Filippo Valsorda

Filippo Valsorda — Cryptographer, Go security team, founder of Geomys

Go security team member writing about cryptography and open source maintenance.

words.filippo.io

One of the most respected voices in applied cryptography and Go security. Filippo maintains critical Go cryptographic libraries, founded Geomys (a firm dedicated to open-source maintenance), and writes about the deep technical details that most security blogs gloss over — post-quantum algorithms, TLS implementation, key management, and the economics of sustaining open-source infrastructure. His posts are the kind that other cryptographers cite.

Written by Filippo Valsorda.

About This Blog
Activity

Occasional

Publishes a few times per month

Followers

2

Category

Independent Blog

Languages

English

Feed Accessibility

How this blog's content is accessed through Blogs Are Back.

Full Content

RSS feed includes complete post content for reading in-app

Proxy Required

Feed is fetched through our proxy for browser compatibility

Proxy Post Links

Post pages are loaded through our proxy for compatibility

Embeddable

Posts can be displayed inline in the reader view

Latest Posts

Recent posts from Filippo Valsorda's RSS feed.

Turn Dependabot Off

Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is especially true for security alerts in the Go ecosystem. I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running your test suite against the latest version of your dependencies. A little case study On Tuesday, I published a security fix for filippo.io/edwards25519. The (*Point).MultiScalarMu...

Inspecting the Source of Go Modules

Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go client in the world is using the same source for a given Go module and version, forever. It works despite the decentralized nature of Go modules, which can be fetched directly from their origin based on the import path. (For example, you can fetch v1.2.3 of github.com/example/mod by cloning the git repository and exporting the v1.2.3 tag. GOPROXY=direct fo...

go.sum Is Not a Lockfile

I need everyone to stop looking at go.sum, especially to analyze dependency graphs. It is not a “lockfile,” and it has zero semantic effects on version resolution. There is truly no use case for ever parsing it outside of cmd/go. go.sum is only a local cache for the Go Checksum Database. It’s a map of module versions to their cryptographic hashes. Those versions may or may not be in use; it doesn’t matter to package resolution. go.sum was not even enabled by default in the original modules desi...

Building a Transparent Keyserver

Today, we are going to build a keyserver to lookup age public keys. That part is boring. What’s interesting is that we’ll apply the same transparency log technology as the Go Checksum Database to keep the keyserver operator honest and unable to surreptitiously inject malicious keys, while still protecting user privacy and delivering a smooth UX. You can see the final result at keyserver.geomys.org. We’ll build it step-by-step, using modern tooling from the tlog ecosystem, integrating transparenc...

The 2025 Go Cryptography State of the Union

This past August, I delivered my traditional Go Cryptography State of the Union talk at GopherCon US 2025 in New York. It goes into everything that happened at the intersection of Go and cryptography over the last year. You can watch the video (with manually edited subtitles, for my fellow subtitles enjoyers) or read the transcript below (for my fellow videos not-enjoyers). The annotated transcript below was made with Simon Willison’s tool. All pictures were taken around Rome, the Italian cont...

Follow Filippo Valsorda

If you care about how cryptography actually works in production — or how to make open-source maintenance sustainable — Filippo writes with a depth and candor that's rare in the field.

https://words.filippo.io/rss/