aqua fallback

[jayvdb]

https://aquaproj.github.io/ looks like a decent binary installer, which might be a useful fallback strategy, especially for go tools

Its github action installer is reasonable, but not as mature as install-action, and if aqua is hacked, aqua-installer likely can also be hacked.

https://github.com/aquaproj/aqua-installer/blob/main/action.yaml

https://github.com/aquaproj/aqua-registry/tree/main/pkgs is where its package list exist.

Currently

> echo $(aqua list | cut -d '/' -f 2 | sort -u)
1build abbreviate abs acorn act actdocs actionlint action-validator actuated-cli adr-tools afx age agent agg aichat ain air akashi akoi aks-engine alejandra alertmanager algia ali allero alp amazon-ec2-instance-selector amazon-ec2-spot-interrupter amazon-ecr-credential-helper amazon-ecs-cli amazon-ecs-exec-checker Amber amicontained annie anteon api-linter apko approuvez aptly aqua-installer aqua-registry-updater arduino-cli arelo argo-cd argocd-autopilot argocd-image-updater argo-rollouts argo-workflows arkade arrow-tools asciigraph ascii-image-converter asciinema-trim assam ast-grep astra-cli as-tree athens atlantis atlas atmos atuin audit2rbac auth0-cli authy autok3s autosaved awless aws-cli awscost awsdo aws-iam-authenticator awslim aws-nuke aws-sdk-client-go awstaghelper awsu aws-vault aztfexport aztfy azure-dev bafi bandwhich banzai-cli bashbot bat bats-core bazelisk bed benthos berglas better-docker-ps bigquery-emulator bin binaryen bingo binnacle biodiff biome bit blendr blogsync bob boilerplate bombardier bomber bomberman bore bosh-cli bottom boundary brigade broot bsky btop bud buf buildg buildkit buildx bun cabal caddy calico camel-k canonicalheader cargo-binstall cargo-deny cargo-expand cargo-run-script cargo-watch carvel-imgpkg carvel-kapp carvel-kbld carvel-kwt carvel-vendir carvel-ytt cassowary catp certificates cert-manager cfft cfnctl cfssl chain-bench chamber changed-objects changie charm chart-releaser charts-syncer chart-testing cheat checkip checkmake checkout-merged-branch-with-ci-info checkov check-tls-cert chectl cherrybomb chezmoi chisel cho choose ci-info cilium-cli circleci-cli circleci-config-merge ci-renovate-config-validator clash cli cli53 click client clients clive cloak clog-cli closest cloudflared cloudfox cloud-hypervisor cloudlens cloudman cloudquery cloud-sql-proxy cls3 cluster-api cmctl cmdx cob cobra-cli cockroach cocogitto codeowners codeowners-validator coder colima comet compose comtrya concourse config-file-validator config-registry conflint conform conftest confused connect connect-go consul container2wasm containerd container-diff container-structure-test controller-tools copacetic copilot-cli copywrite cosign crabz crd-to-markdown credhub-cli cri-tools croc cronjob-runner cronplan crossplane crun csview csvlens csvtk ctlptl ctop cue cuemod curlie cyclonedx-cli d2 dagger dagu dajarep dart-sass dasel datanymizer datree db1000n dbmate ddev dd-time deck delstack delta delve deno deno-arm64 dep-doctor depm depu desk desync devbox devdash devpod devserver devspace dhall-haskell didder diffoci diffsitter difftastic direnv discussion-slack-notifier diskus dismember distribution diun dive dlayer dnote dns53 doc2go docforge dockerfile-generator docker-slim dockfmt dockle doctl docuum dog doggo dolt dotenv-linter dotfiles dprint draft driftctl driftwood drone-cli dstask dstp dsv-cli dt dua-cli duckdb duf durl dust dw-query-digest dyff dynein dysk e1s earthly easeprobe easyjson ec2x ecrm ecschedule ecsher ecspresso ecsta editorconfig-checker efm-langserver eget egress-auditor ejson eksctl eks-node-viewer eksup envplate envsubst erdtree etcd evans exa example-go-slsa-provenance execspansql exo external-tools extrude eza faas-cli fac falco FalconHound fatcontext fd fend ff ffuf fib filebrowser files fillin findup firebase-tools firecracker fission flowpipe flux2 fm fnm fofax fogg fork-cleaner fortio fq freeze frizbee frp frum fsql ftpgrab func fuse-overlayfs fuse-overlayfs-snapshotter fvm fw fx fzf fzwiki gama gasper gat gau gauge gaze gbt gci gdu gefyra genact getdeck getoptions gex gh2changelog ghalint ghch ghcp ghcup-hs gh-dash gh-do ghg ghkw