Go 1.26.2 is a beast. Go upgrade!

Jonathan Hall:

This show was supported by you, our listener. Stick around to laugh for the news to hear more about that. This is Cup o' Go for Friday, 04/10/2026. Stay up to date with the important happenings of the Go community in about twenty minutes or so per week. I'm Jonathan Hall.

Pato Whittingslow:

And I'm Pato Whittingslow

Jonathan Hall:

Pato, welcome to the show.

Pato Whittingslow:

Thank you, John. Glad to be here.

Jonathan Hall:

Thanks for joining today. Yeah. I'm so glad you were able to step up and take care of recording this show while Shay is off being a lazy butt or whatever he's doing.

Pato Whittingslow:

I don't

Jonathan Hall:

know what he's doing. I think he's skiing or hoping to be. So we've got an interesting show coming up for you today. We're basically gonna be going through all the security fixes that were added in Go 1.26.2 and 1.25.9, which just came out earlier this week, I think on Tuesday. It's a big one.

Jonathan Hall:

So there's a bunch of things to do. You definitely wanna upgrade, and we're gonna tell you why. Before we do that, though, we have a quick CFP to announce. GopherCon UK 2026 is coming up, the CFP is open. This will be happening in London at their brewery.

Jonathan Hall:

I think I'll buy my tickets right now. I like London, and I like breweries. So what's what's to miss? And like go. Why wouldn't I go?

Jonathan Hall:

Anyway, the CFP is open until April 17. The conference itself happens in August. So if you'd like to speak at GopherCon UK, link is in the description. Go send them a CFP. I'll probably fill one out here too.

Jonathan Hall:

Have you ever spoken at a conference, Patricio?

Pato Whittingslow:

Yes. I haven't. Yeah. I love speaking at Go conferences. Cool.

Pato Whittingslow:

Try to make one every year.

Jonathan Hall:

You think you'll make it to GopherCon UK?

Pato Whittingslow:

I actually submitted a proposal for GopherCon UK. I'm still awaiting a response.

Jonathan Hall:

Of course. Nice. Awesome. Alright. Well, I'll submit one too.

Jonathan Hall:

And if we're lucky, we'll both be there at the same time presenting.

Pato Whittingslow:

Alright. Let's go. I hope so.

Jonathan Hall:

Otherwise, let's talk about the security release. I mentioned this is a big one. 10 individual CVEs have all been fixed. Why don't you tell us about the first one?

Pato Whittingslow:

Oh, wow. Yeah. This one, big, big issues, first of all. We got a lot of stuff that has been fixed, so props to the people. Most of these or all of these have been found by people of the Go community.

Pato Whittingslow:

So Mhmm. Good job there, peeps. And first one is os.Root.Chmod can follow symlinks out of root on Linux.

Jonathan Hall:

That sounds nasty.

Pato Whittingslow:

That sounds like something you don't want to ever happen because this is the os.Root abstraction that was added one year ago, I believe. And it's basically supposed to contain access to the file system. And this is such a case where the access is non contained. The vulnerability exploits symlink following. As so often happens with, like, this symlink following is a very common exploit in these, so sort of thank you, Ugan Bayar.

Pato Whittingslow:

Oh my I'm not gonna I made a mistake. I I tried saying the the person's name, but I can't. So thank you for reporting this. Sorry about your name. Yeah.

Pato Whittingslow:

Issue is 78293.

Jonathan Hall:

I suppose the the thing is, like, you have to special case symlink following for every access path, I'm imagining. And that's why this one got missed because, like, the first thing I would think of when I'm building a root abstraction is symlinks. I have to fix symlinks. That's that's, like, the one thing you have to to solve. Right?

Pato Whittingslow:

Yeah. Yeah. Absolutely.

Jonathan Hall:

So I imagine that this is a case where it has to be special-cased in many different code paths and they missed one.

Pato Whittingslow:

Mhmm.

Jonathan Hall:

I'm also trying to imagine how you would exploit this. I suppose I mean, Chmod isn't, like, the most destructive thing you could do. But I suppose you could, like, open you know, set the permissions on something you're not supposed to read to be readable. So that actually could be pretty serious, couldn't it?

Pato Whittingslow:

Right. So you're not gonna be accessing you're not gonna be yeah. You this might be like an out of band attack. Right? Like, you edit something elsewhere, something you don't have access to.

