Programming Leftovers
Modus Create LLC ☛ Nickel since 1.0
We released Nickel 1.0 in May 2023. Since then, we’ve been working so hard on new features, bug fixes, and performance improvements that we haven’t had the opportunity to write about them as much as we would’ve liked. This post rounds up some of the big changes that we’ve landed over the past few years.
-
Vincent Delft ☛ Vincent's blog
Game of Trees (Got) provides a secure, simple, and audit-friendly version control system designed with OpenBSD principles in mind. When combined with gotd, it allows you to host repositories over SSH with fine-grained access control — without the complexity of Git hosting platforms.
This post walks through the complete process of: [...]
-
Andrew Nesbitt ☛ What Package Registries Could Borrow from OCI
Every package manager ships code as an archive, and every one of them has a slightly different way to do it. npm wraps tarballs in a package/ directory prefix. RubyGems nests gzipped files inside an uncompressed tar. Alpine concatenates three gzip streams and calls it a package. Python cycled through four distribution formats in twenty years. RPM used cpio as its payload format for nearly three decades before finally dropping it in 2025.
Meanwhile, the container world converged on a single format: OCI, the Open Container Initiative spec. And over the past few years, OCI registries have quietly started storing things that aren’t containers at all: Helm charts, Homebrew bottles, WebAssembly modules, AI models. The format was designed for container images, but the underlying primitives turn out to be general enough that it’s worth asking whether every package manager could use OCI for distribution.
-
Ben Werdmuller ☛ Stop calling optimization "innovation."
"The problem is, if you’re optimizing a product that fundamentally isn’t working for how people get news in 2026, all you’re really doing is riding that buggy off of a cliff with style."
-
Lukáš Lalinský ☛ Six months of yak shaving a Zig web backend stack
A while back I wrote about Zio, my async I/O library for Zig. At the end of that post I said the next step was to update my NATS client and write an HTTP server. Well, one thing led to another, and I now have a whole web backend stack written entirely in Zig.
-
[Old] Bruce Schneier ☛ Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'
Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies—who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities.
Later on, researchers announced that particular vulnerabilities existed, but did not publish details. Software companies would then call the vulnerabilities “theoretical” and deny that they actually existed. Of course, they would still ignore the problems, and occasionally threaten the researcher with legal action. Then, of course, some hacker would create an exploit using the vulnerability—and the company would release a really quick patch, apologize profusely, and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers.
It wasn’t until researchers published complete details of the vulnerabilities that the software companies started fixing them.
-
[Old] Vincent Driessen ☛ Git power tools for daily use
Every developer has their own favorite Git tricks they use daily. Here are some of my favorite ones I have been using for as long as I can remember.
-
[Old] Vincent Driessen ☛ Beautiful code » nvie.com
The book's concept is simple: each of the 33 chapters is written by a well-respected professional programmer who answers the question: "What is the most beautiful code you've ever seen?" after which they discuss elaborately why they think it's beautiful.
It's surprising how uncommon it is in our industry to look at existing code just to learn from it. In almost any other engineering or art field, people constantly study the results of their peers. Books on architecture are a great example. What makes a certain design so beautiful or effective? Can I learn something from it to make me a better engineer? I feel we would benefit as an industry if we would collectively take a little more time to reflect and study. We should ask ourselves those questions more often, and allocate study time for it occasionally.
-
Java/Golang
-
Andrew Nesbitt ☛ Go Modules for Package Management Tooling
I’ve been working on a reusable layer for building ecosystem-agnostic package and supply chain tools in Go: fourteen modules under git-pkgs covering manifest parsing, registry clients, license normalization, platform translation, vulnerability feeds, and more.
These are rebuilds of libraries I’ve written and used in Ruby for years, some going back to Libraries.io and more recently for Ecosyste.ms, which I wrote about previously. I built the Go versions for git-pkgs, a tool for exploring the dependency history of your repositories that compiles to a single binary with no runtime dependencies, which matters for a git subcommand that needs to just work on any machine. When I went looking for Go equivalents of my Ruby libraries, most were either abandoned, incomplete, or only covered a single ecosystem, so I rebuilt them.
-