This morning, the creator of go-bindata deleted their GitHub account and someone else created a new account under the same name. When open source is at center stage for new innovations, the provenance and security of components is critical to the well-being of development practices in all industries.
As we saw with the removal of leftpad in #npmgate a few years back,
even small components can have an enormous reach across an ecosystem.
When developers choose to publish their work, they are taking on an
extraordinary responsibility, often unwittingly. They need to
consider this when choosing how to secure their credentials and how to
protect namespaces like GitHub IDs, because it's not just themselves
they put at risk: should they be compromised, the entire ecosystem is
exposed.
This distributed risk is not unlike vaccines. Getting the flu might be
only a bother for you, but in reality, the life saved might be that of
your grandmother who doesn’t contract the virus on the holidays
because you were yourself vaccinated and unaffected.
A hijack of a known GitHub ID, as in this latest disclosure, could lead
to fake versions of popular components being published to the
repository for everyone to consume. The new reality is that developers
themselves are on the front lines of modern security attacks. Their
IDs, if compromised or hijacked, could be used to unwittingly inject
malware into an otherwise approved and sanctioned release of their
components.
Response across the industry has been multifaceted, with some users planning to use locally cached versions of go-bindata, others questioning the trustworthiness of any open source component, and some attempting to track the provenance of components in GitHub.
The Central Repository has long required detached PGP signatures,
produced with published keys, for any components pushed to the
repository. This provides a permanent and auditable secondary
authentication mechanism that consumers can use to validate who
created a component and to validate the authenticity of the component
itself. This is an underutilized capability of the repository, as most
consumers don't bother to validate; however, it stands apart from the
various component repositories that don't even provide similar
protections.
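The check described above, as an added example that is not part of the original post or of Sonatype's own tooling: on Central each file `X` is published alongside a detached signature `X.asc`, and a consumer verifies it with `gpg --verify X.asc X` against the publisher's public key. The script below assumes GnuPG 2.1 or later is installed. To run offline it generates a throwaway key for a hypothetical publisher in a temporary keyring and signs a constructed stand-in for a component, instead of downloading a real artifact and fetching the real key from a keyserver; it then modifies the artifact to show that the signature no longer matches.

```shell
#!/bin/sh
# Added example (not from the original post): verifying the detached PGP
# signature that accompanies an artifact on the Central Repository.
# Assumes GnuPG 2.1+. Runs fully offline with a throwaway key and a
# constructed artifact; no real Central download or keyserver lookup.
set -eu

# verify_artifact FILE SIG HOMEDIR
# Succeeds only when SIG is a good detached signature over FILE made by a
# key present in the keyring under HOMEDIR. gpg's machine-readable status
# lines (--status-fd) are checked for GOODSIG rather than trusting the
# exit code alone.
verify_artifact() {
    file=$1; sig=$2; home=$3
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

# demo_verify
# Creates a keyring with a hypothetical publisher key, signs a constructed
# "artifact", verifies it, then appends a byte to the artifact and verifies
# again. Prints one summary line and succeeds only when the intact file
# verifies and the modified file does not.
demo_verify() {
    work=$(mktemp -d)
    home="$work/gnupg"
    mkdir -m 700 "$home"

    # Hypothetical publisher identity; the key exists only for this run.
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Publisher <publisher@example.invalid>' \
        ed25519 sign 0 >/dev/null 2>&1

    # Constructed stand-in for a component file and its detached .asc.
    artifact="$work/component-1.0.jar"
    printf 'constructed artifact bytes\n' > "$artifact"
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$artifact.asc" "$artifact" 2>/dev/null

    first=bad
    verify_artifact "$artifact" "$artifact.asc" "$home" && first=good

    # Simulate a swapped or modified download: the .asc no longer matches.
    printf 'x' >> "$artifact"
    second=bad
    verify_artifact "$artifact" "$artifact.asc" "$home" || second=tampered

    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"

    echo "intact: $first, modified: $second"
    [ "$first" = good ] && [ "$second" = tampered ]
}

demo_verify
```

With a real Central artifact the two inputs to `verify_artifact` are the downloaded file and its neighbouring `.asc`, and the keyring must already hold the publisher's public key; a signature that verifies but whose key is one you have never seen before is exactly the case the post warns about, so the key's origin needs checking as well as the signature.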
We will continue to track this issue at Sonatype and provide updates as they are available.
Written by Brian Fox
Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.