Figuring out the “latest” release can happen via the 302 redirect that GitHub offers on releases/latest/ - no API needed. It also works directly for artifact URLs.
Glad to see that there's a `--verify-sha256=` flag.<p>I prefer hard-coded hashes in my code so that when the file changes, I'm made aware. I've lost so much time chasing bugs back to a dependency which changed without a version bump and whose hash was checked by a script that just got the hash it was checking at runtime.
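Added example, not part of the comment above and not eget's own code: a minimal Python sketch of why a hash fetched at runtime from the same host as the file cannot detect an artifact that was republished without a version bump, while a hash pinned in the caller's source can. The host dictionary, file names and artifact bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample artifacts: the same "version" published twice with different bytes.
ORIGINAL = b"#!/bin/sh\necho tool v1.2.0\n"
REPUBLISHED = b"#!/bin/sh\necho tool v1.2.0 (rebuilt)\n"

# In real use this is a literal hex string committed to your repository at review
# time. It is computed here only so the constructed sample stays self-consistent.
PINNED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def make_host(artifact: bytes) -> dict:
    """Simulate a release host that serves an artifact and a checksum file beside it."""
    return {
        "tool-v1.2.0": artifact,
        "tool-v1.2.0.sha256": hashlib.sha256(artifact).hexdigest().encode(),
    }


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the SHA-256 of data with an expected hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def check_runtime_fetched(host: dict) -> bool:
    """Anti-pattern: the expected hash comes from the same place as the file."""
    expected = host["tool-v1.2.0.sha256"].decode()
    return sha256_matches(host["tool-v1.2.0"], expected)


def check_pinned(host: dict) -> bool:
    """The expected hash lives in the caller's source, so upstream changes fail loudly."""
    return sha256_matches(host["tool-v1.2.0"], PINNED_SHA256)


if __name__ == "__main__":
    for label, artifact in (("original", ORIGINAL), ("republished", REPUBLISHED)):
        host = make_host(artifact)
        print(f"{label}: runtime-fetched={check_runtime_fetched(host)} "
              f"pinned={check_pinned(host)}")
```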
This seems to be inspired by the smelly nerds meme<p>https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to_github_and_i_have_lots_to_say/?share_id=PgaydUZlRDobIywviJrnb&utm_content=1&utm_medium=android_app&utm_name=androidcss&utm_source=share&utm_term=1&rdt=60452
This is effectively giving Microsoft RCE on your computer.<p>We trust github.com and small-time publishers far too much. There’s a reason Debian packages software and runs mirrors.
I like the idea, but I can't imagine using it for a few reasons.<p>1. There's a catch-22. In order to fetch binaries you need to first install eget.<p>2. You need to trust eget to not be (or become) malicious.<p>Perhaps #1 can be resolved by providing it as a proxy service and not an executable. For example, "wget eget.net/gopls@latest" which then uses eget on the server to grab/cache the binary and send it back.<p>Then again, that would mean putting even more trust in eget.
Not exactly the same, but aqua is a similar tool in this space: https://github.com/aquaproj/aqua
> However, I’m firmly on the side of using GitHub for everything because projects that use alternatives to GitHub are special snowflakes that make everything harder for me as a user.<p>Good.
https://github.com/houseabsolute/ubi does a nice job of fetching binaries from GitHub. Just give it a repo and a location to place the binary.<p>`ubi --project oalders/is --in ~/local/bin`
Similarly, there's Obtainium for Android. I love it for open source apps.<p>https://github.com/ImranR98/Obtainium