Go With The Vibe • The Applied Go Weekly Newsletter 2025-04-06
Your weekly source of Go news, tips, and projects
Go with the vibe
Hi,
The software development communities have been getting into heated discussions about vibe coding, where a person with or without development experience lets an LLM do all the coding. The human isn't supposed to even look at the code. If the code errors out or doesn't deliver the desired result, the human tells the LLM to fix the problem. Proponents of vibe coding see it as the definite democratization of software development (but so did the proponents of COBOL, the Common Business Language from 1959). Critics anticipate mountains of code mess to be cleaned up by veteran developers because the new, LLM-grown generation of "programmers" won't have the knowledge and skills to comprehend the code their LLMs are producing.
Go's natural turf is the backend where it runs infrastructure and servers. As such, Go doesn't seem to be a natural target of vibe coders. However, it actually happens already, and this is why I am writing about it here. I am not yet decided about the usefulness of AI-assisted coding (let alone vibe coding), but one thing is clear: The development of LLMs doesn't stop, and they will only get better at programming in the future. Likewise, LLM-driven systems become more and more powerful as they learn to take control of their environment: Agentic AI can access files, databases, and remote services autonomously, with all opportunities and risks you can imagine. In this issue's Spotlight, I look into the risks that come with combining LLMs and tools through mechanisms like the Model Context Protocol.
Happy (vibe-?) coding!
–Christoph
Featured articles
Golang on the PlayStation 2 | Ricardo
Now, Go runs on many architectures and operating systems. But on a PlayStation 2? That even has no proper Linux? And runs on some MIPS-something processor? Ricardo Gomes da Silva isn't someone who lets such minor issues hold him back.
Finly — Building a Real-Time Notification System in Go with PostgreSQL
The Finly team needed real-time notifications for their system. So they combined PostgreSQL's PGNotify with GraphQL subscriptions for instant user notifications.
How Go’s Error Handling Makes You a Better Coder | by Aryan | Mar, 2025 | Cubed
Tired of all the hate that Go's error handling receives? Here is some material to convince critics (including your inner critic).
Podcast corner
Cup o' Go: 🏃🏼♂️➡️ You can run, but you can't hide from the security! 🫣 And golangci-lint v2 with Ludovic Fernandez
Jonathan and Shay discuss vulnerabilities in golang.org/x/net, NGINX nightmares, and golangci-lint v2 with Ludovic Fernandez.
go podcast() 056: I unite with another technical professional, and we talk about being blind in tech
This is probably every developer's nightmare: losing one's eyesight. It happened to Dominic St-Pierre, the host of go podcast(), and in this episode he is joined by Ivan Fetch to talk about working as a blind dev.
Fallthrough: What Even Is A Senior Software Engineer?
Bill Kennedy of Ardan Labs is this episode's guest, discussing what makes a software engineer a "senior".
Spotlight: No risk, no fun? Beware of careless use of MCP
Vibe coding has arrived at Go. With a single prompt, you can create a complete CLI tool like this #definitelynotbiased Go tool for detecting Rust in Linux systems.
If you are a real vibe coder, you won't be satisfied with simple single-prompt tools, though. The real magic comes with MCP, the Model Context Protocol that puts truckloads of powerful tools to an LLM's fingertips. (Provided that the LLM has fingertips, or, in other words, is tools-aware.)
In case you haven't tried a tool like Goose, Claude Code, Cline, Continue, or any other MCP-aware platform, try it! It's fun, believe me. I tried it too, and it's fascinating to see how an algorithm based on statistical models and a few matrix calculations goes ahead and churns out code for you.
Ok, did you try it now? And it was fun, right? Great, because I'm here to spoil the fun.
How MCP works
The Model Context Protocol describes a client-server architecture with an "agentic app" at the center. An agentic app connects to LLMs and MCP servers. An MCP server exposes a tool, such as a web search, file access, or some remote service, to the agentic app. The app, in turn, can tell the LLM, "here is a tool that you can use." The Model Context Protocol ensures that the LLM knows what a tool does, how to invoke it, and how to read the results.
Here is a diagram of the MCP architecture:
The architecture looks simple enough; what could possibly go wrong?
How an agentic app is vulnerable to attacks and misbehavior
The idea of an agentic app is to give an LLM control over tools to examine and manipulate external instances: your local file system, databases, services that you are connected to, and more. Here are some pitfalls to avoid:
- Unrestricted access: By default, agentic systems start in "Ask" mode, where the user has to approve every request for using a tool. Getting constantly asked for permission can become tedious, which is why many users switch to auto approval mode, letting the LLM invoke tools as it needs.
  But even in "Ask" mode, you cannot be sure what specific series of tasks the LLM runs. The LLM doesn't even need to hallucinate in order to wipe out files that you'd rather keep, or wreak havoc in some other way.
  Precautionary measure: Always have a backup, and if the LLM requests to use a tool, ensure that it tells you what exactly it wants to do.
- Unauthenticated MCP servers or tools: The MCP specification lists authorization as optional. Adding an MCP server to an agentic app is as easy as adding a few lines of JSON to the agent's config. An attacker could replace the MCP server or tool without you noticing.
  Precautionary measure: Use only tools with authentication, or at least know the tools you expose to your agentic app. If it's open source, take some time to inspect it or let an LLM check the code for malicious intent or vulnerabilities.
- Malicious MCP servers or tools: The MCP servers or tools can act in malicious ways, especially if they are remote services. For example, an MCP server or a tool could try to inject malicious prompts to make the LLM gather and leak sensitive data.
  Precautionary measure: Examine each new MCP server or tool that you intend to use for trustworthiness.
- Compromised MCP servers: MCP servers may store credentials for the services they connect to, such as your mail account or your GitHub organization. Attackers who gain access to these credentials can pull sensitive data or abuse the service.
  Precautionary measure: Shield your MCP servers as well as possible from outside attacks. When connecting to remote MCP servers outside your control, you might even want to consider not using this server at all.
This is only a fraction of possible attacks and misbehaviors, but it should be enough to get the point across; for more details, find further reading here, here, and here.
To be clear, I am not trying to say, "all MCP is evil". With sufficient caution and common sense applied, doing some Go coding with an AI buddy can be fun and insightful.
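One way to notice that an MCP server entry has been added or swapped behind your back, as described under "Unauthenticated MCP servers or tools" above. This is an added example, not code from this newsletter or from any MCP project. It assumes the agent config uses an `mcpServers` object whose entries have `command`, `args`, and `url` fields, as several MCP clients do; the server and package names are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Server mirrors one entry of the assumed "mcpServers" config layout.
type Server struct {
	Command string   `json:"command"`
	Args    []string `json:"args"`
	URL     string   `json:"url"`
}

// Fingerprint hashes the fields that decide which program or endpoint the agent talks to.
func Fingerprint(s Server) string {
	sum := sha256.Sum256([]byte(s.Command + "\x00" + strings.Join(s.Args, "\x00") + "\x00" + s.URL))
	return hex.EncodeToString(sum[:])
}

// Audit compares every configured server with the fingerprint recorded when it was reviewed.
func Audit(config []byte, pins map[string]string) ([]string, error) {
	var cfg struct{ Servers map[string]Server `json:"mcpServers"` }
	if err := json.Unmarshal(config, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	for name, s := range cfg.Servers {
		if pin, known := pins[name]; !known {
			findings = append(findings, name+": not reviewed")
		} else if pin != Fingerprint(s) {
			findings = append(findings, name+": definition changed since review")
		}
	}
	sort.Strings(findings) // map iteration order is random; sort for stable output
	return findings, nil
}

func main() {
	// Constructed sample: "files" was reviewed under another package name, "search" never was.
	config := []byte(`{"mcpServers":{"files":{"command":"npx","args":["example-fs-server-v2"]},"search":{"url":"https://mcp.example.test/sse"}}}`)
	pins := map[string]string{"files": Fingerprint(Server{Command: "npx", Args: []string{"example-fs-server"}})}
	fmt.Println(Audit(config, pins))
}
```

Keep the pin file outside any directory the agent's tools can write to; otherwise a tool call could update the pins together with the config.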
Quote of the Week: Websites for $2000 machines
Why are we building websites that require $2000 machines to run smoothly when the actual content could fit on a 1990s floppy disk?
More articles, videos, talks
Go Concurrency From The Beginning - YouTube
CaaV, or: Concurrency-as-a-Video.
Go Optimization Guide
Alexander Stavonin started a performance guide and asks for contributions
Zero Copy Readers in Go | Ian Lewis
How to read from an io.Reader without having it copy the data into a byte slice.
Why concrete error types are superior to sentinel errors :: jub0bs.com
Sentinel errors are package-level error variables that package clients can test an error against. Prominent examples are io.EOF and oserror.ErrNotExist. Sentinel errors have drawbacks, however. Julien Cretel suggests an alternative approach: custom error types.
When is it OK to panic in Go? – Alex Edwards
A call to panic() has severe effects on the code flow and should therefore be used with caution. Alex Edwards examines the cases where panicking is considered bad and where it is an appropriate measure.
Leak and Seek: A Go Runtime Mystery | Cyolo
A tale of hunting down a complex memory leak to a blocking I/O inside a finalizer.
Go 1.24.2 and Go 1.23.8 are released
Go 1.24.2 includes security fixes to the net/http package, as well as bug fixes to the compiler, the runtime, the go command, and the crypto/tls, go/types, net/http, and testing packages. Also, Go 1.23.8 was released. Get them via https://go.dev/dl or through your favorite package manager.
Golang sync.Pool is not a silver bullet - WunderGraph
In a concurrent app, pooling resources for reuse can increase performance and reduce memory usage—or do the opposite. Jens Neuse inspects good and bad use cases for sync.Pool.
Projects
Libraries
GitHub - rah-0/parsort: Parallel Sorting for Go
Some sort algorithms are great for concurrent sorting. Here is a concurrent implementation of merge sort.
Tools and applications
GitHub - venkat1017/Opengit: This is a smaller version for git. Other details:
If you want to learn about Git's internal workings, studying its source code may perhaps not be a good idea, as opposed to studying this Go implementation of Git that was specifically written for educational purposes.
GitHub - xaaha/hulak: File-based API client written in Go, for users who prefer working with files and terminal-based tools.
Manage your API workflows like a code repository, by configuring requests in YAML files.
GitHub - basebandit/kai: An MCP Server for Kubernetes
For the adventurous who want to let an LLM manage their Kubernetes clusters.
Completely unrelated to Go
Is Clean Architecture Overengineering?
Robert and Miłosz of Three Dots Labs discuss the pros and cons of Clean Architecture. Their verdict: Don't apply software architectures dogmatically. Clean Architecture isn't a one-size-fits-all solution; rather, its usefulness depends (as so often) on the specific context.

Happy coding! ʕ◔ϖ◔ʔ
Questions or feedback? Drop me a line. I'd love to hear from you.
Best from Munich, Christoph
Christoph Berger IT Products and Services
Dachauer Straße 29
Bergkirchen
Germany