Filippo Valsorda
@filippo.abyssdomain.expert
RC F'13, F2'17
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Thankfully not!
November 13, 2025 at 2:31 PM
Thankfully not!
I confused myself further by debugging with the CLI, and then turning NULLs into empty TEXTs vs empty BLOBs.
'' and X'' and NULL show the same in the SQLite CLI (by default) but they don't compare equal!
I love SQLite, but weakly typed columns (by default) with strongly typed equality is criminal.
'' and X'' and NULL show the same in the SQLite CLI (by default) but they don't compare equal!
I love SQLite, but weakly typed columns (by default) with strongly typed equality is criminal.
STRICT Tables
SQLite strives to be flexible regarding the datatype of the content that it stores. For example, if a table column has a type of "INTEGER", then SQLite tries to convert anything inserted into that…
www.sqlite.org
November 8, 2025 at 12:21 AM
I confused myself further by debugging with the CLI, and then turning NULLs into empty TEXTs vs empty BLOBs.
'' and X'' and NULL show the same in the SQLite CLI (by default) but they don't compare equal!
I love SQLite, but weakly typed columns (by default) with strongly typed equality is criminal.
'' and X'' and NULL show the same in the SQLite CLI (by default) but they don't compare equal!
I love SQLite, but weakly typed columns (by default) with strongly typed equality is criminal.
Reposted by Filippo Valsorda
Yes, the only real Go targets are
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
November 7, 2025 at 11:21 PM
Yes, the only real Go targets are
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
Yes, the only real Go targets are
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
November 7, 2025 at 11:21 PM
Yes, the only real Go targets are
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
linux/amd64
linux/arm64
darwin/arm64
windows/amd64
(“Things you should be very concerned about the crypto maintainer saying,” if you deploy to any others 😬)
Come on, Windows ARM is not real.
Said as the owner of a Surface laptop.
Said as the owner of a Surface laptop.
November 7, 2025 at 10:36 PM
Come on, Windows ARM is not real.
Said as the owner of a Surface laptop.
Said as the owner of a Surface laptop.
Yup, figured it out, sorry for the noise.
I assumed the US-only part was the retailer the purchase is from, not the geolocation of the IP.
I assumed the US-only part was the retailer the purchase is from, not the geolocation of the IP.
November 7, 2025 at 9:25 PM
Yup, figured it out, sorry for the noise.
I assumed the US-only part was the retailer the purchase is from, not the geolocation of the IP.
I assumed the US-only part was the retailer the purchase is from, not the geolocation of the IP.
Oooh interesting, there is no form at the bottom of the page for me, maybe because I am outside of the US right now.
November 7, 2025 at 8:23 PM
Oooh interesting, there is no form at the bottom of the page for me, maybe because I am outside of the US right now.
Hey, I might be particularly dense today, or the instructions are themselves antimemetic, but "submit your proof of purchase"... how? I see no email or link on that page, except the vanilla pre-order links.
November 7, 2025 at 7:49 PM
Hey, I might be particularly dense today, or the instructions are themselves antimemetic, but "submit your proof of purchase"... how? I see no email or link on that page, except the vanilla pre-order links.
There's "the attacker has RCE and you are trying to contain them" sandboxing and there's "the agent might do something stupid" sandboxing.
Untrusted prompts require the former because an attacker can pivot into RCE, but the latter is useful in a lot of other cases.
Untrusted prompts require the former because an attacker can pivot into RCE, but the latter is useful in a lot of other cases.
November 4, 2025 at 7:03 PM
There's "the attacker has RCE and you are trying to contain them" sandboxing and there's "the agent might do something stupid" sandboxing.
Untrusted prompts require the former because an attacker can pivot into RCE, but the latter is useful in a lot of other cases.
Untrusted prompts require the former because an attacker can pivot into RCE, but the latter is useful in a lot of other cases.
Ah, that explains the influx of visits from Youtube ^^
Might be the first time I hear someone talk about technical topics in Italian, I'm glad you are doing this.
One note: the LLM did not quite find the bug, I had a failing test and it found the cause and fix. (Still impressive, but different.)
Might be the first time I hear someone talk about technical topics in Italian, I'm glad you are doing this.
One note: the LLM did not quite find the bug, I had a failing test and it found the cause and fix. (Still impressive, but different.)
November 4, 2025 at 7:00 PM
Ah, that explains the influx of visits from Youtube ^^
Might be the first time I hear someone talk about technical topics in Italian, I'm glad you are doing this.
One note: the LLM did not quite find the bug, I had a failing test and it found the cause and fix. (Still impressive, but different.)
Might be the first time I hear someone talk about technical topics in Italian, I'm glad you are doing this.
One note: the LLM did not quite find the bug, I had a failing test and it found the cause and fix. (Still impressive, but different.)
Yep, I have a TODO to upload them to YouTube and archive.org!
November 4, 2025 at 1:02 PM
Yep, I have a TODO to upload them to YouTube and archive.org!
I had a bug in my new ML-DSA implementation that caused Verify to reject all signatures. I gave up after half an hour. On a whim, I threw Claude Code at it. Surprisingly (to me!) it one-shotted it in 5 minutes.
A small case study of useful AI tasks that aren't generating code that requires review.
A small case study of useful AI tasks that aren't generating code that requires review.
Claude Code Can Debug Low-level Cryptography
Surprisingly (to me) Claude Code debugged my new ML-DSA implementation faster than I would have, finding the non-obvious low-level issue that was making Verify fail.
words.filippo.io
November 1, 2025 at 6:40 PM
Oh I don’t let it write (nontrivial amounts of) code. IMHO such a short-sighted and sub-optimal use case for my purposes.
But it being able to find MY bugs is excellent!
But it being able to find MY bugs is excellent!
November 1, 2025 at 6:05 PM
Oh I don’t let it write (nontrivial amounts of) code. IMHO such a short-sighted and sub-optimal use case for my purposes.
But it being able to find MY bugs is excellent!
But it being able to find MY bugs is excellent!