I'm not sure it works that way. _In general_ before the recent announcement you are supposed to sign the debug build (what you feed into adb to install) with your debug key that's different from the release nor upload key, and the debug key is never submitted to google.
Of course _maybe_ at some point google will also force you to submit your debug key to them. But I don't believe that's the case now.
I don't understand how this got so many upvotes. Embedded struct fields are never "promoted", you always need to access them via the embedded type's name, so there's nothing to conflict.
The only thing "promoted" are the functions associated with the embedded types, and when those actually conflicts, the compiler will tell you, as expected.
> you always need to access them via the embedded type's name, so there's nothing to conflict.
The article talks about "opts.URL" in its example being accepted by the compiler, which accesses "opts.FooService.URL" without using the embedded type's name.
I tried to use fish on some of my debian servers that i only rarely update packages/kernel, so I don't have to carry my bashrc there, but found their completion for apt is pretty naive. for example after updated kernel i would want to clean up the old ones, but `apt purge linux-image-<TAB>` would list all available kernel versions, not just the ones currently installed.
it has guest support (so people does not need a matrix account to comment), but if you use your own matrix account, you are essentially joining a matrix room per post.
The request body on the client do a lot of other things than reading the body once (an io.Reader can only be read once).
There's Content-Length, and there's also the need to read it multiple times in case a redirect happens (so the same body need to be sent again when being redirected).
As a result, the implementation in stdlib would check a few common io.Reader implementations (bytes.Buffer, bytes.Reader, strings.Reader) and make sure it stores something that can be read multiple times (if it's none of the 3, it's read fully into memory and stored instead).
This is the same basic reply as the other one but my thoughts are roughly the same. The only comment I have aside from what I replied on the sibling comment (this just being another case of wrappers not being transparent biting us in the ass) is that they could've done this in a more generic way than they did, at the downside of requiring more interfaces.
Yea I saw your other reply later and agree on most of it. But I'd say there's a balance between simplicity of the API and more specific cases. For example they can make an optional api to io.Reader to provide size info, and maybe another optional api to io.Reader to make it able to be read more than once, etc.. But at the same time, if you have all those info, that _usually_ means you already have either a []byte or string, and you would most likely use one of the 3 types to convert that into an io.Reader, so that special handling is enough without adding more public apis, and the go team is notoriously conservative when adding new public apis.
Garmin's hardware, including the hardware of their smartwatches, are very tempting. They are designed to be easy to use even with gloves, have good battery life, and on some high end they have solar and/or 40-meter scuba diving rated.
If there's a way to use Garmin's smartwatches without using their cloud I probably would consider that. But since their ransomware attack from 2020, I really can no longer trust their cloud any more, especially that the data collected from a smartwatch is on the more sensitive side. The only Garmin hardware I'm still using is their bicycle tail light+radar, which I just use with wahoo's bike computer instead of other Garmin products.
I had a facebook account from the early days. I deleted my facebook account at 2018-ish. I never had an instagram account.
Recently I got an email from instagram saying it's "easier to get back to instagram", with my usual username. I can't check what's on that instagram user because they don't show you anything without logging in, so I asked my wife to check that instagram user for me. It doesn't have any photos nor profile photo or following, but it does have several followers that's my facebook friends (when I had the account), so at some point meta created that instagram account for me and associated it with my facebook account, I guess? I hope that account was not "AI-powered".
>exposing yourself to the mercy of a single organization
The nice thing about passkey is that unlike password, you can have multiple per account.
So you can register a passkey from 1password to website A, and also register a passkey from Apple keychain to website A, and also register a passkey from Google account to website A, and also register a passkey from yubikey to website A, so even if you are locked out from one of your accounts, you still have several other ways to log into your account at website A.
And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).
A door can be kicked in, a safe can be drilled, a password can be reset. But these keys (whether a phone or a Yubikey) to your digital life are irreplaceable if they're all lost. We've never been in this situation before.
