On 8/17/20 08:41, fge...@gmail.com wrote:
> On 8/17/20, 'K Richard Pixley' via golang-nuts
> <golang-nuts@googlegroups.com> wrote:
>> On 8/15/20 00:43, fge...@gmail.com wrote:
>>> On 8/15/20, Marvin Renich <m...@renich.org> wrote:
>>>> * Volker Dobler <dr.volker.dob...@gmail.com> [200814 14:53]:
>>>>> On Friday, 14 August 2020 20:39:37 UTC+2, K Richard Pixley wrote:
>>>>>> Isn't this the default location?  I just untarred the distribution...
>>>>> No. There is a reason
>>>>> https://golang.org/doc/install#install
>>>>> states to do  tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz
>>>>> ....
>>>> It also might be productive to mention that many (Linux?) distributions
>>>> (e.g. Debian, Fedora, RHEL) provide reasonably up-to-date packages for
>>>> Go, and that using the distribution's package manager may be easier,
>>>> provide better security support, and integrate better than manually
>>>> installing the official Go binary distribution.
>>> Could you please give an example to "better security support" in a
>>> distribution's package manager?
>> Part of the job of a distribution is integration.  Who owns which files,
>> where they are stored, and who has access to them are all under the
>> auspices of integration.  Go itself can't really be expected to manage
>> all of those details for every single distribution that might ever
>> exist.  But the local package manager can, and typically does both own
>> and manage those details.
> Oh but yes, I expect that the current Go installation scheme is
> expected to manage all those details (a user's private namespace), so
> it shall be a viable alternative for quite a long time.
> (Although my imagination is limited, at the moment I can't imagine a
> change where the all too frequent global namespace pollution of
> operating system packages, which as I understand you can call
> management if you like, would mess up the private namespace of a user
> that much. At least for the mainstream desktop and server operating
> systems.)

I think you're missing my point.  Let me try again.

If the standard location for the go compiler is /usr/local/go/bin and anyone with access to that file system can, at will, install a new compiler, then the other users are at their mercy.  Policies for who can or can't install a new /usr/local/go/bin/go are up to the distribution and generally handled by the distribution's packaging and integration policies.

E.g., is it owned by root?  By bin?  By "golang"?  What group?  Is /usr/local/go/bin a local file system?  Shared, perhaps by NFS or ceph?  Or duplicated and distributed read-only as a cloud based filesystem on a cloud-based-block-device?

These are all decisions made by system admins in concert with the distribution they're using.  The distributors of golang proper can't really be held responsible for each and every possible local convention.  But the local sysadmins, (in concert with their distribution), certainly can.

Anyway, this is a level of security that cannot reasonably be expected of the golang team but can, and typically is, expected from distributions.  I believe that is an answer to the question that was asked.

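The ownership questions raised in the message above can be checked mechanically. The following is an added example, not part of the thread and not Go project tooling: it walks from the compiler binary up through its parent directories and reports every component that is group or world writable, or not owned by root. `Finding` and `AuditChain` are hypothetical names, and a Unix-like system is assumed (`syscall.Stat_t`).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Finding is one path component that someone other than root could change.
type Finding struct {
	Path     string
	Mode     os.FileMode
	Writable bool // group/world write bit set, and not a sticky directory
	NonRoot  bool // owner is not uid 0
}

// AuditChain checks bin and every directory above it, up to and including stop.
func AuditChain(bin, stop string) ([]Finding, error) {
	var out []Finding
	for p := filepath.Clean(bin); ; p = filepath.Dir(p) {
		fi, err := os.Stat(p)
		if err != nil {
			return nil, err
		}
		// A sticky directory (like /tmp) stops users replacing others' entries.
		sticky := fi.IsDir() && fi.Mode()&os.ModeSticky != 0
		f := Finding{Path: p, Mode: fi.Mode().Perm()}
		f.Writable = f.Mode&0o022 != 0 && !sticky
		st, ok := fi.Sys().(*syscall.Stat_t)
		f.NonRoot = ok && st.Uid != 0
		if f.Writable || f.NonRoot {
			out = append(out, f)
		}
		if p == filepath.Clean(stop) || p == filepath.Dir(p) {
			return out, nil
		}
	}
}

func main() {
	findings, err := AuditChain("/usr/local/go/bin/go", "/")
	if err != nil {
		fmt.Println("audit failed:", err)
	}
	for _, f := range findings {
		fmt.Printf("%s mode=%v writable=%v non-root=%v\n", f.Path, f.Mode, f.Writable, f.NonRoot)
	}
}
```

Mode bits and ownership do not answer the NFS, ceph or read-only-image questions from the message; those depend on how the file system is mounted and exported.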