I’m a cryptography engineer and open source maintainer, specializing in Go.
From 2018 to 2022, I worked on the Go team at Google, where I was in charge of the Go Security team. I implemented TLS 1.3 support in the Go standard library; co-designed the Go Checksum Database, a seamless solution for securing the Go software supply chain with transparency trees; and with my team was responsible for developing features such as native fuzzing and the Go Vulnerability Database, as well as handling vulnerability reports.
Before that, I was at Cloudflare, where I maintained the proprietary Go authoritative DNS server which powers 10% of the Internet, and led the DNSSEC and TLS 1.3 implementations.
Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.
I also develop and maintain a set of cryptographic tools, including the file encryption tool age, the development certificate generator mkcert, and the SSH agent yubikey-agent.
Open-source software, despite being shared critical infrastructure, is maintained by volunteers or by full-time company employees. Neither is a sustainable model, the former for obvious reasons, and the latter because available resources at a single company do not scale with the size and success of the project, leading whole teams to burnout and churn.
I am testing a new model: professional independent full-time maintainers, who bill companies as contractors, providing ongoing maintenance and access to their expertise and to the project’s decision-making process.
I envision open source maintainer as a first-class profession, with independent maintainers organized in personal practices or small and medium-sized firms, earning compensation comparable to what senior software engineers are paid. I want maintainers to be empowered to keep doing what they do best, and be available as a resource to the companies that fund them.
I believe the best way to precipitate this change is to prove the model myself, and I plan to build the missing tools (legal contracts, best practices, professional associations…) and grow the model by example and by employing others.
None of this, both my open source work and establishing this model, would be possible without my clients, who've been forward-thinking enough to invest in something new.