ghorg ghq ghr ghrls gh-setup ghz gibo gimei-cli gimme gist git-absorb git-bug git-bump git-chglog git-cliff git-crypt gitea git-ghost github-comment github-compare github-labeler github_link_creator github-markdown-toc github-nippou github-release gitjacker gitlab-ci-local gitlab-comment gitlab-org gitleaks git-lfs gitmux gitql git-rm-branch git-secrets gitsemvers gitsign git-town gittuf gitty gitu gitui git-user git-xargs gjo gjson gke-auth-plugin gke-policy-automation glab gleam glice glow gnkf go go-arch-lint go-aws-s3get go-aws-sso gobang go-blueprint gobrew gobump go-car gocloc go-containerregistry go-cover-treemap gocovsh gocredits go-crond goda godzil go-enum gof gofind gofumpt go-getter go-github-apps gogs goimports-reviser go-ipfs gojekyll gojo gojq go-jsonnetgokart go-katsubushi gokey golangci-lint golangci-lint-langserver golicense go-licenses go-life golines go-markdown2confluence gomi gommit gomockhandler go-mod-upgrade gomplate gon gonogo google-cloud-sdk goose gopass goplicate go-plugin goreleaser goreman gorss gosec go-simple-http-redirector gosnakego goss gossh gost gostyle go-swagger gotesplit gotestfmt gotestsum go-tools gotop gotouch gotty go-tuf goverter govmomi gowrap gox goxz gpcd gping gptcommit gptscript gq gqldoc grafana-kiosk granted graphql-engine greenlight grex grit grizzly gron grpc-gateway grpc-go grpc-health-probe grpcp grpcui grpcurl grype gtree gum gup gvisor-tap-vsock gvm gwvault gyaml gyazo-cli hadolint handlr has havener hcl2json hcledit hclgrep helix helm helm-docs helmfile helmify helmsman helmwave hetty hexyl hgrep himalaya horcrux horenso hostctl htmlq httpie-go httpx hub huber hub-tool HuggingFaceModelDownloader hugo hurl hwatch hydra hyperfine iamlive iam-policy-json-to-terraform iap_curl ifacemaker iferr igrep img imgpkg impi incus influx-cli infracost inframap inletsctl inlets-pro insta in-toto-golang invoice istio jc jd jenkins-cli jenkins-job-cli jf jid jiq jira jira-cli jj jless jnv jotdown jq jql jqp jreleaser json2hcl json2yaml jsondiff jsonnet jsonnet-bundler jsonnet-language-server json-to-struct juicefs jump jumppad just jwt jwt-cli jx k0s k0sctl k2tf k3d k3sup k6 k8sec k8stail k9s kaf kafkactl kafta kail kalker kanister kapp kauthproxy kaytu kbld kcli kconf kcount kcp kcptun kdash kdigger kerbrute ketall kexp kfilt kics kilo kim kind kink kiota kluctl knest ko koji komorebi kompose konf-go kool kopia kops kor korb kots koyeb-cli kpt krew krewfile krew-release-bot ksnotify ksort ktunnel kubeadm kubeaudit kube-bench kubebox kubebuilder kube-capacity kubecfg kubeclarity kubecm kubecolor kubeconform kube-credential-cache kubectl kubectl-convert kubectl-cost kubectl-doctor kubectl-explore kubectl-external-forward kubectl-fzf kubectl-ice kubectl-iexec kubectl-images kubectl-kubesec kubectl-node-shell kubectl-pod-lens kubectl-rolesum kubectl-sudo kubectl-trace kubectl-tree kubectl-view-secret kubectl-warp kubectl-watch kubectl-whoami kubectl-who-can kubectx kube-dump kubedump kubeeye kubefed kubefwd kubeletctl kube-lineage kube-linter kubelogin kubemqctl kube-no-trouble kubens kubeone kube-prompt kube-psp-advisor kubepug kubergrunt kubernetes-iteration-toolkit kubescape kube-score kubesec kubeshark kubespy kubestr kubesurvival kubeswitch kubetail kubetest kubetui kubeval kubevela kubevirt kubie kubitect kubo kushi kusion kustomize kuttl kuzusi kwctl kwok kwt kyverno lab lambroll lamver launcher lazydocker lazygit lazynpm lefthook lego levant lf license licensed lima linkerd2 lintnet linuxkit listmonk litestream llama lnav local-php-security-checker logdy-core loki longgopher lowcharts lsd ls-lint lstags lua-language-server lux lwc lychee m1-terraform-provider-helper macchina mactop mage make2help maltmill Mangle manifest-tool manssh mantil markscribe marmot marp-cli marvin mask matchfile maven-mvnd maze mcfly md2confl mdBook mdviewer melange memit memo mergestat-lite mgo micro migrate miller mimir mindthegap minify minikube minimock miniserve minishift mirrord mise misspell mitamae mixctl mizu mkcert mkghtag mmark mmctl mmv mock mockery mocword mod modd mods mongocli mongodb-atlas-cli moon moq mosint mountpoint-s3 mqttui mtail muffet multi-gitter