Something that bothered me about the 1.10 beta installer is that, while definitely convenient, it didn’t feel very official. Are there any possible features to make the experience feel more secure?

I understand that downloading an archive from the download page or doing just about anything on the Internet also requires the same level of trust (why were the files hosted on something other than dl.google.com for awhile?), but a thought is the convenience offered by a 1-line installer could make people more complacent in their sourcing of it.

why were the files hosted on something other than dl.google.com for awhile?

Are you referring to #22648? I agree that it looked sketchy, which is part of why I filed the bug to get it changed.

Yes that was it, thanks for the change.

I trusted the redirector.gvt1.com link because of the https://golang.org/dl/ URL and Chrome saying the cert is valid there, but I thought about it for a moment.

Downloading a 1-click downloader binary over HTTPS from a trustworthy URL page (even pointing at gvt1.com) is the only security I'd actually expect, but the previous comment seemed worth sharing here.

@pciet regarding safety/trust - I'd suggest opening a new bug to discuss that that, but the short answer is that we do provide GPG signatures for tarballs (add .asc to any those download URLs). They're signed with the Google private key. Some more docs for that may be warranted.

@broady here it is: #23430, thanks.

This bug has little description. What is this one-line installer? What problem is supposed to solve? On which operating systems? Is there any kind of doc/spec on how it should work?

@rasky It's intended to be a single short command that anyone can run to install or update Go on their system. It's intended to be the Go equivalent of https://www.rustup.rs/ .

@ianlancetaylor comment in the other issue:

When you suggest some additional documentation that "could be part of the tool distribution," what do you mean?

I was referring to what @broady said above. Maybe explaining good security practices, such as how to verify the GPG signature, could be part of the documentation for the tool. This could be on the website and in the program as help text.

I've been talking with @spf13 about the one-line installer. If the idea is to use tools/cmd/getgo, then how about the following?

curl -LO https://get.golang.org/$(uname)/go_installer \
  && chmod +x go_installer \
  && ./go_installer \
  && rm go_installer \
  && source ~/.go_env

The idea would be to set the necessary environment variables -- GOPATH and appending to PATH -- in the .go_env file. For future sessions, getgo could also add a line sourcing .go_env to the shell config file.

This would presumably resolve #21277.

Granted, it's not as nice as:

curl https://sh.rustup.rs -sSf | sh

but getgo does support Windows without a separate installation process.

if we rename it from go_installer to "gi" it shortens the command a lot :)

It's a fundamentally different approach from the rustup.sh approach. The rustup approach can't set variables in the current shell which is a major stumbling block for users.

Here is an attempt at resolving #21277 as we've discussed.

/cc @spf13 @broady @Deleplace

I saw that no progress was made with getgo so I built goup for myself. Blog post: https://owenou.com/goup.

A few questions I have about a potential tool like this:

1. Is it going to allow multiple Go toolchains to coexist on a system?
2. If so, is it going to allow setting a default toolchain?
3. Do environment variables need to be set? I assume they won't, since the go command has sensible defaults, and GOPATH is deprecated.
4. Will it be module-aware, i.e. if I run go build in a project that expects a different version of the language, would another version be fetched? I assume not, since there would have to be some interaction between the compiler and the installer.

I think this is a great idea, but continuing the comparison with Rust, that has 3 tools:

• rustc - the actual compiler
• cargo - the package and project manager
• rustup - the rust toolchain / target installer and manager

The go binary seems to cover the first 2 cases. What is nice about using rustup, is it’s much more than just a simple install script. You can upgrade your rust install, you can add targets, and you can add tool chains. The rust project nailed it with their tooling and it’s a pleasure to work with.

Perhaps a in the same naming spirit, a go-up tool which can manage versions of go installed and select the active or default version and upgrade it. And it could have a nice 1 line installer with curl piping into sh.

fyi - getgo is deprecated.
The new GOTOOLCHAIN helps updating/switching go toolchain conveniently - assuming there is already a version of go toolchain installed.