Filippo Valsorda :go: on Nostr: If you look at a crypto/rsa invocation, you can’t actually know if it’s secure or ...
If you look at a crypto/rsa invocation, you can’t actually know if it’s secure or not. The key size is nowhere in the type system. This is unusual among Go crypto packages.
I propose we fix that in Go 1.24. https://github.com/golang/go/issues/68762
If we break a production application with this, it’s overwhelmingly likely that we are fixing a security issue.
I know it will break some tests, but it’s hard to justify the real world risk, and we have a robust system of GODEBUG flags now.
Published at 2024-08-07 12:35:31
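The post's point that the key size is nowhere in the type system can be worked around in application code. The following is an added example, not code from the post or from Go's crypto/rsa. `VettedPublicKey`, `Vet`, `ErrWeakRSAKey` and `constructedKey` are hypothetical names, and the 2048-bit floor is an assumed local policy, not a value stated in the post.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// MinRSABits is an assumed local policy floor, not a value taken from the post.
const MinRSABits = 2048

var ErrWeakRSAKey = errors.New("rsa: modulus below policy minimum")

// VettedPublicKey can only be obtained through Vet, so any function that
// accepts it has the size check encoded in its signature.
type VettedPublicKey struct{ key *rsa.PublicKey }

// Vet rejects nil keys and keys whose modulus is shorter than MinRSABits.
func Vet(pub *rsa.PublicKey) (VettedPublicKey, error) {
	if pub == nil || pub.N == nil {
		return VettedPublicKey{}, errors.New("rsa: missing key or modulus")
	}
	if bits := pub.N.BitLen(); bits < MinRSABits {
		return VettedPublicKey{}, fmt.Errorf("%w: got %d bits, need %d",
			ErrWeakRSAKey, bits, MinRSABits)
	}
	return VettedPublicKey{key: pub}, nil
}

// Key returns the underlying key for use with crypto/rsa functions.
func (v VettedPublicKey) Key() *rsa.PublicKey { return v.key }

// constructedKey builds a key whose N is exactly `bits` bits long. The modulus
// is constructed for size checks only and is not a usable RSA modulus.
func constructedKey(bits int) *rsa.PublicKey {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	n.Add(n, big.NewInt(1))
	return &rsa.PublicKey{N: n, E: 65537}
}

func main() {
	for _, bits := range []int{512, 1024, 2048} {
		_, err := Vet(constructedKey(bits))
		fmt.Printf("%d-bit key: err=%v\n", bits, err)
	}
}
```

Calling `Vet` once where keys are parsed or loaded means downstream functions that take a `VettedPublicKey` cannot be handed an undersized key by accident.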