November 1, 2025 29 mins

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jonathan Hall (00:02):
This show is supported by you. Stick around
until the end to hear more about that. This is Cup of Go for

(00:31):
Halloween, 10/31/2025. Keep up to date with important
happenings in the Go community in about fifteen minutes per
week. I'm Jonathan Hall.

Shay Nehmad (00:39):
And I'm Shay Nehmad. I am very excited for my
first Halloween ever. Woo hoo.

Jonathan Hall (00:44):
Do you have a costume?

Shay Nehmad (00:45):
My kid has a costume.

Jonathan Hall (00:46):
Your kid has

Shay Nehmad (00:47):
a I didn't I'll probably like put on a sheet,
whatever. Yeah. Like I'll improvise something.

Jonathan Hall (00:53):
They'll do something.

Shay Nehmad (00:55):
The like rule, you know, I'm going with my kid up
to a house, she's knocking, she'll say trick or treat. How
many candies am I getting? One, two?

Jonathan Hall (01:05):
Probably a few. You personally or your kid?

Shay Nehmad (01:08):
All of us is like a I'm not dressed

Jonathan Hall (01:10):
You're not dressed up. You're there to and
observe and to steal the candy after she goes to sleep.

Shay Nehmad (01:16):
That's the plan.

Jonathan Hall (01:17):
Yeah. Yeah.

Shay Nehmad (01:18):
Any dress up for you?

Jonathan Hall (01:20):
I don't have a costume this year. I have worn
costumes in years past. My son was a firefighter yesterday at
preschool. My daughter stayed home sick, so she didn't go as
the fairy princess that costume we bought for her. And the last
time I dressed up for Halloween was probably eight years ago.
I was I was Mario. I went all out. I I dyed my mustache to be
brown and I had some blue overalls and white gloves and

(01:43):
everything.

Shay Nehmad (01:44):
One costume I'm considering, I might do it, I'm
still like debating, is getting like some bubble wrap from
someplace and just writing AI on it. The AI bubble who's above
the top.

Jonathan Hall (01:58):
Right.

Shay Nehmad (01:58):
Right. That's a bit too on the nose though on
working at an AI security startup, you know?

Jonathan Hall (02:02):
Yeah. And you are in San Francisco.

Shay Nehmad (02:04):
I I think it's considered hate speech here too,
hate on LLMs. Right.

Jonathan Hall (02:08):
You're not allowed

Shay Nehmad (02:09):
to say clanker in the street, you know what I
mean?

Jonathan Hall (02:11):
Maybe we can get an inflatable gopher outfit.

Shay Nehmad (02:13):
Oh, that actually that could be cool. Talking
about Halloween and being scared, like, don't know, I'm
scared out. I'm I'm creeped out. Give me some like normal
proposals, Bring me back to normalcy.

Jonathan Hall (02:26):
All right, here's a question for you, Shay. What
happens if you use FMT printf with the percent Q operator for
an integer? I don't

Shay Nehmad (02:36):
remember. What is percent Q? Have to admit, I'm
really bad about this stuff. I always use percent plus v no
matter what. I'm just like, whatever, give me the most
verbose representation I I'll I'll need.

Jonathan Hall (02:47):
So percent q does a quoted version of a string. So
if you pass in a string that has escape characters entered or
something, it will quote it so that it's safe.

Shay Nehmad (02:54):
Oh, okay. Cool.

Jonathan Hall (02:56):
But but if you pass a non string, like an
integer, what would you expect happens? Like, you pass one two
three.

Shay Nehmad (03:01):
To string, like, try to find the best string
representation of it.

Jonathan Hall (03:05):
So you might expect it to print, like, quote
one two three end quote or something like that. Right?

Shay Nehmad (03:09):
Yes.

Jonathan Hall (03:09):
If you if you use one twenty three if you pass one
two three to that, the result is actually much scarier than that.
The actual result is it prints the opening curly brace because
it converts it to ASCII.

Shay Nehmad (03:20):
Oh, no way. Yeah.

Jonathan Hall (03:23):
That's cool. So that's kind of

Shay Nehmad (03:24):
actually cool.

Jonathan Hall (03:25):
It might be cool. It is a little bit unexpected.
So there's a new proposal to add a check for that case to GoVet
and warn if someone tries to do that. I think that's kind of
useful. I don't know that I've ever run into that problem, but
I could could see it happening.

Shay Nehmad (03:41):
The but that does sound like possible intended
usage. Like, how should I?

Jonathan Hall (03:46):
Someone someone could mean that. But if you
really want that, like you wouldn't use percent Q, you
would probably use percent S to intentionally convert your
integer to a string.

Shay Nehmad (03:55):
But then it's not quoted.

Jonathan Hall (03:57):
Well, it's not quoted in this case either. Are
you oh. Because it's not a string. You know, it's it's
yeah. I don't know.
It's weird.

Shay Nehmad (04:04):
Cool. Well, if this bit you, whenever you were
trying to use percent Q, go upvote this issue, this
proposal, sorry. Seems like there's no CL yet,

Jonathan Hall (04:16):
so you could even try to do that. Yeah. This is
this is still new, so it hasn't been accepted yet. But I I I
don't think it's a there's a not a high chance that it will be
rejected. I I my my that's my feeling.

Shay Nehmad (04:29):
Seems a bit

Jonathan Hall (04:30):
a no brainer, but

Shay Nehmad (04:31):
Someone did the thing I like, Alan Donovan did
the thing I like of actually going digging through Go code
and finding examples where someone used q and passed in the
wrong type. And it seems like a lot

Jonathan Hall (04:45):
of people made that mistake. He's, I don't

Shay Nehmad (04:48):
know why he's dunking specifically on
HashiCorp, like all those mistakes. Look at HashiCorp
doing it wrong. But I guess they just write a lot of Go code.
That's also another option.

Jonathan Hall (04:57):
Yeah, maybe they Yeah, I don't know. I'm not
gonna make jokes about HashiCorp. So

Shay Nehmad (05:03):
cool, go up for that proposal. Also, don't think
there's a CL yet, and this sounds like actually a pretty
easy one. I would try Honestly, if you were looking for an
opportunity to

Jonathan Hall (05:16):
write a CL, I would definitely do that.

Shay Nehmad (05:20):
Before jumping to the next blog post, last week's
episode was a live episode and you were in Go West. How was
that? How was the conference?

Jonathan Hall (05:28):
It was great. I had a I had a good time. I spoke
at the end of the day, so everybody was falling asleep
already, I suppose, before before I got to speak. But, no,
it was it was a good good talk. I actually did two talks.
I did a lightning talk also last minute about the CMP package in
the standard library. And I know, felt like all the talks
that were presented were great. I think they'll be online before

(05:50):
too long. So we'll try to share, you know, mention that on the
show with a link in the show notes when that's available.

Shay Nehmad (05:55):
Yeah, we'll definitely put a note to look
into that.

Jonathan Hall (05:59):
There were a lot of talks aimed at more beginner
intermediate folks sort of breaking down like how memory
management works and not so much the how memory management works,
but why memory management is important, which is something
that's often overlooked. And great talk about channels. So
yeah, I look forward to

Shay Nehmad (06:16):
sharing those videos when they're available.
And you mentioned before the show, you met a lot of people
who were actually on the show before, right?

Jonathan Hall (06:24):
Yeah. So of course I met Moriah and Derek
who are co organizers of the show, and they've been on the
show before. Moriah at least twice. I also met Elliot Mins of
Dreams of Code. He was there.
He was one of the panel presenters, so he was one of the
speakers. And I met a few other people. Of course, many people
I'd never met before. A couple of others I had met that weren't

(06:44):
with any relation to the show. Almost met Lane Wagner from
boot.dev. He's been on the show a couple of times, but he was at
his brother's wedding. Same on you, Lane. But he sent sent a
couple of his

Shay Nehmad (06:55):
You gotta prioritize, man. You gotta
prioritize. Your brother could get married like three, four
times on average. But you go west twenty twenty five, that
happens only once.

Jonathan Hall (07:06):
But he did send a couple representatives from boot.dev,
so I got to meet those folks. And yeah, it was a great
time.

Shay Nehmad (07:12):
Would you recommend people to like fly into the
conference next year?

Jonathan Hall (07:16):
I think so. Mean, I I would love to go again.

Shay Nehmad (07:18):
Sounds like a great time.

Jonathan Hall (07:20):
It's a great time. About 120, 130 people
attendees. So it's a small it feels like a big meetup more
than like a large than like a small conference, if that makes
sense. If that's your sort of thing, yeah, it was great. Very
good.
So as you mentioned, while I was busy meeting folks, you were
also meeting folks. And we of course did a little bit of an

(07:41):
awkward live episode from a noisy restaurant parking lot.

Shay Nehmad (07:46):
That was a little, I don't know, not super
official. Saw behind the scenes a little bit, but it was good.
Yeah, I helped organize the Go San Francisco meetups.

Jonathan Hall (08:01):
This

Shay Nehmad (08:01):
is the second one I'm running already. Saw some
familiar faces, Simon Law, Josh Bickersteiner of course did a
talk, which I found really cool. Changed the Go runtime while
like running some programs and then suddenly every time there's
an assignment to a map, it prints to the screen. You know

(08:22):
what, now arrays increase their size, like slices increase their
size three times, not two times every time they need to like
increase the capacity. All these cool things, I really liked it.
And yes, people are getting excited about the Go meetups in
San Francisco again. Like I've had more than one person
approach me and like, I wanna be part of the organizers, I wanna

(08:42):
host, I wanna sponsor. Like, I don't know, feels like San
Francisco went through like some downtime during, at least that's
what people tell me that they lived here for a while. They had
a really rough time during

Jonathan Hall (08:53):
the pandemic. Like, the city got like emptied
out, you know what I mean? Mhmm.

Shay Nehmad (08:57):
And now it's coming back like really, really strong.
So there's a lot of excitement about like meetups and Go and
whatever. And yeah, we're already planning the next one in
January. I don't know, what do you think

Jonathan Hall (09:08):
is a is a good cadence for like city meetups?
In Amsterdam, we did about 10 a year. So we usually do one a
month except during summer or maybe around Christmas time.

Shay Nehmad (09:18):
I'm like, I wanna do four a year. I don't know

Jonathan Hall (09:20):
if that's like too too few to get people like I
think it depends on the most important thing is don't burn
out your organizers. You're If you have the energy to do four,
then do four.

Shay Nehmad (09:31):
I think I think I'll do one in, January and if,
there'll be a bit more attendance. It was a really good
crowd, but it was pretty small. One of the things that pissed me
off of it, like, we had 50 people RSVP and about 20% show
up. That was kind of frustrating because we ordered a ton of food
and ended up going to waste. But under that, I had a great time.

(09:52):
I'll definitely do it again. And there is gonna be one in
January. So if you're in the area like, or you're listening
to this podcast, like stay tuned. I will update on it. But
yeah, very face to face y sort of week for us the Go.
How do you like to call it? Meet space. Meet space, yes. All
right. There is a blog post I wanna talk about.

Jonathan Hall (10:12):
Let's do it.

Shay Nehmad (10:13):
Andrew Ayer posted a blog post which I really like
called, I'm independently verifying Go's reproducible
builds. I think these are sort of blog posts that you're either
gonna really like, you're gonna really find super boring. Well,
I'll try to explain it. Do you know what supply chain attacks
are? They've been all overrecently.

Jonathan Hall (10:32):
Yes. Yes. Yes. Yes. How do I explain this?
Like, I know I know what it means. We've talked about it on
the show before.

Shay Nehmad (10:40):
Yeah. So you and get

Jonathan Hall (10:42):
so on.

Shay Nehmad (10:43):
But So you have typo squatting and you have
like, even people replacing your binaries like in the CI to be
bad ones, etcetera, etcetera. It basically means introducing
vulnerabilities, at least in software, right? Introducing
vulnerabilities in code that you import and not code that you

(11:05):
write in some level of the stack. And one important level
of that stack is the Go runtime itself, right? I could replace
the Go runtime to, I don't know, send me a message every time I'm
open a Go routine that opens a port that I can connect to your
machine remotely and you wouldn't want that.
And because you don't read and review all of the Go code, you

(11:27):
know, while you build, you need something to protect you from
it. What do you do you think protects you from it today?
Like, because this is not something that worries you when
you release Go to production.

Jonathan Hall (11:38):
Not usually. So I tend to trust I tend to put a
lot of trust in a lot of things that maybe I don't deserve it.
But I I guess I trust things like HTTPS to to download
dependencies securely. I trust that my compiler is secure
because I got it from an official source.

Shay Nehmad (11:56):
So that's the thing you trust that is a single point
of failure at the moment is the Go checksum database. So the
go command verifies that thetool chain you downloaded
matches that database and thedatabase is open, so anybody can
see it. So when you reuse the gocommand, unless someone messed

(12:16):
up with your go command and now we're getting into the point of
like, oh, can I even trust anything? But when you download
the Go binary from the site for the first time, can compare its
hash because it's like posted on the site. So assuming you have
the correct Go command, the Go command makes sure that it's the
exact same binaries byte for byte.
If you had built a tool chain from source yourself, because of

(12:39):
Google's Go checksum database. This blog post is all about
who's watching the watchers, like who promises that Google
doesn't introduce like, slip in a backdoor or maybe they even
have a bug and their builds aren't actually reproducible.
And these checksums are like wrong, right? So they could give
you the source code on one side and tell you this is the hash on

(13:02):
another. But if you haven't test, I actually built from
source yourself and tested it, it comes out byte for byte the
same and then ran the checksum and saw that the checksum comes
out the same, how would you know?
Like, how would you know that that database is correct? Most
people, including myself, I just like trust Google. And I was
like, ah, there's there is gonna be someone who's pedantic enough

(13:24):
to actually test it. And this person, Andrew Ayer, just did that.

Jonathan Hall (13:29):
Oh, wow.

Shay Nehmad (13:29):
They built all the versions and it seems like in
all words. And indeed, the Go checksum is correct from Go
01/2020, up until now. They actually tested 2,672 tool
chains, which is pretty cool. And yeah, I like this sort of
work, you know, sort of mitigating trusting trust

(13:51):
attacks, which is a thing I like to say. There are a few problems
like making this work.
It's not literally just downloading a thing and
compiling it and seeing the results. Google has a private
key, you can't reproduce that private key, you have to strip
it and compare the stripped versions. And there's some like
compilation related issues. There's also a funny thing that
there's one Go version that isn't a valid version number. I

(14:14):
didn't know that.
But apparently 1.9.2 RC2 is not a valid version, but it is a
version.

Jonathan Hall (14:22):
Funny.

Shay Nehmad (14:23):
Yeah. It should be like a 1.9 RC two, but they just
have an extra two there, guess.

Jonathan Hall (14:29):
I see.

Shay Nehmad (14:30):
It was released by mistake, but because it's like
an append only check the log database sort of thing, you
can't like ignore it. Right. So there's just a special case in
the code for that specific version of Go one point nine
point two, just because it was released by mistake. This is
really, really cool. I love this work.
Also mentions, Filippo Valsorda by name, like, he seems involved

(14:53):
in it as well. And yeah, seems like I can trust the the Go.
This is a long winded way of saying the Go checksum
database, which you didn't even know you check against, but you
do, actually works really well. But I do love the peeling the
onion and seeing the, like, one layer below a thing that I
didn't I I know Go is, secure,but now I know why.

Jonathan Hall (15:13):
Yeah. Awesome. Would have been a little bit
different story. More interesting in a way if if he
had found problems, right?

Shay Nehmad (15:20):
Yeah. Definitely would have been we would have
opened with it seems like Google has slipped a backdoor into all
of our tool chains. Yeah. But honestly, whenever a a blog post
comes out like this of, like, someone going really deep doing
a security research, and then everything's okay, I love these
sorts of blog posts as well. Because it's very easy to talk

(15:40):
about vulnerabilities, but it's actually interesting to talk to
like independently verify and say, I think confidently this is
okay.
As a security like person, when you find a problem, it's super
easy to talk about it. When you don't find anything, you need a
lot of confidence to stand behind and say like, I'm pretty

(16:00):
sure this is okay.

Jonathan Hall (16:02):
Yeah. Because if it's not

Shay Nehmad (16:03):
okay, you know what I mean? People are gonna come
back to your blog post and be like, that guy,

Jonathan Hall (16:09):
I'm get looking at something that looks kind of
promising. It's the JetBrains Language Promise Index. I love
this

Shay Nehmad (16:20):
tools and trends.

Jonathan Hall (16:22):
Did you know that Go has more promise than
JavaScript? Is saying something because JavaScript has promises
and Go doesn't, right?

Shay Nehmad (16:30):
You know what, I bet someone did like that. I'll
look it up right now. Promise syntax in Go. Generic promise
library for Go.

Jonathan Hall (16:39):
Love it.

Shay Nehmad (16:40):
There you go, Go type promise.

Jonathan Hall (16:41):
There we go. Go has promises now too. So
JetBrains published recently their language promise index and
a whole bunch of other statistics. I don't know what
the promise index means. It's sort of an arbitrary number.
It says we combine growth, stability, adoption momentum,
and user loyalty to identify programming languages with the
biggest chance of expansion over the coming year. And TypeScript
is ranked at number one with a plus two twenty three, whatever

(17:03):
that means. Go comes in at number four with plus 115.
JavaScript only has plus 15. So Go is ahead of JavaScript by 100
promise, whatever that means.

Shay Nehmad (17:12):
100 promise points. Yeah. Rust is number two, which
I think indicates, this number is more like who is going to
expand versus who has market share right now. Although these
things that tend to be related, I think this is a pretty It's a
combination of like real world adoption, but also like

(17:34):
aspirational thinking by developers.

Jonathan Hall (17:36):
It must because like Shell is rated at plus 41
above PHP and SQL and Ruby has minus 21. Yeah. I can understand
Objective C having a minus three because that kind of lost the
battle a long time ago, right? It's been superseded by, I don't
remember what, but yeah, don't know. Are- Slumber

Shay Nehmad (17:53):
end things.

Jonathan Hall (17:54):
Yeah, yeah, exactly. But anyway, like, I
don't know. Seeing Shell outperforming Ruby is strange.

Shay Nehmad (18:00):
It's not really comparable. I am sad to see SQL
so low on that list. I wish more people knew better SQL instead
of like really liking TypeScript and then writing stuff with
ORMs, but that's just another battle. The important numbers I
saw is that something that I think a number I can understand
is top five languages developers want to adopt next. So these are

(18:23):
like the share of developers expressing an intention to adopt
said language.
And number one is Go with 11%. Rust to write behind it with
10%, and then like Python, Kotlin and TypeScript. First of
all, this says something we talked about in the right in the
beginning of the show, I think one of the first episodes, that
Go is very much a second language. You remember we I

(18:46):
remember talking about blog it, yeah. Post about it.
Like nobody starts with Go because you have to start like
someplace else and then you can appreciate all of Go's little
parts of like why it actually helps you out. But yeah, a lot
of developers want to move to Go. I think also like
dynamically typed languages that help you like type less and do
things more freely. The more I talk to people, I don't know if

(19:08):
you got the same vibe, but it seems like they're losing their
allure because people want their compilers to check AI generated
garbage. It's much harder to write like garbage that won't
compile in using LLMs, in Rust or in Go than it is in
TypeScript, JavaScript or Python, where it's really easy
to generate plausible looking like text that isn't actually a

(19:31):
valid program.
I don't know what's the reasoning behind it. But I'm
obviously, I'm happy to see it. More people coming to Go,
meaning more, open source contributions, more usage, more
bugs, more listeners to Cup of Go. I love it. Any other number
you looked at at at this, sort of report that stood out to you?

Jonathan Hall (19:49):
I did see other numbers, most weren't Go
related. I was encouraged to see that Postgres is finally more
popular than MySQL. MySQL had a strong lead for years and
Postgres is now 1% higher.

Shay Nehmad (20:01):
Great. I love Postgres.

Jonathan Hall (20:02):
I'm not sure why that is. I've been a Postgres
fan for years. I suppose MySQL's acquisition and licensing issues
and forks and all of it, you know, probably all plays a role.
But

Shay Nehmad (20:13):
And also all the new fancy hosting stuff like
Neon and Supabase and blah blah blah. Actually, don't know about
Supabase, I'm taking that back. But definitely like Neon and
there's a lot of like newfangled hosting, like cloud hosting
companies that give you fancy Postgres, I think made it easier
to adopt.

Jonathan Hall (20:31):
I I suppose we should also mention MariaDB is
listed separately and it has a 16%. So if you were to combine
Maria and MySQL, it would still be Postgres. So that ecosystem
might still be winning if it's a battle, but whatever.

Shay Nehmad (20:43):
I think it's interesting. Like the more
something is popular, the easier it is to adopt it in like an
enterprise perspective, right? Or a company. So like, I'm
hiring for engineers right now. Would I try to write my thing in
Objective C, which has like 2% or TypeScript, which has 45%?
And that's a good question for Rust, right? If you think that

(21:05):
they are, or Go, if you think this survey is correct and these
languages have a lot of promise, it would make sense to use Rust
or Go for your next project instead of like TypeScript or
Python if you think these have a benefit because people would
wanna move to it. And from a job seeker perspective, this is a
bit more complicated like reading this, feel. Because
you'd much rather learn a language that would be

(21:29):
employable, but also you wanna learn the language you wanna
learn, right? Like if you enjoy using, I don't know, I know a
lot of people enjoy using Kotlin, for example.
They love the syntax, the functional approach, blah, blah,
blah. So would you learn Kotlin right now because you want it
and, you know, it's according to this thing, it's on the up and
up, versus, I don't know, learning Swift, which is like

(21:50):
sort of going down. Would you learn Java, which is like pretty
stable and not moving anywhere? You know what I mean? Yeah.
Both from a job seeker and already established team, these
numbers I think are. They could inform someone who's actually
making the decision of should we rewrite it in Rust? Follow-up.

Jonathan Hall (22:09):
Sure, definitely.

Shay Nehmad (22:10):
So link in the show notes, you can check this out.

Jonathan Hall (22:12):
I don't know where

Shay Nehmad (22:12):
they got the numbers for these, by the way.
I'm like trusting these numbers, but I have no idea where they
got the numbers.

Jonathan Hall (22:17):
They probably didn't use the Go Checksum
database, so these numbers might not be secure.

Shay Nehmad (22:21):
Yeah, exactly. But I don't know, I have an innate
trust in JetBrains, even though I hate to their IDE. I feel like
they're a good engineer y company. It's just a brand
thing. I can't justify it for sure.
All right, and given that survey, you have the link in the
show notes. Let's move to a quick ad break. Like, Nosferatu

(22:50):
mentioned at the top of the show, this show is supported by
you. The best way to support the show is directly via Patreon. We
wanna say a lot of thanks to the our new Patreon, Shiva Best.
Thank you for supporting, the show. Really, really appreciate
it. You can find the link to the Patreon and all the rest of the
stuff in kapago.dev, that is kapago.dev. There you'll be able

(23:11):
to find links to our Slack channel, kapago. Our email
address newskapago.dev, our swag store, which includes brand new swag that
people have been enjoying, new hats, new stickers, and the GO
socks, like rooster socks, which I haven't gotten, I'll admit. I
have too many socks, I just did like a Costco run, but someone

(23:33):
wanted them. So buying the swag and then like sharing, your love
for the show is, appreciated as well. Finally, if you want, you
can also leave a review and a rating on like whatever app you
use to listen to the podcast, or just tell about the show, to
your coworkers, to your friends. If you're one of these 11%

(23:53):
aspirational developers who's moving to Go right now, or you
know one of them, let them know about the show, we would really
appreciate it.
It's a lot of fun when more and more people listen to the show.
And all the support goes to just making the show. Jonathan and I
do it for fun, but it's a pretty expensive hobby all in all. And
this stuff helps us pay for hosting fees, editing fees,

(24:14):
things like that. We're not getting rich off the program
yet, don't worry about it.
That does it for the ad break. Let's move to a quick lightning
round and close out this episode. Lightning round.

