x/vgo: verify go.mod files somehow #25526
When using a proxy, it's useful for vgo to be able to fetch go.mod files without fetching the whole module. The go.mod file is needed for dependency resolution even when the specific package being built does not depend on the module. However, go.mod files are not verified by go.modverify, and we want proxies to be untrusted.
Following an untrusted go.mod can turn out to be a bad idea in a number of ways. An attacker might, for example, downgrade the user to a known vulnerable version, or to an old version that includes an attacker-controlled transitive dependency. In general, allowing an attacker to change behavior is a recipe for disaster.
This is a proposal for a hashing scheme that will allow the efficient verification of go.mod files without extending the go.modverify entries, by building a poor man's Merkle tree.
A Hash2 is defined as:
And a new field ModVerifier is added to the
This way a client can verify a go.mod file with only the Hash1 from the
If a hash with version 1 is encountered in modverify, the whole package is fetched, and the hash is replaced with a version 2 hash. If the
Alternatively, we can implement a full Merkle tree, which would allow us to verifiably fetch any file or directory from within a larger module, but I don't see this becoming necessary soon.
It is a bit unclear to me how much damage a proxy can do by faking
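The two-leaf "poor man's Merkle tree" idea above, as an added example that is not part of the original issue or of vgo. The page does not carry the actual definition of Hash2 or the shape of the ModVerifier field, so the construction here is an assumption: `hash1` is a stand-in for the version 1 whole-module hash, `modVerifier` is assumed to be the version 1 hash of the module with go.mod removed, and `hash2` is assumed to be a domain-separated SHA-256 over H(go.mod) and that verifier. The function and variable names and the sample module are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
)

// hash1 stands in for a version 1 whole-module hash (assumed, not vgo's):
// SHA-256 over the files in sorted path order, each framed as
// "path\x00len\x00content" so file boundaries cannot be shifted around.
func hash1(files map[string][]byte) [32]byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%s\x00%d\x00", p, len(files[p]))
		h.Write(files[p])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// modVerifier is the value the proxy would serve next to go.mod: here
// assumed to be hash1 of the module with go.mod excluded, i.e. the
// second leaf of the two-leaf tree.
func modVerifier(files map[string][]byte) [32]byte {
	rest := make(map[string][]byte, len(files))
	for p, c := range files {
		if p != "go.mod" {
			rest[p] = c
		}
	}
	return hash1(rest)
}

// hash2 is the assumed tree root pinned in go.modverify:
// H("h2:" || H(go.mod) || modVerifier). The prefix separates it from hash1.
func hash2(goMod []byte, verifier [32]byte) [32]byte {
	leaf := sha256.Sum256(goMod)
	h := sha256.New()
	h.Write([]byte("h2:"))
	h.Write(leaf[:])
	h.Write(verifier[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// verifyGoMod is the client side of the cheap path: go.mod and the verifier
// both come from the untrusted proxy, trusted is the pinned hash2. Accept
// only if the two recombine to the pinned root.
func verifyGoMod(goMod []byte, verifier, trusted [32]byte) bool {
	got := hash2(goMod, verifier)
	return subtle.ConstantTimeCompare(got[:], trusted[:]) == 1
}

// verifyModule is the client side after a full download: recompute the
// verifier from the actual files instead of trusting the proxy's copy.
func verifyModule(files map[string][]byte, trusted [32]byte) bool {
	goMod, ok := files["go.mod"]
	if !ok {
		return false
	}
	return verifyGoMod(goMod, modVerifier(files), trusted)
}

func main() {
	// Constructed sample module; not a real module.
	files := map[string][]byte{
		"go.mod": []byte("module example.com/m\n\nrequire example.com/dep v1.2.0\n"),
		"m.go":   []byte("package m\n"),
	}
	// What go.modverify would pin after the first full, verified download.
	trusted := hash2(files["go.mod"], modVerifier(files))
	fmt.Println("pinned h2:", hex.EncodeToString(trusted[:]))

	// Cheap path: the proxy serves only go.mod plus the verifier.
	fmt.Println("honest go.mod accepted:", verifyGoMod(files["go.mod"], modVerifier(files), trusted))

	// A malicious proxy downgrades the dependency; without a second preimage
	// of the pinned root it cannot supply a verifier that makes this pass.
	downgraded := []byte("module example.com/m\n\nrequire example.com/dep v1.0.0\n")
	fmt.Println("downgraded go.mod accepted:", verifyGoMod(downgraded, modVerifier(files), trusted))
}
```

The point of keeping `verifyModule` separate from `verifyGoMod` is that the verifier the proxy hands over is only ever used to reconstruct the root; once the zip is available the client recomputes it from the files, so a proxy that lies about the verifier can at most cause a fetch to fail, not change what gets built.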