Go automatically downloads a newer toolchain if needed
Go now automatically downloads newer toolchains from version 1.21, allowing users to manage toolchain versions via the GOTOOLCHAIN variable, with security measures in place to ensure safe downloads.
Go has introduced a feature that automatically downloads a newer toolchain when one is needed, starting with version 1.21. The go command uses its bundled toolchain when it can and downloads another version when required: specifically, when the Go version specified in the go.mod file exceeds the version of the installed Go binary, provided that binary is at least 1.21. Users can select a particular toolchain through the GOTOOLCHAIN environment variable, which accepts auto, local and path settings. Downloaded toolchains are stored in the GOPATH under the golang.org/toolchain module. This simplifies the setup process for Go projects: as long as a reasonably up-to-date Go binary is available, users can easily bootstrap their projects. There are concerns about downloading and running binaries from the internet, but the security measures in place, such as module checksums, help mitigate the risk. Users who prefer not to use automatic downloading can disable it by setting GOTOOLCHAIN to local, which is also recommended for continuous integration environments to keep toolchain versions consistent.
- Go now automatically downloads newer toolchains starting from version 1.21.
- Toolchains are downloaded when the specified version in go.mod exceeds the current binary version.
- Users can control toolchain behavior using the GOTOOLCHAIN environment variable.
- Downloaded toolchains are stored in the GOPATH under the golang.org/toolchain module.
- Security measures, including module checksums, help ensure safe downloads.
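A pre-flight check for the behaviour summarised above, written as an added example (not code from the Go project or the article): it reads the go and toolchain directives from a go.mod and reports whether, for a given installed Go version and GOTOOLCHAIN setting, the go command would reach out for a toolchain. The sample go.mod and the version strings are constructed; the path setting and combined forms such as go1.21.3+auto are not modelled.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample go.mod (not from the page) whose toolchain line demands a newer Go than the host's 1.22.x.
const sampleGoMod = `module example.com/svc
go 1.22.3
toolchain go1.23.0
`

// requiredToolchain returns what go.mod asks for: the "toolchain" directive if present, else the "go" directive.
func requiredToolchain(gomod string) string {
	goVer, tcVer := "", ""
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			switch f[0] {
			case "go":
				goVer = f[1]
			case "toolchain":
				tcVer = strings.TrimPrefix(f[1], "go")
			}
		}
	}
	if tcVer != "" {
		return tcVer
	}
	return goVer
}

// newerThan reports whether a is numerically newer than b ("1.22" counts as "1.22.0"; rc/beta suffixes not handled).
func newerThan(a, b string) bool {
	pa, pb := strings.Split(a+".0.0", "."), strings.Split(b+".0.0", ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x > y
		}
	}
	return false
}

// wouldDownload: the go command fetches a toolchain only under GOTOOLCHAIN=auto and only when
// go.mod asks for a version newer than the local one; under "local" it errors out instead.
func wouldDownload(gomod, localVer, gotoolchain string) bool {
	return gotoolchain != "local" && newerThan(requiredToolchain(gomod), localVer)
}
```

Running this over every go.mod in a repository (including modules pulled in through replace directives) before a CI job starts surfaces the dependency-driven toolchain bumps discussed in the comments.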
Related
Is Guix full-source bootstrap a lie?
The article discusses Guix's transparent and secure full-source bootstrap process, enabling users to verify over 22,000 nodes like Python PyTorch with 1150 dependencies. It emphasizes verifying each step to prevent backdoors or fraud.
Building static binaries with Go on Linux
The article explains how to build static binaries with Go on Linux, noting that while possible, it requires specific configurations and tools, especially when using C code via cgo.
Go 1.23 Release Notes
Go 1.23, releasing in August 2024, introduces features like "range-over-func," generic type aliases, a telemetry system, improved timers, and new packages, enhancing performance and developer experience.
Go is my hammer, and everything is a nail
Markus, a solo developer, exclusively uses Go for software development, valuing its simplicity and versatility. He believes focusing on one language enhances productivity and deepens expertise without limiting career options.
Go 1.23
Go 1.23 has been released with enhancements to the toolchain, runtime, and libraries, including the "range-over-func" feature, opt-in telemetry, and updates to the standard library for improved performance.
Made a little harder to track down initially, as we have a replace directive pointing to a local proto module in each service. It was here that the toolchain was set, which forced it to keep appearing in the top-level module.
Should’ve been opt-in behaviour by default, not enforced.
We’ve decided to sit on n-1 of Go, and I’ve already had an example last month of a well-used OSS library setting toolchain to 1.22 as a patch release (which could be considered a breaking change), which fortunately was quickly reverted.
https://go.googlesource.com/proposal/+/master/design/57001-g...
> Many people believe the go line in the go.mod file specifies which Go toolchain to use. This proposal would correct this widely held misunderstanding by making it reality.
That doesn't sound like a good reason to automatically download binaries and run them.
Is it difficult to update or install a new version of Go, and are there such frequent updates in the Go spec introducing new features that it is necessary to auto-install the compiler itself?
Supply chain attacks are on the rise and not a new concept, and yet we see these changes.
This is not the first time Go has introduced a questionable opt-out feature [1]. They backed out, but it looks like there were no takeaways from that episode.
Only by default, as the Go toolchain has supported dynamic linking for ages, and without third-party dependencies called via cgo, or stuff like DNS resolution on Linux.
If they want magic like this, it should be opt-in, not opt-out.
And yes, you need to make sure GOTOOLCHAIN=auto; my colleague had to explicitly set it because it defaults to local on Gentoo.
GoTV builds needed toolchain versions with the Go source code instead of downloading the pre-built toolchain packages.