[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 13 07:20:29 UTC 2016


On Mon, Jul 11, 2016 at 09:12:05AM +1200, Michael Hudson-Doyle wrote:
> On 8 July 2016 at 20:03, Potter, Tim (HPE Linux Support)
> <timothy.potter at hpe.com> wrote:
> > On 7 Jul 2016, at 12:40 PM, Martín Ferrari <tincho at tincho.org> wrote:
> >>
> >> On 06/07/16 20:59, Moritz Mühlenhoff wrote:
> >>
> >>> What's the current status? Is there technical progress compared to what was
> >>> discussed in April? The freeze is coming really close and we can't support
> >>> the status quo for stretch.
> >>
> >> The discussion stalled at that point. AFAIK, there is no technical
> >> solution for this. The best we could do is to have easier ways to track
> >> dependency chains, but that does not change the fact that all golang
> >> applications are still statically built, and so would require rebuilds
> >> when security bugs are discovered and fixed.
> >>
> >> I understand this is problematic, but not sure we can do anything about
> >> it at this point.
> >
> > Hi everyone.  I've done a small amount of research into the buildmode=c-shared
> > and the dynlink option and they look good on paper.  Has anyone examined these
> > options more seriously?
> 
> Well, using them in Ubuntu was the reason Canonical paid me to
> implement them, so yes... I'm currently in the process of starting
> to use these features in Ubuntu. My plan, such as it was, was to use
> them in Ubuntu through the 16.10 cycle and then propose the changes to
> Debian too, assuming they work out OK.

What does that provide specifically? Dynamic linking similar to what we currently
have for library code written in C?

Cheers,
        Moritz


