ensure

command module

v0.0.0-...-aa1d45b Latest Latest Go to latest Published: Jul 27, 2020 License: MIT Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/clfs/ensure

Links

Open Source Insights

README ¶

ensure

Check hashes with Unix pipes.

Disclaimer

This tool provides no additional security - it only prevents accidental data modification. If you need to prevent malicious data modification, you should use a public-key signature system.

Installation

go get github.com/clfs/ensure

Usage

$ ensure
Usage:
	$ ... | ensure md5 1a79a4d60de6718e8e5b326e338ae533 | ...
	Check the hash, then pass standard input to standard output.
Options:
	-list	List all supported algorithms.
	-help	Print this help message.
	-quiet	Suppress error messages.

Inspiration

I thought of this while installing Rust. As of now, the recommended rustup installation method looks like this:

curl https://sh.rustup.rs -sSf | sh

The curl flags are:

-s, --silent        Silent mode (don't output anything)
-S, --show-error    Show error. With -s, make curl show errors when they occur
-f, --fail          Fail silently (no output at all) on HTTP errors (H)

If you check man curl though, you'll see that the -f flag isn't exactly fail-safe. At minimum, the 401 (Unauthorized) and 407 (Proxy Authentication Required) HTML response codes still cause curl to print to standard ouput.

-f, --fail
       (HTTP)  Fail  silently (no output at all) on server errors. This
       is mostly done to better enable scripts etc to better deal  with
       failed  attempts.  In  normal cases when an HTTP server fails to
       deliver a document, it  returns  an  HTML  document  stating  so
       (which  often  also describes why and more). This flag will pre‐
       vent curl from outputting that and return error 22.

       This method is not fail-safe and there are occasions where  non-
       successful  response  codes  will  slip through, especially when
       authentication is involved (response codes 401 and 407).

Instead, you can strengthen the -f flag by using ensure in tandem. Here's what that might look like (with the hash truncated for clarity):

curl https://sh.rustup.rs -sSf | ensure sha256 9bbf4987[...] | sh

This isn't a great solution, to be fair - I'd definitely prefer the rustup team use signing keys for their installation script. The RVM installer is a useful example, even if it uses outdated GPG tooling.

License

MIT; check the LICENSE file.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL