PackagingCon

Go mod's lesser known features for supply chain security
2021-11-09 , Room 3

Golangs module and dependency system addresses more than version management. This talk will explore the lesser known features which support security in the software supply chain.


Golang uses the Minimum Version Selection (MVS) to select module versions. This deterministic algorithm has nice properties for reproducible builds and avoids the NP-complete runtime complexity. However, when one digs into the details, they find an array of features and techniques which also support security in the supply chain. The holistic approach from algorithms to tooling demonstrates the experience and expertise that went into designing Go's dependency management system.