Comment by sneak
1 month ago
“go install” does not have an update mechanism. I imagine most people using it would consider such an anti-feature; it is not a package manager.
I certainly don’t want programs I “go install” to change underneath me without notice or review. That’s basically handing ownership of your computer to a remote developer.
> That's basically handing ownership of your computer to a remote developer.
System / application package updates??
Compare the security resources of the median OS publisher with the median go package publisher.
An OS update from Debian, Apple, or Microsoft is not the same thing as a new version tag on a random go CLI app made by one person (or even a team of people).
Furthermore, while it is becoming much more common for OS package managers to auto-update apps, it still isn’t the default state of affairs for most apps. OS updates are a different matter.
In any case, even without these comparisons, handing RCE to 20 organizations/developers/publishers is worse than handing it to 1 or 2.