From Russia with doubt: Go library's Kremlin ties stoke fear

Easyjson, a software library for serializing data in Golang applications, is maintained by developers affiliated with Russia's VK Group. And this, according to security biz Hunted Labs, presents a potential security risk for US government organizations and private sector firms. Hunted said it takes this position because VK …

  1. Rich 2 Silver badge

    Security? Yea, right

    I have no idea if this library has any security issues or not. But if it does have links to some Russian gov gangster outfit then there is clearly scope for concern.

    Given this, I despair that it seems to be so widely used and (apparently) nobody has noticed the issue up until now. It highlights the real dangers of just blindly (how else would you describe it?) including some stuff found on the internet into your product, and the backseat that security (of one’s product) takes. Even in today’s rancid tech climate.

    It’s sloppy and lazy - except for those product-makers that have actually done their due diligence … Bueller? … Bueller?

    1. DS999 Silver badge

      Re: Security? Yea, right

      If it has links to ANY Russian other than ones who left early in the last decade when you risked falling out of a 7th story window if you didn't do whatever he or his minions wanted, it is a cause for concern and should not be trusted by anyone sane.

  2. Creslin

    On the one hand, then the other

    The bad,

    You can't really ignore millions of pulls from mail.ru repo each day as direct or indirect dependencies in the context of supply chain risk evaluation.

    mail.ru is not a "ban everything coded by russians" frothy mouthed spluttering.

    mail.ru/vk was force bought by Gazprom (Kremlin) and the Kremlin's deputy chief of staff's (since 2016) son given the role of CEO.

    The son is explicitly named and subject to US and EU sanctions.

    It is hard to rationalize that whilst the code is safe today it's beyond risk of being tainted at any time.

    The good,

    Golang versioning can't be side-stepped easily, if at all, albeit a new version would undeniably quite quickly, through automated builds and indirect dependencies, be widely dispersed.

    However it would be noticed and many eyes are watching the diffs. Perhaps even GitHub would take action if a library change so widely used was reported as malicious.

    Maybe some CI tests to warn on version bump are worthy, if refactoring out indirect dependencies is not feasible.
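The CI check Creslin suggests, as an added example that is not part of the comment or of The Register's article: a Go program that parses the require block of a go.mod and warns when a watched module (direct or indirect) no longer matches the version a human last reviewed. The module path, the pinned and bumped versions and the go.mod text are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)
// CI baseline: module path -> last reviewed version (both assumed for illustration).
var watched = map[string]string{"github.com/mailru/easyjson": "v0.7.7"}
// Constructed go.mod: the watched module arrived bumped as an indirect dependency.
const sampleGoMod = `module example.com/service
require (
	github.com/mailru/easyjson v0.9.0 // indirect
	golang.org/x/sys v0.20.0 // indirect
)`

// parseRequires maps module -> version for each require entry; "// indirect" markers are ignored.
func parseRequires(gomod string) map[string]string {
	deps, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(raw)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && !strings.HasPrefix(f[0], "//"):
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// Bump is a watched module whose version differs from the baseline (Actual is "" if removed).
type Bump struct{ Module, Pinned, Actual string }

func checkBumps(deps, baseline map[string]string) []Bump {
	var out []Bump
	for mod, pinned := range baseline {
		if actual := deps[mod]; actual != pinned {
			out = append(out, Bump{mod, pinned, actual})
		}
	}
	return out
}
// In CI this would exit non-zero so the bump gets a human review before merging.
func main() {
	for _, b := range checkBumps(parseRequires(sampleGoMod), watched) {
		fmt.Printf("WARN %s: reviewed %s, go.mod now %q\n", b.Module, b.Pinned, b.Actual)
	}
}
```

Because go.mod lists indirect dependencies too, the check catches a bump pulled in through another library, not just a direct upgrade.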

  3. elDog

    Seems so easy to hide the underlying provenance of the code

    While a .RU TLD might raise some eyebrows, it is childishly simple to have 2 or more levels of indirection as owners/maintainers to the code base.

    It seems obvious (to me) that anyone that delivers software or hardware from within the USSR would be highly suspect. Just like any news coming from that autocratic state. Easily co-opted.

    Since the US is apparently a vassal state with Putin as its behind-the-curtain leader, I'd question a lot of American products also.

    1. martinusher Silver badge

      Re: Seems so easy to hide the underlying provenance of the code

      >anyone that delivers software or hardware from within the USSR would be highly suspect

      You'd have to ask them why they were delivering 30 year old kit for a start.

      This code would be no different from getting code sponsored from a US government agency. It would be smart to check it over for unexpected behaviors but when they're not busy spying on everything and everybody, inserting backdoors in everything and so on they're actually contributing useful work. You'll recall that the DES, the original encryption standard, originated from this agency; it was a decent encryption standard but had, among other things, the problem of being encumbered by US export regulations (not their fault, Congress can't leave stuff to the experts) (because if it was compromised then it would have been done so subtly that it would take decades for people to even begin to figure it out). Anyway, it's naive to think that the Russians don't have similar agencies and similar capabilities but also that they'd only contribute something to the common good if there was some angle they could exploit.

  4. ChoHag Silver badge

    Maybe stop running random code you found online without reading it first?

    1. MonkeyJuice Bronze badge

      But what if I need to left pad a string?

      Icon: Node.js developers.

  5. Oh Homer

    Hysteria

    It's not that distrusting code based on geopolitical bias is overkill, it's simply that using such puerile criteria completely misses the most important point...

    You should not be trusting *ANY* contributor.

    It may come as a shock to Western authorities to discover that their respective countries are also riddled with black hat hackers and organised crime, at least some of which is on record as being perpetrated by state actors.

    By all means distrust contributors. All of them. Just don't be hypocrites.

    1. MonkeyJuice Bronze badge

      Re: Hysteria

      You should not be trusting *ANY* contributor programmer.

      If you aren't reviewing your code with the assumption that everyone submitting a PR hasn't done something stupid or evil, you are Doing It Wrong.

      1. best-heygman

        Re: Hysteria

        Amateurs. I don't even trust my hardware. I am currently sanding down all the chips in my new pc layer by layer to check if they really do what the manufacturer says they do. I'm just not entirely sure yet how to re-assemble it again after I'm done...
