Winni Neessen
@neessen.dev
I work in InfoSec. Music-lover, Record-collector, Go-Enthusiast, Perl-veteran. Vir potens spiritus.
Mastodon: https://s.pebcak.de/@winni
Mastodon: https://s.pebcak.de/@winni
Reposted by Winni Neessen
Really big age release coming tomorrow! 🎅🏻
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
GitHub - FiloSottile/age: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability. - FiloSottile/age
age-encryption.org
December 24, 2025 at 12:02 PM
Really big age release coming tomorrow! 🎅🏻
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
Reposted by Winni Neessen
🥳 Go 1.25.5 and 1.24.11 are released!
🔐 Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727).
🗣 Announcement: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
📦 Download: https://go.dev/dl/#go1.25.5
#golang
🔐 Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727).
🗣 Announcement: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
📦 Download: https://go.dev/dl/#go1.25.5
#golang
December 2, 2025 at 4:54 PM
🥳 Go 1.25.5 and 1.24.11 are released!
🔐 Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727).
🗣 Announcement: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
📦 Download: https://go.dev/dl/#go1.25.5
#golang
🔐 Security: Includes security fixes for crypto/x509 (CVE-2025-61729, CVE-2025-61727).
🗣 Announcement: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
📦 Download: https://go.dev/dl/#go1.25.5
#golang
Reposted by Winni Neessen
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
With some CORS configurations, some handlers can introduce synchronisation bugs and cause data races · Issue #198 · rs/cors
Problem Presumably for performance, the library (v1.11.1 and some older versions) reuses some non-exported slice variables and struct field from one middleware call to the next: package-level var h...
github.com
November 21, 2025 at 7:44 PM
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
github.com/rs/cors/issu...
github.com/rs/cors/issu...
waybar-weather v0.2.4 is out. Some exciting new features were added: GPSd for geolocation lookup, an alternate text template to show current or forecasted weather by clicking the widget and i18n support for all displayable elements.
Check it out! github.com/wneessen/way...
#linux #waybar #golang
Check it out! github.com/wneessen/way...
#linux #waybar #golang
November 19, 2025 at 10:36 PM
waybar-weather v0.2.4 is out. Some exciting new features were added: GPSd for geolocation lookup, an alternate text template to show current or forecasted weather by clicking the widget and i18n support for all displayable elements.
Check it out! github.com/wneessen/way...
#linux #waybar #golang
Check it out! github.com/wneessen/way...
#linux #waybar #golang
Reposted by Winni Neessen
So tempted to write a troll thread on how this incident shows Rust has bad error handling and wouldn’t have happened in Go, where we actually handle errors 🫣🫢😜
blog.cloudflare.com/18-november-...
blog.cloudflare.com/18-november-...
Cloudflare outage on November 18, 2025
Cloudflare suffered a service outage on November 18, 2025. The outage was triggered by a bug in generation logic for a Bot Management feature file causing many Cloudflare services to be affected.
blog.cloudflare.com
November 19, 2025 at 10:14 AM
So tempted to write a troll thread on how this incident shows Rust has bad error handling and wouldn’t have happened in Go, where we actually handle errors 🫣🫢😜
blog.cloudflare.com/18-november-...
blog.cloudflare.com/18-november-...
waybar-weather v0.2.0 is out and removes the depencency on Geoclue by implenting its own geolocation sub/pub bus. It also is now fully customizable via templates, allowing the user to make it look like they want.
Feedback is, as always, welcome!
github.com/wneessen/way...
#linux #waybar #weather
Feedback is, as always, welcome!
github.com/wneessen/way...
#linux #waybar #weather
Release v0.2.0: Better geolocation lookup · wneessen/waybar-weather
Welcome to waybar-weather v0.2.0 🎉
This release brings some major refactors and fixes that improve how waybar weather works.
