> On Jan 4, 2025, at 11:53 AM, Christoph Berger <christophberger....@gmail.com> wrote:
>
> > We need "go-delete". Security is not important to us. There should be a
> > balance between people that need security and people that don't need it.
>
> Security might not be important to you, but it is important for the clients
> of your code—for the users that won't expect that a module provider removes
> their repo or specific versions of a module, thus breaking all downstream
> projects.
Well, it seems there is at least one good reason for a go-delete — and a reason that is security-specific:

"The malicious package github.com/boltdb-go/bolt <https://socket.dev/go/package/github.com/boltdb-go/bolt> contains a backdoor that enables remote code execution, allowing a threat actor to control infected systems via a command and control (C2) server. After the malware was cached by the Go Module Mirror, which the Go CLI toolchain downloads from, the git tag was strategically altered on GitHub to remove traces of malware, hiding it from manual code review."

"As of this publication, the malicious package remains available on the Go Module Proxy. We have petitioned its removal from the module mirror and have also reported the threat actor’s GitHub repository and account, which were used to distribute the backdoored boltdb-go package."

From: https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence

#justfyi

-Mike

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/39A1062E-BF01-4B2A-80D9-3A4CD6139390%40gmail.com.
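The tag-rewriting trick quoted above works because the proxy and the checksum database pin whatever content was first served for a version, not whatever the git tag points at later. The following is an added example, not code from the thread, from Socket or from the Go project: it re-implements the "h1:" checksum that go.sum records (the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash, written out over an in-memory file map instead of a zip) and shows that a tree whose tag was rewritten after caching no longer matches the recorded line. The module path example.com/demo, its version and its file contents are constructed for the demonstration and stand in for nothing real.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Module is an in-memory stand-in for the tree the Go toolchain packs into a
// module zip. Files maps a path relative to the module root to its contents.
type Module struct {
	Path    string
	Version string
	Files   map[string]string
}

// zipPrefix is the directory every entry of a module zip lives under,
// e.g. "example.com/demo@v1.0.0/". The checksum covers these full names.
func (m Module) zipPrefix() string {
	return m.Path + "@" + m.Version + "/"
}

// Hash1 computes the "h1:" checksum that go.sum and sum.golang.org record for
// a module zip: for each file, sorted by zip entry name, append
// "<sha256 hex>  <name>\n" to a summary, then SHA-256 the summary and
// base64-encode the digest.
func (m Module) Hash1() string {
	names := make([]string, 0, len(m.Files))
	for rel := range m.Files {
		names = append(names, m.zipPrefix()+rel)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		content := m.Files[strings.TrimPrefix(name, m.zipPrefix())]
		fileSum := sha256.Sum256([]byte(content))
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// GoSumLine renders the go.sum entry for the zip content (the line without
// the "/go.mod" suffix), which is what `go mod verify` checks the module
// cache against.
func (m Module) GoSumLine() string {
	return fmt.Sprintf("%s %s %s", m.Path, m.Version, m.Hash1())
}

// VerifyAgainstGoSum re-hashes a freshly obtained tree (for instance the git
// tag as checked out today) and compares it with the checksum recorded when
// the version was first served. A tag rewritten after the proxy cached the
// version will not match.
func VerifyAgainstGoSum(goSumLine string, fetched Module) error {
	fields := strings.Fields(goSumLine)
	if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
		return fmt.Errorf("malformed go.sum line: %q", goSumLine)
	}
	if fields[0] != fetched.Path || fields[1] != fetched.Version {
		return fmt.Errorf("go.sum line is for %s %s, fetched tree is %s %s",
			fields[0], fields[1], fetched.Path, fetched.Version)
	}
	if got := fetched.Hash1(); got != fields[2] {
		return fmt.Errorf("checksum mismatch for %s %s: go.sum has %s, fetched tree hashes to %s",
			fetched.Path, fetched.Version, fields[2], got)
	}
	return nil
}

// SampleCached is a constructed tree standing in for the content the proxy
// cached and consumers recorded in go.sum. It is not a real module.
func SampleCached() Module {
	return Module{
		Path:    "example.com/demo",
		Version: "v1.0.0",
		Files: map[string]string{
			"go.mod":  "module example.com/demo\n\ngo 1.21\n",
			"demo.go": "package demo\n\nfunc Open(path string) error { return nil }\n",
			"init.go": "package demo\n\nfunc init() { /* only present in the cached copy */ }\n",
		},
	}
}

// SampleRetagged is the same path and version as SampleCached, but the tree
// the tag points at after being rewritten: one file has been removed.
func SampleRetagged() Module {
	m := SampleCached()
	files := make(map[string]string, len(m.Files))
	for rel, content := range m.Files {
		if rel != "init.go" {
			files[rel] = content
		}
	}
	m.Files = files
	return m
}

func main() {
	cached := SampleCached()
	line := cached.GoSumLine()
	fmt.Println("recorded:", line)
	fmt.Println("cached tree verifies:  ", VerifyAgainstGoSum(line, cached))
	fmt.Println("retagged tree verifies:", VerifyAgainstGoSum(line, SampleRetagged()))
}
```

In practice you do not need to hash by hand: `go mod verify` compares the extracted module cache with go.sum, and `go mod download -json` prints the Sum the proxy served. The point the example makes is the direction of trust: go.sum and sum.golang.org pin the first content served for a version, so a consumer who independently hashes the current git tag and gets a different h1: value has evidence that either the tag or the served copy changed after publication. Note that the real toolchain applies exclusion rules when packing a zip (nested modules, vendor directories), so hashing a raw checkout naively can differ from the go.sum value even for an honest module.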