installer script MD5 issue

[Justin Mclean <ju...@classsoftware.com>]

Hi,

I just made a simple installer script for Squiggly  (checked into develop) and realised we have a bit of an issue with the installer script being in the package.

The script downloads squiggly and does an MD5 check, however once you have created the packages you need to update the MD5 values, which means you have to regenerate the packages, which changes the MD5 values again and around and around you go.

Only solutions I see is to have the installer script read the MD5 from a file external to the release package OR move the installer script outside the package - which may be an issue for Linux users.

Any ideas on how to fix this?

Thanks,
Justin

Re: installer script MD5 issue

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> Well yes.  You go to our site to download the binary tar.gz or zip.  You
> should verify it yourself, but if you don¹t, if you can unzip/untar it and
> find an installer.xml file, it pretty much has to be ok.

So basically the upshot of this is installer.xml can't contain a MD5 check on the package it is for.

This has several consequences:
-  Linux user must check it themselves
- We're currently not able to add optionals items to the installer without changing the installers code to do a MD5 check on the optional package

May have to come up with another way of adding FlexUnit etc as an optional download to the SDK.

Thanks,
Justin

Re: installer script MD5 issue

[Alex Harui <ah...@adobe.com>]

On 10/10/14, 10:07 PM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>Hi,
>
>> The installer currently downloads the zip or tar.gz from dist/mirror and
>> then downloads the md5 from dist.
>
>How does that work on linux? You assuming that the install script can't
>do a MD5 check and they must do it manually?
Well yes.  You go to our site to download the binary tar.gz or zip.  You
should verify it yourself, but if you don¹t, if you can unzip/untar it and
find an installer.xml file, it pretty much has to be ok.

>
>>  it runs the script, which might choose to checksum any otherdownloads.
>
>How it that possible to release unless you modify the installer files
>after you vote and deploy?
The main package that contains installer.xml is not checksummed by the
installer.xml.  The installer does that or as I explained above, the Linux
user does it or assumes it is good if it unzips/untars cleanly.  All other
dependency downloads don¹t affect the checksum on the main package,
although we now can override most of them via .properties files on
flex.a.o.

-Alex

Re: installer script MD5 issue

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> The installer currently downloads the zip or tar.gz from dist/mirror and
> then downloads the md5 from dist.

How does that work on linux? You assuming that the install script can't do a MD5 check and they must do it manually?

>  it runs the script, which might choose to checksum any otherdownloads.

How it that possible to release unless you modify the installer files after you vote and deploy?

Justin

Re: installer script MD5 issue

[Alex Harui <ah...@adobe.com>]

The installer currently downloads the zip or tar.gz from dist/mirror and
then downloads the md5 from dist.  Then, if it is valid and an ant_on_air
install, it runs the script, which might choose to checksum any other
downloads.

The install script does not check itself, after all, if you are able to
unpack it, to get at the script, it must be in decent shape.

-Alex

On 10/10/14, 6:52 PM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>Hi,
>
>I just made a simple installer script for Squiggly  (checked into
>develop) and realised we have a bit of an issue with the installer script
>being in the package.
>
>The script downloads squiggly and does an MD5 check, however once you
>have created the packages you need to update the MD5 values, which means
>you have to regenerate the packages, which changes the MD5 values again
>and around and around you go.
>
>Only solutions I see is to have the installer script read the MD5 from a
>file external to the release package OR move the installer script outside
>the package - which may be an issue for Linux users.
>
>Any ideas on how to fix this?
>
>Thanks,
>Justin