You should know you're vulnerable because the authors of the binary you're
running should tell you what libraries they're using. The same as any other
binary authors telling you they use libfoo. You have to trust that when
they say they're using libfoo, that they actually are, and not something
else. Regardless of whether they link to it or not, they either might not
be actually using the linked dll... or they might have renamed/rebuilt it
and linked against a private copy... I've seen both of these situations in
production systems.

This does mean that you need to rely on the software vendor to update their
software when a vulnerability occurs, instead of installing a new basement
under their house for them. This is probably a good idea. And if they're
not reliable enough to get this done ASAP, maybe consider a different
vendor, or consider open source, where you can see the code and fix it

I know this is not the black and white case you feel like you have with
replacing DLLs, but that world is a fallacy anyway.

On Wednesday, January 30, 2013 7:49:32 AM UTC-5, den...@kaarsemaker.net

I'm the sysadmin Damian refers to and would like to clarify my reasons a
bit, as they seem to be misinterpreted.

Currently, on our linux systems, when there is a vulnerability in libfoo
(for any random shared library foo, ssl is merely my favourite here), I
update that library and all os, homegrown and third party applications that
use it are no longer vulnerable. Go (and java, as has been pointed out)
make my life a lot more difficult, especially in the face of large third
party commercial applications, or even distribution-provided binary
packages (deb, rpm). These don't (afaik) yet exist in the go universe, but
in the java universe this is a royal pain in the ass, similar to static
linking. Instead of being able to fix problems ourselves, we have to
completely rely on an outside party to update their binaries. And java jar
bundles are at least simple zip files and can be inspected, I cannot see
which libraries are linked into a specific go binary. So if libfoo has a
security vulnerability, I won't even know I'm vulnerable unless I happen to
know that one or more of the apps I use, use this library.

Dennis K.
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 18 of 20 | next ›
Discussion Overview
groupgolang-nuts @
postedJan 30, '13 at 10:39a
activeJan 30, '13 at 5:51p



site design / logo © 2021 Grokbase