research.swtch.com
Posted on Tuesday, April 2, 2024. Updated Wednesday, April 3, 2024. Introduction Andres Freund published the existence of the xz attack on 2024-03-29 to the public oss-security@openwall mailing list. The day before, he alerted Debian security and the (private) distros@openwall list. In his mail, he says that he dug into this after “observing a few odd symptoms around liblzma (part of the xz packag
Posted on Monday, April 1, 2024. Updated Wednesday, April 3, 2024. Over a period of over two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a d
I opened GopherCon Australia in early November with the talk “Go Testing By Example”. Being the first talk, there were some A/V issues, so I re-recorded it at home and have posted it here: Here are the 20 tips from the talk: Make it easy to add new test cases. Use test coverage to find untested code. Coverage is no substitute for thought. Write exhaustive tests. Separate test cases from test logic
This web page runs a Go port of the Research Unix Sixth Edition kernel, running user-mode code in a simulated PDP11 CPU, all compiled to WebAssembly, executed in your browser. A few accounts are root, dmr, and ken. The password is the username. Have fun poking around. cd is spelled chdir. Erase is #, and line kill is @. As a convenience to 21st century users, typing backspace and ^U generate these
This post is about why we need a coroutine package for Go, and what it would look like. But first, what are coroutines? Every programmer today is familiar with function calls (subroutines): F calls G, which stops F and runs G. G does its work, potentially calling and waiting for other functions, and eventually returns. When G returns, G is gone and F continues running. In this pattern, only one fu
A decision that arises over and over when designing concurrent programs is whether to represent program state in control flow or as data. This post is about what that decision means and how to approach it. Done well, taking program state stored in data and storing it instead in control flow can make programs much clearer and more maintainable than they otherwise would be. Before saying much more,
How do software developers understand which parts of their software are being used and whether they are performing as expected? The modern answer is telemetry, which means software sending data to answer those questions back to a collection server. This post is about why I believe telemetry is important for open-source projects, and what it might look like to approach telemetry in an open-source-f
These are the posts in the February 2023 “Transparent Telemetry” series: “Transparent Telemetry for Open-Source Projects” [PDF]. “The Design of Transparent Telemetry” [PDF]. “Use Cases for Transparent Telemetry” [PDF]. A (now closed) GitHub discussion about adding transparent telemetry to Go is at https://go.dev/s/telemetry-discussion. Note that at the start of the discussion the design was opt-ou
Every once in a while someone notices the first commit in the Go repo is dated 1972:

% git log --reverse --stat
commit 7d7c6a97f815e9279d08cfaea7d5efb5e90695a8
Author: Brian Kernighan <bwk>
AuthorDate: Tue Jul 18 19:05:45 1972 -0500
Commit: Brian Kernighan <bwk>
CommitDate: Tue Jul 18 19:05:45 1972 -0500

hello, world

R=ken
DELTA=7 (7 added, 0 deleted, 0 changed)

src/pkg/debug/macho/testdata/hello.
What NPM Should Do Today To Stop A New Colors Attack Tomorrow Over the weekend, a developer named Marak Squires intentionally sabotaged his popular NPM package colors and his less popular package faker. As I write this, NPM claims 18,971 direct dependents for colors and 2,751 for faker. Open Source Insights counts at least 42,000 more indirect dependents for colors. Many popular NPM packages depen
There is a paper making the rounds, with a slick accompanying web site, in which the authors describe a software supply chain attack they call “Trojan Source: Invisible Vulnerabilities”. In short, if you use comments containing Unicode LTR and RTL code points, which control whether text is rendered left-to-right or right-to-left, you can make code look different in a standard Unicode rendering tha
These are the posts in the “Memory Models” series that began in June 2021: “Hardware Memory Models” [PDF]. “Programming Language Memory Models” [PDF]. “Updating the Go Memory Model” [PDF].
The current Go language memory model was written in 2009, with minor updates since. It is clear that there are at least a few details that we should add to the current memory model, among them an explicit endorsement of race detectors and a clear statement of how the APIs in sync/atomic synchronize programs. This post restates Go's overall philosophy and the current memory model and then outlines
Programming language memory models answer the question of what behaviors parallel programs can rely on to share memory between their threads. For example, consider this program in a C-like language, where both x and done start out zeroed.

