🌲🌳🌲 If an error falls in forest, and there's no variable around to see it... ?

This show is supported by you over on Patreon. Stick around till the ad break to hear more about that, about our live episode prep, and some other cool stuff. This is Cup of Go for January 25th 2025. Keep up to date with the important happenings in the Go community in about 15 minutes for a week. I'm Shay Nehmad.

And I'm Jonathan Hall. 

Oh, sounding all nice. I'm glad I'm glad to hear that. Long time listeners might remember that for the last few episodes, there's the microphone arc of Jonathan ever since he left Amsterdam. Yes. The Mike saga.

I should have just done this even before I left Amsterdam, but I don't know. I guess that was, stupid.

Yeah. Mike saga, by the way, the original name for, original proposed name for The Last Dance that Mike, Michael Jordan, and then I took it personally. And then someone said Zig was better than Go, and I took that personally. Oh. Alright.

Yeah. So 1.24 RC 2 is out. The really, the only thing to talk about there is that it includes all the CVEs that are also included in 1.23.5 and 1.22 point 11, or rather includes the fixes for the CVEs. They didn't just, like, decide to readd those vulnerabilities. But, yeah, it's, 1.24 is coming along. So if you're not already running it in your CI pipelines, it's a good idea to to add it there and report any bugs you discover.

And if you wanna know what the specific CVs are, there's one in crypto, which I don't fully understand. You have certificates with URIs. Right? So a certificate has, like, what what it certificates or where certificates from, right? If you use an IPv6 zone ID, you can bypass some constraints, again, proving that IPv6, really nobody remembers to check.

Let's say GitHub.

Alright. GitHub is good. Well, let me retract that statement. GitHub is a good example.

Okay.

I don't wanna say GitHub is good. Fair enough. Yeah. So let's say you need to talk to github.com/something. Mhmm. What headers would you need to send them in the HTTP request, I mean?

I'm assuming there's some sort of auth header. I don't know exactly how their auth works, but probably some authorization header.

Yeah. So you have some non sensitive headers. Right? Like, referral And, yeah, referral. And, yeah, accept and, like, these whatever. Simple things and authorization. So HTTP strips the sensitive headers when you follow a redirect. Let's say GitHub redirects you to some external login page.

Mhmm.

Mhmm. And it makes sense that it it would, it wouldn't send the authorization with the redirect. Right? It should drop the sensitive headers. That's how it should work. This, vulnerability basically says that if you, receive a subsequent redirect, the sensitive headers get restored.

Oh, no.

Yeah. So if you go to GitHub.com and GitHub.com redirects you to some login page slash 1, and then that login page goes to slash login page slash 2, the HTTP headers get restored, incorrectly, of course, following a chain of redirects. On the one hand, this is a really, really cool vulnerability in the HTTP client. On the other hand, I'm like, I don't think it impacts a ton of, people. Like, I don't think the severity is that high, but it's not it's not great.

You were there. Right. Right.

So it's a cool vulnerability. I'm not sure what's the attack path or attack surface, if that makes sense. But it's good that that it's closed. And if you any of the things we said worried you, go update because it's in go 123.5 and go 122.11.

And the, the note here says thanks to Kyle Seeley for reporting this issue. I just had to Google him to see if, if he's done anything else cool about Go. And I see a a rocking guitarist, on on the front page of Google, so I don't know if it's the same guy. I'm guessing not. But if if it is the same guy, then, good job, Kyle, for, taking time off your your rock star shows to to do security reporting.

Hey. I I, play guitar. Can I do a side note? This might get edited out. I, sold my guitar. Oh. My custom Les Paul, Gibson custom shop that I had the guy signature who who finished it at the the Gibson shop. It was a beautiful guitar, man. I sold it to a good guy, though.

Okay. Well, that's

good. Sold it to a good guy. He seemed to like, he's gonna have a lot of fun, playing it. And I I haven't touched it in a while. So like like, sensitive headers, good things get forwarded, I guess.

Yeah. So that's that's it for our releases. But something else has been released lately, and that is the CFP, all 4 presentation papers. We've had this debate before. Anyway, the CFP for GopherCon US is open now through March 3. GopherCon US will be in New York. Did I did I say that right? I don't know how to pick up their accent correctly. In New York, New York this year. I'm thinking about trying to go.

