So Go’s handling of out-of-memory situations is to, more or less, die.
None of the embedded language implementations in Go that I’m aware of allow you to limit how much memory the script can use. This means that it’s basically impossible to run untrusted code, as they can simply consume a ton of memory and DoS the application.
To a lesser extent several implementations also have no support for limiting runtimes, so an infinite loop is also a DoS.
This isn’t a complaint, just an observation that means it’s difficult to use these tools with untrusted code.
For me, the use case of running a JS interpreter in Go would be to do isomorphic templates in JS and render them clientside, not to run arbitrary JS from the web, so it’s not a dealbreaker for what I want to do.
The article reflects my own experience too. These days I prefer to script in Go than Python, either for the portability or the type system. However, it does require some sort of boilerplate to do some boring tasks, be it the stated amount of if errs, building HTTP API wrappers or handling databases.
Agreed. I use Go for “big” stuff at work, but more and more I’ve found myself also using it for scripting in places where I might have used Python in the past. I’m not sure why, though, it wasn’t something I’d even considered until just now.
I find that for scripts I’ll either go to Bash or write a Go tool, I generally skip right over Python (unless it is purely standard lib) because I don’t want to have to deal with dependencies. Of course if you go the Bash route then you can have dependency issues too.
For me it’s the fact that I can build it locally and deploy it without worrying about the dependency environment. Dealing with Python or Node dependencies can be excruciating. Go deps rarely break 2-3 years out too which is nice.
Yeah, this has been the case for me as well. Even when I worked in a Python shop (and despite having had much more Python experience than Go experience), I would prototype in Go because the static typing was so much better and then I would rewrite it in Python and make sure it was sufficiently performant. This was the fastest way I could find to actually prototype somewhat complex programs (using vanilla Python would have me either fighting dynamic type errors or else fighting with Python’s type annotation syntax, etc).
Unpopular opinion: Regardless of what you think of the language it’s naming is too easily confused with e.g. the board game of Go (weiqi/baduk) or day-to-day walking !
I kind concur. I generally end up just searching for “something golang” instead of “something go” because the later will probably give me incorrect results.
I think it’s a failure of naming/branding that it’s so frequently called golang. There are plenty of other languages with easily confusable names, but for some reason “golang” has really stuck.
In its defense, C was born many years before searching the web became the default way for most people to look a thing up. And Go was created by people who peddle web searches, and who know what web searches work well and what don’t.
I find that having a copy of the C standard [1] and the POSIX standard [2] to answer nearly anything I would want about C. What about C are you trying to find and can’t?
[1] I’ve been able to find PDFs of C89, C99, C11 and C23 quite easily.
Unfortunately I don’t have a specific example in mind, and my Google is configured not to save search history apparently.
But for context, I’m not primarily a C developer, in only write C a few hours a week as support for another language. In this context I often need to search for compiler error or warning messages, or look for how to optimize some algorithm, or more general “how to” queries.
So no, reading the standard isn’t helpful to me. If I need info about a POSIX API, I just go to the man page. That’s not the kind of search I’m talking about.
Most of the time it’s fine, but sometime I will only get irrelevant C++ results and it drives me nuts.
I agree it’s a real problem for C, but I’ve never had a problem with golang and that has been the standard term since the earliest days of the language.
Presumably they meant “no one (who uses Go) cares” in the sense that it’s not a real problem, but rather a problem invented by people who are trying to post-facto rationalize their prejudice for the language. That’s how I read the parent comment, anyway.
Well… as I understand it, Go was created by people who were around basically when C was created, and I find it unsurprising that they like two-letter variable names :)
Also would guess their “marketing challenge” was internal not external - its cute that Go is a language for Googlers to Go faster, etc, etc. Drumming up excitement within Google ensured the funding to get it off the ground.
Finally, I’ve had many misinterpretted web searches for Rust, Julia, Swift, Java, etc. What’s the alternative? Find a unique and beautiful word like OCaml? Maybe Kotlin is a pretty good one.
Right at this moment? My browser calls them “private” windows, and when I open one with a google search for “go” I get no results; it blocks on a modal saying that “Google recommends using Chrome.”
