[pkg-go] Security support for packages written in Go

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 6 19:59:32 UTC 2016


On Wed, Apr 06, 2016 at 09:24:20AM +1000, Dmitry Smirnov wrote:
> IMHO Golang community abused almost as much as possible with static linking, 
> embedding resources to executables, not using versioning and breaking API at 
> any time, etc.
> 
> Even if we find effective technical solution to detect dependency chains 
> there is a problem of re-building ever growing number of all packages 
> indirectly depending on vulnerable package.
> 
> Golang is just too young, unstable and fragile. I have a feeling that few 
> upstream projects take security concerns seriously. Many upstream projects 
> have no concept of "stable" releases so I doubt it is practical to offer any 
> kind of security support for Golang when too many projects introduce new 
> dependencies with almost every new versioned release while old release is 
> abandoned as soon as new one becomes available.
> 
> Unless we can exclude Golang from security support I think we should not ship 
> any Golang applications with next stable release.

What's the current status? Is there technical progress compared to what was
discussed in April? The freeze is coming really close and we can't support
the status quo for stretch.

Cheers,
        Moritz





More information about the Pkg-go-maintainers mailing list