
Google now requires two staff to sign off each Go change


Move is supposed to be double-plus good for supply-chain security
Google is planning to tighten the security around its open source Go programming language by requiring two Google employees to be involved in code changes, where previously only one approver needed to be company-affiliated.

"For compliance and supply chain security reasons, Google recently revisited the code review requirements we use in all settings, both internal development and open source," explained Russ Cox, distinguished engineer at Google, in a note to the golang mailing list on Monday. "We are now required to have two Google employees review each change before it is shipped to users, which for most of our tools means submitted in [code review system] Gerrit."

Google did not respond to a query about whether any particular incident had motivated this change.

Supply chain security in this context refers to attempts to subvert software modules or libraries in order to compromise the applications that use them. Software supply chain attacks have become a serious problem over the past few years and remain an unsolved problem at major package registries like npm, RubyGems, and PyPI. Go, because of certain design decisions, has some defenses against mischief but remains an attractive target for malware authors.
