February 7, 2025 • 74 mins

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jonathan Hall (00:00):
Show is supported by you, our listener. Stick
around till after the news to hear more about that. This is
Cup of Go for February important happenings in the Go community
in about fifteen minutes per week, sometimes more, sometimes

(00:22):
a lot more. I'm Jonathan Hall.

Shay Nehmad (00:24):
And I'm really hoping that today we can keep it
short enough, because other than news, we have a pretty cool
interview coming up. How are you, Jonathan?

Jonathan Hall (00:32):
I'm good. How are you, Shay?

Shay Nehmad (00:34):
I am excited. I have started the process of
selling all my earthly possessions in anticipation of
the move. So I'm trying to sell, like, my car and my bike and my
furniture. I already sold my guitar, sold my standing desk,
which you are, familiar with, selling my gun. If if any of
these, interesting, products sound enticing to you and you

(00:58):
live in Herzliya, please buy them for me, like, now, like,
soon.

Jonathan Hall (01:03):
I'm doing the opposite. I'm buying all sorts
of stuff. We've been furniture shopping, ordered a bed, ordered
nightstands and sofas and all sorts of things.

Shay Nehmad (01:11):
Yeah. Yeah. Yin and yang. Alright. Have you gotten a
bed or just a box with a bed shaped hole in it?

Jonathan Hall (01:17):
We've ordered a bed frame that will take about
thirteen weeks to be built, custom built and and made for
us.

Shay Nehmad (01:22):
Ah, damn.

Jonathan Hall (01:22):
The mattress should be here on Monday. So
I'll be sleeping on a mattress on the floor for a while.

Shay Nehmad (01:27):
Well, you're sort of, like, starting like a
peasant and then moving to a custom made bed frame. That's,
literally things that only kings had.

Jonathan Hall (01:36):
Very cool. Is it?

Shay Nehmad (01:36):
I've always slept on IKEA furniture in my life, I
think.

Jonathan Hall (01:39):
Well, we have plenty of that coming too. The
bed is not actually from IKEA this time. Anyway, we do have
some news to talk about.

Shay Nehmad (01:44):
Yes.

Jonathan Hall (01:44):
We're not just talking about buying and selling
things. We'll also be talking about some security releases,
lots of security related things actually in this episode. We'll
be talking about the live episode that's coming up next
week, and we're doing an interview with Thorsten Ball. So
stick around. He, is a lover of Go who's been forced, dragging
and screaming to write Rust for the last, several months.

(02:06):
Although, I think he kind of enjoys that too. Anyway, stick
around the interview to hear his hot takes or not so hot takes
about Go and, AI and Rust and other things like that.

Shay Nehmad (02:17):
Cool. Let me take the reins. Go 1.23.6, 1.22.12,
and 1.24rc3, well, that's hard to say, have been released.
They all basically include the same security fixes. Two
security fixes, both of which I think are interesting enough to
talk about.

(02:37):
So, yeah, you should upgrade, but let's discuss the content as
well because it's, pretty nice. If you're on 1.22 or 1.23,
just upgrade the minor, you should do it anyway. And if
you're one of the few kind souls that's actually trying out the
release candidate and you're, like, CI pipelines or whatever,
make sure to, you know, upgrade your your CI pipelines to the

(02:58):
third release candidate. The third release candidate is the
last one. Right?
That means that 1.24, like, should be released pretty
soon.

Jonathan Hall (03:05):
I don't know if that's official. I think it
frequently is, but I don't know if there's, like, a a rule that
after three, you have to do the real release.

Shay Nehmad (03:12):
Of course, there is. Third third time's the
charm. Okay. Anyway, so two security fixes. The first one is
arbitrary code execution, during build.
So, you know, how we have to compile our software in order to
ship it to someone? So, normally, what people find is
that compiling on platform on multiple platforms can sometimes

(03:35):
be kinda hard, but in Go, usually it's pretty easy, too
complicated. Yeah. So I think it's very rare for me to see
issues that are related to build and that are platform specific.
I've I've certainly never experienced anything like that
just, you know, sometimes I mistakenly build something for
Linux and then ship it on Mac or something like that.
But in in this case, when you use, when you build on Apple,

(04:00):
there's, usage of things like executable path, loader path,
like any special values, for cgo, for like the LD flags for
cgo, you can get just arbitrary code execution. So if you have,
like, bad flags or someone gives you a package with bad flags,
they can just run code on your machine. This is only for, Go

(04:20):
1.24rc2. So this is not, like, impacted the
previous versions. It's a new thing.
Funnily enough, the person who discovered this particular issue
is a Juho Forsén from Mattermost, which we had on the
show. Yeah. Here's a snippet of that interview.

Juho (04:38):
Has to be with you. So I work at a company called
Mattermost. We are a Go software company, and we do a lot of
different kinds of things with with the Go. I work as a
security engineer there. And, as part of the role at at Mattermost,
I've worked with the Go internals for for a few years
now.

Shay Nehmad (04:59):
And other than, Juho's, vulnerability, there's a
timing side channel attack in an elliptic cryptography package.
However, it's, like, only on specific architecture, like PPC.
And a very specific PPC. Yeah. 64 little endian.

Jonathan Hall (05:16):
Which, like, three people in the world have.
I think fewer people use that than use Go on Windows.

Shay Nehmad (05:22):
I don't I I don't know, like, what maybe it's,
like, embedded devices, but then why it's 64 bits? I don't know.
I don't know. Anyway, the interesting part about this one
is just the nature of the attack. I really really love
side channel attacks.
If you know if you don't know what they are, it's basically
there's like a cryptography mechanism or like any whatever

(05:42):
mechanism that doesn't give you any direct signal back about
whether you're successfully, like, hacking it or not, but you
can use, different artifacts of, like, timing, how long it takes
or temperature, how hot the device gets or whatever to
understand if you're doing a good job. Good way to explain
it, I think, is when you're trying to pick a lock, you don't
actually see, like, the pins inside the the lock, right?

(06:06):
You're trying to put your lockpick in and you don't get
immediate until you finish all the pins, you don't get feedback
whether you succeeded or not. Right? But you can listen to
hear if, like, the thing got caught on the on this on the
metal there.
Right? Mhmm. So it's sort of the lock is side channeling
information whether you successfully picked it or not.
So in this case, it's a timing side channel where you can,

(06:28):
understand what is the private key based on how long it takes
to generate different parts of it or something like that, but
they don't believe it it's it actually allows you to recover
the private key, but they solved it anyway. Alright.

Jonathan Hall (06:39):
So those six people.

Shay Nehmad (06:41):
Yeah. Actually, you know, the the people who use
these architectures probably,like, hold the nuclear codes or
something.

Jonathan Hall (06:47):
So so I I think this architecture was was a
transition transitory? What's the word? Transitory
architecture specifically designed to make it easier to
port Linux software from x86 to PowerPC, because normal PowerPC
is big endian, but I guess x86 is little endian. So by doing
this PowerPC little endian thing, it made it easier to port

(07:07):
software for Linux to the new this new architecture. And I I
don't know how that's really useful because I would imagine
you wanna continue the the transition and go to big endian
later on.
But, yeah, it's a very, very niche piece of hardware for a
very specific use case. I would be surprised if anybody's using
this for anything serious anymore. I don't I don't I don't
think this this hardware has been manufactured for ten or

(07:30):
fifteen years or more.

Shay Nehmad (07:31):
I still think, at least pining before, like, all
the machines to make them still work is is, nice.

Jonathan Hall (07:39):
Oh, sure. I'm I'm not at all, disparaging the
people who who solve this bug.

Shay Nehmad (07:44):
Yeah. For sure. For sure. I just I don't remember
what's the guy's name. I think retro Ahoy or something like
that.
But just today, at lunch, I watched, like, a fifteen minute
video of how many Amigas did the Commodore company sell, like,
overall in the world, and he's just, like, digging into old
shareholder reports he bought off eBay just to try to I don't

(08:05):
know. People have nostalgia for old hardware. Like, when I see
an old CRT monitor, the big ones, you know, the Mhmm. Yellow
plastic, the, like, yellow grayish plastic thing with a
curved glass on it, I get I get, like, it's cool. Definitely
happy that, people work on these hardwares.
Not sure it's super critical for Go 1.24rc3,

(08:26):
but sure, guys. At least it's it gave us a chance to talk about
the side channel attacks, which are always Here we go.

Jonathan Hall (08:32):
Well, kind of like the way PPC 64 LE was a
transitory architecture, I wanna talk about something else that's
related to transitions, and that's a new proposal that's
been accepted. It's a way to automate migrations for simple
deprecations in code. So I'll use an example that's that comes
from, I think, Go 1.16, because I think it's easy to understand.

(08:52):
Prior to Go 1.16, we had this ioutil package that had things
like ReadAll and had a few different things in it.

Shay Nehmad (08:59):
Yeah. Whenever I use that, VS Code, like,
strikes it out and says, hey, this is deprecated.

