Hacker News: rsc

New comment by rsc in "Did Claude increase bugs in rsync?"

rsc — Sat, 06 Jun 2026 02:47:52 +0000

As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

To respond to the specific technical point, there really _is_ a flood of security reports arriving everywhere in the past few months. The jury is out on whether Mythos is that much better than alternatives, but even the publicly available models are _highly_ capable of finding real problems, and they are being employed to that end quite effectively. Here are the counts of security issues fixed in each monthly Go minor release going back to the start of 2024:

     0 2024-01-09 Go 1.21.6, Go 1.20.13
     0 2024-02-06 Go 1.21.7, Go 1.20.14
     5 2024-03-05 Go 1.22.1, Go 1.21.8
     1 2024-04-03 Go 1.22.2, Go 1.21.9
     2 2024-05-07 Go 1.22.3, Go 1.21.10
     2 2024-06-04 Go 1.22.4, Go 1.21.11
     1 2024-07-02 Go 1.22.5, Go 1.21.12
     0 2024-08-06 Go 1.22.6, Go 1.21.13
     3 2024-09-05 Go 1.23.1, Go 1.22.7
     0 2024-10-01 Go 1.23.2, Go 1.22.8
     0 2024-11-06 Go 1.23.3, Go 1.22.9
     0 2024-12-03 Go 1.23.4, Go 1.22.10
     
     2 2025-01-16 Go 1.23.5, Go 1.22.11
     1 2025-02-04 Go 1.23.6, Go 1.22.12
     1 2025-03-04 Go 1.24.1, Go 1.23.7
     1 2025-04-01 Go 1.24.2, Go 1.23.8
     1 2025-05-06 Go 1.24.3, Go 1.23.9
     3 2025-06-05 Go 1.24.4, Go 1.23.10
     1 2025-07-08 Go 1.24.5, Go 1.23.11
     2 2025-08-06 Go 1.24.6, Go 1.23.12
     1 2025-09-03 Go 1.25.1, Go 1.24.7
    10 2025-10-07 Go 1.25.2, Go 1.24.8
     * 2025-10-13 Go 1.25.3, Go 1.24.9
     0 2025-11-05 Go 1.25.4, Go 1.24.10
     2 2025-12-02 Go 1.25.5, Go 1.24.11
    
     6 2026-01-15 Go 1.25.6, Go 1.24.12
     2 2026-02-04 Go 1.25.7, Go 1.24.13
     5 2026-03-05 Go 1.26.1, Go 1.25.8
    10 2026-04-07 Go 1.26.2, Go 1.25.9
    11 2026-05-07 Go 1.26.3, Go 1.25.10
     3 2026-06-02 Go 1.26.4, Go 1.25.11

* The Go 1.25.3 and Go 1.24.9 releases were a fast follow to fix a problem introduced by one of the security fixes the previous week.

You can see that 2026 has been quite different from the previous years. There are plenty of other contemporaneous accounts from other security teams about the load increase they've seen (which again is almost entirely not Mythos).

Also, the number of reports we are receiving has gone up far faster than the number of actual vulnerabilities. Over the 75-month period from January 2020 to early April 2026, the final 30 days accounted for ~16% of the reports.

It is easy to believe that Tridge is seeing a similar flood of reports. More reports means more fixes means more code changes means more bugs.

New comment by rsc in "System Card: Claude Mythos Preview [pdf]"

rsc — Wed, 08 Apr 2026 17:19:33 +0000

The $20K was the total across all the files scanned, not just the one with the bug.

New comment by rsc in "Rob Pike’s Rules of Programming (1989)"

rsc — Wed, 18 Mar 2026 20:59:14 +0000

Worth noting these were not written as rules of programming generally but rules specifically targeted at complexity. They are lifted from the "Complexity" section of Rob's "Notes on Programming in C".

https://www.lysator.liu.se/c/pikestyle.html http://www.literateprogramming.com/pikestyle.pdf

New comment by rsc in "Claude Opus 4.6"

rsc — Thu, 05 Feb 2026 21:46:35 +0000

Raises hand.

New comment by rsc in "Improved Gemini 2.5 Flash and Flash-Lite"

rsc — Thu, 25 Sep 2025 18:00:27 +0000

FWIW, the versions are not semver but they do follow a defined and regular version schema: https://ai.google.dev/gemini-api/docs/models#model-versions.

New comment by rsc in "What is the go proxy even doing?"

rsc — Fri, 15 Aug 2025 11:51:30 +0000

[Also posted to Lobsters: https://lobste.rs/s/ms94ja/what_is_go_proxy_even_doing#c_vz2...]

I apologize for the traffic. We clearly need to look at the “thundering herd” you are observing. That shouldn’t be happening at all.

Separately, the bug we fixed last time were about repeatedly cloning a repo in sequence even if it was unchanged, not about redundant parallel fetches. We fixed that only for Git, because Git makes it very easy to look at a branch or tag and get the tree hash, without downloading the full repo. This is exposed as the go command’s -reuse flag. The relevant Git code is at https://go.dev/src/cmd/go/internal/modfetch/codehost/git.go#... (CheckReuse).

