🏃🏼♂️➡️ You can run, but you can't hide from the security! 🫣 And golangci-lint v2 with Ludovic Fernandez
This show is supported by you. Stick around till the ad break to hear more about that. This is Cup O Go for March. We never know which day to say, 2025. Keep up to date with important happenings in the Go community in about fifteen minutes per week.
Shay Nehmad:I'm Shay Nehmad. And I'm Jonathan Hall. And that's a fancy mug you got there. You got the Cup o Go cup. I don't have mine anymore.
Shay Nehmad:I should get one. You
Jonathan Hall:should get one. We have a great show coming up for you today. We have an interview with the author of Golang CI Lent. We're talking about security releases, we're talking about proposals.
Shay Nehmad:Talking about security problems.
Jonathan Hall:And we're gonna cram it into twenty minutes maximum because that's when our interview starts, so.
Shay Nehmad:Yeah. This time something will actually force us to adhere to fifteen minutes. Yes. Kicking things off with a vulnerability. When Jonathan put it on the backlog and told me about it, I literally said, oh, it's probably he said like, oh, there's a vulnerability in x dot net HTML.
Shay Nehmad:I was like, oh, was it parsing something, whatever that allows you to read something unexpected? So, as you probably have guessed, there's a security vulnerability that's pretty much as expected. There's a package called x dot slash net slash HTML. You probably heard of it, but if you haven't, it just implements HTML tokenizer and parser. So you'll be able to read HTML and you won't be you won't be one of the poor souls.
Shay Nehmad:I don't know if you saw that famous Stack Overflow question of like, I need to parse HTML with the regex. Yes. I know how do you feel about HTML, but a lot of the time I look at it and like, yeah, it makes sense. I I studied it like every it's the first thing I started when I started computing. It just
Jonathan Hall:gives me the heebie jeebies. The main thing I learned from the security release was the word solidus, or is it solidus? Solidus?
Shay Nehmad:What is that?
Jonathan Hall:The tokenizer incorrectly interprets tags with uncoated attributes that end with a Solidus character. It's a fancy word for the forward slash. Woah. Well, I'm gonna start using that word all the time now because I think it just makes me sound more more snobbish.
Shay Nehmad:Solidus, sounds like a boss from Dark Souls. Solidus, the HTML parser annihilator. Darth Solidus, there we go.
Jonathan Hall:The cool
Shay Nehmad:thing about this vulnerability, other than the fact that it was found and patched and now you should, upgrade your X.net, packages if you use the HTML tokenizer, which is, like, reasonable, is the blog of who discovered it. I always like to, like, dig into the security researchers behind the vulnerability, not just technically the vulnerability itself. And I can wholeheartedly recommend nc.zip, which is Sean Ng from, Hong Kong. As a pretty cool, like, short, blog about, writing up CDFs and one that I'm particularly interested in, three XSS vulnerabilities discovered in SolidJS, universal LLM instruction leaks. Dude, this all over the map.
Shay Nehmad:Pretty cool stuff. So if you have, HTML stuff, you should upgrade.
Jonathan Hall:What else should you upgrade this week?
Shay Nehmad:I don't know. Is anything important that everybody uses in Go? Does it have a new version?
Jonathan Hall:Oh, wait. Here's one. Golang c I lint v two has been released.
Shay Nehmad:With a with a beautiful lot logo. Like, the rainbow is not colored, but the logo is colored. Love that stuff. V2.
Jonathan Hall:Yeah, V2. This is a big overhaul, simplified linters management, improved file paths management, issue exclusions, etcetera, etcetera. I'm not gonna dive into it too much right now because somebody who knows much, much more about it is gonna be on the show in about seventeen minutes as we're recording. So stick around till after, the rest of the news for an interview with the author. We're gonna be talking all about GoLangsIllent.
Shay Nehmad:I just have to say that GoLangsIllent, like, is the first thing I install in every like, I have a script, I have it running. Maybe I set up, like, I don't know, Git, but it's so early in the every Go project that this is set up.
Jonathan Hall:It is also the only open source project I monthly contribute to. I send $20 every month to that project.
Shay Nehmad:No kidding.
Jonathan Hall:Totally worth it. If I had to pay a hundred bucks a month for it, I probably would. So it just saves me that much time and
Shay Nehmad:Well, talking about paying for things monthly, I did a little bit of a calculation and to match up with my friends, we're gonna need 4,000,000,000, 1 hundred and 20 5 million Patreons.
Jonathan Hall:We should be able to get that in just a weekend or two, I would expect.
Shay Nehmad:Yeah. So everybody we just basically need half half of the Earth's population Mhmm. To join, to just match up with some friends I have in Tel Aviv who recently
Jonathan Hall:Well, what
Shay Nehmad:doing? Came into some money. I don't know if, you know what I'm talking about.
Jonathan Hall:Gee, Wiz. I don't.
Shay Nehmad:Mhmm. Good one. So, yeah, Google buys Wiz. Why is this a Golang story? Well, Wiz is back in this in Go, and I just well, some of it.
Shay Nehmad:Obviously, not all of it. They're already a big super sprawling company and they've bought like other companies, so I assume it's not all a % Go, but their core thing is is in Go. Disclaimer, I used to work at a competitor, at Orca until very recently.
Jonathan Hall:Oh, so that's why you're bad talking to them so much.
Shay Nehmad:I don't I'm not bad talking to anyone. I'm very happy for them. Google is in talks to buy them for $33,000,000,000.
Jonathan Hall:It's a lot of money.
Shay Nehmad:Yeah. It just goes to show, go you know, people can bad talk it all all they want, but makes a ton of money.
Jonathan Hall:But what what has Wizz ever done for us? Like, I I I heard the name, but have they ever done anything that we would be aware of?
Shay Nehmad:We as Go developers, you mean?
Jonathan Hall:As Go developers, as as SREs, as
Shay Nehmad:yeah. So they have a product for that's like a security platform for cloud security like Orca. So, you know, if you're a part of a security team, you've probably heard of it. And they've discovered the research team has discovered a lot of cloud vulnerabilities. Since a lot of the cloud is written in Go, sometimes you see vulnerabilities the day close, in popular open source Go projects.
Shay Nehmad:And this week was no exception. Super cool. They, like, got sold for $33,000,000,000, immediately got back to the drawing board and all right, we found Ingress Nightmare, which was such a big headline. You might have heard of it and like didn't realize it was a Go related news item. But a 9.8 critical RCE, unauthenticated.
Shay Nehmad:RCE stands for remote code execution. So basically means any Joe Schmo can go into any Kubernetes ingress NGINX and start running code inside the cluster. So from nothing to full cluster control. Wow. Like cluster takeover.
Jonathan Hall:Is this for both the the free NGINX and the subscription NGINX, Ingress controller?
Shay Nehmad:I think it's for both. If you just have it deployed, like the depends on the version because they did a proper disclosure. So it's not like they put this blog out without talking to the developers first. Actually, now they probably work at the same company, right? Kubernetes is Google ish and Wiz is Google ish.
Jonathan Hall:So if you're using Kubernetes with NGINX, make sure you've upgraded to the latest version, is the short version, right?
Shay Nehmad:So so a few things you can do. First of all, maybe you don't know if your clusters are using Ingress NGINX at all. All you have to do is look at the pods. So you do kubectl get pods, all namespaces, and look for, like name equals Ingress NGINX. If you're just running it and you don't have any permissions because someone turned it on once but didn't like set it up properly, you're good.
Shay Nehmad:Most likely it has a cluster read only permissions because everything has that. So if you these two things exist, you're you need to, patch it. It was patched in NGINX controller one twelve one and one eleven five. And, you know, are a few things you should do. Either you should upgrade immediately.
Shay Nehmad:However, that doesn't always work. Right? Like, if you didn't stay on top of your upgrade schedule, you might be a few versions behind. And I don't know, like upgrading Go version seems important, but upgrading every single thing in my Kubernetes cluster seems like a super pain in the behind because there's just so many moving parts. So until you have, like, something of this magnitude, 9.8 CVE score that forces you to get off your ass, you probably won't do it.
Shay Nehmad:Until you can, upgrade, there are a few things you can do to mitigate, like stricter network policies, just disable the admission controller on Ingress NGINX. And there are like there's a description in the blog post. The the part that I found interesting after like, hey, make sure that you upgrade is actually how they discovered it. What's the research motivation behind it? And how does it work?
Shay Nehmad:They have like beautiful art art showing it. And finally, GoCode, how the thing actually worked. And there are a few cool tools here, that I didn't know about, like KubeReview. Have you heard of KubeReview? It's just a CLI utility to transform requests into admission review requests.
Shay Nehmad:So you had to have some tooling in order to just do that, which is obviously also written in Go, right? What's the question? This whole ecosystem is. And you you can just look at the code in the blog post. Like, the blog post goes into details about every, specific CVE, like off URL injection, and you can inject on the match CN TLS part of the parser.
Shay Nehmad:Like you can inject in a lot of places here, things that people don't expect. And again, you can just look at the code and because it's Go, it's like really, really easy to The vulnerability kind of yells at you. You know what I mean? Like, sort of when you look at bad code that's so bad that, the bug literally screams at you. You know what I mean?
Jonathan Hall:Sorry, bud. I like how how long and detailed it is. A lot of security releases are just like, you know, a one paragraph description. This is a estimated thirteen minute read, goes into some great detail.