Geoclue removal
So far waybar-weather used Geoclue as 3rd party dependen...
github.com
November 10, 2025 at 5:27 PM
waybar-weather v0.2.0 is out and removes the depencency on Geoclue by implenting its own geolocation sub/pub bus. It also is now fully customizable via templates, allowing the user to make it look like they want.
Feedback is, as always, welcome!
github.com/wneessen/way...
#linux #waybar #weather
Feedback is, as always, welcome!
github.com/wneessen/way...
#linux #waybar #weather
Reposted by Winni Neessen
🎊 Go 1.25.4 and 1.24.10 are released!
📡 Announcement: https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
🗃 Download: https://go.dev/dl/#go1.25.4
#golang
📡 Announcement: https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
🗃 Download: https://go.dev/dl/#go1.25.4
#golang
November 5, 2025 at 7:21 PM
🎊 Go 1.25.4 and 1.24.10 are released!
📡 Announcement: https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
🗃 Download: https://go.dev/dl/#go1.25.4
#golang
📡 Announcement: https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
🗃 Download: https://go.dev/dl/#go1.25.4
#golang
Reposted by Winni Neessen
Serious take: the solution to Safe Browsing false positives like the Immich one is passkeys.
Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
October 23, 2025 at 12:34 PM
Serious take: the solution to Safe Browsing false positives like the Immich one is passkeys.
Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
Reposted by Winni Neessen
It's been 14 months since the ML-KEM spec was published.
age still isn't PQ because it's waiting for trivial details of the HPKE hybrids to stabilize, but they are blocked on the CFRG.
The TLS, SSHM, and LAMPS (X.509) IETF WGs are not waiting for CFRG. I just posted a plea for HPKE to do the same.
age still isn't PQ because it's waiting for trivial details of the HPKE hybrids to stabilize, but they are blocked on the CFRG.
The TLS, SSHM, and LAMPS (X.509) IETF WGs are not waiting for CFRG. I just posted a plea for HPKE to do the same.
[hpke] Let's ship post-quantum HPKE
Search IETF mail list archives
mailarchive.ietf.org
October 16, 2025 at 3:11 PM
It's been 14 months since the ML-KEM spec was published.
age still isn't PQ because it's waiting for trivial details of the HPKE hybrids to stabilize, but they are blocked on the CFRG.
The TLS, SSHM, and LAMPS (X.509) IETF WGs are not waiting for CFRG. I just posted a plea for HPKE to do the same.
age still isn't PQ because it's waiting for trivial details of the HPKE hybrids to stabilize, but they are blocked on the CFRG.
The TLS, SSHM, and LAMPS (X.509) IETF WGs are not waiting for CFRG. I just posted a plea for HPKE to do the same.
Reposted by Winni Neessen
🥳 Go 1.25.3 and 1.24.9 are released!
📣 Announcement: https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ
⬇️ Download: https://go.dev/dl/#go1.25.3
#golang
📣 Announcement: https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ
⬇️ Download: https://go.dev/dl/#go1.25.3
#golang
October 13, 2025 at 9:26 PM
🥳 Go 1.25.3 and 1.24.9 are released!
📣 Announcement: https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ
⬇️ Download: https://go.dev/dl/#go1.25.3
#golang
📣 Announcement: https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ
⬇️ Download: https://go.dev/dl/#go1.25.3
#golang
Reposted by Winni Neessen
🥳 Go 1.25.2 and 1.24.8 are released!
📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
📦 Download: https://go.dev/dl/#go1.25.2
#golang
📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
📦 Download: https://go.dev/dl/#go1.25.2
#golang
October 7, 2025 at 6:51 PM
🥳 Go 1.25.2 and 1.24.8 are released!
📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
📦 Download: https://go.dev/dl/#go1.25.2
#golang
📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
📦 Download: https://go.dev/dl/#go1.25.2
#golang
Reposted by Winni Neessen
We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. signal.org/blog/pdfs/ge...
signal.org
October 3, 2025 at 4:14 PM
We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. signal.org/blog/pdfs/ge...
