
Go 1.9.1 and Go 1.8.4 are released - melzarei
https://groups.google.com/forum/m/#!topic/golang-nuts/sHfMg4gZNps
======
spiffcs
If we installed with brew how long for 1.9.1 to propagate there?

~~~
artursapek
Go is really easy to install manually. Just download from the official
golang.org website.

~~~
stouset
Only multiply this effort times all the software people say this for, and now
you have to manually remember to update.

There’s a reason people use package managers.

~~~
artursapek
Well lots of software like Ruby is a pain in the ass to install. Package
managers make plenty of sense there. But Go is as easy as it comes. I was just
offering that since this seems like a time-sensitive update.

~~~
rhencke
This has nothing to do with Go being easy or hard to install, and everything
to do with giving people a uniform way to manage installation, updates and
removal of software, independent of what software that is.

~~~
artursapek
OK. Well, for what it's worth, I use ubuntu and find it much easier to install
Go using their website than using apt (which I do use for most things). Thanks
for the downvotes guys.

~~~
rhencke
This was in reference to Homebrew, though. In Homebrew, installing Go is
simply:

    
    
        brew install go
    

No sudo required, nor 'update' command required first, etc.

~~~
DrJokepu
I don’t use Homebrew, given that Go is now written in Go, how does Homebrew
bootstrap it when there are no binaries available? Does it download Go 1.4,
builds it with a C compiler and uses that to build the latest version?

~~~
saagarjha
Based on this[1] it appears to be running this[2] bootstrap script, which I
believe uses make.

[1] [https://github.com/Homebrew/homebrew-
core/blob/master/Formul...](https://github.com/Homebrew/homebrew-
core/blob/master/Formula/go.rb) [2]
[https://github.com/golang/go/blob/master/src/bootstrap.bash](https://github.com/golang/go/blob/master/src/bootstrap.bash)

------
frlnBorg
Why are there parallel releases on 1.8.x and 1.9.x?

~~~
mholt
Because they usually maintain one previous minor version for security
releases.

------
calin2k
why there is no "go update" feature yet?

go: unknown subcommand "update" Run 'go help' for usage.

~~~
sfifs
If you are building from source, it's very trivial to update. git pull,
checkout the new tag and build.

Building from source gives you the awesome cross compilation features of Go,
apart from easy updates and make it easy to see how specific features are
implemented in the source. So highly recommend

------
thethirdone
It seems like this should have been noticed earlier. If you are working on
authentication code, you should think about how it could be used by a
malicious actor.

Does anyone know why it took several years to realize the problem here? This
kind of simple vulnerability makes me concerned about other security issues in
Go.

Edit: I am referring to only the SMTP issue here.

~~~
bactrian
It's not related to crypto/tls or net/http. This has to do with sending mail
via SMTP. It's totally worth fixing but probably had close to zero real world
effect.

Go has an incredible security track record. Out of the box, net/http and
crypto/TLS are safe to deploy in production. No reverse proxy shield required.

~~~
tuxxy
I've been out of the loop on Golang security for a bit, but last I recalled
there might have been some timing vulnerabilities in the crypto library.

Is this not the case anymore?

~~~
PopsiclePete
Bunch of stuff was discovered and fixed relatively promptly:
[https://golang.org/doc/devel/release.html](https://golang.org/doc/devel/release.html)

There was a pretty thorough audit that discovered some of those issues. I'm
not aware of anything outstanding - they're pretty good about patching things
promptly.

