
On Tue, Feb 14, 2023 at 03:12:46PM -0500, Mike Frysinger wrote:
> On Tue, Feb 14, 2023 at 3:08 PM Tom Rini <trini@konsulko.com> wrote:
> > Downloading things from the internet and putting them into the default PATH always and forever is also kinda not great?
>
> you just described a standard distribution. this is like literally how all of them work. not to mention every other language-specific distro tool out there (e.g. Python pip, Perl cpan, Go, etc...).
> maybe you'd like more guarantees on top (e.g. signature verification) which is reasonable.
> but to be clear, this script is already merged & in the tree, so your feedback doesn't block this patch.

Yes, exactly. This is a fix on top of what we do today, so it should go in. But modern distributions only install signed packages, and language-specific tools tend to be a hive of bad examples. Looking over binman right now, I see that we're either using apt (and oh, there's "aot" typo in one spot) or downloading from a known Google drive, for only a few less common tools.
So yes, I would like to see some ideas on how to improve things in the future so we aren't putting the binaries somewhere that's not a default (or frequently common) PATH location.