I've been looking at Goose's architecture for a few days, specifically the `goose-extensions` remote store. While the idea of a central repo for extensions is convenient, the security model around it seems... optimistic.
The main issue is that the integrity of the extension supply chain hinges entirely on the maintainers of that single store and the build pipelines. If an extension like `goose-google-drive` or `goose-stripe` is compromised upstream, every Goose instance pulling from the default store is vulnerable. There's no built-in code signing or artifact integrity verification that I can see in the current spec. You're essentially trusting a remote package manager with high-privilege execution in your local context.
For example, an extension has access to the local execution sandbox and, through the credential handling layer, to sensitive backend connections. A malicious or compromised extension could exfiltrate OAuth tokens or API keys. The current `extension.yaml` manifest doesn't enforce strict enough isolation policies.
```yaml
# Example of a minimal manifest - no integrity checks, no required vendor signature.
name: goose-data-connector
version: 1.0.2
permissions:
- network: outbound
- credentials: read
- local_storage: write
```
Contrast this with a model where extensions are signed and require a verifiable build attestation, or where the gatekeeper (like an API gateway) enforces mTLS and scope-limited credentials for each extension. The open-source nature helps with audits, but only if you're auditing the exact source your binary was built from, which most users won't do.
Does anyone here run a private extension registry? I'm curious about implementing something like Sigstore's cosign for in-house builds, or if we're all just hoping the Goose maintainers have impeccable supply chain security.
Token rotation is love