Suggestion: Use the golang.org/dl API for version info #191
Comments
The python code would be run periodically by a CI job. Though I guess we could include it as python3 is pretty common now... and fall back to the pre-generated version. The DB is about 2.2Mb but compresses really well to about 183kb; we can just use
It would be an awesome contribution.
@syndbg Would it be okay to have a run-time dependency on python3? I can use any language or tool you want; it just needs to be able to translate JSON to text. I could even download something like hairyhenderson/gomplate or docwhat/temple instead of depending on python3. Or I could even build a tiny GoLang program to do the translation from JSON to the DB file format.
Re: "Would it be okay to have a run-time dependency on python3?" This 'should just work' on many modern OSes, but I would prefer to avoid it since it adds extra complexity.
This would be an excellent feature - our CI uses goenv, but we have to rebuild the whole image just to refresh the list of supported golang versions! Seems silly. Consider: instead of throwing a
Hey, sorry for the delayed reply, on a vacation 'till the end of the year. So, answering the questions.
I'd prefer not to depend on anything Python. If you're looking for a specific language to do it, I'd prefer Golang. Just to be clear, this is only a feature for the CI. I still prefer for this "version golang releases/versions discovery feature" to run in CI, create PR (if needed) and still require manual approval.
Being able to install versions fetched dynamically from remote might be amazing as a user experience, but I prefer it the other way - a specific version of Goenv can install only N versions of Golang from well-determined sources and expected checksums. The reason why I prefer this is rather "lame". It's easier from a security perspective (InfoSec) to review and sign-off that this software is "secure". Enterprise/Grown-up friendly... in a way.
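An added example (not goenv's code and not part of any comment in this thread) of the CI-side step discussed here: turning the dl JSON feed into a sorted, reviewable pin file and checking a downloaded archive against it. The pin-file format, `BuildPins`, `VerifyArchive` and the sample feed are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the feed's shape; hashes are SHA-256("") and SHA-256("abc"), not real releases.
const sampleFeed = `[{"version":"go9.9.9","files":[
{"filename":"go9.9.9.linux-amd64.tar.gz","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
{"filename":"go9.9.9.darwin-arm64.tar.gz","sha256":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}]}]`

type release struct {
	Version string
	Files   []struct{ Filename, SHA256 string }
}

// BuildPins renders sorted "sha256  filename" lines (hypothetical pin format), failing closed on bad entries.
func BuildPins(feed []byte) (pins []string, err error) {
	var rels []release
	if err = json.Unmarshal(feed, &rels); err != nil {
		return nil, err
	}
	for _, r := range rels {
		for _, f := range r.Files {
			sum, derr := hex.DecodeString(f.SHA256)
			if derr != nil || len(sum) != sha256.Size || !strings.HasPrefix(f.Filename, r.Version+".") ||
				strings.ContainsAny(f.Filename, "/\\ \t\r\n") {
				return nil, fmt.Errorf("rejecting entry %q", f.Filename)
			}
			pins = append(pins, hex.EncodeToString(sum)+"  "+f.Filename)
		}
	}
	sort.Strings(pins) // stable ordering keeps the generated PR diff small
	return pins, nil
}

// VerifyArchive reports whether data hashes to the value pinned for name.
func VerifyArchive(pins []string, name string, data []byte) bool {
	sum := sha256.Sum256(data)
	want := hex.EncodeToString(sum[:]) + "  " + name
	i := sort.SearchStrings(pins, want)
	return i < len(pins) && pins[i] == want
}

func main() { fmt.Println(BuildPins([]byte(sampleFeed))) }
```

Because the output is sorted and one entry per line, a CI-generated pull request shows exactly which checksums were added or changed, which is the part a reviewer signs off on.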
Unless someone is reviewing each release, the only security benefit is that the window of attack is smaller (golang.org would have to be compromised during a CI build vs. any time someone installs Go) and that a bad release can be removed (tho not revoked since goenv lacks a revoke system). 💡idea: Since we have to trust golang.org anyway, how about we pin the SSL certificate in the curl request? Whether we do it only in CI or in run-time. Is there something we could do to increase the security of gathering the available go versions at run-time?
See #261... waiting on being able to add a PAT to the repo 😄
@ankitcharolia we use the go dev API for automation of daily version checks. I don't mind that you have your own version of goenv that depends on go. Our implementation doesn't depend on any external dependency and uses native shell to achieve the same outcomes.
Now that https://golang.org/dl?mode=json&include=all works, we can use this to fetch a complete list of go archives and installers.
`golang-versions.py`
The generated file output can be used to find versions with `grep`. And you can find available versions by using the `versions` variable: