a delete in the control of the module author would make it worse, as you can serve malicious modules for a while, then delete and hide it, making it unsuitable, unlike the current situation.
- sean

On Thu, Feb 6, 2025, 13:44 MKS Archive <mikeschin...@gmail.com> wrote:

> On Jan 4, 2025, at 11:53 AM, Christoph Berger <christophberger....@gmail.com> wrote:
>
> > > We need "go-delete". Security is not important to us. There should be a balance between people that need security and people that don't need it.
> >
> > Security might not be important to you, but it is important for the clients of your code—for the users that won't expect that a module provider removes their repo or specific versions of a module, thus breaking all downstream projects.
>
> Well, it seems there is at least one good reason for a go-delete — and a reason that is security-specific:
>
> *"The malicious package github.com/boltdb-go/bolt <https://socket.dev/go/package/github.com/boltdb-go/bolt> contains a backdoor that enables remote code execution, allowing a threat actor to control infected systems via a command and control (C2) server. After the malware was cached by the Go Module Mirror, which the Go CLI toolchain downloads from, the git tag was strategically altered on GitHub to remove traces of malware, hiding it from manual code review."*
>
> *"As of this publication, the malicious package remains available on the Go Module Proxy. We have petitioned its removal from the module mirror and have also reported the threat actor’s GitHub repository and account, which were used to distribute the backdoored boltdb-go package."*
>
> From: https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
>
> #justfyi
>
> -Mike
>
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/39A1062E-BF01-4B2A-80D9-3A4CD6139390%40gmail.com

To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/CAGabyPrKq%3DDSJGAsHpXOZ2d3NpQSQNzZ04amNeHY9m9fGeF0Eg%40mail.gmail.com.
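The Socket write-up quoted in the thread describes a module that was cached by the Go Module Mirror and then had its git tag rewritten upstream, so the mirror keeps serving content the repository no longer shows. A defender-side check for that situation is to compute the same `h1:` directory hash that go.sum records for the module zip the mirror serves and for a fresh VCS fetch (`GOPROXY=direct`), and compare the two: a mismatch means the tag no longer resolves to what the mirror cached. The program below is an added example and is not code from the thread, from Socket, or from the Go project; it reimplements the published `h1:` algorithm of golang.org/x/mod/sumdb/dirhash (sha256 per file, a sorted `<hex>  <zip entry name>` list, sha256 of that list, base64) over in-memory file sets. The module path, version and file contents are constructed sample data, not the real boltdb-go module.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles maps a path inside a module (e.g. "store.go") to its contents.
// In a real check the two sets come from unzipping the archives that
// `go mod download -json` reports for the mirror and for GOPROXY=direct.
type ModuleFiles map[string][]byte

// Hash1 computes the "h1:" hash that go.sum records for a module zip,
// following the algorithm published in golang.org/x/mod/sumdb/dirhash:
// sha256 each file, list "<hex sha256>  <zip entry name>\n" sorted by name,
// sha256 that list, base64-encode the result. Zip entry names carry the
// "<module>@<version>/" prefix, so it is added here before hashing.
func Hash1(modPath, version string, files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // same order as sorting the prefixed entry names
	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s@%s/%s\n", fileSum, modPath, version, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Verdict reports whether the mirror's cached copy of a version still
// matches what the upstream VCS tag resolves to right now.
type Verdict struct {
	ProxyHash  string
	DirectHash string
	Tampered   bool // true when the cached content and the live tag differ
}

// Compare hashes both copies of the same module@version and flags a
// mismatch. A mismatch is exactly the situation in the quoted write-up:
// the mirror serves one thing, the repository tag now shows another.
func Compare(modPath, version string, proxy, direct ModuleFiles) Verdict {
	p := Hash1(modPath, version, proxy)
	d := Hash1(modPath, version, direct)
	return Verdict{ProxyHash: p, DirectHash: d, Tampered: p != d}
}

// MatchesGoSum checks a set of files against the hash a consumer already
// recorded in go.sum. This is the check `go build` performs: it proves the
// download equals what was first recorded, not that the upstream tag is intact.
func MatchesGoSum(modPath, version, recordedH1 string, files ModuleFiles) bool {
	return Hash1(modPath, version, files) == recordedH1
}

func main() {
	// Constructed sample content; hypothetical module, not the real boltdb-go package.
	const mod, ver = "github.com/example/kvstore", "v1.0.0"
	proxy := ModuleFiles{
		"go.mod":   []byte("module github.com/example/kvstore\n\ngo 1.22\n"),
		"store.go": []byte("package kvstore\n\nfunc init() { /* extra code present only in the cached copy */ }\n"),
	}
	direct := ModuleFiles{
		"go.mod":   []byte("module github.com/example/kvstore\n\ngo 1.22\n"),
		"store.go": []byte("package kvstore\n"),
	}
	v := Compare(mod, ver, proxy, direct)
	fmt.Printf("mirror: %s\ndirect: %s\ntampered: %v\n", v.ProxyHash, v.DirectHash, v.Tampered)

	// A consumer who recorded the cached hash keeps verifying clean against the mirror.
	recorded := v.ProxyHash
	fmt.Println("go.sum still matches mirror copy:", MatchesGoSum(mod, ver, recorded, proxy))
}
```

In practice the two file sets come from the module zips that `go mod download -json` reports, once with `GOPROXY` pointing at the mirror and once with `GOPROXY=direct`; the `Sum` field it prints is the same `h1:` value, so the comparison can also be done on those strings directly. The `MatchesGoSum` path shows the limit of the built-in check: a consumer who first fetched the cached version has that version's hash in go.sum, and later builds verify clean against the mirror's copy, because go.sum pins reproducibility rather than attesting that the upstream tag is unchanged.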