// Thread 1
x = 1;
done = 1;

// Thread 2
while(done == 0) { /* loop */ }
print(x);

The program attempts to send a message in x from thread 1 to thread 2, using d
Introduction: A Fairy Tale, Ending A long time ago, when everyone wrote single-threaded programs, one of the most effective ways to make a program run faster was to sit back and do nothing. Optimizations in the next generation of hardware and the next generation of compilers would make the program run exactly as before, just faster. During this fairy-tale period, there was an easy test for whether
This blog post is about how we added package versioning to Go, in the form of Go modules, and the reasons we made the choices we did. It is adapted and updated from a talk I gave at GopherCon Singapore in 2018. Why Versions? To start, let’s make sure we’re all on the same page, by taking a look at the ways the GOPATH-based go get breaks. Suppose we have a fresh Go installation and we want to write
I’ve been thinking a lot recently about the Go proposal process, which is the way we propose, discuss, and decide changes to Go itself. Like nearly everything about Go, the proposal process is an experiment, so it makes sense to reflect on what we’ve learned and try to improve it. This post is the first in a series of posts about what works well and, more importantly, what we might want to change.
This is the story of a clever trick that's been around for at least 35 years, in which array values can be left uninitialized and then read during normal operations, yet the code behaves correctly no matter what garbage is sitting in the array. Like the best programming tricks, this one is the right tool for the job in certain situations. The sleaziness of uninitialized data access is offset by pe
Suppose we want to maintain and publish a public, append-only log of data. Suppose also that clients are skeptical about our correct implementation and operation of the log: it might be to our advantage to leave things out of the log, or to enter something in the log today and then remove it tomorrow. How can we convince the client we are behaving? This post is about an elegant data structure we c
For decades, discussion of software reuse was far more common than actual software reuse. Today, the situation is reversed: developers reuse software written by others every day, in the form of software dependencies, and the situation goes mostly unexamined. My own background includes a decade of working with Google’s internal source code system, which treats software dependencies as a first-class
Every programmer has a variable naming philosophy. This is mine: A name's length should not exceed its information content. For a local variable, the name i conveys as much information as index or idx and is quicker to read. Similarly, i and j are a better pair of names for index variables than i1 and i2 (or, worse, index1 and index2), because they are easier to tell apart when skimming the progra
research!rsc Thoughts and links about programming, by Russ Cox Table of Contents (favorites in bold) Running the “Reflections on Trusting Trust” Compiler October 2023
Nearly all of Go’s distinctive design decisions were aimed at making software engineering simpler and easier. We've said this often. The canonical reference is Rob Pike's 2012 article, “Go at Google: Language Design in the Service of Software Engineering.” But what is software engineering? Software engineering is what happens to programming when you add time and other programmers. Programming mean
Last week, the proposal review committee accepted the “vgo approach” elaborated on this blog in February and then summarized as proposal #24301. There has been some confusion about exactly what that means and what happens next. In general, a Go proposal is a discussion about whether to adopt a particular approach and move on to writing, reviewing, and releasing a production implementation. Accepti
What does it mean to add versioning to the go command? The overview post gave a preview, but the followup posts focused mainly on underlying details: the import compatibility rule, minimal version selection, and defining go modules. With those better understood, this post examines the details of how versioning affects the go command line and the reasons for those changes. The major changes are: Al
As introduced in the overview post, a Go module is a collection of packages versioned as a unit, along with a go.mod file listing other required modules. The move to modules is an opportunity for us to revisit and fix many details of how the go command manages source code. The current go get model will be about ten years old when we retire it in favor of modules. We need to make sure that the modu
A versioned Go command must decide which module versions to use in each build. I call this list of modules and versions for use in a given build the build list. For stable development, today's build list must also be tomorrow's build list. But then developers must also be allowed to change the build list: to upgrade all modules, to upgrade one module, or to downgrade one module. The version select
How do you deploy an incompatible change to an existing package? This is the fundamental challenge, the fundamental decision, in any package management system. The answer decides the complexity of the resulting system. It decides how easy or difficult package management will be to use. (It also decides how easy or difficult package management will be to implement, but the user experience is more im
For me, design means building, tearing down, and building again, over and over. To write the new versioning proposal, I built a prototype, vgo, to work through many subtle details. This post shows what it's like to use vgo. You can download and try vgo today by running go get golang.org/x/vgo. Vgo is a drop-in replacement for (and a forked copy of) the go command. You run vgo instead of go, and t