Right now, all commands are just run without any shell and manually calling a shell in a build script would break Windows compatibility, so I think it could be extremely convenient to have r2pm always use a shell and some basic unix tools that it provides by itself, which could be done by bundling Busybox.

This is a port for Windows: https://frippery.org/busybox/ I didn't try it myself, but doesn't look bad.

See radareorg/radare2#17178

Detailed description

When using r2 from non-git (release builds), installing packages can result in build problems. This PR aims to enable r2pm with the ability to pick the right commit from the tagged version from 3rd party repos if available.

Afaik this is done by r2ghidra-dec and r2dec-js, it may be good to define a different tag name than just the r2 version string, otherwise it will confuse users with the version of the decompiler and the version of the r2 required to build. Suggestion is to use r2- as prefix in the 3rd party repos.

Test plan

Get r2-4.4 and type the following command:

$ r2pm install r2ghidra-dec

Describe the issue
r2pm doesn't build packages if the cmake's default generator isn't make.

How to reproduce?
Simply setting cmake's default generator to anything else than makefiles. Eg: Having CMAKE_GENERATOR=Ninja

Expected behavior
Still building the file using the default generator.

Possible fix
Using cmake --build . instead of make or forcing cmake to use make

I use window 10, and how can I install r2pm for now?

See:

• https://dependabot.com/go
• https://dependabot.com/docs/config-file/

It checks the dependencies automatically and sends PRs to the repo. Go language is supported.

When I type ./r2pm ls right after building, I get

.local/share/RadareOrg/r2pm/r2pm-db/db: no such file or directory

Maybe it would be good to add a global check to make sure the local r2pm-db is not broken

Create a Makefile

Old r2pm installs r2 plugins directly in the global plugin directory.

What if new r2pm would install packages only in a self-contained directory and then can give you a list of paths for LIBR_PLUGINS, so r2 can find all the plugins? Of course this implies that r2 has to either query r2pm for the paths itself or you have to manually run r2 with env vars given by r2pm.

This would make it more transparent to the user where files from a package are installed.
And if you have a binary package (e.g. for Windows), it would be enough to unpack it and set the paths.
Also, for Cutter plugins, r2pm would not need to know where Cutter is installed and gets its plugins from, but only Cutter needs to know where r2pm is.

See these files:

• https://github.com/radare/radare2book/blob/master/tools/r2pm/intro.md
• https://github.com/radare/radare2book/blob/master/plugins/r2pm.md

To grab the binaries from AppVeyor. You didn't address my comment in that PR: #46

https://github.com/radareorg/radare2-release/blob/master/build.sh#L502

You can add Azure Pipelines YAML file, I enabled it for the repository

Originally posted by @XVilka in #40 (comment)

For example, be able to sort/list the packages with categories like asm, anal, io, core, debug, etc kinds of the radare2 plugins provided. Also the r2pipe and something else.

Another approach could be to associate tags instead, e.g. asm, python, so it will be known that this plugin implements disassembly plugin in Python, and so on.

@radare @xarkes @ITAYC0HEN @thestr4ng3r what do you think?

• update
• updateall

imagine rasm2 -L was able to extend the listing with r2pm's output when the arch you need is not there. same goes for rabin2 -L and others. Basically this means integrgating the pkg manager within r2

Add Appveyor for Windows binaries for r2pm.

Allow to set the dependency following something like these rules

depends: qwe
depends: qwe < 0.4
depends: qwe <= 0.5
depends: qwe > 1.4.5
depends: qwe >= 1.5.6
depends: 5.5 > qwe <= 8.0

Checkilist for progress of development:

• -i,info show information about a package
• -i,install install package in your home (pkgname=all)
• -gi,global-install install package system-wide
• -gu,global-uninstall uninstall pkg from systemdir
• -u,uninstall r2pm -u baleful (-uu to force)
• -l,list list installed pkgs
• -r,run [cmd ...args] run shell command with R2PM_BINDIR in PATH
• -s,search [] search in database
• -t,test FX,XX,BR BID check in Travis regressions
• -v,version show version
• -h,help show this message
• -H variable show value of given variable
• -c,clean ([git/dir]) clear source cache (GITDIR)
• -ci (pkgname) clean install of given package
• -cp clean the user's home plugin directory
• -d,doc [pkgname] show documentation for given package
• -w what/where is installed
• init | update .. initialize/update database
• cd [git/dir] cd into given git (see 'r2pm ls')
• ls ls all cloned git repos in GITDIR
• suicide self remove all (home + system) installations of r2
• cache cache contents of r2 -H to make r2pm r2-independent

Add TravisCI for OSX and Linux builds

For we can push r2pm binaries to choco or whenever else, and r2pm will check the github/appveyor/whatever for available source or binary packages of those.

To make it something like rustup

https://github.com/codecov/example-go

I run :

go run r2pm.go -s r2frida

it return :

Could not read database file C:\Users\cx\AppData\Roaming/db.json. Did you initialize r2pm? 

so, where is the db.json ?

Currently it doesn't work on OSX.

Add builds.sr.ht support for *BSD builds

A simple page built on top of the r2pm database allowing to navigate through the packages, maybe show description and dependencies for every package, along with versions and links.

Something of likes

• Hackage
• Opam
• etc

Mostly for Windows and OS X

Issues like r2ghidra-dec/76 seem to happen all the time. Because r2pm installs packages from git master, and those packages are usually made to be compatible with the latest radare2 master, it seems that r2pm can really only be considered secure and compatible when used with radare2 from git.

As a result, those who are using the latest stable (or older) release of radare2—which I am sure is a massive portion of the userbase—are left with plenty of packages that either won't compile or could even possibly have bugs to be discovered later on. As an example, I currently can't install r2ghidra-dec under radare2 4.3.1 because a function was renamed in r2 upstream three days ago, and the r2ghidra devs responded very quickly with the refactor.

Not exactly sure what the best idea would be here. Packages often don't create tagged releases, and if they did, they might not align well with Radare2 releases. Perhaps it would be a good idea if we were to create an r2pm -ii <pkg> command that would checkout R2PM_GIT to the date that r2 says it was built under r2 -v. This could be implemented with git rev-list.

A caveat against the above idea is that a stable release of r2 could've definitely been built after the release date, and some changes may have happened in between. To resolve that, I imagine that we would have to use the output of r2 -qv and some git magic to figure out the date the last commit of that tag was pushed, then checkout packages to that date. I would guess that this would work something like 99 % of the time, and would only fail if a last-minute change was pushed to the r2 repo before the tagged version and plugin creators didn't respond in time.

Anyway, it seems like a complicated mess—ideally, I think plugin creators could just make tagged releases that correspond to radare2 versions. Is that something we'd want to enforce/suggest?

Edit: the simplest solution I can think of right now, which leaves some work to the user, would just be to create a --commit=1234abcd option on installation that could be passed to git during/after the cloning process. Users would have to figure out what commit works for their version of radare2.

Like in Julia language, to look something like:
R2pm should have its own REPL mode, which can be entered from the radare2 shell by pressing ]. To get back to the radare2 shell press backspace or ^C.
It will then change the command prompt:

pkg>

Good example how to provide such a command is yara plugin - it installs new command in radare2: https://github.com/radare/radare2-extras/blob/master/yara/yara/core_yara.c
So installing r2pm will install the radare2 plugin, which radare2 will automatically load and will provide this command for using directly from the r2 shell.

Migrated from here radareorg/radare2#14372

/cc @radare @Maijin @xarkes @qbarrand

See https://stackoverflow.com/questions/45342640/golang-git-pulling-a-repo/45342748#45342748