If anyone is curious, I checked the yay aur helper go dependencies here and it had none of the malicious packages mentioned on this post
Taking garbage collection to a whole new level !
Aaah finally, malware for Linux, truly the year of the Linux Desktop!
We made it! I never thought I’d live to see this day!
The Go programming language allows developers to fetch modules directly from version control platforms like GitHub.
This is absolutely not just specific to Go.
- PyPi
- npm
- Maven Central
- Docker Hub
- Artifact Hub
- PPA
- AUR
The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.
Cargo also has a
--gitoption but I suppose it’s not default behaviorSure! My point is that hosting doesn’t really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.
I agree, I was just giving another example to raise awareness about that feature of rust.
That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?
Not that an attack like this is unique or anything.
CMake, which is kind of the universal standard build system for C++ now, has “fetch content” since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you’d like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you’d like. I don’t think most people would question pulling and building a library from Github as part of the build, especially if it had a sensible name for the task at hand.
The one, fool-proof solution to supply chain attacks? Write all your own dependencies.
I’m already writing my own dependency to check if a number is even:
if (number == 0) return true if (number == 1) return false if (number == 2) return true if (number == 3) return falseI’m almost there!
You’ve probably covered 90% of use cases there so you’re doing well!
I’m trying to port your code to Rust but the compiler keeps giving me an error about non-exhaustive match arms
It’s quite cruel of that compiler not being happy until you’re exhausted.
this is so sad, I’m gonna pray for you in rust
Assuming you’re monotheistic, I believe you can use an mpsc channel to send those asynchronously.
That seems to be the Go way. Why put it in a library when everyone can just re-implement it themselves (and test and document it too, right? Right?).
E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map. And then people try to paint this as a virtue of the language.
E.g. There isn’t even a standard set object, everyone just implements it as a map pointing to empty structs, and you get familiar with that and just accept it and learn to understand what it means when someone added an empty struct to a map.
Goooood fucking gravy.
I hate to be such an opinionated programmer, but everything I’ve read about Go only reinforces my negative opinion, especially since I read this now-famous article.
I have decades as a SWE, including deep (but now out-of-date) C++ experience, a lot more recently in serious Python systems, and a fair amount of web UI dev on the side.
Now I have 1 year with Go. I came to it with an open mind having heard people sing its praises I thought it would be broadening to spend some time with a language new to me.
My advice now is do anything you can to avoid working in golang. Almost daily, I seriously contemplate whether it’d be worth quitting and being unemployed, even in this economy (US). It is a better C, but that’s a low, low bar at least for the project domains I ever work in. Where it’s an even plausible answer, Rust is probably a better one (I think? - haven’t used Rust for anything real).
Oooof, good to know. I have a bit more of a low level C brain at root so I see the appeal of Go, but never had enough of a reason to get into C++. I’ve only really used C# and JS/JS frameworks professionally.
Rust is an absolute joy to work with. The strong typing, the hands-on memory management, the functional elements, the build system, the helpful compiler errors and warnings, the magical feeling that comes when your first successful compile since refactoring just works, the queer-friendly community… just the perfect language for the way my brain operates.
I’m lucky to be unemployed at the moment and have time to make my own projects with tools of my choosing. There are definitely some barriers to using it in most workplaces, but most of those come down to adoption inertia and the fact that the language is still “new” - new in the sense that it’s not mature enough to have a mature enough frontend framework that has a mature enough third party component library for easy plug and play. Filling out all the corners that older languages have is gonna take a while.
This is why we can’t have nice things
Any intel on affected, high-profile software?
I found the original blog post more educational.
Looks like these may be typosquats, or at least “namespace obfuscation”, imitating more popular packages. So hopefully not too widespread. I think it’s easy to just search for a package name and copy/paste the first .git files, but it’s important to look at forks/stars/issue numbers too. Maybe I’m just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can’t say I do that for their includes and those includes etc. Like if this was included in hugo or something huge I would just be fucked.
The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.
Halloween documents pt 2
