Writing secure Go code
(jarosz.dev) 381 points by gus_leonel 8 months ago
It indeed is. Please read https://go101.org/blog/2024-03-01-for-loop-semantic-changes-... and https://github.com/golang/go/issues/66156
There might be some bugs in .2: https://github.com/golang/go/issues/70035
The examples in that ticket are convoluted; who would write code like that? Has this issue been spotted in the wild?
I agree that there is some issue and a lint should probably warn you about these, but I doubt a lot of people will run into it.
You should read that article carefully.
Some Go core team members don't agree with you: https://github.com/golang/go/issues/66156
Please note, currently, there are no tools to detect the new footguns created by the new semantics of 3-clause "for;;" loops: https://github.com/golang/go/issues/66156
> The second step is to keep the Go versions in our projects current. Even though we don’t use the latest and greatest language features, bumping the Go version gives us all security patches for discovered vulnerabilities.
It is not always a good strategy to use the latest toolchain version. There are often some fresh bugs in it. From the security perspective, it is better to use the previous version, which is also still being maintained.