FRESH

Hacker News

Inspecting the Source of Go Modules

41 points by todsacerdoti

by aleksi

0 subcomment

See also https://github.com/golang/go/issues/66653 (that I don’t think is linked from the article)

by delusional

2 subcomments

> but it is better understood as exploiting the natural lack of verification in the GitHub web interface, which doesn’t show the authentic (and in this case malicious) source of a module version, as used by actual Go tooling.
That's a load of crap. It can never become a github issue that the Go ecosystem has chosen to make it look like the packages you pull come from github, but are actually diverted to be served by Google from some strange pull-through cache.
Calling this a "lack of verification in the GitHub web interfaces" completely inverts the abstraction layers and asks GitHub to implement specific features for your incorrect usecase.
Then there's the misnomer of a hash database being anywhere close to analogous to PGP signed sources. This is amateur level stuff.

by philipwhiuk

4 subcomments

I've always found it very weird that GitHub's tolerated being completely subverted to become a package manager for ecosystems that can't be bothered to manage it themselves.
NPM doesn't just proxy to GitHub (even though both are owned by Microsoft).
To see maintainers criticise GitHub for not being a perfect package manager is lunacy.
See also https://github.com/CocoaPods/CocoaPods/issues/4989

by pjmlp

1 subcomments

> Go has indisputably the best package integrity story of any programming language ecosystem
Nope, still catching up to Java and .NET.