Shay Nehmad:Yeah. And the shout out to the researchers. I know some of them, but even without the personal knowledge, Nir Ochfeld, Ronen Shustein, Saget Sadiq, Hillelie Bensasson, Eli Ben Sasan. Sorry. Good job, everybody.
Shay Nehmad:The link to the blog post is obviously in the show notes along with everything else we're talking about. So if this sounds interesting to you, or you you need to immediately grab the link and send it to your CISO or your, Kubernetes admin, it's in the show notes. What else do we have like on the docket?
Jonathan Hall:Yeah, let's shift away from security stuff for a little bit and talk about some conferences. I have a couple I wanna mention. There are two, these are both in the European area. If you're over in that part of the world, like I was a few months ago, they both have CFPs open. GoLab is in Italy, October Fifth Through Seventh in Florence.
Jonathan Hall:Beautiful city. I was there once about ten years ago. And their CFP is open until April 10. So if you want to be in Italy in October, send your CFP. The other one is GopherCon UK will be in August, August thirteenth and fifteenth.
Jonathan Hall:And their CFP is open through May 17. So there's two opportunities to speak in Europe later this year, if that sounds appealing to you.
Shay Nehmad:The unofficial, San Francisco Gopher meetup. I mean, it has a date. I don't a % know if it's happening, but but it has a date. If it'll be something more serious, we'll definitely talk about it next week. And there's a proposal, an accepted proposal you wanted to share with me.
Shay Nehmad:I'm I'm excited about this one. What's what's going on?
Jonathan Hall:There's two here, if we have time to talk about both today. So the first one is that, they accept their proposal to add a flag to the GoModVerify command.
Shay Nehmad:And I just wanna say thanks to Oleg Kovolov, who, like, shared this link in our, Slack group. Thanks, Oleg.
Jonathan Hall:Yeah. So the new tag is, or the the new command line flag is called minus tag. And have you looked at this, Shai? Because this is kind of security related and there might be a little bit more up your alley.
Shay Nehmad:Yeah. You tried to move away from security a little bit, but turns out you need 10,000 lines of code to protect the one line of code that like the to do. That's
Jonathan Hall:right. That's right.
Shay Nehmad:So there's a few things you need to know about. What is the Go checksum database?
Jonathan Hall:So there's a, I mean, I'm probably gonna get this a little bit wrong. So there's a public proxy of Go modules and part of that, or related to that is this checksum database that keeps track of, I suppose it's a pairing of module name and version number along with the checksum of that module so that you can validate that you downloaded the same thing.
Shay Nehmad:And are like three things hard in two hard things in computer science, right? Cache and validation off by one errors, then cache and validation or however that joke goes. It's basically a glorified cache, Because if you want Go code, you go to GitHub and you download it, but you can use the go pkg. Go. Dev to look at these packages.
Shay Nehmad:And I 100% promise you, if you listen to this show, you probably spent more time than you think on the site. Whenever you open documentation, it's there. Right? Whenever you look for a package, it's there. So it's not it's not like it's an important resource to protect, even though it's mostly just a web resource.
Shay Nehmad:It also includes mod checksum and some other things that you need to basically verify if you wanna make sure that the package you're downloading, the package you're using in your software is the same package you're that's mirrored there. So the new proposal is adding a flag called, tag. So after you push a new tag to GitHub, you double make sure that it syncs up to the package registry. And that way you know that someone else didn't, like, poison your package in the go check some database. In a few of our our recent shows, we talked about, like, typo squatting issues and things like that where packages you just had malicious packages.
Shay Nehmad:But even if I have I don't have to typo squat to do that. If I get force push permissions to your repo, I could push a new tag, then delete it from GitHub, but the checksum database is already poisoned. The cache is already poisoned. But if if I'm like a package maintainer, I could run this go mod verify minus tag a few times and just invalidate the cache and make sure that the proper version of the packages is what's in that checksum database. Basically prevents unauthorized changes to that database.
Shay Nehmad:I don't think this is a good suggestion.
Jonathan Hall:You don't think it's a good A,
Shay Nehmad:I don't love the From the syntax, it's not obvious that it's like what it does. Right? Go mod verify minus tag to me doesn't like it it doesn't clarify that's what it does, but that's just a UX thing.
Jonathan Hall:I agree with that.
Shay Nehmad:Yeah. And you have like a few flags, you all versions, latest versions, specific versions. Like, get why checking the latest version is the thing that I'm worried about that this opens up the other side of attack, an attack on the, mod package database itself. And I wish I saw this proposal in time. I might still comment on it even though it got accepted.
Shay Nehmad:Because I don't understand what prevents people from creating a fork of a repo, changing the code a little bit, and then like basically invalidating all the cache all the time. Like it it would be so easy to DDoS package website right now with this command. You're basically giving a drain option to all the caches with this command. I don't fully understand how it protects from that.
Jonathan Hall:I think you should comment.
Shay Nehmad:I'm not missing something, right? Other than basic DDoS prevention measures, like DDoS prevention measures, This command allows me to, with a little bit of work, basically invalidate all the cache for the GoMod site just generally, right? Because I'll ping it with wrong versions all the time. Or am I missing do you think I'm missing something and and it's not actually possible? I don't know about that.
Jonathan Hall:I'm still trying to I'll double
Shay Nehmad:check before I comment. I I don't I really hate, writing on proposals and then being wrong.
Jonathan Hall:Assuming this works as intended, I'm still unclear, like when would I use this? Would I run this in my CI? Would I run this every time I upgrade? When would
Shay Nehmad:I actually use Every time you push a new tag to GitHub, immediately after it's done and the release is okay, whatever release is okay means to you. Usually, when you push a tag, it already means that, you know, you merge domain and everything checks out. Immediately after that, you run, go mod verify minus stack latest. It has two side effects. One, it makes sure that it's uploaded to the SMDB, so if someone else wants to pull it, they do it immediately.
Shay Nehmad:They don't have to wait. And it checks that it matches the local repo, which is exactly what you want.
Jonathan Hall:Got it. Yeah. Yeah. That does seem like it would be vulnerable to what you've suggested.
Shay Nehmad:I'll double check that. Just the security flavor of this episode has got my offensive juices flowing, you know what I mean?
Jonathan Hall:Well, I think that is about all we have time for. We had one other proposal, but I think we'll save it for next week because our guests should be joining immediately after our break.
Shay Nehmad:So let's jump to that.
Jonathan Hall:Hello, this is Jonathan from the future. Welcome to our so called Ad Break. We just finished recording the interview. It was a good interview. Stick around for that in just a minute.
Jonathan Hall:Before we jump into that, I want to remind you that you can buy our swag. We have mugs, we have t shirts, we have USB chargers. We're looking into getting Yubi Key covers. I don't know if that's even possible. We're going to try.
Jonathan Hall:Tepago. Dev, you can click on our store link there and buy this cool swag with Brewster, our mascot. It's one great way to support the show. You can also support the show by sharing it with a friend, with a colleague, with a fellow student, with your pets. You can even support us financially by becoming a Patreon.
Jonathan Hall:The link for that is also at cupago.dev. But one of my favorite ways to support the show is to just talk to us. You can find us on Slack at the Cup and Go channel on the Gopher Slack. That's cup o go, kebabcase. We have over 500 people there now.
Jonathan Hall:We have some pretty lively discussions sometimes. We talk about past shows, talk about upcoming things. People share news items there that we often put on the show. Join us there, we love to chat with our listeners. I'm sure I'm forgetting something since Shay isn't here to remind me, but I think that's okay.
Jonathan Hall:We'll cover it next time. Let's get to the interview about GoLynxian. Hey, Shay. I just pulled this Go Code out of the dryer and it's covered in lint. How do you think I can get rid of that?
Shay Nehmad:You just pulled this Go Code out of the dryer.
Jonathan Hall:Right? We're going for bad jokes, right? Did I did I do a good one?
Shay Nehmad:I I think it's intervention, level worthy of bad. Well, I don't know a lot about lint. Actually, this is an audio show, so this joke won't carry, but I have this new wool sweater that my wife knit me. It's a it's a bit linty as well. Like it has a bit of a fluff.
Shay Nehmad:But I'm not an expert on linting, are you?
Jonathan Hall:I used to have a linter, but it's kinda old and crafty. I feel like I need a new one.
Shay Nehmad:Oh, maybe there's a new version. Hello.
Ludovic Fernandez:Hello.
Jonathan Hall:Welcome to our terribly bad humor hour. You're here to talk about Golang CI Lint version two. But before we do that, would you introduce yourself? Tell us who you are and a little bit about yourself.
Ludovic Fernandez:Yes. So I'm in French. So but I think most people know me with my nickname is Hildes.
Jonathan Hall:Hildes. Yes.
Ludovic Fernandez:I'm currently working maintaining column ceilings, but not only, also maintain LEGO, the Sanskrit client in Go. Currently, I'm working for open source because I have decided to change the way I work. And I wanted to try to work only for open source, so only rely on donation. I wanted to do that because I think it's possible. And I think OSS maintainability and sustainability is important, and we have to do something to to sense some signal to say, hey.
Ludovic Fernandez:It's time.
Shay Nehmad:And and I'll just take the opportunity here to say, there's a link in the show notes. I I found the supporting us page on calling cilint.run. I assume that's the if people, are listening and they agree with you and they want to support you, it's right on the homepage. There are backers and sponsors, and you can join the social networks as well to spread the word. Right?
Shay Nehmad:Yes.
Jonathan Hall:I'm I'm one of the I I think this is the only open source project going to CLN that I monetarily support. So I encourage our listeners to do that too.
Ludovic Fernandez:Yes. You are one of the early sponsor.
Shay Nehmad:I like to think, you know, whenever I click on a Google ad that like 0.0000001¢ of that AdSense money ends up in the Go team salary or something like that. Whenever like YouTube pops an ad, I'm like, ugh, no, I just wanna watch this video. Then I'm like, no, it's good. This money goes to Google. Somewhere inside Google, someone is maintaining the compiler, That's fine.
Shay Nehmad:And then I end up watching the same annoying, insurance, advertisement because I just moved here, so they don't stop doing it for me. So the aspect of doing open source full time, you know, how has it been, for you? I I wanna talk about how has it been for the project. I'm sure the project had a lot of, you know, it was very good for the project to get your full attention. But I was just wondering, I I assume a lot of our listeners are are curious about, like, how does that work?
Shay Nehmad:Did you set up a company? Like, how does that work?
Ludovic Fernandez:Yes. It worked. I created a company, small company with just me because legally, I'm forced to do that. But for the for government selling project, I created an Open Collective organization. In fact, Open Collective is the the fiscal cost of Golang Sialines.
Ludovic Fernandez:The money that people give to Golang Sialines doesn't goes to my company. It goes to this fiscal cost. For now, I don't really know how I will drive this money, but, oh, no. There is a place. There is a place.
Ludovic Fernandez:And for me, working on open source every day, it's like working for other projects, not not really different. The only difference in fact is that I wake up when I want, but I have to do all the work. So it's not a paradise, but it's it's not an and it's really far from l. I'm really happy to do what I do. I don't know if you want to know something else.
Ludovic Fernandez:I'm not sure if I answer to the question.
Shay Nehmad:You totally did. There is there is a bit of a business overhead that's that's invisible to to setting this, thing up, but it's cool that, you know, it's not like super, super complicated. It sounds it sounds very possible. It's not like, oh, there's no legal precedent. Like, oh, just start a company.
Shay Nehmad:The money will eventually go there.
Ludovic Fernandez:Sorry. My watch warned me that my heart is my heart is bit higher. Too high.
Shay Nehmad:Happens to me it happens to me whenever I meet the CTO of my current company all the time. My watch is like stress level high. I can sympathize.
Jonathan Hall:We've had a number of people on the show who talk about running open source businesses. It's a model I admire. I mean, I do some open source work. It doesn't pay any bills. I'd ever get any money from it.
Jonathan Hall:So I really admire the people like you who do that. And so thank you. And I of course appreciate your project. Golang CI is one that I use and advocate other people to use very heavily. So let's talk about that a little bit.
Jonathan Hall:Maybe let's start with looking back in time. When did you start Golang CI Lindt?
Ludovic Fernandez:So first I'm not the author, so initial author of Golang CI Lindt. It's Dennis. Dennis created Golang CI Lindt around 2018, if I remember well. Okay. He tried to to build a company on top of Golan CIA Linz called Golan CI.
Ludovic Fernandez:The goal was to provide the tool, the CI tool, the SaaS tool, to Linz. I don't have the full history because I will try to explain that. But in reality, I never met Denis because when I come to the project in 2020, I think. And Denise was already I don't have the word, but he was not here. Wait, sorry.
Ludovic Fernandez:He mainly leaves the project because SaaS service doesn't really work and not as a tool, the tool who was working, but as a business. So he decided to open organization to everybody, And I send a lot of invitation to contributor, introduce a system to invite every contributor to organization. So I started at this moment when everything was automated, in fact. And then I start to contribute on one or two thing and day by day is month by month, I become the main maintainer, but it was not a plan, in fact.
Jonathan Hall:So you've been when did you sort of become the main maintainer?
Ludovic Fernandez:There is no real date. No. I contribute more and more. At some point, I asked asked to not Denise, but sorry, I don't remember his name. From my memory, it's Alexander, colleague to Denise, if he can give me the right, because it was difficult to handle a project when you don't have the right to handle the CI, the configuration.
Ludovic Fernandez:It was a main problem at some point. I don't know if you remember or if you believe this story, but start to act the Golang sorry, the GitHub action CI by opening pull request. We were under the attack. It was not really funny because without the right to stop the the pull request to stop something, it was really complex. So Okay.
Ludovic Fernandez:So it it was progressively gradually.
Jonathan Hall:And then I guess the of course, the big news, the reason you're on today is because version two was just released. Version one has been around for ages. It's been getting new features all the time. What inspired you to go with version two? Why the change?
Ludovic Fernandez:In fact, the idea of v two begin there is six year before I become a maintainer, but nobody was able to do it because creating a major version is not as simple as we can think because there is a lot of things that you have to think in term of feature, in term of tooling. A lot of people forget that CI exists, yes, but CI doesn't do the job. They just just do what they have to do and you have to learn them. So and in fact, without someone that really want to take the the topics, the Vidoo was not able to to to go out, in fact. So at the end of the the previous year, I said said, I'm tired with deprecated seeing with breaking some runtous stuff and living with options that doesn't work, that's really annoying.
Ludovic Fernandez:So I decided to go for v two, not a huge v two with a lot of stuff, but something straight to the goal, something that simplify some elements, something that remove all and deprecated stuff. The goal was not to create the wish list, the Christmas wish list for every future in the world, but just prepare the future and clean the past.
Shay Nehmad:Nice. The new configuration looks like I've been with the Golang Salient forever, forever, forever. The new configuration looks a lot simpler. The only problem is I used to rely on a GitHub gist. I don't remember who wrote it, but I actually have to give a shout out to the guy, so I'll I'll find it.
Shay Nehmad:But there's, if you look for GoLangs Island GoldenConfig
Ludovic Fernandez:I think I know I know this person. It's, the nickname is Mattory, I think.
Shay Nehmad:Yeah. Maret Raymers from The Netherlands. I always just go to this page, copy it, and and now it's it might not be the correct configuration anymore. I'll comment and say that v two has been released.
Ludovic Fernandez:I think you will create you you will create a new a new version of this Golden file.
Jonathan Hall:Oh, already someone did it. Ran golang c I migrate. Oh, there's a command to migrate all configurations.
Ludovic Fernandez:Yes. Yes. Yes. In fact, for me, the major point when you create a v two because I already create v two of some important tool. Previously, I was working on traffic.
Ludovic Fernandez:I don't know if you know it. So I already live some major version and the difficulty related to major version. So when I started to think really early in the early days about the v two, all had started to sync. We have to provide a migration guide, we have to provide the command that integrates seamlessly your configuration and we create that.
Jonathan Hall:So I realized we forgot to do something and that is So apologies to any listeners who don't actually know what we're talking about. We haven't explained what Golang CI Lint is. I'm just assuming everybody knows. Let's go back, tell us in your own words, what is Golang CI Lint and why would anybody wanna use it?
Ludovic Fernandez:Golang CI Lint is runner for linter. So it's a linter. But the difference between no, there is no difference. It's just a runner for linter, a fast linter for linter. The goal is to statically analyze the code, detect some bug, detect some style error, but not really error, but warn you about some styling issue and report them so that you can fix them.
Ludovic Fernandez:So I think everybody know a sling or I I don't really know the tooling of Ruby, but but I think it's RubyCop or stuff like that.
Jonathan Hall:Mhmm.
Shay Nehmad:I I hate RubyCop.
Ludovic Fernandez:Never used to. I cannot hate it.
Shay Nehmad:And the and the and the Rust compiler, of course, no need for any.
Jonathan Hall:Yeah, really good. So it's static It's sort of a meta analyzer. It combines a number of configurable linters so you can kind of pick and choose which ones you want to run, right?
Ludovic Fernandez:It's a difference between some other linter. Golang CLINT is user oriented. So you make your choice. We don't really decide, but we select the linter. The linter should not drive to bad practice.
Ludovic Fernandez:It's a limit of doesn't the linter does not should not be detector. So what I call detector is something that just report, yeah, it can be a problem. No. Is it a problem or it's not a problem? It can be a problem doesn't exist for me because I know that most user, when using linter, in fact, they just follow the linter because they trust in the linter.
Ludovic Fernandez:So it's a yeah. So the main difference for me from other, it's design need design need to be used and configured by you with your rule and not our rule.
Shay Nehmad:How many like, on your projects, do you have just, like, the one configuration that you use? Because I was wondering about that. Like, first of all, now that I'm thinking about it, what Golang c island configuration runs on Golang c island?
Ludovic Fernandez:Golang CLINT configuration of Golang CLINT is not a good configuration because but in fact we are are forced to do that because the configuration of CLINT will be used to test Golang CLINT over the version. So we have something really seen because we should have consistency between the version, between the release. So we have something releasing. So it's really not a recommended configuration. It's a configuration, but not a recommended configuration.
Ludovic Fernandez:In my opinion, there is no real recommended configuration because you have to tune the configuration for your project. For an example, I created a linter that's called Agliatelle. Agliatelle is in the tag. You know the names that the field will have inside your JSON or the name of the mapping for the JSON.
Shay Nehmad:Yeah. It it, like, makes sure that the tag maps up to the name of the field.
Ludovic Fernandez:Yes. Exactly. But, for example, when I work on Lego, so I have to handle hundred of DNS clients. But each DNS client has this whole casing. So I cannot use one configuration.
Ludovic Fernandez:I'm forced to use a configuration that is for this client or for this project. It depends on your convention. For example, if you have to interact with a PHP project, maybe they will use a snake. They will use no snake case or maybe they will use a camel case. So for me, there is no real recognition, but there is some linters that I recommend to use because they are globally neutral.
