On Tue, Aug 8, 2023 at 7:37 AM Jakub Jelinek <ja...@redhat.com> wrote: > > BTW, I think we should perhaps differentiate between production ready > libraries (e.g. libgcc, libstdc++, libgomp, libatomic, libgfortran, > libquadmath, > libssp) vs. e.g. the sanitizer libraries which are meant for debugging and > I believe it is highly risky to run them in programs with extra priviledges > - e.g. I think they use getenv rather than *secure_getenv to get at various > tweaks for their behavior including where logging will happen and upstream > doesn't really care. > And not really sure what to say about lesser used language support > libraries, libada, libphobos, libgo, libgm2, ... nor what to say about > libvtv etc.
libgo is a complicated case because it has a lot of components including a web server with TLS support, so there are a lot of potential security issues for programs that use libgo. The upstream security policy is https://go.dev/security/policy. I'm not sure what to say about libgo in GCC, since realistically the support for security problems is best-effort. I guess we should at least accept security reports, even if we can't promise to fix them quickly. Ian