The go get vulnerability, could we leverage it to notify users of the problem?

polaris · · 376 clicks
My goal is to add a notice at the console that will tell the user about the vulnerability when they go get my code, one that requires the user to acknowledge they need an update before go get continues. Would that be possible, or even considered reasonable?

Essentially I'm thinking to actually use the vulnerability to supply the notice.

---

**Comments:**

magpiecub:

TIL. https://github.com/golang/go/issues/22131

> Essentially I'm thinking to actually use the vulnerability to supply the notice.

While a noble intention, you're still running code on other people's computers without their permission.

Do you live somewhere where that's legal? And are you sure you won't get extradited to a country where it isn't?

DemandsBattletoads:

It's still illegal, but it has been done before.

https://en.wikipedia.org/wiki/Anti-worm

WikiTextBot:

**Anti-worm**

Anti-worm (sometimes helpful worm) has multiple meanings in the field of computer security. It can be a piece of software designed to protect against computer worms, combining the features of anti-virus software and a personal firewall. It can also refer to a worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner.

igknighted:

In this scenario, nothing gets modified. The end user is left to do their own updating. No changes get made; no legal issues should arise either. While one might try to argue that arbitrarily executing code is in itself illegal, it isn't going to be doing anything the user should expect, except locking their console during `go get` to force them into confirming "okay", if the vulnerability check code is run with the -d flag.

mwholt:

Although I wouldn't underestimate the will of law enforcement agencies, I also would be surprised if any entity actually went to the trouble of extradition for this. The bigger concern, IMO, would be casually traveling to a country where you're wanted and may not even know it (like happened recently at DEFCON).

igknighted:

The code is mostly consumed by team members. Also, in regards to legal stuff, I don't really care. If I landed in court over something so frivolous, I'd be spanking the plaintiff with paperwork for decades. Legally speaking, it can probably be accounted for in licensure clauses.

Working on a shared codebase, I'd personally rather annoy them with notices than have them unknowingly be exploitable.

I'm just trying to assess how people feel about it, really. The idea isn't to modify or do anything, really. Just notify the user: "bro, your shit's insecure, see CVE-2027-####".

epiris:

I don't know the internals of go get; does it provide any signature across versions? User-agent, extra headers, or a behavior change from 1.9 -> 1.9.1 etc. to distinguish requests? If so, it might be nice to get a repo with some common configs people can use to display a status code / error text that will propagate nicely through go get without executing code.
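As an added example (not code from this thread, nor from the Go project), here is the server-side channel epiris is asking about, implemented without relying on the code-execution bug: the page `go get` fetches at `<import path>?go-get=1` to resolve a custom import path, whose `<meta name="go-import">` tag is the only thing the tool consumes. The handler puts an advisory in a response header and in the HTML body, and `Resolve` plays the client side so the round trip can be checked offline. The import prefix `example.com/mylib`, the repo root, the `X-Advisory` header name and the advisory text are all assumptions; no real CVE is named because the thread names none.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed values for the custom import path this server fronts. The advisory
// text is a placeholder: the thread names no real CVE, so none is invented here.
const (
	ImportPrefix = "example.com/mylib"
	RepoRoot     = "https://github.com/example/mylib"
	AdvisoryHdr  = "X-Advisory"
	Advisory     = "Update your Go toolchain before fetching this module; see the project's security notes."
)

// GoImportMeta renders the tag that `go get` searches for in the page it
// fetches from <import path>?go-get=1: <meta name="go-import" content="prefix vcs repo-root">.
func GoImportMeta(prefix, vcs, root string) string {
	content := html.EscapeString(prefix + " " + vcs + " " + root)
	return `<meta name="go-import" content="` + content + `">`
}

// VanityHandler answers the ?go-get=1 probe. The meta tag is what the tool
// consumes; the advisory goes in a response header and the HTML body, where
// humans and CI checks can see it, without running anything on the client.
func VanityHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/mylib" && !strings.HasPrefix(r.URL.Path, "/mylib/") {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set(AdvisoryHdr, Advisory)
	fmt.Fprintf(w, "<!DOCTYPE html><html><head>%s</head><body><p>%s</p></body></html>\n",
		GoImportMeta(ImportPrefix, "git", RepoRoot), html.EscapeString(Advisory))
}

// ParseGoImport pulls (prefix, vcs, root) out of the first go-import meta tag.
// A plain string scan is enough for pages we generate ourselves; cmd/go uses a
// real HTML tokenizer because it must cope with arbitrary pages.
func ParseGoImport(body string) (prefix, vcs, root string, ok bool) {
	const marker = `<meta name="go-import" content="`
	i := strings.Index(body, marker)
	if i < 0 {
		return "", "", "", false
	}
	rest := body[i+len(marker):]
	j := strings.IndexByte(rest, '"')
	if j < 0 {
		return "", "", "", false
	}
	f := strings.Fields(html.UnescapeString(rest[:j]))
	if len(f) != 3 {
		return "", "", "", false
	}
	return f[0], f[1], f[2], true
}

// Resolve does what a client does: fetch ?go-get=1, insist on a 200, read the
// meta tag, and additionally return the advisory header (which go get ignores).
func Resolve(baseURL, path string) (root, advisory string, err error) {
	resp, err := http.Get(baseURL + "/" + path + "?go-get=1")
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", "", fmt.Errorf("%s: %s", resp.Request.URL, resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", "", err
	}
	_, _, root, ok := ParseGoImport(string(body))
	if !ok {
		return "", "", fmt.Errorf("no go-import meta tag in %s", resp.Request.URL)
	}
	return root, resp.Header.Get(AdvisoryHdr), nil
}

func main() {
	// Stand the handler up on a loopback test server and resolve against it.
	srv := httptest.NewServer(http.HandlerFunc(VanityHandler))
	defer srv.Close()
	root, adv, err := Resolve(srv.URL, "mylib")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("repo root:", root)
	fmt.Println("advisory:", adv)
}
```

The caveat a practitioner will want: `go get` reads only the meta tag, so the advisory reaches people who open the URL in a browser or a CI job that calls something like `Resolve`, not the `go get` console. The one signal `go get` does surface from this page is a non-200 status, which makes the fetch fail with the status in the error; that blocks everyone, not just users of a vulnerable toolchain, so it is a blunt instrument rather than the targeted prompt the original post describes.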
