This show is supported by you, and boy, is it supported by you. Stick around for more about that in just a moment. This is Cup o' Go for 01/16/2026. Keep up to date with the important happenings in the Go community about twenty minutes per week, maybe.
Twenty? We've never hit
the fifty minute mark. We're gonna try twenty. I'm Jonathan Hall.
I'm Shay Nehmad, and my New Year's resolution is to finish this show in twenty minutes. Even though this week we have a little more to talk about. Blah
blah. Last week was a long episode. I think our longest ever probably. But more about that in just a second. First up, right, hot off the press as of yesterday. Go 1.26 RC two is out with some security fixes and a bunch of other cool stuff that we talked about last week in what is proving to be our best episode ever.
Yeah. The one twenty six overview episode seems to, like, really bring people in. So if you ever thought about sharing the show with someone, last week's episode is, like, our best performing episode yet, which I'll I don't know. I'm excited about.
Yeah. It's it's pretty cool. So we've had over 1,500 listens since that episode went live, which makes it the best episode in terms of listens for the first two weeks. And it hasn't even been out a week yet. So we blew past the the one week threshold early, early on. So share that episode with your friends. Do you
believe this indicates good things on our show or good things on 1.26? Like, it's gonna be the most highly adopted Go version ever because people like the version. Is it us or is it Go?
I don't think it's it's not me. It might be you, Shay. It actually
is a good question about the show in general. Like, were we to talk about, like, a worse language? If this was, like, Cup of Python, would people like the show the same? Or do people like the show because the language is good?
Maybe they like it better according to those dubious charts we've talked about in the show in the past.
I guess people just can't get enough of their goroutine leak protection or whatever. So what does RC two stand for?
Yeah. Release Candidate two, so that means this could be the final version of Go 1.26, which is scheduled to be released in a couple weeks or so, sometime next month probably.
Although, usually, they go to RC three and four, if I if I
remember the Probably. I mean, it's it's basically, if they find any showstoppers, they'll fix them. And showstoppers could be a a serious bug they've discovered, which the odds of that are diminishingly low as time goes on. You know, usually those bugs are discovered early. But it could also be security releases, security fixes, which is of course what the main thing happened here was.
There were a number of security fixes, which are also included in Go 1.25.6, which I hope you can educate me on because I haven't read through them yet.
All right. There are a lot of them. We're not gonna go through all of them, but as usual, update your Go versions. 1.24.12, 1.25.6, and 1.26 RC2 include all these fixes. It's like this awkward window where all three versions are sort of active, right? Before 1.26 is officially in and 1.24 is officially out.
But there are six security fixes. I think, again, what I like about these is that most of them are pretty understandable. Like, I could give you the primitive and I guess you could guess the vulnerability. We could we could play that game. Let's see.
You know, Wheel of Fortune, could be like Wheel of Ida, can you find the vulnerability in So the the first security fix on this release is from Jacob Koelek. I hope I'm saying that correctly. And I I should learn that name because we've talked about Jacob a few times already on the show. Jacob or Jacob Koelek. I hope I'm saying that correctly.
I'm probably not. Reported it. Really cool things. I I think it's an interesting find because it sounds obvious in hindsight, but these are the things that are exactly very hard to find. Super cool. A a great find. Yes. Finding vulnerabilities in Go, which
is By the way, Jacob, come on the show. We'd love to talk to you.
Answer my LinkedIn messages, Jacob. So the first one is in the archive/zip library, which is fixing a denial of service. When you parse a zip file, if you think about it, it includes all the data inside it and some, you know, headers that help you figure out, you know, what to fix, what to parse, sorry. And the algorithm that does that, the file name indexing algorithm, is super linear, which I don't know if it's what that means. I just think it's, like, linear. Maybe it's worse
Linear than seems like like yeah. I don't know what
Linear in terms of the runtime.
Right.
Right.
And Like, linear means, like, o one. Right? So simply be like, o one n?
Actually, think linear means o of n, not o
of one. You're right. Right. O of n. You're right. You're right. You're right. So it's like it's like o o o of n times one or something. Have no idea what super linear means.
Anyway, when you construct a zip file that's maliciously constructed, you can make that algorithm just get all, hairy and cause a denial of service. I wonder who like, where that hits people because I know that people use Zip all the time. I can't remember a single time I imported the package.
I've I've imported it a few times, mostly because I had to consume something from somewhere else.
So you you would be vulnerable to this?
Probably, yeah.
If someone gave you like an untrusted zip file, you know, user upload, they could DOS your server, but no more, which is good. Same. Similar thing in net/http, so memory exhaustion in Request.ParseForm. Again, if you provide a very large number of key value pairs, you can cause a denial of service.
This was reported by someone else, and it's in a different library, but it's exactly the same sort of primitive, you know what I mean? Like, oh, you this could just pass a big list of things. This was reported by Julien Cretel or jub0bs. jub0bs. Yeah.
Which I think we also mentioned on the show before. Don't exactly remember when, but I remember that name. It's funny, like, seeing, you know, these names pop up again. Other fixes are slightly less exciting in my opinion. It's like crypto/tls, you know, you copy some automated, generated ticket keys. So when you resume a session, your expiration isn't exactly a 100% correct.
I have to call something out though on this one. This yeah. It's it's only crypto/tls. Who cares about that?
No. I mean, it's important.
It was reported by a 19 year old high school student.
Oh, no way.
Yeah. What do
you mean?
Koya Prunt? I hope I said that right. At least their GitHub profile says they're a 19 year old high school student. So, that's pretty cool. Way to way to get involved early.
Very, very cool. I love the genre, you know, people on the on the Internet who are like anime avatar. It's like, it's beyond my in my opinion, it's beyond my my age group already that I I literally can't understand it. Their website is, by the way, blog.gov.cooking. That's awesome. Which is great. It's also, I think, in Chinese or Japanese because I can
I can definitely claim to be in China, so I would assume Chinese, but I can't read the language, so it's the same to me?
Very, very cool RBQVQ. If you are indeed a 19 year old high school student from China and not a PSYOP operation to do something else. But it is a worthy shout out. Very, very cool. I wonder what's the who's the youngest person doing Go? You know, people are getting into programming very early.
I started programming when I was eight, but it was it was not in Go, of course.
What do you consider programming? Because I did a super advanced PowerPoint presentation. No. No? It doesn't it literally had the Visual Basic script in it.
Okay. The VB script would be considered programming, yes.
Then 11, I wanna say. Ten, eleven, something like that. But Go is, like, such a second language sort of thing, you know what I mean? Like, you can't imagine someone trying to We we had that discussion. We've discussed that, yeah, yeah.
Very, very cool Koya Prunt. One bypass of flag sanitation that can lead to arbitrary code execution. This was reported by GMO Flatt Security, RyotaK. Also, again, 21 year old security researcher and, you know, this like sort of anime, chibi style site, which I like. And also, I I don't know what this language is, just straight up. It might be Japanese. From a GMO Flatt Security, might be Japanese.
But a very cool vulnerability, like talking about the vulnerability in another person, it's just you're allowed to pass flags that are not safe listed, which might lead to arbitrary code execution. It's it's a bit of a stretch, but you could pass, like, you know, a flag and then inject something into the bash terminal that you're running the command into. Mhmm. If you're using the cgo pkg-config. So you could have like a pkg-config binary run with flags that are not safe listed.
So it could be like da da da, and then, you know, semicolon, RM, RF, or something like that. Again, a similar but not exactly the same sort of vulnerability reported by someone else, splitline from the DEVCORE research team. Apparently, what, what version control system do you use? Have you used others recently? Recently,
no. I've used some version in the long, long ancient history, past, ages ago. Can barely spell SVN anymore.
I used SVN a lot, which I like because now whenever I commit something and I wanna skip the the verify, like the pre commit, I do my commit mentions me, like, you know, I the command reminds me of SVN because I do git git commit minus s for the signed off, v for the verbose in the commit editor, and then n for no verify. So it's git commit minus s v n, which feels like poetic justice. And I've used TFS in the past and whatever, but a lot of people still use Mercurial or JJ or things like that.
JJ's a pretty new one though, right?
Yeah, I haven't played around with it yet, but I'm not I'm actually not anxious to, I really like it, I have no problem with it. But apparently, if you have, you know, various VCSs installed, there was a way to have unexpected code execution when you invoke the Go toolchain. Oh. Because on Mercurial, you could like download modules, you know, when you do go get or whatever from custom domains. And it's just because how the VCS command is constructed.
On Git, you know, you can give the specific malicious version string to a toolchain, and it will cause some problems. So now it's just using safer VCS operations to do it and also just disallow a version that starts with like minus or backward slash. So you can't, like, have these shenanigans because that's not a valid version anyway. So, yeah, a lot of security fixes. One final one, again, from Koya Prunt.
It's a handshake that may be pre processed in the incorrect encryption level, also in crypto/tls. The previous vulnerability we talked about from Koya was discovered while investigating this one. So the team, Koya reported this one, and then the team found out the the config clone copies of the session keys. Generally, a pretty serious release with, you know, a pretty wide attack surface that's being closed, so I'd highly recommend just upgrade. And also diving into these implementations, if you're into security, sounds like a pretty good idea.
Cool. Sounds like a pretty fun idea, by the way. So how does one go we always recommend you should upgrade. What's the physical thing I need to do to upgrade my my Go version?
These days, all you really need to do is update your go.mod to the new version, and it will download the new version. And depending on how you build for deployment, that that's that may be enough as well. I also tend to update my Dockerfiles to pull in the latest you know, the the image based on the new version of Go. That would not strictly be necessary because the go.mod will instruct the Go toolchain to download that version of Go. So even if you're, say, building on a Docker image from Go 1.2, if you update go.mod, you'll you'll build from Go 1.23 Docker image. That image will download Go 1.25.6 at build time. So it's less efficient, but it would still give you the latest version of Go. But yeah, I tend to update my go.mod, my Dockerfile, and then my CI scripts to use the latest version.
Sounds good. So you have a recipe as well.
Yeah, more or less. And then I often forget to do this till later, but my local version of Go, it's nice to have that on the latest version too. It doesn't matter if I'm in a Go module because it uses whatever version go.mod specifies. But if I'm outside of a Go module and I try to install a tool, sometimes I get version mismatches or something. It's annoying.
Cool. Alright. Now on to our second, debate. Is it Czechia or Czech Republic?
I am not the one to ask. I've been there, but, yeah, I don't I don't have any idea.
Why are we talking about Czechia or Czech Republic?
Yeah. Because they're they're they like Go over there. And in April, Gopher Camp 2026 will be happening. It was just announced recently. Head over to gophercamp.cz and click that get tickets button. They're actually pretty cheap. Super early bird is only €42 until January 18. You have two days. Better hurry. If you don't do that, you'll have to
pay the full price of €89. And there are group student discounts if you have a student ID. Why would I go there, though? What's Gopher Camp all about?
About Go.
Well, that makes sense.
You can also, submit a talk, and then we'll know more about what it's about. So it could be about whatever you wanna talk about. The call for speakers is still open. They are looking for thirty minute regular talks, ten minute lightning talks, and ninety minute plus workshops. Until that is a little more complete, I don't think we actually know what the topics will be. We can look at last year's Gopher Camp videos to get a a sense of what it might be like. Understanding runtime traces.
It's gonna be two days now. We're talking about the tickets. €42 for two days.
I mean, if I still lived in Europe, I would be jumping on this. I I can drive I I could have driven there from where I live. I mean, it's a long drive, but I I did it before.
Technically, you know, you can drive Canada Alaska.
Technically, I should do it now with the if I include at least one ferry and several weeks of travel time.
Although I don't know if you wanna travel through the entire path right now. Yeah. Hope every single mile of it is safe.
Safe as a crib. But, anyway, I know a bunch of folks who will be easy to travel to.
So we'll we'll watch this and update you when the when the talks are there. I think at least I know of at least one person who's gonna be there, Bill Kennedy. So Bill Kennedy is is gonna be there. We had Bill on the show, of course, and if you're into Go, you probably heard of Bill.
Building a lot of training material. I've written well over 100 blogs. I've written the books. I'm really focused a lot today on trying to teach software design as opposed to software design in Go and Kubernetes and Encore as opposed to, like like language mechanics now.
So, yeah, Bill's gonna be there as well. I won't be. Although I'll fly over, I think same dates because I'm thinking I'll be in Israel at that time. But, seems like a great event if you're in Europe.
Awesome. Well, I think that we're coming up on our twenty minute mark. It is time to move into the lightning round. Yes. Let's start.
Lightning round.
Start us off, Shay.
My thing for the lightning round is a blog post on Medium that I found very useful last year, and it's been languishing on our backlog since October 10. But it's how to get consistent classification from inconsistent LLMs. So where I work, we use LLMs for classification. So, you know, get some content and try to classify it. We have our own methods for evaluation and whatever.
You know, you it's a very reasonable use case. Right? Take this tweet and classify it if it's either complain about political party or complain about, you know, technology. For our use case, it's cybersecurity. Right?
So take this file and and file name and try to predict whether it's financial information or like personal health information or whatever. So this is a very data-science-y blog post. Why am I talking about it in a Go podcast? It's because the code is in Go. It's called Consistent Classifier by French Majesty on GitHub.
So if you're doing AI stuff in Go, you know, the this is if you're doing like API plumbing in Go basically, and it goes to an LLM or classification, this is a great blog post for you. I was just surprised to read it in the end. Was like a 100% expecting it to be in R or in Python. And I was like Go and
I was like, awesome. Well, I have another it's also written in Go item. It's called NGINX UI, but you'll never guess what it is. I'll I'll I'll I'll spoil the suspense. It's an NGINX UI.
Oh, no. Yet another NGINX web UI. I guess this is like for administrating your NGINX system or cluster, provides online statistics for server indicators, automatic configuration backup, cluster management, encryption management, etcetera, etcetera. And it's written in Go, of course, and it's open source, AGPL 3 license. So, yeah, if you use NGINX, it claims to be yet another NGINX WebUI.
I've never used an NGINX WebUI, so I don't know what other options are out there. But this one's probably the best since it's obviously written in Go.
Yes. I mean, there is one nice thing about it other than the fact that it's written in Go, which I think is useful, which is it has an MCP server. So I could imagine, you know, you just talking in your Cursor and being like, hey, can you use the NGINX MCP server and check if it's down or whatever? That could be cool. And, of course, it has dark mode, which is Yeah.
That's what I was gonna call it. That's the killer feature. It has dark mode. So I I can Do
you use NGINX right now on one of your partners?
I do use NGINX fairly regularly, but not for anything very interesting. Like, it's often sort of the base for a static website container. Can
I tell the really fun NGINX bug I had? Okay. Twenty seconds because it's a lightning round. So, I had monitoring on the NGINX logs, and every now and then I saw the monitor would jump on, like, on the HTTP errors, right? So, it was looking for 503s to find, like, problems in NGINX, and they would alert us like, you know, every now and then, and we didn't know what's up because we investigated and we couldn't find any stack trace, we couldn't find any problem like, oh my God, it's a statistical crash in the NGINX server, what's going on?
It turns out one of our users' login, like email details, were exactly five zero three bytes long. And instead of just looking for the HTTP code, because the NGINX wasn't the NGINX logs were text, like the default NGINX format and not JSON. We were just literally looking for contains five zero three. I spent like two months of my life on that. And from that day forward, no production system I have ever written was logged without JSON.
From that day forward, structured logging. So, if you want another NGINX WebUI, go check that out. I think it's pretty cool. Cool. Alright, that's it for the items. We need to go to an ad break.
Yay.
I'm stressed out to keep this in under twenty minutes. I think we already failed. We did. Well, it's a new year. You'll forgive us.
Thanks for listening. Thanks for making our last episode a big success. Continue to share the show with your friends and colleagues. That's the best way you can support the show. Honestly, I mean, I love getting Patreons. It's it's nice to have that vote of financial confidence. But just hearing feedback from listeners and seeing the numbers go up, that's I don't see. That's why I keep doing it. So we we love your support. We're happy to do this.
Support the show by by sharing it and leaving a rating or a comment wherever you listen to your podcast. You can also support the show by buying some swag if you like. We sell T shirts and mugs, of course, because of the coffee theme. cupogo.dev. There you can find all the links to past episodes and a link to our swag store.
I think that's about all I want to say about supporting the show, but we do have an important benchmark coming up, Shay. Oh. We have been doing this show almost three years, which honestly amazes me. I wasn't expecting to do
it this long when we started. Definitely not.
Next week will be our third year our three year anniversary.
Which, by the way, just shows, like, we've been pretty consistent as well because we've had 140 episodes. It's like 2.7 if we, you know you know what I mean? We only missed 0.3 of a year. Mhmm. It was like a 140 divided by 52. It's almost, we've been on, like, consistently every week. I don't know. When did we stop? It was, like, probably October, like, October 7 we took a while off while I was not Yeah.
Mean, we we've taken a few days a few weeks off for holidays and and for summer vacation. For
wars. For wars. Yeah. Various reasons. Cool. So, yeah, it's our three year anniversary and we decided this time to celebrate by hearing what you all have to say. And the way we're gonna do that is we posted a thing on Patreon, but it's avail it should be available to everybody. We want you to send in your voice notes, just like a thirty second ish voice note. You can record it in whatever just on your device while you're walking around and send it to us on Slack or at news@cupogo.dev.
You can talk about whatever you want. We have some guiding questions. Have you learned anything that was actually useful from the show? If so, what was it? What's your favorite part of Cup o' Go?
And the suggestion box, like, if you have a suggestion to improve the show. And if we get enough of these voice notes, we'll have like a sort of a Frasier-y episode, you know what I mean, where you talk and we listen, radio psychologist sort of thing, where we hear what you all have to say. But I agree with Jonathan. It's mostly thanks to you for listening and sharing the show. It's been a huge driver for continuing to do this other than learning.
And I think the last item we have before we close out this not twenty minute episode is an update on your San Francisco meetup.
Yes. Nepotism wins again, and we're gonna update only on my meetups because this is my show. And if you don't like it, you can If
you don't like that, send us your meetups, then we'll include them in the show too.
Honestly, please do that. Absolutely. But we have two meetups coming up in San Francisco. Go Rumors meetup in San Francisco hosted by Quantcast on January 28, 05:30PM, on a Wednesday. We would really I would really love for you to, RSVP and come.
We have about 30 ish people attending, which I assume means 20 people actually showing up in my organizer experience. But there's gonna be a talk by Max de Mulan. We're gonna do a live episode recording and Preetam from Funnel Story is gonna tell how they're doing Go testing. We're gonna have like the normal job board where people can advertise if they have open roles or if they're available for work. And yeah, it's gonna it's gonna be a big a lot of fun in, like, smack dab in the middle of San Francisco in the, you know, right next to Moscone Station, so very easy to get there.
And there's gonna be another meetup in March. If you wanna decide what date that's gonna be, there's polls on, there's a poll, like a Google Form thing I set up that you could decide whether it's March 23, March 25, or March 26. And then probably like next week or probably the, sorry, on the twenty eighth when we're gonna do the live, episode and we're gonna have the meetup, we're gonna lock down that date as well. So two meetups coming up in San Francisco. If you're in the Bay Area, I would love to, meet you.
That's it on the SF updates. I think that does it for this episode as well. Right?
I think so too. I think we're done.
Send us your voice notes, please, please, please. If there's only gonna be, like, three of them, we're probably not gonna do that that plan.
Sounds great.
Program exited, guys. Goodbye. Program exited. Goodbye.
