cruft
Oct 25, 2007

The built in fully capable performant multi-threaded HTTP/2 server is a real selling point for me and the work I do.

I guess everybody already knows Go is good at this, but I feel like I need to jump on the bandwagon here.

ErIog
Jul 11, 2001

:nsacloud:

Hughmoris posted:

For you Go'ers (or whatever you call yourselves...): do you use Go for any sort of data analytics / data analyst jobs? I keep seeing it pop up on those type of job postings, and can't tell if I'm missing a big chunk of the data sector or if they are just spitballing keywords for the job description.

I wrote many scientific research pipelines in Go at a previous job, a lot of which hinged on analytics for making sure everything was working how it was intended to work. Go was lacking a lot of high level statistical functions at the time, but the other language features made it a very good fit for the job of reliably gathering the information (or erroring properly when the data was busted) to do statistics on. There were some points at the very end of finalizing a paper we'd pass small pieces of the data to R, but if we had ever exposed R to all the data it would have fallen over instantly or never finished the analysis we wanted to do.

So in some ways Go is not the sexiest choice for doing that kind of work, but it is frequently one of the best tools for doing 99% of the job.

cruft posted:

The built in fully capable performant multi-threaded HTTP/2 server is a real selling point for me and the work I do.

I guess everybody already knows Go is good at this, but I feel like I need to jump on the bandwagon here.

I also made a lot of use of this, and I was always expecting to find a point where it fell over or it was somehow worse than the more common stacks. I never did. Every bottleneck I found in stress-testing my endpoints was either in the firewall, Linux itself, or the database/app. It always kept up and worked reliably.

The other benefit I found over other stacks is that layers of the stack just disappear when you use Go because those things are built-in. It becomes so much easier to debug problems.

ErIog fucked around with this message at 03:34 on Apr 17, 2022

Methanar
Sep 26, 2013

by the sex ghost
I discovered today that some internal tool that interacts with MAAS to provision hardware is actually poorly written and can't handle hardware profiles with > 2 disks. Also it's hardcoded to expect a satadom disk as your boot partition and our latest hardware shipment doesn't actually have one of those. Unfortunately, I need this to work 2 weeks ago as this is blocking a trainwreck, zero-notice, suddenly-my-problem project I have that is more than a week overdue now; because I've been dealing with constant interruptions with being an acting team lead and project manager for like 6 other people because the senior-most engineer of the team left and the real manager is ¯\_(ツ)_/¯

So I went down a rabbit hole of setting myself up with a dev environment for the tool, trying to understand how it works (the relevant code was literally in a file named `todo.go` to give you a sense of how half-written this thing is). The official MAAS api docs are god awful too.

Between all of that and the half-written api client this tool is using, it's wasted like 5 hours of my time to get set up and to make changes to provision all non-boot partition disks into one big LVM as a fix. Except it doesn't work. I ended up having to read the real MAAS server's unit tests to figure out what the gently caress it actually wanted as parameters for my create PV and create LV calls because the docs just don't tell you. I'm still having type errors I don't fully understand because my http client doesn't make any sense and finally threw my hands up in frustration for the night.

honestly I don't even know if making it all one big ext4 LVM is even a good idea, it might not be because we're running databases and elasticsearch on this eventually and ???

Overall pretty disappointed in myself right now for taking so long to still have not actually fixed the problem.

programming sucks. I hate reading about people who claim to do this for fun. It's not fun. Computers shouldn't exist.

Methanar fucked around with this message at 03:23 on Jun 21, 2022

cruft
Oct 25, 2007

Wow, I figured there were like zero people outside of Canonical who have ever read the MAAS code, but here we are. Sorry for your suffering, friend. We can all relate.

cruft
Oct 25, 2007

How come nobody told me Go has generics now?

Breaking Glass
Dec 15, 2021

They're pretty great. We used them to write a workflow system and it was a massive improvement to the prior implementation. The limitation that variadic arguments have to all be the same type is a little frustrating.

Pham Nuwen
Oct 30, 2010



Breaking Glass posted:

The limitation that variadic arguments have to all be the same type is a little frustrating.

I assume Russ Cox has a frustratingly thorough explanation for why this is the only correct choice.

Breaking Glass
Dec 15, 2021

I'm rusty on the proposal but I think it was cut from an implementation complexity standpoint rather than a design issue, but I don't totally remember.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
that's okay I'll just make them all interface{}

Methanar
Sep 26, 2013

by the sex ghost

Jabor posted:

that's okay I'll just make them all interface{}

actual lol for some reason

Breaking Glass
Dec 15, 2021

I guess it makes sense in that slices are also invariant. There'd have to be a runtime type assertion when accessing a generic slice, which you can just do yourself. It's still annoying for our thing's API, which ended up like:

Dep1(thing)
Dep2(thing, thing)
...

Still, having the compile time type safety did catch errors and make refactoring easier than it was without generics.

Anyway I wanna learn rust after like the last 8 years of my life being Go.

cruft
Oct 25, 2007

Can anybody help me understand what I need to do in order to make "go get github.com/dirtbags/moth/pkg/jsend" work outside of that source tree?

Like, I thought I was setting things up so other software could use that library, but apparently I'm missing something, because it tells me:

code:
go: module github.com/dirtbags/moth@upgrade found (v3.6.3+incompatible), but does not contain package github.com/dirtbags/moth/pkg/jsend
:confused:

Pham Nuwen
Oct 30, 2010



cruft posted:

Can anybody help me understand what I need to do in order to make "go get github.com/dirtbags/moth/pkg/jsend" work outside of that source tree?

Like, I thought I was setting things up so other software could use that library, but apparently I'm missing something, because it tells me:

code:
go: module github.com/dirtbags/moth@upgrade found (v3.6.3+incompatible), but does not contain package github.com/dirtbags/moth/pkg/jsend
:confused:

So you're trying to write software to use that jsend library? If you've done a `go mod init` in your code, you should be able to do `go get github.com/dirtbags/moth/pkg/jsend@v4.4.9` from within your code dir and it'll Just Work?

edit: oh, they've hosed up their versioning, poo poo, I forget how to fix this

edit 2: yeahhhh they haven't set up their go.mod correctly. They've tagged up through v4.x.x, which means go.mod should say "module github.com/dirtbags/moth/v4" but they didn't do that. See https://go.dev/doc/modules/major-version

edit 3: jsend is just a single small file so just copy it into your own tree, with correct attribution of course (these guys ALSO didn't bother to do copyright headers...)

Pham Nuwen fucked around with this message at 00:27 on Apr 12, 2023

cruft
Oct 25, 2007

Pham Nuwen posted:

So you're trying to write software to use that jsend library? If you've done a `go mod init` in your code, you should be able to do `go get github.com/dirtbags/moth/pkg/jsend@v4.4.9` from within your code dir and it'll Just Work?

edit: oh, they've hosed up their versioning, poo poo, I forget how to fix this

edit 2: yeahhhh they haven't set up their go.mod correctly. They've tagged up through v4.x.x, which means go.mod should say "module github.com/dirtbags/moth/v4" but they didn't do that. See https://go.dev/doc/modules/major-version

edit 3: jsend is just a single small file so just copy it into your own tree, with correct attribution of course (these guys ALSO didn't bother to do copyright headers...)

Dirtbags is me. I'm trying to fix this :) Your link has me down some sort of path, maybe there's a working import at the end of it.

Regarding copyright headers, what's the preferred way to denote that? I thought you just dropped LICENSE.md in the top level?

Pham Nuwen
Oct 30, 2010



cruft posted:

Dirtbags is me. I'm trying to fix this :) Your link has me down some sort of path, maybe there's a working import at the end of it.

Regarding copyright headers, what's the preferred way to denote that? I thought you just dropped LICENSE.md in the top level?

lol sorry for ripping on your code, good luck because while go mod is an improvement over what came before, wrestling it is also my least favorite part of the job.

As for headers, I suggest just doing what the Go code does:


code:

// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

cruft
Oct 25, 2007

Pham Nuwen posted:

lol sorry for ripping on your code

Ha. No worries, everything you said is true: I'm too battle-scarred to think my code is some paragon of design or anything.

I appreciate the pointers! This will save me hours of head scratching and reading unrelated documents.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

cruft posted:

I appreciate the pointers!

These words should never be uttered in the Go thread

Pimblor
Sep 13, 2003
bob
Grimey Drawer
I've been writing Go now professionally since 2019. Mostly for boring automation type stuff, but I deeply appreciate being able to write code, have it hermetically sealed and just loving work everywhere on a fairly large fleet. Rust is there, but it's weird man. I hated Go with a passion when I first came to it, but I'm like a pod person now. I've been writing utility UI's in react served by gin and gorilla and stuffed into lambdas and chuffed is a word I'd use to describe deployment.

Startyde
Apr 19, 2007

come post with us, forever and ever and ever
Ebitengine is a game engine but makes for an amazing x-plat/x-arch UI middleware. For whatever reason I have an easier time with it than building web UIs to serve out.
Was inspired by some firm's use of it for dataviz, I forget who now though. :v:

ErIog
Jul 11, 2001

:nsacloud:

Pimblor posted:

I've been writing Go now professionally since 2019. Mostly for boring automation type stuff, but I deeply appreciate being able to write code, have it hermetically sealed and just loving work everywhere on a fairly large fleet. Rust is there, but it's weird man. I hated Go with a passion when I first came to it, but I'm like a pod person now. I've been writing utility UI's in react served by gin and gorilla and stuffed into lambdas and chuffed is a word I'd use to describe deployment.

The thing I think about constantly is whether or not Go got to where it is because other people were off bike-shedding Rust.

That said, I don't like the changes they made to modules and stuff past a certain point. They're not that hard to work around, though.

But yes, it does do the thing you're saying without the overhead of something like Java. It'll give you a set of swole binaries that never give you dependency issues anywhere.

mondomole
Jun 16, 2023

Startyde posted:

Ebitengine is a game engine but makes for an amazing x-plat/x-arch UI middleware. For whatever reason I have an easier time with it than building web UIs to serve out.
Was inspired by some firm's use of it for dataviz, I forget who now though. :v:

Have you seen https://github.com/rivo/tview? Not as good as a game engine for general graphics, but if you're looking to upgrade a CLI from a bunch of flags to something more interactive, you get a pretty high impressiveness-to-effort ratio out of it.

30.5 Days
Nov 19, 2006
If you’re doing that direction you could also check our charm.sh

mondomole
Jun 16, 2023

30.5 Days posted:

If you’re doing that direction you could also check our charm.sh

Did you make that?? Those examples look incredible. I'm moved over to Rust and C++ for work these days but will recommend charm.sh for future gophers :)

30.5 Days
Nov 19, 2006
Naw I'm not that cool lol

mondomole
Jun 16, 2023

30.5 Days posted:

Naw I'm not that cool lol

Look we’re talking about terminal UIs in 2023. I think it’s safe to say nobody involved in this product or its discussion is cool :)

DARPA
Apr 24, 2005
We know what happens to people who stay in the middle of the road. They get run over.
When I first started Whispers of the dead it popped up some help text I accidentally closed. Anything to know besides run the dungeons highlighted with red stars?

edit: wrong thread.

DARPA fucked around with this message at 13:33 on Jun 21, 2023

cruft
Oct 25, 2007

DARPA posted:

When I first started Whispers of the dead it popped up some help text I accidentally closed. Anything to know besides run the dungeons highlighted with red stars?

edit: wrong thread.

Super curious about the answer now, op. Please keep us updated!

DARPA
Apr 24, 2005
We know what happens to people who stay in the middle of the road. They get run over.

cruft posted:

Super curious about the answer now, op. Please keep us updated!

Diablo 4 (video game) side quest system. It's alright. If you enjoyed previous diablos good chance you'd like this one.


As for Go, I put out a release on Friday and have this week off. Love how much more confident I am I won't be called with an issue compared to v1 of the software that is written in Python.

Qtotonibudinibudet
Nov 7, 2011



why the hell do "go mod get thing" and all the other various actions that leave go.mod untidy not just simply automatically run "go mod tidy"

what ridiculous scenario is there where you actually want to leave it untidy and why is accommodating _that_ the default instead of having a "leave everything hosed up, im doing SCIENCE" flag to disable automatic tidy on all the other commands

30.5 Days
Nov 19, 2006
Auto updating all my packages every time I add one is generally not what I want

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb
I have zero experience with go but I was interested in installing a subsonic server https://github.com/sentriz/gonic, and had a question about the installation from source instructions which mention:
code:
go install go.senan.xyz/gonic/cmd/gonic@latest
I have no idea what this go.senan.xyz host is, and wasn't sure about the security aspect of installing something from it. It seems somewhat like a "curl ... | bash" type of install that I'm not a fan of. Is that sort of recommendation typical for a go app?

The route I ended up going with was:
code:
git clone https://github.com/sentriz/gonic
cd gonic
git checkout v0.15.2
go install cmd/gonic/gonic.go
Slightly better I think, but not perfect, of course. Is there a "go install ..." equivalent that can install it from github? How come I need to go through this go.senan.xyz host for it?

30.5 Days
Nov 19, 2006
I would try doing go install with GitHub instead of their custom path. Their path almost certainly just proxies through to GitHub. I don't know why people do that.

skul-gun
Dec 24, 2001
I got this account for Xmas.
Go modules are identified by url. From their go.mod, go.senan.xyz/gonic is the official name of the module. One reason to use your own domain is to not be tied down to one code hosting site. Another example of a project that uses its own domain is k8s.io/kubernetes

Checking out the git repo and compiling from there is totally fine. But I would point out that for the dependencies specified in gonic's go.mod, the go tool is effectively doing "go install ..." (actually go get) for each of those, and that's normal.

skul-gun fucked around with this message at 10:26 on Aug 31, 2023

cruft
Oct 25, 2007

fletcher posted:

I have no idea what this go.senan.xyz host is, and wasn't sure about the security aspect of installing something from it. It seems somewhat like a "curl ... | bash" type of install that I'm not a fan of. Is that sort of recommendation typical for a go app?

You'd rather compile and install source code you can't/won't review from GitHub than from the author's server? That is an interesting threat model.

Jamus
Feb 10, 2007
It’s still ‘curl | bash’ if the fetch command is ‘git’ and you compile and exec the binary yourself. Unless you deeply inspect the source code you’re just replacing a pipe with the file system.

I’m a little salty about this because it’s a difficult sell to package internal tools to engineers with “curl | sh” (from a trusted URL and verifiable source!) but nobody really thinks about their normal dependency process with the same skepticism. I don’t quite understand it!

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

30.5 Days posted:

I would try doing go install with GitHub instead of their custom path. Their path almost certainly just proxies through to GitHub. I don't know why people do that.

I had tried a few attempts of doing this and couldn't figure it out, but maybe I just didn't have the right syntax. I don't have my bash history handy at the moment to see what I had attempted.


skul-gun posted:

Go modules are identified by url. From their go.mod, go.senan.xyz/gonic is the official name of the module. One reason to use your own domain is to not be tied down to one code hosting site. Another example of a project that uses its own domain is k8s.io/kubernetes

Checking out the git repo and compiling from there is totally fine. But I would point out that for the dependencies specified in gonic's go.mod, the go tool is effectively doing "go install ..." (actually go get) for each of those, and that's normal.

At least something like k8s.io has a larger group behind it, and it's way more popular so an issue would have better visibility!

I do see some other random hosts though in the dependencies list, so I suppose I would need to do something with "go mod replace" to deal with those?

Of course, it's not really feasible to go down through the whole dependency tree and review everything myself, so I could see how this whole exercise to limit my exposure to an issue is kinda futile.

cruft posted:

You'd rather compile and install source code you can't/won't review from GitHub than from the author's server? That is an interesting threat model.

Well, the way I see it is that at least the source code in github has the opportunity for me to review it, and it has more eyeballs on it in general.

That random server though, it could be compromised and there would potentially be a lot less visibility on it.

So at least installing from source (using the naive way described above) I would just have to worry about somebody re-tagging a compromised revision of the code. That's easy to handle though - I can just switch to a copy of the code that I've frozen at a point in time. Assuming I also do the same for all the dependencies, of course.

Jamus posted:

It’s still ‘curl | bash’ if the fetch command is ‘git’ and you compile and exec the binary yourself. Unless you deeply inspect the source code you’re just replacing a pipe with the file system.

I’m a little salty about this because it’s a difficult sell to package internal tools to engineers with “curl | sh” (from a trusted URL and verifiable source!) but nobody really thinks about their normal dependency process with the same skepticism. I don’t quite understand it!


Totally true. The amount of trust you need to have when doing an "apt install <whatever>" is quite high...I guess I was just overall wondering if there's some simple things I can do to reduce exposure at least a little bit!

skul-gun
Dec 24, 2001
I got this account for Xmas.

fletcher posted:

So at least installing from source (using the naive way described above) I would just have to worry about somebody re-tagging a compromised revision of the code. That's easy to handle though - I can just switch to a copy of the code that I've frozen at a point in time. Assuming I also do the same for all the dependencies, of course.

Have a look at the gonic go.sum file. The go tool uses this file to verify the integrity of gonic's direct and indirect dependencies. Additionally, the go project runs a module proxy/mirror/checksum database, which the go tool uses by default.

So let's say one of gonic's dependencies secretly re-tags a release. If the go module proxy has already seen the module at that version, you'll get a checksum error. Even if the proxy hasn't seen the module before, there's still the checksums committed to the gonic repository. Here's an example I found on github of what a checksum error looks like: https://github.com/ameshkov/dnscrypt/issues/7
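
An added illustration of the go.sum check described above (not code from the thread or from the Go project): it computes an `h1:` digest in the format implemented by golang.org/x/mod/sumdb/dirhash and shows a moved tag failing the go.sum comparison. The module `example.com/dep`, its files and the error text are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes a go.sum style "h1:" digest: SHA-256 over a sorted manifest
// of "<sha256 hex>  <file name>\n" lines, base64-encoded. For a whole module
// the names look like "module@version/path"; for the "/go.mod" line the
// manifest has the single name "go.mod".
func hash1(files map[string]string) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(manifest, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil)), nil
}

// checkGoSum compares the digest of what was downloaded with the digest
// recorded in go.sum for that module and version.
func checkGoSum(goSum, module, version, got string) error {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != module || f[1] != version {
			continue
		}
		if f[2] != got {
			return fmt.Errorf("checksum mismatch for %s@%s:\n\tdownloaded: %s\n\tgo.sum:     %s",
				module, version, got, f[2])
		}
		return nil
	}
	return fmt.Errorf("no go.sum entry for %s@%s", module, version)
}

// Constructed sample: the same tag served with two different file contents.
const module, version = "example.com/dep", "v1.2.3"

var originalTag = map[string]string{
	"example.com/dep@v1.2.3/go.mod": "module example.com/dep\n",
	"example.com/dep@v1.2.3/dep.go": "package dep\n\nfunc Answer() int { return 42 }\n",
}

var movedTag = map[string]string{
	"example.com/dep@v1.2.3/go.mod": "module example.com/dep\n",
	"example.com/dep@v1.2.3/dep.go": "package dep\n\nfunc Answer() int { return 41 }\n",
}

func main() {
	recorded, _ := hash1(originalTag)
	goSum := fmt.Sprintf("%s %s %s\n", module, version, recorded) // committed earlier
	for _, files := range []map[string]string{originalTag, movedTag} {
		got, err := hash1(files)
		if err == nil {
			err = checkGoSum(goSum, module, version, got)
		}
		fmt.Println("verify:", err)
	}
}
```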

Breaking Glass
Dec 15, 2021

fletcher posted:

The route I ended up going with was:
code:
git clone https://github.com/sentriz/gonic
cd gonic
git checkout v0.15.2
go install cmd/gonic/gonic.go
Slightly better I think, but not perfect, of course. Is there a "go install ..." equivalent that can install it from github? How come I need to go through this go.senan.xyz host for it?

The equivalent of this command is

code:
go install go.senan.xyz/gonic/cmd/gonic@v0.15.2
Under the hood, cmd/go will first fetch https://go.senan.xyz/gonic/cmd/gonic?go-get=1 (note the query parameter). This tells the web host that the HTTPS client is looking for a go module. In the response, you see a couple headers:

code:
# curl -v "https://go.senan.xyz/gonic/cmd/gonic?go-get=1"
...
<meta name="go-import" content="go.senan.xyz/gonic git https://github.com/sentriz/gonic">
<meta name="go-source" content="go.senan.xyz/gonic https://github.com/sentriz/gonic https://github.com/sentriz/gonic/tree/master{/dir} https://github.com/sentriz/gonic/blob/master{/dir}/{file}#L{line}">
...
This is what instructs the go client that the hosted code should be fetched from github. (See https://pkg.go.dev/cmd/go#hdr-Remote_import_paths and adjacent code for details, if you're curious.)

fletcher posted:

Well, the way I see it is that at least the source code in github has the opportunity for me to review it, and it has more eyeballs on it in general.

That random server though, it could be compromised and there would potentially be a lot less visibility on it.

skul-gun is correct that by requesting go.senan.xyz/gonic/cmd/gonic@v0.15.2, you're guaranteed to get the same code that is in the checksum database maintained by the Go team at Google. This is documented here: https://go.dev/ref/mod#checksum-database.

The checksum database is probably the biggest killer feature for the language, and protects you against the exact kind of risk that you are worried about. It's also independently auditable. The module URL serves as the canonical identifier for that code, and you can verify that with your eyeballs, git client, and your local cache of installed modules on your machine located at # go env GOPATH.

I always install with a specific version tag when I don't absolutely trust the source. But @latest is really handy for things you do trust, like go install golang.org/dl/go1.21.0@latest.

One last note worth mentioning is that go install is as safe as git then compiling it can be, in terms of curl | bash. No code is evaluated during go compilation like it is by package managers for other languages, such as npm.

Edit:

You can check out the checksum tree node yourself, too:

code:
# curl "https://sum.golang.org/lookup/go.senan.xyz/gonic@v0.15.2"
14508769
go.senan.xyz/gonic v0.15.2 h1:oNQmvtzykWIn1GSZe1WuZDrcMV4KAnYOhbb1kLtXjz4=
go.senan.xyz/gonic v0.15.2/go.mod h1:Ik4Z2JJ92Fn7kclsQ7J8Vn8RzFukOj2kkq0nDLTBILU=

go.sum database tree
19357738
0yxtX24hWJ8X8GMTBiz7BMltZmt45gzA7IWmSNLh2U0=

— sum.golang.org Az3grpurPxcRYohe88GqMor19nIMyKhChumxTqfggY1ORJTJGCTu2VQ9hZGaG8yQwpgI/fzFfT1DKZV86PBIM9tSLw4=
If anything about this version or any prior version changed, it would invalidate the tree, and cmd/go would refuse to install it. This tree is kept up to date via modules fetched through https://proxy.golang.org/.

Breaking Glass fucked around with this message at 22:01 on Aug 31, 2023
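
The go-import lookup described in the post above, as an added example that is not part of the original post and not cmd/go's own code: it parses a `?go-get=1` page, finds the tag covering the import path, and fails if the path no longer names the repository you expect. `samplePage` is constructed around the meta tags quoted in the post; `movedPage` and the function names are made up for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// goImport holds the three fields of a go-import tag: prefix, VCS, repo root.
type goImport struct{ Prefix, VCS, RepoRoot string }

// samplePage is constructed around the two meta tags quoted in the post.
const samplePage = `<html><head>
<meta name="go-import" content="go.senan.xyz/gonic git https://github.com/sentriz/gonic">
<meta name="go-source" content="go.senan.xyz/gonic https://github.com/sentriz/gonic https://github.com/sentriz/gonic/tree/master{/dir} https://github.com/sentriz/gonic/blob/master{/dir}/{file}#L{line}">
</head><body>gonic</body></html>`

// movedPage is a constructed variant in which the path names another repository.
var movedPage = strings.ReplaceAll(samplePage, "github.com/sentriz", "git.example.invalid/mirror")

// parseGoImports collects go-import tags from the page's <head>, reading the
// HTML with encoding/xml in non-strict mode.
func parseGoImports(page string) ([]goImport, error) {
	d := xml.NewDecoder(strings.NewReader(page))
	d.Strict = false
	var out []goImport
	for {
		tok, err := d.RawToken()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return out, err
		}
		if end, ok := tok.(xml.EndElement); ok && strings.EqualFold(end.Name.Local, "head") {
			return out, nil // tags after </head> are ignored
		}
		e, ok := tok.(xml.StartElement)
		if ok && strings.EqualFold(e.Name.Local, "body") {
			return out, nil // so is anything inside <body>
		}
		if !ok || !strings.EqualFold(e.Name.Local, "meta") {
			continue
		}
		m := map[string]string{}
		for _, a := range e.Attr {
			m[strings.ToLower(a.Name.Local)] = a.Value
		}
		if f := strings.Fields(m["content"]); m["name"] == "go-import" && len(f) == 3 {
			out = append(out, goImport{f[0], f[1], f[2]})
		}
	}
}

// resolvePinned finds the go-import entry covering importPath and fails unless
// it names wantRepo as a git repository.
func resolvePinned(page, importPath, wantRepo string) (goImport, error) {
	imports, err := parseGoImports(page)
	if err != nil {
		return goImport{}, err
	}
	for _, imp := range imports {
		if importPath != imp.Prefix && !strings.HasPrefix(importPath, imp.Prefix+"/") {
			continue
		}
		if imp.VCS != "git" || imp.RepoRoot != wantRepo {
			return imp, fmt.Errorf("%s resolves to %s %s, want git %s", imp.Prefix, imp.VCS, imp.RepoRoot, wantRepo)
		}
		return imp, nil
	}
	return goImport{}, fmt.Errorf("no go-import tag covers %q", importPath)
}

func main() {
	for _, page := range []string{samplePage, movedPage} {
		imp, err := resolvePinned(page, "go.senan.xyz/gonic/cmd/gonic", "https://github.com/sentriz/gonic")
		fmt.Println(imp.RepoRoot, "->", err)
	}
}
```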

Lonely Wolf
Jan 20, 2003

Will hawk false idols for heaps and heaps of dough.
also note that unlike most build systems the go tool does not allow any arbitrary commands to run so it's not like it can run rm -rf ~ or whatever

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb
Thanks for all the great info! That's really cool they have the safeguards in place already with tracking the dependency checksums to mitigate the concerns.

Running arbitrary commands during the build was part of the concern, but the other part of it was the thing it's building doing something malicious when I go to execute whatever it built.

I learned a lot here, greatly appreciated and thank you!
