A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploitation of a design choice the module mirror's designers made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna to discuss this vulnerability-that's-actually-a-feature, its implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one, but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Chapters:
- (00:05) - Intro
- (01:38) - Introducing Jamie Tanna
- (02:21) - The vulnerability that's actually a feature
- (04:53) - The Go Module Mirror
- (14:02) - Paternalism
- (21:14) - What are vanity URLs?
- (23:02) - Not just the official Go Module Mirror
- (27:58) - Unforgiving Module Proxies
- (29:23) - #BringBackGOPATH
- (29:36) - Tags are mutable
- (33:44) - What does a version mean?
- (35:10) - Jamie's Hot Take
- (38:20) - The Trails and Tribulations of Modules
- (42:03) - It's humans!
- (44:40) - How might we fix this?
- (49:12) - Is it too easy to fetch dependencies?
- (52:25) - Decentralized versus Centralized
- (57:24) - A Proxy is not an Origin
- (01:03:14) - Can we revalidate?
- (01:05:14) - I can't believe it's not SemVer!
- (01:06:34) - Analogy Time, featuring The Web!
- (01:09:25) - Is this a problem elsewhere?
- (01:12:20) - The tooling should be better
- (01:16:47) - The Community that was
- (01:23:06) - Matthew's Is Go Dead? Perspective
- (01:23:59) - Jamie's Is Go Dead? Perspective
- (01:25:19) - What does Dead mean?
- (01:28:23) - Go should be able to do more
- (01:31:22) - Go as an identity
- (01:32:33) - Some added nuance
- (01:39:18) - A difference in leadership
- (01:43:03) - A lack of inclusion
- (01:57:34) - Blame the system, not the person
- (02:03:00) - Outro