Why does this need to pipe a script into bash from a non-github origin?
And in that script, you're actually piping another script from yet another domain (`https://goblin.reaper.im/`), where reaper.im looks like some kind of ad-infested parking domain?
You can also install it with go, I updated the readme
`go install github.com/remorses/docker-phobia`
Looks like goblin.run is a project that lets you install golang projects without having golang installed. OP should probably preface the installation script with this.
or just use, I don't know, docker?
> or just use, I don't know, docker?
The author is apparently afraid of docker, hence Docker-phobia.
Touché!
Aren't go binaries statically compiled? Why is anything other than a static binary download and `chmod +x` even needed?
sure, for each arch.. or just use the thing that the tool is designed for as the distribution mechanism. A `docker run ...` is one step, not the two you're advocating.
Not using https is bad.
`curl -sf http://goblin.run/github.com/remorses/docker-phobia | sh`
Also why just include that shell script in the repo and have people curl that?
Goblin is a service that builds a go binary for your platform on the fly and downloads it in PATH. This is a much faster way than setting up GitHub Actions to build an executable for every possible platform on every release. You can also use go install if you know what you are doing.
> This is a much faster way than setting up GitHub Actions to build an executable for every possible platform on every release
It's not even that hard. Just use GoReleaser.
https://goreleaser.com/
And then later add a script that downloads the binary from GitHub releases. Doesn't improve the situation with curl script haters
I feel like the assumption is that GitHub would be more proactive about stopping malware being distributed from their platform.
curl should probably scream when it detects piping unencrypted WAN (not local IPs) connections to shell, sort of like what OpenSSH does when a host’s fingerprint changes
How could curl detect where it's piped to?
Something like (in Python)
`os.isatty(sys.stdout.fileno())`
That doesn't say where it's piped though. It could be redirected to a file, or piped to something harmless like jq.
Iterate through /proc/<pid>/fd and check for the pipe id in the symlink target.
The shell would have to give the warning
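The `/proc` lookup suggested in this sub-thread, written out as an added example (not code from any commenter or from curl): it tells a pipe apart from a tty or file, then names the process holding the read end. It is Linux-only, and the function names are made up for illustration.

```python
import os
import stat
import subprocess
import sys


def stdout_pipe_inode(fd=1):
    """Inode of the pipe behind fd, or None when fd is a tty, file or socket."""
    st = os.fstat(fd)
    return st.st_ino if stat.S_ISFIFO(st.st_mode) else None


def pipe_readers(inode, proc="/proc"):
    """Return {pid: comm} for processes holding the read end of pipe `inode`."""
    target = f"pipe:[{inode}]"
    readers = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            for fd in os.listdir(os.path.join(base, "fd")):
                if os.readlink(os.path.join(base, "fd", fd)) != target:
                    continue
                with open(os.path.join(base, "fdinfo", fd)) as f:
                    info = dict(line.split(":", 1) for line in f if ":" in line)
                # fdinfo flags are octal; the access mode tells reader from writer
                if (int(info["flags"], 8) & os.O_ACCMODE) == os.O_RDONLY:
                    with open(os.path.join(base, "comm")) as f:
                        readers[int(pid)] = f.read().strip()
        except OSError:
            continue  # process exited, or belongs to another user
    return readers


def demo():
    """Constructed case: pipe our output into a child and look the reader up."""
    r, w = os.pipe()
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.read()"], stdin=r)
    os.close(r)  # like a shell, the parent keeps only the write end
    try:
        return child.pid, pipe_readers(stdout_pipe_inode(w))
    finally:
        os.close(w)  # EOF lets the child exit
        child.wait()


if __name__ == "__main__":
    inode = stdout_pipe_inode()
    # Racy by nature: the reader may not have exec'd yet and still show the shell's name
    print("stdout reader(s):", pipe_readers(inode) if inode else None, file=sys.stderr)
```

Run as the left side of a pipeline, it prints the reader's pid and command name to stderr. A shell starts pipeline stages concurrently, so the answer is only a snapshot.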
Lol. This is a hilariously shady instruction. Is this a docker inside joke or something?
Cool, gonna try this soon. Would be great to use in combination with Dive (https://github.com/wagoodman/dive)
It says in the README it leverages Dive. Basically it's a visualization for Dive's JSON output, which I'd very much prefer to exist as exactly that -- something I can pipe Dive's JSON into. No need to wrap Dive for that.
Dive doesn't have a JSON output, I had to use the internal API to do it.
What do you mean? It's literally there:
Ran this instead of that scary pipe thru sh command
`go install github.com/remorses/docker-phobia@latest`
No thanks, this looks shady as hell.
I don't remember what this type of visualisation is called, but I really like it for understanding disk use quickly. When I wish to drill into detail I find a list helps me more but the box layout is usually where I like to start.
Looking forward to trying this.
It's a treemap graph; frontend people use it all the time to analyze a website's JavaScript bundle size. I created this so Docker people can make smaller images more easily.
Sounds great, I'm looking forward to giving this a shot.
Why not just show it per layer and folder via plain text?