Fallthrough

Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes

Listen Later

A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!

Thanks for tuning in and happy listening!

Notes & Links:

  • Go Module Mirror served backdoor to devs for 3+ years
  • Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • Abusing Go's infrastructure (from 8:38)
  • #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
  • openapi.tanna.dev/go/validator (from 22:15)
  • #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
    • Comment from above
  • SourceHut will (not) blacklist the Go module mirror (from 9:19)


Chapters:

  • (00:05) - Intro
  • (01:38) - Introducing Jamie Tanna
  • (02:21) - The vulnerability that's actually a feature
  • (04:53) - The Go Module Mirror
  • (14:02) - Paternalism
  • (21:14) - What are vanity URLs?
  • (23:02) - Not just the official Go Module Mirror
  • (27:58) - Unforgiving Module Proxies
  • (29:23) - #BringBackGOPATH
  • (29:36) - Tags are mutable
  • (33:44) - What does a version mean?
  • (35:10) - Jamie's Hot Take
  • (38:20) - The Trails and Tribulations of Modules
  • (42:03) - It's humans!
  • (44:40) - How might we fix this?
  • (49:12) - Is it too easy to fetch dependencies?
  • (52:25) - Decentralized versus Centralized
  • (57:24) - A Proxy is not an Origin
  • (01:03:14) - Can we revalidate?
  • (01:05:14) - I can't believe it's not SemVer!
  • (01:06:34) - Analogy Time, featuring The Web!
  • (01:09:25) - Is this a problem elsewhere?
  • (01:12:20) - The tooling should be better
  • (01:16:47) - The Community that was
  • (01:23:06) - Matthew's Is Go Dead? Perspective
  • (01:23:59) - Jamie's Is Go Dead? Perspective
  • (01:25:19) - What does Dead mean?
  • (01:28:23) - Go should be able to do more
  • (01:31:22) - Go as an identity
  • (01:32:33) - Some added nuance
  • (01:39:18) - A difference in leadership
  • (01:43:03) - A lack of inclusion
  • (01:57:34) - Blame the system, not the person
  • (02:03:00) - Outro

    • Hosts
    • Kris Brandow - Host
    • Dylan Bourque - Host
    • Matthew Sanabria - Host
    • Jamie Tanna - Host

      • Socials:
      • Website
      • Bluesky
      • Threads
      • X/Twitter
      • LinkedIn
      • Instagram
      ...more
      View all episodesView all episodes
      Download on the App Store
      FallthroughBy Fallthrough Media
      • 4.2
      • 4.2
      • 4.2
      • 4.2
      • 4.2

      4.2

      13 ratings

      More shows like Fallthrough

      View all
      Software Engineering Radio - the podcast for professional software developers by team@se-radio.net (SE-Radio Team)

      Software Engineering Radio - the podcast for professional software developers

      274 Listeners

      Hanselminutes with Scott Hanselman by Scott Hanselman

      Hanselminutes with Scott Hanselman

      380 Listeners

      The Changelog: Software Development, Open Source by Changelog Media

      The Changelog: Software Development, Open Source

      288 Listeners

      Software Engineering Daily by Software Engineering Daily

      Software Engineering Daily

      631 Listeners

      Talk Python To Me by Michael Kennedy

      Talk Python To Me

      583 Listeners

      Soft Skills Engineering by Jamison Dance and Dave Smith

      Soft Skills Engineering

      287 Listeners

      Python Bytes by Michael Kennedy and Brian Okken

      Python Bytes

      213 Listeners

      Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

      Syntax - Tasty Web Development Treats

      990 Listeners

      CoRecursive: Coding Stories by Adam Gordon Bell - Software Developer

      CoRecursive: Coding Stories

      190 Listeners

      Practical AI by Practical AI LLC

      Practical AI

      211 Listeners

      The Stack Overflow Podcast by The Stack Overflow Podcast

      The Stack Overflow Podcast

      62 Listeners

      The Real Python Podcast by Real Python

      The Real Python Podcast

      140 Listeners

      Oxide and Friends by Oxide Computer Company

      Oxide and Friends

      68 Listeners

      Cup o' Go by Jonathan Hall & Shay Nehmad

      Cup o' Go

      16 Listeners

      go podcast() by Dominic St-Pierre

      go podcast()

      6 Listeners