The problem with any solution relying on a couple of physical devices as the sole access to your digital life is that the management and protection of those objects becomes one of the most important things in your life. These keys are supposed to give perfect security so by design making "software" copies brings that security to the level of passwords. But losing them kills your digital life.
You have two keys in the house and you have a fire or severe natural disaster? There's no reset for them and you just piled a tragedy on top of another. You want to restore them from a backup? You probably need the keys to begin with. People need one on them at all times, one at home, one or two in some other safe far away location but to still trust that they won't be misused there.
That's all people hear when they look into passkeys. "One more key" is not enough for most people, tech savvy or not.
Even if it's possible technically, I don't think it's very practical, as UX is very heavily directed towards a single passkey provider. I can imagine doing this for one or two most important websites, but not for each of dozens (hundreds?) websites users have registeration on.
It's not actually all that bad. I went through today and added passkeys for all the sites I use that support them, and for most it went like this.
1. I login to the site using my password, supplied by my password manager (1Password).
2. I go to the site's security settings and find their passkey settings. I invoke their "add a passkey" function.
3. If I'm on my Mac, using Chrome, Firefox, or Safari, I get a dialog showing me the site and the user name and asking if I want to save a passkey in my 1Password.
There is a security key icon on the dialog that I can click if I want to save the passkey elsewhere. That replaces the 1Password dialog with one offering to save a passkey in my iCloud keychain for use on all my Apple devices.
That dialog has an "other options" link which brings up another dialog that adds options to use an external security key or to save a passkey on an iPhone, iPad, or Android device with a camera. The latter option will show a QR code that can be scanned on that other device.
I save the passkey in either 1Password or my iCloud keychain.
If I'm on my iPad using Safari it is similar, except the first dialog shows both 1Password and iCloud as storage destinations, with radio buttons to pick between them.
4. Repeat step #3 once, storing a passkey in whichever of 1Password and iCloud keychain that I didn't pick the first time through.
Some sites let you give the passkeys names to make them easier to remember so there might be typing a name in there somewhere.
All in all, it is only a few seconds to add a passkey after pressing the "add a passkey" button on a site, so adding two is no big deal.
I currently have over 700 credentials in 1Password. Consider me not interested for anything that takes any decent amount of time.
I really like the idea of passkeys but I think most people forgot that security and convenience are not working well together, and passkeys attempt to solve this problem.
Passwords have their own issues but they are so easy to transport to multiple stores, meaning loosing access is going to be hard(er).
And as long as there's going to be a single-point-of-failure (being it Apple, Google, 1Password or whoever stores your passkeys) without any _easy_ way to retrieve your passkeys again I'm advising against it.
With passwords, I don't care loosing access to my iCloud/1Password/whatever. A somewhat recent list of all passwords are stored in a safe place, printed out on paper. AFAIK this isn't easily doable with passkeys.
You can still benefit from adding passkeys to some sites. It will often be a little faster and/or fewer clicks than using a password, especially at sites where you have to enter a TOTP code.
For example at Github signing in with a passkey from the sign in page is two clicks. Click on "Sign in with a passkey", a dialog pops up from the browser showing the passkey it will use by default, and I click "Sign in".
With a password it is a click to have 1Password fill my email and password, a click to submit (which could be eliminated if I had autosubmit enabled in 1Password), and then it asks for a TOTP code. After the code is entered it is a click to complete the sign in.
Github's TOTP entry form is well coded, so if 1Password has the TOTP key it will automatically fill it. If you don't keep TOTP keys in 1Password you'll have to open your authenticator app and copy the code.
Considering that it only takes a few seconds to add a passkey for Github to 1Password, you'll make up the time that takes after just a few logins.
I'm not sure what UX you are talking about, the majority of the websites supporting u2f/passkey have UX to manage your u2f keys/passkeys. (the only exception I can think of is early Twitter when it first implemented u2f, and at that point it only allow you to add a single u2f key, but even Twitter fixed that later and supports multiple keys now).
