On Tue, Feb 14, 2023 at 03:12:46PM -0500, Mike Frysinger wrote:
> On Tue, Feb 14, 2023 at 3:08 PM Tom Rini <tr...@konsulko.com> wrote:
> > Downloading things from the internet and putting them in to the default
> > PATH always and forever is also kinda not great?
>
> you just described a standard distribution. this is like literally
> how all of them work. not to mention every other language-specific
> distro tool out there (e.g. Python pip, Perl cpan, Go, etc...).
>
> maybe you'd like more guarantees on top (e.g. signature verification)
> which is reasonable.
>
> but to be clear, this script is already merged & in the tree, so your
> feedback doesn't block this patch.

Yes, exactly. This is a fix on top of what we do today, so it should go in.
But modern distributions only install signed packages, and
language-specific tools tend to be a hive of bad examples. Looking over
binman right now, I see that we're either using apt (and oh, there's "aot"
typo in one spot) or downloading from a known Google drive, for only a few
less common tools.

So yes, I would like to see some ideas on how to improve things in the
future so we aren't putting the binaries somewhere that's not a default
(or frequently common) PATH location.

--
Tom