Supply Chain Security with Go

Michael Stapelberg

Playlists: 'gpn22' videos starting here / audio

You become aware of a security vulnerability affecting your Go program(s)! What now? This talk tries to answer that question for various common scenarios, explaining the roles of the various technologies and services (like the Go Module Proxy or Go Checksum Database).

The recent xz vulnerability brought the topic of Supply Chain Security to everyone’s attention.

I don’t have a solution for preventing the social engineering aspect of the vulnerability. So let’s focus on the part we can control: assuming it has happened, what does our incident response look like?

Aside from the more general details about Go, we’ll look at the gokrazy system as a concrete case study in Supply Chain Minimalism (Linux kernel + Go) and how it can be used for sensitive use-cases.