GopherCon 2025: The Code You Reviewed is Not the Code You Built - Jess McClintock
Author: Gopher Academy
Uploaded: 2025-12-29
Views: 941
Description:
Ken Thompson's "Reflections on Trusting Trust" highlights the potential disparity between source code and the final built product, cautioning developers to question their trust model right down to the compiler itself. This principle matters most when the trust model is intricate: a code review alone cannot provide sufficient assurance about the behavior of the build artifact.
Earlier this year, a malicious typosquat of the boltdb package was identified on the Go module proxy. Several things about this typosquat were notable, the most prominent being the way the attackers modified the git tags to obfuscate the malicious behavior: the module proxy had already cached the malicious version, while the tag on GitHub was moved to point at decoy code. Even a security-minded developer who reviewed the code present on GitHub could have been tricked into using this package. In a sense, two levels of deception were used to ship this code: the typosquat itself and the decoy code present on GitHub. This attack exposes the real-world practicality of deceiving traditional source reviews, threatening the foundation of open source consumption.
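The check a practitioner wants after reading the above is to tie the tree they reviewed to the bytes the build actually consumed. In Go that link is the "h1:" module hash: go.sum (and sum.golang.org) record it for the zip the proxy served, and the same hash can be recomputed over a git checkout at the reviewed tag. The following is an added example, not code from the talk or from any project it mentions. It reimplements the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash with the standard library only, and the module path, version, file trees and go.sum content are all constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// moduleFiles is an in-memory module tree: path relative to the module root
// (forward slashes) -> file contents. A real check would walk a git checkout
// at the reviewed tag, skipping what the module zip excludes (.git, vendor/,
// nested modules, symlinks).
type moduleFiles map[string][]byte

// hash1 reproduces the "h1:" hash recorded in go.sum and sum.golang.org:
// every file, sorted by name, is hashed with SHA-256 and a summary line
// "<hex>  <prefix>/<name>\n" is appended; the summary is then SHA-256'd and
// base64-encoded. prefix is "module@version", the directory prefix inside
// the zip the proxy serves. Same algorithm as dirhash.Hash1, stdlib only.
func hash1(prefix string, files moduleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s/%s\n", sum[:], prefix, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// parseGoSum returns the full-module hashes in go.sum keyed by "module version".
// Lines whose version ends in "/go.mod" only cover the go.mod file and are skipped.
func parseGoSum(goSum string) map[string]string {
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 || strings.HasSuffix(fields[1], "/go.mod") {
			continue
		}
		sums[fields[0]+" "+fields[1]] = fields[2]
	}
	return sums
}

// verifyReviewed asks the question in the talk title: does the tree you
// reviewed hash to what your build consumed? Both hashes are returned so a
// mismatch can be reported. ok is false when go.sum has no entry for the
// version, because then nothing pins it at all.
func verifyReviewed(module, version string, reviewed moduleFiles, goSum string) (ok bool, reviewedSum, recordedSum string) {
	reviewedSum = hash1(module+"@"+version, reviewed)
	recordedSum, found := parseGoSum(goSum)[module+" "+version]
	return found && reviewedSum == recordedSum, reviewedSum, recordedSum
}

func main() {
	// Hypothetical module path and version, constructed for the example.
	const module, version = "example.com/typosquat/bolt", "v1.3.1"
	// What the reviewer sees on GitHub after the tag was moved to a clean commit.
	clean := moduleFiles{
		"go.mod":  []byte("module example.com/typosquat/bolt\n\ngo 1.21\n"),
		"bolt.go": []byte("package bolt\n\nfunc Open(path string) error { return nil }\n"),
	}
	// What the proxy cached from the original tag (constructed stand-in for the
	// malicious tree; the extra call stands for the behavior the review missed).
	cached := moduleFiles{
		"go.mod":  clean["go.mod"],
		"bolt.go": []byte("package bolt\n\nfunc Open(path string) error { go phoneHome(); return nil }\n"),
		"net.go":  []byte("package bolt\n\nfunc phoneHome() {}\n"),
	}
	// go.sum as written by a build that resolved the version via the proxy:
	// it pins the hash of the cached zip, not of whatever the tag points at now.
	goSum := fmt.Sprintf("%s %s %s\n%s %s/go.mod h1:constructed\n",
		module, version, hash1(module+"@"+version, cached), module, version)

	ok, got, want := verifyReviewed(module, version, clean, goSum)
	fmt.Printf("reviewed tree matches go.sum: %v\n  reviewed: %s\n  go.sum:   %s\n", ok, got, want)
}
```

Two caveats worth keeping in mind when running this against a real checkout: `go mod verify` compares the module cache with go.sum, so it passes in exactly the scenario above (cache and go.sum agree; both differ from GitHub); and the hash in go.sum can be obtained without a build via `go mod download -json module@version`, whose output includes the `Sum` field.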