Programming Leftovers
- The Register UK ☛ React2Shell vuln exploited by China, Iran, Google warns
Unauthenticated attackers can abuse the flaw, tracked as CVE-2025-55182, to remotely execute code, and the Chocolate Factory's threat hunters said multiple groups are using this vulnerability to deploy backdoors, tunnelers, and cryptocurrency miners.
- Simon Willison ☛ I ported JustHTML from Python to JavaScript with Codex CLI and GPT-5.2 in 4.5 hours
I built simonw/justjshtml, a dependency-free HTML5 parsing library in JavaScript which passes 9,200 tests from the html5lib-tests suite and imitates the API design of Emil’s JustHTML library.
- Andrew Nesbitt ☛ How I Assess Open Source Libraries
Licensing has to be sorted. If a library doesn’t have an OSI-approved license, I won’t use it, and I don’t spend time negotiating or hoping.
I pay attention to who maintains the library. If it’s someone whose other work I already depend on, I’m more confident they’ll stick around and respond when something goes wrong. Projects with multiple active maintainers are better bets than solo efforts, since one person burning out or getting a new job shouldn’t mean the library dies.
- Rlang ☛ Better Code, Without Any Effort, Without Even AI
We are experiencing a programming revolution, with the democratization of artificial intelligence, but also with the creation and improvement of more traditional software tools to improve your code: local, free, deterministic.
In this post, we will introduce you to [...]
- The New Stack ☛ Making the Cyber Resilience Act Work for Open Source
The CRA will inevitably raise expectations for security design and transparency across the software industry. Given the legal requirement to conduct due diligence on open source components they wish to integrate, manufacturers will need to be more selective about the open source components they use, incentivizing prioritization of projects that demonstrate strong security practices, provide clear documentation and publish essential security metadata such as software bills of materials (SBOMs).
This is a positive step, but it also introduces challenges. The risk is that smaller, less-resourced projects may be overlooked, creating an uneven playing field. To prevent sacrificing innovation for compliance, manufacturers, foundations and contributors must work together to share best practices and provide the resources projects need to meet these new standards.
- Kerrick Long ☛ Re: More Fluent Method Signatures in Ruby
I like this a lot. It makes me want to go even harder: [...]
- Anton Zhiyanov ☛ Timing 'Hello, world'
Here's a little unscientific chart showing the compile/run times of a "hello world" program in different languages: [...]
- Andrew Nesbitt ☛ Supply Chain Security Tools for Ruby
I’ve published four Ruby gems that work together to help people build supply chain security tools: purl, vers, sbom, and swhid. They handle the specs that security tooling depends on.
I built these for Ecosyste.ms, which tracks dependencies across package registries. We deal with a lot of cross-ecosystem data: vulnerability reports that reference packages by PURL, version ranges from security advisories, SBOMs from various sources. If you’re building security scanners, registry tooling, or compliance pipelines in Ruby, these might be useful.
- Aman Mittal ☛ Wait, there are smart quotes in my docs
Vale is a prose linter that can help catch these issues automatically. You can create a custom rule to flag smart quotes in your documentation.
Here’s a Vale rule that catches all four types of smart quotes: [...]
- Ubuntu ☛ Native integration available between Canonical LXD and HPE Alletra MP B10000
HPE Alletra is designed to deliver mission-critical storage at mid-range economics, with a consistent data experience across various cloud environments. With this integration, Canonical LXD and MicroCloud users can now provision and manage Alletra block storage directly through the LXD interface, without the need for any third-party plugins or additional abstraction layers.
Perl / Raku
- Perl ☛ German Perl/Raku Workshop 2026
Most of the talks will be held in German; German talks will have English slides at least. English talks are welcome as well.
Python
- Jamie Zawinski ☛ Fucking Python
Today I got my periodic reminder of how much I fucking despise Python, and every so-called tool that has chosen to depend upon Python.
Fuck this whole "ecosystem". I mean really get right up in there and fuck it.
Java/Golang
- Daniel Lemire ☛ Multiplying the Shuffle Speed in Go with Batched Shuffling
Programmers often want to randomly shuffle arrays. Evidently, we want to do so as efficiently as possible. Maybe surprisingly, I found that the performance of random shuffling was not limited by memory bandwidth or latency, but rather by computation. Specifically, it is the computation of the random indexes itself that is slow.
- Kevin McDonald ☛ Traceroute Tool from Scratch in Go
Traceroute is a network diagnostic utility that maps the path that packets take across an IP network. It provides a list of the intermediate routers a packet traverses on its way to a final destination, along with the time taken for each “hop.” This information is crucial for diagnosing network latency and identifying points of failure. Personally, I think it is super cool that there’s a way to figure out the route that your packets are taking.
In this article, I’ll dig into how traceroute works and show you how to build a simple version from scratch using Go.
Rust
- Alisa Sireneva ☛ Rust's v0 mangling scheme in a nutshell
Functions in binary files need to have unique names, so Rust needs to decide what to call its functions and statics. This format needs to be standardized so that debuggers and profilers can recover the full names (e.g. alloc::vec::Vec instead of just Vec).