CGO_CFLAGS_DISALLOW is mentioned as being already present by https://golang.org/cmd/cgo/, and I see there is also a corresponding CGO_LDFLAGS_DISALLOW in the go1.9.4 source. So this proposal may be redundant.
As a complement to #23672 and #23749,
Consider the developer who wants to upgrade to a new C compiler version, but notices that the new compiler allows flags that enable arbitrary code execution, during a CGO build of dependent packages, as per #23672.
And it just so happens that the new flags are allowed by the existing whitelist set.
In order to use the new compiler safely, while not waiting the average 3-6 months for an updated Go version, the developer would like to set an environment variable regex that blacklists the use of those new, unsafe flags, when building dependencies.
Suggested names: CGO_CFLAGS_FORBID, CGO_LDFLAGS_FORBID
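The layering this issue asks for, sketched as an added example (it is not code from the issue or from the Go toolchain): a user-supplied deny regex is checked before a built-in allow-list, so it can block a flag the allow-list would otherwise admit. `builtinAllow`, `CheckFlags` and the `-fnew-unsafe` flag are names constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// builtinAllow is a constructed stand-in for a toolchain's built-in allow-list.
// Its last pattern is broad enough to admit a flag added by a newer compiler.
var builtinAllow = []*regexp.Regexp{
	regexp.MustCompile(`\A-[DIU].+\z`),
	regexp.MustCompile(`\A-O[0-3s]?\z`),
	regexp.MustCompile(`\A-f[a-z0-9-]+(=.+)?\z`),
}

// CheckFlags returns the flags to reject: those the user's deny regex matches
// in full, plus those no allow pattern matches. Deny is consulted first, so it
// overrides the allow-list.
func CheckFlags(flags []string, denyExpr string) ([]string, error) {
	var deny *regexp.Regexp
	if denyExpr != "" {
		var err error
		// Anchor so the expression must match the whole flag, not a substring.
		if deny, err = regexp.Compile(`\A(?:` + denyExpr + `)\z`); err != nil {
			return nil, fmt.Errorf("invalid deny regex: %w", err)
		}
	}
	var rejected []string
next:
	for _, f := range flags {
		if deny != nil && deny.MatchString(f) {
			rejected = append(rejected, f)
			continue
		}
		for _, re := range builtinAllow {
			if re.MatchString(f) {
				continue next
			}
		}
		rejected = append(rejected, f)
	}
	return rejected, nil
}

func main() {
	// Constructed input; "-fnew-unsafe" is a hypothetical flag name.
	flags := []string{"-O2", "-DDEBUG=1", "-fnew-unsafe=./helper.so", "-Wl,-rpath"}
	fmt.Println(CheckFlags(flags, ""))                // allow-list only
	fmt.Println(CheckFlags(flags, `-fnew-unsafe=.*`)) // with deny override
}
```

Because the deny expression is anchored, a partial pattern such as `-fnew` does not block `-fnew-unsafe=...`; the expression has to cover the whole flag, including its argument.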