Filippo Valsorda
@filippo.abyssdomain.expert
RC F'13, F2'17
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Yes, I log in as root on all of my machines.
February 10, 2026 at 4:48 AM
Yes, I log in as root on all of my machines.
Anyway read-only tooling exploration doesn't have to go visual.
Touch-friendly tap-to-definition/references with jump stacks.
Semantic-equivalent refactoring into more understandable code, or input/range propagation.
Cross-codebase identifier coloring.
So many things could be tried.
Touch-friendly tap-to-definition/references with jump stacks.
Semantic-equivalent refactoring into more understandable code, or input/range propagation.
Cross-codebase identifier coloring.
So many things could be tried.
February 8, 2026 at 10:02 PM
Anyway read-only tooling exploration doesn't have to go visual.
Touch-friendly tap-to-definition/references with jump stacks.
Semantic-equivalent refactoring into more understandable code, or input/range propagation.
Cross-codebase identifier coloring.
So many things could be tried.
Touch-friendly tap-to-definition/references with jump stacks.
Semantic-equivalent refactoring into more understandable code, or input/range propagation.
Cross-codebase identifier coloring.
So many things could be tried.
I am convinced text is a great storage, interchange, collaboration, and generation format for code! But It is a bit absurd that we always only consume it as linear text.
Mermaid diagrams are great to write in text, but then we look at them as rendered.
Mermaid diagrams are great to write in text, but then we look at them as rendered.
February 8, 2026 at 9:59 PM
I am convinced text is a great storage, interchange, collaboration, and generation format for code! But It is a bit absurd that we always only consume it as linear text.
Mermaid diagrams are great to write in text, but then we look at them as rendered.
Mermaid diagrams are great to write in text, but then we look at them as rendered.
Right, totally fine storage and interchange format for compilers, VCS, etc.
Doesn't mean we need to look at them in that format!
SQLite database pages are easy to query, but we generally don't dump them in a B-Tree on the screen.
Doesn't mean we need to look at them in that format!
SQLite database pages are easy to query, but we generally don't dump them in a B-Tree on the screen.
February 8, 2026 at 5:48 PM
Right, totally fine storage and interchange format for compilers, VCS, etc.
Doesn't mean we need to look at them in that format!
SQLite database pages are easy to query, but we generally don't dump them in a B-Tree on the screen.
Doesn't mean we need to look at them in that format!
SQLite database pages are easy to query, but we generally don't dump them in a B-Tree on the screen.
Code is an easily analyzed and manipulated tree with readily accessible invariants and properties... and we universally show it as a list of Unicode character lines. Why!
Reverse engineering tools are light-years ahead of the tools we use to look at well-structured typed code.
Reverse engineering tools are light-years ahead of the tools we use to look at well-structured typed code.
February 8, 2026 at 12:04 PM
Code is an easily analyzed and manipulated tree with readily accessible invariants and properties... and we universally show it as a list of Unicode character lines. Why!
Reverse engineering tools are light-years ahead of the tools we use to look at well-structured typed code.
Reverse engineering tools are light-years ahead of the tools we use to look at well-structured typed code.
Like, how come we have not seen any experimentation with linking code blocks in 2D space, or with making lexical scopes first-class UI elements (beyond the anemic block folding of IDEs), or with doing logic-based visual refactors one the fly (e.g. show me this function's logic when foo is true)
February 8, 2026 at 12:01 PM
Like, how come we have not seen any experimentation with linking code blocks in 2D space, or with making lexical scopes first-class UI elements (beyond the anemic block folding of IDEs), or with doing logic-based visual refactors one the fly (e.g. show me this function's logic when foo is true)
I've always wanted better tools to read and navigate—not edit!—source code.
For example, it's incredible to me that there is no iPad app that does LSP features plus bookmarks, navigation tree, etc.
Maybe now that LLMs made it more people's job to read code, we'll get good code reading tools?
For example, it's incredible to me that there is no iPad app that does LSP features plus bookmarks, navigation tree, etc.
Maybe now that LLMs made it more people's job to read code, we'll get good code reading tools?
February 8, 2026 at 11:31 AM
I've always wanted better tools to read and navigate—not edit!—source code.
For example, it's incredible to me that there is no iPad app that does LSP features plus bookmarks, navigation tree, etc.
Maybe now that LLMs made it more people's job to read code, we'll get good code reading tools?
