.


> But that doesn’t seem to be the case here, the script checks for arm vs
> amd64, Linux vs Mac, and then fetches and untars the go distro into tmp.
> There is no verification of the download.  The only check is if curl
> returned non 0.
>


Thanks for catching this, the sha256 check should always have been in
place.  Adding this is just a one-liner, so that alone shouldn't force the
decision.



It looks to be very simple to install  Go



It takes a bit to ensure all build and CI systems are updated, and we never
catch everything (esp what's downstream).


While it's "simple", multiplied by everyone (and every system) it adds up
to be a significant time demand.

Again, this too shouldn't be forcing the decision either way on what we
want to do.

Reply via email to