What we need from any VCS to implement the reuse check is a cheap way to download a list of every tag and branch along with a cryptographic file tree checksum for each one, without doing a full repo clone. At the time, I convinced myself Mercurial did not support this. Perhaps I was wrong or perhaps it does now. If anyone can help us understand how that works, we could implement the -reuse flag for Mercurial too. (Any other VCSs would be great too, but Git is #1 by a very wide margin and I believe Mercurial is #2 also by a wide margin.)

Again, apologies for all the traffic, and thanks to Ted for the excellent analysis. We will look into both.

New comment by rsc in "How to store Go pointers from assembly"

rsc — Mon, 23 Jun 2025 18:16:20 +0000

This is a strange and dangerous thing to try to do from assembly. In particular, all these details about write barriers being hand-coded in the assembly are subject to change from release to release.

Better to structure your code so that you do the pointer manipulation (and allocation) in Go code instead, and leave assembly only for what is absolutely necessary for performance (usually things like bulk operations, special instructions, and so on).

New comment by rsc in "Leaving Google"

rsc — Tue, 13 May 2025 15:28:26 +0000

The parent comment is the first time I've said anything publicly (it has only been a few weeks). I didn't feel like it needed an announcement, but since it came up, it seemed worth correcting. It's not a state secret. :-)

In my August announcement, I was careful to say I wasn't leaving the Go project. I'm still involved with the Go project and expect to keep being involved. I'm just not officially on the Go team at Google anymore. Stepping back from the actual team to give others room to lead always seemed to me both likely and appropriate.

New comment by rsc in "Leaving Google"

rsc — Tue, 13 May 2025 14:30:03 +0000

Officially, I have left the Go team too; I started on a new team at Google a few weeks ago. I still use Go quite a bit, I still talk to people on the Go team regularly, and you will still see the occasional code change, code review, or blog post from me. Most importantly, I have high confidence that the team we built will do an excellent job continuing the work.

New comment by rsc in "Optimizing Heap Allocations in Go: A Case Study"

rsc — Tue, 22 Apr 2025 14:39:30 +0000

Those are semantically different (one is nil and one is not) but neither allocates.

New comment by rsc in "Porting Tailscale to Plan 9"

rsc — Wed, 02 Apr 2025 16:35:59 +0000

Not sure what the betrayal is? He contributed a quote for yesterday's post. https://tailscale.com/blog/tailscale-enterprise-plan-9-suppo...

New comment by rsc in "Porting Tailscale to Plan 9"

rsc — Wed, 02 Apr 2025 16:33:39 +0000

We had to do some Plan 9 work, which makes sense when doing something new, but the actual Tailscale implementation is far _less_ work than for other Unixes.

New comment by rsc in "Show HN: Chez Scheme txtar port from Go"

rsc — Sun, 09 Feb 2025 04:59:45 +0000

https://docs.rs/txtar/latest/txtar/

New comment by rsc in "Cracking a 512-bit DKIM key for less than $8 in the cloud"

rsc — Wed, 08 Jan 2025 14:13:19 +0000

In the link in the parent comment. :-)

New comment by rsc in "Jia Tanning Go Code"

rsc — Mon, 28 Oct 2024 18:12:52 +0000

People who go install it get an error that it's not a valid source tree at all.

New comment by rsc in "Jia Tanning Go Code"

rsc — Mon, 28 Oct 2024 14:00:25 +0000

While you can create and build a local package with U+FE0E in its file name, you cannot create or download a module using that character in a file name. So you could run this attack in someone's top-level repo but not in any of their dependencies. That's something at least.

https://go.googlesource.com/mod/+/refs/heads/master/module/m... https://go.googlesource.com/mod/+/refs/heads/master/module/m...

New comment by rsc in "Show HN: Go Plan9 Memo"

rsc — Fri, 18 Oct 2024 19:44:05 +0000

No. It's just Go assembly. (It happens to be a Plan 9-derived syntax, but we call it Go assembly.) See https://go.dev/doc/asm.

New comment by rsc in "Russ Cox is stepping down as the Go tech lead"

rsc — Fri, 02 Aug 2024 17:55:54 +0000

I replied to the other copy of this comment: https://news.ycombinator.com/item?id=41136122.

New comment by rsc in "Russ Cox is stepping down as the Go tech lead"

rsc — Fri, 02 Aug 2024 17:54:17 +0000

This is definitely not true. "Inside of Google" would have been just linux/amd64 for a very long time. Now it includes linux/arm64 too, but that port happened before Google needed it. And all the other ports are not used inside of Google, except maybe the Mac port if you count developers laptops.

New comment by rsc in "Russ Cox is stepping down as the Go tech lead"

rsc — Fri, 02 Aug 2024 17:52:19 +0000

If you just want to run Go programs on Alpine, it works fine. (I put some effort in back in Go 1.21 to make sure that the downloaded binary toolchains for Linux even work fine on Alpine.)

If you want to use c-shared mode and dlopen, then yes that only works with glibc, but that mode barely works at all anyway. It's not actively supported at all.