cmd/dist: one-line installer: additional safety/trust features #23430
The one-line installer tracked in #23381 is something many new and current Go programmers will use, likely downloaded from golang.org. In that issue I mentioned having a sensation of distrust when using the Go 1.10 beta installer, and this issue is to discuss any additional features that may reduce such distrust.
My opinion is the valid HTTPS link source is trustworthy enough (I still ran the Go 1.10 beta) and that this issue is a nice-to-have perception improvement. @broady mentions in the other issue that a GPG signature is provided for all downloads on golang.org already.
The sensation of distrust is due to thinking that the features provided in the downloaded binary could be easily replicated by a third party with deconstructive intent. Due to the open source of the tool I'm not sure there's much else that could be done there and the website seems to have just about every necessary security feature, but maybe documentation saying "only download from golang.org and check for the browser green certificate verification and verify the GPG key this way" could be part of the tool distribution.