👻 Spooky integer printing and 🧛🏻 scary fast ring buffers

This show is supported by you. Stick around until the end to hear more about that. This is Cup of Go for Halloween, 10/31/2025. Keep up to date with important happenings in the Go community in about fifteen minutes per week. I'm Jonathan Hall.

And I'm Shay Nehmad. I am very excited for my first Halloween ever. Woo hoo.

Do you have a costume?

My kid has a costume.

Your kid has

a I didn't I'll probably like put on a sheet, whatever. Yeah. Like I'll improvise something.

They'll do something.

The like rule, you know, I'm going with my kid up to a house, she's knocking, she'll say trick or treat. How many candies am I getting? One, two?

Probably a few. You personally or your kid?

All of us is like a I'm not dressed

You're not dressed up. You're there to and observe and to steal the candy after she goes to sleep.

That's the plan.

Yeah. Yeah.

Any dress up for you?

I don't have a costume this year. I have worn costumes in years past. My son was a firefighter yesterday at preschool. My daughter stayed home sick, so she didn't go as the fairy princess that costume we bought for her. And the last time I dressed up for Halloween was probably eight years ago. I was I was Mario. I went all out. I I dyed my mustache to be brown and I had some blue overalls and white gloves and everything.

One costume I'm considering, I might do it, I'm still like debating, is getting like some bubble wrap from someplace and just writing AI on it. The AI bubble who's above the top.

Right.

Right. That's a bit too on the nose though on working at an AI security startup, you know?

Yeah. And you are in San Francisco.

I I think it's considered hate speech here too, hate on LLMs. Right.

You're not allowed

to say clanger in the street, you know what I mean?

Maybe we can get an inflatable gopher outfit.

Oh, that actually that could be cool. Talking about Halloween and being scared, like, don't know, I'm scared out. I'm I'm creeped out. Give me some like normal proposals, Bring me back to normalcy.

All right, here's a question for you, Shai. What happens if you use FMT printf with the percent Q operator for an integer? I don't

remember. What is percent Q? Have to admit, I'm really bad about this stuff. I always use percent plus v no matter what. I'm just like, whatever, give me the most verbose representation I I'll I'll need.

So percent q does a quoted version of a string. So if you pass in a string that has escape characters entered or something, it will quote it so that it's safe.

Oh, okay. Cool.

But but if you pass a non string, like an integer, what would you expect happens? Like, you pass one two three.

To string, like, try to find the best string representation of it.

So you might expect it to print, like, quote one two three end quote or something like that. Right?

Yes.

If you if you use one twenty three if you pass one two three to that, the result is actually much scarier than that. The actual result is it prints the opening curly brace because it converts it to ASCII.

Oh, no way. Yeah.

That's cool. So that's kind of

actually cool.

It might be cool. It is a little bit unexpected. So there's a new proposal to add a check for that case to GoVet and warn if someone tries to do that. I think that's kind of useful. I don't know that I've ever run into that problem, but I could could see it happening.

The but that does sound like possible intended usage. Like, how should I?

Someone someone could mean that. But if you really want that, like you wouldn't use percent Q, you would probably use percent S to intentionally convert your integer to a string.

But then it's not quoted.

Well, it's not quoted in this case either. Are you oh. Because it's not a string. You know, it's it's yeah. I don't know. It's weird.

Cool. Well, if this bit you, whenever you were trying to use percent cube, go upvote this issue, this proposal, sorry. Seems like there's no CL yet,

so you could even try to do that. Yeah. This is this is still new, so it hasn't been accepted yet. But I I I don't think it's a there's a not a high chance that it will be rejected. I I my my that's my feeling.

Seems a bit

a no brainer, but

Someone did the thing I like, Alan Donovan did the thing I like of actually going digging through Go code and finding examples where someone used q and passed in the wrong type. And it seems like a lot

of people made that mistake. He's, I don't

know why he's dunking specifically on HashiCorp, like all those mistakes. Look at HashiCorp doing it wrong. But I guess they just write a lot of Go code. That's also another option.

Yeah, maybe they Yeah, I don't know. I'm not gonna make jokes about HatchiCorp. So

cool, go up for that proposal. Also, don't think there's a CL yet, and this sounds like actually a pretty easy one. I would try Honestly, if you were looking for an opportunity to

write a CL, I would definitely do that.

Before jumping to the next blog post, last week's episode was a live episode and you were in Go West. How was that? How was the conference?

It was great. I had a I had a good time. I spoke at the end of the day, so everybody was falling asleep already, I suppose, before before I got to speak. But, no, it was it was a good good talk. I actually did two talks.

Yeah, we'll definitely put a note to look into that.

There were a lot of talks aimed at more beginner intermediate folks sort of breaking down like how memory management works and not so much the how memory management works, but why memory management is important, which is something that's often overlooked. And great talk about channels. So yeah, I look forward to

sharing those videos when they're available. And you mentioned before the show, you met a lot of people who were actually on the show before, right?

Yeah. So of course I met Moriah and Derek who are co organizers of the show, and they've been on the show before. Moriah at least twice. I also met Elliot Mins of Dreams of Code. He was there. He was one of the panel presenters, so he was one of the speakers. And I met a few other people. Of course, many people I'd never met before. A couple of others I had met that weren't with any relation to the show. Almost met Lane Wagner from boot.

You gotta prioritize, man. You gotta prioritize. Your brother could get married like three, four times on average. But you go west twenty twenty five, that happens only once.

But he did send a couple representatives from Roo. Dev, so I got to meet those folks. And yeah, it was a great time.

Would you recommend people to like fly into the conference next year?

I think so. Mean, I I would love to go again.

Sounds like a great time.

It's a great time. About 120, 130 people attendees. So it's a small it feels like a big meetup more than like a large than like a small conference, if that makes sense. If that's your sort of thing, yeah, it was great. Very good. So as you mentioned, while I was busy meeting folks, you were also meeting folks. And we of course did a little bit of an awkward live episode from a noisy restaurant parking lot.

That was a little, I don't know, not super official. Saw behind the scenes a little bit, but it was good. Yeah, I helped organize the Go San Francisco meetups.

This

is the second one I'm running already. Saw some familiar faces, Simon Law, Josh Bickersteiner of course did a talk, which I found really cool. Changed the Go runtime while like running some programs and then suddenly every time there's an assignment to a map, it prints to the screen. You know what, now arrays increase their size, like slices increase their size three times, not two times every time they need to like increase the capacity. All these cool things, I really liked it.

the pandemic. Like, the city got like emptied out, you know what I mean? Mhmm.

And now it's coming back like really, really strong. So there's a lot of excitement about like meetups and Go and whatever. And yeah, we're already planning the next one in January. I don't know, what do you think

is a is a good cadence for like city meetups? In Amsterdam, we did about 10 a year. So we usually do one a month except during summer or maybe around Christmas time.

I'm like, I wanna do four a year. I don't know

if that's like too too few to get people like I think it depends on the most important thing is don't burn out your organizers. You're If you have the energy to do four, then do four.

I think I think I'll do one in, January and if, there'll be a bit more attendance. It was a really good crowd, but it was pretty small. One of the things that pissed me off of it, like, we had 50 people RSVP and about 20% show up. That was kind of frustrating because we ordered a ton of food and ended up going to waste. But under that, I had a great time.

Let's do it.

Andrew Eyre posted a blog post which I really like called, I'm independently verifying Go's reproducible builds. I think these are sort of blog posts that you're either gonna really like, you're gonna really find super boring. Well, I'll try to explain it. Do you know what supply chain attacks are? They've been all over recently.

Yes. Yes. Yes. Yes. How do I explain this? Like, I know I know what it means. We've talked about it on the show before.

Yeah. So you and get

so on.

But So you have typo squatting and you have like, even people replacing your binaries like in the CI to be bad ones, etcetera, etcetera. It basically means introducing vulnerabilities, at least in software, right? Introducing vulnerabilities in code that you import and not code that you write in some level of the stack. And one important level of that stack is the Go runtime itself, right? I could replace the Go runtime to, I don't know, send me a message every time I'm open a Go routine that opens a port that I can connect to your machine remotely and you wouldn't want that.

Not usually. So I tend to trust I tend to put a lot of trust in a lot of things that maybe I don't deserve it. But I I guess I trust things like HTTPS to to download dependencies securely. I trust that my compiler is secure because I got it from an official source.

So that's the thing you trust that is a single point of failure at the moment is the go check some database. So the go command verifies that the tool chain you downloaded matches that database and the database is open, so anybody can see it. So when you reuse the go command, unless someone messed up with your go command and now we're getting into the point of like, oh, can I even trust anything? But when you download the Go binary from the site for the first time, can compare its hash because it's like posted on the site. So assuming you have the correct Go command, the Go command makes sure that it's the exact same binaries byte for byte.

Oh, wow.

They built all the versions and it seems like in all words. And indeed, the Go checksum is correct from Go 01/2020, up until now. They actually tested 2,672 tool change, which is pretty cool. And yeah, I like this sort of work, you know, sort of mitigating trusting trust attacks, which is a thing I like to say. There are a few problems like making this work.

Funny.

Yeah. It should be like a 1.9 RC two, but they just have an extra two there, guess.

I see.

It was released by mistake, but because it's like an append only check the log database sort of thing, you can't like ignore it. Right. So there's just a special case in the code for that specific version of Go one point nine point two, just because it was released by mistake. This is really, really cool. I love this work.

Yeah. Awesome. Would have been a little bit different story. More interesting in a way if if he had found problems, right?

Yeah. Definitely would have been we would have opened with it seems like Google has slipped a backdoor into all of our tool chains. Yeah. But honestly, whenever a a blog post comes out like this of, like, someone going really deep doing a security research, and then everything's okay, I love these sorts of blog posts as well. Because it's very easy to talk about vulnerabilities, but it's actually interesting to talk to like independently verify and say, I think confidently this is okay.

