Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes
Episode Synopsis
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice the designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna to discuss this vulnerability-that's-actually-a-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it!

Have thoughts? Reach out to us on social media and let us hear them! Thanks for tuning in and happy listening!

Notes & Links:
Go Module Mirror served backdoor to devs for 3+ years
Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
Abusing Go's infrastructure (from 8:38)
#66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
openapi.tanna.dev/go/validator (from 22:15)
#44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
Comment from above
SourceHut will (not) blacklist the Go module mirror (from 9:19)

Chapters:
(00:05) - Intro
(01:38) - Introducing Jamie Tanna
(02:21) - The vulnerability that's actually a feature
(04:53) - The Go Module Mirror
(14:02) - Paternalism
(21:14) - What are vanity URLs?
(23:02) - Not just the official Go Module Mirror
(27:58) - Unforgiving Module Proxies
(29:23) - #BringBackGOPATH
(29:36) - Tags are mutable
(33:44) - What does a version mean?
(35:10) - Jamie's Hot Take
(38:20) - The Trails and Tribulations of Modules
(42:03) - It's humans!
(44:40) - How might we fix this?
(49:12) - Is it too easy to fetch dependencies?
(52:25) - Decentralized versus Centralized
(57:24) - A Proxy is not an Origin
(01:03:14) - Can we revalidate?
(01:05:14) - I can't believe it's not SemVer!
(01:06:34) - Analogy Time, featuring The Web!
(01:09:25) - Is this a problem elsewhere?
(01:12:20) - The tooling should be better
(01:16:47) - The Community that was
(01:23:06) - Matthew's Is Go Dead? Perspective
(01:23:59) - Jamie's Is Go Dead? Perspective
(01:25:19) - What does Dead mean?
(01:28:23) - Go should be able to do more
(01:31:22) - Go as an identity
(01:32:33) - Some added nuance
(01:39:18) - A difference in leadership
(01:43:03) - A lack of inclusion
(01:57:34) - Blame the system, not the person
(02:03:00) - Outro
Hosts
Kris Brandow - Host
Dylan Bourque - Host
Matthew Sanabria - Host
Jamie Tanna - Host