Jonathan Hall (09:05):
Use something. It was deprecated in Go 1.16, and
and the things were moved to various other places, mostly
into into the io package proper, a few things to other places.
Basically, the Go team decided, you know, having a a package
just called util is kinda silly. You know, the the same thing
that you learned back in, you know, twenty years ago, that
having a package called util or helpers or stuff is kinda silly.

(09:29):
The Go team finally caught on to that.

Shay Nehmad (09:30):
I don't wanna date your example. Twenty years ago,
I was, like, starting to learn English because I was at, like,
I don't know, third grade. So just remember and I assume,
like, half our listeners are even younger than me. So
probably so.

Jonathan Hall (09:45):
Anyway, the point is these transitions from ioutil.ReadAll,
for example, to io.ReadAll is a pretty
straightforward transition. Wouldn't it be nice if there was
a tool that would do that sort of thing for you automatically?
Well, now there will be because this proposal has been accepted.
So basically what you can do, and this works not just in the
standard library, you can do this in your own code. You can
put a special comment, basically a go directive in your source

(10:08):
code when something is deprecated to tell this tool how
to rewrite it to the new version.
And then if they if you run, I think it's called go fix is the
command. It will it will just go through your your project and do
those changes for you automatically.

Shay Nehmad (10:25):
Is that a good feature in your opinion?

Jonathan Hall (10:28):
I I think it's a good idea. Yeah.

Shay Nehmad (10:30):
For a standard library stuff, sure. But for any
library stuff?

Jonathan Hall (10:33):
I mean, if you trust the library to be using
it, you probably trust it to tell you how to upgrade itself
too.

Shay Nehmad (10:39):
So I'm wondering, like, if the case is that it's
easier to theoretically, it's easier to deprecate stuff and,
like, build unstable interfaces, you're sort of disincentivizing
library developers to, like, think about their API longer and
develop stable APIs. Can they because they can just be, like,
oh, whatever. Run a new version. You have to run go fix.

Jonathan Hall (11:01):
I I can see that argument. But there's enough
times. I mean, I I could say this is the is the author of an
open source library. There are enough times where,
legitimately, deprecation is called for. But I I think I I I
would love the opportunity to to be able to tell people here's
the the quick and easy way to update.
You know, I mean, a really a really simple example, even
simpler than what I did is one where just one function is

(11:21):
replaced by another one. And we already have the comment
deprecated use blah instead. If you put a go fix in front of
that, it'll automatically just rename to use the new function
now.

Shay Nehmad (11:32):
How does the directive work? The ioutil
example is a good one because you have to change the imports
as well. You can't just call anew function.

Jonathan Hall (11:39):
So yeah, they talk about that in the in the
discussion on the proposal. It may add and remove imports as
needed, if that's, if that's appropriate, depending on on the
change.

Shay Nehmad (11:50):
Cool. And writing the go fix, like, directives, is
it like a super cryptic language or does it look like sane?

Jonathan Hall (11:58):
Good question, Shay. So basically, what you do
to make this work is you add a go fix inline, directive before
the function that that has been deprecated or or in the go doc,
the function has been deprecated, and it will
essentially replace calls to that function with whatever is
inside that function. So if your if your deprecated
function is called ReadAll and it just does say return

(12:20):
io.ReadAll, then when you put go fix inline in the go doc for
ioutil.ReadAll, the go fix tool will just do the inline for
you basically. So, it will then call the the new function for
you. So you you wouldn't wanna do this on, like, a big hairy
function that that does something crazy.
If it's a 50 line function, you wouldn't want to put go fix
inline because then you're going to copy and paste those 50 lines

(12:40):
all over someone's code base. Yeah. But for short things where
something, you know, the order of function or order of function
arguments changes or the function name changes, things
like that, it's a really easy way to do that for you.

Shay Nehmad (12:51):
Cool. It's another, command, like, to remember, but
it doesn't seem like you have to run it in every CI or anything
like that.

Jonathan Hall (12:58):
Oh, no. I would run it It's one

Shay Nehmad (13:00):
of these things that you do manually.

Jonathan Hall (13:02):
Yeah. I would do it manually, probably once every
few months or once every time I upgrade a major library or a
version of Go, for example.

Shay Nehmad (13:09):
Cool cool cool. New new thing. New good thing in the
in the standard library. In the standard, tools, I mean. The
standard tool chain.
Yeah. Yeah. Like Jonathan said, we have a lot of cool security
things for you. One of them is a blog post from a company called
socket.dev socket security socket.dev is their, domain.

(13:29):
They do a supply chain,
security, which is, like,
there's a lot of companies that do that.
Funnily enough, like, when you look at their page, one of the
things you find is socket versus Snyk, socket versus Dependabot
versus Semgrep, Endor Labs, blah blah blah. All these
companies, what they do is they try to prevent vulnerabilities

(13:50):
from entering your code through your dependencies. So you don't
wanna import a library with security bugs. Now, libraries
that you import or dependencies that you have can have we can
have two types of security issues. Right?
Intentional or unintentional. The case we they they published
a blog post about, I think it's super interesting, it's also

(14:11):
very simple to understand, is a malicious package that's just
based on, like, type squatting. Right? Typosquatting. Typo
squatting, basically, you have a package in a name that looks
like the thing you'd like to import, but it's not actually
it.
In this one, I think the interesting thing they did is
they the typo is not in the package name, it's in the

(14:35):
organization on GitHub. So very very hard to see because if you
look at code examples, like, at at your code, it's not like it's
the package name is different from official documentation. So
your code snippets look the same, but the, organization on
GitHub. So just the import line is different. In this one, it's
the BoltDB database.

(14:55):
Have you used the Bolt, DB? Do you know, like, what database it

Jonathan Hall (14:59):
I know what it is. I've not used it.

Shay Nehmad (15:01):
What is it?

Jonathan Hall (15:02):
It's a I believe it's Go native, key value store.

Shay Nehmad (15:06):
And it's, like, super widely used. It's not
niche at all. It's used by, like, a ton of, organizations,
Shopify, whatever. And the malicious package is boltdb-go/bolt
and it has this one has malware in it. What
happened is they created it a lot of years ago, it looks

(15:27):
exactly like the same thing, so if you install it and by the
way, I think it should even work.

Jonathan Hall (15:32):
They they effectively forked the the real
code and added their their thing with a near identical
organization name, right?

Shay Nehmad (15:39):
Yes. And it was uploaded on November 2021, which
is super scary to, like, read. They they uploaded the package
and GitHub tag is pointing to a clean legitimate version,
something that looks like a fork. It's not a fork, it's a
mirror, so you can't see they were like linked to the
original, right? But But it looks like a clean legitimate

(16:00):
version on GitHub, but on the Go when you run Go mod install,
it's not because in Go mod, it's cached as the previous tag.
So they changed the tag, but only on GitHub and they didn't
notify Go mod and because go mod has no other way to know, go mod
points to the old tag which is malicious. Again, it it gives
the attackers access to run arbitrary commands on your

(16:23):
machine. Not great, especially like when you're building DBs
and things like that. Go module, you might ask the question,
wait, why didn't the Go mods update when I changed the tag?
Right?
But it makes a lot of sense that the Go the module is immutable
because otherwise, like, you could build the same package and
get two different things, like, you really wouldn't want people

(16:45):
to be able to upload any version. That's where you have
the lock files, etcetera. But, yeah, it's, there's a function
that attempts to continuously go to a hidden domain and execute
some shell commands without any validation, with weird ass names
like underscore r and a pill init, like, just very clearly

(17:07):
shitty names.

Jonathan Hall (17:08):
I'm taking that personally. Those are names I
use every day in my code. Yeah. By by the way, the repository
the entire organization on GitHub is now gone. I guess
GitHub decided that they didn't like hosting.

Shay Nehmad (17:21):
Yeah. So Kirill, I don't wanna say the name wrong,
but Kirill Boychenko published this, like, two days ago, so I
assume they they're jumping on it at this point. Yeah. The code
itself, the malicious code itself is also, interestingly
obfuscated, like, the IP addresses and the ports are
saved in constants called max memory size and actually saved

(17:43):
as numbers and max index and max port and things like that. But
they just transform it and like, you know, replace it with dots
so it so it actually becomes the IP address and the port of the
C&C server.
Very, like, if you go read the, blog post on socket.dev, it's
linked to the show notes, you can look at, like, all the IoCs.

(18:03):
I assume, if you use the product like the socket.dev it will report
it for you, but since they published it publicly, I assume
Dependabot and others will do the same. At least I hope they
they will. It's a cool attack, like, I don't wanna praise it
because it's a bad thing. I think it it abuses Go mod
interestingly and I'm wondering how many more cases of this

(18:26):
actually exist or maybe you can even target specific
organizations, right, that you know that use a specific
dependency.
So if you knew Uber is using a specific Go dependency like Zap,
right, their log library, maybe you can create Zap with double p
and hope that one of them installs it one day. And all you
need is once if you wanna infiltrate the specific

(18:46):
organization. So a really cool, blog post, and security work
done by, Socket Security here. I really liked it. Well done,
Kirill.
Very cool stuff.

Jonathan Hall (18:58):
Try it. I get so bored with my logs sometimes. Do
you know anything I can do to improve that?

Shay Nehmad (19:06):
Well, someone posted on our Slack a pretty
interesting solution. I guess if your logs were more sassy or
ghetto, you'd be happier. Right?

Jonathan Hall (19:16):
Yeah. It would help.

Shay Nehmad (19:17):
So someone wrote a log hook. This is, this is,
funny. I don't know if I'd actually ever use it.

Jonathan Hall (19:24):
I know I would. As it is. Yeah. Because it uses
it requires Logrus, which I no no shade against Logrus. I've
I've used Logrus.
I have some patches in Logrus. But now that slog is in the
standard library, I never intend to use Logrus again.

Shay Nehmad (19:38):
So other than the fact that, uses Logrus, what is
it? It's a hook to for your logs that goes to a local Ollama
server, so basically a local LLM model, and asks it to, ghettoize
your logs, which is absolutely hilarious. They have, like,
ghettoize dot new ghettoize, function, which asks, like,

(20:01):
basically, it's all a wrap around take the log line and,
around this prompt. How would you make this, log entry more
like a ghetto sentence? The output should be already valid
to be the log entry.
Don't give me options and choose one. Feel free to use emojis. So
pretty good. And it uses Ollama, which I've been meaning to have

(20:23):
you, like, played around with Ollama? No.
I've deferred it again and again. I was like, I have to
find something to do with a local LLM, like, because I use
LLMs quite a lot, but I I have them everywhere. Like, I have
them on VS Code and I have them on GitHub and I have them
on, like, ChatGPT, which I pay for, etcetera etcetera. And I
was, like, ah, I need to run local models. Like, what will
happen when I'll, like, be on a long flight?

(20:45):
Right? I need I want the model on my machine. So this, project
gave me the excuse to finally install Ollama and start playing
with it. Manuel Martos, thank you very much for the project,
which is very interesting. I really like his, his GitHub
page.
It's, like, the most setup thing I've ever seen. It has, like,

(21:07):
GitHub stats, GitHub trophies, languages I'm currently
learning, contact information, pretty busy cool stuff. And,
this project is just kind of funny. If you do use Logrus, I
don't know if anyone is. If you do, can you try it and show us
the results, please?

Jonathan Hall (21:25):
I was a little surprised that there weren't
some examples on the on the readme.

Shay Nehmad (21:28):
Maybe we should, like, fork it and and add
support for, standard library as well.

Jonathan Hall (21:34):
For slog?

Shay Nehmad (21:35):
slog has hooks. Can I hook into slog?

Jonathan Hall (21:38):
Why not? It's called the handlers, but, yeah,
it's the same concept.

Shay Nehmad (21:41):
I'll I'll definitely do it at some point.
Speaking of things I'll do at some point, let's talk about,
the episode next week. Let's move to our ad break and talk
about next week's episode, and you should stick around because
we're not the only doing ads, we have a really interesting
interview with Thorsten Hall.

Jonathan Hall (22:08):
So we have a live episode coming up in one week.
One

Shay Nehmad (22:11):
week from now, it's our hundredth episode.

Jonathan Hall (22:15):
Yes. We will do a live

Shay Nehmad (22:18):
stream on all the platforms. We're testing it,
like, right after we're finishing this recording. But
just mark it in your calendars. It's gonna work somehow. There's
gonna be some link or some service you could click on, join
our episode.

Jonathan Hall (22:29):
We will announce that link on our Slack channel.
And our Patreon group. And our Patreon group. So if you're not
a member of either of those, you have a couple days to go sign
up, and then, you'll get notified.

Shay Nehmad (22:42):
We'll probably spam people on social media as well,
like LinkedIn and Twitter, but just if we're, really extra.
We're planning a live episode February 13 at eighteen hundred
UTC. So it should be, like, early enough for American,
listeners just, like, start your day with, joining your podcast
and for European listeners, it's like evening, you're off work,

(23:04):
should be a good time for everybody.

Jonathan Hall (23:06):
And if you miss it, of course, we'll also, post
a recording to our regular, podcast feed and probably on, I
mean, on YouTube and maybe a few other places.

Shay Nehmad (23:17):
And just make sure to put it in your calendar if
you do wanna join. We would really appreciate it.

Jonathan Hall (23:22):
And bring in bring a news item or or blog
post related to Go that you wanna share with us. Or a
friend.

Shay Nehmad (23:28):
Or a friend.
Who wanted to introduce to your show and you're like, have you
listened to that podcast I've sent you? And they're like, nah,
man. I don't know. I don't have the time. Like, join the live
episode.
That'll be speaking about our communities, so we have the
Slack group, Slack channel. You can join the Slack channel on
the Gophers Slack. It's a cup-o-go kebab case, or
you just talk about the show and some random stuff. Or if you

(23:51):
wanna extra support the show, you can join as a Patreon. It's
$8 a month and it helps us support the show financially.
This is a hobby. We do it for fun and to learn, but it does
cost a bit of money. We need to buy boxes of, microphones and
then buy the actual microphone a week later. We need to pay for
editing to, you know, bleep out all the whatever. I actually use

(24:16):
the curse words this time, Filippo.
Sorry. So you actually have to bleep them out instead of me
just saying bleep these words out, etcetera, etcetera. So if
you wanna support the show, come join as a Patreon member, or if
you don't feel comfortable giving, money, that's also fair.
Maybe rate the show on your podcasting app of choice,
Spotify or Apple Podcasts or whatever, or share the show with

(24:39):
a coworker or a friend or a co student so, more people hear it
because that's always fun. Anything I'm forgetting?

Jonathan Hall (24:46):
You can also give us money in exchange for swag if
you really wanna do that too.

Shay Nehmad (24:50):
Yeah. We're this is not really supporting the show.
It's more just fun stuff because I think on average with
shipping, it's like we're totally breaking.

Jonathan Hall (24:57):
We're breaking. Yeah. But still, it's nice to
have a little, rooster mug or t shirt, and then people would
say, what? Where'd that t shirt come from? And you can tell them
about the show that way.

Shay Nehmad (25:05):
For sure. If you're planning to go to any of the
conferences usually, we talk about conferences on the show.
This week, we, like, skipped the conference.

Jonathan Hall (25:13):
And Foz didn't just happen, and that was
completely off my radar because I'm not not in that part of the
world anymore.

Shay Nehmad (25:17):
That's we're not giving the European vibes
anymore

Jonathan Hall (25:21):
for the show. That's right.

Shay Nehmad (25:23):
GopherCon Israel is coming up soon, but I'll
mention it next week. The Swag Store is also, open and the best
item that you didn't mention is the hoodie. Oh, yeah. That has
become a daily wear for me, especially now that it's so cold
here in Israel and raining. We also wanted to mention a cool
new service by a friend of the show, Josh Bleecher Snyder.

(25:43):
If you have a merge conflict, how about you go to
merdenicht.ai, merde.ai, and have the AI fix it for you. Not gonna
say anything else if you wanna go and check it out, check it
out if you struggle with merge conflicts. Thanks, Josh, for
being a friend of the show and developing all these awesome,
services. That does it for the ad break. Let's jump to the

(26:05):
interview.
Don't forget to come to our live episode next week. So, Jonathan,
we've been doing this show for, like, two years now, and I think
it's time we we find, like, a better name.

Jonathan Hall (26:20):
Okay. We

Shay Nehmad (26:20):
have Cup o' Go. Cup o' Go is nice, but maybe we can do
something I'm imagining old timey sign, Hall and Nechmad.
Nechmad and Hall. What do you think?

Jonathan Hall (26:29):
That's gonna be hard for me to pronounce. Even
though I lived in Holland for a while, that that sound just
isn't natural for me.

Shay Nehmad (26:35):
Well, it's not like we can do Hall and Ball. Oh,
wait. Thorsten, why don't you tell us how we pronounce your
last name?

Thorsten Ball (26:44):
Hello. You know, the the last name is not the
problem usually. Ball is pretty easy to pronounce the first
name. Thorsten is hard for people. And only this week I've
realized that I can you know, in the past, I said, like, think of
Thor and then at Sten, you know, Thorsten.
And this week I realized, no. Like, people know how to
pronounce Thomas in English, and it's just that with a different

(27:08):
ending. So

Jonathan Hall (27:09):
Yeah.

Thorsten Ball (27:10):
I don't know.

Shay Nehmad (27:10):
So think about it, Hall and Ball, if, if you ever
wanna take the show on the road. Thorsten's easy, but maybe
that's just because I played a lot of Skyrim.

Thorsten Ball (27:21):
Oh, I see.

Shay Nehmad (27:22):
Yeah. So other than, potentially renaming our
podcast, why don't you tell the people about yourself?

Thorsten Ball (27:28):
Yes. So thanks for having me. My name is
Thorsten. I am software engineer, occasional writer. I guess for
this podcast, I'll do the Go focused introduction.
I've been writing Go since one point zero came out in 2011
or '12, something like that. I I don't know. And then I joined

(27:50):
source well, in 2016, I published a book called Writing
an Interpreter in Go, which some of you might know followed up in
2018 with Writing a Compiler in Go. I joined Sourcegraph in
2019 and worked there for the next five years, also working
mainly in Go. And then this is where it gets spicy here.

(28:11):
Last year, I left Sourcegraph or say, you know, one year and a
few months ago, I left Sourcegraph and worked at you
started working at Zed, and I started writing Rust full time
every day. Yes. After, you know, three years and multiple
attempts of using Rust in my spare time, next to Go, I did it

(28:32):
professionally now for a year. But now I'm going back to
Sourcegraph after this year, to see if Rust. So right now, in
fact, I am unemployed this week.
I'm starting the new job next week, so I can basically say
anything I want right now because it's just my opinions
and not those of my employer. Yeah. So that's my intro.

Jonathan Hall (28:54):
Very cool. I have to first off say it's it's
really nice to hear that even though you're doing Rust now,
you're still willing to talk tous from your Gophers.

Thorsten Ball (29:01):
Man, I still like Go very much, and I missed Go. I
I really missed a lot of aspects of Go.

Jonathan Hall (29:07):
We'll talk about that in a little bit. Go ahead,
Shay.

Shay Nehmad (29:09):
Yeah. I wanted to start other than all these
things, you also have a Substack called, Register Spill.

Thorsten Ball (29:15):
That's right.

Shay Nehmad (29:16):
Which is how I actually sort of got to know
you. I think I I, like, saw thebooks before, but I I have to
admit I didn't read them. Andyou have, a specific newsletter
you put out called Joy andCuriosity. And I've been
scrolling through Substackbecause I've been trying to
replace social media with, like,better things. I just saw, like,
you know, people trying to prepyou for interviews and, like

(29:40):
Yeah.
Yeah. Obviously, like AI generated slop that that nobody
wrote and nobody's gonna read and it's just gonna, like,
generate numbers. And then I stumbled on Joy and Curiosity
and it really it really caught me. The the way I see it, maybe
you explained it a bit differently, but it's sort of a
list of, links that you found interesting that almost

(30:03):
necessarily aren't the main context, the main focus, the
main job. They're almost necessarily these like cool
random things that you would like send in in the random
underscore tech channel in your Slack or like in your Telegram
group, with your with your co students or wherever you are
where you have a cool link.

(30:23):
It's not directly what you're doing right now, but it's just
so cool that someone built it about, like, tech. Someone built
something really cool or someone wrote something really cool. You
have to put it somewhere. And you sort of aggregate all these
cool links you find, and just put it in a weekly newsletter.
And instead of calling it the tech roundup or blah blah blah,
you call it Joy and Curiosity.

(30:43):
So before we dive into the, like, specific links and how do
you collect them and what do you like about it and what's coming
this week, Why Joy and Curiosity? Why that name?

Thorsten Ball (30:51):
Good question. So, yeah, first of all, thanks
for the appreciation. I

Shay Nehmad (30:55):
appreciate it. Everybody listening, go sign go,
like, go follow if you have Substack, which I

Thorsten Ball (31:01):
Yeah.

Shay Nehmad (31:01):
I don't know if I recommend. I don't know if I
recommend, but you can do it in the email newsletter as well.

Thorsten Ball (31:06):
There's also an RSS feed and whatnot. Yeah.

Shay Nehmad (31:09):
Yeah.

Jonathan Hall (31:09):
Yeah.

Thorsten Ball (31:09):
And it's it's a normal email newsletter. Yeah.
So so the, you know, the background is the newsletter is
called Register Spill, and I started it because like you, you
know, when Twitter morphed into X and every day people were
talking only about social media and they were switching to this
platform or doing this other thing or quitting it altogether.

(31:32):
I realized that I kinda want a place that's not that noisy or a
place where I can just write stuff. So I started writing
Register Spill with the idea being that once a week, I just
sit down Sunday morning, it was in the first half year, and just
write for now what's on my mind and, you know, spilling the
registers.

(31:52):
And then over time, it slowly transformed into, you know, now
it has, like, thousands of subscribers. And then I added
this special edition that comes out every week of the same
newsletter called Joy and Curiosity. What was your sorry.
What was your you had some good way to phrase it. What was the
question you just had?
The way the way the white process is.

Shay Nehmad (32:13):
The tech roundup, Thorsten's awesome links. You
won't believe which links Thorsten found this week.

Thorsten Ball (32:19):
Yeah. The so okay. This is how I wanted to
tie it together. I just said this. I wanted to quit social
media because, not quit it, but I think there's a big problem
with social media in that people often just it seems to come
easier to people to share negative stuff or stuff that
they don't like.
And I've become super conscious of this, and I really try my

(32:41):
hardest not to do it. Sometimes I slip and then I delete a post
after ten minutes, which sounds incredibly weird to somebody
who's not, you know, addicted to social media. But what I wanted
to do was, you know, spread positive things and spread
curiosity in the thing that we all do every day, like
programming computers. And the reason why I started to do it

(33:04):
was that while writing Register Spill, I realized that, you
know, it's hard to come up with a topic every week. That's
certainly one thing.
And then one trick that I found for me was that, you know,
people have been saying this to me for a few years. They they're
like, oh, you you're like, your passion is inspiring, or you get
other people excited about this stuff. And I can't help it.

(33:26):
Like, I just get excited about computers and programming, all
of this. So then when I started to think about what should I
write about in my mind, I went, look.
Like, if I went out for beers with the buddy, like, what would
I talk to them about if they were also programmer? And then I
just started to write about this. Like, this was my mental
hook. And then I realized that I also want to share this other

(33:47):
thing. Like like exactly like you said.
Like, I would send friends these links in, you know, iMessage and
whatnot or WhatsApp. I said, look at this. Or I would tweet
it out. Right? And people appreciate this or thought it
was interesting, so I started to put it in a newsletter.
And then it started with me just putting it at the bottom of
another, you know, mini essay, whatever you wanna call it. And

(34:11):
then I made it the main thing every week. And, yeah, joy and
curiosity, I think it's this. It's a good combination to have,
you know, enjoying what you're doing, being curious about it.
And I think that's kinda what I want to foster.
And that's also, you know, why I find this stuff interesting
because it does give me joy. And I do find like I also realized

(34:32):
that the reason why I'm still doing this, and I I don't know
how long you guys have been programming, but I noticed that
when you start out programming, in the beginning, you kinda
assume everybody's the same roughly or has the same
motivations when you have no four other junior developers.
You all wanna become a senior engineer and whatnot. And then
after a few years, in my case, I saw people that have been

(34:55):
programmed as long as I have kinda drop out or get bored by
program because they, you know, after doing it for eight years,
you just become bored of it. Like, I myself have, you know,
now that I've been doing it for nearly, you know, twenty years,
driving a car has become boring for me.
You know? And if you're 20 years old and you've been driving a
car for two years, you're super excited about this. And I

(35:17):
realized that this is what other people go through with program.
They kinda lose interest, and so that's fine. Like, that's
completely okay.
You know? But for me, I realize it just doesn't stop. I still
find it interesting. I still find it, you know, it brings me
joy, so I kinda wanna foster this and and share with others.
And it seems to resonate, like, it seems to resonate with a

(35:37):
specific group of people.

Shay Nehmad (35:39):
Like, For me, it's really itching my like, I get a
lot of newsletters and most of them don't last over, like, two
months in my inbox. Some of them I signed up to, you know,
because they're friends or whatever. But, like, ones that I
signed up to actually to read, most of them, like, don't last.
Most of most of them I start archiving and then the moment I
realized, like, oh, I'm auto archiving. This one, I'm gonna

(36:01):
unsubscribe.
But this one, I'm like, oh my god, so many cool links. I've
never heard that OpenOffice can't print on Tuesdays. What
what the fuck? Like, how does that work?

Thorsten Ball (36:13):
Yeah. I there's this internal struggle that I
have from time to time where I think, you know, oh, if I wanna
grow my audience, I guess I should do something that people
think will be useful for the day to day job. You know? Like, if
you write a newsletter that's called keeping up with the news
things in AI, whatever, then maybe you people sign up because

(36:34):
they think it's important for professional development, and
maybe they could get their boss to pay for a subscription. But
then I always realize that, nah, like, that's not what I'm
interested in.
Like, I would rather do this other stuff. And, I mean, you
know this, I guess, but I'm often also surprised by how
people respond to what I put in because it's so sometimes I just

(36:56):
link to a tweet or sometimes just to one sentence of a tweet
or a comment on Hacker News or wherever it is. Basically, just
things that sparked other thoughts or that created some
sense of curiosity or joy. And not to, you know, not to go too
meta, but over time, I realized that in the beginning, the
(37:17):
thought was, oh, isn't it easy to find these links? Like,
people have probably seen this to go by on hacking.
So they've probably seen this go by on Twitter or wherever. But
then I realized that everybody's really unique in the way they
absorb information, and that's what makes them unique in some
sense. Like, all of that stuff comes in and only some of that

(37:40):
stuff resonates. And if you kinda take that stuff that
resonates with you, you will end up with a unique combination
even if all the inputs are equal. You know?
And so so I don't know. I've been leaning on this.

Shay Nehmad (37:52):
It's it's a lot of fun. I I do have a question.
Yeah. Jonathan and I, like, we also have a similar cadence.
Right?
Once a week? Is it a weekly thing? Now I realize it's coming
on Sundays, but I don't know if it's every week. Yeah.

Thorsten Ball (38:06):
It's weekly. Yeah. Yeah.

Shay Nehmad (38:07):
Yeah. Yeah. So cool. So, Jonathan, we have a
similar cadence. Right?
We, collect links over the week and put them in our in our
backlog. Then once a week, we do a program about it. So you can
draw similarities between what we do and what this newsletter.
You know what I mean, Jonathan?

Jonathan Hall (38:24):
Yeah. Yeah. That's right.

Shay Nehmad (38:26):
We cover three topics, like four, maybe five,
and then they it's really the long shows where people don't
even get to the ad break a week and that's a struggle. I'm
opening this last one Joy and well, the second to last one, Joy and
Curiosity number 23. I think there are like 30 links here.
How do you get so so many links and actually read them? Do you

(38:49):
have, like, structured time every day to go hunting for
links and, like, actually fostering it?
Is it it doesn't happen, like, drive by?

Thorsten Ball (38:57):
I it morph It definitely changed how I consume
things. So I do have a note. I'm looking at it right now.
Basically, it's just an Apple note in which I drop stuff.
Right?
Just stuff that might be interesting. And sometimes I add
a thought next to it or some other thing. And right now, I
have one, two, three I don't know, 15 or something, and I'll

(39:19):
probably throw five of those away. So over the week, I just
drop stuff in. And out of those 30, you just said, I think, you
know, five of those might just be links to tweets or something
or stuff that somebody else sent me.
Maybe I think in that issue, maybe even added a comment like,
hey. I haven't read this fully yet, but blah blah blah. And I

(39:42):
think the rest is just stuff that I, like, just came across,
you know, like a video I saw or some tweet file by the link to
some other thing. And then there's two things happening,
which is this newsletter, like, made me then more conscious
about, you know, like, oh, I should really read this. So
instead of just saying, oh, this looks interesting and skimming

(40:05):
of it, I'm like, okay.
Before I link to this, I have to read it. So I then make some
effort to put some time aside. I also, you know, now have the
Readwise reader in which I add stuff and then try to read it.
So number of links also has grown, but it's not I wouldn't
say it's something that I put a lot of extra effort in. It's
mostly all of the reading I do anyway.

(40:26):
And then just, I don't know, like, then just collect it and
maybe there's one or two or three things. Like, there's been
Thursdays where I'm like, I don't have anything. I gotta
write this on Saturday or something and, you know, I've
got four links or something. So then I would dig into my email
inbox, like links that I sent myself, or I would look into
reader or some other stuff. I also have, you know, backlog,

(40:49):
like if something becomes too long, I put it on a backlist,
okay, and link it to some other time.
And then I mean, you also see me sometimes not cheat, but I I can
do whatever I want in that format. It doesn't have to be up
to date. So sometimes I can just pull out old links and say, I
watched that video again that I've been watching for ten
years. You know? Like, Rich Hickey, it's Simple Made Easy.

(41:10):
Right? And it's this. I've seen that talk five times, but then
it comes up in a conversation with some other program, and I'm
like, I should link to this again. Right? Because not
everybody has seen it.
And if you internalize this, that David Ogilvy, you know,
marketing guy, he said, you're not advertising to a standing
army, but a moving parade, meaning you're not always

(41:32):
sending stuff out to the same people. Like, every week,
different people might tune in, and not everybody has seen the
same stuff that you've seen. It's totally fine to share link
that, you know, some people have seen maybe, you know, like, five
years ago. Like, they won't get pissed off by this. They won't
say this guy have seen this before.
Like, why does he link to this? You know? Yeah. But others might

(41:54):
not have seen it. So there's nothing bad about being loose
with what you put in.

Shay Nehmad (41:59):
Cool. Really good point. So what I need to
internalize is I need to watch Simple Made Easy again.

Thorsten Ball (42:04):
Oh, yeah. Yeah. Yeah. It's a great talk.

Shay Nehmad (42:06):
Yeah. It's a great talk. I reference it all the
time. One final question about the Joy and Curiosity. What's the,
like, on the upcoming one, what's the, like, link that,
you're most excited about?

Thorsten Ball (42:19):
Let me see. Let me see.

Shay Nehmad (42:20):
You're you're all getting a sneak preview just
because you have the press, we have the press.

Thorsten Ball (42:27):
I mean, I've been really into the AI stuff, and,
obviously, there's been a lot of interesting thoughts on the
whole DeepSeek release last week. And, you know, now
analysis coming out, and I'm kinda I don't know. Like, I I
the whole, you know, oh, it's a bluff. It's a double bluff
because they pretend it's, you know, like, it costs more than

(42:50):
they say it cost. Like, I find that stuff fascinating.
So there's a bunch of stuff that I kinda bookmarked and read. And
then the other thing that I was staring at where I wrote three
lines of comments already in my notes was was somebody was
comparing Wayland versus X11 input latency on Linux. And I
worked on the Zed Linux version last summer on the X11 version,

(43:12):
and it wasn't a good time. And I read this, and I just thought
the the whole I don't wanna, you know, offend anybody who's a big
Linux fan here. But if you read this, the whole Wayland versus
X11 thing, and then you compare it to, say, macOS application
development, it's night and day.
Like, it's it's just there's no wonder that, you know, high
(43:37):
quality applications on Linux are rare, you know, or say
cohesive, high quality applications on Linux are rare.
So, yeah, that's kinda it's this. And then I don't know.
There's, Jimmy Miller wrote a great blog post that's in there
this morning. Also this week, I'm unemployed.
I have too much time this week. Yeah. This week also, there was
some interesting thing with somebody, some guy who makes,

(43:58):
like, all of these different fonts, and he had, like, a new
monospace font that he said as a system font in macOS, which I
thought was interesting.

Shay Nehmad (44:07):
Monospace system font on Mac?

Thorsten Ball (44:09):
Yeah. Yeah. Yeah. So this

Shay Nehmad (44:10):
is This is this is exactly what I mean. Like, I
wanna say, okay. Let's stop the recording. I have to go install
it and see how it looks because I

Thorsten Ball (44:16):
already have mono

Shay Nehmad (44:17):
I've I already have mono space, mono space font on
Slack, and Yes. That's been, like, really helpful.

Thorsten Ball (44:25):
But One link above this is a link to a
YouTube video called let me see what the name is. The Intel four
eighty six d x two sixty six megahertz startup sounds. It's
just a what is it? Fifty second video of the startup sounds this
computer makes. And that brought me joy.
You know? Like, just listening to that thing boot up and the

(44:46):
the hard drive and, like, the beeping and

Shay Nehmad (44:48):
Cool. Cool. Cool. You mentioned you were very much
into the AI stuff. Mhmm.

Jonathan Hall (44:54):
I wanna hear about that.

Shay Nehmad (44:54):
Let's talk about that a little bit. Yeah.

Thorsten Ball (44:57):
I I don't know how to kick the I don't wanna
fall into the to trap here.

Jonathan Hall (45:03):
I think I think there's, like, a few hot takes
out there, right, that that we can either agree with or or or,
debunk if we want to. So the of course, the big hot take is
developers are all gonna lose their job within five years. Or
some will go so far as to say everybody's gonna lose their job
within x number of years. You know? All creative jobs will go
and then manufacturing jobs will go because AI's will build the

(45:24):
robots that manufacture things.
Nobody will have any jobs anymore. So that's the one
extreme. And then and then and then there's other hot take.
This response to that is, no, that's all baloney. Every time
we've had an advance in technology, it's, you know, cars
didn't didn't, didn't reduce the number of people who who went
around it, increased it.
Right? You make the road bigger and more people drive on it. The

(45:45):
Internet meant more people want or when we went to AWS, server
sales skyrocketed because now, people are selling more servers,
etcetera, etcetera. So, you know, the the flip argument
there is AI is may make us more effective on a per task basis,
but we're gonna take on so many more tasks and do so many more
things that there's gonna be a huge shortage of development
talent out there. Two strong views opposite end of the

(46:07):
spectrum.
Where do you fall, or do you fall off of that spectrum
somewhere?

Thorsten Ball (46:10):
I would say I fall right in the middle Mhmm.
In the sense that

Jonathan Hall (46:14):
That nothing's gonna change at all? I know
that's not a new thing because I've written something.

Thorsten Ball (46:20):
Yeah. Yeah. Yeah. No. What I mean is I've been you
know, I worked at Sourcegraph two years ago when the whole AI
thing start to kick off, when Sourcegraph also went and build
an AI assistant.
I was part of that team. And back then, I was highly
skeptical because, you know, the variance was too high. Like, it
was used ChatGPT and it would spit out like 50 lines of

(46:43):
Python. Impressive. You try it again the next day.
Completely unimpressive, totally wrong. And then you had all of
this hype going on, and I just didn't see it. I didn't see how
it would even change things. It felt like you had an unreliable
Google or Stack Overflow or something like this. And I
didn't understand it.
I didn't know looking back, I also didn't know how to use it,

(47:06):
or I didn't understand it enough to know what to use it for. And
I think in the last two years, this has changed for me by one
thing, and that is the models have become better. Like, that's
just that's just what it is. I think even a year ago, it was
completely different. But now since the summer Claude three

(47:27):
point five, Anthropic, that's a completely different thing than
two years ago, ChatGPT.
And that so that's one thing. And the other thing is that I
what really changed things for me was in the last two months, I
worked on the AI team at Zed on inline completion, meaning, you
know, what Cursor has Copilot inline completion, and we built

(47:48):
this for Zed. And to do this, we work with LLMs, and we fine
tuned LLMs. And I you know, when you do this, you collect data,
which is a lot of plain text. You have to label data.
You have to generate data. You have to analyze data. I realized
that LLMs are really good for that. Like, they're really,

(48:08):
really good at taking, say, a hundred files, and you give them
the option of which of these five labels would you give this
file. And if you run this a bunch of times or even just
once, you get pretty good results, and you can see how
this is a lifesaver.
And for me, I don't know how to put it into words yet, but for
me, I started to realize that there's this mechanical nature

(48:28):
of it all where, oh, these things are really good at taking
fuzzy stuff and turning it into non fuzzy stuff, which is a big
thing that we've been missing in computers. Like, you know, I
mean, you can now take a screenshot of this screen and
and send it to Claude and say, where should I click, you know,
to to end this call or something? And it can pretty

(48:49):
much tell you where to click. And that's huge, I think. And
working with text, working with data, fine tuning stuff, playing
around with inline completion, and seeing how good it can be
and how much of the mechanical stuff that you do in day to day
programming it can take away from you or it can help you with
made me realize that, oh, like, this is I made a category error.

(49:09):
I I the LLMs are not this, you know, this oracle that helps me
do all of the stuff that, you know, some people say it is or
it might be one day. But for me, it's just more this, oh, they're
really good at working with text. And guess what? I work
with text all day because I'm a programmer and, you know, code
is text. And give you, like, one example here.

(49:30):
You know, I I was a Vim user for many, many years, two decades,
basically. And in the Vim community, people are obsessed
with being really efficient with, like, navigating through
text and whatnot. And there's, like, you know, how you jump,
and I think it's called easy I don't know. Quick scoping and
easy find and all of these things to jump to specific
characters.

Jonathan Hall (49:50):
Mhmm.

Thorsten Ball (49:50):
And while working with LLMs, I realized that LLMs
can be in the same category as these tools. If you have a small
local model, it can predict where you want to jump next, and
then you just have to hit tap tap tap tap. And putting the
LLMs not on you know, taking them down from this pedestal and
putting them into the category of this is a tool that works

(50:11):
with text, a a thing that, you know, the fit I can use the
mechanics this thing allows me to have to get more productive
with the thing that I do. That kinda changed things a lot for
me. And I don't know how much of this made sense, but it's this,
I guess, it changed things for me.
And I see them now as really useful things to work with text,

(50:33):
meaning they can be pretty good when writing code. And they can
also be really good at generating small amounts of
code. And they also allow you to turn a lot of fuzzy stuff into
non fuzzy stuff. And they can be super helpful, you know? And one
last thing on this, and this is not, you know, the appeal to

(50:54):
authority, But people were super skeptic of AI.
And I, like I said, I was too. But then you would see all of
these programming legends suddenly switch over and kinda
get interested in this stuff and see it or use it, you know, like
antirez from Redis. You know, John Carmack famously, right?

(51:17):
And Mitchell Hashimoto, HashiCorp, he doesn't use a
language server, but he uses Copilot. Right?
And that guy is one of the best programmers I ever seen in
action, and he trusts Copilot to write Zig for him. And that
changed it for me where I start to think, okay. If these guys
use it, I should take a closer look. Like, then it's not just
all bullshit. Something has to be there.

Jonathan Hall (51:39):
Mhmm.

Thorsten Ball (51:40):
And yeah. So now, you know, will they take our
jobs? Will they, will we all be out of a job in a few years? I
do not know. Are they just a fancy autocomplete?
No. You know, I don't think so. But I do think they are a, to
sound super fancy, a paradigm shifting tool that will change

(52:02):
programming. I I think programming has changed multiple
times over the years. Right?
We started with punch cards. Nobody uses punch cards anymore.
Right? Why should programming stay the way it's been for the
last, say, ten years? And where people write just text in a text
editor?
Everything. Right? Why wouldn't we go into this hybrid mode
(52:25):
where some code is written by AI and people review it and other
code is written only by humans and stuff is merged. Like, I I
think stuff like this will happen where we change the way
we write code because now we have these machines that are
surprisingly good at writing lots of, you know, small amounts
of code. And Mhmm.

Shay Nehmad (52:43):
Let me ask you something. Yeah. The you
mentioned just Vim users being, like, obsessed about the
finding. I find well, I found a lot of joy. Like, I I felt smart
and cool when I wrote this macro which fixes I don't remember
which, golangci-lint error, but a pretty complex golangci-lint

(53:06):
error that does have a pattern.
I think it was, reusing or something like that and not
reassigning it. And I found a way to copy, like, the name of
the function that I'm, doing and then capitalizing the first word
and then putting it the end of the error and then adding a
colon if it doesn't exist already in the file. And then I
had it in a macro. I felt super smart, and then I did it a

(53:27):
couple of times. It obviously took me longer than it would to,
like, you know, command I on the file in VS Code and tell,
Copilot, hey, can you please rename all the error, variables
to, you know, the corresponding names to avoid this lint error?
And, you know, if you click on, like, IntelliSense right now,
the first options are not the auto complete and and the
(53:49):
previous IntelliSenses are explained with Copilot and fixed
with Copilot. So it wouldn't even have to type anything.
Like, it would just offer me fix with Copilot. A lot of you you
speak about this with a lot of passion where the others things
you mentioned in Joy and Curiosity are often very low level
programming things, right, that feel to me that are gonna
(54:11):
disappear. We're not gonna do cool Vim macros anymore because
Mhmm.
Like there's no point. So how can you be so excited and
curious, and joyful about these, like, very human program y,
things that feel to me like they're drawn from, like, ages
past and not looking forward, and also be very excited about
(54:31):
this, like, Pacific Rim mind melding you and Claude going to
attack the Godzilla together.

Thorsten Ball (54:37):
I think the answer is that I don't see it as
two opposing ends. And I once saw it like this. Like a year
ago, I would have said, in one corner, we have AI slop as they
call it. And on the other end, we have handcrafted software
where people with care and passion, expertise and skill,

(54:59):
you know, aligned every line. You know?
But then what changed for me was that I started to find or I
began to find the same fascination with LLMs as I had
for somebody who writes Vim macros. Right? Like, you have to
have some kind of, I don't know, romantic idea of what you're
(55:19):
doing to become fascinated by Vim macros. Right? Because if I
go out on the street and I tell somebody, hey.
I just use, like, two t's keystrokes to do what others,
you know, would use 40 keystrokes for. They don't give
a damn. Right? But you do because you care about something
here. Right?
And it's not this, oh, a person is sitting on front of a screen
and typing letters on the keyboard. You have some idea of,
(55:42):
you know, what you find fascinating about this. And once
I started looking to LLMs and I realized that it's this, you
know, all written text on the Internet compressed into
numbers, into vector space, where you can have, like, you
know, one vector meaning the king, and then if you subtract
the vector of, I don't know, male and you get out the vector
(56:06):
of queen or something like this. Like, it's just marvelous that
this stuff works at all. You know, it's just fascinating.
And then when you think that you took like, they took all of the
public code of whatever it was and condensed it into numbers,
and now I can take my code, turn it into numbers, and shove it in
(56:27):
there, and out come a bunch of other numbers that are a
completion of the code that I just wrote. That is fascinating.
That's as fascinating to me as the guy who spent ten years, you
know, hand aligning his Emacs configuration to whatever it is
to, you know, be aligned to the Fibonacci numbers on every tenth
line or whatever. You know? Like so I get fascination from this.

