~olbohlen/oi-userland.git

			@@ -1,8 +1,109 @@

			# userland-tools

			oi-userland comes with some tools used all over the build system and
			oi-userland comes with some tools used all over the build system and
			these tools reside in the [tools/](https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/tools) directory.

			## userland-fetch
			_userland-fetch_ is a tool to download and verify remote archives and files.
			The build system uses it to download all archive packages. It takes care of download security testing,
			gpg verification, checksum verification, partial downloads/continuation, and storing hash files.


			### Notes

			* Use `--hash <algorithm>:<checksum>` to skip `HASH_DIR` checking for a download.
			* Use `--hash none` to skip all hash checking for a download.
			* Use `--sigurl <URL>` to set the exact GPG signature to check.
			This signature will be saved locally for future use.
			* Use `--sigurl none` to skip all signature checking for a download.
			* Use `--keep` to stop _userland-fetch_ from deleting any files.
			* Use `-nN` to force checking of both signature and hash.
			* Use `--search` to add a URL to the list to query for files, signatures and hashes.
			Can be used more than once.

			##### protocols
			_userland-fetch_ decides whether a download protocol is secure by checking the `SECURE_PROTOCOLS` envvar.
			This can be set to a space-delimited list of schemes. (URLs are in the form `<scheme>://<resource>`)
			Override with caution!

			##### verification
			_userland-fetch_ uses the following rules to determine the validity of a download:
			* confirm the file has a good signature, using each extension in `SIGNATURE_EXTENSIONS`, OR
			* confirm the file has a correct hash entry in a file in `HASH_DIR`, OR
			* check if `URL` scheme is in `SECURE_PROTOCOLS` and `ALLOW_UNVERIFIED_DOWNLOADS=yes`.

			Downloaded hash files are also checked for signatures and protocol security.

			##### signature extensions
			_userland-fetch_ searches for signature files with the extensions listed in the `SIGNATURE_EXTENSIONS` envvar.
			If you find a strange extension for a remote signature, you can add it to `SIGNATURE_EXTENSIONS`, but keep
			in mind that the file must be a detached GPG signature.

			##### hashfiles and hash directory
			_userland-fetch_ checks the envvar `HASH_DIR` to find the path to search for and store hashfiles. It will search
			each file in `HASH_DIR` for a hash entry containing the basename of `--file <path>`, or the basename of `--url <URL>`, stopping on the first match. Subsequent matches are ignored. Files are checked in `sorted()` order.

			_userland-fetch_ will strip directory information from the hashfiles when scanning them. The hashfiles themselves
			are not altered. (I.E. `<hash> a/b/file.txt` becomes `<hash> file.txt` internally, so it will match)

			In the event of an erroneous match, you can add a hashfile to the hashes directory manually, or
			have it download with the build in a Makefile target:
			```
			$(HASH_DIR)/<filename>:
			$(FETCH) -N --url <URL> --file $@
			download:: $(HASH_DIR)/<filename>
			```

			### Defaults
			```
			ALLOW_UNVERIFIED_DOWNLOADS=no
			SECURE_PROTOCOLS=https
			HASH_DIR=<file_arg directory>/hashes; (if --file <filename>)
			HASH_DIR=<current directory>/hashes ; (if no --file argument)
			SIGNATURE_EXTENSIONS=sig asc ; (space delimited, no '.' prefix)
			DEFAULT_HASH_FILES=SHA256SUMS sha256sums.txt sha256sum.txt (space delimited)
			DEFAULT_HASH_ALGO=sha256 (this is sent directly to python's hashlib.new() - only set one algorithm)
			```

			### Use cases

			`userland-fetch --url <URL>`
			* Download the file at URL, placing it in the current directory.
			* Skip downloading if the output file already exists.
			* Verify the download or file using the method stated above.

			`userland-fetch --url <URL> --file <path>`
			* Same as above, but output the download to `path`.

			`userland-fetch -gn --url <URL>`
			* Download the file at `URL`, placing it in the current directory.
			* Look for these hash files in `URL`'s remote directory:
			* * Filenames in the `DEFAULT_HASH_FILES` envvar
			* * A few styles of `<filename>.DEFAULT_HASH_ALGO`
			* If a local copy of a hashfile exists, use it instead of downloading the remote one
			* Search hashfiles for an entry matching the filename; stop on first match.
			* Verify the download, ensuring that a correct hash is present.

			`userland-fetch -c --url <URL>`
			* Do -g, but replace any files in HASH_DIR with their remote versions.

			`userland-fetch -GN --url <URL>`
			* Download the file at URL, placing it in the current directory.
			* Look for these signature files in `URL`'s remote directory:
			* * `<filename>.ext` for each extension in `SIGNATURE_EXTENSIONS`
			* If a local copy of a signature exists, __overwrite it__
			* Verify the file, ensuring that it has a good signature.

			`userland-fetch --file <path>`
			* Verify the file using the method stated above; protocol checking is skipped.

			`userland-fetch -n --file <path>`
			* Ensure a correct hash exists for `path` in HASH_DIR.

			`userland-fetch -c --file <path>`
			* Same as `userland-fetch -n --file <path>`.

			## userland-zone

			_userland-zone_ is a tool to manage a lifecycle of build zones in oi-userland.