Pato Whittingslow:

And maybe somehow you Or find a way to read maybe

Jonathan Hall:

you chmod /etc/sudoers to make it world editable.

Pato Whittingslow:

Oh. Oh. That could be

Jonathan Hall:

pretty nasty. Yeah.

Pato Whittingslow:

That's a scary one.

Jonathan Hall:

So, yeah, this this is serious. You should definitely go upgrade your your Go version right now if you use this root thing. Alright. Next up. Who who would have guessed there's an HTML template bug?

Jonathan Hall:

This never happened. So the issue here is with JS template literal context was incorrectly tracked. So basically, I don't know exactly how this would be exploited or even triggered, but the way html/template tracks JavaScript literals, it was not doing it completely correctly, and it could lead to some incorrect escaping of stuff, which could potentially lead to cross-site scripting vulnerabilities. So probably a little bit less serious in general than Chmod, but you should also go upgrade anyway. So

Pato Whittingslow:

That will be a common theme because there's many. The next one is unbounded allocation when parsing old-format GNU sparse maps in the tar reader. So this is the archive/tar package. Basically, you have an unbounded allocation, a potential unbounded allocation. It's an old format, which is affected still. If your service is exposed to user input, specifically tar reading, you want to upgrade as soon as possible because users are able to basically explode your memory usage by crafting a I think these are called tar bombs.

Pato Whittingslow:

There's like a name for these

Jonathan Hall:

Nice.

Pato Whittingslow:

These kind of files that sort of use up all your resources.

Jonathan Hall:

I didn't realize that was a thing that tar supported. And then when it says old format, so maybe it's been deprecated, but, of course, you still have to support it.

Pato Whittingslow:

Yeah. Interesting. It's it's been so the thanks also goes out to this person whose name I will not pronounce. I'm so sorry. But and Yaqoub.

Pato Whittingslow:

Think that's how you say his name. Right? Yacoub.

Jonathan Hall:

You're right. Yeah. Yacoub was it Todor?

Pato Whittingslow:

Todor. Is that the one?

Jonathan Hall:

Yes. Think so. I think that's I think I said it right this time.

Pato Whittingslow:

Alright. Yeah. That's issue 78,301, in case you're interested.

Jonathan Hall:

And, of course, we'll have a link to the full description here in the show notes, or you can find it on the golang-nuts mailing list or the golang-announce mailing list. Sorry. So next up is an actual compiler bug about some memory corruption. So previously slices and arrays were accessed using induction variables and sometimes incorrectly proved to be in bounds when I guess it should have been out of bounds. Right?

Jonathan Hall:

So if it made the wrong conclusion about whether this was in bounds versus out of bounds, it would do the wrong thing and result in memory corruption. So it doesn't specify whether this could ever actually produce incorrect Go programs, but I suspect the answer is it's undefined. Like, once the compiler's memory is corrupted, kind of all bets are off. Probably more likely, it would create invalid output or crash, but I suppose it's possible that in some cases it might produce the wrong output and you wouldn't notice.

Pato Whittingslow:

Okay. So this would affect your compiled program. Right?

Jonathan Hall:

I think the direct impact is on the compiler. As you're running, like, go build or go run Mhmm. The Go compiler itself has corrupted memory. It's not clear to me from the description here whether this could actually produce bad output. I don't know if it would do that, but I suppose the conclusion is it likely could in certain circumstances.

Jonathan Hall:

So you should go upgrade.

Pato Whittingslow:

Go upgrade. That sounds like a good idea.

Jonathan Hall:

There's a whole bunch more. We're not gonna go through all of them. If we do this for every one, you're gonna be so tired of hearing us say go upgrade. But let's just breeze through some of the remainders here. There's a number of cryptographic related things, crypto/x509, DNS constraints not properly applied to wildcard domains.

Jonathan Hall:

We've talked about similar bugs in the past, I think.

Pato Whittingslow:

There's also the unexpected work during chain building, also in the x509 package, and inefficient policy validation. So validating certificate chains is unexpectedly inefficient.

Jonathan Hall:

There's also another compiler bug. No-op interface conversion could bypass overlap checking. So this, I think, would actually produce bad programs, or it might not do all the type checking or overlap checking it should. So you could accidentally produce a program that shouldn't compile. Like, it should produce an error, but it compiles instead is how I'm reading this.

Jonathan Hall:

So go upgrade.

