cmd/dist: one-line installer: additional safety/trust features #23430
Labels
Documentation
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
WaitingForInfo
Issue is not actionable because of missing required information, which needs to be provided.
Milestone
Comments
|
I'm sorry, I don't fully understand this bug report. When you suggest some additional documentation that "could be part of the tool distribution," what do you mean? |
ianlancetaylor
added
Documentation
NeedsInvestigation
bradfitz
added
the
WaitingForInfo
|
@cznic Since we control golang.org, we should be able to know for sure whether it is vulnerable as the article describes. |
Conclusion: Vulnerable |
mikioh
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The one-line installer tracked in #23381 is something many new and current Go programmers will use, likely downloaded from golang.org. In that issue I mentioned having a sensation of distrust when using the Go 1.10 beta installer, and this issue is to discuss any additional features that may reduce such distrust.
My opinion is the valid HTTPS link source is trustworthy enough (I still ran the Go 1.10 beta) and that this issue is a nice to have perception improvement. @broady mentions in the other issue that a GPG signature is provided for all downloads on golang.org already.
The sensation of distrust is due to thinking that the features provided in the downloaded binary could be easily replicated by a third party with deconstructive intent. Due to the open source of the tool I'm not sure there's much else that could be done there and the website seems to have just about every necessary security feature, but maybe documentation saying "only download from golang.org and check for the browser green certificate verification and verify the GPG key this way" could be part of the tool distribution.
The text was updated successfully, but these errors were encountered: