
Go 1.15 Released - mapl
https://golang.org/dl/
======
benhoyt
I think the link should be changed to the 1.15 release notes (now published):
[https://golang.org/doc/go1.15](https://golang.org/doc/go1.15) -- these are
much more interesting and useful.

~~~
gautamcgoel
Yes, I agree. No point in linking to the download page, most people use their
package manager to update their Go installation.

~~~
jaytaylor
I'm curious which package managers / repositories allow you to update to the
latest version of go as soon as it's released * ?

* In any remotely trustable and reliable way; random PPAs relying on somebody's free time don't count, IMHO.

I've noticed Ubuntu, Debian, CentOS, and Oracle Enterprise Linux are always
trailing by quite a clip. Often years.

The strategy I've been using is to just manually install it on the machines
where I need it. The production go versions only get updated as required.

~~~
Foxboron
> I'm curious which package managers / repositories allow you to update to the
> latest version of go as soon as it's released * ?

Arch Linux.

I just saw the release when I was checking for updated versions of packages I
maintain, and built it before users started bugging me about outdated go
binaries.

[https://www.archlinux.org/packages/community/x86_64/go/](https://www.archlinux.org/packages/community/x86_64/go/)

~~~
snazz
I continue to love how this works out with security updates too. I usually get
new browser and kernel versions after particularly bad CVEs within a few hours
from the upstream release.

------
mholt
Caddy binaries on Linux shrink by ~2.5 MB with Go 1.15! (~33 MB down to ~31
MB)

3 MB savings on Mac, and 2 MB on Windows:
[https://github.com/caddyserver/caddy/pull/3642#issuecomment-...](https://github.com/caddyserver/caddy/pull/3642#issuecomment-669929674)

So about 8-10% reduction.

~~~
sagichmal
I'm so confused by this. Given the context that Go primarily targets, which is
daemon services running on server class machines, binary size, so long as it's
not totally absurd, is almost completely irrelevant. Is it like a code golf
thing? Why do you care?

~~~
cle
These days, server-class machines are often ephemeral and spun up-and-down
based on demand. At work, I operate services that have 2 GB of Java code
packages, and others that use a single 10 MB Go binary. Guess which one can
scale up much more quickly to handle increased demand?

~~~
wokwokwok
Obviously.

...but the point being made is at 10% reduction, a 9MB and a 10MB binary are
indistinguishable.

They scale almost identically.

so... it seems a bit like premature optimisation to devote such a large amount
of effort to what appears to be a win that affects virtually no one except
those few (FANG) who deploy to thousands of services daily.

------
pansa2
> _There are no changes to the language._

Are there other mainstream languages that are as conservative as Go when it
comes to adding new features?

I don't love Go as a language, but coming from C++ and Python, both of which
have non-stop accumulation of features (and complexity), Go's _philosophy_ is
a breath of fresh air.

~~~
psanford
The Go 1.x compatibility promise is one of Go's best features.

~~~
naikrovek
Yes.

Though, I wonder how much more the language could be improved if it weren't
tied down to the bad decisions of the past. Those must all continue in
perpetuity while the compatibility promise is kept.

~~~
psanford
Not in perpetuity. Go 2 does not promise to be backward compatible.

~~~
tapirl
The current Go 2 drafts do.

------
piinbinary
> Changing the -timeout flag now invalidates cached test results. A cached
> result for a test run with a long timeout will no longer count as passing
> when go test is re-invoked with a short one.

I'm glad this is fixed! That will make life that one bit less annoying.

------
ainar-g
Announcement E-Mail:
[https://groups.google.com/forum/#!topic/golang-announce/Z-cY...](https://groups.google.com/forum/#!topic/golang-announce/Z-cY6ZdGdEU).

Official blog post:
[https://blog.golang.org/go1.15](https://blog.golang.org/go1.15).

Some fixes already planned for Go 1.15.1:
[https://github.com/golang/go/milestone/162](https://github.com/golang/go/milestone/162).

------
edflsafoiewq
> The compiler's -json optimization logging now reports large (>= 128 byte)
> copies and includes explanations of escape analysis decisions.

This sounds interesting.

~~~
kristianp
I haven't found any more info about this feature. Anyone have better search
skills than me?

~~~
clktmr
As far as I understand, it's only about including more information in the
compiler's JSON output. But that information was already available in non-JSON
output in previous Go versions.

To get explanations on the optimization decisions by the compiler, build your
package with:

    go build -gcflags="-m -m"

See also:

    go tool compile -h
    go doc cmd/compile

~~~
kristianp
Thanks.

------
FiloSottile
Release notes -> [
[https://golang.org/doc/go1.15](https://golang.org/doc/go1.15) ] <-

Blog post -> [
[https://blog.golang.org/go1.15](https://blog.golang.org/go1.15) ] <-

So much good stuff in this release, COVID notwithstanding, including an
extremely improved linker and smaller binaries. Definitely the best Go release
ever :)

Here's some details on the changes in the corner of it that Katie and I take
care of.

The long deprecated Common Name field on X.509 certificates is now ignored,
reducing complexity and removing a gnarly conflict with Name constraints.
Public CAs are unaffected, the only major service that broke was AWS RDS, and
they've been awesome and fixed it in time for the release (but customers need
to regenerate certificates). I honestly did not expect this change to make it
and I am thrilled about it and what it means for keeping the Go X.509
ecosystem modern and secure.
[https://github.com/golang/go/issues/39568#issuecomment-67142...](https://github.com/golang/go/issues/39568#issuecomment-671424481)

crypto/tls Configs now have a spiffy VerifyConnection callback that runs for
all connections (which is easier to think about than VerifyPeerCertificate)
and that gets passed a ConnectionState. This was Katie's idea to make the
callback have access to SCTs and stapled OCSP (which makes it possible to
write verifying callbacks for those, although we are working on built-in
support!) but I also love how it delivers the parsed certificates and makes
it trivial to customize verification.
[https://golang.org/pkg/crypto/tls/#example_Config_verifyConn...](https://golang.org/pkg/crypto/tls/#example_Config_verifyConnection)
[https://golang.org/cl/229122](https://golang.org/cl/229122)

What I should have started with: session ticket keys and session tickets are
now rotated automatically without any impact on the application :sparkles:,
greatly mitigating the main weak link in the forward security chain of TLS
1.2. :happydance: This is a. big. deal.
[https://blog.filippo.io/we-need-to-talk-about-session-ticket...](https://blog.filippo.io/we-need-to-talk-about-session-tickets/)
[https://golang.org/cl/231317](https://golang.org/cl/231317)
[https://golang.org/cl/230679](https://golang.org/cl/230679)

Besides deprecating Common Name, X.509 verification also now has a consistent
story on how to handle invalid hostnames: they are matched case-insensitively
1:1 to certificate fields without wildcard or trailing dot processing. There
is no spec that says what to do with them, so we had to come up with a policy
that is predictable, doesn't break applications, but can be implemented
securely. It was amazingly difficult.
[https://golang.org/cl/231378](https://golang.org/cl/231378)
[https://golang.org/cl/231380](https://golang.org/cl/231380)
[https://golang.org/cl/231381](https://golang.org/cl/231381)

crypto/ecdsa now has SignASN1 and VerifyASN1 functions that do what Sign and
Verify should have done all along and operate on byte slices instead of
big.Ints. [https://golang.org/cl/217940](https://golang.org/cl/217940)

There is now a function to make RFC 5280-compliant X.509 v2 Certificate
Revocation Lists. [https://golang.org/cl/217298](https://golang.org/cl/217298)

Public and private key types now have an Equal method that works with go-cmp,
and lets you make your own non-empty PublicKey interface.
[https://golang.org/cl/231417](https://golang.org/cl/231417)

crypto/elliptic now has functions to marshal and unmarshal compressed elliptic
curve points. Too many people had to implement this one!
[https://golang.org/cl/202819](https://golang.org/cl/202819)

math/big.Int now has a method that makes me extremely happy. FillBytes takes a
fixed size buffer and puts the value in it, which is both more performant, and
saves annoying padding steps in most crypto applications. If you ever had a
bug that only happened 1/256 of the times because you were not adding the
padding zero at the beginning if the value happened to be small, this is for
you. You know who you are, remember that the support group this week meets on
Wednesday not Thursday.
[https://golang.org/cl/230397](https://golang.org/cl/230397)

Finally, Cthulhu. On macOS we now use the system root store even if there's no
cgo, by calling straight into Security.framework with... there's assembly
involved, that is all. This code is my nemesis, so it was all worth it.
[https://golang.org/cl/227037](https://golang.org/cl/227037)

And more! Check out the release notes. I also plan to write in detail about
the changes on my newsletter, like I did for Go 1.14.

[https://buttondown.email/cryptography-dispatches?tag=hn](https://buttondown.email/cryptography-dispatches?tag=hn)
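
The padding bug that FillBytes removes, next to the byte-slice SignASN1/VerifyASN1 API mentioned in the comment above, as an added example that is not part of the original comment or of the Go project's code. The helper names and the sample r and s values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// fixedWidth builds r||s; FillBytes (Go 1.15) zero-pads each field to size bytes.
func fixedWidth(r, s *big.Int, size int) []byte {
	out := make([]byte, 2*size)
	r.FillBytes(out[:size])
	s.FillBytes(out[size:])
	return out
}

// sample encodes constructed values: r fits in 31 bytes, s needs all 32.
func sample() (naive, fixed []byte) {
	r := new(big.Int).Lsh(big.NewInt(1), 247)
	s := new(big.Int).Lsh(big.NewInt(1), 255)
	naive = append(r.Bytes(), s.Bytes()...) // Bytes() drops r's leading zero byte
	return naive, fixedWidth(r, s, 32)
}

// signVerifyASN1 checks a real and a bit-flipped digest via the byte-slice API.
func signVerifyASN1(msg []byte) (valid, tamperedValid bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return false, false, err
	}
	tampered := digest // arrays are values, so this is a copy
	tampered[0] ^= 1
	return ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig),
		ecdsa.VerifyASN1(&key.PublicKey, tampered[:], sig), nil
}

func main() {
	naive, fixed := sample()
	fmt.Println(len(naive), len(fixed)) // the naive encoding is one byte short
	fmt.Println(signVerifyASN1([]byte("constructed message")))
}
```

A parser that expects two 32-byte fields would misread or reject the short naive encoding, which is why the failure only shows up for the occasional small r or s.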

~~~
jchw
> On macOS we now use the system root store even if there's no cgo, by calling
> straight into Security.framework with... there's assembly involved, that is
> all.

I feel like I’m developing an addiction to hacks like this. Ever since I
started to gain a more intuitive understanding of calling conventions and C/++
ABI I’ve been doing asm calls into MSVC functions and manually laying out COM
vtables in pure Go. It’s powerful as long as you have reasonable assurances
the ABI rug won’t be pulled from under you!

------
maxioatic
> When the flag package sees -h or -help, and those flags are not defined, it
> now prints a usage message. If the FlagSet was created with ExitOnError,
> FlagSet.Parse would then exit with a status of 2. In this release, the exit
> status for -h or -help has been changed to 0.

This is nice. I basically only write small CLIs with Go and don't explicitly
define help flags. I always wondered why it returned an exit code of 2.

------
quicklime
Anyone know why [https://go.dev](https://go.dev) still has a download link for
"1.14.6", and there's no mention of it over at golang.org?

~~~
ainar-g
That website is updated separately, if I recall correctly. It will probably be
updated later today.

------
xorcist
Where are signatures for these binaries published?

~~~
throwaway43234
I've always been a bit confused as to what the attack vector those protect
against is for self-hosted packages (i.e. not torrents, third party hosting
services, etc.). If the attacker is able to coerce the web server into sending
a compromised package when you `GET https://dl.google.com/go/go1.15.src.tar.gz`,
couldn't they just as easily send a compromised checksum when you
`GET https://golang.org/dl/`?

~~~
TallGuyShort
With very large, very important downloads, I also appreciate a quick check
that no corruption or loss was involved in the download for benign reasons
either.

~~~
majewsky
Has this actually happened to someone in the last 10 years?

~~~
TallGuyShort
Yes, I've had it happen. Not in subtle ways - usually a size check would show
that something is very wrong anyway, but I appreciate the peace of mind. I
usually like to bake a check into automation and had that catch things like
the binary being replaced by a 404 page, etc... When I update the version I
pull, I also update the checksum.
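
The pinned-checksum check described in this sub-thread, as an added example that is not code from any commenter: the automation keeps the expected SHA-256 next to the version it pulls, so a 404 page served in place of the archive is rejected. The function names, the size limit and the sample byte strings are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrMismatch means the bytes received are not the bytes that were pinned.
var ErrMismatch = errors.New("artifact does not match pinned SHA-256")

// verifyArtifact hashes at most maxBytes of r and compares the digest with
// pinnedHex, the checksum kept in the automation next to the version number.
func verifyArtifact(r io.Reader, pinnedHex string, maxBytes int64) error {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("pinned checksum %q is not a SHA-256 hex digest", pinnedHex)
	}
	h := sha256.New()
	n, err := io.Copy(h, io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if n > maxBytes {
		return errors.New("artifact exceeds the expected maximum size")
	}
	if !bytes.Equal(h.Sum(nil), want) {
		return ErrMismatch
	}
	return nil
}

// demo pins the digest of a constructed "release" and then checks both that
// release and a constructed 404 page served in its place.
func demo() (releaseErr, replacedErr error) {
	release := []byte("constructed stand-in for go1.15.src.tar.gz")
	notFound := []byte("<html><body>404 Not Found</body></html>")
	sum := sha256.Sum256(release)
	pin := hex.EncodeToString(sum[:]) // in real automation this is a literal
	return verifyArtifact(bytes.NewReader(release), pin, 1<<20),
		verifyArtifact(bytes.NewReader(notFound), pin, 1<<20)
}

func main() {
	fmt.Println(demo())
}
```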

------
chocolatkey
It seems it hasn't received a blog post/entry in the release history yet.

~~~
ra7
Will be similar to what's in the tip:
[https://tip.golang.org/doc/go1.15](https://tip.golang.org/doc/go1.15)

~~~
chocolatkey
Thanks, I was not aware of that subdomain

------
Konohamaru
"There are no changes to the language."

Rob Pike is the ultimate troll.

~~~
ainar-g
What do you mean? Go has been known for its philosophy of “Boring is Good”.
Lots of releases these days come with either no changes to the language or
some very minor ones.

~~~
meddlepal
> Boring is good.

Until you reach channels and realize that mantra apparently went out the
window at some point.

~~~
ainar-g
Can you elaborate? I'm asking because I've almost never had any issues with
channels.

