On Fri, 21 Apr 2017 11:45:02 PDT "'Eric Johnson' via golang-nuts" <golang-nuts@googlegroups.com> wrote:
>
> A question has been bugging me for the past few weeks. How can I tell what
> was used to build a Go application?
>
> As I see various security notices scrolling by my email inbox, I see things
> like Tomcat or OpenSSL announcing security updates, the JRE, or for that
> matter, Go itself.
>
> Once I see one of those alerts, frequently I want to be able to ask, "are
> the systems I administer affected?"
>
> For a first approximation, StackOverflow says:
> https://stackoverflow.com/questions/18990242/find-out-the-version-of-go-a-binary-was-built-with
>
> But that doesn't appear to work with the first Go executable I tried (on
> macOS).
>
> Version of Go is a start, but it would also be great to know the packages.
> After a point, I don't expect many ongoing security issues with the Go
> standard library, but I do expect to see more problems with the supporting
> packages, so I want to know those, too!
>
> If I know the packages, even better if I can know the versions of those
> packages, or perhaps the version control commits?
>
> Is this a known planned feature? Is there an existing way to do this that
> I've overlooked?

At my last place we embedded the git checksum in a global string. Assuming packages are vendored carefully, at least you now have a means to track down if a known security issue applies.
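
The reply's approach as an added example (not code from the thread or from the Go project): a global string set at link time, combined with the module list that Go 1.18 and later embed in module-built binaries and expose through `runtime/debug.ReadBuildInfo`. `Provenance`, `collect`, `sampleInfo` and the sample module path are hypothetical names constructed for this illustration.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
)

// gitCommit is the "global string" from the reply; overwrite it at link time:
//   go build -ldflags "-X main.gitCommit=$(git rev-parse HEAD)"
var gitCommit = "unknown"

// Provenance is a hypothetical record type introduced for this example.
type Provenance struct {
	GoVersion, Commit string
	Modules           map[string]string // module path -> version built in
}

// collect merges the link-time commit with embedded build info; linked value wins.
func collect(info *debug.BuildInfo, linked string) Provenance {
	p := Provenance{GoVersion: runtime.Version(), Commit: linked, Modules: map[string]string{}}
	if info == nil { // binary built without module support
		return p
	}
	for _, s := range info.Settings {
		if s.Key == "vcs.revision" && p.Commit == "unknown" {
			p.Commit = s.Value
		}
	}
	for _, d := range info.Deps {
		v := d.Version
		if d.Replace != nil { // a replace directive changes what was compiled
			v = d.Replace.Path + "@" + d.Replace.Version
		}
		p.Modules[d.Path] = v
	}
	return p
}

// sampleInfo returns constructed build info (not from a real binary).
func sampleInfo() *debug.BuildInfo {
	return &debug.BuildInfo{Deps: []*debug.Module{{Path: "example.com/vendored/lib", Version: "v1.2.3"}},
		Settings: []debug.BuildSetting{{Key: "vcs.revision", Value: "0123abcd"}}}
}

func main() {
	info, _ := debug.ReadBuildInfo()
	fmt.Printf("%+v\n", collect(info, gitCommit))
}
```

The same embedded data can be read from outside a binary with `go version -m <binary>`.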