> but it is better understood as exploiting the natural lack of verification in the GitHub web interface, which doesn’t show the authentic (and in this case malicious) source of a module version, as used by actual Go tooling.
That's a load of crap. It can never become a github issue that the Go ecosystem has chosen to make it look like the packages you pull come from github, but are actually diverted to be served by Google from some strange pull-through cache.
Calling this a "lack of verification in the GitHub web interfaces" completely inverts the abstraction layers and asks GitHub to implement specific features for your incorrect usecase.
Then there's the misnomer of a hash database being anywhere close to analogous to PGP signed sources. This is amateur level stuff.
FTA:
> “For example, there is no guarantee that the code displayed at https://github.com/example/mod/blob/v1.2.3/exp.go is the actual contents of exp.go from v1.2.3 of module github.com/example/mod: GitHub allows force-pushing git tags and even built its recommended GitHub Actions workflows on top of mutable tags.”
In a sense this is a git issue: the fact that git is mutable instead of append-only. Git wasn’t designed to serve as part of a code integrity system - you’d have to add that at some other level, such as Github.
Or in the case of this example, recognize that tags can’t be secured and implement everything in terms of commit hashes, etc.
> the fact that git is mutable instead of append-only
Remind me again how I change a commit in the middle of a branch without affecting the commits that come later in the same branch?
git rebase can do that easily, I do it all the time when prepping feature branches for submission to the main branch
> git rebase can do that easily
What exact parameters you use for not changing the latter commits? Must be a very new feature, git's whole idea used to be that commits are on top of the previous ones, rewriting one needs rewrite of all the latter ones.
Instead of making a sarcastic response, just state plainly what you mean. This prevents you having to get into dumb arguments that don't mean anything to people who don't already know what you're trying to say.
literally just 'git rebase origin/main' to insert new commits to main into my branch history prior to the commits I made. No rewrites of later commits required if there are no conflicts. You seem to have an extreme misunderstanding of how git works.
Talking about extreme misunderstandings, rebase always rewrites commits, even when there are conflicts. Look at the commit sha's next time you're doing that.
> implement everything in terms of commit hashes
And remember, git uses a vulnerable algorithm :)
You are right. GitHub has nothing to do with this problem — it's entirely on Go.