- Security releases
- gopls v0.18.0 released
- Helsinki meetup, March 18, still looking for speakers
- TypeScript rewrite in Go
- Lightning Round
Cup o' Go
Rewriting all the things in Go!
This show is supported by you. Stick around till the ad break to hear more about that. This is Cup o' Go for March 14, 2025. Keep up to date with the important happenings in the Go community in about 15 minutes per week. I'm Shay Nehmad. And I'm Jonathan Hall. And I'm back. You're back. Welcome back, man. Thank you. I was studying California. California is rainy. It's not sunny at the moment. I mean, beautiful sun at the moment, looking at a lake. But let's be honest, I'm actually at the WeWork like phone booth, jail cell combo, you know, the ones. I know the ones. So I'm in one of those at the moment because I don't want to disturb all my WeWork neighbors. But yeah, I'm in the United States. Cool. Thanks a lot to Lane Wagner for coming on the show, covering for me last week. You did a really, really good job, man. Shout out to Lane and to boot.dev. Thanks a lot for that. Always fun to talk to him. You say, as opposed to what you're having to do right now. I like talking to you too, Shay. I've missed you. Thank you. All right, we have a show. Let's do a show. Let's do it.

Today, we want to talk about security release, some changes to gopls, Helsinki meetup, some projects that we wanted to mention, the TypeScript thing everybody is talking about, we'll just briefly mention. We don't want to do it this week because we're looking to talk to someone who is actually working on it. If you know someone who's working on the TypeScript port to Go, let us know because we are interested in getting more than just what the article says, which is, "Go fast." I think we all know, "Go is fast." "Go better." That's an easy conclusion to reach and some proposals. We have a lot to get through. We have some cool stuff for the lightning round as well. Let's jump into it. Here we go.

Let's start with an announcement of a security release. This one is a pretty fun one.
1.24.1 and 1.23.7 are released with security fixes following the normal security policy in net/http, net/proxy and httpproxy. This one is, by the way, also reported by Juho. If you're a long-time listener, you probably know that name as the single person who's with the finger in the dam holding back all the security problems in Go, basically. This one's about IPv6. I don't know how you feel about these addresses, Jonathan, but I've become very cynical of them in the last 12 years. I started learning. How did you learn networking or how did you get started? Well, I got started, so I ran an ISP, a dial-up ISP back when that was still a thing, and did learn. Yeah, that's how I learned bitwise operations, and netmasks and all this stuff was IPv4. Did they at the time teach you IPv4 is going to run out soon? Absolutely. Absolutely. Yeah. You have to pay extra for an IP address if you want to fix one because there's a limited supply. They're going to run out. IPv6 is the magical solution. It's better than AI in the blockchain and it's going to solve everybody. You heard it here. Invest in IPv6 addresses now, it's a new goal. So yeah, I've been, when I started learning networking, they gave me Computer Networks by Tanenbaum, that huge book you can level a table with. They just studied this back and forth, and they told me IPv4 is going to run out. Everybody's going to use IPv6 and look, 2025, and we're actually okay. So the problem with this thing is that many people had to implement it, and it is used, and it is actually widely used, despite all the cynicism I just pointed at it. But it's more complicated. It's more complicated than IPv4 addresses, which is why people keep finding security bugs in it, because the implementation is not like top priority for anyone. So it doesn't get enough attention, then gets, and the spec is overly complicated in my opinion. I think to security issues like these ones, do you know that IPv6 addresses have zone IDs?
I'm vaguely aware of that as a concept. I don't know what they mean. I was nowhere. And I learned like the IPv6 properly, just because you don't have to use it, you'd end up forgetting. Yeah. So IPv6 address, when you imagine it, how does it look? It looks like sets of four-digit hexadecimals with some randomly placed colons and periods. So you have colons to generate a right order of anything. Apparently, there's a percent sign as well, and after the percent sign you can put in a zone ID, which helps you identify, helps your computer route packets through the correct address. So if you want to send something, and you have both an IPv4 and IPv6, if you have the zone ID, it might prioritize the IPv6 one, and the zone ID can be anything. Like, zone identifiers have purely local meaning. They're not actually part of the address. They're just like helpers, like hints. Almost like documentation. It's kind of like the part after the hash sign on the URL, they're like, yeah, in a sense. But it's part of the address. In the URL, I'm already imagining it's very applicative, so it's no problem to add whatever bleep you want, right? Because parse it however you like, but putting basically the documentation so low in the stack, at least to me feels very peculiar. The security issue with this feature of IPv6 zone IDs is when you pass, it's pretty funny, but when you pass an IPv6 address to a proxy server, and the zone ID is actually an address like a DNS address, you sort of poison the proxy to take the host. So let's take the most basic IPv6 address of all, which is localhost, which is ::1. ::1 is the IPv6 address for localhost. If you put the zone ID as *.example.com, and you pass that to the Go HTTP proxy, your address will get matched and like not proxy. So I think this is a pretty edge case.
And the only reason you would actually care about this is A, if you have like Dependabot things that you must fix for a security audit, or if you're like the one person who's developing a GUI where you take untrusted addresses from users or from a database and put them into a Go proxy, but still better than not fixing it, I guess. Yep. Although there might be more attack surfaces that I'm not thinking about, but hey, if you didn't know about IPv6 zone IDs, now you know, and in any case, like we always recommend you should just upgrade, you know, this is just one security fix. So this update will probably not break your build. And who knows if like one of your libraries does use this somehow, right? Yeah. So in short, upgrade Go 1.24 or 1.23 or x/net, if you're using that third party, but that external back. And thanks again to Juho for providing us with all these educational security patches. I love it that somebody else is willing to understand all these intricacies. So I don't have to bother. I could just do go get, you could just chill, not worry about these RFCs. Whenever I open an RFC, I'm like half excited. I feel like very smart reading this like monospace 80 character document, if you know, but on the other hand, I'm like, my eyes immediately get glazed over. I think there's a market for translating RFCs to like TikTok 60 second videos, but I'm not going to fulfill that market. You're not going to do that one, too busy? No. Okay. I'm too busy. You know, I have so much, so much Go code that I need to upgrade, like do if elses for things and I have to replace it with min and max, you get a bunch of that time back. Oh, really? Yeah. The new goes. That's for a second. That's a great one.

The new gopls is out. This actually is about three weeks old, but we haven't had a show since then. So we haven't had one together since then anyway, gopls version 0.18.0 and it's a whole bunch of cool things. Some of them look cool.
But the one that will help you out is the new modernizer and an analyzer modern, modernize analyzer, modernizer analyzer sounds good, like a Radiohead album. Exactly. That's a better than modern. That's our alanite. Yeah. So like you remember back in the old days of Go, if you wanted to get the maximum of two numbers, you had to do this silly little. If A is greater than B, then B equals whatever, you had to then they decided that that was silly and like the computers are good at doing min and max. So they added min and max to the as goes and functions. Well, modernize will detect those funny little if elses and tell you to trigger them or to change them to min and max and other similar sorts of changes. So that's what this new modernize does. Do you think he'll use that? I think overall, this is a good approach, but I'm worried about Go is very famous for having one way to do things and if you got to the point where gopls has to modernize your code. What does that mean? Does that mean that there are many ways to do things in Go actually and that promise is not true anymore? And like which cases does it cover? Like all of them are is all of them are safe. A good one is replacing interface like if you have interface, open paren, close paren, it replaces it with any, right? So to me, these two things mean exactly the same thing because I lived through Go 1.18 and I don't see any specific benefit for using any. Like if you can replace the code automatically, it might be nicer. And there are some cases where I actually agree it's better. But I'm not 100% sure all of them are worth the change and it has to go through code review. I don't know why I have an antagonistic feeling towards this because overall, it's a good thing. You know, for example, the WithCancel context that we talked about in Go 1.24, which is super new, right? And omitempty versus omitzero in struct, which is also Go 1.24 and also super new.
These are like two super useful features I would love people to know about and obviously not everybody's listening to our show, but if you're a linter, if like, gopls is telling you, Hey, if your IDE is like popping, Hey, you can modernize this. This is an actually a much better way to let people know about these features. But it feels icky to me and I'm not sure why. Maybe you can like explain this feeling. I don't, I don't share the feelings. I don't know. So I've had a lot of you think it's a good one. Well, I mean, maybe there might be some examples where it's not, but of the examples I talked about, I like it. So switching interface open close to any, I did that a long time ago, you know, I haven't lintered it told me and I just did it all at once for the good basis. I was involved in there's a couple rare cases where I don't like it, but I prefer the interface open close paren or squiggly. And that's like where I'm actually building an interface and I just haven't put methods in it yet where I sort of place it over. But that's such a minor case that it's bit me maybe twice in the last year or something. For min/max, I actually prefer switching to the min/max or even cmp.Or is another is not built in function, but it's and it's relatively new capability that can help you get rid of some elses. I like those because they when they're not overly clever, because they mean less code to read and the intent is more obvious. All of these suggestions are only simplifying, in my opinion, like using slices.Sort instead of like sort.Slice x func. So I think this is just like sort of hinting you towards how to simplify and clarify existing code by using stuff that they added over the years. So min/max is the simplest example. Before, a year ago, we talked about ranging over ints, right? All the focus was drawn by ranging over functions, which was the actual big change.
But now you have all these three clauses in for loops, right, where in Python, I never write those, right? I never would go like for i equals zero, i smaller than n, i plus plus, but just because I didn't go, that's how it was done. Now I can do a walrus range up to n, and that just works and it looks nicer. I'm still getting used to it, but it definitely looks nicer. This analyzer would assist me in recognizing that, hey, I can use that here. I don't want to remember all these cases by heart, and I want to remember all these new features. I just want to, I want them to pop up in context. On your point about going through another code review cycle, I think this is a place I don't know if gopls will automatically do these updates for you, if you tell it. You can, you can't pass a -fix and then you actually have to run it a couple of times that it figures everything out because some cases, you know, some cases actually have, you fix it once and then the inside of the loop was another thing and you won't do both changes at the same time. So I have to do a couple of passes. But like, that's the kind of thing where if you have a pull request that is completely done by a tool, and principally you could skip code review, of course it's up to your team's policy, but yeah, I don't, I don't think it needs to be a big burden for code review. Hopefully a person isn't going through and validating the tool does everything, right? Will we trust that the authors of the tool are contributing? I'll counter that and I'll say that the new modernize analyzer team has said that they are aware of bugs in the analyzer's fixes. It may cause an import to become unused or delete like comments or do, and the comments in Go could be like a library call or a go:generate call or things like that. I know. And they literally say these things are obvious during a code review.
So, you know, one big benefit even though this does make me feel kind of icky is I think most of the code people will generate and not write will not use the modern features because most of the training set, right, like if you tell an AI right now to, and without any like system prompt engineering trying to make it use the best practices and follow the new stuff and whatever, just like a normal model out of the box, tell it, create a for loop. Create the old style, right, because it has a million examples of those and not a lot of the new ones. And especially talking about things that come in 1.24, right, it doesn't have it in a training data at all. So, you know, I think using for range strings.Split instead of like using that the modernize analyzer is going to suggest use SplitSeq instead, right. I've never written SplitSeq before, so I'd be super surprised if the AI is going to auto complete that for me, but if it's going to auto complete the old one and then the linter is going to be like, hey, hey, here's what you actually want to use. And the, you know, gopls is not AI, it's deterministic and written by smart people. I think it sort of helps out with the fact that a lot of code is generated based on training on older practices, right. So I think that's a benefit. How do I upgrade? Do I need to do anything specific or will my IDE just do it for me? I don't know which IDE you use, but I'm pretty sure VS Code does it for you automatically because I've been using this and I haven't tried to upgrade. So cool. So if you are using like some custom setup where you need to upgrade gopls, our conclusion after discussion is that this is a net good thing. I would say so.

If you disagree, though, and you want to go fight with somebody about it, and you're in Helsinki. Okay. Because they are worthy known as violent people. Helsinki is having a Go meetup on March 20, and they're looking for speakers.
So you can go speak about your hatred for this new feature and maybe pick it up next week. That's like in seven days. Exactly. Got to hurry. Yeah. I was working on PJX Outbox as invited everybody and you can register, oh, the event actually moved to March 18, so you even have less time. Okay. Oh, yeah. It's a good thing. I opened the LinkedIn post. The LinkedIn post is in our show notes. So if you're in Helsinki or in the area, go visit. Looks like a pretty good meetup. ClickHouse and Go. It's gonna be there's a Londo office, which should be fun place. I don't know what it's like at that location, but it's always fun to see somebody's office. And if you're working with ClickHouse in Go, we're going to have a talk about it.

I think this is a good point to stop for a second with all the news news and talk about the TypeScript native port. We're not going to dive into it fully, because like we said, we're looking for people who are connected to this project. If you know anyone, please let us know. We're trying to reach out to them on social media, but that's not always the best way to get ahold of these people. If you don't know what this is, what are we talking about? Everybody's been talking about it, but I guess some people get their news through us, so we should tell them about it. What? Listen to a news podcast for news. So the news is that Microsoft has announced that they are rewriting TypeScript in Go. That doesn't mean that you'll be writing Go for the browser or anything like that. It means that the transpiler that converts TypeScript into JavaScript that runs in the browser will be written in Go, and their headline reason is 10 times faster. Oh, compilation times, not TypeScript run time, I don't imagine that will be changing substantially. TypeScript is not a runtime. Exactly. It just compiles to JavaScript. Correct. And it's going to compile to theoretically the same JavaScript with it, yes.
But it'll go faster, so it'll make your CI pipelines faster and your local like npm run dev and npm build and those sorts of things should go faster once this project is done. And they have a video and a blog post and the GitHub issue about it sort of talking about the concept of many other languages in Go is kind of a sweet spot they settled on. Yeah, the benchmarks they're showing here are super impressive. They're saying compiling the entire VS Code code base, which is like a million and half lines of code is down from 77 seconds to 7.5 seconds, which is slightly more than a 10% speed up. Playwright, which is like a lot of these libraries, let's see. They talk about the following code pieces, VS Code, Playwright, TypeORM, date-fns, tRPC and RxJS, I'm using five, like I've used five out of six in the last three months where I've started doing TypeScript professionally in the backend. All of these are like 10 to 14 times faster, which is literally a one order of magnitude faster. Super great for me. A lot of talk on why Go, a lot of talk on how this works, a lot of talk about how this happened, and we're hoping to find someone, ideally we'll talk to Anders himself if we can get some time on his calendar, if you can connect us, if you're working at Microsoft, we would really appreciate it. Yeah, they picked Go, which is interesting. A lot of the language stuff, like I don't know, all the new Python tooling, like uv and Ruff is in Rust. I was surprised to see Go picked as the tool here, but obviously it makes a lot of sense from various reasons, especially it's very fast to develop. I'm excited to see what kind of spillover this will happen to other JavaScript tools, because like esbuild is already written in Go, and it's incredibly fast.
