changeset 18: |
d15e540441fd |
child: |
3491c1d1815d |
author: |
ellis <ellis@rwest.io> |
date: |
Sun, 03 Dec 2023 18:44:34 -0500 |
permissions: |
-rw-r--r-- |
description: |
added core init script |
3 # install the compiler.company installer. 7 COMPANY_UPDATE_ROOT="${COMPANY_UPDATE_ROOT:-https://packy.compiler.company/dist}" 9 # NOTICE: If you change anything here, please make the same changes in setup_mode.rs 12 cc-init 0.10 (0941fa04c53d+ 2023-12-03) 13 The compiler.company installer 19 -y Disable confirmation prompt. 21 Print help information 23 Print version information 36 get_architecture
|| return 1 38 assert_nz
"$_arch" "arch" 47 local _url="${COMPANY_UPDATE_ROOT}/${_arch}/cc-init${_ext}" 50 if !
_dir="$(ensure
mktemp
-d
)"; then 51 # Because the previous command ran in a subshell, we must manually 52 # propagate exit status. 55 local _file="${_dir}/cc-init${_ext}" 57 local _ansi_escapes_are_valid=false 59 if [ "${TERM+set}" = 'set' ]; then 61 xterm*
|rxvt*
|urxvt*
|linux*
|vt*
) 62 _ansi_escapes_are_valid=true 68 # check if we have to use /dev/tty to prompt the user 78 if [ "${arg%%--*}" = "" ]; then 79 # Long option (other than --help); 80 # don't attempt to interpret it. 83 while getopts :hy
sub_arg
"$arg"; do 90 # user wants to skip the prompt -- 91 # we don't need /dev/tty 102 if $_ansi_escapes_are_valid; then 103 printf "\33[1minfo:\33[0m downloading installer\n" 1>
&2 105 printf '%s\n' 'info: downloading installer' 1>
&2 108 ensure
mkdir
-p
"$_dir" 109 ensure
downloader
"$_url" "$_file" "$_arch" 110 ensure
chmod
u+x
"$_file" 111 if [ !
-x
"$_file" ]; then 112 printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>
&2 113 printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./cc-init${_ext}." 1>
&2 117 if [ "$need_tty" = "yes" ] && [ !
-t
0 ]; then 118 # The installer is going to want to ask for confirmation by 119 # reading stdin. This script was piped into `sh` though and 120 # doesn't have stdin to pass to its children. Instead we're going 121 # to explicitly connect /dev/tty to the installer's stdin. 123 err
"Unable to run interactively. Run with -y to accept defaults, --help for additional options" 126 ignore
"$_file" "$@" <
/dev/tty
140 # Check for /proc by looking for the /proc/self/exe link 141 # This is only run on Linux 142 if !
test -L
/proc/self/exe
; then 143 err
"fatal: Unable to find /proc/self/exe. Is /proc mounted? Installation cannot proceed without /proc." 149 # Architecture detection without dependencies beyond coreutils. 150 # ELF files start out "\x7fELF", and the following byte is 151 # 0x01 for 32-bit and 153 # The printf builtin on some shells like dash only supports octal 154 # escape sequences, so we use those. 155 local _current_exe_head
156 _current_exe_head=$(head
-c
5 /proc/self/exe
) 157 if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then 159 elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then 162 err
"unknown platform bitness" 166 is_host_amd64_elf
() { 169 # ELF e_machine detection without dependencies beyond coreutils. 170 # Two-byte field at offset 0x12 indicates the CPU, 171 # but we're interested in it being 0x3E to indicate amd64, or not that. 172 local _current_exe_machine
173 _current_exe_machine=$(head
-c
19 /proc/self/exe
| tail
-c
1) 174 [ "$_current_exe_machine" = "$(printf '\076')" ] 182 # detect endianness without od/hexdump, like get_bitness() does. 186 local _current_exe_endianness
187 _current_exe_endianness="$(head
-c
6 /proc/self/exe
| tail
-c
1)" 188 if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then 189 echo "${cputype}${suffix_el}" 190 elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then 191 echo "${cputype}${suffix_eb}" 193 err
"unknown platform endianness" 198 local _ostype
_cputype
_bitness
_arch
_clibtype
199 _ostype="$(uname
-s
)" 200 _cputype="$(uname
-m
)" 203 if [ "$_ostype" = Linux
]; then 204 if [ "$(uname
-o
)" = Android
]; then 207 if ldd
--version
2>
&1 | grep
-q
'musl'; then 212 if [ "$_ostype" = Darwin
] && [ "$_cputype" = i386
]; then 213 # Darwin `uname -m` lies 214 if sysctl
hw.optional.x86_64
| grep
-q
': 1'; then 219 if [ "$_ostype" = SunOS
]; then 220 # Both Solaris and illumos presently announce as "SunOS" in "uname -s" 221 # so use "uname -o" to disambiguate. We use the full path to the 222 # system uname in case the user has coreutils uname first in PATH, 223 # which has historically sometimes printed the wrong value here. 224 if [ "$(/usr/bin/uname
