x/vgo: support C dependencies? #23975

Closed
AlexRouSg opened this issue Feb 21, 2018 · 2 comments

Comments

@AlexRouSg
Contributor

commented Feb 21, 2018

I'm quite confident everyone would agree that dealing with C deps is a huge pain compared to Go packages. I'm even developing a build command for my package to pull and build C deps before building the package.

When I saw vgo I thought it would be nice if this did the work instead of having to write a build command. I know that would mean allowing arbitrary code execution unless Go had its own makefile/configure/etc... parser.

If it is not automatic and the user can inspect the build commands, I believe it's no more dangerous than putting in a readme asking users to download and install a C library.

@gopherbot gopherbot added this to the Unreleased milestone Feb 21, 2018

@bradfitz bradfitz modified the milestones: Unreleased, vgo Feb 21, 2018

@kardianos

Contributor

commented Feb 28, 2018

go1.10 and go1.9.4 contained a fix to prevent arbitrary execution during build steps. It was seen as a point-release-worthy security issue.

I suspect this would not fly for the same reasons.

@AlexRouSg

Contributor Author

commented Feb 28, 2018

go get was running the commands automatically without the user knowing beforehand, so I can understand why blocking that would be important. However, if a user has to opt in with a flag, then they are given the chance to audit the commands, and it is not any more harmful than a line in the readme saying go download and install this lib running these commands.

@AlexRouSg AlexRouSg closed this Mar 30, 2018

@golang golang locked and limited conversation to collaborators Mar 30, 2019