But like when we get other linters and other build tools for the JavaScript ecosystem written in Go, I would expect we will, if only because this raises the awareness, but I suspect that there will be some tools that Microsoft builds that could easily be adapted to other problems, and it would just be great to have faster JavaScript build tools across the board, whether you're using TypeScript or not. Maybe things like Jest, like testing frameworks that are currently today in JavaScript and JavaScript mostly, and I feel they could be slightly faster. I always, when I work with these test execution tools versus like go test, I always feel a bit bad. But it's yeah, radically improving TypeScript performance. If you're like me and you have to work with TypeScript in the back end, this is great, great news for you. Do you feel like JavaScript or do you get to work with TypeScript? Well, you know what, I work with TypeScript in the back end, and I have to work with Python in the back end, that's my current situation. So we don't, we don't want to dive too much into it if we can find someone who's an expert, so connect us to an expert, please, please, please, and we'll keep it in the backlog, just in case we don't find one, and then we'll try to figure it out ourselves. That does it for what we have time for this episode. We actually plan to talk a bit on more things, but there's a catch up episode. We'll catch up to the backlog. If the Go community can stop innovating for two weeks and let me get up, I would really appreciate it. And yeah, let's take a short break.

As we mentioned at the top of the show, this show is listener supported, that support comes in many different forms. You can support the show by sharing it with a friend, with a colleague, with a student, with your pets, with your wife, whoever you know, the neighbor, the mailman, share this. We don't pay to advertise, the word of mouth is how people learn about the show.
You can also support us financially if you want to on Patreon. Shay is checking right now to see if we have any new Patreons to shout out to you. Shout out to Jay Martin, who became a member of Copper Gopher. Awesome. And became a part of our beautiful, beautiful audience, which is now 40, I think. 40. Not all of them are paying members, but all of them are very appreciated. And you know, some of the people who have been here a while, and you know, it's eight bucks a month or eight euros, like, you know, whoever or how much you want to give. But some people have been here for a while and these numbers like add up and, you know, some people have almost paid for a full episode and things like that. That's super, super appreciated. This is a hobby. There's somebody. But it's an expensive one. We need to pay for editing. We need to pay for hosting fees. Obviously, our time into doing the show. So it's a hobby. To learn about Go, like how else would I know what the IPv6 zone IDs are? But this helps. This helps a lot. Thanks a lot to all our beautiful Patreons, the newest one, Jay Martin. And the previous one is Jamie. And three before that is Jose. So if your name starts with Jay, you're a good bit to our Patreons audience. Yans. And there are a lot of Jay's in this crowd. The other way you can support us is just by joining our Cup o' Go Slack channel. We have 498 members there. So if you're not already there, wait for one of the person to come in first so you can be 500. But come join us there. We just chat about Go stuff that's not really very structured. You can share news items there, meetup conferences, blog posts. What do you think of relevance or irrelevance is welcome there too. And of course, you could leave a rating review wherever you listen to your podcast. That would also be helpful. One last quote unquote sponsor for this week's episode is my new company, Opsin.
If you're in the Bay Area and you want to come do engineering with me, we're looking for one founding engineer, just like one role to fill in the final piece of the puzzle of the founding team. You got to be pretty experienced, but just you can talk to me on some. Can you get to use TypeScript and Python? Don't let me, you get to work with me, isn't that enough? Yeah, so opsinsecurity.com/careers if you want to join the team. I'm having a lot of fun, like I'm bashing TypeScript and Python a little bit just because you got to complain about something. But obviously I'm enjoying this new place very much, otherwise I wouldn't be putting it on the show because I've been with the show for like two years and I've been here just like one month. So you know it's pretty good. All right.

