| changeset 371: |
7dcabf3e0edc |
| parent: |
7c19637786a7
|
| author: |
Richard Westhaver <ellis@rwest.io> |
| date: |
Tue, 24 Sep 2024 15:53:24 -0400 |
| permissions: |
-rwxr-xr-x |
| description: |
no link in bootstrap.sh |
6 if [[ -z
"${INFRA_PROFILE:-}" ]]; then 7 export INFRA_PROFILE="${1:-default.sxp}" 9 export INFRA_PROFILE="${INFRA_PROFILE}" 13 local _arch=$(_read
arch
| tr
-d
'"') 20 local _url="https://packy.compiler.company/dist/${_arch}/pack" 22 if !
_stash=".stash"; then 23 # Because the previous command ran in a subshell, we must manually 24 # propagate exit status. 27 # setup default directories 28 ensure
mkdir
-p
"${_stash}/src" 29 ensure
mkdir
-p
"${_stash}/share/lisp/fasl" 30 ensure
mkdir
-p
"${_stash}/tmp" 31 ensure
mkdir
-p
"${_stash}/share/store/dist" 32 ensure
mkdir
-p
"${_stash}/bin" 33 ensure
mkdir
-p
"${_stash}/lib" 34 ensure
mkdir
-p
"${_stash}/include" 37 local _sbcl_pack="sbcl.tar.zst" 38 # local _rocksdb_pack="rocksdb.tar.zst" 39 local _core_pack="core.tar.zst" 40 local _infra_core="infra.core" 41 # local _core_src_pack="core-source.tar.zst" 42 local _sbcl_url="${_url}/${_sbcl_pack}" 43 # local _rocksdb_url="${_url}/${_rocksdb_pack}" 44 local _core_url="${_url}/${_core_pack}" 45 local _infra_core_url="https://packy.compiler.company/dist/${_arch}/lisp/${_infra_core}" 46 # local _core_src_url="${_url}/${_core_src_pack}" 47 if [ !
-f
"tmp/$_sbcl_pack" ]; then 48 ensure
download
"$_sbcl_url" "tmp/$_sbcl_pack" "$_arch" 49 unzstd
"tmp/${_sbcl_pack}" 50 tar
-C
tmp
-xf
"tmp/sbcl.tar" 51 cd tmp/sbcl
&& INSTALL_ROOT=$(realpath
../..
) sh
install.sh
&& cd ../..
54 # ensure download "$_core_src_url" "$_core_src_pack" "$_arch" 55 # unzstd "${_core_src_pack}" 56 # tar -xvf "core-source.tar" 58 # ensure download "$_rocksdb_url" "${_rocksdb_pack}" "$_arch" 59 # unzstd "${_rocksdb_pack}" 60 # tar -xvf "pack/rocksdb.tar" 61 # cp -rf rocksdb/include/* include/ 62 # cp -rf rocksdb/*.so lib/ 64 if [ !
-f
"bin/skel" ]; then 66 ensure
download
"$_core_url" "${_core_pack}" "$_arch" 67 unzstd
"${_core_pack}" 70 cp
-rf
tmp/core/bin/*
bin/
71 # unpacked core, link binaries 76 cp
-rf
tmp/core/share/*
share/
79 if [ !
-f
"share/lisp/$_infra_core" ]; then 80 ensure
download
"$_infra_core_url" "share/lisp/$_infra_core" "$_arch" 85 say
"bootstrap complete" 87 say
"starting lisp..." 89 .stash/bin/sbcl
--core
.stash/share/lisp/infra.core
\ 91 --eval
"(infra/autogen:autogen)" \ 93 --no-userinit
--no-sysinit
99 grep
":$1" $INFRA_HOST_CONFIG | cut
-d
' ' -f
2-
102 # Check if curl supports the --retry flag, then pass it to the curl invocation. 103 check_curl_for_retry_support
() { 104 local _retry_supported="" 105 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 106 if check_help_for
"notspecified" "curl" "--retry"; then 107 _retry_supported="--retry 3" 108 if check_help_for
"notspecified" "curl" "--continue-at"; then 109 # "-C -" tells curl to automatically find where to resume the download when retrying. 110 _retry_supported="--retry 3 -C -" 113 RETVAL="$_retry_supported" 116 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 117 # if support by local tools is detected. Detection currently supports these curl backends: 118 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 119 get_ciphersuites_for_curl
() { 120 if [ -n
"${TLS_CIPHERSUITES-}" ]; then 121 # user specified custom cipher suites, assume they know what they're doing 122 RETVAL="$TLS_CIPHERSUITES" 125 local _openssl_syntax="no" 126 local _gnutls_syntax="no" 127 local _backend_supported="yes" 128 if curl
-V
| grep
-q
' OpenSSL/'; then 129 _openssl_syntax="yes" 130 elif curl
-V
| grep
-iq
' LibreSSL/'; then 131 _openssl_syntax="yes" 132 elif curl
-V
| grep
-iq
' BoringSSL/'; then 133 _openssl_syntax="yes" 134 elif curl
-V
| grep
-iq
' GnuTLS/'; then 137 _backend_supported="no" 139 local _args_supported="no" 140 if [ "$_backend_supported" = "yes" ]; then 141 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 142 if check_help_for
"notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then 143 _args_supported="yes" 147 if [ "$_args_supported" = "yes" ]; then 148 if [ "$_openssl_syntax" = "yes" ]; then 149 _cs=$(get_strong_ciphersuites_for
"openssl") 150 elif [ "$_gnutls_syntax" = "yes" ]; then 151 _cs=$(get_strong_ciphersuites_for
