[pkg-go] Security support for packages written in Go

Potter, Tim (HPE Linux Support) timothy.potter at hpe.com
Fri Jul 8 08:03:31 UTC 2016


On 7 Jul 2016, at 12:40 PM, Martín Ferrari <tincho at tincho.org> wrote:
> 
> On 06/07/16 20:59, Moritz Mühlenhoff wrote:
> 
>> What's the current status? Is there technical progress compared to what was
>> discussed in April? The freeze is coming really close and we can't support
>> the status quo for stretch.
> 
> The discussion stalled at that point. AFAIK, there is no technical
> solution for this. The best we could do is to have easier ways to track
> dependency chains, but that does not change the fact that all golang
> applications are still statically built, and so would require rebuilds
> when security bugs are discovered and fixed.
> 
> I understand this is problematic, but not sure we can do anything about
> it at this point.

Hi everyone.  I've done a small amount of research into the buildmode=c-shared
and the dynlink option and they look good on paper.  Has anyone examined these
options more seriously?

My guess would be that there might be a bunch of as yet undiscovered
platform-specific bugs with this, and it's probably too late at this stage to make
such a major change to the golang package build process.


Tim.