OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Review proposed Golang ecosystem changes #13

Open mkonda opened 5 years ago

mkonda commented 5 years ago

https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

mkonda commented 5 years ago

https://github.com/golang/go/issues/25530

mkonda commented 5 years ago

Specific comments:

  1. The go.sum concept is useful in
  2. The go distributed source ecosystem (e.g. github repos) is usefully decentralized.

But:

  1. I don't see any clear authentication of developers
  2. I don't see a security alerting mechanism
  3. No MFA
  4. No security alerting process

Basically none of the Tier 2 items we are talking about are really addressed in this proposal.
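To make concrete what the go.sum mechanism in the linked proposal does and does not authenticate, here is an added example (not code from the packman project or the proposal) that reimplements the `h1:` hash scheme go.sum records: each file in the module zip is SHA-256 hashed, the lines `"<hex>  <name>\n"` are written in sorted file-name order into a second SHA-256, and the result is base64-encoded with an `h1:` prefix. The zip entries carry the `module@version/` prefix, and the separate `<module> <version>/go.mod` line hashes a single file named `go.mod`. The module name, version, file contents and go.sum text below are constructed for the example. The check passes only if the bytes match the recorded line; nothing in it identifies who published the module, which is the gap the comment above is pointing at.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// fileSet maps a path as stored in the module zip to its contents.
// Constructed sample data for this example; not a real module.
type fileSet map[string]string

// hash1 reimplements the "h1:" directory hash used by go.sum:
// sha256 over "<sha256-hex>  <name>\n" lines, sorted by name,
// base64-encoded. It takes a map instead of a file-open callback.
func hash1(files fileSet) (string, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		if strings.Contains(n, "\n") {
			return "", errors.New("file names with newlines are not supported")
		}
		names = append(names, n)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256([]byte(files[n]))
		fmt.Fprintf(summary, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// goSumLine formats one go.sum record: "<module> <version> <hash>".
func goSumLine(module, version, hash string) string {
	return fmt.Sprintf("%s %s %s", module, version, hash)
}

// verifyAgainstGoSum recomputes the hash of files and compares it with
// the go.sum entry for module@version. A missing entry is an error too:
// go.sum must not be silently extended by an unknown module.
func verifyAgainstGoSum(goSum, module, version string, files fileSet) error {
	got, err := hash1(files)
	if err != nil {
		return err
	}
	want := ""
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version {
			want = f[2]
			break
		}
	}
	if want == "" {
		return fmt.Errorf("go.sum: no entry for %s %s", module, version)
	}
	if want != got {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tgo.sum:   %s\n\tcomputed: %s",
			module, version, want, got)
	}
	return nil
}

func main() {
	const module, version = "example.com/m", "v1.0.0" // constructed
	zipFiles := fileSet{
		module + "@" + version + "/go.mod": "module example.com/m\n\ngo 1.12\n",
		module + "@" + version + "/m.go":   "package m\n\nfunc Hello() string { return \"hi\" }\n",
	}
	// The "/go.mod" line hashes only go.mod, stored under the bare name.
	goModOnly := fileSet{"go.mod": zipFiles[module+"@"+version+"/go.mod"]}

	zipHash, _ := hash1(zipFiles)
	modHash, _ := hash1(goModOnly)
	goSum := goSumLine(module, version, zipHash) + "\n" +
		goSumLine(module, version+"/go.mod", modHash) + "\n"
	fmt.Print("constructed go.sum:\n" + goSum)

	fmt.Println("unchanged module:", verifyAgainstGoSum(goSum, module, version, zipFiles))

	// A one-byte change anywhere in the zip is caught...
	tampered := fileSet{}
	for k, v := range zipFiles {
		tampered[k] = v
	}
	tampered[module+"@"+version+"/m.go"] += "// injected\n"
	fmt.Println("tampered module:", verifyAgainstGoSum(goSum, module, version, tampered))

	// ...but a different author republishing identical bytes is not:
	// the hash binds content, not identity.
	fmt.Println("same bytes, unknown author:", verifyAgainstGoSum(goSum, module, version, zipFiles))
}
```

The hash is deterministic and order-independent (the file list is sorted before hashing), so a proxy, a checksum database and a developer machine all agree on the same `h1:` value for the same bytes, which is what lets a transparency log detect a version being quietly replaced. What it cannot tell you is whether the first publication of those bytes was by the legitimate maintainer.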

mkonda commented 5 years ago

https://github.com/golang/go/issues/25530