Filippo Valsorda

@filippo.abyssdomain.expert

RC F'13, F2'17
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
It’s an exciting time for Go cryptography and for the field at large! I’m looking forward to delivering a Go Cryptography State of the Union at @gophercon.bsky.social on Wednesday ✨ And of course the big professional maintenance news on Monday 👀
I thought the movie trope of people waking up from chest compressions without defibrillation and walking away was exaggerated. An EMT training joke maybe. Nope. Just watched a paramedic in a franchise movie walk away from a patient after distractingly doing compressions. “You’ll be fine.” 😳🫥
I have some exciting news on the professional open source maintainer front! 👀 ✨ 🥁 Announcing it on Monday to Maintainer Dispatches (filippo.io/newsletter) and at GopherCon Chicago.
Ugh, I just realized that youtube-dl is likely to take collateral damage in the content hosts’ war with AI scrapers. I don’t like this. vimeo.com/blog/post/vi...
Link: Vimeo's position on AI (vimeo.com). A message from our CEO on Vimeo's use of AI.
Oh 𝙤𝙛 𝙘𝙤𝙪𝙧𝙨𝙚 this is from a Recurser. Of course. eieio.games/whats-my-deal/
One Million Checkboxes has a vibe like Wordle — except it does not improve your mind in any way. It’s a website with 1 million little boxes in a row. You click in a box to make a check mark, and now the box is checked for everyone who plays the game.
Link: This is the most pointless website on the planet. It’s fantastic. (wapo.st) We all deserve uncomplicated joy.
Like Qualys says in the report, OpenSSH is amazing software with a great track record. It is however written in C, and way overkill for what it's often used for. Would a minimal Go sshd replacement based on x/crypto/ssh be useful? It'd support maybe 1% of the features, just "log me into my server".
Uuuuh RCE in OpenSSH. Exploitable on 32-bit systems, possibly on 64-bit, too. The advisory is... idk, modern vulnerability exploitation is basically art. www.qualys.com/2024/07/01/c... The OpenSSH release notes are thorough, practical, and to the point. www.openssh.com/releasenotes...
I can't order a shirt because... of the polyfill.io software supply chain attack, which broke their online store. Chances Level 1 CS routes my hint to Eng?
Well now you made me go look up when Exploits of a Mom came out, and it was SEVENTEEN YEARS AGO, so yeah Bobby could definitely have children by now, and oh god oh god oh god
Can't believe Little Bobby Tables is all grown up and has had their first kid, Ignore All Previous Instructions
Okay, first pass is up: go.rfc.observer "Implemented" is any issue closed while labeled Proposal-Accepted, other closures are "Closed". Did the Go Proposal workflow change in late 2015? There's very little label data prior to then. Also, y'all have a lot of proposals! Data fetch takes a minute.
Last year I wrote that “I want to use XAES-256-GCM, which has a number of nice properties and only the annoying defect of not existing.” Well, here we go. An easy to implement new extended-nonce AEAD designed for high-level APIs and FIPS 140 compliance. words.filippo.io/xaes-256-gcm...
Link: XAES-256-GCM (words.filippo.io). XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.
In 2020, under lockdown, I was in calls with some amazing lawyers to push back against the RIAA's ridiculous claim that youtube-dl was illegal. github.blog/2020-11-16-s... That is to say, if you are cheering them on now because you hate AI, you forget what copyright maximalism is. Just block me.
Link: Standing up for developers: youtube-dl is back (github.blog). Today we reinstated youtube-dl, a popular project on GitHub, after we received additional information about the project that enabled us to reverse a Digital Millennium Copyright Act (DMCA) takedown.
The number I see cheering on the RIAA makes me sad, after coming of age during the big fights between the RIAA/MPAA and the EFF and other groups over IP rights online.
The RIAA lawsuit against Suno and Udio is so so so bad. Not only does it not make sense, it actually goes against what the RIAA itself has been arguing in court lately.
Google Maps somehow managed to stop working reliably to search places, the one thing it was still better than the alternatives for. Results now seem kinda random, with places showing up one time out of 3 to 5. Even gas stations! I was about to drive 20m out of the way, then repeated the search.
It would be interesting if terminals were more than plain text, and text spans had metadata: you could annotate log lines and program output with the stack trace of where it was produced.
I've never witnessed an experts vs non-experts split like on Kyber/ML-KEM. No cryptographer I know thinks ML-KEM was intentionally weakened, or knows any cryptographer who does. Meanwhile, enthusiasts in issue trackers are all but certain. It would be impressive if it wasn't sad and worrying.
Just published age v1.2.0 ✨ Minor release:
· binaries built with Go 1.22.4
· plugin client API
· CLI edge case fixes
· RecipientWithLabels to make auth'd or post-quantum recipients
Very happy about the last point, it was the last hardcoded thing about scrypt recipients. github.com/FiloSottile/...
Link: Release age v1.2.0 · FiloSottile/age (github.com). A small release to build the release binaries with a more recent Go toolchain, and to fix a couple CLI edge cases (#491, #555). The Go module now exposes a plugin package that provides an age plugi...
Trivy 0.52.1 running on age v1.1.1
> Total: 31 (UNKNOWN: 2, LOW: 0, MEDIUM: 13, HIGH: 14, CRITICAL: 2)
govulncheck v1.1.2
> No vulnerabilities found.
govulncheck is correct. All the vulns reported by the other thing are provably false positives. Please use govulncheck.
I'm not an AI hater, I think it's a tool and we'll figure out how to use it well, but... oh god no DocuSign, I don't want an AI summary of a legal agreement. Maybe the AI can find errors or show changes or context... but certainly not summarize it!
Catching up on #WWDC and finally granular contacts permissions!! Can use contacts without sharing my whole contacts book with every app.
Apple: on-device models
Apple: new transparent private remote computation
Apple: you can access ChatGPT from Siri, too, it will ask for confirmation
People on Mastodon: Apple better make ChatGPT opt-in or it will undo all their privacy work and I’ll take my business elsewhere!!!1!
Time to log off.
I don't think I am the only one confused by GitHub's CODEOWNERS implementation. Apparently the GitHub UI is, too. (I think this is because I am a code owner myself, which doesn't allow me to merge my own PRs, UNLESS I am the only owner.)