This repo doesn't seem to list what sort of high-level/conceptual changes are involved. I could look at the diff, but that sounds exhausting :Þ
https://github.com/golang/go/tree/dev.boringcrypto/misc/bori...
But it looks dead for some time.
However https://github.com/golang-fips/go sprung up to take its place.
I wonder why Microsoft prefers to maintain its own in entirety rather than share a piece of the burden.
Microsoft's security reputation is so flawed, that some parts simply must be intentional, or coerced.
Don't use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.
Don't use any FIPS branch of any platform, because FIPS is terrible. But the argument presented here seems facile.
They are a lot better than they used to be. They went through a trial by fire in the 90s and early 00s and came through for the better.
It's worth noting that classified computer systems in the military-industrial complex run Windows, and not Linux, nor do they run the security cosplay that is OpenBSD.
What he didn't discuss was how vulnerable proprietary vendors (including, but by no means limited to, Microsoft) are to "rubber-hose vulnerability injection".
Anyway, it's good to see Microsoft actually participating in the open source process.
If you're not trying to get US government contracts that require it, don't bother with FIPS. It mandates older algorithms; they're mostly secure enough but not as performant and there are a lot more footguns. FIPS 140-3 fixed a few, but not all.
It looks like the Go community officially has no plans to support FIPS 140-2 any time, so I'm glad to see this alternative.
[1] https://github.com/microsoft/go/tree/microsoft/main/eng/doc/...
"Embrace, extend, and extinguish" (EEE),[1] also known as "embrace, extend, and exterminate",[2] is a phrase that the U.S. Department of Justice found[3] was used internally by Microsoft[4] to describe its strategy for entering product categories involving widely used open standards, extending those standards with proprietary capabilities, and using the differences to strongly disadvantage its competitors.
Please see the Wiki article for the full deal including footnotes.