For example, it's incredible to me that there is no iPad app that does LSP features plus bookmarks, navigation tree, etc.
Maybe now that LLMs made it more people's job to read code, we'll get good code reading tools?
Reposted by Filippo Valsorda
Apps that get DNS verification functionality wrong really cause a lot of pain for their users.
Having explained the problem a number of times, I finally decided to write it down so now I can just share a link.
Having explained the problem a number of times, I finally decided to write it down so now I can just share a link.
Stop Telling Users Their DNS Is Wrong
If you’re like me, you’ve had the experience where you add a DNS record for a service. You triple check it. The app still says it’s invalid. You wait. You check again. Still invalid. You start wonderi...
jacob.gold
February 7, 2026 at 6:02 PM
Apps that get DNS verification functionality wrong really cause a lot of pain for their users.
Having explained the problem a number of times, I finally decided to write it down so now I can just share a link.
Having explained the problem a number of times, I finally decided to write it down so now I can just share a link.
Had Claude replace the bsky embed with simple server-rendered boxes and I like the result a lot better!
github.com/FiloSottile/...
github.com/FiloSottile/...
February 7, 2026 at 3:00 PM
Had Claude replace the bsky embed with simple server-rendered boxes and I like the result a lot better!
github.com/FiloSottile/...
github.com/FiloSottile/...
Reposted by Filippo Valsorda
in-band signaling is always a mistake and unix tooling is full of in-band signaling https://mas.to/@zekjur/116022397626943871
Michael Stapelberg 🐧🐹😺 (@zekjur@mas.to)
Attached: 4 images PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages? Like https://github.com/i3/i3/pull/6564 for example Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change! This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
mas.to
February 6, 2026 at 8:05 AM
in-band signaling is always a mistake and unix tooling is full of in-band signaling https://mas.to/@zekjur/116022397626943871
It can run DOOM.
February 6, 2026 at 4:39 PM
It can run DOOM.
Just had the next Geomys CT log hw delivered, this one to be racked in an EU DC.
This means my home office now has an Ampere Altra 64-core NAS with 96 TB HDD, a Dell PowerEdge R6515, a Milk-V Jupiter RISC-V 64-bit, redundant fiber, a Turris Omnia, a USB Armory, and an Enigma replica. And a MacBook.
This means my home office now has an Ampere Altra 64-core NAS with 96 TB HDD, a Dell PowerEdge R6515, a Milk-V Jupiter RISC-V 64-bit, redundant fiber, a Turris Omnia, a USB Armory, and an Enigma replica. And a MacBook.
February 6, 2026 at 2:03 PM
Just had the next Geomys CT log hw delivered, this one to be racked in an EU DC.
This means my home office now has an Ampere Altra 64-core NAS with 96 TB HDD, a Dell PowerEdge R6515, a Milk-V Jupiter RISC-V 64-bit, redundant fiber, a Turris Omnia, a USB Armory, and an Enigma replica. And a MacBook.
This means my home office now has an Ampere Altra 64-core NAS with 96 TB HDD, a Dell PowerEdge R6515, a Milk-V Jupiter RISC-V 64-bit, redundant fiber, a Turris Omnia, a USB Armory, and an Enigma replica. And a MacBook.
That’s not at all how I interpret it, they explicitly say you can still do full-turn resume.
You just can’t have Claude resume halfway its own turn.
You just can’t have Claude resume halfway its own turn.
February 6, 2026 at 1:27 PM
That’s not at all how I interpret it, they explicitly say you can still do full-turn resume.
You just can’t have Claude resume halfway its own turn.
You just can’t have Claude resume halfway its own turn.
February 6, 2026 at 1:00 PM
We need a web generator for these. Please!
February 3, 2026 at 12:58 PM
We need a web generator for these. Please!
PayPal did offer me to pay over three months!
January 30, 2026 at 8:57 PM
PayPal did offer me to pay over three months!
I just bought a whole new server for the Geomys transparency services (CT log, tlog witness with SLA, more soon) using “PayPal Check out” and for some reason it was extremely funny to me.
January 30, 2026 at 8:48 PM
I just bought a whole new server for the Geomys transparency services (CT log, tlog witness with SLA, more soon) using “PayPal Check out” and for some reason it was extremely funny to me.
Ok, what is the mature distro I should be using instead, which is not maintained by a small team of volunteers?
