On Fri, 2024-10-25 at 13:08 +0200, Holger Hoffstätte wrote:
> >
> > It's a Go package though, so it will quietly install a mountain of
> > random outdated static libraries from github.
>
> What? No, it will not. Those dependencies are absolutely not installed,
> they are only used for building & linking the executable.
>

You're right of course but after they're all statically linked into that executable, the executable, containing the libraries that will never be updated, is installed. And then we use them to process untrusted content from the network...?
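
An added example, not part of the thread above: the Go linker records the module versions it statically linked into an executable, so an installed binary can be audited for what it carries. The sketch below uses the standard library's `debug/buildinfo`; the names `EmbeddedDeps` and `Dep` are chosen here for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Dep is one module version that was compiled into the binary.
type Dep struct {
	Path, Version, Sum string
}

// EmbeddedDeps reads the build metadata the Go linker embeds in an executable
// and returns the toolchain version plus every module linked into it.
func EmbeddedDeps(binary string) (string, []Dep, error) {
	info, err := buildinfo.ReadFile(binary)
	if err != nil {
		// Not a Go binary, unreadable, or built without module information.
		return "", nil, fmt.Errorf("%s: %w", binary, err)
	}
	deps := make([]Dep, 0, len(info.Deps))
	for _, m := range info.Deps {
		if m.Replace != nil {
			// A replace directive means this is the code actually linked in.
			m = m.Replace
		}
		deps = append(deps, Dep{Path: m.Path, Version: m.Version, Sum: m.Sum})
	}
	return info.GoVersion, deps, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: embedded-deps <path-to-go-binary>")
		os.Exit(2)
	}
	goVer, deps, err := EmbeddedDeps(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("built with %s, %d linked modules\n", goVer, len(deps))
	for _, d := range deps {
		fmt.Printf("%s\t%s\t%s\n", d.Path, d.Version, d.Sum)
	}
}
```

`go version -m <binary>` prints the same embedded information from the command line; the listed versions stay fixed until the package itself is rebuilt and reinstalled.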