Comments (5)
My personal inclination is to do that after it becomes necessary. There were no changes in gorilla for years, so presumably it works fine.
from common.
Unfortunately, "waiting until it becomes necessary" is not an option for organizations with security requirements. My org wants to adopt FluxCD, but we cannot do so if gorilla is used, because of the risk of an unknown CVE.
Since the Gorilla project is archived, issues cannot be opened against it. Therefore if a security researcher wanted to report a CVE finding, it would not be possible. Various open source vulnerability scanners like Trivy use GHSA to report on CVEs, and GHSA generates vulnerable/fixed versions from issues on the projects themselves.
This could lead to unknown CVEs being present in gorilla which nobody will ever know about.
Please consider this a formal request from a potential customer to replace gorilla.
from common.
Can you point me at the non-archived Flux repo that depends on this repo?
from common.
Hi, apologies, I don't know that there is one. I was more making the point that IF Flux uses gorilla... Then this would prevent our adoption of it. :)
we cannot do so if gorilla is used
Added emphasis to the quote
from common.
Looks like the upstream position has changed, so I will close this issue.
gorilla/mux#707 (comment)
https://www.reddit.com/r/golang/comments/14xyido/the_gorilla_web_toolkit_project_is_being_revived/
Also, I looked into "if a security researcher wanted to report a CVE finding, it would not be possible", and found several avenues that could be used, e.g. https://github.com/golang/vulndb/issues/new. So this is not a concern.
from common.
Related Issues (20)
- Setting AWS_REGION has no effect with custom endpoint
- Move off of apt.dockerproject.org HOT 1
- Jaeger agent setup error
- HTTP Middleware Error Logging: Vision on StatusBadGateway/ServiceUnavailable HOT 2
- error of "github.com/uber/jaeger-lib/metrics/testutils" HOT 1
- Better handle configuring jaeger tracing with thrift http transport HOT 1
- Jaeger is always enabled HOT 1
- Add gzip compression middleware to server
- node_exporter/https moved to exporter-toolkit/web
- Logging: avoid expensive formatting when level is disabled. HOT 1
- Broken grpc.WithBalancerName HOT 5
- Further secure TLS communications HOT 1
- Enable advanced TLS configuration parameters HOT 4
- trace: Migrate to open-telemetry for instrumentation. HOT 4
- Proposal: remove dependency on deprecated gogo/protobuf HOT 1
- Migrate CircleCI to GitHub Actions HOT 1
- Restarting a server leads to metrics re-registration issues HOT 3
- Allow to disable GRPC/HTTP listener HOT 2
- Future of weaveworks/common repo HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from common.