Open chasemp opened 3 years ago
I think the repo for (get.)k0s.sh is https://github.com/k0sproject/get ? I commented the same earlier in https://github.com/k0sproject/get/pull/1#discussion_r542257307
In my opinion, get.k0s.sh should just directly return the binary, no scripts. Then you can place it wherever you want to.
$ curl get.k0s.sh/$(uname -m) > k0s
$ chmod +x k0s
Any "official" installation should be done via package manager.
The API for k0s.sh would be something like:
/:arch
gives the latest bin for that arch/:arch/:version
gives a specific version for that arch, maybe with aliases such as /x86_64/beta
which would give you the latest beta.Pretty much like downloading from github but with easier urls. I guess the implementation would redirect the request to the asset url in github.
How To Reproduce
Visit https://docs.k0sproject.io/v0.9.1/ and follow demo gif
Expected behavior
The demo runs a command which downloads and runs arbitrary code as root from the internet. This is a model that should be marked as non-production use only explicitly in the docs. This is never something someone should actually do on a machine they care about. The demo also installs the binary in /usr/bin which violates the normalized usage of the Filesystem Hierarchy Standard.
Typically, /usr/local is expected to be used for non-distro binaries and packages. /usr/bin in particular is for non-essential binaries and k0s would most probably belong in /sbin.
The appropriate directory is either /opt/k0s/sbin/ or /usr/local/sbin.
root@ip-172-31-12-11:~# which k0s