Fallthrough

Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes


A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice the module mirror's designers made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one, but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!

Thanks for tuning in and happy listening!

Notes & Links:

  • Go Module Mirror served backdoor to devs for 3+ years
  • Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • Abusing Go's infrastructure (from 8:38)
  • #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
  • openapi.tanna.dev/go/validator (from 22:15)
  • #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
    • Comment from above
  • SourceHut will (not) blacklist the Go module mirror (from 9:19)


Chapters:

  • (00:05) - Intro
  • (01:38) - Introducing Jamie Tanna
  • (02:21) - The vulnerability that's actually a feature
  • (04:53) - The Go Module Mirror
  • (14:02) - Paternalism
  • (21:14) - What are vanity URLs?
  • (23:02) - Not just the official Go Module Mirror
  • (27:58) - Unforgiving Module Proxies
  • (29:23) - #BringBackGOPATH
  • (29:36) - Tags are mutable
  • (33:44) - What does a version mean?
  • (35:10) - Jamie's Hot Take
  • (38:20) - The Trails and Tribulations of Modules
  • (42:03) - It's humans!
  • (44:40) - How might we fix this?
  • (49:12) - Is it too easy to fetch dependencies?
  • (52:25) - Decentralized versus Centralized
  • (57:24) - A Proxy is not an Origin
  • (01:03:14) - Can we revalidate?
  • (01:05:14) - I can't believe it's not SemVer!
  • (01:06:34) - Analogy Time, featuring The Web!
  • (01:09:25) - Is this a problem elsewhere?
  • (01:12:20) - The tooling should be better
  • (01:16:47) - The Community that was
  • (01:23:06) - Matthew's Is Go Dead? Perspective
  • (01:23:59) - Jamie's Is Go Dead? Perspective
  • (01:25:19) - What does Dead mean?
  • (01:28:23) - Go should be able to do more
  • (01:31:22) - Go as an identity
  • (01:32:33) - Some added nuance
  • (01:39:18) - A difference in leadership
  • (01:43:03) - A lack of inclusion
  • (01:57:34) - Blame the system, not the person
  • (02:03:00) - Outro

  • Hosts
    • Kris Brandow - Host
    • Dylan Bourque - Host
    • Matthew Sanabria - Host
    • Jamie Tanna - Host