January 30, 2026 at 6:09 PM
Ok, what is the mature distro I should be using instead, which is not maintained by a small team of volunteers?
Right, but it is a valid observation that the Risc-V distros are still maintained by small teams, while e.g. amd64/arm64 Fedora isn't and won't have this problem.
January 30, 2026 at 5:56 PM
Right, but it is a valid observation that the Risc-V distros are still maintained by small teams, while e.g. amd64/arm64 Fedora isn't and won't have this problem.
2x www.amazon.it/-/en/dp/B0DW... (don't expect all 5 USB-C ports to work, depending on the voltage mix you can get 3 at non-5V).
A few "DSD TECH MagicConn" USB-C + PD trigger + barrel power jack all-in-one cables.
One spare USB-C PD trigger board for a manual mod.
One dumb USB-C to barrel for 5V.
A few "DSD TECH MagicConn" USB-C + PD trigger + barrel power jack all-in-one cables.
One spare USB-C PD trigger board for a manual mod.
One dumb USB-C to barrel for 5V.
January 30, 2026 at 1:51 PM
2x www.amazon.it/-/en/dp/B0DW... (don't expect all 5 USB-C ports to work, depending on the voltage mix you can get 3 at non-5V).
A few "DSD TECH MagicConn" USB-C + PD trigger + barrel power jack all-in-one cables.
One spare USB-C PD trigger board for a manual mod.
One dumb USB-C to barrel for 5V.
A few "DSD TECH MagicConn" USB-C + PD trigger + barrel power jack all-in-one cables.
One spare USB-C PD trigger board for a manual mod.
One dumb USB-C to barrel for 5V.
Empirically it's working great with all of the devices I plugged in.
I was worried about (1) but I got lucky on the first power supply I got. Otherwise I was planning to return it and try another one.
I was worried about (1) but I got lucky on the first power supply I got. Otherwise I was planning to return it and try another one.
January 30, 2026 at 1:35 PM
Empirically it's working great with all of the devices I plugged in.
I was worried about (1) but I got lucky on the first power supply I got. Otherwise I was planning to return it and try another one.
I was worried about (1) but I got lucky on the first power supply I got. Otherwise I was planning to return it and try another one.
I replaced eight different 5V, 12V, and 20V power supplies (for network gear, ext. hard drive, Milk-V board, air monitor) with two large USB-C ones (and various USB-C PD trigger cables).
It might be the most satisfying thing I've done all year.
It might be the most satisfying thing I've done all year.
January 30, 2026 at 12:22 PM
I replaced eight different 5V, 12V, and 20V power supplies (for network gear, ext. hard drive, Milk-V board, air monitor) with two large USB-C ones (and various USB-C PD trigger cables).
It might be the most satisfying thing I've done all year.
It might be the most satisfying thing I've done all year.
Were you around for Python 2 to 3?
The risk is collect-now-decrypt-later attacks.
Again if we only changed the default in response to CVEs we’d have the same defaults as 2014.
You can keep an old go.mod version, or just not use the defaults. (Or get a correct TLS implementation.)
The risk is collect-now-decrypt-later attacks.
Again if we only changed the default in response to CVEs we’d have the same defaults as 2014.
You can keep an old go.mod version, or just not use the defaults. (Or get a correct TLS implementation.)
January 29, 2026 at 11:59 PM
Were you around for Python 2 to 3?
The risk is collect-now-decrypt-later attacks.
Again if we only changed the default in response to CVEs we’d have the same defaults as 2014.
You can keep an old go.mod version, or just not use the defaults. (Or get a correct TLS implementation.)
The risk is collect-now-decrypt-later attacks.
Again if we only changed the default in response to CVEs we’d have the same defaults as 2014.
You can keep an old go.mod version, or just not use the defaults. (Or get a correct TLS implementation.)
Yes, we make these changes in “minor” releases (there are no majors), gated on the go.mod version (to avoid surprises when updating the toolchain), with GODEBUG flags to revert them.
Otherwise Go would have the same defaults it had in 2014.
Otherwise Go would have the same defaults it had in 2014.
January 29, 2026 at 11:09 PM
Yes, we make these changes in “minor” releases (there are no majors), gated on the go.mod version (to avoid surprises when updating the toolchain), with GODEBUG flags to revert them.
Otherwise Go would have the same defaults it had in 2014.
Otherwise Go would have the same defaults it had in 2014.