changeset 258: |
390af47d8064 |
parent: |
f4376b952d35
|
child: |
c5aa261cb836 |
author: |
Richard Westhaver <ellis@rwest.io> |
date: |
Fri, 14 Jun 2024 22:48:30 +0000 |
permissions: |
-rwxr-xr-x |
description: |
updates |
7 local _arch=$(_read
arch
| tr
-d
'"') 14 local _url="https://packy.compiler.company/dist/${_arch}" 16 if !
_stash=".stash"; then 17 # Because the previous command ran in a subshell, we must manually 18 # propagate exit status. 21 ensure
mkdir
-p
"${_stash}/src" 22 ensure
mkdir
-p
"${_stash}/share/lisp/fasl" 23 ensure
mkdir
-p
"${_stash}/bin" 24 ensure
mkdir
-p
"${_stash}/lib" 25 ensure
mkdir
-p
"${_stash}/include" 26 ensure
mkdir
-p
"${_stash}/pack" 28 local _sbcl_pack="pack/sbcl.tar.zst" 29 local _rocksdb_pack="pack/rocksdb.tar.zst" 30 local _core_pack="pack/core.tar.zst" 31 local _sbcl_url="${_url}/${_sbcl_pack}" 32 local _rocksdb_url="${_url}/${_rocksdb_pack}" 33 local _core_url="${_url}/${_core_pack}" 34 ensure
download
"$_sbcl_url" "$_sbcl_pack" "$_arch" 35 unzstd
"${_sbcl_pack}" 36 tar
-xvf
"pack/sbcl.tar" 37 cd sbcl
&& INSTALL_ROOT=$(realpath
..
) sh
install.sh
&& cd ..
38 ensure
download
"$_rocksdb_url" "${_rocksdb_pack}" "$_arch" 39 unzstd
"${_rocksdb_pack}" 40 tar
-xvf
"pack/rocksdb.tar" 41 cp
-rf
rocksdb/include/*
include/
42 cp
-rf
rocksdb/*.so
lib/
43 ensure
download
"$_core_url" "${_core_pack}" "$_arch" 44 unzstd
"${_core_pack}" 45 tar
-xvf
"pack/core.tar" 46 cp
-rf
core/bin/*
bin/
47 cp
-rf
core/share/*
share/
49 rm
-rf
core
rocksdb
sbcl
54 grep
":$1" $INFRA_HOST_CONFIG | cut
-d
' ' -f
2-
57 # Check if curl supports the --retry flag, then pass it to the curl invocation. 58 check_curl_for_retry_support
() { 59 local _retry_supported="" 60 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 61 if check_help_for
"notspecified" "curl" "--retry"; then 62 _retry_supported="--retry 3" 63 if check_help_for
"notspecified" "curl" "--continue-at"; then 64 # "-C -" tells curl to automatically find where to resume the download when retrying. 65 _retry_supported="--retry 3 -C -" 69 RETVAL="$_retry_supported" 72 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 73 # if support by local tools is detected. Detection currently supports these curl backends: 74 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 75 get_ciphersuites_for_curl
() { 76 if [ -n
"${TLS_CIPHERSUITES-}" ]; then 77 # user specified custom cipher suites, assume they know what they're doing 78 RETVAL="$TLS_CIPHERSUITES" 82 local _openssl_syntax="no" 83 local _gnutls_syntax="no" 84 local _backend_supported="yes" 85 if curl
-V
| grep
-q
' OpenSSL/'; then 87 elif curl
-V
| grep
-iq
' LibreSSL/'; then 89 elif curl
-V
| grep
-iq
' BoringSSL/'; then 91 elif curl
-V
| grep
-iq
' GnuTLS/'; then 94 _backend_supported="no" 97 local _args_supported="no" 98 if [ "$_backend_supported" = "yes" ]; then 99 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 100 if check_help_for
"notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then 101 _args_supported="yes" 106 if [ "$_args_supported" = "yes" ]; then 107 if [ "$_openssl_syntax" = "yes" ]; then 108 _cs=$(get_strong_ciphersuites_for
"openssl") 109 elif [ "$_gnutls_syntax" = "yes" ]; then 110 _cs=$(get_strong_ciphersuites_for
"gnutls") 117 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 118 # if support by local tools is detected. Detection currently supports these wget backends: 119 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 120 get_ciphersuites_for_wget
() { 121 if [ -n
"${TLS_CIPHERSUITES-}" ]; then 122 # user specified custom cipher suites, assume they know what they're doing 123 RETVAL="$TLS_CIPHERSUITES" 128 if wget
-V
| grep
-q
