On Thu, Aug 17, 2017 at 09:54:43AM -0700, Eric Johnson wrote:
> The compiler, at least, knows which packages were used to compile the
> source. Even absent additional metadata from something like Gopkg.lock, the
> compiler could still include info about the packages compiled into a
> binary.
The compiler, at least, knows which packages were used to compile the
source. Even absent additional metadata from something like Gopkg.lock, the
compiler could still include info about the packages compiled into a
binary. Knowing that something might be vulnerable - but not knowing the
version
Keep in mind that you can't assume vcs info is available at build time. They
may be building from a downloaded tarball, in which case you *may* have a
Gopkg.lock (if everyone uses dep) but not much else. They may be Debian and
build from source packages where the Go compiler sees no version
I note it as something for Go 2, if only because it would be good to
standardize it across all Go binaries, so it was possible to introspect
*every* Go executable. Otherwise, I have to push to get all teams using go
to adopt the same approach to building in this information, rather than
having
On Tue, Aug 15, 2017 at 04:58:00PM -0700, 'Eric Johnson' via golang-nuts wrote:
> As I scan reports of vulnerable software, I'm concerned that it is
> impossible to tell, from a Go binary, what was used to build that binary.
A lot of projects are already doing this, if somewhat indirectly: they
On Wed, Aug 16, 2017 at 1:58 AM 'Eric Johnson' via golang-nuts <
golang-nuts@googlegroups.com> wrote:
> I'm happy to contribute to further exploring implementation, but I
> figured I'd start by asking a question, in case someone is already working
> in this direction.
That'd be a nice tool for
As I scan reports of vulnerable software, I'm concerned that it is
impossible to tell, from a Go binary, what was used to build that binary.
Which means that if I depend on some library that is discovered to have a
vulnerability, I cannot look at each of the binaries I have deployed, and
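Reading the package list back out of a deployed binary, as the thread asks for, is something later Go toolchains do by default for module-built binaries; the following is an added example (not code from this thread or from the Go project) that uses `debug/buildinfo` to read that embedded record from a binary on disk and compare it against a vulnerability report. The `VulnerableVersions` table and the `example.com/...` module paths are constructed placeholders.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// VulnerableVersions maps a module path to the versions a vulnerability report
// names. Constructed sample data for this example, not a real advisory.
var VulnerableVersions = map[string]map[string]bool{
	"example.com/somelib": {"v1.2.0": true, "v1.2.1": true},
}

// CheckBuildInfo returns the dependencies recorded in a binary's build info that
// match the report. A replaced module is checked under its replacement path and
// version, because that is the code the compiler actually linked in.
func CheckBuildInfo(bi *debug.BuildInfo, vulnerable map[string]map[string]bool) []*debug.Module {
	var hits []*debug.Module
	for _, dep := range bi.Deps {
		m := dep
		if dep.Replace != nil {
			m = dep.Replace
		}
		if vers, ok := vulnerable[m.Path]; ok && vers[m.Version] {
			hits = append(hits, m)
		}
	}
	return hits
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gobuildcheck <go-binary>...")
		os.Exit(2)
	}
	for _, path := range os.Args[1:] {
		// ReadFile parses the build info the Go linker embeds (Go 1.18+ module builds).
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		for _, m := range CheckBuildInfo(bi, VulnerableVersions) {
			fmt.Printf("%s: built with %s %s, named in report\n", path, m.Path, m.Version)
		}
	}
}
```

The caveat raised earlier in the thread still applies: a binary built without module information carries no dependency versions, so an empty result is not evidence that the binary is clean.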