dist: provide one-line installer #23381

Open
rsc opened this issue Jan 8, 2018 · 11 comments

@rsc
Contributor

commented Jan 8, 2018

We all agree we want a 1-line installer. tools/cmd/getgo is a start but has work to do. This is the tracking bug for shipping it (and advertising it on the install page).

@pciet

Contributor

commented Jan 8, 2018

Something that bothered me about the 1.10 beta installer is that, while definitely convenient, it didn’t feel very official. Are there any possible features to make the experience feel more secure?

I understand that downloading an archive from the download page or doing just about anything on the Internet also requires the same level of trust (why were the files hosted on something other than dl.google.com for a while?), but a thought is that the convenience offered by a 1-line installer could make people more complacent in their sourcing of it.

@bradfitz

Member

commented Jan 9, 2018

> why were the files hosted on something other than dl.google.com for awhile?

Are you referring to #22648? I agree that it looked sketchy, which is part of why I filed the bug to get it changed.

@pciet

Contributor

commented Jan 9, 2018

Yes that was it, thanks for the change.

I trusted the redirector.gvt1.com link because of the https://golang.org/dl/ URL and Chrome saying the cert is valid there, but I thought about it for a moment.

Downloading a 1-click downloader binary over HTTPS from a trustworthy URL page (even pointing at gvt1.com) is the only security I'd actually expect, but the previous comment seemed worth sharing here.

@broady broady added the DevExp label Jan 11, 2018

@broady

Member

commented Jan 11, 2018

@pciet regarding safety/trust - I'd suggest opening a new bug to discuss that, but the short answer is that we do provide GPG signatures for tarballs (add .asc to any of those download URLs). They're signed with the Google private key. Some more docs for that may be warranted.

@pciet

Contributor

commented Jan 12, 2018

@broady here it is: #23430, thanks.

@rasky

Member

commented Jan 12, 2018

This bug has little description. What is this one-line installer? What problem is it supposed to solve? On which operating systems? Is there any kind of doc/spec on how it should work?

@ianlancetaylor

Contributor

commented Jan 12, 2018

@rasky It's intended to be a single short command that anyone can run to install or update Go on their system. It's intended to be the Go equivalent of https://www.rustup.rs/ .

@pciet

Contributor

commented Jan 13, 2018

@ianlancetaylor comment in the other issue:

> When you suggest some additional documentation that "could be part of the tool distribution," what do you mean?

I was referring to what @broady said above. Maybe explaining good security practices, such as how to verify the GPG signature, could be part of the documentation for the tool. This could be on the website and in the program as help text.
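
The detached-signature check discussed in the comments above (the `.asc` files and "how to verify the GPG signature"), as an added example that is not part of the thread or of the Go project's tooling. The function names, the keyring file and the optional expected-fingerprint argument are assumptions; the signing key's fingerprint is not given on this page, so the caller supplies it.

```shell
#!/bin/sh
# Added example (not from the thread): check a download against its detached
# .asc signature before anything from it is run.

# verify_detached FILE SIG KEYRING [EXPECTED_FPR]
# KEYRING is a file produced by `gpg --export` holding only the publisher's
# key; give it with a path containing a slash, otherwise gpgv looks for it in
# its home directory. EXPECTED_FPR is a placeholder for a fingerprint obtained
# out of band (assumption: this page does not state one).
# Prints the primary-key fingerprint on success; returns non-zero otherwise.
verify_detached() {
    file=$1 sig=$2 keyring=$3 want_fpr=${4:-}
    [ -f "$file" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 2
    # gpgv accepts only keys in the given keyring and ignores the user's
    # own keyring and trust database.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$file" 2>/dev/null) \
        || return 1
    # VALIDSIG is emitted only for a cryptographically good signature; its
    # last field is the fingerprint of the primary key.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || return 1
    if [ -n "$want_fpr" ] && [ "$fpr" != "$want_fpr" ]; then
        return 1
    fi
    printf '%s\n' "$fpr"
}

# fetch_and_verify URL KEYRING [EXPECTED_FPR]
# Downloads URL and URL.asc (the ".asc appended to the download URL"
# convention mentioned above) and deletes both if verification fails.
fetch_and_verify() {
    url=$1 keyring=$2 want_fpr=${3:-}
    name=${url##*/}
    curl -fsSLO "$url" && curl -fsSLO "$url.asc" || return 1
    if ! verify_detached "$name" "$name.asc" "$keyring" "$want_fpr" >/dev/null; then
        rm -f "$name" "$name.asc"
        return 1
    fi
}
```

The keyring has to reach the machine by a path that does not depend on the download host, otherwise whoever controls the download can also replace the key.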

@andybons andybons self-assigned this Jan 13, 2018

@enocom

commented Mar 7, 2018

I've been talking with @spf13 about the one-line installer. If the idea is to use tools/cmd/getgo, then how about the following?

```
curl -LO https://get.golang.org/$(uname)/go_installer \
  && chmod +x go_installer \
  && ./go_installer \
  && rm go_installer \
  && source ~/.go_env
```

The idea would be to set the necessary environment variables -- GOPATH and appending to PATH -- in the .go_env file. For future sessions, getgo could also add a line sourcing .go_env to the shell config file.

This would presumably resolve #21277.

Granted, it's not as nice as:

```
curl https://sh.rustup.rs -sSf | sh
```

but getgo does support Windows without a separate installation process.

@spf13

Contributor

commented Mar 7, 2018

If we rename it from go_installer to "gi" it shortens the command a lot :)

It's a fundamentally different approach from the rustup.sh approach. The rustup approach can't set variables in the current shell which is a major stumbling block for users.

@enocom


commented Mar 8, 2018

Here is an attempt at resolving #21277 as we've discussed.

/cc @spf13 @broady @Deleplace

@bradfitz bradfitz modified the milestones: Go1.11, Unreleased Jun 13, 2018

@andybons andybons removed their assignment Sep 18, 2019