mustache mutagen mutagen-compose myaws mysql_random_data_load naabu nancy natscli navi ncdu ndiag nebula nekome neofetch neosync neovim nerdctl newrelic-cli nextword nfpm nginx-build nimotsu ninja nllint nomad notation note noti nova ntfy nuclei nuclio nushell nyan nyx oapi-codegen oatmeal oauth2c octant octocov odo oglens oha oh-my-posh ojichat ojosama okta-aws-cli okteto ollama om omekasy onefetch opa openapi-tui opentofu operator-registry operator-sdk optimize-controller oras osv-scanner oto ouch outdated ov oxc pachyderm pack packer packer-plugin-sdk pastel pax pdtm peco pen perfsprint pet pewpew pglet pgrok pgroll pike pinact pingu pint pipecd pipr pivnet-cli pkenv pkgx plant_erd playwright-go please plow plumber pluralith-cli pluto pnpm polaris pong-command popeye porter pprof prepalert prm procs prom2json prometheus promlens proto protobuf protobuf-go protoc-gen-doc protoc-gen-validate protolint pryrite pug pulumi pumas pup pv-migrate q qiitaz quill rain rainbow-roads rakkess random-winner rare rargs ratchet rbac-lookup rbw rclone redshift-credentials reg regal regclient registry-tool rekor relma renovate-issue-action repgrep Replibyte repo restic restish retry reviewdog revive richgo riex ripgrep ripgrep-all ripgrep-prebuilt rke rnr rootlesskit roumon rover rsc rtty rtx ruff run runc runme runn runtime rust-analyzer rustic rustsec rye s s3deploy s3gof3r s3s s3surfer s3url s5 s5cmd sad saml2aws sampler savvy-cli sbomqs scaleway-cli scan4all scc sccache scenarigo schemalex scorecard scout sd sealed-secrets secretlint selene semverbot semver-tool sentry-cli sesh session-manager-plugin sget sh shdotenv sheep sheldon shell2http shellcheck shellharden shellspec shipyard shisho shoutrrr shukujitsu sigi silicon sinker skaffold skate skeema skim skm slackcat slack-reminder slack-term slides slim slirp4netns sloglint sloth slp slsa-github-generator slsa-verifier slumber sm Smap smug snazy soci-snapshotter somafm sops sopstool spacectl spacedisplay-rs spanner-cli spanner-dump spannerplanviz spectral spectrum speedtest-cli speedtest-go spin spool spotify-downloader spotify-tui spruce sqlc sqldef sqlfmt sqls squealer src-cli srss ssh-manager sshocker sshproxy sshw ssmwrap ssosync stack starboard starship statusok steampipe stefunny stein stern stoml stree stripe-cli strongbox sttr stubin StyLua subfinder superfile surf sver svu swag switchboard syft syncthing sysz tagpr tailspin tala talhelper talos tanka taplo task taskctl taskdiff tbls tcpterm tctl tdl tdtidy tealdeer teip telepresence teler teller templ temporal tenv tere termscp termshark terracognita terradozer terrafmt terraform terraform-config-inspect terraform-docs terraformer terraform-graph-beautifier terraformify terraform-ls terraform-lsp terraform-module-versions terraform-plugin-docs terraform-validator terragrunt terramate terrap-cli terrascan terratag terrctl test-reporter textimg tf tf2pulumi tfaction-go tfadd tfautomv tfcmt tfcmt-gitlab tf-controller tfcw tfe-cli tfedit tfenv tffmtmd tflint tfmigrate tfnotify tf-profile tfprovidercheck tfproviderdocs tfproviderlint tfschema tfsec tfstate-lookup tf-summarize tftarget tftree tfupdate tfvar tgenv tgpt theila the-way tilt timeout timoni tinygo tlder tlsx todoist tofu-controller tofuenv toggl togomak tokei tools topgrade topicctl totp-cli toxiproxy tparagen tparse tpm tproxy tracer traitor transporter trashy trdsql tre t-rec-rs treefmt tree-sitter trident trippy trivy trubka trufflehog tson tty-copy ttyd tv twty typioca typos typst unity-meta-check updatecli upgit upterm uptrace upx usql utern uv vac vale vals variant variant2 vault vcluster vegeta velero vendir venom versio vhs viddy viff vim-startuptime vintage vivid vmclarity volta vscli vsh vtest vuln wabt wait-for-it wakatime-cli walk wapm-cli wasmer wasm-pack wasmtime watchexec waypoint websocat wgcf whalebrew whkd wiki-tui wire woodpecker wrench wstunnel wtf wuzz wzprof x xc xdg-ninja xeol xh xk6 xlsxsql xplr xq xremap xsv yaegi yaks yaml2json yamldiff yamlfmt yamlpatch yazi yd yesiscan yh yj yn yo yor youtube yq ytt zed zeitgeist zek zellij zenith zeromicro zf zfind zig zigchat zig-update zitadel zls zola zoxide zrok

