The main idea is to provide an easier overview of the DevGuide, since right now it is somewhat complicated to start hacking.
Rename the guide to be able to create links which work
in Eclipse and GitHub at the same time
The file cdt-8.6.0.zip itself isn't available over HTTPS, so it is important that we download the checksum over HTTPS. Otherwise, the MITM can modify both the file and its SHA512 to match the malicious zip file.
- Update the xvfb command to add "-nolisten tcp" to the params.
- Change "gradlew" to just "gradle". We don't specify that you have to use the wrapper.
- Reword to emphasize that Xvfb is required just for headless mode.
Per https://bugs.eclipse.org/bugs/show_bug.cgi?id=134634#c3 this
mirror redirection feature is not well known, but it works and it
removes a decision point from an otherwise copy-and-paste set of
steps.
The `r=1` query fragment causes Eclipse.org's download.php to pass
a redirect directly back to the client rather than a mirror list:
https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/download.php#n97
Sadly it appears that including the `protocol=https` query element
is wasted effort since that value is unconditionally overridden:
https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/download.php#n173
Add CDT 8.6.0 checksum verification (via HTTPS)
Per https://wiki.eclipse.org/CBI/How_to_check_integrity_of_downloads_from_the_Eclipse_Foundation
the Eclipse Foundation mirror system offers the ability to retrieve
checksums for mirrored packages to provide an additional degree of
certainty about the absence of tampering in transit, since mirrored
files are provided via HTTP. (The link cites performance concerns
as the reason for transferring mirrored files unencrypted, but that
concern, while common, is well known to be less worrisome than has
been the case even recently, [e.g.][1] )
The `sums.php` [source][2] shows three checksum types may be used as
valid options: md5, sha1, and sha512. We'll prefer sha512. We'll
also assume that the `sha512sum` tool is available and supports the
`-c`/`--check` invocation option.
I have observed these three checksum values for `cdt-8.6.0.zip` as
returned by the Eclipse Foundation mirror, and I'm noting them here
rather than in `DevGuide.md` directly on the assumption that it is
a better idea to let `sha512sum` do the verification instead of the
user following the guide:
| Type | Value |
| ------ | ----- |
| md5 | `8e9438a6e3947d614af98e1b58e945a2` |
| sha1 | `6363c3eece78277cc6b6748bb4eba0166db30a6a` |
| sha512 | `2b8bb498146aa29995e807c5b4e9d5dab0f6afe89a5ce256978b7b2c478677a0cb5a0f15913a32bd99cb7b4bb31230521f70b9c26cdef1cb983dfcea599737c0` |
[1]: https://istlsfastyet.com
[2]: https://git.eclipse.org/c/www.eclipse.org/downloads.git/tree/sums.php
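
The verification step these commit messages describe, as an added example (not taken from the commits or from `DevGuide.md`). It assumes the checksum response is either a bare digest or a `digest  filename` line; the function name and the sample file are hypothetical, and the demo builds its own file so it runs offline.

```shell
#!/bin/sh
# verify_sha512 FILE SUMTEXT
#   FILE     archive fetched over plain HTTP from a mirror
#   SUMTEXT  body fetched over HTTPS from the checksum endpoint, e.g.
#            SUMTEXT=$(curl -fsS "https://<checksum URL for FILE, type sha512>")
#            (placeholder URL; the real one is not reproduced here)
# Returns 0 on match, 1 on mismatch, 2 when the inputs are unusable.
verify_sha512() {
    file=$1
    # Keep only the first field of the first line, lowercased, so both
    # "digest" and "digest  name" responses are accepted (assumed shapes).
    digest=$(printf '%s\n' "$2" | awk 'NR==1 {print tolower($1)}')

    # An empty body or an HTML error page must not reach sha512sum.
    case $digest in
        ''|*[!0-9a-f]*)
            echo "checksum response is not a hex digest" >&2
            return 2 ;;
    esac
    if [ "${#digest}" -ne 128 ]; then
        echo "digest is not SHA-512 length (128 hex chars)" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 2
    fi

    # sha512sum -c expects "digest<two spaces>path"; the path we supply is
    # the local one, never a name taken from the remote response.
    printf '%s  %s\n' "$digest" "$file" | sha512sum -c - >/dev/null
}

# Constructed demo: a local file stands in for the HTTP download and its
# own digest stands in for the value fetched over HTTPS.
demo_dir=$(mktemp -d)
printf 'constructed archive bytes\n' > "$demo_dir/sample.zip"
sum_body=$(sha512sum "$demo_dir/sample.zip" | awk '{print $1}')

verify_sha512 "$demo_dir/sample.zip" "$sum_body" && echo "sample.zip: verified"

printf 'x' >> "$demo_dir/sample.zip"    # simulate modification in transit
verify_sha512 "$demo_dir/sample.zip" "$sum_body" 2>/dev/null ||
    echo "sample.zip: MISMATCH, discard the download"
rm -rf "$demo_dir"
```

Rejecting non-digest responses before calling `sha512sum` keeps a failed HTTPS fetch from being mistaken for a checksum mismatch.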