Microsoft Maintains Go Fork for FIPS 140-2 Support

There used to be the GO FIPS branch:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;tree&#x2F;dev.boringcrypto&#x2F;misc&#x2F;boring">https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;tree&#x2F;dev.boringcrypto&#x2F;misc&#x2F;bori...</a><p>But it looks dead for some time.<p>However <a href="https:&#x2F;&#x2F;github.com&#x2F;golang-fips&#x2F;go">https:&#x2F;&#x2F;github.com&#x2F;golang-fips&#x2F;go</a> sprung up to take it&#x27;s place.<p>I wonder why microsoft prefers to maintain it&#x27;s own in entirety rather than share a piece of the burden.

You would be interested in this if you need the &#x27;crypto&#x27; library to work in a FIPS 140-2 compliant way. You can switch on &#x2F; off this mode by setting the runtime variable GOFIPS=1 before running your Go program [1]. Nice.<p>It looks like the Go community officially has no plans to support FIPS140-2 any time, so I&#x27;m glad to see this alternative.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;go&#x2F;tree&#x2F;microsoft&#x2F;main&#x2F;eng&#x2F;doc&#x2F;fips#usage-runtime">https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;go&#x2F;tree&#x2F;microsoft&#x2F;main&#x2F;eng&#x2F;doc&#x2F;...</a>

Does anyone with FIPS experience know what sort of changes are entailed by those requirements?<p>This repo doesn&#x27;t seem to list what sort of high-level&#x2F;conceptual changes are involved. I could look at the diff, but that sounds exhausting :Þ

I&#x27;d be happy if just made Defender stop detecting all my go binaries as Malware...

If this doesn&#x27;t also _add_ some &quot;accidental&quot; backdoor, I&#x27;d be surprised.<p>Microsoft&#x27;s security reputation is so flawed, that some parts simply must be intentional, or coerced.<p>Don&#x27;t use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.