New dependencies in juju-core

roger peppe rogpeppe at gmail.com
Fri Jun 21 09:07:14 UTC 2013


On 20 June 2013 12:38, John Arbash Meinel <john at arbash-meinel.com> wrote:
> This brings us back to having a dependency on a CGO library. Is this
> something we need to talk about, or we just live with it?

For the record, I am concerned about bringing in a dependency
on some arbitrary third party code of uncertain provenance,
outside of our control, that is messing with unsafe stuff. I'm talking about
github.com/andelf/go-curl rather than libcurl itself here.

At the very least we should give that code a very thorough vetting,
and I think it would probably be best to pull it directly into gwacl
so that that unknown third party can't compromise the security
of juju by simply updating their source code.

It's a pity that TLS renegotiation is such "a huge mess" (Adam Langley's
words). I have hopes that it might get done in Go core
at some point anyway.
