Russ Cox
@swtch.com
Happy to see someone outside Google rebuild/verify Go toolchains. Thanks @agwa.name! www.agwa.name/blog/post/ve...
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
I'm Independently Verifying Go's Reproducible Builds
Introducing Source Spotter, a Go Checksum Database auditor and Go toolchain reproducer
www.agwa.name
October 30, 2025 at 5:15 PM
Happy to see someone outside Google rebuild/verify Go toolchains. Thanks @agwa.name! www.agwa.name/blog/post/ve...
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
Reposted by Russ Cox
There is some chatter about a CA misissuing a certificate for 1.1.1.1.
This CA (crt.sh?caid=201916, only ~300 certs) is only trusted by the Microsoft root program and the eIDAS QWAC trusted list.
MS has not been actively managing their roots for years, and the EU wanted to push theirs on browsers.
This CA (crt.sh?caid=201916, only ~300 certs) is only trusted by the Microsoft root program and the eIDAS QWAC trusted list.
MS has not been actively managing their roots for years, and the EU wanted to push theirs on browsers.
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
Thank you, Youfu, for bringing this to the community’s attention.
groups.google.com
September 3, 2025 at 8:03 PM
There is some chatter about a CA misissuing a certificate for 1.1.1.1.
This CA (crt.sh?caid=201916, only ~300 certs) is only trusted by the Microsoft root program and the eIDAS QWAC trusted list.
MS has not been actively managing their roots for years, and the EU wanted to push theirs on browsers.
This CA (crt.sh?caid=201916, only ~300 certs) is only trusted by the Microsoft root program and the eIDAS QWAC trusted list.
MS has not been actively managing their roots for years, and the EU wanted to push theirs on browsers.
Heading home from #GopherCon 2025 in NYC. As usual, many people asked how to get one of the amazing Go gopher Hawaiian shirts by Renee French. I've posted the details at github.com/rsc/gophersh.... (I know one person who has made pajama pants with the pattern. Socks might be nice too.) Enjoy!
August 29, 2025 at 4:02 PM
Heading home from #GopherCon 2025 in NYC. As usual, many people asked how to get one of the amazing Go gopher Hawaiian shirts by Renee French. I've posted the details at github.com/rsc/gophersh.... (I know one person who has made pajama pants with the pattern. Socks might be nice too.) Enjoy!
Reposted by Russ Cox
Side point: this demonstrates the benefits of plain text file formats. When @robpike.io implemented the coverage tool he made it emit a simple line-based text file that Russ could then manipulate with the ubiquitous Unix tools.
April 25, 2025 at 10:35 PM
Side point: this demonstrates the benefits of plain text file formats. When @robpike.io implemented the coverage tool he made it emit a simple line-based text file that Russ could then manipulate with the ubiquitous Unix tools.
Reposted by Russ Cox
Fifty Years of Open Source Software Supply Chain Security
We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.
queue.acm.org/detail.cfm?i...
@swtch.com
We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.
queue.acm.org/detail.cfm?i...
@swtch.com
Fifty Years of Open Source Software Supply Chain Security - ACM Queue
queue.acm.org
April 3, 2025 at 4:45 PM
Fifty Years of Open Source Software Supply Chain Security
We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.
queue.acm.org/detail.cfm?i...
@swtch.com
We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real.
queue.acm.org/detail.cfm?i...
@swtch.com
Reposted by Russ Cox
With 8 minutes to go, @damienmiller.bsky.social sends me the only funny April Fool's joke of the day.
Notably because I was on the team of people writing the firewall rules for Rob Pike's plan 9 desktop at Google.
@tailscale.com fixes it (albeit ten years too late).
Notably because I was on the team of people writing the firewall rules for Rob Pike's plan 9 desktop at Google.
@tailscale.com fixes it (albeit ten years too late).
