On Tue, Aug 15, 2017 at 04:58:00PM -0700, 'Eric Johnson' via golang-nuts wrote: > As I scan reports of vulnerable software, I'm concerned that it is > impossible to tell, from a Go binary, what was used to build that binary.
A lot of projects are already doing this, if somewhat indirectly: they put a git commit hash into the binary that includes their (in-repo) vendor directory. Should vendor fall out of fashion at some point, one can surely come up with a different scheme. I don't see why this should be tied to a possible Go 2, though. It's pretty much independent from the language. Might be more appropriate to work on it in the context of dep. Could be as simple as making sure that dep can emit the required information for people to pick up during their build. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
