Don't give me that line feed! 🖶

This show was supported by you, Artisaner. Stick around to live for the news to hear some more about that. This is Cup and Go for Friday, 04/04/2025. Keep up to date with the important happenings in the Go community in about fifteen minutes or sometimes more every week. I'm Jonathan Hall.

And I'm Shay Nehmad.

Hey, Shay. How are you settling in?

I've upgraded half of my projects to Golang CI Lint v two. That's what you're asking about. Right? Not like me moving countries.

Was the the only important thing I had in mind.

There are two migrations in my life. Golang CI Lint configuration files and moving to The US. No, man. The US is crazy. I I wanted to apply for an apartment, so I have to pay a fee. What the hell?

An application fee. Yeah. Yeah. Because they probably run a credit check that will always that will definitely return nothing since you don't have a credit history here.

Yes. Don't. Well, I actually have one month of credit already. Okay. But it's just been like dealing with all these. Like, I'm the first person who ever came to The US. Like, everybody was born here and they just don't know how to deal with someone who migrates from the outside. Even though I'm in San Jose where like 80% of the people, you know, look not American, let's say it like this. Right. Right.

I I I don't know, but it's gotta be something with malformed requests that can do nasty things. I don't know.

That is true.

Because that's always what it is.

As as long term listeners of the show know, Jonathan uses Linux. One of the things you have to get used to like, are many differences between Windows and Linux. Can you point out like a few of them, just the top of your head?

Well, let's see. One of them works and one of them doesn't. I can't remember which one's which, but.

Oh my God. Well, let's just look at Bill Gates' net worth and Linus and compare.

Yeah. Works is the fuzzy term, right? Works for what purpose?

No, but seriously, technical differences.

Technical differences. There's quite a few, although they seem to be getting narrower these days. I don't know. I don't know what you're looking at looking for. One's open source, one isn't. That's maybe a big difference.

Right. One open source wasn't. If you let's say if you work with a Windows developer on the same project development, what's

one thing that always trips you up? They're always complaining about how my configuration doesn't work for them. And I'm like, go figure it out or use a real operating system. It's up to you, dude.

That's nice. So, yeah, line ending because that was what I was aiming towards. Maybe you don't even remember you've been on Linux for so long, but CRLF versus LF. This is like so archaic. Whenever I remember this is a thing, I just like I can't stop laughing.

Which I'll I'll say after all the way, but this recent bad math thing of Windows, conceptually, that makes more sense to me than just the CR ending.

Then just the LF ending, mean?

Or LF, yeah. Because they are two different things, right? Go to the beginning and go down. In my mind, Windows makes more sense, even though it's annoying since it's the outlier. If everybody did that, I wouldn't mind.

The problem is it's not universal. Like if this was how humanity decided to represent a new line in a text file, nobody would have a problem. But in Unix and Linux and all that, a new line is just line feed without the carriage return. It's just one character, which caused unending suffering, on the world, and probably lowered the total GDP by who knows how how much. Now you have that theming in mind and you know the vulnerabilities in the HTTP package, right?

So it's got to be something that misinterprets one of those treats new lines or line feeds as a continuation of a line, I'm guessing.

So actually it's the other way around. In HTP, you shouldn't use just a bare LF as a new line. Right? Sometimes Go rejects it, but, sometimes it accepts

So so Go so the HTTP spec agrees with Windows is what you're saying?

I think so. Okay. The line terminator.

That seems to make sense to me. I think I remember that.

There's there's a reta for an RFC, so it actually messed up the HTTP RFC as well where people were, like, asking that the line terminator should be just LF and ignore any proceeding CR. But actually, HTP, wants to only use CRLF, and the difference is intentional, blah blah blah. So in one specific case where you get chunks of data like chunk data lines, Go rejects bare LFs, but accepts them in the chunk size. And then there's a super this is just a bug. It's not a security issue yet.

But it only affects you if you're running a Go proxy HTTP server. Is that correct?

You should upgrade anyways, right? Of It's a minor patch release.

It's always fun

to upgrade.

It makes you look like you're on top of things, even if it doesn't affect you. At least that's why I upgrade all the time.

I've been super happy with Dependabot lately. I've started using Dependabot for automatic upgrades in our repos, and it's been doing a pretty good job, like knowing when to open a PR, knowing when it's safe, etcetera.

Dependabot broke our go. Mod file recently. Oh. Yeah. Mean, it didn't break it. It removed the line feed that go mod verify wanted to put back. So it broke our CI because our CI runs go mod verify to make sure that somebody didn't forget to run go mod

New lines, new lines everywhere. Yeah. Yeah. New lines, new lines. I don't care. So, in one funny, comment, about this issue that I just have to put in, even though it's not super important, is that while explaining it, the author mistaken LF to CF as well. So even while describing the vulnerability, they they messed up CR and LF. That's how

confusing it You just said this is easy to understand. At one level, that's true. I'm like, I have no idea exactly what the problem is. Like, is is it CL or R? Which one which one's missing or which one shouldn't be?

So there isn't CL. Yeah. Right? There's CR and L. CL.

CL is not a thing. I can tell

you that for a fact.

Caret C. Line reserve.

Cool. So you have a new vulnerability discovered and fixed, go fix it. And if you're dealing anywhere with, new lines as a separator, you should probably think again. New line is not a good separator. What do you have?

Yeah. Let's talk about something that, I don't think it's quite as, intricate in terms of like which of two things do you have to admit or not. But we have a proposal that's been accepted. I think it's a good one. Structured output for test attributes. So I don't know. Often do you run your Go test suite?

I run my test suite like 20 times at the end of every feature because I'm at the end and then I run the test once, it helps me find all the problems. Then I repeatedly run the test until I fix all of them, especially if I did TDD. So like, I don't know, between five and twenty five times for every chunk of work. So maybe 100 a day. I don't know.

And how do you feel about the output you get? And I know you use I can't remember the name of the tool, you use a tool that reformats your outputs. This might not

be I used to use GoTestSum.

That one.

I like it. It does like little dots, but honestly, I just use I normally use a Versus Code, like the internal test explorer because that's pretty good. You can play and you can debug and like it it works for me. But at the first run first go around, I I use, you know, the Go Testsum. One thing that, I've always wanted to do better is to have better results in CI.

So anyway, this will help you with that. The basic thing is that it's outputting additional attribute data with, or optionally will output additional attribute data if you do go test JSON, which can then be interpreted by tools in CI, for example, to colorify and reformat your output to be friendlier. So this is a nice little screenshot on the issue. It shows the standard output that you just get from Go test and it's fine, but it's

pretty ugly.

Pretty ugly. At least by default it hides passing tests. So at least, you know, the output is failures.

To me that's even worse because I don't know if I remembered to uncomment like a test that I may have commented out. Like I like seeing all the tests running.

Yeah, that's fair. So anyway, the new output, it shows the passing tests in green and the failing ones in red and they're all collapsible. Of course, in like, I think this is GitHub actions you're showing a screenshot of. So it's not that your terminal is suddenly going to show collapsible text, but it's example of what can be done with this new metadata that will be output. So I think that's kind of cool. Think it'll make

it little easier. Like, you could add some metadata to test. You know, if you analyze the failing test, you could look at the metadata and see, oh, it failed on that user ID or that request ID or, like, source code information and things like that. Right? I'm wondering who's like this is super cool, but I'm wondering who's like the consumer. And also, why are there so many comments on this issue?

So, yeah, there there is a lot of discussion on the issue. It's kind of interesting in the sort of academic sense. I'm not going to bother our listeners with it, but if you really care, go read it. It's about a hundred comments and links to other issues. One of those I'll call out though, since you've mentioned Shai that you use GoTest some or have in the past, this will integrate very nicely with GoTestSum.

Oh, I I can just, highly recommend, GoTestsum and it's a big shout out to Dani and Neffin, which I think was like our second interviewee on the show ever or something. Yeah. Okay.

Yeah. So GoTestSome is a tool for running tests, and it doesn't try to replace all of what GoTest already does. GoTest already does a lot of great stuff. What it tries to be is a layer on top with a few extra features that some people might might want. So it uses in Go one ten. They added a dash JSON flag to the Go test, command.

All right. Let's talk about a couple of meetups that are coming up. The first one, April seventeen in Birmingham. I'm gonna I'm likely gonna be in Birmingham, but not then. I'm I'll be there in June. If you have another meetup in June, let me know. I'd love to come hang out with you guys. But anyway, April 17 in Birmingham. Birmingham, UK, not Birmingham,

Alabama, right?

Birmingham, UK. They'll be talking about quantifying your reliance on open source software. That's Jimmy Tanner, friend of the show, will be speaking about that. Paul Dragunis will be talking about CI and CD, building composable pipelines with Dagger. And I'm sure everybody will be talking about all sorts of other fun things, whether having drinks or snacks or whatever other sort of refreshments they have there.

And they have a three d gopher spinning around.

The three d gopher, yes. Looks like it came from like a Nintendo sixty four era.

Love those polygons. You work those polygons, bro.

Yeah. So if you have a meetup coming up, let us know. Send us an email. Find us on Slack. Let us know about it. We'll be happy to mention it on the show for you as well.

Okay. So I would like to mention a meetup so you could mention it on the show.

Yeah. Should I tell him about the meetup you'd like to mention on the show?

So it's still like, I'm not a % sure how it goes because I opened the event and I tried to reach out to the Go SF people. Anybody knows them, Travis Reeder or Frances Campoy. If you know them, please reach out to them. There is a Go meetup in San Francisco where at least two people are gonna go. That sounds exciting.

Now is this gonna be is this intended to be a full fledged meetup, like speakers and everything, this is just like casual go drinks?

This is intended to be a full fledged meetup in which we are gonna have fifteen minutes of like schmoozing, 45 of a live podcast recording where we're gonna do the Cup A Go episode like that day with you online, and with who whomever is gonna join, then a brief break and then a talk that's to be determined. The talk is open. Like, worst case, we're gonna have Josh do something, like teach us about something cool or show off his project. But if you actually have a talk, especially if you haven't hosted this show before like Andy or Josh, that would be super cool. But yeah, it's me, Andy and Josh probably.

Alright. So let's go back.

No. No.

I think we should go back. No. No. I really think we should go back.

No. Because I have travel resistant file APIs. All right. This is something in Go 124 that we've been meaning to talk about and just didn't get the time. But it's another security feature that's baked into Go, which I love. My wife's been learning for the certified bug bounty hunter certification over at Hack the Box. So, you know, every evening conversation is like, oh, I did this attack. I did a file inclusion attack. I did a blah blah attack. One of them is, path traversal attacks.

different varieties, I guess. I'm not an expert on this, but they can involve symlinks, I suppose. But they basically involve shenanigans with interpreted portions of a file path, like dot dot, for example,

or dot. So dot dot, like go back, which is

why they Yeah, right.

If you didn't get the joke, now you're probably laughing, right? After I explained.

Yeah, because it's always funnier after it's explained.

Yeah. So basically the whole gist of it is you shouldn't give untrusted sources access to file paths you didn't mean to, right? If you open a directory, 90% of the time you just want your program to operate under that directory and nowhere else. You don't want to allow, the software to access, other directories on your machine, especially if it's a web server. Right?

Devices that nobody uses anymore.

Well, I'm sure attackers do, right? Of course. If you look at recent shell codes, I'm sure they have like COM1 and all these LPT2. Beautiful things. However, that's not really enough.

Does it accomplish that? Does it just do all these things behind the scenes or does it have some OS level magic that makes that unnecessary?

So it depends on the platform. So it definitely has to be OS specific. So for example, if your Go OS is Windows, file names may not reference null and com one and other reserved device names. And in JavaScript, it's still vulnerable to time of check, time of view stuff in Symlink validation. And it basically says even in, with OS dot root, I'm not promising anything.

Right.

And in most platforms, it like opens a file descriptor referencing the directory. And if the directory is moved, it keeps that handle. So even if you try to move the directory, you can't escape from it like outside, which is pretty smart. And it simply doesn't prohibit it. It like doesn't allow you to follow symbolic links outside the root. So you can do symlinks inside that file system, but not outside.

So you can still use symlinks and you can still use like dot dot slash within that that that root.

Yeah. Which is super nice and useful for you as a developer and just sort of does it for you. I assume if you open the code, find like a rat's nest of, stuff. And actually, Go code is pretty easy to read, so I might just do that. But I haven't.

Cool. I like it. I'm gonna use it.

Yeah. More security built into the the system, that's great.

We have one more news item here before we jump to our break and then we have some lightning round items. So don't skip, don't turn off the podcast after the break or before the break. The last one here, this was a set of new changes to the Go language, the standard library, a bunch of different things. They were all announced just a few days ago. And these will be really beneficial to those who are attending those meetups we just talked about over in The UK.

Wait. But how do you if I wanna use color because I I actually wanna use color with a u because my English teacher in Israel was British. But let's say you you wanna use the, US version. How can we both use the same one?

You'll have to use an alias, I suppose.

So the new directive is slash slash go colon lang and then the language there.

Yeah. So you can actually localize your documentation. That's the point here, right? So you do you go colon lang en for the sort of normalized English. That's probably not the fair way to say that since the British came first with English, but so then you could say something like Acme Corp is a company, blah, blah, blah.

No kidding.

No kidding.

Yeah. It was the one of the only April fools pranks that I really liked. Yeah. Good one. Good one. You almost got me. This person called Carnivoral. You almost got me. I read it and I was like, wait, what?

If our show had come out on April 1, we probably would have done something a lot more elaborate ourselves, but it didn't, so consider yourselves lucky.

Yeah. I love the quality of life improvement, import maths.

Yes. That's that's the best one.

The top comment is great as well. Right? I was typing out a long post that I really, really disagree with this. This is from Satan Sprinter. Then I realized it was April. Side note, if this gets real, I stop using Go.

Alright. Stick around. We have a few more items, in our lightning round after a quick break.

Welcome to Adbreak. First of all, we wanna say thanks to our Patreon supporters. This show is a fun hobby that Jonathan and I do to learn about Go and, like, stay on top of things. Otherwise, how would we know about, collure? Do you know that SNL sketch where she says collure, collure?

Thanks Jess.

Thanks Jess. We really, really appreciate it. Our little community here is is growing. I really, really like it. I like seeing, like, how people support and, retain, their support as well.

Yeah, it's nice. My Thursdays had started to get full, so it was nice to move something to Friday. Although I still haven't remembered, I made plans today, not interesting plans, plans to get my car fixed. And then I remembered that we had this, so I rescheduled that till Monday. Not a big deal. It's just not second nature for me yet.

So our recording used to be really fun when we were both in European time zones. Then there was a period where you moved to The US, I stayed in Israel. That was rough because I was like recording in the middle of the night and for you it was early morning and we were both like a very different energy. Now we're both back on the same time zone, but we moved the recording to Fridays because I have the microphone in San Jose, but on Thursdays I'm driving up to San Ramon to a different office. So our episodes are gonna be Friday, they're gonna come out like Friday or Saturday, depending on like our editor schedule.

Yeah. He's still in Italy, so

It's all wonky.

We're not asking him to adjust his schedule to accommodate ours.

