Check checksum of Go binary
When investigating how to upgrade the Go version for Gitaly, I noticed the following:
```dockerfile
ENV GO_VERSION 1.10.3
RUN curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \
    | tar -xzC /usr/local \
    && ln -sf /usr/local/go/bin/go /usr/local/go/bin/gofmt /usr/local/go/bin/godoc /usr/local/bin/
```
This implies that whatever is in the tarball is trusted as-is, because the tarball's checksum is never checked before it is extracted. A tampered toolchain obtained this way could in turn compromise every package compiled with it.
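One way to close this gap, as an added example rather than Gitaly's own Dockerfile: pin the expected SHA-256 next to GO_VERSION, download to a temporary file, and only extract when the digest matches. The function names and the digest value are my own placeholders; the real digest for a given Go release is published on the official Go download page, and the helpers assume GNU coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example (not Gitaly's Dockerfile): verify a downloaded archive against
# a pinned SHA-256 before extracting it. In a Dockerfile this would sit next to
# GO_VERSION, e.g.  ENV GO_SHA256 <digest-from-golang.org/dl-PLACEHOLDER>

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, non-zero otherwise.
# sha256sum -c expects "HEX  PATH" (two spaces); --status keeps it quiet.
verify_sha256() {
  file="$1"
  expected="$2"
  echo "${expected}  ${file}" | sha256sum -c --status -
}

# extract_verified ARCHIVE EXPECTED_HEX DEST
# Extracts the tarball into DEST only after the digest check passes, so a
# tampered or truncated download never touches the filesystem.
extract_verified() {
  archive="$1"
  expected="$2"
  dest="$3"
  if ! verify_sha256 "$archive" "$expected"; then
    echo "checksum mismatch: $archive" >&2
    return 1
  fi
  tar -xzf "$archive" -C "$dest"
}

# fetch_and_install URL EXPECTED_HEX DEST
# The hardened form of the RUN step: download to a temp file, verify, extract.
# Example (hypothetical digest):
#   fetch_and_install \
#     "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \
#     "$GO_SHA256" /usr/local
fetch_and_install() {
  tmp="$(mktemp)" || return 1
  if curl -fsSL -o "$tmp" "$1" && extract_verified "$tmp" "$2" "$3"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}
```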