(56:49):
And the other thing is that a bigger, you know, equally
important thing is that I don't like doing things that I think
are a waste of time. And I think with the advent of LLMs, a lot
of programming for me felt like a thing of the past or waste of
(57:10):
time. Like, hey. I'm oh, I I wanna write a script where, you
know, I have five CSV files in this directory, and I wanna load
them all and concatenate them and output them as, like, an XML
file in some other thing. And I can do this.
Like, I can write you that script in probably three, four,
five different languages. Right? But I will have to look into
(57:32):
documentation. I will have to figure out how this library
works, whether this has know, CSV in the standard lib, blah
blah blah blah blah. And doing this and writing this by hand
for the sake of writing it by hand just feels like a waste of
time to me.
Like, I can hit a button, and Claude can generate me that same
script, then I can move on and do other interesting stuff. So,
yeah.

Jonathan Hall (57:52):
Thanks for sharing your thoughts on AI. I I
think you have a pretty balanced, take there. It's kinda
refreshing to hear when after you know, as as we're talking
about on social media where everyone's always, trying to get
get the last word and hot takes everywhere. It's nice to hear a
balance to you. And on that note, you used to do a lot of
Go, and now you're doing Rust.

(58:13):
I'm curious if you would compare and contrast those, maybe in a
balanced way or or or or hot takes if that's your thing.
Whatever. What what are your thoughts about those two those
two languages? Some said it is a hot topic out there.

Thorsten Ball (58:24):
Yeah. I'll my balanced take is that I think
that Go's values overlap with my personal values more than
Rust's values overlap with my values. Okay. And specifically,
I think built into Go, there's a big focus on simplicity and
(58:46):
minimalism and and and, like, I don't know, no bullshit in some
sense, rawness, whatever you wanna call it. And I've and also
pragmatism and trade offs and all of that.
And I think that resonates with me a lot. And that's also what
I've been missing a lot in Rust. For example, you know, Go
(59:11):
famously has made trade offs to not put stuff in the language
that I could have put into language to keep, say, compile
times down. And then people say, oh, Go should have have should
have this and should have that. But I love that they have this
explicit trade off.
Like, all engineering is the managing of trade offs, I think.
(59:33):
And they made some good trade offs, and they really care about
the ergonomics. They've I think the first language had really
shove this into the focus, the ergonomics of a programming
language. Like, oh, you have a build and test tool. That's
amazing.
You can you can compile and run and test your code with a single
tool. You have a format, a built in tool. The the format has no
configuration. Right?

Shay Nehmad (59:53):
Mhmm.

Thorsten Ball (59:54):
That's what I love. And they made trade offs.
Sure. It lacks in other areas, but they consciously, I think,
made these trade offs. And if you look at their issue tracker
and, like, you know, Russ Cox comments and whatnot and Ian
Lance Taylor's comments on how they think about adding stuff to
the language, you can see that these are incredibly nuanced and
(01:00:14):
detailed discussions where they have a lot of thoughts on, you
know, pros and cons of different things.
And I really appreciate this. And with Rust, I found that, you
know, the community, I think they they like different things
that I like. It's it's a nice language. It's often also fun to
write it. Sometimes it's not.
(01:00:36):
They have some amazing features in it. I do love the enums. I do
love the match statements. I do love, like, I don't know, like,
how much you can do with the print line command because I'm a
print line debugger. You know, there's a lot of stuff that I
love.
They have include string, which is like how you you know, to go
embed stuff, but kinda nicer. I also have to admit, I do like
(01:00:56):
macros sometimes, like writing my own. It's cool. Join
curiosity. There you go.
Macros. But for example, whereas Go would say, you know, a little
copying is better than, you know, adding a dependency. You
know? Oh, I just need this function from this, you know,
library. I'll just take this function, put it in my code.
I would say that in the Rust community, they would add
another crate or something. They would add another dependency.

(01:01:19):
Mhmm. And that just is to me, you create a new like, I asked
this for scientific purposes a while back. On Bluesky, I
asked, like, if you had to create a small web server with
Rust, like, which library would you pick?
And they would say, oh, Axum, you know, like, which is a web
web framework with Tokio. If you do this, I don't I don't have
the number, but I would bet 50 dependencies will be pulled in.

(01:01:40):
Right? And your target folder that contains, like, the comp
the object files and compile dependencies, it'll be huge,
like, hundreds of megabytes. And that to me is just, like, guys,
like,

Shay Nehmad (01:01:50):
I don't know.

Thorsten Ball (01:01:50):
Like, I just it doesn't resonate with me. And
there's other stuff like this where I think and I've wrote
I've wrote this many times in news sites and on my blog that I
am not a perfectionist. I don't believe in perfection. I think
I'm an 80% inch, and I don't think perfection is achievable.
There will always be trade offs.

(01:02:11):
There will always be downsides to anything.

Jonathan Hall (01:02:13):
Mhmm.

Thorsten Ball (01:02:14):
And I think the Rust community would think that
there is perfection achievable. Like, it's always a %. And it's
this, oh, I I I I wanna get the current time stamp and print it.
Right? And go time dot now and you print it.
Mhmm. In Rust, wait. Wait. Wait. What time?
Like, what time zone? You know, what time zone in relation to

(01:02:35):
what other times how do you even wanna print it? Because that's
not, you know, like, if you don't specify this, you just
might get this out, and it's undefined. So blah blah blah
blah. And this, you know, sense of, I don't know, perfection is
achievable.
Everything has to be a % perfect. That doesn't resonate
with me. And the other thing, I think over the years as a

(01:02:57):
programmer, I've kinda become wary of abstractions. And I
think in Go, there's not a lot of abstractions. I kinda have to
admit that I've never really tried Go with generics.
I might be missing out, but I don't think I am.

Shay Nehmad (01:03:12):
Don't worry. 90% of people do that.

Thorsten Ball (01:03:14):
And so I become kinda skeptical of too many
abstractions. And I think in the Rust community, there's still
the sense of, oh, abstractions are good. Like, if we can make
this indirect and this side doesn't have to know about this
side, then that's better code. Even though there's only one
caller and one callee, and this won't change in the foreseeable

(01:03:35):
future. But how about we separate these concerns and put
this layer in?
And this is actually a trait, and this implements this trait,
and this does this. And I think there's a lot of this and often
for good reason. But, you know, everything I'm saying is just to
say that there's no specific thing where I was, oh, this is
super bad about this, and this is super bad about this. And I
also don't agree with a lot of these blog posts that compare

(01:03:58):
languages on, like, a feature by feature basis and whether this
type system does this, whether this type system is this. For
me, it's, you know, what the kids would call vibe space.
It's like, do I do I think if I use this language, do I feel
like I'm running in the same direction that the community or
the author of that language was running towards? Or am I going

(01:04:19):
with the flow of that community or that language? And with Rust,
I often had this feeling that, ugh, no. You know? Like, no.
No. No. Like, I I would trade a lot of the type system and the
borrow checker to get better compile times. And the Rust
community, I don't think, would sign that contract. You know?
Yeah. That's fine. And and the Rust the Go community is

(01:04:40):
different. And JavaScript community is completely
different, you know, again, and and Python and Ruby. And yeah.
I don't know. It's not a technical answer, but that's
kinda my my take on things that I like simplicity. I like
ergonomics. I like trade offs.

Shay Nehmad (01:04:55):
That means you're going back to Go, this year?

Thorsten Ball (01:04:59):
Yeah. I mean, at Salesforce, there's still a lot
of Go. I think, I don't think they ripped out all of it in a
year. Yeah. I think there'll also be a lot of TypeScript.
There'll also be Rust, I think.

Shay Nehmad (01:05:09):
There's this wave of people who've been working a
lot with Go. You mentioned, HashiCorp. That's a good
example. Right? He wrote Go for, like, ten years and then moved
to Zig.
Yeah. And I saw a few of these blog posts. And, Jonathan, I
think we even discussed some of them of people, like, sort of
burning out on the simplicity and looking for something more
challenging.

Thorsten Ball (01:05:28):
Yeah.

Shay Nehmad (01:05:28):
But I guess it's just what you're looking for.
Are you looking for a challenge in the thing you're building? Do
you wanna get it built and and and see what it does? Or are you
looking for a challenge in your editor? Are you looking for
architectural challenges?
Are you looking for business challenges? Are you trying to,
like, build a ton of businesses and the code is just a means to
an end? It it doesn't matter at all?

Thorsten Ball (01:05:46):
Yeah. I I everything I said so far in this
recording is always comes with the asterisk. And it

Shay Nehmad (01:05:53):
will be used again.

