{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Fallthrough","title":"Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/9d8e0fc8\"></iframe>","width":"100%","height":180,"duration":7616,"description":"A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!\n\nThanks for tuning in and happy listening!\n\nNotes & Links:\n- Go Module Mirror served backdoor to devs for 3+ years\n- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence\n- Abusing Go's infrastructure (from 8:38)\n- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy\n- openapi.tanna.dev/go/validator (from 22:15)\n- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)\n- Comment from above\n- SourceHut will (not) blacklist the Go module mirror (from 9:19)\n\nChapters:\n\nSocials: Website, Bluesky, Threads, X/Twitter, LinkedIn, Instagram","thumbnail_url":"https://img.transistorcdn.com/mvdmLvKoUHIRpZ-KrAk2Ojbd3YOV0WEY6iiB3rwNNdc/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS81ZWUw/NTFjMmEwMDYwMjdm/MDFjNGRmMThlMWUz/NjQxNC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}