Go 1.21.6 Released

From the Guidelines:<p>&gt; What to submit? [...] anything that gratifies one&#x27;s intellectual curiosity.<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html</a><p>Maybe it&#x27;s just me, but I don&#x27;t feel very inspired on an intellectual level by news about a patch version ;-)

If you&#x27;re too lazy..<p>From: [0]<p>&quot;go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and the crypto&#x2F;tls, maps, and runtime&#x2F;pprof packages. See the Go 1.21.6 milestone on our issue tracker for details.&quot;<p><a href="https:&#x2F;&#x2F;go.dev&#x2F;doc&#x2F;devel&#x2F;release#go1.21.minor" rel="nofollow">https:&#x2F;&#x2F;go.dev&#x2F;doc&#x2F;devel&#x2F;release#go1.21.minor</a>

This is dot-dot release with just a few minor fixes. Not sure why it&#x27;s on the front page, but since I have your attention... here something I noticed just the other day:<p>&gt; the go command by default downloads and authenticates modules using the Go module mirror<p>Maybe I&#x27;m reading this incorrectly but it sounds as google will be able to see every dependency for every project I ever work on.<p>This is the second time Go adds something that can be used to spy on developers. Obviously they pinky promise to not abuse it, by why does this eventually happens to every Google product?

This one bug greatly undermined my confidence in Go forever: <a href="https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;64474">https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;64474</a><p>That this can happen in the standard library and stay in a stable release for 5-6 months, in fact very nearly making it to Go 1.22, means that Go&#x27;s quality assurance pipeline is not adequate for use in production. (The actual bug is in the runtime, but that&#x27;s irrelevant; it&#x27;s a runtime optimization for an API offered in the standard library)<p>It also reopens a larger question, that if the Go teams seriously believes it is okay for a modern programming language to offer no ways whatsoever to enforce immutability or exclusive ownership, leaving programmers to reason about such things themselves throughout every project, then they have to hold themselves to a higher standard to prove that this is reasonable to expect.<p>Similarly, it is also really concerning that they don&#x27;t consider this a CVE when it obviously could be; a user receiving a shallow cloned map could modify data affecting other users.<p>That the Go team does not consider this a headline item, let alone a CVE, let alone something that should change how Go is developed and qualified, is all I need to know about how little they care about production grade software. People choosing to use Go in production should at least know what they&#x27;re getting themselves into.