Google Cloud has introduced a new update to the Go programming language that it is touting as the most significant release of the language to date — with features that enhance security and developer productivity and improve the performance of Go.
Steve Francia, Google Cloud’s Product & Strategic Lead for Go, called the new update — Go 1.18, released today — “monumental” and noted that the key new features, including support of generics, are responses to feature requests from the vast community of millions of Go developers around the world.
Key updates in Go 1.18 include the aforementioned new support for generics; fuzzing, which will be integrated into Go 1.18’s standard toolchain; and CPU performance improvements of up to 20% and more, Francia said.
“Stagnation is always bad, and the same applies also to new revisions of programming languages. Today is the turn of the Go language, which is getting key new features, and most importantly a performance boost,” said Holger Mueller, an analyst at Constellation Research. “Innovation is always critical, but it also means change and the verdict is still out on how the community of Go developers will appreciate the new version. That said — Go developers are pretty dedicated and passionate about their language — so the feedback is likely going to be positive.”
Go was created at Google in 2007, designed to help developers build fast, reliable and secure software. And that goal remains the same as the language maintains a six-month release cadence. There are about two million Go developers, Google said.
The Case for Generics
“The largest change ever to the Go language is coming in 1.18. With generics, this specific feature has been the most sought-after feature in Go for the last 10 years,” Francia wrote in a blog post. “And we’re really happy to be able to provide it to our users and to give them the ability to simplify their applications and provide them better performance.”
Generic programming is a style of computer programming in which algorithms are written in terms of types to be specified later that are then instantiated when needed for specific types provided as parameters.
“The support for generics through type parameters allows Gophers to increase the reuse of their code,” said Bryan Liles, principal engineer at VMware and self-proclaimed Gopher. “I’m already seeing interesting collections handling products based on the betas. This one feature alone makes Go more useful in more places with less typing.”
Indeed, generics support was the most sought-after feature and thus the biggest change to Go since the language was created, Francia noted.
“Last year in our Go developer survey results we shared that of the developers who feel that Go lacks critical features, the vast majority view generics as the missing piece,” he said in the post. “With Go 1.18, new and existing Go developers will be able to take advantage of the productivity, performance, and maintenance benefits that generics bring. We’ve already begun to see the new kinds of libraries and projects gophers are building with generics in its short beta period and expect this creativity to grow as time goes on.”
The big deal is that without support for generics, Go users have had to explicitly define each type, or behavior for each individual type, Francia further explained in an interview with The New Stack.
“So a simple way to think about this is if you wanted to write a min function — that’s a function that takes multiple values and tells you which one the minimum is,” he said. “You’d have to write this once for integers and once for floats. And actually, you’d have to write it for every size of integer and every size of float. So it ends up having some repetitive code.”
That is just one very simple example, but it applies in a lot of spaces, Francia said.
“But with the addition of generics, you’re able to consolidate all of that code to one specific operation while retaining all the safety that you get from a typed language,” he said. “So users are really looking forward to being able to have much more readable code. And in many instances, higher-performing code, with the same type safety that Go has always provided. That’s a huge boon to productivity. It’s a boon to performance.”
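The min function Francia describes, written once with Go 1.18 type parameters. This is an added example, not code from the article or from the Go project; the `Ordered` constraint, the `Min` signature and the `Port` type are assumptions made for illustration.

```go
package main

import "fmt"

// Ordered lists the built-in types that support <. The ~ also admits
// named types whose underlying type is one of them.
type Ordered interface {
	~int | ~int8 | ~int16 | ~int32 | ~int64 |
		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
		~float32 | ~float64 | ~string
}

// Min returns the smallest value, or ok=false when called with no values.
func Min[T Ordered](vals ...T) (m T, ok bool) {
	if len(vals) == 0 {
		return m, false
	}
	m = vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m, true
}

// Port is a hypothetical named type, used to show that ~uint16 admits it.
type Port uint16

func main() {
	i, _ := Min(3, -7, 12)
	f, _ := Min(2.5, 0.25)
	p, _ := Min(Port(8443), Port(443))
	fmt.Println(i, f, p)
	// Type safety is retained: Min(Port(1), uint16(2)) and
	// Min(int32(1), int64(2)) are rejected at compile time.
}
```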
Fuzzing in the Toolchain
The second major milestone in Go 1.18 is that it makes Go the first major programming language to incorporate fuzzing as part of its standard toolchain, Francia said.
“This will enable us to enable Go users to harden their applications, not only for their current codebases but even provide protections as their codebases evolve and as dependencies change,” he said.
Fuzzing is a type of vulnerability testing that throws arbitrary data at a piece of software to expose unknown errors and is emerging as a common testing scheme in enterprise development, Francia explained in his blog post.
And Go is now the first major language to provide fuzzing support with no third-party integrations necessary, allowing developers to start building more secure software with minimal overhead cost.
Go’s approach to fuzzing provides extra security for the current code as well as ongoing protection as code and dependencies evolve.
“With attacks on software becoming more common and complex, vulnerability detection is a critical part of the enterprise development lifecycle, and Go’s fuzzing capabilities help simplify that work,” Francia wrote.
Liles, who has said Go is his favorite programming language, applauded this new feature as well.
“Not being satisfied with one huge feature, the integrated fuzzing takes testing to a new level,” he said. “Edge cases are a huge problem for development teams. Now the standard library comes with support for generating inputs to test edge cases at test time. I haven’t seen this level of support built into a programming language before,” Liles told The New Stack.
Native fuzzing takes Go that one step further, into really leading as the secure language, Francia mused.
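What a fuzz target looks like with the Go 1.18 toolchain, as an added example that is not from the article or the Go project. The length-prefixed record format, `DecodeRecords` and `CheckAccounting` are constructed for illustration; `testing.F`, `f.Add` and `f.Fuzz` are the standard library's fuzzing API.

```go
package main

import (
	"fmt"
	"testing"
)

// DecodeRecords parses a constructed wire format: repeated [1-byte length][payload].
func DecodeRecords(b []byte) ([][]byte, error) {
	var out [][]byte
	for len(b) > 0 {
		n := int(b[0])
		if n > len(b)-1 { // without this check the slice below panics
			return nil, fmt.Errorf("length byte overruns input")
		}
		out = append(out, b[1:1+n])
		b = b[1+n:]
	}
	return out, nil
}

// CheckAccounting is the fuzzed property: a successful decode consumes every input byte.
func CheckAccounting(in []byte) error {
	recs, err := DecodeRecords(in)
	if err != nil {
		return nil // rejecting malformed input is fine; panicking is not
	}
	total := 0
	for _, r := range recs {
		total += 1 + len(r) // one length byte plus the payload
	}
	if total != len(in) {
		return fmt.Errorf("decoded %d of %d bytes", total, len(in))
	}
	return nil
}

// FuzzDecodeRecords belongs in a _test.go file; run: go test -fuzz=FuzzDecodeRecords
func FuzzDecodeRecords(f *testing.F) {
	f.Add([]byte("\x02hi\x00")) // constructed seed: "hi", then an empty record
	f.Add([]byte("\x05abc"))    // constructed seed: length overruns the buffer
	f.Fuzz(func(t *testing.T, in []byte) {
		if err := CheckAccounting(in); err != nil {
			t.Fatal(err)
		}
	})
}

func main() { fmt.Println(CheckAccounting([]byte("\x02hi\x00"))) }
```

Inputs that make the target fail are written under `testdata/fuzz/FuzzDecodeRecords/` and replayed by every later plain `go test` run, so a crash found once keeps being checked as the code and its dependencies change.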
20% Performance Increase and Workspaces
Meanwhile, developers using Go 1.18 on Apple M1, ARM64, and PowerPC64 architectures will gain CPU performance improvements of up to 20% due to the expansion of Go 1.17’s register ABI calling convention to these architectures.
Also, though Go modules have been almost universally adopted, in the 2021 user survey, the most common challenge users identified with modules was working across multiple modules in a single repo, Google said. Go 1.18 addresses this with a new Go workspace mode, which makes it simple to work with multiple modules.
“A smaller feature is the introduction of workspaces which allow for changing module parameters without modifying the go.mod file,” Liles said. “Small quality of life additions like these will make editing code in teams easier.”
Why Go with Go?
Perhaps the biggest draw of Go is that it’s a language that feels like and gives the developer productivity of a dynamic language like Python, with the performance of a compiled language like C and C++, and with security and stability that’s beyond any of those languages.
“And so you find this really sweet spot for developers where they feel productive,” Francia said. “They can write secure code and performant code all at the same time. Developers, when they start using Go, love it for those three reasons.”
The Language for Cloud Native
Google is among the pioneers of writing software at scale, both in terms of the number of people collaborating on it across big teams and in terms of the scale of the programs written, running all the world’s information. Go is Google’s language to meet that need.
In chasing that goal, “we found challenges with existing programming languages,” Francia said. “In particular, they weren’t designed for these modern multicore systems that today we would call cloud computing systems. And they also weren’t designed to be shared across large groups of people. And as a result, the languages are typically much easier to write than they are to read. And with Go, we made a huge emphasis on supporting concurrency and working well across multicore systems, a big emphasis on networking and services, and a big emphasis on readability. Go is widely recognized as one of, if not the, most readable language out there. And generics in particular will help with that readability even more. And so I think this takes us even one step closer to our original vision of having a language that makes programming fun again and makes it scale well across people and across different systems.”
Google also notes that more than 75% of CNCF projects including Kubernetes and Istio are written in Go and 10% of developers are writing in Go worldwide. Go ranks number 14 on the Stack Overflow list of most popular languages and number eight on the 2022 Coding Dojo list of top programming languages for getting hired. Interestingly, Go did not even rank on that Coding Dojo list last year.
“Our modern cloud infrastructure is based on Kubernetes at its core and our strong support for Istio and Knative have formed the base of our leading services like Google Kubernetes Engine (GKE), our managed application platform with Anthos, Cloud Functions, and Cloud Run,” Francia wrote. “Google uses Go extensively for a wide range of things from our indexing platform that powers Google Search, to the server side optimizations that power Chrome’s 1B+ users, to the infrastructure Google cloud is built on.”
Security Is Paramount
Go has been designed to create the most secure applications, minimizing risk as much as possible, he said. Go applications compile down to a single binary without any local dependencies.
“Go’s dependency management uses an industry-leading, tamper-evident transparency log, with built-in tooling that ensures that your dependencies are exactly what you expect,” Francia wrote. “Go has native encryption, which is used to power much of the internet, including key components of Google. Go even supports distroless containers, where there are zero local dependencies to worry about. GCP, CI/CD, and Artifact Manager have direct access to Go’s Vulnerability Database and can provide you instant warnings about security threats.”
Key to this is the ability to understand and verify the security of open source dependency chains, said Eric Brewer, VP Infrastructure and Google Fellow and a computer science professor at UC Berkeley.
“The 1.18 release of Go is an important step towards ensuring that developers are able to build the most secure applications, understand risk when vulnerabilities are discovered, and reduce the impact of cybersecurity attacks,” he said.