How do I update golang standard library in my go application?
Question
I have an application that was built with go 1.16.4, which uses (imports) the archive/zip component of the Go std lib. I took a look at the golang Release Notes and see that a security vulnerability has been fixed in archive/zip in golang 1.16.5. How do I ensure that my application is no longer vulnerable? Must I upgrade my version of go itself, and then rebuild with that new version of go? Or could I vendor the newer version of the fixed component then rebuild? Must the files in the build machine's $GOROOT be updated?
Answer 1
Score: 1
> Must I upgrade my version of go itself, and then rebuild with that new version of go?

Yes...

- Upgrade Go.
- Rebuild.

> Or could I vendor the newer version of the fixed component then rebuild?

No, you can't vendor the Go standard library.

> Must the files in the build machine's $GOROOT be updated?

GOROOT is the root folder of the Go SDK installation. It is updated when you upgrade Go on the machine (or container) that invokes go build/go install.
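
One way to confirm the rebuild took effect, as an added example that is not part of the original answer: the program below reports whether a Go binary given as an argument (or the program itself) was built with a toolchain at or after go1.16.5, the release named in the question. The function names are hypothetical, the comparison is plain major.minor.patch ordering, and `debug/buildinfo` needs Go 1.18 or newer to build the checker itself.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
)

// fixedIn is the release the question names as carrying the archive/zip fix.
var fixedIn = [3]int{1, 16, 5}

// parseGoVersion turns "go1.16.4" into {1,16,4}. "go1.17" and pre-releases
// such as "go1.17rc1" parse with patch 0; "devel ..." strings are rejected.
func parseGoVersion(s string) (v [3]int, ok bool) {
	n, _ := fmt.Sscanf(s, "go%d.%d.%d", &v[0], &v[1], &v[2])
	return v, n >= 2
}

// builtWithFix reports whether a toolchain version is at or after fixedIn.
// Unparseable versions return false so they get flagged for manual review.
func builtWithFix(goVersion string) bool {
	v, ok := parseGoVersion(goVersion)
	if !ok {
		return false
	}
	for i := range v {
		if v[i] != fixedIn[i] {
			return v[i] > fixedIn[i]
		}
	}
	return true
}

func main() {
	version := runtime.Version() // toolchain that built this program
	if len(os.Args) > 1 {        // or inspect another Go binary on disk
		info, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		version = info.GoVersion
	}
	fmt.Printf("%s built with fix: %v\n", version, builtWithFix(version))
}
```

Running it against each deployed artifact catches binaries that were shipped without being rebuilt after the build machine's Go installation was upgraded.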