Sign up to save your podcasts
Or
Share Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- Comment from above
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Chapters:
- (00:05) - Intro
Hosts
Socials:
- Website
- Bluesky
- Threads
- X/Twitter
View all episodes
By Fallthrough Media
5
22 ratings
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- Comment from above
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Chapters:
- (00:05) - Intro
Hosts
Socials:
- Website
- Bluesky
- Threads
- X/Twitter
More shows like Fallthrough
View all
The Changelog: Software Development, Open Source
285 Listeners
Coder Radio
152 Listeners
Go Time: Golang, Software Engineering
128 Listeners
Changelog Master Feed
31 Listeners
Syntax - Tasty Web Development Treats
987 Listeners
Kubernetes Podcast from Google
184 Listeners
Rustacean Station
63 Listeners
The Stack Overflow Podcast
62 Listeners
Algorithms + Data Structures = Programs
34 Listeners
Ship It! Cloud, SRE, Platform Engineering
19 Listeners
Oxide and Friends
48 Listeners
Cup o' Go
15 Listeners
Rust in Production
12 Listeners