Jonathan HallThis show was supported by you, our listener. Stick around to live for the news to hear more about that. This is Cup and Go for 06/06/2025 or 06/07/2025. We're recording on the sixth. Keep up to
Shay Nehmaddate with the important happenings in
Jonathan Hallthe Go community in about fifteen minutes per week. I'm Jonathan Hall. And I'm Shyne Hachman. Hey, Shayne.
Shay NehmadYou hesitated there for a Were you about to say I'm Shay Nehhmad?
Jonathan HallI was about to.
Shay NehmadI saw it. How you doing, man?
Jonathan HallI'm alright. Getting ready to travel. I won't be here next week for the show because I'll be in Brighton in The UK.
Shay NehmadOh my god. So Yeah. If you wanna replace Jonathan on next week's recording slot, come talk to us at the Copago channel. If you already did it in the past, wait for a We wanna try to get more friends of the show on the show.
Jonathan HallAnd if you're gonna be in Brighton, hit me up and we can have a drink. Or Amsterdam. Right? Yeah. I'll be in Amsterdam one one day two nights, one day after the after that.
Shay NehmadCool. Cool. Cool. This week, I wanna kick things off with the new minor release. Go one twenty four point four and Go one twenty three point ten have been released, and they include three security fixes.
One that I'm not gonna try to even explain, it's from crypto x five zero nine, whatever. I can't I I tried to read it. I couldn't understand it. But there are two that are in NetHTTP and in OS, two very, like, popular, you know, standard library libraries that I I'm gonna try to explain. Very cool security fixes. The NetHTTP one is about leaking sensitive data.
Jonathan HallOh.
Shay NehmadSo do you know what is the authorization header on, on HTTP request, like, we would use it?
Jonathan HallYeah. That's where you would, like, pass in your auth token or whatever. Right? You say authorization bearer and then a bunch of random seemingly random digits that represent a JWT or something. Mhmm.
Shay NehmadWhat about, like, in general, you have tons of ways to do it. You usually use the authorization header. Right? Yeah. You could use, JWT. You could use basic auth, blah blah blah. Almost everybody who's done a web app at some point probably had to implement it either themselves or integrate with a party, like, provider. Right? Now let me ask you a slightly harder question.
Jonathan HallMhmm.
Shay NehmadIf you implemented this, you probably know what a four zero one error is in HTTP. Right? Yeah. What's a 401?
Jonathan HallI never remember 401 versus 403.
Shay Nehmad401 is unauthorized.
Jonathan HallUnauthorized. Yeah. And 403 is Forbidden. Forbidden. Yeah. Mhmm. So unauthorized means that, like, you have not provided meaningful or correct authorization token of some sort. You haven't authenticated. Right?
Shay NehmadYes. And now I'm gonna raise the stakes one level higher to get to the actual problem in this in this security release. What is 407? Do you remember? No. Okay. So they also forgot about it when they implemented NetHCP. Basically, in the same way you have authorization, you have a header called proxy authenticate. There's a weird ass thing in HTTP that proxies are like a part of the protocol in some sense Mhmm. Instead of being like just an extra layer.
So there's a lot of like little gotchas, and this is one of them. In NetHCP, when you have an authorization header, right, if you do a redirect, you don't copy the authorization header. Right?
Jonathan HallOkay. Sure. Yeah.
Shay NehmadBecause you don't wanna like, you redirect the request from cross origin, right, from a to b, and you wanna make sure that you wanna strip these sensitive headers. Why? Because if you redirect to a different site and you keep these headers on the request, I could just redirect you to, like, my malicious site Mhmm. It it by just doing some XSS or whatever on a popular web site or phishing or whatever. Mhmm.
You would log in with your real thing, and then I redirect you to mymalicioussite.com, and I still get the these, like, highly sensitive headers, which basically include your authorization. Like and then I can, like, use your token.
Jonathan HallMhmm. Makes sense.
Shay NehmadThey did it for authorization, w w w authenticate, cookie and cookie two, and they just sort of forgot. Proxy authentication or proxy authenticate. If you look at the actual change with and and I'll put the specific commit. We don't usually do this, but I'll put the specific commit in the show notes. It's like the easiest I could read the commit out loud.
You just add these two values to the constant thing of, oh, the case includes also proxy authorization, proxy authenticate, and they also added, like, a one test case just to make sure. But, yeah, proxy authenticate. It's like a header that defines the authentication method or challenge to gain access behind a proxy server. So you put the thing in proxy authenticate, and then the proxy would, like, translate the request internally and just put it in the regular header. And four 07 is the proxy telling you, hey.
You forgot to give me the creds instead.
Jonathan HallRight.
Shay NehmadSo it's like part of the fetch standard. It's part of HP standard. It's, like, written all over the place. Just in every place you see, the normal authorization thing is written, and then in, an extra paragraph, it's also, oh, don't forget, also, proxy. So they did forget, and it was reported by, I hope I'm saying this correctly, Takeshi Kaneko, from GMO Cybersecurity by Leria, something like that, Incorporated.
Thank you for reporting this issue. So they fixed this CV. If you have GoCode that does, like, network stuff, server stuff, you implemented the proxy or something like that Mhmm. Super relevant to you and you
Jonathan Hallshould
Shay Nehmadlike broadly upgrade.
Jonathan HallI've done a lot with proxies. I don't think I've ever used proxy off that I not in Go anyway. I may have in a previous lifetime.
Shay NehmadIt might have happened like without you knowing it. Right?
Jonathan HallYeah. That's very possible.
Shay NehmadEngineX taking care of it for taking care of it for you or something. So that's the one.
Jonathan HallAlright. What else?
Shay NehmadThe security fix is also super cool. And it's one of your favorite topics, Linux against Windows. Right? Long time listener of the show, will know that Jonathan uses Linux, which is why it took him, like, three months to set up his home network when he moved to his new That
Jonathan Hallis not why, but okay.
Shay NehmadIt's in the same culture category. But there is, there was just a behavior that was inconsistent between Linux and Windows, when you try to, create a, like, a file handle. Let me I'll describe the scenario and you'll tell me what do you think should be the behavior. Right? So I'm calling open file Mhmm. On with, like, create. I want to create a new file. Right?
Jonathan HallAlright.
Shay NehmadAnd the target path is a symlink, like a dangling symlink.
Jonathan HallSo there's is a symlink that that's on the disk, but it doesn't point to anything and you're trying
Shay Nehmadto create Like a shortcut. Again, in in Windows terms, like a shortcut, but the the underlying thing behind the shortcut doesn't exist.
Jonathan HallAlright. And
Shay Nehmadnow I'm trying create
Jonathan Hallthat file even though it already exists as a symlink. Okay.
Shay NehmadWhat should I do? What what should happen? What would you want to happen as, like, a developer?
Jonathan HallI would either want to overwrite that file or give an error because it already exists depending on which mode I'm using. Right?
Shay NehmadSo it's with ocreate and oexcel.
Jonathan HallSo that would I would expect that to give an error.
Shay NehmadSo there's an inconsistent behavior between these two systems. In the proposal, you can even see, like, they included a test that shows, like, this test will pass on Linux and fail on Windows, which is like, you know, when you call OS open file, you want to see an error. So if you create a symlink to something that does not exist, it should fail when you try to create that to, like, open file and create that file. When I looked into it, the one interesting thing I found is the hacking lab, like, behind it. I'm I'm not sure what type of organization it is specifically.
Maybe it's like an academic thing. It at least looks like it. But hackinglab.kaist, which is in Korea, the Advanced Institute of Science and Technology in South Korea. They have, like, a GitHub. They have the people. And, the person who reported this specific vulnerability,
Jonathan HallI hope I'm pronouncing your name
Shay Nehmadcorrectly, Joon Young Park. They're just one of the PhD students in this group, and it looks like there's a lot of people here, which I I I found it pretty cool. Like, you can see the the people behind it, and they're, like, a bunch of students in in South Korea. So so if you wanna follow them or or or, like, check it out, you go to kaishacking.github.io and, like, see all of their publications, all their CVs. They do some really cool stuff.
Insecurity of mandatory security software for financial services in South Korea. Just like a paper and things like that. I thought it was pretty cool because they're, like, not just doing it's not just one person. It's like an organization, a hacking organization, which we don't see very often. For example, Junyoung Park released in the beginning of this year.
RgFuzz, rule guided fuzzer for WebAssembly runtimes. That's cool. You know what I mean? Yeah. And they also have some CVs and even, like, the the number of dollars they made on Bounty on it, which I thought is a pretty strong flex. Right? Like, look how much money we made bug bounty. So that's a security release. The bottom line is you need to upgrade your minor version. You should do that anyway.
Even if you don't understand the the underlying security fixes, you always wanna be on the latest version.
Jonathan HallAnd of course, the one you didn't go into detail on is related to x five zero nine certificates. If you're using that, upgrade too, even though we're not talking about the details there.
Shay NehmadYeah. So a cool, like, security release. I liked it. I like it when the security stuff is this thing I can pretend I understand. Awesome.
Jonathan HallNext up. So anybody who follows Go on social media probably already knows this has happened. But the Go team, specifically Robert Grasmere, has published a post about this error handling in Go. TLDR, we've been talking about improving error handling for years with dozens or hundreds, possibly thousands of proposals directly or indirectly related to it and cannot get anywhere close to consensus. So Go team has decided for the foreseeable future, we will stop pursuing syntactic language changes for error handling.
We'll also close all open and incoming proposals that concern themselves primarily with the syntax for error handling without further investigation. I can hear half of the audience cheering. I can hear the other half of the audience groaning. I don't know. Regardless of the conclusion, I feel like it's a little bit of a nice to have a reprieve from this topic. I don't know. What do you think, Shay? I'm really
Shay Nehmadhappy to like, anything that helps focus. Yeah. Is a good idea. Like, if the team can focus on on things that the whole point of of Go proposal, Go discussion, Go whatever is to drive action. Right? Mhmm. These discussions are not action. Action is code that goes it gets committed to go and gets released in a version. Yep. Anything else is is bureaucracy.
Jonathan HallFair enough.
Shay NehmadCode or documentation or talks or education or funds, like, these are actions. But just talking about, the proposal itself, while it is useful, it's only useful in the sense that it will lead to action. I'm a 100% convinced that talking about error handling in Go will not lead to action at this point. So I'm really glad to see them closing the lid on it. I feel the same way about the like YAML.
Right? I proposed a while ago to put YAML in the standard library. They gave a really, really good reason why not to, and I was like, you know what? That's fair. But then I I I on on something I care about even more, I was like, the time formats in Go are horrible.
Let's improve those. They were like, listen, we feel you. We think you're right, but look at all these previous discussions. We're not opening this anymore and they just closed the issue. So it stung for a little bit, but on the other hand, now they can focus on, I don't know, things that that do have consensus and will go into the language.
And there are so many interesting things we can do. Right? This allows focus. So I'm happy that it allows focus. And I'm putting aside my opinion about whether I think error handling in Go
Jonathan Hallis good or not. Yeah.
Shay NehmadPutting my opinion back in, I think error handling is fine. Like, I don't get what it's fine. Sure. It's a little verbose. Whatever. Who cares? Look, at the moment you get used to this code, you read through it pretty fast anyway.
Jonathan HallYeah. I'm I'm reminded I know not everybody listening here, of course, follows the US Supreme Court. And And I'm not talking about a specific case, but whenever they often rule on something other than the actual case, right? Like, I don't know if Bob should have been allowed to do this thing to Alice, but he wasn't allowed to sue her for this reason, that sort of thing. And this is kind of like that.
Like, nobody's saying that error handling is good or bad. That's not the point. The point is we're not talking about it anymore because we can't make progress on the discussion around it. So, yeah, there's room to love or to hate GIL's error handling and still decide we're not gonna talk about it anymore.
Shay NehmadYeah. Now you know it's set in place. So I think it's called, like, a legal precedent or something like that.
Jonathan HallThat's a separate con concept. Yeah.
Shay NehmadOh, okay. Never mind. Will say, I think that at this point, people who are, like, unhappy with the error handling to the point that really, really bothers them are are gonna be less and less. Because I don't know about you, but the more I use like Copilot and this exactly the sort of boilerplate that I'm happy to see when I'm debugging, right? Because I can read the code line by line and there's like no magic.
I'm I what's the line of code I'm reading is the line of code that's running like on the CPU and there it's not like, oh, there's gonna be an exception or something unexpected monkey patching like in Python or whatever. Right. But writing the code is becoming less and less of a bottleneck because the moment I start writing a function, cursor like already like does the if error is not nil return error or whatever error handling pattern I already have in that function. So writing it is not a big And when reading it, I'm happy that it exists because of the like extra debugging ease that it gives me and like my ability to reason about the system. This is my opinion.
Not like this is just an opinion in that regard, but I think it's one of the reasons that drive them to to change this. Because if, I don't know, instead of LLMs, we had a different thing invented that would make reading code and reasoning about code like the main thing that's improving all the time and you would look at code all the time instead of writing it. Maybe it would have, you know, tilted the scales a different way. But with the the physical text in the code file becoming less and less typed and more and more generated, like who cares? I didn't care before, but now I care even less.
Jonathan HallAll right. Well, enough about that. We're not gonna talk about error handling anymore ever on this show since it's been closed. We probably will talk about it on the show, but
Shay NehmadGo team does not allow it.
Jonathan HallSo we have one more story to talk about, a blog post before we jump into the break and the lightning round. This blog post comes from Ottawa in Delaware. It is called You Probably Don't Need a DI Framework. And I have to say I was very happy to read this, not because of the content per se or the opinion it expresses, but because it explained to me what a DI framework does in Go. I've been wondering this for a long time because I've never used one.
And I do agree with the conclusion that aside now, do agree with the conclusion that you don't need one. I've never used one, therefore I don't and I do dependency injection all the time. So I'm not surprised to hear someone else say that you don't need one. What were your thoughts when you read this, Shay?
Shay NehmadMy thoughts on it is it's very pragmatic. I like it a lot. Coming from both lower level and higher level languages, like my experience before starting Go was either like c plus plus, like Python, and c sharp. Mhmm. Dependency injection was a big thing.
Like, everybody taught me, oh, object oriented, dependency injection, solid framework, blah blah blah. But then when I actually did my well, the civilian projects I didn't go at Recco, we just did we just passed things Yeah. In Constructors. And I was really happy with that. So I based my design based on like GoKit, right, which is mostly very like lightweight, not a lot of, like, framework framework, capital f framework, few opinions.
And one of the opinions is like, okay. So you need, a service and a controller and a blah blah blah endpoints, and we're gonna generate those for you. But you're just gonna have a big, like, main where you call new on a whole bunch of things, and there's gonna be, like, two separate concepts. And I really like that when your code is, this file is called Bootstrap and it calls new on all the things based on configuration, like initialize the logger or whatever. And the rest of the files are your business logic.
And they just assume everything's already initialized.
Jonathan HallMhmm.
Shay NehmadIt's great for tests. It worked really well for me. I'm really happy to see, like, someone who's working at, like, a real company. Red one is, like, at Walt, which is a huge, like, it's like DoorDash. I used to use it all the time as well, saying basically, yeah, Shay, you were right.
Your lived experience does track in other companies as well. Yeah. If you let your DI framework figure it out for you, you're gonna have a bad time. And calling new and a whole bunch of things just is easier than having it happen in runtime using the, DI framework. I think the the biggest problem is that the, DI framework also came from Google.
Right? So the wire, DI framework, which is the biggest one, is also from Google. So it has an air of, like, being official or being, like, the supported way to do things, which is just not true. So I'm really happy to see those blog posts. I think it's it's it's right on the money.
Jonathan HallSo I do think it's worth pointing out the problem that DI frameworks are sensibly meant to solve, right? And that is that you sometimes end up with these constructors that take five or 10 or 20 or 100 different arguments for all the different dependencies they have. Right. And that can look ugly. And by using a dependency injector framework, maybe pass one thing in that kind of magically handles all that for you.
So it can look nicer, but I think that it's the infamous example of hiding complexity that Go tries not to do.
Shay NehmadIt just adds more confusion than what it's worth. Don't think it is of zero value. It's nice. I just think that the cost it introduces is much higher than the value. Sure. Even if you have a ton of modules. And by the way, like, if you have a thing, like a new call that that has a million dependencies. Right?
Jonathan HallMhmm.
Shay NehmadLet's say not a million. Let's say re reasonably. Right? It's the I don't know. Your main whatever module. Right? And it depends on the database module, and the database module depends on the configuration module, and the configuration module depends on the logger module. Mhmm. Right? And it also depends on the, I don't know, widget service, and the widget service depends also on the configuration module, blah blah blah, etcetera, etcetera.
Jonathan HallMhmm.
Shay NehmadAnd you're like, oh my god. I'm calling I'm passing in the logger thing a million times. Wouldn't you prefer to see it and be like, oh, maybe it's better for me to just make the logger, like, global static and and not have all these dependencies. If you don't if you have a DI framework, it's not like that Yeah. Architectural nonsense doesn't exist.
It just happens at runtime. Mhmm. I would rather just see it, like, with my two eyes and and see, oh, this is the complexity I'd introduced. Maybe I should do something about it. I'm using NestJS right now, which is all about dependency injection.
It's JavaScript, unfortunately. Well, TypeScript. But, like, you never call a constructor of anything. You just define, like, in decorators this, depends on that, imports this, and it, like, calls the decorators for you. And both me and my CDR are just, like, haphazardly trying to add random imports here and there, trying to make the, like, runtime resolver work.
And then, you know, I I I don't mean to, like, crap on SJS. It's fine. But you you need to buy the DevTools, like, SaaS application. It's $5 a month. And then it reports to you, hey, you have these unnecessary, I don't know, provider exports that you can remove. So it's like, wouldn't I just rather write the constructor? I don't know.
Jonathan HallYeah. Constructors are the are the one exception I have to the the general rule of like no more than four arguments to a function or whatever number you choose. Right? I don't follow that religiously when it comes to constructors because I want to see just like you're saying, I want to see the complexity that my constructor is taking on. And sometimes I refactor that.
I feel like my constructor is taking too many things, that's a sign that maybe I need to do some refactoring, move some densities around, turn it into two different things or whatever.
Shay NehmadYeah, the graph is too dense. Yeah. I I will say my rule is the same, but that all constructors must be either in bootstrap.go or be of something that is actually in the in business value is dynamic, like loading a real plugin, like loading a new DLL into Notepad plus plus or something. But I I really don't wanna call new on, like, a real module. I'm not talking about, like, a a just a data transfer object.
The real, like, class thing outside of, like, the the graph creation part of the code. So you have graph creation part of the code where functions can take as many parameters as they want because this basically represents the wiring of your application versus the business logic where that represents just every single node and you want every single node to be very understandable and small, take a few like, functions should be short, be tested, blah blah blah.
Jonathan HallYep. Absolutely.
Shay NehmadSo I I love I love this blog post. Great stuff, Radwan.
Jonathan HallI'm curious if anybody listening disagrees. If if you love your DI framework, let us know why, which one you're using and what problem solves for you and why you love it. We'd love to hear about that on our Slack channel, which I think is a great segue into our little break where we talk about our Slack channel. So if you don't know, we have a Slack channel. It's on the Gopher Slack or Cup A Go.
Kebabcase, come join the conversation there along with, I think we have close to 600 people now, five fifty three. You can also find us on the web, cupago.dev. You can find links to all of our things there, our swag store, all the past episodes, links to our personal profiles so you can see what we look like. Yeah. What else, Shayne?
Shay NehmadIt's a cool channel. It's kind of a fun place. I accidentally incited an AI related discussion, so maybe wait a day, and then it'll become like AI free zone again.
Jonathan HallWell, you're in San Francisco where apparently they believe in AI a 110%.
Shay NehmadSo I mean, I I took a driverless car to my to my meetup, so I I it's hard to argue with it, you know. There's something in the something in the water. I do wanna shout out, like you said at the beginning of the show, the show is supported by the listeners via Patreon. So two things. One, Patreon reminded me to remind you, don't use the iOS app because it takes like a cut.
So just use the web version instead. We wanted to say a lot of thanks to our new listeners that joined Patreon. Landy Bible, new supporters, I should say. Landy Bible, Michal Christensen, and Simon Law, which I met actually physically in the meetup. Like, I know how this person looks. Thanks, Landy, Mikkel, and Simon. We really appreciate your support.
Jonathan HallWe don't pay to advertise, so if you could share this show with your friends, colleagues, fellow students, leave a review, leave a rating, that is all that we need to get this show known about. Our listenership is growing. We had a record breaking month last month as far as number of We love that. Keep up the good work. Keep keep sharing the show.
