Cup o' Go

Supply chain attacks ⛓️‍💥 Ghetto Logs 👊🏾 🪵 and Rust/AI cold takes 🧊 with Thorsten Ball

Feb 7, 2025
In this engaging discussion, Thorsten Ball, a software engineer at Sourcegraph and author of notable programming books, dives into pressing issues around supply chain security, highlighting threats like typosquatting and a malicious package in the Go ecosystem. He shares his insights on new Go language updates and tools like GoFix that automate code migration. Thorsten also explores the contrast between Go and Rust, discussing preferences rooted in simplicity versus complexity, and wraps up with creative approaches to logging using AI.
ADVICE

Go Security Releases

  • Upgrade to Go 1.23.6 or 1.22.12 for important security fixes.
  • These versions address arbitrary code execution during builds on Apple platforms.
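As an added example (not code from the episode or from the Go project), here is a small Go program that checks a toolchain version string against the two fixed releases named above, using the standard go/version package. It covers the cases a fleet check usually gets wrong: out-of-support branches, release candidates, and development builds. The threshold "every final release from go1.24.0 onward contains the fixes" is this example's assumption, as is the decision to report unrecognised version strings as unverifiable rather than safe.

```go
package main

import (
	"fmt"
	"go/version"
	"runtime"
)

// fixedVersions lists, per affected release branch, the first patch release
// carrying the February 2025 security fixes named in the episode
// (Go 1.23.6 and Go 1.22.12). Branch keys are in go/version's Lang() form.
var fixedVersions = map[string]string{
	"go1.23": "go1.23.6",
	"go1.22": "go1.22.12",
}

// firstCleanMajor is the first release of the next branch; this example
// assumes every final release from here on shipped with the fixes. Using the
// ".0" form matters: go/version orders "go1.24rc1" before "go1.24.0", so
// release candidates are not silently accepted.
const firstCleanMajor = "go1.24.0"

// Patched reports whether toolchain version v (the format runtime.Version()
// returns for releases, e.g. "go1.23.5") contains the fixes, with a reason.
// Development builds ("devel go1.24-abc123 ...") are not valid release
// versions and are reported as unverifiable rather than as safe.
func Patched(v string) (bool, string) {
	if !version.IsValid(v) {
		return false, fmt.Sprintf("%q is not a release version; cannot verify", v)
	}
	if fixed, ok := fixedVersions[version.Lang(v)]; ok {
		if version.Compare(v, fixed) >= 0 {
			return true, fmt.Sprintf("%s is at or above %s", v, fixed)
		}
		return false, fmt.Sprintf("%s is below %s; upgrade", v, fixed)
	}
	if version.Compare(v, firstCleanMajor) >= 0 {
		return true, fmt.Sprintf("%s postdates the affected branches", v)
	}
	// Older, out-of-support branches (go1.21 and earlier) never received the
	// fix, and a go1.24 release candidate is not covered by this advisory.
	return false, fmt.Sprintf("%s is not a patched release; upgrade to a supported branch", v)
}

func main() {
	v := runtime.Version()
	ok, why := Patched(v)
	fmt.Printf("toolchain %s: patched=%t (%s)\n", v, ok, why)
}
```

Running the binary under the toolchain you want to audit prints its own verdict; in CI the same function can be fed the output of `go version` from each builder. The point of the branch table is that "newer is safer" is only true within a branch: go1.22.12 is patched while go1.23.5, which is numerically newer, is not.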
ANECDOTE

Build Vulnerability

  • A vulnerability allowing arbitrary code execution during builds on Apple platforms was discovered.
  • This vulnerability was reported by Juho Forsén of Mattermost.
INSIGHT

Timing Attack

  • A timing side-channel was found in the crypto/elliptic package (P-256).
  • The vulnerability affects only the ppc64le (64-bit little-endian PowerPC) architecture, a niche platform for Go.