March 29, 2025 49 mins

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Shay Nehmad (00:00):
This show is supported by you. Stick around

(00:02):
till the ad break to hear more about that. This is Cup O Go for March. We never know which day to say, 2025. Keep up to date

(00:23):
with important happenings in the Go community in about fifteen minutes per week. I'm Shay Nehmad. And I'm Jonathan Hall. And that's a fancy mug you got there. You got the Cup O Go cup. I don't have mine anymore. I should get one. You

Jonathan Hall (00:39):
should get one. We have a great show coming up for you today. We have an interview with the author of golangci-lint. We're talking about security releases, we're talking about proposals.

Shay Nehmad (00:50):
Talking about security problems.

Jonathan Hall (00:52):
And we're gonna cram it into twenty minutes maximum because that's when our interview starts, so.

Shay Nehmad (00:57):
Yeah. This time something will actually force us to adhere to fifteen minutes. Yes. Kicking things off with a vulnerability. When Jonathan put it on the backlog and told me about it, I literally said, oh, it's probably, he said like, oh, there's a vulnerability in x/net/html. I was like, oh, was it parsing something, whatever, that allows you to read something unexpected? So, as you probably

(01:19):
have guessed, there's a security vulnerability that's pretty much as expected. There's a package called x/net/html. You probably heard of it, but if you haven't, it just implements an HTML tokenizer and parser. So you'll be able to read HTML and you won't be one of the poor souls.

(01:39):
I don't know if you saw that famous Stack Overflow question of like, I need to parse HTML with a regex. Yes. I know how you feel about HTML, but a lot of the time I look at it and like, yeah, it makes sense. I studied it like, every, it's the first thing I started when I started computing. It just

Jonathan Hall (01:59):
gives me the heebie jeebies. The main thing I learned from the security release was the word solidus, or is it solidus? Solidus?

Shay Nehmad (02:07):
What is that?

Jonathan Hall (02:08):
The tokenizer incorrectly interprets tags with unquoted attributes that end with a solidus character. It's a fancy word for the forward slash. Woah. Well, I'm gonna start using that word all the time now because I think it just makes me sound more snobbish.

Shay Nehmad (02:22):
Solidus, sounds like a boss from Dark Souls. Solidus, the HTML parser annihilator. Darth Solidus, there we go.

Jonathan Hall (02:31):
The cool

Shay Nehmad (02:31):
thing about this vulnerability, other than the fact that it was found and patched and now you should upgrade your x/net packages if you use the HTML tokenizer, which is, like, reasonable, is the blog of who discovered it. I always like to, like, dig into the security researchers behind the vulnerability, not just technically the vulnerability itself. And I can wholeheartedly recommend nc.zip, which is Sean

(02:55):
Ng from Hong Kong. As a pretty cool, like, short blog about writing up CTFs, and one that I'm particularly interested in, three XSS vulnerabilities discovered in SolidJS, universal LLM instruction leaks. Dude, this is all over the map. Pretty cool stuff. So if you have HTML stuff, you should upgrade.

Jonathan Hall (03:15):
What else should you upgrade this week?

Shay Nehmad (03:17):
I don't know. Is there anything important that everybody uses in Go? Does it have a new version?

Jonathan Hall (03:22):
Oh, wait. Here's one. golangci-lint v2 has been released.

Shay Nehmad (03:27):
With a beautiful logo. Like, the rainbow is not colored, but the logo is colored. Love that stuff. V2.

Jonathan Hall (03:35):
Yeah, v2. This is a big overhaul, simplified linters management, improved file paths management, issue exclusions, etcetera, etcetera. I'm not gonna dive into it too much right now because somebody who knows much, much more about it is gonna be on the show in about seventeen minutes as we're recording. So stick around till after the rest of the news for an interview with the author. We're gonna be talking all about

(03:55):
golangci-lint.

Shay Nehmad (03:56):
I just have to say that golangci-lint, like, is the first thing I install in every, like, I have a script, I have it running. Maybe I set up, like, I don't know, Git, but it's so early in every Go project that this is set up.

Jonathan Hall (04:10):
It is also the only open source project I monthly contribute to. I send $20 every month to that project.

Shay Nehmad (04:16):
No kidding.

Jonathan Hall (04:17):
Totally worth it. If I had to pay a hundred bucks a month for it, I probably would. It just saves me that much time and

Shay Nehmad (04:23):
Well, talking about paying for things monthly, I did a little bit of a calculation and to match up with my friends, we're gonna need 4,125,000,000 Patreons.

Jonathan Hall (04:35):
We should be able to get that in just a weekend or two, I would expect.

Shay Nehmad (04:37):
Yeah. So everybody, we just basically need half of the Earth's population. Mhmm. To join, to just match up with some friends I have in Tel Aviv who recently

Jonathan Hall (04:48):
Well, what

Shay Nehmad (04:49):
doing? Came into some money. I don't know if you know what I'm talking about.

Jonathan Hall (04:52):
Gee, Wiz. I don't.

