We should never download and install software via ad hoc scripts without user consent. Was this ever discussed on this mailing list? If not, it’s a clear breach of policy (introducing a new dependency) and a severe one in my opinion, as it seems to introduce a new supply chain attack vector for all developers of Cassandra.
> On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote:
>
>> But that doesn’t seem to be the case here, the script checks for arm vs
>> amd64, Linux vs Mac, and then fetches and untars the go distro into tmp.
>> There is no verification of the download. The only check is if curl
>> returned non 0.
>
> Thanks for catching this, the sha256 check should always have been in place.
> Adding this is just a one-liner, so that alone shouldn't force the decision.
>
>> It looks to be very simple to install Go
>
> It takes a bit to ensure all build and CI systems are updated, and we never
> catch everything (esp what's downstream).
>
> While it's "simple", multiplied by everyone (and every system) it adds up to
> be a significant time demand.
> Again, this too shouldn't be forcing the decision either way on what we want
> to do.
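For reference, the "one-liner" sha256 check from the quoted reply, written out as an added example of a download-and-verify wrapper; this is not the script under discussion nor Cassandra project code, and the pinned version, the digest and the go.dev/dl file-name pattern are placeholders to be filled from the Go downloads page and committed with the build.

```shell
#!/bin/sh
# Added example, not the Cassandra build script: download a pinned Go tarball
# and refuse to extract it unless its SHA-256 matches a digest committed next
# to the build (never a digest fetched from the same place as the tarball).
set -eu

# PLACEHOLDERS: take version and digest for your OS/arch from the Go downloads
# page and commit them alongside the build scripts.
GO_VERSION="X.Y.Z"
GO_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file with whichever tool the host has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: exit status 0 on match, 1 on mismatch.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Map uname output onto the os-arch suffix used in Go tarball names.
go_platform() {
  os=$(uname -s | tr '[:upper:]' '[:lower:]')
  case "$(uname -m)" in
    x86_64|amd64)  arch=amd64 ;;
    aarch64|arm64) arch=arm64 ;;
    *) echo "unsupported arch: $(uname -m)" >&2; return 1 ;;
  esac
  echo "${os}-${arch}"
}

# Download into a private temp dir, verify, and only then untar.
fetch_go() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  tarball="go${GO_VERSION}.$(go_platform).tar.gz"
  curl -fsSL -o "$tmp/$tarball" "https://go.dev/dl/$tarball"
  if ! verify_sha256 "$tmp/$tarball" "$GO_SHA256"; then
    echo "checksum mismatch for $tarball; refusing to install" >&2
    return 1
  fi
  tar -C "$tmp" -xzf "$tmp/$tarball"
}

if [ "${1:-}" = "--fetch" ]; then fetch_go; fi
```

A mismatch leaves nothing extracted, which is the difference between this and checking only curl's exit status.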