The advancing threat of cryptographically-relevant quantum computers has made it urgent to replace currently-deployed asymmetric cryptography primi...
Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is _especially_ tr...
Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go clien...
I need everyone to stop looking at `go.sum`, _especially_ to analyze dependency graphs. It is not a “lockfile,” and it has zero semantic effects on...
Today, we are going to build a keyserver to look up age public keys. That part is boring. What’s interesting is that we’ll apply the same transparen...
Last August, I delivered my traditional _Go Cryptography State of the Union_ talk at GopherCon US 2025 in New York. It goes into everything that h...
Over the past few days I wrote a new Go implementation of ML-DSA, a post-quantum signature algorithm specified by NIST last summer. I livecoded it ...
One of the most impactful effects of professionalizing open source maintenance is that as professionals we can invest into upholding a set of stand...
Lack of memory safety is such a predominant cause of security issues that we have a responsibility as professional software engineers to robustly...
Geomys is an organization of professional open source maintainers, focused on a portfolio of critical Go projects. For example, we are two thirds o...