On 26 August 2015 at 03:15, Mathieu Trudel-Lapierre <mathieu...@gmail.com> wrote: > My concern isn't so much in that these binaries come with the source -- > it sounds suboptimal, but it's not quite as bad as shipping binary blobs > we haven't built ourselves...
Right, but as I tried to say, this is not a new thing, we were distributing these blobs anyway. > That's the main issue I have with it and with removing the line from > rules which deletes .syso files (note that we probably shouldn't ship > any binaries we have not built ourselves, that includes other ELF > binaries packed in the source tarball). It's possibly OK to run these > binaries late in the build process when running tests because we are not > exposing our users to untrusted binaries directly (as long as they don't > go silently change the binaries we built and are about to ship), but > shipping these files to users without having built them ourselves sounds > like a security accident waiting to happen. I agree that what we have here is not good. To be clear, the syso files are nothing at all to do with running test cases during the build. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1487928 Title: please upload 1.5 final packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang/+bug/1487928/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
