On Wednesday, January 30, 2013 11:39:37 AM UTC+1, Damian Gryski wrote:
In discussions with a sysadmin at $WORK, he mentioned that Go's
static-linking is a deal-breaker for him. His example is if a security
problem with a shared library (say, openssl) is discovered, only a single
package (the vulnerable ssl lib) needs to be upgraded. If a problem with
Go's SSL implementation is discovered, every Go application that might use
that library needs to be rebuilt, and for packages without source code
you'd never know which ones include the vulnerable code. He does, however,
agree that the 'single binary' deployment is an improvement over fighting
with multitudes of Perl or Python modules.

I am aware of the "dynamic linking considered harmful" page, and I've read
the FAQ and know that static linking was a design decision. Has anyone
else encountered this problem before? How did you solve it? (Note that
"problem" in this sense is the security aspect of having to
rebuild/redeploy everything instead of just the single shared library. I'm
not interested in stories about how you convinced your co-wokers to switch
to Go :)

I'm the sysadmin Damian refers to and would like to clarify my reasons a
bit, as they seem to be misinterpreted.

Currently, on our linux systems, when there is a vulnerability in libfoo
(for any random shared library foo, ssl is merely my favourite here), I
update that library and all os, homegrown and third party applications that
use it are no longer vulnerable. Go (and java, as has been pointed out)
make my life a lot more difficult, especially in the face of large third
party commercial applications, or even distribution-provided binary
packages (deb, rpm). These don't (afaik) yet exist in the go universe, but
in the java universe this is a royal pain in the ass, similar to static
linking. Instead of being able to fix problems ourselves, we have to
completely rely on an outside party to update their binaries. And java jar
bundles are at least simple zip files and can be inspected, I cannot see
which libraries are linked into a specific go binary. So if libfoo has a
security vulnerability, I won't even know I'm vulnerable unless I happen to
know that one or more of the apps I use, use this library.

Dennis K.

You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 14 of 20 | next ›
Discussion Overview
groupgolang-nuts @
postedJan 30, '13 at 10:39a
activeJan 30, '13 at 5:51p



site design / logo © 2021 Grokbase