🕸️ With great power comes great responsibility, or why not to use the linkname directive 🔗

Jonathan Hall:

The show is sponsored by you, the listener. Stick around till after the news to hear more about that. This is Cup o' Go for May 24, 2024. Keep up to date with the important happenings in the Go community in about 15 minutes per week. I'm Jonathan Hall.

Miki Tebeka:

And I'm Miki Tebeka, filling in for Shay Nehmad.

Jonathan Hall:

Hi, Miki. Thanks for coming back. You were you were here on the inaugural episode, the very first episode. You you joined us as a guest. We interviewed you.

Jonathan Hall:

Thanks for coming back.

Miki Tebeka:

Thanks. It was fun, and always want to come back.

Jonathan Hall:

Wonderful. Well, first things first. We have a couple of things that, I I just wanna mention really briefly for those who've been listening to previous episodes. We have a couple of accepted proposals we talked about. The first one was about making Linux kernel version 3.17 the minimum to run Go.

Jonathan Hall:

And I think this will take effect. It's been accepted. I think it will take effect for Go 1.24. So that will be coming out in August, presumably. So if you're on an older version of Linux, you'll need to update.

Jonathan Hall:

Update. If you wanna hear more details about that, we'll put out a link in the show notes to that episode. Another accepted proposal we mentioned briefly, even 2 weeks ago, the proposal for append text and append binary has been accepted. We mentioned this in the context of another proposal for encoding binary append, which was accepted at the time. These are very closely related topics.

Jonathan Hall:

So I'm not gonna go into the details again. Again, link in the show notes if you want to hear more about that. I wanna hand it over a little bit here to you, Miki. I know that you're heavily involved in the Go community there in Israel where you live. You're one of the organizers of the Go meetup there in Israel.

Jonathan Hall:

You're one of the organizers of GopherCon Israel. And I think you have an announcement to share related to GopherCon Israel. Would you would you tell us about that?

Miki Tebeka:

Yes. So GopherCon Israel is going to happen on September 9th this year. And currently, the call for proposals is open. So head over to our, website and submit a proposal. We know that people from outside Israel, it's probably not the great time to travel here.

Miki Tebeka:

But if you do, we'll welcome you in open arms.

Jonathan Hall:

Wonderful. And what kinds of topics are you looking for? Are you looking for advanced technical topics, intro to go topics? What do you hope to find?

Miki Tebeka:

So we're looking for, anything that is Go related. We don't really strict about, what are we looking for. It's more about the topic and the speaker and if it's interesting. We're looking at all levels. We usually have 2 tracks simultaneously, and we try to do one more beginner and one more advanced.

Miki Tebeka:

So, we see that. Most of the attendees or at least half of them usually are pretty new to go. So we try to have some intro topics as well. Cool.

Jonathan Hall:

And what language is it typically done? Is it is it English or Hebrew or a mix?

Miki Tebeka:

It's a mix. We let the speaker decide what they want to do. Some of them, especially because it's going up to YouTube, they chose to they choose to do it in, English. Mhmm. Some choose to do it in Hebrew, but we try to have it that we never have 2 Hebrew ones next to each other.

Miki Tebeka:

So if you don't understand Hebrew, to have at least one of the talks to go to, that is in English.

Jonathan Hall:

Yeah. Good. Good. Awesome. Well, looking forward to see how that pans out.

Jonathan Hall:

I'm sure we'll be talking about it again on the show as September comes closer so that people are reminded to go attend as well. Are tickets on sale yet or that's not quite yet?

Miki Tebeka:

No. We we haven't started ticket sales yet, and we're also looking for sponsors. So if you want to sponsor us, hey. Wonderful.

Jonathan Hall:

Well, this week, we're gonna talk about a bunch of sort of, I would say things that kind of fly below my radar. So this is one nice thing about having a fill in, co host is you you bring a new perspective, a different, set of of news items. So I'm really looking forward. I I expect to learn a lot in the next 10 minutes. The first one on our list is gosec.

Jonathan Hall:

Now I've used gosec a little bit. I think it's built into golangci-lint maybe or or a similar tool is at least. But maybe before we talk about the news, the new release, do you wanna tell us kinda how to high level what gosec is?

Miki Tebeka:

So Gosec is a linter. It's a static analyzer that goes over your code without running it and checks for common security errors. And I really love the emphasis the Go community has on security. There's a dedicated security team in the Go team, and there's a lot of tooling and talk around that. And as a developer, even if you're not a security expert, you can really help by writing secure Go code.

Miki Tebeka:

And this tool will help you, especially if you're a beginner, about common mistakes that people do.

Jonathan Hall:

Is this an official tool from the Go team or it's

Miki Tebeka:

a No. No. The the this is an outside tool. The Go team has another tool. It is called govulncheck for vulnerabilities.

