Technology

  • How Go Mitigates Supply Chain Attacks

    • Supply chain attacks

      A supply chain attack is a way of spreading spyware, generally through a product's official software website or through a package repository. Typically, the attacker targets the servers that host a well-known piece of software's official site and tampers with the software source code offered there for ordinary users to download, so that the spyware is spread to the users who come to the official site to download it.[1] In addition, attackers inject packages containing malicious code into package repositories that developers commonly use, such as npm, PyPI and RubyGems. These packages trigger the malicious behaviour when users download and install them.[2][3] A well-known example of a supply chain attack is the XcodeGhost incident.

    • A little copying is better than a little dependency

      A little copying is better than a little dependency.

    • Some Go proverbs

      • Don't communicate by sharing memory, share memory by communicating.
      • Concurrency is not parallelism.
      • Channels orchestrate; mutexes serialize.
      • The bigger the interface, the weaker the abstraction.
      • Make the zero value useful.
      • interface{} says nothing.
      • Gofmt's style is no one's favorite, yet gofmt is everyone's favorite.
      • A little copying is better than a little dependency.
      • Syscall must always be guarded with build tags.
      • Cgo must always be guarded with build tags.
      • Cgo is not Go.
      • With the unsafe package there are no guarantees.
      • Clear is better than clever.
      • Reflection is never clear.
      • Errors are values.
      • Don't just check errors, handle them gracefully.
      • Design the architecture, name the components, document the details.
      • Documentation is for users.
      • Don't panic.
桃子的碎碎念 桃子