"gnutls") 157 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 158 # if support by local tools is detected. Detection currently supports these wget backends: 159 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 160 get_ciphersuites_for_wget
() { 161 if [ -n
"${TLS_CIPHERSUITES-}" ]; then 162 # user specified custom cipher suites, assume they know what they're doing 163 RETVAL="$TLS_CIPHERSUITES" 167 if wget
-V
| grep
-q
'\-DHAVE_LIBSSL'; then 168 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 169 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 170 _cs=$(get_strong_ciphersuites_for
"openssl") 172 elif wget
-V
| grep
-q
'\-DHAVE_LIBGNUTLS'; then 173 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 174 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 175 _cs=$(get_strong_ciphersuites_for
"gnutls") 190 if "$_cmd" --help
| grep
-q
'For all options use the manual or "--help all".'; then 198 if check_cmd
sw_vers
; then 199 case $(sw_vers
-productVersion
) in 201 # If we're running on macOS, older than 10.13, then we always 202 # fail to find these options to force fallback 203 if [ "$(sw_vers
-productVersion
| cut
-d.
-f2
)" -lt
13 ]; then 205 echo "Warning: Detected macOS platform older than 10.13" 210 # We assume Big Sur will be OK for now 213 # Unknown product version, warn and continue 214 echo "Warning: Detected unknown macOS major version: $(sw_vers
-productVersion
)" 215 echo "Warning TLS capabilities detection may fail" 222 if !
"$_cmd" --help
"$_category" | grep
-q
--
"$_arg"; then 226 true # not strictly needed 229 # Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 230 # excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 231 # DH params often found on servers (see RFC 7919). Sequence matches or is 232 # similar to Firefox 68 ESR with weak cipher suites disabled via about:config. 233 # $1 must be openssl or gnutls. 234 get_strong_ciphersuites_for
() { 235 if [ "$1" = "openssl" ]; then 236 # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet. 237 echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" 238 elif [ "$1" = "gnutls" ]; then 239 # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't. 240 # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order. 241 echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM" 245 # This wraps curl or wget. Try curl first, if not installed, 253 if check_cmd
curl
; then 255 elif check_cmd
wget
; then 258 _dld='curl or wget' # to be used in error message of need_cmd 260 if [ "$1" = --check
]; then 262 elif [ "$_dld" = curl
]; then 263 check_curl_for_retry_support
265 get_ciphersuites_for_curl
266 _ciphersuites="$RETVAL" 267 if [ -n
"$_ciphersuites" ]; then 268 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--ciphers
"$_ciphersuites" --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 271 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 272 if !
check_help_for
"$3" curl
--proto
--tlsv1.2
; then 273 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 274 _err=$(curl
$_retry --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 277 _err=$(curl
$_retry --proto
'=https' --tlsv1.2
--silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 281 if [ -n
"$_err" ]; then 283 if echo "$_err" | grep
-q
404$
; then 284 err
"installer for platform '$3' not found, this may be unsupported" 288 elif [ "$_dld" = wget
]; then 289 if [ "$(wget
-V
2>
&1|head
-2
|tail
-1
|cut
-f1
-d
" ")" = "BusyBox" ]; then 290 echo "Warning: using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure" 291 _err=$(wget
"$1" -O
"$2" 2>
&1) 294 get_ciphersuites_for_wget
295 _ciphersuites="$RETVAL" 296 if [ -n
"$_ciphersuites" ]; then 297 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
--ciphers
"$_ciphersuites" "$1" -O
"$2" 2>
&1) 300 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 301 if !
check_help_for
"$3" wget
--https-only
--secure-protocol
; then 302 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 303 _err=$(wget
"$1" -O
"$2" 2>
&1) 306 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
"$1" -O
"$2" 2>
&1) 311 if [ -n
"$_err" ]; then 313 if echo "$_err" | grep
-q
' 404 Not Found$'; then 314 err
"installer for platform '$3' not found, this may be unsupported" 319 err
"Unknown downloader" # should not reach here
