feat(examples): add Go and Rust runtime templates #735
| package main | ||
|
|
||
| import "testing" | ||
|
|
Suggestion: Consider adding a second test case for Greeting("Alice") to cover the non-empty name branch. As a template example meant to teach testing patterns, having only one test that covers only one conditional branch is incomplete. This also applies to the Rust lib.rs test.
PR Review: Go and Rust Runtime Templates
Reviewed by: code-quality-reviewer, security-code-reviewer, test-coverage-reviewer, documentation-accuracy-reviewer, performance-reviewer
Overall: Clean, well-structured PR. 23 files added (0 modified, 0 deleted). Both Go and Rust templates follow their respective ecosystem conventions correctly. All issues below are minor; nothing blocking.
🔒 Security
Rust Dockerfile:
📖 Documentation
⚡ Performance
Go tarball download lacks checksum (
Rust
✅ Resolved favorably
Add template-authoring examples for Go and Rust runtimes built on cubesandbox-base. Refs TencentCloud#645
e003d4d to 378df46
| pkg-config \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \ |
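Review bot: On the RUN line that fetches https://sh.rustup.rs, nothing in the visible lines pins a rustup or toolchain version, so two builds of this template on different days can produce different images. Suggest declaring the version in an ARG near the top of the Dockerfile and passing it to the installer, so the template builds reproducibly and a bad upstream release is easy to trace.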
Supply-chain risk: curl | sh without checksum verification
The Rust installer is fetched and piped directly to sh without any checksum or signature verification. If sh.rustup.rs were compromised, arbitrary code would execute at build time.
The Go template avoids this by downloading a tarball to a file rather than piping to a shell. Consider using the rustup-init binary with SHA-256 verification published at static.rust-lang.org/rustup/dist/<arch>/rustup-init.sha256. For a template meant to be copied and reused, this defense-in-depth improvement would be valuable.
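The check suggested in the review comment above, as an added example (not code from this PR or the project): save the installer to a file, compare its SHA-256 with a known digest, and only then make it executable. The function names and the stand-in installer are constructed; the checksum-file layout (digest as the first field) is an assumption.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Extract the hex digest from a published checksum file.
# Assumption: the first whitespace-separated field is the SHA-256 digest; any
# file name after it is ignored because it may not match the local path.
digest_from_file() {
    awk 'NR == 1 { print tolower($1) }' "$1"
}

# Return 0 only if FILE ($1) hashes to the expected digest ($2).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject malformed digests, e.g. an HTML error page saved as .sha256.
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Verify first, then mark executable; on mismatch delete the file so a later
# build step cannot run it by accident.
install_if_verified() {
    if verify_sha256 "$1" "$2"; then
        chmod +x "$1"
    else
        rm -f "$1"
        return 1
    fi
}

# Constructed demo: a stand-in installer and its checksum file.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho installed\n' > "$tmp/rustup-init"
    sha256sum "$tmp/rustup-init" | sed 's|  .*|  target/release/rustup-init|' \
        > "$tmp/rustup-init.sha256"
    want=$(digest_from_file "$tmp/rustup-init.sha256")
    install_if_verified "$tmp/rustup-init" "$want" && sh "$tmp/rustup-init"
    rm -rf "$tmp"
}

demo
```

A digest fetched from the same host as the binary only catches corruption or a partly compromised origin; pinning the expected value in the Dockerfile is the stronger form.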
Summary
cubesandbox-base.
.dockerignore, and bilingual READMEs for both templates.
Verification
docker build --platform linux/amd64 -t cubesandbox-go-runtime:local examples/go-runtime-template
docker build --platform linux/amd64 -t cubesandbox-rust-runtime:local examples/rust-runtime-template
smoke.py scripts