fletcher
Jun 27, 2003

I have zero experience with go but I was interested in installing a subsonic server https://github.com/sentriz/gonic, and had a question about the installation from source instructions which mention:
code:
go install go.senan.xyz/gonic/cmd/gonic@latest
I have no idea what this go.senan.xyz host is, and wasn't sure about the security aspect of installing something from it. It seems somewhat like a "curl ... | bash" type of install that I'm not a fan of. Is that sort of recommendation typical for a go app?

The route I ended up going with was:
code:
git clone https://github.com/sentriz/gonic
cd gonic
git checkout v0.15.2
go install cmd/gonic/gonic.go
Slightly better I think, but not perfect, of course. Is there a "go install ..." equivalent that can install it from github? How come I need to go through this go.senan.xyz host for it?

fletcher
Jun 27, 2003

30.5 Days posted:

I would try doing go install with GitHub instead of their custom path. Their path almost certainly just proxies through to GitHub. I don't know why people do that.

I had tried a few attempts of doing this and couldn't figure it out, but maybe I just didn't have the right syntax. I don't have my bash history handy at the moment to see what I had attempted.


skul-gun posted:

Go modules are identified by URL. From their go.mod, go.senan.xyz/gonic is the official name of the module. One reason to use your own domain is to not be tied down to one code hosting site. Another example of a project that uses its own domain is k8s.io/kubernetes.

Checking out the git repo and compiling from there is totally fine. But I would point out that for the dependencies specified in gonic's go.mod, the go tool is effectively doing "go install ..." (actually go get) for each of those, and that's normal.

At least something like k8s.io has a larger group behind it, and it's way more popular so an issue would have better visibility!

I do see some other random hosts though in the dependencies list, so I suppose I would need to do something with "go mod replace" to deal with those?

Of course, it's not really feasible to go down through the whole dependency tree and review everything myself, so I could see how this whole exercise to limit my exposure to an issue is kinda futile.

cruft posted:

You'd rather compile and install source code you can't/won't review from GitHub than from the author's server? That is an interesting threat model.

Well, the way I see it is that at least the source code in github has the opportunity for me to review it, and it has more eyeballs on it in general.

That random server though, it could be compromised and there would potentially be a lot less visibility on it.

So at least installing from source (using the naive way described above) I would just have to worry about somebody re-tagging a compromised revision of the code. That's easy to handle though - I can just switch to a copy of the code that I've frozen at a point in time. Assuming I also do the same for all the dependencies, of course.

Jamus posted:

It’s still ‘curl | bash’ if the fetch command is ‘git’ and you compile and exec the binary yourself. Unless you deeply inspect the source code you’re just replacing a pipe with the file system.

I’m a little salty about this because it’s a difficult sell to package internal tools to engineers with “curl | sh” (from a trusted URL and verifiable source!) but nobody really thinks about their normal dependency process with the same skepticism. I don’t quite understand it!


Totally true. The amount of trust you need to have when doing an "apt install <whatever>" is quite high...I guess I was just overall wondering if there's some simple things I can do to reduce exposure at least a little bit!
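To make the "what is this go.senan.xyz host" question concrete: the go tool resolves a custom module path by fetching https://<path>?go-get=1 and reading a <meta name="go-import"> tag that names the VCS and the real repository. The script below is an added example, not from the thread or the gonic project; the HTML it parses is constructed to mirror that format (the live page may differ), and the resolve_go_import function is a stand-in for what go get does internally.

```shell
#!/bin/sh
# Added example: how a vanity module path such as go.senan.xyz/gonic is
# mapped to a repository. The go tool GETs https://<path>?go-get=1 and reads
#   <meta name="go-import" content="IMPORT-PREFIX VCS REPO-URL">
# A prefix match means go.senan.xyz/gonic/cmd/gonic also resolves here.
# CONSTRUCTED response standing in for the real vanity page:
VANITY_HTML='<!DOCTYPE html><html><head>
<meta name="go-import" content="go.senan.xyz/gonic git https://github.com/sentriz/gonic">
<meta name="go-source" content="go.senan.xyz/gonic https://github.com/sentriz/gonic _ _">
</head><body>nothing to see here</body></html>'

# resolve_go_import MODULE HTML
#   prints "VCS REPO-URL" for the go-import prefix covering MODULE;
#   exits 1 when no prefix matches (the go tool would then fail the fetch).
resolve_go_import() {
    module=$1
    html=$2
    printf '%s\n' "$html" |
        tr '>' '\n' |
        sed -n 's/.*<meta name="go-import" content="\([^"]*\)".*/\1/p' |
        awk -v m="$module" '
            # $1 must equal m or be a path-component prefix of it
            index(m, $1) == 1 &&
            (length(m) == length($1) || substr(m, length($1) + 1, 1) == "/") {
                print $2, $3; found = 1
            }
            END { exit !found }'
}

# Offline demonstration; with network access the same check is
#   curl -s 'https://go.senan.xyz/gonic?go-get=1' | grep go-import
resolve_go_import go.senan.xyz/gonic/cmd/gonic "$VANITY_HTML"
# -> git https://github.com/sentriz/gonic

# After resolution the source is pinned by content, not by host: go.sum records
# an h1: hash for every module, and `go mod verify` rechecks the module cache
# against go.sum, so a later swap on the vanity host or on GitHub is detected.
# Pinning a tag instead of @latest keeps the install reproducible:
#   go install go.senan.xyz/gonic/cmd/gonic@v0.15.2
#   go mod verify
```

Because the go-import tag is what actually selects the repository, a compromised vanity host could point the go tool somewhere else for a first-time fetch; go.sum protects every fetch after the first, which is why checking that file into your own repo matters.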

fletcher
Jun 27, 2003

Thanks for all the great info! That's really cool they have the safeguards in place already with tracking the dependency checksums to mitigate the concerns.

Running arbitrary commands during the build was part of the concern, but the other part of it was the thing it's building doing something malicious when I go to execute whatever it built.

I learned a lot here, greatly appreciated and thank you!
