This blog is such a great example of why it is difficult to create great software. So often you have to make impossible
choices between security and backward-compatibility.
Today’s Go security release fixes an issue involving PATH lookups in untrusted directories that can lead to remote
execution during the go get command. We expect people to have questions about what exactly this means and whether they
might have issues in their own programs. This post details the bug, the fixes we have applied, how to decide whether
your own programs are vulnerable to similar problems, and what you can do if they are.
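The PATH-lookup problem the Go post refers to, shown as an added example that is neither code from the Go post nor from the Go toolchain: a small Unix-style command resolver whose strict mode refuses a match reached through a relative PATH entry (empty or "."), which is what lets a file in an untrusted working directory stand in for a command the caller expected from a system directory. The names lookPathIn and ErrUntrustedDir and the PATH strings passed to it are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrUntrustedDir is returned in strict mode when the first match for a
// command is reached through a relative PATH entry (empty, "." or "bin"),
// i.e. it was resolved against the current directory rather than a fixed one.
var ErrUntrustedDir = errors.New("command resolved through relative PATH entry")

// isExecutable reports whether p is a regular file with any execute bit set
// (Unix semantics; this example does not model Windows lookup rules).
func isExecutable(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0
}

// lookPathIn searches the entries of pathList (a PATH-style string) for the
// bare command name, resolving relative entries against cwd so the result is
// deterministic. Non-strict mode returns the first executable found, wherever
// it is. Strict mode returns ErrUntrustedDir instead of a match found through
// a relative entry, so a file dropped into the working directory cannot
// shadow a command the caller expected to come from a system directory.
func lookPathIn(name, pathList, cwd string, strict bool) (string, error) {
	for _, dir := range filepath.SplitList(pathList) {
		relative := !filepath.IsAbs(dir) // "" and "." both count as relative
		base := dir
		if relative {
			base = filepath.Join(cwd, dir)
		}
		candidate := filepath.Join(base, name)
		if !isExecutable(candidate) {
			continue
		}
		if relative && strict {
			return "", ErrUntrustedDir
		}
		return candidate, nil
	}
	return "", fmt.Errorf("%s: not found in PATH", name)
}
```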
As I wrote to Tanya,
I have been in two orgs where peer reviews came across as condescending and nitpicky. The CTO didn’t do much to
address the situation. It really disincentivizes talking candidly about trade-offs. Thanks. I’ve shared this with
$my_current_job because this is what’s needed to change the culture of a company.