From ef3d98963b97f5e9b982141b7d4fae910970cb7d Mon Sep 17 00:00:00 2001 From: Rob Date: Sun, 17 May 2026 10:34:22 -0400 Subject: [PATCH] docs(agent): add rule to track latest RNS and verify packages with rnid MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit §3 now requires confirming the latest upstream version each session and verifying package signatures before install. Records that upstream is migrating off GitHub (1.2.5 ≈ last GitHub release) toward rngit/rnpkg self-hosting over Reticulum, and that signed wheels must be rnid-checked against Mark Qvist's release identity rather than trusting a bare `pip install` from PyPI (PyPI carries no .rsg). Co-Authored-By: Claude Opus 4.7 --- agent.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/agent.md b/agent.md index cf60391..895194a 100644 --- a/agent.md +++ b/agent.md 
@@ -55,12 +55,35 @@ PRs must include the verifier scripts. Don't commit a "verified" claim without t Agents working on this repo should have access to: -- A working Python 3 install with `rns` and `lxmf` packages: `pip install rns lxmf` +- A working Python 3 install with `rns` and `lxmf` packages (install per "Staying current" below — not a bare `pip install rns lxmf`). - The `RNS/` and `LXMF/` source trees (typically at `~/AppData/Roaming/Python/Python3xx/site-packages/RNS/` on Windows or `~/.local/lib/python3.x/site-packages/RNS/` on Linux/macOS). - Optional but very useful: a packet-trace tool. `tcpdump -i lo -A -X port 4242` works for TCPServerInterface; for BLE you need ADB + an RNode-aware capture tool. Hardware (RNode, RatDeck, etc.) is NOT required for most verification — most byte-level claims can be checked entirely in Python RNS without any radio. +### Staying current with upstream — and verifying what you install + +This spec is only as good as the upstream version it was checked against. **Before any verification pass, confirm you are looking at the latest RNS:** + +1. **Check the latest upstream version.** Upstream is mid-migration *off* GitHub: the RNS 1.2.4 release notes announced 1.2.4 would "probably be the last release also published to GitHub," and GitHub releases do stop around **1.2.5** (1.2.6/1.2.7 are PyPI-only). Reticulum is moving to self-hosting — `rngit` (git served over Reticulum) and `rnpkg` (package distribution over Reticulum). Per Mark Qvist, "updates to pip will continue at least until `rnpkg` is complete." Check, in order: + - PyPI: `pip index versions rns` / `pip index versions lxmf` — most current while it lasts, but PyPI carries **no `.rsg`**, so PyPI alone is unverifiable. + - GitHub releases: — signed (`.rsg`) but frozen near 1.2.5. + - `rngit` / `rnpkg` over Reticulum — the eventual canonical source of signed artifacts. + + PyPI runs *ahead* of the newest signed release (1.2.7 on PyPI vs 1.2.5 signed, 2026-05-17). 
Re-check every session — do not assume a frozen version. + +2. **Verify the package signature before installing.** Since RNS 1.2.x, signed releases ship a detached `.rsg` signature beside each artifact (on the GitHub release page while that lasts; via `rngit`/`rnpkg` afterward). Get the wheel *and* its `.rsg`, then: + + ``` + rnid -i bc7291552be7a58f361522990465165c -V rns--py3-none-any.whl + ``` + + `bc7291552be7a58f361522990465165c` is Mark Qvist's release-signing Reticulum identity — confirm that hash itself against a trusted channel (a release announcement) before trusting it. `rnid` works fully offline. Install the **exact wheel you verified** (`pip install --upgrade ./rns--py3-none-any.whl`), not a fresh `pip install rns` that re-downloads from PyPI. + +3. **Prefer the latest *signed* version.** If PyPI is ahead of the newest release carrying a `.rsg`, install the signed one and note the gap — do not silently install an unverifiable newer version. + +4. **After a version bump**, re-run every `tools/verify_*.py`, re-check the source-cited line numbers in any section you touch, and only advance SPEC.md's `**Last verified against:**` line once the whole document has been re-checked against the new version. + --- ## 4. Marking convention
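Review bot: in step 2 of the new "Staying current" section, `pip install --upgrade ./rns--py3-none-any.whl` installs the verified wheel but still resolves and downloads its dependencies from PyPI, so the "exact wheel you verified" guarantee covers only `rns` itself; say so explicitly (for example, install with `--no-deps` and handle dependencies separately, or state that transitive packages remain unverified). The same step verifies only `rns`, while the requirement at the top of the hunk covers both `rns` and `lxmf`; either add the equivalent `rnid` check for the `lxmf` wheel or note why `lxmf` is out of scope. Two smaller points: the wheel filename `rns--py3-none-any.whl` appears twice with an empty version segment and should read as an explicit placeholder such as `rns-<version>-py3-none-any.whl`, and the bullet `GitHub releases: — signed (`.rsg`) but frozen near 1.2.5.` has an empty slot after the colon where the releases URL belongs. Finally, since the whole check hinges on the pinned identity hash `bc7291552be7a58f361522990465165c`, record in the doc where that hash was obtained and on what date, so a later reader can re-confirm it through an independent channel rather than trusting the doc itself.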