This weekend I put together some RPMs, and now that it's done, I'll try to keep them up to date, since we don't have any other RPM maintainer at the moment.

I've put them up at

http://gibbled.com/seq

To install these on Fedora Core 2, download both the maps and the application package, then go to the directory you saved them in and type the command


rpm -ivh showeq-5.0.0.15-3.i386.rpm showeq-maps-1.0-2.rpm

and the packages will install. As always, you will need to be root to install the packages or run ShowEQ. If you're downloading a future version, of course the version numbers won't be the same.

When you need to update, you will usually only need to update the showeq package, the showeq-maps package will rarely change. Just update with


rpm -Fvh <newrpmhere>

If you aren't using Fedora Core 2, but your system does use RPMs, feel free to try and see if these work. I know they don't install directly on RHEL3 Workstation, due to an issue with the libpcap version, but it worked fine when I rebuilt the SRPM on the RHEL3 box. If there is demand for it, I could build RHEL3 binaries as well, but I'm guessing there aren't many who will want those.

Note that I've built it so that it places SEQ under /usr/bin, and the maps and other files in /usr/share/showeq, and documentation is in /usr/share/doc/showeq-<version> but if you're a keener on keeping it in /usr/local it should be relocateable.

To match the tarball release system, I have kept the application separate from the maps. The maps package depends on the application.

While I do package maintenance for internal use at work, I haven't made packages for public consumption before. If you find things that are broken or have suggestions please let me know.

Todo list:
- package currently won't preserve custom configurations during updates.
- Tanner had some contrib stuff he wanted packaged I think...
- should document my patch naming scheme and get feedback
- filters/spawnlists/etc?
PS. I've been around a while previously, but decided if I was going to raise my profile in this way, I wanted a username that wasn't easily traceable back to my name and/or station id. So that's why I'm posting from this brand new account, and also why I'm availing myself of the services of my friend at gibbled.com for hosting.

Even though CeleSEQ may have good intentions, I still strongly suggest that people get the source from the SEQ cvs or from Zaphod site since they are the only ones are verified not to contain any suspicious code.

Also since he only has one post, it is definately another reason to be suspicious.

Sorry guy, but there have been numerous attempts by people to put password capturing stuff in SEQ and other things. It may have been a nice gesture, but the risks out weigh the reward.

Blue Adept is correct, the only way to know what you're getting exactly is to compile it yourself from source.

There had been requests for an RPM package maintainer since there's already .deb and slack packagers, and I'm willing to do it. I asked what the best way to contact Zaphod was in IRC and they suggested he wasn't going to be around for a bit and that I should just post em. I know it's not ideal, but it's what I could do for now :)

Feel free to unpack the SRPMS and verify that the tarballs within are unmodified... Anytime you install a binary package, you're trusting that the person who built it and the person who distributed it were not acting maliciously. Choose wisely.

Zaphod, if you happen by and see this, drop me a note and let me know how you usually handle maintainer stuff...

Also of note, I would recommend rpm -Fvh over rpm -Uvh.

-F means Freshen, as in only update packages that are already installed.
-U means update or install if not already installed.

Cryonic's suggestion is smart, changed my original post to reduce any confusion.

I have a set of RPMs compiled against Mandrake 10 that I'm willing to share (also with .src rpms that you can unpack, diff against the official source and 10/13 changes, and compile for yourself if you'd like) but I lack hosting for them. I PMed Zaphod but haven't yet received a response (I didn't know he'd be away). If there's anyone who can host them let me know. I'd need roughly 12 megs for the binary RPMs and about 3.5 megs for the SRPMS.

I'd also love some critque of the spec file I did but that would only take up a few kb. Thanks!

