TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

50% Positive

Analyzed from 248 words in the discussion.

Trending Topics

#service#vibe#using#binary#version#target#download#binaries#builds#install

Discussion (7 Comments)Read Original on HackerNews

guessmynameabout 2 hours ago
Oh, this web service is going to be such a nice target for hackers waiting to infect everyone who dares download random binaries. Centralizing “builds on demand” like this creates a pretty juicy supply-chain target. If the service gets popped, you’ve got a one-stop shop for shipping compromised binaries to every arch/OS combo. Convenient idea, but I’d only trust it with strong guarantees: reproducible builds, signed artifacts tied to commits, and a way to verify locally. Otherwise it’s basically “go install URL” with extra steps.
oefrhaabout 1 hour ago
If you're in the market for this kind of thin convenience wrapper you might as well just vibe code a .goreleaser.yaml, .github/workflows/releases.yml and an install.sh. Takes a couple minutes, and you don't need to face angry users when this service is hacked/turns evil/shuts down. (Before anyone protests vibe coding, you're doing less due diligence by using this.)
fractorialabout 1 hour ago
Precisely; Go is by no means perfect, but if you want to throw away its security efforts, by all means use goblin.run

I’ll take vibe shooting myself in the foot over lying to myself any day.

fractorialabout 3 hours ago
I cannot fathom why anyone would want this.
gbraadabout 2 hours ago
It is mostly indicative of another underlying issue, like glibc versions or so. But this also leads to weird situations with reproducibility for QE/error reporting. One of the reasons I also hated some distro wanting to devendor and use distro dependencies. This all makes it harder to have a consistent support matrix.
duskwuffabout 1 hour ago
> The response of this request is a Golang binary compiled for the requested operating system, architecture, package version, and the binary's name—using Go 1.17.x

Uh... Go 1.17 is almost five years old. (The current version is 1.26.) Why is this service using an ancient version of Go?

ivere27about 3 hours ago
so, it's kinda build server, building golang sources in remote server? then, download the built binary? it seems to be useful for normal enduser I guess