Skip to content
View FiloSottile's full-sized avatar

Sponsors

@magnuswatn
@MarkusZoppelt
@ptere
@abraithwaite
@photoprism
@arcxio
Private Sponsor
@aganet

Sponsoring

@Homebrew
@richfelker
@alyssais
@dominikh
@pirate
@ncw
@zx2c4
@bitcynth
@mholt
@ziglang
@arp242
@gnachman

Organizations

@ArchiveTeam @recursecenter @cryptography-training
Block or Report

Block or report FiloSottile

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
FiloSottile/README.md

I’m a cryptography engineer and open source maintainer, specializing in Go.

From 2018 to 2022, I worked on the Go team at Google, where I was in charge of the Go Security team. I implemented TLS 1.3 support in the Go standard library; co-designed the Go Checksum Database, a seamless solution for securing the Go software supply chain with transparency trees; and with my team was responsible for developing features such as native fuzzing and the Go Vulnerability Database, as well as handling vulnerability reports.

Before that, I was at Cloudflare, where I maintained the proprietary Go authoritative DNS server which powers 10% of the Internet, and led the DNSSEC and TLS 1.3 implementations.

Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.

I also develop and maintain a set of cryptographic tools, including the file encryption tool age, the development certificate generator mkcert, and the SSH agent yubikey-agent.

Professional maintenance

Open-source software, despite being shared critical infrastructure, is maintained by volunteers or by full-time company employees. Neither is a sustainable model, the former for obvious reasons, and the latter because available resources at a single company do not scale with the size and success of the project, leading whole teams to burnout and churn.

I am testing a new model: professional independent full-time maintainers, who bill companies as contractors, providing ongoing maintenance and access to their expertise and to the project’s decision-making process.

I envision open source maintainer as a first-class profession, with independent maintainers organized in personal practices or small and medium-sized firms, earning compensation comparable to what senior software engineers are paid. I want maintainers to be empowered to keep doing what they do best, and be available as a resource to the companies that fund them.

I believe the best way to precipitate this change is to prove the model myself, and I plan to build the missing tools (legal contracts, best practices, professional associations…) and grow the model by example and by employing others.

None of this, both my open source work and establishing this model, would be possible without my clients, who've been forward-thinking enough to invest in something new.

Nine logos in a grid: Sigsum, Latacora, Interchain Foundation, Smallstep, Ava Labs, Teleport, SandboxAQ, Tailscale, Charm

Pinned Loading

  1. mkcert mkcert Public

    A simple zero-config tool to make locally trusted development certificates with any names you'd like.

    Go 47.5k 2.5k

  2. age age Public

    A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

    Go 15.9k 481

  3. Heartbleed Heartbleed Public

    A checker (site and tool) for CVE-2014-0160

    Go 2.3k 467

  4. whoami.filippo.io whoami.filippo.io Public

    A ssh server that knows who you are. $ ssh whoami.filippo.io

    Go 2.2k 108

  5. yubikey-agent yubikey-agent Public

    yubikey-agent is a seamless ssh-agent for YubiKeys.

    Go 2.6k 125

  6. sunlight sunlight Public

    A Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.

    Go 121 7