PSA: Eget That Executable from GitHub

by tarasglek on 9/8/24, 10:32 AM with 28 comments
by captn3m0 on 9/10/24, 2:17 AM

Figuring out the “latest” release can happen via the 302 redirect that GitHub offers on releases/latest/ - no API needed. It also works directly for artifact URLs.

by __MatrixMan__ on 9/10/24, 3:13 AM

Glad to see that there's a `--verify-sha256=` flag.

I prefer hard-coded hashes in my code so that when the file changes, I'm made aware. I've lost so much time chasing bugs back to a dependency which changed without a version bump and whose hash was checked by a script that just got the hash it was checking at runtime.
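
The two comments above describe the mechanics that a small fetcher actually needs: GitHub's 302 on releases/latest (which also works for releases/latest/download/<asset> URLs) and a digest pinned in the code rather than fetched at run time. The following is an added example, not eget's code and not from the linked post. It parses a constructed redirect response offline, derives the versioned asset URL, checks a payload against a hard-coded SHA-256, and shows why the runtime-fetched hash check described above can never fail. The owner, repo, tag and asset names are made up.

```python
"""Added example, not code from eget or the linked post: resolve GitHub's
releases/latest redirect offline and verify a download against a pinned
SHA-256. Repository, tag and asset names below are made up."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample of the response GitHub sends for
# https://github.com/OWNER/REPO/releases/latest (assumed owner/repo/tag).
# Only the Location header matters; no API call is involved.
SAMPLE_REDIRECT = (
    "HTTP/2 302\r\n"
    "location: https://github.com/example-org/example-tool/releases/tag/v1.2.3\r\n"
    "\r\n"
)

# Same mechanism for an artifact URL: releases/latest/download/<asset>
# redirects to the versioned releases/download/<tag>/<asset> path.
SAMPLE_ASSET_REDIRECT = (
    "HTTP/2 302\r\n"
    "Location: https://github.com/example-org/example-tool/releases/download/"
    "v1.2.3/example-tool_linux_amd64.tar.gz\r\n"
    "\r\n"
)

# Constructed stand-in for a downloaded artifact and its pinned digest
# (the SHA-256 of the bytes b"hello\n").
SAMPLE_BLOB = b"hello\n"
PINNED_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"

_TAG_RE = re.compile(r"^/([^/]+)/([^/]+)/releases/(?:tag|download)/([^/]+)(?:/.*)?$")


def location_header(raw_response: str) -> str:
    """Return the Location header value from raw response headers (case-insensitive)."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    raise ValueError("no Location header: not a redirect")


def latest_tag(location: str) -> str:
    """Extract the release tag from a releases/latest redirect target.

    Accepts both .../releases/tag/<tag> and .../releases/download/<tag>/<asset>.
    Rejects anything not on https://github.com so a spoofed redirect cannot
    steer the download to another host.
    """
    u = urlsplit(location)
    if u.scheme != "https" or u.netloc != "github.com":
        raise ValueError(f"unexpected redirect host: {location}")
    m = _TAG_RE.match(u.path)
    if not m:
        raise ValueError(f"not a release URL: {location}")
    return m.group(3)


def asset_url(owner: str, repo: str, tag: str, asset: str) -> str:
    """Build the versioned download URL for an asset once the tag is known."""
    return f"https://github.com/{owner}/{repo}/releases/download/{tag}/{asset}"


def verify_sha256(data: bytes, pinned_hex: str) -> bool:
    """Compare the payload's digest with a digest hard-coded at build time.

    hmac.compare_digest avoids leaking the mismatch position via timing;
    lower-casing tolerates upper-case hex copied from a checksums file.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_hex.strip().lower())


def runtime_hash_check(data: bytes) -> bool:
    """The anti-pattern from the comment above: if the 'expected' hash is
    obtained at run time from the same source as the payload, the check is
    a tautology and a silently re-published asset is never noticed."""
    expected = hashlib.sha256(data).hexdigest()  # derived from the payload itself
    return verify_sha256(data, expected)


if __name__ == "__main__":
    tag = latest_tag(location_header(SAMPLE_REDIRECT))
    print("latest tag:", tag)
    print("asset URL :", asset_url("example-org", "example-tool", tag,
                                   "example-tool_linux_amd64.tar.gz"))
    print("pinned hash matches:", verify_sha256(SAMPLE_BLOB, PINNED_SHA256))
    print("tampered blob matches:", verify_sha256(SAMPLE_BLOB + b"\x00", PINNED_SHA256))
    print("runtime check still 'passes' on tampered blob:",
          runtime_hash_check(SAMPLE_BLOB + b"\x00"))
```

In practice the Location header comes from `curl -sI https://github.com/OWNER/REPO/releases/latest` or an HTTP client that does not follow redirects; the host check matters because a tool that blindly follows redirects and then trusts what it fetched has moved its trust from github.com to whoever controls the redirect chain. The pinned digest belongs in the script or lockfile next to the version it was computed for, so a re-uploaded asset under the same tag fails loudly instead of being silently accepted.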

by duckkg5 on 9/10/24, 2:20 AM

This seems to be inspired by the smelly nerds meme

https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...

by sneak on 9/10/24, 1:10 AM

This is effectively giving Microsoft RCE on your computer.

We trust github.com and small-time publishers far too much. There’s a reason Debian packages software and runs mirrors.

by bitbasher on 9/12/24, 3:00 PM

I like the idea, but I can't imagine using it for a few reasons.

1. There's a catch-22. In order to fetch binaries you need to first install eget.

2. You need to trust eget to not be (or become) malicious.

Perhaps #1 can be resolved by providing it as a proxy service and not an executable. For example, "wget eget.net/gopls@latest", which then uses eget on the server to grab/cache the binary and send it back.

Then again, that would mean putting even more trust in eget.

by athorax on 9/10/24, 12:53 AM

Not exactly the same, but aqua is a similar tool in this space https://github.com/aquaproj/aqua

by alt187 on 9/10/24, 9:59 AM

> However, I’m firmly on the side of using GitHub for everything because projects that use alternatives to GitHub are special snowflakes that make everything harder for me as a user.

Good.

by oalders on 9/10/24, 3:10 AM

https://github.com/houseabsolute/ubi does a nice job of fetching binaries from GitHub. Just give it a repo and a location to place the binary.

ubi --project oalders/is --in ~/local/bin

by kayson on 9/10/24, 4:37 AM

Similarly, there's Obtainium for Android. I love it for open source apps.

https://github.com/ImranR98/Obtainium