3️⃣3️⃣3️⃣ Security patches for 3 Go versions, 3 meetups, planning our 3 year anniversary!

Jonathan Hall:

This show is supported by you, and boy, is it supported by you. Stick around for more about that in just a moment. This is Cup o' Go for 01/16/2026. Keep up to date with the important happenings in the Go community in about twenty minutes per week, maybe.

Shay Nehmad:

Twenty? We've never hit

Jonathan Hall:

the fifty minute mark. We're gonna try twenty. I'm Jonathan Hall.

Shay Nehmad:

I'm Shay Nehmad, and my New Year's resolution is to finish this show in twenty minutes. Even though this week we have a little more to talk about. Blah

Jonathan Hall:

blah. Last week was a long episode. I think our longest ever probably. But more about that in just a second. First up, right, hot off the press as of yesterday.

Jonathan Hall:

Go 1.26 RC2 is out with some security fixes and a bunch of other cool stuff that we talked about last week in what is proving to be our best episode ever.

Shay Nehmad:

Yeah. The 1.26 overview episode seems to, like, really bring people in. So if you ever thought about sharing the show with someone, last week's episode is, like, our best performing episode yet, which I'll I don't know. I'm excited about.

Jonathan Hall:

Yeah. It's it's pretty cool. So we've had over 1,500 listens since that episode went live, which makes it the best episode in terms of listens for the first two weeks. And it hasn't even been out a week yet. So we blew past the the one week threshold early, early on.

Jonathan Hall:

So share that episode with your friends. Do you

Shay Nehmad:

believe this indicates good things on our show or good things on 1.26? Like, it's gonna be the most highly adopted Go version ever because people like the version. Is it us or is it Go?

Jonathan Hall:

I don't think it's it's not me. It might be you, Shay. It actually

Shay Nehmad:

is a good question about the show in general. Like, were we to talk about, like, a worse language? If this was, like, Cup of Python, would people like the show the same? Or do people like the show because the language is good?

Jonathan Hall:

Maybe they like it better according to those dubious charts we've talked about in the show in the past.

Shay Nehmad:

I guess people just can't get enough of their goroutine leak protection or whatever. So what does RC2 stand for?

Jonathan Hall:

Yeah. Release Candidate 2, so that means this could be the final version of Go 1.26, which is scheduled to be released in a couple weeks or so, sometime next month probably.

Shay Nehmad:

Although, usually, they go to RC3 and RC4, if I if I

Jonathan Hall:

remember the Probably. I mean, it's it's basically, if they find any showstoppers, they'll fix them. And showstoppers could be a a serious bug they've discovered, which the odds of that are diminishingly low as time goes on. You know, usually those bugs are discovered early. But it could also be security releases, security fixes, which is of course what the main thing happened here was.

Jonathan Hall:

There were a number of security fixes, which are also included in Go 1.25.6, which I hope you can educate me on because I haven't read through them yet.

Shay Nehmad:

All right. There are a lot of them. We're not gonna go through all of them, but as usual, update your Go versions. 1.24.12, 1.25.6, and 1.26 RC2 include all these fixes. It's like this awkward window where all three versions are sort of active, right? Before 1.26 is officially in and 1.24 is officially out.

Shay Nehmad:

But there are six security fixes. I think, again, what I like about these is that most of them are pretty understandable. Like, I could give you the primitive and I guess you could guess the vulnerability. We could we could play that game. Let's see.

Shay Nehmad:

You know, Wheel of Fortune, could be like Wheel of Ida, can you find the vulnerability in So the the first security fix on this release is from Jacob Koelek. I hope I'm saying that correctly. And I I should learn that name because we've talked about Jacob a few times already on the show. Jacob or Jacob Koelek. I hope I'm saying that correctly.

Shay Nehmad:

I'm probably not. Reported it. Really cool things. I I think it's an interesting find because it sounds obvious in hindsight, but these are the things that are exactly very hard to find. Super cool.