Pato Whittingslow:

Also, TLS, multiple KeyUpdate handshake messages can cause connection to deadlock. Scary. Nice.

Jonathan Hall:

When I try to shake multiple hands at the same time, I tend to reach a deadlock as well. So I can understand.

Pato Whittingslow:

Alright. Yeah.

Jonathan Hall:

The

Pato Whittingslow:

the overarching theme here is go upgrade your Go programs immediately.

Jonathan Hall:

Here's another one from the go command, trust layer bypass when using cgo and SWIG. I don't actually know what SWIG is.

Pato Whittingslow:

Isn't that like a generator for, like, bindings to other languages? Like, you got, like, a library on another language?

Jonathan Hall:

I think

Pato Whittingslow:

that's what that is.

Jonathan Hall:

So if you're using cgo, you wanna upgrade. Okay. So, yeah, I think the bottom line here is, like, some of these obviously won't affect everybody. Root.Chmod won't affect me because I don't use Root. html/template probably won't affect me because I don't use JavaScript in my templates very often, etcetera, etcetera.

Jonathan Hall:

But the compiler ones, they're going to affect me. So basically, everybody should upgrade. There's really very little reason that you would consider yourself an exclusion, I think, from this one. So, yeah, go upgrade. What do you think?

Jonathan Hall:

What what what's your advice, Pato?

Pato Whittingslow:

I think, you know, I've rethought about this one, and I think you should upgrade if Alright. You're using

Jonathan Hall:

Well, I'm going to go do that here in just a few minutes. But before I do, we're going to take a quick break, and we're going to we're going have a lightning round with some interesting topics before I go do my upgrade. Thanks everybody for listening. We we love you. We're glad you're listening to our our show, and we're glad we've had some great volunteers pop up here to help host while Shay is gone.

Jonathan Hall:

I think we have one more week without him, if I'm remembering. I don't remember. It's gonna be a surprise for me too who the host is

Pato Whittingslow:

next week,

Jonathan Hall:

but stick around for that. So aside from hosting the show, there are other ways you can support the show. A great way is just to share the show with your friends and colleagues and students and pets and whatever else, all your pet gophers. Make sure that they know about the show. You can also support us financially if you want to help pay for this expensive hobby by becoming a patron on Patreon, and you can leave a rating and review.

Jonathan Hall:

I'm going to just leave it quick and short like that. I suppose one of the ways you could help support me is I'm looking for new clients. So if you need somebody to help you with your Go project, reach out to me. I have a bunch of availability lately because I'm just ending a contract. So let's move on to the lightning round.

Pato Whittingslow:

Lightning round.

Jonathan Hall:

Pato. You came up with some great lightning round topics here. Why don't you take the first one?

Pato Whittingslow:

Oh, yes. Well, this great idea I came up with is actually a bit of I'm selling a library I've made, lneto. So this is a user space networking stack. It's super lightweight, heapless, almost heapless if we're going to be strict about the meaning of heapless. And you can use it to run networking on microcontrollers where you don't have an operating system like Linux, which does the networking for you.

Pato Whittingslow:

Or if you're doing some networking heavy P2P stuff like maybe Tailscale or NetBird is doing, you could use it to replace gVisor in those places. So cool package I built over the last year and a half and yeah, looking for more users and more experiences.

Jonathan Hall:

Very cool. The one I wanna talk about, this isn't directly Go related, but it comes from someone we've had on the show and we've talked about on the show frequently who is a Go developer, Filippo Valsorda. He recently published a new blog post about quantum crypto. And you've read this too, right, Pato?

Pato Whittingslow:

Yes. Yes. A pretty, like, how do you say, pretty striking message, if you ask me. Like, there's basically, if I were to sum this up, it would be, like, the future for non quantum cryptography looks bleak. Like and talking about near future.

Pato Whittingslow:

No. Ten years from now.

Jonathan Hall:

Yeah. So the the TLDR here, he says, in summary, it might be that in ten years, the predictions will turn out to be wrong, but at this point, they might also be right, and that risk is now unacceptable. What risk? Basically, the idea that I mean, I think we're all always vaguely familiar with the idea that quantum computing is a thing. It's in early stages, but it's coming or almost certainly coming, and it could have serious impacts on cryptography.

