
This show is supported by you. Stick around till the ad break to hear more about that. This is Cup o' Go for 03/14/2025. Keep up to date with the important happenings in the Go community in about fifteen minutes per week. I'm Shay Nehmad.

And I'm Jonathan Hall.

And I'm back.

You're back. Welcome back, man.

Thank you. How's sunny California? California is rainy. It's not sunny at the moment. I'm in beautiful San Ramon at the moment, looking at a lake. But let's be honest, I'm actually at the WeWork, like, phone booth jail cell combo, you know the ones. I know the ones. So I'm in one of those at the moment, because I don't wanna disturb all of my WeWork neighbors. But yeah, I'm in The United States. Cool.
Thanks a lot to Lane Wagner for coming on the show, covering for me last week. You did a really, really good job, man. Shout out to Lane and to Boot.dev. Thanks a lot for Always

fun to talk to him.

You say, on the as as opposed to what you're having to do right now.

I like talking to you too, Shay. I've missed you.

Thank you. Alright. We have a show. Let's do a show.

Let's do it.

Today we wanna talk about a security release, some changes to gopls, the Helsinki meetup, some projects that we wanted to mention, the TypeScript thing everybody's talking about, we'll just briefly mention. We don't wanna do it this week because we're looking to talk to someone who is actually working on it. If you know someone who's working on the TypeScript port to Go, let us know, because we are interested in getting more than just what the article says, which is Go fast. I think we all know Go is fast. Go go better.
That's that's a easy conclusion to reach. And some proposals. So we have a lot to get through. We have some cool stuff for the Lightning Round as well. Let's jump into it.

Here we go.

Let's start with the announcement of a security release. This one is a pretty fun one. Go 1.24.1 and 1.23.7 are released with security fixes following, you know, the normal security policy, in net/http, x/net/proxy, and x/net/http/httpproxy. This one's, by the way, also reported by Juho. If you're a long time listener, you probably know that name as like the single person who's with the finger in the dam holding back all the security problems in Go, basically.
And this one's about IPv6. I don't know how you feel about these addresses, Jonathan, but I've become very cynical of them in the last, like, twelve years. Yeah. I started learning how did you, like, learn networking? Or how did you get started?

Well, I got started well, so I ran an ISP, a dial up ISP back when that was still a thing. And did learn yeah. That's how I learned Bitwise operations and had a masks and all that stuff with IPv4.

Did they at the time teach you IPv4 is gonna run out soon and immediately Yeah. You have to

pay extra for an IP address if you wanna fix one because there's a limited supply, they're gonna run out. IPv6 is the magical solution. It's better than AI and and blockchain. It's gonna solve everybody. Yeah.

You heard it here. Invest in IPv6 addresses now. It's a new goal. So yeah, I've been like, I when I started learning networking, they like gave me Computer Networks by Tanenbaum, you know, that like huge book you can level a

table Oh yeah. Mhmm.

They just studied this back and forth. Then they, you know, they told me IPv4 is gonna run out. You're gonna have to, everybody's gonna use IPv6. And look, 2025, and we're actually okay. So the problem with this thing is that many people had to implement it, and it is used. And it is actually widely used despite all the cynicism I just pointed at it.

Mhmm.

But it's more complicated. It's more complicated than IPv4 addresses, which is why people keep finding security bugs in it. Because the implementation is not like top priority for anyone. So it doesn't get enough attention then gets And the spec is overly complicated in my opinion, leading to security issues like these ones. Do you know that IPv6 addresses have zone IDs?

I I'm vaguely aware of that. It's a concept. I don't know what they mean.

I did. I wasn't aware. And I learned, like, the IPv6 properly just because you don't have to use it, you'd end up forgetting. Yeah. So IPv6 address, when you imagine it, how does it look?

It looks like sets of four digit hexadecimals with some randomly placed colons and periods. I don't

even remember Yeah. You have colons

to separate order of anything. Yeah.

Apparently, there's a percent sign as well. After the percent sign, you can put in a zone ID, which helps you like identify, like helps your computer route packets to the correct address. So if you wanna send something and you have both IPv4 and IPv6, if you have the zone ID, it might prioritize the IPv6 one. And the zone ID can be anything. Like, zone identifiers have purely local meaning.
They're not actually part of the address. They're just like helpers, like hints. Almost like documentation.

It's kinda like the part after the hash sign on the URL then. They're like

Yeah. Yeah, in a sense. Okay. But it's part of the address. Like, in the in the URL, I'm already imagining it's very applicative, so it's no problem to add whatever you want, right?
Because parse it however you like. But putting like, basically documentation so low in the stack, at least to me, feels very peculiar. Mhmm. The security issue with this feature of IPv6 zone IDs is when you pass a It's pretty funny, but when you pass an IPv6 address to a proxy server, and the zone ID is actually an address, like a DNS address, you sort of poison the proxy to take the host. So let's take the most basic IPv6 address of all, which is localhost, which is colon colon one, right?
Colon colon one is the IPv6 address for localhost. If you put the zone ID as star.example.com, and you pass that to the Go HTTP proxy, your address will get matched and, like, not proxy. Got it. So I think this is a pretty edge case. Like, the only the only reason you would actually care about this is a, you have, like, dependable things that you must fix for a security audit, or if you're, like, the one person who's developing a GUI where you take untrusted addresses from users or from a database and put them into a Go proxy.
But still, better than not fixing it, I guess. Yep. Although there might be more surface attack surfaces that I'm not thinking about. But hey, if you didn't know about IPv6 zone IDs, now you know. And in any case, like we always recommend you should just upgrade. You know, this is just one security fix, so this update will probably not break your build. And who knows if like one of your libraries does use this somehow, right?

Yeah. So in short, Go 1.24 or 1.23 or x/net, if you're using that third party. It's not third party, but that external deck.

And thanks again to Juho for Yeah. Providing us with all these educational security patches.

I love it that somebody else is willing to understand all these intricacies. So I don't have to bother. I could just do go get

Yeah. You can just chill. Not not worry about these RFCs. Whenever I open an RFC, I'm, like, half excited. I feel, like, very smart reading this, like, monospace 80 character document. You know what

I mean?

But on the other hand, I'm like, my eyes immediately get glazed over. I think there's a market for translating RFCs to like TikTok 60 videos. But I'm not gonna fulfill that market. You're you're not gonna do that one?

You're too busy? No. Okay.

I'm too busy, you know. I have so much Go code that I need to upgrade. Like do if else's for things and I have to replace it with min/max.

I know I know how you can get a bunch of that time back.

Oh, really? Yeah. The new How's that for a segue?

That's a great one. The new gopls is out. This actually is about three weeks old, we haven't had a show since then. So well, we haven't had one together since then. Anyway, gopls version 0.18.0. That's a whole bunch of cool things. Some of them look cool, but the one that will help you out is the new modernize analyzer. Modernize analyzer.

Modernizr Analyzer sounds good. It's like a Radiohead album. It's a good Android that Modernizr or Al and I.

Yeah. So, like, you remember back in the old days of Go, if you wanted to get the maximum of two numbers, you had to do this silly little, if a is greater than b, then b equals, you know, whatever, had to. Then they decided that that was silly and like computers are good at doing min and max, so they added min and max as built-in functions. Well, modernize will detect those funny little if elses and tell you to trigger them or to change them to min and max and other similar sorts of changes. So that's what this new modernize does.
You think they'll use that?

I think overall, this is a good approach, but I'm worried about Go is very famous for having one way to do things. And if you got to the point where gopls has to modernize your code, what does that mean? Does that mean that there are many ways to do things in Go actually, and that promise is not true anymore? And like which cases does it cover? Like all of them are safe. A good one is replacing interface.

Like

if you have interface open paren, close paren, it replaces it with any. Yep. Right? So, to me, these two things mean exactly the same thing because I lived through Go 1.8, and I don't see any specific benefit for using any. Like, if you can replace the code automatically, it might be nicer, but, and there are some cases where I actually agree it's better.
But I'm not a 100% sure all of them are worth like the change and it has to go through code review. I don't know why I have an antagonistic feeling towards this, because overall it's a good thing. Know, for example, the WithCancel context that we talked about in Go 1.24, which is super new, right? And omitempty versus omitzero in struct, which is also Go 1.24 and also super new. These are like two super useful features I would love people to know about.
And obviously not everybody's listening to our show, but if your linter, if like gopls is telling you, hey, if your IDE is like popping, hey, you can modernize this. This is an actually a much better way to let people know about these features. But it it feels icky to me, and I'm not sure why. Maybe maybe you can like explain this feeling.

I don't I don't share the feelings. I don't know. So I've had a

look You think it's a good one?

Well, it it I mean, maybe there might be some examples where it's not, but of the examples I talked about, I like it. So switching interface open close to any, I did that a long time ago. I have a linter that told me, and I just did it all at once for the code bases I was involved in. There's a couple rare cases where I don't like it, where I prefer the interface open close paren or squiggly. And that's like where I'm actually building an interface and I just haven't put methods in it yet, where I sort of placeholder.
But that's just a minor case that it's bit me maybe twice in the last year or something. For min/max, I actually prefer switching to the min/max or even cmp.Or. It's it's not a built in function, but it's a relatively new capability that can help you get rid of some if-elses. I like those because they, when they're not overly clever, because they mean less code to read and the intent is more obvious.

All of these suggestions are are only simplifying in my opinion. Like using slices.Sort instead of Mhmm. Like sort.Slice x func. So I think this is just like sort of hinting you towards how to simplify and clarify existing code by using stuff that they added over the years. So min and max is the simplest example before a year ago we talked about ending, ranging over ints, right?
Yeah. All the focus was drawn by ranging over functions, was the actual big change. But now you have all these three clauses in for loops, right? Where in Python I never write those, right? I never I I never would go like for I equals zero, I is smaller than n, I plus plus.
Yeah. But just because I I In Go, that's how it was done, now I can do I walrus range up to n, and that just works. And it's It looks nicer. I'm still getting used to it, but it definitely looks nicer. So this analyzer would assist me in recognizing that, hey, I can use that here. And I don't wanna remember all these cases by heart, right? I don't wanna remember all these new features. I just wanna I want them to pop up in context.

On your point about going through another code review cycle, I I think this is a place I I don't know if gopls will automatically do these updates for

you if you tell it to. You can. You can pass a -fix, and then you you actually have to run it a couple of times until it figures everything out, because some cases, you know, you you some cases actually have you fix it once, and then the inside of the loop was another thing, and they Yeah. It won't do both changes at the same time. You have to do a couple of passes.

But like that's the kind of thing where if you have a pull request that is completely done by a tool, in principle, you could skip code review. Of course, it's up to your team's policy. But yeah, I don't think it needs to be a big burden for good to read. Hopefully a person isn't going through and validating the tool, does everything right. Hopefully we trust that the authors of the tool are conservative.

I'll counter that and I'll say that the new modernize analyzer team has said that they are aware of bugs in the analyzer's fixes. It may cause an import to become unused or delete like comments, or or do a And the comments in Go could be like a library call or a go generate call or things like that.

I know what it And

they literally say, these things are obvious during a code review. So, you know, one big benefit, even though this does make me feel kinda icky, is I think most of the code people will generate and not write will not use the modern features. Because most of the training set, right, like if you tell an AI right now to, and without any like system prompt engineering trying to make it use the best practices and follow the new stuff and whatever. Just like a normal model out of the box, tell it, create a for loop. It will probably create the old style, right?
Because it has a million examples of those, and not a lot of the new ones. And especially talking about things that come in 1.24, right? It doesn't have it in the training data at all. So, you know, I think using for range strings.Split instead of like, using that, the modernize analyzer is gonna suggest use SplitSeq instead, right? I've never written SplitSeq before, so I'd be super surprised if the AI is gonna auto complete that for me.
But if it's gonna auto complete the old one, and then the linter's gonna be like, hey, hey, here's what you actually wanna use. And the, you know, gopls is not AI. It's deterministic and written by smart people. I think it sort of helps out with the fact that a lot of code is generated based on training on older practices, right? So I think that's a benefit. How do I upgrade? Do I need to do anything specific or will my IDE just do it for me?

I I don't know which IDE you use, but I'm pretty sure VS Code does it for you automatically, because I've been using this and I haven't tried to upgrade, so cool.

So if you if you are using like some custom setup where you need to upgrade gopls, our conclusion after discussion is that this is a net,

good I would say so. If you disagree though, and you wanna go fight with somebody about it, Andrew and Helsinki

Okay. Because they are

That's the most awkward position.

Worldly known as violent people.

Helsinki is having a Go meetup on March 20, and they're looking for speakers. So you could go speak about your hatred for this new feature and, maybe pick

up That's next week. That's, like, in seven days.

Exactly. Gotta hurry.

Yeah. So Yeah. Nikolay Kuznetsov, who's working on PJX Outbox, has invited everybody. And you can register oh, the event actually moved to March 18. So you even have Oh. Less time.

Okay.

Yeah. It's a good thing I opened the LinkedIn post. The LinkedIn post is in our show notes. So if you're in Helsinki or in the area, go visit. Looks like a pretty good meetup. ClickHouse and Go.

It's gonna be at the Zalando office, which should be a fun place. I don't know what it's like at that location, but it's always fun to see company's offices.

And if you're working with ClickHouse in Go, they're gonna have a talk about it. I think this is a good point to stop for a second with all the news news, and talk about the TypeScript native port. We're not gonna dive into it fully, because like we said, we're looking for people who are connected to this project. If you know anyone, please let us know. We're trying to like reach out to them on social media, but that's not always the best way to get ahold of these people.
If you don't know what this is, like, what is what are we talking about? Everybody's been talking about it, but, guess some people get their news through us, so we should tell them about it.

What? Listen to a news podcast for news? So the news is that Microsoft has announced that they are rewriting TypeScript in Go. That doesn't mean that you'll be writing Go for the browser or anything like that. It means that the the transpiler that converts TypeScript into JavaScript that runs in the browser will be written in Go, and the headline reason is 10 times faster. Compilation times, not not TypeScript runtime. I don't I don't imagine that will be changing substantially.

TypeScript is not a runtime. Exactly. It just compiles to JavaScript.

Right. Right.

And it's gonna compile to theoretically the same JavaScript.

Yes. But it'll go faster. So it'll make your CI pipelines faster and your local NPM run dev and NPM build and those sorts of things. It should go faster once this project is And they have a video and a blog post and the GitHub issue about it, sort of talking about they considered many other languages, and Go is kind of the sweet spot they settled on.

Yeah. The benchmarks they're showing here are super impressive. They're saying compiling the entire VS Code code base, which is like a million and a half lines of code, is down from seventy seven seconds to seven point five seconds.

Hundred and

fifty seconds. Which is slightly more than a 10% speed up. Mhmm. Playwright, which is like, a lot of these libraries, let's see, they talk about the code the following code bases. VS Code, Playwright, TypeORM, date-fns, tRPC, and RxJS.
I'm using five Like, I've used five out of six in the last three months where I've started doing the TypeScript professionally in the back end. All of these are like 10 to 14 times faster, which is literally one order of magnitude faster. Super great for me. A lot of talk on why Go, a lot of talk on how this works, a lot of talk about how this happened. And we're hoping to find someone, ideally we'll talk to Anders himself, if we can get some time on his calendar.
If you can connect us, if you're working at Microsoft, we would really appreciate it. Yeah. They picked Go, which is interesting. A lot of the language stuff, like, I don't know, all the new Python tooling, like uv and Ruff is in Rust. I was surprised to see Go pick this tool here. But obviously, it makes a lot of sense from various reasons, especially it's very fast to develop.

I'm excited to see what kind of spillover this will happen to other JavaScript tools. Because like esbuild is already written in Go and it's incredibly fast. But like, will we get other linters and other, build tools for the JavaScript because it's written in Go? I would expect we will, if only because this raises the awareness, but I suspect that there will be some tools that Microsoft builds that could easily be adapted to other problems. And it would just be great to have faster JavaScript build tools across the board, whether you're using TypeScript or Maybe

things like Jest, like testing frameworks that are currently today in TypeScript and JavaScript mostly. And I feel they could be slightly faster. I always I always, when I work with these test execution tools versus like go test, I always feel a bit bad. But it's, yeah, radically improving TypeScript performance. If you're like me and you have to work with TypeScript in the back end, this is great, great news for you. Wait.

And if you're John you're with TypeScript or you get to work with TypeScript?

Well, you know what? I work with TypeScript in the back end.

Uh-huh.

And I have to work with Python in the back end. That's my current situation. So we don't we don't wanna dive too much into it if we can find someone who's an expert, so connect us to an expert. Please, please, please. And we'll keep it in the backlog, just in case we don't find one, and then we'll try to figure it out ourselves.
Yeah. That does it for what we have time for this episode. We actually plan to talk a bit on more things, but this is a catch up episode. We'll we'll catch up to the backlog. If you if the Go community can stop innovating for two weeks and let me catch up, that would be really appreciated. And, let's take a short break.

As we mentioned at the top of the show, this show is listener supported. That support comes in many different forms. You can support the show by sharing it with a friend, with a colleague, with a student, with your pets, with your wife, whoever you know, the neighbor, the mailman. Share this. We don't pay to advertise, so word-of-mouth is how people learn about the show. You can also support us financially if you want to on Patreon. Shay is checking right now to see if we have any new Patreons to

shout out Shout out to Jay Martin, became a member of Copper Gopher. Awesome. And became a part of our beautiful beautiful audience, which is now 40, I think. 40. Not all of them are paying members, but, all of them are very appreciated.
And you know, some of the people who have been here a while, and you know, it's $8 a month or €8, like, you know, whoever, or how much you wanna give, but some people have been here for a while and these numbers like add up. You know, some people have almost paid for a full episode and and things like that. That's super super appreciated. This is a hobby. This is a hobby, but it's an expensive one.
We need to pay for editing, we need to pay for hosting fees, obviously our time into doing the show. So it's a hobby we do to learn about Go, like how else would I know what the IPv6 zone IDs are. But this helps this helps a lot. Thanks a lot to all our beautiful Patreons, the newest one Jay Martin.

Thanks, Jay.

And the previous one is Jamie. And three before that is, Jose. So if your name starts with j, you're a good fit to our Patreon audience. Yeah. Jens and and There are a lot of j's in in this crowd.

The other way you could support us is just by, joining our Cup o' Go Slack channel. We have 498 members there. So if you're not already there, wait for one other person to come in first so you can be 500. But come join us there. We just chat about Go stuff that's not really very structured.
You can share news items there, meetups, conferences, blog posts, anything of relevance or irrelevance is welcome there too. And of course, could leave a rating or review wherever you listen to your podcasts. That would also be helpful.

One last quote unquote sponsor for this week's episode is my new company, Opsin. Oh. If you're in the Bay Area and you wanna come do engineering with me, we're looking for one, founding engineer. Just like one role to fill in the final piece of the puzzle of the founding team. You gotta be pretty experienced, but just, you can talk to me on-site.

And you get to use TypeScript and Python?

Don't let me You get to work with me. Isn't that enough? Yeah. So opsinsecurity.com/careers, if you wanna join the team. I'm having a lot of fun. Like, I'm I'm bashing TypeScript and Python a little bit just because you gotta complain about something. But obviously, I'm enjoying this new place very much. Otherwise, I wouldn't be putting it on the show. Because I've been with the show for like two years, and I've been here just like one month. So, you know, it's pretty good.

All right. Well, stick around. We have a couple lightning round items before we wrap up the show.

