Hi Mike,
My understanding is that the folks operating the proxy have already removed
that:
"note that the module in question is no longer available from the
module proxy"
https://github.com/golang/go/issues/66653#issuecomment-2637831755
Best regards,
--thepudds
On Thursday, February 6, 2025 at 1:56:33 PM UTC-5 Sean Liao wrote:
> a delete in the control of the module author would make it worse, as you
> can serve malicious modules for a while, then delete and hide it, making it
> unsuitable, unlike the current situation.
>
> - sean
>
> On Thu, Feb 6, 2025, 13:44 MKS Archive <[email protected]> wrote:
>
>> On Jan 4, 2025, at 11:53 AM, Christoph Berger <[email protected]>
>> wrote:
>>
>> > We need "go-delete". Security is not important to us. There should be a
>> > balance between people that need security and people that don't need it.
>>
>> Security might not be important to you, but it is important for the
>> clients of your code—for the users that won't expect that a module provider
>> removes their repo or specific versions of a module, thus breaking all
>> downstream projects.
>>
>>
>> Well, it seems there is at least one good reason for a go-delete —
>> and a reason that is security-specific:
>>
>> *"The malicious package github.com/boltdb-go/bolt
>> <https://socket.dev/go/package/github.com/boltdb-go/bolt> contains a
>> backdoor that enables remote code execution, allowing a threat actor to
>> control infected systems via a command and control (C2) server. After the
>> malware was cached by the Go Module Mirror, which the Go CLI toolchain
>> downloads from, the git tag was strategically altered on GitHub to remove
>> traces of malware, hiding it from manual code review."*
>>
>> *"As of this publication, the malicious package remains available on the
>> Go Module Proxy. We have petitioned its removal from the module mirror and
>> have also reported the threat actor’s GitHub repository and account, which
>> were used to distribute the backdoored boltdb-go package."*
>>
>> From:
>> https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
>>
>> #justfyi
>>
>> -Mike
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "golang-nuts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>>
>> To view this discussion visit
>> https://groups.google.com/d/msgid/golang-nuts/39A1062E-BF01-4B2A-80D9-3A4CD6139390%40gmail.com
>>
>> <https://groups.google.com/d/msgid/golang-nuts/39A1062E-BF01-4B2A-80D9-3A4CD6139390%40gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
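The divergence described in the quoted Socket report (the proxy-cached copy differing from what the rewritten git tag now shows) can be detected by hashing both trees the way go.sum does. This is an added example, not part of the thread: the module path and file contents are constructed, and `h1` and `divergent` are hypothetical helper names.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Constructed sample trees (path -> content); not taken from any real module.
const modVer = "example.com/constructed/mod@v1.0.0"

var proxyCopy = map[string]string{ // what the proxy cached at first fetch
	"go.mod": "module example.com/constructed/mod\n",
	"db.go":  "package mod\n\n// placeholder: code present only in the cached copy\n",
}
var originTag = map[string]string{ // what the rewritten tag shows today
	"go.mod": "module example.com/constructed/mod\n",
	"db.go":  "package mod\n",
}

// h1 computes the go.sum "h1:" hash of a module tree: SHA-256 over the sorted
// lines "<hex sha256 of file>  <module@version>/<path>\n", base64-encoded.
func h1(modVer string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256([]byte(files[n])), modVer, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// divergent reports whether the proxy's tree and the origin tag's tree hash
// differently, returning both hashes so they can be logged or compared to go.sum.
func divergent(modVer string, proxy, origin map[string]string) (bool, string, string) {
	p, o := h1(modVer, proxy), h1(modVer, origin)
	return p != o, p, o
}

func main() {
	diff, p, o := divergent(modVer, proxyCopy, originTag)
	fmt.Printf("divergent=%v\nproxy:  %s\norigin: %s\n", diff, p, o)
}
```

In practice the two trees would come from the proxy's `.zip` for the version and a fresh checkout of the tag; a mismatch means reviewing the repository does not review what the toolchain downloads.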