Since /dev/tcp doesn't work with https, complex redirect chains or even dns sometimes, almost all mentions of it in the hacking articles online are not that useful
We had to make soar's install script be able to work anywhere, In the article you get to know about http://http.pkgforge.dev & how you can use it to make /dev/tcp finally practical & useful in the modern https age
1. Hysp is completely agnostic: Does not depend on or care about what OS, Architecture & dependencies are installed. Just parses config.toml, based on that, installs what's defined & how is it defined.
2. No Toolchains or any other kinds of dependencies are required. Each & every single binary is statically compiled. This is the core at philosophy of Hysp. A single binary that runs anywhere. No dependencies whatsoever. This saves enormous space, storage & time.
3. Self-Hostable : As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
1. Yes, the readme could be better and have better documentation explaining the why. We will update this and clearly list the reasons. Thanks for pointing it out.
As to the actual why:
1. Be completely agnostic: Do not depend on or care about what OS, Architecture & dependencies are installed. Just parse config.toml, based on that, install what's needed.
2. The default pkg source that ships with hysp, contains only statically compiled/linked binaries that will work on anything.
3. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
I actually love that you included a "Why" section in your readme, very few projects do that and I think it's extremely useful. So props for that.
I think some specific questions that would be nice to address:
1. I would recommend writing out Capture The Flag, CTF may not be as widely known as you imagine (I had to google it). Having unfamiliar jargon at the top of the readme might turn off prospective users who could benefit from your features.
2. How does this compare to some of the alternatives that others have mentioned, and why / how does this solve the problems differently?
Of course it's totally great to make software just for fun, but I get the sense this project serves a specific purpose. Good luck to you!
1. Hysp allows making request to http-only sites, because hysp doesn't care where you host your binaries. As long as you have sha256sum/blake3sum of the binaries, and they match, hysp will work.
2. The default pkg source that ships with hysp, is hosted on github itself, where's there's no need to use http. HTTP is simply a fallback, and meant for maximum compatibility.
3. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
$BIN.TOML must contain either blake3sum or sha256sum of the binary specified as source.
And once hysp downloads them, it checks if they match exactly as specified in the $BIN.TOML
We prevent MITM or any other shenanigans by trusting whoever is hosting the pkg, isn't tampering both the binary and the checksums.
So yes, not completely foolproof (an attacker could, in theory, tamper both the binary and the checksum), but that's why we have the self-hosting option for people who want to trust only themselves and their servers.
The config allows you to specify different URL/Host for the TOML files and the actual binaries.
So unless, both the TOML files and source binaries are being hosted on an HTTP site, MITM is not possible.
And as already specified, the default source that ships with hysp, doesn't use HTTP anywhere.
To address your concerns:
1. Yes, no portable toolchains or any other kinds of dependencies are required.
2. Each & every single binary is statically compiled. This is the core at philosophy of Hysp. A single binary that runs anywhere.
3. Currently, there's about 200 pkgs for x86_64 & arm64 each. The upstream source (https://github.com/Azathothas/Toolpacks) has over 400 for x86_64 & 300+ for arm64, which will slowly be added to Hysp-Pkgs.
4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
Hey, thanks for replying! I had missed the static binary detail, and it is by far the most sensible solution.
Regarding the packages, those are very respectable numbers... But who is maintaining them? It takes a lot of effort to maintain a repo up to date, with patches both functional and security related. This is in most distros a full time job for a group of people. For comparison pkgsrc has 19444 packages, and it takes a substantial effort to keep up to date.
Regarding 4... I am not sure about your angle there... "Running random binaries" is risky. Technically hysp is a random binary itself, from a random source. I don´t know who you are, and even in that case any certification of authority is best efforts. You can´t certify that the code you built has not been compromised... This is a tough problem, good ideas are still needed!
OTOH, maybe you could leverage the work of the pkgsrc team to increase the number of available packages, traceability, and portability!
Join forces!
Synergy!!!!
Regarding pkgsrc, we came across that and the reason we eventually ended up creating hysp was that we didn't want to use any dependencies what's so ever.
So if you wanted to, you could use pure bash and nothing else to parse the TOML files that hysp uses and do everything that it does.
Hysp is simply an abstraction over that philosophy.
As to the question of maintaining them, currently only I am.
Hysp is a small project for now, and we have no plans to add anything that's dynamic. This will ensure low numbers of packages, but guarantee that those packages will work anywhere.
So maintaining the PKGs is quite simple, I write custom build script for each of them and then GitHub Actions automates the rest.
This currently requires very little manual maintenance.
The following repos are where the current packages are sourced from:
I had to mention 4, because people kept asking us about security concerns.
Self-Hosting everything on your own server and using hysp just as the frontend, is an option for those people.
1. Hysp is a single binary (Statically compiled), download & run anywhere kind of package manager.
2. Hysp, doesn't care about dependencies, and neither does it attempt to install anything that's not specifically defined in the config.
3. Due to 1 & 2, you do not need go or rust or anything else installed to install something. No dependencies whatsoever. This saves enormous space, storage & time.
4. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
As my comment above stated, hysp relies on single binaries.
The default source for PKGs that's shipped with hysp, contains only statically compiled binaries.
This allows you to run a single binary anywhere on any system. And since you can host your own binaries for whatever architecture, hysp is agnostic.
Further, since only binaries are installed, there's no need for toolchains/cache or any kind of other dependencies.
