Programming Leftovers
-
Trail of Bits ☛ Fuzzing between the lines in popular barcode software
Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that’s not always the case. In this blog post, we show how we fuzzed the ZBar barcode scanning library and why, despite our limited time budget, we found serious bugs: an out-of-bounds stack buffer write that can lead to arbitrary code execution with a malicious barcode, and a memory leak that can be used to perform a denial-of-service attack.
ZBar is an open-source library for reading barcodes written in C. It supports an impressive number of barcode formats, including QR codes. One of our clients used it, so we wanted to quickly assess its security. Given the extensive amount of code, manual review was not an option. Since we noticed no public mention of fuzzing, we decided to give it a shot.
-
Andy Dote ☛ Too Much Configuration | Andy Dote
When writing software, you will come across many questions which don’t always have a clear answer, and it's tempting to not answer the question, and provide it as a configuration option to the user of your software. You might go as far as setting a default value though. This seems good for everyone; you don’t have to make a decision, users can change their minds whenever they want.
However, too much configuration is a bad thing in general. There are two ways I want to view configuration: internally, from the developer of the software’s perspective, and externally, from the user of the software’s perspective (who might also be writing software.)
-
Elias Mårtenson ☛ An imperative introduction to array programming — Elias Mårtenson
You may have heard of array programming languages such as APL, J or K. If you have, you've probably heard that code written in these languages is incredibly dense and unreadable. “Line noise” is a term often used to refer to them.
In this post, I will try to use Kap to give an introduction to the language by using an imperative programming style. Actual Kap code is a mix of terse and verbose styles, but perhaps illustrating the verbose style first provides a different perspective.
-
Jacob Nowosad ☛ Comparison of spatial patterns in categorical raster data for overlapping regions using R – Thinking in spatial patterns
This blog post focuses on the comparison of spatial patterns in categorical raster data for overlapping regions. In other words, here we have two rasters with the same number of rows and columns, and we want to compare their spatial patterns.
For this blog post, we use two categorical raster datasets: the CORINE Land Cover (CLC) datasets for Tartu (Estonia) for the years 2000 and 2018.
-
Rlang ☛ Powering Up Your Variables with Assignments and Expressions in C
Understanding how to manipulate variables and work with expressions is fundamental to becoming a proficient C programmer. In this comprehensive guide, we’ll explore compound operators, operator precedence, and typecasting – essential concepts that will elevate your C programming skills from basic to professional level.
-
Daniel Stenberg ☛ curl source code age
In every software project that has been around for a while there is of course newer code and older code. A question that often pops up at least in my mind is then: How much of the old code has actually survived over the years and is still in use today?
And how would you visualize that in a way that makes it possible to understand the data?
-
Scoop News Group ☛ White House to agencies: Don’t wait to test your post-quantum encryption
A White House official warned federal agencies Wednesday not to wait until their new post-quantum encryption algorithms are deployed in production to test them.
Agencies have been slowly working to integrate into federal IT systems new encryption algorithms that can defend against future hacks from quantum computers, but the White House wants to make sure the new protections don’t lead to major glitches when they’re deployed to legacy systems and environments.
-
Sandor Dargo ☛ (When) performance is not about algorithmic complexity
I’ve been taking part in coding dojos either as a participant or a facilitator for the last more or less 10 years with some smaller gaps around reorganizations. Coding dojos helped me turn around my career completely. But that’s not what I’m going to write about today.
As a facilitator, I sometimes drive a session very closely, but sometimes I just sit and listen and let the others go in the direction they want until I join back again more actively to ask some questions about the decisions they made.
-
Jonas Hietala ☛ Jonas Hietala: Good and Bad Programmers
Every now and then, blog posts about what it takes to be a good programmer or how you figure out if someone is a bad programmer arrive. There’s always talk about how you find the good programmers in interviews and the topic is always hot in schools and universities.
-
Zed ☛ SSH Remoting is Here!
For the SSH connection, we use the ControlMaster setting to maintain a single connection to each host. This means that you can open new terminals and spawn tasks without having to retype your passphrase or re-authenticate. Once connected, we download the remote server for your operating system and architecture. Unlike our normal Linux builds, the remote server can be compiled with musl, which requires no dynamic linking. This lets it work on older distros (where before we ran into compatibility problems with glibc) and on modern share-nothing distros like Nix that don't have a global set of libraries to dynamically link. Once we've established the connection and installed the remote server, we initialize it as a daemon, so that when connections do drop the remote server continues running and on reconnect your language servers are still fully initialized. We also back up any unsaved changes locally, so you never lose your work.
