Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/tools/cmd/getgo: is a two-liner #21277

Open
Deleplace opened this issue Aug 2, 2017 · 9 comments
Open

x/tools/cmd/getgo: is a two-liner #21277

Deleplace opened this issue Aug 2, 2017 · 9 comments
Assignees
Milestone

Comments

@Deleplace
Copy link

@Deleplace Deleplace commented Aug 2, 2017

The issue is about the tool cmd/getgo.
It follows this thread.

The tool is intended to be a one-liner :

curl -LO https://get.golang.org/$(uname)/go_installer && chmod +x go_installer && ./go_installer && rm go_installer

but it ends with this advice :

One more thing! Run `source /home/foobar/.bash_profile` to persist the
new environment variables to your current session, or open a
new shell prompt.

This looks to me like a real caveat for a tool whose purpose is do all the work in a single step (single action from user).

A possible solution (which may have other problems on its own that I'm not seeing right now) would be instead to download and source a script that does all of this :

curl -LO https://get.golang.org/$(uname)/go_installer_script && source go_installer_script

The contents of go_installer_script would look like this :

curl -LO https://get.golang.org/$(uname)/go_installer 
&& chmod +x go_installer 
&& ./go_installer 
&& rm go_installer_script go_installer
&& source $HOME/.bash_profile
@mikioh mikioh changed the title tools/cmd/getgo: is a two-liner x/tools/cmd/getgo: is a two-liner Aug 2, 2017
@gopherbot gopherbot added this to the Unreleased milestone Aug 2, 2017
@bcmills
Copy link
Member

@bcmills bcmills commented Aug 3, 2017

(@spf13)

Loading

@jessfraz
Copy link
Contributor

@jessfraz jessfraz commented Aug 3, 2017

sourcing a script that does it all makes me nervous

Loading

@jessfraz
Copy link
Contributor

@jessfraz jessfraz commented Aug 3, 2017

we used to spawn a new shell but it was buggy so to avoid that we changed it to this, but I am still open to more creative solutions

Loading

@spf13
Copy link
Contributor

@spf13 spf13 commented Aug 3, 2017

sourcing a script makes me nervous too. You know what would work, writing out a temp file with the paths and sourcing that at the end of the one-line, then removing it.

Loading

@Deleplace
Copy link
Author

@Deleplace Deleplace commented Aug 3, 2017

It makes me nervous too, but I can't find any objective reason to argue that sourcing a script would be more (or less) dangerous/suspicious than executing a binary. Both have the same power to be harmful and we rely on developers trusting the get.golang.org good intentions.

@spf13 Yes, executing binary that generates script + source script + removed 2 files, should work.

Loading

@spf13
Copy link
Contributor

@spf13 spf13 commented Aug 3, 2017

sourcing a script I see as far more dangerous as the scripting execution depends on a local interpreter which can vary greatly from one system to the next. The binary doesn't have this property making it inherently much safer/more predictable.

Loading

@gopherbot
Copy link

@gopherbot gopherbot commented Mar 8, 2018

Change https://golang.org/cl/99620 mentions this issue: cmd/getgo: remove need for new session during install

Loading

@lepinkainen
Copy link

@lepinkainen lepinkainen commented May 14, 2018

Assuming that sourcing someone's .bash_profile is without side effects is dangerous. My .profile does some intensive operations to prepare my environment and .bashrc is the one run by each tmux/screen session.

Loading

@spf13
Copy link
Contributor

@spf13 spf13 commented May 15, 2018

The script will only source a file that it creates. We will not be sourcing any established profile or rc files.

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
8 participants