Provoked by the bolt-go malicious package cache exploit last week, I've
been thinking about how to detect this en masse. There is a simple but
expensive (at a personal financial cost level) way to find candidates
for other packages that have used this technique: iterate over all
packages in the cache and run go get in an empty client module with
GOPROXY=direct. This finds packages where the version in the source
control system does not match that in the cache. I'd sort of like to do
this, but the bandwidth would be onerous for me.
An alternative to this would be for 1/n (for some reasonable n) go gets
via the cache to recollect the package from the original source location,
and if the sum hash value does not match the already known sumdb value,
a warning flag is attached to the package in the cache, reported to
the user, and flagged on pkg.go.dev. This approach has the
characteristic that popularly used packages will be checked more
frequently and no work will be done for unused packages. It does leave
a window open, but how long this window is open for can be tuned by
varying n. Fetches by pkg.go.dev could also trigger the 1/n, or a
similar after-time check (if it has not been checked for a certain
amount of time it is checked), so that not-often-used packages that are
being explored are also made safer.
Is this something that's worth considering?
Dan
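The first approach in the post, the expensive one, can be scripted directly. The following is an added example and is not Dan's code or part of the Go project: for each module@version given on the command line it downloads the module twice into throwaway module caches, once through the module proxy and once with GOPROXY=direct from the original source, and compares the h1: zip hash ("Sum") that go mod download -json reports for each. It assumes a Go toolchain on PATH and network access; the GOPROXY_UNDER_TEST variable is a name chosen here, not a Go environment variable.

```shell
#!/bin/sh
# Added example (not from the original post): compare the module proxy's
# copy of each module@version with a fresh fetch from the original source.
# Assumes a Go toolchain on PATH and network access for the real fetches.
set -eu

# Pull the "Sum" field out of `go mod download -json` output (empty if absent).
sum_field() {
  printf '%s\n' "$1" | sed -n 's/.*"Sum": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Print a verdict for one module. Returns 0 for a match, 1 for a mismatch,
# and 2 when either fetch produced no hash (for example the tag no longer
# exists upstream, which is itself worth a look).
verdict() {
  mod=$1; proxy_sum=$2; direct_sum=$3
  if [ -z "$proxy_sum" ] || [ -z "$direct_sum" ]; then
    printf 'UNKNOWN  %s proxy=%s direct=%s\n' "$mod" "${proxy_sum:-?}" "${direct_sum:-?}"
    return 2
  fi
  if [ "$proxy_sum" = "$direct_sum" ]; then
    printf 'OK       %s %s\n' "$mod" "$proxy_sum"
    return 0
  fi
  printf 'MISMATCH %s proxy=%s direct=%s\n' "$mod" "$proxy_sum" "$direct_sum"
  return 1
}

# Fetch module@version through the given GOPROXY into a private, fresh
# GOMODCACHE (so a copy already in the default cache cannot short-circuit
# the fetch) and print its h1: sum. GOSUMDB=off makes the toolchain report
# the hash of what it actually fetched instead of aborting on a sumdb
# mismatch; the comparison is done by verdict() instead. The work happens
# inside an empty scratch module, as described in the post.
fetch_sum() {
  mod=$1; proxy=$2
  cache=$(mktemp -d)
  work=$(mktemp -d)
  (cd "$work" && go mod init scratch >/dev/null 2>&1)
  out=$(cd "$work" && GOPROXY="$proxy" GOSUMDB=off GOMODCACHE="$cache" \
        GOPRIVATE= GONOPROXY= GONOSUMDB= \
        go mod download -json "$mod" 2>/dev/null || true)
  GOMODCACHE="$cache" go clean -modcache >/dev/null 2>&1 || true
  chmod -R u+w "$cache" 2>/dev/null || true
  rm -rf "$cache" "$work"
  sum_field "$out"
}

# Compare the proxy's copy of one module@version with a fresh source fetch.
check_module() {
  mod=$1
  proxy_sum=$(fetch_sum "$mod" "${GOPROXY_UNDER_TEST:-https://proxy.golang.org}")
  direct_sum=$(fetch_sum "$mod" direct)
  verdict "$mod" "$proxy_sum" "$direct_sum"
}

# Usage: sh check_cache.sh github.com/example/mod@v1.2.3 ...
# Exits non-zero if any module mismatched or could not be compared.
main() {
  status=0
  for m in "$@"; do
    check_module "$m" || status=1
  done
  return "$status"
}

[ "$#" -eq 0 ] || main "$@"
```

Two design points: a separate, empty GOMODCACHE per fetch is essential, because go mod download reuses whatever is already in the local module cache and would never hit the network; and GOSUMDB is switched off only so that both hashes can be printed side by side. Leaving GOSUMDB on for the direct fetch gives the same signal in a less informative form: go itself refuses the download with a checksum mismatch when the source no longer matches what sum.golang.org recorded.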