-
Lucy D'Agostino McGowan & Nick Strayer ☛ Spooky Seasons Greetings
I thought it’d be fun to celebrate spooky season with a little stats punny plot. We’re going to turn a normal distribution into a paranormal distribution! HA!
-
Karl Seguin ☛ TCP Server in Zig - Part 8 - Epoll & Kqueue
Now that we're more familiar with epoll and kqueue individually, it's time to bring everything together. We'll begin by looking at the possible interaction between evented I/O and threads and then look at writing a basic cross-platform abstraction over the platform-specific epoll and kqueue.
-
Armin Ronacher ☛ Make It Ephemeral: Software Should Decay and Lose Data | Armin Ronacher's Thoughts and Writings
Most software that exists today does not forget. Creating software that remembers is easy, but designing software that deliberately “forgets” is a bit more complex. By “forgetting,” I don't mean losing data because it wasn’t saved or losing it randomly due to bugs. I'm referring to making a deliberate design decision to discard data at a later time. This ability to forget can be an incredibly beneficial property for many applications. Most importantly, software that forgets enables different user experiences.
I'm willing to bet that your cloud storage or SaaS applications likely serve as dumping grounds for outdated, forgotten files and artifacts. This doesn’t have to be the case.
-
Evil Martians ☛ Woah, opacity! A full guide to this badass hero of efficient UI design—Martian Chronicles, Evil Martians’ team blog
Transparent colors are a staple of modern operating systems, yet, for some reason, web apps still underutilize this marvel of modern interface design. And what happens when you properly integrate transparent colors into your design toolkit? You can minimize the number of design tokens, styles, and component variations—making your workflow more efficient and flexible. So, let’s talk about the ways opacity can be a game-changer in your design practice—and especially useful for startups and fast-moving teams!
-
Red Hat ☛ Tutorial: Implement custom policies in 3scale API Management
This tutorial aims to exemplify the construction and implementation of custom policies.
-
Christian Gmeiner ☛ CI-Tron: A Long Road to a Better Board Farm
I’m a big supporter of finding problems before they get into the code base. The earlier you catch issues, the easier they are to fix. One of the main tools that helps with this is a Continuous Integration (CI) farm. A CI farm allows you to run extensive tests like deqp or piglit on a merge request or even on a private git branch before any code is merged, which significantly helps catch problems early.
I’m not the first one at Igalia to think this is really important. We already have a large Raspberry Pi board farm available on freedesktop’s GitLab instance that serves as a powerful tool for validating changes before they hit the main branch.
-
Rlang ☛ Delimiting the modelling background for scattered uneven occurrence data
In species distribution modelling and ecological niche modelling (SDM & ENM), the region from where background or pseudoabsence points are picked is key to how well a model turns out.
-
Rlang ☛ Chat with your tabular data in www.techtonique.net
-
Rlang ☛ How to Use ‘OR’ Operator in R: A Comprehensive Guide for Beginners
The OR operator is a fundamental component in R programming that enables you to evaluate multiple conditions simultaneously.
-
Qt ☛ [proprietary] LTS Qt 5.15.18 Released
We have released Qt 5.15.18 LTS for subscription license holders today. As a patch release, Qt 5.15.18 does not add any new functionality but provides bug fixes.
-
Qt ☛ Qt Creator 15 Beta2 released
We are happy to announce the release of Qt Creator 15 Beta2!
-
Python
-
The New Stack ☛ Python 3.14.0 Alpha Is Now Available: Here’s What’s Included
Python developers get excited because the first alpha of version 3.14.0 of the widely popular programming language has been made available.
-
The New Stack ☛ Why Beginning Developers Love Python
Deb Nicholson, executive director of the Python Software Foundation...
-
-
Java
-
Frank Delporte ☛ Why Java 8 is a Ticking Time Bomb Hiding Within Your Organization
When I spoke to developers at Devoxx in Belgium in October, I was surprised to learn how many of them are maintaining systems that are still running on Java 8 (released in 2014). One of them even still has a Java 5 application in production, with a runtime of 20 years old!
I know I’m biased, as I experiment extensively with the latest Java versions to learn what improvements they bring. But it hurts my heart to think of all those developers maintaining old systems, missing out on all the coding and performance improvements that newer versions offer. In this post, I want to highlight some of the many reasons why staying on Java 8 is a ticking time bomb…
-
-
Standards/Consortia
-
Terence Eden ☛ Using phpList for a blog’s newsletter
Some people like to receive this blog via email. I previously used JetPack to send out subscriber messages - but it became increasingly clear that Automattic isn't a good steward of such things. I couldn't find any services which would let me send a few thousand subscribers a few emails per week, at zero cost.
So, redecentralise!
-