Spec files should be small enough to attach to a forum message and that should be all you need to post to allow others to use them in conjunction with the tarballs to build their own RPMs from it...

showeq-5.0.0.15.spec :



summary: ShowEQ 5.0.0.15
Name: showeq
Version: 5.0.0.15
Release: 2
Copyright: GPL
Group: Games/Other
Source: http://showeq.doomed.to/showeq-5.0.0.15.tar.bz2
Patch0: showeq-20041013.patch
Requires: zlib
Requires: libpng
Requires: libpcap >= 0.6.2
Requires: gdbm >= 1.8.0

%description
Realtime packet analyzer for Everquest

%prep
%setup
%patch0 -p1

%build
%configure --prefix=/usr --datadir=/usr/share
%make

%install
rm -rf $RPM_BUILD_ROOT
%makeinstall

%clean
rm -rf $RPM_BUILD_ROOT

%post
echo

%files
%defattr(-,root,root,0755)
%doc README NEWS COPYING AUTHORS
%{_bindir}/showeq
%{_bindir}/showeqitemdbtool
%{_datadir}/showeq

%changelog
* Thu Oct 14 2004 I<3EQ I<3EQ <anonymous@anonymous> 5.0.0.15-2
- Patched to work with 10/13/2003 EQ Live
- Reworked the spec file to make it more correct
- Install to /usr instead of /usr/local
- Split the package into showeq and showeq-maps

* Wed Oct 6 2004 I<3EQ I<3EQ <anonymous@anonymous> 5.0.0.15-1
- Initial attempt at packaging


showeq-maps-1.0.spec :



Summary: ShowEQ Map Collection 1.0
Name: showeq-maps
Version: 1.0
Release:1
Copyright: GPL
Group: Games/Other
Source: http://showeq.doomed.to/showeq-maps-1.0.tar.bz2

%description
A map collection for ShowEQ.

%prep
%setup

%build
%configure --prefix=/usr --datadir=/usr/share
%make

%install
rm -rf $RPM_BUILD_ROOT
%makeinstall

%clean
rm -rf $RPM_BUILD_ROOT

%post
echo

%files
%defattr(-,root,root,0755)
%doc README NEWS COPYING AUTHORS
%{_datadir}/showeq

%changelog
* Thu Oct 14 2004 I<3EQ I<3EQ <anonymous@anonymous> 1.0-1
- Initial attempt at packaging


showeq-20041013.patch :



diff -Naur showeq-5.0.0.15/src/everquest.h /home/dave/showeq-5.0.0.15/src/everquest.h
--- showeq-5.0.0.15/src/everquest.h 2004-09-24 00:25:52.000000000 -0400
+++ /home/dave/showeq-5.0.0.15/src/everquest.h 2004-10-14 08:05:42.878153901 -0400
@@ -445,7 +445,7 @@
/*0244*/ uint8_t unknown244[14];

/*0258*/ int16_t deity; // Player's Deity
-/*0262*/ uint8_t unknown260[115];
+/*0262*/ uint8_t unknown260[119];
}; /* 0375 */

/*
@@ -473,7 +473,7 @@
/*0508*/ float underworld; // Underworld
/*0512*/ float minclip; // Minimum view distance
/*0516*/ float maxclip; // Maximum view distance
-/*0520*/ uint8_t unknown0520[156]; // *** Placeholder
+/*0520*/ uint8_t unknown0520[160]; // *** Placeholder
/*0676*/
};

@@ -820,7 +820,7 @@
/*250*/ int8_t unknown249[4];
/*254*/ uint32_t petOwnerId;
/*258*/ int16_t deity;
-/*260*/ uint8_t unknown260[115];
+/*260*/ uint8_t unknown260[119];
/*375*/
};


Comments regarding my spec file are most welcome. This is my first attempt at packaging with RPM so I'm sure there are some things I did wrong and some things I could have done better (for example, for the main showeq package, I should require qt (probably x11 too) but whenever I put in those requires, it barfs on install). In between showeq patches, I've been reading a lot about RPM creation and maintenance and trying to make the spec file as tight as it can be.

Todo list:
- package currently won't preserve custom configurations during updates.
- Tanner had some contrib stuff he wanted packaged I think...
- should document my patch naming scheme and get feedback
- filters/spawnlists/etc?

I'd recommend signing your packages with gnupg, so people can verify it's really from you.

But that will mean exposing your identity :-P

Just because you package up a tool doesn't mean you use it when you are playing :-P

Even though CeleSEQ may have good intentions, I still strongly suggest that people get the source from the SEQ cvs or from Zaphod site since they are the only ones are verified not to contain any suspicious code.

Also since he only has one post, it is definately another reason to be suspicious.

Sorry guy, but there have been numerous attempts by people to put password capturing stuff in SEQ and other things. It may have been a nice gesture, but the risks out weigh the reward.

To play devils advocate, how do I know the packages on Z's site are trojan'd?

