-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

== Date ==
This release was made on 28 January 2021 by Denis 'GNUtoo' Carikli.

== Introduction ==
At the time of writing, Debian 9 (stretch) is the only GNU/Linux
distribution that can build Replicant 6.0. It has python 3.5.3.

Recent repo versions require at least python 3.6. Using older repo
versions is very impractical, as repo tends to update itself when
using 'repo sync'.

Because of that, we also provide a self-contained version of repo that
bundles all the dependencies it needs, including python. This way,
people wanting to build Replicant can simply install that version of
repo on top of Debian 9 or other GNU/Linux distributions.

== How to verify this release ==
It's good practice to verify software releases. It makes it possible
to detect corrupted downloads and sometimes even attacks[1].

All the technical information needed to verify the tarball is included
in this file. This way, all the important information like the release
date, how to build and install it and so on is also authenticated.

Without that, an attacker could also rename an older release that has
been signed by the same person and make people think that it's the new
release. That could be an issue if one day security issues are found
in older releases.

To do that, you first need to download the GPG key of the person that
prepared the release:
  gpg --keyserver keys.gnupg.net --recv-key \
      FB31DBA3AB8DB76A4157329F7651568F80374459

You then need to verify this README file with the following command:
  gpg --verify README.txt

It should say "Good signature", and look similar to this output:
  gpg: Signature made jeu. 28 janv. 2021 12:38:15 CET
  gpg: using RSA key 782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
  gpg: Good signature from "Denis 'GNUtoo' Carikli " [undefined]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.

Once this is done, you can verify the released archive.
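The checksum step of this verification (running sha512sum -c --ignore-missing against this README) can be tried out on a constructed fixture before doing it on the real download. The script below is an added example and is not part of this release or its README; it assumes GNU coreutils sha512sum (8.25 or later for --ignore-missing) and constructs its own stand-in tarball and README.txt, so every file name and content in it is made up:

```shell
#!/bin/sh
# Added example (not part of the Replicant README): exercises the
# "sha512sum -c --ignore-missing README.txt" check on a constructed
# fixture so that the expected "OK" plus the benign "improperly
# formatted" warning, a corrupted download, and a renamed file can all
# be observed. Assumes GNU coreutils sha512sum (8.25+ for --ignore-missing).

set -u

TARBALL=example-tarball-pack.tar.xz   # constructed stand-in file name

# Build a scratch directory holding a stand-in tarball and a README.txt
# that, like the real one, mixes prose with a single sha512sum line.
# Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/$TARBALL"
    sum=$(cd "$dir" && sha512sum "$TARBALL")
    {
        printf '== Checksums ==\n'
        printf 'Every prose line here is one "improperly formatted" line\n'
        printf 'in the sha512sum warning; only the line below is checked.\n'
        printf '%s\n' "$sum"
    } > "$dir/README.txt"
    printf '%s\n' "$dir"
}

# Run exactly the README's command inside the given directory and return
# sha512sum's exit status: 0 when every listed file that is present
# verified, non-zero on a mismatch or when no listed file was found.
verify_release() {
    (cd "$1" && sha512sum -c --ignore-missing README.txt)
}

# Simulate a truncated or tampered download by appending to the tarball.
corrupt_download() {
    printf 'extra byte\n' >> "$1/$TARBALL"
}

# Simulate an archive that was renamed: the signed README names exactly
# one file, so nothing matches and the check reports "no file was
# verified" and fails instead of silently passing.
rename_download() {
    mv "$1/$TARBALL" "$1/renamed-$TARBALL"
}

# Walk through the three situations, printing sha512sum's own output.
demo() {
    d=$(make_fixture)
    verify_release "$d" && echo "pristine copy: verified"
    corrupt_download "$d"
    verify_release "$d" || echo "corrupted copy: mismatch detected"
    d=$(make_fixture)
    rename_download "$d"
    verify_release "$d" || echo "renamed copy: nothing verified"
}

demo
```

The warning about improperly formatted lines counts the prose lines of README.txt that sha512sum could not parse as checksum entries; without --strict it does not change the exit status, which is why the real README says to expect it alongside "OK". A content mismatch, or a file whose name no longer matches the entry in the signed README, turns the exit status non-zero.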
As this file (README.txt) contains a checksum at the end, you can
simply run this command to check the tarball:
  sha512sum -c --ignore-missing README.txt

It should then say "OK", and the output will be somewhat similar to
this one:
  sz1lkq3ryr5iv6amy6f3d2pziks27g28-tarball-pack.tar.xz: OK
  sha512sum: WARNING: 60 lines are improperly formatted

References:
-----------
[1]https://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

== Installation ==
The tarball needs to be decompressed in / as root. Once you are root,
you can simply uncompress it with the following command:
  tar xf path/to/somehash-tarball-pack.tar.xz -C /

It will install all its dependencies in /gnu/ and install repo and
repo-env.sh in /usr/local/bin/.

== Usage ==
Once installed, that repo version needs some environment variables to
be set in order to find its SSL / TLS certificates. To do that, you can
run this command in the current terminal:
  source /usr/local/bin/repo-env.sh

You can then use repo as usual, in that same terminal. For instance:
  repo sync

When building Replicant, it would be a good idea to open a new terminal
so that repo's environment variables do not interfere with the build,
as the build was never tested with such environment variables set.

== How was that tarball made ==
The tarball was made with Guix[1], on an x86_64 computer, with the
following commands:
  guix pull
  guix pack \
      --compression=xz \
      --save-provenance \
      -RR \
      --symlink=/usr/local/bin/repo=bin/repo \
      --symlink=/usr/local/bin/repo-env.sh=etc/profile \
      git-repo le-certs nss-certs git python-certifi

Since --save-provenance is used, the tarball also contains a manifest
file that can be used to recreate the exact same tarball.
As it is the only file named manifest in that tarball, once it is
installed, you can find it with the following command:
  find /gnu -name manifest

References:
-----------
[1]https://guix.gnu.org/

== Checksums ==
def3c0b3ae2305d695b57d8d1f2fa8acfaf9b7c9c0f668c129a2bfe2652c24a8f2f8167d95f0d71a72d04601daac2b626bfecfae8e7833c812d912d95fd61a5a  sz1lkq3ryr5iv6amy6f3d2pziks27g28-tarball-pack.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEeC+d2+Nrp/PU3kkGX138wUF34mMFAmASwRoACgkQX138wUF3
4mOO6A/9FdPAdt2crRcQPl6JwRTUiNEEIOOy7PIMp8gABV57gzE59oiVWK9mG3ac
WCdX4j5WFl8gN4xbYOMXcZSAjyj3lYOv7i5cb0LdX1BR5ZxSq6Ltpqle/txpOKjL
R0GI9+XdfLqzsGgukYsaFBnzIoV01pOIEXaQo1ibEOJ7vPU4HnE9mJQaxvQhA4gV
ZICHilWzSFU7y7sg/aiuVVOev9H7v9VZVKPfD/J+7rhL2uwTtD3r2IZUjoT9JEXJ
U4JOEqUphZmN6fVSwU9U5EXAI+PbETs5imLNpd6l9UTdU6zQvEAnfGxtcd2PNvY9
imNUaa4DaAhQuwDWVQl/HRkaBI6py6+wdMOqzVKMYryuMN8x+/KzfHXfwU4akWET
qTyxj/G6cKUmV7NLtI7vcjDmSm5xaiMDAHveeQCULCKvvv88AyxScgC51Fx+wPfq
cUb4tH0JRrkz0m0n9ZJrSGcPH7oBiNyySEKdyZ42tgBMjYoFyZeDTyb9PRAMjIR1
y3hRMg61Mk4DYR1UUqhXLaC51VXu5EcwOJqlAXz4+hJpxF7IHd7kHxLhqkltMc6y
jIRs1rSCf3RulUyTzAn6cnj626UYu3+FYPxBIaRPXhtRVKFABE3LqNhcNRHuG+ug
zri4SLxwZ4Q2RAzUyO86AVVDh4tfbRnCAffI9PgKd0wwewOpDbA=
=RD/P
-----END PGP SIGNATURE-----