Programming Leftovers
-
Carlos Becker ☛ Announcing GoReleaser v2.5 - multi languages, 9th anniversary edition
But I digress… GoReleaser now officially, albeit in alpha, supports both Rust and Zig!
-
Yoshua Wuyts ☛ What are temporal and spatial memory safety?
The lovely folks working on security over at Google have recently been writing about "temporal (memory) safety" and "spatial (memory) safety". When I first saw these terms it took me a minute to figure out what they meant, as searching for it online didn't yield immediate answers. So I figured it might be helpful to write it down for others to find:
• Spatial memory safety: describes violations like out-of-bounds access. Say you have a vec of 10 items, it's undefined behavior if you try and read from the memory location of the non-existent 11th item. You can think of these as violations that have to do with memory regions (space).
• Temporal memory safety: describes violations like use-after-free. Say you have a type that has been de-initialized already ("dropped" in Rust), it's undefined behavior to then try and read from any of its fields. You can think of these as violations that have to do with the ordering of memory operations (time).
-
Python
-
Justin Duke ☛ Hypermodern Django · Applied Cartography
I've been on the hunt for a new way to dogfood Buttondown for the past month or so, and I've finally found it: Hypermodern Django.
At this point, all of my/our usages of Buttondown for Buttondown don't involve archives: we're using it headlessly, with RSS-to-email and APIs powering both this site's newsletter and the 'official' one. This is great, and I'm proud of the fact that we can even do that, but it means: [...]
-
Jeff Triplett ☛ New project to shorten django-admin to django because we are not monsters
One of the biggest mysteries in Django is why I have to run django-admin from my terminal instead of just running django. Confusingly, django-admin has nothing to do with Django’s admin app.
If you have ever wondered why and wanted to type django from your terminal, my new project, django-cli-no-admin solves this problem for you.
-
Golang
-
Platform.sh GmbH ☛ Platform.sh team finds auth bypass in Go SSH package
Systems that implement this callback function incorrectly end up with a vulnerability that allows an authorization bypass in Go's x/crypto/ssh. Our analysis suggests that this issue is prevalent across multiple projects utilizing this (golang.org/x/crypto/ssh) package, leading to potentially severe security implications. At the time of writing, there are ~19k known importers of this ssh package.
-