On 2024-10-25, Michael Orlitzky <m...@gentoo.org> wrote:
> On Fri, 2024-10-25 at 13:08 +0200, Holger Hoffstätte wrote:
>> >
>> > It's a Go package though, so it will quietly install a mountain of
>> > random outdated static libraries from github.
>>
>> What? No, it will not. Those dependencies are absolutely not installed,
>> they are only used for building & linking the executable.
>>
>
> You're right, of course, but after they're all statically linked into
> that executable, the executable, containing the libraries that will
> never be updated, is installed. And then we use them to process
> untrusted content from the network...?

And there seems to be plenty of crypto and ssh stuff in there, so that's a bit scary.

-- 
Grant
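The thread's point is that once a Go program is linked, the exact dependency versions are frozen inside the installed executable. They are not invisible, though: the Go linker embeds the module list in every module-mode binary, and `go version -m <file>` prints it. The program below is an added example written for this page (it is not code from the thread or from any Gentoo package) that reads that embedded metadata from an installed binary with the standard `debug/buildinfo` package and flags the modules under chosen path prefixes, here the `golang.org/x/crypto` modules and `github.com/pkg/sftp` as stand-ins for the "crypto and ssh stuff". The `sampleInfo` build metadata, the module names under `example.invalid`, and the listed versions are constructed for the demonstration and do not describe any real package.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// Dep is one module that was statically linked into a Go binary, after
// resolving any replace directive that was in effect at build time.
type Dep struct {
	Path     string // module path as imported (e.g. golang.org/x/crypto)
	Version  string // version actually linked (the replacement's, if replaced)
	Replaced bool   // true if a replace directive redirected this module
}

// Report summarises what an installed binary carries.
type Report struct {
	GoVersion string // toolchain that built the binary
	NumDeps   int    // total number of linked third-party modules
	Flagged   []Dep  // modules whose path falls under a watched prefix
}

// DefaultWatch lists module prefixes a packager would want called out:
// the Go crypto/ssh extension modules and a common SFTP helper.
var DefaultWatch = []string{"golang.org/x/crypto", "github.com/pkg/sftp"}

// audit is the pure core: it walks the embedded module list and flags the
// modules whose path equals, or sits below, one of the watched prefixes.
func audit(info *debug.BuildInfo, watch []string) Report {
	r := Report{GoVersion: info.GoVersion, NumDeps: len(info.Deps)}
	for _, m := range info.Deps {
		d := Dep{Path: m.Path, Version: m.Version}
		if m.Replace != nil {
			// The replacement is what actually got linked; its version is
			// the one any later "is this outdated?" check must look at.
			d.Version = m.Replace.Version
			d.Replaced = true
		}
		for _, p := range watch {
			// The trailing "/" stops "golang.org/x/crypto" matching
			// an unrelated "golang.org/x/crypto2".
			if d.Path == p || strings.HasPrefix(d.Path, p+"/") {
				r.Flagged = append(r.Flagged, d)
				break
			}
		}
	}
	return r
}

// AuditBinary reads the build metadata the Go linker embeds in every
// module-mode binary (the same data `go version -m <file>` prints) and
// audits it. It works on an installed executable; no source is needed.
func AuditBinary(path string, watch []string) (Report, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return Report{}, err
	}
	return audit(info, watch), nil
}

// sampleInfo is a constructed BuildInfo standing in for a real binary so
// the audit can be exercised offline; module names and versions are
// illustrative only (example.invalid is a reserved, non-resolvable domain).
func sampleInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.21.3",
		Main:      debug.Module{Path: "example.invalid/sometool"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/crypto", Version: "v0.3.0"},
			{Path: "golang.org/x/sys", Version: "v0.5.0"},
			{Path: "github.com/pkg/sftp", Version: "v1.13.5"},
			// A module redirected by a replace directive at build time.
			{Path: "github.com/some/forked-ssh", Version: "v0.0.0-00010101000000-000000000000",
				Replace: &debug.Module{Path: "example.invalid/fork", Version: "v0.9.1"}},
		},
	}
}

// AuditSample runs the audit over the constructed metadata.
func AuditSample() Report { return audit(sampleInfo(), DefaultWatch) }

func printReport(r Report) {
	fmt.Printf("built with %s, %d linked modules, %d flagged\n", r.GoVersion, r.NumDeps, len(r.Flagged))
	for _, d := range r.Flagged {
		note := ""
		if d.Replaced {
			note = " (via replace directive)"
		}
		fmt.Printf("  %s %s%s\n", d.Path, d.Version, note)
	}
}

func main() {
	// With a path argument, inspect a real installed binary; otherwise
	// fall back to the constructed sample so the program runs offline.
	if len(os.Args) > 1 {
		r, err := AuditBinary(os.Args[1], DefaultWatch)
		if err != nil {
			fmt.Fprintln(os.Stderr, "cannot read build info:", err)
			os.Exit(1)
		}
		printReport(r)
		return
	}
	printReport(AuditSample())
}
```

Run it as `go run . /usr/bin/sometool` to list what a given Go executable really links, or with no argument to see the output for the constructed sample. The report only tells you which versions are frozen in the binary, not whether they carry known bugs; that second question is what a binary-mode scan with `govulncheck` answers, and it is the check a packager would want to repeat each time the ebuild is rebuilt, since a static binary gets no benefit from a later system-wide library update.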