For that fact, how do we know if cvs hasn't been compromised?

Unless you visual inspect -and- are a c++ dev and know what heck you are doing, you can compile from source and still get hacked.

I've talked to Z about this and he has some design changes to address the issue.

I also talked about maintaining some sort of MD5 of each file and master list signed with some key we all trust to verify the integrity of the source files.

GNU arch has a nice feature of signing the archive, which would greatly reduce this concern.

Yes, the issue of trust vs security is always a tough one. And I absolutely know that if someone slipped a few lines into CVS or a tarball that fed them back usernames and passwords, or even worse, a full keylogger stream... I would be unlikely to catch it. Even if I was a much much better coder, I would never have time to read the code for everything I use. So it starts with a calculated risk, that I believe the showeq project isn't just a front for people to put evil things in the app, then I extend that to say that I think Zaphod has been around long enough that if he was going to put evil things in the app, they're already there and we're all screwed...

I'll keep building packages, I'll do what I can to earn trust in a sensible manner and to provide easily-verifiable ways to show that what I'm doing is clean, and people will make their own decision about whether they thing I'm here to do evil stuff.

I'll consider the gpg signing Tanner, thanks :)

I agree what's been said about binary package distribution. It doesn't apply to just showeq, it applies to every package released.

I think the best solution would be for me and/or CeleSEQ to maintain the .spec file and have someone a bit more trusted actually roll (and possibly sign) the RPMs for us. The amount of work involved with that should be pretty trival. It'd basically involve having a proper RPM build environment set up (more or less copying the source tarbal and patch tarballs to specific directories) and running rpm -ba on the spec file we provide.

If that doesn't work out, another solution would be for someone to put our packages through the ringer on a clean machine and make sure they're not doing anything abnormal (i.e. opening/writing to files it shouldn't, sending packets out on the network, etc.) and to have the packages signed by whomever rolled them.

I thought about whether or not losing my anonymity would be a bad thing. At this point in the game, I've accomplished everything I've wanted to so if Sony decided to cut my time short, I wouldn't necessarily lose any sleep over it. :)

BTW, if anyone needs to speak with me I'm back on IRC. Just started a new contract gig and had to set myself up where the gig is located.

Enjoy,
Zaphod (dohpaZ)

if anyone is interested:
$ whois gibbled.com
[Querying whois.internic.net]
[Redirected to whois.dotster.com]
[Querying whois.dotster.com]
[whois.dotster.com]


The data contained in the WHOIS database, while
believed by the company to be reliable, is provided "as is",
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of this company. You may not use the data to
allow, enable, or otherwise support any marketing activities,
regardless of the medium used. Such media include but are not
limited to e-mail, telephone, facsimile, postal mail, SMS, and
wireless alerts. In addition, you may not sell or redistribute
the data. By submitting an inquiry, you agree to these terms of
usage and limitations of warranty. Please limit your queries to
10 per minute and one connection.

Registrant:
Chris Maki-Hill
401-330 3 AVE NE
Calgary, AB T2E 0H4
CA

Registrar: DOTSTER
Domain Name: GIBBLED.COM
Created on: 20-FEB-01
Expires on: 21-FEB-05
Last Updated on: 31-JUL-04

Administrative, Technical Contact:
Maki-Hill, Chris [email protected]
401-330 3 AVE NE
Calgary, AB T2E 0H4
CA
403-230-2949


Domain servers in listed order:
NS1.ACHERON.COM
NS.CYBERHQZ.COM

End of Whois Information

I've put up 5.0.0.16 RPMS for FC2, as well as a rebuilt version of showeq-maps that cleans ups the file permissions on the map files. Source and binary RPMS are there, and now are signed. I'm working to provide real life contact information to some of the trusted people around here so they can sign my key after phoning me and verifying who I am. That doesn't stop me from trojaning anything, but it does prove that it was REALLY me who did it if something bad turns up.

Baelang: as noted in my original post, gibbled.com is a non-eq-playing friend's domain who agreed to host this stuff for me. If you really want to track Chris down to get to me, I guess thats your choice.

If people need hosting space for ShowEQ related stuff, I can provide space... just need to PM or email me with what you need and are planning on doing.

I can even give you a hostname on showeq.net... such as fedora.showeq.net or debian.showeq.net and some webspace to play with... similar to myseq.showeq.net