Is there a way to identify a package as safe?

Let's restrict the imported packages to built-in ones. Now assuming a 
package only imports "strings" and "net/url" can it considered as safe? 
Since it does not (can not) modify the environment (most notably executing 
code)?

Of course the package still can behave in a malicious manner by (for 
example) creating too many goroutines.

This came to mind when I was reading about package managers and learnt some 
problems that they have. 

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to