August 8, 2025 • 52 mins
Visit https://cupogo.dev/ for all things Cup o' Go!
- [security] Go 1.24.6 and Go 1.23.12 are released
- Microsoft build of Go Telemetry – Helping Us Build Better Tools
- Go Assembly Mutation Testing
- GitLab catches MongoDB Go module supply chain attack
- Break:
- Jonathan's streaming again on Twitch
- George Adams interview
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jonathan Hall (00:05):
This
Shay Nehmad (00:10):
is Cup o' Go for 08/08/2025. Stay up to date with
the important happenings of theGo community in about fifteen
minutes per week. I'm ShayNehmad.
Jonathan Hall (00:19):
Oh, and I'm Jonathan Hall.
to a slow start here, man.
Shay Nehmad (00:25):
I'm actually I just drank really good coffee. I
don't know if I wanna shout outthe shop because they don't
sponsor us. It's like very localto San Jose, it's not a chain.
I'll do it. Nirvana Soul.
You know these coffee shopswhere you walk in and they're
like, oh, this place is tootrendy for me. I'm not not cool
enough to drink coffee here.
Jonathan Hall (00:46):
I don't think I've had that experience.
Shay Nehmad (00:48):
You should you should drink coffee in the Bay
Area, and you will definitelyhave that experience.
Jonathan Hall (00:53):
Yeah. Well, I've been to Starbucks store number
one, but it it that that was notthat vibe there at all.
Shay Nehmad (00:59):
Anyway, I'm after coffee, and I'm, kinda tired.
But let's, let's push throughbecause we have a really, good
interview today, and I wanna getto that.
Jonathan Hall (01:07):
Yes, we do.
Shay Nehmad (01:08):
Let's start with the new release.
Jonathan Hall (01:10):
Oh, yeah. It's one point twenty five, right?
Shay Nehmad (01:13):
No, not yet.
Jonathan Hall (01:14):
No, not yet. Next week.
Shay Nehmad (01:16):
Probably.
Jonathan Hall (01:16):
Probably. So for now we have one point twenty
four point six and one pointtwenty three point twelve and
one point twenty five point RCNext, whatever it is, three or
four or something. They allinclude two security releases.
Tell us about the first one.
Shay Nehmad (01:30):
So the first one is one we've mentioned in the past.
It's OS exec look path mayreturn unexpected paths. This is
not like a hugely importantsecurity fix. I think it's
important, but, you know, it'sjust a normal security fix, but
it became a staple of the showjust because a listener told us
about it, then I got involvedwith the code review and I've
(01:50):
been checking up on that. Like,I've been getting emails about
it every day since, about thecomments and I've been replying
and when it got merged, washappy.
We told about it last week andnow it's in. Thank you, Olivier
Mengui for reporting this issue.This is CV202547906.
Jonathan Hall (02:07):
I have to say it's a little bit funny, at
least from my perspective here,that I've been reading about
this for the last few daysbecause it was it was pre
announced as a secret securitypatch. It's it's funny that one
of the secret security patchesis something we've been talking
about for three weeks already.
Shay Nehmad (02:23):
Yeah. Yeah. Still. There is another fix though that
looks super interesting and Ididn't do the code review on. So
so what's up there?
Jonathan Hall (02:31):
Yeah. So this is not the usual suspects at all.
Shay Nehmad (02:35):
Kaiser Soze. Got the cripple in there from New
York. Yeah. Did he mentionKaiser Soze? Who?
Just bear with me here.
Jonathan Hall (02:44):
Who's Kaiser Soze? Oh, So, yeah, this is not
the usual suspects. A bug, asecurity bug in database SQL.
Shay Nehmad (02:54):
That doesn't sound important.
Jonathan Hall (02:55):
No. Of course not. Nobody uses that. So it's
it's a it's really a very cornercase. I'll just read the
description.
I think it's a pretty gooddescription. Canceling a query,
such as by canceling the contextpassed to one of the query
methods, during a call to to thescan method of the returned rows
can result in unexpected resultsif other queries are being made
(03:16):
in parallel. So you have to belike doing multiple queries on
the same database in paralleland cancel one of them by
canceling a context. If you dothat under the right
circumstances, then you may getunexpected results or you may
even get results from the wrongquery into your scan result.
Shay Nehmad (03:35):
Woah. Damn, that sounds actually super
reasonable. Like, I'm thinkingabout the very reasonable case
you have a DB that has like rowlevel security to requests
coming to your web app at once,one from org a, one from org b,
then the connection gets closedon org a because they closed
their web whatever, connectionclosed. You cancel org a and
(03:56):
then org b gets the results fororg a data leak. Hot damn.
Jonathan Hall (04:00):
Pretty
Shay Nehmad (04:00):
This seems like
Jonathan Hall (04:01):
severe. Pretty serious. I mean, I think I think
it's very difficult to triggerthe condition, but if you do,
the results could be veryserious.
Shay Nehmad (04:09):
So Is it like a race condition sort of thing?
Like
Jonathan Hall (04:13):
I haven't looked at the code, but that's what it
sounds like to me, based on thedescription. So I don't wanna
take chances. I'm upgrading.
Shay Nehmad (04:20):
Yeah. You should I mean, it's easy. Right? You
should upgrade anyway. Thesethings are are usually, like,
not breaking.
And thank you for thank you toSpike Curtis from Coder for
reporting this issue.
Jonathan Hall (04:36):
Yeah. So go upgrade your code, and then next
week, probably, you can upgradeto 1.25 and get all the other
cool new things that we'll betalking about probably next
week.
Shay Nehmad (04:45):
I wonder how many times people ran into this bug
and then they refreshed thequery and it didn't happen
again. They're like, whatever.Actually wondering how Spike ran
into this, if it was like onpurpose or not.
Jonathan Hall (04:56):
Oh, that's a good question. Well, if
Shay Nehmad (04:57):
only there was some way to, you know, see all the
commands he ever ran. Could youthink of such an option?
Jonathan Hall (05:03):
I can't think of any way to do that.
Shay Nehmad (05:05):
Well, how about telemetry? We'll force everybody
to, you know, send us what theythey build. The community is
gonna be fine with that. Right?
Jonathan Hall (05:12):
Sure. Why not?
Shay Nehmad (05:14):
I think I'm gonna be using some flashbacks.
Jonathan Hall (05:15):
To wait a second. Yeah. So Microsoft and
telemetry, they decided to takea slightly different approach
than Google. What's that about?
Shay Nehmad (05:23):
So if you remember, actually, I think it was one of
the first things we Like one ofthe first overarching topics we
covered on the show because ithappened like a year and a half
ago when we started. The Googleteam wanted to add telemetry to
better direct the direction ofthe Go team and whatever. And
(05:45):
they made it opt- Opt in.
Jonathan Hall (05:49):
After some debate. It was originally gonna
be opt out.
Shay Nehmad (05:53):
Was opt out and people were really pissed off
about it, and then it theyturned it into opt in after
community feedback. Microsoft'sbuild of Go adds another
telemetry layer for the Go teamat Microsoft. And if you wanna
hear more about that and like,it's part of they they published
(06:14):
it on the dev blog, but Iimplore you to just stick around
because you could hear a lotmore about it when we
interviewed George Adams, who Ijust read this blog post and I
was like, that seemsinteresting. I wonder why they
do that. And I just contactedhim and was like, of course, I'd
love to come on.
Yeah. It's a bit of acliffhanger, Stick around for
the interview, but just if youdon't wanna listen to the
(06:35):
interview, you know, the datacollected is anonymized and they
have full you have full controlof it, and you can disable it by
MS Go tool chain telemetryenabled, setting it to zero. But
honestly, if you're using the Gothe Microsoft Go version, you
probably wanna send them thistelemetry. And this is separate
from the Google telemetry. It'sjust not the same thing.
So you can even send both if you
Jonathan Hall (06:56):
don't I love to send data.
Shay Nehmad (06:58):
I mean, I have opted into the Go telemetry I
Jonathan Hall (07:02):
have I have too. Yes.
Shay Nehmad (07:04):
And, yeah, stick around for the interview. We we
actually go into detail aboutthat and just go in Microsoft in
general, which is interesting.
Jonathan Hall (07:11):
So, something we talk about in that interview, a
lot is security since that's oneof the reasons that, Microsoft
has their own fork. So on thattopic, Filipe Valsorto, who's
been on the show before and doesa lot of work with the security
and crypto in Go, has a new blogpost out this about a week ago,
I guess, which I think isfascinating. It's about so
(07:34):
essentially, it's about assemblymutation testing in Go. But I
think
Shay Nehmad (07:38):
What does that mean?
Jonathan Hall (07:38):
Yeah. I'll talk what that means. What's what's
actually a little bit moreinteresting than that on and of
itself is the reason it's souseful in the sort of work he
does with crypto. But one stepat a time. So let's dissect that
title Go Assembly MutationTesting.
We already talked about thislast week about the pure Go tag,
That some Go code is written inassembly or Go's sort of pseudo
(08:02):
assembly. And that's very truefor a lot of the crypto
packages, low level stuff thatdo bite or bit manipulation and
so on and so forth. It's just alot more efficient to do that
sort of stuff in assembly thanit is in Go in many cases. So a
lot of the crypto work is donein assembly. So that's why Go
assembly.
What's mutation testing? Are youfamiliar with mutation testing,
(08:22):
Shay?
Shay Nehmad (08:23):
I'm familiar with the term.
Jonathan Hall (08:25):
Okay.
Shay Nehmad (08:25):
But it's basically like you run your thing, you
have like an expected output andthen you change your binary in
some way or your environment insome way and you try to fuzz,
like, what changes will causeyour expected result to break?
Is that the
Jonathan Hall (08:41):
So, yeah, you're you're pretty close. So we had
John Arundel on way back when,probably a year and a half ago,
who talked about fuzz testingwhen that was new in Go. Fuzz
testing is where you sort offeed random inputs to your
existing program and see whichones cause breakage. And this is
a way to sort of build a morerobust test suite. Mutation
testing is kind of the oppositeor the other side of that, where
(09:02):
you use maybe the same inputs,but you actually mutate the
program.
You don't mutate the inputs. Andthe idea is if you can change
the program and it doesn't breakyour tests, then your tests
probably aren't sophisticatedenough or they aren't covering
enough, right? If you take So asimple if statement, you have if
X equals Y and you mutate thatrandomly, so now it says if X
(09:25):
equals X, but it doesn't causeany tests to fail, then you
probably don't have sufficienttest coverage, right? Obviously,
mutations will generate aninvalid program and those are
easy to filter out. But assumingthat you do a mutation that
generates a valid program, butan incorrect program, you want
it to cause your test to fail.
So we're talking about doingmutation testing for Go
(09:45):
assembly. So that's topic of theblog post. Now, why would this
be a particularly interestingtopic? He goes into some
background here, which I'm notgoing go through all of it
because if you want that, youcan go read the blog post. But
he goes into some of the reasonswhy this is particularly
interesting for the sorts ofwork that we do with crypto and
Go.
So one simple example issomething I don't usually deal a
(10:07):
lot with, but it's reallyimportant in crypto, that is to
have code that executes inconstant time, meaning that
given different inputs, it stilltakes the same amount of time,
the same operations are executedregardless of input. You don't
take shortcuts. Know, if you'redoing certain decoding, might
know that, oh, this means that Ican I don't have to decode the
next 16 bytes because of the waythis is laid out? I could skip
(10:28):
that and be faster. Normally,want to do that with crypto.
We don't want to do that becausethat can allow for certain types
of forensic attacks, sidechannel attacks. You can if you
have access to the machine thatgoes running on, you can see,
oh, this ran faster in this casethan with this case so that I
can deduce certain things aboutsecurity, which I'm sure you
know a lot more about Shy than Ido.
Shay Nehmad (10:47):
I mean, you don't even have to have access to the
machine. Like, let's say you tryto decode a password, right?
Sure. You can do the sidechannel thing of, oh, if I pass
a password that starts with thecorrect letter, then it takes
longer. This is like so manylayers deep.
I feel like that the level ofcoverage and the level of
precision the Go team is talkingabout is like way more than even
(11:08):
the above layman understandingof security. Yeah, yeah. I mean,
is like standard standard. Butmutation testing is like, itself
seems like a fragile thing thatwould bring up like random edge
cases anyway. I mean, That'skind of the point, right?
The machine flips random bitshere and there, things are not
gonna work.
Jonathan Hall (11:28):
So, yeah, I suppose that's true. I think we
mostly trust our machines not toflip random bits in most cases,
but it certainly does happen intimes, right? But getting back
to this constant time, one ofthe So I sort of knew the
concept of constant time and whyit was important. I had never
considered the implications ontesting and he lays that out
here. One of simple ways to doconstant time is to, whenever
(11:51):
you have an if branch, forexample, execute both branches
all the time and then discardone result, the one you don't
need, depending on the thing.
That way you always do the sameamount of execution regardless
of your inputs. Well, that wouldmean that your normal tests look
like no matter what you do, youcovered all branches, right?
Because they all executed, butyou didn't necessarily assert on
all of So this is where themutation testing starts to come
in. It helps you it helps sortof bring to the surface the
(12:14):
areas where you may haveexecuted the code because of
this constant time constraint,but you aren't necessarily
testing all of the conditionalsthat might have been triggered.
So mutation testing is one toolthat they can use to help cover
these sorts of cases.
And then he goes into, heactually shows some examples of
assembly code, which I haven'tbothered to read in-depth enough
(12:37):
to fully understand it. But he'sbasically, he's building a test
framework to do mutation testingin GoAssembly, which I think is
pretty cool. I'll probably neveruse it since I don't write
GoAssembly. And if I ever do,it'll it won't be a lot. I don't
imagine.
But I think it's a pretty coolconcept. So I like this post.
Thanks, Filippo, for sharingthis with us.
Shay Nehmad (12:55):
The question I have, if what you wanna do is
uncover these problems, why doyou have to do it in the
assembly layer and not justmutate source code? Can't you do
this thing and just change theGo code instead of changing,
like, the assembly commands?
Jonathan Hall (13:13):
I think this is where they're writing assembly
directly to be more efficient.So this isn't so so, yes, you
have Go code that's essentiallytranspiled to the Go assembly,
right? I think that's whatyou're talking about. Here is
where they're actually writingthe assembly raw, I believe.
Shay Nehmad (13:28):
Okay. Okay.
Jonathan Hall (13:30):
Because they want they want the the precise
control over the Bitwiseoperations, and they want to
make sure that the GoCompilerdoesn't do any path
optimizations to to, clean updead code and stuff like that,
that would ruin the constanttime.
Shay Nehmad (13:45):
Generally, unless you But the general policy
around like writing assembly,you absolutely need it, it's
better for you to write Go.Sure. Right? It's more portable,
etcetera, etcetera.
Jonathan Hall (13:55):
Right, right, Definitely.
Shay Nehmad (13:58):
I mean, assembly is fun. I I enjoy writing assembly
and disassembly and reverseengineering, but it's I think
the the general thing is
Jonathan Hall (14:06):
It's like doing a Sudoku. You do it for fun, not
because it's productive.
Shay Nehmad (14:08):
Right? Totally. It is very Sudoku ish in a sense.
You have to like remember whatyou have in each register, what
you've pushed to the stack.Yeah.
It is Sudoku e in nature forsure. Cool. I wanted to mention
one other blog post and I feelbad about breaking it up because
I put it in the backlog and thenevery week I was like, Oh, we'll
get to it next week, we'll getto it next week. And it's been
(14:29):
like a month and a half. So, ifyou read this already, I'm
sorry.
But GitLab caught anothertyposquatting supply chain
attack thing, and I like theirtechnique. So I'll quickly
explain what the typosquattingthing is. When you import a
package in Go, you usually dolike, go get, and then you pass
in the, like, path, right?
Jonathan Hall (14:51):
Mhmm.
Shay Nehmad (14:51):
The github.com/something/whatever
for third party libraries. With,you know, copy pasted snippets
and AI code generation and blogposts and whatever, it's very
rare that I just sit out andtype out the package name.
Usually I just go on GitHub, Ifind the package I need, and if
I don't already know what Ineed. Typical squatting is where
(15:14):
people make their packages looklike the package you actually
want to import. Maybe the nameis like one character over or
something like that.
And then you import theirpackage and theoretically it
does the same, maybe it's even afork, but somewhere inside the
code they have their maliciousintent, like installing a key
(15:35):
logger or whatever, justsomething malicious.
CryptoMiner, many othermalicious options, remain,
right? CNC server, CNC client,or a botnet, blah blah blah.
There is one. If you use a QMGO,which is a MongoDB model, double
check your import because thereal one is
(15:58):
github.com/qiniu/qmgo.
Title squatting one isgithub.com/qiniu/qmgo. So you
won't even be able to see itwhen you look at the package
name, only the package path. Andit's just like one extra I in a
name that I think most peoplewon't be able to realize is
(16:19):
because it's not a word, it'skind of hard to even understand,
you know, you imported the wrongGo driver.
Jonathan Hall (16:24):
You know how easy it is to make a mistake with
this spelling? The authors ofthe article made a mistake with
the spelling.
Shay Nehmad (16:30):
What do mean?
Jonathan Hall (16:31):
That's how easy it is. In one place, they say Q
I N I I u. In another place,they say q I I n I u. So they
they put the double I indifferent places depending on
where you read in the article.
Shay Nehmad (16:41):
Oh, no. No. No. You should read the article very
carefully. The first type ofsquatting
Jonathan Hall (16:46):
Two was type of smuttings.
Shay Nehmad (16:48):
They GitHub took it down, and then they did another
one with the double I in adifferent place.
Jonathan Hall (16:53):
Got it.
Shay Nehmad (16:54):
But the fact that you thought that there was, both
of them the same thing justshows it goes to show how easy
it is. Yeah. And again, it's nota word, so it's not very easy to
like understand that it's thewrong thing. First of all, like
double check which package youimported, especially if it's a
third party thing and especiallyif you added it recently,
generally. What I liked aboutthis blog post other than the
(17:16):
fact that they did it allseriously and analyzed the code,
and the code by the way is likethe malicious payload is
actually downloading like a fileand then executing thing, and
then it downloads an MP3 andthen it puts it somewhere and
it's a Go binary, and then itgives you like a persistent
remote access to the machine,tries to connect to a command
(17:36):
and control server, and then youcould do whatever you want.
Screenshots, SOX proxy, shellaccess. So it's like it
basically completely owns yourmachine. Just, like, installs a
Trojan horse, opens it to the tothe web. Pretty pretty, like,
hardcore. The way theydiscovered it is pretty cool.
Like, how would you discovertype of squatting, a type of
(17:58):
squatting attack in the wild?
Jonathan Hall (17:59):
Probably by something weird happening on my
machine and investigating to seewhat happened.
Shay Nehmad (18:04):
But that's a bit too late, right? You want to
discover it before it happens.
Jonathan Hall (18:07):
I'm trying to do it at a time, like you're
asking, like, what would be mylike, if I was implementing
security policies, I don't know,a white list of known good
packages or something that
Shay Nehmad (18:18):
has So that's be one way to do it. But then when
you wanna add a new package, yougotta somehow add it to the
thing.
Jonathan Hall (18:24):
Yeah, yeah.
Shay Nehmad (18:25):
Actually, the Vollum research team at GitLab
developed a whole automateddetection system. Nice. So they
do automated type of squattingdetection, like just look at
suspicious naming patterns. So Iguess everything that's like
leverage staying distance of Xor suspicious existing patterns
(18:45):
already, and semantic codeanalysis. So they look at Go
code in the packages that mightbe typosquatting and filter it
by like there's a networkrequest or command execution,
things that shouldn't happen inlibraries basically.
And finally, they do AI assistedinitial screening for like
trying to understand if there'slike advanced payloads or
(19:07):
obfuscation detection, which Ithink is a great use of like
LLMs. You're like, Oh, just lookat this code and tell me if it
looks suspicious or not. Hereare a few examples of normal
looking code, and here's a fewexamples of payload cyber y
looking code. And given enoughexamples, you could get a pretty
(19:30):
high confidence vote here. Whentrying to look at all packages,
this is like a great way tofilter and prioritize what to
look at.
So I really liked it. It's asystematic approach to solving
the problem. And I was like, oh,let's see what happens after
someone gets owned, which iscool. Great stuff for GitLab
security team. Like, And youknow, if they find it and they
(19:51):
find it on GitHub, take it down,they're helping everybody, like
every Go developer, just GitLab.
So that's awesome as well.
Jonathan Hall (19:58):
I like this episode. We have a theme going
here that GitLab helps GitHuband Microsoft helps Go. We'll
have more about that in theinterview.
Shay Nehmad (20:05):
Yeah. Kumbaya, everybody together. And only the
only the cyber attackers are inthe corner,
Jonathan Hall (20:10):
like, stop taking all our vectors.
Shay Nehmad (20:12):
Talking about stop, let's stop for a brief moment
here before we continue with ourepisode. What do you say? Okay.
Like I mentioned at the top ofthe episode, this show is
supported by you. This is ahobby, Jonathan and I do it for
fun and to stay on top of Go,but it also costs us some money.
(20:34):
If you wanna help us recoup someof that costs, if the show is
helpful for you, you can supportus directly on Patreon, where
you can kick us 3 or $8 a monthand helps cover the cost of the
show. Last week I mentioned thatI couldn't pull the funds, I
fixed it, I got the money. Allgood. If you want to find the
Patreon link or the Swag Storelink or our Gopher Slack channel
Jonathan Hall (20:53):
or our
Shay Nehmad (20:54):
email or all past episodes, including transcripts,
you can find all of that atkapogo.dev. And if you want to
help the show in other ways,spreading the word, leaving
reviews, rating it, sharing whatyou've learned, and then kicking
us back and say, oh, I learnedit on that show. Just getting
more people to listen, would begreat. I recently opened our,
analytics and I was very happyto see, like, some milestones we
(21:17):
reached and seems like the showis doing really well. That's
mostly thanks to you sharing itwith other people.
So we really appreciatelistening, sharing the show and
just talking about it. One tinyprogramming, well, it's not a
programming note, I guess it'sjust an ask. If you're a gopher
in the Bay Area, I'm thinkingabout hosting another meetup
(21:38):
somewhere around October. If youthink you'd like to come, join
the San Francisco channel and gofor a second, let me know. I'll
I'll try to arrange it.
This is not related to the show,but probably we'll do another
live episode because that wassuper fun.
Jonathan Hall (21:52):
That was fun, even though I wasn't there.
Shay Nehmad (21:54):
Yeah. Maybe we'll fly you out this time. Probably
not.
Jonathan Hall (21:57):
With all that all that Patreon money we've got
sitting in your
Shay Nehmad (21:59):
account now. Yeah. Exactly. Private jet. So, yeah,
San Francisco meetup, mighthappen in October.
A good chance to see me live.Are there any good chances to
see you live, Jonathan, and ifwe if we won't end up flying you
out?
Jonathan Hall (22:13):
Yeah. Well, there there are. So I don't know if
you remember. I used tolivestream coding in Go back
before I moved, and I'm finallyat the point where I'm ready to
start doing that again. So nextweek, Friday the fifteenth,
03:00PM local time for me, whichis I think 7PM UTC.
I'm going to start livestreaming. I'm going to try to
(22:34):
do it every Friday or almostevery Friday. So if you'd like
to watch me code and go, I'mgoing to be working on my open
source project. Some of thecomments I've gotten before are,
wow, I never saw anybody do TDDon a real project. Or I get
commentary asking, why do you doit this way instead of that way?
So it's fun. Sometimes I make afool of myself because I don't
know the answer to how to dosomething. But yeah, I'll make a
(22:56):
fool of myself in public, that'sfine.
Shay Nehmad (22:57):
Usually we have a lighting around here, but we
just really want you all to hearwhat George Adams has to say
about Go at Microsoft. So we'rejust gonna move to that
interview. Thanks a lot forlistening. Alright, Jonathan.
Today, we're doing an interviewwith, George Adams from
Microsoft.
Jonathan Hall (23:16):
George Adams from Microsoft. I I never signed up
for that. How do I opt out?
Shay Nehmad (23:20):
No. No. We're doing an interview right now. No
questions.
Jonathan Hall (23:23):
Fine. Fine. I'll do it. Hi, George.
George Adams (23:25):
Hey. Nice to meet you. Nice to exciting to be on
the show.
Jonathan Hall (23:29):
Yeah. Glad to have you here. So, George, I
believe you are our firstofficial Microsoft employee on
the show. Welcome and thank youfor being the first one to
respond to our request. We'vewe've reached out to a couple.
George Adams (23:38):
Well, I mean, it's it's obviously an honor to be
here, and and hopefully first,but, certainly not last. I'm
sure there's a whole load of,people at Microsoft that would
love to talk to you.
Shay Nehmad (23:47):
Well, depends how it goes. You know what I mean?
If if we if we totally roastyou, maybe they wouldn't wanna
come. So we'd we'd better benice, actually.
Jonathan Hall (23:56):
If I'm
George Adams (23:56):
in the headlines of Hacker News tomorrow, you'll
never hear from me again.
Jonathan Hall (24:00):
Alright. Well, tell us, George, a little bit
about what you do at Microsoft,and and in general. Tell us
about who you are.
George Adams (24:06):
Yeah. Sure. So, yeah, I guess hey, folks. My
name is George Adams. I'm asoftware engineering manager at
Microsoft, where I lead the teambehind the Microsoft Builder Go.
Our kind of primary purpose isthat we maintain a downstream
distribution of Go that powersmajor services like AKS, Azure
Kubernetes Service, GitHub, manyother first party customers. And
(24:29):
I guess the kind of key focusthat my team has is focusing on
security, compliance, And alsocrucially, we have a really kind
of strict upstream firstcontribution policy where
everything we do, we try and putit upstream first so that the
community gets goodness from itas well.
Shay Nehmad (24:45):
Really cool. The value of, doing it upstream
first is like, it's great thatthe community gets it, but also
you get some like testing and RCand whatever before you deploy
it to like critical Microsoftresources like AKS, right, that
run like the biggest enterprisecustomers in the world. Like if
you have downtime, perhaps it'sbetter to run it through the
normal process anyways, right?
George Adams (25:06):
Yeah, think you often have it going both ways.
Like there's times where we'llhave patches that we float first
and actually we see putting thatthrough a team like AKS as a
good practice before upstreamingit. You know, if it breaks AKS,
it's probably going to havebroken 10,000 other people in
the community. So sometimes thatway works as a great way of
testing a change. But equally,yeah, we also love trying to get
(25:29):
things up into the Google codebase as quickly as possible so
that they get the goodness oftesting it.
Obviously, by going into theprimary Go distribution, you get
the largest number of peopletesting it.
Shay Nehmad (25:41):
I'll start with a really basic question before we
dive into the technical detailsof how the Microsoft Teams works
and what do you do there andwhatever. It's not really a
question for me, but it's aquestion I've heard. So so let
me know what you think. Go is aGoogle language. Right?
It's out of Google. AndMicrosoft notably is not Google.
(26:03):
So how comes, Microsoft uses Go?While Microsoft does have, like,
internal language programminglanguages that it developed. The
first thing that comes to mymind is C, but I assume there
are, like, a a million others.
George Adams (26:17):
Yes. I mean, that's a great point. Right?
It's true. Go started at Google,but it's always been open
source.
And I think that's been one ofthe biggest strengths of Go,
right? Microsoft deals withdozens of different runtimes in
other languages. Yeah, C sharp,.net, Java, Rust, Python, you
name it, Microsoft's dealingwith that. I think the kind of
(26:37):
thing that really stuck out withGo firstly is Azure Kubernetes
is just a massive part of theAzure platform and AKS and all
of the Kubernetes stuff iswritten in Go fundamentally,
right? So Microsoft is almostforced into adopting Go for AKS.
But equally, Go is alsocompletely awesome for CLI
(26:59):
tooling. It's great for toolsthat we have in Azure. It's
great for things in Defender,for example. We also dozens of
SDKs that developers are usingthat are all written in Go. And
so I think, yeah, okay, Go iswritten by Google.
It's open source. Microsoft isin Google. But equally, we can
benefit a huge amount from that.And we have a lot of industry
(27:22):
expertise and also expertise inshaping the future direction of
languages and runtimes ingeneral that we can contribute
back to Google. Hopefully thatmakes Go a better place, I
guess.
Shay Nehmad (27:32):
Cool. Well, among the projects, there's also
TypeScript, right? This is likea Microsoft language and the
engine is being rewritten to Go.We reported on this a few months
ago. I'm like, I haven't Ihaven't checked up on that
project.
Is that like part of your teamor is that like someplace else?
I assume Microsoft is actually ahuge place, so that's probably a
(27:52):
dumb question.
George Adams (27:53):
Microsoft is one of those places where you've got
to go digging deep to findcertain teams. But yeah,
interestingly, the TypeScriptteam owned this for obvious
reasons. They reached out to usa little while ago, and I
remember at the time, they wereassessing a whole load of
languages as well as Rust,looking at what the best options
were. And I think it becamereally clear from almost day one
(28:15):
that they wanted to go with Go,which was fantastic. Yeah, the
performance increases, I thinkit's like 10x is what they're
reporting, is pretty cool.
And I think a lot of people inthe TypeScript community are
looking forward to that GA ingand being able to build their
massive TypeScript monsterdependent projects in in a
fraction of the time. But, yeah,I think it's it's a great
(28:36):
example of Go being used outsideof its, like, traditional back
end space. Right? So, yeah, itwas kind of an interesting one
and and one I love to talk aboutas well.
Jonathan Hall (28:43):
So you manage remind me your title or the team
that you work on.
George Adams (28:48):
So I'm an engineering manager basically. I
look after the, we'll call itthe Go toolset team in
Microsoft.
Jonathan Hall (28:57):
Okay.
George Adams (28:57):
So there are other parts of Microsoft that have
other Go teams as SDK teams,there's other teams that
maintain things like AKS, butanything that's to do with the
Go toolset, essentiallyMicrosoft's fork of Go, that
comes down to me.
Jonathan Hall (29:11):
So talk to me about what Microsoft does. I
mean, I don't know, as somebodywho's not familiar with what
Microsoft does for Go, I don'tknow what that is because the Go
toolset's already pretty robust.It has a lot of things in it. I
can imagine you're just forrubber stamping things, you
know, making sure that they passsecurity audits or something.
But I'm sure there's more to itthan that.
Tell me a little bit more aboutwhat you do. What kind of
(29:32):
features have you added otherthan turning on the opt out,
turning off opt in? I don't knowthe telemetry thing. What are
the kinds features or changesthat you make to go from the
fork?
George Adams (29:44):
Yeah, that's a good question. And to be
perfectly honest with you, likeif you look under the hood, 99%
of the code base is identical.The key thing here is that
Microsoft builds and distributesa Go tool chain for our internal
teams. Microsoft, like justabout every other large corp has
a whole load of securitygoverned policies and crypto
(30:06):
policies that we have to complywith. And a lot of that boils
down to things like SBOM, securesupply chain.
And frankly, when you're lookingat a team the size of AKS, they
want to be able to pick up thephone in the middle of the night
and say, I need a build and Ineed it yesterday. And that's
the sheer reality, right? Wecan't ask Google or expect
Google to provide that to us.And so we're primarily there to
(30:28):
essentially act as a stop gapthere. Beyond that, the other
reason that the team was puttogether at the time was that Go
had no support for FIPS, whichis the government crypto Yeah.
I've messed that up. FIPS, whichis the that acronym that I never
remember.
Jonathan Hall (30:49):
Yeah. Me either.
Shay Nehmad (30:50):
We we had someone on the show literally talk about
FIPS. What what was what who wasthat? Alex Schiele or some? For
maybe for forty five minutes,and I still don't remember what
the acronym it's just like,yeah, the government wants a
strong encryption standards,post quantum, very Federal I'm
just looking here.
George Adams (31:08):
Federal Information Processing
Standards. There you go. FIPS.You see, I say FIPS daily, but
my, my team will, my team willtease me for not knowing what
that stands for.
Shay Nehmad (31:18):
You know what? I'll tell you, George, actually,
like, behind the curtain, that'sthe whole reason we do this
show, just to learn things soour coworkers can't hold them
over our heads. We can hold themover their heads.
George Adams (31:29):
Absolutely. Absolutely.
Jonathan Hall (31:31):
Sean, you're saying the quiet part out loud.
Stop it.
George Adams (31:34):
Yeah. We can't see what's going on behind the
scene, surely. But, yeah, Iguess so that the kind of key
thing around Phipps is thecrypto board doesn't essentially
allow Go Native cryptography. Sothe crypto board is a Microsoft
thing. This is internalpolicies.
Any first party customer thatwants to use Microsoft's crypto
board says, well, you can't goand use Go Native cryptography.
(31:56):
And the reason is it follows thesame suit with every other
language and runtime inMicrosoft that says you need to
go and use the OS providedcryptography layer. So like
OpenSSL or on macOS, we've gotCommonCrypto, on Windows we have
CNG. So we essentially providethis kind of wrapper shim which
allows people when they need to,to shell out of Go cryptography
(32:19):
and into system providedcryptography. And that was
really why the team was puttogether.
I guess one of the interestingthings beyond that is that now
Filippo and his team have goneand implemented a FIPS validated
crypto layer in Go, which Ithink is the first time this has
been done. But unfortunately, atleast for now, Microsoft isn't
(32:41):
able to use that. And so thereason that we're still here
doing this FIPS port is for thatexact reason.
Shay Nehmad (32:47):
And just to, you know, again, it's sometimes it's
hard to understand how big thewhen you say, oh, there's the
FIPS compliance thing sometimes,you know, I think of it as like
a more of a startup guy. Oh,maybe I have a customer that has
like a FIPS requirement becauseof a subcontractor or something.
Microsoft has dedicatedgovernment Azure data centers
(33:10):
and like a $10,000,000,000contract with the Department of
Defense. It's like the actualpeople who need to have that
working.
George Adams (33:18):
Absolutely. Yeah. It's all about just basically
meeting stricter compliance incryptographic standards, right?
So you've listed government,finance, healthcare, any
regulated industry you can thinkof, and Microsoft has a lot of
customers in that space. And so,yeah, for that exact reason, we
have to build FIPS validatedbuilds.
For example, you can runKubernetes in Azure for
(33:40):
government, and because you canrun Kubernetes, you need to be
able to run with a, a FIPSvalidated GoPinary.
Shay Nehmad (33:46):
So is the I guess a follow-up on that. If I want to
be a really good, team member onyour team, do I need to be more
of a, like, go person or do Iactually need to be more of like
a DevOps person? Is my dayspent, you know, just on
average? Obviously, I assume theteam is diverse and has a lot of
diverse, tasks, but I'm justtrying to understand the vibe.
(34:08):
Is it like trying to untanglebuild processes because you need
to build Kubernetes fromscratch?
Or is it like changing Go codeat, you know, the standard
library, level and having toboth of them sound super hard. I
mean, the team sounds superhardcore. Just trying to
understand if it's a hardcorelike DevOps team or is it
hardcore dev team or is it sortof both?
George Adams (34:29):
Yeah, it's kind of a hybrid. There's obviously a
DevOps team that has to producethe binaries and that in its own
right, as I'm sure Google willtell you, is a pretty serious
job in its own right, just theamount of builds, the amount of
testing, all of that stuff. Butequally, a lot of what my team
is focusing on is, A, sort ofchanges to the standard library.
(34:50):
So we're making a lot of changesto Go and also changes in the
cryptographic layer. So again,we've got a lot of crypto
expertise in our group, whichoften is not necessarily Go
specific.
A lot of it's written in C plusplus for example. So Go and C Go
are definitely kind of keyskills that we're looking for in
the team. And equally justDevOps skills are very useful.
Shay Nehmad (35:14):
One question I had about the sort of the place your
team has at Microsoft. I don'tknow, but let me ask Jonathan
first. Jonathan, have you everworked at a company before where
you were like the go person, butthe company wasn't like a go
company yet. Yeah. You know, asa contractor, and then you get
some technical tasks, but youend up with, oh, I need to
(35:37):
Actually, people come for me forquestions and training and they
come for me for guidance sort ofsituation.
Jonathan Hall (35:44):
Oh, yeah. That happens. That's that's normal
for me.
Shay Nehmad (35:47):
Yeah. So I'm wondering if, George, you you
are just that person for,Microsoft where they ping you on
Teams, I assume, and
Jonathan Hall (35:56):
are It
George Adams (35:57):
is on Teams.
Shay Nehmad (35:59):
Off the record, I'm sort of jealous that you
actually get to use Teams. I'mI'm done with Slack. I wanna
move to Teams. Don't tellanybody I said that because
people love to hate on Teams.Never mind.
Anyway, I assume people ping youon the internal chat, and are
like, hey, can you, we want tomove this service to Go. Or is
there like a Go communityalready inside Microsoft, like
(36:23):
an internal Go channel? Is therea guild? Like how, if I'm a
Microsoft person who's currentlynot writing Go and for some
business reason or even like apersonal reason, you know, I
wanna learn, I wanna move to Go.Do I end up talking to you?
George Adams (36:38):
Yeah. That's a it's a good question. Actually
like full disclosure, so I cameinto the team, I'm trying to
think three, four years ago now.And at the time, I can say this
on a podcast because peoplecan't throw drinks at me. At the
time I was in the Java team.
I kind of come from a Javabackground anyway. But at the
time I came into this Go teamthat was reasonably young in its
(36:59):
existence. And the first thingwe had to do was just map out Go
usage across the company. Andone of the things we really
quickly realized was Go is beingused in loads of places, but no
one really has this centralizedplace to talk about it. And so
that was one of the kind of keygoals when I came into the
group, which was map out companyusage and try and make my team,
not necessarily me, butcertainly my team, the Go
(37:21):
experts so that when someone inthe company let's pick on
TypeScript because we spokeabout them earlier when
TypeScript is evaluating Go forthis particular component of
their products, and they're allTypeScript developers with no
idea about Go, they know thatthey can come to us and get our
guidance.
And so, yeah, spent a lot oftime building out these
wonderful Teams channels andwe've built a whole list of
(37:44):
internal dev pages where peoplecan find us. And equally, this
is kind of one of the otherareas where we wanted to enable
telemetry so that we canactually try and help track down
some of our first partycustomers and and provide a
better layer of support to them.
Shay Nehmad (37:58):
By the way, the people are not gonna throw
drinks at you for the you know,being a Java developer. I I
assume we have some Javarecovery people in the in the
listeners. You know what I mean?
Jonathan Hall (38:09):
Well, we probably have people who still like Java
in our listenership, and that'sfine too. I don't understand
them, but it's fine that they'rethere.
George Adams (38:17):
I mean, we like Java. I like Java. Yeah, no, it
was it was fun. When I first gotwhen I first got brought into
the group, I remember a threadon Reddit where I was referred
to as a Java heavyweight takingover Go. So I think the the
initial concern was, are we arewe going to have a whole lot of
horrible Java crust in the inthe tool chain?
But I can assure you we're not.
Shay Nehmad (38:36):
Oh, you you don't have a FIPS, factory
implementation factory,singleton factory sort of thing
going on?
George Adams (38:43):
No. Not yet. But
Shay Nehmad (38:48):
now that we have generic, cool. So other than,
you know, is there like aformal, something more formal,
like a training thing insideMicrosoft for for Go? Is there a
movement towards Go? Are youmore like, it sounds like you're
letting the customers come toyou, you're giving the
telemetry, you're answeringthings. Are you actively
(39:09):
pushing, you know, likeevangelizing Go in Microsoft or
do you not think that's actuallythe point?
George Adams (39:15):
I think it absolutely is the point, and I
think it's worth doing. And Ithink one of the challenges is,
as I say, the team is stillreasonably young in its
existence and hasn't had a hugeamount of time to go beyond
that. But one of the areas we'redefinitely trying to improve is
just developer learning acrossthe company for Go, right? I
think there's a lot of resourcesfor you want to become a Python
(39:37):
developer, you want to become adot net developer, you want to
go and learn more about thesethings. And so, I think one of
the areas that we're definitelytrying to improve is for people
inside the company, A, how canthey find Go and how can they
connect with the community?
And B, how can they, if theywant to shift career or they
want to up shift what they'redoing into a more Go focused
(39:57):
space, how can we support themin doing that? And Microsoft is
a good company for this. Fulltransparency, you can move
around really easily in thecompany and retrain, relearn new
skills. And I see lots of peopledoing this in Developer Division
where you come from a particularlanguage and you go to another.
And to be perfectly honest withyou, I'm a great example.
I came from Java. And so, Ithink there is the existence of
(40:22):
some of the support there, butI'd like to see more. And it's
one of the areas that I'm hopingwe can build out more. Part of
that involves having a moreformal developer advocacy set up
for Go, which we just don't havetoday.
Jonathan Hall (40:34):
All right, George, I have a couple of
questions, I think before we tryto wrap this up. So of course,
we led this interview with asilly joke about opting out,
which is kind of how we stumbledupon your contact details in the
first place that Microsoft hasdecided for opt out telemetry,
whereas the Go team famouslydecided for opt in telemetry
sort of against protest. Whatmade the Microsoft team make
(40:57):
that decision? And secondarily,who does it affect? Does it only
affect internal Microsoft teamsor who else is this going to be
affecting?
George Adams (41:05):
Yeah, that's a great question. And I think the
first disclaimer is, yeah,absolutely. Microsoft has gone
and enabled telemetry to justsort of make it clear the
telemetry we've enabled iscompletely separate from the
upstream Google telemetry that'sthere. And yes, Google's is opt
in, ours is opt out. The keything here, and I guess the kind
(41:25):
of headline figures are, we wantto understand real world usage
of our toolchain.
Right now, we just don't havethat. We want to be able to
prioritize the optimizations orfixes that will have high
impact. So we want to understandwhich teams are using which
particular components, and thatthen helps us prioritize these
things. And the other area is wecan then make better upstream
contributions informed by thatdata, which was one of the key
(41:47):
reasons I wanted to do this inthe first place. We wanted to be
able to say, Well, here's awhole load of Windows users, and
they're all using this API thatuses this really old Cisco.
That's slow and we can do thatbetter. And that then helps us
prioritize making the Gocommunity better for everyone.
So yeah, I guess to answer yourquestion, why opt out rather
than opt in? Most of thelanguages in Microsoft are that
(42:11):
way. So like .net, for example,is the same.
And the reason we did thatreally was nine times out of 10,
the use cases that we'reencouraging people to use
Microsoft Builder Go for are (42:19):
A, you're an internal customer, so
you're a first party or B,you're probably using it in some
sort of CI environment. And bothof those scenarios, we think
it's valuable enough to be ableto gather that telemetry. And
the key thing here is thetelemetry helps us understand
whether people are using ourcrypto backend or Google's
(42:40):
crypto backend. That's kind ofrelevant to us because that then
allows us to kind of say, Well,how many users are using our
backend and how do we thenprioritize what we're doing So,
yeah, what are we collecting?It's basically command and
usage, flags.
We look at some environmentcontext, but sort of crucially,
whenever tracking your code,your identifiers, yeah, you're
(43:01):
safe. It's anonymized. And wereally don't want it to ever
become something more than that,just as Google have the same
kind of guidelines. Right?
Jonathan Hall (43:09):
Mhmm. Is it possible to opt into both
Google's telemetry and yours andsend that to both places?
George Adams (43:17):
Yeah. Absolutely.
Shay Nehmad (43:18):
That's a good
George Adams (43:20):
question. You can opt into both Google's and
Microsoft's. So telemetry worksin a slightly different way,
which is it sends the telemetryon the fly. Google's telemetry
creates a local telemetry store,I think it's weekly pushes an
update up, and you enable thatwith the GoTelemetry command.
Ours, because it's opt in bydefault sorry, opt out by
(43:41):
default this is, see, even I'mconfused with opt in, opt out
now.
Because ours is opt out bydefault, it essentially just
pushes it whenever you runcertain subcommands. So yes, you
can absolutely send yourtelemetry in both ways. And that
was one of the key things wewanted to do here. We didn't
want to take away from thetelemetry that Google get and
then use in their annualreports.
Shay Nehmad (44:02):
Yeah. Nice. How can I opt into Metas as well? I need
I need Amazon and Metas to knowwhat I'm doing
Jonathan Hall (44:11):
with Go. You're opted into that just by being
born.
George Adams (44:17):
Yes. There's the, export Mark Zuckerberg is a, is
a robot equal one, and that willstart sending them telemetry.
Shay Nehmad (44:24):
You know what? I do have a Facebook account, and I
really wanted to delete it. AndI didn't delete it for two
reasons. First one was, my StackOverflow account was related to
that and Uh-huh. At the time Iwas like, oh, I really care
about the points.
It was I used it as a sociallogin. And then my mom doesn't
allow me to delete it becauseshe sells like secondhand stuff
(44:45):
on Facebook Marketplace andwants me to reshare it. So I'm
stuck with it. I might I might,do an integration, you know,
every time I run go build, postthe status on my wall. Shai just
ran go build.
It took him x y seconds. Nice.
George Adams (44:59):
I would be would love to have a vote. That would
be pretty cool. One
Jonathan Hall (45:03):
one last question. I I think it I mean, I
think this goes without saying,but I I think you could
elaborate on my assumptionshere. I'm sure that your team
also contributes upstream to theGo project. Some of the things
you do, maybe they make sense tomerge upstream eventually. Maybe
you're fixing bugs that affectyou.
What kind of what kind ofcontributions do you make to go
(45:26):
that don't affect your fork?
George Adams (45:30):
Yeah, that's a that's a good question. I think
sort of fundamentally we we havea couple of people in my team
that sit on the official Windowsport maintainers group. And so
that's kind of one of the areasthat we've focused quite heavily
on, on making Windows a firstclass platform in Go. And I
think it's fair to say I'll holdmy hands up and say the
(45:51):
experience today on Windows isnot as good for Go developers as
it is on macOS and Linux. Andthat's an area that we want to
improve.
There's certain Cisco's, forexample, that use very old, say,
like Windows XP or Windows VistaCisco's that we just want to
kill. And that's kind of one ofthe areas that we've been
working pretty hard on improvingthat. There's also more tricky
(46:14):
decisions that we have to make.One of them, for example, being
long path support, which wasadded into the upstream Go
toolset, but that was using awhole load of undocumented APIs.
And so we actually made thedecision to remove long path
support from our Microsoft buildfor compliance reasons.
But the challenge that we nowhave is trying to obviously
realign upstream Go and worktogether with them to find a new
(46:35):
version of doing that. Otherthan that, I think the key thing
is just working on the Windowsports in general. So like
Windows ARM 64, we were veryheavily involved in. I think
that's definitely an excitingarea, one that is becoming more
widely used. I think evenlooking at our internal
downloads, we're seeing morepeople using Windows ARM than
ever before.
So that's definitely an areathat we want to we're working
(46:58):
with Google to get Windows ARMto be a first class, first tier
platform, I think it's called.And that will be an area where I
expect that Microsoft will haveto help sort of maintain that
and keep that stable for thelong term.
Jonathan Hall (47:09):
Well, thank you. I'm not a Windows ARM user, at
least not yet, but I appreciatethe contributions on behalf of
the community.
Shay Nehmad (47:18):
Know that Yeah. I'm planning to run, like, on my
Windows machine the moment Ifind someone who can give me a
case to rebuild it because I hadit back in Israel. And then I
took it apart, and I can'trebuild it yet. But once it's
up, man, I'm gonna run tons ofGo projects on that thing. And
it is like it it always has beena pain.
(47:39):
It's it's become much easiersince you have a WSL, but you
don't wanna run everythingthrough a container or, you
know, a virtual environment. Youjust want to run things on your
machine. And whenever the Gosurvey comes out, Jonathan and I
are like incredibly surprised byhow many people use Windows, for
Go. It's always like 20something percent, which is way
(48:00):
more than I would expect.
George Adams (48:01):
Yeah. In fairness, the numbers surprised me too,
actually. And to be fair, likefull disclosure, I'm sitting in
front of my MacBook right now,which is always funny when
people sort of joke about mebeing a Microsoft employee and
not using Windows. But yeah, Ithink there definitely is a
reasonable market share there.And they are obviously screaming
(48:22):
for more features, especiallylooking at the IDE space.
So Versus Code, making WindowsVersus Code and Go work
together. And also one of theareas that we've been working
with more recently is workingwith GitHub on getting Copilot
and particularly a GenSync modeof Copilot to work better with
Go. And that's, I think going tobe an area that will hopefully
(48:42):
help millions of developersaround the world, which would be
pretty cool.
Shay Nehmad (48:47):
Awesome. Damn. Cool stuff. Well, one thing we wanted
to, mention is the Go blog fromMicrosoft, the Go Dev blog,
which is how we met, so alreadyan incredible resource. But,
let's just, put it out there.
(49:07):
First of all, if you'relistening, the link is in the
show notes. What can peopleexpect to see there, Jordan?
George Adams (49:14):
Yeah, it's good question. Thanks plugging our
blog. I'm pretty proud thatwe've got it there. And I think
it's our first sort of reallypublic platform we can use to
share more of the excitingthings we do. A lot of the blogs
right now are release notes.
And so bear with those. They'reobviously useful and we want
people to see them. But we'vealso got a lot of other things
that we're talking about,particularly Windows
(49:34):
optimizations we're making inthe community. Our plan is to
try and use that and also sharemore company wide updates. So
for example, TypeScript andTypeScript Go, that's gonna be
an awesome opportunity to sharesome of the cool things that
we're doing in that dev blog.
So definitely join that. I thinkyou can put in your email and
hit subscribe, and then thatautomatically sends you sends
(49:55):
you more blogs that I that Iwell, me and my team write.
Shay Nehmad (49:59):
So, you know, we're obviously, we're happy to
mention it. The link is in theshow notes. And also, you open
that link, you do have an RSSyou could, follow, and you could
even enter your email, to, like,sign up for the newsletter. So
no no reason not to not to stayinformed unless you want to stay
informed only through our showbecause we'll only tell about
(50:20):
the interesting, blogs, not allof them.
George Adams (50:22):
Absolutely. And and if there's if there's blogs
that that your show findinteresting, would happily send
you the contacts for some of theother people that are writing
them. I'm sure there's otherpeople in Microsoft that would
love to talk more technicallyabout what we're doing in the
space.
Jonathan Hall (50:36):
Cool. Cool. Cool. Well, George, thanks so much for
giving us a glimpse behind theMicrosoft curtain at the Go team
there. As we talked before westarted recording, we like to
ask our guests a commonquestion.
This year we're asking, who hasbeen most influential for you in
learning Go? I know you camefrom the Java background, but
(50:56):
you've been doing Go now for afew years. Who's who's been the
biggest influence?
George Adams (51:00):
Yeah. That's a that's a good question. And in
fairness, I think that's a toughone to answer. My my team will
all be sitting here saying,well, why don't you pick me?
Think for me, there's a handfulof people that have definitely
influenced my journey, bothGoogle side, particularly
Filippo, I've followed prettyclosely from the crypto side.
I've also got some amazingengineers in my team, Kim
(51:23):
Montal, Davis Gooden, to name afew that are working on some
super interesting stuff and arevery heavily involved in
upstream Go and have reallyacted sort of as mentors to me
coming in and asking them why Ican't run Java minus version of
my Go app. So they're definitelyout there as some great people.
But my team is continuing togrow. One of the greatest things
(51:44):
about being an engineeringmanager at Microsoft is you can
hire some of the most amazingpeople and work with them daily.
So I've got a whole handful ofpeople I'd love to name on this,
but I'd be going for a longtime.
Jonathan Hall (51:54):
That's great. That's a great answer. I think
it's hard for most of us to picka single person. Kind of take my
knowledge, as they say, right?Yeah, there you go.
Easy. ChatGPT was my biggestinfluence.
Shay Nehmad (52:09):
Absolutely. And ironically, Jonathan, what your
behavior right now, like fiveyears from now, gonna be
considered like, oh, he's notcool enough yet to not be racist
on the chatbots. I'd be carefulwhat you put
Jonathan Hall (52:24):
on record, man. I'm not worried. I'm not
worried.
Shay Nehmad (52:27):
George, thanks a lot for, coming on and shedding
some light. I'll be watching theMicrosoft Devlog a lot more
closely.
George Adams (52:35):
No. Thanks for having me. It's been, it's been
awesome.
Jonathan Hall (52:37):
Yeah. It's been wonderful.
This
Shay Nehmad (00:10):
is Cup o' Go for 08/08/2025. Stay up to date with
the important happenings of theGo community in about fifteen
minutes per week. I'm ShayNehmad.
Jonathan Hall (00:19):
Oh, and I'm Jonathan Hall.
to a slow start here, man.
Shay Nehmad (00:25):
I'm actually I just drank really good coffee. I
don't know if I wanna shout outthe shop because they don't
sponsor us. It's like very localto San Jose, it's not a chain.
I'll do it. Nirvana Soul.
You know these coffee shopswhere you walk in and they're
like, oh, this place is tootrendy for me. I'm not not cool
enough to drink coffee here.
Jonathan Hall (00:46):
I don't think I've had that experience.
Shay Nehmad (00:48):
You should you should drink coffee in the Bay
Area, and you will definitelyhave that experience.
Jonathan Hall (00:53):
Yeah. Well, I've been to Starbucks store number
one, but it it that that was notthat vibe there at all.
Shay Nehmad (00:59):
Anyway, I'm after coffee, and I'm, kinda tired.
But let's, let's push throughbecause we have a really, good
interview today, and I wanna getto that.
Jonathan Hall (01:07):
Yes, we do.
Shay Nehmad (01:08):
Let's start with the new release.
Jonathan Hall (01:10):
Oh, yeah. It's one point twenty five, right?
Shay Nehmad (01:13):
No, not yet.
Jonathan Hall (01:14):
No, not yet. Next week.
Shay Nehmad (01:16):
Probably.
Jonathan Hall (01:16):
Probably. So for now we have one point twenty
four point six and one pointtwenty three point twelve and
one point twenty five point RCNext, whatever it is, three or
four or something. They allinclude two security releases.
Tell us about the first one.
Shay Nehmad (01:30):
So the first one is one we've mentioned in the past.
It's OS exec look path mayreturn unexpected paths. This is
not like a hugely importantsecurity fix. I think it's
important, but, you know, it'sjust a normal security fix, but
it became a staple of the showjust because a listener told us
about it, then I got involvedwith the code review and I've
(01:50):
been checking up on that. Like,I've been getting emails about
it every day since, about thecomments and I've been replying
and when it got merged, washappy.
We told about it last week andnow it's in. Thank you, Olivier
Mengui for reporting this issue.This is CV202547906.
Jonathan Hall (02:07):
I have to say it's a little bit funny, at
least from my perspective here,that I've been reading about
this for the last few daysbecause it was it was pre
announced as a secret securitypatch. It's it's funny that one
of the secret security patchesis something we've been talking
about for three weeks already.
Shay Nehmad (02:23):
Yeah. Yeah. Still. There is another fix though that
looks super interesting and Ididn't do the code review on. So
so what's up there?
Jonathan Hall (02:31):
Yeah. So this is not the usual suspects at all.
Shay Nehmad (02:35):
Kaiser Soze. Got the cripple in there from New
York. Yeah. Did he mentionKaiser Soze? Who?
Just bear with me here.
Jonathan Hall (02:44):
Who's Kaiser Soze? Oh, So, yeah, this is not
the usual suspects. A bug, asecurity bug in database SQL.
Shay Nehmad (02:54):
That doesn't sound important.
Jonathan Hall (02:55):
No. Of course not. Nobody uses that. So it's
it's a it's really a very cornercase. I'll just read the
description.
I think it's a pretty gooddescription. Canceling a query,
such as by canceling the contextpassed to one of the query
methods, during a call to to thescan method of the returned rows
can result in unexpected resultsif other queries are being made
(03:16):
in parallel. So you have to belike doing multiple queries on
the same database in paralleland cancel one of them by
canceling a context. If you dothat under the right
circumstances, then you may getunexpected results or you may
even get results from the wrongquery into your scan result.
Shay Nehmad (03:35):
Woah. Damn, that sounds actually super
reasonable. Like, I'm thinkingabout the very reasonable case
you have a DB that has like rowlevel security to requests
coming to your web app at once,one from org a, one from org b,
then the connection gets closedon org a because they closed
their web whatever, connectionclosed. You cancel org a and
(03:56):
then org b gets the results fororg a data leak. Hot damn.
Jonathan Hall (04:00):
Pretty
Shay Nehmad (04:00):
This seems like
Jonathan Hall (04:01):
severe. Pretty serious. I mean, I think I think
it's very difficult to triggerthe condition, but if you do,
the results could be veryserious.
Shay Nehmad (04:09):
So Is it like a race condition sort of thing?
Like
Jonathan Hall (04:13):
I haven't looked at the code, but that's what it
sounds like to me, based on thedescription. So I don't wanna
take chances. I'm upgrading.
Shay Nehmad (04:20):
Yeah. You should I mean, it's easy. Right? You
should upgrade anyway. Thesethings are are usually, like,
not breaking.
And thank you for thank you toSpike Curtis from Coder for
reporting this issue.
Jonathan Hall (04:36):
Yeah. So go upgrade your code, and then next
week, probably, you can upgradeto 1.25 and get all the other
cool new things that we'll betalking about probably next
week.
Shay Nehmad (04:45):
I wonder how many times people ran into this bug
and then they refreshed thequery and it didn't happen
again. They're like, whatever.Actually wondering how Spike ran
into this, if it was like onpurpose or not.
Jonathan Hall (04:56):
Oh, that's a good question. Well, if
Shay Nehmad (04:57):
only there was some way to, you know, see all the
commands he ever ran. Could youthink of such an option?
Jonathan Hall (05:03):
I can't think of any way to do that.
Shay Nehmad (05:05):
Well, how about telemetry? We'll force everybody
to, you know, send us what theythey build. The community is
gonna be fine with that. Right?
Jonathan Hall (05:12):
Sure. Why not?
Shay Nehmad (05:14):
I think I'm gonna be using some flashbacks.
Jonathan Hall (05:15):
To wait a second. Yeah. So Microsoft and
telemetry, they decided to takea slightly different approach
than Google. What's that about?
Shay Nehmad (05:23):
So if you remember, actually, I think it was one of
the first things we Like one ofthe first overarching topics we
covered on the show because ithappened like a year and a half
ago when we started. The Googleteam wanted to add telemetry to
better direct the direction ofthe Go team and whatever. And
(05:45):
they made it opt- Opt in.
Jonathan Hall (05:49):
After some debate. It was originally gonna
be opt out.
Shay Nehmad (05:53):
Was opt out and people were really pissed off
about it, and then it theyturned it into opt in after
community feedback. Microsoft'sbuild of Go adds another
telemetry layer for the Go teamat Microsoft. And if you wanna
hear more about that and like,it's part of they they published
(06:14):
it on the dev blog, but Iimplore you to just stick around
because you could hear a lotmore about it when we
interviewed George Adams, who Ijust read this blog post and I
was like, that seemsinteresting. I wonder why they
do that. And I just contactedhim and was like, of course, I'd
love to come on.
Yeah. It's a bit of acliffhanger, Stick around for
the interview, but just if youdon't wanna listen to the
(06:35):
interview, you know, the datacollected is anonymized and they
have full you have full controlof it, and you can disable it by
MS Go tool chain telemetryenabled, setting it to zero. But
honestly, if you're using the Gothe Microsoft Go version, you
probably wanna send them thistelemetry. And this is separate
from the Google telemetry. It'sjust not the same thing.
So you can even send both if you
Jonathan Hall (06:56):
don't I love to send data.
Shay Nehmad (06:58):
I mean, I have opted into the Go telemetry I
Jonathan Hall (07:02):
have I have too. Yes.
Shay Nehmad (07:04):
And, yeah, stick around for the interview. We we
actually go into detail aboutthat and just go in Microsoft in
general, which is interesting.
Jonathan Hall (07:11):
So, something we talk about in that interview, a
lot is security since that's oneof the reasons that, Microsoft
has their own fork. So on thattopic, Filipe Valsorto, who's
been on the show before and doesa lot of work with the security
and crypto in Go, has a new blogpost out this about a week ago,
I guess, which I think isfascinating. It's about so
(07:34):
essentially, it's about assemblymutation testing in Go. But I
think
Shay Nehmad (07:38):
What does that mean?
Jonathan Hall (07:38):
Yeah. I'll talk what that means. What's what's
actually a little bit moreinteresting than that on and of
itself is the reason it's souseful in the sort of work he
does with crypto. But one stepat a time. So let's dissect that
title Go Assembly MutationTesting.
We already talked about thislast week about the pure Go tag,
That some Go code is written inassembly or Go's sort of pseudo
(08:02):
assembly. And that's very truefor a lot of the crypto
packages, low level stuff thatdo bite or bit manipulation and
so on and so forth. It's just alot more efficient to do that
sort of stuff in assembly thanit is in Go in many cases. So a
lot of the crypto work is donein assembly. So that's why Go
assembly.
What's mutation testing? Are youfamiliar with mutation testing,
(08:22):
Shay?
Shay Nehmad (08:23):
I'm familiar with the term.
Jonathan Hall (08:25):
Okay.
Shay Nehmad (08:25):
But it's basically like you run your thing, you
have like an expected output andthen you change your binary in
some way or your environment insome way and you try to fuzz,
like, what changes will causeyour expected result to break?
Is that the
Jonathan Hall (08:41):
So, yeah, you're you're pretty close. So we had
John Arundel on way back when,probably a year and a half ago,
who talked about fuzz testingwhen that was new in Go. Fuzz
testing is where you sort offeed random inputs to your
existing program and see whichones cause breakage. And this is
a way to sort of build a morerobust test suite. Mutation
testing is kind of the oppositeor the other side of that, where
(09:02):
you use maybe the same inputs,but you actually mutate the
program.
You don't mutate the inputs. Andthe idea is if you can change
the program and it doesn't breakyour tests, then your tests
probably aren't sophisticatedenough or they aren't covering
enough, right? If you take So asimple if statement, you have if
X equals Y and you mutate thatrandomly, so now it says if X
(09:25):
equals X, but it doesn't causeany tests to fail, then you
probably don't have sufficienttest coverage, right? Obviously,
mutations will generate aninvalid program and those are
easy to filter out. But assumingthat you do a mutation that
generates a valid program, butan incorrect program, you want
it to cause your test to fail.
So we're talking about doingmutation testing for Go
(09:45):
assembly. So that's topic of theblog post. Now, why would this
be a particularly interestingtopic? He goes into some
background here, which I'm notgoing go through all of it
because if you want that, youcan go read the blog post. But
he goes into some of the reasonswhy this is particularly
interesting for the sorts ofwork that we do with crypto and
Go.
So one simple example issomething I don't usually deal a
(10:07):
lot with, but it's reallyimportant in crypto, that is to
have code that executes inconstant time, meaning that
given different inputs, it stilltakes the same amount of time,
the same operations are executedregardless of input. You don't
take shortcuts. Know, if you'redoing certain decoding, might
know that, oh, this means that Ican I don't have to decode the
next 16 bytes because of the waythis is laid out? I could skip
(10:28):
that and be faster. Normally,want to do that with crypto.
We don't want to do that becausethat can allow for certain types
of forensic attacks, sidechannel attacks. You can if you
have access to the machine thatgoes running on, you can see,
oh, this ran faster in this casethan with this case so that I
can deduce certain things aboutsecurity, which I'm sure you
know a lot more about Shy than Ido.
Shay Nehmad (10:47):
I mean, you don't even have to have access to the
machine. Like, let's say you tryto decode a password, right?
Sure. You can do the sidechannel thing of, oh, if I pass
a password that starts with thecorrect letter, then it takes
longer. This is like so manylayers deep.
I feel like that the level ofcoverage and the level of
precision the Go team is talkingabout is like way more than even
(11:08):
the above layman understandingof security. Yeah, yeah. I mean,
is like standard standard. Butmutation testing is like, itself
seems like a fragile thing thatwould bring up like random edge
cases anyway. I mean, That'skind of the point, right?
The machine flips random bitshere and there, things are not
gonna work.
Jonathan Hall (11:28):
So, yeah, I suppose that's true. I think we
mostly trust our machines not toflip random bits in most cases,
but it certainly does happen intimes, right? But getting back
to this constant time, one ofthe So I sort of knew the
concept of constant time and whyit was important. I had never
considered the implications ontesting and he lays that out
here. One of simple ways to doconstant time is to, whenever
(11:51):
you have an if branch, forexample, execute both branches
all the time and then discardone result, the one you don't
need, depending on the thing.
That way you always do the sameamount of execution regardless
of your inputs. Well, that wouldmean that your normal tests look
like no matter what you do, youcovered all branches, right?
Because they all executed, butyou didn't necessarily assert on
all of So this is where themutation testing starts to come
in. It helps you it helps sortof bring to the surface the
(12:14):
areas where you may haveexecuted the code because of
this constant time constraint,but you aren't necessarily
testing all of the conditionalsthat might have been triggered.
So mutation testing is one toolthat they can use to help cover
these sorts of cases.
And then he goes into, heactually shows some examples of
assembly code, which I haven'tbothered to read in-depth enough
(12:37):
to fully understand it. But he'sbasically, he's building a test
framework to do mutation testingin GoAssembly, which I think is
pretty cool. I'll probably neveruse it since I don't write
GoAssembly. And if I ever do,it'll it won't be a lot. I don't
imagine.
But I think it's a pretty coolconcept. So I like this post.
Thanks, Filippo, for sharingthis with us.
Shay Nehmad (12:55):
The question I have, if what you wanna do is
uncover these problems, why doyou have to do it in the
assembly layer and not justmutate source code? Can't you do
this thing and just change theGo code instead of changing,
like, the assembly commands?
Jonathan Hall (13:13):
I think this is where they're writing assembly
directly to be more efficient.So this isn't so so, yes, you
have Go code that's essentiallytranspiled to the Go assembly,
right? I think that's whatyou're talking about. Here is
where they're actually writingthe assembly raw, I believe.
Shay Nehmad (13:28):
Okay. Okay.
Jonathan Hall (13:30):
Because they want they want the the precise
control over the Bitwiseoperations, and they want to
make sure that the GoCompilerdoesn't do any path
optimizations to to, clean updead code and stuff like that,
that would ruin the constanttime.
Shay Nehmad (13:45):
Generally, unless you But the general policy
around like writing assembly,you absolutely need it, it's
better for you to write Go.Sure. Right? It's more portable,
etcetera, etcetera.
Jonathan Hall (13:55):
Right, right, Definitely.
Shay Nehmad (13:58):
I mean, assembly is fun. I I enjoy writing assembly
and disassembly and reverseengineering, but it's I think
the the general thing is
Jonathan Hall (14:06):
It's like doing a Sudoku. You do it for fun, not
because it's productive.
Shay Nehmad (14:08):
Right? Totally. It is very Sudoku ish in a sense.
You have to like remember whatyou have in each register, what
you've pushed to the stack.Yeah.
It is Sudoku e in nature forsure. Cool. I wanted to mention
one other blog post and I feelbad about breaking it up because
I put it in the backlog and thenevery week I was like, Oh, we'll
get to it next week, we'll getto it next week. And it's been
(14:29):
like a month and a half. So, ifyou read this already, I'm
sorry.
But GitLab caught anothertyposquatting supply chain
attack thing, and I like theirtechnique. So I'll quickly
explain what the typosquattingthing is. When you import a
package in Go, you usually dolike, go get, and then you pass
in the, like, path, right?
Jonathan Hall (14:51):
Mhmm.
Shay Nehmad (14:51):
The github.com/something/whatever
for third party libraries. With,you know, copy pasted snippets
and AI code generation and blogposts and whatever, it's very
rare that I just sit out andtype out the package name.
Usually I just go on GitHub, Ifind the package I need, and if
I don't already know what Ineed. Typical squatting is where
(15:14):
people make their packages looklike the package you actually
want to import. Maybe the nameis like one character over or
something like that.
And then you import theirpackage and theoretically it
does the same, maybe it's even afork, but somewhere inside the
code they have their maliciousintent, like installing a key
(15:35):
logger or whatever, justsomething malicious.
CryptoMiner, many othermalicious options, remain,
right? CNC server, CNC client,or a botnet, blah blah blah.
There is one. If you use a QMGO,which is a MongoDB model, double
check your import because thereal one is
(15:58):
github.com/qiniu/qmgo.
Title squatting one isgithub.com/qiniu/qmgo. So you
won't even be able to see itwhen you look at the package
name, only the package path. Andit's just like one extra I in a
name that I think most peoplewon't be able to realize is
(16:19):
because it's not a word, it'skind of hard to even understand,
you know, you imported the wrongGo driver.
Jonathan Hall (16:24):
You know how easy it is to make a mistake with
this spelling? The authors ofthe article made a mistake with
the spelling.
Shay Nehmad (16:30):
What do mean?
Jonathan Hall (16:31):
That's how easy it is. In one place, they say Q
I N I I u. In another place,they say q I I n I u. So they
they put the double I indifferent places depending on
where you read in the article.
Shay Nehmad (16:41):
Oh, no. No. No. You should read the article very
carefully. The first type ofsquatting
Jonathan Hall (16:46):
Two was type of smuttings.
Shay Nehmad (16:48):
They GitHub took it down, and then they did another
one with the double I in adifferent place.
Jonathan Hall (16:53):
Got it.
Shay Nehmad (16:54):
But the fact that you thought that there was, both
of them the same thing justshows it goes to show how easy
it is. Yeah. And again, it's nota word, so it's not very easy to
like understand that it's thewrong thing. First of all, like
double check which package youimported, especially if it's a
third party thing and especiallyif you added it recently,
generally. What I liked aboutthis blog post other than the
(17:16):
fact that they did it allseriously and analyzed the code,
and the code by the way is likethe malicious payload is
actually downloading like a fileand then executing thing, and
then it downloads an MP3 andthen it puts it somewhere and
it's a Go binary, and then itgives you like a persistent
remote access to the machine,tries to connect to a command
(17:36):
and control server, and then youcould do whatever you want.
Screenshots, SOX proxy, shellaccess. So it's like it
basically completely owns yourmachine. Just, like, installs a
Trojan horse, opens it to the tothe web. Pretty pretty, like,
hardcore. The way theydiscovered it is pretty cool.
Like, how would you discovertype of squatting, a type of
(17:58):
squatting attack in the wild?
Jonathan Hall (17:59):
Probably by something weird happening on my
machine and investigating to seewhat happened.
Shay Nehmad (18:04):
But that's a bit too late, right? You want to
discover it before it happens.
Jonathan Hall (18:07):
I'm trying to do it at a time, like you're
asking, like, what would be mylike, if I was implementing
security policies, I don't know,a white list of known good
packages or something that
Shay Nehmad (18:18):
has So that's be one way to do it. But then when
you wanna add a new package, yougotta somehow add it to the
thing.
Jonathan Hall (18:24):
Yeah, yeah.
Shay Nehmad (18:25):
Actually, the Vollum research team at GitLab
developed a whole automateddetection system. Nice. So they
do automated type of squattingdetection, like just look at
suspicious naming patterns. So Iguess everything that's like
leverage staying distance of Xor suspicious existing patterns
(18:45):
already, and semantic codeanalysis. So they look at Go
code in the packages that mightbe typosquatting and filter it
by like there's a networkrequest or command execution,
things that shouldn't happen inlibraries basically.
And finally, they do AI assistedinitial screening for like
trying to understand if there'slike advanced payloads or
(19:07):
obfuscation detection, which Ithink is a great use of like
LLMs. You're like, Oh, just lookat this code and tell me if it
looks suspicious or not. Hereare a few examples of normal
looking code, and here's a fewexamples of payload cyber y
looking code. And given enoughexamples, you could get a pretty
(19:30):
high confidence vote here. Whentrying to look at all packages,
this is like a great way tofilter and prioritize what to
look at.
So I really liked it. It's asystematic approach to solving
the problem. And I was like, oh,let's see what happens after
someone gets owned, which iscool. Great stuff for GitLab
security team. Like, And youknow, if they find it and they
(19:51):
find it on GitHub, take it down,they're helping everybody, like
every Go developer, just GitLab.
So that's awesome as well.
Jonathan Hall (19:58):
I like this episode. We have a theme going
here that GitLab helps GitHuband Microsoft helps Go. We'll
have more about that in theinterview.
Shay Nehmad (20:05):
Yeah. Kumbaya, everybody together. And only the
only the cyber attackers are inthe corner,
Jonathan Hall (20:10):
like, stop taking all our vectors.
Shay Nehmad (20:12):
Talking about stop, let's stop for a brief moment
here before we continue with ourepisode. What do you say? Okay.
Like I mentioned at the top ofthe episode, this show is
supported by you. This is ahobby, Jonathan and I do it for
fun and to stay on top of Go,but it also costs us some money.
(20:34):
If you wanna help us recoup someof that costs, if the show is
helpful for you, you can supportus directly on Patreon, where
you can kick us 3 or $8 a monthand helps cover the cost of the
show. Last week I mentioned thatI couldn't pull the funds, I
fixed it, I got the money. Allgood. If you want to find the
Patreon link or the Swag Storelink or our Gopher Slack channel
Jonathan Hall (20:53):
or our
Shay Nehmad (20:54):
email or all past episodes, including transcripts,
you can find all of that atkapogo.dev. And if you want to
help the show in other ways,spreading the word, leaving
reviews, rating it, sharing whatyou've learned, and then kicking
us back and say, oh, I learnedit on that show. Just getting
more people to listen, would begreat. I recently opened our,
analytics and I was very happyto see, like, some milestones we
(21:17):
reached and seems like the showis doing really well. That's
mostly thanks to you sharing itwith other people.
So we really appreciatelistening, sharing the show and
just talking about it. One tinyprogramming, well, it's not a
programming note, I guess it'sjust an ask. If you're a gopher
in the Bay Area, I'm thinkingabout hosting another meetup
(21:38):
somewhere around October. If youthink you'd like to come, join
the San Francisco channel and gofor a second, let me know. I'll
I'll try to arrange it.
This is not related to the show,but probably we'll do another
live episode because that wassuper fun.
Jonathan Hall (21:52):
That was fun, even though I wasn't there.
Shay Nehmad (21:54):
Yeah. Maybe we'll fly you out this time. Probably
not.
Jonathan Hall (21:57):
With all that all that Patreon money we've got
sitting in your
Shay Nehmad (21:59):
account now. Yeah. Exactly. Private jet. So, yeah,
San Francisco meetup, mighthappen in October.
A good chance to see me live.Are there any good chances to
see you live, Jonathan, and ifwe if we won't end up flying you
out?
Jonathan Hall (22:13):
Yeah. Well, there there are. So I don't know if
you remember. I used tolivestream coding in Go back
before I moved, and I'm finallyat the point where I'm ready to
start doing that again. So nextweek, Friday the fifteenth,
03:00PM local time for me, whichis I think 7PM UTC.
I'm going to start livestreaming. I'm going to try to
(22:34):
do it every Friday or almostevery Friday. So if you'd like
to watch me code and go, I'mgoing to be working on my open
source project. Some of thecomments I've gotten before are,
wow, I never saw anybody do TDDon a real project. Or I get
commentary asking, why do you doit this way instead of that way?
So it's fun. Sometimes I make afool of myself because I don't
know the answer to how to dosomething. But yeah, I'll make a
(22:56):
fool of myself in public, that'sfine.
Shay Nehmad (22:57):
Usually we have a lighting around here, but we
just really want you all to hearwhat George Adams has to say
about Go at Microsoft. So we'rejust gonna move to that
interview. Thanks a lot forlistening. Alright, Jonathan.
Today, we're doing an interviewwith, George Adams from
Microsoft.
Jonathan Hall (23:16):
George Adams from Microsoft. I I never signed up
for that. How do I opt out?
Shay Nehmad (23:20):
No. No. We're doing an interview right now. No
questions.
Jonathan Hall (23:23):
Fine. Fine. I'll do it. Hi, George.
George Adams (23:25):
Hey. Nice to meet you. Nice to exciting to be on
the show.
Jonathan Hall (23:29):
Yeah. Glad to have you here. So, George, I
believe you are our firstofficial Microsoft employee on
the show. Welcome and thank youfor being the first one to
respond to our request. We'vewe've reached out to a couple.
George Adams (23:38):
Well, I mean, it's it's obviously an honor to be
here, and and hopefully first,but, certainly not last. I'm
sure there's a whole load of,people at Microsoft that would
love to talk to you.
Shay Nehmad (23:47):
Well, depends how it goes. You know what I mean?
If if we if we totally roastyou, maybe they wouldn't wanna
come. So we'd we'd better benice, actually.
Jonathan Hall (23:56):
If I'm
George Adams (23:56):
in the headlines of Hacker News tomorrow, you'll
never hear from me again.
Jonathan Hall (24:00):
Alright. Well, tell us, George, a little bit
about what you do at Microsoft,and and in general. Tell us
about who you are.
George Adams (24:06):
Yeah. Sure. So, yeah, I guess hey, folks. My
name is George Adams. I'm asoftware engineering manager at
Microsoft, where I lead the teambehind the Microsoft Builder Go.
Our kind of primary purpose isthat we maintain a downstream
distribution of Go that powersmajor services like AKS, Azure
Kubernetes Service, GitHub, manyother first party customers. And
(24:29):
I guess the kind of key focusthat my team has is focusing on
security, compliance, And alsocrucially, we have a really kind
of strict upstream firstcontribution policy where
everything we do, we try and putit upstream first so that the
community gets goodness from itas well.
Shay Nehmad (24:45):
Really cool. The value of, doing it upstream
first is like, it's great thatthe community gets it, but also
you get some like testing and RCand whatever before you deploy
it to like critical Microsoftresources like AKS, right, that
run like the biggest enterprisecustomers in the world. Like if
you have downtime, perhaps it'sbetter to run it through the
normal process anyways, right?
George Adams (25:06):
Yeah, think you often have it going both ways.