When I click “Don’t Switch” in that modal, it takes me back to the search prompt without showing me any results. If I then decide to search again, my top results are the programming language, the game, the film from 1999, the “American Go Association” and the Disney-owned web site go.com.
I think my statement must have been ambiguous, though; I was referring to the results in the search engine run by the company that sponsors the programming language at the time the language was named, 14 years ago. Not so much now that it’s had time to gain traction.
The entire first page of search results for C are all related to the programming language. The vitamin appears nowhere on the first page.
I’m not sure what the point of the exercise is, but if you’re trying to get Go programming language search results, the search term has always been golang. The top 5 results are:
The Go programming language website
The wiki for the Go programming language
The subreddit for the Go programming language (r/golang)
The GitHub page for the Go programming language (golang/go)
The GeeksForGeeks page for the Go programming language (/golang)
For go or golang? I am explicitly asking about the former. My point is that Google makes sure that Go programming language results are high up for searches involving go. Because, you know, they created the language.
Those were for golang, because I wasn’t sure what point you were making.
My point is that Google makes sure that Go programming language results are high up for searches involving go. Because, you know, they created the language.
This seems kind of absurd. Google doesn’t care about Go’s success, Go is a tool that they built and they don’t profit a single iota from its success. Google cares quite a lot more about JavaScript or Dart than they do about Go. But we don’t have to speculate, we can search go in other search engines:
Bing:
go.dev
Wikipedia entry for Go programming language
go.dev/doc
go.dev/learn
online-go.com (the game Go)
DuckDuckGo:
Wikipedia entry for Go programming language
go.dev
go.dev/learn
go.dev/doc
w3schools.com’s Go tutorial
Google:
go.dev
Wikipedia entry for Go (the game)
Disney’s go.com
The American Go Association (the game)
Wikipedia entry for the Go programming language
Of the 3 search engines, Google’s results are the least golang-centric.
You (again) didn’t say what the search term was, but assuming it was go, I have to say that the result is exactly what I said it would be: Google made sure that the Go language-related pages are high up in the results.
What a strange claim. I mentioned the search term in both of my responses to you.
My first post: “the search term has always been golang. The top 5 results are:”
My second post: “we can search go in other search engines”
I’m putting the search term in preformatted text just like you did when you said “Google the term go”.
Google made sure that the Go language-related pages are high up in the results.
What are you claiming by “Google makes sure that Go programming language results are high up”? Is it something completely innocuous like “someone on the Go team who is employed by Google spent 5 minutes on SEO”? Or is it more nefarious e.g. “the CEO of Google threw the full heft of the marketing department behind this initiative”? And if it’s nefarious, why did Google make its own results for Go so poor, despite that they could obviously easily boost Go’s performance and the overwhelming incentive to do so given that its own search engine has a supermajority marketshare? Maybe they’re just covering their tracks?
And what does Google stand to gain from it? How much of Google’s profit is derived from Go’s success? If Google is willing to do something so conspiratorial for so little gain, why not
And which large company is making sure that rust, python, java, haskell, c, etc all yield top results for the programming language on all prominent search engines (despite the ambiguity in the search terms)? Is that also Google, or some other company? Have you considered that some larger organization–maybe the US government or perhaps NATO–is behind it all?
Or maybe it’s not a grand conspiracy and something simpler: search engines naturally surface the programming language material because that’s what people have tended to click on over time?
I mentioned the search term in both of my responses to you.
My bad. You did, and I missed it.
What are you claiming
I’m not saying they are doing anything either innocuous or nefarious. They are just making sure the Go programming language is easy to Google. They are not going out of their way to fill up the top of the results page with Go language results, they’re just making sure it’s there somewhere near the top.
what does Google stand to gain from it
Nothing directly, after all they don’t sell Go. They just want to make it easy to Google, because presumably they at some point heard the feedback that it’s not a very searchable name. And since they and their colleagues control the search engine, they just do it.
Or maybe it’s not a grand conspiracy and something simpler
It’s not a grand conspiracy and it is pretty simple. The name ‘Go’ is not very searchable, and appears in many contexts. It’s literally a verb. Other language names are at least nouns. So all I’m saying is that Google just make sure that when your search term involves go, they put the programming language results near the top.
Search engines are luckily smart enough so that if you search for “go function” you get results about the programming language, and if you search for “go strategy” you get results about the strategy game. Is searching for just “go” really a problem? What is the use case that makes just “go” a bad choice, in the context of search?
My apologies; I did not articulate my context appropriately. When the language was first released, they just called it “go” and it was a terrible choice in the context of search because the search results were useless, even on the search engine run by the developers of the language, at the time. Much of what you wanted to look up about the language would take you to random crap on go.com. Given that the people who made the language also operated what was, at the time, the dominant search engine that gave you such terrible results, it seemed reasonable to expect a little better naming from them at that time.
Current engines (as opposed to the ones that we used when the language was released) do provide significantly better results. But my comments were pointed at the context when the language was named, not at what current searchers see. I apologize, again, for that ambiguity.
About fifteen years back, I got an e-mail three days before payday that roughly read:
URGENT!
The accounting database has crashed and all of our payroll information has been lost. Follow the link below an re-enter all of your personal information.
Anyone who does not fill out the form by noon on Thursday WILL NOT BE PAID ON FRIDAY
This e-mail did come from a member of the accounting department, but was a random, low-level employee and not CFO or even a manager. The site it linked to was not our domain and popped up a self-signed certificate warning when accessed. It was then a single page form that asked for my name, address, social security number, and bank routing number.
I took me the better part of a day to find anyone that who could at least confirm that the accounting database had crashed. Most of my colleagues filled it out without a second thought. As promised, the employees who flagged the message as phishing didn’t get paid until late into the next week.
The IT department was upset, but upper management learned the wrong lesson from the incident. Essentially, management said that, since the e-mail and site were ultimately legitimate, that the message was, by definition, not a phishing e-mail. Anyone who had flagged it as a phishing e-mail, therefore, was obviously unqualified to identify phishing e-mails. Since the majority of the IT department had not put their banking details into the new site, those employees had not been properly trained on phishing. The fact that IT leadership were sharing the same ignorance as their subordinates proved that the rot was coming from the top and IT functionality needed to be outsourced to competent professionals who wouldn’t make such a mistake.
This is a deep normalization of deviance - a computer (the TV) causes an entirely unrelated computer to crash, and the response is not “report it to Hisense, they’ll be deeply embarassed and fix it ASAP” but “all hope is lost, avoid that brand of TVs”. What the hell? Yes, it’s a rational response to the circumstances we find ourselves in, but it’s not a remotely reasonable situation.
What’s worse is that it’s not particular to Hisense; swap out the company name and it wouldn’t make this more surprising.
Every time this sort of thing happens again, I become more convinced the FSF was right and we should just only buy devices that are RYF certified (and let’s be honest, the FSF is a “move to Canada” sort of ideology).
The FSF wasn’t right because your average consumer cares more about Netflix and Disney+ working than them, people who are non-programmers, being theoretically able to fix the bugs the software has by themselves. And they are absolutely right in making this decision, had they purchased an rms-approved smart TV they’d just have 20 problems they can’t fix as opposed to one problem they can’t fix.
So Go’s handling of out-of-memory situations is to, more or less, die.
None of the embedded language implementations in Go that I’m aware of allow you to limit how much memory the script can use. This means that it’s basically impossible to run untrusted code, as they can simply consume a ton of memory and DoS the application.
To a lesser extent several implementations also have no support for limiting runtimes, so an infinite loop is also a DoS.
This isn’t a complaint, just an observation that means it’s difficult to use these tools with untrusted code.
I’d love to be proven wrong, BTW.
For me, the use case of running a JS interpreter in Go would be to do isomorphic templates in JS and render them clientside, not to run arbitrary JS from the web, so it’s not a dealbreaker for what I want to do.
You would want to run this as a separate service within a container. Really you’d want to do that for any and all untrusted code in any language.
That’s what we ended up doing anyway, but it would be nice to have a more controlled VM environment.
My reply got put under the wrong comment: https://lobste.rs/s/dzsgie/exploring_goja_golang_javascript#c_rcu9mg
Defragging was more about sound than anything else.
