diff --git a/CHANGELOG.md b/CHANGELOG.md
index 207d489..b834d49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,33 @@ All notable changes to this project will be documented in this file.
 
 ## main branch
 
+## Security fix
+
+Certain Go tarballs, e.g. version 1.20.14 for macOS/Darwin, had files owned by
+non-root users:
+
+ ❯ curl -SsL https://go.dev/dl/go1.20.14.darwin-amd64.tar.gz | tar -tzvf - | head -3
+ drwxr-xr-x 0 0 0 0 Feb 2 10:19 go/
+ -rw-r--r-- 0 gopher wheel 1339 Feb 2 10:09 go/CONTRIBUTING.md
+ -rw-r--r-- 0 gopher wheel 1479 Feb 2 10:09 go/LICENSE
+
+In this case, the non-root user in question mapped to the first user created on
+the macOS system (UID 501).
+
+When running as root, previous versions of dp-golang would preserve file
+ownership when extracting the tarball, even if `owner` was set to something
+else. **This meant that files, such as the `go` binary, ended up being writable
+by a non-root user.**
+
+This version of dp-golang enables [`tar`]’s `--no-same-owner` and
+`--no-same-permissions` flags, which cause files to be extracted as the user
+running Puppet, or as the user/group specified in the Puppet code.
+
+**This will not fix existing installs** unless you update the Go version, or
+otherwise prompt Puppet to reinstall.
+
+[`tar`]: https://www.man7.org/linux/man-pages/man1/tar.1.html
+
 ## Release 1.2.6
 
 * Synced with [PDK][].
diff --git a/manifests/from_tarball.pp b/manifests/from_tarball.pp
index fdc1650..6c2521a 100644
--- a/manifests/from_tarball.pp
+++ b/manifests/from_tarball.pp
@@ -109,7 +109,7 @@
 ensure => present,
 extract => true,
 extract_path => $go_dir,
- extract_flags => '--strip-components 1 -xf',
+ extract_flags => '--strip-components 1 --no-same-owner --no-same-permissions -xf',
 user => $owner,
 group => $group,
 source => $source,
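Review bot: The new `extract_flags` value in manifests/from_tarball.pp carries the whole security fix, yet nothing on that line says so, and a later tidy-up back to `--strip-components 1 -xf` would silently bring back archive-owned files when Puppet runs as root. Add a comment directly above it, for example `# --no-same-owner/--no-same-permissions: as root, tar otherwise restores the archive's uid/gid and modes instead of $owner/$group`. No spec change is visible in this diff, so a catalog test asserting that `extract_flags` contains both options would pin the behaviour. With `--no-same-permissions` the extracted modes also depend on the umask of the Puppet run, so it is worth confirming that umask clears group/other write bits wherever this runs as root. The enclosing resource starts and ends outside the hunk.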