Fallthrough

Episode 7, Season 1

Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes

A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice that the designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one, but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!

Thanks for tuning in and happy listening!

Chapters:
  • (00:05) - Intro
  • (01:38) - Introducing Jamie Tanna
  • (02:21) - The vulnerability that's actually a feature
  • (04:53) - The Go Module Mirror
  • (14:02) - Paternalism
  • (21:14) - What are vanity URLs?
  • (23:02) - Not just the official Go Module Mirror
  • (27:58) - Unforgiving Module Proxies
  • (29:23) - #BringBackGOPATH
  • (29:36) - Tags are mutable
  • (33:44) - What does a version mean?
  • (35:10) - Jamie's Hot Take
  • (38:20) - The Trails and Tribulations of Modules
  • (42:03) - It's humans!
  • (44:40) - How might we fix this?
  • (49:12) - Is it too easy to fetch dependencies?
  • (52:25) - Decentralized versus Centralized
  • (57:24) - A Proxy is not an Origin
  • (01:03:14) - Can we revalidate?
  • (01:05:14) - I can't believe it's not SemVer!
  • (01:06:34) - Analogy Time, featuring The Web!
  • (01:09:25) - Is this a problem elsewhere?
  • (01:12:20) - The tooling should be better
  • (01:16:47) - The Community that was
  • (01:23:06) - Matthew's Is Go Dead? Perspective
  • (01:23:59) - Jamie's Is Go Dead? Perspective
  • (01:25:19) - What does Dead mean?
  • (01:28:23) - Go should be able to do more
  • (01:31:22) - Go as an identity
  • (01:32:33) - Some added nuance
  • (01:39:18) - A difference in leadership
  • (01:43:03) - A lack of inclusion
  • (01:57:34) - Blame the system, not the person
  • (02:03:00) - Outro

Creators & Guests

  • Host: Dylan Bourque
  • Host: Jamie Tanna. Self-documenting Senior Software Engineer, Open Sourcerer, and collector of too many things to do
  • Host: Kris Brandow
  • Host: Matthew Sanabria. Matthew is an engineering leader focused on building reliable, scalable, and observable systems. Matthew is known for using his breadth and depth of experience to add value in minimal context situations and help great people become great engineers through mentoring. Matthew serves the Go community as a member of GoBridge. In his spare time, Matthew spends time with his family, helps grow his wife's chocolate business, works on home improvement projects, and reads technical resources to learn and tinker.

Comments and Discussion

  1. @dev-el-ops.bsky.social
    Thanks for the critique of Google's leadership of the project - I've been starting to doubt myself with the issues I've been seeing after starting with go two years ago, and I'm glad I'm not completely alone with my problems.

What is Fallthrough?

A deep and nuanced conversational podcast focused on technology, software, and computing.