Shay Nehmad:

A a great find. Yes. Finding vulnerabilities in Go, which

Jonathan Hall:

is By the way, Jacob, come on the show. We'd love to talk to you.

Shay Nehmad:

Answer my LinkedIn messages, Jacob. So the first one is in the zip the archive/zip library, which is fixing a denial of service. When you parse a zip file, if you think about it, it includes all the data inside it and some, you know, headers that help you figure out, you know, what to fix, what to parse, sorry. And the algorithm that does that, the file name indexing algorithm, is super linear, which I don't know if it's what that means. I just think it's, like, linear.

Shay Nehmad:

Maybe it's worse

Jonathan Hall:

Linear than seems like like yeah. I don't know what

Shay Nehmad:

Linear in terms of the runtime.

Jonathan Hall:

Right.

Shay Nehmad:

Right.

Jonathan Hall:

And Like, linear means, like, O(1). Right? So simply be like, O(1) n?

Shay Nehmad:

Actually, I think linear means O(n), not O

Jonathan Hall:

(1). You're right. Right. O(n). You're right.

Jonathan Hall:

You're right. You're right. So it's like it's like O(n) times one or something. I have no idea what super linear means.

Shay Nehmad:

Anyway, when you construct a zip file that's maliciously constructed, you can make that algorithm just get all hairy and cause a denial of service. I wonder who like, where that hits people because I know that people use zip all the time. I can't remember a single time I imported the package.

Jonathan Hall:

I've I've imported it a few times, mostly because I had to consume something from somewhere else.

Shay Nehmad:

So you you would be vulnerable to this?

Jonathan Hall:

Probably, yeah.

Shay Nehmad:

If someone gave you, like, an untrusted zip file, you know, user upload, they could DoS your server, but no more, which is good. Same. Similar thing in net/http, so memory exhaustion in Request.ParseForm. Again, if you provide a very large number of key value pairs, you can cause a denial of service.

Shay Nehmad:

This was reported by someone else, and it's in a different library, but it's exactly the same sort of primitive, you know what I mean? Like, oh, you this could just pass a big list of things. This was reported by Julien Cretel, or jub0bs. jub0bs. Yeah.

Shay Nehmad:

Which I think we also mentioned on the show before. Don't exactly remember when, but I remember that name. It's funny, like, seeing, you know, these names pop up again. Other fixes are slightly less exciting in my opinion. It's like crypto/tls, you know, you copy some automated, generated ticket keys.

Shay Nehmad:

So when you resume a session, your expiration isn't exactly a 100% correct.

Jonathan Hall:

I have to call something out though on this one. This yeah. It's it's only crypto/tls. Who cares about that?

Shay Nehmad:

No. I mean, it's important.

Jonathan Hall:

It was reported by a 19-year-old high school student.

Shay Nehmad:

Oh, no way.

Jonathan Hall:

Yeah. What do

Shay Nehmad:

you mean?

Jonathan Hall:

Koya Prunt? I hope I said that right. At least their GitHub profile says they're a 19-year-old high school student. So, that's pretty cool. Way to way to get involved early.

Shay Nehmad:

Very, very cool. I love the genre, you know, people on the on the Internet who are like anime avatar. It's like, it's beyond my in my opinion, it's beyond my my age group already that I I literally can't understand it. Their website is, by the way, blog.gov.cooking. That's awesome.

Shay Nehmad:

Which is great. It's also, I think, in Chinese or Japanese because I can

Jonathan Hall:

I can definitely claim to be in China, so I would assume Chinese, but I can't read the language, so it's the same to me?

Shay Nehmad:

Very, very cool RBQVQ. If you are indeed a 19-year-old high school student from China and not a psyop operation to do something else. But it is a worthy shout out. Very, very cool. I wonder what's the who's the youngest person doing Go?

Shay Nehmad:

You know, people are getting into programming very early.

Jonathan Hall:

I started programming when I was eight, but it was it was not in Go, of course.

Shay Nehmad:

What do you consider programming? Because I did a super advanced PowerPoint presentation. No. No? It doesn't it literally had the Visual Basic script in it.

Jonathan Hall:

Okay. The VB script would be considered programming, yes.

Shay Nehmad:

Then 11, I wanna say. Ten, eleven, something like that. But Go is, like, such a second language sort of thing, you know what I mean? Like, you can't imagine someone trying to We we had that discussion. We've discussed that, yeah, yeah.

Shay Nehmad:

Very, very cool Koya Prunt. One bypass of flag sanitization that can lead to arbitrary code execution. This was reported by GMO Flatt Security, RyotaK. Also, again, a 21-year-old security researcher and, you know, this like sort of anime, chibi style site, which I like. And also, I I don't know what this language is, just straight up. It might be Japanese from a GMO Flatt Security, might be Japanese.

Shay Nehmad:

But a very cool vulnerability, like talking about the vulnerability in another person, it's just you're allowed to pass flags that are not safelisted, which might lead to arbitrary code execution. It's it's a bit of a stretch, but you could pass, like, you know, a flag and then inject something into the bash terminal that you're running the command into. Mhmm. If you're using the cgo pkg-config. So you could have, like, a pkg-config binary run with flags that are not safelisted.

Shay Nehmad:

So it could be like da da da, and then, you know, semicolon, rm -rf, or something like that. Again, a similar but not exactly the same sort of vulnerability reported by someone else, splitline from the DEVCORE research team. Apparently, what, what version control system do you use? Have you used others recently? Recently,

Jonathan Hall:

no. I've used some version in the long, long ancient history, past, ages ago. Can barely spell SVN anymore.

Shay Nehmad:

I used SVN a lot, which I like because now whenever I commit something and I wanna skip the the verify, like the pre-commit, I do my commit mentions me, like, you know, I the command reminds me of SVN because I do git git commit minus s for the signed off, v for the verbose in the commit editor, and then n for no verify. So it's git commit -svn, which feels like poetic justice. And I've used TFS in the past and whatever, but a lot of people still use Mercurial or JJ or things like that.

Jonathan Hall:

JJ's a pretty new one though, right?

Shay Nehmad:

Yeah, I haven't played around with it yet, but I'm not I'm actually not anxious to, I really like it, I have no problem with it. But apparently, if you have, you know, various VCSs installed, there was a way to have unexpected code execution when you invoke the Go toolchain. Oh. Because on Mercurial, you could like download modules, you know, when you do go get or whatever from custom domains. And it's just because of how the VCS command is constructed.

Shay Nehmad:

On Git, you know, you can give the specific malicious version string to a toolchain, and it will cause some problems. So now it's just using safer VCS operations to do it and also just disallow a version that starts with, like, minus or backward slash. So you can't, like, have these shenanigans because that's not a valid version anyway. So, yeah, a lot of security fixes. One final one, again, from Koya Prunt.

Shay Nehmad:

It's a handshake that may be pre processed in the incorrect encryption level, also in crypto/tls. The previous vulnerability we talked about from Koya was discovered while investigating this one. So the team, Koya reported this one, and then the team found out the the Config.Clone copies of the session keys. Generally, a pretty serious release with, you know, a pretty wide attack surface that's being closed, so I'd highly recommend just upgrade. And also diving into these implementations, if you're into security, sounds like a pretty good idea.

Shay Nehmad:

Cool. Sounds like a pretty fun idea, by the way. So how does one go we always recommend you should upgrade. What's the physical thing I need to do to upgrade my my Go version?

Jonathan Hall:

These days, all you really need to do is update your go.mod to the new version, and it will download the new version. And depending on how you build for deployment, that that's that may be enough as well. I also tend to update my Dockerfiles to pull in the latest you know, the the image based on the new version of Go. That would not strictly be necessary because the go.mod

Jonathan Hall:

will instruct the Go toolchain to download the that version of Go. So even if you're, say, building on a Docker image from Go 1.2, if you update go.mod, you'll you'll build from Go 1.23 Docker image. That image will download Go 1.25.6 at build time. So it's less efficient, but it would still give you the latest version of Go.

Jonathan Hall:

But yeah, I tend to update my go.mod, my Dockerfile, and then my CI scripts to use the latest version.

Shay Nehmad:

Sounds good. So you have a recipe as well.

Jonathan Hall:

Yeah, more or less. And then I often forget to do this till later, but my local version of Go, it's nice to have that on the latest version too. It doesn't matter if I'm in a Go module because it uses whatever version go.mod specifies. But if I'm outside of a Go module and I try to install a tool, sometimes I get version mismatches or something.

Jonathan Hall:

It's annoying.

Shay Nehmad:

Cool. Alright. Now on to our second, debate. Is it Czechia or Czech Republic?

Jonathan Hall:

I am not the one to ask. I've been there, but, yeah, I don't I don't have any idea.

Shay Nehmad:

Why are we talking about Czechia or Czech Republic?

Jonathan Hall:

Yeah. Because they're they're they like Go over there. And in April, GopherCamp 2026 will be happening. It was just announced recently. Head over to gophercamp.cz and click that get tickets button.

Jonathan Hall:

They're actually pretty cheap. Super early bird is only €42 until January 18. You have two days. Better hurry. If you don't do that, you'll have to

Shay Nehmad:

pay the full price of €89. And there are group student discounts if you have a student ID. Why would I go there, though? What's GopherCamp all about?

Jonathan Hall:

About Go.

Shay Nehmad:

Well, that makes sense.

Jonathan Hall:

You can also, submit a talk, and then we'll know more about what it's about. So it could be about whatever you wanna talk about. The call for speakers is still open. They are looking for thirty minute regular talks, ten minute lightning talks, and ninety minute plus workshops. Until that is a little more complete, I don't think we actually know what the topics will be.

Jonathan Hall:

We can look at last year's GopherCamp videos to get a a sense of what it might be like. Understanding runtime traces.

Shay Nehmad:

It's gonna be two days now. We're talking about the tickets. €42 for two days.

Jonathan Hall:

I mean, if I still lived in Europe, I would be jumping on this. I I can drive I I could have driven there from where I live. I mean, it's a long drive, but I I did it before.

Shay Nehmad:

Technically, you know, you can drive Canada Alaska.

Jonathan Hall:

Technically, I should do it now with the if I include at least one ferry and several weeks of travel time.

Shay Nehmad:

Although I don't know if you wanna travel through the entire path right now. Yeah. Hope every single mile of it is safe.

Jonathan Hall:

Safe as a crib. But, anyway, I know a bunch of folks who will be easy to travel to.

Shay Nehmad:

So we'll we'll watch this and update you when the when the talks are there. I think at least I know of at least one person who's gonna be there, Bill Kennedy. So Bill Kennedy is is gonna be there. We had Bill on the show, of course, and if you're into Go, you probably heard of Bill.

Jonathan Hall:

Building a lot of training material. I've written well over 100 blogs. I've written the books. I'm really focused a lot today on trying to teach software design as opposed to software design in Go and Kubernetes and Encore as opposed to, like like language mechanics now.

Shay Nehmad:

So, yeah, Bill's gonna be there as well. I won't be. Although I'll fly over, I think same dates because I'm thinking I'll be in Israel at that time. But, seems like a great event if you're in Europe.

Jonathan Hall:

Awesome. Well, I think that we're coming up on our twenty minute mark. It is time to move into the lightning round. Yes. Let's start.

Shay Nehmad:

Lightning round.

Jonathan Hall:

Start us off, Shay.

Shay Nehmad:

My thing for the lightning round is a blog post on Medium that I found very useful last year, and it's been languishing on our backlog since October 10. But it's how to get consistent classification from inconsistent LLMs. So where I work, we use LLMs for classification. So, you know, get some content and try to classify it. We have our own methods for evaluation and whatever.

Shay Nehmad:

You know, you it's a very reasonable use case. Right? Take this tweet and classify it if it's either complain about political party or complain about, you know, technology. For our use case, it's cybersecurity. Right?

Shay Nehmad:

So take this file and and file name and try to predict whether it's financial information or like personal health information or whatever. So this is a very data science y blog post. Why am I talking about it in a Go podcast? It's because the code is in Go. It's called Consistent Classifier by French Majesty on GitHub.

Shay Nehmad:

So if you're doing AI stuff in Go, you know, the this is if you're doing like API plumbing in Go basically, and it goes to an LLM or classification, this is a great blog post for you. I was just surprised to read it in the end. Was like a 100% expecting it to be in R or in Python. And I was like Go and

Jonathan Hall:

I was like, awesome. Well, I have another it's also written in Go item. It's called NGINX UI, but you'll never guess what it is. I'll I'll I'll I'll spoil the suspense. It's an NGINX UI.

Jonathan Hall:

Oh, no. Yet another NGINX web UI. I guess this is, like, for administrating your NGINX system or cluster, provides online statistics for server indicators, automatic configuration backup, cluster management, encryption management, etcetera, etcetera. And it's written in Go, of course, and it's open source, an AGPL-3 license. So, yeah, if you use NGINX, it claims to be yet another NGINX web UI.

Jonathan Hall:

I've never used an NGINX web UI, so I don't know what other options are out there. But this one's probably the best since it's obviously written in Go.

Shay Nehmad:

Yes. I mean, there is one nice thing about it other than the fact that it's written in Go, which I think is useful, which is it has an MCP server. So I could imagine, you know, you just talking in your cursor and being like, hey, can you use the NGINX MCP server and check if it's down or whatever? That could be cool. And, course, it has dark mode, which is Yeah.

Jonathan Hall:

That's what I was gonna call it. That's the killer feature. It has dark mode. So I I can Do

Shay Nehmad:

you use NGINX right now on one of your partners?

Jonathan Hall:

I do use NGINX fairly regularly, but not for anything very interesting. Like, it's often sort of the base for a static website container. Can

Shay Nehmad:

I tell the really fun NGINX bug I had? Okay. Twenty seconds because it's a lightning round. So, I had monitoring on the NGINX logs, and every now and then I saw the monitor would jump on, like, on the HTTP errors, right? So, it was looking for 503s to find, like, problems in NGINX, and they would alert us like, you know, every now and then, and we didn't know what's up because we investigated and we couldn't find any stack trace, we couldn't find any problem like, oh my God, it's a statistical crash in the NGINX server, what's going on?

Shay Nehmad:

It turns out one of our users' login, like, email details were exactly 503 bytes long. And instead of just looking for the HTTP code, because the NGINX wasn't the NGINX logs was text, like the default NGINX format and not JSON, we were just literally looking for contains 503. I spent, like, two months of my life on that. And from that day forward, no production system I have ever written was logged without JSON.

Shay Nehmad:

From that day forward, structured logging. So, if you want another NGINX web UI, go check that out. I think it's pretty cool. Cool. Alright, that's it for the items.

Shay Nehmad:

We need to go to an ad break.

Jonathan Hall:

Yay.

Shay Nehmad:

I'm stressed out to keep this in under twenty minutes. I think we already failed. We did. Well, it's a new year. You'll forgive us.

Jonathan Hall:

Thanks for listening. Thanks for making our last episode a big success. Continue to share the show with your friends and colleagues. That's the best way you can support the show. Honestly, I mean, I love getting Patreons.

Jonathan Hall:

It's it's nice to have that vote of financial confidence. But just hearing feedback from listeners and seeing the numbers go up, that's I don't see. That's why I keep doing it. So we we love your support. We're happy to do this.

Jonathan Hall:

Support the show by by sharing it and leaving a rating or a comment wherever you listen to your podcast. You can also support the show by buying some swag if you like. We sell T shirts and mugs, of course, because of the coffee theme. cupogo.dev. There you can find all the links to past episodes and a link to our swag store.

