Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Statically linking your SSL library makes you an asshole...Heartbleed 2.0.

Go has its own SSL library, crypto/tls, which is not linked to any C libraries and wasn't affected by Heartbleed 1.0. You haven't written much Go if you don't know that.

The argument is specious anyway, there's nothing difficult about building a binary from an old version of your code or just upgrading in most cases. Deploying a new Go binary is always trivial as compared with upgrading, testing, and deploying Python, Ruby, or Java applications with their associated libraries and interpreters.



> Go has its own SSL library, crypto/tls, which is not linked to any C libraries and wasn't affected by Heartbleed 1.0. You haven't written much Go if you don't know that.

The parent poster obviously wasn't saying that crypto/tls was affected by Heartbleed specifically. It was a statement about the security implications of static linking.


His point was not that golang was susceptible to heartbleed. It's about static vs dynamic linking.


"Go has its own SSL library, crypto/tls, which is not linked to any C libraries and wasn't affected by Heartbleed 1.0."

Is it going to be affected by Heartbleet 2.0? How about whatever the next exploit is?

"The argument is specious anyway, there's nothing difficult about building a binary from an old version of your code or just upgrading in most cases."

Not in every case, and not for customers who don't have access to the code.


I'm not even particularly worried about applications to which I don't have code access. I'm worried about getting off my OS's upgrade track because the minor version of the application I've verified to be usable and correct in my environment is no longer the one I'm going to have because a vendored dependency was upgraded during a release of the application itself rather than as an independent, dynamically linked library.


No, it will just have its own vulnerabilities instead.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: