Metal! 🤘 Bare metal go, config libs, building response writers

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Shay Nehmad (00:00):
This show is supported by you. Stick around

(00:02):
till the ad break to hear moreabout that. This is Cup of COBOL
for 05/09/2025. Keep up to datewith the important happenings in
the COBOL community in aboutfifteen minutes per week. I'm

(00:25):
Shay Nehmad.

Jonathan Hall (00:25):
And I'm Jonathan Hall.

How are you doing, Jonathan?

I am great. I am so excited about this new GCC
release. It's going to make myCOBOL programming so much
better.

So what's going on there?

Yeah, so GCC 15.1 finally supports COBOL.
Incredible. It is incredible. SoI can start doing all my COBOL
hardcore coding with the GNUcompiler. I'm so excited about
this.

Nice, nice, nice. Link in the show notes of course
if you wanna dive deep intothat. I know most of the
listeners mostly care aboutprocedures and names and things
like that, not compilers. So wewon't dive too deep into that.
But you should let your bankknow.

Definitely.

All right. In other news, the security release we
talked about yesterday.

Last week. I don't

know why I keep saying yesterday.

I mean, you may have talked about it yesterday.

I I didn't talk about it yesterday. We talked
about it last week. Go versionsone point twenty four point
three and one point twenty threepoint nine were released with
security fix or the OS packetwhere it was possible to
improperly access the parentdirectory. Mhmm. So exactly the
sort of thing when you talkabout directory traversals, you

(01:33):
can do root dot open dot dotslash, which allows escaping.

It's kind of funny that this happened because
that's like exactly the thingthis feature was intended to
prevent. And they kinda brainfarted, I guess, about this
particular instance of it andand let it through. But I'm glad
they caught it.

Yeah. The the this escape like only permits opening
the parent directory itself, notancestors. So you can't go
higher than what you did, ifthat makes sense, but not
ancestors of the parent. Yeah.Or the files within the parent.
So it's not as bad.

Yeah, could have been worse.

But yeah, thanks to Dan Sebastian. Dan Sebastian
Thurane for reporting thisissue. You can actually go look
at the issue report right now,and just take

a look

at the change list and everything now that it's
open. Very simple fix, if youuse the dot root thing, you
should probably upgrade. Yes.This is important. Unlike unlike
what we usually say when, thisis a niche case of HTML parsing,
probably not relevant to a lotof listeners, probably relevant
to a lot of listeners.
You should always upgradeanyways, but you know, go

(02:41):
upgrade. And upgrading miners,like it's so easy anyway, so it
shouldn't be a big deal. Youhave some none proposal that I'm
really excited to understandbecause I don't understand it.
Can you explain what's going on?

Yeah. So there's this new proposal. This has been
proposed a few times apparently.But this new proposal is
different because it comes witha working implementation. The
proposal is to add a Go OSequals none.
In other words, booting your Goapplication without an operating
system.

So Go OS normally I would use it like I would put
what operating system I wannacompile my Go program to.

Right? Usually Darwin or Linux or Windows or
whatever, whatever operatingsystem you're compiling for.

I'm I I was waiting to see if you will mention
Windows on that list.

Of course.

Of course. Of course.

I won't use it, but I'll mention it. Yeah. So
the idea is to do OS equalsnone. So everything, which maybe
sounds kind of cool. I mean, Iguess maybe first, why would you
want this?
If you want to boot directlyfrom say your BIOS or whatever
into your Go application, Iwould imagine this is mostly
useful for embedded types ofapplications. But yeah, that's

(03:51):
what you want to do, you don'twant to have to install Linux or
Windows or whatever. First, youjust want have your app, your
server, your computer that doesone thing and one thing only, it
boots directly into it. Itprobably has some interesting
implications for VMs as well. Soyou could have a lighter weight
VM that just boots oneapplication only.
So that's kind of the generaluse case, but it has a lot of
interesting implications becausewhen you think about what are

(04:12):
the things your operating systemusually manages for, your things
like your TCP stack and yourfile system memory management, a
whole bunch of things. Thesethings all have to then be
handled by the Go runtime. Sothe interesting thing to me
about this is that there'sactually a working or at least
mostly working implementationthat's being used to influence
this proposal. So I think it'sgetting traction in ways that

(04:34):
others never have. It's stillvery early.
This was only proposed threedays ago, but it's getting a lot
of discussion. It's kind of aninteresting thing.

Originator, this doesn't come out of nowhere.
There is a project calledTamaGo.

Yes.

It's bare metal go already, which has like, you
know, almost 1.5 ks stars. Ilike the motivation. You're
like, oh, it could be useful forembedded stuff. The motivation
of the project as they lay itout is reducing the attack
surface of embedded systems.

Oh, right, yeah.

So when you push out sensors to the field that do
something, you know what I mean?Just like, and you need to run
some code on them, and you don'twant them to become a botnet,
it's a lot easier if they don'trun Linux and C libraries on
them, but just your code andnothing else. Right. Because
that normally makes them eveneven if they're not super

(05:26):
secure, they just don't show upon like scans for botnets and
things like that, which I thinkis the main attack factor you're
worried about with embeddedstuff. Although maybe also, you
know, smart locks things likeLike, that's very interesting.
My thought process is also ifyou wanna create, like, a Go
thing that runs before you runthe operating system. If you

(05:49):
wanna do, like, sandbox yourmachine or something like that.

You wanna rewrite Grub and Go?

Yeah, basically. Like, why not? I'm sure there's
some cyber security companiesout there that it's relevant for
them.

Mhmm.

So is this like obvious gonna go in or is this
like, this is this bad for Go ingeneral because it introduces a
lot of, new things that it hasto deal with, but it's good for
Go, you know, OS nonespecifically because it becomes
available? Like, what's thewhat's the vibe on the
discussion right now?

I think it's getting serious attention. I
mean, I see well known Go teammembers and other prominent
Gophers commenting that thislooks fascinating. They'd like
to look at this more closely,and not getting the sort of
dismissal you would expect fromsomething that might seem
outlandish if it didn't have-What do

mean you would expect, Jonathan?

If it didn't have a working prototype attached to
it. So yeah, I guess I'm alsocurious if the no OS would work
on all architectures or if itwould be limited to certain
architectures, at leastinitially, because I don't know.

From my voice, it's limited to specific
architectures. So if it's basedon that, I assume it's gonna be
limited as well.

Yeah, I imagine the same. But yeah, well, it'd
be fascinating to see because ofcourse different hardware
platforms have differentrequirements when it comes to
implementing a file system or anetwork stack or talking to the
video driver and all that, orthe video driver, but the video
hardware and all that stuff. Soquite fascinating. Yeah, I have
no prediction whether it willultimately be accepted or not.

(07:21):
But the fact that there's a livevibrant project behind it, I
think increases those oddsdrastically.

Yeah, I think one of the things that's very
interesting here is this is notactually anything new other than
the Tamago implementation,right? So this proposal is just
like, hey, core team, supportthis.

Like, don't

the core team have enough to deal with?

So I could see that argument for sure. And like
I said, like I was alluding to,there's a lot of different
hardware out there regardless ofthe CPU architecture and stuff
like that. It's like, how youtalk to a video hardware on an
old Mac or on a Raspberry Pi oron whatever sorts of hardware
might matter? There's a reasonoperating systems are

(08:07):
complicated and I don't know howmuch of this they're wanting to
take on, but I could see thatbeing a deal breaker. You know,
if Go runtime now has to support15,000 different video chipsets,
I'm sure they don't wanna dothat.
So, I don't know. It'll beinteresting to see what happens
here. I think in principle, likethe idea. I don't know if the

(08:27):
all the particulars, which Imostly haven't thought of,
really make it practical.

And by the way, don't like, I remember a talk
from the recent the latest Gothing I went to, the Go for Con
Israel, that talked about like,hey, if you wanna do embedded,
you can use TinyGo. Why not justuse TinyGo? Like what's the
difference?

I'm pretty sure TinyGo still needs an operating
system of some kind. Butsomebody asked this, how do you
see the overlap with usage ofTinyGo? And the person who made
the proposal, whose name isAndrea Barzani, his answer is, I
don't see overlap as TinyGo'sdifferent implementation, which
also targets entirely differentclasses of targets, different

(09:10):
instruction sets, and doesn'tprovide 100% compatibility with
runtime and or the language. Andthey have an FAQ entry about
that as well. So this is clearlysomething they've thought about
and at least the Tamago groupfeels that it's justified to be
a very separate project, so.

And actually that program for the TinyGo project
commented as well. Generally hesaid he's excited about this. I
I think that we can summarizethis as a low level nerds
excited by proposal, not nomodel understands. You saw a
library that maybe I can'tfigure out. Can you tell me a
little bit about that on Reddit?

Yeah. So I was scouring Reddit this week for
interesting stuff and I cameacross this post by r3z4boris
called, I've built the mostergonomic Go config library. I'm
curious, before I talk about thedetails here, Shai, how do you
manage configuration in atypical Go project? Like if you

(10:10):
were starting from scratch, notsomething inherited that that
you have to go with theirchoices. How would you do it
from scratch?

Until I got to three or five configuration
values, would just envar it withno library.

Mhmm.

Because it's easy to add, but it's kinda hard to
mess with. And then I woulddefine my own config struct and
use something. Usually I end updoing the CobraViper thing.
Although I don't love it, I endup doing the CobraViper thing
just because I'm so used to it,and there are so many examples,
to like load the configurationfrom like a JSON or YAML or TOML

(10:44):
file and allow overrides withenvironment fire builds just
because it's easy for, like,staging versus production kind
of thing Mhmm. Versus localdevelopment.
That's usually where I stop.That's usually good enough.

Cool. That's pretty close to what the author
of this library claims is sortof his default. He points out a
couple issues he has with this.One is that you typically end up
your configuration struct mayend up with substructs in it.
Say you have a Stripeintegration, so you want to have
your Stripe config in a structand you have database
configuration in a struct.

(11:16):
And these are all pointed to bya master struct. So you end up
with your configuration ofCortis sort of sprawled out in
various parts of yourapplication. They're not
centrally defined somewhere. Andthen when you use the
configuration or validate it,you have that sprawled out in
various places and so on. So hetalks about the problem of
configuration sprawl and havingmultiple sources of truth,

(11:38):
defining your structs indifferent places.
So his goal with this librarycalled Zero CFG is to simplify
all that and mimic the standardlibraries flag package to handle
YAML and TOML and arbitraryother types of configuration
environment variables. So that'sthat's the gist of this library.
I'm curious if you have thoughtson that already.

Yeah. I I also like building Straumann and then
winning arguments against them.It's really easy and fun. But
no, in reality, there is aproblem with when you define
your configuration that you haveto put tags, right? Have to put
struct tags as well.
But I don't know, it doesn'tfeel like a real problem to me

(12:21):
because, yes, you can put yourconfiguration all over the place
and the validation all over theplace and the defaults all over
the place, and then you're gonnahave a bad time when you wanna
figure out what yourconfiguration is. But you can
just have a file called config.Go and not do that. Like, is
forcing you, there is notechnical limitation that's
forcing you not to arrange yourcode in a way that avoids these.

(12:42):
It is true that you have to puttag fields with metadata and
nest structs for hierarchicalsettings, but that's just fine.
And I'm using TypeScript rightnow in backend for NestJS
projects, and that's how I do myconfig as well. I just make sure
that it's all in the config dotwhatever file.

Right.

So I don't think it's a real problem. I do think
Viper and Cobra and all those,like Viper and Cobra, I always
use them together, but Viperlike alone, you know, every time
I open it, I'm less happy aboutit because, you know, it's
heading towards v two and it hasall this documentation and all

(13:21):
these options and it's like, Idon't know, it feels a bit too
over engineered to me and a bitlike it has so many users at
this point that I like, you knowsometimes I'm just like, maybe I
can use something smaller. So ifzero so I think the Straumann
argument is is not relevant, butif zero CFG is awesome, I I
would check it out. Is itawesome?

Well, I think it depends on your your taste. My
complaint after looking at itfor an hour or so, best I can
tell, unlike the flags packagein the center library, it
requires that you use globalconfiguration state. So there's
no way to like instantiate aconfig object and pass that
around to your tests and so on.You have to depend on global
state, which would make testinga bit awkward. And even when I'm

(14:03):
using the flags package, I liketo use objects because I just
feel like they're a cleaner wayto deal with state rather than
using the global functions inthe flag package.
Also, don't really like the flagpackage. So building something
based on that would not be mypreference in the first place.
So yeah, I guess I have mixedfeelings. So on the one hand, I

(14:23):
think you're essentially right.That is a straw man argument.
I have had some complaints aboutbasically the pattern you
described for configuration. Thebiggest one being using struct
tags feels clunky, especiallyfor they tend to get overloaded.
You specify here's what the JSONkey is or the YAML key, here's

(14:43):
what the environment variableversion is, here's how the
validation works, here's thedefault value. It's really
mixing concerns there. And thenmany of those things can't
really be set in flags.
Like if you have something thatthe default value of this is
built from three other things,then you have to have a function
that does that somewhere.Sometimes you have custom
validation logic somewhere. Sothere can be some sort of sprawl
of the sort, but I don't thinkthat this solves any of those

(15:05):
problems because I'm going havethe same exact problem. If I
have the option to specify adatabase DSN or to specify a
user and a host and a password,etcetera, all separately, I have
to have that same logic tofigure that out using this
approach as well. So it doesn'treally solve the problems that I
feel like I have, and I'm notexcited about the solution.
So I don't entirely agree withthe premise, and I certainly

(15:26):
don't agree with the outcome.But that's not to say that some
people wouldn't love this. Ifyou like the flags package,
prefer to handle your YAML thatway, you should look at this.

Generally, think having read over the library a
little bit, it seems like a verysimple opinionated solution. I
might like It might be the casethat you don't like it. Like you
said, Jonathan, I don't like thethe global thing because it
makes my tests harder. But ifyou if you, I don't know, all
your tests are end to end testsinstead of unit tests, so it

(15:54):
doesn't bother you that there'sjust one global thing because
you don't change them betweentests or whatever, and that's
your decision, then this willwork for you.

Devil's advocate though, if all you're doing is
end to end test because younever change those configuration
variables, you don't needconfiguration variables, you
need constants.

That's not devil's advocate because that's the
position you don't believe in.That's just Jonathan's advocate.
Yes, of course. All I'm tryingto say is, you know, there is, I
tried to come up with a scenariowhere, you know, you
pragmatically, you change yourconfiguration variables, like,
you know, maybe it's a scriptthat you run locally, right, for

(16:34):
internal support agents in yourorganization, and you just want
to be able to override it withCLI, but have a file and you
don't care about anything else.This is a good, like it is
readable and nice, seems simple.
It's very feature bare, like ifyou wanna pass a config struct
around, or if you wanted to dovalidation, etcetera, etcetera,
you're gonna have to startimplementing these on your own.

(16:57):
That doesn't mean by the waythat you're gonna have a better
time with a big ass framework,but I will say that, you know,
just for fairness sake, likethere are a lot of options
there. We said, or Viper orthis, but like what about the
Elastic one, right? Elastic hasa universal config thing,
although I don't know if it'svery maintained. Like there many

(17:19):
configuration options inlibraries because people like
developing those in Go becauseGo is good for this.
If the person's claim is thatit's the most ergonomic, it's
like designed for long termhealth, efficiency, and comfort,
I don't think that's the case.Think this is like the best food
of configuration libraries. Youcan Uber this, this

(17:40):
configuration library, it worksin a minute, but long term, it's
not gonna be good for you.

Yeah. I I have to admit the ergonomic the most
ergonomic was the clickbait thatgot me to read it in the first
place. So kudos for picking thatheadline, even if I don't agree
with it.

Talking about clickbait, you're not gonna
believe what we have for you inthe ad break and the lightning
round. Two links you're notgonna wanna miss.

Woo hoo. So first off, we have a new Patreon level
by popular demand, meaning oneperson asked for it. You can now
become a Patreon at $3 a monthinstead of 8. So if you, as our
one listener pointed out, if youalready support a large number

(18:25):
of other podcasts or otherefforts and $8 a month stretches
your budget, you can still joinus for $3 a month. So we have a
new Patreon level.

Yeah, it's a membership called Gopher Mini.

It's like an espresso shot of Go news. Yeah.

So this is for, you know, this is a half calf
espresso shot versus the Cup OGopher, which is like a proper
cortado. Damn, I want coffeeright now.

Who wants coffee? I just made a fresh pot of
coffee. Does anybody wantcoffee? Hey, hey, hey. Who wants
coffee?
Does anybody want coffee? Whowants Do we have any new patrons
this week, Shay?

I don't think so, but it's a good chance to shout
out some of our audiencemembers. Moshe Viner. Oh, wait,
we do have Moshe Viner. MosheVayner, thank you for joining,
Liz Lam, Kelsey Wolf, JessBrisson, Jay Martin, Jamie,
Sager, David, Jose, David,Chaney, oh, Dave Chaney, yeah, I

(19:27):
always forget that. Suddenly yousee names you recognize.
Gilead, thank you for joiningand also being on the show and
also being awesome. And all the,and CodeSank, of course, every
time I see it. Rob Prentice,Adelina, of course, friend of
the show, Thank you all so muchfor supporting and more. This is
the pagination limit we have sofar. We really appreciate all of

(19:48):
you.

I'm gonna let you talk about the next link because
it's really your link.

It is, it is. So I'm arranging a Go meetup in San
Francisco, and it's going prettywell. It's being sponsored by
Elastic and in the meetup, we'regonna record the episode live,
which is super cool. So if youare in San Francisco in May 27,
we're gonna meet up at 5PM atElastic's offices. There's gonna

(20:13):
be food, there's gonna be swag,Josh Bleecker Snyder's gonna
give a talk, Ishai Shore isgonna give a talk, I'm gonna do
the podcast episode, which issort of a talk, actually
originated, like the podcastactually originated from Go
Meetups, right?
Yeah. So this is a full circlekinda thing. Mhmm. We're gonna
talk about what's new in Go.Nice.

(20:35):
And also do a sponsoredinterview with someone from the
Elastic team. Because they'vebeen kind enough to host this
event and we're really reallyhappy for them doing that. I'm
gonna ask for two things. If youare in the Bay Area, try to make
it because I really want a lotof people to come. I'm new here
and I wanna meet you all.
And if your company has like anSF or even a Bay Area office,

(21:00):
let them know. Like, again, I'mnew here in the Bay Area and the
reason I'm doing this meetup isjust so I know who are the
gophers like around me, you knowwhat I mean? Which is good for
for many things, professionalnetwork included, but it's also
a lot of fun. So you know, ifyou know where to push this
event, please do that. There aretwo links in the in the show

(21:23):
notes, one for Eventbrite, onefor Luma.
I don't know why, but peoplehere in the Bay Area, they like
Luma more. So so yeah, try andpush it. I would really
appreciate it. And I'm sureElastic would as well, and maybe
they would continue to sponsorus, which would also be cool. So
yeah, go meet up in SanFrancisco.
I'm excited and kind ofterrified.

I wanna do a quick shout out to Christoph
Berger, who does the AppliedWeekly Newsletter. He is the
reason in part that we've kickedoff the program with COBOL.

Yeah.

I just want to explain that for anybody who has
made it this far.

What's up, Christophe?

Yeah, he mentioned our podcast as he
often does in his weeklynewsletter and he challenged our
title last week, which wassomething about being
surprising. He said it wasn'tsurprising that we had a new
episode out, so we decided toinject

a little surprise there for We're we're starting
to bore Chris off. But it'sgood, GO is like boring software
and it it just makes sense thatthe show is boring as well. I I
like being that slot. No no nota lot of drama.

That's right.

Until the next time they introduce, you know, Opt
Out Telemetry.