Next round we have a couple lightning round items before we wrap up the show. Lightning round. My first submission for the lightning round is the asdf Go rewrite. So we talked about, you know, the big TypeScript rewrite because that has a lot of reach, but I actually love the rewrite of asdf. asdf is a tool that like, it used to be a bunch of bash scripts that help you like install stuff and manage your environment and things like that. I've actually used it and then stopped using it, but it's pretty good. You like asdf, I want this Python, asdf, I want this Node version, whatever, whatever. I've ended up using the specific environment tools for each one. So I use uv for Python and nvm for Node, like I have my tool set that I already know, but instead of a bunch of shell scripts that mess around with your bash like environment, whatever, this is now a single binary written in Go and it's seven times faster. So that's great.
I love these rewrites like a tool gets solid enough for performance to be the issue and then you pick Go as a good language and again, the main issue was performance but also maintainability like early on bash served them well, but then it's kind of harder to work with it, you know, and people contributed wrong bug fixes and it's hard to see type issues, blah, blah, blah, arrays in bash is very difficult, in bash everything is just a string. They go through this entire blog post, you can check it out and if you want to join like a pretty big and fun project, this is a good time to do it because now it's in Go. Cool.

So try do you think they use Cloudflare over there at asdf? Well, I assume they do like a lot of the internet traffic in general goes through Cloudflare. Yeah, right. Cloudflare has recently published an interesting article with a whole bunch of statistics about internet traffic because they see such large percentages of internet traffic. They can do some analysis on this traffic and come up with some interesting statistics. And one of the statistics they publish, it says we analyzed API traffic to identify the top languages used to develop API clients. So assuming this is a representative sample of the entire internet, a percentage of API traffic is done by, is done using clients written in a particular language. And Go comes out the highest, just edging out Node.js and Python, that's kind of interesting. I'm really curious how they determine that for one thing, and I imagine there's a lot of API traffic that just can't determine at all. So it's like this unknown bucket of stuff, but even so, it's interesting that Go APIs are so popular out there. And just goes to show that for specific workloads, Go is the number one choice today, I think, just in terms of popularity.

And one, my final thing for the roundup is very similar to the asdf one. It's about NVM Windows.
So a few episodes ago, I don't remember when I mentioned this project, NVM Windows, because it had a new release, which is NVM, which helps you manage Node versions on your machine, but for Windows. It has a section about why writing in Go, and not writing in Node. And I really liked the part in the readme, which says, "Well, I wanted to experiment with Go," which is why I picked Go over other languages. But the reason it didn't write NVM with Node is because writing a tool with a tool you're trying to install doesn't make a lot of sense to me. And this is something I felt a lot of times with Python tooling, where you have great Python tooling, but the bootstrapping experience is horrible, because you have to install some Python runtime, and then your machine is already, like, it already has two different Pythons on its path, and you're super annoyed. Obviously, it makes sense to write it in not necessarily in a different language, but just ship it as a single binary, and Go is a good option for that, right? Yeah, it makes sense. So I just like... So now you can write NVM, written in Go, TypeScript, written in Go. esbuild written in Go. We're getting there. Yeah, for sure. Getting over the world, Go would do all the things. I just like the fact that, you know, that specific part of the readme is the thing I'm bringing to the lightning round, not the entire project. But if you want to do NVM on Windows, that's another good option. Cool.

Well, I think that's a show. It's good to talk to you again, Shay, good to ramble about Go. Yeah, and same time zone. We have, like, similar entry because it's, like, early lunch for both of us. Exactly. Cool. If anybody's in the Bay Area and wants to hang out, I'm here now. I liked people who wanted to hang out when I was in Tel Aviv and didn't help Telia. So now I'm in the Bay Area, if you are as well. Talk to me on Slack. I haven't set up Slack on this machine yet, but I will after this lunch. Awesome. Until next time.
Yeah, have a nice weekend, everybody, right? That's the time zone. Yeah, yeah. We're good. Have a nice weekend, everybody. And that's it. Program exited. Bye-bye. Program exited. Goodbye.