Stay up to date with the Go community in about 15 minutes per week
This show is supported by you. Stick around till the ad break to hear more about that. This is Cup o' Go for 05/07/2026. Keep up to date with the important happenings in the Go community in about twenty minutes per week. I'm Shay Nehmad.
Jonathan Hall:I'm Jonathan Hall. Is it still May 7?
Shay Nehmad:Yeah. It it might be a little late.
Jonathan Hall:It is as we record, barely. I'm sure you'll be listening to this on the eighth or later. We're recording late before Shay takes off
Shay Nehmad:tomorrow. Potentially. Potentially. Very I I very much hope that I'll, fly soon. So I was supposed to be in Israel, a while ago, and as things shook out there, I was not able to fly.
Shay Nehmad:And now I'm really hoping I will be able to fly, and we'll see how that goes. If so, you won't hear me for a little while, and we might take a break. We might have some guest co hosts. We'll see, until I come back. Other than that, I might sound kinda weird, because I usually record this show standing up, but today I can't.
Shay Nehmad:Twisted my knee playing basketball.
Jonathan Hall:Oh, man.
Shay Nehmad:You gotta support me somehow. Give me some good Go news to cheer me up.
Jonathan Hall:I have some good Go news to cheer you up, and that is that GopherCon has published their schedule. Which GopherCon? The GopherCon. The original. The one and only.
Jonathan Hall:The GopherCon will be in Seattle in August, August. I have purchased my tickets. I haven't purchased my hotel, but I have my flight and my ticket. So I might be sleeping under a bridge there, but I will be there.
Shay Nehmad:Well, that's common thing in Seattle. Right?
Jonathan Hall:Yeah. It's common there. It's I'll be welcome, I'm sure. Underneath the bridge. But you should come join me.
Jonathan Hall:I'm really looking forward to some of these sessions. There's this one called afternoon beverage break that I am super excited about. The other ones I don't know. There's one here called, what, slog left on the table.
Shay Nehmad:Hot damn. Do you use slog? Of course. I honestly you know what? That was too quick of an answer.
Shay Nehmad:Until up to recently, I used, I think, a a zerolog.
Jonathan Hall:Yeah.
Shay Nehmad:Yeah. Because that was pretty good and also but slog is just good enough. It does the same as far as I'm concerned. I'm sure that there are, like, performance considerations that I'm not aware of, but that's never been a problem for me. And I I'm really happy to cut down on, you know what I mean, on dependencies and just use the standard library where I can.
Shay Nehmad:I moved from zerolog to slog, but I guess I missed something because it left some things on the table.
Jonathan Hall:Yeah. If you didn't know, slog left a couple of things on the table that Dylan Bork, I hope I say that right, from Corby will be teaching us about some testing stuff. Basically, he's added he's created a library that that extends slog. He's gonna talk about how to improve your testing with slog and how you can make change your verbosity levels per component in your application at runtime. So that's that's one I'm looking forward to.
Jonathan Hall:I'm a big fan of slog.
Shay Nehmad:Oh, that sounds problematic. What do you mean?
Jonathan Hall:You mean the runtime part?
Shay Nehmad:Yeah. I define globally, I want info, and then suddenly some component can decide on their own and move it to debug?
Jonathan Hall:The idea is that you could you could say, I I am trying to debug the the foo widget. I need debug level there for twenty minutes. And you don't wanna have to redeploy the app or restart the app, so you can toggle a switch somewhere. It turns on debugging just for that component for for while you're debugging and then turns it back off again.
Shay Nehmad:You know what? That is actually fire. I take back all my disdain.
Jonathan Hall:But there there's one other talk here I really think that you specifically, Shay, should come to Seattle for, and that is from Go to Factorio, what games can teach us about compilers.
Shay Nehmad:Oh my god. Oh my god. I have to go. Have you played Factorio? Do you, like, understand my obsession with this game?
Jonathan Hall:I do not. I think I may have installed it once maybe and got confused before I, like, got into it.
Shay Nehmad:I highly recommend you and I do a livestream when I come back, like five hours on Twitch with our Hey, listeners, if you're actually into it, I'll buy you, like, the a copy of the game, and you and I just play Factorio for five hours and see to what science we can get before we kill each other. It might end the podcast and our friendship, but on the other hand, we might be like best friends after it. It's honestly one of the best games I've ever I've finished it three times.
Jonathan Hall:Is competitive? Like, we would be competing or we would be collaborating in this scenario?
Shay Nehmad:So that's a highly interesting, like, team dynamic question. Like, if you're a if you and I were programmers in a team, do you think we'd feel competitive in, like, who's finishing the most PRs or has the biggest impact or leaves the most code review comments?
Jonathan Hall:I would be be collaborative, but I think we will be collaborative.
Shay Nehmad:I I get to be a little competitive sometimes. Like, if someone doesn't accept my design in a design, discussion, I'll be all, uppity about it for a little while. Alright. We had I played with, a few friends. Shout out, Omer and Olga and Vovshai.
Shay Nehmad:We had, like, a group going for a long time, and we had one guy, like, he would build part of a factory, and then he would come in and, like, you go you go back to check on your automation an hour later or whatever. You see it's completely rebuilt. You just refactored it without talking to you. That was very contentious. Anyway, it's a great game, and I think legitimately it can teach you a lot about programming.
Shay Nehmad:I don't know what it can teach you specifically about compilers, but man, I really wanna watch
Jonathan Hall:the Yeah. Recording of You will know after you watch that presentation.
Shay Nehmad:Goddamn. I might make it. Let's see. Let's see. I'm I'm now that I see the agenda, I'm suddenly tickled to go.
Jonathan Hall:So, yeah, hope to see you there, Shay. If not, then we can do a Factorio livestream afterwards once I know how it can teach me about compilers. Mhmm. See if it's worth it. What else do we have to talk about this week, or or is it just games?
Shay Nehmad:I wish it was just games. I actually a little bit inside baseball here. I don't know because I hear Fresh Trello, and their status page is down. So how about you tell me?
Jonathan Hall:Okay. Well, next up, in on my agenda here is the security release that just dropped today for Go 1.26.3 and 1.25.10.
Shay Nehmad:So this is a big one. We counted three times just to make sure it includes 11 security fixes, and some of them are pretty interesting. Obviously, we can go through 11 security fixes in, an audio show, but there are a few I wanna highlight. First one is if you're into, like, memory management or like me, you started in assembler and C. So there's a classic double free, in lookupCNAME in the cgo DNS resolver, which I think is only relevant in the Linux implementation as well.
Shay Nehmad:Another, big l for Linux people, such as Jonathan.
Jonathan Hall:Yeah. But I don't use cgo. So
Shay Nehmad:Exactly. So what's happening here is you pass I actually read the code to try and understand it, and I think I do understand it. There's a DNS resolver, right, in cgo_unix.go in the net library. There's a function called res_search or cgoResSearch, which is like a DNS CNAME resolver, right? And you got to put the name in a buffer, right?
Shay Nehmad:That makes sense. And if the buffer is really, really long and you can't host name, I mean, is really, really long, it doesn't fit. And then you have to, like, allocate a bigger buffer so you can fit the entire message because you sort of reuse the buffer, but you end up releasing it twice, which is unfortunate. Like, do calling free twice if it's only in that path. So instead, you just call C.free, in a defer.
Jonathan Hall:So this will show my my ignorance or more like forgetfulness. I've been it's been so long since I've done C, and I was never very good at it.
Shay Nehmad:Don't worry. Nobody is. Apparently,
Jonathan Hall:releasing that memory twice is not like a repeatable thing to do. It's releasing the same memory. Is it like truncating something again, or is it that that memory might be already used by something else by then? Or what what is the actual problem?
Shay Nehmad:So a double free in C is undefined behavior, which means anything can happen. I if were it idempotent, it would have been really bad because it would have meant that somewhere C would have to track all the things that were freed. Uh-huh. So you can free them again and nothing happens. That basically means you have to implement them, runtime and whatever, and then you end up with, like C# or any language that does that stuff for you and then you don't.
Shay Nehmad:At that point, you're like, well, I wrote this thing that tracks everything that needs to be freed. Why do people need to call free? And hey, you implemented a garbage collector. It's undefined behavior. In practice, what happens is it causes corruption in the state of the memory manager, and then you're like basically, a lot of the time it'll just like seg faults.
Shay Nehmad:And sometimes it I think in the worst cases, it fails silently for a year and then something else changes, like in the way that memory is laid out in your program, completely unrelated, and your program starts failing. Yes. So when you in this change, in this, like, change that was introduced, it's released in closure. So instead of deferring the direct free call, you defer it in a function. The closure captures buff and it picks up a reallocated buffer if needed.
Shay Nehmad:Tiny detail, but very interesting. Kind of hard to read. Like, I'm not, it took me multiple reads. It's very hard. You, like, need to read the four and whatever.
Shay Nehmad:Hard catch. So, of course, we can't, mention this specific, issue without mentioning who reported it. Who reported
Jonathan Hall:this one? Humayun Humayun. Double allocated username to go along with a double free bug report.
Shay Nehmad:You can't. You can't make this stuff up. Actually, a web security enthusiast, I think from Japan, because their Twitter profile is in Japanese. I know you don't visit Twitter anymore, but I do. I have a user, and now everything's auto translated automatically.
Shay Nehmad:So it shows you, like, translated from Japanese, but it's all in English. Pretty cool, I guess.
Jonathan Hall:That special xAI over there doing that.
Shay Nehmad:Yeah. Yeah. Definitely. But pretty pretty cool. Thank you, Homayan Homayan, if that is your real name and we're not mispronouncing it.
Shay Nehmad:Another one that I wanted to talk about, which caught my eye because it taught me about a new Go subcommand. What does go bug do?
Jonathan Hall:It it bugs me that you ask.
Shay Nehmad:Because you don't know?
Jonathan Hall:Because I don't know.
Shay Nehmad:It's a chance for you to learn something and for me to teach you, which is great. I also didn't So know what it I opened up Google Groups discussion from 09/06/2016. I was, like, still in the army. I was just learning about Go at the time, I think. And lo and behold, Josh Bleecher Snyder is reporting things.
Shay Nehmad:Sometimes I forget, like, how much, experience that guy has. Anyway, they added a go bug subcommand. I typed that into my terminal, and what it does is it opens up a GitHub issue with all of the go version and go env stuff on my machine, like where's the Go cache, what's the Go env, what are my GCC flags, What's my GOMODCACHE, OS, path? Just all the things that you would need to do, and also, you know, the my computer version and whatever. So when I report a bug, it has all these very, very useful, you know, pieces of information about my computer.
Shay Nehmad:What is the bug report or what is the security issue? These files were written to a predictable file in /tmp. Now why would that be a problem? Let's see if you can do the offensive part.
Jonathan Hall:Mhmm. Because I could put a symlink
Shay Nehmad:in that location that points somewhere nefarious. Exactly. So you can access if you have access to /tmp, which is not a high bar, right, basically any process can access it, and you put a symlink, you can cause go bug, which is probably being executed by a developer running sudo or whatever, to overwrite the target of the symlink and like destroy something on their machine. Again, by the way, note on the
Jonathan Hall:other More possibly I don't know if that would possibly share any privileged information if go bug could could could write information that might be privileged for a user.
Shay Nehmad:So it writes a lot of things like, you know, where my Go is with a full path, which includes my username and, you know, my exact machine version and whatever. So it's good for recon. Doesn't include, like, obviously, you know, any passwords or anything like Oh,
Jonathan Hall:for secrets. Yeah. Right.
Shay Nehmad:But still pretty, it's a lot of recon info. If you already have code running on my machine, I guess it's not as important because you can just run go env yourself. Sure. But if you don't, that's interesting. And also just like why, if it's a temporary file that nobody should know about, let's not use a predictable file name.
Shay Nehmad:Another big L for Jonathan, this is also only on Linux. Yeah. This was fixed as well. Now it's just using like mktemp. Right?
Shay Nehmad:What's the function name I'm looking for?
Jonathan Hall:os.MkTempDir or some something to that effect?
Shay Nehmad:Yeah. MkdirTemp.
Jonathan Hall:MkdirTemp. Yeah.
Shay Nehmad:Yeah. So instead of using the temporary directory exactly and then writing it to very predictable file paths, it's creating a random directory within the temp directory and then writing it there. Small detail, but very cool. And also, now I learned about go bug, so next time I have a Go bug or any of the listeners, you know, when when is the the next Go version coming out? Like, August?
Shay Nehmad:Something like that?
Jonathan Hall:Could be.
Shay Nehmad:Yeah. It's it's close to the end of the freeze time. So as we, you know, pick up the RC versions and start playing around with those, If you have a bug report, report it using go bug.
Jonathan Hall:There it is.
Shay Nehmad:I didn't know about that. All right. So long CNAMEs, new commands, all these things I'm learning about just because of the Go security release notes, which is pretty interesting. The final one I wanted to mention was a panic, and the reason I wanted to mention it is for balance. I've told
Jonathan Hall:you about you're mentioning this because I was gonna have to if you didn't.
Shay Nehmad:Yeah. I've been mentioning all these security issues
Jonathan Hall:in My poor Linux heart over here is just feeling crushed.
Shay Nehmad:Yeah. There's a panic that's only in Windows. So everybody everybody gets a security vulnerability. Don't worry about it.
Jonathan Hall:And and this one doesn't come from Microsoft.
Shay Nehmad:I'm the, like, number one noted Microsoft hater in my company, so I just wanna make sure that I'm not breaking any stereotypes. But yeah, when you're specifically in Windows and you're doing Dial or LookupPort, there's a syscall for just like translating a string. So, you know, you're trying to call Dial with a specific address, right? Host name, or whatever.
Jonathan Hall:Mhmm. Yep.
Shay Nehmad:If you had a null character in the input, it would panic, both in net.Dial, net.LookupPort, and syscall.Readlink. Now instead of panicking, it raised an error. I have a question for you. Why is this a security vulnerability and not just, you know, a bug fix? Why is panic introducing a security aspect instead of just being like, oh, we found a bug?
Jonathan Hall:I would I would imagine it's because of the DoS concern. If I can find some way to cause your thing to panic, you know, I can I can bring your service down?
Shay Nehmad:Got it. And this is actually input that's relevant because you can pass, like, a bad port that's like port one, two, three, four, and then null byte. You know what I mean?
Jonathan Hall:Yeah. So, like, I guess if you if there's some sort of networking yeah. I I I don't know. Like, it would be unusual in my opinion to pass unsanitized data to dial.
Shay Nehmad:Yeah. But if you're implementing, like, a proxy, you're reading it from somewhere. You know what I mean?
Jonathan Hall:Right. So, like, if you're doing something where you already yeah. Yeah. So, yeah, I I I I think it would be a legitimate thing.
Shay Nehmad:Anyway, it's good that it's fixed just because it would be a weird bug, to
Jonathan Hall:find running a service on Windows for public consumption, I I guess.
Shay Nehmad:Well, who's trying to run it?
Jonathan Hall:Git Oh, there you go.
Shay Nehmad:Who's successfully running it? You know, I don't I don't wanna be a hater. It's me. I'm using Azure as well. And honestly, Azure is okay.
Shay Nehmad:If we have any people here who work on the listeners who are working on Azure, you're doing alright. I'm enjoying using your cloud. Alright. There are more interesting security things going on here, including the malicious model proxy, but I think that's enough security notes for one day. What else is on our radar?
Shay Nehmad:Trello is still down, and I can't tell what our backlog is.
Jonathan Hall:Next up, something that actually comes from a listener who emailed us and has shared a a new project called Go SIM DB.
Shay Nehmad:Paired with another co project called CLI-Bridge, which is not a Go project, but it's very relevant, so we'll mention it.
Jonathan Hall:So I think you've looked at this maybe slightly longer than I have, Shay. Maybe you can explain sort of the high level what Go SIM DB is, because I don't really understand it.
Shay Nehmad:So Stefano Stefano Mihai shared this with us. At first, I I had your, thinking it's like an agent, something to a dev tool. Oh, use it with an MCP, and I was like, Ah, whatever. But then I actually read it, and I think it's a very, very interesting approach. So let's start with this context.
Shay Nehmad:When you edit code, you, the human Jonathan, you know, you edit code manually, not telling an agent to do
Jonathan Hall:something. Imagine
Shay Nehmad:this is like 2021. What do you open to edit the code?
Jonathan Hall:Usually, in 2021, I was opening VS Code.
Shay Nehmad:VS Code. That would be cool. Yeah. What if it was a Go file, what else did you run to, like, get every all the features you wanted and to, like, understand the code faster and and be able to, like, search and replace and be able to follow definitions and, like, understand all these things.
Jonathan Hall:Yeah. So VS Code's Go plugin, which, of course, relies heavily on gopls. Yeah. Some of that highlighting and few other things like that. Yeah.
Jonathan Hall:Right.
Shay Nehmad:I think this is the best lens to explain Go SIM DB from. So gopls is the, like, language server. Right? It you can ask it, hey, what is this symbol? And it'll tell you, oh, this is the documentation for this symbol.
Shay Nehmad:Or you can be like, show me all references to this variable. And it'll
Jonathan Hall:be like, oh, here are
Shay Nehmad:all references to this variable. Right? Go SIM DB is a SQLite database, like a file, that has similar capabilities. It has commands like callers, show me the direct or transitive callers of a symbol, or callees, what does a function call, dead, like show me symbols with no callers, references, where a type is used, like sort of very useful commands when you're editing code, and it's pointed towards agents. So Mhmm.
Shay Nehmad:When your agent, like, runs, it can start with Go SIM DB instead of running an LSP on the side, just query that SQLite DB directly, which should be theoretically faster. And also once the agent is done, it can diff the result from before and after it's edited and see like the changes using like a JSON flag, which is something that you as a human, you know, you used the, like, LSP to edit. Right? So you don't need the the that diff view when you're done. But for an agent, because, you know, you might reset the context or maybe it compacted or whatever, having that diff view, I think, might be useful.
Shay Nehmad:So this project is all about just building that database, which before I even move to the CLI Bridge, which is another like project from Stefano, I was wondering what do you think about this approach of, like, instead of having a live LSP server, having a call graph symbol sorry, symbol and call graph database that's just like a SQLite file.
Jonathan Hall:I I'm gonna have to look closely at it. It sounds interesting. I I like that he actually has this specific Go SIM DB and gopls section where he says Go SIM DB complements gopls. It's not replacement. And specifically says if you're editing an IDE, use gopls.
Jonathan Hall:If you're using an agent, then this might be for you. So, yeah, I'm gonna have to look at it because I do use agents, of course, a lot.
Shay Nehmad:Mhmm. Yeah. And very importantly, this is running on your machine. Like, a lot of these AI style new tools, I almost immediately opt out of using because they're not private. Right?
Shay Nehmad:You run them and they're like, oh, yeah, run this cool tool which helps your agent and also ships all your source code to my machine. So not with this one, luckily. Doesn't send source code or any data or telemetry, which I really appreciate. And like the reason theoretically agents should work well with this and have a better time is you get like fully qualified symbol names all the time, which I remember like using, you know, Visual Studio, the old one, you have an ability to like turn on FQDNs for all your symbols, usually they're really long, right? When you work in Java and you have to type like com.
Shay Nehmad:Whatever until you reach a symbol. But I do end up with agents sometimes like importing the wrong thing or because it's just like the same name. Right? I think it's going to happen a lot with the uuid package where people like type uuid expecting the standard library one that's coming out, but the agent's just going to decide to import the Google one because that's very common. So maybe with this tool, you know, you could avoid sort of these ambiguities.
Shay Nehmad:Generally, you don't you shouldn't use this directly, I think. I think the point is to give go to give your harness, like, Claude Code or whatever you're using, a plugin that uses, like, this CLI. Although this is just a CLI you can use and program around. So I think if you're into, like, you know, Go language analysis, you should look at this. This is very interesting.
Shay Nehmad:It mostly uses a standard library, of course, and this is a very new project as well. So we actually talked to Stefano, like, he sent us to it like immediately after he released it. According to his benchmarks, this like saves a lot of tokens, which is very interesting compared to using the LSP. So if you're very cost aware about your tokens, he says it's lowering the results. I'm not sure.
Shay Nehmad:I don't mean to, like, doubt his benchmarks, but, you know, I'm going to need someone else to review it before I
Jonathan Hall:fully trust it. I wouldn't be surprised because I see Claude doing all sorts of greps and stuff, which are very coarse for code analysis, you know, because you have to grep much broader than you need to get everything with, you know, when you're not AST aware. So I could easily see something like this saving tokens.
Shay Nehmad:Yeah. But it it's definitely if it's that useful, then and, you know, any of our listeners have any impact on it, like working at Anthropic or something, would be cool to check it out specifically for Go. Awesome. Alright.
Jonathan Hall:I think we've been talking for more than twenty minutes, Shay. Should we wrap this thing up?
Shay Nehmad:Yeah. Let's go to the ad break. Like I mentioned at the top of the show, this program is supported entirely by you. We really, really appreciate it. The most direct way to support the show and help us continue this fun but expensive hobby is to support us via Patreon.
Shay Nehmad:We would like to thank Tom Vendenburg for joining as a Cup o' Go for it, the full tier.
Jonathan Hall:That's awesome. Thanks, Tom.
Shay Nehmad:If you wanna join awesome people like Tom and the rest of our audience, we would really, really appreciate it. And you can find all the links to the Patreon, past episodes, our email, the Slack group, our swag store, whatever, all in cupogo.dev. That is cupogo.dev. Very short URL, not a lot of typing needed. If you'll go into it, well, let's see how fast John is.
Shay Nehmad:I found a bug in the homepage. Let's see if he finds it before you do. There is a bug in the homepage. Other than that, to support the show, can definitely share and comment and like and do all the things. If you're listening to like Apple Podcasts or Spotify, rate it.
Shay Nehmad:And if you have a developer in your life that needs to learn about panic while dialing in Linux or will be interested in trying out Go SIM DB and CLI-Bridge, send them an episode of the show. We really appreciate it.
Jonathan Hall:Very cool. One programming note. You are, as you already mentioned, trying to fly out tomorrow. So next week, probably be here with a cohost. A a guest cohost, I should say.
Jonathan Hall:And the week after that, probably just taking a break.
Shay Nehmad:Yeah. We might take an episode off. Yep. So just make sure to, that week, strictly use Elixir. Right?
Shay Nehmad:Because you won't know about Go, so how could you how could you ever program It's in impossible if you
Jonathan Hall:can't listen to your cup
Shay Nehmad:of Go. Impossible. Yeah. So I'm gonna be off, hopefully, an episode next week, and honestly, we'll take a break after. Thank you so much for listening.
Shay Nehmad:Have a great weekend, everybody. Program exited.