Agreed. Better to have the Go tooling state “xxx module has been marked as a security risk” during compilation. 

On Feb 6, 2025, at 12:56 PM, 'Sean Liao' via golang-nuts <golang-nuts@googlegroups.com> wrote:


a delete in the control of the module author would make it worse, as you can serve malicious modules for a while, then delete and hide it, making it unsuitable, unlike the current situation.

- sean

On Thu, Feb 6, 2025, 13:44 MKS Archive <mikeschin...@gmail.com> wrote:
On Jan 4, 2025, at 11:53 AM, Christoph Berger <christophberger....@gmail.com> wrote:

> We need "go-delete". Security is not important to us. There should be a balance between people that need security and people that don't need it.

Security might not be important to you, but it is important for the clients of your code—for the users that won't expect that a module provider removes their repo or specific versions of a module, thus breaking all downstream projects.

Well, it seems there is at least one good reason for a go-delete — and a reason that is security-specific:

"The malicious package github.com/boltdb-go/bolt contains a backdoor that enables remote code execution, allowing a threat actor to control infected systems via a command and control (C2) server. After the malware was cached by the Go Module Mirror, which the Go CLI toolchain downloads from, the git tag was strategically altered on GitHub to remove traces of malware, hiding it from manual code review."

"As of this publication, the malicious package remains available on the Go Module Proxy. We have petitioned its removal from the module mirror and have also reported the threat actor’s GitHub repository and account, which were used to distribute the backdoored boltdb-go package."



#justfyi

-Mike

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/39A1062E-BF01-4B2A-80D9-3A4CD6139390%40gmail.com.


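The tag rewrite in the quoted report only fools people reading the repository; anyone who recorded the cached version in go.sum can recompute the module hash from the tag's current tree and see that it no longer matches. As an added example, not written by anyone in this thread, here is a re-implementation of the "h1:" directory-hash algorithm go.sum uses, with a constructed module tree (example.com/m is made up) to compare against a go.sum line.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 re-implements the "h1:" hash behind go.sum: zip entries named
// "<module>@<version>/<path>" are sorted, each adds "<sha256 hex>  <name>\n"
// to an outer sha256, and the digest is base64-encoded.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// GoSumHash returns the hash pinned for module@version in go.sum text, or ""
// if absent; the separate "<version>/go.mod" lines never match and are skipped.
func GoSumHash(gosum, module, version string) string {
	sc := bufio.NewScanner(strings.NewReader(gosum))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 3 && f[0] == module && f[1] == version {
			return f[2]
		}
	}
	return ""
}

// Verify reports whether a tag's current tree still matches the pinned hash;
// a tag rewritten after the proxy cached it fails this comparison.
func Verify(gosum, module, version string, tree map[string][]byte) bool {
	want := GoSumHash(gosum, module, version)
	return want != "" && want == Hash1(tree)
}

// SampleTree is a constructed (hypothetical) module tree, not a real module.
func SampleTree() map[string][]byte {
	return map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.22\n"),
		"example.com/m@v1.0.0/db.go":  []byte("package m\n\nfunc Open() {}\n"),
	}
}
```

The toolchain already performs this check through go.sum and the checksum database; the point is that whatever the proxy served stays pinned, so a later tag rewrite cannot silently replace it.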