It is, of course, our final spiel here. Share the
program with somebody, leave areview, leave a rating that
helps promote the show. We don'tpay for promotion, so it's all
word-of-mouth. Gottogo.dev isthe website for swag and for
joining Patreon and for emailingus your requests for new Patreon
membership levels or anythingelse.

Yes. And, people have been telling me they've
been, using the transcripts tocatch up on the show. Like,
instead of, listening to oldepisodes, they would just like
skim through them and evensummarize them with, LLMs, which
I thought was pretty cool. Soyou can find transcripts on the
site as well. Cool.
Let's do a quick lightninground. Let's do it. Lightning

(23:11):
round. My thing for thelightning round is not Go
specific, but I've been way likethis last week, I've been way
deep into AI Cursor LLM land. Iknow people are already sick of
hearing of it.
But actually yesterday, I wentto AI at the Frontier meetup
here in San Francisco withpeople from some like, you know,

(23:32):
head of API engineering atOpenAI, and head of engineering
at Stripe, and someone who usedto be on the Notion, like one of
the Notion founders, like prettyrespectable panel. They sat
there for an hour and talkedabout, you know, vibe coding,
etcetera, etcetera. So I wantedto share like one blog post
that's called From Design Talkto Code, the Groundhog AI Coding

(23:54):
Assistant. It's basically abouthow to vibe code with cursor
correctly end to end. The partthat's Go ish about this is that
basically this person claimsthat it's really really better
to use strongly typed languages.
They use Rust for what they'redeveloping. They claim that
using well typed languages ismuch better for agents, not just

(24:17):
LLMs in general, which makessense to me. And we know that Go
is pretty good for LLMs becauseall the code is formatted the
same because Go FMT is built in,right?

Mhmm. Mhmm.

So I would implore anybody who's exploring, you
know, using agents, developmentagents, things like that in the
company to read through this. Ijust wanna bring one quote
that's really funny to me fromthe this is the rule that the
person is writing for the LLM,so they embed it into the you
know, into cursor and everyrequest you do that this is part
of the context, right? You knowwhat I mean? Yeah. Mhmm.

(24:49):
You are an expert softwareengineer who knows Rust. In
fact, you are the softwareengineer who created Rust. So I
I wanted to I wanted to justfloat like what what is the
prompt for you're the bestgopher ever you would put for an
LLM?

I I haven't thought about that. That's a
good idea. I would be afraid todo that for something like

Pearl or

or Ruby, like, an

expert GoLang engineer. You listen to Cup of
Go religiously every week. Oh,no. No.

I'm afraid what kind of result that will
produce.

In fact, instead of writing code, a % of your day is
spent debating on GitHub issues.Alright. So that's my thing for
the lightning round. A prettycool blog post on a pretty cool
out there blog calledghuntley.com, which is pretty
cool.

Cool. Well, I wanna shout out a blog post came
out May 7, so it's pretty new.It's called Build Your Own
Response Writers, Safer HTTP andGo. I don't know how many people
realize, but the ResponseWriters, if you're building an
HTTP handler, the ResponseWriters is an interface, which
means you can implement yourown. Oh really?
Yeah, I've done this a fewtimes, but the blog post goes

(25:58):
into some details about not onlyhow to do it, but why you might
want to. Maybe you want toenforce certain behaviors or the
certain headers are always setor require a handler to specify
a status code rather thanassuming 200 if it doesn't get
one and stuff like that. So thisis the lightning round, so I'm
not going into details, but it'sa cool little blog post, pretty
quick read. And it kind of getsinto, I wouldn't say the depths

(26:22):
of go, but some interestingimplications that many people
probably don't think about.Comes from Antonio.
Thanks, Antonio, for the greatblog post. We'll have a link in
the show notes.

I love the person's blog. Colors are so nice. Cool.
Well, that makes it for ourshow. We'll see you all next
week.

Program exited.

Goodbye. Program exited. Goodbye.

All Episodes

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

On Purpose with Jay Shetty

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Metal! 🤘 Bare metal go, config libs, building response writers

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Stuff You Should Know

Dateline NBC

On Purpose with Jay Shetty

All Episodes

Metal! 🤘 Bare metal go, config libs, building response writers

Stuff You Should Know