Supply Chain Security with Go (gpn22)

Published: May 31, 2024, 3 p.m.

You become aware of a security vulnerability affecting your Go program(s)! What now? This talk tries to answer that question for various common scenarios, explaining the roles of the various technologies and services (like the Go Module Proxy or Go Checksum Database).

The recent xz vulnerability brought the topic of Supply Chain Security to everyone's attention.

I don't have a solution for preventing the social engineering aspect of the vulnerability. So let's focus on the part we can control: assuming it has happened, what does our incident response look like?

Aside from the more general details about Go, we'll look at the gokrazy system as a concrete case study in Supply Chain Minimalism (Linux kernel + Go) and how it can be used for sensitive use cases.

about this event: https://cfp.gulas.ch/gpn22/talk/WY37UN/
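As an added illustration of the role of go.sum and the Go Checksum Database mentioned in the abstract (this is example code written for this page, not code from the talk or from the gokrazy project), the following Go program reimplements the "h1:" module hash with the standard library, renders the two go.sum records for a constructed module example.com/hello v1.0.0, and checks an untampered and a tampered download against them. The module name, version, files and the helper names are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// moduleFile is one file of a module version as the toolchain sees it inside
// the zip fetched from the Go Module Proxy: the name carries the
// "<module>@<version>/" prefix. For the separate go.mod record the name is
// just "go.mod". All files used below are constructed for this example.
type moduleFile struct {
	Name string
	Data []byte
}

// hash1 reimplements the "h1:" algorithm recorded in go.sum and served by the
// Go Checksum Database (the documented dirhash.Hash1 algorithm, rewritten here
// with the standard library): names are sorted, each file contributes the line
// "<sha256 hex of contents>  <name>\n" to a summary, and the result is
// "h1:" + base64(sha256(summary)).
func hash1(files []moduleFile) (string, error) {
	sorted := append([]moduleFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	summary := sha256.New()
	for _, f := range sorted {
		if strings.Contains(f.Name, "\n") {
			return "", errors.New("hash1: file names containing newlines are not supported")
		}
		contentSum := sha256.Sum256(f.Data)
		fmt.Fprintf(summary, "%x  %s\n", contentSum[:], f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// goSumLines renders the two go.sum records for one module version: the hash
// of the whole zip and, on the "/go.mod" line, the hash of go.mod alone.
func goSumLines(module, version string, zipFiles []moduleFile, goMod []byte) ([]string, error) {
	zipHash, err := hash1(zipFiles)
	if err != nil {
		return nil, err
	}
	modHash, err := hash1([]moduleFile{{Name: "go.mod", Data: goMod}})
	if err != nil {
		return nil, err
	}
	return []string{
		fmt.Sprintf("%s %s %s", module, version, zipHash),
		fmt.Sprintf("%s %s/go.mod %s", module, version, modHash),
	}, nil
}

// verifyAgainstGoSum models the check the go command performs on a download:
// the hash of what the proxy delivered must equal the hash pinned in go.sum.
// A mismatch is the case where go refuses the download; a missing record means
// the version was never pinned, which is when the toolchain consults the
// checksum database before trusting the proxy's copy.
func verifyAgainstGoSum(goSum, module, versionKey, computed string) error {
	for _, line := range strings.Split(goSum, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 || fields[0] != module || fields[1] != versionKey {
			continue
		}
		if fields[2] != computed {
			return fmt.Errorf("checksum mismatch for %s %s: go.sum has %s, downloaded %s",
				module, versionKey, fields[2], computed)
		}
		return nil
	}
	return fmt.Errorf("%s %s is not recorded in go.sum", module, versionKey)
}

// sampleModule builds the constructed module example.com/hello v1.0.0.
func sampleModule() (zipFiles []moduleFile, goMod []byte) {
	goMod = []byte("module example.com/hello\n\ngo 1.22\n")
	zipFiles = []moduleFile{
		{Name: "example.com/hello@v1.0.0/hello.go", Data: []byte("package hello\n\nfunc Hello() string { return \"hi\" }\n")},
		{Name: "example.com/hello@v1.0.0/go.mod", Data: goMod},
	}
	return zipFiles, goMod
}

func main() {
	zipFiles, goMod := sampleModule()
	lines, err := goSumLines("example.com/hello", "v1.0.0", zipFiles, goMod)
	if err != nil {
		panic(err)
	}
	goSum := strings.Join(lines, "\n") + "\n"
	fmt.Print("go.sum records:\n" + goSum)

	// An honest re-download hashes to the pinned value.
	good, _ := hash1(zipFiles)
	fmt.Println("untampered:", verifyAgainstGoSum(goSum, "example.com/hello", "v1.0.0", good))

	// A proxy (or anyone in the path) serving a modified hello.go yields a
	// different h1: hash, and the pinned go.sum rejects it.
	tampered := append([]moduleFile(nil), zipFiles...)
	tampered[0] = moduleFile{Name: tampered[0].Name, Data: []byte("package hello\n\nfunc Hello() string { return \"pwned\" }\n")}
	bad, _ := hash1(tampered)
	fmt.Println("tampered:", verifyAgainstGoSum(goSum, "example.com/hello", "v1.0.0", bad))
}
```

Running the file with `go run` prints the two records and then a nil error for the untampered zip and a checksum-mismatch error for the tampered one. What the example deliberately leaves out is the other half of the design: when a version is not yet in go.sum, the real toolchain fetches its record from the checksum database and verifies it against the database's signed, append-only log, so that a proxy cannot hand different users different "first downloads".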