The article reflects my own experience too. These days I prefer to script in Go than Python, either for the portability or the type system. However, it does require some sort of boilerplate to do some boring tasks, be it the stated amount of
if errs, building HTTP API wrappers or handling databases.I’m fine with these trade-offs.
Agreed. I use Go for “big” stuff at work, but more and more I’ve found myself also using it for scripting in places where I might have used Python in the past. I’m not sure why, though, it wasn’t something I’d even considered until just now.
I find that for scripts I’ll either go to Bash or write a Go tool, I generally skip right over Python (unless it is purely standard lib) because I don’t want to have to deal with dependencies. Of course if you go the Bash route then you can have dependency issues too.
For me it’s the fact that I can build it locally and deploy it without worrying about the dependency environment. Dealing with Python or Node dependencies can be excruciating. Go deps rarely break 2-3 years out too which is nice.
Yeah, this has been the case for me as well. Even when I worked in a Python shop (and despite having had much more Python experience than Go experience), I would prototype in Go because the static typing was so much better and then I would rewrite it in Python and make sure it was sufficiently performant. This was the fastest way I could find to actually prototype somewhat complex programs (using vanilla Python would have me either fighting dynamic type errors or else fighting with Python’s type annotation syntax, etc).
Unpopular opinion: Regardless of what you think of the language it’s naming is too easily confused with e.g. the board game of Go (weiqi/baduk) or day-to-day walking !
I kind concur. I generally end up just searching for “something golang” instead of “something go” because the later will probably give me incorrect results.
I think it’s a failure of naming/branding that it’s so frequently called golang. There are plenty of other languages with easily confusable names, but for some reason “golang” has really stuck.
Yeah and C is easily confused with the vitamin.
In its defense, C was born many years before searching the web became the default way for most people to look a thing up. And Go was created by people who peddle web searches, and who know what web searches work well and what don’t.
My point is that it’s not a real problem and no-one cares.
Searching information about C is a PITA though. First because
Cis a bad search term, but also because Google will feed you tons ofC++orC#results.And searching for
clangis worse.So it’s a real problem for me, and I do care.
I find that having a copy of the C standard [1] and the POSIX standard [2] to answer nearly anything I would want about C. What about C are you trying to find and can’t?
[1] I’ve been able to find PDFs of C89, C99, C11 and C23 quite easily.
[2] https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/
Unfortunately I don’t have a specific example in mind, and my Google is configured not to save search history apparently.
But for context, I’m not primarily a C developer, in only write C a few hours a week as support for another language. In this context I often need to search for compiler error or warning messages, or look for how to optimize some algorithm, or more general “how to” queries.
So no, reading the standard isn’t helpful to me. If I need info about a POSIX API, I just go to the man page. That’s not the kind of search I’m talking about.
Most of the time it’s fine, but sometime I will only get irrelevant C++ results and it drives me nuts.
I agree it’s a real problem for C, but I’ve never had a problem with
golangand that has been the standard term since the earliest days of the language.Enough people care to make this the longest comment thread on this story.
Isn’t that the whole point behind the “bike shedding” observation? People will talk the most about the least important details?
Yes. The issue is that everyone cares too much.
Does it matter? No, but nobody has claimed it doesn’t matter. Somebody claimed “no one cares.” No one cares is the opposite problem.
Presumably they meant “no one (who uses Go) cares” in the sense that it’s not a real problem, but rather a problem invented by people who are trying to post-facto rationalize their prejudice for the language. That’s how I read the parent comment, anyway.
Well… as I understand it, Go was created by people who were around basically when C was created, and I find it unsurprising that they like two-letter variable names :)
Also would guess their “marketing challenge” was internal not external - its cute that Go is a language for Googlers to Go faster, etc, etc. Drumming up excitement within Google ensured the funding to get it off the ground.
Finally, I’ve had many misinterpretted web searches for Rust, Julia, Swift, Java, etc. What’s the alternative? Find a unique and beautiful word like OCaml? Maybe Kotlin is a pretty good one.
