I note it as something for Go 2, if only because it would be good to standardize it across all Go binaries, so it was possible to introspect *every* Go executable. Otherwise, I have to push to get all teams using go to adopt the same approach to building in this information, rather than having each team do it different. On top of that, it still doesn't solve my problem for third-party already-built binaries.
An indirect solution that captures the hash of the vendor directory (presumably the git commit hash?), doesn't solve the problem particularly well, even for internally built binaries, because I'd still then need to go back to the source tree to answer the question - "is this executable vulnerable?" That's more time consuming, more prone to failure, and the failure modes are harder to resolve (don't have access to source code, network is down, etc.). We don't need to worry about this with dynamically linked libraries, because we can actually see the versions of the libraries on the system directly. To make the Go binaries functionality equivalent, I want to be able to see the answer to the question without having to go to separate systems. Eric. On Wed, Aug 16, 2017 at 9:10 AM, Lars Seipel <lars.sei...@gmail.com> wrote: > On Tue, Aug 15, 2017 at 04:58:00PM -0700, 'Eric Johnson' via golang-nuts > wrote: > > As I scan reports of vulnerable software, I'm concerned that it is > > impossible to tell, from a Go binary, what was used to build that binary. > > A lot of projects are already doing this, if somewhat indirectly: they > put a git commit hash into the binary that includes their (in-repo) > vendor directory. > > Should vendor fall out of fashion at some point, one can surely come up > with a different scheme. I don't see why this should be tied to a > possible Go 2, though. It's pretty much independent from the language. > > Might be more appropriate to work on it in the context of dep. Could be > as simple as making sure that dep can emit the required information for > people to pick up during their build. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
