PSA: Eget That Executable from GitHub (opens in new tab)

(taras.glek.net)

47 pointstarasglek1y ago28 comments

28 comments

19 comments · 9 top-level

sneak1y ago· 5 in thread

This is effectively giving Microsoft RCE on your computer.

We trust github.com and small-time publishers far too much. There’s a reason Debian packages software and runs mirrors.

Short of that, I really like the AUR model, especially -git packages. The scripts are so simple they can actually feasibly be reviewed (for the average arch Linux AUR user, anyway?) and are usually just "clone, make, install".

dishsoap1y ago

You probably already give Microsoft RCE on your computer (or Apple, or the maintainers of your linux distro, etc).

Zambyte1y ago

I'm curious why you think this is true of GNU/Linux distributions. I can't think of any besides Ubuntu (Snap) that this really makes sense for.

2 more replies

hamandcheese1y ago

But where does Debian get the source for those packages?

I agree that github is uncomfortably large, but the problem isn't this tool, and the solution isn't something Debian can achieve on their own.

cl3misch1y ago

True, but if you install it anyway (like the author), might as well do it with this tool.

alt1871y ago· 4 in thread

> However, I’m firmly on the side of using GitHub for everything because projects that use alternatives to GitHub are special snowflakes that make everything harder for me as a user.

Good.

nexus_six1y ago

There are privacy and data integrity issues with GitHub for both enterprise and personal use. Gitlab and other self-hosted alternatives are nearly exactly the same. I don't know if "by harder for me as a user" they mean the web-facing frontend, or something else. And even then something like Gitlab offers the exact same feature set as Github does on the web frontend.

On a sidenote this is the same "but x is so much more convenient" mentality that is driving open source projects to lock all their documentation behind something like a Discord chatroom instead of having a proper docs page or wiki.

immibis1y ago

Why do you like monopolies? GitHub is already abusing its position by refusing to let me have an account without SMS verification, and refusing to let me delete my account without SMS verification.

alt1871y ago

> Why do you like monopolies? GitHub is already abusing its position by refusing to let me have an account without SMS verification, and refusing to let me delete my account without SMS verification.

I'm against Github. I think that nuance got lost.

pmarreck1y ago

It would be way better if tooling was hub-agnostic and compatible with all git:// style url's so that github would not be a SPOF as well as a single point of monopolizing

kayson1y ago· 1 in thread

Similarly, there's Obtainium for Android. I love it for open source apps.

https://github.com/ImranR98/Obtainium

tarasglekOP1y ago

Awesome, thank you

captn3m01y ago

Figuring out the “latest” release can happen via the 302 redirect that GitHub offers on releases/latest/ - no API needed. It also works directly for artifact URLs.

__MatrixMan__1y ago

Glad to see that there's a `--verify-sha256=` flag.

I prefer hard-coded hashes in my code so that when the file changes, I'm made aware. I've lost so much time chasing bugs back to a dependency which changed without a version bump and whose hash was checked by a script that just got the hash it was checking at runtime.

duckkg51y ago

This seems to be inspired by the smelly nerds meme

https://www.reddit.com/r/github/comments/1at9br4/i_am_new_to...

bitbasher1y ago

I like the idea, but I can't imagine using it for a few reasons.

1. There's a catch-22. In order to fetch binaries you need to first install eget.

2. You need to trust eget to not be (or become) malicious.

Perhaps #1 can be resolved by providing it as a proxy service and not an executable. For example, "wget eget.net/gopls@latest" which then usings eget on the server to grab/cache the binary and send it back.

Then again, that would mean putting even more trust in eget.

athorax1y ago

Not exactly the same, but aqua is a similar tool in this space https://github.com/aquaproj/aqua

oalders1y ago

https://github.com/houseabsolute/ubi does a nice job of fetching binaries from GitHub. Just give it a repo and a location to place the binary.

ubi --project oalders/is --in ~/local/bin

j / k navigate · click thread line to collapse