Jonathan Hall:

Like a quantum computer could potentially break today's strongest crypto algorithms very quickly. And he talks about two papers, one from Google, another one from Oromatic, showing that they're able to basically break standard cryptography much more quickly than previously thought possible using crypto or not crypto, using quantum computing. So the sort of doomsday scenario is probably much closer or potentially much closer than we previously thought in the worst case scenario. So this isn't, like, proven that this is gonna destroy crypto in the next n number of years, but it looks like the worst case scenario is sooner than it might previously have been thought. Is that how you read it too?

Pato Whittingslow:

Yeah. Yeah. And the one takeaway Filippo gives is don't even bother with hybrid authentication, like classic plus post-quantum. Just, if you can, go straight for something pure quantum like ML-DSA-44. I think that's, like, the nugget of wisdom Filippo is trying to get across.

Jonathan Hall:

Yep. Alright. We're not gonna talk too much about that since it's supposed to be a lightning round, but the link is in the show notes, and you could also subscribe to his blog and get these in your mailbox if that's interesting to you. One other one. This one, I'm gonna let you talk about it, but it's interesting to me too.

Jonathan Hall:

Go ahead and tell us what this one is.

Pato Whittingslow:

Oh, yeah. Go can now run on ESP32 microcontrollers. So in case you're not familiar with the microcontroller embedded Go world, TinyGo is like a compiler, just like the Go compiler, that can compile to much smaller architectures, much smaller places. Instead of your typical one megabyte sized hello world binary, you can get a couple of kilobyte sized executable. And this allows us to also compile for microcontrollers where memory is very limited.

Pato Whittingslow:

One of these microcontrollers is the ESP32. It's a WiFi plus Bluetooth chip, which is very cheap. That's why it's

Jonathan Hall:

Like $5, right?

Pato Whittingslow:

Yeah. Something like that. And you basically power it with a very small, like, power source. It has basically no current draw. And so you can have, like, a web server for $5 running in your room.

Pato Whittingslow:

And, yeah, it's cool for some people like me. I find this absolutely so much fun.

Jonathan Hall:

And I have a couple of ESP32s that I haven't started using yet, but my intention is to set them up for some home automation tasks to integrate with Home Assistant.

Pato Whittingslow:

Oh, yeah. Awesome.

Jonathan Hall:

Yeah. I don't know if ESPHome has any Go support yet or will, but

Pato Whittingslow:

We welcome PRs that implement ESPHome maybe. Nice.

Jonathan Hall:

Yeah. Yeah. Awesome. Yeah. It's pretty cool.

Jonathan Hall:

How are you using Go on an ESP32, or is it just experimental at this point for you?

Pato Whittingslow:

I mean, I'm not a fan of the ESP32s, even though, you know, everyone sorry. I'm getting away from the microphone just to show you something I have next to my desk. I got, like, my production server running. Let me unhook this so I can show it to you on camera.

Jonathan Hall:

Sorry for the listeners at home who won't be able to see this. I'll do my best to describe it with words. It looks like a PCB plugged into another PCB at a 90 degree angle with a USB cable sticking out of it, and an Ethernet cable on the other side. Yeah.

Jonathan Hall:

Okay.

Pato Whittingslow:

So this is not an ESP32. That's a Raspberry Pi Pico. And this is my production server. It's running connected to the Internet. Although, right now, I've redirected the port, so you won't be able to look at the website.

Pato Whittingslow:

And I'm running lneto on that. And basically, it has a networking stack, a whole server running. And it's got a little application which just lets you, like, send a message to it, and it's displayed to all the users who access the website.

Jonathan Hall:

Sort of a multicast. If a 100 people are logged into the website, they all get the same message. Yeah. Clever. Cool.

Jonathan Hall:

Awesome. Well, thank you so much, Pato, for joining us today and filling in for Shay. It's been fun meeting you and talking about a ton of security fixes. I think it's time for me to hang up and go upgrade.

Pato Whittingslow:

Yeah. Did I say you should upgrade?

Jonathan Hall:

Thanks for the advice. We will talk to you next time. Thanks, everybody.

Pato Whittingslow:

Alright. Thank you, John.

Jonathan Hall:

Program exited.

Creators and Guests

Jonathan Hall (Host): Freelance Gopher, Continuous Delivery consultant, and host of the Boldly Go YouTube channel.

Pato Whittingslow (Host): Freelance mechanical engineer with software expertise. Working on GOOS=none, Go with no operating system.