Filippo Valsorda is a user on You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

Filippo Valsorda

With the data it has Facebook could help prevent suicides. Instead it sells vulnerable moments to advertisers.

Wow, I did a plot google search to find the title of "As Good As it Gets", and I found this piece of long form bigotry denouncing movies with gay characters as "clearly not made for revenue". Looked at the book's title. "Porn Generation: How Social Liberalism Is Corrupting Our Future". There are surely voters that read this cover to cover...

You can't make this up. Nomx is now claiming that their un-authenticated CSRF leading to admin privileges on a public URL poses "non-existing threat" because "the user must visit a hacked website".
That's it. CSRF is solved folks! You wanted to rework the OWASP Top 10 anyway, no?

Folks, if you require direct secure communications with someone on Mastodon, take it off Mastodon and use a secure E2E messenger.

Wire if you only want to provide a username to the other party.

Signal if you are comfortable with sharing your phone number with the other party.

Uh, I would have expected Alpine to have a reproducibility story. 🙁 It usually picks up the most simple/secure practices first.

I might not be happy to see it, but I appreciate the homage of the fail masto.

Figured it out! 🙌 And got it to reproduce 💥

The default GOROOT matters to the build ID because it's written to zversion.go, which is intentionally hashed in to detect toolchain changes.

Not, as I thought, because of the filepaths in the stdlib build IDs. The tree is recomputed with the current GOROOT instead. So every time you change GOROOT, the stdlib *is* rebuilt. (My previous tweet was wrong!)

All bets are off, it's Filippo is stupid.

But! Go binaries also get the *default* GOROOT copied in. The one that the compiler will use if no GOROOT is set, which was set at (compiler) compile time. Binaries need to know it to behave exactly like the compiler that built them.

So this is a fixed diff. But I don't see how it would affect the build ID.

Interesting read:

Three hours in. I know much more about embedded GOROOT paths.

Interestingly, the compiler will patch the paths of the symbols in the stdlib to match the GOROOT. That's smart, avoids recompiling the stdlib at every GOROOT change, but allows debuggers to find the stdlib files.

Also, should make reproducible builds just work.

So it's not this.

Why you never need to nuke your $GOPATH/pkg. I love the Go toolchain.

The whole pkg.go file is a good read.

🙌 BA just upgraded us to Club World on an overnight 8h 787 flight! Never had that happen before check-in 😃

Trying to reproduce the release build of a popular Go software. There are Makefiles and it's pretty basic, but coming up with slight differences. Taking bets:

1/10 Backdoor
3/5 Filippo is stupid
3/10 Owner messed up

"In Praise of Drop-In Libraries"

Just today I was mentioning how SQLite (drop-in library) and youtube-dl (drop-in Python "script") are case studies in how simplicity of adoption can make the success of something (even complex).

TIL "Despite being Clang-based, Apple's compiler version numbers have no apparent relationship to Clang version numbers."

Sigh. Ninjalicious would probably not be happy with where the world is almost 15 years later.

From "Access All Areas", 2004

Started a fuzzing job, forgot to add a way to extract crashes. Immediately found 2 crashes. Restarted it with logging. 2 hours with no results. Ok.

Just wasted over 2 hours (partially) dockerizing what seems to be a standard Gulp-based static site generator. It only works if node_modules is generated at the repo root, with that precise sequence of commands, that changed three times in the last year. Every mistake is fatal and the only solution is to start over.

Good tooling is judged by how it adapts, how narrow its scope is, and how does it works when you step off the happy path.