.
> But that doesn’t seem to be the case here, the script checks for arm vs > amd64, Linux vs Mac, and then fetches and untars the go distro into tmp. > There is no verification of the download. The only check is if curl > returned non 0. > Thanks for catching this, the sha256 check should always have been in place. Adding this is just a one-liner, so that alone shouldn't force the decision. It looks to be very simple to install Go It takes a bit to ensure all build and CI systems are updated, and we never catch everything (esp what's downstream). While it's "simple", multiplied by everyone (and every system) it adds up to be a significant time demand. Again, this too shouldn't be forcing the decision either way on what we want to do.