And (this is probably not emphasized enough) you really should never only use a single u2f key/passkey for a website, that's the recipe to get you locked out when you can't find your u2f key/get locked out of the provider of your passkey. I have at least 2 yubikeys on my keychain all the time (one for usb-a and one for usb-c), plus one for each of my computers, and passkeys from 1password, google, etc.. And whenever I add u2f keys/passkeys to a website I add all/most of them.
...and you just described why this is not ready for prime time. Managing a number of physical devices tied to completely opaque secrets stored by unclear providers in places you never see, with hidden agendas promoting their locked-in solution over all others and complicating everything out of one ecosystem.
Most standard users will either mess up royally or run away scared. Damn, I've been on this field for 30 years, I've been using 4 OSs, 5 different browsers and devices from every ecosystem, and I still find this whole thing too much of a hassle.
And yes, I do have a backup passkey. Even though I had to convince my skip-level that it made sense. I just find it all too complex to adopt it broadly.
if I am reading right, any time you set up passkeys on a web site, you add half-a-dozen passkeys from various services? Yeah, this sounds totally impractical to me.
Have you considered stopping using passkeys and using strong passwords stored in password manager instead? You will have approximately same level of security:
- Either way, if one site is compromised other sites are not affected (because password managers have site-per-password)
- Either way, you will be phishing-protected (because password managers autofill based on host name, and you are smart enough not to override it)
- Either way, it'll be game over if you get a malware on your computer (because it will steal your passkey out of 1password)
... but your UX for new website would be dramatically simpler.
It's not much of a hassle. I'll add at least two when I want to start using a passkeys for a site. So maybe add a passkeys to the phone and to my keychain device. Then, next time I use the service on my laptop, I'll sign in with either my phone or keyring (whatever happens to be closer) and make one there. Then next time I want to use the service on my desktop I'll sign in with whatever I've got nearby and add my desktop and the token in my desk drawer. And maybe my password manager also has a passkeys, added somewhere in there.
It's not like every time I sign up for a new site I have to drop everything right at that instant and go add a passkey to every single device I own.
> And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).
Without a standard automatable way of doing this, it doesn't happen in practice, even assuming people implement it competently enough to allow multiple passcodes (TOTP codes, for example, are often only one per account, which is similarly annoying for maintaining a revocable backup)
> The nice thing about passkey is that unlike password, you can have multiple per account.
I would charitably estimate that of the sites currently supporting Passkey, the ones that support multiple passkeys are in the single digit percentage. So, practically, you can't.
As someone who actually uses them in a lot of places, the number of sites I know that only allows a single passkey is one: PayPal. What other sites do you know only allow a single one?
PayPal allows multiple passkeys. I just added passkeys there today and had no trouble making two.
I have a vague recollection of running into some trouble when I tried to add passkeys to an account in their sandbox (sandbox.paypal.com) but don't remember what it was. I realized I don't need any of my sandbox accounts any more and deleted them all from my password manager rather than try to solve the problems. :-)
PayPal's handling of multiple passkeys is kind of annoying. I didn't see any way to change the default labels it gives them, which appear to be simply the OS and browser names. So both of my passkeys are labeled "macOS Chrome".
Clicking on them tells when they were created but the resolution is only to the day.
If somehow my private key for one of the them leaked and I wanted to delete the public key I wouldn't know which to delete.
Some sites label the passkeys "1Password" and something like "Apple iCloud" which works a lot better.
I too first experimented with passkeys about a year ago, and then largely ignored them until this discussion prompted me to have another go.
A year ago I found them almost unusable. I had trouble getting browsers to recognize a passkey was available for a site, and I had trouble getting browsers on my Mac to use passkeys from the Apple keychain on my Mac. They would often put up a QR code for me to scan on my phone to use the passkey from the phone--and that was also not very reliable.
Now I'm hitting almost no problems.
There are still some settings annoyance with some sites. At PayPal for instance it asks for my TOTP code even when logging in with a passkey. There is no option to turn off TOTP for passkeys but leave it on for passwords.
Of course _maybe_ at some point google will also force you to submit your debug key to them. But I don't believe that's the case now.