aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: b6591610ae0da4c409c3f748d539e5e58b691b43 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
Trashman: the dystopic package and config manager
=================================================

    Poorman's Rule:
            When you pull a plastic garbage bag from its handy dispenser
            package, you always get hold of the closed end and try to
            pull it open.

Hello dumpster divers! Wanna know about the new tool in the "ecosystem"?

It pollutes your environment with the modern depressing stack like nodejs and
docker.

Some stuff are hard to package or upstream makes the effort to keep it harder
and harder to package. Distros are left behind the planned obsolescence.

This humble tool alleviates the pain like if you find yourself in the urge to
install that hyped application but have no choice other than run magic commands
and install untrusted code.

It replaces curl-pipe-bash statements like

    curl $backdoor_url | bash

by this one:

    trashman install <package>

Instead of being just a shorthand, `trashman` packages can try as best as possible
not to fetch keys and scripts from remote locations without some basic checks. So if
you have to add files into `/etc/apt/trusted.gpg.d`, `trashman` will provide those
keys or fingerprints instead of downloading it from somewhere, in which case it could
be easily tampered.

## Hoarder

Hoarder is trashman's companion, an equivalent script intended to install packages
locally, at the current user's folder:

    hoarder install <package>

## Features

* Multi-arch, multi-OS: you might code packages for any distro,
  be it a GNU/Linux flavour, BSD, Minix or whatever UNIX implementation.
  Its written in bourne shell language, which guarantees it may run in most
  systems.

* Multi-language: code your package in the language you want, the way you want.
  This tool is mainly a script dispatcher. Packages have only to respect some
  basic conventions like exit statuses.

* Stateless: it doesnt save package state. Instead, packages should provide their
  own built-in code to detected whether they are installed, half-installed or not.

* Installess: `trashman` itself does not, but can be, installed system-wide.
  It has no other dependencies other than basic tools like those available
  in coreutils packages and nowadays common applications like `git`.

* Provides basic automation: instead of always running command by hand, recipes
  can be included in your deployment scripts.

* The one to rule then all; a meta package manager suportting any other
  package manager, like apt/dpkg, stowpkg, pkg_src, etc.

## Limitations

* It is not a full-feature package manager. Use the one provided by your distro
  instead. We're not advocating you to stop using your distro way to manage things.
  We're just providing an alternative way when your distro does not provide easier
  ways to install some software.

* Do not use your main system for installing `trashman` packages. Use a Virtual Machine
  instead: this is more manageable and keep the litter isolated from the other parts
  of your infrastructure.

* Not everything can be checked in advance by `trashman` packages. Each package can do
  it's best to check sources and avoiding running unsigned/untrusted code from remote
  locations.

* This software is a poor mitigation and a way to save yourself some time in a growing
  trend of open source software lifecycles dominated by conglomerates running their
  "cloud" providing you with "open core" applications, taking over your computing stack.

## Installation

Simply clone it and add to your `$PATH`:

    git clone https://git.fluxo.info/trashman

You can also verify the latest commit's OpenPGP signature:

    /usr/bin/git -C templater verify-commit HEAD

Note that `/usr/bin/git` is called to avoid any other `git` wrappers or aliases
you might have available on your shell.

You might also proceed with a system-wide install using `trashman` do install
itself in your system:

     ./trashman install trashman

## Syncing the codebase

Syncing the codebase is a two-step procedure. First grab upstream changes:

    trashman fetch

This will output current OpenPGP signature's from the last commit. You might
check that and also check for repository changes. Once you're fine with those,
do the actual merge:

    trashman merge

## How it works

Basically `trashman` is just a dispatcher/router for scripts available under
it's `share/` directory. It scans every available package for the available
implementation that best fits your current distro.

Say that you're running Debian GNU/Linux. First trashman tries to find scripts
that matches `debian` distro, trying `linux` target next and finally `unix`.

This ways, it's possible to implement generic package management procedures
as longs as specific to each distro.

## Writing a package

You might use [templater](https://templater.fluxo.info):

    cd path/to/trashman/repo && templater share/package/<package_name> trashman

packages are simply as having the following files:

* `share/trashman/<package>/info`: describe package purpose.
* `share/trashman/<package>/<ancestor>/<family>/<distro>/<action>`: script that runs on a given action.
* `share/trashman/<package>/<ancestor>/<family>/<action>`: script that runs on a given action, fallback.
* `share/trashman/<package>/<ancestor>/<action>`: script that runs on a given action, fallback.

Where actions can be like `install`, `check`, `remove` or `upgrade`. You don't have
to implement all actions. Actually, no action is required to create a package, but
having no action makes it useless.

### Check action

The `check` action may return the following exit codes:

* 0: the package is installed system-wide.
* 1: the package is not installed system-wide.
* 2: the package is partially installed system-wide.

Yes. This is far from deterministic builds. We're talking about scripts that might fail
anytime, due to network errors or inconsistencies.

### Idempotency

Shit. I think I can't even spell this word correctly. Idempowhat? So you're saying
you want to make your program keep your system in the same state no matter how many
times you run it?

You don't need a DSL to do that. It's as simply as

    if ! installed $program; then
      install_program $program
    fi

It's recommended that you try to make your packaging script to be idempotent.

This way,`trashman` turns into a configuration manager, going beyond the basic
package management.

## Naming candidates

While designing this tools, the following names were considered:

* trashman
* garbageman
* dumpster
* dumpsterize
* gari
* lixomanina
* trashops

This software is dedicated to bands like Trashmen, Trashwomen and Lixomania.