Growing convinced we could and should ship new version cooldown in the Go modules ecosystem.

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 15:46:41 GMT

cks@mastodon.social — Fri, 13 Mar 2026 15:46:41 GMT

@filippo If you force an upstream fetch you get a big fatal error about the checksums not matching (which will detect the substitution). Otherwise you'll pull without any way to discover that the upstream and the proxy don't match.

(I force pulls of upstream for my own eccentric reasons so I get to see this every so often.)

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 08:49:29 GMT

filippo@abyssdomain.expert — Fri, 13 Mar 2026 08:49:29 GMT

@cks yep see https://words.filippo.io/go-source/

There is no “unless you force an upstream fetch” though: unless you turn off the sumdb there is only one true version. The issue is using an unverifiable view like the GitHub UI to try to view it.

Not different from any other ecosystem though: plenty of malicious npm packages with innocent code on GitHub.

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 02:39:11 GMT

cks@mastodon.social — Fri, 13 Mar 2026 02:39:11 GMT

@filippo This has made me think of a little attack that's basically a reverse tag replacement attack:
* get access to a repo and publish a compromised version with a new version tag
* get the Go proxy to fetch and cache your new version
* force-push an innocent version under the same tag

People will look at your repo and see harmless code under the tag, but I believe actual 'go mod' updates use the proxy's cached version (compromised) and its cached sum, unless you force upstream use?

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 00:52:21 GMT

raggi@don.rag.pub — Fri, 13 Mar 2026 00:52:21 GMT

@filippo seeing Google finally publishing rust ones gives me hope. We need to keep breaking the seal, not let people freak out, and just get on with it

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 00:41:20 GMT

cks@mastodon.social — Fri, 13 Mar 2026 00:41:20 GMT

@filippo Sorry, I didn't manage to say my actual thought. I think the dependabot race shows that today, people are updating rapidly as soon as new versions become visible to them, even with MVP. So slowing down visibility through a cooldown would buy time.

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 00:36:10 GMT

filippo@abyssdomain.expert — Fri, 13 Mar 2026 00:36:10 GMT

@raggi Review attestation is one of those things I heard talked about for all of my career and never once saw implemented successfully at scale. Even at large companies with employees!

There's a fundamental incentives problem which I mostly saw ignored or anyway unsolved.

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 00:34:48 GMT

filippo@abyssdomain.expert — Fri, 13 Mar 2026 00:34:48 GMT

@markd Why wouldn't clients that are most sensitive to risk adopt a longer, instead of shorter, cooldown?

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Fri, 13 Mar 2026 00:34:20 GMT

filippo@abyssdomain.expert — Fri, 13 Mar 2026 00:34:20 GMT

@cks Editing a tag is indistinguishable from an attack, so it will never work, cooldown or not. The cooldown clock starts when the sumdb captures the first contents, which then are it forever.

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Thu, 12 Mar 2026 11:45:39 GMT

raggi@don.rag.pub — Thu, 12 Mar 2026 11:45:39 GMT

@filippo we should work on review attestation, given mvs I don’t think this will have a ton of impact

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Thu, 12 Mar 2026 02:54:07 GMT

drwho@masto.hackers.town — Thu, 12 Mar 2026 02:54:07 GMT

@filippo But then coders will go back to node.js!

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Thu, 12 Mar 2026 02:19:37 GMT

markd@hachyderm.io — Thu, 12 Mar 2026 02:19:37 GMT

@filippo If cooldown becomes common would that mean that supply chain attacks would mostly affect early adopters who presumably are more sensitive to the risks?

Reply to Growing convinced we could and should ship new version cooldown in the Go modules ecosystem. on Thu, 12 Mar 2026 02:19:11 GMT

cks@mastodon.social — Thu, 12 Mar 2026 02:19:11 GMT

@filippo My experience is that I've seen multiple cases where dependabot updates raced with the dependency re-publishing a different thing under the same tag. The result was something that would only build if you used the proxy (which had cached the original published version). This is obviously bad practice (possibly in multiple places), but I think it suggests a cooldown would be useful even with MVP.

(Also maybe dependabot needs a cooldown itself, but ... good luck persuading them.)