[jayvdb]

https://aquaproj.github.io/docs/reference/security/checksum describes the verification the tool does. It isnt comprehensive by default. IMO we should be clear to our users if we are installing an unverifiable binary, so this needs to be part of the design for inclusion of aqua.

A lot of their tool definitions contain

        checksum:
          enabled: false

Or they omit the "checksum" key entirely, like https://github.com/aquaproj/aqua-registry/blob/main/pkgs/CycloneDX/cyclonedx-cli/registry.yaml and https://github.com/aquaproj/aqua-registry/blob/07ade5a0cd34c199a0f6eb0ff88295f8a23cd8ee/pkgs/ziglang/zig/registry.yaml

Here is one with a valid checksum definition
https://github.com/aquaproj/aqua-registry/blob/main/pkgs/Boeing/config-file-validator/registry.yaml

I believe they have no fallback to a central storage of previously computed checksums. They provide examples of how users can update their own aqua-checksums.json in CI, for the tools they depend on.

install-action could store checksums in the install-action repo ; i.e. the file aqua-checksums.json file that aqua creates just needs to be stored in the repo, so that the aqua installer can use it. If done for a large subset of the aqua repository, unfortunately that will chew up a lot of CI. If we only wanted to do it for a small subset, then we could just as easily create normal manifests for that small subset, and there is no need for aqua.

The approach that I think makes the most sense is to allow installs of tools that do have a checksum definition in aqua. This might be done by putting the following in the aqua config that install-action creates before handing control over to aqua.

require_checksum: true

When I tried to install CycloneDX/cyclonedx-cli with the above set, it failed with an exit code.

> aqua install
INFO[0000] create a symbolic link                        aqua_version=2.29.0 command=cyclonedx env=linux/amd64 program=aqua
INFO[0000] download and unarchive the package            aqua_version=2.29.0 env=linux/amd64 package_name=CycloneDX/cyclonedx-cli package_version=v0.25.1 program=aqua registry=standard
ERRO[0022] install the package                           aqua_version=2.29.0 doc="https://aquaproj.github.io/docs/reference/codes/001" env=linux/amd64 error="checksum is required" package_name=CycloneDX/cyclonedx-cli package_version=v0.25.1 program=aqua registry=standard
FATA[0022] aqua failed                                   aqua_version=2.29.0 env=linux/amd64 error="it failed to install some packages" program=aqua
> echo $?

However that would mean that zig cant be installed using aqua due to lack of checksum, and that was one of the reasons that I was interested in aqua.

> aqua install
INFO[0000] create a symbolic link                        aqua_version=2.29.0 command=zig env=linux/amd64 program=aqua
INFO[0000] download and unarchive the package            aqua_version=2.29.0 env=linux/amd64 package_name=ziglang/zig package_version=0.13.0 program=aqua registry=standard
ERRO[0014] install the package                           aqua_version=2.29.0 doc="https://aquaproj.github.io/docs/reference/codes/001" env=linux/amd64 error="checksum is required" package_name=ziglang/zig package_version=0.13.0 program=aqua registry=standard
FATA[0014] aqua failed                                   aqua_version=2.29.0 env=linux/amd64 error="it failed to install some packages" program=aqua

However zig does provide checksums at https://ziglang.org/download/ , so for me the first step is to see if the aqua can support those checksums.