From 89f4b8850358951040949eae9fdef277ae7afbf2 Mon Sep 17 00:00:00 2001 From: Ben Zanin Date: Fri, 5 Apr 2019 14:38:12 -0400 Subject: [PATCH 1/2] Change CDT 8.6.0 d/l to use auto mirrors + checksums Per https://bugs.eclipse.org/bugs/show_bug.cgi?id=134634#c3 this mirror redirection feature is not well known, but it works and it removes a decision point from an otherwise copy-and-paste set of steps. The `r=1` query fragment causes Eclipse.org's download.php to pass a redirect directly back to the client rather than a mirror list: https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/download.php#n97 Sadly it appears that including the `protocol=https` query element is wasted effort since that value is unconditionally overridden: https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/download.php#n173 Add CDT 8.6.0 checksum verification (via HTTPS) Per https://wiki.eclipse.org/CBI/How_to_check_integrity_of_downloads_from_the_Eclipse_Foundation the Eclipse Foundation mirror system offers the ability to retrieve checksums for mirrored packages to provide an additional degree of certainty about the absence of tampering in transit, since mirrored files are provided via HTTP. (The link cites performance concerns as the reason for transferring mirrored files unencrypted, but that concern, while common, is well known to be less worrisome than has been the case even recently, [eg.][1] ) The `sums.php` [source][2] shows three checkum types may be used as valid options: md5, sha1, and sha512. We'll prefer sha512. We'll also assume that the `sha512sum` tool is available and supports the `-c`/`--check` invocation option. I have observed these three checksum values for `cdt-8.6.0.zip` as returned by the Eclipse Foundation mirror, and I'm noting them here rather than in `DevGuide.md` directly on the assumption that it is a better idea to let `sha512sum` do the verification instead of the user following the guide: | Type | Value | | ------ | ----- | | md5 | `8e9438a6e3947d614af98e1b58e945a2` | | sha1 | `6363c3eece78277cc6b6748bb4eba0166db30a6a` | | sha512 | `2b8bb498146aa29995e807c5b4e9d5dab0f6afe89a5ce256978b7b2c478677a0cb5a0f15913a32bd99cb7b4bb31230521f70b9c26cdef1cb983dfcea599737c0` | [1]: https://istlsfastyet.com [2]: https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/sums.php --- DevGuide.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/DevGuide.md b/DevGuide.md index b6adbc9de2..7e54fd2aac 100644 --- a/DevGuide.md +++ b/DevGuide.md @@ -303,11 +303,12 @@ Building the GhidraDev plugin for Eclipse requires the CDT and PyDev plugins for Download `cdt-8.6.0.zip` from The Eclipse Foundation, and place it in a directory named: `ghidra.bin/GhidraBuild/EclipsePlugins/GhidraDev/buildDependencies/`. Note that `ghidra.bin` must be a sibling of `ghidra`. -To respect the Eclipse Project's resources, you may need to download the file using a browser, or at the very least, locate a suitable mirror on your own: ```bash cd ~/Downloads # Or wherever -curl -OL https://$CHOOSE_YOUR_MIRROR/pub/eclipse/tools/cdt/releases/8.6/cdt-8.6.0.zip +curl -OL 'http://www.eclipse.org/downloads/download.php?r=1&protocol=https&file=/tools/cdt/releases/8.6/cdt-8.6.0.zip' +curl -o 'cdt-8.6.0.zip.sha512' -L --retry 3 'http://www.eclipse.org/downloads/sums.php?type=sha512&file=/tools/cdt/releases/8.6/cdt-8.6.0.zip' +sha512sum -c 'cdt-8.6.0.zip.sha512' mkdir -p ~/git/ghidra.bin/GhidraBuild/EclipsePlugins/GhidraDev/buildDependencies/ cp ~/Downloads/cdt-8.6.0.zip ~/git/ghidra.bin/GhidraBuild/EclipsePlugins/GhidraDev/buildDependencies/ ```