May 2, 2026
Build-a-binary or build-a-breach?
Show HN: Golang binaries built for your users depending on their arch and system
One-click app installs spark panic, side-eyes, and a whole lot of “absolutely not”
TLDR: Goblin is a new service that builds Go apps for whatever kind of computer a user has, so downloads are easier. But the real story is the backlash: commenters are split between “nice convenience” and “this could become a giant malware delivery machine,” with extra roasting over its outdated tool version.
A new Show HN project called Goblin promises a very simple trick: paste a link into your terminal, and it spits out a ready-to-run Go app built for your computer setup. In plain English, it’s trying to save developers from making separate downloads for Windows, Mac, and Linux users. Handy? Sure. But the comment section immediately turned into a full-blown trust crisis.
The loudest reaction was basically: "This is a hacker buffet." One commenter warned that a service that builds and hands out binaries on demand could become a dream target for attackers. If the service were ever compromised, critics say, it could quietly send poisoned downloads to everyone. That fear completely dominated the vibe. Another user went even further, saying if you want this level of convenience, you may as well just spend a few minutes setting up your own release process instead of betting your users’ safety on a third-party middleman.
Then came the savage drive-bys. One person simply declared, "I cannot fathom why anyone would want this," which is the kind of brutal one-liner that can end a party. Another raised eyebrows at Goblin using Go 1.17, calling it ancient compared with today’s versions. Still, not everyone was dunking: one commenter shrugged that for ordinary users, a remote build service does sound useful. So the drama split cleanly into two camps: "convenient shortcut" versus "future supply-chain horror story."
Key Points
- •Goblin provides a curl-based way to install Go binaries compiled for the user’s requested operating system and architecture.
- •The API accepts a full Go module path with an optional version, supporting latest releases, exact versions, partial version ranges, and some commit-hash based installs.
- •Users can customize installation behavior with `PREFIX`, `OUT`, and `CMD_PATH` environment variables.
- •The service resolves module tags and versions through `proxy.golang.org` and can fall back to commit hashes on supported platforms such as GitHub.
- •Binaries are compiled using Go 1.17.x in the official Docker image, and compilation is limited to 200 seconds.