Jonathan Hall:I find that I tailor my configuration very heavily to the project I'm working on and the people on that project. For a solo project, I have a very different set of linters than I do for a project on a team of 10 people. Because maybe on a 10 of 10 people, I have more junior developers who don't know all the idioms and stuff like that. And I want maybe stricter linters to encourage them to not use global variables, for example. But on a solo project, I know I'm not gonna use global variables unless I just really, really want to or need to for some reason.
Jonathan Hall:And I don't feel like I need the lender to do that. Do you find people doing the same sort of thing, tailoring their configuration to the projects, to the people? Or what do you recommend? What have you seen?
Ludovic Fernandez:There is a lot of different profiles inside. In fact, there is advanced user like you. You know what you need and you know what you do. So you will just set up the meter that prevents you from some complex stuff or some mistake. And there is some people that use the same thing as a kind of teacher to drive the people to the right direction.
Ludovic Fernandez:I saw a conference in Gofer India, I think, where a person explained all the configuration. They create a sheet. They put the name of each center. As I said, why is this center is useful, why is this center is not useful? And they share that with their team as it builds their configuration like that.
Ludovic Fernandez:So different person has different profile of user.
Shay Nehmad:One thing I I really like with messing up all these configs is that it's a fun way to spend time. So I think I'll drop off the interview now and just go and mess around with my config, like turn on the linter, see if I like the errors, and then turn it off. Since there are so many linter possibilities that you can turn on and off, it's gonna take me a while. So I'm gonna drop off and let Jonathan continue this interview. But before I do, again, I really wanna say thank you for coming on and for the project.
Shay Nehmad:Like, it's a really, really good project. And again, reiterate the call to action. If your company uses Golang cilent and it caught you a production bug like my company did twice, go contribute to Golang cilent. By the way, if you are a company in Israel, I don't know how it works in other places, but if you contribute to open source, you can, and my lawyer did it, you can write it off as a donation and then it's a tax write off as well. So if you're a company and your finance people have some time on their hand that could even get you money at the end of the year.
Shay Nehmad:Thanks a lot Elders, I'll be dropping off now.
Jonathan Hall:All right, let's talk a little bit more then about the improvements you made in V2. We talked about configuration and migration from old to new and how it's not really like a huge change. It's mostly some cleanups. But let's talk specifically. What were maybe the top two or three things in your mind that changed from V1 to V2?
Ludovic Fernandez:For me, the main thing is the introduction of the formatter. So the formatter was already here. It's not new, but the way to use it is new. So there is a new command called golemcyaline fmt. So it's the equivalent of Go fmt, but you can configure it with this classic configuration of Go lang cielin.
Ludovic Fernandez:It work like Go fmt. So I I said fmt because because I'm French, but I think it's a good community. Sorry. Yeah. So I think it's something that can simplify the usage of linting and formatting because we all we all appreciate a GoFmt Go import because they are great formatters.
Ludovic Fernandez:But there is some issue with those formatters that other formatter fix. For example, GoFund have some extra rule that's really good to apply. There is also in GCI that we handle a consistent order of the import. And for me, it's really it's really good because Go imports or even GoFund doesn't group the import. You have no consistency in the imports.
Ludovic Fernandez:But it's not really read to the v two, but the v two will help for that. And another major point for me, it's the the file path management. Because previously, if the the paths that were that were defined inside the configuration was relative were relative to the binary not the binary, but the launch the the place where you will launch the binary. And it was really inconsistent. If you was if you was running the link into a package, your exclusion, for exam example, doesn't work.
Ludovic Fernandez:So now I fixed it that. I know it can seems to be a detail but I spend days and days and days to try to find the right way to handle that, to doesn't break everything. It was horrible.
Jonathan Hall:I can imagine. And
Ludovic Fernandez:just one important point, sorry. So I spent maybe too much time, but another point for the v2 is that I'm really happy is the remove of the default exclusion. Previously, missing commands or not some error handling was hidden by default. And at some point, it's a problem because you have to handle error and you have to comment. But we all know that majority of project don't really put comments.
Ludovic Fernandez:And when we close a file, we don't really care about the error. So we remove all those default execution, but we introduce something more human friendly with human friendly name to disable the complete topic. So for example, we have a preset named comment and it will remove all the report related to comments.
Jonathan Hall:Yeah, that's nice. Yeah, I have not installed V2 yet. I've just been busy with other things. It's only just came out a few days ago, but I will. I'll probably do it before this episode is released.
Jonathan Hall:So maybe next week on the next episode, I can talk about my experience with it.
Ludovic Fernandez:You will see it's pretty quick to try it. You're an conanxia ling migrates. It's Zen. You can use it.
Jonathan Hall:It looks really simple based on what I read and what you said. So I'll be trying it over the weekend probably. Is there anything else that you think we should call out? Anything else about V2 or maybe other plans you have in the future?
Ludovic Fernandez:I don't have really planned for the future for now because the V2, I worked three months on the v2 so more than three months on the v2 so now I think I will just slow down a bit and sync but there is some elements that community want to be introduced. So I think I will work on that. I don't want to say something on which feature is because I don't want problems. I will continue.
Jonathan Hall:Very good. Do you wanna talk about Lego for a little bit and just introduce that to the audience too, what that is?
Ludovic Fernandez:Oh yeah, Lego, it's a Let's Uncrypto, an Acme client in Go that you can use as a library or as a CLI. LEGO is able to handle currently some and more than hundred DNS provider. So everything is automatic. Sorry. Maybe I should explain what is Acme and what is old Ensancrypt.
Ludovic Fernandez:So I will not explain what is Ensancrypt, but I will explain what is Acme. ACMI is an automated way to get certificates, so to have the HTTPS. So Allego allow to create a certificate easily Just have to you just need to have a server or a DNS or I don't know if it's pretty clear. Sorry, sentence are not straight and
Jonathan Hall:That's okay. No, I I understood you. Yeah. Thank you. Building CI and LEGO are your two big projects.
Jonathan Hall:I imagine you dabble in other things. You probably submit bug fixes and stuff to other projects as you need to.
Ludovic Fernandez:Yeah, I contribute to every I think I'm like a lot of people that work around OpenSouth. I use OpenSouth, and when I have a problem, I try to fix it. Well, I try to create a good report to help the maintainer to fix the problem because it's always complex to fix something if you don't know a proper project. So I try to open good issue and I try to fix what I can fix or how new feature is if I can do it.
Jonathan Hall:Very good. Great. Well, as we mentioned before we started recording, we always try to ask our guests. Well, first of all, we give you an opportunity to share any links you want. We've already talked about your two projects.
Jonathan Hall:We'll have links to those in the show notes. I don't know if you wanna share social media links or personal blog or anything like that you'd like the audience to know about.
Ludovic Fernandez:I think the current link to the donation page for me or for GalenciAilinter are enough.
Jonathan Hall:Great, we'll put that in the show notes if you'd like to contribute financially to help Eldez continue to live the open source dream. And then beyond that, we have a question we'd like to ask. We already told you about this before we started recording. We ask all of our guests and that is when you started learning Go or even today, who inspired you the most? Who have you learned the most from?
Jonathan Hall:Whether it be through blog posts, through conference talks, books, anything, Who has inspired you the most in your Go journey?
Ludovic Fernandez:It's complex because I was not in the first generation of the Gopher, but I started Go in 2017, I think. It was pretty early. So I learned by working on Go code, on the traffic Go code, to be clear. And this was I don't know what to say because didn't really follow some people in the Go community. I read a lot of code because I love the code.
Ludovic Fernandez:I love contributing. So I read a lot of code. So I would say the Go community is the answer.
Jonathan Hall:I love that.
Ludovic Fernandez:It's my reference.
Jonathan Hall:Great, great. Well, yeah, I like that answer. If you're reading code, you don't even know necessarily who wrote it, right? You're just reading the code.
Ludovic Fernandez:Yeah, it's something that for me, it's the same thing. Sorry, maybe it's off topic, but I contribute to open source not for my name, but because my code and not because it's my code, because the code will continue. And maybe in the future someone will use that, but never knows that was the first we write this.
Jonathan Hall:Right, yeah, yeah, that's great. And I think that's maybe good advice for others too, who are trying to learn Go is, we hear it fairly frequently, think, read the code, read the standard library, read Golang CI lint. I just referred somebody else to read Golang CI lint code earlier today. They were asking how to call GoFund from Daniel Marti directly. Don't know how to do it, but I know Golangency iLint does it.
Jonathan Hall:So you could go read that code and figure it out. So yeah, it's always good advice to read code, whether it's Go or another language.
Ludovic Fernandez:Yes. Yes. And I think Go is a is a good language good language for that. I have work and think think you too on on different language, but Go is really easy to read. More easy than a lot of code.
Ludovic Fernandez:So read it, it, read it.
Jonathan Hall:I agree. Yeah. Great. Well, Elders, I really wanna thank you again for coming on. It's unfortunate Shai had to leave to go reconfigure Goldeng's C.
Jonathan Hall:M. Hunt again. But I really appreciate you taking the time to join us on the show. We've had several listeners ask to hear from you, so I know that this will be a treat for our audience. Thank you so much.
Jonathan Hall:We'll have links to the projects and to your donation page.
Ludovic Fernandez:Thank you too for inviting me, sorry.
Jonathan Hall:Yeah, it's been a pleasure. It's always great to meet somebody who makes the software I use. So thank you so much.
Creators and Guests
