   Blastwave™ · Open Source Software for Solaris™ and OpenSolaris™
 


****************************************************************************
  TAKE NOTE : THIS DOCUMENT IS FOR USERS OF SOLARIS 8 OR HIGHER
****************************************************************************


    Step 0 - Be Patched Up To Date

  I cannot stress this enough. You cannot expect your operating system to be at peak performance and stability if you do not perform regular software maintenance. At the very least you will need to apply the Solaris Recommended patch cluster. After that is complete you may then proceed.



    Step 1 - Install pkgutil

  To do much of anything you will need pkgutil on your system.

  Solaris 8 & 9 Users : You need to fetch the correct pkgutil package from Network.com thus :

  •     Sparc users : http://blastwave.network.com/csw/pkgutil_sparc.pkg

          md5    = e80958ffd5d92bc85c01dd89d764ae0f
          sha1   = 0d621e8b7db80a3e9d8659e6fd53fed0d150c660
          sha256 = 2a8b79cdb2b7e147c889d154d03cb232c3e0d816f6938cfed962b90c8828a383

  •     INTEL users : http://blastwave.network.com/csw/pkgutil_i386.pkg

          md5    = a9dcb973ca18d63439d6d4dd12c9bf0a
          sha1   = ba8ade3f4659708de716b6b6dbf5949fe4482b55
          sha256 = c8734812a53c2b83dd6084a93a4c3fbe9a209f4ddcc8a280fcedcfb2a03f6266


    Then you need to manually install the package thus :

    # cd /tmp
    # /opt/csw/bin/wget http://blastwave.network.com/csw/pkgutil_`/sbin/uname -p`.pkg
    --2009-04-11 06:47:31-- http://blastwave.network.com/csw/pkgutil_sparc.pkg
    Connecting to 192.168.35.7:8080... connected.
    Proxy request sent, awaiting response... 200 OK
    Length: 325632 (318K) [application/octet-stream]
    Saving to: `pkgutil_sparc.pkg'

    0K .... 100% 287K=1.1s

    2009-04-11 06:47:33 (287 KB/s) - `pkgutil_sparc.pkg' saved [325632/325632]

    # digest -a md5 pkgutil_sparc.pkg
    f3f3e27fac447b458f18a4ca3258df9e
    # pkgadd -d ./pkgutil_sparc.pkg

    The following packages are available:
      1  CSWpkgutil     pkgutil - Installs Solaris packages easily
                        (sparc) 1.5,REV=2009.04.09

    Select package(s) you wish to process (or 'all' to process
    all packages). (default: all) [?,??,q]:

    Processing package instance <CSWpkgutil> from </tmp/pkgutil_sparc.pkg>

    pkgutil - Installs Solaris packages easily(sparc) 1.5,REV=2009.04.09
    Please see /opt/csw/share/doc/pkgutil/license for license information.
    ## Processing package information.
    ## Processing system information.
       10 package pathnames are already properly installed.
    ## Verifying disk space requirements.
    ## Checking for conflicts with packages already installed.
    ## Checking for setuid/setgid programs.

    This package contains scripts which will be executed with super-user
    permission during the process of installing this package.

    Do you want to continue with the installation of <CSWpkgutil> [y,n,?] y

    Installing pkgutil - Installs Solaris packages easily as <CSWpkgutil>

    ## Installing part 1 of 1.
    /etc/opt/csw/pkgutil.conf.CSW
    /opt/csw/bin/bldcat
    /opt/csw/bin/chkcat
    /opt/csw/bin/pkgutil
    /opt/csw/etc/pkgutil.conf.CSW
    /opt/csw/libexec/pkgutil/wget
    /opt/csw/share/doc/pkgutil/license
    /opt/csw/share/doc/pkgutil/readme
    /opt/csw/share/man/man1/pkgutil.1
    /var/opt/csw/pkgutil/admin.CSW
    [ verifying class <none> ]
    ## Executing postinstall script.

    Installation of <CSWpkgutil> was successful.
    # cp -p /opt/csw/etc/pkgutil.conf.CSW /etc/opt/csw/pkgutil.conf
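
  The digest comparison from the transcript above can be scripted so that pkgadd only runs when the downloaded file matches a published value. This is an added example, not part of the original page or of pkgutil; the function names and the non-Solaris fallbacks are assumptions of the example.

```shell
#!/bin/sh
# Added example: install a downloaded package only if its digest matches
# the value published next to the download link.
# Assumes a POSIX shell (on Solaris 8-10 run it with /usr/xpg4/bin/sh or ksh).

# hash_file ALGO FILE -> prints the hex digest of FILE
# Solaris digest(1) is what the page uses; the sha256sum/md5sum and openssl
# branches are assumptions so the script also runs on other hosts.
hash_file() {
    if [ "$(uname -s)" = "SunOS" ]; then
        digest -a "$1" "$2"
    elif command -v "${1}sum" >/dev/null 2>&1; then
        "${1}sum" "$2" | awk '{ print $1 }'
    else
        openssl dgst "-$1" "$2" | awk '{ print $NF }'
    fi
}

# verify_pkg FILE ALGO EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be hashed.
verify_pkg() {
    file=$1
    algo=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(hash_file "$algo" "$file" | tr 'A-F' 'a-f') || return 2
    [ -n "$actual" ] || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the SPARC sha256 value listed above:
#   verify_pkg pkgutil_sparc.pkg sha256 \
#     2a8b79cdb2b7e147c889d154d03cb232c3e0d816f6938cfed962b90c8828a383 \
#     && pkgadd -d ./pkgutil_sparc.pkg
if [ $# -eq 3 ]; then
    verify_pkg "$@"
fi
```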


  Solaris 10 & Nevada or OpenSolaris™ Users :

    # uname -a
    SunOS core 5.10 Generic_138888-01 sun4u sparc sun4u
    # cat /etc/release
    Solaris 10 10/08 s10s_u6wos_07b SPARC
    Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 27 October 2008
    # pkgadd -d http://blastwave.network.com/csw/pkgutil_`/sbin/uname -p`.pkg

    ## Downloading...
    ..............25%..............50%..............75%..............100%
    ## Download Complete

    The following packages are available:
      1  CSWpkgutil     pkgutil - installs Solaris packages easily
                        (sparc) 1.4,REV=2009.01.20

    Select package(s) you wish to process (or 'all' to process
    all packages). (default: all) [?,??,q]:

    Processing package instance <CSWpkgutil> from <http://blastwave.network.com/csw/pkgutil_sparc.pkg>

    pkgutil - installs Solaris packages easily(sparc) 1.4,REV=2009.01.20
    Please see /opt/csw/share/doc/pkgutil/LICENSE for license information.
    ## Processing package information.
    ## Processing system information.
       11 package pathnames are already properly installed.
    ## Verifying disk space requirements.
    ## Checking for conflicts with packages already installed.
    ## Checking for setuid/setgid programs.

    This package contains scripts which will be executed with super-user
    permission during the process of installing this package.

    Do you want to continue with the installation of <CSWpkgutil> [y,n,?] y

    Installing pkgutil - installs Solaris packages easily as <CSWpkgutil>

    ## Installing part 1 of 1.
    /opt/csw/bin/bldcat
    /opt/csw/bin/chkcat
    /opt/csw/bin/pkgutil
    /opt/csw/etc/pkgutil.conf.CSW
    /opt/csw/libexec/pkgutil/wget
    /opt/csw/share/doc/pkgutil/LICENSE
    /opt/csw/share/doc/pkgutil/readme
    /opt/csw/share/man/man1/pkgutil.1
    /var/opt/csw/pkgutil/admin.CSW
    [ verifying class <none> ]
    ## Executing postinstall script.

    Installation of <CSWpkgutil> was successful.
    # mkdir /etc/opt/csw
    # cp -p /opt/csw/etc/pkgutil.conf.CSW /etc/opt/csw/pkgutil.conf


    Step 2 - Fetch the Software catalog

If you look closely you will see a copy of wget is included with pkgutil.
This means that pkgutil will work out of the box regardless of what rev
of Solaris you are on. You don't need to worry about OpenSSL or WGET or
even about basic configuration. That is all done for you.

The first thing you NEED to do is fetch the software catalog.

  Special NOTE : You may need a proxy setup !
    If you need a web HTTP proxy for access to the internet
    then be sure to create a .wgetrc file for the root user
    that looks like so :

        progress=dot:mega
        ftp_proxy=http://192.168.35.7:8080
        http_proxy=http://192.168.35.7:8080

    Choose an IP address and port number that works for your environment.

    # /opt/csw/bin/pkgutil --catalog
    Fetching new catalog if available...
    --01:41:49-- http://blastwave.network.com/csw/unstable/i386/5.8/catalog
               => `/var/opt/csw/pkgutil/catalog.i386.5.8.0'
    Connecting to 192.168.35.7:8080... connected.
    Proxy request sent, awaiting response... 200 OK
    Length: 375,014 [text/plain]

    0K ..... 100% 342.27 KB/s

    01:41:52 (342.27 KB/s) - `/var/opt/csw/pkgutil/catalog.i386.5.8.0' saved [375014/375014]


    Step 3 - Security First !

  All of the software from Blastwave™ is delivered via digitally signed software catalogs. You need to ensure that your catalogs are correct and have not been tampered with.

  Install GNU GPG as well as the ability to verify MD5 hash values thus :

    # /opt/csw/bin/pkgutil --install gnupg textutils
    Parsing catalog, may take a while...
    New packages: CSWcommon CSWisaexec CSWexpat CSWiconv CSWncurses CSWggettext CSWbzip2 CSWzlib CSWreadline CSWtextutils CSWgnupg
    Total size: 9.2 MB
    11 packages to fetch. Do you want to continue? [Y,n]

  Once you have CSWgnupg installed ( RFC 2440 compliant tool for secure communication ) then you must fetch the Blastwave.org GPG digital key and import that key into your local key ring.

    You may fetch the Blastwave key in four possible ways :
  1. Manually copy and paste the key into a local file.
    Simply look at the key on the Blastwave website and then use vi to put it into a local file :
  2. Fetch and install a complete edition of wget and then use it to fetch the key
    To get a full copy of CSWwget you need to run pkgutil again thus :
    • /opt/csw/bin/pkgutil --install wget

    Once that is complete use wget to fetch and import the key like so :
    • /opt/csw/bin/wget http://www.blastwave.org/gpg_key.txt
    • /opt/csw/bin/gpg --import gpg_key.txt

  3. Use gpg to fetch the key directly from a key server
    In this case you can run gpg directly to fetch the key from the MIT keyserver:

    # /opt/csw/bin/gpg --keyserver pgp.mit.edu --recv-keys A1999E90
    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: keyring `/root/.gnupg/pubring.gpg' created
    gpg: requesting key A1999E90 from hkp server pgp.mit.edu
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key A1999E90: public key "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
    #

  4. Use the wget binary that is included in the pkgutil tool package


The best method to use is option #3 above. If you have access to the internet directly then please perform step #3. Otherwise the last method is very safe and almost certainly reasonable for a server that does not have direct access to the internet.

Method #4 looks like so :

    # cd /tmp
    # /opt/csw/libexec/pkgutil/wget http://www.blastwave.org/gpg_key.txt
    --02:28:22-- http://www.blastwave.org/gpg_key.txt
               => `gpg_key.txt'
    Connecting to 192.168.35.7:8080... connected.
    Proxy request sent, awaiting response... 200 OK
    Length: 1,734 [text/plain]

    0K 100% 1.65 MB/s

    02:28:22 (1.65 MB/s) - `gpg_key.txt' saved [1734/1734]

    # /opt/csw/bin/gpg --import gpg_key.txt
    gpg: directory `//.gnupg' created
    gpg: new configuration file `//.gnupg/gpg.conf' created
    gpg: WARNING: options in `//.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `//.gnupg/secring.gpg' created
    gpg: keyring `//.gnupg/pubring.gpg' created
    gpg: //.gnupg/trustdb.gpg: trustdb created
    gpg: key A1999E90: public key "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1

  The last step to take is to actually employ the digital signature checks and MD5 hash verification that has been provided to you. To do this you need to do three things :
1) Verify that you have the key. Use the gpg --list-keys command :

    # /opt/csw/bin/gpg --list-keys
    //.gnupg/pubring.gpg
    --------------------
    pub   1024D/A1999E90 2008-08-17 [expires: 2011-08-17]
    uid                  Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
    sub   2048g/E4845389 2008-08-17 [expires: 2011-08-17]

2) Mark the key as being trusted for a given purpose. In this case you want to trust the signed software catalogs from Blastwave. To do this you need to edit the key and mark it as being trusted thus :

    # /opt/csw/bin/gpg --edit-key A1999E90
    gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    pub  1024D/A1999E90  created: 2008-08-17  expires: 2011-08-17  usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/E4845389  created: 2008-08-17  expires: 2011-08-17  usage: E
    [ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>

    Command> Trust
    pub  1024D/A1999E90  created: 2008-08-17  expires: 2011-08-17  usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/E4845389  created: 2008-08-17  expires: 2011-08-17  usage: E
    [ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y

    pub  1024D/A1999E90  created: 2008-08-17  expires: 2011-08-17  usage: SC
                         trust: ultimate      validity: unknown
    sub  2048g/E4845389  created: 2008-08-17  expires: 2011-08-17  usage: E
    [ unknown] (1). Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.

    Command> quit

3) Lastly you need to modify the pkgutil configuration to actually use this GPG key as well as to verify the MD5 hashes of the software packages. Edit the pkgutil.conf file that you copied into /etc/opt/csw such that the lines related to GPG and MD5 are not commented out. Your pkgutil.conf should look like so :

    # Configuration file for pkgutil
    #
    # Nothing below is mandatory to change, pkgutil will use the default values
    # noted below for each option unless something is uncommented

    # Mirror to use for downloads
    # See http://www.blastwave.org/mirrors.php for alternative mirrors
    # Default: http://blastwave.network.com/csw/unstable
    #mirror=http://blastwave.network.com/csw/unstable

    # Solaris 10: If you wish to limit pkgutil to installing packages
    # only to the global zone, then uncomment this line. Note that pkgrm does not
    # have the same option
    # WARNING: do not modify this unless you know what you're doing
    # Default: blank
    #pkgaddopts=-G

    # Flags for use with wget, e.g. "-nv" for less verbose or "-q" for quiet
    # WARNING: do not modify this unless you know what you're doing
    # Default: blank
    #wgetopts=-q

    # To enable use of gpg or md5, uncomment these
    # NOTE: it doesn't make sense to use md5 but not gpg so your options should be:
    # 1. both disabled, 2. gpg enabled, 3. both enabled.
    # Default: false, false
    use_gpg=true
    use_md5=true

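
One way to confirm that the edit took effect, as an added example that is not part of pkgutil or the original page: the script below reads a pkgutil.conf and classifies it by the combinations named in the file's own NOTE. The function names and state keywords are assumptions of the example, and it expects a POSIX awk (on Solaris use nawk or /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Added example: report which verification options a pkgutil.conf enables.

# conf_value KEY FILE -> prints the last uncommented value of KEY.
# Prints "false" when KEY is absent or commented out, which is the default
# the configuration file documents for use_gpg and use_md5.
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        { k = $1; gsub(/[ \t\r]/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]/, "", v); val = v }
        END { print (val == "" ? "false" : val) }
    ' "$2"
}

# audit_pkgutil_conf FILE
# Prints one state keyword on stdout: full, gpg-only, md5-only or none.
# Returns 0 only for "full" (the configuration this page asks for),
# 1 for any other state, 2 if the file cannot be read.
audit_pkgutil_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    gpg=$(conf_value use_gpg "$conf")
    md5=$(conf_value use_md5 "$conf")
    case "$gpg/$md5" in
        true/true)
            echo "full" ;;
        true/*)
            echo "gpg-only"
            echo "catalog signature checked, package MD5 not checked" >&2
            return 1 ;;
        */true)
            echo "md5-only"
            echo "use_md5 without use_gpg: the NOTE in the file rules this out" >&2
            return 1 ;;
        *)
            echo "none"
            echo "neither use_gpg nor use_md5 is enabled" >&2
            return 1 ;;
    esac
}

# Usage on the host:
#   audit_pkgutil_conf /etc/opt/csw/pkgutil.conf
if [ $# -eq 1 ]; then
    audit_pkgutil_conf "$1"
fi
```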
The End Result is a secure mechanism for software delivery

Your final step is to fetch a new catalog and this time you will see that the GPG digital signature will be verified for you :

    # /opt/csw/bin/pkgutil --catalog
    Fetching new catalog if available...
    --02:53:52-- http://blastwave.network.com/csw/unstable/i386/5.8/catalog
               => `/var/opt/csw/pkgutil/catalog.i386.5.8.0'
    Connecting to 192.168.35.7:8080... connected.
    Proxy request sent, awaiting response... 200 OK
    Length: 375,014 [text/plain]

    0K ..... 100% 7.95 MB/s

    02:53:55 (7.95 MB/s) - `/var/opt/csw/pkgutil/catalog.i386.5.8.0' saved [375014/375014]

    Checking catalog integrity with gpg.
    gpg: Signature made Thu Jan 22 21:09:32 2009 GMT using DSA key ID A1999E90
    gpg: Good signature from "Blastwave Software (Blastwave.org Inc.) <software@blastwave.org>"

  You may now install software with full end to end verification in place regardless of the mirror site you use. Simply run pkgutil --install softwarename to get what you need.


    Step 4 - Before you proceed ...

  What I have to say here will be “Motherhood” statements at best. Really just a bit of advice if you are making the leap from Linux and wonder where to set the PATH for your users and things like that.

Firstly we need to talk about the root user.

Don't mess with the root user account!

That was less than clear so I guess I had better elaborate.

It seems to be common practice to change the root user's default shell.

Don't do that unless you have Solaris 10.

What I do recommend is that you change the root user's home directory location to /root and nothing more fancy than that. You can edit the /etc/passwd file and change the entry for the root user thus :

root:x:0:1:Super-User:/root:/sbin/sh

Be very diligent about creating the root user's home directory right away and ensure that it is only readable by the root user :

    # mkdir /root
    # chmod 700 /root
    # chown root:root /root


Also, you may be wondering why you should not change the root user's default shell to bash. Simply put, any other shell than /sbin/sh will be a dynamically linked executable with dependencies. If you were to check /sbin/sh you would find that it is a standalone program :

    $ ldd /sbin/sh
    ldd: /sbin/sh: file is not a dynamic executable or shared object

That means that your machine can suffer some horrible disaster and still be able to function in single user mode if you can boot the kernel and get to a running shell with the root user. That is because the root user only needs /sbin/sh to have a fully functional shell. If you were to use bash or any other shell then you would need a stack of dependencies. Those dependencies may not exist if they are on some other file system or on a damaged file system.

Solaris 10 is different. Solaris 10 has a default Bourne Shell /sbin/sh that is not statically linked anymore. This was done intentionally when the single/multi threaded process model was unified and the statically linked libc was removed. Solaris 10 commands in /sbin should only link with things in /lib. There are symlinks in /usr/lib to /lib for some libraries for backwards compatibility reasons. In fact, Solaris 10 is so smart that both su and login will fall back to /sbin/sh if the shell you specify in /etc/passwd for root can not be executed for some reason. What I am saying here is that you can change root's shell in Solaris 10 and still sleep well at night.

Next item is the default PATH for the root user and regular users. You can set this in the files /etc/default/login and /etc/default/su. Please feel free to be pedantic and set PATH and SUPATH in both of those files to something useful thus :

PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin

Really you can leave /opt/csw/bin out of there entirely if you want. The software from Blastwave is isolated in /opt/csw and will not interfere with your other software. You can use GNOME from somewhere else if you want. Your users can have their own .profile files that determine that they run JDS if they want.

On the other hand your users may place /opt/csw/bin first in their PATH and then will be running with the desktop software and applications from Blastwave. Again, this will be isolated. Don't be surprised if you have problems switching back and forth from different distributions of GNOME however. There are a lot of configuration files that get created in the users home directory and you can really only depend on them to work consistently when you stay on one edition of KDE or GNOME.


Blastwave is a trademark of Blastwave.org Inc. in the United States and Canada.  OpenSolaris and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.    UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.    All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.    All other logos and trademarks are registered through their respective owners.    ©2002-2009 Blastwave.org Inc.    See “Terms of Use”    Sun™ Logo and OpenSolaris™ Published with Permission from Sun Microsystems, Inc.