Shay NehmadAnd one final reminder, if you want to replace Jonathan next week and host the show with me, talk to me on the Slack. I don't wanna do the episode alone, basically, is it? Alright. Let's do a quick lightning round.
Jonathan HallLet's do a lightning round.
Shay NehmadLightning round.
Jonathan Hallon the lightning round, the Stack Overflow developer survey this year is open.
Shay NehmadStack Overflow? I thought it's dead.
Jonathan HallYeah, but I think it might be. That's a shame actually.
Shay NehmadI have
Jonathan Hallto say I did this survey and you can imagine it's all about AI and how do you use AI and how would you like Stack Overflow to be improved with AI? And I have to say, I think half of these questions are written by AI because they don't make sense and there's grammatical errors and like logical errors and all sorts of ridiculous nonsense. I have to say, I wasn't really impressed with the survey this year. But I thought I'd
Shay Nehmadtell you I'll tell you another thing, and I'm putting this in in our channel right now, like our internal host channel. I just opened Stack Overflow, and it got like, oops, something bad happened, error. You know what? I'll skip it this year, I think.
Jonathan HallAnyway, when the results are out, we will, of course, go digging through the results to see anything relevant to go, and we'll talk about that in a in a few weeks or months whenever that's around.
Shay NehmadIf there's something relevant.
Jonathan HallIf there's something relevant.
Shay NehmadIt might have faded into irrelevance, this site, unfortunately. My Lightning Round thing is a cool cool idea. I haven't tried using it yet. I don't think I will, but I really like it. It's called Gitbug. Where do you you are like a contractor. Right? You do work with clients for them, whatever. Where do you like tracking bugs the most? I assume it's not Jira, even though you had to do Definitely
Jonathan Hallnot Jira. Linear maybe? I usually prefer whatever is tied to the source control we're using. So it's usually GitHub issues or GitLab issues.
Shay NehmadSo you might like Git bug, which is storing the bugs in, like, inside Git in in the dot Git directory. So you manage issues, users, and comments, like, directly from within the repo. So it's versioned, it's, like, clutter free, it's distributed. Right? So it's, like, on everybody's machine.
It's kind of fast because it's on your machine and it even synchronizes with GitHub using bridges. You know Interesting. You could start using it while your team is using GitHub. This is all like theoretically. Right? I I haven't tried it yet. I do wanna try it using it like and combine it with linear and see how it works. But it's sort a new project. I found it. It was trending on on GitHub.
That sounds like something you'd like to be involved in. Check it out. I I I think it's rather exciting. Like a new way to track bugs. That's cool.
Jonathan HallInteresting. Yeah. I'll have to check it out. I'm curious how it would handle, like, conflicts and stuff,
Shay Nehmadbut And videos. Like, half of the bugs I I put for the front end, I wanna say team guy at work Mhmm. Is an advantage of working in a small startup. Include like a small video of me like, hey, this is how it messes up. Yeah. It is interesting. I I like the I like the concept. Might try it.
Jonathan HallCool. Last today on the lightning round, friend of the show and previous cohost, so I guess he's not eligible this time. Jamie Tanner has done a blog post about looking back for last year about API cogen. We had him on the show as an interviewee also talking about OpenAPI Codegen.
Shay NehmadSure, yeah. So as you mentioned, I am one of the maintainers of a Go command line tool and library called OAPI Codegen. OAPI Codegen transforms OpenAPI specifications.
Jonathan HallIf you are a user or potential user of OAPI Codegen, this might be relevant to you. It sort of gives us, like I said, a summary of the changes over the last year, which were versions released. And of course, looking forward into the future, they're looking for some sponsors. Jamie would love to spend some dedicated time on this to implement new features that are not there right now.
Shay NehmadYeah. Specifically OpenAPI 3.1, like supporting the new version of OpenAPI. Generally, I think this blog post, this like post on the GitHub announcements and his blog post on his site. Just give the air of this is like a serious thing, like serious production thing, which is very cool.
Jonathan HallSo that's it. Check it out. We will be back together in two weeks time next week. I hope you have fun without me.
Shay NehmadAlright. Program exited. Program exited. Goodbye.