Fallthrough
Episode 7
Season 1
Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Although it is framed as a backdoor, and potentially a vulnerability, it is actually an exploit of a deliberate design choice made by the module mirror's designers: once a module version is cached, the mirror keeps serving that cached copy even if the upstream source changes. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna to discuss this vulnerability-that's-actually-a-feature, its implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one, but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Hosts
- Kris Brandow - Host
- Dylan Bourque - Host
- Matthew Sanabria - Host
- Jamie Tanna - Guest Host
Chapters
- Intro
- Introducing Jamie Tanna
- The vulnerability that's actually a feature
- The Go Module Mirror
- Paternalism
- What are vanity URLs?
- Not just the official Go Module Mirror
- Unforgiving Module Proxies
- #BringBackGOPATH
- Tags are mutable
- What does a version mean?
- Jamie's Hot Take
- The Trials and Tribulations of Modules
- It's humans!
- How might we fix this?
- Is it too easy to fetch dependencies?
- Decentralized versus Centralized
- A Proxy is not an Origin
- Can we revalidate?
- I can't believe it's not SemVer!
- Analogy Time, featuring The Web!
- Is this a problem elsewhere?
- The tooling should be better
- The Community that was
- Matthew's Is Go Dead? Perspective
- Jamie's Is Go Dead? Perspective
- What does Dead mean?
- Go should be able to do more
- Go as an identity
- Some added nuance
- A difference in leadership
- A lack of inclusion
- Blame the system, not the person
- Outro