CRYPTO/X509 HOSTNAME VERIFICATION CUT FROM QUADRATIC TO LINEAR

By RepoJournal · Filed · About Go

Go's x509 certificate verification just got substantially faster for domains with large SAN lists, eliminating a pathological case where the work scaled with the number of hostname labels times the number of certificate SAN entries.

The crypto/x509 package shipped a critical optimization [1] that eliminates quadratic behavior in VerifyHostname when processing certificates with dozens of Subject Alternative Name entries. Previously, matchHostnames looped over every SAN and called strings.Split on the same hostname each time, causing verification time to scale with SAN count multiplied by hostname label count. This gets you from O(n*m) to O(n) on the common path. Separately, debug/gosym [2] fixed symbol handling for generic functions by masking bracketed expressions rather than removing them, preserving string indices and improving support for instantiated generics. The tools team is tightening gopls code generation: addtest [3] now emits t.Context() for Go 1.24+ modules instead of context.Background(), while analysis passes are broadening their heuristics [4] to detect test-only symbols by file name, not just function name. Finally, golang/crypto addressed a resource exhaustion vulnerability [5] in SSH server authentication by capping total userauth attempts at 128 per connection, closing a loop that would process requests indefinitely if clients triggered PartialSuccessError responses.
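The split-per-SAN shape described above, next to the split-once shape, as an added example that is neither crypto/x509's code nor from the original page. The names `matchLabels`, `verifyPerSAN`, `verifySplitOnce` and the sample hostnames are hypothetical, and the wildcard rule is a simplified model.

```go
package main

import (
	"fmt"
	"strings"
)

// matchLabels: a leftmost "*" matches one label (simplified, not crypto/x509's full rules).
func matchLabels(pattern, host []string) bool {
	if len(pattern) != len(host) {
		return false
	}
	for i, p := range pattern {
		if p != host[i] && !(i == 0 && p == "*") {
			return false
		}
	}
	return true
}

// verifyPerSAN models the old shape: the hostname is re-split for every SAN.
// Returns the match result and how many times the hostname was split.
func verifyPerSAN(sans []string, host string) (ok bool, splits int) {
	for _, san := range sans {
		hostLabels := strings.Split(strings.ToLower(host), ".")
		splits++
		if matchLabels(strings.Split(strings.ToLower(san), "."), hostLabels) {
			return true, splits
		}
	}
	return false, splits
}

// verifySplitOnce models the fixed shape: split once, reuse for every SAN.
func verifySplitOnce(sans []string, host string) (ok bool, splits int) {
	hostLabels := strings.Split(strings.ToLower(host), ".")
	for _, san := range sans {
		if matchLabels(strings.Split(strings.ToLower(san), "."), hostLabels) {
			return true, 1
		}
	}
	return false, 1
}

func main() {
	sans := []string{"a.example.net", "b.example.net", "*.internal.example.com"} // constructed SAN list
	fmt.Println(verifyPerSAN(sans, "API.internal.example.com"))
	fmt.Println(verifySplitOnce(sans, "API.internal.example.com"))
}
```

The split count of the first function grows with the SAN list, while the second stays at one regardless of how many entries the certificate carries.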

References

  [1] crypto/x509: split candidate hostname only once (golang/go)
  [2] debug/gosym: mask bracketed expressions rather than remove them (golang/go)
  [3] gopls/internal/golang: addtest: emit t.Context() for Go 1.24+ (golang/tools)
  [4] go/analysis/passes/inline: broaden "from own test" skip criterion (golang/tools)
  [5] ssh: cap total userauth attempts per server connection (golang/crypto)

FAQ

What changed in Go on May 28, 2026?
Go's x509 certificate verification just got substantially faster for domains with large SAN lists, eliminating a pathological case where the work scaled with the number of hostname labels times the number of certificate SAN entries.
What should Go teams do about it?
  • Verify your x509 verification paths if you handle certs with 50+ SANs; this should visibly improve latency on update
  • Update golang/crypto if you run SSH servers exposed to untrusted clients
  • Sync gopls if you're on Go 1.24 and use the 'Add test' code action
Which Go repositories shipped on May 28, 2026?
golang/go, golang/tools, golang/crypto
