Filippo Valsorda is a leading voice in Go and modern cryptography, writing in-depth essays on security engineering, open-source maintenance, and real-world cryptographic systems. His work spans Go internals, supply chain security, transparency logs, and post-quantum cryptography.
10 articles from this blog
Clarifies that go.sum is a checksum cache, not a lockfile, and explains why go.mod is the true source for dependency versions in Go.
A technical guide on building a transparent keyserver for age public keys using Go and transparency log technology to ensure operator accountability.
A summary of key developments in Go's cryptography ecosystem over the past year, including post-quantum key exchanges and security improvements.
A developer uses Claude Code to debug a complex bug in their Go implementation of the ML-DSA post-quantum cryptography algorithm.
Introduces the Geomys Standard of Care, a professional framework for secure and reliable open-source software maintenance.
Analysis of 2024/2025 open source supply chain compromises, categorizing root causes like control handoff, phishing, and CI/CD vulnerabilities.
Geomys, a professional open source maintainer group, discusses taking over critical but unmaintained Go projects like bluemonday and gorilla/csrf as a 'maintainer of last resort'.
Explains Cross-Site Request Forgery (CSRF) attacks, their impact on web applications using cookie authentication, and foundational defense concepts.
Introducing a mutation testing framework for Go assembly to improve test coverage of constant-time cryptographic code and prevent hidden bugs.
Explains how to use passkeys and the age encryption format for file encryption, including a TypeScript implementation and browser capabilities.
