Official prebuilt binaries #29

Open
gperciva opened this issue Aug 9, 2015 · 2 comments

gperciva commented Aug 9, 2015

We should offer official prebuilt binaries for download & install.

We already have some support for this in pkg/archlinux/ and pkg/debian/. However,

  • those files need to be tested on current OSes, and possibly updated for a newer packaging format (I remember seeing some warnings when playing with Debian tarsnap packages).
  • any official packages must absolutely be signed
  • any official packages must be reproducible (e.g., 2015-01 summary of Debian's reproducible builds https://lwn.net/Articles/630074/)
  • all packages need to be tested locally (by me) before they go to the tarsnap-alphatest list.

gperciva self-assigned this Aug 9, 2015

cperciva commented Aug 9, 2015

Also,

  • Packages must be built inside virtual machines
  • Those virtual machines must be run on physically-controlled hardware which does not have internet access -- source tarballs copied in and binaries copied out via sneakernet.

@greyspectrum

Hello, thank you for developing Tarsnap! I have a small (potential) contribution which may or may not prove useful:

I wrote a shell script that fetches and verifies (via a hard-coded fingerprint) the Tarsnap signing key, fetches the Tarsnap tarball and the signed hash file from the project site, verifies the hash file and checks the signed hash against a local sha256 hash of the tarball before compiling and installing Tarsnap:

https://github.com/greyspectrum/install-tarsnap

Basically, it follows the installation instructions already on the website, but automates them instead of asking the user to do these things.

If a similar installation script were offered as a signed package for various distributions, this could be an easier route, in terms of package maintenance, than offering pre-built binaries for each distro.

The only part of the script that isn't distribution-agnostic is the installation of Tarsnap's dependencies. The script uses apt to get Tarsnap's dependencies for Debian-based systems, so this part would have to be changed for RedHat, CentOS, SuSE, and similar systems. However, since it's just a shell script, compilation would remain a local affair on the user's machine, which could obviate the need for pre-built binaries, deterministic builds, or compilation in different airgapped VMs.

On the other hand, this script may just be an unnecessary Rube-Goldberg-machine-style step in the release process, which it would be better to bypass entirely via pre-built binaries for each distribution.

Even if that turns out to be the case, there may still be a place for a script to walk the user through the initial setup, after installation, since the current documentation is fairly intimidating for people who aren't fluent with the shell, and remains a bit time-consuming even for those who are.
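
The last step described in the comment above (checking the signed hash against a local sha256 of the tarball), as an added example that is not part of this thread or of the install-tarsnap script. It assumes gpg has already verified the hash file's signature against the pinned key and that the plaintext uses BSD-style `SHA256 (name) = digest` lines; the function and file names are made up for illustration.

```shell
# Added example; not taken from install-tarsnap or the Tarsnap project.
# Assumption: after gpg has verified the signed hash file against the pinned
# key, its plaintext holds BSD-style lines: "SHA256 (<file>) = <64 hex chars>".

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_hash <verified-plaintext> <file-name>
# Print the digest signed for exactly <file-name>; fail unless there is
# exactly one well-formed entry (missing, duplicated or malformed = reject).
expected_hash() {
    awk -v want="SHA256 ($2) = " '
        index($0, want) == 1 { h = substr($0, length(want) + 1); n++ }
        END {
            if (n != 1 || length(h) != 64 || h !~ /^[0-9a-f]+$/) exit 1
            print h
        }' "$1"
}

# verify_tarball <verified-plaintext> <tarball>
# 0 = digest matches, 1 = mismatch, 2 = no usable signed entry.
verify_tarball() {
    name=$(basename "$2")
    want=$(expected_hash "$1" "$name") || return 2
    got=$(sha256_of "$2") || return 2
    [ "$got" = "$want" ] && return 0
    echo "hash mismatch for $name" >&2
    return 1
}

# Constructed inputs: a stand-in tarball and a stand-in hash file.
# Prints "<status for intact file> <status after tampering>".
demo() {
    d=$(mktemp -d) || return 2
    f="$d/example-1.0.tgz"
    printf 'constructed tarball bytes\n' > "$f"
    printf 'SHA256 (example-1.0.tgz) = %s\n' "$(sha256_of "$f")" > "$d/sigs.txt"
    ok=0;  verify_tarball "$d/sigs.txt" "$f" || ok=$?
    printf 'tampered\n' >> "$f"
    bad=0; verify_tarball "$d/sigs.txt" "$f" 2>/dev/null || bad=$?
    rm -rf "$d"
    echo "$ok $bad"
}
```

An installer built on this should stop before compiling on any non-zero status from `verify_tarball`, and should treat status 2 the same as a mismatch.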
