• vegetvs@kbin.earth
    6 months ago

    The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.

    This is absolutely not just specific to Go.

    • krakenfury@lemmy.sdf.org
      6 months ago
      • PyPi
      • npm
      • Maven Central
      • Docker Hub
      • Artifact Hub
      • PPA
      • AUR

      The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.

    • blobjim [he/him]@hexbear.net
      6 months ago

      That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?

      Not that an attack like this is unique or anything.

      • addie@feddit.uk
        6 months ago

        CMake, which is kind of the universal standard build system for C++ now, has “fetch content” since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you’d like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you’d like. I don’t think most people would question pulling and building a library from GitHub as part of the build, especially if it had a sensible name for the task at hand.
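As an added illustration of the FetchContent behaviour described in the comment above (this is example configuration, not from the article or any project discussed here), the snippet below contrasts a declaration that floats on a branch with ones pinned to a full commit id or to an archive checksum. The repository URL, commit id and SHA-256 value are placeholders, not real artifacts.

```cmake
cmake_minimum_required(VERSION 3.14)
project(fetchcontent_pinning LANGUAGES CXX)

include(FetchContent)

# WEAK: GIT_TAG names a branch, so every configure pulls whatever the
# branch points at today. A moved tag or a replaced upstream changes the
# build with no local signal. (URL is a placeholder.)
#
# FetchContent_Declare(
#   somelib
#   GIT_REPOSITORY https://example.com/org/somelib.git
#   GIT_TAG        main
# )

# HARDENED (git): pin to the full 40-hex commit id. A branch always moves
# and a lightweight tag can be re-pointed, but a commit id names exact
# content, so swapped history fails the checkout instead of building.
# The commit id below is a placeholder.
FetchContent_Declare(
  somelib
  GIT_REPOSITORY https://example.com/org/somelib.git
  GIT_TAG        0123456789abcdef0123456789abcdef01234567
)

# HARDENED (archive): FetchContent_Declare accepts ExternalProject's
# download options, so a release tarball can be pinned by URL_HASH and
# CMake aborts the fetch if the bytes do not match. Placeholder digest.
FetchContent_Declare(
  otherlib
  URL      https://example.com/org/otherlib/archive/v1.2.3.tar.gz
  URL_HASH SHA256=0000000000000000000000000000000000000000000000000000000000000000
)

FetchContent_MakeAvailable(somelib otherlib)
```

For local review before building, `cmake -D FETCHCONTENT_FULLY_DISCONNECTED=ON` skips every download and update step and uses only what is already in the build tree, which makes an unexpected network fetch show up as a configure error rather than happening silently.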