Kotlin is a brand of ketchup in Poland, so it’s not like it’s the most fortunate name either.
(In my friend circle, we often call Kotlin “the ketchup language.”)
Ketchup would be a great name for language.
Open an incognito window and Google the term
go. What are the top 5 results?Right at this moment? My browser calls them “private” windows, and when I open one with a google search for “go” I get no results; it blocks on a modal saying that “Google recommends using Chrome.”
When I click “Don’t Switch” in that modal, it takes me back to the search prompt without showing me any results. If I then decide to search again, my top results are the programming language, the game, the film from 1999, the “American Go Association” and the Disney-owned web site go.com.
I think my statement must have been ambiguous, though; I was referring to the results in the search engine run by the company that sponsors the programming language at the time the language was named, 14 years ago. Not so much now that it’s had time to gain traction.
The entire first page of search results for C are all related to the programming language. The vitamin appears nowhere on the first page.
I’m not sure what the point of the exercise is, but if you’re trying to get Go programming language search results, the search term has always been
golang. The top 5 results are:/golang)Those seem pretty relevant, no?
For
goorgolang? I am explicitly asking about the former. My point is that Google makes sure that Go programming language results are high up for searches involvinggo. Because, you know, they created the language.Those were for
golang, because I wasn’t sure what point you were making.This seems kind of absurd. Google doesn’t care about Go’s success, Go is a tool that they built and they don’t profit a single iota from its success. Google cares quite a lot more about JavaScript or Dart than they do about Go. But we don’t have to speculate, we can search
goin other search engines:Bing:
DuckDuckGo:
Google:
Of the 3 search engines, Google’s results are the least golang-centric.
You (again) didn’t say what the search term was, but assuming it was
go, I have to say that the result is exactly what I said it would be: Google made sure that the Go language-related pages are high up in the results.What a strange claim. I mentioned the search term in both of my responses to you.
My first post: “the search term has always been
golang. The top 5 results are:”My second post: “we can search
goin other search engines”I’m putting the search term in
preformatted textjust like you did when you said “Google the termgo”.What are you claiming by “Google makes sure that Go programming language results are high up”? Is it something completely innocuous like “someone on the Go team who is employed by Google spent 5 minutes on SEO”? Or is it more nefarious e.g. “the CEO of Google threw the full heft of the marketing department behind this initiative”? And if it’s nefarious, why did Google make its own results for Go so poor, despite that they could obviously easily boost Go’s performance and the overwhelming incentive to do so given that its own search engine has a supermajority marketshare? Maybe they’re just covering their tracks?
And what does Google stand to gain from it? How much of Google’s profit is derived from Go’s success? If Google is willing to do something so conspiratorial for so little gain, why not
And which large company is making sure that
rust,python,java,haskell,c, etc all yield top results for the programming language on all prominent search engines (despite the ambiguity in the search terms)? Is that also Google, or some other company? Have you considered that some larger organization–maybe the US government or perhaps NATO–is behind it all?Or maybe it’s not a grand conspiracy and something simpler: search engines naturally surface the programming language material because that’s what people have tended to click on over time?
My bad. You did, and I missed it.
I’m not saying they are doing anything either innocuous or nefarious. They are just making sure the Go programming language is easy to Google. They are not going out of their way to fill up the top of the results page with Go language results, they’re just making sure it’s there somewhere near the top.
Nothing directly, after all they don’t sell Go. They just want to make it easy to Google, because presumably they at some point heard the feedback that it’s not a very searchable name. And since they and their colleagues control the search engine, they just do it.
It’s not a grand conspiracy and it is pretty simple. The name ‘Go’ is not very searchable, and appears in many contexts. It’s literally a verb. Other language names are at least nouns. So all I’m saying is that Google just make sure that when your search term involves
go, they put the programming language results near the top.I occasionally wonder whether this was a bit of trolling their Google colleagues from Griesemer, Pike, and Thompson.
From its earliest days, the search term for Go was
golang. Web searches have never been a problem in my experience.Search engines are luckily smart enough so that if you search for “go function” you get results about the programming language, and if you search for “go strategy” you get results about the strategy game. Is searching for just “go” really a problem? What is the use case that makes just “go” a bad choice, in the context of search?
