Filippo Valsorda is a leading voice in Go and modern cryptography, writing in-depth essays on security engineering, open-source maintenance, and real-world cryptographic systems. His work spans Go internals, supply chain security, transparency logs, and post-quantum cryptography.
11 articles from this blog
Explains the security of Go's Checksum Database and the risks of viewing unverified source code on platforms like GitHub, with tools to verify module integrity.
Clarifies that go.sum is a checksum cache, not a lockfile, and explains why go.mod is the true source for dependency versions in Go.
A technical guide on building a transparent keyserver for age public keys using Go and transparency log technology to ensure operator accountability.
A summary of key developments in Go's cryptography ecosystem over the past year, including post-quantum key exchanges and security improvements.
A developer uses Claude Code to debug a complex bug in their Go implementation of the ML-DSA post-quantum cryptography algorithm.
Introduces the Geomys Standard of Care, a professional framework for secure and reliable open-source software maintenance.
Analysis of 2024/2025 open source supply chain compromises, categorizing root causes like control handoff, phishing, and CI/CD vulnerabilities.
Geomys, a professional open source maintainer group, discusses taking over critical but unmaintained Go projects like bluemonday and gorilla/csrf as a 'maintainer of last resort'.
Explains Cross-Site Request Forgery (CSRF) attacks, their impact on web applications using cookie authentication, and foundational defense concepts.
Introducing a mutation testing framework for Go assembly to improve test coverage of constant-time cryptographic code and prevent hidden bugs.
Explains how to use passkeys and the age encryption format for file encryption, including a TypeScript implementation and browser capabilities.
