The Go release that was completely Expected, conferences, and cookies! 🍪🍪🍪
This show is supported by you. Stick around till our end show break to hear more. This is Cup of Go for July 5, 2024. Keep up to date with the important happenings in the Go community in about 15 minutes per week. I'm Shay Nehmad.
Jonathan Hall:I'm Jonathan Hall.
Shay Nehmad:And we're both sore in the neck.
Jonathan Hall:Yes. Jonathan's physical therapist and masseuse.
Shay Nehmad:Yeah. Everybody listening to this episode, please just turn your head 90 degrees to get the full experience. Just, like, totally wrap your back around. But let's get to some Go news, and hopefully, that will loosen up some some aches and some joints. Let's do it.
Shay Nehmad:So first up, we have a new minor release. It's a security release. Go 1.22.5 and Go 1.21.12. It's 1 fix to the HTTP headers handling. Who could have guessed?
Shay Nehmad:Right? HTTP headers cause security issues. In other news, a dog bit a person. Right?
Jonathan Hall:We should start placing bets on which package in the standard library is affected in the upcoming security releases. You know, whenever we get the preannouncement, we should place bets.
Shay Nehmad:So this specific security release is actually kind of interesting because it taught me about a feature of HTTP I didn't even know existed. Would you like me to tell you about it?
Jonathan Hall:I bet you weren't expecting that.
Shay Nehmad:Nice. Alright. So I'll send you a 100, and then I'll continue telling you. Is that okay? That's cool.
Shay Nehmad:So that's the exact interaction this header, supports. You send a 100. Please give me an okay that you're ready to receive the request body. And then for some reason, the server should respond a 100, yes, please continue. And then the client sends the data.
Shay Nehmad:I assume it's relevant if you wanna really sync up, like, file upload processes or something like that, but I've never used this header. This, like, entire family of codes, like, 1XX, I didn't use. Apparently, there was a bug in the way HTTP/1 server side handled it that allowed attackers to do a denial of service attack. We can play it out. Right, Jonathan?
Shay Nehmad:Hey. Can I send you the body? Yeah. Anyway, whatever. Hey.
Shay Nehmad:Can I send you another body? Anyway, whatever. Can I send you an and Jonathan just has, like, a ton of open invalid connections? Eventually, he'll, you know, he won't have won't be able to serve anyone else anymore. So this vulnerability was fixed.
Shay Nehmad:If you use this header, why? But in any case, you should probably wanna upgrade your server to avoid any potential mishandling. I can't imagine this will actually break a legitimate flow for you, so this should be a pretty safe upgrade all in all.
Jonathan Hall:I think so.
Shay Nehmad:Alright. So that's urgent news number 1. Now looking a bit ahead, how should I plan?
Jonathan Hall:Where am I going? You need to buy some tickets. We're going to 3 continents here. And, it's it's gonna be great. So the first 1 actually, you don't need a ticket for this 1.
Shay Nehmad:Around the world. Around the what?
Jonathan Hall:No.
Shay Nehmad:Sorry. I mean, just, my back is so sore. I'm on my second coffee, so it's gonna be a bit wonky today.
Jonathan Hall:The first conference we're talking about is in your hometown of Tel Aviv or very near your hometown. I guess you live outside in the suburbs. Is that the way that works? September 9. We already talked about this 1, when, Mickey was on 2 weeks ago, but mentioned it again since we're doing conferences.
Jonathan Hall:September 9 in Tel Aviv. Call for papers is open until July 15. So if you're gonna be in Tel Aviv and wanna speak, check that 1 out. If that's not your cup of tea or if you have a lot of frequent flyer miles, next, you can head over to GopherCon AU. So
Shay Nehmad:I'll just say before you fly out to Australia, even if you don't wanna speak, GopherCon Israel is pretty good usually. There's also sponsorship spots still open. So if you're a company and you want like, you work for a company and you wanna sponsor, that's still open. And I might speak there. So if you wanna listen to me blab on, I handed in my call for paper.
Shay Nehmad:I hope it will get accepted. Awesome.
Jonathan Hall:Okay. After you've listened to Shay blab and maybe blabbed at him as well, head over to GopherCon Australia in Sydney, November 6 through 8. Call for papers is open till September 15. I'm glad they chose my birthday to end the call for papers.
Shay Nehmad:Mhmm.
Jonathan Hall:And then, after Australia, you'll be catching a flight to India, where on December 1st, we'll have GopherCon India in Jaipur. I don't have details on call for papers. I don't know if they're already closed or if they've
Shay Nehmad:They probably haven't opened yet. Right? Haven't opened yet? So yeah. 6 months out.
Jonathan Hall:The future. Mhmm. So if we get more information about that in the future, we'll be sure to let you know. If you know about that, if you're 1 of the organizers, let us know so we can include it in an upcoming episode.
Shay Nehmad:And I wanna shout out 2 things about GopherCon India. First, I wanna shout out Rishi from our Slack channel for pointing that out to us. Even though we already had it on our backlog before, you put it in. That's how good of a journalist we are. We know about a huge conference that's advertised everywhere in the most populous country in the world.
Shay Nehmad:And second of all, I really wanna shout out their gopher mascot. So cute. Oh, yeah. This is an audio medium, so this won't really carry, but it's like a gopher, like an Indian looking turban, and like sash. Looks like a Indian police officer.
Shay Nehmad:Really cute. So I don't know who designed that, but good work. Hold on.
Jonathan Hall:Alright. So we don't have proper proposal news today because the meeting notes haven't come out. I don't know if they didn't have a meeting or for us just decided to sleep at night like a normal human. But I don't have that. But we do have 1 proposal to talk about,
Shay Nehmad:which you implicitly said is improper. Right? We don't have proper proposals. So this is a improper proposal.
Jonathan Hall:Proposal nights. This is hot off the press. I don't know if anybody's seen it except gabyhelp, the new bot, who added a comment already. But Shay created this proposal with my help. We did it together just before we started recording.
Jonathan Hall:So last week, you may recall we talked about the proposal that's been accepted to list deprecations and newer available major and minor versions with the Go mod, a subcommand of the Go mod command. And we thought, wouldn't it be cool if it would also tell you about, archived repos that you're just gonna been abandoned? So that's what the proposal is about, is to add that. What else do you wanna say about it, Shay?
Shay Nehmad:So, first of all, obviously, let's abuse the platform. Everybody go and upvote it now. If you're listening, you know, voter manipulation with the new, you know, US election being on the headlines, go out and vote. So, you can vote for this proposal instead. I think you said it.
Shay Nehmad:We worked on it just before the show, and I just the discussions are such an important part of Go because my original proposal was let's also add a deprecation marker to Go mod. And you just informed me, you educated me that 1 already exists. So here's my, you know, today I learned. If you want to mark your package as deprecated, there's literally built in support for that. But, yeah, I I the main thing I hope will happen here is the proposal would not get rejected for being stupid, just for, you know, maybe being infeasible or just like languishing in the in the backlog.
Shay Nehmad:I'd be surprised if if, people will like it. But for me, it's been an issue. Right? Someone proposes a new dependency in a pull request. First thing I do, I need to open up that GitHub page to make sure it's not archived or or doesn't have, like, a million issues that say, hey, is this project abandoned?
Shay Nehmad:Did this project abandoned? Did this project are you still maintaining it? Which fork should I use? And in the past, I've, like, come up with forks for existing projects that became, like, the de facto standard for that module without talking to the original maintainer because they were, like, unresponsive. So this is a real problem I had.
Shay Nehmad:I even had it now with, some library we used. Luckily, after 2 months, the original maintainer did merge our changes. So I hope it'll get, at least some discussions where I learn some more stuff. If it gets, approved, I might even, attempt at, you know, implementing it myself. That that could be cool.
Shay Nehmad:Especially because it's not too hard.
Jonathan Hall:It's pretty simple. Right? Yeah. Probably. Although, I don't
Shay Nehmad:know how you mark stuff as abandoned in GitLab. Like, I know archiving on GitHub, but I haven't used GitLab saying.
Jonathan Hall:It could get starting to get complicated if you start to to support all the different version control systems, GitHub, GitLab, Bitbucket, Mercurial, all those things. You know, it could it could start to get a little more complicated. But for the big 2, GitHub and GitLab, should be pretty straightforward.
Shay Nehmad:Think these are the big 2? Not GitHub and Bitbucket? Like market share wise? For open source, I think GitLab
Jonathan Hall:is a lot.
Shay Nehmad:For open source for
Jonathan Hall:sure. Yeah.
Shay Nehmad:Cool. We have another update on a past news item. You might remember last week we mentioned Kevin McDonald's blog post called gRPC, the bad parts.
Jonathan Hall:This is for June 28, 2024.
Shay Nehmad:This blog post from kmcd.dev, which is Kevin McDonald, a software engineer living in Copenhagen, is about why gRPC is bad, like, the bad part.
Jonathan Hall:I wouldn't say it's why it's bad, but it talks about some bad parts of it. Yeah.
Shay Nehmad:So there's, a counterpart blog post to this post. Again, really well written. Again, with, cool art and, I don't know, enough code for me to like it. Talking about the great parts of gRPC. So, you know, obviously, the first 1 is performance.
Shay Nehmad:It's not controversial, that it's faster than JSON and XML, and people demonstrate it over and over again. The strongly typed contracts for me is the actual, best value. You know, the moment you start working with, protobuf and gRPC, you have to encode your schemas. I don't know if you ever had that experience of, like, taking a loosey goosey system and trying to introduce some schemas into it, not necessarily, with the gRPC, even with, like, JSON schema or open API. Did you ever, like, try to bring some, order into a chaotic system like that?
Jonathan Hall:Oh, yeah.
Shay Nehmad:Definitely. And what's been your experience? Like, is it, oh, no problem. It's obvious. There's no value in talking about the schema because everybody agrees.
Jonathan Hall:The worst example I had was actually a, it was a I think it was a Jason Arc. I can't remember. It was it was some standard in big fat air quotes standard, JSON format, where the date formats were different. You know, sometimes it was year, month, day, and some of this is year, day, month, and just put on which endpoint you called. And in fact, I think I found some endpoints that parts of the data would be in 1 format and parts of a different format.
Jonathan Hall:So, yeah, like, it's just ridiculously, ad hoc data in many many schemas, and and it's a pain in the butt.
Shay Nehmad:So the pain in the butt part is, I think, the most, like, self indulgent reason to use gRPC that I actually support is because when you develop, you have a better experience. Right? You just have a smoother development cycle because you know what data is going in, what data is going out. For example, with gRPC, that whole year month day, year day month thing would happen because there's a native timestamp type. Exactly.
Shay Nehmad:Even though very annoyingly, it's not a, super native. You have to do, like, import Google, something. Mhmm. But but it's part of the compiler, so you don't have to bring a file sometimes. Anyway, so there's a lot of, good, things here.
Shay Nehmad:For me, the strongly typed contracts is the best value, but this blog post is really great. I think if you're trying to introduce gRPC, to a company or like a project you're working on, A really really good pair of blog posts. Right? Last week, we talked about gRPC, the bad parts, and this is gRPC, the good parts. And I I believe that if you come up and sort of the dogmatically say, gRPC is the best and we must use it.
Shay Nehmad:No questions. Like, it would be easy for me to dismiss your opinion. Right? Because that doesn't sound really serious. But if you're, hey, here's the research.
Shay Nehmad:Here are the bad parts. Here are the good parts, and here's how it applies to our specific situation, here's why the good outweighs the bad. These pair of blog posts could be a really good resource to write that, you know, proper, design document. So it's a really good series. I hope I really hope to see, you know, gRPC, the ugly parts to finish out the, like, the good, the bad, and the ugly.
Jonathan Hall:I I like that he started with the bad parts. Because if you start with just the good parts, you you kinda feel like a fanboy. Although, if you start with just the bad parts, you kinda feel like a naysayer. But it's nice that he's balanced now.
Shay Nehmad:Yeah. Yeah. I have again, another shout out to Kevin's blog. 2 weeks in a row, man. And I know you're trying to do weekly, blog posts because I read it in 1 of your blog posts.
Shay Nehmad:If they're all of them are gonna be this good, we're just gonna keep mentioning them.
Jonathan Hall:I think 1 1 interesting call out is that, the translation between JSON and gRPC is mentioned in both articles. It's both a it's both a pain point, and some of the tools to overcome the pain point are are 1 of the good parts. So that's kinda cool.
Shay Nehmad:I think it's just so prevalent. Right? At some point, you wanna look at the data. At some point, you wanna debug it. Sometimes, you wanna translate it to JSON for working on the web.
Shay Nehmad:There's no way out of it, basically. Right? Unfortunately, I wish we could just work with structs in any context, like, well defined struct instead of random string data. Anyway
Jonathan Hall:Speaking of structs and string data, let's talk about a new I don't know. How new is this? 2 days ago, version 0.1 was released 2 days ago of a package called syntaqx/cookie, which lets you essentially unmarshal cookies into structs using struct tags like you do for JSON marshaling, unmarshaling, and so on. You can, of course, put the name of the cookie key in the struct tag. You can also indicate whether that particular key is signed or unsigned and a few other bits of metadata.
Jonathan Hall:I've never I I for 1 thing, I don't use cookies that much. What I have, I've just done the old school way of, like, pulling out keys and values and doing manual parsing. Next time I have to use a cookie, I'm gonna reach for this tool because this makes it so much simpler, and it's just right in line with that whole idea of of marshaling from JSON into a struct or from your environment variables into a struct or all that all those sorts of things that makes it so much simpler.
Shay Nehmad:I think the very strong benefit of the signing key, you just, like, have a global manager for signing keys on every, signed cookie. The it's something that's just a pain. Usually, write your own custom middleware to do that. It does mean that if you like, it's a global thing. Right?
Shay Nehmad:In the same way you have an HTTP global server or the recently deprecated global seed for random. Right? I don't love packages that have, like, package level things, but there are a few specific cases where I'm willing to make an exception. Like Mhmm. zerolog dot log is an example.
Shay Nehmad:Right? It's really good that they have a built in global logger in the package because when I start writing before I do my dependency injection logger all over the signatures, whatever, as long as the project is under 20 files, just use the global logger. It's it's totally fine. You're not gonna you don't you don't need to worry about it. I think the same goes here.
Shay Nehmad:Like, it's a good choice to have it as the global thing to get started because I can never imagine a situation where you have multiple managers. But it also it's possible to do that. So that's for me, that shows the maturity of this library even though it's 2 days old. It still already supports both the out of box, just use the default manager. And then when your app grows out of that stage, you can manage your own manager in, like, your server struct server state, I should say.
Shay Nehmad:Mhmm. And, yeah, more things being, structs and strongly typed and easily used by the by the, you know, your code. I love it. Awesome. Although you still have to somewhere maintain the list, like, the list of cookies you actually support.
Shay Nehmad:You know, you're gonna have a const file with x my custom header number 1, x my custom header number 2. Because it doesn't auto generate code for you. It just unmarshals it into a struct, which is nice. Right. Alright.
Shay Nehmad:And to round out our rather HTTP heavy, episode, there was a very, very good blog post, that also topped the Reddit charts.
Jonathan Hall:I don't
Shay Nehmad:know if it's charts, with, like, 500 upvotes in in a day or something from David Mokazello. I'm probably not pronouncing that right. Looks like a Polish name. No way. But, yeah, trying to send a lot of HTTP requests.
Shay Nehmad:So my I really like this blog post because it's very interactive. Feels like talking to, David because like, alright. How would I like, why did I do it? How much is 500,000,000 HTTP/1 requests? What does it mean to send a single 1?
Shay Nehmad:How much time does it take? It's like, just really exactly the questions you would ask and then the meet the the intro is basically, it's hard to send a lot of HTTP requests. It's gonna take you forever. If you just use, like, native curl without any optimizations whatsoever, it's gonna take you 8 years.
Jonathan Hall:Oh, that's fine. I'll have it done by next week. Wait. You you I can't do that.
Shay Nehmad:And then just how to optimize. So there's a design here for something he's calling descending the canon, which I like. And 1 highlight, 1 shout out is choosing the right HTTP library. If you wanted to work with some fast HTTP, which library would you reach out? Like, would you just use the standard library 1?
Jonathan Hall:If I really needed to do 500,000,000 requests, no. I would probably use fasthttp.
Shay Nehmad:fasthttp, which we have mentioned on the show in the past, quite a long while ago
Jonathan Hall:Yeah.
Shay Nehmad:By Eric. Right? Your co Yeah.
Jonathan Hall:My co Amsterdam organizer. We had an interview with him on the show. We'll have a link to that if you wanna listen to more And
Shay Nehmad:he hosted the show, when you were stuck in the airport.
Jonathan Hall:When I was stuck in New York, you took my place. Thanks, Eric.
Shay Nehmad:And unbelievably, this blog post even optimizes fasthttp even more, because since the author crafts the HTTP package, packets by hand, they don't need the normalization of the request. So they just forked it and removed the normalization stuff which feels sort of like, you know, opening up the dashboard of your car and just ripping out some cables to try and make it go faster. And there's a whole bunch of improvements here, optimizing DNS and optimizing TLS, and then splitting works into chunks, and then scaling it horizontally with Kubernetes, which is a bit of a of like a different approach. Like up to that point, it's how to optimize your Go code. At that point, it's like, okay, how do I horizontally scale out this workload which is sort of different.
Shay Nehmad:But it's interesting, like, how much bandwidth do you have per pod? Blah blah blah. And it's a really good blog post. I really understand why people, liked it. It shows a lot of Go's strength because it wasn't difficult at all.
Shay Nehmad:Like, if you read the blog post, it's all very, very simple. Just a few goroutines and a queue and the right library, and it's very easy to fork and optimize that library. Just like super super simple stuff. So if you're into a HTTP, ethical hacking, or trying to, you know, trying to get into ethical hacking or trying to understand how DDoS works, all that cool stuff, this is a blog post for you.
Jonathan Hall:I think it's interesting he mentioned that at first he tried it in Rust.
Shay Nehmad:Yeah. I was just about to to shout that out.
Jonathan Hall:But, it was too confusing. Those are my words, but my small brain is too small for async Tokio types magic. Go, on the other hand, allowed this JS developer to write the whole thing. This is quite a statement about the language. Yeah.
Jonathan Hall:No shade on Rust. It's just not quite as simple to understand for a JS developer in particular.
Shay Nehmad:Yeah. The Go is very easy to to read and in this case, like, the problem is IO. It's not like you're not super strict on memory. That's not your problem. So I think this is it's no problem.
Shay Nehmad:Right? While you're sending out these packets, the garbage collection can run. You won't see it spike. Right. Right.
Shay Nehmad:So it's not really an issue, but I like the humbleness. Yeah. I tried Rust, but then I wanted to get shit done, so I
Jonathan Hall:wrote it in the note. Alright. Awesome. I think that's the show. So let's
Shay Nehmad:move on to the break.
Jonathan Hall:Our break will have stick around for that.
Shay Nehmad:This show is supported by you. We wanna shout out, Jens and Frederic, just a couple of our Patreon members, among, 26 other beautiful, members. If you wanna jump on and then basically help us make this hobby sustainable and you enjoy the content that's in your ears right now, that'd be cool. It's a a very good way to support the show directly. This is a hobby.
Shay Nehmad:We do it for fun. We learn. For example, the day I learned that Go has a deprecation marker on on modules, that was worth the time for me. But, you know, it is expensive, mostly paying for, editing and, hosting fees. So directly joining our Patreon and contributing $8 a month could really help us out.
Shay Nehmad:If you wanna reach us, buy some swag or talk to the people or see listen to previous episodes, you can find all the links at cupogo.dev that is cupogo.dev. Please just use normal HTTP requests and don't try to, you know, send a 100 headers, a 100 continue and DOS us. And please don't use that guy's blog post to try and DOS DDoS the site as well. That wouldn't be nice. If you wanna talk to the other listeners on the show, we have some really interesting discussions going on, now and then.
Shay Nehmad:People sharing links and seeing, like, check out this new cool thing, and we actually talked about it 2 weeks ago on the show and they haven't caught up yet. You can join, Cup o go on the Gopher Slack. Gopher Slack is a just a community for you to join for a myriad, topics, for many topics about, Go, and we have our own little channel there. I don't know if little still stands. We have We have 399.
Shay Nehmad:399 members. Join now if you wanna be the 401. It's a kebab case with hyphens. So cup-o-go. If you like more direct communication, news@cupogo.dev is our email.
Shay Nehmad:Other than buying swag or joining our Patreon, which is the most direct way to support us, we really like the fact that the show is, getting to many people and helping out the many people. Sharing it in your, like, work place or some other community groups or leaving reviews on Apple Podcasts or Spotify, really helps us out. We don't pay to advertise the show at all. All our growth has been ear to mouth to ear. Is that how you say that?
Jonathan Hall:It's how we
Shay Nehmad:say that. Word-of-mouth. That's that's what I'm looking for. In Hebrew, it's mouth to ear. But that sounds really bad in English for some reason.
Shay Nehmad:Anyway We're
Jonathan Hall:not that kind of a show, Shay.
Shay Nehmad:Yeah. Not not the well, join on Patreon right now, and you're gonna get our ASMR version. No. No. You're not gonna get that.
Shay Nehmad:Anyway, leave a review or share the show with your friends and colleagues and coworkers. That would be super cool and swell. Next week, we are planning to have a show, normally, like July is is should be good. August, we're still not sure when we're taking vacations, if and, and if we are when, but we'll definitely let you know. But for next week, you got it.
Jonathan Hall:Got it. We'll be here. See you then.
Shay Nehmad:Alright. And time to roll out our new intro.
Jonathan Hall:Our new outro. Yeah. Yeah.
Shay Nehmad:Outro, I mean. What am I saying? Time to roll out our new outro. Program exited.