Michael Pratt
prattmic.com
Hacking on the Go runtime and gVisor. 🏳️‍🌈
For some added fun, also see go.dev/cl/715362, wherein I discover that VPCOMPRESSQ is horrifically slow on AMD Zen 4, but only with a memory destination.

And thanks to @lemire.bsky.social for writing about this, which made this much faster to track down!
If you have an interest in understanding garbage collection better, or in how Go's new GC works under the hood, I highly recommend reading @michael.express's thorough guide through Go's current and Green Tea GC.
“The Green Tea Garbage Collector” by Michael Knyszek and Austin Clements — https://go.dev/blog/greenteagc

#golang
Reposted by Michael Pratt
Extremely happy to see Source Spotter, a Go Checksum Database monitor and Go toolchain reproducer by @agwa.name.

These use the transparency logs we built into the Go supply chain to keep the Google-operated services honest.
Source Spotter - Supply Chain Security for Go
Source Spotter is a sumdb auditor, module monitor, toolchain reproducer, and telemetry config tracker.
sourcespotter.com
Reposted by Michael Pratt
I got frustrated with how GitHub Actions lets workflows with read-only permissions poison the cache of read/write workflows (!!??!?), so yesterday night I put together an Action that runs commands in a gVisor sandbox.
GitHub - geomys/sandboxed-step: A GitHub Action that runs a command in a gVisor sandbox
Reposted by Michael Pratt
As professional maintainers we can invest in making our projects safer and more reliable. To that end, here's a draft of the Geomys Standard of Care.

It covers general maintenance, stability & reliability, dependency management, account and CI security, vulnerability handling, licensing, and more.
The Geomys Standard of Care
Introducing the set of standards that Geomys maintainers strive to uphold in our professional activity as open source maintainers.
words.filippo.io
(Paraphrasing)

> instead of automatic dependency version bump tools, we (1) run govulncheck on a schedule and (2) run CI with the latest versions of our dependencies to ensure we’re alerted early of breakages

I love this, particularly testing with the latest versions even when not using them yet.
For the `reproducible = False` extension, it sounds like there is a general expectation that it is reproducible, but you get a warning if something changes.

Does that mean that every bazel command will refetch the toolchain to check? Or only when it happens to be missing from cache?
Wow, this is very cool. I haven’t been following the Bazel modules stuff, so I had no idea it could handle external dependencies now.
Is “control handoff is easily avoided by not doing it” oversimplified? Don’t give control to anyone, but even professional maintainers add new maintainers eventually. Things like two party review requirements help reduce risk by ensuring another human reviews changes even by other maintainers.
Reposted by Michael Pratt
To implement robust mitigations across Geomys, I did a survey of open source project compromises in 2024/2025.

Three root causes dominate: phishing, control handoff, and unsafe GitHub Actions triggers. All three can be systematically avoided.

words.filippo.io/compromise-s...
A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises
Project compromises have common root causes we can mitigate: phishing, control handoff, and unsafe GitHub Actions triggers.
words.filippo.io
Are you looking for slices.Collect or maps.Collect?

pkg.go.dev/slices#Collect
In all seriousness, check out Birria-Landia if you find yourself nearby.
Reposted by Michael Pratt
Go @golang.org · 23d
🥳 Go 1.25.2 and 1.24.8 are released!

📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ

📦 Download: https://go.dev/dl/#go1.25.2

#golang
Time to go simplify my jj + Gerrit guide…
There is also a nice set of resellers where I’ve learned that when I see they are the only seller listed, it just means the hotel is sold out.
I hate this so much. I’ve slowly grown heuristics for ignoring them, but it’s so annoying to have a lovely map full of lies.
Reposted by Michael Pratt
We are thrilled to announce that our NEW Large Language Model will be released on 11.18.25.
No, I wouldn't reach for execution tracing first for memory usage issues. I suggest looking at a heap profile from runtime/pprof, as well as the breakdown of memory types in runtime/metrics (pkg.go.dev/runtime/metr...) /memory/classes/... metrics to verify that the leak is in Go memory.
Reposted by Michael Pratt
Fun little Go compiler CL merged today: go.dev/cl/706655

Uninlined generic functions have a "dict" arg, since Go generics are neither erased nor monomorphized, but instead instantiated for each "GC shape" (e.g. T=*int and T=*float64 get the same code, but T=int32 and T=int64 do not).
I'd love to hear from folks about your experiences. Do you use execution tracing often? If not, is it due to lack of need, lack of documentation, missing information, tooling issues, etc?