-o
)" = illumos
]; then 228 # illumos systems have multi-arch userlands, and "uname -m" reports the 229 # machine hardware name; e.g., "i86pc" on both 32- and 64-bit x86 230 # systems. Check for the native (widest) instruction set on the 232 if [ "$_cputype" = i86pc
]; then 233 _cputype="$(isainfo
-n
)" 240 _ostype=linux-android
245 _ostype=unknown-linux-
$_clibtype 246 _bitness=$(get_bitness
) 250 _ostype=unknown-freebsd
254 _ostype=unknown-netbsd
258 _ostype=unknown-dragonfly
266 _ostype=unknown-illumos
269 MINGW*
| MSYS*
| CYGWIN*
| Windows_NT
) 270 _ostype=pc-windows-gnu
274 err
"unrecognized OS type: $_ostype" 281 i386
| i486
| i686
| i786
| x86
) 287 if [ "$_ostype" = "linux-android" ]; then 288 _ostype=linux-androideabi
294 if [ "$_ostype" = "linux-android" ]; then 295 _ostype=linux-androideabi
297 _ostype="${_ostype}eabihf" 303 if [ "$_ostype" = "linux-android" ]; then 304 _ostype=linux-androideabi
306 _ostype="${_ostype}eabihf" 314 x86_64
| x86-64
| x64
| amd64
) 319 _cputype=$(get_endianness
mips
'' el
) 323 if [ "$_bitness" -eq
64 ]; then 324 # only n64 ABI is supported for now 325 _ostype="${_ostype}abi64" 326 _cputype=$(get_endianness
mips64
'' el
) 352 err
"unknown CPU type: $_cputype" 356 # Detect 64-bit linux with 32-bit userland 357 if [ "${_ostype}" = unknown-linux-gnu
] && [ "${_bitness}" -eq
32 ]; then 360 if [ -n
"${CPUTYPE:-}" ]; then 363 # 32-bit executable for amd64 = x32 364 if is_host_amd64_elf
; then { 365 echo "This host is running an x32 userland; as it stands, x32 support is poor," 1>
&2 366 echo "and there isn't a native toolchain -- you will have to install" 1>
&2 367 echo "multiarch compatibility with i686 and/or amd64, then select one" 1>
&2 368 echo "by re-running this script with the CPUTYPE environment variable" 1>
&2 369 echo "set to i686 or x86_64, respectively." 1>
&2 377 _cputype=$(get_endianness
mips
'' el
) 384 if [ "$_ostype" = "linux-android" ]; then 385 _ostype=linux-androideabi
387 _ostype="${_ostype}eabihf" 391 err
"riscv64 with 32-bit userland unsupported" 396 if [ "$_ostype" = "unknown-linux-gnueabihf" ] && [ "$_cputype" = armv7
]; then 397 if ensure
grep
'^Features' /proc/cpuinfo
| grep
-q
-v
neon
; then 398 # At least one processor does not have NEON. 403 _arch="${_cputype}-${_ostype}" 409 printf 'compiler.company: %s\n' "$1" 418 if !
check_cmd
"$1"; then 419 err
"need '$1' (command not found)" 424 command -v
"$1" >
/dev/null
2>
&1 428 if [ -z
"$1" ]; then err
"assert_nz $2"; fi 431 # Run a command that should never fail. If the command fails execution 432 # will immediately terminate with an error showing the failing 435 if !
"$@"; then err
"command failed: $*"; fi 438 # This is just for indicating that commands' results are being 439 # intentionally ignored. Usually, because it's being executed 440 # as part of error handling. 445 # This wraps curl or wget. Try curl first, if not installed, 453 if check_cmd
curl
; then 455 elif check_cmd
wget
; then 458 _dld='curl or wget' # to be used in error message of need_cmd 461 if [ "$1" = --check
]; then 463 elif [ "$_dld" = curl
]; then 464 check_curl_for_retry_support
466 get_ciphersuites_for_curl
467 _ciphersuites="$RETVAL" 468 if [ -n
"$_ciphersuites" ]; then 469 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--ciphers
"$_ciphersuites" --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 472 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 473 if !
check_help_for
"$3" curl
--proto
--tlsv1.2
; then 474 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 475 _err=$(curl
$_retry --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 478 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 482 if [ -n
"$_err" ]; then 484 if echo "$_err" | grep
-q
404$
; then 485 err
"installer for platform '$3' not found, this may be unsupported" 489 elif [ "$_dld" = wget
]; then 490 if [ "$(wget
-V
2>
&1|head
-2
|tail
-1
|cut
-f1
-d
" ")" = "BusyBox" ]; then 491 echo "Warning: using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure" 492 _err=$(wget
"$1" -O
"$2" 2>
&1) 495 get_ciphersuites_for_wget
496 _ciphersuites="$RETVAL" 497 if [ -n
"$_ciphersuites" ]; then 498 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
--ciphers
"$_ciphersuites" "$1" -O
"$2" 2>
&1) 501 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 502 if !
