Hanselminutes is Fresh Air for Developers. A weekly commute-time podcast that promotes fresh technology and fresh voices. Talk and Tech for Developers, Life-long Learners, and Technologists.
…
continue reading
Content provided by Fallthrough Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Fallthrough Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Similar to Fallthrough
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
Software's best weekly news brief, deep technical interviews & talk show.
…
continue reading
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
It takes more than great code to be a great engineer. Soft Skills Engineering is a weekly advice podcast for software developers about the non-technical stuff that goes into being a great software developer.
…
continue reading
BBC Radio 5 live’s award winning gaming podcast, discussing the world of video games and games culture.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
A weekly talk show taking a pragmatic look at the art and business of Software Development and the world of technology.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
))
Patching Problems with Persnickety Proxies Purveyed by Paternalistic Princes
Manage episode 467085408 series 3620759
Content provided by Fallthrough Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Fallthrough Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Chapters:
- (00:05) - Intro
- (01:38) - Introducing Jamie Tanna
- (02:21) - The vulnerability that's actually a feature
- (04:53) - The Go Module Mirror
- (14:02) - Paternalism
- (21:14) - What are vanity URLs?
- (23:02) - Not just the official Go Module Mirror
- (27:58) - Unforgiving Module Proxies
- (29:23) - #BringBackGOPATH
- (29:36) - Tags are mutable
- (33:44) - What does a version mean?
- (35:10) - Jamie's Hot Take
- (38:20) - The Trails and Tribulations of Modules
- (42:03) - It's humans!
- (44:40) - How might we fix this?
- (49:12) - Is it too easy to fetch dependencies?
- (52:25) - Decentralized versus Centralized
- (57:24) - A Proxy is not an Origin
- (01:03:14) - Can we revalidate?
- (01:05:14) - I can't believe it's not SemVer!
- (01:06:34) - Analogy Time, featuring The Web!
- (01:09:25) - Is this a problem elsewhere?
- (01:12:20) - The tooling should be better
- (01:16:47) - The Community that was
- (01:23:06) - Matthew's Is Go Dead? Perspective
- (01:23:59) - Jamie's Is Go Dead? Perspective
- (01:25:19) - What does Dead mean?
- (01:28:23) - Go should be able to do more
- (01:31:22) - Go as an identity
- (01:32:33) - Some added nuance
- (01:39:18) - A difference in leadership
- (01:43:03) - A lack of inclusion
- (01:57:34) - Blame the system, not the person
- (02:03:00) - Outro
Hosts
- Kris Brandow - Host
- Dylan Bourque - Host
- Matthew Sanabria - Host
- Jamie Tanna - Host
Socials:
19 episodes
Share
Manage episode 467085408 series 3620759
Content provided by Fallthrough Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Fallthrough Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
A recent Ars Technica article outlined a backdoor in the Go Module Mirror. Even though it's framed as a backdoor, and potentially a vulnerability, it's actually an exploit of a design choice designers of the module mirror made. Kris is joined by Matthew, Dylan, and guest host Jamie Tanna, to discuss this vulnerability-but-actually-feature, the implications for the Go community, and the wider reasons why something like this happened. We go on a journey through the history of modules, the Go community, and a whole lot more. We know this is a long one but we're sure you'll love it! Have thoughts? Reach out to us on social media and let us hear them!
Thanks for tuning in and happy listening!
Notes & Links:
- Go Module Mirror served backdoor to devs for 3+ years
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- Abusing Go's infrastructure (from 8:38)
- #66653: x/pkgsite: links can point at source code that may not match what is served by the module proxy
- openapi.tanna.dev/go/validator (from 22:15)
- #44550: proposal: cmd/go: make major versions optional in import paths (from 1:15:56)
- SourceHut will (not) blacklist the Go module mirror (from 9:19)
Chapters:
- (00:05) - Intro
- (01:38) - Introducing Jamie Tanna
- (02:21) - The vulnerability that's actually a feature
- (04:53) - The Go Module Mirror
- (14:02) - Paternalism
- (21:14) - What are vanity URLs?
- (23:02) - Not just the official Go Module Mirror
- (27:58) - Unforgiving Module Proxies
- (29:23) - #BringBackGOPATH
- (29:36) - Tags are mutable
- (33:44) - What does a version mean?
- (35:10) - Jamie's Hot Take
- (38:20) - The Trails and Tribulations of Modules
- (42:03) - It's humans!
- (44:40) - How might we fix this?
- (49:12) - Is it too easy to fetch dependencies?
- (52:25) - Decentralized versus Centralized
- (57:24) - A Proxy is not an Origin
- (01:03:14) - Can we revalidate?
- (01:05:14) - I can't believe it's not SemVer!
- (01:06:34) - Analogy Time, featuring The Web!
- (01:09:25) - Is this a problem elsewhere?
- (01:12:20) - The tooling should be better
- (01:16:47) - The Community that was
- (01:23:06) - Matthew's Is Go Dead? Perspective
- (01:23:59) - Jamie's Is Go Dead? Perspective
- (01:25:19) - What does Dead mean?
- (01:28:23) - Go should be able to do more
- (01:31:22) - Go as an identity
- (01:32:33) - Some added nuance
- (01:39:18) - A difference in leadership
- (01:43:03) - A lack of inclusion
- (01:57:34) - Blame the system, not the person
- (02:03:00) - Outro
Hosts
- Kris Brandow - Host
- Dylan Bourque - Host
- Matthew Sanabria - Host
- Jamie Tanna - Host
Socials:
19 episodes
All episodes
×
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Similar to Fallthrough
Hanselminutes is Fresh Air for Developers. A weekly commute-time podcast that promotes fresh technology and fresh voices. Talk and Tech for Developers, Life-long Learners, and Technologists.
…
continue reading
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
Software's best weekly news brief, deep technical interviews & talk show.
…
continue reading
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
It takes more than great code to be a great engineer. Soft Skills Engineering is a weekly advice podcast for software developers about the non-technical stuff that goes into being a great software developer.
…
continue reading
BBC Radio 5 live’s award winning gaming podcast, discussing the world of video games and games culture.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
A weekly talk show taking a pragmatic look at the art and business of Software Development and the world of technology.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
