💾 Archived View for bbs.geminispace.org › u › f008600 › 21979 captured on 2024-12-17 at 15:52:11. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Re: "What is a good Small Web programming language? While I like..."
@norayr: Good point, but for that, the go.sum file will contain checksums for all the used dependencies. So it is not possible to "sneak in" some malicious code. You need to be careful when updating dependencies, tho.
But you are right, using fewer dependencies and sticking to the standard lib is in any case better. Just look at the mess in the JavaScript/npm/yarn/bun/... ecosystem. Every externally used source needs to be maintained too (do updates, adjust your code to the new API, find alternatives when a project gets abandoned, check for security problems, ...).
My biggest concern with Go, related to security, is the static compilation. As an example: curl, wget, ssh, and countless other tools are dynamically linked against libssl. If there is a security issue inside the SSL implementation, all hands are on deck to fix libssl, updates are provided, notifications pop up and after the next "apt-get update", all tools are safe.
For a statically linked Go binary, sitting somewhere in a container, cranking along, nobody cares. You are in charge of monitoring for security issues, updating dependencies, recompiling your code, deploying it, ...
Nov 20 · 4 weeks ago
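The go.sum check mentioned in the post above, as an added example that is not part of the original thread: it recomputes the `h1:` directory hash Go records in go.sum (SHA-256 over a sorted list of per-file SHA-256 lines) and compares it with the recorded line. The module `example.com/dep` and its files are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the go.sum "h1:" hash: SHA-256 over sorted "<sha256 hex>  <path>\n" lines.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify checks a module tree against a go.sum line "<module> <version> <hash>".
func verify(sumLine string, files map[string][]byte) error {
	f := strings.Fields(sumLine)
	if len(f) != 3 {
		return fmt.Errorf("malformed go.sum line: %q", sumLine)
	}
	if got := hash1(files); got != f[2] {
		return fmt.Errorf("%s@%s: checksum mismatch: have %s, go.sum has %s", f[0], f[1], got, f[2])
	}
	return nil
}

// sampleModule returns a constructed module tree (hypothetical example.com/dep).
func sampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/dep@v1.0.0/go.mod": []byte("module example.com/dep\n"),
		"example.com/dep@v1.0.0/dep.go": []byte("package dep\n\nfunc Answer() int { return 42 }\n"),
	}
}

func main() {
	mod := sampleModule()
	line := "example.com/dep v1.0.0 " + hash1(mod) // the line recorded when the dependency was added
	mod["example.com/dep@v1.0.0/dep.go"] = []byte("package dep // changed\n")
	fmt.Println(verify(line, mod)) // reports the mismatch for the modified file
}
```

The check only ties the downloaded files to the hash that was recorded when the dependency was first added or last updated, which is why the update step is where review matters.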
norayr · Nov 20 at 14:41:
no no, i am not at all worried about it. i was saying that though i consider go to be the best among mainstream languages, all of them share more or less one security problem, not only go - and that is dependency management.
most of them do not allow to review the dependencies prior to building, let's say how apt or emerge does, they just start downloading tons of stuff.
that is done by rust's cargo, js's npm, etc.
and go mitigated the problem now - it is possible to import not just by url but by exact git commit with its hash, and when the import mentions the hash, then it is much safer, or maybe very safe.
just go, of course does not require it. it allows it.
norayr · Nov 20 at 14:49:
@dimkr i need to learn to mention people here on bubble. so yes, that was a reply to your comment.
and again, i think the language go is so good as a language, that it doesn't make sense to use most of the alternatives. there can be special needs and tastes, like a taste for lisp metaprogramming, but otherwise go suits most of the needs of most programmers.
and where it doesn't, i think it could, it is a compiler issue, not a language issue.
static linking mentioned by @f008600 is an example of that - the same language could have different compiler and different linking policy.
norayr · Nov 20 at 14:52:
oberon is a language go borrowed lots of ideas from, and it is used in embedded world. there are different types of machinery and even aircraft with an operating system written in oberon and control software written in oberon.
oberon is more 'dry' if it makes sense, and i like it.
both compilers are small, go, the compiler part is easy to build.
and it generates native code, how bad can native code be? it almost always will be faster and always will take more memory than interpreted language.
Morgan · Nov 20 at 15:12:
It sounds like you might enjoy reproducible-builds.org ... and for go: go.dev/blog/rebuild
Secure builds is an important topic :)
norayr · Nov 21 at 17:28:
@f008600 i have been written that go compiler can generate small binaries, and apparently there is
f008600 · Nov 21 at 18:36:
I've tried TinyGo last year and sadly it was not nearly usable. Some hardware was supported, but lacking essential features. For example, there was no way to use the WiFi stack on an ESP32, so it is essentially useless. But maybe this has changed. Will have a second look at it!
ahappydeath [mod] · Nov 22 at 00:19:
Burrito is one way to package, but I was referring to Mix releases. When building a mix release, you can include the erlang runtime with it and it is somewhat portable (on a machine with the same architecture)
What is a good Small Web programming language? While I like Python, its corporate-driven featuritis is getting me down... C is an obvious Small Web language, but I'd rather use something a bit higher level than that. Any thoughts?
💬 alice-sur-le-nuage · 55 comments · 1 like · Nov 14 · 5 weeks ago