Reposted by Winni Neessen
go-mail v0.7.1 has just been released! This is a security release fixing a vulnerability in the mail address handling.
You can find the release notes here: github.com/wneessen/go-...
The corresponding security advisory can be found here: github.com/wneessen/go-...
We encouraged to update!
You can find the release notes here: github.com/wneessen/go-...
The corresponding security advisory can be found here: github.com/wneessen/go-...
We encouraged to update!
Release v0.7.1: Vulnerability fix in mail address handling · wneessen/go-mail
ImportantThis release fixes a vulnerability. All users are encouraged to update to this release at their earliest convenience.
Welcome to go-mail v0.7.1!
This is a security release, which addresse...
github.com
September 27, 2025 at 8:38 AM
go-mail v0.7.1 has just been released! This is a security release fixing a vulnerability in the mail address handling.
You can find the release notes here: github.com/wneessen/go-...
The corresponding security advisory can be found here: github.com/wneessen/go-...
We encouraged to update!
You can find the release notes here: github.com/wneessen/go-...
The corresponding security advisory can be found here: github.com/wneessen/go-...
We encouraged to update!
Reposted by Winni Neessen
We may still get a generified version of errors.As in #golang's standard library! 🤞
github.com/golang/go/is...
github.com/golang/go/is...
proposal: errors: As with type parameters · Issue #51945 · golang/go
Currently in 1.18 and before, when using the errors.As method, an error type you would like to write into must be predeclared before calling the function. For example: var myErr *MyCustomError if e...
github.com
August 21, 2025 at 10:36 AM
We may still get a generified version of errors.As in #golang's standard library! 🤞
github.com/golang/go/is...
github.com/golang/go/is...
Reposted by Winni Neessen
Check out this new blog post outlining how profiling is becoming the fourth pillar of observability 🚀.
www.datadoghq.com/blog/continu...
www.datadoghq.com/blog/continu...
Why continuous profiling is the fourth pillar of observability | Datadog
Learn how modern continuous profilers have transformed profiling into a core observability practice.
www.datadoghq.com
July 28, 2025 at 11:47 AM
Check out this new blog post outlining how profiling is becoming the fourth pillar of observability 🚀.
www.datadoghq.com/blog/continu...
www.datadoghq.com/blog/continu...
Reposted by Winni Neessen
We announced the new native Go FIPS 140-3 mode today!
FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.
Go is now one of the easiest and most secure ways to build under FIPS 140.
FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.
Go is now one of the easiest and most secure ways to build under FIPS 140.
The FIPS 140-3 Go Cryptographic Module
Go now has a built-in, native FIPS 140-3 compliant mode.
go.dev
July 15, 2025 at 9:40 PM
We announced the new native Go FIPS 140-3 mode today!
FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.
Go is now one of the easiest and most secure ways to build under FIPS 140.
FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.
Go is now one of the easiest and most secure ways to build under FIPS 140.
Reposted by Winni Neessen
🎉 I've just released v0.7.0 of jub0bs/cors, my #CORS middleware library for #golang!
💀 Now that Private-Network Access (PNA) has been put on indefinite hold in favor of a new permission-based mechanism named "Local-Network Access", I've removed all support for PNA.
github.com/jub0bs/cors
💀 Now that Private-Network Access (PNA) has been put on indefinite hold in favor of a new permission-based mechanism named "Local-Network Access", I've removed all support for PNA.
github.com/jub0bs/cors
GitHub - jub0bs/cors: perhaps the best CORS middleware library for Go
perhaps the best CORS middleware library for Go. Contribute to jub0bs/cors development by creating an account on GitHub.
github.com
June 14, 2025 at 2:34 PM
🎉 I've just released v0.7.0 of jub0bs/cors, my #CORS middleware library for #golang!
