[georgemcbay]

Yeah I think people are very serious when they say that, though it is important to consider that they are talking about it from an installation convenience factor.

Being able to drop one binary over to a host (as opposed to the usual "DLL hell" of installing binary packages which, despite not being DLLs, is still quite common on Linux and other modern UNIX systems in the form of package versions) is insanely simpler than the usual methods.

Now, whether we trust that binary is a wholly separate matter. Maybe we do, maybe we don't, maybe it is signed by the original source, maybe we got it from a trusted source, maybe we built it ourselves from source after an extensive security audit (hopefully some variant of Ken Thompson's [part of the go team, though I present this as an interesting curiosity and nothing more] compiler hack isn't in play). But the security concerns surrounding the trust in the origin of the software and the ease of installation concerns are separate concerns. You can have one or both or neither.

Installing this blog software directly from a pre-built unsigned binary you ftp'd off some random site without ever looking at the source would be neither, but that doesn't negate the deployment benefits of "one single binary" which can be provided with both (at least to the degree that you can trust any 3rd party software).