tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Bump go version in new release #116

Closed Daemonslayer2048 closed 1 year ago

Daemonslayer2048 commented 2 years ago

Summary

It would appear the most recent release was compiled with go1.16 which is EOL as of approximately a year and a half ago. There are of course many CVEs this project is not impacted by according to #104 but new CVEs pop up all the time, so moving away from an unsupported version would be helpful.

Motivation

At Platform One we use continuous scanning with tools like Twistlock and Anchore to scan our hardened images. This project is also used in the synapse project's docker image, which is a security/privacy focused chat server. Updating this repo with a new version would help increase the security of the synapse image.

Proposal

Release a new version compiled with an updated version of go; it looks like the master branch is preparing to use 1.19?

kevag4 commented 1 year ago

Hello @tianon, any news about this? Like Demonslayer mentions, there is strong motivation to upgrade to Go 1.16, especially the one with CVEs.

ThomasKroghMortensen commented 1 year ago

> Hello @tianon, any news about this? Like Demonslayer mentions, there is strong motivation to upgrade to Go 1.16, especially the one with CVEs.

Also waiting to see this happen. I think you mean Go 1.19?

samuelkarp commented 1 year ago

I think https://github.com/tianon/gosu/issues/109#issuecomment-1160847570 covers @tianon's position here (though he can always correct me if I'm wrong).

tianon commented 1 year ago

With https://github.com/tianon/gosu/releases/tag/1.15, I've now got https://github.com/tianon/gosu/blob/master/SECURITY.md which makes it clear how to determine whether vulnerabilities apply to a released version/build of gosu (TLDR, the answer is now govulncheck, which checks for invocations of the actual vulnerable functionality).
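One way to perform the check this issue asks for, as an added example that is not part of gosu or of this thread: the Go program below reads the toolchain version embedded in a compiled binary through the standard library's debug/buildinfo package (the same data `go version -m <binary>` prints) and compares it against the Go support window, which covers the two most recent minor releases. The binary path, the newest-minor argument and the function names are assumptions of the example; it answers only "was this built with a supported toolchain?", and does not replace govulncheck, which checks whether vulnerable code is actually reachable.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// GoVersionOf returns the Go toolchain version recorded in a compiled binary's
// embedded build info, i.e. the version "go version -m <binary>" prints.
// It reads any Go binary built with Go 1.18 or newer.
func GoVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading build info from %s: %w", path, err)
	}
	return bi.GoVersion, nil
}

var goVersionRe = regexp.MustCompile(`^go1\.(\d+)`)

// MinorOf extracts the minor release number from a Go release version string
// such as "go1.16.15" (-> 16). Development versions ("devel ...") are rejected.
func MinorOf(version string) (int, error) {
	m := goVersionRe.FindStringSubmatch(version)
	if m == nil {
		return 0, fmt.Errorf("unrecognised Go version %q", version)
	}
	return strconv.Atoi(m[1])
}

// IsOutOfSupport reports whether a toolchain version falls outside the Go
// project's support window: only the two most recent minor releases receive
// fixes, so with newestMinor = N, anything older than 1.(N-1) is unsupported.
// newestMinor is supplied by the caller (an assumption of this example; the
// check deliberately stays offline).
func IsOutOfSupport(version string, newestMinor int) (bool, error) {
	minor, err := MinorOf(version)
	if err != nil {
		return false, err
	}
	return minor < newestMinor-1, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <newest-go-minor>")
		os.Exit(2)
	}
	newest, err := strconv.Atoi(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "newest-go-minor must be an integer:", err)
		os.Exit(2)
	}
	v, err := GoVersionOf(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	old, err := IsOutOfSupport(v, newest)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s was built with %s\n", os.Args[1], v)
	if old {
		fmt.Println("toolchain is outside the Go support window; rebuild with a current toolchain and run govulncheck")
		os.Exit(1)
	}
	fmt.Println("toolchain is within the Go support window")
}
```

Run it as `gocheck ./gosu 19` to evaluate a downloaded release against a world where 1.19 is the newest release: a binary reporting go1.16.x exits non-zero, while go1.18.x or go1.19.x passes. Image scanners such as the ones mentioned above flag the toolchain version alone; treating that as a prompt to rebuild and then running govulncheck on the result gives both the coarse and the fine-grained signal.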