Diff

Differences From Artifact [d576564f5d]:

To Artifact [902b367a1b]:


Lines 40-75:

---

## What’s in this repo

```
.
├─ client/1.0/neutral/
│  ├─ VERSION               # current toolset version (e.g., 1.0.10)
│  ├─ VERSION               # current toolset version (e.g., 1.0.11)
│  ├─ common.tcl            # shared Tcl helpers
│  ├─ pkgIndex.tcl          # Tcl-side integration
│  ├─ pkgIndex.eagle        # Eagle-side integration (Harpy-signed variants included)
│  ├─ pkgd.eagle            # package downloader library (client side)
│  ├─ pkgr.eagle            # package repository client library
│  ├─ pkgu.eagle            # package uploads client library
│  ├─ pkgr_setup.eagle      # setup/configure repositories & keys
│  ├─ pkgr_install.eagle    # install/persist packages locally
│  └─ pkgr_upload.eagle     # upload/publish packages (maintainers)
├─ externals/
│  ├─ Eagle/lib/Eagle1.0/   # Eagle library packaged for Tcl
│  └─ Harpy/Tools/sign.eagle# Harpy code-sign tooling
├─ tools/
│  ├─ deploy.bat
│  ├─ pkgr_an_d_get.sh
│  └─ pkgr_an_d_install.sh  # helper scripts to fetch/install the client
└─ doc/
   └─ v1.html               # v1 toolset documentation (reference)
```

> File names and layout above come from the initial import. See the commit tree for the authoritative list. The current version is **1.0.10**.
> File names and layout above come from the initial import. See the commit tree for the authoritative list. The current version is **1.0.11**.

---

## Security model at a glance

* **Metadata path**: The client asks a repository service for a package that satisfies a **TIP #268** version requirement. The server returns a small **signed script** that knows what to fetch.
* **File path**: The client downloads one or more **OpenPGP‑signed** files and verifies them **before** the package is made available to the interpreter.
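
Review bot: The blockquote under the tree now says "The current version is **1.0.11**" inside a note whose first sentence describes the layout as coming from the initial import, so a historical statement and a per-release value share one note and the second has to be edited on every bump. Consider dropping the version sentence from that note. The `VERSION` tree comment is worded as an example ("e.g., 1.0.11") and could stay fixed rather than being bumped with each release.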

Lines 262-276:

**Q. How are Eagle scripts treated differently?**
A. They carry **two** signatures: OpenPGP (like all files) and **Harpy** (Eagle‑specific). Both must validate before the package is exposed to the interpreter.

**Q. Can I keep some packages private?**
A. Yes. Repository access uses API keys; file serving can be on a private Fossil instance. Public/private mixes are supported.

**Q. What version of the pkgt client is this?**
A. See `client/1.0/neutral/VERSION` (currently **1.0.10**).
A. See `client/1.0/neutral/VERSION` (currently **1.0.11**).

---

## Contributing

* Open issues and PRs are welcome.
* Please test on both **Tcl** and **Eagle** when touching shared client code (`client/1.0/neutral/`).
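
Review bot: The FAQ answer already points readers at `client/1.0/neutral/VERSION`, so the parenthetical "(currently **1.0.11**)" is a third hand-maintained copy of the version in this file and will go stale as soon as a release misses it. Suggest removing the parenthetical and letting the file be the single source. If it stays, confirm that the VERSION file in the same check-in reads 1.0.11, since this diff shows only one file and that cannot be verified from here.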