Yeah. Because if it's not

okay, you know what I mean? People are gonna come back to your blog post and be like, that guy,

I'm get looking at something that looks kind of promising. It's the JetBrains Language Promise Index. I love this

tools and trends.

Did you know that Go has more promise than JavaScript? Is saying something because JavaScript has promises and Go doesn't, right?

You know what, I bet someone did like that. I'll look it up right now. Promise syntax in Go. Generic promise library for Go.

Love it.

There you go, Go type promise.

There we go. Go has promises now too. So JetBrains published recently their language promise index and a whole bunch of other statistics. I don't know what the promise index means. It's sort of an arbitrary number.

100 promise points. Yeah. Rust is number two, which I think indicates, this number is more like who is going to expand versus who has market share right now. Although these things that tend to be related, I think this is a pretty It's a combination of like real world adoption, but also like aspirational thinking by developers.

It must because like Shell is rated at plus 41 above PHP and SQL and Ruby has minus 21. Yeah. I can understand Objective C having a minus three because that kind of lost the battle a long time ago, right? It's been superseded by, I don't remember what, but yeah, don't know. Are- Slumber

end things.

Yeah, yeah, exactly. But anyway, like, I don't know. Seeing Shell outperforming Ruby is strange.

It's not really comparable. I am sad to see SQL so low on that list. I wish more people knew better SQL instead of like really liking TypeScript and then writing stuff with ORMs, but that's just another battle. The important numbers I saw is that something that I think a number I can understand is top five languages developers want to adopt next. So these are like the share of developers expressing an intention to adopt said language.

I did see other numbers, most weren't Go related. I was encouraged to see that Postgres is finally more popular than MySQL. MySQL had a strong lead for years and Postgres is now 1% higher.

Great. I love Postgres.

I'm not sure why that is. I've been a Postgres fan for years. I suppose MySQL's acquisition and licensing issues and forks and all of it, you know, probably all plays a role. But

And also all the new fancy hosting stuff like Neon and Superbase and blah blah blah. Actually, don't know about Superbase, I'm taking that back. But definitely like Neon and there's a lot of like newfangled hosting, like cloud hosting companies that give you fancy Postgres, I think made it easier to adopt.

I I suppose we should also mention MariaDB is listed separately and it has a 16%. So if you were to combine Maria and MySQL, it would still be Postgres. So that ecosystem might still be winning if it's a battle, but whatever.

I think it's interesting. Like the more something is popular, the easier it is to adopt it in like an enterprise perspective, right? Or a company. So like, I'm hiring for engineers right now. Would I try to write my thing in Objective C, which has like 2% or TypeScript, which has 45%?

Sure, definitely.

So link in the show notes, you can check this out.

I don't know where

they got the numbers for these, by the way. I'm like trusting these numbers, but I have no idea where they got the numbers.

They probably didn't use the Go Checksum database, so these numbers might not be secure.

Yeah, exactly. But I don't know, I have an innate trust in JetRains, even though I hate to their IDE. I feel like they're a good engineer y company. It's just a brand thing. I can't justify it for sure.

First up on the lightning round, why I built a 39,000,000 operations per second zero allocation ring buffer for file watching in Go. Why not? Why not? Yeah. It sounds like fun. I love zero allocations. Everything it's it's like it's like the new Code Golf. Right? How many is how many allocations can we get out of our our Game of Life or our FizzBuzz or whatever else you're doing?

Seems like you're not you're not loving the zero allocation vibe.

So the truth is, I think zero allocation is is quite useful for certain applications. I guess I feel like I I I've seen it before. You don't care. I don't I don't care. Yeah. It's not worth not worth bragging about anymore. Everybody does zero allocations now. I don't know.

I think I think it's useful for specific applications. This is part of like a high performance dynamic configuration framework.

Absolutely, yeah.

And configuration has never been a bottleneck in any application of growth. Sometimes, you know, there was like a very inefficient logger or whatever. It's something you do a lot, But honestly, most of the times where like this infrastructure stuff have been a bottleneck, it was because I used it incorrectly.

Right.

So, if you have an application that reads tens of thousands of configuration variables a second, you should probably stop for a second and then ask why? Anyway, I actually like the premise of the project, like let's build a really, really high performance piece of infrastructure and then you can do 39,000,000 operations per second, blah, blah, blah, a nanosecond latency and throughput and zero allocations memory. People on Reddit really hated on it. And this is not me like doing the usual Reddit thing. I don't understand why people are like so negative towards such a such a cool project.

Because it's Reddit.

Maybe.

If you try to give them all money, they they criticize you for doing charity. I don't know.

You're trying to get me to pay more taxes? Anyway, if you if you need the really fast configuration thing or you're looking for some performance related inspiration, you can go check out this project. My thing is something, it's been on the backlog for a while, so I decided to just do it in a lighting run instead of letting it rot. A modern approach to preventing CSRF in Go. I don't know about you, but, I hate it when I develop, web applications, then I have CSRF issues.

Nice correction. That does it for the show. It sure does.

Thank you for listening. See you all next week. Happy Halloween. Program exited. Goodbye. Program exited. Goodbye.