[pkg-go] Security support for packages written in Go

Michael Hudson-Doyle michael.hudson at canonical.com
Wed Jul 13 22:23:47 UTC 2016


On 13 July 2016 at 19:20, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> On Mon, Jul 11, 2016 at 09:12:05AM +1200, Michael Hudson-Doyle wrote:
>> On 8 July 2016 at 20:03, Potter, Tim (HPE Linux Support)
>> <timothy.potter at hpe.com> wrote:
>> > On 7 Jul 2016, at 12:40 PM, Martín Ferrari <tincho at tincho.org> wrote:
>> >>
>> >> On 06/07/16 20:59, Moritz Mühlenhoff wrote:
>> >>
>> >>> What's the current status? Is there technical progress compared to what was
>> >>> discussed in April? The freeze is coming really close and we can't support
>> >>> the status quo for stretch.
>> >>
>> >> The discussion stalled at that point. AFAIK, there is no technical
>> >> solution for this. The best we could do is to have easier ways to track
>> >> dependency chains, but that does not change the fact that all golang
>> >> applications are still statically built, and so would require rebuilds
>> >> when security bugs are discovered and fixed.
>> >>
>> >> I understand this is problematic, but not sure we can do anything about
>> >> it at this point.
>> >
>> > Hi everyone.  I've done a small amount of research into the buildmode=c-shared
>> > and the dynlink option and they look good on paper.  Has anyone examined these
>> > options more seriously?
>>
>> Well, using them in Ubuntu was the reason Canonical paid me to
>> implement them, so yes... I'm currently in the process of starting
>> to use these features in Ubuntu. My plan, such as it was, was to use
>> them in Ubuntu through the 16.10 cycle and then propose the changes to
>> Debian too, assuming they work out OK.
>
> What does this provide specifically? Dynamic linking similar to what we currently
> have for library code written in C?

Yes. There are more details here:
https://docs.google.com/document/d/1IOlBWWgcDeB9PfRORENESYj8iJt4W2EwsbYcpg4akBE/edit

Cheers,
mwh