Tailscale Enterprise Plan 9 Support
Securely connect to anything on the internet with Tailscale. Built on WireGuard®️, Tailscale enables you to make finely configurable connections, secured end-to-end according to zero trust principles,...
tailscale.com
April 2, 2025 at 6:54 AM
With 8 minutes to go, @damienmiller.bsky.social sends me the only funny April Fool's joke of the day.
Notably because I was on the team of people writing the firewall rules for Rob Pike's plan 9 desktop at Google.
@tailscale.com fixes it (albeit ten years too late).
Notably because I was on the team of people writing the firewall rules for Rob Pike's plan 9 desktop at Google.
@tailscale.com fixes it (albeit ten years too late).
Reposted by Russ Cox
i was going to say it was hilarious but i wished it was real and then i realized it was
April 1, 2025 at 2:58 PM
i was going to say it was hilarious but i wished it was real and then i realized it was
Reposted by Russ Cox
I only respect april fools jokes that commit to the bit. This? This is commitment.
"Tailscale Enterprise Plan 9 Support"
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com
April 1, 2025 at 3:04 PM
I only respect april fools jokes that commit to the bit. This? This is commitment.
This was a lot of fun!
"Tailscale Enterprise Plan 9 Support"
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com
April 1, 2025 at 5:58 PM
This was a lot of fun!
Reposted by Russ Cox
"Tailscale Enterprise Plan 9 Support"
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com
April 1, 2025 at 1:24 PM
"Tailscale Enterprise Plan 9 Support"
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
tailscale.com/plan9
(A little thing I wrote and worked on over the past few weekends with @swtch.com)
Reposted by Russ Cox
Does anyone know the effective time limit for GitHub comment edits being included in the comment text that is emailed to issue subscribers?
GitHub renders "- #12345" differently on web (nice link with title and issue status) vs email (literally a useless blue #12345).
1/3
GitHub renders "- #12345" differently on web (nice link with title and issue status) vs email (literally a useless blue #12345).
1/3
January 13, 2025 at 6:34 PM
Does anyone know the effective time limit for GitHub comment edits being included in the comment text that is emailed to issue subscribers?
GitHub renders "- #12345" differently on web (nice link with title and issue status) vs email (literally a useless blue #12345).
1/3
GitHub renders "- #12345" differently on web (nice link with title and issue status) vs email (literally a useless blue #12345).
1/3
I have found exclusive footage of the mystery drones over New Jersey. youtu.be/qsb74pW7goU?...
December 17, 2024 at 8:55 PM
I have found exclusive footage of the mystery drones over New Jersey. youtu.be/qsb74pW7goU?...
Reposted by Russ Cox
Day 4 part 1 adventofcode.com/2024/day/4 #AdventOfCode
pad dot-pads the matrix to avoid wraparound.
x y shift m rotates the matrix x left, y down.
d(=x y) shift4 m produces the 4 matrices shifted by d*0 1 2 3.
d XMAS m identifies the X in XMAS in direction d.
pad dot-pads the matrix to avoid wraparound.
x y shift m rotates the matrix x left, y down.
d(=x y) shift4 m produces the 4 matrices shifted by d*0 1 2 3.
d XMAS m identifies the X in XMAS in direction d.
![sample = read "sample.txt"
input = read "input.txt"
dirs = d, -d=4 2 rho 1 0, 0 1, 1 1, -1 1
op T x = transp x
op pad x = T (T x, '.'), '.'
op d shift m = T d[2] rot T d[1] rot m
op d shift4 m = (0 1 2 3 @* d) @shift m
op d XMAS m = T and/ 'XMAS' == T d shift4 m
op solve x = +/+/+/ dirs @XMAS pad x
solve sample
solve input](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:a4slcmeql3w6vsdbjbcgxd3m/bafkreiazvpevui6fije2gmsl66omgknsaihadye4ujbrmdymuspxxtbhlu@jpeg)
December 4, 2024 at 2:42 PM
Day 4 part 1 adventofcode.com/2024/day/4 #AdventOfCode
pad dot-pads the matrix to avoid wraparound.
x y shift m rotates the matrix x left, y down.
d(=x y) shift4 m produces the 4 matrices shifted by d*0 1 2 3.
d XMAS m identifies the X in XMAS in direction d.
pad dot-pads the matrix to avoid wraparound.
x y shift m rotates the matrix x left, y down.
d(=x y) shift4 m produces the 4 matrices shifted by d*0 1 2 3.
d XMAS m identifies the X in XMAS in direction d.
