科技回声

9 条评论

Figuring out the “latest” release can happen via the 302 redirect that GitHub offers on releases/latest/ - no API needed. It also works directly for artifact URLs.

__MatrixMan__9 个月前

Glad to see that there's a `--verify-sha256=` flag.I prefer hard-coded hashes in my code so that when the file changes, I'm made aware. I've lost so much time chasing bugs back to a dependency which changed without a version bump and whose hash was checked by a script that just got the hash it was checking at runtime.

duckkg59 个月前

This seems to be inspired by the smelly nerds meme<a href="https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to_github_and_i_have_lots_to_say/?share_id=PgaydUZlRDobIywviJrnb&utm_content=1&utm_medium=android_app&utm_name=androidcss&utm_source=share&utm_term=1&rdt=60452" rel="nofollow">https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...</a>

sneak9 个月前

This is effectively giving Microsoft RCE on your computer.We trust github.com and small-time publishers far too much. There’s a reason Debian packages software and runs mirrors.

评论 #41496451 未加载

评论 #41496511 未加载

评论 #41496469 未加载

评论 #41496433 未加载

bitbasher8 个月前

I like the idea, but I can't imagine using it for a few reasons.1. There's a catch-22. In order to fetch binaries you need to first install eget.2. You need to trust eget to not be (or become) malicious.Perhaps #1 can be resolved by providing it as a proxy service and not an executable. For example, "wget eget.net/gopls@latest" which then usings eget on the server to grab/cache the binary and send it back.Then again, that would mean putting even more trust in eget.

athorax9 个月前

Not exactly the same, but aqua is a similar tool in this space <a href="https://github.com/aquaproj/aqua">https://github.com/aquaproj/aqua</a>

alt1879 个月前

> However, I’m firmly on the side of using GitHub for everything because projects that use alternatives to GitHub are special snowflakes that make everything harder for me as a user.Good.

评论 #41501961 未加载

评论 #41503009 未加载

评论 #41500961 未加载

oalders9 个月前

<a href="https://github.com/houseabsolute/ubi">https://github.com/houseabsolute/ubi</a> does a nice job of fetching binaries from GitHub. Just give it a repo and a location to place the binary.ubi --project oalders/is --in ~/local/bin

kayson9 个月前

Similarly, there's Obtainium for Android. I love it for open source apps.<a href="https://github.com/ImranR98/Obtainium">https://github.com/ImranR98/Obtainium</a>

评论 #41498388 未加载

9 条评论

captn3m09 个月前

Figuring out the “latest” release can happen via the 302 redirect that GitHub offers on releases/latest/ - no API needed. It also works directly for artifact URLs.

__MatrixMan__9 个月前

duckkg59 个月前

sneak9 个月前

This is effectively giving Microsoft RCE on your computer.We trust github.com and small-time publishers far too much. There’s a reason Debian packages software and runs mirrors.

评论 #41496451 未加载

评论 #41496511 未加载

评论 #41496469 未加载

评论 #41496433 未加载

bitbasher8 个月前

athorax9 个月前

Not exactly the same, but aqua is a similar tool in this space <a href="https://github.com/aquaproj/aqua">https://github.com/aquaproj/aqua</a>

alt1879 个月前

> However, I’m firmly on the side of using GitHub for everything because projects that use alternatives to GitHub are special snowflakes that make everything harder for me as a user.Good.

评论 #41501961 未加载

评论 #41503009 未加载

评论 #41500961 未加载

oalders9 个月前

kayson9 个月前

Similarly, there's Obtainium for Android. I love it for open source apps.<a href="https://github.com/ImranR98/Obtainium">https://github.com/ImranR98/Obtainium</a>

评论 #41498388 未加载

PSA: Eget That Executable from GitHub

9 条评论

PSA: Eget That Executable from GitHub

9 条评论