cmd/dist: one-line installer: additional safety/trust features #23430
Labels: Documentation, FrozenDueToAge, NeedsInvestigation, WaitingForInfo
The one-line installer tracked in #23381 is something many new and current Go programmers will use, likely downloaded from golang.org. In that issue I mentioned having a sensation of distrust when using the Go 1.10 beta installer, and this issue is to discuss any additional features that may reduce such distrust.
My opinion is the valid HTTPS link source is trustworthy enough (I still ran the Go 1.10 beta) and that this issue is a nice-to-have perception improvement. @broady mentions in the other issue that a GPG signature is provided for all downloads on golang.org already.
The sensation of distrust is due to thinking that the features provided in the downloaded binary could be easily replicated by a third party with deconstructive intent. Due to the open source of the tool I'm not sure there's much else that could be done there and the website seems to have just about every necessary security feature, but maybe documentation saying "only download from golang.org and check for the browser green certificate verification and verify the GPG key this way" could be part of the tool distribution.