Jonathan Hall (24:29):
First up on the lightning round, why I built a
39,000,000 operations per second zero allocation ring buffer for
file watching in Go. Why not? Why not? Yeah. It sounds like
fun.
I love zero allocations. Everything it's it's like it's
like the new Code Golf. Right? How many is how many allocations
can we get out of our our Game of Life or our FizzBuzz or

(24:50):
whatever else you're doing?

Shay Nehmad (24:51):
Seems like you're not you're not loving the zero
allocation vibe.

Jonathan Hall (24:55):
So the truth is, I think zero allocation is is
quite useful for certain applications. I guess I feel
like I I I've seen it before. You don't care. I don't I don't
care. Yeah.
It's not worth not worth bragging about anymore.
Everybody does zero allocations now. I don't know.

Shay Nehmad (25:11):
I think I think it's useful for specific
applications. This is part of like a high performance dynamic
configuration framework.

Jonathan Hall (25:19):
Absolutely, yeah.

Shay Nehmad (25:19):
And configuration has never been a bottleneck in
any application of growth. Sometimes, you know, there was
like a very inefficient logger or whatever. It's something you
do a lot, But honestly, most of the times where like this
infrastructure stuff have been a bottleneck, it was because I
used it incorrectly.

Jonathan Hall (25:36):
Right.

Shay Nehmad (25:36):
So, if you have an application that reads tens of
thousands of configuration variables a second, you should
probably stop for a second and then ask why? Anyway, I actually
like the premise of the project, like let's build a really,
really high performance piece of infrastructure and then you can
do 39,000,000 operations per second, blah, blah, blah, a

(25:58):
nanosecond latency and throughput and zero allocations
memory. People on Reddit really hated on it. And this is not me
like doing the usual Reddit thing. I don't understand why
people are like so negativetowards such a such a cool
project.

Jonathan Hall (26:15):
Because it's Reddit.

Shay Nehmad (26:16):
Maybe.

Jonathan Hall (26:17):
If you try to give them all money, they they
criticize you for doing charity. I don't know.

Shay Nehmad (26:22):
You're trying to get me to pay more taxes?
Anyway, if you if you need the really fast configuration thing
or you're looking for some performance related inspiration,
you can go check out this project. My thing is something,
it's been on the backlog for a while, so I decided to just do
it in a lightning round instead of letting it rot. A modern
approach to preventing CSRF in Go. I don't know about you, but,

(26:46):
I hate it when I develop, web applications, then I have CSRF
issues.
I'm also very worried that don't exactly remember which headers I
need to add, every time. And I like always have a task to take
care of it once in every HTTP server I need to implement. This
blog post like tells you at the simplest, you can do HTTP dot

(27:09):
new cross origin protection, which is a pretty new thing, in
Go. And it's like, you know, Go 1.25 introduced HTTP dot cross
origin protection middleware. Just as part of the standard
library, this blog post asks the question, do you need to import

(27:29):
anything?
You know, just build a completely secure web
application without bringing like Gorilla CSRF or NoSurf or
any of the other packages? And the answer is yes, if you use it
correctly. So what I would do is I would just take this blog
post, go to the end where it says, putting it all together,

(27:51):
there are like six bullet points that you need to make sure, you
implement. Take them, put them in your cursor or codex or
whatever and tell it, implement that. And then your application
will be secure.
If you're interested in the details, you can actually read
it as well, which I think is pretty good. Yeah, Alex Edwards,
a pretty cool site with like lots of books and whatever,

(28:12):
like, you know, let's go, let's go further, go beyond the
syntax, which is coming soon. It's a good blog, period. Like,
I always love looking at the other write ups here. I can't
wait for the next one, to be honest.
So, a good one. It's in the show notes if you want to make sure
your thing is If you wanna knock out Gorilla CSRF from your,

(28:34):
like, dependencies, one less dependency, one fewer dependency
issues.

Jonathan Hall (28:38):
Nice correction. That does it for the show. It
sure does.

Shay Nehmad (28:42):
Thank you for listening. See you all next
week. Happy Halloween. Program exited. Goodbye.
Program exited. Goodbye.

© 2025 iHeartMedia, Inc.