Shay Nehmad (04:53):
Mhmm. Good one. So, yeah, Google buys Wiz. Why is this a Golang story? Well, Wiz is back in this in Go, and I just, well, some of it. Obviously, not all of it. They're already a big, super sprawling company and they've bought, like, other companies, so I assume it's not all 100% Go, but their core thing is in Go. Disclaimer, I used to work at a competitor, at Orca, until

(05:14):
very recently.

Jonathan Hall (05:15):
Oh, so that's why you're bad talking them so much.

Shay Nehmad (05:17):
I don't, I'm not bad talking anyone. I'm very happy for them. Google is in talks to buy them for $33,000,000,000.

Jonathan Hall (05:24):
It's a lot of money.

Shay Nehmad (05:25):
Yeah. It just goes to show, Go, you know, people can bad talk it all they want, but it makes a ton of money.

Jonathan Hall (05:32):
But what has Wiz ever done for us? Like, I heard the name, but have they ever done anything that we would be aware of?

Shay Nehmad (05:39):
We as Go developers, you mean?

Jonathan Hall (05:41):
As Go developers, as SREs, as

Shay Nehmad (05:44):
yeah. So they have a product that's like a security platform for cloud security, like Orca. So, you know, if you're a part of a security team, you've probably heard of it. And they've discovered, the research team has discovered a lot of cloud vulnerabilities. Since a lot of the cloud is written in Go, sometimes you see vulnerabilities they disclose in popular open source Go

(06:06):
projects. And this week was no exception. Super cool. They, like, got sold for $33,000,000,000, immediately got back to the drawing board and, all right, we found IngressNightmare, which was such a big headline. You might have heard of it and, like, didn't realize it was a Go related news item. But a 9.8 critical RCE,

(06:28):
unauthenticated. RCE stands for remote code execution. So basically it means any Joe Schmo can go into any Kubernetes ingress-nginx and start running code inside the cluster. So from nothing to full cluster control. Wow. Like cluster takeover.

Jonathan Hall (06:47):
Is this for both the free NGINX and the subscription NGINX Ingress controller?

Shay Nehmad (06:52):
I think it's for both. If you just have it deployed, like, it depends on the version because they did a proper disclosure. So it's not like they put this blog out without talking to the developers first. Actually, now they probably work at the same company, right? Kubernetes is Google-ish and Wiz is Google-ish.

Jonathan Hall (07:10):
So if you're using Kubernetes with NGINX, make sure you've upgraded to the latest version, is the short version, right?

Shay Nehmad (07:17):
So a few things you can do. First of all, maybe you don't know if your clusters are using ingress-nginx at all. All you have to do is look at the pods. So you do kubectl get pods, all namespaces, and look for, like, name equals ingress-nginx. If you're just running it and you don't have any permissions because someone turned it on once but didn't, like, set it up properly, you're good. Most likely it has cluster read only permissions because

(07:41):
everything has that. So if these two things exist, you need to patch it. It was patched in NGINX controller 1.12.1 and 1.11.5. And, you know, there are a few things you should do. Either you should upgrade immediately. However, that doesn't always work. Right? Like, if you didn't stay on top of your upgrade schedule, you might be a few versions behind. And I don't know, like, upgrading Go version

(08:04):
seems important, but upgrading every single thing in my Kubernetes cluster seems like a super pain in the behind because there's just so many moving parts. So until you have, like, something of this magnitude, 9.8 CVE score, that forces you to get off your ass, you probably won't do it. Until you can upgrade, there are a few things you can do to

(08:25):
mitigate, like stricter network policies, just disable the admission controller on ingress-nginx. And there's a description in the blog post. The part that I found interesting after, like, hey, make sure that you upgrade, is actually how they discovered it. What's the research motivation behind it? And how does it work? They have, like, beautiful art showing it. And finally, Go code,

(08:47):
how the thing actually worked. And there are a few cool tools here that I didn't know about, like kube-review. Have you heard of kube-review? It's just a CLI utility to transform requests into admission review requests. So you had to have some tooling in order to just do that, which is obviously also written in Go, right? What's the question? This

(09:08):
whole ecosystem is. And you can just look at the code in the blog post. Like, the blog post goes into details about every specific CVE, like auth-url injection, and you can inject on the match CN TLS part of the parser. Like, you can inject in a lot of places here, things that people

(09:30):
don't expect. And again, you can just look at the code and because it's Go, it's like really, really easy to... The vulnerability kind of yells at you. You know what I mean? Like, sort of when you look at bad code that's so bad that the bug literally screams at you. You know what I mean?

Jonathan Hall (09:44):
Sorry, bud. I like how long and detailed it is. A lot of security releases are just like, you know, a one paragraph description. This is an estimated thirteen minute read, goes into some great detail.

Shay Nehmad (09:55):
Yeah. And a shout out to the researchers. I know some of them, but even without the personal knowledge, Nir Ohfeld, Ronen Shustin, Sagi Tzadik, Hillai Ben-Sasson, Eli Ben Sasan. Sorry. Good job, everybody. The link to the blog post is obviously in the show notes along with everything else we're talking about. So if this sounds interesting to you, or you need to immediately grab the

(10:17):
link and send it to your CISO or your Kubernetes admin, it's in the show notes. What else do we have, like, on the docket?

Jonathan Hall (10:24):
Yeah, let's shift away from security stuff for a little bit and talk about some conferences. I have a couple I wanna mention. There are two, these are both in the European area. If you're over in that part of the world, like I was a few months ago, they both have CFPs open. GoLab is in Italy, October fifth through seventh in Florence. Beautiful city. I was there once about ten years ago. And their

(10:44):
CFP is open until April 10. So if you want to be in Italy in October, send your CFP. The other one is GopherCon UK, which will be in August, August thirteenth and fifteenth. And their CFP is open through May 17. So there's two opportunities to speak in Europe later this year, if that sounds

(11:05):
appealing to you.

Shay Nehmad (11:07):
The unofficial San Francisco Gopher meetup. I mean, it has a date. I don't 100% know if it's happening, but it has a date. If it'll be something more serious, we'll definitely talk about it next week. And there's a proposal, an accepted proposal you wanted to share with me. I'm excited about this one. What's going on?

Jonathan Hall (11:29):
There's two here, if we have time to talk about both today. So the first one is that they accepted a proposal to add a flag to the go mod verify command.

Shay Nehmad (11:38):
And I just wanna say thanks to Oleg Kovalov, who, like, shared this link in our Slack group. Thanks, Oleg.

Jonathan Hall (11:48):
Yeah. So the new tag is, or the new command line flag is called -tag. And have you looked at this, Shay? Because this is kind of security related and there might be a little bit more up your alley.

Shay Nehmad (11:59):
Yeah. You tried to move away from security a little bit, but turns out you need 10,000 lines of code to protect the one line of code that, like, the to do. That's

Jonathan Hall (12:08):
right. That's right.

Shay Nehmad (12:10):
So there's a few things you need to know about. What is the Go checksum database?

Jonathan Hall (12:15):
So there's a, I mean, I'm probably gonna get this a little bit wrong. So there's a public proxy of Go modules and part of that, or related to that, is this checksum database that keeps track of, I suppose it's a pairing of module name and version number along with the checksum of that module so that you can validate that you downloaded the same thing.

Shay Nehmad (12:38):
And there are, like, three things hard, two hard things in computer science, right? Cache invalidation, off by one errors, then cache invalidation, or however that joke goes. It's basically a glorified cache, because if you want Go code, you go to GitHub and you download it, but you can use pkg.go.dev to look at these packages.

(12:59):
And I 100% promise you, if you listen to this show, you probably spent more time than you think on the site. Whenever you open documentation, it's there. Right? Whenever you look for a package, it's there. So it's not like it's not an important resource to protect, even though it's mostly just a web resource. It also includes mod checksums and some other things that you

(13:21):
need to basically verify if you wanna make sure that the package you're downloading, the package you're using in your software, is the same package that's mirrored there. So the new proposal is adding a flag called tag. So after you push a new tag to GitHub, you double make sure that it syncs up to the package registry. And that way you know that someone else didn't, like, poison your package in the Go checksum

(13:43):
database. In a few of our recent shows, we talked about, like, typosquatting issues and things like that where you just had malicious packages. But even if I have, I don't have to typosquat to do that. If I get force push permissions to your repo, I could push a new tag, then delete it from GitHub, but the checksum database is already poisoned. The cache is already poisoned. But if I'm

(14:06):
like a package maintainer, I could run this go mod verify -tag a few times and just invalidate the cache and make sure that the proper version of the packages is what's in that checksum database. Basically prevents unauthorized changes to that database. I don't think this is a good suggestion.

Jonathan Hall (14:24):
You don't think it's a good A,

Shay Nehmad (14:26):
I don't love the... From the syntax, it's not obvious, like, what it does. Right? go mod verify -tag to me doesn't, like, it doesn't clarify that's what it does, but that's just a UX thing.

Jonathan Hall (14:38):
I agree with that.

Shay Nehmad (14:38):
Yeah. And you have, like, a few flags, you all versions, latest versions, specific versions. Like, I get why checking the latest version is the thing that I'm worried about, that this opens up the other side of attack, an attack on the mod package database itself. And I wish I saw this proposal in time. I might still comment on it even though it got

(14:58):
accepted. Because I don't understand what prevents people from creating a fork of a repo, changing the code a little bit, and then, like, basically invalidating all the cache all the time. Like, it would be so easy to DDoS the package website right now with this command. You're basically giving a drain option to all the caches with this command. I don't fully understand how it protects from

(15:20):
that.

Jonathan Hall (15:20):
I think you should comment.

