Can Claude Code fix your subtle bugs? 🐞

This show is supported by you. Stick around till the outbreak to hear more about that. This is Capu Go for 11/07/2025. Keep up to date with the important happenings in the Go community in about fifteen minutes per week. I'm Shay Nehmad. And I'm Jonathan Hall. And I'm compensating for feeling a little sick. Yes. No worry. In three minutes, the energy is gonna come back to, you know, back to the meme.

Would you say these are subtle bugs? Yeah. Yeah. Because one of them is in the crypto subtle package.

The ones that are in the subtle, I just the ones that are in crypto, I just glaze over. I have no, no way to parse them even. But I wanted to sort of quiz you to see if you would have been able to even understand that these are bug.

Try me.

So, let me, this is gonna make for great audio, by the Let me read you this HTTP address and you let me know if you think it's correct.

I'll tell you right now, it's not correct. Can tell you right now.

Alright, alright. You're putting your bed right now even before I start reading it? I am, yes. Alright, let's check. Httpscolon/slash. That's that's fine, right? That's all.

Yeah, that

seemed good. Open square brackets.

Okay.

Colon colon.

Okay.

FFFF colon. Uh-huh. One nine two dot zero dot two dot one, close square brackets.

Sounds like it's an IPv6 that a

valid address or no?

It sounds like an IPv6 address, but I don't know. My IPv6 But it ends with,

with, IPv4 address. So it it starts with a thing that looks like, you know, the colon colon ffff.

Uh-huh.

After the last colon, it's an IPv4 address, one eighty two dot zero the one.

I'll tell you, if if I were to counter that, I would assume it was a spammer or a a scammer and I would just skip it, whether it was legitimate, like, syntactically correct or not. That's about as far as I would get with thinking it through.

So, the Go runtime agrees with you. Okay. Which is why in a recent fix to a vulnerability, which I even think we discussed on the show, like in passing, Uh-huh. That the parse function permits values that aren't IPv6 Uh-huh. In the host component in the square brackets.

Okay.

That they resolved that they resolved in, in this, release. Do you know the any, keyword?

Yeah. The All right. Like the empty interface, right? Yeah. Yeah, yeah.

So, any, that accepts an empty function equals equals any ex empty function.

Say it again.

What what should it return? You're, comparing Comparing two empty. To interface values, basically.

I don't have any idea what that should return. I don't think comparing interface values is necessarily supported or I I don't know what that does.

So it should panic. The documentation says, oh, if you compare it to interface values with identical dynamic types, you should have a runtime panic. Okay. And we just forgot to implement it. So someone was like, hey, I found this.

I'm a little surprised that they didn't have a test covering that already. That seems like something like, I don't know, when I'm implementing the spec, I would be like, yeah, let's make sure that this really simple obvious case works, but okay.

So I don't know what would, you know, cause someone to write such code. This is like nonsense You would never write it in production. It's just like an edge case you have to cover.

Maybe Claude was writing it.

Oh, that's that's a good segue. I don't think Claude should do software.

Foreshadowing.

So anyway, there's a new release with these super esoteric bug fixes, and I like our recommendation to, you should upgrade because it has security fixes. If these bug hit your code, man, what are you writing? Jesus. But still probably good to upgrade. And this was back ported, so it's on 1.24 as well. That's it about the new release.

Nice. So I I guess we'll try to I'm gonna return this as a useful segue. Next, I wanna talk about standards of code. Code standards, I guess.

Oh.

Yeah. So long, long time ago, you know, in Galaxy Far Away, we had Filippo Valsorta on the show, and he talked about his open source work. He does a lot of crypto work for the Go centered library and some other work, and he he makes his money doing that, right? So he has recently released his standard of care that he and his his group

of Manifesto.

Open source folks adhere to. Yeah. He has a manifesto. It's called the Geomys. Is that how you pronounce this?

First of all, increased churn part, like Dependabot is shoving PRs at your face and it's, like, automated so you trust Dependabot is, for now, I'm I'm not, like, bashing GitHub. Right? This is true for Snyk. This is true for all the other application security companies. You get these PRs, at some point you just start approving them.

Oh, wow.

These are all legitimate concerns. I mostly care about the, the first two because I work in Closos right now. Mhmm. But it's not like they're not doing anything at all on the on the readme. It's not readme. Oh, it is a readme. On the standard of care project, they're saying like, oh, we run, go vuln check. We they check like a high signal to noise, notification to find actual vulnerable dependencies. Yep. And they also run their CI with the latest version.

