Subscribe
Share
Share
Embed
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Chapters:
- (00:05) - Intro
- (01:38) - Introducing Jamie Tanna
- (02:21) - The vulnerability that's actually a feature
- (04:53) - The Go Module Mirror
- (14:02) - Paternalism
- (21:14) - What are vanity URLs?
- (23:02) - Not just the official Go Module Mirror
- (27:58) - Unforgiving Module Proxies
- (29:23) - #BringBackGOPATH
- (29:36) - Tags are mutable
- (33:44) - What does a version mean?
- (35:10) - Jamie's Hot Take
- (38:20) - The Trails and Tribulations of Modules
- (42:03) - It's humans!
- (44:40) - How might we fix this?
- (49:12) - Is it too easy to fetch dependencies?
- (52:25) - Decentralized versus Centralized
- (57:24) - A Proxy is not an Origin
- (01:03:14) - Can we revalidate?
- (01:05:14) - I can't believe it's not SemVer!
- (01:06:34) - Analogy Time, featuring The Web!
- (01:09:25) - Is this a problem elsewhere?
- (01:12:20) - The tooling should be better
- (01:16:47) - The Community that was
- (01:23:06) - Matthew's Is Go Dead? Perspective
- (01:23:59) - Jamie's Is Go Dead? Perspective
- (01:25:19) - What does Dead mean?
- (01:28:23) - Go should be able to do more
- (01:31:22) - Go as an identity
- (01:32:33) - Some added nuance
- (01:39:18) - A difference in leadership
- (01:43:03) - A lack of inclusion
- (01:57:34) - Blame the system, not the person
- (02:03:00) - Outro
Socials:
Creators & Guests
Host
Host
Matthew Sanabria
Matthew is an engineering leader focused on building reliable, scalable, and observable systems. Matthew is known for using his breadth and depth of experience to add value in minimal context situations and help great people become great engineers through mentoring. Matthew serves the Go community as a member of GoBridge. In his spare time, Matthew spends time with his family, helps grow his wife's chocolate business, works on home improvement projects, and reads technical resources to learn and tinker.
What is Fallthrough?
A deep and nuanced conversational podcast focused on technology, software, and computing.