Well, it's been 2/3 of a year since the xz attack.
Is software safer now?
Serious question.
What improvements have we made?
Is software safer now?
Serious question.
What improvements have we made?
December 3, 2024 at 3:03 PM
Well, it's been 2/3 of a year since the xz attack.
Is software safer now?
Serious question.
What improvements have we made?
Is software safer now?
Serious question.
What improvements have we made?
Reposted by Russ Cox
Day 3 part 1.
The function 'c step s' steps the state machine state s to incorporate the new character c.
(step/ flip x) runs the state machine over the whole string, left to right.
The reduction base case for "...yz" is 'y' step 'z', which step rewrites to ('y' step 'z' step initial-state).
The function 'c step s' steps the state machine state s to incorporate the new character c.
(step/ flip x) runs the state machine over the whole string, left to right.
The reduction base case for "...yz" is 'y' step 'z', which step rewrites to ('y' step 'z' step initial-state).
![sample = read "sample.txt"
input = read "input1.txt"
digits = "0123456789"
op i atoi c = (i*10) + (code c) - (code '0')
op c step s =
(rho s) == 0: c step s step (0 0 0 0)
c == 'm': 1, 0, 0, s[4]
(s[1] == 1) and c == 'u': 2, 0, 0, s[4]
(s[1] == 2) and c == 'l': 3, 0, 0, s[4]
(s[1] == 3) and c == '(': 4, 0, 0, s[4]
(s[1] == 4) and c in digits: 4, (s[2] atoi c), 0, s[4]
(s[1] == 4) and (s[2] < 1000) and c == ',': 5, s[2], 0, s[4]
(s[1] == 5) and c in digits: 5, s[2], (s[3] atoi c), s[4]
(s[1] == 5) and (s[3] < 1000) and c == ')': 0, 0, 0, s[4]+s[2]*s[3]
0, 0, 0, s[4]
op solve x = (step/ flip x)[4]
solve sample
solve input](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:a4slcmeql3w6vsdbjbcgxd3m/bafkreiahk4xtn6ge7trxtpxeeobedw5ayr3lwr2fppn3isadkx7r72cyvm@jpeg)
December 3, 2024 at 6:25 AM
Day 3 part 1.
The function 'c step s' steps the state machine state s to incorporate the new character c.
(step/ flip x) runs the state machine over the whole string, left to right.
The reduction base case for "...yz" is 'y' step 'z', which step rewrites to ('y' step 'z' step initial-state).
The function 'c step s' steps the state machine state s to incorporate the new character c.
(step/ flip x) runs the state machine over the whole string, left to right.
The reduction base case for "...yz" is 'y' step 'z', which step rewrites to ('y' step 'z' step initial-state).
Ivy remains a good choice for #AdventOfCode.
Day 1:
sample = transp read "sample.txt"
op sort x = x[up x]
op solve x = +/abs (sort x[1]) - sort x[2]
solve sample
op solve2 x = +/x[1] * +/x[1] o.== x[2]
solve2 sample
adventofcode.com
(Ivy in 2021: www.youtube.com/playlist?lis...)
Day 1:
sample = transp read "sample.txt"
op sort x = x[up x]
op solve x = +/abs (sort x[1]) - sort x[2]
solve sample
op solve2 x = +/x[1] * +/x[1] o.== x[2]
solve2 sample
adventofcode.com
(Ivy in 2021: www.youtube.com/playlist?lis...)