💀 Now that Private-Network Access (PNA) has been put on indefinite hold in favor of a new permission-based mechanism named "Local-Network Access", I've removed all support for PNA.
github.com/jub0bs/cors
💀 Now that Private-Network Access (PNA) has been put on indefinite hold in favor of a new permission-based mechanism named "Local-Network Access", I've removed all support for PNA.
github.com/jub0bs/cors
Reposted by Winni Neessen
🎉 Go 1.25 Release Candidate 1 is released!
🏃♀️ Run it in dev! Run it in prod! File bugs! go.dev/issue/new
📢 Announcement: groups.google.com/g/golang-ann...
📦 Download: go.dev/dl/#go1.25rc1
🏃♀️ Run it in dev! Run it in prod! File bugs! go.dev/issue/new
📢 Announcement: groups.google.com/g/golang-ann...
📦 Download: go.dev/dl/#go1.25rc1
June 11, 2025 at 7:13 PM
🎉 Go 1.25 Release Candidate 1 is released!
🏃♀️ Run it in dev! Run it in prod! File bugs! go.dev/issue/new
📢 Announcement: groups.google.com/g/golang-ann...
📦 Download: go.dev/dl/#go1.25rc1
🏃♀️ Run it in dev! Run it in prod! File bugs! go.dev/issue/new
📢 Announcement: groups.google.com/g/golang-ann...
📦 Download: go.dev/dl/#go1.25rc1
Reposted by Winni Neessen
Reposted by Winni Neessen
At least for #golang, avoid using deps.dev for now. It seems to be reporting security advisories based on outdated information, and the project seems unmaintained, as I reported this two weeks ago but got nothing at all.
Go dependency versions are wrong or outdated for a tagged module version · Issue #251 · google/deps.dev
https://deps.dev/go/cuelang.org%2Fgo/v0.13.0 shows that cuelang.org/[email protected] is vulnerable to https://deps.dev/advisory/osv/GO-2025-3488. This is because it thinks we depend on golang.org/x/oauth...
github.com
June 9, 2025 at 8:17 PM
Reposted by Winni Neessen
🫡 "For the foreseeable future, the Go team will stop pursuing syntactic language changes for error handling. We will also close all open and incoming proposals that concern themselves primarily with the syntax of error handling, without further investigation."
go.dev/blog/error-s...
#golang
go.dev/blog/error-s...
#golang
[ On | No ] syntactic support for error handling - The Go Programming Language
Go team plans around error handling support
go.dev
June 3, 2025 at 5:06 PM
🫡 "For the foreseeable future, the Go team will stop pursuing syntactic language changes for error handling. We will also close all open and incoming proposals that concern themselves primarily with the syntax of error handling, without further investigation."
go.dev/blog/error-s...
#golang
go.dev/blog/error-s...
#golang
Reposted by Winni Neessen
It's so awesome to build on a stack like this, where security is taken seriously from the ground up! #GoLang
Three Trail of Bits engineers audited core Go cryptography for a month and found only one low-sev security issue... in unsupported Go+BoringCrypto! 🍾
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆
Go Cryptography Security Audit
Go's cryptography libraries underwent an audit by Trail of Bits. Read more about the scope and results.
go.dev
May 20, 2025 at 1:22 PM
It's so awesome to build on a stack like this, where security is taken seriously from the ground up! #GoLang
Reposted by Winni Neessen
Three Trail of Bits engineers audited core Go cryptography for a month and found only one low-sev security issue... in unsupported Go+BoringCrypto! 🍾
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆
Go Cryptography Security Audit
Go's cryptography libraries underwent an audit by Trail of Bits. Read more about the scope and results.
go.dev
May 19, 2025 at 7:08 PM
Three Trail of Bits engineers audited core Go cryptography for a month and found only one low-sev security issue... in unsupported Go+BoringCrypto! 🍾
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆
Years of efforts on testing, limiting complexity, safe APIs, and readability have paid off! ✨
Yes I am taking a victory lap. No I am not sorry. 🏆