This Go package was archived. What do we do now?
- Added 8 April 2023
- At the end of 2022, something unexpected happened in the Go ecosystem. Due to this, a lot of code will likely need to be refactored and migrated in order to protect against any potential future CVEs or vulnerabilities.
In this video, I look at three other options to gorilla/mux, how to easily migrate over to any of these options, and talk about what I think this says about Go in the long term.
#golang #coding #discussion
My socials:
Twitter: / dreamsofcode_io
Discord Server: / discord
Please consider supporting me as well!
Patreon: / dreamsofcode - Science and technology
If people were so concerned about this then they would take the project on themselves, one of the biggest negatives of open source is that people just expect everything to be free and accessible but no one contributes back
Companies will if they make money from it
@@user-fr2fm3ri3w i would disagree, I've never seen a company take on an open source repo, they've taken advantage of them endlessly but hardly ever pay back in any way
@@user-fr2fm3ri3w I've worked at 8 different companies and never seen them contribute back let alone sponsor.
@@joro550 the key part is “if they make money from it”. Look at chromium Linux servers and JavaScript frameworks. Sometimes big companies even start opensource projects themselves like react.
@@joro550 many people contribute to opensource as a way to demonstrate their skills and secure high paying positions. It’s especially useful if someone just finished uni but has 0 work experience. In this case contributing to an opensource project can make future employers feel more confident about hiring you than somebody who just has a uni degree and has had 0 experience in the industry.
As an open source contributor and developer myself, people are greedy and tell you about issues or what features they want but never bother fixing or contributing 😢
This will look greedy but have you ever considered to ask for money for every bigger feature request?
If there is a real need for it, someone will pay for it
@@Mempler you maybe correct, donation button or something might persuade me to do the work rather than relying on the open source community.
It's actually because a lot of developers are not as experienced, the world is now filled with devs who wouldn't pass as juniors even 10 years ago.. muddle themselves thru via examples and tutorial videos, how to make something... ofc they can't contribute to open source...
also opensource contribution doesn't actually work like you think.. most projects have handful of main devs who have made it... good example is in web JS ecosystem...
good luck contributing into React, go make something and see if they will accept ur PR lol... never going to happen, ur just going to break the framework, because you don't understand how it all goes together and how it works under the hood.
@@Microphunktv-jb3kj You make good points.
@@Microphunktv-jb3kj You're taking an extreme example, most projects don't represent a percent of React but yes lack of skill is a thing
The issue with Gorilla/mux was the fact that existing maintainers didn’t want anyone new and had bullshit level requirements for new maintainers. I wanted to participate in the project, but according to them, I’m too young, have not enough experience (7+ years in Go were a requirement) and they wanted someone with 3+ years experience in maintaining OSS projects.
Some of you might be reading this and thinking that we didn’t give a fair shot to potential new maintainers, or that the bar for new maintainers was too high. The problem there is two-fold:
There were no active contributors even triaging issues. The call for maintainers made it clear we’d help merge and do a final review for anyone wanting to start contributing. Instead, a number of folks raised their hands (read: commented in the thread) and then were never seen again. Many OSS projects have a number of casual maintainers: we just never seemed to get anyone to stick. Maybe the “utilitarian” nature of the libraries didn’t help, or maybe it was more compelling to author your own?
These are widely used libraries. As we said in the original call for maintainers: “no maintainer is better than an adversarial maintainer!” - just handing the reins of even a single software package that has north of 13k unique clones a week (mux) is just not something I’d ever be comfortable with. This has tended to play out poorly with other projects.
@sergio by no means I want to disregard or disrespect og maintainers, I think the main issue is the lack of “giving back” culture in companies using and depending on Open Source projects. Every company using OSS projects should donate time, resources or money to the projects they are using, not simply grab them and use them.
mfw people think having "must have 15 undecillion years of experience in underwater bucket weaving" is a good requirement:
Dude, more people does not always equate to a better product; if you have enough time in the dev world you'll know that 😁
@@SergiobgEngineer For the first one, I think this is why extra modes of communication are helpful. It is easy to talk the talk, but not walk the walk.
The second one I cannot comment on because I want to get into Open Source (Ruby, Go and C# in particular) but I don’t know where to start, how much your claim of clones in a month matter, what the impact is for the software ecosystem etc etc.