Jonathan Hall:

I think that's about all I want to say about supporting the show, but we do have an important benchmark coming up, Shay. Oh. We have been doing this show almost three years, which honestly amazes me. I wasn't expecting to do

Shay Nehmad:

it this long when we started. Definitely not.

Jonathan Hall:

Next week will be our third year our three year anniversary.

Shay Nehmad:

Which, by the way, just shows, like, we've been pretty consistent as well because we've had 140 episodes. It's like 2.7 if we, you know you know what I mean? We only missed 0.3 of a year. Mhmm. It was like a 140 divided by 52.

Shay Nehmad:

It's almost, we've been on, like, consistently every week. I don't know. When did we stop? It was, like, probably October, like, October 7 we took a while off while I was not Yeah.

Jonathan Hall:

Mean, we we've taken a few days a few weeks off for holidays and and for summer vacation. For

Shay Nehmad:

wars. For wars. Yeah. Various reasons. Cool.

Shay Nehmad:

So, yeah, it's our three year anniversary and we decided this time to celebrate by hearing what you all have to say. And the way we're gonna do that is we posted a thing on Patreon, but it's avail it should be available to everybody. We want you to send in your voice notes, just, like, a thirty second ish voice note. You can record it in whatever just on your device while you're walking around and send it to us on Slack or at news@cupogo.dev.

Shay Nehmad:

You can talk about whatever you want. We have some guiding questions. Have you learned anything that was actually useful from the show? If so, what was it? What's your favorite part of Cup o' Go?

Shay Nehmad:

And the suggestion box, like, if you have a suggestion to improve the show. And if we get enough of these voice notes, we'll have, like, a sort of a Frasier-y episode, you know what I mean, where you talk and we listen, radio psychologist sort of thing, where we hear what you all have to say. But I agree with Jonathan. It's mostly thanks to you for listening and sharing the show. It's been a huge driver for continuing to do this other than learning.

Jonathan Hall:

And I think the last item we have before we close out this not twenty minute episode is an update on your San Francisco meetup.

Shay Nehmad:

Yes. Nepotism wins again, and we're gonna update only on my meetups because this is my show. And if you don't like it, you can If

Jonathan Hall:

you don't like that, send us your meetups, then we'll include them in the show too.

Shay Nehmad:

Honestly, please do that. Absolutely. But we have two meetups coming up in San Francisco. Go Rumors meetup in San Francisco hosted by Quantcast on January 28, 5:30 PM, on a Wednesday. We would really I would really love for you to RSVP and come.

Shay Nehmad:

We have about 30 ish people attending, which I assume that means 20 people actually showing up in my organizer experience. But there's gonna be a talk by Max de Mulan. We're gonna do a live episode recording and, Preetam from Funnel Story is gonna tell how they're doing Go testing. We're gonna have like the normal job board where people can advertise if they have open roles or if they're available to for work. And yeah, it's gonna it's gonna be a big a lot of fun in, like, smack dab in the middle of, San Francisco in the, you know, right next to Moscone Station, so very easy to get there.

Shay Nehmad:

And there's gonna be another meetup in March. If you wanna decide what date that's gonna be, there's polls on, there's a poll, like a Google Form thing I set up that you could decide whether it's March 23, March 25, or March 26. And then probably, like, next week or probably the, sorry, on the twenty eighth when we're gonna do the live episode and we're gonna have the meetup, we're gonna lock down that date as well. So two meetups coming up in San Francisco. If you're in the Bay Area, I would love to meet you.

Shay Nehmad:

That's it on the SF updates. I think that does it for this episode as well. Right?

Jonathan Hall:

I think so too. I think we're done.

Shay Nehmad:

Send us your voice notes, please, please, please. If there's only gonna be, like, three of them, we're probably not gonna do that that plan.

Jonathan Hall:

Sounds great.

Shay Nehmad:

Program exited, guys. Goodbye. Program exited. Goodbye.

Creators and Guests

Jonathan Hall (Host): Freelance Gopher, Continuous Delivery consultant, and host of the Boldly Go YouTube channel.
Shay Nehmad (Host): Engineering Enablement Architect @ Orca