Giter Club home page Giter Club logo

goup-rs's Introduction

goup

goup is an elegant Go version manager write in rust.

Rust Crates.io MSRV Crates.io Total Downloads Crates.io Crates License Tag

goup is an attempt to fulfill the above features and is heavily inspired by Rustup, golang/dl, goup, goenv, gvm and getgo.

NOTE: Please keep in mind that goup-rs is still under active development and therefore full backward compatibility is not guaranteed before reaching v1.0.0.

Features

  • Minimum dependencies, only depend on git. we may remove this dependency in future.
  • Multi-platform compatible (Linux, macOS & Windows).
  • Install/Remove Go versions with goup install/remove [TOOLCHAIN].
  • Support Installing Go from source with goup install <nightly|tip|gotip>.
  • List locally installed versions.
  • Switch between multiple installed versions.
  • Search available version of Go.
  • Manage locally archived files(such as *.tar.gz, *.tar.gz.sha256).
  • Upgrade goup itself.
  • Friendly prompt.
  • Should be pretty fast.

Installation

Cargo

Alternatively, you can also install it using cargo.

cargo install goup-rs

or

cargo install goup-rs --git https://github.com/thinkgos/goup-rs

Manual(for Linux/MacOS)

If you want to install manually, there are the steps:

  • Download the latest goup from Release Page
  • Drop the goup executable to your PATH and make it executable: mv GOUP_BIN /usr/local/bin/goup && chmod +x /usr/local/bin/goup
  • Run goup init, Got shell startup script at $HOME/.goup/env.
  • Add the Go bin directory to your shell startup script: echo '. "$HOME/.goup/env"' >> ~/.bashrc or echo '. "$HOME/.goup/env"' >> ~/.zshenv

Manual(for Windows)

MSI-installers

Install the latest version for your system with the MSI-installers from the Release Page section

Binary Compressed

  • Download the binary compressed file for Windows version from Release Page, and then unzipping it.
  • Move the goup.exe to $YOUR_PATH.
  • Add the $YOUR_PATH to windows environment.

Quick Start

$ goup install
[2024-01-30T00:38:48Z INFO ] Installing go1.21.6 ...
[2024-01-30T00:38:48Z INFO ] Unpacking /home/thinkgo/.goup/go1.21.6/go1.21.6.linux-amd64.tar.gz ...
[2024-01-30T00:38:48Z INFO ] go1.21.6 installed in /home/thinkgo/.goup/go1.21.6
[2024-01-30T00:38:48Z INFO ] Default Go is set to 'go1.21.6'
$ goup list
| VERSION | ACTIVE |
|---------|--------|
| 1.21.6  |   *    |
$ go env GOROOT
/home/thinkgo/.goup/current
$ go version
go version go1.21.6 linux/amd64
$ GOUP_GO_HOST=https://golang.google.cn goup install 1.21.6

Usage

Lists all available Go versions

goup search [FILTER], [FILTER] can be follow value 'stable', "unstable", 'beta' or any regex string.

$ goup search
1
...
1.21rc4
1.22rc1
$ goup search stable
1
...
1.21.4
1.21.5
1.21.6

List all installed Go version located at $HOME/.goup

$ goup list 
+---------+--------+
| Version | Active |
+---------+--------+
| 1.21.5  |        |
+---------+--------+
| 1.21.6  |   *    |
+---------+--------+
| tip     |        |
+---------+--------+

Install specified version of Go

goup install/update [TOOLCHAIN], [TOOLCHAIN] can be follow value 'stable'(default), 'nightly'('tip', 'gotip'), 'unstable', 'beta' or '1.21.4'('go1.21.4'), --dry flag means only install the version, but do not switch

$ goup install
[2024-01-30T00:38:48Z INFO ] Installing go1.21.6 ...
[2024-01-30T00:38:48Z INFO ] Unpacking /home/thinkgo/.goup/go1.21.6/go1.21.6.linux-amd64.tar.gz ...
[2024-01-30T00:38:48Z INFO ] go1.21.6 installed in /home/thinkgo/.goup/go1.21.6
[2024-01-30T00:38:48Z INFO ] Default Go is set to 'go1.21.6'
$ goup install 1.21.4 --dry
[2024-01-30T00:38:48Z INFO ] Installing go1.21.4 ...
[2024-01-30T00:38:48Z INFO ] Unpacking /home/thinkgo/.goup/go1.21.4/go1.21.4.linux-amd64.tar.gz ...
[2024-01-30T00:38:48Z INFO ] go1.21.6 installed in /home/thinkgo/.goup/go1.21.4

Switches to selected Go version

goup use/set [VERSION], switches to selected Go version.

$ goup use 
? Select a version ›
  1.21.5
❯ 1.21.6
  tip
[2024-01-30T00:38:48Z INFO ] Default Go is set to 'go1.21.6'

Remove the specified Go version list

goup remove/rm [VERSION]... Remove the specified Go version list. If no version is provided, a prompt will show to select multiple installed Go version

$ goup rm
? Select multiple version ›
✔ 1.21.5
⬚ 1.21.6
⬚ tip
✔ Select multiple version · 1.21.5

Manage download archive files

$ goup dl show --contain-sha256
go1.21.6.linux-amd64.tar.gz
go1.21.6.linux-amd64.tar.gz.sha256

$ goup dl clean
✔ Do you want to clean archive file? · yes

Modify the goup installation

$ goup self update
Checking target-arch... x86_64-unknown-linux-gnu
Checking current version... v0.3.0
Checking latest released version... v0.3.0
[2024-01-30T00:38:48Z INFO ] Update status: `v0.3.0`!

Environment

$ goup env
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+
| Key                       | Value                          | Explain                                                                         |
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+
| GOUP_GO_HOST              | https://go.dev                 | Get upstream latest go version, use by 'install'                                |
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+
| GOUP_GO_DOWNLOAD_BASE_URL | https://dl.google.com/go       | Download go archive file base url, use by 'install'                             |
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+
| GOUP_GO_SOURCE_GIT_URL    | https://github.com/golang/go   | Upstream source git url and get upstream go versions, use by 'install'/'search' |
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+
| GOUP_GO_SOURCE_GIT_URL    | https://go.googlesource.com/go | Upstream source git url, use by 'install' the gotip                             |
+---------------------------+--------------------------------+---------------------------------------------------------------------------------+

Autocompletion

goup completion <SHELL> Generate the autocompletion script for the specified shell. <SHELL> possible values: bash, elvish, fish, powershell, zsh.

goup completion zsh > _goup

More information

goup -h get more information

How it works

  • goup completion <SHELL> Generate the autocompletion script for the specified shell.
  • goup [help] Print this message or the help of the given subcommand(s).
  • goup install/update [TOOLCHAIN] downloads specified version of Go to$HOME/.goup/go<VERSION|tip>/go and symlinks it to $HOME/.goup/current.
  • goup use/set [VERSION] switches to selected Go version.
  • goup ls/list/show list all installed Go version located at $HOME/.goup.
  • goup remove/rm [VERSION]... remove the specified Go version list.
  • goup search [FILTER] lists all available Go versions.
  • goup downloads [COMMAND] Manage download archive files.
  • goup self <COMMAND> Modify the goup installation.
  • goup init write all necessary environment variables and values to $HOME/.goup/env.
  • goup env Show the specified goup environment variables and values.

How to Debug

Default log level is Info. You can use goup -v <subcommand> or goup -v <subcommand> to use Debug or Trace level.

FAQ

  • Compiling and Installing from source code failure?
    The minimum version of Go required depends on the target version of Go, more information see source installation instructions

License

Apache 2.0

goup-rs's People

Contributors

dependabot[bot] avatar thinkgos avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar avatar

goup-rs's Issues

Improve debug log message

Please complete the following tasks

goup version

v0.6.2

Describe your use issue

Improve debug log message, When an error occurs, the log message is not detailed enough.

RUSTSEC-2024-0003: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)

Details
Package h2
Version 0.3.21
URL n/a
Patched Versions ^0.3.24 OR >=0.4.2
Related Advisories CVE-2019-9514

An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.

This fix is corrected in hyperium/h2#737, which limits the total number of
internal error resets emitted by default before the connection is closed.

RUSTSEC-2024-0003: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)

Details
Package h2
Version 0.3.21
URL n/a
Patched Versions ^0.3.24 OR >=0.4.2
Aliases GHSA-8r5v-vm4m-4g25
Related Advisories CVE-2019-9514

An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.

This fix is corrected in hyperium/h2#737, which limits the total number of
internal error resets emitted by default before the connection is closed.

RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood

Details
Package h2
Version 0.3.21
URL n/a
Patched Versions ^0.3.26 OR >=0.4.4
Aliases GHSA-q6cp-qfwq-4gcv

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely.
This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still
respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

RUSTSEC-2024-0336: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

Details
Package rustls
Version 0.21.7
URL GHSA-6g7w-8wpp-frhj
Patched Versions >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0
Aliases CVE-2024-32650, GHSA-6g7w-8wpp-frhj

If a close_notify alert is received during a handshake, complete_io
does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io
and are not affected.

rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.

[FR]Support command `goup install [stable|nightly]`

Now, we have support go install tip, but if I want install a latest release beta version, It feels a bit troublesome. we should first got the version, but how to got it?, then go install [stable|nightly] can resolve this.

RUSTSEC-2024-0013: Memory corruption, denial of service, and arbitrary code execution in libgit2

Details
Package libgit2-sys
Version 0.16.1+1.7.1
URL rust-lang/git2-rs#1017
Patched Versions >=0.16.2
Aliases GHSA-22q8-ghmq-63vf
Related Advisories CVE-2024-24575, CVE-2024-24577, GHSA-54mf-x2rh-hq9v, GHSA-j2v7-4f6v-gpg8

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

  • The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
  • The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
  • The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

RUSTSEC-2024-0019: Tokens for named pipes may be delivered after deregistration

Details
Package mio
Version 0.8.8
URL GHSA-r8w9-5wcg-vfj7
Patched Versions >=0.8.11
Unaffected Versions <0.7.2
Aliases CVE-2024-27308, GHSA-r8w9-5wcg-vfj7

Impact

When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.

For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.

The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.

Affected versions

This vulnerability has been fixed in mio v0.8.11.

All versions of mio between v0.7.2 and v0.8.10 are vulnerable.

Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.

Workarounds

Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.

Technical details

When an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is deregistered, then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.

This vulnerability was originally reported in the Tokio issue tracker: tokio-rs/tokio#6369
This vulnerability was fixed in: tokio-rs/mio#1760

Thank you to @rofoun and @radekvit for discovering and reporting this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.