So I am just going to nod my head and agree with what you said 😂
Org went through an API refactor to Go last year, and went with Gin seeing the concerns with gorilla/mux. So far it's met our needs. Migrated existing codebase from express, and have built out several new microservices since with largely no issues.
where i work, we migrated to chi a couple weeks ago. it took like 30 minutes to do so. so far we have no problem with it.
I think that's what we're going to end up needing to do as well!
I'm currently using gin, i think is great, well documented, nice syntax. Is super easy to use
I like these microbenchmarks. 40x better, wow, most of the Go services have up to like 50 routes and also call database or other services. Performance of a router is literally non-issue in most scenarios.
I agree 100%. Optimizing anything that isn't the bottleneck isn't real optimization, especially as I/O is always going to be slower. I always prefer readable and maintainable code over "performance", hence why Chi is more appealing to me.
At this point, i think, i should do my best to stick with the standard library even if that implies more boilerplate.
I like your funny words magic man
Haha thanks
How do u edit your videos the style looks dope reason mainly why I sub 🎉
Haha it takes me a long time to edit them. I use davinci resolve!
I'm glad you like the style.
Archived, just means read-only. It wasn't deleted so it is still usable.
I've been trying to create a reactive app where the backend uses rest apis for processing transactions and web sockets for providing alerts and so far gorilla seems like the only holistic solution in golang. I decided to just use the http library instead and write the logic by hand. Seems fairly easy to do in golang for now. Will worry about logging and middleware in the future
Agreed. It really is a wonderful package. Fortunately there are no CVEs at the moment, so it's still safe to use.
I don’t see the issue with gin
The reason I started to work with go from the get go
Heartbreaking to see so many problems in OSS happening recently.
I'm personally now switching over to my own router to have more control over that layer
That's cool! Are you using http.ServeMux or building your own abstraction?
@@dreamsofcode yes
It's no longer archived now. Fun fact: I didn't even notice it had been archived
I have another video on its return!
Watched it. It’s a great update 🔥
i know i'm asking something I'm sure others asked for also, would have loved to have you compare against the Fiber framework also.
Haha yes a few have! I've got a video in the backlog to look at Fiber in more detail. Looking forward to doing so!
No maintainer means everybody is switched to rust
This is probably more true than we all realize.
Haha.
Rust had a similar drama a few years ago with Actix, although that turned out differently.
For me, the root issue lies more with the industry's relationship with open source.
@@dreamsofcode this :(
but I don't know how community will react if some industry tries to take over the project
or elixir :D
Anything other than this cancerous language
Migrated to Chi. Went very smoothly as it has very similar interface and features compared to Gorilla.
what's your thought on fiber?
It's really not that much of a problem, the library is pretty complete
The bigger problem for me is the lack of maintainers who could take over the toolkit.
There are no active CVEs though so you're right, the library is fine currently.
But what happens with new go versions and any deprecation or security fixes.
@@satisfyingly1 Yep. This is a big potential problem down the line.
No need to migrate! It's alive!
It is! I have another video on its return 😁
lol the overstatement !!
It's a gorilla sized problem! Haha
Lol
Hmm, this is disappointing news to hear. Luckily it's in a good state right now, hopefully it'll get forked or maintained once something like a CVE occurs.
Agreed!
I never used anything but the standard HTTP library or Gin.
What are your thoughts about Fiber ? From speed perspective according to the default tests, it seems to be the fastest.
A few have mentioned it so I'm gonna do a deep dive into it. Thanks for bringing it up!
@@Microphunktv-jb3kj webapps these days are an (or several) API + a frontend framework, if you're referring to a Django for go then no, but few languages have one and Django is also heavily used as an API framework these days
Bad reputation because based on fasthttp, being the fastest is a niche use case and you should know what you're sacrificing, namely net/http compatibility and thus a large portion of the ecosystem, it may not be worth for most people.
Personally, I like Go Fiber a lot as I'm building an Auth and CMS system. Losing HTTP/2 wasn't a big deal as I think HTTP/3 that uses QUIC and UDP will be a big game changer once everyone figures out how to implement it. Fiber has a healthy amount of premade middlewares also so it's quite nice, but writing your own is pretty easy. I think my biggest fear is that Fasthttp will fall by the wayside like Gorilla, but hopefully by then there will be an HTTP/3 framework.
Those who say performance doesn't matter have never run into the issue of scaling or having to pay for compute. Being able to stuff an app into a 1vCPU $2.50 VPS per month is pretty big for testing cheaply. Then deployment prices start to skyrocket if your app isn't able to sustain users. $20/2vCPU, $40/4vCPU, $80/6vCPU, $160/8vCPU... Go Fiber just delays the inevitable scaling issue that much longer without having to learn Rust APIs to squeeze out more efficiency.
@@Microphunktv-jb3kj Go is built for networking applications so it's incredibly powerful here with contexts and goroutines. I gave Rust the old college try at building an API and that was really rough with Axum which uses Tokio. I'd need another 6 months of learning Rust before I'd ever attempt that again. I remember looking at Elixir and running the other way as it gave me JVM vibes.
As for the frontend material you are probably looking for a separate Node framework like Astro, SvelteKit, Solid...
Fiber is also a solid alternative.
I'm going to have to give it a go!
Go "purists" ditch Fiber because it's not compatible with standard net/http library...
Someone is going to fork it, guaranteed.
I hope so
Wes McKinney is laughing in the background...
We have alternatives, and you can roll your own. It's your job, quite literally.
😭😭 no one wants to do it though
Lol
You know
Express js is not maintained at all but every single backend js dev I know still use it even though there are so many properly maintained options
It’s wrong to say that express is not maintained. Express is stable. Express 5 has been in beta for a long time as they are working slowly on new features due to stability.
@@victorray9369 Very slowly then, still no async route handlers, and nobody but the stability thing, the tracking issue for 5.0 has been opened in 2014 ... the developer himself have moved to another library, namely Koa, people just don't want to move because following the bandwagon, so yeah "somehow" maintained
Express is stable and does not need any new stuff. It's minimal and works like a tank.
the last commit on mux was 2 weeks ago
what about fiber ?
I mean, someone's gonna pick it up eventually if it gets outdated. Or start a new project. People can always migrate their systems to a more up-to-date library if they needed to. Also, maintainers often work for free, and they may lose motivation or don't have time, etc. In the first place - OSS is free to use, and you just cannot demand someone work for free. And finally, it's not a problem in OSS, but with people being used to thinking that they should get things for free.
I think the problem is that no one picked it up, despite lots of companies using it. Surely the cost of maintaining the package is cheaper than migrating.
I don't think there's any expectation that anyone work for free. I just ask for more from the stdlib.
The solution is to make it copyleft
I like Chi
if using native language features is such a headache, then at this point you should consider using another language...
They got some red hat devs maintaining it now
I have another video about this!
Just build your own. The go community pretty much is anti packages
what you think about Fiber?
A few people have mentioned it so I'm interested. Going to take a look and maybe do a video!
Fiber is number 1
Go devs, JavaScript is waiting for you :D
Nooo haha.
Go-Fiber
Thoughts about Fiber?
It looks pretty good, although it's similar to Gin and Echo it seems, so breaks the `http.Handler` interface.
So back to Gin I guess 😂
rip go
They killed my boy 😭
I knew it..lot of open source projects are going to be abandoned.
Gorilla Mux is now being maintained again and is unarchived.
You're correct. I have another video on this as well
How about fiber ? :D
A few have mentioned it so I'm gonna do a video on it. Thanks for bringing it up!
What about Fiber???
I'm going to have to give it a go! A lot of people have recommended it. Excited to try it
Did you try fiber?
Not yet! But going to give it a go!
This is already fixed, gorilla has new maintainers
I have a video about this!
What about fiber?
Fiber is awesome!
This is really bad for Caddy.
You know what, I think there is a bigger problem. The learning resources. Why are there tons of tutorials on these APIs but hardly any for not using them.
An archived project feels like it's treated like the death of a god and their magical blood will soon dry out.
I really really wish content would better show how "black magic" everything actually isn't.
I thought programming was about making solutions not waiting for others to. Just a rant from me where I accidentally figured out how to do session auth from standard go and my brain broke because "it can't be that simple otherwise there wouldn't be 0 tutorials on it"
Interesting take! Of course, everything can be achieved using the stdlib, but then we live in a world now where we have reusable code and abstractions. Coming from C++, I tend to use dependencies less, but that doesn't change the fact that a large number of repositories were dependent on gorilla/mux and other packages in the gorilla toolkit.
I don't think it's going to be the death of Go or anything close to that, just a moderate headache in the long term as projects have to be migrated. I'm more concerned how a package like gorilla/mux can end up archived and without maintainers, especially as I would consider some larger companies are using it.