December 2, 2024 at 3:22 PM
Ivy remains a good choice for #AdventOfCode.
Day 1:
sample = transp read "sample.txt"
op sort x = x[up x]
op solve x = +/abs (sort x[1]) - sort x[2]
solve sample
op solve2 x = +/x[1] * +/x[1] o.== x[2]
solve2 sample
adventofcode.com
(Ivy in 2021: www.youtube.com/playlist?lis...)
Day 1:
sample = transp read "sample.txt"
op sort x = x[up x]
op solve x = +/abs (sort x[1]) - sort x[2]
solve sample
op solve2 x = +/x[1] * +/x[1] o.== x[2]
solve2 sample
adventofcode.com
(Ivy in 2021: www.youtube.com/playlist?lis...)
SVG, HTML5 Canvas, Apple Core Graphics, PDF, and probably many others all use the same core vector graphics model and operators, which I think of as from PostScript.
Did the creators of PostScript invent these, did they originate in some even earlier system?
Did the creators of PostScript invent these, did they originate in some even earlier system?
October 5, 2024 at 1:21 PM
SVG, HTML5 Canvas, Apple Core Graphics, PDF, and probably many others all use the same core vector graphics model and operators, which I think of as from PostScript.
Did the creators of PostScript invent these, did they originate in some even earlier system?
Did the creators of PostScript invent these, did they originate in some even earlier system?
Learn a new magic trick!
Hash-Based Bisect Debugging in Compilers and Runtimes
research.swtch.com/bisect
Hash-Based Bisect Debugging in Compilers and Runtimes
research.swtch.com/bisect
research!rsc: Hash-Based Bisect Debugging in Compilers and Runtimes
research.swtch.com
July 18, 2024 at 2:41 PM
Learn a new magic trick!
Hash-Based Bisect Debugging in Compilers and Runtimes
research.swtch.com/bisect
Hash-Based Bisect Debugging in Compilers and Runtimes
research.swtch.com/bisect
This article attributes the xz attack to a Chinese hacker who texted about it, including claiming that they have at least one other open source bug.
thenightly.com.au/world/chines...
thenightly.com.au/world/chines...
Chinese hacker gloats at targeting Aussie intel agencies
A Chinese citizen understood to be the son of a senior Chinese Government official has claimed to be the architect of a multi-year infiltration operation that infected software used by Australia’s age...
thenightly.com.au
May 10, 2024 at 11:59 AM
This article attributes the xz attack to a Chinese hacker who texted about it, including claiming that they have at least one other open source bug.
thenightly.com.au/world/chines...
thenightly.com.au/world/chines...
A walkthrough of the xz attack shell script.
An RC4 variant in Awk, what more could you want?
research.swtch.com/xz-script
An RC4 variant in Awk, what more could you want?
research.swtch.com/xz-script
research!rsc: The xz attack shell script
research.swtch.com
April 2, 2024 at 8:08 AM
A walkthrough of the xz attack shell script.
An RC4 variant in Awk, what more could you want?
research.swtch.com/xz-script
An RC4 variant in Awk, what more could you want?
research.swtch.com/xz-script
I put together a timeline of the xz attack, dating back to 2021. Corrections or additions welcome here on Bluesky. research.swtch.com/xz-timeline
research!rsc: Timeline of the xz open source attack
research.swtch.com
April 2, 2024 at 3:31 AM
I put together a timeline of the xz attack, dating back to 2021. Corrections or additions welcome here on Bluesky. research.swtch.com/xz-timeline
The late, truly great Luiz Barroso wrote some very good, short essays on engineering practices at Google. He published them on his web site in a single PDF. The three one-pagers on pages 2, 3, and 4 are each gems.
fontoura.org
January 16, 2024 at 12:12 AM
The late, truly great Luiz Barroso wrote some very good, short essays on engineering practices at Google. He published them on his web site in a single PDF. The three one-pagers on pages 2, 3, and 4 are each gems.