Skip to content

Consider go install instructions as another option for installing from latest #137

Open
@AaronFriel

Description

@AaronFriel

This installation method enables users to download and install any version published as a tag, the latest tag, or a branch. It can be a convenient way to install on platforms or CI environments where local scripting tools can vary wildly, but a Go compiler is available due to a previous step in the CI pipeline or by the container image.

It's common for tools to suggest this as the quickest way to install from source, without requiring users to clone a repository.

Example commands:

# install the most recently tagged version
go install oras.land/oras/cmd/oras@latest

# use the tip of a ref, e.g.: main
go install oras.land/oras/cmd/oras@main

# use a specific tag, e.g.: v1.0.0
go install oras.land/oras/cmd/[email protected]

The security purist in me doesn't like that this method lacks certain supply chain security characteristics - these binaries cannot be signed - but these instructions are protected by the same mechanism as Go dependencies are via the Go module proxy. When using tagged versions, the tag is checked against sum.golang.org.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions