL/'; then
        _syntax="openssl"
    elif curl -V | grep -iq ' GnuTLS/'; then
        _syntax="gnutls"
    fi

    RETVAL=""
    if [ -z "$_syntax" ]; then
        return
    fi
    # Arch "notspecified" skips check_help_for's macOS version probing; the
    # host may be an old OS using a macports/homebrew curl.
    if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
        RETVAL=$(get_strong_ciphersuites_for "$_syntax")
    fi
}
|
124 | ||
# Pick the cipher suite string for wget and leave it in RETVAL.
# A user-supplied TLS_CIPHERSUITES wins unchanged. Otherwise the TLS library
# wget was built against is read from `wget -V` (-DHAVE_LIBSSL: OpenSSL
# syntax, -DHAVE_LIBGNUTLS: GnuTLS syntax) and, if wget also understands the
# TLS options download() will pass, RETVAL becomes the strong TLS 1.2-1.3
# list from get_strong_ciphersuites_for. RETVAL is empty otherwise.
get_ciphersuites_for_wget() {
    if [ -n "${TLS_CIPHERSUITES-}" ]; then
        # Custom suites from the environment are passed through as-is.
        RETVAL="$TLS_CIPHERSUITES"
        return
    fi

    local _syntax=""
    # `--` stops grep from reading the "-D..." pattern as an option.
    if wget -V | grep -q -- '-DHAVE_LIBSSL'; then
        _syntax="openssl"
    elif wget -V | grep -q -- '-DHAVE_LIBGNUTLS'; then
        _syntax="gnutls"
    fi

    RETVAL=""
    if [ -z "$_syntax" ]; then
        return
    fi
    # Arch "notspecified" skips check_help_for's macOS version probing; the
    # host may be an old OS using a macports/homebrew wget.
    if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
        RETVAL=$(get_strong_ciphersuites_for "$_syntax")
    fi
}
|
148 | ||
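# Return 0 when every option named in $3.. appears in the output of
# `$2 --help`, 1 otherwise. $1 is the target arch: on *darwin* the macOS
# release is checked first and anything older than 10.13 is reported as
# unsupported (return 1) so callers fall back to a conservative command
# line. Pass "notspecified" as $1 to skip the macOS check. Uses check_cmd
# (from check.sh) on darwin only.
check_help_for() {
    local _arch="$1"
    shift
    local _cmd="$1"
    shift
    local _arg

    # Newer curl prints a trimmed help page by default and only lists every
    # option under `--help all`; detect that and ask for the full category.
    local _category=""
    if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
        _category="all"
    fi

    case "$_arch" in
        *darwin*)
            if check_cmd sw_vers; then
                local _product_version
                _product_version=$(sw_vers -productVersion)
                case "$_product_version" in
                    10.*)
                        # On macOS older than 10.13 always report the options
                        # as missing to force the fallback.
                        if [ "$(printf '%s' "$_product_version" | cut -d. -f2)" -lt 13 ]; then
                            echo "Warning: Detected macOS platform older than 10.13"
                            return 1
                        fi
                        ;;
                    11.*)
                        # Big Sur is assumed to be fine for now.
                        ;;
                    *)
                        # Unknown product version: warn and continue.
                        echo "Warning: Detected unknown macOS major version: $_product_version"
                        echo "Warning TLS capabilities detection may fail"
                        ;;
                esac
            fi
            ;;
    esac

    # Pass the category only when there is one; the previous code handed an
    # empty "" argument to `--help` for commands without help categories.
    for _arg in "$@"; do
        if ! "$_cmd" --help ${_category:+"$_category"} | grep -q -- "$_arg"; then
            return 1
        fi
    done
    return 0
}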
|
196 | ||
# Print the strong TLS 1.2-1.3 cipher suite list in the syntax named by $1
# ("openssl" or "gnutls"); print nothing for any other value.
# TLS 1.2 suites are limited to ECDHE + AEAD; DHE is left out because
# servers frequently carry bad DH parameters (see RFC 7919). The selection
# matches, or is close to, Firefox 68 ESR with weak suites disabled via
# about:config.
get_strong_ciphersuites_for() {
    case "$1" in
        openssl)
            # OpenSSL ignores unknown names, so listing TLS 1.3 suites on a
            # version that predates TLS 1.3 is harmless.
            echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
            ;;
        gnutls)
            # GnuTLS rejects unknown names, so this may need a GnuTLS build
            # with TLS 1.3 support even when wget itself lacks it.
            # Start from SECURE128 (and stronger), then strip and re-add
            # pieces; this yields the same 9 suites as the OpenSSL list, in a
            # slightly different order.
            echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
            ;;
    esac
}
|
212 | ||
# This wraps curl or wget. Try curl first, if not installed,
# use wget instead.
#
# Usage: download --check          verify a downloader exists (via need_cmd)
#        download URL DEST ARCH    fetch URL into DEST; ARCH is only used for
#                                  help-text probing and in error messages.
# Returns the downloader's exit status. The downloader's combined output is
# captured and echoed to stderr; a trailing "404" in it is reported through
# err (from check.sh).
#
# Integrity of DEST rests on the TLS connection alone; nothing here verifies
# a checksum or signature. Several fallback paths below relax the TLS
# settings (each prints a warning) when the tool lacks the needed options.
download() {
    local _dld
    local _ciphersuites
    local _err
    local _status
    local _retry
    if check_cmd curl; then
        _dld=curl
    elif check_cmd wget; then
        _dld=wget
    else
        _dld='curl or wget' # to be used in error message of need_cmd
    fi
    if [ "$1" = --check ]; then
        need_cmd "$_dld"
    elif [ "$_dld" = curl ]; then
        # Both helpers hand their result back through the RETVAL global.
        check_curl_for_retry_support
        _retry="$RETVAL"
        get_ciphersuites_for_curl
        _ciphersuites="$RETVAL"
        if [ -n "$_ciphersuites" ]; then
            # $_retry is intentionally unquoted: it holds zero or more flags.
            # --proto '=https' refuses non-HTTPS URLs, including on redirect.
            _err=$(curl $_retry --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
            _status=$?
        else
            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
            if ! check_help_for "$3" curl --proto --tlsv1.2; then
                # Weakest curl path: no protocol or TLS version restriction.
                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
                _err=$(curl $_retry --silent --show-error --fail --location "$1" --output "$2" 2>&1)
                _status=$?
            else
                _err=$(curl $_retry --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
                _status=$?
            fi
        fi
        if [ -n "$_err" ]; then
            echo "$_err" >&2
            # curl's --fail message ends in the HTTP status code.
            if echo "$_err" | grep -q 404$; then
                err "installer for platform '$3' not found, this may be unsupported"
            fi
        fi
        return $_status
    elif [ "$_dld" = wget ]; then
        # BusyBox wget has none of the TLS options used below; second line of
        # `wget -V` starts with "BusyBox" there.
        if [ "$(wget -V 2>&1|head -2|tail -1|cut -f1 -d" ")" = "BusyBox" ]; then
            echo "Warning: using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure"
            _err=$(wget "$1" -O "$2" 2>&1)
            _status=$?
        else
            get_ciphersuites_for_wget
            _ciphersuites="$RETVAL"
            if [ -n "$_ciphersuites" ]; then
                # --https-only also keeps redirects on HTTPS.
                _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
                _status=$?
            else
                echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
                if ! check_help_for "$3" wget --https-only --secure-protocol; then
                    # Weakest wget path: without --https-only, wget does not
                    # restrict followed redirects to HTTPS.
                    echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
                    _err=$(wget "$1" -O "$2" 2>&1)
                    _status=$?
                else
                    _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
                    _status=$?
                fi
            fi
        fi
        if [ -n "$_err" ]; then
            echo "$_err" >&2
            # wget spells the status out in its error line.
            if echo "$_err" | grep -q ' 404 Not Found$'; then
                err "installer for platform '$3' not found, this may be unsupported"
            fi
        fi
        return $_status
    else
        err "Unknown downloader" # should not reach here
    fi
}
|
290 | ||
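# Call main directly rather than as `main "$@" || exit 1`: a function run on
# the left-hand side of `||` executes with `set -e` suspended, so the
# `set -eu` at the top of the file did not abort main on a failing command.
# With a plain call a failing command inside main, or a non-zero return from
# it, ends the script through set -e with that status.
main "$@"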