'\-DHAVE_LIBSSL'; then 129 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 130 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 131 _cs=$(get_strong_ciphersuites_for
"openssl") 133 elif wget
-V
| grep
-q
'\-DHAVE_LIBGNUTLS'; then 134 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 135 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 136 _cs=$(get_strong_ciphersuites_for
"gnutls") 153 if "$_cmd" --help
| grep
-q
'For all options use the manual or "--help all".'; then 162 if check_cmd
sw_vers
; then 163 case $(sw_vers
-productVersion
) in 165 # If we're running on macOS, older than 10.13, then we always 166 # fail to find these options to force fallback 167 if [ "$(sw_vers
-productVersion
| cut
-d.
-f2
)" -lt
13 ]; then 169 echo "Warning: Detected macOS platform older than 10.13" 174 # We assume Big Sur will be OK for now 177 # Unknown product version, warn and continue 178 echo "Warning: Detected unknown macOS major version: $(sw_vers
-productVersion
)" 179 echo "Warning TLS capabilities detection may fail" 188 if !
"$_cmd" --help
"$_category" | grep
-q
--
"$_arg"; then 193 true # not strictly needed 196 # Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 197 # excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 198 # DH params often found on servers (see RFC 7919). Sequence matches or is 199 # similar to Firefox 68 ESR with weak cipher suites disabled via about:config. 200 # $1 must be openssl or gnutls. 201 get_strong_ciphersuites_for
() { 202 if [ "$1" = "openssl" ]; then 203 # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet. 204 echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" 205 elif [ "$1" = "gnutls" ]; then 206 # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't. 207 # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order. 208 echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM" 212 # This wraps curl or wget. Try curl first, if not installed, 220 if check_cmd
curl
; then 222 elif check_cmd
wget
; then 225 _dld='curl or wget' # to be used in error message of need_cmd 228 if [ "$1" = --check
]; then 230 elif [ "$_dld" = curl
]; then 231 check_curl_for_retry_support
233 get_ciphersuites_for_curl
234 _ciphersuites="$RETVAL" 235 if [ -n
"$_ciphersuites" ]; then 236 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--ciphers
"$_ciphersuites" --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 239 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 240 if !
check_help_for
"$3" curl
--proto
--tlsv1.2
; then 241 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 242 _err=$(curl
$_retry --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 245 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 249 if [ -n
"$_err" ]; then 251 if echo "$_err" | grep
-q
404$
; then 252 err
"installer for platform '$3' not found, this may be unsupported" 256 elif [ "$_dld" = wget
]; then 257 if [ "$(wget
-V
2>
&1|head
-2
|tail
-1
|cut
-f1
-d
" ")" = "BusyBox" ]; then 258 echo "Warning: using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure" 259 _err=$(wget
"$1" -O
"$2" 2>
&1) 262 get_ciphersuites_for_wget
263 _ciphersuites="$RETVAL" 264 if [ -n
"$_ciphersuites" ]; then 265 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
--ciphers
"$_ciphersuites" "$1" -O
"$2" 2>
&1) 268 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 269 if !
check_help_for
"$3" wget
--https-only
--secure-protocol
; then 270 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 271 _err=$(wget
"$1" -O
"$2" 2>
&1) 274 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
"$1" -O
"$2" 2>
&1) 279 if [ -n
"$_err" ]; then 281 if echo "$_err" | grep
-q
' 404 Not Found$'; then 282 err
"installer for platform '$3' not found, this may be unsupported" 287 err
"Unknown downloader" # should not reach here