FAQ

On Wed, Jan 30, 2013 at 2:39 AM, Damian Gryski wrote:

In discussions with a sysadmin at $WORK, he mentioned that Go's
static-linking is a deal-breaker for him. His example is if a security
problem with a shared library (say, openssl) is discovered, only a single
package (the vulnerable ssl lib) needs to be upgraded. If a problem with
Go's SSL implementation is discovered, every Go application that might use
that library needs to be rebuilt, and for packages without source code
you'd never know which ones include the vulnerable code.

A few things here. Vulnerabilities in Go will tend to be on a much
different axis than vulnerabilities in C/C++. I know some security guys
who have spent quite a bit of time hammering at Go and they haven't
(without using unsafe) been able to break through the runtime to do
anything beyond crash the app in anything resembling normal code, and even
that required specifically crafted, racy Go. Problems in Go libraries will
tend to be bugs, and will tend to be surfaced in different ways for
different apps. A bug in the way that SSL is used in HTTP could do a
number of problematic things and would affect a reasonable number of apps,
but they're more likely to leak too much information than they are to allow
arbitrary code execution. Deploying a shared library requires knowing
where all such shared libraries are and notifying all engineering teams,
which seems like about as much work as knowing who's importing the affected
package and telling them to update their binaries (though obviously it's a
bit slower).

He does, however, agree that the 'single binary' deployment is an
improvement over fighting with multitudes of Perl or Python modules.

I am aware of the "dynamic linking considered harmful" page, and I've read
the FAQ and know that static linking was a design decision. Has anyone
else encountered this problem before? How did you solve it? (Note that
"problem" in this sense is the security aspect of having to
rebuild/redeploy everything instead of just the single shared library. I'm
not interested in stories about how you convinced your co-workers to switch
to Go :)

Damian

--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Discussion Overview
group: golang-nuts
categories: go
posted: Jan 30, '13 at 10:39a
active: Jan 30, '13 at 5:51p
posts: 20
users: 13
website: golang.org