Like there's times where we'llhave patches that we float first
and actually we see putting thatthrough a team like AKS as a
good practice before upstreamingit. You know, if it breaks AKS,
it's probably going to havebroken 10,000 other people in
the community. So sometimes thatway works as a great way of
testing a change. But equally,yeah, we also love trying to get
(25:29):
things up into the Google codebase as quickly as possible so
that they get the goodness oftesting it.
Obviously, by going into theprimary Go distribution, you get
the largest number of peopletesting it.
Shay Nehmad (25:41):
I'll start with a really basic question before we
dive into the technical detailsof how the Microsoft Teams works
and what do you do there andwhatever. It's not really a
question for me, but it's aquestion I've heard. So so let
me know what you think. Go is aGoogle language. Right?
It's out of Google. AndMicrosoft notably is not Google.
(26:03):
So how comes, Microsoft uses Go?While Microsoft does have, like,
internal language programminglanguages that it developed. The
first thing that comes to mymind is C, but I assume there
are, like, a a million others.
George Adams (26:17):
Yes. I mean, that's a great point. Right?
It's true. Go started at Google,but it's always been open
source.
And I think that's been one ofthe biggest strengths of Go,
right? Microsoft deals withdozens of different runtimes in
other languages. Yeah, C sharp,.net, Java, Rust, Python, you
name it, Microsoft's dealingwith that. I think the kind of
(26:37):
thing that really stuck out withGo firstly is Azure Kubernetes
is just a massive part of theAzure platform and AKS and all
of the Kubernetes stuff iswritten in Go fundamentally,
right? So Microsoft is almostforced into adopting Go for AKS.
But equally, Go is alsocompletely awesome for CLI
(26:59):
tooling. It's great for toolsthat we have in Azure. It's
great for things in Defender,for example. We also dozens of
SDKs that developers are usingthat are all written in Go. And
so I think, yeah, okay, Go iswritten by Google.
It's open source. Microsoft isin Google. But equally, we can
benefit a huge amount from that.And we have a lot of industry
(27:22):
expertise and also expertise inshaping the future direction of
languages and runtimes ingeneral that we can contribute
back to Google. Hopefully thatmakes Go a better place, I
guess.
Shay Nehmad (27:32):
Cool. Well, among the projects, there's also
TypeScript, right? This is likea Microsoft language and the
engine is being rewritten to Go.We reported on this a few months
ago. I'm like, I haven't Ihaven't checked up on that
project.
Is that like part of your teamor is that like someplace else?
I assume Microsoft is actually ahuge place, so that's probably a
(27:52):
dumb question.
George Adams (27:53):
Microsoft is one of those places where you've got
to go digging deep to findcertain teams. But yeah,
interestingly, the TypeScriptteam owned this for obvious
reasons. They reached out to usa little while ago, and I
remember at the time, they wereassessing a whole load of
languages as well as Rust,looking at what the best options
were. And I think it becamereally clear from almost day one
(28:15):
that they wanted to go with Go,which was fantastic. Yeah, the
performance increases, I thinkit's like 10x is what they're
reporting, is pretty cool.
And I think a lot of people inthe TypeScript community are
looking forward to that GA ingand being able to build their
massive TypeScript monsterdependent projects in in a
fraction of the time. But, yeah,I think it's it's a great
(28:36):
example of Go being used outsideof its, like, traditional back
end space. Right? So, yeah, itwas kind of an interesting one
and and one I love to talk aboutas well.
Jonathan Hall (28:43):
So you manage remind me your title or the team
that you work on.
George Adams (28:48):
So I'm an engineering manager basically. I
look after the, we'll call itthe Go toolset team in
Microsoft.
Jonathan Hall (28:57):
Okay.
George Adams (28:57):
So there are other parts of Microsoft that have
other Go teams as SDK teams,there's other teams that
maintain things like AKS, butanything that's to do with the
Go toolset, essentiallyMicrosoft's fork of Go, that
comes down to me.
Jonathan Hall (29:11):
So talk to me about what Microsoft does. I
mean, I don't know, as somebodywho's not familiar with what
Microsoft does for Go, I don'tknow what that is because the Go
toolset's already pretty robust.It has a lot of things in it. I
can imagine you're just forrubber stamping things, you
know, making sure that they passsecurity audits or something.
But I'm sure there's more to itthan that.
Tell me a little bit more aboutwhat you do. What kind of
(29:32):
features have you added otherthan turning on the opt out,
turning off opt in? I don't knowthe telemetry thing. What are
the kinds features or changesthat you make to go from the
fork?
George Adams (29:44):
Yeah, that's a good question. And to be
perfectly honest with you, likeif you look under the hood, 99%
of the code base is identical.The key thing here is that
Microsoft builds and distributesa Go tool chain for our internal
teams. Microsoft, like justabout every other large corp has
a whole load of securitygoverned policies and crypto
(30:06):
policies that we have to complywith. And a lot of that boils
down to things like SBOM, securesupply chain.
And frankly, when you're lookingat a team the size of AKS, they
want to be able to pick up thephone in the middle of the night
and say, I need a build and Ineed it yesterday. And that's
the sheer reality, right? Wecan't ask Google or expect
Google to provide that to us.And so we're primarily there to
(30:28):
essentially act as a stop gapthere. Beyond that, the other
reason that the team was puttogether at the time was that Go
had no support for FIPS, whichis the government crypto Yeah.
I've messed that up. FIPS, whichis the that acronym that I never
remember.
Jonathan Hall (30:49):
Yeah. Me either.
Shay Nehmad (30:50):
We we had someone on the show literally talk about
FIPS. What what was what who wasthat? Alex Schiele or some? For
maybe for forty five minutes,and I still don't remember what
the acronym it's just like,yeah, the government wants a
strong encryption standards,post quantum, very Federal I'm
just looking here.
George Adams (31:08):
Federal Information Processing
Standards. There you go. FIPS.You see, I say FIPS daily, but
my, my team will, my team willtease me for not knowing what
that stands for.
Shay Nehmad (31:18):
You know what? I'll tell you, George, actually,
like, behind the curtain, that'sthe whole reason we do this
show, just to learn things soour coworkers can't hold them
over our heads. We can hold themover their heads.
George Adams (31:29):
Absolutely. Absolutely.
Jonathan Hall (31:31):
Sean, you're saying the quiet part out loud.
Stop it.
George Adams (31:34):
Yeah. We can't see what's going on behind the
scene, surely. But, yeah, Iguess so that the kind of key
thing around Phipps is thecrypto board doesn't essentially
allow Go Native cryptography. Sothe crypto board is a Microsoft
thing. This is internalpolicies.
Any first party customer thatwants to use Microsoft's crypto
board says, well, you can't goand use Go Native cryptography.
(31:56):
And the reason is it follows thesame suit with every other
language and runtime inMicrosoft that says you need to
go and use the OS providedcryptography layer. So like
OpenSSL or on macOS, we've gotCommonCrypto, on Windows we have
CNG. So we essentially providethis kind of wrapper shim which
allows people when they need to,to shell out of Go cryptography
(32:19):
and into system providedcryptography. And that was
really why the team was puttogether.
I guess one of the interestingthings beyond that is that now
Filippo and his team have goneand implemented a FIPS validated
crypto layer in Go, which Ithink is the first time this has
been done. But unfortunately, atleast for now, Microsoft isn't
(32:41):
able to use that. And so thereason that we're still here
doing this FIPS port is for thatexact reason.
Shay Nehmad (32:47):
And just to, you know, again, it's sometimes it's
hard to understand how big thewhen you say, oh, there's the
FIPS compliance thing sometimes,you know, I think of it as like
a more of a startup guy. Oh,maybe I have a customer that has
like a FIPS requirement becauseof a subcontractor or something.
Microsoft has dedicatedgovernment Azure data centers
(33:10):
and like a $10,000,000,000contract with the Department of
Defense. It's like the actualpeople who need to have that
working.
George Adams (33:18):
Absolutely. Yeah. It's all about just basically
meeting stricter compliance incryptographic standards, right?
So you've listed government,finance, healthcare, any
regulated industry you can thinkof, and Microsoft has a lot of
customers in that space. And so,yeah, for that exact reason, we
have to build FIPS validatedbuilds.
For example, you can runKubernetes in Azure for
(33:40):
government, and because you canrun Kubernetes, you need to be
able to run with a, a FIPSvalidated GoPinary.
Shay Nehmad (33:46):
So is the I guess a follow-up on that. If I want to
be a really good, team member onyour team, do I need to be more
of a, like, go person or do Iactually need to be more of like
a DevOps person? Is my dayspent, you know, just on
average? Obviously, I assume theteam is diverse and has a lot of
diverse, tasks, but I'm justtrying to understand the vibe.
(34:08):
Is it like trying to untanglebuild processes because you need
to build Kubernetes fromscratch?
Or is it like changing Go codeat, you know, the standard
library, level and having toboth of them sound super hard. I
mean, the team sounds superhardcore. Just trying to
understand if it's a hardcorelike DevOps team or is it
hardcore dev team or is it sortof both?
George Adams (34:29):
Yeah, it's kind of a hybrid. There's obviously a
DevOps team that has to producethe binaries and that in its own
right, as I'm sure Google willtell you, is a pretty serious
job in its own right, just theamount of builds, the amount of
testing, all of that stuff. Butequally, a lot of what my team
is focusing on is, A, sort ofchanges to the standard library.
(34:50):
So we're making a lot of changesto Go and also changes in the
cryptographic layer. So again,we've got a lot of crypto
expertise in our group, whichoften is not necessarily Go
specific.
A lot of it's written in C plusplus for example. So Go and C Go
are definitely kind of keyskills that we're looking for in
the team. And equally justDevOps skills are very useful.
Shay Nehmad (35:14):
One question I had about the sort of the place your
team has at Microsoft. I don'tknow, but let me ask Jonathan
first. Jonathan, have you everworked at a company before where
you were like the go person, butthe company wasn't like a go
company yet. Yeah. You know, asa contractor, and then you get
some technical tasks, but youend up with, oh, I need to
(35:37):
Actually, people come for me forquestions and training and they
come for me for guidance sort ofsituation.
Jonathan Hall (35:44):
Oh, yeah. That happens. That's that's normal
for me.
Shay Nehmad (35:47):
Yeah. So I'm wondering if, George, you you
are just that person for,Microsoft where they ping you on
Teams, I assume, and
Jonathan Hall (35:56):
are It
George Adams (35:57):
is on Teams.
Shay Nehmad (35:59):
Off the record, I'm sort of jealous that you
actually get to use Teams. I'mI'm done with Slack. I wanna
move to Teams. Don't tellanybody I said that because
people love to hate on Teams.Never mind.
Anyway, I assume people ping youon the internal chat, and are
like, hey, can you, we want tomove this service to Go. Or is
there like a Go communityalready inside Microsoft, like
(36:23):
an internal Go channel? Is therea guild? Like how, if I'm a
Microsoft person who's currentlynot writing Go and for some
business reason or even like apersonal reason, you know, I
wanna learn, I wanna move to Go.Do I end up talking to you?
George Adams (36:38):
Yeah. That's a it's a good question. Actually
like full disclosure, so I cameinto the team, I'm trying to
think three, four years ago now.And at the time, I can say this
on a podcast because peoplecan't throw drinks at me. At the
time I was in the Java team.
I kind of come from a Javabackground anyway. But at the
time I came into this Go teamthat was reasonably young in its
(36:59):
existence. And the first thingwe had to do was just map out Go
usage across the company. Andone of the things we really
quickly realized was Go is beingused in loads of places, but no
one really has this centralizedplace to talk about it. And so
that was one of the kind of keygoals when I came into the
group, which was map out companyusage and try and make my team,
not necessarily me, butcertainly my team, the Go
(37:21):
experts so that when someone inthe company let's pick on
TypeScript because we spokeabout them earlier when
TypeScript is evaluating Go forthis particular component of
their products, and they're allTypeScript developers with no
idea about Go, they know thatthey can come to us and get our
guidance.
And so, yeah, spent a lot oftime building out these
wonderful Teams channels andwe've built a whole list of
(37:44):
internal dev pages where peoplecan find us. And equally, this
is kind of one of the otherareas where we wanted to enable
telemetry so that we canactually try and help track down
some of our first partycustomers and and provide a
better layer of support to them.
Shay Nehmad (37:58):
By the way, the people are not gonna throw
drinks at you for the you know,being a Java developer. I I
assume we have some Javarecovery people in the in the
listeners. You know what I mean?
Jonathan Hall (38:09):
Well, we probably have people who still like Java
in our listenership, and that'sfine too. I don't understand
them, but it's fine that they'rethere.
George Adams (38:17):
I mean, we like Java. I like Java. Yeah, no, it
was it was fun. When I first gotwhen I first got brought into
the group, I remember a threadon Reddit where I was referred
to as a Java heavyweight takingover Go. So I think the the
initial concern was, are we arewe going to have a whole lot of
horrible Java crust in the inthe tool chain?
But I can assure you we're not.
Shay Nehmad (38:36):
Oh, you you don't have a FIPS, factory
implementation factory,singleton factory sort of thing
going on?
George Adams (38:43):
No. Not yet. But
Shay Nehmad (38:48):
now that we have generic, cool. So other than,
you know, is there like aformal, something more formal,
like a training thing insideMicrosoft for for Go? Is there a
movement towards Go? Are youmore like, it sounds like you're
letting the customers come toyou, you're giving the
telemetry, you're answeringthings. Are you actively
(39:09):
pushing, you know, likeevangelizing Go in Microsoft or
do you not think that's actuallythe point?
