January 10, 2025 • 43 mins
- 🪵 github.com/golang/glog fix pre-announcement
- Conferences
- 🇧🇷 GopherCon LATAM @ Florianópolis, SC, Brazil, May 5-6
- 🇩🇪 GopherCon EU @ Berlin, Germany, June 16-19
- CFP through February 23
- 🇬🇧 GopherCon UK @ London, UK, August 13-15
- CFP starts March 1
- go-safeweb
- 🦀 GoReleaser 2.5 includes Zig & Rust support
- Coming soon: GoReleaser 2.6
- 🌩️ Lightning Round
- Testing discussion
- Blog: if got, want: A Simple Way to Write Better Go Tests by Michael Lynch
- Reddit discussion
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jonathan Hall (00:09):
This is Cup of Go for January 10, 2025. Keep up to
date with the importanthappenings in the Go community
about 15 minutes per week. I'mJonathan Hall.
Shay Nehmad (00:18):
And I'm Shay Nehmad.
Jonathan Hall (00:19):
Hi, Shay. I heard I should be conversational, and
we should talk more on thisshow.
Shay Nehmad (00:24):
That's good. That's a non awkward way to do that.
How's the weather?
Jonathan Hall (00:30):
It's kinda cold here.
Shay Nehmad (00:32):
We have to talk about Go because, dear listener,
I have a confession to make. Ispent this week doing back end
with TypeScript. Traitor. Yeah.Jonathan, save me.
Let's talk about Go a littlebit.
Jonathan Hall (00:46):
Well, if if we're if we're making doing
confessions, I guess, I'll tellyou that I've been doing a lot
of front end with JavaScriptlately too.
Shay Nehmad (00:52):
That sounds alright. That sounds like an
okay choice.
Jonathan Hall (00:55):
Yeah. Yeah. Well, it's not fun.
Shay Nehmad (00:58):
No. It's not. Wait. TypeScript or JavaScript? Just
JavaScript.
No types. Oh. Damn.
Jonathan Hall (01:05):
In this show, we're gonna be talking about a
security update that's comingout soon, bunch of conferences
that you could be speaking at,some releases, and a few other
things. I don't know. 124. Ithink those are the highlights.
Shay Nehmad (01:16):
Yeah. We have, also cool blog posts that we wanted
to share a new project that'scoming out. It's a bit of, a a
little bit of everything. Andthen we're gonna bike shed,
after the ad break about how towrite tests. Because who doesn't
like to argue about that?
Jonathan Hall (01:32):
I'll just skip test. That's the easy way. Mhmm.
Shay Nehmad (01:35):
No tests, no failed tests, no failures in CI.
Jonathan Hall (01:40):
That's right.
Shay Nehmad (01:40):
That's great.
Jonathan Hall (01:41):
CI can't fail if you don't have any tests.
Shay Nehmad (01:43):
Yeah. The the CrowdStrike way. Just ship it. I
think that's the second episodein a row where I'm shitting on
CrowdStrike, but it's just, Iapologize CrowdStrike people.
You're all you you're doingokay.
Security fixes. So there is aplan to issue a security fix, on
Monday, January 13, which coversa specific CVE. You know,
(02:05):
there's a preannouncement, soyou don't have to upgrade yet.
Just remember to upgrade onJanuary 13th.
Jonathan Hall (02:11):
So how many of our listeners do you think this,
security patch is likely to toaffect?
Shay Nehmad (02:17):
So that's actually an interesting question because
the security patch impacts aspecific path of code that may
or may not be executed by yourown code. And this sort of
reachability analysis, if you goreally deep into the weeds, it's
kind of hard. Right? Becauseeven if I import this package I
don't necessarily call thefunction that has the
(02:40):
vulnerability and even if I callit maybe I don't call it in the
right context or with the rightparameters in a way that might
trigger the vulnerability. Sohow many people does this
actually affect?
Probably a very small number.However, this package is
imported by 100,000 otherpackages.
Jonathan Hall (03:00):
Wow.
Shay Nehmad (03:00):
According to, pkg.go.dev.
Jonathan Hall (03:03):
That's a lot more than I would have expected,
actually.
Shay Nehmad (03:05):
Yeah. It's it's only presenting the the top, 20
k, so I'm I'm not even seeing,like, whether Google themselves
imported somewhere, but itdefinitely seems like it's part
of Kubernetes because it's partof someone's fork of Kubernetes,
and I can't really see themchanging all the log to g log in
their fork. That's probably notwhat they did. But, yeah, it's
(03:27):
happening through, a lot ofother tools. So protobuf,
gateways, SQL exporters.
So it seems like people are notreally even importing it
themselves. It's just part ofvery basic things like, kubelet,
and just code they, like,vendored or copied, or forked.
(03:48):
Right? It's part of Vtest byPlanetScale, like, it's in a lot
of things. So it's probablyaffecting a lot of people, which
is interesting because, like, Iknew it, but I I if you told me,
hey.
What's g log? I can tell you offthe top of my mind. It's not
like something I use. I just sawit something, like, when I
learned c plus plus. So makesure to upgrade on Monday, but
(04:09):
it's probably in one of yourdependencies.
So maybe you wanna lock yourversion of glog to be higher
which is annoying but, yeah,maybe you should do that.
Definitely the find, like, graincontrol over logging in the find
level and evaluating argumentsand things like that. Something
that does matter at scale, butif your library if your project
is not at scale but imports alibrary or a tool or uses
(04:32):
something that was built to dealwith scale, suddenly you deal
with all these, like, you know,you're just building an HTTP
server that serves, like, 10users a day, but you have to
upgrade dependencies that have cplus plus optimizations. It's
actually written in pure go.Right?
But the original, concept was inc plus plus for huge scale. So,
(04:53):
yeah, upgrade on Monday, put iton your calendar. A nice way to
start the week. And a coolpackage, and the announcements
gonna come obviously on onMonday. Right?
So we're not gonna probably havethe details of the fix until
then, because it's a privateissue, but actually there is, a
(05:15):
change log. It's just like gointernal review, like, when I
click on it, it brings me to alogin page, single sign on in
Google. So I assume I can't gothere. Like, I assume I can't
see. It's all, like, internal golinks.
So I guess we'll have to waituntil the you will you can just
wait until the next show. Right?
Jonathan Hall (05:34):
Yeah. We'll talk about it next week. We'll tell
you what actually happened.
Shay Nehmad (05:36):
I'm adding, a thing to our backlog, so we don't
forget. What about someconferences?
Jonathan Hall (05:40):
Yeah. Let's let's talk about conferences. We
haven't been following this asclosely as we used to, largely
because the Wiki page for theconferences is no longer a Wiki
page, and it's really hard toget it updated. So, we'd have to
kinda scrape our conference infofrom other places, but we got a
few for you. The next one,coming up is gonna be in Brazil
for Annapolis.
(06:01):
That's, May 5 6th, go for ConLATAM. It looks like they're
doing, talks in English,Spanish, and Portuguese. So that
covers a pretty big portion ofthe the developer community,
that speaks one of those threelanguages. So there's no excuse
not to go to Brazil. I'll seeyou there.
Coming up next, we have GovConEurope. This will be in Berlin
again. This will be June 16through 19, and the CFP is still
(06:25):
open. So you have a chance topresent, there as well. CFP
closes CFP stands for
Shay Nehmad (06:32):
call for papers, which is funny because these are
not papers anymore.
Jonathan Hall (06:36):
Yeah. They're not.
Shay Nehmad (06:36):
I don't think they've ever been, but
Jonathan Hall (06:39):
They did call for presentation. So, actually, it
says call for speakers, but
Shay Nehmad (06:43):
c f CFS's.
Jonathan Hall (06:45):
That makes more sense. Anyway, c f CFS, or Go
for Con Berlin, is open untilFebruary 23rd. So you still have
a little over a month, 1 and ahalf, to propose a a talk in,
Berlin.
Shay Nehmad (06:58):
Yeah. If you're based in Europe though, don't
wait until the last minutebecause if your talk gets like,
usually what happens is all thetalk reviews, happen towards the
end of the call for papers. Butsometimes they can if you know
someone at the review board oryou can just send them an email
and be, like, hey, I sent mything early. Can you review it
(07:18):
and let me know if it's good ornot? And maybe I'll send another
one if it's not good.
That just gives you an extrachance if your talk is not a
good fit for that conferencebecause, you know, maybe the
talk is great, but someone isalready registered for a similar
talk or something like that.That could give you an extra
chance. That worked for me oncein one of our Go meetups.
Jonathan Hall (07:35):
And the last one, far out in the future, this is
all the all the way in August 13to 15, GovCon UK will be back in
London. The CFP slash CFS is notyet open. It opens on March 1st.
So we'll talk about that againin a few months to remind you.
Shay Nehmad (07:48):
Yeah. It is call for papers though. When you open
the the CFP page, it says thetitle in bold, call for papers.
Yes. And they just have a coolthing of, like, sort of
directing you towards whichtalks they're, aiming towards.
Yeah. They have keynotes, whichare 30 minutes, talk sessions
(08:09):
which are 60 minutes, andtutorials which are a 120
minutes.
Jonathan Hall (08:13):
I think I'll do the keynote. That sounds easier.
Shay Nehmad (08:15):
It's yeah. Only 4 keynote sessions will be
selected and 24, talk sessionswill be selected. And, the and
finally, tutorials which aremore classroom style. So, you
know, whatever, is more yourtype, you could take. I've
definitely seen people inconferences where it's only,
(08:37):
like, 60 minute presentations.
People try to do a tutorial in apresentation, and even if the
tutorial is great, people are,like, they don't have their
laptops ready. It's not reallytheir mindset, Or the other way
around. It's like a classroomand just someone's giving a
presentation. So it's cool thatthey, you know, have this,
separation already ahead oftime. And it seems like a big
(08:59):
conference from the picturehere.
It looks like a ton of people.
Jonathan Hall (09:01):
I think that is one of the bigger ones. I
haven't been to it, but justbased on people I've spoken to
who have been there.
Shay Nehmad (09:08):
Yeah. I guess, there are there are a lot of
gophers in the UK. That wouldmake sense. Cool. Talking about
Google and security, I have aHacker News, thread which I
found.
I don't do you use a HackerNews, like, as a social media?
Jonathan Hall (09:24):
Occasionally. I'm not a regular visitor, but I
occasionally browse or
Shay Nehmad (09:29):
So I I never, like, go visit the website, but I have
a Telegram feed that, like,feeds me just the titles, and
then I judge the book by itscover and choose which threads
to go into. And this one wasinteresting, go safe web. I was,
like, oh, what's this? It's apretty cool project from,
Google. Again, we're reallyhyping up, Google stuff, this
(09:53):
episode.
Jonathan Hall (09:53):
Although the first line of the readme, it
Shay Nehmad (09:54):
says. Right? Disclaimer. It's a language by
Google. That's fair.
Jonathan Hall (09:58):
The first line of the readme, however, says
disclaimer. This is not anofficially supported Google
product. So, it's done byGoogle, but I guess you can't
sue them if it breaks or or getsupport or whatever.
Shay Nehmad (10:09):
So so let me ask you something. Google plus, was
that an officially supportedGoogle product?
Jonathan Hall (10:14):
How about I believe it was. Podcast?
Shay Nehmad (10:17):
How about all the rest of the killed by Google,
you know, site? Do you know thatthing? Google graveyard? Yeah. I
fucking love that.
Jamboard, Chromecast, Rob Cam,Keene, optimized podcast
domains. Do you remember theyshut down domains in 2023? That
was insane.
Jonathan Hall (10:34):
I'm actually surprised that Chromecast is on
that list. I thought that wasstill going on, but I guess No.
Shay Nehmad (10:39):
No. No. Just out of date. Died 5 month ago after 11
years. And YouTube stories andif you go Stadia Stadia was a
heartbreaker for me.
Man, I really thought cloudgaming was gonna be a thing. And
if you go really way back, youfind a lot of things.
Jonathan Hall (10:56):
You remember when Google used to do search?
Anyway, let's stay focused.
Shay Nehmad (11:01):
Yeah. Let's stay focused. It's a non official
Google product, so it's probablygonna live longer than the
official ones. I guess that whatwhat that means. But what is
this project and why would youcare?
So, Jonathan, let's say, you'reat work, and you're working on
something that has sensitivedata, and it's an HTTP server.
(11:22):
Yeah. What do you need to do?
Jonathan Hall (11:24):
Well, I wanna make sure there's some
authentication, in middlewareprobably. I wanna make sure I'm
using HTTPS.
Shay Nehmad (11:31):
So so you're, like, scratching your brain right now
trying to, like, dig up open thefolder called security, clear
out all the cobwebs. Right?Right. Because usually you have
some of the smarter people likeFilippo and whatever taking care
of that stuff for you. Mhmm.
Trying to remember that list. Sogo safe web is just a collection
of libraries for writing secureby default HTTP servers. So you
(11:54):
don't have to remember toprotect yourself from all these
things. So just all the securitymechanisms are are applied by
default. They're opt out, versusopt in.
And if you have to do unsafeusage, it's like it's like very
clear. It's very much anexception. And enforcing new
security measures will be ableas well through AST, like your
(12:17):
your manipulation. So you couldactually change the code after
you release it, and existingusers will just have either
static analysis or on timemonitoring to migrate in the
future as well. Right?
When new vulnerabilities and newattack patterns are detected. I
think that's like the killerfeature other than the fact
that's a collection of good,current best practices or secure
(12:40):
practices, I should say. Theyclaim to be able to do sort of,
like, future proofing towardsfuture security requirements.
I'm not a 100%, like, convincedby their example, but it's a
good goal to aspire to. Right?
Some security vulnerabilitiesthey plan to address or mitigate
(13:05):
is XSS, XSRF, CORS, TLS,iframing, authentication and
access control, parsing bugswith, htp. If you remember, we
had, someone on the show, Iforgot his name, found a bug
with, like, flooding HP a 100.
Jonathan Hall (13:22):
Yeah.
Shay Nehmad (13:23):
Right? So, like, sort of avoiding these things,
uniform, error handling to makesure you don't accidentally leak
data over error, messages, andenforcing a ton of h u p
security headers that you justhave to, include and do
correctly with, like, aninterceptor that forces you the
content type options and theaccess protection and things
(13:45):
like that. Just things you youif you remember to do or your
framework does for you, that'sgreat, but if you don't, you're
less secure as a as a server. Soa big list of really cool
things. I like the approach.
I like the idea. It's stillearly, so, like, I won't build
production things on it. Butdefinitely, like, looking at
(14:06):
that list and making sure yourcompany slash server applied
everything here.
Jonathan Hall (14:11):
When you say it's early, what do you mean?
Shay Nehmad (14:12):
They just claim it's, this project is in early
stage, and they are notaccepting any contributions. So
I think it's just like aninternal
Jonathan Hall (14:20):
Google interface. The Go mod references Go 1.16.
There's at least commits 5 yearsold. So
Shay Nehmad (14:27):
Yeah. I I don't the fact that it's old doesn't mean
it's, like, it's not in earlystage. I don't think it's, like,
a top priority thing for Google.They just released it as a as an
idea. Yeah.
I think. And when it came outon, Hacker News, I'm not sure
why someone posted it, like,what was new. Maybe they're
working in, like, a differentfork or something. There was a
(14:49):
lot of interesting discussionhere and the the main one was
when you do all these things atthe application level, that's
kinda weird. Right?
Because you almost never haveyour HTTP server just bare on
the web. Right? Like, the firstthing you would actually do in
this scenario I asked you isprobably set up the thing on the
cloud somewhere. Right?
Jonathan Hall (15:10):
Yeah. Set up a load balancer or something to to
handle all of your stuff. Right?
Shay Nehmad (15:14):
Yeah. And the SSL certificates, you get them from
your cloud provider or whatever.So you I almost never had to do
SSL in Go. Right? Because I hadNginx or ALB or whatever
wrapping the thing for me.
And then internally in mynetwork, it was all, HEP. And
even when you have mTLS betweenservices and you have to do it,
(15:36):
you don't, like, do cross or,like, origin things between your
internal services or internaltooling and things like that.
But if you do zero trustapproach, super high level,
things, maybe you can take alook at this project. I think
it's a really good, like,stepping stone, and I'm I'm
wondering if someone would pickit up in the future. But,
(15:56):
definitely, it it does seemabandoned.
Right? It's a large project, andit's dead. Right? Yeah.
Jonathan Hall (16:04):
I mean, the last update was 3 weeks ago, and it
was just updating dependencies,I guess, for some security
vulnerabilities.
Shay Nehmad (16:09):
Actually, opening opening the issues, the top
issue is state on the read methat this project is
substantially unmaintained andit seems like, it's an ex
Googler or no, currentlysecurity engineer at Google,
from Ilano, at least accordingto their, GitHub, profile that
(16:31):
says this project is large. Ithink it would need more work
than what's currently been doneto define it as a live project.
I think it's safe to say it'sdead. The reason being, the only
application that adopted thisframework internally was written
by me and has since gone inmaintenance mode.
Jonathan Hall (16:47):
I love the open draft pull request called, I
think we're getting somewherewith generics.
Shay Nehmad (16:52):
So it's an interesting concept, but it's a
good thing that, this person,Roberto Clappes, has stated that
this isn't actually abandoned.So it's a it's an interesting
concept. If you have a securityaware thing at your company,
maybe take a look, but Iwouldn't build on top of it. I
would just take the concepts.Because each individual concept
(17:15):
is not that hard to implementother than the promise of, like,
future proof this safe thisframework will forever and ever
protect us from every singlesecurity vulnerability.
I don't think that's reallypossible even with static
analysis and run time monitoringand blah blah blah. Evolving
security requirements, they, youknow, they always involve evolve
just to be better than theattackers. Right? And then the
(17:38):
attackers have to evolve. That'show it always has been.
So I think it's a cool casestudy. Cool. So let's talk about
a a project that actually hasbeen released and actually is
useful.
Jonathan Hall (17:49):
One that's clearly not abandoned. So this
is Go Releaser. We talked aboutit on the show before. They're
always adding new features. GoReleaser 2.5 was released, just
before Christmas.
And the interesting thing aboutthis is it's no longer named
properly, I guess. They addedexperimental support for Rust
and Zig. So now it's like theRust Sig Releaser.
Shay Nehmad (18:13):
Multi language support for Go Releaser. That's
super cool.
Jonathan Hall (18:17):
That's pretty cool. Yeah. The other, thing I
wanna mention, upcoming, I sawthat just last night, Go
Releaser 2.6 nightly wasreleased, and it has a bunch of
cool features that even if youare, like, hardcore, I only ever
do Go for whatever reason, youmight appreciate this. It has
capabilities or or will onceit's released essentially in the
(18:38):
next day or 2, to automatically,I guess, announce your releases
on Blue Sky, on Discord,LinkedIn, Mastodon, Mattermost,
and a whole bunch of othersocial media websites and and
and Slack and things like that.So I think that's pretty cool.
If you wanna set up integrationso that every release is
automatically gets spammed outto your network, why not?
Shay Nehmad (18:58):
Honestly, almost every Go Releaser thing, I've
done had integration with Slackjust as part of GitHub actions.
Right? Once it's released andpushed, something lets, Slack
know. Right? So CS's or otherpeople who depend on the thing
that was released, they can goout to their customers and say,
hey, blah blah blah.
New release, check out. So thefact that it's built into Go
(19:20):
Releaser. I I really love howit's slowly trying to, you know,
every release is eating one morepiece of the, like, continuous
deployment puzzle. Mhmm. Until,like, eventually, you're just
gonna literally just gonna haveto go run GoReleaser.
No parameters. It's gonna takecare of your entire CD for you.
We just need to wait for thatguy to implement his own, like,
(19:43):
a GitHub actions runner. Right?
Jonathan Hall (19:45):
Yeah. Right.
Shay Nehmad (19:47):
I mean, it would be good. Go release is great, man.
Super tight, always works, worksfast, simple configuration. I'm
I'm all for Go Releaser. At myprevious, company, we used Go
Releaser Pro.
That was really good.
Jonathan Hall (20:00):
Yeah. Cool.
Shay Nehmad (20:02):
That's enough, long form news. We know the current
generation is all hyped upbecause of YouTube shorts and
TikTok, and you don't haveattention spans anymore. So
let's move to that lightingground to feed you some of that
good good dopamine you like.Lightning ground. My thing for
(20:23):
the lighting ground is a reallyreally really really really good
blog post about how you
Jonathan Hall (20:27):
How good is it?
Shay Nehmad (20:28):
Really really really really really really
good. You know what? That's apretty good, question. How about
you read it and I read it andthen we compare our results
about how much we liked it. Waita second.
You're asking how will wecompare these results? Maybe we
can benchmark them and thencompare them with bench stat.
Well, if you read these blogpost, you know how to do that.
(20:49):
It's Bartek. I think we talkedabout Bartek's, blog post in the
past.
He's the author of or somethinghe did. I I just remembered that
name. He's the author ofEfficient Go, which is an
O'Reilly book about writing,Efficient Go, obviously. And
it's a really simple log postasking how do you compare
(21:10):
benchmarks. So the old way wasyou run a benchmark, then you
optimize your code, then you runa benchmark again, and then you
compare the 2 benchmarks usingthe bench stats tool.
And this is already valuable.Like, if you didn't know how to
compare 2 benchmarks, this isthe way to do it. The benchmark
tool gives you a lot of, like,visibility and options about,
(21:30):
like, how things have beenimproved between 2 different
runs, right, of of the samebenchmark and you can see like
seconds per operation and thedifferences between the old and
the new and how much theperformance has increased or
decreased for like, specific subcases of your benchmark.
However, that does entailrunning it twice and saving it
(21:53):
to do different files. You know,you have to repeat all these
steps basically.
And in the new case that, Bartikpresents here, you know, there's
a new flow where you can compareefficiency across specific
cases, in a more complicatedbenchmark with like based on the
row of 1 file. So you don't haveto run it, like, twice with 2
(22:17):
different flags or something.You just run your test once. You
have to add some boilerplate toyour test, but if you have
something that's very benchmarkish specific, that could be
really useful. I don't know.
What's the last benchmark youwrote?
Jonathan Hall (22:30):
Oh, wow. It's been a while.
Shay Nehmad (22:32):
Did it have, like did you just write it to make
sure that you're not going oversome threshold, or did you
actually try to optimize thething?
Jonathan Hall (22:39):
Usually usually, I do benchmarks when I'm
comparing 2 differentimplementations or something to
decide which one failed.
Shay Nehmad (22:45):
So that would be perfect for that. You just need
to add to your row, to your,like, your benchmark test, a row
that says, oh, case 1, case 2,Bartik has an example here. It's
all verbose. Like, it looks sougly. I won't lie.
It's like for case in case andthen 4, like, you know, method
1, method 2, run the benchmark.And then you just run bench stat
(23:08):
on it with minus row instead ofminus new and old and you get
the table comparison after onetest which is really really
useful. Yep. Yep. Yep.
I love these benchmark tables,like, he's comparing protobuf,
Prometheus write requests. Ilove that people nerd out on
these details so I don't have toand Prometheus just ends up
being fast. So a cool blog post,go read it if you're doing
(23:30):
benchmarks. What do you have?
Jonathan Hall (23:31):
I don't remember.
Okay. I do remember. So I I have 2 quick
picks for the lightning round.They're basically just resources
that you could use to get moreGo news or happenings in the Go
community, if you will. Firstone's called Golang Nugget.
It's a little blog that does, Ithink, weekly ish nuggets of Go
(23:52):
goodness with little AIgenerated gophers. So who
doesn't love that? Check out golike nugget.com. And the other
one we've talked about on theshow before is going weekly. I'm
subscribed with this newsletterthat I think it's put up by
Arden Labs.
They send you a weekly snippetof good news. Sometimes it makes
in this podcast, so it's timefor us to mention them again.
Shay Nehmad (24:15):
So what's the difference between Golang Weekly
and Golang Applied Weekly? IsGolang Weekly, like, unapplied?
Jonathan Hall (24:21):
Yeah. Yeah. This is purely, sort of hypothetical
abstract. If you want to applyyour Go knowledge, then, going
apply weekly is also great.
Shay Nehmad (24:32):
I love that, there's enough Go news for,
like, a podcast and, like, 5,newsletters, everybody with
their style and take. It'sactually a good thing, but we
hope, you know, this show givesyou, like, a specific take. And,
obviously, worth mentioning, golike Applied Weekly as well,
which, is maintained by ourfriend, Kristoff, which was on
(24:52):
the show a long time ago. Iwonder if if we pull out that
episode, how old, Filippo'sgonna make it sound in the edit.
Jonathan Hall (25:01):
So, Si, I just got a copy of the applied Go
weekly newsletter, and it has areally good article. Have you
seen this this newsletter?
Of course. I follow it. I really like the
recently, I it's going to AI andstuff. Wondering who's writing
it.
Oh, wait. Yeah. I don't know. We we should find
out because I mean, he justshared one of my videos and so,
you know, he's not a super guy.
That's a good day. So Yes.
Oh, hi, Kristoff. Welcome to the show. Thanks for
(25:23):
having me.
Shay Nehmad (25:26):
And that does it for the lightning round. Let's
do a quick ad break before wejump into a bike shedding
discussion about Goethas.
Jonathan Hall (25:33):
I can't wait.
Shay Nehmad (25:41):
Welcome to our ad break. This podcast is sponsored
by Blockbuster.
Jonathan Hall (25:48):
I don't know how to say that.
Shay Nehmad (25:51):
I thought it was sponsored by, things that were,
you know, really cool in thenineties.
Jonathan Hall (25:57):
Okay.
Shay Nehmad (25:58):
Oh, no. Those are our listeners. Never mind. Never
mind. This show is sponsored byour listeners.
Actually, I'm wondering what'sthe average age of, the list
like, the listener to thepodcast. I might be totally off,
and most people who listen are,like, 18 or something.
Jonathan Hall (26:13):
Good question. I don't know. I would imagine I
would imagine older than 18, butprobably younger than me. I'm
45.
Shay Nehmad (26:21):
Don't let me phrase this in a wrong way, but it's
easier to like, I think theaverage is to be younger than
you.
Jonathan Hall (26:29):
Yeah. I think so. I think I would expect the
average to be I would I wouldexpect late twenties as an
average probably. But I don'tknow.
Shay Nehmad (26:35):
Actually, I like I love the fact that podcasts
don't have great analyticsbecause I would start obsessing
over them. But just getting aslice of, all the people who
listen to the show would becool.
Jonathan Hall (26:46):
Speaking of analytics, I I can hop over to
YouTube and see who watches uson YouTube at least.
Shay Nehmad (26:50):
Oh, that would be cool. Why don't you do that
while I tell, the nice listenersabout how we are actually
sponsored? Because we're notsponsored by Blockbuster. We're
not sponsored by anyone. Thisshow is self supported with the
beautiful Patreon members.
If you want to join and kick afew bucks a month our way, that
would be cool. We're not makingany money off the show. Trust
us. We're we do have to pay for,like, hosting fees and editing
(27:13):
fees just to make this show,sound nice and be transmitted
all over the world. So thathelps cover that.
While mentioning Patreon, thanksto our new member, Jose d s, for
joining Patreon. Thank you.Thank you. Thank you. Obviously,
all the old patrons as well.
You're just so cool. You know,you're you're already part of
the, thing. I don't have tomention your name. For that link
(27:34):
and many others, go tocupago.dev where you can find
links to our Slack channel. It'son the go for Slack, so if
you're already there, you canjust look up cupago.
And if you're not into all that,you can email us at
news@capago.dev. That isnews@capago.dev. I always say
you can email us. That addressactually just goes to Jonathan.
Jonathan Hall (27:52):
Yeah. But, yeah. That goes to me.
Shay Nehmad (27:54):
But he lets me know when things, go through. Yeah.
You can also find links in thesite to past episodes with all
the transcripts, all our socialmedia links, less than go
release our offers, but they arethere. I don't think we have
Blue Sky, Mastodon, and allthat.
Jonathan Hall (28:11):
We have we have Mastodon. Do we? We have.
Shay Nehmad (28:14):
I'm not on Mastodon, so I wouldn't have.
Jonathan Hall (28:15):
We have LinkedIn. We had Twitter, but I closed my
Twitter account, and that likelyclosed our CupidGo account too.
I'm not sure.
Shay Nehmad (28:21):
I think it's still it's still kicking.
Jonathan Hall (28:22):
It must still
Shay Nehmad (28:23):
We need to ask Elon, I guess. Yeah. And, you
know, we need to make sure thatour episode have right wing
enough titles so the algorithmpicks them up. That would be a
fun experiment. Maybe we canrelease an episode just named
Jordan Jordan Peterson, AlexJones.
What are their contributions tothe Go language? Also, what
(28:44):
happens when you put the January6th, date into the Go lang date
format? That's probably gonnaget picked up. Or alien it or a
left wing listeners. Anyway
Jonathan Hall (28:56):
Some of our listeners have just sworn us off
now. I don't know whichdirection they're leaning
politically, but they're nolonger listening. For sure.
Alright.
Shay Nehmad (29:04):
Also, if you wanna support us and you don't wanna
support us financially, that'stotally fine. You can leave a
review, or share this show.Setting like, spreading the word
about the show is the only wayit gets around. We don't pay for
advertising. So leaving a reviewon the whatever app you're using
to listen to this whether it'sSpotify or Apple Podcasts or
whatever or just sharing theshow in your jobs like Slack
(29:27):
channel being, like, hey.
I heard on this show, linked tothis show, that we have to do a
super crazy update on Monday. Dowe use g log anywhere? Does
anybody know? You could soundsuper smart and also send some
other super smart people ourway. That'd be really cool.
So Lieutenant Data, how's theYouTube, research going?
Jonathan Hall (29:45):
Yeah. So not great. What I learned about our
listeners on YouTube is that54.9% of them are subscribed to
our channel.
Shay Nehmad (29:53):
That sounds good.
Jonathan Hall (29:54):
When I go to the age and gender, tab, it says not
enough demographic data to showthis, report. So no idea.
Shay Nehmad (30:02):
Alright. Isn't 50% really good?
Jonathan Hall (30:04):
I guess so. We we we seem to have a 164
subscribers.
Shay Nehmad (30:09):
Oh, that's cool. That's cool. Well, if you use
YouTube
Jonathan Hall (30:13):
Oh, no. I'm wrong. We have 366 subscribers.
Shay Nehmad (30:16):
That's still cool. Well, I guess if you use YouTube
Music for your podcast. Right?Then you would find podcasts
there.
Jonathan Hall (30:22):
Anyway, thanks for listening on YouTube, if if
that's you.
Shay Nehmad (30:25):
Yeah. Thanks for listening, in general,
everybody. That's all the normalthings we have to say. Go click
on all the links we told you toand leave a rating and do all
the things. Thank you.
So, Jonathan, do you write Gotests? Yes. I do. Usually, when
(30:49):
you write your tests, at somepoint, you wanna assert that the
thing you got from the functionis the thing you want. Right?
Jonathan Hall (30:57):
Mhmm.
Shay Nehmad (30:58):
How do you write that?
Jonathan Hall (30:59):
Depends on what I'm testing. I know where you're
going with this because I Ilooked at the the post. Mhmm. I
guess I can just TLDR. I alreadydo the thing he suggests.
Shay Nehmad (31:10):
So Michael Lynch has a blog post that sort of
kicked off a really, reallyReddit ish thread of people,
like, bike shedding about how towrite tests. The TLDR of what
he's saying is, don't use anythird party library for
assertions like testify or is orany of these, libraries. Rather,
write if like go has this thingwhere you have an if then an
(31:35):
expression then a semicolon andthen the condition. Right? The
binary condition.
Right. This creates a scope sowhatever you define in the
expression is only for that ifand then you can reuse the
variable name and maybe moreimportantly, you can't use that
variable outside of the scope ofthe if. Right? So what he's
(31:55):
saying is do if got, want andthen pass, the 2 things you
wanna assert, right, semicolon,and then got is not want. Right?
And then you always use thewords got and want all over in
your test. You can copy pastethis pattern any anywhere, and
you just put the actualunexpected value and maybe
(32:18):
change the the t dot failed fmessage inside. And he says it's
easy to copy paste and makes theassertions look really different
from actual code because this isa pretty weird like, I've never
seen if got, comma, want. MaybeI I saw it like once or twice
but definitely not not as apattern And, yeah, just gives a
(32:39):
lot of examples in the blogpost. The blog post itself, very
good, but I don't super lovethis, how it looks.
So I I would love to debate thiswith you.
Jonathan Hall (32:49):
So the one nitpick I have is I always like
my want before my god, andthere's two reasons for that.
One is I think it's morereadable. Using this pattern, if
your if your expression for yourgod is of inconsistent length,
then you have to sort of scandifferent parts of the line to
find what your want actually is.So I like to have the want first
for that reason. I think it'svisually easier to put that
(33:10):
first.
Shay Nehmad (33:11):
I actually before you move on, I actually do that
as well, but for a totallydifferent reason. Okay. It's
because in when I learned c plusplus like in 2012, I read the
twin effective c plus plus andit says always in ifs put the
constant on the left because youcan accidentally do if a equals
(33:31):
b, 0, not a equals equals 0.Yeah. So that's sort of got
ingrained into my, like, musclememory, and I do it in every
language, even in Go where,like, it it can't happen.
Right?
Jonathan Hall (33:43):
I also do that just because it feels right, and
I never knew why it felt right.But that's it probably goes back
to learning it for those reasonswithout realizing that those are
the reasons.
Shay Nehmad (33:52):
Yeah. That's like, just the cultural DNA of, people
who started in, old language.Anyway, so that's the first
reason. Yeah.
Jonathan Hall (34:00):
The second reason I prefer want first is when I'm
using a tool like cmp.diff. Ithink the diff is easier to read
if the expected value is firstand the actual value is second
because then I know that plusesare extra or different and
minuses are things that aremissing. Flipping that around to
some people, I guess, maybe likeit the other way, but I feel
like it's just less intuitive toread a diff where minus means
(34:21):
that should not be there. Yeah.So that's the other reason.
Shay Nehmad (34:26):
So the reason I don't like this, and this might
be slightly controversial, is Iknow Go is a simple language and
you shouldn't use something thatisn't standard library for
things, but, honestly, testifyis great.
Jonathan Hall (34:42):
I think testify is so bad.
Shay Nehmad (34:44):
Or or any testify ish, library that just gives you
assert equal, nil, is error,expect error, like, all these,
you know, require and all thesesort of testing niceties that
are just a very, very simple APIthat looks really, really good.
Is equal, is true, is nowhere,is fail. Yeah.
Jonathan Hall (35:07):
I I disagree with most of that.
Shay Nehmad (35:09):
Like, you don't think it looks good? Or I don't
Jonathan Hall (35:11):
think it looks good. I think it's hard to read.
And and there's 2 parts of that.First, the testify API is
inconsistent, and that's what Ihate most about testify. Like,
in some cases, the want comesfirst.
Like, it's it's usually alwayswant is first, but sometimes
it's want the second or some Idon't remember. It's been a long
time since I looked at this. Sothere's a few inconsistencies,
and I and I think the currentmaintainers has acknowledged
(35:31):
that but won't change it becausethey don't wanna bother with v
2. And, you know, I respectthat. But more important, if
it's a simple one, it's like ifassert.
Equals, that's simple enough.It's easy to understand. But
it's also really easy just towrite if god equals want. You
know, it it doesn't really buyany readability. And then when
you get when you get to thebigger, longer ones, you know,
(35:54):
assert contains like orsomething like that, then I
don't even know what it's doing.
And I have to actually go eitherread the documentation or read
the code to understand what it'sdoing in the 1st place when I
get some weird error. I'd ratherjust look at Go code. I don't
want to have to go have to Iwant that assertion directly in
my code, so I know what'shappening. I don't want to have
to go read out the codesomewhere else. So I've I've
never found a case where I wantto search the library and go, I
(36:17):
often remove it when I'm workingon a project where I have that
that sort of power.
Shay Nehmad (36:21):
There's a comment here on Reddit that I I really
liked where someone said I like,basically, my opinion. Right? I
don't like this style as afterhundreds of assertions, this
starts to get very verbose andrepetitive. Is and go CMP mostly
does fine for me. An assertionshouldn't take more than one
line in my opinion.
That's crowdy river on, on,Reddit. That's an okay ish
(36:46):
opinion. Right? That's basicallywhat I'm saying. The response
here is just so Reddit.
It's incredible. Classic doublething. This is my Redditor
voice. Right? In my imagination,I'm like taking off my fedora.
Right? Classic double thing.Gophers in regular code. The
verbose it is worth it becauseblah blah blah. Gophers in test
code, we need DSLs that reinventthe language poorly like
(37:09):
testify.
Now I'd I'm not trying to paintyou into the Reddit or, it's
just the the way you phrased it.A person needs to go touch grass
for a second.
Jonathan Hall (37:21):
My response to to that would actually be more
nuanced. That is if the testsare too repetitive or difficult
to read, then they need to berefactored just as normal code
that's too repetitive or toodifficult to read needs to be
refactored. So tests or codetreat them as such, and then I
don't think you need theassertion libraries anymore
either.
Shay Nehmad (37:37):
Yeah. The only thing I think you would use is
cmp equal for structured data.Right? Because you don't want
Yeah.
Jonathan Hall (37:42):
I use cmp diff for for structured data usually.
Yeah. And I also don'tunderstand this assertion
shouldn't take more than oneline. I I guess that just they
don't like the three lines of ifx equals y, then t dot fatal,
that they feel like there's toomany lines.
Shay Nehmad (37:55):
Yeah. That it's I think it's a reasonable thing to
say, I'm gonna write a a 100tests, and each test is gonna
have 10 assertions, in the next,like, year, making it shorter
and easier to read, in myopinion, or in this personal
opinion is interesting. I likethat. I like the justifications
that people come up with inthis, thread. Like, Google uses
(38:19):
this, like, sort of, you know,going to Google code as
authority, maybe.
But I I I'll just say to sort ofround on my opinion is that,
yes, testify is annoying becauseof the fact that's the things
are not aligned. Right?Sometimes it's got one,
(38:40):
sometimes it's one got. That'sreally annoying. There are
others.
I think there's is, which isnice. But, generally, you know,
the style guide is let's not doassertion libraries, because it
just causes less useful, youknow, failure messages,
etcetera, etcetera. And,generally, the the Google style
(39:04):
guide says that they do not usethey do not provide useful
failure messages in the contextbecause you have, like, the the
stack of assert.nil or whateverin the in the call stack or in
the result. So they're basicallysaying write your tests, write
your assertions yourself. Don'tdon't bring in assertion
(39:26):
library.
You're sort of sharing youropinion, I guess.
Jonathan Hall (39:29):
So you you made a point about, readability, which
reminds me of a conversation Ihad on LinkedIn, of all places,
recently, about codereadability. And you you said
that you like the the shorterassertions for for greater
readability. Of course,readability is a very subjective
concept. If you're fluent withtestify, then many of those
(39:52):
assertions will be readable toyou. If you're fluent with is or
with, JUnit or whatever, youknow, then you'll you're gonna
find those certain idioms to bereadable.
I think that the most readablefor most people, which is which
is what the conversation wasabout on LinkedIn, is that, you
know, the the reason I prefer Goisn't, the reason we were
(40:13):
talking specifically about theverbosity of error handling in
Go on this thread. I said, youknow, I I like the verbosity of
error handling in Go becauseit's more readable for more
people. You know, it's it'spretty clear exactly what's
going on to anybody who who hasthe the basic understanding of
any programming language. That'snot to say that it's the most
readable for everybody. Youknow, once you're fluent in Go,
(40:34):
then something else like Rust'squestion mark, syntax might be
more readable for you, butthat's not more readable for
everybody.
And so I think it's a similarargument here. Certainly,
assert.equal or whatever mightbe more readable for certain
people, but it's going to be, ifyou're trying to appeal to the
masses, so to speak, or toeverybody, the standard library
is gonna be the most readable, Ibelieve, in the vast majority of
(40:57):
cases. And that and that's notto say that you should appeal
try to appeal to everybody. Youknow, if your team is is
completely content with usyou'll testify or whatever, and
you all find it readable andyou're happy to onboard new
developers to to that standard,of course, you know, that's your
choice. So I'm not trying tomake a judgment call.
I'm just trying to trying toexplain my view on that.
Shay Nehmad (41:15):
Yeah. The the author actually responded here
and said he understands bothperspective perspectives, and
it's a close call. So I thinkthat's, like, the best way to
summarize this discussion.Doesn't super matter. Like, at
the end of the day, there arethings in, like, about test
(41:35):
cleanliness that are way, way,way more important.
Like, how do you set up yourdata, and do you have shared
variables, and, like, thesesorts of things. Is your test
flaky is a 100 times moreimportant than this, like, new
pattern. I think the title is abit clickbaity which is why
people got, angry about it. Asimple way to write better Go
(41:58):
tests and then people are like,wait, better than my tests? But,
yeah, I think, like, Michael'sopinion here is wholly valid.
Although, I might be lazy andreach to testify again, next
time I have to do a thing.
Jonathan Hall (42:15):
Alright. Cool. Cool. Cool.
Shay Nehmad (42:18):
So And write tests.
Jonathan Hall (42:21):
I think that's the conclusion. Right? Write
your tests.
Shay Nehmad (42:23):
Definitely write them. Don't don't have AI write
them. That would be crazy.
Jonathan Hall (42:30):
Speaking of AI, I found great success having
Copilot rewrite my tests, from,one framework to another. We had
a bunch of tests written inConvey, which I think is
terrible. It's much it's muchmore than a search library. It
tries to, like, take overeverything about your test. It
does BDD or something.
Right? It's it's I think it'snot even that. Like, maybe they
tries to, but I don't know. It'sweird. But I I used it.
(42:50):
I I had been, like, slowlyhammering away at converting
convey test to standard standardtest. One is and I can see if
Copilot can help you with this.I I knocked out probably 200,
200 tests, in in an afternoon.So so switched over. It was felt
so much better.
Shay Nehmad (43:08):
Cool. Well, I guess I know what you're answering
about using AI in the nextsurvey. Lowering the usage of
third party libraries andsubscribing to the standard
library. There we go. I'm surethey'll like that answer there
in the Go team.
Jonathan Hall (43:26):
I think that's a show.
Shay Nehmad (43:27):
Thank you for listening, everybody. Program
exited. Bye bye.
This is Cup of Go for January 10, 2025. Keep up to
date with the importanthappenings in the Go community
about 15 minutes per week. I'mJonathan Hall.
Shay Nehmad (00:18):
And I'm Shay Nehmad.
Jonathan Hall (00:19):
Hi, Shay. I heard I should be conversational, and
we should talk more on thisshow.
Shay Nehmad (00:24):
That's good. That's a non awkward way to do that.
How's the weather?
Jonathan Hall (00:30):
It's kinda cold here.
Shay Nehmad (00:32):
We have to talk about Go because, dear listener,
I have a confession to make. Ispent this week doing back end
with TypeScript. Traitor. Yeah.Jonathan, save me.
Let's talk about Go a littlebit.
Jonathan Hall (00:46):
Well, if if we're if we're making doing
confessions, I guess, I'll tellyou that I've been doing a lot
of front end with JavaScriptlately too.
Shay Nehmad (00:52):
That sounds alright. That sounds like an
okay choice.
Jonathan Hall (00:55):
Yeah. Yeah. Well, it's not fun.
Shay Nehmad (00:58):
No. It's not. Wait. TypeScript or JavaScript? Just
JavaScript.
No types. Oh. Damn.
Jonathan Hall (01:05):
In this show, we're gonna be talking about a
security update that's comingout soon, bunch of conferences
that you could be speaking at,some releases, and a few other
things. I don't know. 124. Ithink those are the highlights.
Shay Nehmad (01:16):
Yeah. We have, also cool blog posts that we wanted
to share a new project that'scoming out. It's a bit of, a a
little bit of everything. Andthen we're gonna bike shed,
after the ad break about how towrite tests. Because who doesn't
like to argue about that?
Jonathan Hall (01:32):
I'll just skip test. That's the easy way. Mhmm.
Shay Nehmad (01:35):
No tests, no failed tests, no failures in CI.
Jonathan Hall (01:40):
That's right.
Shay Nehmad (01:40):
That's great.
Jonathan Hall (01:41):
CI can't fail if you don't have any tests.
Shay Nehmad (01:43):
Yeah. The the CrowdStrike way. Just ship it. I
think that's the second episodein a row where I'm shitting on
CrowdStrike, but it's just, Iapologize CrowdStrike people.
You're all you you're doingokay.
Security fixes. So there is aplan to issue a security fix, on
Monday, January 13, which coversa specific CVE. You know,
(02:05):
there's a preannouncement, soyou don't have to upgrade yet.
Just remember to upgrade onJanuary 13th.
Jonathan Hall (02:11):
So how many of our listeners do you think this,
security patch is likely to toaffect?
Shay Nehmad (02:17):
So that's actually an interesting question because
the security patch impacts aspecific path of code that may
or may not be executed by yourown code. And this sort of
reachability analysis, if you goreally deep into the weeds, it's
kind of hard. Right? Becauseeven if I import this package I
don't necessarily call thefunction that has the
(02:40):
vulnerability and even if I callit maybe I don't call it in the
right context or with the rightparameters in a way that might
trigger the vulnerability. Sohow many people does this
actually affect?
Probably a very small number.However, this package is
imported by 100,000 otherpackages.
Jonathan Hall (03:00):
Wow.
Shay Nehmad (03:00):
According to, pkg.go.dev.
Jonathan Hall (03:03):
That's a lot more than I would have expected,
actually.
Shay Nehmad (03:05):
Yeah. It's it's only presenting the the top, 20
k, so I'm I'm not even seeing,like, whether Google themselves
imported somewhere, but itdefinitely seems like it's part
of Kubernetes because it's partof someone's fork of Kubernetes,
and I can't really see themchanging all the log to g log in
their fork. That's probably notwhat they did. But, yeah, it's
(03:27):
happening through, a lot ofother tools. So protobuf,
gateways, SQL exporters.
So it seems like people are notreally even importing it
themselves. It's just part ofvery basic things like, kubelet,
and just code they, like,vendored or copied, or forked.
(03:48):
Right? It's part of Vtest byPlanetScale, like, it's in a lot
of things. So it's probablyaffecting a lot of people, which
is interesting because, like, Iknew it, but I I if you told me,
hey.
What's g log? I can tell you offthe top of my mind. It's not
like something I use. I just sawit something, like, when I
learned c plus plus. So makesure to upgrade on Monday, but
(04:09):
it's probably in one of yourdependencies.
So maybe you wanna lock yourversion of glog to be higher
which is annoying but, yeah,maybe you should do that.
Definitely the find, like, graincontrol over logging in the find
level and evaluating argumentsand things like that. Something
that does matter at scale, butif your library if your project
is not at scale but imports alibrary or a tool or uses
(04:32):
something that was built to dealwith scale, suddenly you deal
with all these, like, you know,you're just building an HTTP
server that serves, like, 10users a day, but you have to
upgrade dependencies that have cplus plus optimizations. It's
actually written in pure go.Right?
But the original, concept was inc plus plus for huge scale. So,
(04:53):
yeah, upgrade on Monday, put iton your calendar. A nice way to
start the week. And a coolpackage, and the announcements
gonna come obviously on onMonday. Right?
So we're not gonna probably havethe details of the fix until
then, because it's a privateissue, but actually there is, a
(05:15):
change log. It's just like gointernal review, like, when I
click on it, it brings me to alogin page, single sign on in
Google. So I assume I can't gothere. Like, I assume I can't
see. It's all, like, internal golinks.
So I guess we'll have to waituntil the you will you can just
wait until the next show. Right?
Jonathan Hall (05:34):
Yeah. We'll talk about it next week. We'll tell
you what actually happened.
Shay Nehmad (05:36):
I'm adding, a thing to our backlog, so we don't
forget. What about someconferences?
Jonathan Hall (05:40):
Yeah. Let's let's talk about conferences. We
haven't been following this asclosely as we used to, largely
because the Wiki page for theconferences is no longer a Wiki
page, and it's really hard toget it updated. So, we'd have to
kinda scrape our conference infofrom other places, but we got a
few for you. The next one,coming up is gonna be in Brazil
for Annapolis.
(06:01):
That's, May 5 6th, go for ConLATAM. It looks like they're
doing, talks in English,Spanish, and Portuguese. So that
covers a pretty big portion ofthe the developer community,
that speaks one of those threelanguages. So there's no excuse
not to go to Brazil. I'll seeyou there.
Coming up next, we have GovConEurope. This will be in Berlin
again. This will be June 16through 19, and the CFP is still
(06:25):
open. So you have a chance topresent, there as well. CFP
closes CFP stands for
Shay Nehmad (06:32):
call for papers, which is funny because these are
not papers anymore.
Jonathan Hall (06:36):
Yeah. They're not.
Shay Nehmad (06:36):
I don't think they've ever been, but
Jonathan Hall (06:39):
They did call for presentation. So, actually, it
says call for speakers, but
Shay Nehmad (06:43):
c f CFS's.
Jonathan Hall (06:45):
That makes more sense. Anyway, c f CFS, or Go
for Con Berlin, is open untilFebruary 23rd. So you still have
a little over a month, 1 and ahalf, to propose a a talk in,
Berlin.
Shay Nehmad (06:58):
Yeah. If you're based in Europe though, don't
wait until the last minutebecause if your talk gets like,
usually what happens is all thetalk reviews, happen towards the
end of the call for papers. Butsometimes they can if you know
someone at the review board oryou can just send them an email
and be, like, hey, I sent mything early. Can you review it
(07:18):
and let me know if it's good ornot? And maybe I'll send another
one if it's not good.
That just gives you an extrachance if your talk is not a
good fit for that conferencebecause, you know, maybe the
talk is great, but someone isalready registered for a similar
talk or something like that.That could give you an extra
chance. That worked for me oncein one of our Go meetups.
Jonathan Hall (07:35):
And the last one, far out in the future, this is
all the all the way in August 13to 15, GovCon UK will be back in
London. The CFP slash CFS is notyet open. It opens on March 1st.
So we'll talk about that againin a few months to remind you.
Shay Nehmad (07:48):
Yeah. It is call for papers though. When you open
the the CFP page, it says thetitle in bold, call for papers.
Yes. And they just have a coolthing of, like, sort of
directing you towards whichtalks they're, aiming towards.
Yeah. They have keynotes, whichare 30 minutes, talk sessions
(08:09):
which are 60 minutes, andtutorials which are a 120
minutes.
Jonathan Hall (08:13):
I think I'll do the keynote. That sounds easier.
Shay Nehmad (08:15):
It's yeah. Only 4 keynote sessions will be
selected and 24, talk sessionswill be selected. And, the and
finally, tutorials which aremore classroom style. So, you
know, whatever, is more yourtype, you could take. I've
definitely seen people inconferences where it's only,
(08:37):
like, 60 minute presentations.
People try to do a tutorial in apresentation, and even if the
tutorial is great, people are,like, they don't have their
laptops ready. It's not reallytheir mindset, Or the other way
around. It's like a classroomand just someone's giving a
presentation. So it's cool thatthey, you know, have this,
separation already ahead oftime. And it seems like a big
(08:59):
conference from the picturehere.
It looks like a ton of people.
Jonathan Hall (09:01):
I think that is one of the bigger ones. I
haven't been to it, but justbased on people I've spoken to
who have been there.
Shay Nehmad (09:08):
Yeah. I guess, there are there are a lot of
gophers in the UK. That wouldmake sense. Cool. Talking about
Google and security, I have aHacker News, thread which I
found.
I don't do you use a HackerNews, like, as a social media?
Jonathan Hall (09:24):
Occasionally. I'm not a regular visitor, but I
occasionally browse or
Shay Nehmad (09:29):
So I I never, like, go visit the website, but I have
a Telegram feed that, like,feeds me just the titles, and
then I judge the book by itscover and choose which threads
to go into. And this one wasinteresting, go safe web. I was,
like, oh, what's this? It's apretty cool project from,
Google. Again, we're reallyhyping up, Google stuff, this
(09:53):
episode.
Jonathan Hall (09:53):
Although the first line of the readme, it
Shay Nehmad (09:54):
says. Right? Disclaimer. It's a language by
Google. That's fair.
Jonathan Hall (09:58):
The first line of the readme, however, says
disclaimer. This is not anofficially supported Google
product. So, it's done byGoogle, but I guess you can't
sue them if it breaks or or getsupport or whatever.
Shay Nehmad (10:09):
So so let me ask you something. Google plus, was
that an officially supportedGoogle product?
Jonathan Hall (10:14):
How about I believe it was. Podcast?
Shay Nehmad (10:17):
How about all the rest of the killed by Google,
you know, site? Do you know thatthing? Google graveyard? Yeah. I
fucking love that.
Jamboard, Chromecast, Rob Cam,Keene, optimized podcast
domains. Do you remember theyshut down domains in 2023? That
was insane.
Jonathan Hall (10:34):
I'm actually surprised that Chromecast is on
that list. I thought that wasstill going on, but I guess No.
Shay Nehmad (10:39):
No. No. Just out of date. Died 5 month ago after 11
years. And YouTube stories andif you go Stadia Stadia was a
heartbreaker for me.
Man, I really thought cloudgaming was gonna be a thing. And
if you go really way back, youfind a lot of things.
Jonathan Hall (10:56):
You remember when Google used to do search?
Anyway, let's stay focused.
Shay Nehmad (11:01):
Yeah. Let's stay focused. It's a non official
Google product, so it's probablygonna live longer than the
official ones. I guess that whatwhat that means. But what is
this project and why would youcare?
So, Jonathan, let's say, you'reat work, and you're working on
something that has sensitivedata, and it's an HTTP server.
(11:22):
Yeah. What do you need to do?
Jonathan Hall (11:24):
Well, I wanna make sure there's some
authentication, in middlewareprobably. I wanna make sure I'm
using HTTPS.
Shay Nehmad (11:31):
So so you're, like, scratching your brain right now
trying to, like, dig up open thefolder called security, clear
out all the cobwebs. Right?Right. Because usually you have
some of the smarter people likeFilippo and whatever taking care
of that stuff for you. Mhmm.
Trying to remember that list. Sogo safe web is just a collection
of libraries for writing secureby default HTTP servers. So you
(11:54):
don't have to remember toprotect yourself from all these
things. So just all the securitymechanisms are are applied by
default. They're opt out, versusopt in.
And if you have to do unsafeusage, it's like it's like very
clear. It's very much anexception. And enforcing new
security measures will be ableas well through AST, like your
(12:17):
your manipulation. So you couldactually change the code after
you release it, and existingusers will just have either
static analysis or on timemonitoring to migrate in the
future as well. Right?
When new vulnerabilities and newattack patterns are detected. I
think that's like the killerfeature other than the fact
that's a collection of good,current best practices or secure
(12:40):
practices, I should say. Theyclaim to be able to do sort of,
like, future proofing towardsfuture security requirements.
I'm not a 100%, like, convincedby their example, but it's a
good goal to aspire to. Right?
Some security vulnerabilitiesthey plan to address or mitigate
(13:05):
is XSS, XSRF, CORS, TLS,iframing, authentication and
access control, parsing bugswith, htp. If you remember, we
had, someone on the show, Iforgot his name, found a bug
with, like, flooding HP a 100.
Jonathan Hall (13:22):
Yeah.
Shay Nehmad (13:23):
Right? So, like, sort of avoiding these things,
uniform, error handling to makesure you don't accidentally leak
data over error, messages, andenforcing a ton of h u p
security headers that you justhave to, include and do
correctly with, like, aninterceptor that forces you the
content type options and theaccess protection and things
(13:45):
like that. Just things you youif you remember to do or your
framework does for you, that'sgreat, but if you don't, you're
less secure as a as a server. Soa big list of really cool
things. I like the approach.
I like the idea. It's stillearly, so, like, I won't build
production things on it. Butdefinitely, like, looking at
(14:06):
that list and making sure yourcompany slash server applied
everything here.
Jonathan Hall (14:11):
When you say it's early, what do you mean?
Shay Nehmad (14:12):
They just claim it's, this project is in early
stage, and they are notaccepting any contributions. So
I think it's just like aninternal
Jonathan Hall (14:20):
Google interface. The Go mod references Go 1.16.
There's at least commits 5 yearsold. So
Shay Nehmad (14:27):
Yeah. I I don't the fact that it's old doesn't mean
it's, like, it's not in earlystage. I don't think it's, like,
a top priority thing for Google.They just released it as a as an
idea. Yeah.
I think. And when it came outon, Hacker News, I'm not sure
why someone posted it, like,what was new. Maybe they're
working in, like, a differentfork or something. There was a
(14:49):
lot of interesting discussionhere and the the main one was
when you do all these things atthe application level, that's
kinda weird. Right?
Because you almost never haveyour HTTP server just bare on
the web. Right? Like, the firstthing you would actually do in
this scenario I asked you isprobably set up the thing on the
cloud somewhere. Right?
Jonathan Hall (15:10):
Yeah. Set up a load balancer or something to to
handle all of your stuff. Right?
Shay Nehmad (15:14):
Yeah. And the SSL certificates, you get them from
your cloud provider or whatever.So you I almost never had to do
SSL in Go. Right? Because I hadNginx or ALB or whatever
wrapping the thing for me.
And then internally in mynetwork, it was all, HEP. And
even when you have mTLS betweenservices and you have to do it,
(15:36):
you don't, like, do cross or,like, origin things between your
internal services or internaltooling and things like that.
But if you do zero trustapproach, super high level,
things, maybe you can take alook at this project. I think
it's a really good, like,stepping stone, and I'm I'm
wondering if someone would pickit up in the future. But,
(15:56):
definitely, it it does seemabandoned.
Right? It's a large project, andit's dead. Right? Yeah.
Jonathan Hall (16:04):
I mean, the last update was 3 weeks ago, and it
was just updating dependencies,I guess, for some security
vulnerabilities.
Shay Nehmad (16:09):
Actually, opening opening the issues, the top
issue is state on the read methat this project is
substantially unmaintained andit seems like, it's an ex
Googler or no, currentlysecurity engineer at Google,
from Ilano, at least accordingto their, GitHub, profile that
(16:31):
says this project is large. Ithink it would need more work
than what's currently been doneto define it as a live project.
I think it's safe to say it'sdead. The reason being, the only
application that adopted thisframework internally was written
by me and has since gone inmaintenance mode.
Jonathan Hall (16:47):
I love the open draft pull request called, I
think we're getting somewherewith generics.
Shay Nehmad (16:52):
So it's an interesting concept, but it's a
good thing that, this person,Roberto Clappes, has stated that
this isn't actually abandoned.So it's a it's an interesting
concept. If you have a securityaware thing at your company,
maybe take a look, but Iwouldn't build on top of it. I
would just take the concepts.Because each individual concept
(17:15):
is not that hard to implementother than the promise of, like,
future proof this safe thisframework will forever and ever
protect us from every singlesecurity vulnerability.
I don't think that's reallypossible even with static
analysis and run time monitoringand blah blah blah. Evolving
security requirements, they, youknow, they always involve evolve
just to be better than theattackers. Right? And then the
(17:38):
attackers have to evolve. That'show it always has been.
So I think it's a cool casestudy. Cool. So let's talk about
a a project that actually hasbeen released and actually is
useful.
Jonathan Hall (17:49):
One that's clearly not abandoned. So this
is Go Releaser. We talked aboutit on the show before. They're
always adding new features. GoReleaser 2.5 was released, just
before Christmas.
And the interesting thing aboutthis is it's no longer named
properly, I guess. They addedexperimental support for Rust
and Zig. So now it's like theRust Sig Releaser.
Shay Nehmad (18:13):
Multi language support for Go Releaser. That's
super cool.
Jonathan Hall (18:17):
That's pretty cool. Yeah. The other, thing I
wanna mention, upcoming, I sawthat just last night, Go
Releaser 2.6 nightly wasreleased, and it has a bunch of
cool features that even if youare, like, hardcore, I only ever
do Go for whatever reason, youmight appreciate this. It has
capabilities or or will onceit's released essentially in the
(18:38):
next day or 2, to automatically,I guess, announce your releases
on Blue Sky, on Discord,LinkedIn, Mastodon, Mattermost,
and a whole bunch of othersocial media websites and and
and Slack and things like that.So I think that's pretty cool.
If you wanna set up integrationso that every release is
automatically gets spammed outto your network, why not?
Shay Nehmad (18:58):
Honestly, almost every Go Releaser thing, I've
done had integration with Slackjust as part of GitHub actions.
Right? Once it's released andpushed, something lets, Slack
know. Right? So CS's or otherpeople who depend on the thing
that was released, they can goout to their customers and say,
hey, blah blah blah.
New release, check out. So thefact that it's built into Go
(19:20):
Releaser. I I really love howit's slowly trying to, you know,
every release is eating one morepiece of the, like, continuous
deployment puzzle. Mhmm. Until,like, eventually, you're just
gonna literally just gonna haveto go run GoReleaser.
No parameters. It's gonna takecare of your entire CD for you.
We just need to wait for thatguy to implement his own, like,
(19:43):
a GitHub actions runner. Right?
Jonathan Hall (19:45):
Yeah. Right.
Shay Nehmad (19:47):
I mean, it would be good. Go release is great, man.
Super tight, always works, worksfast, simple configuration. I'm
I'm all for Go Releaser. At myprevious, company, we used Go
Releaser Pro.
That was really good.
Jonathan Hall (20:00):
Yeah. Cool.
Shay Nehmad (20:02):
That's enough, long form news. We know the current
generation is all hyped upbecause of YouTube shorts and
TikTok, and you don't haveattention spans anymore. So
let's move to that lightingground to feed you some of that
good good dopamine you like.Lightning ground. My thing for
(20:23):
the lighting ground is a reallyreally really really really good
blog post about how you
Jonathan Hall (20:27):
How good is it?
Shay Nehmad (20:28):
Really really really really really really
good. You know what? That's apretty good, question. How about
you read it and I read it andthen we compare our results
about how much we liked it. Waita second.
You're asking how will wecompare these results? Maybe we
can benchmark them and thencompare them with bench stat.
Well, if you read these blogpost, you know how to do that.
(20:49):
It's Bartek. I think we talkedabout Bartek's, blog post in the
past.
He's the author of or somethinghe did. I I just remembered that
name. He's the author ofEfficient Go, which is an
O'Reilly book about writing,Efficient Go, obviously. And
it's a really simple log postasking how do you compare
(21:10):
benchmarks. So the old way wasyou run a benchmark, then you
optimize your code, then you runa benchmark again, and then you
compare the 2 benchmarks usingthe bench stats tool.
And this is already valuable.Like, if you didn't know how to
compare 2 benchmarks, this isthe way to do it. The benchmark
tool gives you a lot of, like,visibility and options about,
(21:30):
like, how things have beenimproved between 2 different
runs, right, of of the samebenchmark and you can see like
seconds per operation and thedifferences between the old and
the new and how much theperformance has increased or
decreased for like, specific subcases of your benchmark.
However, that does entailrunning it twice and saving it
(21:53):
to do different files. You know,you have to repeat all these
steps basically.
And in the new case that, Bartikpresents here, you know, there's
a new flow where you can compareefficiency across specific
cases, in a more complicatedbenchmark with like based on the
row of 1 file. So you don't haveto run it, like, twice with 2
(22:17):
different flags or something.You just run your test once. You
have to add some boilerplate toyour test, but if you have
something that's very benchmarkish specific, that could be
really useful. I don't know.
What's the last benchmark youwrote?
Jonathan Hall (22:30):
Oh, wow. It's been a while.
Shay Nehmad (22:32):
Did it have, like did you just write it to make
sure that you're not going oversome threshold, or did you
actually try to optimize thething?
Jonathan Hall (22:39):
Usually usually, I do benchmarks when I'm
comparing 2 differentimplementations or something to
decide which one failed.
Shay Nehmad (22:45):
So that would be perfect for that. You just need
to add to your row, to your,like, your benchmark test, a row
that says, oh, case 1, case 2,Bartik has an example here. It's
all verbose. Like, it looks sougly. I won't lie.
It's like for case in case andthen 4, like, you know, method
1, method 2, run the benchmark.And then you just run bench stat
(23:08):
on it with minus row instead ofminus new and old and you get
the table comparison after onetest which is really really
useful. Yep. Yep. Yep.
I love these benchmark tables,like, he's comparing protobuf,
Prometheus write requests. Ilove that people nerd out on
these details so I don't have toand Prometheus just ends up
being fast. So a cool blog post,go read it if you're doing
(23:30):
benchmarks. What do you have?
Jonathan Hall (23:31):
I don't remember.
Okay. I do remember. So I I have 2 quick
picks for the lightning round.They're basically just resources
that you could use to get moreGo news or happenings in the Go
community, if you will. Firstone's called Golang Nugget.
It's a little blog that does, Ithink, weekly ish nuggets of Go
(23:52):
goodness with little AIgenerated gophers. So who
doesn't love that? Check out golike nugget.com. And the other
one we've talked about on theshow before is going weekly. I'm
subscribed with this newsletterthat I think it's put up by
Arden Labs.
They send you a weekly snippetof good news. Sometimes it makes
in this podcast, so it's timefor us to mention them again.
Shay Nehmad (24:15):
So what's the difference between Golang Weekly
and Golang Applied Weekly? IsGolang Weekly, like, unapplied?
Jonathan Hall (24:21):
Yeah. Yeah. This is purely, sort of hypothetical
abstract. If you want to applyyour Go knowledge, then, going
apply weekly is also great.
Shay Nehmad (24:32):
I love that, there's enough Go news for,
like, a podcast and, like, 5,newsletters, everybody with
their style and take. It'sactually a good thing, but we
hope, you know, this show givesyou, like, a specific take. And,
obviously, worth mentioning, golike Applied Weekly as well,
which, is maintained by ourfriend, Kristoff, which was on
(24:52):
the show a long time ago. Iwonder if if we pull out that
episode, how old, Filippo'sgonna make it sound in the edit.
Jonathan Hall (25:01):
So, Si, I just got a copy of the applied Go
weekly newsletter, and it has areally good article. Have you
seen this this newsletter?
Of course. I follow it. I really like the
recently, I it's going to AI andstuff. Wondering who's writing
it.
Oh, wait. Yeah. I don't know. We we should find
out because I mean, he justshared one of my videos and so,
you know, he's not a super guy.
That's a good day. So Yes.
Oh, hi, Kristoff. Welcome to the show. Thanks for
(25:23):
having me.
Shay Nehmad (25:26):
And that does it for the lightning round. Let's
do a quick ad break before wejump into a bike shedding
discussion about Goethas.
Jonathan Hall (25:33):
I can't wait.
Shay Nehmad (25:41):
Welcome to our ad break. This podcast is sponsored
by Blockbuster.
Jonathan Hall (25:48):
I don't know how to say that.
Shay Nehmad (25:51):
I thought it was sponsored by, things that were,
you know, really cool in thenineties.
Jonathan Hall (25:57):
Okay.
Shay Nehmad (25:58):
Oh, no. Those are our listeners. Never mind. Never
mind. This show is sponsored byour listeners.
Actually, I'm wondering what'sthe average age of, the list
like, the listener to thepodcast. I might be totally off,
and most people who listen are,like, 18 or something.
Jonathan Hall (26:13):
Good question. I don't know. I would imagine I
would imagine older than 18, butprobably younger than me. I'm
45.
Shay Nehmad (26:21):
Don't let me phrase this in a wrong way, but it's
easier to like, I think theaverage is to be younger than
you.
Jonathan Hall (26:29):
Yeah. I think so. I think I would expect the
average to be I would I wouldexpect late twenties as an
average probably. But I don'tknow.
Shay Nehmad (26:35):
Actually, I like I love the fact that podcasts
don't have great analyticsbecause I would start obsessing
over them. But just getting aslice of, all the people who
listen to the show would becool.
Jonathan Hall (26:46):
Speaking of analytics, I I can hop over to
YouTube and see who watches uson YouTube at least.
Shay Nehmad (26:50):
Oh, that would be cool. Why don't you do that
while I tell, the nice listenersabout how we are actually
sponsored? Because we're notsponsored by Blockbuster. We're
not sponsored by anyone. Thisshow is self supported with the
beautiful Patreon members.
If you want to join and kick afew bucks a month our way, that
would be cool. We're not makingany money off the show. Trust
us. We're we do have to pay for,like, hosting fees and editing
(27:13):
fees just to make this show,sound nice and be transmitted
all over the world. So thathelps cover that.
While mentioning Patreon, thanksto our new member, Jose d s, for
joining Patreon. Thank you.Thank you. Thank you. Obviously,
all the old patrons as well.
You're just so cool. You know,you're you're already part of
the, thing. I don't have tomention your name. For that link
(27:34):
and many others, go tocupago.dev where you can find
links to our Slack channel. It'son the go for Slack, so if
you're already there, you canjust look up cupago.
And if you're not into all that,you can email us at
news@capago.dev. That isnews@capago.dev. I always say
you can email us. That addressactually just goes to Jonathan.
Jonathan Hall (27:52):
Yeah. But, yeah. That goes to me.
Shay Nehmad (27:54):
But he lets me know when things, go through. Yeah.
You can also find links in thesite to past episodes with all
the transcripts, all our socialmedia links, less than go
release our offers, but they arethere. I don't think we have
Blue Sky, Mastodon, and allthat.
Jonathan Hall (28:11):
We have we have Mastodon. Do we? We have.
Shay Nehmad (28:14):
I'm not on Mastodon, so I wouldn't have.
Jonathan Hall (28:15):
We have LinkedIn. We had Twitter, but I closed my
Twitter account, and that likelyclosed our CupidGo account too.
I'm not sure.
Shay Nehmad (28:21):
I think it's still it's still kicking.
Jonathan Hall (28:22):
It must still
Shay Nehmad (28:23):
We need to ask Elon, I guess. Yeah. And, you
know, we need to make sure thatour episode have right wing
enough titles so the algorithmpicks them up. That would be a
fun experiment. Maybe we canrelease an episode just named
Jordan Jordan Peterson, AlexJones.
What are their contributions tothe Go language? Also, what
(28:44):
happens when you put the January6th, date into the Go lang date
format? That's probably gonnaget picked up. Or alien it or a
left wing listeners. Anyway
Jonathan Hall (28:56):
Some of our listeners have just sworn us off
now. I don't know whichdirection they're leaning
politically, but they're nolonger listening. For sure.
Alright.
Shay Nehmad (29:04):
Also, if you wanna support us and you don't wanna
support us financially, that'stotally fine. You can leave a
review, or share this show.Setting like, spreading the word
about the show is the only wayit gets around. We don't pay for
advertising. So leaving a reviewon the whatever app you're using
to listen to this whether it'sSpotify or Apple Podcasts or
whatever or just sharing theshow in your jobs like Slack
(29:27):
channel being, like, hey.
I heard on this show, linked tothis show, that we have to do a
super crazy update on Monday. Dowe use g log anywhere? Does
anybody know? You could soundsuper smart and also send some
other super smart people ourway. That'd be really cool.
So Lieutenant Data, how's theYouTube, research going?
Jonathan Hall (29:45):
Yeah. So not great. What I learned about our
listeners on YouTube is that54.9% of them are subscribed to
our channel.
Shay Nehmad (29:53):
That sounds good.
Jonathan Hall (29:54):
When I go to the age and gender, tab, it says not
enough demographic data to showthis, report. So no idea.
Shay Nehmad (30:02):
Alright. Isn't 50% really good?
Jonathan Hall (30:04):
I guess so. We we we seem to have a 164
subscribers.
Shay Nehmad (30:09):
Oh, that's cool. That's cool. Well, if you use
YouTube
Jonathan Hall (30:13):
Oh, no. I'm wrong. We have 366 subscribers.
Shay Nehmad (30:16):
That's still cool. Well, I guess if you use YouTube
Music for your podcast. Right?Then you would find podcasts
there.
Jonathan Hall (30:22):
Anyway, thanks for listening on YouTube, if if
that's you.
Shay Nehmad (30:25):
Yeah. Thanks for listening, in general,
everybody. That's all the normalthings we have to say. Go click
on all the links we told you toand leave a rating and do all
the things. Thank you.
So, Jonathan, do you write Gotests? Yes. I do. Usually, when
(30:49):
you write your tests, at somepoint, you wanna assert that the
thing you got from the functionis the thing you want. Right?
Jonathan Hall (30:57):
Mhmm.
Shay Nehmad (30:58):
How do you write that?
Jonathan Hall (30:59):
Depends on what I'm testing. I know where you're
going with this because I Ilooked at the the post. Mhmm. I
guess I can just TLDR. I alreadydo the thing he suggests.
Shay Nehmad (31:10):
So Michael Lynch has a blog post that sort of
kicked off a really, reallyReddit ish thread of people,
like, bike shedding about how towrite tests. The TLDR of what
he's saying is, don't use anythird party library for
assertions like testify or is orany of these, libraries. Rather,
write if like go has this thingwhere you have an if then an
(31:35):
expression then a semicolon andthen the condition. Right? The
binary condition.
Right. This creates a scope sowhatever you define in the
expression is only for that ifand then you can reuse the
variable name and maybe moreimportantly, you can't use that
variable outside of the scope ofthe if. Right? So what he's
(31:55):
saying is do if got, want andthen pass, the 2 things you
wanna assert, right, semicolon,and then got is not want. Right?
And then you always use thewords got and want all over in
your test. You can copy pastethis pattern any anywhere, and
you just put the actualunexpected value and maybe
(32:18):
change the the t dot failed fmessage inside. And he says it's
easy to copy paste and makes theassertions look really different
from actual code because this isa pretty weird like, I've never
seen if got, comma, want. MaybeI I saw it like once or twice
but definitely not not as apattern And, yeah, just gives a
(32:39):
lot of examples in the blogpost. The blog post itself, very
good, but I don't super lovethis, how it looks.
So I I would love to debate thiswith you.
Jonathan Hall (32:49):
So the one nitpick I have is I always like
my want before my god, andthere's two reasons for that.
One is I think it's morereadable. Using this pattern, if
your if your expression for yourgod is of inconsistent length,
then you have to sort of scandifferent parts of the line to
find what your want actually is.So I like to have the want first
for that reason. I think it'svisually easier to put that
(33:10):
first.
Shay Nehmad (33:11):
I actually before you move on, I actually do that
as well, but for a totallydifferent reason. Okay. It's
because in when I learned c plusplus like in 2012, I read the
twin effective c plus plus andit says always in ifs put the
constant on the left because youcan accidentally do if a equals
(33:31):
b, 0, not a equals equals 0.Yeah. So that's sort of got
ingrained into my, like, musclememory, and I do it in every
language, even in Go where,like, it it can't happen.
Right?
Jonathan Hall (33:43):
I also do that just because it feels right, and
I never knew why it felt right.But that's it probably goes back
to learning it for those reasonswithout realizing that those are
the reasons.
Shay Nehmad (33:52):
Yeah. That's like, just the cultural DNA of, people
who started in, old language.Anyway, so that's the first
reason. Yeah.
Jonathan Hall (34:00):
The second reason I prefer want first is when I'm
using a tool like cmp.diff. Ithink the diff is easier to read
if the expected value is firstand the actual value is second
because then I know that plusesare extra or different and
minuses are things that aremissing. Flipping that around to
some people, I guess, maybe likeit the other way, but I feel
like it's just less intuitive toread a diff where minus means
(34:21):
that should not be there. Yeah.So that's the other reason.
Shay Nehmad (34:26):
So the reason I don't like this, and this might
be slightly controversial, is Iknow Go is a simple language and
you shouldn't use something thatisn't standard library for
things, but, honestly, testifyis great.
Jonathan Hall (34:42):
I think testify is so bad.
Shay Nehmad (34:44):
Or or any testify ish, library that just gives you
assert equal, nil, is error,expect error, like, all these,
you know, require and all thesesort of testing niceties that
are just a very, very simple APIthat looks really, really good.
Is equal, is true, is nowhere,is fail. Yeah.
Jonathan Hall (35:07):
I I disagree with most of that.
Shay Nehmad (35:09):
Like, you don't think it looks good? Or I don't
Jonathan Hall (35:11):
think it looks good. I think it's hard to read.
And and there's 2 parts of that.First, the testify API is
inconsistent, and that's what Ihate most about testify. Like,
in some cases, the want comesfirst.
Like, it's it's usually alwayswant is first, but sometimes
it's want the second or some Idon't remember. It's been a long
time since I looked at this. Sothere's a few inconsistencies,
and I and I think the currentmaintainers has acknowledged
(35:31):
that but won't change it becausethey don't wanna bother with v
2. And, you know, I respectthat. But more important, if
it's a simple one, it's like ifassert.
Equals, that's simple enough.It's easy to understand. But
it's also really easy just towrite if god equals want. You
know, it it doesn't really buyany readability. And then when
you get when you get to thebigger, longer ones, you know,
(35:54):
assert contains like orsomething like that, then I
don't even know what it's doing.
And I have to actually go eitherread the documentation or read
the code to understand what it'sdoing in the 1st place when I
get some weird error. I'd ratherjust look at Go code. I don't
want to have to go have to Iwant that assertion directly in
my code, so I know what'shappening. I don't want to have
to go read out the codesomewhere else. So I've I've
never found a case where I wantto search the library and go, I
(36:17):
often remove it when I'm workingon a project where I have that
that sort of power.
Shay Nehmad (36:21):
There's a comment here on Reddit that I I really
liked where someone said I like,basically, my opinion. Right? I
don't like this style as afterhundreds of assertions, this
starts to get very verbose andrepetitive. Is and go CMP mostly
does fine for me. An assertionshouldn't take more than one
line in my opinion.
That's crowdy river on, on,Reddit. That's an okay ish
(36:46):
opinion. Right? That's basicallywhat I'm saying. The response
here is just so Reddit.
It's incredible. Classic doublething. This is my Redditor
voice. Right? In my imagination,I'm like taking off my fedora.
Right? Classic double thing.Gophers in regular code. The
verbose it is worth it becauseblah blah blah. Gophers in test
code, we need DSLs that reinventthe language poorly like
(37:09):
testify.
Now I'd I'm not trying to paintyou into the Reddit or, it's
just the the way you phrased it.A person needs to go touch grass
for a second.
Jonathan Hall (37:21):
My response to to that would actually be more
nuanced. That is if the testsare too repetitive or difficult
to read, then they need to berefactored just as normal code
that's too repetitive or toodifficult to read needs to be
refactored. So tests or codetreat them as such, and then I
don't think you need theassertion libraries anymore
either.
Shay Nehmad (37:37):
Yeah. The only thing I think you would use is
cmp equal for structured data.Right? Because you don't want
Yeah.
Jonathan Hall (37:42):
I use cmp diff for for structured data usually.
Yeah. And I also don'tunderstand this assertion
shouldn't take more than oneline. I I guess that just they
don't like the three lines of ifx equals y, then t dot fatal,
that they feel like there's toomany lines.
Shay Nehmad (37:55):
Yeah. That it's I think it's a reasonable thing to
say, I'm gonna write a a 100tests, and each test is gonna
have 10 assertions, in the next,like, year, making it shorter
and easier to read, in myopinion, or in this personal
opinion is interesting. I likethat. I like the justifications
that people come up with inthis, thread. Like, Google uses
(38:19):
this, like, sort of, you know,going to Google code as
authority, maybe.
But I I I'll just say to sort ofround on my opinion is that,
yes, testify is annoying becauseof the fact that's the things
are not aligned. Right?Sometimes it's got one,
(38:40):
sometimes it's one got. That'sreally annoying. There are
others.
I think there's is, which isnice. But, generally, you know,
the style guide is let's not doassertion libraries, because it
just causes less useful, youknow, failure messages,
etcetera, etcetera. And,generally, the the Google style
(39:04):
guide says that they do not usethey do not provide useful
failure messages in the contextbecause you have, like, the the
stack of assert.nil or whateverin the in the call stack or in
the result. So they're basicallysaying write your tests, write
your assertions yourself. Don'tdon't bring in assertion
(39:26):
library.
You're sort of sharing youropinion, I guess.
Jonathan Hall (39:29):
So you you made a point about, readability, which
reminds me of a conversation Ihad on LinkedIn, of all places,
recently, about codereadability. And you you said
that you like the the shorterassertions for for greater
readability. Of course,readability is a very subjective
concept. If you're fluent withtestify, then many of those
(39:52):
assertions will be readable toyou. If you're fluent with is or
with, JUnit or whatever, youknow, then you'll you're gonna
find those certain idioms to bereadable.
I think that the most readablefor most people, which is which
is what the conversation wasabout on LinkedIn, is that, you
know, the the reason I prefer Goisn't, the reason we were
(40:13):
talking specifically about theverbosity of error handling in
Go on this thread. I said, youknow, I I like the verbosity of
error handling in Go becauseit's more readable for more
people. You know, it's it'spretty clear exactly what's
going on to anybody who who hasthe the basic understanding of
any programming language. That'snot to say that it's the most
readable for everybody. Youknow, once you're fluent in Go,
(40:34):
then something else like Rust'squestion mark, syntax might be
more readable for you, butthat's not more readable for
everybody.
And so I think it's a similarargument here. Certainly,
assert.equal or whatever mightbe more readable for certain
people, but it's going to be, ifyou're trying to appeal to the
masses, so to speak, or toeverybody, the standard library
is gonna be the most readable, Ibelieve, in the vast majority of
(40:57):
cases. And that and that's notto say that you should appeal
try to appeal to everybody. Youknow, if your team is is
completely content with usyou'll testify or whatever, and
you all find it readable andyou're happy to onboard new
developers to to that standard,of course, you know, that's your
choice. So I'm not trying tomake a judgment call.
I'm just trying to trying toexplain my view on that.
Shay Nehmad (41:15):
Yeah. The the author actually responded here
and said he understands bothperspective perspectives, and
it's a close call. So I thinkthat's, like, the best way to
summarize this discussion.Doesn't super matter. Like, at
the end of the day, there arethings in, like, about test
(41:35):
cleanliness that are way, way,way more important.
Like, how do you set up yourdata, and do you have shared
variables, and, like, thesesorts of things. Is your test
flaky is a 100 times moreimportant than this, like, new
pattern. I think the title is abit clickbaity which is why
people got, angry about it. Asimple way to write better Go
(41:58):
tests and then people are like,wait, better than my tests? But,
yeah, I think, like, Michael'sopinion here is wholly valid.
Although, I might be lazy andreach to testify again, next
time I have to do a thing.
Jonathan Hall (42:15):
Alright. Cool. Cool. Cool.
Shay Nehmad (42:18):
So And write tests.
Jonathan Hall (42:21):
I think that's the conclusion. Right? Write
your tests.
Shay Nehmad (42:23):
Definitely write them. Don't don't have AI write
them. That would be crazy.
Jonathan Hall (42:30):
Speaking of AI, I found great success having
Copilot rewrite my tests, from,one framework to another. We had
a bunch of tests written inConvey, which I think is
terrible. It's much it's muchmore than a search library. It
tries to, like, take overeverything about your test. It
does BDD or something.
Right? It's it's I think it'snot even that. Like, maybe they
tries to, but I don't know. It'sweird. But I I used it.
(42:50):
I I had been, like, slowlyhammering away at converting
convey test to standard standardtest. One is and I can see if
Copilot can help you with this.I I knocked out probably 200,
200 tests, in in an afternoon.So so switched over. It was felt
so much better.
Shay Nehmad (43:08):
Cool. Well, I guess I know what you're answering
about using AI in the nextsurvey. Lowering the usage of
third party libraries andsubscribing to the standard
library. There we go. I'm surethey'll like that answer there
in the Go team.
Jonathan Hall (43:26):
I think that's a show.
Shay Nehmad (43:27):
Thank you for listening, everybody. Program
exited. Bye bye.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com