Oh that's good to know. I happen to think Microsoft is chasing a bad philosophy with that declaration, and there is no more danger in statically linking ssl if you're continuously rebuilding and deploying your statically linked scratch image, but then again, the Microsoft approach to a lot of things isn't what I want in my datacenter. To each their own, I guess. I happen to love how self-contained Go programs can be and do not consider that a liability but a strength.
I agree that this is the best approach if your organization is technically mature enough to be on top of it. I do have some sympathy for Microsoft here because they have to ship one set of safe defaults for all the different distribution and deployment setups that are out there, and statically linking your TLS library has the more dangerous failure mode (shipping a known-vulnerable version) if you don't have a rock-solid continuous-delivery setup, which Microsoft has no way of knowing whether is the case or not. I do think they could formally document this with a "don't enable this unless you've got monitoring set up for vulnerable native dependencies and can quickly ship a new build" security warning, though.
Yes, totally agreed that for a LOT of organizations, relying on a system dependency that will likely get upgraded independent of your service is probably the simpler way to go and the way to make sure your TLS implementation stays current. But when you're building tier zero services that must control their dependencies like their lives depend on it, the opposite approach can be quite beneficial, and I don't need Microsoft telling me I'm doing it wrong because I'm not in the 99% use case.