Thorsten Ball (01:05:56):
It always comes with the asterisk of it depends
on the context. Like, do I like somebody code golfing and being,
you know, building the most minimal thing in VIM language? I
do. Yes. On a Saturday morning, but not at work.
You know? Not when I'm shipping something that's to be used in
production. And I think I I I watch a interview with, you

(01:06:20):
know, person who's using Rust, and they also switch from Go to
Rust. And I don't know how experienced they are, but they
said, oh, they like Rust because it's fun, because in Rust, it's
like all of these little puzzles that you have to solve. And I
think Rust in that sense, it's like catnip for programmers.
It's this you get the feeling of accomplishing something by

(01:06:43):
writing code in that language, and you get that that sense of,
oh, hey. I solved another puzzle by making this match statement.
Like, do exactly this in that amount of code. But I would say
that's cool, but have you actually shipped something of
value to your users or to your customers? And, you know, yes,
on a Sunday morning, give me all of the code golf you have.

(01:07:05):
I love it. I yesterday, I saw, like, a a Game Boy emulator in
JavaScript that looked written by an alien life form. I'm gonna
link to it too in my newsletter. Is this code that I wanna debug
in production? 100%.
No. Yeah. You know? And I think sometimes if you say, oh, I I'm
tired of Go simplicity, that doesn't mean it's a bad language
to build products in. Right?

(01:07:26):
Mhmm. It just means that you got tired of something. But that's a
different thing, man. Like, that's a different thing than

Shay Nehmad (01:07:31):
So the formula is Rust on the weekends.

Thorsten Ball (01:07:34):
Yeah. Yeah. I mean, to be fair, like, it's an
absolutely the how much do you enjoy working with the language
you're working? That's it's completely fair thing. Right?
Mitchell Hashimoto, he said, on the Primeagen, like, podcast two
weeks ago, he said, all he can say is that he doesn't enjoy
working in Rust. Like, that's all he can say. Like

Jonathan Hall (01:07:55):
Mhmm.

Thorsten Ball (01:07:56):
There's technical stuff you could talk about, but
it doesn't change the fact that at the end of the day, he
doesn't feel like he's enjoying this. And for me, it often was
the same. Like, I would write Rust and think, it's not fun.
Like, it's not I don't I okay. I can see why, but this is not
fun.
And

Shay Nehmad (01:08:13):
I'm getting back into TypeScript right now and
and Yeah. It's it's been difficult for me to find this
spark of, like, oh, this is awesome. This is fun. Yeah. I'm
programming instead of, like

Thorsten Ball (01:08:23):
Yeah.

Shay Nehmad (01:08:23):
Fighting with a a type type system bolted onto a
browser language for some reason.

Thorsten Ball (01:08:30):
The other just to get back on this point, like,
people saying Go is born when it and and Mitchell switching from
Go to Zig. I think for the stuff that he's building, Go is just
not a like, the terminal emulator Ghostty, Go is not a
good fit. Like, it just wouldn't work. Like, there's also this,
and Zed is written in Rust. And I think it's Rust is the perfect
choice for this.
Like, they built this high performance text editor that

(01:08:52):
interfaces with macOS, you know, system level frameworks like
AppKit and, like, the the, GDC, the global what was it called?
The global dispatch queue and whatnot. Grand Central Dispatch,
GCD. Sorry. And you can't do this in Rust.
Sorry, in Go. You you have to use Rust or some other language
should drop down to the same. And for that, it is perfect.

(01:09:13):
Right? But that doesn't mean it's perfect for all of the use
cases all of the time.
Right?

Shay Nehmad (01:09:18):
For sure. So Cool. Cool.

Thorsten Ball (01:09:20):
Mile take, I guess.

Shay Nehmad (01:09:21):
So it's actually refreshing. Yeah.

Thorsten Ball (01:09:24):
Is it?

Shay Nehmad (01:09:25):
It's it's a shield they give.

Jonathan Hall (01:09:26):
I think it's also a great a great segue into our
stumper question. I guess this isn't a stumper question
anymore. The the first one we did a couple of years ago, we
tried to kinda stump people. They can think hard, but this
shouldn't be too hard. The question is when you were
learning Go, who influenced you the most?
And and, like, you've already talked about how you identify
with sort of the Go ethos. So I'm guessing you thought about

(01:09:47):
this before. Who who who has influenced you? You already
mentioned some names, but just just

Shay Nehmad (01:09:52):
you know,

Jonathan Hall (01:09:52):
who who who maybe the most?

Thorsten Ball (01:09:54):
Two come to mind. One is my friend, Felix
Geisendörfer. He now works at Datadog. I I don't know if you
guys had him on, but, back then, 02/1213, he was starting to get
into Go. He would not shut up about it.
Like, he would be he would wemade a joke. Like, we were at j

(01:10:16):
s conf in Florida in 02/2013, and he would be sitting at
tables with different people. And and we would say, where's
Felix again? And and we would make jokes like he's trying to
convert people to Go again. And we would walk over and he would
be sitting and talking to them about Go, and he got me really
interested in it.
So then I started to look into it. And then I think, I don't

(01:10:37):
know, like Dave Cheney was a influential guy. Like his blog
posts and his, you know, writing on Go really made me see, like,
the beauty and the simplicity of it. Then, obviously, you know,
Russ Cox's writing or Rob Pike, like, his talk and, like, all of
those early, you know, Go programmers that had this back

(01:11:01):
then, I was coming from Ruby and JavaScript, and I felt like I
was now in this other world where there was this sense of
systems programming, which, you know, now looking back is kinda
didn't turn out to be, say, Go's forte. And Mhmm.
But there was this sense of, oh, you know, like, this is this is
proper engineering. Like, the people writing the Go Garbage
Collector, they know what they're doing. They they they

(01:11:24):
really hardcore on this and the simplicity and the trade offs
and the thinking not just about a friend of mine put it as he
said, the big problem that Ruby made was that Matz thought that,
you know, you know, Matz, the inventor of Ruby, he said,
developer happiness. That's what's important. You know, like

(01:11:45):
the the language should serve developer happiness.
And my friend said he made the mistake of thinking that
developer happiness is only about syntax. He forgot the
tooling. Mhmm. And I think I don't know how true it is, but I
think it's kinda an interesting angle to look at things from
because ten, fifteen years ago, yes, the language itself, like,

(01:12:05):
the syntax, you would write stuff in. That was so important.
Like, people would discuss operators and whatnot and blah
blah blah. Because they had

Shay Nehmad (01:12:12):
time while their c plus plus was combined, so they
had time to work it. Yeah.

Thorsten Ball (01:12:16):
But then Go came along and you had, like, this
fast, you know, Go test and Go build and and, you know, how you
ship stuff single binary. And people would say, oh, it's such
a fat binary. This is eight megabytes for hello world. And
guess, you know, who cares? Like, nobody did and still
doesn't.
And this focus on ergonomics and, like, this conscious choice

(01:12:36):
of trading, say, in some elegance for ergonomics, that's
what, I don't know, really appeal to me.

Jonathan Hall (01:12:44):
Mhmm. Cool. Cool. Cool.

Shay Nehmad (01:12:46):
We are definitely writing down the people you
said, which is difficult because some of their last names are
hard to spell. To try to invite them on, we we did, I'm 85 sure
we had Felix's, tweet about performance optimization in Go
that he did. We we featured that on the show. So we might reach

(01:13:07):
out to him as well. Cool, like, seeing these threads link
because I didn't know you know the guy, but I I, follow him on
Twitter.
Cool. Where can people find all this joy and curiosity and high
performance editors and all these beautiful links and
yourself and the books, if you haven't read

Jonathan Hall (01:13:24):
them?

Thorsten Ball (01:13:24):
Yeah. So you can find me at torstenball.com if
you know how to spell it, or you just the name of the newsletter
is register spill, registerspill.TorstenBall.com.
I'm on on Twitter slash x Bluesky. Mostly these two, mostly
these days. You can always send me an email.
I'm happy to receive any sort of email. I don't know if I'll

(01:13:47):
regret saying

Shay Nehmad (01:13:48):
this. Yeah. People signing you up for all these
sorts of

Thorsten Ball (01:13:53):
My, books you can find interpretabook.com and
compilerbook.com. And I think, yeah, that's basically it.

Shay Nehmad (01:14:00):
And all these links, listeners, you can find
in this week's show notes, which is in your app somewhere. I
don't know what app you're listening with. So if you're out
to your own custom Rust slash go slash TypeScript RSS feed,
podcast thing with Claude last night, I don't know where you
put the show notes, but there you can find all these links.

(01:14:20):
Thanks a lot, Thorsten, for coming on.

Jonathan Hall (01:14:22):
Thanks so much. It was a pleasure.

Thorsten Ball (01:14:23):
Thanks, guys. Thanks Thanks for having me.
This was fun. Great.

Jonathan Hall (01:14:26):
We'll have to do it again and talk about other
things.

Shay Nehmad (01:14:28):
Waiting for the next, joint curiosity. I'm I'm
I'm I can't wait to see what's on it. Awesome. Thanks a lot.