x/tools/cmd/getgo: is a two-liner #21277
Comments
(@spf13)
Sourcing a script that does it all makes me nervous.
We used to spawn a new shell, but it was buggy, so to avoid that we changed it to this, but I am still open to more creative solutions.
Sourcing a script makes me nervous too. You know what would work: writing out a temp file with the paths and sourcing that at the end of the one-liner, then removing it.
It makes me nervous too, but I can't find any objective reason to argue that sourcing a script would be more (or less) dangerous/suspicious than executing a binary. Both have the same power to be harmful, and we rely on developers trusting the good intentions of get.golang.org. @spf13 Yes, executing a binary that generates a script + sourcing the script + removing the 2 files should work.
Sourcing a script I see as far more dangerous, as the scripting execution depends on a local interpreter which can vary greatly from one system to the next. The binary doesn't have this property, making it inherently much safer/more predictable.
Change https://golang.org/cl/99620 mentions this issue:
Assuming that sourcing someone's .bash_profile is without side effects is dangerous. My .profile does some intensive operations to prepare my environment, and .bashrc is the one run by each tmux/screen session.
The script will only source a file that it creates. We will not be sourcing any established profile or rc files.
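The approach discussed in the comments above (the installer writes the paths to a temporary file, which the one-liner then sources and removes), sketched as an added example that is not part of the thread or of getgo's code. The function names, the allow-list of variables and the sample paths are assumptions made for illustration.

```shell
# Added example. Function names and the allow-list are assumptions, not getgo code.

# Succeed only if every line is `export NAME="value"` for an allowed NAME and
# the value cannot run a command when the file is sourced.
env_file_is_safe() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1      # regular file, not a symlink
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'export PATH="'*'"' | 'export GOPATH="'*'"' | 'export GOROOT="'*'"') ;;
            *) return 1 ;;
        esac
        value=${line#*\"}      # drop everything through the opening quote
        value=${value%\"}      # drop the closing quote
        case $value in
            *'`'* | *'"'* | *'\'* | *';'* | *'&'* | *'|'* | *'<'* | *'>'*) return 1 ;;
            *'('* | *')'* | *'{'* | *'}'*) return 1 ;;
        esac
    done < "$f"
    return 0
}

# Source the generated file into the current shell, then always delete it.
load_generated_env() {
    f=$1
    if env_file_is_safe "$f"; then
        . "$f"
        rc=$?
    else
        rc=1
    fi
    rm -f -- "$f"
    return "$rc"
}

# Demo: constructed content standing in for what the installer would write.
envfile=$(mktemp) || exit 1     # mktemp creates a new file readable only by the user
printf '%s\n' 'export GOPATH="$HOME/go"' 'export PATH="$PATH:/usr/local/go/bin"' > "$envfile"
if load_generated_env "$envfile"; then
    echo "GOPATH=$GOPATH"
fi
```

Plain variable references such as `$PATH` are allowed in values because they only expand; anything that could start a command substitution or a second command makes the whole file fail the check, and the file is deleted either way.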
Closing -
The issue is about the tool cmd/getgo.
It follows this thread.
The tool is intended to be a one-liner:
but it ends with this advice:
This looks to me like a real caveat for a tool whose purpose is to do all the work in a single step (single action from the user).
A possible solution (which may have other problems of its own that I'm not seeing right now) would be instead to download and source a script that does all of this:
The contents of go_installer_script would look like this: