Visual Studio Code: gopls and YAML
The Go team is developing a Language Server Protocol (LSP) implementation called gopls. Visual Studio Code (and others) support LSP. Other languages (e.g. Python) have LSP implementations too. I’ve been using gopls for some time. It works (mostly) very well and replaces multiple, independent tools with two (gopls and delve).
My Visual Studio Code settings that include gopls are:
"go.autocompleteUnimportedPackages": true,
"go.useLanguageServer": true,
"[go]": {
    "editor.snippetSuggestions": "none",
    "editor.formatOnSave": true,
    "editor.codeActionsOnSave": {
        "source.organizeImports": true
    }
},
"gopls": {
    "usePlaceholders": true,
    "wantCompletionDocumentation": true,
},
"go.toolsEnvVars": {
},
"go.languageServerFlags": [
    "-rpc.trace",
    "serve",
    "--debug=localhost:6060",
],
"go.enableCodeLens": {
    "references": true,
    "runtest": true
},
One of the Google engineers working on gopls gave a comprehensive and interesting overview of the tool at GopherCon 2019.
pypi-transparency
The goal of pypi-transparency is very similar to the underlying motivation for the Golang team’s Checksum Database (also built with Trillian).
Even though PyPI provides hashes of the content of the packages it hosts, the developer must trust that PyPI’s data is consistent. One ambition with pypi-transparency is to provide a companion, tamperproof log of PyPI package files in order to provide a double-check of these hashes.
It is important to understand what this does (and does not) provide. There’s no validation of a package’s content. The only calculation is that, on first observation, a SHA-256 hash is computed of the package’s content and the hash is recorded. If the package is subsequently altered, it’s very probable that the hash will change, and this provides a signal to the user that the package’s contents have changed. Because pypi-transparency uses a tamperproof log, it’s very difficult to update the recorded hash to reflect this change. Corollary: pypi-transparency will record the hashes of packages that include malicious code.
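The first-observation check described above, as an added example that is not pypi-transparency's own code. A simple hash chain stands in for the Trillian log (an assumption made to keep the example self-contained), and the class name, file name and byte strings are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # chain value before any entry exists


def _link(prev, filename, digest):
    # Each entry commits to the previous one, so history cannot be edited silently.
    return hashlib.sha256(f"{prev}|{filename}|{digest}".encode()).hexdigest()


class FirstSeenLog:
    """Hypothetical append-only log of first-observed package hashes.

    A hash chain is used here as a simplified stand-in for a Trillian log.
    """

    def __init__(self):
        self.entries = []     # (filename, sha256 hex, chain hash), append-only
        self.first_seen = {}  # filename -> sha256 hex recorded on first sight

    def head(self):
        return self.entries[-1][2] if self.entries else GENESIS

    def observe(self, filename, content):
        # Content is only hashed, never inspected: whatever bytes are seen
        # first get recorded, whether benign or not.
        digest = hashlib.sha256(content).hexdigest()
        if filename not in self.first_seen:
            self.entries.append((filename, digest, _link(self.head(), filename, digest)))
            self.first_seen[filename] = digest
            return "recorded"
        return "match" if self.first_seen[filename] == digest else "changed"

    def verify_chain(self):
        prev = GENESIS
        for filename, digest, chain in self.entries:
            if chain != _link(prev, filename, digest):
                return False  # an entry was rewritten after being logged
            prev = chain
        return True


if __name__ == "__main__":
    log = FirstSeenLog()
    name = "example_pkg-1.0.tar.gz"                 # constructed sample
    print(log.observe(name, b"original bytes"))     # recorded
    print(log.observe(name, b"original bytes"))     # match
    print(log.observe(name, b"altered bytes"))      # changed
    print(log.verify_chain())                       # True
```

Rewriting a logged digest in place makes `verify_chain()` fail, and recomputing the chain to hide the rewrite changes `head()`, which no longer matches a head value that a client saved earlier.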
Welcome
Now that I’ve (p)retired from Google, I’m starting this blog and will no longer post stories to Medium.
As I concluded my time at Google, I wrapped up work on a Trillian prototype. As it remains Google’s IP, I’m not permitted to discuss it here.
I’ve begun work on another Trillian prototype for Python package transparency, informally pypi-transparency.