It may or may not be true that whether or not you race to use AI heavily right now will determine whether you’re part of a future wealthy elite ruling class or are left behind in poverty and powerlessness.
But if it is true, this strikes me as a deeply immoral future worth fighting hard against.
Posts by Russ Cox
Did not know you were also a Go! expert.
Would still like to know which specific ones matter.
Also, not even everything that looks like it is in github.com/actions really is. You can fork one and make your own commit and then refer to that hash as if it were one of the commits in the original. "Working as intended."
💯
I honestly believe I didn't miss any boxes at that level of abstraction. But each of those boxes absolutely does have its own boxes recursively—boxes all the way down.
For instance, all the ways to break into, say, Google Cloud or MacStadium are missing. Or rather "abstracted away". 😀
Build deps get attention largely because they are easily computed. Other relevant dep graphs that are harder to compute are ignored.
The GitHub Actions graph is clearly relevant to attacks and should be easily computable from public repos.
What are the 'is-even's of GitHub Actions? Who owns them?
For example, in 2025, a successful attack on the GitHub Action reviewdog/action-setup was used to infect the Action tj-actions/changed-files, with an ultimate target of coinbase/agentkit. www.wiz.io/blog/new-git...
Graph of servers involved in serving Go releases, to understand attack surfaces where nefarious code could be introduced.
In my 2023 ACM talk, to illustrate how supply chain security is more than just build deps graphs, I showed a graph of the servers involved in building and serving Go releases.
Has anyone done something like this but for GitHub Actions? We have examples now of attacks moving between actions.
AI-generated software clones are going to be another significant bad content driving out good [3]. Not just open source but also commercial, closed source software. And it will put even more strain on copyright [4].
[3] blog.cloudflare.com/vinext/
[4] simonwillison.net/2026/Mar/5/c...
From the software engineering side, our more pressing examples of bad content driving out good today are the AI-generated low-quality code contributions [1] and security reports [2].
[1] github.com/orgs/communi...
[2] daniel.haxx.se/blog/2025/07...
Are you still hiding if no one is looking?
People aren't reading the code at all—they'd see the weird decoder+eval—and machines can see that and also the private use code points.
Also, it's been public since May 2025 and GitHub/NPM/Microsoft have done nothing.
www.aikido.dev/blog/glasswo...
On Mac – and — are Option-hyphen and Option-Shift-hyphen.
On Windows – and — are Alt-0150 and Alt-0151 (on the numeric keypad, not sure about laptops).
On Unix, 9fans.github.io/plan9port/ma... explains how to configure X windows programs to accept all of Plan 9's keyboard sequences.
👋
“Floating-Point Printing and Parsing Can Be Simple And Fast”
The fastest known floating-point printer and parsing algorithms - fixed-width printing, shortest-width printing, and parsing, all in 400 lines of Go.
research.swtch.com/fp
research.swtch.com/fp-proof
Definitely turning into one of my longest code reviews ever...
Indeed. There are more posts to come, but this "digression post" was ready and it seemed appropriate to post today. Stay tuned!
“Pulling a New Proof from Knuth's Fixed-Point Printer”
Happy 88th Birthday to Don Knuth!
And thanks again to @robpike.io for Ivy.
research.swtch.com/fp-knuth
This was a fun conversation. Thanks to ACM Bytecast for having me on. learning.acm.org/bytecast/ep7...
Happy to see someone outside Google rebuild/verify Go toolchains. Thanks @agwa.name! www.agwa.name/blog/post/ve...
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
Please send a CL updating x/review/git-codereview to work with this too (grep for auth.cookie).
There is some chatter about a CA misissuing a certificate for 1.1.1.1.
This CA (crt.sh?caid=201916, only ~300 certs) is only trusted by the Microsoft root program and the eIDAS QWAC trusted list.
MS has not been actively managing their roots for years, and the EU wanted to push theirs on browsers.
Hawaiian gopher shirt pattern.
Heading home from #GopherCon 2025 in NYC. As usual, many people asked how to get one of the amazing Go gopher Hawaiian shirts by Renee French. I've posted the details at github.com/rsc/gophersh.... (I know one person who has made pajama pants with the pattern. Socks might be nice too.) Enjoy!
Side point: this demonstrates the benefits of plain text file formats. When @robpike.io implemented the coverage tool he made it emit a simple line-based text file that Russ could then manipulate with the ubiquitous Unix tools.
That was my first thought but the files aren’t sorted the way comm needs.
True enough, but ultimately the problem is some other code that did run and zigged instead of zagging to the code that didn't run. I tried to make that point earlier ("may prompt useful questions about what logic led to them being skipped...").
Overall I think the plumber works pretty well. I wouldn't change much. Language-specific clicking has been replaced by LSPs, but general clicks like URLs, issue numbers, RFCs, email addresses, or phone numbers are still helpful.
Use tabs instead.
Years ago, when I worked with someone who insisted on spaces, I wrote a little C program called tab that changed spaces to tabs for my editing; tab -u changed them back.
gist.github.com/rsc/78589f27...