https://pantsbuild.org/ logo
Powered by
s

silly-queen-7197

03/12/2023, 4:42 AM
Here's a potentially dumb question. On https://www.pantsbuild.org/docs/installation it suggests removing 
./pants
. Ok, I'll run
Copy code
curl --proto '=https' --tlsv1.2 -fsSL <https://static.pantsbuild.org/setup/get-pants.sh>
as suggested but this doesn't install anything in 
~/bin
. All it seems to do is print a bunch of stuff out? I'm running on Ubuntu. The output looks like
Copy code
...
ARCH="$(calculate_arch)"
URL="<https://github.com/pantsbuild/scie-pants/releases/${version}/scie-pants-${OS}-${ARCH}>"
dest="${bin_dir}/${base_name}"

log "Downloading and installing the pants launcher ..."
install_from_url "${URL}" "${dest}"
green "Installed the pants launcher from ${URL} to ${dest}"
if ! command -v "${base_name}" > /dev/null; then
  warn "${dest} is not on the PATH."
  log "You'll either need to invoke ${dest} explicitly or else add ${bin_dir} to your shell's PATH."
fi

green "\nRunning \`pants\` in a Pants-enabled repo will use the version of Pants configured for that repo."
green "In a repo not yet Pants-enabled, it will prompt you to set up Pants for that repo."
e

enough-analyst-54434

03/12/2023, 4:45 AM
The short of it is, it's a super bad idea to curl | bash. You should read scripts you execute. The 2.15 instructions left actually saving the curled file as an exercise for the reader (not sure why). You could add -O to get curl to save the file in the 2.15 instructions, for example.
Then, continuing on the 2.15 path, you'd read the script, determine it's not a virus, chmod +x it, then execute it or check it in or both. If you're comfortable with the 2.16 curl | bash though, then you can just do that.
s

silly-queen-7197

03/12/2023, 4:56 AM
Browsing the internet for an example, would something like
Copy code
RUN curl --location --show-error --silent --output get-poetry.py <https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py> \
      && echo '08336beb0091ab192adef2cedbaa3428dabfc8572e724d2aa7fc4a4922efb20a get-poetry.py' > get-poetry.py.sha256 \
      && sha256sum --check get-poetry.py.sha256 \
      && python3 get-poetry.py \
      && rm get-poetry.py get-poetry.py.sha256
be a more secure option? (e.g. checking an explicit checksum) Or does it not matter because its https and I trust *.pantsbuild.org?
In any case, thanks for such a quick answer on a Saturday night. It's always appreciated
h

happy-kitchen-89482

03/12/2023, 5:45 AM
get-pants.sh applies that sort of checksum verification to the binaries it downloads.
If you want to apply checksum verification to it then where would that checksum come from?
There is an infinite recursion problem here...
In the end there has to be some moment of trust. Checking get-pants.sh into your repo lets you at least concentrate that moment of trust to just a one-time download and visual inspection of the script.
9 Views
Powered by