onebm 0.0.1

Single binary manager
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

= 1bm: single binary manager

image:https://img.shields.io/crates/v/onebm?style=flat-square[Crates.io,link=https://crates.io/crates/onebm]

1bm is a single (*1*) **b**inary application **m**anager.
It installs, updates, uninstalls single binary applications (SBAs),
just like a package manager would do to packages.

Due to limitations of Cargo, the crate is named onebm.

== Install and use

.install
----
$ mkdir -p ~/.local/1bm/bin
$ curl -O ~/.local/1bm/bin/1bm -sSL https://github.com/1bm/1bm/releases/latest/download/1bm-{linux,macos,windows.exe}
$ echo 'export PATH="$HOME/.local/1bm/bin:$PATH"' >> ~/.config/fish/config.fish; source ~/.config/fish/config.fish
$ 1bm i https://github.com/1bm/1bm/raw/master/1bm.1bmdist
----

An installer is intentionally not provided
because literally four lines won't cost you much time.

The download links are redirected to GitHub releases.
You can as well download them from there manually.

.use
----
# download dist file and install application with default binary name
$ 1bm i https://github.com/some/app/raw/master/app.1bmdist
# install application with custom binary name (also local identifier)
$ 1bm i -n someapp https://github.com/some/app/raw/master/app.1bmdist
# list binaries intalled through 1bm
$ 1bm ls
# update all installed applications
$ 1bm up
# update specified applications
$ 1bm up 1bm someapp
# uninstall applications
$ 1bm rm someapp
----

That's it. 1bm doesn't attempt to do more than that.

.uninstall 1bm
----
$ rm -rf ~/.local/1bm
# Then remove the PATH line from your shell startup script. I don't know a one-liner to do that.
----

For developers generating dist files and signatures,
please refer to <<Dist files and signatures>>.

== Why?

Nowadays, many CLI applications are built in a way so that they're delivered as a single binary,
without depending on shared libraries.
Also notably, AppImage is an attempt at doing so for GUI applications.

Using a full-blown software package manager,
packages are often managed by people other than application authors,
resulting in outdated versions or even abandoned packages.

How about using the package manager of the programming language the application is written in?
First, language package managers, despite being called "package managers" just like software
package managers, are used to manage source code packages (libraries), not binaries;
second, the user has to install an additional piece of software they may otherwise make no use of.

Many authors now utilize public CI/CD services to deliver their applications;
it's often trivial to download the binaries from such services.

Thus, it's reasonable to have an "application manager" for SBAs.

== How?

- SBA author signs their binaries,
and distributes an 1bm dist(ribution) file (JSON, ending with ".1bmdist"), which contains metadata
like the signing key, default binary name, and where to download the newest binary.
- To install an application, you feed the dist file to 1bm,
which then downloads the binary, verifies it with the key, and puts it into its binary store.
- On upgrading an application, 1bm goes over the download - verify - store process.
- On uninstalling, the installed binary is simply deleted. (actually there's a little bit bookkeeping)
- If the "update URL" is 404, 1bm tells the user they should check for a new dist file.

== Security?

Indeed, running pre-built binaries poses some security concerns.
But unless you are hardcore enough to audit and build yourself all - I mean ALL - software you use,
including the operating system, you are running things you don't 100% know.

It's always about trust. And you already trust the application author,
or you won't use what they built in the first place.

Plus, the binaries are signed.

== Dist files and signatures

Dist files are JSON files with an ".1bmdist" extension. Fields of the JSON:

* *signing_key* `string` Signing public key.
* *binary_name* `string` Default binary name.
* *download_url* `string` Different depending on *download_type*, see below.
* *download_type* `string`
** `ghr` Download through GitHub releases, always the latest release.
Has following additional fields (on top level).
The `github_asset_regex_*` fields may be omitted if no binary is built for certain platform.
*** *download_url* `string` GitHub repo slug, e.g. `bnoctis/1bm`.
*** *github_asset_regex_linux* `string` regular expression to match asset name for Linux.
*** *github_asset_regex_macos* `string` regular expression to match asset name for macOS.
*** *github_asset_regex_windows* `string` regular expression to match asset name for Windows.
** `url` Direct URL download, no version check.
*** *download_url* `string` Download URL.

Signatures are generated with https://github.com/jedisct1/minisign[minisign].
*signing_key* above is the public key.

Signatures are expected to be placed alongside the binary,
named `SIGNED_FILE.minisig`, e.g. `1bm.minisig` if the binary is `1bm`,
which is the default behavior of minisign.

== License

BSD 3-clause &copy; Blair Noctis.