=> Re: "What is a good Small Web programming language? While I like..." | In: s/programming
@norayr If you want to be extra safe against disappearance of your dependencies, just use go mod vendor and push the vendor directory to your VCS (same thing you'd do in other languages).
=> dimkr
2024-11-19 · 2 months ago
=> zzo38 · Nov 19 at 20:34:
Forcing versions of dependencies by cryptographic hashes can do; in addition to protecting against malicious changes, it would potentially allow finding the same file elsewhere. (I still think that it is better to not have too many dependencies, though. Some programs might not have any, and for some, the dependencies can be included with the program.)
Another issue that I had seen with Go is how ASN.1 object identifiers are handled. You shouldn't need to decode object identifiers in order to compare them (although decoding can be useful for display, or for converting to text); decoding them is an unnecessary step for most purposes. The fact that it insists on doing so sometimes causes problems. (If you merely want to validate them (which is also usually unnecessary), you can use a regular expression: /^(([\x81-\xFF][\x80-\xFF]*)?[\x00-\x7F])+$/)
(It does not normally need to be implemented as a regular expression; you can also just use a simple loop that does the same thing as the regular expression.)
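The loop form of that check, as an added example written for this thread (not zzo38's code): the validator follows the regular expression above byte by byte, OIDs are compared as raw bytes without decoding, and a decoder exists only for display. The sample OID bytes are constructed.

```go
package main

import "fmt"

// validOIDContent applies the rule of the regular expression above to the
// content bytes of a DER OBJECT IDENTIFIER: one or more base-128 subidentifiers,
// each ending in a byte below 0x80, none starting with padding byte 0x80.
func validOIDContent(b []byte) bool {
	start := true // next byte begins a subidentifier
	for _, c := range b {
		if start && c == 0x80 {
			return false // non-minimal encoding
		}
		start = c < 0x80 // high bit clear ends the subidentifier
	}
	return len(b) > 0 && start // must end on a complete subidentifier
}

// sameOID compares without decoding: DER is canonical, equal OIDs are byte-equal.
func sameOID(a, b []byte) bool {
	return validOIDContent(a) && validOIDContent(b) && string(a) == string(b)
}

// sha256WithRSAEncryption (1.2.840.113549.1.1.11), constructed sample input
var sampleOID = []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b}

// dottedOID decodes for display only; arcs wider than 63 bits are rejected.
func dottedOID(b []byte) (string, bool) {
	if !validOIDContent(b) {
		return "", false
	}
	arcs, v := []uint64{}, uint64(0)
	for _, c := range b {
		if v>>57 != 0 {
			return "", false // next shift would overflow
		}
		v = v<<7 | uint64(c&0x7f)
		if c < 0x80 {
			arcs, v = append(arcs, v), 0
		}
	}
	x := arcs[0] / 40 // first subidentifier packs X.Y as 40*X+Y, X in 0..2
	if x > 2 {
		x = 2
	}
	s := fmt.Sprintf("%d.%d", x, arcs[0]-40*x)
	for _, a := range arcs[1:] {
		s += fmt.Sprintf(".%d", a)
	}
	return s, true
}
```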
=> adam · Nov 20 at 02:17:
Lua is small. I just downloaded it and it compiled in about 2 seconds.
https://www.lua.org/about.html
=> f008600 · Nov 20 at 08:21:
@norayr: Good point, but for that, the go.sum file will contain checksums for all the used dependencies. So it is not possible to "sneak in" some malicious code. You need to be careful when updating dependencies, tho.
But you are right, using fewer dependencies and sticking to the standard lib is in any case better. Just look at the mess in the javascript/npm/yarn/bun/... ecosystem. Every externally used source needs to be maintained too (do updates, adjust your code to the new API, find alternatives when a project gets abandoned, check for security problems, ...).
My biggest concern with Go, related to security, is the static compilation. As an example: curl, wget, ssh, and countless other tools are dynamically linked against libssl. If there is a security issue inside the SSL implementation, all hands are on deck to fix libssl, updates are provided, notifications pop up and after the next "apt-get update", all tools are safe.
For a statically linked Go binary, sitting somewhere in a container, cranking along, nobody cares. You are in charge of monitoring for security issues, updating dependencies, recompiling your code, deploying it, ...
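To make the go.sum point concrete, an added example (mine, not part of this thread or of the Go toolchain): it recomputes a module's h1: checksum and checks a go.sum line against a tampered copy. The module files are constructed, and the hashing is assumed to mirror golang.org/x/mod/sumdb/dirhash.Hash1.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 recomputes the "h1:" checksum go.sum records for a module: each file,
// in sorted name order, contributes "<sha256 hex>  <name>\n" to a summary, and
// the checksum is the base64 SHA-256 of that summary. Assumption: this mirrors
// golang.org/x/mod/sumdb/dirhash.Hash1; it is not the toolchain's own code.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // order-independent: map iteration order must not matter
	summary := sha256.New()
	for _, n := range names {
		fh := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", fh[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verifyGoSumLine checks a "module version h1:..." line against the files that
// were actually obtained; a malformed line fails closed.
func verifyGoSumLine(line string, files map[string][]byte) bool {
	f := strings.Fields(line)
	return len(f) == 3 && f[2] == hash1(files)
}

// sampleModule is a constructed two-file module (names carry the module@version/ prefix as in a real zip).
func sampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.22\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n\nfunc Hello() string { return \"hi\" }\n"),
	}
}

func main() {
	line := "example.com/m v1.0.0 " + hash1(sampleModule()) // what go.sum would hold
	tampered := sampleModule()
	tampered["example.com/m@v1.0.0/m.go"] = []byte("package m\n") // contents changed
	fmt.Println(line)
	fmt.Println("tampered copy passes go.sum check:", verifyGoSumLine(line, tampered)) // false
}
```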
=> norayr · Nov 20 at 14:41:
no no, i am not at all worried about it. i was saying that though i consider go to be the best among mainstream languages, all of them share more or less one security problem, not only go - and that is dependency management.
most of them do not allow reviewing the dependencies prior to building, let's say how apt or emerge does, they just start downloading tons of stuff.
that is done by rust's cargo, js's npm, etc.
and go mitigated the problem now - it is possible to import not just by url but by exact git commit with its hash, and when the import mentions the hash, then it is much safer, or maybe very safe.
just go, of course, does not require it. it allows it.
=> norayr · Nov 20 at 14:49:
@dimkr i need to learn to mention people here on bubble. so yes, that was a reply to your comment.
and again, i think the language go is so good as a language that it doesn't make sense to use most of the alternatives. there can be special needs and tastes, like a taste for lisp metaprogramming, but otherwise go suits most of the needs of most programmers.
and where it doesn't, i think it could; it is a compiler issue, not a language issue.
static linking mentioned by @f008600 is an example of that - the same language could have a different compiler and a different linking policy.
=> norayr · Nov 20 at 14:52:
oberon is a language go borrowed lots of ideas from, and it is used in the embedded world. there are different types of machinery and even aircraft with an operating system written in oberon and control software written in oberon.
oberon is more 'dry', if that makes sense, and i like it.
both compilers are small; for go, the compiler part is easy to build.
and it generates native code, how bad can native code be? it almost always will be faster and always will take less memory than an interpreted language.
=> Morgan · Nov 20 at 15:12:
It sounds like you might enjoy reproducible-builds.org ... and for go: go.dev/blog/rebuild
Secure builds are an important topic :)
=> norayr · Nov 21 at 17:28:
@f008600 i have written that the go compiler can generate small binaries, and apparently there is
=> tinygo
=> f008600 · Nov 21 at 18:36:
I've tried TinyGo last year and sadly it was not nearly usable. Some hardware was supported, but lacking essential features. For example, there was no way to use the WiFi stack on an ESP32, so it is essentially useless. But maybe this has changed. Will have a second look at it!
=> ahappydeath [mod] · Nov 22 at 00:19:
Burrito is one way to package, but I was referring to Mix releases. When building a mix release, you can include the erlang runtime with it and it is somewhat portable (on a machine with the same architecture).
What is a good Small Web programming language? While I like Python, its corporate-driven featuritis is getting me down.... C is an obvious Small Web language, but I'd rather use something a bit higher level than that. Any thoughts?
=> random-elephant · 55 comments · 1 like · 2024-11-14 · 2 months ago