I'm wondering how to respond to security patches. After a patch, any go.mod file mentioning an older version of the library is a candidate for version-bumping: download the new version, test, and do a commit with the new version number if all goes well.
It's nice that it can be done in any order, but if it isn't done (either manually or automatically) nobody will use the new version except new customers of the patched library. I suppose a minimal approach would be to encourage people to run "vgo get -u" periodically, test, and commit.

On Tuesday, February 20, 2018 at 9:20:54 AM UTC-8, Russ Cox wrote:
> Hi everyone,
>
> I have a new blog post you might be interested in.
> https://research.swtch.com/vgo.
>
> I'll try to watch this thread to answer any questions.
>
> Best,
> Russ
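The check described in the message above (which go.mod files still mention a version older than the patched one), as an added example that is not part of the original post or of vgo itself. The module paths under example.com and the function names are hypothetical, and versions are assumed to be plain vMAJOR.MINOR.PATCH; anything else is flagged for manual review.

```go
package main

import (
	"fmt"
	"strings"
)

// older reports whether a sorts before b; unparseable or pre-release pins count as older (review).
func older(a, b string) bool {
	var x, y [3]int
	_, errA := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	_, errB := fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	if errA != nil || errB != nil || strings.Contains(a, "-") {
		return true
	}
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i] // numeric compare, so v1.10.0 is newer than v1.9.9
		}
	}
	return false
}

// RequiredVersion returns the version goMod requires for module, or "" if it is not required.
func RequiredVersion(goMod, module string) string {
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop comments such as "// indirect"
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inBlock = f[0] == "require" // only "require (" blocks count, not exclude/replace
		case len(f) == 3 && f[0] == "require" && strings.Trim(f[1], `"`) == module:
			return f[2]
		case inBlock && len(f) == 2 && strings.Trim(f[0], `"`) == module:
			return f[1]
		}
	}
	return ""
}

// NeedsBump reports whether goMod pins module below the patched version.
func NeedsBump(goMod, module, patched string) bool {
	cur := RequiredVersion(goMod, module)
	return cur != "" && older(cur, patched)
}

func main() { // constructed sample go.mod content
	fmt.Println(NeedsBump("require example.com/lib v1.4.2\n", "example.com/lib", "v1.4.3"))
}
```

Run over every go.mod in a tree, the files for which `NeedsBump` is true are the ones still waiting for the download, test and commit step.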