Supply Chain Attack, Anyone? • The Applied Go Weekly Newsletter 2024-06-30
Your weekly source of Go news, tips, and projects
Have you heard of the Polyfill attack?
Shortly after the Polyfill.js project and domain changed owner, the Polyfill servers injected malware into 100k+ sites, making potentially millions of mobile devices visiting these sites vulnerable to that malware.
Software supply chains are under increasing pressure to apply effective security measures. It's not even three months since the attack on the xz package was reported.
In the face of events like this, I am extremely glad that the Go team took measures to secure software supply chains in Go.
- The release of the Go Module Proxy and Go Sum DB in 2019 was a first step to make supply chain attacks more difficult.
- In 2023, the Go toolchain itself became perfectly reproducible and verifiable.
- The govulncheck tool is another example of the Go team's efforts to make Go projects more secure.
- Every package listing on pkg.go.dev includes a link to an Open Source Insights page that reveals vulnerabilities and further useful information, such as dependencies or licenses used.
So even though every project needs specific hardening to prevent supply chain attacks, I believe we gophers start from a fairly high level.
Happy coding!
Featured Articles
No sleep until we build the ideal pub/sub library in Go
Publisher publishes and consumer consumes. What could possibly go wrong?
Raul Jordan built a pub-sub library and can tell you about all those details you need to take care of.
7 Common Interface Mistakes in Go
Buyer beware: Interfaces in language A are not the same as interfaces in language B. If you come from, say, Java to Go, you're accustomed to writing large interfaces up-front. If you continue to do the same in Go, then, well, just don't show it to anybody. Go interfaces are supposed to work on a totally different premise. They're small, often having only one or two functions, and they may be declared after the fact.
Andrei Boar's article gently nudges you to use Go interfaces NOT like Java interfaces.
A silly mistake that I made with io.TeeReader
Without peeking into the article, what mistake do you think Vishnu Bharati made?
Deadlocks in Go: Understanding and Preventing for Production Stability
Deadlocks are tricky, especially if they occur only under rare conditions. Kostiantyn Lysenko inspects all those different types of deadlocks, to help you avoid another "Damn, not again!" moment.
Podcast corner
Cup o' Go: 🎹 As simple as Do, Re, Mi, Go 1.23 (rc1), baby, you and me!
Go 1.23 RC1 has been released, and Go 1.22.5 & 1.21.12 are also coming soon! See the episode landing page for links.
Also in this episode:
go podcast() 041: Speaking at conferences with Matt Boyle
Matt Boyle, creator of a great debugging course and book, recently got his first conference talk accepted, for GopherCon UK! In this go podcast() episode, he talks to Dominic St-Pierre about his journey and shares some advice for landing a conference talk.
Go Time: Gophers Say! GopherCon EU Berlin 2024
This episode is a live recording from GopherCon EU 2024. The Go Time team ran a game show where teams have to guess what GopherCon gophers have said about a specific topic.
Go tip of the week: Don't check in go.work
Here is a quick tip, as I recently saw yet another repo with go.work and go.work.sum files in it.
Don't check in your go.work files to source control.
go.work is meant to specify a local workspace, in which you can redirect imports of remote packages to local repos. Those redirects are specific to your local file system. You're totally free in deciding where to clone repos to, and this defines the contents of your go.work file.
If you check in the go.work file, it gets used on machines that don't have the same Go workspace structure as yours. The redirects in go.work will thus fail on those machines.
So always add go.work* to your .gitignore file (or the equivalent for the source control system you are using).
Tip inside the tip: If you really want to share your workspace layout, use a go.work.example file for that purpose.
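As an added example (not from the newsletter), here is a pre-commit hook that refuses a commit when go.work or go.work.sum is staged, so the .gitignore rule has a second line of defense. It assumes the script is installed as .git/hooks/pre-commit. One caveat worth knowing: the go.work* pattern also matches go.work.example, so the .gitignore needs a !go.work.example line to keep the shared copy.

```shell
#!/bin/sh
# Added example (not from the newsletter): pre-commit hook that blocks local
# Go workspace files from being committed. The check reads the staged path
# list from stdin so it can be exercised without git.
#
# Companion .gitignore lines (assumed layout):
#   go.work*
#   !go.work.example
#
# Prints each offending path and returns 1 if any staged path is go.work or
# go.work.sum (at any directory depth); go.work.example stays allowed.
check_staged_files() {
  found=0
  while IFS= read -r path; do
    case "$path" in
      go.work|go.work.sum|*/go.work|*/go.work.sum)
        echo "refusing to commit local workspace file: $path" >&2
        found=1
        ;;
    esac
  done
  return "$found"
}

# Git runs .git/hooks/pre-commit with no arguments; only then do we query
# the index for staged paths (added, copied, modified, renamed).
if [ "$(basename "$0")" = "pre-commit" ]; then
  git diff --cached --name-only --diff-filter=ACMR | check_staged_files ||
    { echo "unstage it with: git rm --cached go.work go.work.sum" >&2; exit 1; }
fi
```

Install it with `cp` into .git/hooks/pre-commit and `chmod +x`; a blocked commit lists the offending paths and how to unstage them.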
Quote of the week: A healthy amount of skepticism
As programmers, we should see our knowledge as a house of cards made of leaky abstractions and assumptions. We should have a healthy amount of skepticism of everything and everyone, including ourselves.
– Sung Kim
More articles, videos, talks
URL Shortener Example | DGate API Gateway
An API gateway that can run functions at certain events (e.g. before or after sending a request upstream) and even handle requests directly through JS/TS functions (think "edge computing").
Securing Prometheus Metrics in Echo Golang Framework – Clivern
The Prometheus middleware does not support authentication. Ahmed Fathy shows how to add basic authentication to secure the Prometheus connection.
Three Ways To Think About Channels
A channel is a channel is a channel. A channel in different contexts and at different abstraction levels is... Well, let Max Hoffman explain it to you.
CRUD API with AWS API Gateway, Lambda and DynamoDB - Solution Toolkit
Are you, like me, a fan of simple recipes with only a handful of ingredients? Like, "tomato, egg, balsamico vinegar, salt'n'peppa, put in oven, et voila: meal." Then you'll enjoy this three-ingredient recipe for a crunchy CRUD app.
GitHub - xhd2015/xgo: All-in-one go testing library
Explore tests in the browser.
Guide to Sign, Notarize and Staple Your Go App for outside Mac App Store distribution
Apple computers reject any software that is not signed and notarized.
Call for feedback on gomponents before v1
Markus Wüstenberg, author of the gomponents package, is looking for feedback before moving the package from v0 to v1.
Coordinating multiple web servers on the same machine
Proxy servers for small-scale infrastructure might not require the full power (and weight) of Traefik or Caddy. Hasen Judi wrote a lightweight reverse proxy that can be configured programmatically.
Projects
Libraries
GitHub - Thiht/transactor: Transactor is an injectable type making DB transactions seamless.
transactor aims at making database transactions transparent, with the slight drawback of not being concurrency-safe.
GitHub - subomi/requestmigrations: requestmigrations implements rolling versions for REST APIs.
REST APIs must have a version, and breaking changes require increasing the version number. At least, this is the commonly agreed-upon way of handling incompatibilities.
But there is a drawback: Version jumps include large sets of backward-incompatible changes because all of those changes are collected and held back until the time has come for The Big Update.
Rolling releases have no version number but a release date. Breaking changes can be published in much smaller sizes, making updating almost painless.
requestmigrations helps to build APIs with rolling releases.
GitHub - Ha4sh-447/flowcharts: Create simple flowcharts from text
Why are there so few terminal UI apps that show flowcharts? Because this library was missing!
GitHub - external-secrets/bitwarden-sdk-server: This repository contains a simple REST wrapper for the Bitwarden Rust SDK
Using the standard Bitwarden SDK requires CGO. This project (in alpha status) is an API wrapper around the SDK to make using Bitwarden a pure Go experience.
GitHub - orisano/gosax: Go library for XML SAX (Simple API for XML) parsing
When XML files become large, parsing performance becomes crucial. gosax uses optimization techniques inspired by quick-xml and pkg/json.
Tools and applications
GitHub - quentinlintz/cmdtop: ⌨️ A tool for showing your top commands
If you happen to NOT use Fish as a shell, this tool reveals the commands you use most.
GitHub - RussellLuo/hats: Communicating with NATS using the HTTP protocol.
NATS is a message passing infrastructure with its own protocol. hats builds a bridge to clients who can or want to speak only HTTP.
GitHub - takacs/donkey: donkey (d-anki) is a terminal flash card review app
Spaced repetition is a proven way of acquiring lasting knowledge. Donkey brings this learning strategy to your terminal.
GitHub - odddollar/Bilinear-gradient-generator-GUI: Generates colour gradients using bilinear-interpolation
Maybe you don't have many use cases for generated gradients, but then maybe you want to dissect a Fyne app to peek into desktop GUI programming.
GitHub - orellazri/renderkit: A swiss army knife CLI tool for rendering templates
Need to test templates on the fly? Render Kit takes a template file (formats: Envsubst, Go Templates (including Sprig Functions), Handlebars, Jet, Jinja, Mustache) and a data file (formats: YAML, TOML, JSON, URLs, or environment variables) and renders the template with the provided data.
GitHub - theshubhamp/fetadb: FetaDB is a Work-In-Progress SQL Database backed by a KV store (Badger)
Maybe you don't want to use this Badger-backed SQL db in production, but if you are curious how to build a SQL database from scratch, this project might be a good example for studying purposes.
GitHub - JFryy/qq: jq inspired interoperable config format transcoder with interactive querying.
Transcode between json, xml, yaml, hcl (tf), toml, csv and ini file formats.
GitHub - dancnb/sonicradio: A TUI radio player making use of Radio Browser API and Bubbletea.
Tune in to your favorite station without leaving the terminal.
GitHub - superjose/deploy-golang-cloudrun: A Script that configures all the Google Cloud Permissions and deploys your golang application to Google Cloud Run
Special feature: The script won't create duplicate resources if run multiple times. (A.k.a. "idempotency".)
Completely unrelated to Go
If it never breaks, you're doing it wrong
99.999999% uptime! Who wouldn't want to have services that virtually never fail? However, downtime is still a frequent guest in our IT living room. You can either fight downtimes, or look at them from a different angle.
Happy coding! ʕ◔ϖ◔ʔ
Questions or feedback? Drop me a line. I'd love to hear from you.
Best from Munich, Christoph
Not a subscriber yet?
If you read this newsletter issue online, or if someone forwarded the newsletter to you, subscribe for regular updates to get every new issue earlier than the online version, and more reliable than an occasional forwarding.
Find the subscription form at the end of this page.
How I can help
If you're looking for more useful content around Go, here are some ways I can help you become a better Gopher (or a Gopher at all):
On AppliedGo.net, I blog about Go projects, algorithms and data structures in Go, and other fun stuff.
Or visit the AppliedGo.com blog and learn about language specifics, Go updates, and programming-related stuff.
My AppliedGo YouTube channel hosts quick tip and crash course videos that help you get more productive and creative with Go.
Enroll in my Go course for developers that stands out for its intense use of animated graphics for explaining abstract concepts in an intuitive way. Numerous short and concise lectures allow you to schedule your learning flow as you like.
Christoph Berger IT Products and Services
Dachauer Straße 29
Bergkirchen
Germany