Hacker News new | ask | show | jobs
Gah – CLI to install software from GitHub Releases (github.com)
35 points by marverix 554 days ago
8 comments
combiBean 554 days ago
This seems to be similar to eget: https://github.com/zyedidia/eget

eget was developed by the same person like the micro terminal text editor.

link
westurner 554 days ago
Software installers should check hashes and signatures before installing anything.

Doesn't GitHub support package repositories for signed packages?

https://slsa.dev/get-started explains about verifiable build provenance attestations:

> SLSA 2

> To achieve SLSA 2, the goals are to:

> - Run your build on a hosted platform that generates and signs provenance

> - Publish the provenance to allow downstream users to verify

> [...]

> SLSA 3

> To achieve SLSA 3, you must:

> - Run your build on a hosted platform that generates and signs provenance

> - Ensure that build runs cannot influence each other

> - Produce signed provenance that can be verified as authentic

And:

> For now, the convention is to keep the provenance attestation with your artifact. Though Sigstore is becoming more and more popular, the format of the provenance is currently tool-specific.

link
nikolay 554 days ago
That's what' Aqua [0] does plus more!

[0]: https://aquaproj.github.io/

link
westurner 552 days ago
From https://aquaproj.github.io/ :

> aqua installs tools securely. aqua supports Checksum Verification, Policy as Code, Cosign and SLSA Provenance, GitHub Artifact Attestations, and Minisign. Please see Security.

link
darren0 554 days ago
Seems very similar to https://dist.sh/ but distillery seems a bit more robust.
link
drewbitt 554 days ago
ubi https://github.com/houseabsolute/ubi is the one I know, as it is available in mise https://mise.jdx.dev/dev-tools/backends/ubi.html
link
marverix 554 days ago
Nice! Shame that I didn't knew about it earlier
link
ekristen 554 days ago
nice work marverix, love seeing bash used like this.
link
marverix 554 days ago
Thanks! <3
link
ekristen 554 days ago
dist author here. since darren0 was so kind to reference my tool, I'll just add dist is written in go, is cross platform, can handle github, gitlab, homebrew packages (with caveats), and a few others and you can create custom aliases as well. there are a few additional features in the works right now. also supports signature and checksum verification if available.
link
jhvkjhk 554 days ago
There's also https://github.com/zyedidia/eget, which is also written in Go.
link
tarasglek 554 days ago
Here is my HN submission about eget: https://news.ycombinator.com/item?id=41479539

It's great to see movement in this space. The main problem in my experience is github api and throttling. It's really hard to download 40 binaries while building an image for CI/CD. Binaries themselves are CDNed, but github apis to find them are easily throttled, especially behind NAT.

Need to have some caching mechanism avoid this. Eget seems currently abandoned, maybe gah can start looking stuff in a cache.

link
ekristen 554 days ago
the dist project referenced above supports both caching and authentication for both github and gitlab.
link
tarasglek 554 days ago
yes, i added it to my blog post, will investigate
link
ekristen 554 days ago
cool. please let me know when you post, I would like to read. I'm the author of dist if that wasn't clear. Also looking for feedback on the project should you find it useful.
link
cyansmoker 553 days ago
This is so funny and also a commentary on my inability to perform searches in github I guess.

A month ago I was looking for something like this, so I created https://github.com/fusion/gogo

Now this thread is revealing an abundance of alternate tools.

I'm considering creating a "list of fetching tools" just to help folks find the one they want, since some features described here are very interesting.

link
johnisgood 554 days ago
> gah is an GitHub Releases app installer, that does not require sudo

?. I am sure it does if installed to /usr or /usr/local.

If installed to ~/.local, then obviously no root required. How is this a feature?

Do alternatives not allow installing to custom destination path?

link
Clement_Nerma 554 days ago
Nice! Shameless plug, I've made a similar tool recently, which uses a manifest file instead: https://github.com/ClementNerma/Fetchy
link
marverix 554 days ago
Fetchy is really nice! I really like the how smooth it looks in demo. Only thing that I don't like is the manifest file. Personally, I would be too lazy to create one. But I find use case for it for organizations, when you want to keep it as a code in repo, which pre-defined versions for whole organization. If, for example, you would be able to tell fetchy to use remote manifest that would be a game changer for organizations.
link
Clement_Nerma 554 days ago
Yes, Fetchy is only the base block, and I don't expect anyone to actually build their own repository.

You can actually use the example one which contains a few common tools.

link
nikolay 554 days ago
I've been using Aqua [0] and I'm super happy with it!

[0]: https://aquaproj.github.io/

link
hiatus 554 days ago
Should probably include "Show HN" in the title
link
marverix 554 days ago
Sorry, I will do it next time. Thank you for the comment.
link