Supply chain security for Go, Part 2: Compromised dependencies (Google Online Security Blog)
Julie Qiu, Go Security & Reliability, and Roger Ng, Google Open Source Security Team

“Secure your dependencies”—it’s the new supply chain mantra. With attacks targeting software supply chains sharply rising, open source developers need to monitor and judge the risks of the projects they rely on. Our previous installment of the Supply chain security for Go series shared the ecosystem tools available to Go developers to manage their dependencies and vulnerabilities. This second installment describes the ways that Go helps you trust the integrity of a Go package.

Go has built-in protections against three major ways packages can be compromised before reaching you:

- A new, malicious version of your dependency is published
- A package is withdrawn from the ecosystem
- A malicious file is substituted for a currently used version of…