@raito yeah it’s a trade-off, dirhash OTOH avoids the need to stabilize the archive format, compression, and metadata including timestamps
Filippo Valsorda
Posts
-
PSA: go.sum is not a lockfile.
@diazona what does “being done from a lockfile” mean in this context?
You are in xxx. You add foo. Which version of bar do you get? The latest or the one in foo’s lockfile?
In Go, you get the one in foo’s go.mod. Which is why I say go.mod applies to dependents like manifests and unlike lockfiles, despite having lockfile-like precision.
-
PSA: go.sum is not a lockfile.
@diazona if you add foo to xxx’s dependencies, and foo depends on bar, which version of bar is used?
-
PSA: go.sum is not a lockfile.
@raito yeah, cmd/go/internal/modfetch needs the hashes when downloading contents. But essentially no one reimplements that part.
-
PSA: go.sum is not a lockfile.
@raito correct, go.mod has the versions, go.sum is a dumb mapping of versions to hashes.
-
PSA: go.sum is not a lockfile.
@risottobias expanded a bit the part that says what it's for!
-
PSA: go.sum is not a lockfile.
@diazona they don’t apply to dependents. Click on the linked post by Russ Cox for a full explanation.
-
PSA: go.sum is not a lockfile.
@michael awesome, that’s exactly what I wrote it for!
You might want to reconsider using whatever generated that notification: if they get something so basic wrong, it’s unlikely they’ll be doing everything else right!
-
PSA: go.sum is not a lockfile.
You never need to look at go.sum.
go.mod has everything you need.
-
Do you have an idle cluster? Can you spare a couple core-years?
Help me bruteforce some test vectors for RSA key generation edge cases!
Here are the instructions, it's just a matter of running a single self-contained cross-compilable Go binary that will report the results autonomously.
https://gist.github.com/FiloSottile/19e7ceb1fdcdaa128f7d3319ad0939fa
-
The good news is that my new lead detection kit works. Yay?
The bad news is that I need new solder. Uh.
-
💥💥💥💥💥 age v1.3.0 💥💥💥💥💥
Post-quantum keys, seeking DecryptReaderAt API, age-inspect CLI tool, built-in recipients compatible with hardware plugins, non-interactive passphrase input, Go framework for implementing plugins, and sooooo many improved errors.
Our best release yet, six years to the day after the first beta, again released from the floor of #39c3!
-
At the https://gpg.fail talk and omg #39c3
You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.
Won’t even blame PGP here. C is unsafe at any speed.
gpg has not fixed it yet.
-
I just booked a last-minute trip to Hamburg for #39C3 ✨
Looking forward to seeing folks there. If we are mutuals and you're going too, text me!
If you have an extra ticket, DM me and I'll buy it full price.
-
Really big age release coming tomorrow! 🎅🏻
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
-
Here's something that Claude Opus 4.5 can just do without even running code on my machine.
This is all the prompting I did. It figured out the charset restriction and replaced characters with look-alikes all by itself.
Kicked it off and went back to writing the article I wanted to use this in.
-
How your email finds me
-
The AT Protocol PLC Directory allows a higher-priority rotation key to revert a key change for 72h.
But what good is that window if you don't know about a change?
Well, here's an Atom feed generator of PLC operations for any handle/DID.
-
This Bernstein crap drives me up the wall because IT MAKES NO SENSE.
Why would the NSA be picking weak crypto to protect US NatSec?!
They have mathematicians and clusters in China, too!
Dual_EC_DRBG was a NOBUS backdoor. There is NOWHERE to hide a NOBUS backdoor in ML-KEM. Look at the code, there is nothing even remotely public key shaped.
-
MacWhisper just transcribed a video with Parakeet v3 at 66.2x realtime on my 2022 MacBook Air.
I know technology gets better but... excuse me? 66.2x locally on a laptop!?
For context, when I bought this laptop, OpenAI's Whisper didn't exist yet.