On 03/09/2017 05:06 PM, Michael Orlitzky wrote:
> "How do we update insecure libraries?" would have been a good question
> to ask *before* adding Go to the tree, because the answer is pretty
> clearly "we can't."

As it is now, if a go-package is to be in the stable tree, the package maintainer adding a go package will need to keep track of relevant dependencies that are embedded and do a revdep of the package if a vulnerability in the chain is discovered.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3