Well, and and more more than just if they need to upgrade, but, like, if if one of the consumers of the library is using the latest version, they're not they know they're not gonna be broken, right? So that's

also I think that's actually a a more sophisticated and smarter approach to dependency management than most, people use. Most people, I assume, don't actually care about this stuff and just do whatever policy they have to adhere to. So if their company or whatever they work on don't have a dependency management policy, they just won't upgrade ever unless they want the new feature. I and like most of the areas where I'm developing, like enterprise, software y, you have like SOC two or whatever, you know, compliance framework that like forces you to upgrade. But then it's like more of a checkbox thing, you know what I mean?

I think this is a good document for anybody who has security concerns about their code to look at, not to implement as is, but to get ideas for things they might be overlooking with regard to security in in their their code. There's many other things here. I'm not gonna go into as much detail on all of them, but they talk about long lived credentials and how they try to avoid those, how they do security in in CI pipelines, how and when they grant third party access to, you know, like GitHub tokens and stuff like that that can modify the code, monitoring, logging, and and even even licensing. So, I think it would be rare that anybody would wanna copy this exactly, but I think it's a great resource if you work, whether it's an open source project or even for your internal code. There's probably something you could learn from this and you might want to pick and choose two or three things from this to implement on your own projects.

And not to Like, I'm I'm in security. I learned about a new tool here from this, this document. I learned about ZisSmore. I haven't tried it yet but, I I added it to my, like, ever increasing to do list of things to check out. Yeah.

You are very click baiting. I don't think vibe coding is the right description, but let's let's talk about this. So Filippo, he he wrote this himself, so he's telling us we're not we're not reading between the lines here.

Yeah. We we didn't we didn't like spy on him and find and like by the way, Filippo, the new couch looks great from the tree outside where I'm sitting in with my binoculars. Looks great. Switch the pillows though. Anyway, what has he been doing with Claude?

Yeah, so last week he wrote this blog post called Claude Code Can Debug Low Level Cryptography. And he goes into some work he was doing on a new implementation of MLDSA. I don't have any idea what that is, except that it's a post quantum signature algorithm. But he's working on that and there was a hairy bug and he had a difficult time with it. And so he started using Cloud Code version 2.0.28 with Opus 4.1, and no system prompts and gave it the following prompt.

I mean, if this is not proof that I hear a lot of talk about, oh, it's gonna replace, it's gonna, whatever. But I think this is really strong proof that it can augment. Like, Filippo, according to the blog, you know, clearly a senior Go developer, we had him on the show, whatever. He was tired and then let let the AI take over and the AI was able to, like, within the context of him, like, giving all the context and having all the code, having all the tooling and all the understanding and exactly, like, showing you how to run the test and giving all the context, whatever, managed to basically generate, like, an hour's worth of work for him. When he was too tired to do it.

But it found the solution. It found the problem and, you know, it was still very valuable.

Very, very cool. It is important to know that, you know, he discloses that he has a free key for Claude, Max, but they didn't, like, pay him to do a sponsored segment or anything. They just gave him the free, coupon. What do you think about this?

So I've been using Claude a lot lately. It's still very much an experiment.

Like Cloud Code?

Yeah. Cloud Code. And I don't know. I I have very mixed results. Sometimes it's great. Sometimes it's terrible. I still don't know if it's a net positive a net productivity gain. Certainly, there are times when it definitely is, especially for like refactoring where it's sort of rote repetition.

I have a guy on my team who's using Cloud Code and he's using it, you know, he's integrated it with the various MCPs, he has like custom commands, you'll sit at the office and you'll hear like Cloud Code needs your attention. Like his computer will yell at him. But I don't get it, I'm still with Cursor, I'm working with like multiple sub agents, but I need the IDE, I need to like navigate between files and look at the code, I can't just do English. I don't know.

I don't know. I use Cloud Code Integrated with my IDE, so I don't I don't know what the difference is, but there probably is one.

I I I still don't get it, but maybe I'll maybe it's just, it's true that different tools for different people. I use pretty much the same MCPs and the same capabilities. I do love the blog post though, I think it's really good. And also, you can look, the funny thing is you can look at Filipa coding all this stuff. He has a link to his Twitch.

Yeah. So let's let's do a quick break, and then we'll be back with another new segment, I guess.

Alright. Let's go.

This week, we have a few new Patreons to mention. I don't know if we've mentioned some of these before, but it's okay if we have. It's fine. Shiva Best. Thank you. David Woodward Woodard. Sorry. There's only one one w in Woodard. Ria Dennis? Ken Smith, Adam Arash. I think that's an alias, not a real name, but based on the way it's spelled. And Jennifer Johnson, thank you all for supporting the show.

We really, really appreciate it. There's two subscription tiers in Patreon you can use, the Cup O Gopher and Cup O Gopher Mini. This is the best way to support the show, you know, this is a fun hobby, but it's also a little bit expensive, and this just helps us, recoup some of our costs. And by the way, don't wanna be, like, too pedantic, but there are two d's in Woodard. One is w and one

Not two w's. Did I say d's?

Yes.

I thought I I had said Wood word, but Wood Nerd, and I meant to

say there's not not two w's.

Thank you

so much.

It's four d's if you count the first name.

That's true. Anyway, that's the best way to support the show. But if you want to support the show in other ways, find past episodes, buy new swag, find all the links, transcripts, whatever, you can go to cupogo.dev, that is cupogo.dev, or join our Slack channel at cupogo in the go for Slack. That's like kabobcase with hyphens. And you can also email us at news at cupogo. Dev. How else can listeners who are listening right now help the show out?

You could leave a review. You could share the show with your friends, your colleagues, your coworkers, your student other students you are studying with, a rating on iTunes? I'm not in the Apple ecosystem, know that's not the name anymore.

Apple Podcasts, it's Apple Podcasts. There you go. Okay. Or Spotify.

Or Spotify or all of those places. Yeah, spread the word, basically, is kind of what it comes down to.

By the way, we always say co students because in my mind students are listening and they could tell the show like to their fellow students

at class. But

it could be your students if we have a professor, like a Kopsai professor listening

to

the show. Yeah. You you can make it required listening and put it in the test at the end of the semester. We'd be super happy if that's the case.

Interesting.

And just mentioning in case you left, missed it in the last few shows, I mentioned the swag. We have a lot of new swag. I'm just still wearing my Cup Go hoodie, which I really like, but if you visit the store link, store.cupogo.dev, you'll find the new sticker, which is the Range Over Brewster recursive Cup of Go sticker. The new cap, the new baseball cap, it's embroidered, so it's like, looks really high quality, and it is really high quality. I I I've worn it on a few hikes already.

And send us a picture of you sporting the socks, that would be great.

Yeah, for sure. Yeah, so that's everything. And we just wanna say thanks for listening. The show's been going great lately, a lot of listenership. I visited the Transistor stats again. It made me feel really good. I don't know if you visited that page recently.

Not lately.

I visited our, like, stats. Yeah. I haven't done so in a while. Our all time downloads have passed a 150,000 downloaded episodes.

Holy cow.

That's a lot. I don't know if it actually means anything because, you know, downloads podcast statistics are are always kind of funky. But, yeah, it looks like people enjoy listening to the show, basically.

I I think what's might be more impressive is that the average, downloads per episode is now over 1,000.

That's really cool. That's really, really cool.

A little bit intimidating that

people are listening Thousand people. Well, I'll I'll get excited when it passes like a round number, like a 24. Oh,

okay. Got

it. And thanks everybody for listening and telling other people about the show. And, you know, I always like looking at the countries as well, at the, like where we have 0.14, listenership in Chile or in Armenia or in Cyprus, 0.1.

I I wanna do a quick shout out to Moriah, who, of course, is one of the co organizers of the Go West conference. She and I were chatting after the conference when I was there a couple weeks ago, and she just did a a she said thank you to me personally for doing Cup of Go and that it was expressed that it was, in her opinion, one of the highlights of the Go community. So thanks, Moriah, for the encouragement. And as far as I know, Shy and I will keep doing it for a while. I don't think either of us have plans to quit.

Alright. So in in great news, great timing, we're moving on to the news. I'm quitting the show. No, I'm just kidding.

It's about time. I've been looking for a new co host

for a while. I can't with all this security talk anymore. I It is important to know that Utah is, like, I think in the top 50% of states listening in The US. Alaska is near the bottom. South Dakota. South Dakota, you have some we need to find gophers in South Dakota. We have 0.02 listenership there. But hey, number one is my current home state, California. Woo hoo.

We're the number one person.

Once again, California is the state in the in America. All the all the American listeners are like, New York New York is at, number three. Maybe we should get the new the new mayor to, like, sponsor a cup ago. We just missed it. Like, we should have done we should start doing political some campaign donations. Alright. That's it for the ad break.

We have

one more thing to talk about, so stick around.

So let's talk about GoPodcast and GoPodman or or whatever this is.

Yes. You don't listen to other tech podcasts. Right? Not so We we talked about this a few times.

Yeah. Yeah. I sadly, I I wouldn't even listen to my own podcast. It's not my it's not my genre.

I I think sometimes I ask you if you listen to episodes where you're, like, sick or whatever or you're traveling and I have someone else cohost instead

of I usually don't. I I spotless. Very spotless. Yeah.

I do. I I I like listening to other podcasts in general. Now that I moved to The US, I listen to a lot of, like, Israeli podcasts, actually a lot more than I used to, just to, like, sort of stay in touch. But recently I, found out about Go Podcast, which is Go, space podcast, open paren, clone close paren. So, like, starting a Go routine.

So you can listen to it in the background, basically.

Yeah. You you can listen to it as a By the way, shout out I don't know, like, what's the etiquette of in a podcast shouting out another podcast. I like it. I recommend you listen to it. And, you know, it's another place to

be I think we're supposed to be mortal enemies. Like, listen to our podcast instead.

Yeah. I don't know. It's pretty good though. It's pretty good. So you should probably listen to it.

If you wanna upload this whole episode to your channel, that's fine.

I don't know about that. That's exactly what Filippo was worrying about with supply chain attacks. People will just load this latest and greatest podcast episode, they'll get a totally different episode. That's a good idea. Fishing via podcasting.

There we go.

Podfishing, the the latest craze. So I wanted to ask you about Docker.

Do you use while ago, Typosquad go the the Go podcast channel on the Go for Plug.

Do you use Docker?

I use Docker quite a bit. Yes.

Have you ever considered any Docker alternatives?

Yes. I used one many years ago. I don't remember what it was called, but it was just for building Docker images. It wasn't for the runtime. It was just for building Docker images. And that was because it was faster, but it had a lot of limitations that made it not useful in most scenarios. And I don't know what the state is today, but

So the episode in question, episode 64 of Go Podcast talks about Podman, which is a ruthless alternative to Docker, which led me down a little rabbit hole. In my company we use Docker right now. The way we use Docker is we run Postgres locally. So, I think a super bog standard way, you know, you run Postgres locally for your local application, right? What could you want?

I like, literally, what do I search for in the search bar?

Yeah. Like, what what do you what do you wanna find before you

I try usually type the name of the technology versus and see what autocomplete pops up to give me a list of of alternatives.

So that's crazy because that's exactly what I did. And I found Orbstack, Podman, Docker and Colima.

Okay.

And then the second thing I do is I type the name of the technology I wanna check right now, space Reddit. Then I start looking for it in Reddit. But I don't think that works anymore, man. I think, like, companies have wised up to that. They, like, pay people to do it and they have a lot of AI writing, like, good reviews there.

So, what's the what's the pain that you had considered Podman in the first place?

I just want it to run faster. It's just, like, kinda slow, and takes up a lot of power and resources

Is that, for my like, run is running as slow? Is that because you're on an M4 and there's that translation layer or something, or

It's building Dockers, I wanna build my own because because we're running our containers in Azure Container App, so we have to containerize them. Yep. And it's going a bit slow. I think it's related to the m one thing, to, like, the, Apple Silicon thing, but not only. Yeah. Uh-huh. But also just, like, startup time. I wanna start for Postgres. I want it to start just Yeah. Like, in in zero milliseconds.

I do too.

So, the startup time of the container actually impacts my end to end test run time. But in that case, I talked to you about this in the past, I want I just don't wanna use a container at all. I wanted to use, like, an in memory Postgres implementation. Sure. But I haven't gotten around to that yet, and I never will.

I will often use persistent containers that stick around for ten minutes or even a day, and then I can get rid of that startup time at the expense of it's running in the background all the time. And maybe that matters if you don't have a lot of memory or something.

I just want, like, 15 of them, but because I run the tests, as many cores as I have minus one. So for me, it's like 15, but but that's a good idea as well. But it's just so fussy with, with Docker. I wanted to see if there's something better. It's a tool I use all the time. It's not a big pain, but this episode from Go Podcast brought it to my intention. You're just using, like, rock and playing Docker, right?

I use playing Docker. I have I've I hear people complain about Docker desktop. I've literally never used Docker desktop and can't imagine why I would ever want to, like, I don't know what problem it solves, so

It's a good chance to mention you're on Linux, right?

Does that make a difference So,

solves problems of, people not using Linux. No other way to run the Docker container on the Mac. You have to install the desktop version.

Well, that's ridiculous.

But that's, again, also another pain, like, every developer that comes to the to the company has to install this, like, GUI desktop application, and when you open it, it, like, suggests you log in to the Docker container registry, we're using, like, your users, so you start paying.

Can't you just run a VM or something and run your Docker stuff in a Linux VM?

I mean, you want it to run as close to your software as possible, I feel. Like, don't want it behind another VM and another blah blah, just to avoid the pain of installing this app. But I'm looking into Colima, I might even try it today, which is container run runtimes for macOS, which is open source. So, I think I might try this, version next. And all this experimentation is thanks to this podcast. So, maybe you should start listening to tech podcasts, man.

But maybe I should, but it sounds like you're solving a bunch of problems I don't have because I use Linux.

Skill issue. You heard it here first.

It's a

skill issue. If you're listening Hey, listeners, if you're listening to tech podcasts, you're just not skilled enough. That's what Jonathan Hall is saying.

That's right, that's right.

Alright. I think that does it for the show. Maybe we'll do a lightning round next time.

Let's do it next time.

Thanks a lot for listening, everybody. Program exited. Program exited. Goodbye.