As of today, gorilla/mux is not archived and seems to be actively maintained. Isn't it?
I have a couple of other videos in this series! There's one about Gorilla being back and another about using the standard library following Go 1.22.
Why no gofiber?
Because it's based on fasthttp, which isn't compatible with the standard library, and doesn't support HTTP/2. Very niche (if at all) circumstances where it would even remotely be beneficial.
Gorilla can still be used. It is just not developed anymore.
Absolutely, although let's hope there are no bugs in there.
Well, you still can use Rust, with its web frameworks, like Actix-Web, Axum or Rocket :D
Rust frameworks are very good. Rocket could be maintained more and Axum could do with more documentation but it's a very good start.
Is this actually a go killer situation ?
For user-facing web services? Maybe. Not necessarily for glue / automation / protocol implementation.
no
Lol what the fuck are you talking about
No, absolutely not. Go will be fine, especially as there are alternatives. I think it's just a headache to migrate over.
The main issue for me is the lack of a decent router in the stdlib and that gorilla was unable to find maintainers.
@@dreamsofcode It's because oldschool coders are not morons and don't want to work for free... my friend always laughs at how stupid JS ecosystem people are.. early 20s people maintain stuff for free like slaves.. and by the time they are 30, completely burnt out
that was the answer when i asked why he has almost empty github profile since he has worked as back-end engineer for 15~ years.
Your content would be much better without background sound. Please consider.
I shall consider! Thank you for the feedback.
You missed Fiber, the best one of all
A lot of people do love Fiber! It looks pretty good.
WTF thumbnail says. 😝
It's a problem with mux, not Go.
Hello, why are you deleting my comments with help on the topic?
youtube removes any comment that contains a link
Not me. Might be that CZcams is removing them?
Go Fiber is sooooo much better
PHP for the win :-)
Keep on thinking that.
Lambo
Cringe
Never
@ lol
hetchTTP?
Haytch-tea-tea-pea
It's British
Go's wasm frameworks have also been dying. I don't know if Go will still be around in the future. I moved to Rust
Where did you get this information??
Go and tinygo both support wasm
@@baxiry. I mean like Vecty and Vugu for frontend wasm. I'm using Yew now
Welcome to the Rust-Family :D
I moved from python to Assembly
I'm a big fan of Rust.
Was going to try go and the install kept failing. That's all she wrote for go😂
I remember back when you had to only write code in the $GO_PATH. That was a nope from me. I'm glad they changed that.
lol that’s what happens when you use third party dependencies.
Aye. It's always a risk. I just wish the stdlib would provide a better solution.
It's aitch not haitch 😅
I will never forgive whoever created a letter without its own sound at the front 😂
@@dreamsofcode yeah .. this year I've discovered many stupid things about how English writes things vs how it pronounces them - it's so unbelievably inconsistent.
In my language (czech) we are very consistent about how things are written and read. English is just a mess overall.
PS: in the video you sometimes say 'aitch' and sometimes 'haitch', I've found that very interesting. Mostly people say it just one way, right .. or wrong xD
@@jsonkody I grew up saying "haitch" which I later realized was incorrect. Now I try to force myself to say "aitch" but it's very hard to relearn how to pronounce something. Since moving to the U.S. I also try to pronounce `tu` sounds as `too` instead of `choo` which is the British way. (i.e. "Toosday" instead of "Choosday")
@@dreamsofcode hmm, that must be difficult .. I was told as a little youngling that H is pronounced 'aitch' so I really never didn't think about that much. And a few years back I've discovered that there is a lot of people who say 'haitch' and that it's all some secret war of 'haitchers' vs grammar nazis.
Btw also I've found that many people across the world mistake two words: his/her .. and I absolutely don't know why. Maybe there are languages where they have only one word for both sexes? I don't know :D
Just move on nothing to see here 😂
Its just the way oss nowadays, either that or its being under developed project owned by enterprise like flutter it goes nowhere now so F slow in development 😂
Not going to miss it, Erlang is better
Miss what? How does a third party dependency equate to a programming language?
I really like Elixir, but that memory usage is so high 😭
@@nictibbetts Man you're on CZcams, that's like Reddit, the average comment is made by a dunce.
Overrated package
Now I know why GO is garbage.
fibre is better
I'm also a fan of the British spelling 😉
@@dreamsofcode yes....spelt be the English