Le mercredi 30 janvier 2013 11:51:01 UTC+1, Jan Mercl a écrit :
On Wed, Jan 30, 2013 at 11:39 AM, Damian Gryski wrote:
In discussions with a sysadmin at $WORK, he mentioned that Go's
static-linking is a deal-breaker for him. His example is if a security
problem with a shared library (say, openssl) is discovered, only a single
package (the vulnerable ssl lib) needs to be upgraded. If a problem with
Go's SSL implementation is discovered, every Go application that might use
that library needs to be rebuilt, and for packages without source code you'd
never know which ones include the vulnerable code.
That argument seems pretty weak to me, b/c that's a double-edged sword
issue. With dynamic linking, a new version of library makes all it's
client vulnerable to any exploit which may happen to be introduced by
it. But static-linked Go apps are safe from introducing _new_ exploits
into them via the shared lib vector.
We're not, however, upgrading libraries regularly -- *only* for security
updates. So the 'introduction of new exploits' vector is not a concern.


You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 20 | next ›
Discussion Overview
groupgolang-nuts @
postedJan 30, '13 at 10:39a
activeJan 30, '13 at 5:51p



site design / logo © 2021 Grokbase