The issue is about the tool cmd/getgo.
It follows this thread.
The tool is intended to be a one-liner:
curl -LO https://get.golang.org/$(uname)/go_installer && chmod +x go_installer && ./go_installer && rm go_installer
but it ends with this advice:
One more thing! Run `source /home/foobar/.bash_profile` to persist the
new environment variables to your current session, or open a
new shell prompt.
This looks to me like a real caveat for a tool whose purpose is to do all the work in a single step (single action from user).
A possible solution (which may have other problems of its own that I'm not seeing right now) would be instead to download and source a script that does all of this:
curl -LO https://get.golang.org/$(uname)/go_installer_script && source go_installer_script
The contents of go_installer_script would look like this:
curl -LO https://get.golang.org/$(uname)/go_installer &&
chmod +x go_installer &&
./go_installer &&
rm go_installer_script go_installer &&
source "$HOME/.bash_profile"
(@spf13)
Sourcing a script that does it all makes me nervous.
We used to spawn a new shell but it was buggy, so to avoid that we changed it to this, but I am still open to more creative solutions.
Sourcing a script makes me nervous too. You know what would work: writing out a temp file with the paths and sourcing that at the end of the one-liner, then removing it.
It makes me nervous too, but I can't find any objective reason to argue that sourcing a script would be more (or less) dangerous/suspicious than executing a binary. Both have the same power to be harmful and we rely on developers trusting get.golang.org's good intentions.
@spf13 Yes, executing a binary that generates a script + sourcing the script + removing the 2 files should work.
Sourcing a script I see as far more dangerous, as the script's execution depends on a local interpreter, which can vary greatly from one system to the next. The binary doesn't have this property, making it inherently much safer/more predictable.
Change https://golang.org/cl/99620 mentions this issue: cmd/getgo: remove need for new session during install
Assuming that sourcing someone's .bash_profile is without side effects is dangerous. My .profile does some intensive operations to prepare my environment and .bashrc is the one run by each tmux/screen session.
The script will only source a file that it creates. We will not be sourcing any established profile or rc files.
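The approach the thread converges on (the installer writes a file of its own, and the one-liner sources only that file and then removes it), sketched as an added example; it is not code from cmd/getgo or from CL 99620. The file format, the variable allowlist and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: source only a file the installer itself created, and only
# after checking that it contains nothing but the expected assignments.

# Stand-in for what the installer binary would write (hypothetical format).
# $1 is the user's home directory; prints the path of the new file.
write_env_file() {
    env_file=$(mktemp "${TMPDIR:-/tmp}/getgo-env.XXXXXX") || return 1
    chmod 600 "$env_file"                      # private to the current user
    {
        printf 'export GOPATH="%s"\n' "$1/go"
        printf 'export PATH="$PATH:%s:%s"\n' "/usr/local/go/bin" "$1/go/bin"
    } > "$env_file"
    printf '%s\n' "$env_file"
}

# Accept the file only if it is a regular, non-empty file owned by us and
# every line is `export NAME="value"` for an allowlisted NAME, where value
# may start with $PATH: and otherwise holds only plain path characters.
# Command substitution, backticks, ';' and other expansions fail the match.
validate_env_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] && [ -s "$1" ] || return 1
    ! grep -Evq '^export (GOPATH|GOROOT|PATH)="(\$PATH:)?[A-Za-z0-9_./:-]*"$' "$1"
}

# Source the file into the current shell if it validates; remove it either way.
load_env_file() {
    if validate_env_file "$1"; then
        . "$1"
        rc=$?
    else
        echo "refusing to source $1: unexpected content" >&2
        rc=1
    fi
    rm -f -- "$1"
    return "$rc"
}

# Demo with a constructed home directory (the one shown in the issue text).
f=$(write_env_file /home/foobar) && load_env_file "$f" && echo "GOPATH=$GOPATH"
```

Because the file is generated by the installer and checked line by line, no existing profile or rc file is ever executed, which addresses the side-effect concern raised about sourcing `.bash_profile`.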