Shay Nehmad (15:21):
I'm not missing something, right? Other than basic DDoS prevention measures, like DDoS prevention measures, this command allows me to, with a little bit of work, basically invalidate all the cache for the Go mod site just generally, right? Because I'll ping it with wrong versions all the time. Or

(15:42):
am I missing, do you think I'm missing something and it's not actually possible? I don't know about that.

Jonathan Hall (15:47):
I'm still trying to... I'll double

Shay Nehmad (15:48):
check before I comment. I really hate writing on proposals and then being wrong.

Jonathan Hall (15:53):
Assuming this works as intended, I'm still unclear, like, when would I use this? Would I run this in my CI? Would I run this every time I upgrade? When would

Shay Nehmad (16:02):
I actually use... Every time you push a new tag to GitHub, immediately after it's done and the release is okay, whatever release is okay means to you. Usually, when you push a tag, it already means that, you know, you merged to main and everything checks out. Immediately after that, you run go mod verify -tag latest. It has two side effects.

(16:23):
One, it makes sure that it's uploaded to the sumdb, so if someone else wants to pull it, they do it immediately. They don't have to wait. And it checks that it matches the local repo, which is exactly what you want.

Jonathan Hall (16:33):
Got it. Yeah. Yeah. That does seem like it would be vulnerable to what you've suggested.

Shay Nehmad (16:37):
I'll double check that. Just the security flavor of this episode has got my offensive juices flowing, you know what I mean?

Jonathan Hall (16:44):
Well, I think that is about all we have time for. We had one other proposal, but I think we'll save it for next week because our guest should be joining immediately after our break.

Shay Nehmad (16:53):
So let's jump to that.

Jonathan Hall (17:02):
Hello, this is Jonathan from the future. Welcome to our so called ad break. We just finished recording the interview. It was a good interview. Stick around for that in just a minute. Before we jump into that, I want to remind you that you can buy our swag. We have mugs, we have t shirts, we have USB chargers. We're looking into getting YubiKey covers. I don't know if that's even possible. We're going to try.

(17:24):
cupogo.dev, you can click on our store link there and buy this cool swag with Brewster, our mascot. It's one great way to support the show. You can also support the show by sharing it with a friend, with a colleague, with a fellow student, with your pets. You can even support us financially by becoming a Patreon. The link for that is also at cupogo.dev. But one of my favorite ways to support the show is to just talk to us. You

(17:46):
can find us on Slack at the Cup O Go channel on the Gopher Slack. That's cup-o-go, kebab case. We have over 500 people there now. We have some pretty lively discussions sometimes. We talk about past shows, talk about upcoming things. People share news items there that we often put on the show. Join us there, we love to chat with our listeners. I'm sure I'm forgetting something since Shay isn't here to remind me, but I

(18:07):
think that's okay. We'll cover it next time. Let's get to the interview about golangci-lint. Hey, Shay. I just pulled this Go code out of the dryer and it's covered in lint. How do you think I can get rid of that?

Shay Nehmad (18:24):
You just pulled this Go code out of the dryer.

Jonathan Hall (18:29):
Right? We're going for bad jokes, right? Did I do a good one?

Shay Nehmad (18:33):
I think it's intervention level worthy of bad. Well, I don't know a lot about lint. Actually, this is an audio show, so this joke won't carry, but I have this new wool sweater that my wife knit me. It's a bit linty as well. Like, it has a bit of a fluff. But I'm not an expert on linting, are you?

Jonathan Hall (18:51):
I used to have a linter, but it's kinda old and crafty. I feel like I need a new one.

Shay Nehmad (18:55):
Oh, maybe there's a new version. Hello.

Ludovic Fernandez (18:59):
Hello.

Jonathan Hall (18:59):
Welcome to our terribly bad humor hour. You're here to talk about golangci-lint version two. But before we do that, would you introduce yourself? Tell us who you are and a little bit about yourself.

Ludovic Fernandez (19:12):
Yes. So I'm French. But I think most people know me by my nickname, ldez.

Jonathan Hall (19:25):
ldez. Yes.

Ludovic Fernandez (19:26):
I'm currently working maintaining golangci-lint, but not only, I also maintain lego, the ACME client in Go. Currently, I'm working for open source because I have decided to change the way I work. And I wanted to try to

(19:53):
work only for open source, so only rely on donations. I wanted to do that because I think it's possible. And I think OSS maintainability and sustainability is important, and we have to do something to send some signal to say, hey.

(20:14):
It's time.

Shay Nehmad (20:16):
And I'll just take the opportunity here to say, there's a link in the show notes. I found the supporting us page on golangci-lint.run. I assume that's the, if people are listening and they agree with you and they want to support you, it's right on the homepage. There are backers and sponsors, and you can join the social networks as well to spread the

(20:39):
word. Right?
Yes.

Jonathan Hall (20:40):
I'm one of the, I think this is the only open source project, golangci-lint, that I monetarily support. So I encourage our listeners to do that too.

Ludovic Fernandez (20:49):
Yes. You are one of the early sponsors.

Shay Nehmad (20:52):
I like to think, you know, whenever I click on a Google ad that, like, 0.0000001¢ of that AdSense money ends up in the Go team salary or something like that. Whenever, like, YouTube pops an ad, I'm like, ugh, no, I just wanna watch this video. Then I'm like, no, it's good. This money goes to Google.

(21:13):
Somewhere inside Google, someone is maintaining the compiler. That's fine. And then I end up watching the same annoying insurance advertisement because I just moved here, so they don't stop doing it for me. So the aspect of doing open source full time, you know, how has it been for you? I wanna talk about how

(21:35):
has it been for the project. I'm sure the project had a lot of, you know, it was very good for the project to get your full attention. But I was just wondering, I assume a lot of our listeners are curious about, like, how does that work? Did you set up a company? Like, how does that work?

Ludovic Fernandez (21:51):
Yes. It worked. I created a company, a small company with just me because legally, I'm forced to do that. But for the golangci-lint project, I created an Open Collective organization. In fact, Open

(22:13):
Collective is the fiscal host of golangci-lint. The money that people give to golangci-lint doesn't go to my company. It goes to this fiscal host. For now, I don't really know how I will drive this money, but, oh, no. There

(22:34):
is a place. There is a place. And for me, working on open source every day, it's like working for other projects, not really different. The only difference in fact is that I wake up when I want, but I have to do all the work. So it's not a paradise, but it's not an

(22:58):
and it's really far from l. I'm really happy to do what I do. I don't know if you want to know something else. I'm not sure if I answered the question.

Shay Nehmad (23:11):
You totally did. There is a bit of a business overhead that's invisible to setting this thing up, but it's cool that, you know, it's not, like, super, super complicated. It sounds very possible. It's not like, oh, there's no legal precedent. Like, oh, just start a company. The money will eventually go there.

Ludovic Fernandez (23:32):
Sorry. My watch warned me that my heart rate is a bit higher. Too high.

Shay Nehmad (23:40):
Happens to me, it happens to me whenever I meet the CTO of my current company, all the time. My watch is like, stress level high. I can sympathize.

Jonathan Hall (23:49):
We've had a number of people on the show who talk about running open source businesses. It's a model I admire. I mean, I do some open source work. It doesn't pay any bills. I never get any money from it. So I really admire the people like you who do that. And so thank you. And I of course appreciate your project. golangci-lint is one that I use and advocate other people to use

(24:11):
very heavily. So let's talk about that a little bit. Maybe let's start with looking back in time. When did you start golangci-lint?

Ludovic Fernandez (24:18):
So first, I'm not the author, so the initial author of golangci-lint. It's Denis. Denis created golangci-lint around 2018, if I remember well. Okay. He tried to build a company on top of golangci-lint called GolangCI.

(24:39):
The goal was to provide the tool, the CI tool, the SaaS tool, to lint. I don't have the full history because I will try to explain that. But in reality, I never met Denis because when I came to the project in 2020, I think. And Denis was already, I

(25:02):
don't have the word, but he was not here. Wait, sorry. He mainly left the project because the SaaS service didn't really work, not as a tool, the tool was working, but as a business. So he decided to open the organization to everybody,

(25:28):
And I sent a lot of invitations to contributors, introduced a system to invite every contributor to the organization. So I started at this moment when everything was automated, in fact. And then I started to contribute on one or two things

(25:49):
and day by day, month by month, I became the main maintainer, but it was not a plan, in fact.

Jonathan Hall (25:59):
So you've been, when did you sort of become the main maintainer?

Ludovic Fernandez (26:02):
There is no real date. No. I contribute more and more. At some point, I asked, not Denis, but sorry, I don't remember his name. From my memory, it's Alexander, a colleague of Denis, if he can give me the rights, because it

(26:23):
was difficult to handle a project when you don't have the right to handle the CI, the configuration. It was a main problem at some point. I don't know if you remember or if you believe this story, but they started to attack the, Golang sorry, the GitHub Actions CI by opening pull requests. We

(26:48):
were under attack. It was not really funny because without the right to stop the pull request, to stop something, it was really complex. So. Okay. So it was progressively, gradually.

Jonathan Hall (27:03):
And then I guess, of course, the big news, the reason you're on today is because version two was just released. Version one has been around for ages. It's been getting new features all the time. What inspired you to go with version two? Why the change?

Ludovic Fernandez (27:21):
In fact, the idea of v2 began, there is, six years before I became a maintainer, but nobody was able to do it because creating a major version is not as simple as we can think, because there are a lot of things that you have to

(27:43):
think of in terms of features, in terms of tooling. A lot of people forget that CI exists, yes, but CI doesn't do the job. They just do what they have to do and you have to learn them. So, in fact, without someone that really wants to take the

(28:08):
topics, the v2 was not able to go out, in fact. So at the end of the previous year, I said, I'm tired with deprecated things, with breaking some runtous stuff and

(28:28):
living with options that don't work, that's really annoying. So I decided to go for v2, not a huge v2 with a lot of stuff, but something straight to the goal, something that simplifies some elements, something that removes all the deprecated stuff. The goal was not to create the wish list, the

(28:52):
Christmas wish list for every feature in the world, but just prepare the future and clean the past.

Shay Nehmad (29:01):
Nice. The new configuration looks like, I've been with golangci-lint forever, forever, forever. The new configuration looks a lot simpler. The only problem is I used to rely on a GitHub gist. I don't remember who wrote it, but I actually have to give a shout out to the guy, so I'll find it. But there's, if you look for golangci-lint golden config

Ludovic Fernandez (29:24):
I think I know this person. The nickname is maratori, I think.

Shay Nehmad (29:29):
Yeah. Marat Reymers from The Netherlands. I always just go to this page, copy it, and now it might not be the correct configuration anymore. I'll comment and say that v2 has been released.

Ludovic Fernandez (29:42):
I think you will create a new version of this golden file.

Jonathan Hall (29:47):
Oh, already someone did it. Ran golangci-lint migrate. Oh, there's a command to migrate all configurations.

Ludovic Fernandez (29:53):
Yes. Yes. Yes. In fact, for me, the major point when you create a v2, because I already created v2 of some important tools. Previously, I was working on Traefik. I don't know if you know it. So I already lived some major versions and the difficulty related to major versions. So

(30:15):
when I started to think really early in the early days about the v2, all had started to sync. We have to provide a migration guide, we have to provide the command that integrates seamlessly your configuration, and we created that.

Jonathan Hall (30:33):
So I realized we forgot to do something and that is, so apologies to any listeners who don't actually know what we're talking about. We haven't explained what golangci-lint is. I'm just assuming everybody knows. Let's go back, tell us in your own words, what is golangci-lint and why would anybody wanna use it?

Ludovic Fernandez (30:52):
golangci-lint is a runner for linters. So it's a linter. But the difference between, no, there is no difference. It's just a runner for linters, a fast linter for linters. The goal is to statically analyze the code,

(31:15):
detect some bugs, detect some style errors, but not really errors, but warn you about some styling issues and report them so that you can fix them. So I think everybody knows ESLint or, I don't really know

(31:39):
the tooling of Ruby, but I think it's RuboCop or stuff like that.

Jonathan Hall (31:44):
Mhmm.

Shay Nehmad (31:45):
I I hate RubyCop.

Ludovic Fernandez (31:48):
Never used to. I cannot hate it.

Shay Nehmad (31:52):
And the and the and the Rust compiler, of course, no
need for any.

Jonathan Hall (31:58):
Yeah, really good. So it's static It's sort
of a meta analyzer. It combinesa number of configurable linters
so you can kind of pick andchoose which ones you want to
run, right?

Ludovic Fernandez (32:11):
It's a difference from some other
linters. golangci-lint is user oriented. So you make your
choice. We don't really decide, but we select the linters. The
linter should not drive to bad practice.
It's a limit of... the linter should not be a

(32:36):
detector. So what I call a detector is something that just
reports, yeah, it can be a problem. No. Is it a problem or
is it not a problem? "It can be a problem" doesn't exist for me,
because I know that most users, when using a linter, in fact, they
just follow the linter because they trust the linter.
So it's a... yeah. So the main difference for me from others,

(32:59):
it's designed... it needs to be used and configured by you
with your rules and not our rules.

Shay Nehmad (33:08):
How many, like, on your projects, do you have just,
like, the one configuration that you use? Because I was wondering
about that. Like, first of all, now that I'm thinking about it,
what golangci-lint configuration runs on
golangci-lint?

Ludovic Fernandez (33:28):
The golangci-lint configuration of golangci-lint is
not a good configuration, but in fact we are forced to
do that, because the configuration of golangci-lint will be
used to test golangci-lint over the versions. So we have
something really seen because we should have consistency between

(33:53):
the versions, between the releases. So we have something
releasing. So it's really not a recommended configuration. It's
a configuration, but not a recommended configuration.
In my opinion, there is no real recommended configuration
because you have to tune the configuration for your project.

(34:16):
For an example, I created a linter that's called tagliatelle.
tagliatelle is on the tags. You know, the names that the fields
will have inside your JSON, or the name of the mapping for the
JSON.

Shay Nehmad (34:32):
Yeah. It, like, makes sure that the tag maps up
to the name of the field.

Ludovic Fernandez (34:37):
Yes. Exactly. But, for example, when I work on
Lego, I have to handle hundreds of DNS clients. But each
DNS client has its own casing. So I cannot use one
configuration.
I'm forced to use a configuration that is for this

(34:57):
client or for this project. It depends on your convention. For
example, if you have to interact with a PHP project, maybe they
will use snake case. They will use no snake case, or maybe they will
use camel case. So for me, there is no real recommendation,

(35:18):
but there are some linters that I recommend to use because they
are globally neutral.

Jonathan Hall (35:25):
I find that I tailor my configuration very
heavily to the project I'm working on and the people on
that project. For a solo project, I have a very different
set of linters than I do for a project on a team of 10 people.
Because maybe on a team of 10 people, I have more junior
developers who don't know all the idioms and stuff like that.

(35:45):
And I want maybe stricter linters to encourage them to not
use global variables, for example. But on a solo project,
I know I'm not gonna use global variables unless I just really,
really want to or need to for some reason.
And I don't feel like I need the linter to do that. Do you find
people doing the same sort of thing, tailoring their
configuration to the projects, to the people? Or what do you

(36:05):
recommend? What have you seen?

Ludovic Fernandez (36:06):
There are a lot of different profiles
inside. In fact, there are advanced users like you. You know
what you need and you know what you do. So you will just set up
the linter that prevents you from some complex stuff or some
mistakes. And there are some people that use the same thing

(36:28):
as a kind of teacher to drive the people in the right
direction.
I saw a conference at Gopher India, I think, where a person
explained all the configuration. They create a sheet. They put

(36:49):
the name of each linter. As I said, why this linter is
useful, why this linter is not useful. And they share that
with their team, and it builds their configuration like that.
So different persons have different profiles of user.

Shay Nehmad (37:05):
One thing I really like with messing up all
these configs is that it's a fun way to spend time. So I think
I'll drop off the interview now and just go and mess around with
my config, like turn on the linter, see if I like the
errors, and then turn it off. Since there are so many linter
possibilities that you can turn on and off, it's gonna take me a

(37:26):
while. So I'm gonna drop off and let Jonathan continue this
interview. But before I do, again, I really wanna say thank
you for coming on and for the project.
Like, it's a really, really good project. And again, reiterate
the call to action. If your company uses golangci-lint and
it caught you a production bug like my company did twice, go

(37:47):
contribute to golangci-lint. By the way, if you are a company in
Israel, I don't know how it works in other places, but if
you contribute to open source, you can, and my lawyer did it,
you can write it off as a donation and then it's a tax
write-off as well. So if you're a company and your finance

(38:07):
people have some time on their hands, that could even get you
money at the end of the year.
Thanks a lot ldez, I'll be dropping off now.

Jonathan Hall (38:15):
All right, let's talk a little bit more then
about the improvements you made in V2. We talked about
configuration and migration from old to new and how it's not
really like a huge change. It's mostly some cleanups. But let's
talk specifically. What were maybe the top two or three
things in your mind that changed from V1 to V2?

Ludovic Fernandez (38:35):
For me, the main thing is the introduction
of the formatter. So the formatter was already here. It's
not new, but the way to use it is new. So there is a new
command called golangci-lint fmt. So it's the equivalent of
gofmt, but you can configure it with the classic configuration

(38:56):
of golangci-lint.
It works like gofmt. So I said fmt because I'm French,
but I think it's a good community. Sorry. Yeah. So I
think it's something that can simplify the usage of linting

(39:18):
and formatting, because we all appreciate gofmt, goimports,
because they are great formatters.
But there are some issues with those formatters that other
formatters fix. For example, gofumpt has some extra rules

(39:38):
that are really good to apply. There is also gci, where we
handle a consistent order of the imports. And for me, it's really
good, because goimports or even gofmt doesn't
group the imports. You have no consistency in the imports.

(39:59):
But it's not really related to the v2, but the v2 will help
for that. And another major point for me, it's the file
path management. Because previously, if the paths
that were defined inside the configuration were

(40:20):
relative, they were relative to the binary... not the binary, but
the place where you will launch the binary. And it
was really inconsistent. If you were running the linter
in a package, your exclusions, for example, didn't work.
So now I fixed that. I know it can seem to be a detail, but

(40:44):
I spent days and days and days to try to find the right way to
handle that, to not break everything. It was horrible.

Jonathan Hall (40:55):
I can imagine. And

Ludovic Fernandez (40:58):
Just one important point, sorry. So I
spent maybe too much time, but another point for the v2 that
I'm really happy about is the removal of the default exclusions.
Previously, missing comments or some error handling not... was
hidden by default. And at some point, it's a problem because

(41:23):
you have to handle errors and you have to comment. But we all know
that the majority of projects don't really put comments.
And when we close a file, we don't really care about the
error. So we removed all those default exclusions, but we

(41:45):
introduced something more human friendly, with human friendly
names to disable the complete topic. So for example, we have a
preset named comments, and it will remove all the reports related to
comments.

Jonathan Hall (41:59):
Yeah, that's nice. Yeah, I have not installed
V2 yet. I've just been busy with other things. It only just
came out a few days ago, but I will. I'll probably do it before
this episode is released.
So maybe next week on the next episode, I can talk about my
experience with it.

Ludovic Fernandez (42:14):
You will see it's pretty quick to try it.
You run golangci-lint migrate. It's Zen. You can use
it.

Jonathan Hall (42:23):
It looks really simple based on what I read and
what you said. So I'll be trying it over the weekend probably. Is
there anything else that you think we should call out?
Anything else about V2 or maybe other plans you have in the
future?

Ludovic Fernandez (42:36):
I don't really have plans for the future
for now because the V2... I worked three months on the v2, so more
than three months on the v2, so now I think I will just slow
down a bit and sync, but there are some elements that the community

(42:59):
wants to be introduced. So I think I will work on that. I
don't want to say something on which feature it is because I don't
want problems. I will continue.

Jonathan Hall (43:12):
Very good. Do you wanna talk about Lego for a
little bit and just introduce that to the audience too, what
that is?

Ludovic Fernandez (43:18):
Oh yeah, Lego, it's a Let's Encrypt, an
ACME client in Go that you can use as a library or as a CLI.
LEGO is able to handle currently some... more than a hundred DNS
providers. So everything is automatic. Sorry. Maybe I should

(43:43):
explain what is ACME and what is Let's Encrypt.
So I will not explain what is Let's Encrypt, but I will explain
what is ACME. ACME is an automated way to get
certificates, so to have HTTPS. So Lego allows to create
a certificate easily. You just need to have a

(44:07):
server or a DNS, or... I don't know if it's pretty clear. Sorry,
sentences are not straight and...

Jonathan Hall (44:15):
That's okay. No, I understood you. Yeah. Thank
you. golangci-lint and LEGO are your two big projects.
I imagine you dabble in other things. You probably submit bug
fixes and stuff to other projects as you need to.

Ludovic Fernandez (44:29):
Yeah, I contribute to every... I think I'm
like a lot of people that work around open source. I use
open source, and when I have a problem, I try to fix it. Well,
I try to create a good report to help the maintainer to fix the
problem, because it's always complex to fix something if you

(44:54):
don't know a project properly. So I try to open good issues and I
try to fix what I can fix, or a new feature if I can do it.

Jonathan Hall (45:03):
Very good. Great. Well, as we mentioned before we
started recording, we always try to ask our guests. Well, first
of all, we give you an opportunity to share any links
you want. We've already talked about your two projects.
We'll have links to those in the show notes. I don't know if you
wanna share social media links or personal blog or anything
like that you'd like the audience to know about.

Ludovic Fernandez (45:23):
I think the current links to the donation
page for me or for golangci-lint are enough.

Jonathan Hall (45:35):
Great, we'll put that in the show notes if you'd
like to contribute financially to help ldez continue to live
the open source dream. And then beyond that, we have a question
we'd like to ask. We already told you about this before we
started recording. We ask all of our guests, and that is: when you
started learning Go, or even today, who inspired you the
most? Who have you learned the most from?

(45:57):
Whether it be through blog posts, through conference talks,
books, anything, who has inspired you the most in your Go
journey?

Ludovic Fernandez (46:05):
It's complex because I was not in the first
generation of Gophers, but I started Go in 2017, I think. It
was pretty early. So I learned by working on Go code, on the
Traefik Go code, to be clear. And this was... I don't know what

(46:32):
to say because I didn't really follow some people in the Go
community. I read a lot of code because I love the code.
I love contributing. So I read a lot of code. So I would say the
Go community is the answer.

Jonathan Hall (46:48):
I love that.

Ludovic Fernandez (46:50):
It's my reference.

Jonathan Hall (46:52):
Great, great. Well, yeah, I like that answer.
If you're reading code, you don't even know necessarily who
wrote it, right? You're just reading the code.

Ludovic Fernandez (47:01):
Yeah, it's something that for me, it's the
same thing. Sorry, maybe it's off topic, but I contribute to
open source not for my name, but because of my code, and not because
it's my code, because the code will continue. And maybe in the
future someone will use that, but never knows who was the

(47:22):
first to write this.

Jonathan Hall (47:25):
Right, yeah, yeah, that's great. And I think
that's maybe good advice for others too, who are trying to
learn Go is, we hear it fairly frequently, I think, read the
code, read the standard library, read golangci-lint. I just
referred somebody else to read golangci-lint code earlier
today. They were asking how to call gofumpt from Daniel Martí

(47:45):
directly. I don't know how to do it, but I know golangci-lint
does it.
So you could go read that code and figure it out. So yeah, it's
always good advice to read code, whether it's Go or another
language.

Ludovic Fernandez (47:55):
Yes. Yes. And I think Go is a good
language for that. I have worked, and I think you
too, on different languages, but Go is really easy to read.
More easy than a lot of code.
So read it, read it, read it.

Jonathan Hall (48:14):
I agree. Yeah. Great. Well, ldez, I really
wanna thank you again for coming on. It's unfortunate Shay had to
leave to go reconfigure golangci-lint
again. But I really appreciate you taking the time
to join us on the show. We've had several listeners ask to
hear from you, so I know that this will be a treat for our

(48:36):
audience. Thank you so much.
We'll have links to the projects and to your donation page.

Ludovic Fernandez (48:40):
Thank you too for inviting me, sorry.

Jonathan Hall (48:45):
Yeah, it's been a pleasure. It's always great to
meet somebody who makes the software I use. So thank you so
much.