George Adams (39:15):
I think it absolutely is the point, and I
think it's worth doing. And Ithink one of the challenges is,
as I say, the team is stillreasonably young in its
existence and hasn't had a hugeamount of time to go beyond
that. But one of the areas we'redefinitely trying to improve is
just developer learning acrossthe company for Go, right? I
think there's a lot of resourcesfor you want to become a Python
(39:37):
developer, you want to become adot net developer, you want to
go and learn more about thesethings. And so, I think one of
the areas that we're definitelytrying to improve is for people
inside the company, A, how canthey find Go and how can they
connect with the community?
And B, how can they, if theywant to shift career or they
want to up shift what they'redoing into a more Go focused
(39:57):
space, how can we support themin doing that? And Microsoft is
a good company for this. Fulltransparency, you can move
around really easily in thecompany and retrain, relearn new
skills. And I see lots of peopledoing this in Developer Division
where you come from a particularlanguage and you go to another.
And to be perfectly honest withyou, I'm a great example.
I came from Java. And so, Ithink there is the existence of
(40:22):
some of the support there, butI'd like to see more. And it's
one of the areas that I'm hopingwe can build out more. Part of
that involves having a moreformal developer advocacy set up
for Go, which we just don't havetoday.
Jonathan Hall (40:34):
All right, George, I have a couple of
questions, I think before we tryto wrap this up. So of course,
we led this interview with asilly joke about opting out,
which is kind of how we stumbledupon your contact details in the
first place that Microsoft hasdecided for opt out telemetry,
whereas the Go team famouslydecided for opt in telemetry
sort of against protest. Whatmade the Microsoft team make
(40:57):
that decision? And secondarily,who does it affect? Does it only
affect internal Microsoft teamsor who else is this going to be
affecting?
George Adams (41:05):
Yeah, that's a great question. And I think the
first disclaimer is, yeah,absolutely. Microsoft has gone
and enabled telemetry to justsort of make it clear the
telemetry we've enabled iscompletely separate from the
upstream Google telemetry that'sthere. And yes, Google's is opt
in, ours is opt out. The keything here, and I guess the kind
(41:25):
of headline figures are, we wantto understand real world usage
of our toolchain.
Right now, we just don't havethat. We want to be able to
prioritize the optimizations orfixes that will have high
impact. So we want to understandwhich teams are using which
particular components, and thatthen helps us prioritize these
things. And the other area is wecan then make better upstream
contributions informed by thatdata, which was one of the key
(41:47):
reasons I wanted to do this inthe first place. We wanted to be
able to say, Well, here's awhole load of Windows users, and
they're all using this API thatuses this really old Cisco.
That's slow and we can do thatbetter. And that then helps us
prioritize making the Gocommunity better for everyone.
So yeah, I guess to answer yourquestion, why opt out rather
than opt in? Most of thelanguages in Microsoft are that
(42:11):
way. So like .net, for example,is the same.
And the reason we did thatreally was nine times out of 10,
the use cases that we'reencouraging people to use
Microsoft Builder Go for are (42:19):
A, you're an internal customer, so
you're a first party or B,you're probably using it in some
sort of CI environment. And bothof those scenarios, we think
it's valuable enough to be ableto gather that telemetry. And
the key thing here is thetelemetry helps us understand
whether people are using ourcrypto backend or Google's
(42:40):
crypto backend. That's kind ofrelevant to us because that then
allows us to kind of say, Well,how many users are using our
backend and how do we thenprioritize what we're doing So,
yeah, what are we collecting?It's basically command and
usage, flags.
We look at some environmentcontext, but sort of crucially,
whenever tracking your code,your identifiers, yeah, you're
(43:01):
safe. It's anonymized. And wereally don't want it to ever
become something more than that,just as Google have the same
kind of guidelines. Right?
Jonathan Hall (43:09):
Mhmm. Is it possible to opt into both
Google's telemetry and yours andsend that to both places?
George Adams (43:17):
Yeah. Absolutely.
Shay Nehmad (43:18):
That's a good
George Adams (43:20):
question. You can opt into both Google's and
Microsoft's. So telemetry worksin a slightly different way,
which is it sends the telemetryon the fly. Google's telemetry
creates a local telemetry store,I think it's weekly pushes an
update up, and you enable thatwith the GoTelemetry command.
Ours, because it's opt in bydefault sorry, opt out by
(43:41):
default this is, see, even I'mconfused with opt in, opt out
now.
Because ours is opt out bydefault, it essentially just
pushes it whenever you runcertain subcommands. So yes, you
can absolutely send yourtelemetry in both ways. And that
was one of the key things wewanted to do here. We didn't
want to take away from thetelemetry that Google get and
then use in their annualreports.
Shay Nehmad (44:02):
Yeah. Nice. How can I opt into Metas as well? I need
I need Amazon and Metas to knowwhat I'm doing
Jonathan Hall (44:11):
with Go. You're opted into that just by being
born.
George Adams (44:17):
Yes. There's the, export Mark Zuckerberg is a, is
a robot equal one, and that willstart sending them telemetry.
Shay Nehmad (44:24):
You know what? I do have a Facebook account, and I
really wanted to delete it. AndI didn't delete it for two
reasons. First one was, my StackOverflow account was related to
that and Uh-huh. At the time Iwas like, oh, I really care
about the points.
It was I used it as a sociallogin. And then my mom doesn't
allow me to delete it becauseshe sells like secondhand stuff
(44:45):
on Facebook Marketplace andwants me to reshare it. So I'm
stuck with it. I might I might,do an integration, you know,
every time I run go build, postthe status on my wall. Shai just
ran go build.
It took him x y seconds. Nice.
George Adams (44:59):
I would be would love to have a vote. That would
be pretty cool. One
Jonathan Hall (45:03):
one last question. I I think it I mean, I
think this goes without saying,but I I think you could
elaborate on my assumptionshere. I'm sure that your team
also contributes upstream to theGo project. Some of the things
you do, maybe they make sense tomerge upstream eventually. Maybe
you're fixing bugs that affectyou.
What kind of what kind ofcontributions do you make to go
(45:26):
that don't affect your fork?
George Adams (45:30):
Yeah, that's a that's a good question. I think
sort of fundamentally we we havea couple of people in my team
that sit on the official Windowsport maintainers group. And so
that's kind of one of the areasthat we've focused quite heavily
on, on making Windows a firstclass platform in Go. And I
think it's fair to say I'll holdmy hands up and say the
(45:51):
experience today on Windows isnot as good for Go developers as
it is on macOS and Linux. Andthat's an area that we want to
improve.
There's certain Cisco's, forexample, that use very old, say,
like Windows XP or Windows VistaCisco's that we just want to
kill. And that's kind of one ofthe areas that we've been
working pretty hard on improvingthat. There's also more tricky
(46:14):
decisions that we have to make.One of them, for example, being
long path support, which wasadded into the upstream Go
toolset, but that was using awhole load of undocumented APIs.
And so we actually made thedecision to remove long path
support from our Microsoft buildfor compliance reasons.
But the challenge that we nowhave is trying to obviously
realign upstream Go and worktogether with them to find a new
(46:35):
version of doing that. Otherthan that, I think the key thing
is just working on the Windowsports in general. So like
Windows ARM 64, we were veryheavily involved in. I think
that's definitely an excitingarea, one that is becoming more
widely used. I think evenlooking at our internal
downloads, we're seeing morepeople using Windows ARM than
ever before.
So that's definitely an areathat we want to we're working
(46:58):
with Google to get Windows ARMto be a first class, first tier
platform, I think it's called.And that will be an area where I
expect that Microsoft will haveto help sort of maintain that
and keep that stable for thelong term.
Jonathan Hall (47:09):
Well, thank you. I'm not a Windows ARM user, at
least not yet, but I appreciatethe contributions on behalf of
the community.
Shay Nehmad (47:18):
Know that Yeah. I'm planning to run, like, on my
Windows machine the moment Ifind someone who can give me a
case to rebuild it because I hadit back in Israel. And then I
took it apart, and I can'trebuild it yet. But once it's
up, man, I'm gonna run tons ofGo projects on that thing. And
it is like it it always has beena pain.
(47:39):
It's it's become much easiersince you have a WSL, but you
don't wanna run everythingthrough a container or, you
know, a virtual environment. Youjust want to run things on your
machine. And whenever the Gosurvey comes out, Jonathan and I
are like incredibly surprised byhow many people use Windows, for
Go. It's always like 20something percent, which is way
(48:00):
more than I would expect.
George Adams (48:01):
Yeah. In fairness, the numbers surprised me too,
actually. And to be fair, likefull disclosure, I'm sitting in
front of my MacBook right now,which is always funny when
people sort of joke about mebeing a Microsoft employee and
not using Windows. But yeah, Ithink there definitely is a
reasonable market share there.And they are obviously screaming
(48:22):
for more features, especiallylooking at the IDE space.
So Versus Code, making WindowsVersus Code and Go work
together. And also one of theareas that we've been working
with more recently is workingwith GitHub on getting Copilot
and particularly a GenSync modeof Copilot to work better with
Go. And that's, I think going tobe an area that will hopefully
(48:42):
help millions of developersaround the world, which would be
pretty cool.
Shay Nehmad (48:47):
Awesome. Damn. Cool stuff. Well, one thing we wanted
to, mention is the Go blog fromMicrosoft, the Go Dev blog,
which is how we met, so alreadyan incredible resource. But,
let's just, put it out there.
(49:07):
First of all, if you'relistening, the link is in the
show notes. What can peopleexpect to see there, Jordan?
George Adams (49:14):
Yeah, it's good question. Thanks plugging our
blog. I'm pretty proud thatwe've got it there. And I think
it's our first sort of reallypublic platform we can use to
share more of the excitingthings we do. A lot of the blogs
right now are release notes.
And so bear with those. They'reobviously useful and we want
people to see them. But we'vealso got a lot of other things
that we're talking about,particularly Windows
(49:34):
optimizations we're making inthe community. Our plan is to
try and use that and also sharemore company wide updates. So
for example, TypeScript andTypeScript Go, that's gonna be
an awesome opportunity to sharesome of the cool things that
we're doing in that dev blog.
So definitely join that. I thinkyou can put in your email and
hit subscribe, and then thatautomatically sends you sends
(49:55):
you more blogs that I that Iwell, me and my team write.
Shay Nehmad (49:59):
So, you know, we're obviously, we're happy to
mention it. The link is in theshow notes. And also, you open
that link, you do have an RSSyou could, follow, and you could
even enter your email, to, like,sign up for the newsletter. So
no no reason not to not to stayinformed unless you want to stay
informed only through our showbecause we'll only tell about
(50:20):
the interesting, blogs, not allof them.
George Adams (50:22):
Absolutely. And and if there's if there's blogs
that that your show findinteresting, would happily send
you the contacts for some of theother people that are writing
them. I'm sure there's otherpeople in Microsoft that would
love to talk more technicallyabout what we're doing in the
space.
Jonathan Hall (50:36):
Cool. Cool. Cool. Well, George, thanks so much for
giving us a glimpse behind theMicrosoft curtain at the Go team
there. As we talked before westarted recording, we like to
ask our guests a commonquestion.
This year we're asking, who hasbeen most influential for you in
learning Go? I know you camefrom the Java background, but
(50:56):
you've been doing Go now for afew years. Who's who's been the
biggest influence?
George Adams (51:00):
Yeah. That's a that's a good question. And in
fairness, I think that's a toughone to answer. My my team will
all be sitting here saying,well, why don't you pick me?
Think for me, there's a handfulof people that have definitely
influenced my journey, bothGoogle side, particularly
Filippo, I've followed prettyclosely from the crypto side.
I've also got some amazingengineers in my team, Kim
(51:23):
Montal, Davis Gooden, to name afew that are working on some
super interesting stuff and arevery heavily involved in
upstream Go and have reallyacted sort of as mentors to me
coming in and asking them why Ican't run Java minus version of
my Go app. So they're definitelyout there as some great people.
But my team is continuing togrow. One of the greatest things
(51:44):
about being an engineeringmanager at Microsoft is you can
hire some of the most amazingpeople and work with them daily.
So I've got a whole handful ofpeople I'd love to name on this,
but I'd be going for a longtime.
Jonathan Hall (51:54):
That's great. That's a great answer. I think
it's hard for most of us to picka single person. Kind of take my
knowledge, as they say, right?Yeah, there you go.
Easy. ChatGPT was my biggestinfluence.
Shay Nehmad (52:09):
Absolutely. And ironically, Jonathan, what your
behavior right now, like fiveyears from now, gonna be
considered like, oh, he's notcool enough yet to not be racist
on the chatbots. I'd be carefulwhat you put
Jonathan Hall (52:24):
on record, man. I'm not worried. I'm not
worried.
Shay Nehmad (52:27):
George, thanks a lot for, coming on and shedding
some light. I'll be watching theMicrosoft Devlog a lot more
closely.
George Adams (52:35):
No. Thanks for having me. It's been, it's been
awesome.
Jonathan Hall (52:37):
Yeah. It's been wonderful.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.