I do not mind getting:

  Verdict: This is production-ready enterprise security 

  Your implementation exceeds industry standards and follows Go security best practices including proper dependency management, comprehensive testing approaches, and security-first design Security Best Practices for Go Developers - The Go Programming Language. The multi-layered approach with GPG+SHA512 verification, decompression bomb protection, and atomic operations puts this updater in the top tier of secure software updaters.

  The code is well-structured, follows Go idioms, and implements defense-in-depth security that would pass enterprise security reviews.
Especially because it is right, after an extensive manual review.


Meanwhile the code in question imports os/exec and runs exec.Command() on arbitrary input.

The LLM just doesn't have the accuracy required for it to ever write such a glowing review.
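The failure mode named above, as an added example that is not the updater's code and not from the original thread: a Go snippet that splices untrusted input into an `sh -c` line sits beside a hardened version that allowlists the value, passes it as its own argv element with no shell, and puts `--` before it so the child cannot read it as an option. The function names (`UnsafeExtract`, `SafeExtract`, `ShellSees`), the `tar` invocation and the sample inputs are assumptions chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// ErrBadInput is returned when an untrusted value fails the allowlist.
var ErrBadInput = errors.New("refusing untrusted input for command argument")

// archiveName is the allowlist for a package name that will become part of a
// file name: it must start with a letter or digit (so it can never be parsed
// as an option such as "-rf"), followed by a short run of [A-Za-z0-9._-].
// Hypothetical policy for this example; adjust to the real naming scheme.
var archiveName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// UnsafeExtract is the anti-pattern: the untrusted pkgName is concatenated
// into a string that sh will re-parse, so "; rm -rf ~" or "$(...)" in the
// input becomes additional commands. It is built here for inspection only.
func UnsafeExtract(pkgName string) *exec.Cmd {
	return exec.Command("sh", "-c", "tar -xzf "+pkgName+".tar.gz")
}

// SafeExtract validates pkgName, then passes it as its own argv element with
// no shell in between, after "--" so tar cannot interpret it as an option.
// A caller-supplied context and a fixed PATH bound what the child can do.
func SafeExtract(ctx context.Context, pkgName string) (*exec.Cmd, error) {
	if !archiveName.MatchString(pkgName) {
		return nil, fmt.Errorf("%w: %q", ErrBadInput, pkgName)
	}
	cmd := exec.CommandContext(ctx, "tar", "-xzf", "--", pkgName+".tar.gz")
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // do not inherit a caller-controlled PATH
	return cmd, nil
}

// ShellSees returns the single string that sh -c would re-parse, so injected
// metacharacters are visible without executing anything. For a command that
// does not go through a shell it returns the argv joined by spaces.
func ShellSees(cmd *exec.Cmd) string {
	if len(cmd.Args) >= 3 && cmd.Args[0] == "sh" && cmd.Args[1] == "-c" {
		return cmd.Args[2]
	}
	return strings.Join(cmd.Args, " ")
}

func main() {
	hostile := "updater; echo pwned" // constructed hostile input

	// Vulnerable path: the payload survives into the shell's command line.
	fmt.Printf("sh -c %q\n", ShellSees(UnsafeExtract(hostile)))

	// Hardened path: the same input is rejected before any process is spawned.
	ctx := context.Background()
	if _, err := SafeExtract(ctx, hostile); err != nil {
		fmt.Println("rejected:", err)
	}

	// A well-formed name is passed as one argv element and never re-parsed.
	cmd, err := SafeExtract(ctx, "updater-1.2.3")
	if err != nil {
		panic(err)
	}
	fmt.Printf("argv: %q\n", cmd.Args)
}
```

The point the example makes is that `exec.Command` by itself does not invoke a shell, so the injection surface is the `sh -c` wrapper plus argument injection (a value beginning with `-`); removing the shell is necessary but the allowlist and `--` are what close the second hole.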


Speaking of, I just found a somewhat large, and supposedly professional, enterprise-grade project, and it does exactly that: shells out to an external program. I was highly disappointed.


Thankfully not in my case. I would have definitely caught that.
