As I scan reports of vulnerable software, I'm concerned that it is impossible to tell, from a Go binary, what was used to build that binary, which means that if I depend on some library that is discovered to have a vulnerability, I cannot look at each of the binaries I have deployed and discover whether those binaries are vulnerable. This is starting to worry me, as my company builds more and more software with Go.
Now that "dep" is emerging as a standard tool, perhaps we can include the dependency information in the built binaries in a way that is discoverable with a common tool? Possibly we also want to establish a convention, such as a command line parameter "--buildinfo" that can be specified to spit out that very info? I'm happy to contribute to further exploring implementation, but I figured I'd start by asking a question, in case someone is already working in this direction.

Eric.
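An added example, not from the original post, of what the proposed "--buildinfo" convention can rest on: later Go toolchains embed the module list in every module-mode binary and expose it through runtime/debug.ReadBuildInfo (and `go version -m`), so whoever deploys the binary can match that list against a list of fixed versions. AffectedModules and the map of module path to first fixed version are hypothetical names and constructed data.

```go
package main

import (
	"runtime/debug"
	"strconv"
	"strings"
)

// parseVersion splits "v1.2.3" into numbers; "-pre" and "+meta" suffixes are dropped.
func parseVersion(v string) (out [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // also truncates pseudo-versions like v0.0.0-20190101000000-abcdef
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p) // non-numeric parts count as 0
	}
	return out
}

// lessThan reports whether version a is older than b (major.minor.patch only).
func lessThan(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// AffectedModules lists the deps recorded in bi that fixed covers and that predate
// the fix; fixed is a constructed map of module path -> first fixed version.
func AffectedModules(bi *debug.BuildInfo, fixed map[string]string) []string {
	var hits []string
	for _, dep := range bi.Deps {
		if dep.Replace != nil {
			dep = dep.Replace // the replacement is what was actually compiled in
		}
		if fix, ok := fixed[dep.Path]; ok && lessThan(dep.Version, fix) {
			hits = append(hits, dep.Path+"@"+dep.Version)
		}
	}
	return hits
}
```

For the running binary itself, pass the *debug.BuildInfo returned by debug.ReadBuildInfo() (its ok result is false when the binary was not built in module mode); the comparison is major.minor.patch only, so pre-release ordering is not modelled.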