Lol well I don't know what the trigger is for pulling in libc there, because I've built massive scale services that did a lot of nontrivial stuff and then the deployment was a single-binary docker container that did not have libc. The only thing needed to be put in the container was a directory full of root certs so it could do TLS.
(full disclosure, I don't think I ever had my service look up the address of localhost)
edit: seems like you probably have CGO_ENABLED=1, which is now the default and will cause simple networking things to use libc. Set CGO_ENABLED=0 and you won't have libc.
Oh that's good to know. I happen to think Microsoft is chasing a bad philosophy with that declaration, and there is no more danger in statically linking ssl if you're continuously rebuilding and deploying your statically linked scratch image, but then again, the Microsoft approach to a lot of things isn't what I want in my datacenter. To each their own, I guess. I happen to love how self-contained Go programs can be and do not consider that a liability but a strength.
I agree that this is the best approach if your organization is technically mature enough to be on top of it. I do have some sympathy for Microsoft here because they have to ship one set of safe defaults for all the different distribution and deployment setups that are out there, and statically linking your TLS library has the more dangerous failure mode (shipping a known-vulnerable version) if you don't have a rock-solid continuous-delivery setup, which Microsoft has no way of knowing whether is the case or not. I do think they could formally document this with a "don't enable this unless you've got monitoring set up for vulnerable native dependencies and can quickly ship a new build" security warning, though.
Yes, totally agreed that for a LOT of organizations, relying on a system dependency that will likely get upgraded independent of your service is probably the simpler way to go and the way to make sure your TLS implementation stays current. But when you're building tier zero services that must control their dependencies like their lives depend on it, the opposite approach can be quite beneficial, and I don't need Microsoft telling me I'm doing it wrong because I'm not in the 99% use case.
I suppose you are missing the point. Go had support for self contained binaries since its introduction in ~2009. This was not the case with dotnet, if i am not wrong.
But nevertheless , if any language provides something like that, win-win for entire ecosystem.
Agreed. The fact that .NET has a way to do true static linking is great and I didn't know it existed. The fact that they apparently think it's a weird and undesirable thing is less great and would make me worried that they're going to undermine the ability at some point. Golang has had this ability since way back and they think it's a strength.