All systems go on security with Go 1.12 language release

After two good weeks of bug squashing, container ecosystem favourite Go 1.12 is finally generally available with TLS 1.3 support, an improved compiler toolchain, better performance, and all kinds of other good stuff.

The core library of the new release is the first to ship opt-in support for TLS 1.3, which is enabled by adding tls13=1 to the GODEBUG environment variable. Although TLS 1.3 is backwards compatible with its predecessors, certain legacy systems, as well as RSA certificate keys that are too small to be secure, might not work with the protocol. That is worth keeping in mind for Go 1.13, which will make TLS 1.3 the default.

It is also worth mentioning that cipher suites for the new protocol version aren’t configurable, and that 0-RTT mode, also known as early data, isn’t currently supported on either the client or the server side.
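The two paragraphs above raise the practical question of what a handshake actually negotiates once TLS 1.3 is switched on, and what happens with a peer that cannot speak it. The program below is an added example (not code from the article or the Go project) that answers both: it runs one handshake over a loopback listener and reports the negotiated version, first for a default client and then for a client capped at TLS 1.2 standing in for the legacy systems mentioned. It generates a throwaway self-signed certificate for localhost so the client verifies the chain instead of skipping verification; the loopback listener, the function names and the constructed certificate are all assumptions of this example. On Go 1.12 the default client reports TLS 1.2 unless GODEBUG=tls13=1 is set; from Go 1.13 on it reports TLS 1.3, while the capped client always settles on TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// VersionNames labels the two protocol versions this example can negotiate.
var VersionNames = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// Configs generates a throwaway ECDSA P-256 key and a self-signed certificate
// for "localhost" (constructed for this example) and returns a server config
// that serves it plus a client config that trusts it, so the handshake
// verifies the chain instead of relying on InsecureSkipVerify.
func Configs() (*tls.Config, *tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	server := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	client := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	return server, client, nil
}

// NegotiatedVersion performs one handshake over a loopback TCP connection and
// returns the protocol version both sides agreed on.
func NegotiatedVersion(serverCfg, clientCfg *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1) // buffered so the goroutine never leaks
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		serverErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, fmt.Errorf("client: %v", err)
	}
	defer conn.Close()
	if err := <-serverErr; err != nil {
		return 0, fmt.Errorf("server: %v", err)
	}
	return conn.ConnectionState().Version, nil
}

func main() {
	server, client, err := Configs()
	if err != nil {
		log.Fatal(err)
	}
	legacy := client.Clone() // stands in for a peer that cannot speak TLS 1.3
	legacy.MaxVersion = tls.VersionTLS12
	peers := map[string]*tls.Config{"default client": client, "TLS 1.2-only peer": legacy}
	for name, cfg := range peers {
		v, err := NegotiatedVersion(server, cfg)
		if err != nil {
			log.Fatal(err)
		}
		// On Go 1.12 the default client reports TLS 1.2 unless GODEBUG=tls13=1 is set.
		fmt.Printf("%s negotiated %s\n", name, VersionNames[v])
	}
}
```

Reading the version out of ConnectionState after the handshake is the check to build into any rollout of the GODEBUG switch: it tells you, per connection, whether the peer actually got TLS 1.3 or silently fell back to 1.2, which is the number to watch before Go 1.13 flips the default.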

Once updated, a pointer to a zero-value Reader can be used in place of NewReader(nil), and a new ReplaceAll function returns a copy of a byte slice with all non-overlapping instances of a value replaced. expvar now has a Delete method for removing key/value pairs from a Map, and fmt prints maps with their keys sorted, which is meant to make output easier to test.

If you didn’t like the strict limit on the number of TCP connections that the http2 package introduced in Go 1.10, you’re in luck: it has gone back to the more relaxed behaviour of keeping up to MAX_CONCURRENT_STREAMS requests active per connection and opening new connections as needed. The stricter approach can be re-enabled by setting the appropriate parameter.

As for compiler toolchain changes, live variable analysis has been improved and more functions are inlined by default. Because inlining changes what runtime.Callers returns, don’t iterate over its results directly; pass them to runtime.CallersFrames instead. To target a specific Go language version during compilation, the compiler now accepts a -lang flag.
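To see why the inlining advice matters, here is an added example (not code from the article or the Go project) of a small stack-trace helper built the recommended way: the program counters returned by runtime.Callers go through runtime.CallersFrames instead of being indexed directly, so a function that the compiler has inlined still shows up as its own frame. The helper names, the deliberately inlinable tinyHelper used to exercise that case, and the 64-entry PC buffer are this example’s own choices.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// Frame is one resolved entry of a call stack.
type Frame struct {
	Function string
	File     string
	Line     int
}

// StackTrace returns the calling goroutine's stack, starting at the caller of
// StackTrace when skip is 0. It hands the PCs from runtime.Callers to
// runtime.CallersFrames, which expands inlined calls into their own logical
// frames and maps return addresses back to call sites. Indexing the PC slice
// and calling runtime.FuncForPC on each entry would do neither.
func StackTrace(skip int) []Frame {
	pcs := make([]uintptr, 64)
	n := runtime.Callers(skip+2, pcs) // +2 skips runtime.Callers and StackTrace
	if n == 0 {
		return nil
	}
	frames := runtime.CallersFrames(pcs[:n])
	var out []Frame
	for {
		f, more := frames.Next()
		out = append(out, Frame{Function: f.Function, File: f.File, Line: f.Line})
		if !more {
			break
		}
	}
	return out
}

// FuncName returns the fully qualified name of the function that called it,
// which stays correct even when that function has been inlined.
func FuncName() string {
	if st := StackTrace(1); len(st) > 0 {
		return st[0].Function
	}
	return "unknown"
}

// Format renders a trace in the style of Go's panic output.
func Format(st []Frame) string {
	var b strings.Builder
	for _, f := range st {
		fmt.Fprintf(&b, "%s\n\t%s:%d\n", f.Function, f.File, f.Line)
	}
	return b.String()
}

// tinyHelper is small enough for the compiler to inline; FuncName still
// reports it rather than the function it was inlined into.
func tinyHelper() string { return FuncName() }

func main() {
	fmt.Println("running in", tinyHelper())
	fmt.Print(Format(StackTrace(0)))
}
```

The same pattern applies to any logging, error-wrapping or audit helper that records where it was called from: resolve through CallersFrames, and the names it records stay stable across compiler releases that inline more aggressively.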

On top of that, the behaviour of the gc and gccgo toolchains has been aligned slightly, and the DWARF debug information has been improved for things like argument printing and variable locations. To help profiling tools such as perf on linux/arm64, Go 1.12 programs maintain stack frame pointers on those systems. Since this can introduce a small overhead, setting GOEXPERIMENT=noframepointer before building the toolchain gives you one that behaves as before.

To improve performance, the Go runtime now returns memory to the operating system more aggressively and uses MADV_FREE on Linux. The team behind the project was also able to speed up the runtime’s timer and deadline code and to improve memory profiling by fixing some issues that occurred during allocation.

A complete list of changes can be found in the language documentation. Go was initially developed by Google and is used in most major containerisation projects. That makes the language heavily relied upon, which led the Go team to set up a proposal evaluation process in late 2018 to ensure that changes cause as little damage as possible.