# general
s
Here's a potentially dumb question. On https://www.pantsbuild.org/docs/installation it suggests removing `./pants`. Ok, I'll run

```shell
curl --proto '=https' --tlsv1.2 -fsSL https://static.pantsbuild.org/setup/get-pants.sh
```

as suggested but this doesn't install anything in `~/bin`. All it seems to do is print a bunch of stuff out? I'm running on Ubuntu. The output looks like
```shell
...
ARCH="$(calculate_arch)"
URL="https://github.com/pantsbuild/scie-pants/releases/${version}/scie-pants-${OS}-${ARCH}"
dest="${bin_dir}/${base_name}"

log "Downloading and installing the pants launcher ..."
install_from_url "${URL}" "${dest}"
green "Installed the pants launcher from ${URL} to ${dest}"
if ! command -v "${base_name}" > /dev/null; then
  warn "${dest} is not on the PATH."
  log "You'll either need to invoke ${dest} explicitly or else add ${bin_dir} to your shell's PATH."
fi

green "\nRunning \`pants\` in a Pants-enabled repo will use the version of Pants configured for that repo."
green "In a repo not yet Pants-enabled, it will prompt you to set up Pants for that repo."
```
e
The short of it is, it's a super bad idea to `curl | bash`. You should read scripts you execute. The 2.15 instructions left actually saving the curled file as an exercise for the reader (not sure why). You could add `-O` to get curl to save the file in the 2.15 instructions, for example.
Then, continuing on the 2.15 path, you'd read the script, determine it's not a virus, `chmod +x` it, then execute it or check it in or both. If you're comfortable with the 2.16 `curl | bash` though, then you can just do that.
s
Browsing the internet for an example, would something like
```dockerfile
RUN curl --location --show-error --silent --output get-poetry.py https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py \
      && echo '08336beb0091ab192adef2cedbaa3428dabfc8572e724d2aa7fc4a4922efb20a get-poetry.py' > get-poetry.py.sha256 \
      && sha256sum --check get-poetry.py.sha256 \
      && python3 get-poetry.py \
      && rm get-poetry.py get-poetry.py.sha256
```
be a more secure option? (e.g. checking an explicit checksum) Or does it not matter because it's https and I trust *.pantsbuild.org?
In any case, thanks for such a quick answer on a Saturday night. It's always appreciated.
h
`get-pants.sh` applies that sort of checksum verification to the binaries it downloads.
If you want to apply checksum verification to it then where would that checksum come from?
There is an infinite recursion problem here...
In the end there has to be some moment of trust. Checking `get-pants.sh` into your repo lets you at least concentrate that moment of trust to just a one-time download and visual inspection of the script.