The compiler, at least, knows which packages were used to compile the source. Even absent additional metadata from something like Gopkg.lock, the compiler could still include info about the packages compiled into a binary. Knowing that something might be vulnerable - but not knowing the version from the executable - is still better than not knowing at all.
Eric.

On Wed, Aug 16, 2017 at 10:00 PM, Jakob Borg <ja...@kastelo.net> wrote:

> Keep in mind that you can't assume vcs info is available at build time.
> They may be building from a downloaded tarball, in which case you *may*
> have a Gopkg.lock (if everyone uses dep) but not much else. They may be
> Debian and build from source packages where the Go compiler sees no version
> info at all - but the package manager knows the information you want. Etc.
>
> //jb
>
> On 16 Aug 2017, at 20:11, 'Eric Johnson' via golang-nuts <golang-nuts@googlegroups.com> wrote:
>
> I note it as something for Go 2, if only because it would be good to
> standardize it across all Go binaries, so it was possible to introspect
> *every* Go executable. Otherwise, I have to push to get all teams using
> go to adopt the same approach to building in this information, rather than
> having each team do it different. On top of that, it still doesn't solve my
> problem for third-party already-built binaries.