My apologies; I did not articulate my context appropriately. When the language was first released, they just called it “go” and it was a terrible choice in the context of search because the search results were useless, even on the search engine run by the developers of the language, at the time. Much of what you wanted to look up about the language would take you to random crap on
go.com. Given that the people who made the language also operated what was, at the time, the dominant search engine that gave you such terrible results, it seemed reasonable to expect a little better naming from them at that time.Current engines (as opposed to the ones that we used when the language was released) do provide significantly better results. But my comments were pointed at the context when the language was named, not at what current searchers see. I apologize, again, for that ambiguity.
No need for apologies, good sir! I agree that it was a bad choice in light of the search engines of its day.
many, many languages are named after something that exists elsewhere, so this is a strange argument:
Rust is named after a kind of fungus
We need a language called
Jazz- https://www.youtube.com/watch?v=zmRgXOw1o3ACertainly, sir. Would you like
https://www.di.ens.fr/~jv/jazz/
Or perhaps
https://jazz-lang.github.io/Jazz/
Will there be anything else, sir?
i immediately thought of https://github.com/jazzscheme/jazz which is not exactly a language but has enough extensions to scheme to qualify
This ends up being an infinitesimal problem in practice. I can’t think of a single second that this has cost me in the past 3 years.
I believe the collision between the programming language and board game is not entirely accidental.
https://youtu.be/PAAkCSZUG1c?feature=shared&t=27
(Meaning I think they kinda wanted to prank us w.r.t the name collision)
Me too. Remarkable since it was named by a search engine company.
About fifteen years back, I got an e-mail three days before payday that roughly read:
This e-mail did come from a member of the accounting department, but was a random, low-level employee and not CFO or even a manager. The site it linked to was not our domain and popped up a self-signed certificate warning when accessed. It was then a single page form that asked for my name, address, social security number, and bank routing number.
I took me the better part of a day to find anyone that who could at least confirm that the accounting database had crashed. Most of my colleagues filled it out without a second thought. As promised, the employees who flagged the message as phishing didn’t get paid until late into the next week.
that is horrendous
This should have had IT absolutely reeling?
The IT department was upset, but upper management learned the wrong lesson from the incident. Essentially, management said that, since the e-mail and site were ultimately legitimate, that the message was, by definition, not a phishing e-mail. Anyone who had flagged it as a phishing e-mail, therefore, was obviously unqualified to identify phishing e-mails. Since the majority of the IT department had not put their banking details into the new site, those employees had not been properly trained on phishing. The fact that IT leadership were sharing the same ignorance as their subordinates proved that the rot was coming from the top and IT functionality needed to be outsourced to competent professionals who wouldn’t make such a mistake.
This is a deep normalization of deviance - a computer (the TV) causes an entirely unrelated computer to crash, and the response is not “report it to Hisense, they’ll be deeply embarassed and fix it ASAP” but “all hope is lost, avoid that brand of TVs”. What the hell? Yes, it’s a rational response to the circumstances we find ourselves in, but it’s not a remotely reasonable situation.
What’s worse is that it’s not particular to Hisense; swap out the company name and it wouldn’t make this more surprising.
Every time this sort of thing happens again, I become more convinced the FSF was right and we should just only buy devices that are RYF certified (and let’s be honest, the FSF is a “move to Canada” sort of ideology).
It seems absurd to blame this on Hisense. This problem is very clearly a DOS vector in Windows.
Exactly. Windows needs to limit the number of discovered devices and have reasonable timeouts.
Well I wouldn’t say limit, just handle it properly so that it doesn’t crash even itself, let alone other parts of the system.
Canada’s actually kinda nice.
The FSF wasn’t right because your average consumer cares more about Netflix and Disney+ working than them, people who are non-programmers, being theoretically able to fix the bugs the software has by themselves. And they are absolutely right in making this decision, had they purchased an rms-approved smart TV they’d just have 20 problems they can’t fix as opposed to one problem they can’t fix.
Yeah ’cause we know the company is never going to do anything about it.
They might, but not in a timely enough fashion to be helpful.