Yeah. Our news aren't that urgent, but let us know. We could like move it around the week. So if you're liking this like episode in the weekend, that's great. If not, let us know. It's a new schedule and we sort of wanna hear your opinions about it. Finally, we mentioned it at the show, but there's a chance to meet us. You can meet me in the San Francisco meetup we're arranging. I'll put the link in the show notes. Actually, that would be smart.

Is it like, are you nervous in front of people,

in front

of crowds?

No, I'm fine. Like, I I have you to blame. Anything that's wrong, it could be like, well, Jonathan's the actual podcaster. This is just like my first podcast. I have a fall guy. You know what I mean? Got it. Right. So that's good. So if you want to see these numbers growing like us, please leave a review on Spotify or Apple Podcasts or like wherever you listen to the podcast, and share the show with a friend or a coworker.

Lightning round. Round. Yeah. So I guess I'll be at KubeCon. I don't know. I haven't bought my ticket yet. Whether I'm there or not, or just hanging out for the after party or side party, whatever. I have an item that's relevant to people who might wanna go to

the Sidecar. Sidecar party. Yeah.

There we go. So friend of the show, listener of the show, David MDM shouted out a project that he's been working on called Yoke. The documentation for Yoke says that it is infrastructure as code for Kubernetes. It's a deployer, IAC package deployer for Kubernetes. So if you're one of the kinds of people who wants to go to KubeCon, this might be for you. I haven't been using Kubernetes for a while. Are you using Kubernetes, Shai?

Happily, no. I've used it in the last two companies. One unjustifyingly, like totally over engineered from the start and in a real company that actually needed it. And the one that's over engineered, we didn't need Kubernetes anyway. We just sort of got roped into it.

And to be clear, works with Helm, this isn't like a replacement or

or Yeah, yeah, of course. It's Helm inspired, I mean.

Yeah, yeah. Cool. Yeah, I'm not using Kubernetes either. Whenever I am again, I'll I'll have to give this a look as well.

Hoping for you that you won't have to. It's a bit too complicated for-

I enjoy Kubernetes, but it has it has to fit the problem and it doesn't always.

I know, I'm not Google at the moment. One thing I wanted to shout out is Princess Beef Heavy Industries has come out with a banger in February and somehow I missed it. There's static mocking in WiredTap. If all the words I said right now didn't make sense, go back and listen to our interview with Dave, Shanley about, Princess Beef Heavy Industries, but there's a tool called WiredTap. It's an API tool that allows you to validate API requests, and responses that make sure that's compliant with the schema and like a development server so you can test APIs and some diagnostic to debug API requests and responses.

So you've had one through four?

Yes. And one is the best. But two was pretty good as well.

Two was my first one and I've had a three and I had a four. I don't have any of them anymore. I got a Steam Deck and gave away my PlayStation four before I left Europe. Nice. But you can now run Go on the PlayStation two.

Timely.

Yes. This is actually quite an interesting blog post that's simply called Go Lang on the PlayStation two by Ricardo. Don't know the last name. But he goes through the challenge of getting Go to run on PS2, which is, it's not just like, oh, this is a weird piece of hardware. It's like, Go doesn't quite support the CPU architecture.

to the Legacy? It's only twenty five years old. That is super cool. I love this, like, low level nonsense stuff and dealing with, like, old hardware. Generally, the PS two aesthetic is pretty good, right?

This is

not useful for anything though, right? It's just for fun.

I think so. I mean, in principle, I suppose you could run a web server or a web proxy with Go 1.242 at least safely on your PlayStation two. But, I think it's it's for obvious. I love the Go build directive, by the way.

Slash slash go colon build p

s two. You just need to have Go and build added for this one as well.

One final item for the lightning round. Go Zero reaches 30,000 GitHub stars. I never heard of it. Have you heard of Go Zero? No.

Awesome. I think that's the show. That wraps it up. Program exited.

Program exited. We will see how we do the episode next week since it's a Passover, but we will definitely fit it somewhere on the schedule. Program exited everybody. Program exited. Goodbye.