Lightning round. First submission for the lightning round is the ASDF Go rewrite. So we talked about, you know, the big TypeScript rewrite because that has a lot of reach, but I actually love the rewrite of ASDF. ASDF is a tool that, like, it used to be a bunch of bash scripts that help you, like, install stuff and and manage your environment and things like that. I've actually used it and then stopped using it, but it's it's pretty good.
You like ASDF, I want this Python. ASDF, I want this Node version, whatever whatever. I've ended up using the specific, environment tools for each one. So I use UV for Python and NVM for Node. Like, I have my tool set that I already know, but instead of a bunch of shell scripts that mess around with your bash like environment, this is now a single binary written in Go.
And it's seven times faster. So that's great. I love these rewrites. Like a tool gets solid enough for performance to be the issue, and then you pick Go as a good language. Mhmm.
And again, the main issue was performance, but also maintainability. Like early on, Bash served them well, but then it's kinda harder to work with it, you know. And people contributed wrong bug fixes, and it's hard to see type issues, blah blah blah. Arrays in Bash is very difficult. In Bash, everything is just a string. They go through this entire blog post, you can check it out. And if you wanna join like a pretty big and fun project, this is a good time to do it, because now it's in Go.

So, Shai, do you think they use Cloudflare over there at ASDF?

Well, I assume they do. Like, a lot of the Internet traffic in general goes through Cloudflare.

Yeah. Right. Cloudflare has recently published an interesting article with a whole bunch of statistics about Internet traffic because they see such large percentages of internet traffic. They can do some analysis on this traffic and come up with some interesting statistics. And one of the statistics they publish, it says, We analyzed API traffic to identify the top languages used to develop API clients.
So assuming this is a representative sample of the entire internet, what percentage of API traffic is done using clients written in a particular language and Go comes out the highest, just edging out Node.js and Python. That's kind of interesting. I'm really curious how they determine that for one thing. And I imagine there's a lot of API traffic they just can't determine at all. So it's like this unknown bucket of stuff. But even so, it's interesting that Go APIs are so popular out there.

It just goes to show that for specific workloads, Go is the number one choice today, I think. Just in terms of popularity. And one, my final thing for the roundup is very similar to the ASDF one. It's about NVM Windows. So a few episodes ago, I don't remember when I mentioned this project, NVM Windows, because it had a new release, which is NVM, which helps you version, like manage node versions on your machine, but for Windows.
It has a section about like why write it in Go and not write it in Node. And I really like the part in the readme, which says, well, I wanted to experiment with Go, which is why I picked Go over other languages. But the reason I didn't write NVM with Node is because writing a tool with a tool you're trying to install doesn't make a lot of sense to me. And this is something I felt a lot of times with Python tooling, where you have like great Python tooling, but the bootstrapping experience is horrible because you have to install some Python runtime, and then your machine is already, like, it already has two different Pythons on its path, super annoyed. Obviously, makes sense to write it in, not necessarily in a different language, but just ship it as a single binary.
And Go is a good option for that, right?

Yeah, makes sense.

So I just like that.

So now you can run nvm written in Go, TypeScript written in Go, esbuild written in Go. We're getting there.

Yeah, for sure.

Go's taking over the the world.

Go go would do all the things. I just I just like the fact that, you know, that's the specific part of the readme is the thing I'm bringing to the Lightning Round, not the entire project.

Right.

But if you wanna do NVM on Windows, that's another good option.

Cool. Well, I think that's a show. It's good to talk to you again, Shay. It's good to ramble about Go.

Yeah. And same time zone. We have, like, similar energy because it's, like, early lunch for both of us.

Exactly.

Cool. If anybody's in the Bay Area and wants to hang out, I'm here now. I like people who wanted to hang out when I was in Tel Aviv and in Herzliya. So now I'm in the Bay Area, if you are as well. Talk to me on Slack. I haven't set up Slack on this machine yet, but I will after this lunch.

Awesome. Until next time.

Yeah. Have a nice weekend, everybody. Right? That's the time zone. Yeah. Yeah. We're good. Have a nice weekend, everybody. And that's it. Program exited. Bye bye. Program exited. Goodbye.