Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.
Uncategorized
4
Posts
4
Posters
16
Views
-
Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.
The subdb and MVP get us far, and supply chain attacks are not much of a thing in Go beyond typosquatting, but we want to stay ahead of them.
https://github.com/golang/go/issues/76485#issuecomment-4043378459
-
undefined cybersecurity@poliverso.org shared this topic on
-
Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.
The subdb and MVP get us far, and supply chain attacks are not much of a thing in Go beyond typosquatting, but we want to stay ahead of them.
https://github.com/golang/go/issues/76485#issuecomment-4043378459
@filippo My experience is that I've seen multiple cases where dependabot updates raced with the dependency re-publishing a different thing under the same tag. The result was something that would only build if you used the proxy (which had cached the original published version). This is obviously bad practice (possibly in multiple places), but I think it suggests a cooldown would be useful even with MVP.
(Also maybe dependabot needs a cooldown itself, but ... good luck persuading them.)
-
Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.
The subdb and MVP get us far, and supply chain attacks are not much of a thing in Go beyond typosquatting, but we want to stay ahead of them.
https://github.com/golang/go/issues/76485#issuecomment-4043378459
@filippo If cooldown becomes common would that mean that supply chain attacks would mostly affect early adopters who presumably are more sensitive to the risks?
-
Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.
The subdb and MVP get us far, and supply chain attacks are not much of a thing in Go beyond typosquatting, but we want to stay ahead of them.
https://github.com/golang/go/issues/76485#issuecomment-4043378459
@filippo But then coders will go back to node.js!
-
undefined riffraff@mastodon.social shared this topic on
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Starmer, la riapertura di Hormuz non può essere affidata a una missione Nato. (Rainews)
-
Briefing: Concerns Regarding Palantir Technologies and NHS Data Systems - Medact
https://www.medact.org/2026/resources/briefings/briefing-palantir-fdp/
> This briefing document outlines the key concerns regarding the involvement of Palantir Technologies in NHS data infrastructure and operations, including via their delivery of the FDP.
-
io ormai non riesco piú a leggere «hello world» senza sentire
-
Non è vero che ci fossero solo personaggi di seconda fila da Peter Thiel a Roma. C’era anche Pietro Dettori, che non è stato affatto una seconda fila nella politica di questi anni: Pietro fu il vero uomo fidato di Gianroberto Casaleggio, negli anni ruggenti de L’Esperimento M5S
-
@jzb @kattekrab every species is part of the web of life, providing food for some species, controlling the population of another, symbiotically supporting yet another. There are 3600+ species of mosquitoes around the world, and each of them is part of their local ecology.
-
@jzb @kattekrab agreed!
-
@kattekrab It would be sad to lose bats and dragonflies.