August. I don't know. I'll, I'll be in California that time.

Uh-huh.

But Gopher Con, that's that's tempting. And New York is also a lot of fun. Have you been before? Yes. I've been as a tourist. I went to the whole everything that's touristy. I went to the Soup Nazi. I went to Lady of Liberty, and I went, talking about Kyle Seeley, Kyle, if you're still lost listening and you're actually the guitarist, to the best, pedal shop in the world. And the same guy I told you I told I sold my guitar to, I sold him, the 2 best pedals I own, effects pedals I own owned,

as well. Now you can't edit out the guitar bit because you've referred to it again. So Yeah.

Yeah. It's no problem. Yeah. So no. I don't plan to, but go for con. That's tempting. What's the what's on the schedule? Like, do they have a keynote or anything?

Nothing yet. It's too early. It's it's too early. So maybe you if you wanna submit a CFP.

Oh, interesting. Oh, maybe us. Maybe we can do, like, a go a cup of go booth at GopherCon. Just beyond this the dates themselves, also important to highlight, you know, that, and there's a call for speakers. It's not only, like, big talks. You can submit lightning talks as well, and they'll be open in a few months. Right? The lightning talks, they only get opened on June. Mhmm. So you have a lot of time.

No.

It's not a super cheap event, but, you know, the the the higher the the later you get your ticket, the pricier it's gonna be, and it's gonna like, the current price ends on February 18th. So you don't actually, you don't have a lot of time to grab the, like, early price.

Yeah. You're on it.

If you know you're gonna go, buy the the thing now. Cool. Looks like there are some speakers already, including, Miki Tabekka was already on the show, our first, guest ever.

Well, if he can make it, surely you can try.

Maybe. Maybe.

Anyway, maybe, maybe you or I will be in New York. It'll be fun if it happens.

We'll see. You do have a lot of time to decide. But, again, like I said, if you know you're gonna go until February, 18th is the early price. So you don't know if you're gonna go yet. Right?

I don't know. I mean, it's it's not as far for me.

So is it a question mark?

There is a question mark involved for sure.

There is a question mark.

Mhmm.

Well, I'm sorry, but you can't use that anymore.

I can't use it anymore.

I see a proposal to turn the question mark into a keyword.

Oh, yes.

This is a pretty, long discussion as far as Go issues go, right, with many, many, many, related proposals, including a lot in go 2. And it it speaks to something which I think is is not super important, so I would love to keep, like, the discussion about it pretty short. But it's about reducing, error handling boilerplate. Basically, instead of doing, like, if is different than nil, you just do question mark. Right?

Mhmm.

So, you know, a function that, like, looks like, you know, copy file where you do something open, something create, and copy, and then close. And for each one, you need to check the errors, you just do OSI open s r c then question mark instead of different from nil. And if you return the error even, like, one level up, it's very very short. It's just call the function, question mark. That's it. Yeah. What do you think about this?

When I first read the proposal, I read the entire proposal, not all the comments. I read the entire proposal first when I was first saw it about 2 weeks ago. I had mixed feelings about it. There are a couple of things I like about it. Like I said, mixed feelings, so I wasn't sure.

There's a lot of comments here, like, a lot a lot a lot of comments here. The cost of generating code, like writing and or generating it, is very low. It was always low. It was never the thing to optimize for, but now it's lower than ever. Right?

I I think if you have a function that calls a bunch of other functions that only return an error, this would improve readability in that case. And and so that's kind of their first example here. One one of the first examples here. Right? They have this run function that calls start question mark, wait question mark, return nil.

To be fair, by the way, this is literally just reducing the boilerplate. It's not as loaded as the question mark is in other languages like Rust. Like, it doesn't do a whole lot of things. It just it's inspired by Rust.

Right. Right.

But it's it's only at the end, and it only, like it it literally replaces the get the error and check if it's different from nil. Right? Like, get a value check if it's different from nil.

And and it, additionally, instantiates a magic variable, which is the thing I hate the most about this proposal, actually. So if your question mark is followed by a code block, so you wanna do your own error handling, then it magically instantiates a locally scoped error variable to which is the only time Go ever does that. I hate it. I I that I think that particular aspect could be fixed. You could just put a parenthesis error, whatever, if you want.

Yeah. There there are some other, nits and discussion and, like, ways this discussion could go. Do we need a block form? And is the question mark a good thing to use? Because some languages, you know, in Rust, it's used for error handling, but in TypeScript is used to represent, like, non null in a object destructuring.

So so what do you think? What's what's your prediction? Is this gonna get merged? Never. I don't think it is.

Never. Never.

It's a good discussion. It's interesting, but I hope I hope it does.

We'll see. I I think it's interesting to challenge, like, very basic things in the language here and there, But it might be very basic. I might be misunderstanding, but I think there are way more important things to resolve. Like, it would help more people to localize the Go, website to a different language, right, than to continue bickering about the error handling. The error handling is fine.

Speaking of more important things. Yes. So he also wrote another proposal, that I I actually do like. It's for a new package called sync v 2. You ever use the sync package? Of course.

I do. Single slide and and mutexes and

Yeah. You use mutexes, but you use a a weight group.

Of course.

And, do you use sync map? No. Yeah. Because it's

ugly. I don't remember why, but I I always use a different thing.

So sync sync map is annoying because, you have to it was written long ago back in the dark ages before generics. So you have to convert everything. You know, you you read some

Yeah. Interface. And

You have to yeah. Do a type conversion and everything. So, anyway, the proposal is to add a new sync v two package, which has generics based map and a few other tweaks too. But I think the generics based map is is the big one. So I'm actually looking forward to this. I think I would probably use a sync map all the time if I could tie specific types to it, which you can with, with this proposed version.

I really like how we're building on his previous things. Like, listeners or people who follow the language might remember that there was a big watershed moment where, we released the first v two package in the standard library. Right? Brand v 2. And Ian here saying, hey. This has been successful. Let's add another v two package. Let's like, we can fix things in the standard library. That's fine. Generally, obviously, I like the improvement.

I don't remember specifically. I mean, the the old RAN API was just terrible.

So it was the API, but it was also security. It had a a generator that had, like, a shitty seed or something like that, and you couldn't change it because it would be breaking.

Yeah. Right.

And I don't while while I very much like this API, I I have a question. Why put it in the standard library? Like, why why can't I can just use a package? Right?

Surely, you can. And and many people do.

I I

think this is

Why add another thing to the center library? Well, I

I think part I mean, some reasons I can think of, it's already there for 1, but in a version in a format that's probably not very usable. So replacing with a usable version is is a nice thing to do. I think the main arguments for putting this in our library are to to get a standardized good implementation, although not all things in the center library are good implementations. JSON is a good example. Although that's hopefully changing with a new v two coming up before too long as well.

So let me let me ask you another thing. Yeah. Why not add, these new generic maps to the original package?

You could, but then you'd need to have 2 different versions of the same,

map and I don't know. Map or auth.

Right? I think that gets confusing. A lot more confusing than a v 2, than a package name.

Mhmm.

But I could see an argument for it.

I'm I'm I'm Some of

these things have been added. There are if if I'm not mistaken, let me double check. But I believe there are yeah. There there are some generic functions in the sync package that were added later, like once value and once values. So I don't know if those need to change. If the map is the big thing, you could add a a generic map or something. I don't know what you call it.

And this proposal is still, like, you know, doesn't have anybody assigned, doesn't have a label, doesn't have anything. So it's a good time it's a good early time to add your opinion. Obviously, I I really like the new API. I'm just a bit wary about, like, what v two packages in the standard library will be used for. Because this serve a slippery slope. Right? Can you imagine sync v 8 in the standard library of a language? What is that? How does that make you feel? Right?

That one finally supports enums and the new error handling syntax.

Yeah. And the new REPL. Actually, syncv2 just introduces a v 2, sync v 8 actually introduces a v 8 JavaScript engine inside the standard library. So cool. One proposal about error handling and one proposal about, a new sync v 2 package. 1 actually will improve the lives of Go developers, and one got, like, 800 comments. Guess which is which?

Well, I I think that pretty well wraps us up for the news for the week. There's a lot more we could be talking about, but we ramble a lot. So I hope can wait till next week to hear some of our backlog items. Stick around for a little bit of an update on some of our analytics Patreon members, and then we'll round it out with a quick lightning round after the break. As we mentioned at the top of the show, this show is supported by our listeners.

And to pay on Kotlin. There's a dedicated hate for Kotlin page.

You can also join us, of course, on, our on the Go for Slack where we have, just casual chat about Go mostly. You can post links there to your favorite blog about Go over the week. We might mention it on the show. That's on the Go for Slack in the cupago channel, kebab case, cup dash o dash go. What what what am I missing, Shai? Have I covered all the bases?

So almost all of them. We have, a live episode soon Oh, yes. Can't forget that. Which is very, very exciting. We have published 96 episodes so far. This, the one you're listening to right now should be the 97th. So in 3 episodes from what you're listening right now, we're gonna do a live episode. We're not a 100% sure what the details are gonna be yet. Like, where's the and place. How we're gonna record it exactly, but we know the time.

in India or Australia, we're sorry. We can't accommodate everybody.

Yeah. Although it's not that late. India is is kinda rough. It's it's, 3 and a half hours. Did you know that? The lead time has extra 30 minutes. Always made things hard when I needed to set up, like, design meetings with my India team. Mhmm. So, yeah. It's gonna we this is UTC.

Mhmm. Which number is that? Do we have 6 listeners now?

All time actually, we have 559 subscribers. But all time downloads, we are almost almost almost at a 100,000.

I wonder how long know what? When we started this podcast, I never would have guessed we would even get close to that number.

Yeah. No way, man. So thanks a lot to y'all for, like, listening and downloading. These numbers are, like, generally finicky. Right? They don't they don't mean a lot normally.

And They're like the the vanity metrics of vanity metrics.

Yeah. But it it's still, nice because I know that there are people who actually listen. Right? Because people talk to me about the show. So Yeah. Yeah. It's it's it's very nice. And if you wanna help us reach that 100 k, please do share the show with your friends, coworkers, family members, etcetera, etcetera, co students. Just, spread the show around. We're we're coming out we're coming up on a few exciting milestones here with, a 100 episodes and a 100000 downloads. It's pretty amazing.

Pretty cool.

That's it for our time break.

Yeah. Let's jump into a quick lightning round and, wrap the show up.

For sure. Lightning Round.

Alright. First off on the lightning round, I found a tool that I think is kinda cool. It's from our friends over at Charm Bracelet who make a lot of cool interesting things. It's called VHS. Do you know what VHS is, Shai? Are are you old enough to know what that is? Yeah. Yeah. Back before DVDs, back before streaming, we used VHS tapes to watch videos. Right?

So VHS because you, like, record it. Yeah. Cool. And there's a new release this week, which is why you mentioned it. Right?

Which is why I mentioned it. Yes. Oh, all

the, charm bracelet stuff always looks so nice. It makes me want to build like terminal UIs. Well, my, thing for the lightning round is OpenAI Go. There's an official SDK, for OpenAI API for Go, from OpenAI called, boringly enough, open AI dash go. So if you're trying to do work with, like, LLM ish applications, it's a release.

So my big question here is is there a, a REST API for it so that I can use open API Go with open AI Go?

I think you can. I think that's how they generated this SDK, actually. Although it might be, like, a beautifully handcrafted, it seems like the top contributor is actually

You know it was written by Chad GPT.

Yeah. 100%. One other thing I wanted to, bring to the lighting ground, and it's a lighting ground pick not because it's not interesting, but because it's not go, is Dreams of Code, Elliott, who was on the show, released a new YouTube video, which I really, really liked, which is all about, setting up, deployment to a v v a VPS to a server without Docker. Can you even imagine just your binary being naked on a server? And it's it really showcases, other than very interesting, like, DevOps stuff, the up level in, Elliott's, like, editing skills and whatever.

I wonder if you wrote it using VHS.

I guess you'll have to watch.

I'll have to watch and see.

Link in the show notes.

I think that wraps it up for this week. Thanks for listening. We'll talk to you next week.

Program exited. Program exited. Goodbye.