Miki Tebeka:

And this is more about supply chain. So it it checks if you're using dependencies that have known security issues. So it will go over your go.mod, query, there's a big database that, they maintain about vulnerabilities. And then we'll let you know that you're using this version, which has a security issue. Please upgrade or do other things.

Jonathan Hall:

Cool. So both of those are worth using. They they serve different purposes.

Miki Tebeka:

Yes. There's there's also, the the one from GitHub, Dependabot. Yeah. Yeah. Does a similar thing.

Miki Tebeka:

So if you're enabling it in your CI, this is also a great thing to know.

Jonathan Hall:

Cool. And so the news this week is that GoSec has a new release. Any highlights you wanna share from the new release?

Miki Tebeka:

So I looked at the new release, mostly bug fixes. One thing they added, and this is about when you're trying to open a file, an attacker can sneak in a relative path, like dot dot and dot dot, and then they can access actually the whole system. And you need to normalize or sanitize these paths. And I added support for a new function, which I forget the name, but it's related to symbolic links in the os package to check for that as well.

Jonathan Hall:

Okay. Yeah. That's one of the things that that trips me up a lot, especially when I run gosec on an on an old code base for the first time is it will tell me I'm opening an, I don't know the term it uses, but, like, unverified file paths. You know, passing a variable name to to os.Open or similar.

Miki Tebeka:

Yeah.

Jonathan Hall:

So, yeah, it's something that's really easy to not think about until, something like this slaps you in the face with it.

Miki Tebeka:

Yeah. And sometimes it's okay. Like, if you know the configuration file and you just want to start from a given directory and you know that this is something that you do. But every time something comes outside from a user, then that's the problem, then you need to really be careful.

Jonathan Hall:

Yeah. Exactly. Exactly. Alright. So, new version of gosec is out, 2.20.

Jonathan Hall:

So if you're using gosec or I'm I'm pretty sure that's built into golangci-lint, you'll probably wanna use the latest version of that.

Miki Tebeka:

And there's also a GitHub action for that. So Yep. You can Yep. Plug it to your All sorts

Jonathan Hall:

of ways to consume it. Alright. We also have a next here, this is a a proposal that has been accepted and actually completed, it looks like. It's already been merged about host layout directive types. Do you wanna explain what that means and what this new proposal is?

Miki Tebeka:

So when you're declaring a struct, you declare the fields in your logical order, the the order that makes sense to you as a developer. But when you go down, compiler has to align the fields because the hardware is not efficient at accessing on the byte, level. So usually, the alignment is either 4 or 8 bytes to the struct. So what happens is that if you put, let's say, a field which is a Boolean, which is a single byte, and after that an integer, which is int 64, let's say, it's an 8 byte, there are 7 bytes that are just fill up by by the compiler. So this is something which can, waste space.

Miki Tebeka:

And there are, external tools, one from the Go team and called fieldalignment and another one called betteralign that can actually go over your struct and said, if you reorder the field, you can save this amount of memory by doing that. Now the thing is that sometimes, and this proposal goes to when Go interacts with existing C libraries. Existing C libraries have their own convention about struct alignment. And you want to make sure that when you declare a struct in Go and what the one in C, that you actually get the same alignment. Otherwise, you'll get some kind of garbage in memory.

Miki Tebeka:

And the Go compiler was doing a good job, but in some cases, it needed a little bit more hints about how to do the alignment. And this proposal is exactly like that. You're going to add a field which has a zero space, just the name, has a meaning for the compiler, then it's going to change the way it aligns the structure.

Jonathan Hall:

Mhmm. So what does this mean for the average Go developer out there?

Miki Tebeka:

I'm guessing the average Go developer will never touch that, mostly for people who are interacting with C. Yeah. The thing is there's a lot of existing C code out there. So at one point or another but we try to write pure Go, and CGO_ENABLED=0 is something we we strive to do. But Mhmm.

Miki Tebeka:

It's not always the case. And in cases when you need to interact with the C library and this library has its own alignment, then you might want to to do that.

Jonathan Hall:

So if you're using cgo, this is probably relevant to you, especially if you're trying to save memory. Otherwise, it's just nice to know it's there.

Miki Tebeka:

Well, the saving memory is something on the side. This is more about Okay. Making sure that your alignment is on par with the C one.

Jonathan Hall:

Yeah. Yeah. Yes. Very good. Let's move on to this next one here.

Jonathan Hall:

I think this is another sort of slightly esoteric thing, something that I think most people don't realize is even possible. But there's a a go:linkname directive you can put in your code. I'm gonna explain what that does and what this new proposal is about.

Miki Tebeka:

So I'll just say that my my sweet spot and the place I like to be is where I ask a question in Stack Overflow and nobody answers. This is the place I like to code. So all of these things are probably in my in my, my area. So go:linkname is basically a way to tell the Go compiler that I want to use this function from that library, but I want to give it another name. So you can put in your function, and on top of it, put a directive called go:linkname, and then give the link from the actual library that you want.

Miki Tebeka:

And this is done by mostly internally inside the Go runtime to access, things usually written in assembly. And then maybe you want to change the names or access things from from that area. But what you can do with it, like any good developer is you can abuse it. And then, you can use it to access private things from other packages. We'll put in the show notes a great, article by Adena Lightenfield about this, and she talks in great length about how you can do it.

Miki Tebeka:

But the thing is, some packages are actually accessing the internals of Go code with the Golang directive, so they can use some internal functions in their packages, which is a problem. Because as Russ said in the release notes over there, they are internal for a reason. We don't want people to use them. We want the freedom to change them. So this proposal is about saying we are still going to keep that around, but we're going to do it in a way that is more responsible and will not allow abuse of that.

Jonathan Hall:

Mhmm. I can hear a lot of people, especially if they're kinda new to Go and maybe coming from JavaScript or or a very loose sort of language, hearing about this thing. Oh, great. Now I can access all those things I couldn't get at

Miki Tebeka:

before. Yes. Exactly. And and Nira then starts the her blog post with, don't do what I'm saying here. Just, keep a things are internal for a reason.

Miki Tebeka:

I I'm doing a lot of Python. I started with Python, which is very dynamic. You can access anything. But the joke there that it's a it's a language of consenting adults, but please don't don't try to access anything. This is not not good.

Miki Tebeka:

And in the long run, you're going to get bitten by that.

Jonathan Hall:

Yeah. Yeah. Alright. So, with great power comes great responsibility. That's right.

Jonathan Hall:

Use go:linkname responsibly.

Miki Tebeka:

Ideally, don't.

Jonathan Hall:

Ideally, don't use it at all. Yes. Yes. Yes. Alright.

Jonathan Hall:

Next up on our list here, we have, normalized line endings, example, output comparisons. This seems like something that I think anybody can understand. It doesn't require esoteric knowledge. Yes. What what is this one?

Miki Tebeka:

Well, the esoteric knowledge that you need to know is about line endings of Windows versus the rest of the world, which the rest of the world just use a new line and, Windows Windows uses a new line and a carriage return. Or is it the other way around? I always mix them up. And the thing is that in Go, we have testable examples, which is a feature I love, and people usually don't use that. Briefly, you write in a test file a function that start with an example, and after that, either an underscore or an uppercase letter.

Miki Tebeka:

And what you do inside, you just write your code and print it out. You don't make a decision to compare things or anything like that. You just print things out. In the end of the function, you write special comment and then the expected output. And what Go is going to do is it's going to run the function, capture the standard output, and compare it to what you said it's going to be.

Miki Tebeka:

Now these are not for testing or for deep testing. These are for testable examples. So this is the way to write examples. These are the examples that also show in the Go doc as in the example section. These are exactly these ones.

Miki Tebeka:

I use it a lot when I'm starting to get a feel if the API is right or not. So I write initially just testable example to look at how my API is going to look and then fill in the code, somewhat of TDD, but on a higher level. And this fix is for Windows because you write your examples and then there's one line ending. And then in Windows, it's the same output, just the line ending is a little bit different. So this is going to fix it for Windows users.

Miki Tebeka:

And I'm glad to see that Windows is becoming, a first class citizen in the Go ecosystem. It's been neglected for a bit. It is an important platform, love it or hate it, and, I'm glad that Go is getting there.

Jonathan Hall:

I'm a little bit surprised that this hasn't already been fixed or, like, wasn't even fixed in the first version. Because I could imagine anybody who's running, these examples on Windows is just failing all the time. Yeah. And that's gotta be completely frustrating. I'm like, yeah.

Jonathan Hall:

I I guess I'm a little baffled why this why this is still existing in 2024.

Miki Tebeka:

From my experience, most people, they don't try these testable examples. I I haven't seen

Jonathan Hall:

them That's true.

Miki Tebeka:

Very common.

Jonathan Hall:

Yeah. And I suppose when they are run, they're most often run probably from a web browser browsing pkg.go.dev or something like that.

Miki Tebeka:

Yeah. Or in your CI, and then it's probably a Linux anyway.

Jonathan Hall:

Yeah. Still, I'm glad to see this being fixed, and and I I'm Yeah. I'm still maybe less surprised than I was a moment ago, but still mildly surprised that it still exists. So

Miki Tebeka:

Yes.

Jonathan Hall:

Well, we have made it through the news in in great time. We we have a shorter episode for you today. But, Miki, I want you to take the time to introduce yourself. And I I wanna talk to you just a little bit about you in lieu of a a longer interview after the the the news break. Okay.

Jonathan Hall:

But start by tell us a little about who you are and and how you're involved in Go.

Miki Tebeka:

So I've been, well, I checked I started at Intel professionally in, 97. So 27 years now in, in in tech. Most of the time in Python, I still write Python on a weekly basis, I would say. And then I started using Go 13, 14 years way before we had the Go tool when there were only make files and all of these things. I'm running my own company for the last 10 years, doing consulting, which for me means I write code.

Miki Tebeka:

And then, I'm teaching a lot as well, either myself or, an instructor at Ardan Labs. I help organize conferences, the GopherCon Israel, the PyData Israel one. I help with the Go Israel meetup. I have videos on LinkedIn Learning, and I'm authoring books. My last one, Effective Go Recipes from the Pragmatic Programmers just came out.

Miki Tebeka:

And I'd like to, give a shout out to my wonderful, wonderful editor, Margaret. She made the book so much better. And I think that's most of the geek stuff I do.

Jonathan Hall:

Cool. And we'll have links to your book and, your your company and all that stuff in the show notes if you're interested in in following up. And I I imagine social media accounts and things like that. So if you wanna get in touch with Miki Thanks. Just follow the the links in the show notes.

Jonathan Hall:

Thanks again, Miki, for filling in. Shay was

Miki Tebeka:

Thank you. Had a

Jonathan Hall:

I think a family commitment this week, so he he wasn't available. But he should be back next week. So, yeah. Thanks a lot for for filling in.

Miki Tebeka:

Thank you. It's really fun.

Jonathan Hall:

Great. Thanks everybody for listening. Have a great week. And, I know. I we need a tagline here.

Jonathan Hall:

Like, may the go be with you. That sounds really good for you. I don't know. I'll think of something for next time. Until then.

Jonathan Hall:

Thanks for listening to the end. Once again, a big thank you to Miki for filling in for Shay this week, who who was gone. Just a couple of quick things, and then I'll send you on your way to your the next podcast in your player. First, this show is a hobby for us. It costs us some money.

Jonathan Hall:

If you wanna help cover that cost, we'd love to have you as a a Patreon member. You can head over to cupogo.dev. That's our website, and you can find links there to Patreon. You can also have links to our merch store and show notes for this and all other episodes and, some pictures of our dorky faces. If you're not interested in being a Patreon or just not in your budget, that's also cool.

Jonathan Hall:

We still wanna have you as listener, and you can still help support the show. The best way you could do that is by sharing it with a friend or a colleague, share it on your work Slack, or head over to your, iTunes or wherever you listen to this show and leave a rating and review. I wanna shout out one review we got on, the Apple Podcast Store. Is that what it's called? I don't even know what it's called these days.

Jonathan Hall:

Anyway, Andrew Donald says, great bang for your buck. That's cool, I guess. You know, buck? We we don't charge anything, to listen, but he says it's a great short form podcast that packs a lot of information from around the community into short segments. So thanks, Andrew, for your review and your 5 star rating.

Jonathan Hall:

We appreciate that. You can do the same. Give us a rating. It doesn't have to be 5 stars if you don't think it's worth that. Be honest, but we do appreciate your ratings.

Jonathan Hall:

Other than that, I wanna remind you, we talked about this last week, but coming up June 19, Shay will be in Amsterdam with me. There'll be the first time that we're together physically in person. And if you'd like to join us for that meeting and possibly very likely a live recording of the show, let us know. You can reach out to us by email news@cupogo.dev or on our Slack channel, which is on the Gophers Slack, cup dash o dash go. Over there, let us know that you'll be in Amsterdam or just join to chat about anything Go related also.

Jonathan Hall:

I think that wraps it up for this week. Thanks for listening. No interview this week without Shay. It was a little bit harder to schedule that. Hopefully, next week, we'll be back with Shay for sure and hopefully with an interview as well.

Jonathan Hall:

See you then.

Creators and Guests

Jonathan Hall
Host
Freelance Gopher, Continuous Delivery consultant, and host of the Boldly Go YouTube channel.

Miki Tebeka
Host
Miki has been shipping bugs to production for over 25 years. He has a passion for teaching, mentoring, and talking about tech for way too long. Miki contributes to open source, either his own projects, or external ones - including the Go and Python projects. Miki wrote several technical books, he's a LinkedIn Learning author and an organiser of Go Israel Meetup, GopherCon Israel, and PyData Tel Aviv Conference. When not geeking out, Miki likes to climb, hike all over the world, read books and annoy his family.