x/vgo: support C dependencies? #23975
Labels
Milestone
Comments
|
go1.10 and go1.9.4 contained a fix to prevent arbitrary execution during build steps. It was seen as a point release worthy security issue. I suspect this would not fly for the same reasons. |
|
go get was running the commands automatically without the user knowing before hand so I can understand why blocking that would be important. However if a user has to opt in with a flag then they are given the chance to audit the commands and is not any more harmful than a line in the readme saying go download and install this lib running these commands. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm quite confident everyone would agree that dealing with C deps is a huge pain compared to go packages. I'm even developing a build command for my package to pull and build C deps before building the package.
When I saw vgo I thought, it would be nice if this did the work instead of having to write a build command. I know that would mean allowing arbitrary code execution unless go had it's own makefile/configure/etc... parser.
If it is not automatic and the user can inspect the build commands. I believe it's no more dangerous than putting in a readme asking users to download and install a C library,
The text was updated successfully, but these errors were encountered: