Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jonathan Hall (00:00):
This show was
supported by you, Artisaner.
Stick around to live for the news to hear some more about
that. This is Cup o' Go for Friday, 04/04/2025. Keep up to
date with the important happenings in the Go community
(00:21):
in about fifteen minutes or sometimes more every week. I'm
Jonathan Hall.
Shay Nehmad (00:25):
And I'm Shay
Nehmad.
Jonathan Hall (00:26):
Hey, Shay. How
are you settling in?
Shay Nehmad (00:28):
I've upgraded half
of my projects to golangci-lint
v2. That's what you're asking about. Right? Not like me moving
countries.
Jonathan Hall (00:35):
Was the the only
important thing I had in mind.
Shay Nehmad (00:38):
There are two
migrations in my life. golangci-lint
configuration files and moving to the US. No, man. The
US is crazy. I I wanted to apply for an apartment, so I have to
pay a fee.
What the hell?
Jonathan Hall (00:50):
An application
fee. Yeah. Yeah. Because they
probably run a credit check that will always that will definitely
return nothing since you don't have a credit history here.
Shay Nehmad (00:57):
Yes. Don't. Well, I
actually have one month of
credit already. Okay. But it's just been like dealing with all
these.
Like, I'm the first person who ever came to the US. Like,
everybody was born here and they just don't know how to deal with
someone who migrates from the outside. Even though I'm in San
Jose where like 80% of the people, you know, look not
(01:17):
American, let's say it like this. Right. Right.
So yeah, I had to run a lot of checks and I had to get by a lot
of weird internet forms, which is why I'm very happy to discuss
this first vulnerability because it might have helped me get
through Social Security or the Mazda credit check Internet form
(01:38):
or whatever. Go 1.24.2 and Go 1.23.8 are released. It's a minor
point release with one security fix in the net/http
package. Not telling you anything. What do you think it's
gonna be?
Jonathan Hall (01:54):
I I I don't know,
but it's gotta be something with
malformed requests that can do nasty things. I don't know.
Shay Nehmad (01:59):
That is true.
Jonathan Hall (02:01):
Because that's
always what it is.
Shay Nehmad (02:02):
As as long term
listeners of the show know,
Jonathan uses Linux. One of the things you have to get used to
like, are many differences between Windows and Linux. Can
you point out like a few of them, just the top of your head?
Jonathan Hall (02:15):
Well, let's see.
One of them works and one of
them doesn't. I can't remember which one's which, but.
Shay Nehmad (02:20):
Oh my God. Well,
let's just look at Bill Gates'
net worth and Linus and compare.
Jonathan Hall (02:27):
Yeah. Works is
the fuzzy term, right? Works for
what purpose?
Shay Nehmad (02:31):
No, but seriously,
technical differences.
Jonathan Hall (02:33):
Technical
differences. There's quite a
few, although they seem to be getting narrower these days. I
don't know. I don't know what you're looking at looking for.
One's open source, one isn't.
That's maybe a big difference.
Shay Nehmad (02:45):
Right. One open
source wasn't. If you let's say
if you work with a Windows developer on the same project
development, what's
Jonathan Hall (02:51):
one thing that
always trips you up? They're
always complaining about how my configuration doesn't work for
them. And I'm like, go figure it out or use a real operating
system. It's up to you, dude.
Shay Nehmad (02:59):
That's nice. So,
yeah, line ending because that
was what I was aiming towards. Maybe you don't even remember
you've been on Linux for so long, but CRLF versus LF. This
is like so archaic. Whenever I remember this is a thing, I just
like I can't stop laughing.
But CR is carriage return, which is if you have a typewriter,
(03:20):
it's the and the LF is the line, like line feed, the new line,
which is like the ding on the typewriter. Right? Right.
Anyway, Windows is CRLF for a new line. Like the cursor goes
one of the line down sorry, it goes to the beginning of the
line and then goes one line down.
(03:42):
That's how Windows represents a new line.
Jonathan Hall (03:44):
Which I'll I'll
say after all the way, but this
recent bad math thing of Windows, conceptually, that
makes more sense to me than just the CR ending.
Shay Nehmad (03:51):
Then just the LF
ending, mean?
Jonathan Hall (03:53):
Or LF, yeah.
Because they are two different
things, right? Go to the beginning and go down. In my
mind, Windows makes more sense, even though it's annoying since
it's the outlier. If everybody did that, I wouldn't mind.
Shay Nehmad (04:03):
The problem is it's
not universal. Like if this was
how humanity decided to represent a new line in a text
file, nobody would have a problem. But in Unix and Linux
and all that, a new line is just line feed without the carriage
return. It's just one character, which caused unending suffering,
(04:25):
on the world, and probably lowered the total GDP by who
knows how how much. Now you have that theming in mind and you
know the vulnerabilities in the HTTP package, right?
Yeah. Try to come up with where new lines.
Jonathan Hall (04:42):
So it's got to be
something that misinterprets one
of those treats new lines or line feeds as a continuation of
a line, I'm guessing.
Shay Nehmad (04:50):
So actually it's
the other way around. In HTTP,
you shouldn't use just a bare LF as a new line. Right? Sometimes
Go rejects it, but, sometimes it accepts
Jonathan Hall (05:04):
So so Go so the
HTTP spec agrees with Windows is
what you're saying?
Shay Nehmad (05:09):
I think so. Okay.
The line terminator.
Jonathan Hall (05:13):
That seems to
make sense to me. I think I
remember that.
Shay Nehmad (05:15):
There's there's an
errata for an RFC, so it actually
messed up the HTTP RFC as well where people were, like, asking
that the line terminator should be just LF and ignore any
preceding CR. But actually, HTTP, wants to only use CRLF, and
the difference is intentional, blah blah blah. So in one
(05:36):
specific case where you get chunks of data like chunk data
lines, Go rejects bare LFs, but accepts them in the chunk size.
And then there's a super this is just a bug. It's not a security
issue yet.
But if your proxy accepts LF and your server accepts if your
(05:57):
proxy is the Go server and therefore accepts this LF as a
new request, and then your, server is a different
implementation that, doesn't, you could smuggle requests. You
could send a single HTTP request and then smuggle it as two, like
smuggle like one in the trunk in between these LFL lines because
(06:19):
a new line in HTTP, that what it means, which is a super cool
vulnerability in my opinion, because it's very
understandable. And the fix is also very simple, just reject
bare LFs and chunk data lines. So I like it. You should obviously
upgrade, like other than learning about this.
Jonathan Hall (06:36):
But it only
affects you if you're running a
Go proxy HTTP server. Is that correct?
Shay Nehmad (06:41):
You should upgrade
anyways, right? Of It's a minor
patch release.
Jonathan Hall (06:44):
It's always fun
Shay Nehmad (06:44):
to upgrade.
Jonathan Hall (06:44):
It makes you look
like you're on top of things,
even if it doesn't affect you. At least that's why I upgrade
all the time.
Shay Nehmad (06:51):
I've been super
happy with Dependabot lately.
I've started using Dependabot for automatic upgrades in our
repos, and it's been doing a pretty good job, like knowing
when to open a PR, knowing when it's safe, etcetera.
Jonathan Hall (07:01):
Dependabot broke
our go.mod file recently. Oh.
Yeah. Mean, it didn't break it.
It removed the line feed that go mod verify wanted to put back.
So it broke our CI because our CI runs go mod verify to make
sure that somebody didn't forget to run go mod
Shay Nehmad (07:18):
New lines, new
lines everywhere. Yeah. Yeah.
New lines, new lines. I don't care.
So, in one funny, comment, about this issue that I just have to
put in, even though it's not super important, is that while
explaining it, the author mistaken LF to CF as well. So
(07:40):
even while describing the vulnerability, they they messed
up CR and LF. That's how
Jonathan Hall (07:49):
confusing it You
just said this is easy to
understand. At one level, that's true. I'm like, I have no idea
exactly what the problem is. Like, is is it CL or R? Which
one which one's missing or which one shouldn't be?
Shay Nehmad (08:00):
So there isn't CL.
Yeah. Right? There's CR and L.
CL.
Jonathan Hall (08:04):
CL is not a
thing. I can tell
Shay Nehmad (08:07):
you that for a
fact.
Jonathan Hall (08:09):
Caret C. Line
reserve.
Shay Nehmad (08:11):
Cool. So you have a
new vulnerability discovered and
fixed, go fix it. And if you're dealing anywhere with, new lines
as a separator, you should probably think again. New line
is not a good separator. What do you have?
Jonathan Hall (08:27):
Yeah. Let's talk
about something that, I don't
think it's quite as, intricate in terms of like which of two
things do you have to admit or not. But we have a proposal
that's been accepted. I think it's a good one. Structured
output for test attributes.
So I don't know. Often do you run your Go test suite?
Shay Nehmad (08:47):
I run my test suite
like 20 times at the end of
every feature because I'm at the end and then I run the test
once, it helps me find all the problems. Then I repeatedly run
the test until I fix all of them, especially if I did TDD.
So like, I don't know, between five and twenty five times for
every chunk of work. So maybe 100 a day. I don't know.
Jonathan Hall (09:11):
And how do you
feel about the output you get?
And I know you use I can't remember the name of the tool,
you use a tool that reformats your outputs. This might not
Shay Nehmad (09:18):
be I used to use
gotestsum.
Jonathan Hall (09:20):
That one.
Shay Nehmad (09:21):
I like it. It does
like little dots, but honestly,
I just use I normally use a VS Code, like the internal
test explorer because that's pretty good. You can play and
you can debug and like it it works for me. But at the first
run first go around, I I use, you know, the gotestsum. One
thing that, I've always wanted to do better is to have better
(09:44):
results in CI.
Because I imagine like the CI could be super beautiful, show
me what lines the problem, etcetera, etcetera. But I always
end up just reading a huge blech of like log output.
Jonathan Hall (09:55):
So anyway, this
will help you with that. The
basic thing is that it's outputting additional attribute
data with, or optionally will output additional attribute data
if you do go test -json, which can then be interpreted by tools
in CI, for example, to colorify and reformat your output to be
friendlier. So this is a nice little screenshot on the issue.
(10:18):
It shows the standard output that you just get from go test
and it's fine, but it's
Shay Nehmad (10:24):
pretty ugly.
Jonathan Hall (10:25):
Pretty ugly. At
least by default it hides
passing tests. So at least, you know, the output is failures.
Shay Nehmad (10:36):
To me that's even
worse because I don't know if I
remembered to uncomment like atest that I may have commented
out. Like I like seeing all the tests running.
Jonathan Hall (10:46):
Yeah, that's
fair. So anyway, the new output,
it shows the passing tests in green and the failing ones in
red and they're all collapsible. Of course, in like, I think this
is GitHub actions you're showing a screenshot of. So it's not
that your terminal is suddenly going to show collapsible text,
but it's example of what can be done with this new metadata that
will be output. So I think that's kind of cool.
(11:07):
Think it'll make
Shay Nehmad (11:07):
it little easier.
Like, you could add some
metadata to test. You know, if you analyze the failing test,
you could look at the metadata and see, oh, it failed on that
user ID or that request ID or, like, source code information
and things like that. Right? I'm wondering who's like this is
super cool, but I'm wondering who's like the consumer.
(11:29):
And also, why are there so many comments on this issue?
Jonathan Hall (11:33):
So, yeah, there
there is a lot of discussion on
the issue. It's kind of interesting in the sort of
academic sense. I'm not going to bother our listeners with it,
but if you really care, go read it. It's about a hundred
comments and links to other issues. One of those I'll call
out though, since you've mentioned Shay that you use
gotestsum or have in the past, this will integrate very nicely
with gotestsum.
(11:53):
So this is not a replacement for gotestsum, but it will enhance
gotestsum by providing additional data to it. So it can
take advantage of that and even improve its outputs further.
Shay Nehmad (12:06):
Oh, I I can just,
highly recommend, gotestsum and
it's a big shout out to Daniel Nephin, which I think was like
our second interviewee on the show ever or something. Yeah.
Okay.
Daniel Nephin (12:18):
Yeah. So
gotestsum is a tool for running
tests, and it doesn't try to replace all of what go test
already does. go test already does a lot of great stuff. What
it tries to be is a layer on top with a few extra features that
some people might might want. So it uses in Go 1.10.
They added a -json flag to the go test, command.
Jonathan Hall (12:43):
All right. Let's
talk about a couple of meetups
that are coming up. The firstone, April seventeen in
Birmingham. I'm gonna I'm likely gonna be in Birmingham, but not
then. I'm I'll be there in June.
If you have another meetup in June, let me know. I'd love to
come hang out with you guys. But anyway, April 17 in Birmingham.
Birmingham, UK, not Birmingham,
Shay Nehmad (13:03):
Alabama, right?
Jonathan Hall (13:04):
Birmingham, UK.
They'll be talking about
quantifying your reliance on open source software. That's
Jimmy Tanner, friend of the show, will be speaking about
that. Paul Dragunis will be talking about CI and CD,
building composable pipelines with Dagger. And I'm sure
everybody will be talking about all sorts of other fun things,
whether having drinks or snacks or whatever other sort of
(13:25):
refreshments they have there.
So check that out if you're in the area. Second, also in the
UK, not in Alabama, the Manchester Gophers have a new
website, ManchesterGophers.com. So if you're in Manchester, go
check out the website. They have some information there about the
organizers. You can see photos of the handsome guys who run
that.
They have a hall of fame.
Shay Nehmad (13:47):
And they have a
three d gopher spinning around.
Jonathan Hall (13:49):
The three d
gopher, yes. Looks like it came
from like a Nintendo sixty four era.
Shay Nehmad (13:54):
Love those
polygons. You work those
polygons, bro.
Jonathan Hall (13:58):
Yeah. So if you
have a meetup coming up, let us
know. Send us an email. Find us on Slack. Let us know about it.
We'll be happy to mention it on the show for you as well.
Shay Nehmad (14:06):
Okay. So I would
like to mention a meetup so you
could mention it on the show.
Jonathan Hall (14:10):
Yeah. Should I
tell him about the meetup you'd
like to mention on the show?
Shay Nehmad (14:13):
So it's still like,
I'm not 100% sure how it goes
because I opened the event and I tried to reach out to the Go SF
people. Anybody knows them, Travis Reeder or Francesc Campoy.
If you know them, please reach out to them. There is a Go
meetup in San Francisco where at least two people are gonna go.
That sounds exciting.
(14:33):
Me and Andy. Andy from Fine. Yeah. Wednesday, May 28, which
is like a month and a half from now. Everything is to be
announced and I would appreciate any help I could get because I'm
not from here and I'm somehow got roped up into arranging
this.
Jonathan Hall (14:51):
Now is this gonna
be is this intended to be a full
fledged meetup, like speakers and everything, this is just
like casual go drinks?
Shay Nehmad (14:56):
This is intended to
be a full fledged meetup in
which we are gonna have fifteen minutes of like schmoozing, 45
of a live podcast recording where we're gonna do the Cup o'
Go episode like that day with you online, and with who
whomever is gonna join, then a brief break and then a talk
that's to be determined. The talk is open. Like, worst case,
(15:17):
we're gonna have Josh do something, like teach us about
something cool or show off his project. But if you actually
have a talk, especially if you haven't hosted this show before
like Andy or Josh, that would be super cool. But yeah, it's me,
Andy and Josh probably.
And I assume as the event rolls up, more people will want to
join. So it's organized by me personally, but I would love for
(15:39):
like some go group here in the Bay Area or San Francisco or
whatever. If you know these people, please connect us. And
also if you have an office in San Francisco, that would be
cool. Otherwise, I'm going to have to like grab a WeWork room
and that's going to cost me credits.
And I don't want to spend the credits because I need them to
review people, to like interview people. But yeah, yeah, it's
(16:01):
Wednesday, May 28 in San Francisco, location to be
determined, 5PM until 7PM Pacific time.
Jonathan Hall (16:10):
Alright. So let's
go back.
Shay Nehmad (16:13):
No. No.
Jonathan Hall (16:14):
I think we should
go back. No. No. I really think
we should go back.
Shay Nehmad (16:19):
No. Because I have
traversal-resistant file APIs. All
right. This is something in Go 1.24 that we've been meaning to
talk about and just didn't get the time. But it's another
security feature that's baked into Go, which I love.
My wife's been learning for the certified bug bounty hunter
(16:42):
certification over at Hack the Box. So, you know, every evening
conversation is like, oh, I did this attack. I did a file
inclusion attack. I did a blah blah attack. One of them is,
path traversal attacks.
Just in case our listeners don't know or haven't heard of it
before, what are path traversal attacks, Jonathan? There's a
couple of
Jonathan Hall (17:01):
different
varieties, I guess. I'm not an
expert on this, but they can involve symlinks, I suppose. But
they basically involve shenanigans with interpreted
portions of a file path, likedot dot, for example,
Shay Nehmad (17:14):
or dot. So dot dot,
like go back, which is
Jonathan Hall (17:17):
why they Yeah,
right.
Shay Nehmad (17:18):
If you didn't get
the joke, now you're probably
laughing, right? After I explained.
Jonathan Hall (17:22):
Yeah, because
it's always funnier after it's
explained.
Shay Nehmad (17:25):
Yeah. So basically
the whole gist of it is you
shouldn't give untrusted sources access to file paths you didn't
mean to, right? If you open a directory, 90% of the time you
just want your program to operate under that directory and
nowhere else. You don't want to allow, the software to access,
(17:46):
other directories on your machine, especially if it's a
web server. Right?
You can try to sanitize paths and that is considered like the
best practice, I guess. Right? Just look if you have a dot dot
in the path and if so, reject it, whatever. I think back in Go
1.20, there is like filepath.IsLocal, which could
(18:07):
help you understand if it's like doesn't escape or if it's not an
absolute path or empty or is not a reserved name, by the way,
talking on Windows, like if you use COM1, it's like a
reserved FAT for devices and things like that.
Jonathan Hall (18:22):
Devices that
nobody uses anymore.
Shay Nehmad (18:24):
Well, I'm sure
attackers do, right? Of course.
If you look at recent shell codes, I'm sure they have like
COM1 and all these LPT2. Beautiful things. However,
that's not really enough.
Like, there are many, many things you can do with like
symlinks, like you said, a ton of other stuff. In Go 1.24,
(18:47):
there's a new API in the os package that allows you to
safely open a file in a totally traversal-resistant fashion. So
instead of worrying about all these edge cases, you just need
to use OpenRoot, os.OpenRoot, and it just basically solves
everything for you. You get a file system that is in
traversable, like you can't escape outside of it, but the
(19:10):
path you give it is directory within your machine.
Jonathan Hall (19:15):
Does it
accomplish that? Does it just do
all these things behind the scenes or does it have some OS
level magic that makes that unnecessary?
Shay Nehmad (19:23):
So it depends on
the platform. So it definitely
has to be OS specific. So for example, if your GOOS is
Windows, file names may not reference NUL and COM1 and
other reserved device names. And in JavaScript, it's still
vulnerable to time of check, time of use stuff in symlink
(19:45):
validation. And it basically says even in, with os.Root,
I'm not promising anything.
And with Plan 9, which I don't even know what operation
like operating system that is, it doesn't track directories. So
it's, like, OS specific. It basically protects against these
ones specifically. Like, every OS has its specific, like,
(20:08):
weirdness, which is just a reality.
Jonathan Hall (20:11):
Right.
Shay Nehmad (20:12):
And in most
platforms, it like opens a file
descriptor referencing the directory. And if the directory
is moved, it keeps that handle. So even if you try to move the
directory, you can't escape from it like outside, which is pretty
smart. And it simply doesn't prohibit it. It like doesn't
(20:33):
allow you to follow symbolic links outside the root.
So you can do symlinks inside that file system, but not
outside.
Jonathan Hall (20:40):
So you can still
use symlinks and you can still
use like dot dot slash within that that that root.
Shay Nehmad (20:45):
Yeah. Which is
super nice and useful for you as
a developer and just sort of does it for you. I assume if you
open the code, find like a rat's nest of, stuff. And actually, Go
code is pretty easy to read, so I might just do that. But I
haven't.
I haven't read the code because I sorta I assume it's gonna be
fine. It has a similar ish set of operations to file system, OS
(21:07):
file system. I don't think it's 100% compatible, but it's
compatible enough. You have Create, Open, OpenFile, Remove,
Stat, like all the things you would need. And if you have an
untrusted file name, you can use os.OpenInRoot.
So you don't have to open root and then do open inside it. You
can just like usually what you want to do is read a file that
(21:27):
someone sent you over the web, the path to, right? Like a
profile picture, if an example of a super simplistic web
server. So you can just use os.OpenInRoot, and that
means that the untrusted file name, like, won't be able to
traverse, with tons of caveats. So if you're actually using
WebAssembly or JS or Plan 9 or, like, whatever, you're gonna
(21:51):
have to read through these caveats because not everything
is 100% on lockdown, but it should be fine.
Jonathan Hall (21:56):
Cool. I like it.
I'm gonna use it.
Shay Nehmad (21:59):
Yeah. More security
built into the the system,
that's great.
Jonathan Hall (22:04):
We have one more
news item here before we jump to
our break and then we have some lightning round items. So don't
skip, don't turn off the podcast after the break or before the
break. The last one here, this was a set of new changes to the
Go language, the standard library, a bunch of different
things. They were all announced just a few days ago. And these
(22:24):
will be really beneficial to those who are attending those
meetups we just talked about over in the UK.
Go has and also a little bit unusual. They announced these
changes on Reddit rather than on the official blog post. But the
changes are some new localization for our British
friends over there across the pond. The concern is that some
commands like go build might feel unnatural. They aren't the
(22:46):
way people speak.
So they've added go and build, a new and subcommand. They've
added some spelling variations. I know it's really painful for
our British friends to type c o l o r, so now they could do c o
l o u r if they're using any things like that that are built
into the standard library. Colloo. Colloo.
Shay Nehmad (23:09):
Wait. But how do
you if I wanna use color because
I I actually wanna use colorwith a u because my English
teacher in Israel was British.But let's say you you wanna use
the, US version. How can we bothuse the same one?
Jonathan Hall (23:23):
You'll have to
use an alias, I suppose.
Shay Nehmad (23:25):
So the new
directive is slash slash go
colon lang and then the language there.
Jonathan Hall (23:32):
Yeah. So you can
actually localize your
documentation. That's the point here, right? So you do you go
colon lang en for the sort of normalized English. That's
probably not the fair way to say that since the British came
first with English, but so then you could say something like
Acme Corp is a company, blah, blah, blah.
And then if you want to do the British version, could do go
(23:53):
colon lang, en-GB, Acme Corp are a company, which sounds
completely weird to my ears, but I understand that some people
prefer that. So when was this announced? Yeah, it came out on
April 1.
Shay Nehmad (24:04):
No kidding.
Jonathan Hall (24:05):
No kidding.
Shay Nehmad (24:06):
Yeah. It was the
one of the only April fools
pranks that I really liked. Yeah. Good one. Good one.
You almost got me. This person called Carnivoral. You almost
got me. I read it and I was like, wait, what?
Jonathan Hall (24:21):
If our show had
come out on April 1, we probably
would have done something a lot more elaborate ourselves, but it
didn't, so consider yourselves lucky.
Shay Nehmad (24:28):
Yeah. I love the
quality of life improvement,
import maths.
Jonathan Hall (24:33):
Yes. That's
that's the best one.
Shay Nehmad (24:36):
The top comment is
great as well. Right? I was
typing out a long post that I really, really disagree with
this. This is from SatanSprinter. Then I realized it was
April.
Side note, if this gets real, I stop using Go.
Jonathan Hall (24:48):
Alright. Stick
around. We have a few more
items, in our lightning round after a quick break.
Shay Nehmad (25:02):
Welcome to Adbreak.
First of all, we wanna say
thanks to our Patreon supporters. This show is a fun
hobby that Jonathan and I do to learn about Go and, like, stay
on top of things. Otherwise, how would we know about, collure? Do
you know that SNL sketch where she says collure, collure?
I'll dig it up for you. It's really funny. Anyway, but it's
(25:25):
expensive. It takes up our time and we pay for hosting fees,
editing fees, apparently apartment submission application
fees, although that doesn't come from the Cup o' Go fund. But fees,
fees everywhere.
And the best way to support the show and keep it alive is to go
to Patreon and support us. You can chip in for $8 a month and
(25:48):
we would really, really appreciate it. It's just a super
direct support. We wanna say hi to our new paid member, Jess
Brisson. I hope I'm saying that correctly.
Jonathan Hall (25:56):
Thanks Jess.
Shay Nehmad (25:57):
Thanks Jess. We
really, really appreciate it.
Our little community here is is growing. I really, really like
it. I like seeing, like, how people support and, retain,
their support as well.
This is super, super appreciated with 38 people in the Patreon,
not all of them paying, but still showing their support. It
(26:20):
really helps like make a dent into these fees, which is nice.
We're still not, in the black though, so if you feel like
chipping in, we would really appreciate it. To find the link
to the Patreon and also our swag store and also our Slack channel
on the Gophers Slack, you can go to cupogo.dev. That is
cupogo.dev.
You can also email us, at news@cupogo.dev if all these
(26:43):
fancy schmancy new communication methods are not your thing. So
thanks again Jess and all the rest of the members. As you
probably noticed, we're on a new schedule. How do you like it,
Jonathan? It's like recording towards the end of the week.
Jonathan Hall (26:58):
Yeah, it's nice.
My Thursdays had started to get
full, so it was nice to move something to Friday. Although I
still haven't remembered, I made plans today, not interesting
plans, plans to get my car fixed. And then I remembered
that we had this, so I rescheduled that till Monday.
Not a big deal.
It's just not second nature for me yet.
Shay Nehmad (27:16):
So our recording
used to be really fun when we
were both in European time zones. Then there was a period
where you moved to the US, I stayed in Israel. That was rough
because I was like recording in the middle of the night and for
you it was early morning and we were both like a very different
energy. Now we're both back on the same time zone, but we moved
the recording to Fridays because I have the microphone in San
(27:37):
Jose, but on Thursdays I'm driving up to San Ramon to a
different office. So our episodes are gonna be Friday,
they're gonna come out like Friday or Saturday, depending on
like our editor schedule.
Jonathan Hall (27:49):
Yeah. He's still
in Italy, so
Shay Nehmad (27:52):
It's all wonky.
Jonathan Hall (27:54):
We're not asking
him to adjust his schedule to
accommodate ours.
Shay Nehmad (27:58):
Yeah. Our news
aren't that urgent, but let us
know. We could like move it around the week. So if you're
liking this like episode in the weekend, that's great. If not,
let us know.
It's a new schedule and we sort of wanna hear your opinions
about it. Finally, we mentioned it at the show, but there's a
chance to meet us. You can meet me in the San Francisco meetup
(28:18):
we're arranging. I'll put the link in the show notes.
Actually, that would be smart.
Right? So I'll I'll put it right here. So if you wanna meet us,
there are two places where you can do that, like in real life.
You can meet me in San Francisco in the Go meetup that, I'm
arranging, organizing apparently. Towards the back end
(28:38):
of the year, back end, you could meet, Jonathan at KubeCon
because it's the back end of the you know?
Like somewhere in October, November, there's gonna be
KubeCon, and Jonathan's gonna be there as well. That does it for
the ad break. One last thing we could ask you is to leave a
review advertise and the show's been growing only on
(29:01):
word-of-mouth. I haven't opened the analytics in a while, but my
CEO actually asked me, hey, what is the listenership for your
show? So I actually pulled up the analytics and we're like at
654 subscribers.
We had a big jump recently, with almost a thousand people
(29:21):
downloading every episode, which is insane. We appreciate it very
much. Like a thousand people listening to my voice right now.
Oh my god. Thank you so much.
Jonathan Hall (29:29):
Is it like, are
you nervous in front of people,
Shay Nehmad (29:32):
in front
Jonathan Hall (29:32):
of crowds?
Shay Nehmad (29:33):
No, I'm fine. Like,
I I have you to blame. Anything
that's wrong, it could be like, well, Jonathan's the actual
podcaster. This is just like my first podcast. I have a fall
guy.
You know what I mean? Got it. Right. So that's good. So if you
want to see these numbers growing like us, please leave a
review on Spotify or Apple Podcasts or like wherever you
(29:54):
listen to the podcast, and share the show with a friend or a
coworker.
Damn, Overcast just overtook Spotify, so I should change that
tagline on our staff. But, yeah, just share the show. We would
really, really appreciate it. Well, to the lightning round.
Jonathan Hall (30:10):
Lightning round.
Round. Yeah. So I guess I'll be
at KubeCon. I don't know.
I haven't bought my ticket yet. Whether I'm there or not, or
just hanging out for the after party or side party, whatever. I
have an item that's relevant to people who might wanna go to
Shay Nehmad (30:28):
the Sidecar.
Sidecar party. Yeah.
Jonathan Hall (30:30):
There we go. So
friend of the show, listener of
the show, David MDM shouted out a project that he's been working
on called Yoke. The documentation for Yoke says that
it is infrastructure as code for Kubernetes. It's a deployer, IAC
package deployer for Kubernetes. So if you're one of the kinds of
(30:51):
people who wants to go to KubeCon, this might be for you.
I haven't been using Kubernetes for a while. Are you using
Kubernetes, Shay?
Shay Nehmad (30:59):
Happily, no. I've
used it in the last two
companies. One unjustifyingly, like totally over engineered
from the start and in a real company that actually needed it.
And the one that's over engineered, we didn't need
Kubernetes anyway. We just sort of got roped into it.
But in the other one in Orca, like this looks like a pretty
good project. It makes a lot of sense. It's like Helm for, like,
(31:22):
packages in Kubernetes described as code, things like control
flow, test frameworks, typing, blah blah blah, all these
things. I would try it. But just remember, it's still not,
version one.
So it's like it could have breaking changes very early. If
this seems like the sort of things you you wanna jump on,
(31:43):
it's a good chance to jump on on it if you're working on
something similar or if you had like this particular problem.
But I wouldn't go with it like for your, you know, production
pipeline at the moment.
Jonathan Hall (31:54):
And to be clear,
works with Helm, this isn't like
a replacement or
Shay Nehmad (31:57):
or Yeah, yeah, of
course. It's Helm inspired, I
mean.
Jonathan Hall (32:00):
Yeah, yeah. Cool.
Yeah, I'm not using Kubernetes
either. Whenever I am again, I'll I'll have to give this a
look as well.
Shay Nehmad (32:06):
Hoping for you that
you won't have to. It's a bit
too complicated for-
Jonathan Hall (32:09):
I enjoy
Kubernetes, but it has it has to
fit the problem and it doesn't always.
Shay Nehmad (32:14):
I know, I'm not
Google at the moment. One thing
I wanted to shout out is Princess Beef Heavy Industries
has come out with a banger in February and somehow I missed
it. There's static mocking in Wiretap. If all the words I
said right now didn't make sense, go back and listen to our
interview with Dave Shanley about Princess Beef Heavy
(32:36):
Industries, but there's a tool called Wiretap. It's an API
tool that allows you to validate API requests, and responses that
make sure that's compliant with the schema and like a
development server so you can test APIs and some diagnostic to
debug API requests and responses.
And it's beeping awesome. It's really, really, really good. I
(32:58):
love this tool and it now has static mocking. So basically it
does what Wiremock does. So if you use Wiremock to like, you
know, put in responses, like test responses for your local
development servers, now you can just do it with Wiretap.
You get all the benefits of Wiretap and get rid of Wiremock,
just super great. There actually have been four minor releases
(33:21):
since then with a lot of fixes and and things like that. So
this is pretty stable at this point. I I just we just, like,
missed it on the on the backlog. But really, really cool release.
They keep them coming. You good, PlayStation? I had every
generation until five.
Jonathan Hall (33:41):
So you've had one
through four?
Shay Nehmad (33:43):
Yes. And one is the
best. But two was pretty good as
well.
Jonathan Hall (33:47):
Two was my first
one and I've had a three and I
had a four. I don't have any of them anymore. I got a Steam Deck
and gave away my PlayStation four before I left Europe. Nice.
But you can now run Go on the PlayStation two.
Shay Nehmad (34:00):
Timely.
Jonathan Hall (34:01):
Yes. This is
actually quite an interesting
blog post that's simply called Go Lang on the PlayStation two
by Ricardo. Don't know the last name. But he goes through the
challenge of getting Go to run on PS2, which is, it's not just
like, oh, this is a weird piece of hardware. It's like, Go
doesn't quite support the CPU architecture.
(34:22):
And there's just a lot of weird nuance to getting this to work.
Stuff I obviously shouldn't say obviously, but stuff I
personally would never bother to do because I don't need Go to
run on my PlayStation two that I don't have anymore. But it's
really interesting read. If you like sort of legacy code hacking
stuff, you'll enjoy this a lot. So we'll have a link
Shay Nehmad (34:43):
to the Legacy? It's
only twenty five years old. That
is super cool. I love this, like, low level nonsense stuff
and dealing with, like, old hardware. Generally, the PS two
aesthetic is pretty good, right?
Jonathan Hall (34:58):
This is
Shay Nehmad (34:59):
not useful for
anything though, right? It's
just for fun.
Jonathan Hall (35:02):
I think so. I
mean, in principle, I suppose
you could run a web server or a web proxy with Go 1.242 at least
safely on your PlayStation two. But, I think it's it's for
obvious. I love the Go build directive, by the way.
Shay Nehmad (35:16):
Slash slash go
colon build p
Jonathan Hall (35:18):
s two. You just
need to have Go and build added
for this one as well.
Shay Nehmad (35:23):
One final item for
the lightning round. Go Zero
reaches 30,000 GitHub stars. I never heard of it. Have you
heard of Go Zero? No.
So it just shows to show you that there are cultural and,
like, country differences even in the software world. It's a
super, ubiquitous microservices framework with a CLI tool that
(35:44):
actually looks pretty good and is very productive, includes API
gateway with a ton of features and services with a ton of
features like authorization, inter services, cache control,
stats, monitoring, time out control, circuit breakers,
tracing, blah blah blah. It's just Chinese. That's why I
haven't heard of it. But it it's used by a ton of logos here that
are all Chinese companies.
(36:05):
I have no idea if these are like huge companies that employ
thousands of developers or like, have no idea. It seems like
Lenovo China is there and Indochat, which I've heard the
name of and 30three.cn, which I heard the name of. But like, I
don't I don't know a lot about the Chinese market, but it has
30,000 stars, which is pretty cool. You know, has support for
(36:27):
caches and dbs and blah blah blah. Seems very productive.
Like, if I had to implement a v two of a microservice
architecture at like a big ish company, I would definitely give
this a look. It seems pretty cool. And it reached a it
reached a pretty high milestone of like stars and forks. It
seems very popular as well. Go dash zero.
(36:48):
If that sounds relevant to you, go check it out.
Jonathan Hall (36:50):
Awesome. I think
that's the show. That wraps it
up. Program exited.
Shay Nehmad (36:54):
Program exited. We
will see how we do the episode
next week since it's a Passover, but we will definitely fit it
somewhere on the schedule. Program exited everybody.
Program exited. Goodbye.