sync/v2 and the 'v2'-ification of Go's standard library

#​541 — February 5, 2025

Unsub  |  Web Version

Go Weekly

How a Malicious Package Exploited Module Proxy Caching for Persistence — Researchers have uncovered a sophisticated supply chain attack exploiting both typosquatting and then Go’s module proxying caching to remain undetected for years. It’s worth understanding the mechanism behind this in case you run into it yourself.

Kirill Boychenko (Socket)

Proposal: math/rand/v2 Worked, Let's Do sync/v2! — Creating ‘v2’ versions of standard packages is Go’s compromise for modernization vs stability. With the evolution of math/rand a success, Ian thinks synchronization primitives are due an upgrade too. Much of the value here comes from a month’s worth of discussion, including people’s discontent over the ‘v2’ approach (outlined further here).

Ian Lance Taylor

Upcoming Workshop on Building Backend Web Apps in Go — Join us for a two day workshop (either online or in person) and develop your Go know-how. We'll focus on using Go to build backend web apps, along with learning Go data structures, interfaces, how to write unit tests, and more.

Frontend Masters sponsor

Go Programs Freezing When Launched by Steam — Ebitengine’s lead developer reported an unusual bug to the Steam team – Go programs (e.g. games) launched by the popular Steam game launcher were failing due to Steam interfering with Go’s runtime in some way. This has since become a bug being discussed on the Go repo with some workarounds but no full resolution yet.

Hajime Hoshi

IN BRIEF:

• While we wait for of Go 1.24's final release, Go 1.23.6 and Go 1.22.12 have been released including a security fix to crypto/elliptic as well as a couple of tiny bug fixes.

• Originally an elaborate set of shell scripts, the latest version of the asdf version manager sees a complete rewrite to Go. (I use this for managing my Ruby versions – it's good.)

httptap: View HTTP/HTTPS Requests Made by Any Linux Program — It uses Linux-only network namespaces for now, but this is a Go-powered process-scoped HTTP tracer you can run without root privileges. It even decrypts TLS traffic by generating a CA on the fly. Handy for debugging or seeing if dependencies or apps are ‘phoning home,’ perhaps..

Monastic Academy for the Preservation of Life on Earth

How to Release to Homebrew with GoReleaser, GitHub Actions and Semantic Release — The steps involved in automating the release of a Go project (maybe your new command line tool or TUI?) that’s available via Homebrew (as most commonly used on macOS).

Billy Hadlow

Product Management Is Broken. Engineers Can Fix It — How redefining how PMs and engineers work together helped PostHog optimize everything they do for speed and autonomy.

PostHog sponsor

📄 Real-Time Batching in Go Viktor Nikolaiev

📄 Recover Panics in All Goroutines You Start Emir Ribic

🛠 Code & Tools

Zog: 'Next Gen' Schema Validation for Go — Zod is a popular TypeScript-based runtime schema validation library and Zog is a take on the same idea in Go so you can define validations and run them against values and structs. GitHub repo.

Tristan Mayo

etree 1.5: A Library to Parse and Generate XML Easily — A simple, straightforward approach to working with XML in Go, inspired by Python’s ElementTree. XML documents are represented as trees for easily traversal and you can create, import, modify and save XML. Queries can be done with a XPath-like approach.

Brett Vickers

Feluda: A Tool to Analyze the Licences of Dependencies — It’s a Rust-powered project but which can be used to process the dependencies of Go, Rust or Node.js projects and return a report (or show a TUI interface) on potentially restrictive licenses that apply.

Kumar Anirudha

🔊 volume-go: A Cross-Platform Way to Control Sound Volume — Leaning on a different technique for each OS, it supports macOS, Linux, and Windows. If you want it wrapped up into a nice Go TUI, Volgo is for you.

itchyny

• 🧋 Bubble Tea 1.3 – A popular way to build terminal apps. v1.3 now handles interrupts better and take your CTRL+Cs 'with grace and poise.'

• genqlient 0.8 – Generate type-safe code to query a GraphQL API.

• Micro 5.0 – Go distributed system abstractions / platform.

• rain 2.2 – BitTorrent client and library for Go.

• fzf 0.59 – Popular command-line fuzzy finder.

• GoBGP 3.34 – BGP implementation in Go.

🕹️  And for a little fun..