[Bug 1487928] Re: please upload 1.5 final packages
Michael Hudson-Doyle
michael.hudson+lp at canonical.com
Wed Aug 26 03:28:39 UTC 2015
On 26 August 2015 at 03:15, Mathieu Trudel-Lapierre
<mathieu.tl at gmail.com> wrote:
> My concern isn't so much in that these binaries come with the source --
> it sounds suboptimal, but it's not quite as bad as shipping binary blobs
> we haven't built ourselves...
Right, but as I tried to say, this is not a new thing, we were
distributing these blobs anyway.
> That's the main issue I have with it and with removing the line from
> rules which deletes .syso files (note that we probably shouldn't ship
> any binaries we have not built ourselves, that includes other ELF
> binaries packed in the source tarball). It's possibly OK to run these
> binaries late in the build process when running tests because we are not
> exposing our users to untrusted binaries directly (as long as they don't
> go silently change the binaries we built and are about to ship), but
> shipping these files to users without having built them ourselves sounds
> like a security accident waiting to happen.
I agree that what we have here is not good. To be clear, the syso
files are nothing at all to do with running test cases during the
build.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to golang in Ubuntu.
https://bugs.launchpad.net/bugs/1487928
Title:
please upload 1.5 final packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang/+bug/1487928/+subscriptions
More information about the Ubuntu-server-bugs
mailing list