Inspecting the Source of Go Modules
3 months ago
- #Go Modules
- #Open Source
- #Security
- Go's Checksum Database (sum.golang.org) ensures module integrity by recording the cryptographic hash of each module version the first time it is seen; the `go` command checks the `h1:` hashes in `go.sum` against that record, so every later download must match.
- Go modules are decentralized: the `go` command can fetch a module straight from its origin repository, but because each download is checked against the Checksum Database, a copy that differs from the recorded one is rejected rather than silently accepted.
- Git tags are mutable, and GitHub's web interface simply shows whatever a tag currently points to, so the code displayed for a version can differ from the code the Go tooling downloaded and checksummed.
- A typosquatting attack exploited exactly this: after the malicious version had been published, the tag was moved to an innocent-looking commit, so the source shown on GitHub no longer matched what the Go tooling served.
- To inspect the code that will actually be built, use `go mod download` to fetch the checksummed module zip instead of browsing the repository; the post also mentions an upcoming `go mod verify -tag` for verifying a module against its tag locally.
- Alternative services like pkg.geomys.dev provide verified source viewing with additional features.
- Future plans include optional proof checking for module zip files once CORS issues are resolved.
- Geomys, supported by companies like Ava Labs and Teleport, funds sustainable open-source Go maintenance.
- The post recommends against `GOPROXY=direct`: cloning repositories with git exposes far more attack surface than downloading a module zip from the proxy.
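To make the checksum mechanism concrete, here is an added example (written for this page, not code from the post, from Geomys, or from the Go project) that reimplements the `h1:` module hash recorded in `go.sum` and the Checksum Database, then checks a module zip against a `go.sum` line. The algorithm is the one in `golang.org/x/mod/sumdb/dirhash.Hash1`: per-file SHA-256, summarized in sorted path order, hashed again and base64-encoded. The module path `example.com/hello` and its files are constructed sample input; the zip is built in memory, so the program runs offline. It does not talk to the Checksum Database itself, which is the part the `go` command adds on top of this hash.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"sort"
	"strings"
)

// hash1 implements the "h1:" module hash: SHA-256 over a sorted list of
// "<sha256hex>  <path>\n" lines, one per file, base64-encoded with an "h1:" prefix.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // zip entry order must not influence the hash
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// zipHash1 hashes the entries of a module zip. Entry names keep their
// "module@version/" prefix, which is how the go command hashes them too.
func zipHash1(zipData []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return "", err
	}
	files := make(map[string][]byte, len(r.File))
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		files[f.Name] = data
	}
	return hash1(files), nil
}

// verifyZip compares a module zip with the go.sum line for module@version.
// false means the zip is not the code go.sum (and the Checksum Database) recorded.
func verifyZip(gosum, module, version string, zipData []byte) (bool, error) {
	var want string
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version {
			want = f[2]
		}
	}
	if want == "" {
		return false, fmt.Errorf("%s@%s not found in go.sum", module, version)
	}
	got, err := zipHash1(zipData)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// makeZip builds an in-memory module zip from constructed file contents.
func makeZip(files map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, content := range files { // order is irrelevant: hash1 sorts
		f, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		f.Write([]byte(content))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample module; example.com/hello is hypothetical.
	const mod, ver = "example.com/hello", "v1.0.0"
	files := map[string]string{
		mod + "@" + ver + "/go.mod":   "module example.com/hello\n\ngo 1.22\n",
		mod + "@" + ver + "/hello.go": "package hello\n\nfunc Hi() string { return \"hi\" }\n",
	}
	good := makeZip(files)
	h, _ := zipHash1(good)
	gosum := fmt.Sprintf("%s %s %s\n", mod, ver, h) // the line go.sum would hold
	ok, _ := verifyZip(gosum, mod, ver, good)
	fmt.Println("original zip matches go.sum:", ok)

	// Simulate the tag being moved to different source after the hash was recorded.
	files[mod+"@"+ver+"/hello.go"] = "package hello\n\nfunc Hi() string { return \"changed\" }\n"
	ok, _ = verifyZip(gosum, mod, ver, makeZip(files))
	fmt.Println("modified zip matches go.sum:", ok)
}
```

`go mod verify` performs this same comparison for every module in the local cache; the point of the example is that the hash is over the exact zip contents, so a tag that now points elsewhere cannot change what `go.sum` will accept, only what a web page displays.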