check_help_for
"$3" wget
--https-only
--secure-protocol
; then 503 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 504 _err=$(wget
"$1" -O
"$2" 2>
&1) 507 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
"$1" -O
"$2" 2>
&1) 512 if [ -n
"$_err" ]; then 514 if echo "$_err" | grep
-q
' 404 Not Found$'; then 515 err
"installer for platform '$3' not found, this may be unsupported" 520 err
"Unknown downloader" # should not reach here 534 if "$_cmd" --help
| grep
-q
'For all options use the manual or "--help all".'; then 543 if check_cmd
sw_vers
; then 544 case $(sw_vers
-productVersion
) in 546 # If we're running on macOS, older than 10.13, then we always 547 # fail to find these options to force fallback 548 if [ "$(sw_vers
-productVersion
| cut
-d.
-f2
)" -lt
13 ]; then 550 echo "Warning: Detected macOS platform older than 10.13" 555 # We assume Big Sur will be OK for now 558 # Unknown product version, warn and continue 559 echo "Warning: Detected unknown macOS major version: $(sw_vers
-productVersion
)" 560 echo "Warning TLS capabilities detection may fail" 569 if !
"$_cmd" --help
"$_category" | grep
-q
--
"$_arg"; then 574 true # not strictly needed 577 # Check if curl supports the --retry flag, then pass it to the curl invocation. 578 check_curl_for_retry_support
() { 579 local _retry_supported="" 580 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 581 if check_help_for
"notspecified" "curl" "--retry"; then 582 _retry_supported="--retry 3" 583 if check_help_for
"notspecified" "curl" "--continue-at"; then 584 # "-C -" tells curl to automatically find where to resume the download when retrying. 585 _retry_supported="--retry 3 -C -" 589 RETVAL="$_retry_supported" 592 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 593 # if support by local tools is detected. Detection currently supports these curl backends: 594 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 595 get_ciphersuites_for_curl
() { 596 if [ -n
"${COMPANY_TLS_CIPHERSUITES-}" ]; then 597 # user specified custom cipher suites, assume they know what they're doing 598 RETVAL="$COMPANY_TLS_CIPHERSUITES" 602 local _openssl_syntax="no" 603 local _gnutls_syntax="no" 604 local _backend_supported="yes" 605 if curl
-V
| grep
-q
' OpenSSL/'; then 606 _openssl_syntax="yes" 607 elif curl
-V
| grep
-iq
' LibreSSL/'; then 608 _openssl_syntax="yes" 609 elif curl
-V
| grep
-iq
' BoringSSL/'; then 610 _openssl_syntax="yes" 611 elif curl
-V
| grep
-iq
' GnuTLS/'; then 614 _backend_supported="no" 617 local _args_supported="no" 618 if [ "$_backend_supported" = "yes" ]; then 619 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 620 if check_help_for
"notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then 621 _args_supported="yes" 626 if [ "$_args_supported" = "yes" ]; then 627 if [ "$_openssl_syntax" = "yes" ]; then 628 _cs=$(get_strong_ciphersuites_for
"openssl") 629 elif [ "$_gnutls_syntax" = "yes" ]; then 630 _cs=$(get_strong_ciphersuites_for
"gnutls") 637 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 638 # if support by local tools is detected. Detection currently supports these wget backends: 639 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 640 get_ciphersuites_for_wget
() { 641 if [ -n
"${COMPANY_TLS_CIPHERSUITES-}" ]; then 642 # user specified custom cipher suites, assume they know what they're doing 643 RETVAL="$COMPANY_TLS_CIPHERSUITES" 648 if wget
-V
| grep
-q
'\-DHAVE_LIBSSL'; then 649 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 650 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 651 _cs=$(get_strong_ciphersuites_for
"openssl") 653 elif wget
-V
| grep
-q
'\-DHAVE_LIBGNUTLS'; then 654 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 655 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 656 _cs=$(get_strong_ciphersuites_for
"gnutls") 663 # Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 664 # excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 665 # DH params often found on servers (see RFC 7919). Sequence matches or is 666 # similar to Firefox 68 ESR with weak cipher suites disabled via about:config. 667 # $1 must be openssl or gnutls. 668 get_strong_ciphersuites_for
() { 669 if [ "$1" = "openssl" ]; then 670 # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet. 671 echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" 672 elif [ "$1" = "gnutls" ]; then 673 # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't. 674 # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order. 675 echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"