Programming Leftovers
-
Daniel Stenberg ☛ curl security moves again
This move turns out to have been a mistake and we are now undoing that part of the decision. The reward money is still gone, there is no bug-bounty, no money for vulnerability reports, but we return to accepting and handling curl vulnerability and security reports on Hackerone. Starting March 1st 2026, this is now (again) the official place to report security problems to the curl project.
This zig-zagging is unfortunate but we do it with the best of intentions. In the curl security team we were naively thinking that since so many projects are already using this setup it should be good enough for us too since we don’t have any particular special requirements. We wrongly thought. Now I instead question how other Open Source projects can use this. It feels like an area and use case for Open Source projects that is under-focused: proper, secure and efficient vulnerability reporting without bug-bounty.
-
Sandor Dargo ☛ Partial Truth vs Explicit Failure: Designing Honest System Responses
Systems often face partial failure, yet our interfaces force us into a binary choice: success or error. Treating partial truth as full success hides uncertainty — and is often more dangerous than returning an explicit failure, even though reality usually lies somewhere between these two extremes.
Let’s admit it: real-world systems rarely fail cleanly. There are many ways things can go partially wrong. Dependencies time out, caches go stale or fail to synchronize, subsystems lag behind or respond slower than expected.
-
Max Bernstein ☛ A fuzzer for the Toy Optimizer
So does it work? If you run it, it’ll hang for a bit and then report no issues. That’s helpful, in a sense… it’s revealing that it is unable to find a certain class of bug in the optimizer.
Let’s comment out the main load-bearing pillar of correctness in the optimizer—removing aliasing writes—and see what happens.
We get a crash nearly instantly: [...]
-
Tom's Hardware ☛ Enterprising developer somehow writes an x86 CPU emulator in plain CSS — no Javascript, no WASM, just stylesheet computing
-
Andrew Nesbitt ☛ Two Kinds of Attestation
Naming is hard, but it matters more than usual when the names carry assumptions about what’s actually in place. “Attested” sounds rigorous whether or not it is, and “supplier” implies a contractual relationship that doesn’t exist. Once these words are in standards and regulations, people downstream build processes around what they think the words mean, and unpicking those assumptions later is much harder than getting the names right in the first place. Toaster regulations at least have the advantage that everyone agrees on what a toaster is.
-
Perl / Raku
-
Fuzzix ☛ fuzzix dot org :: Revisiting Async and the RtMidi Event Loop
A coupla few years ago I wrote about Integrating RtMidi's event loop with IO::Async. The basic approach involved spawning a routine which set up a RtMidi callback to pass MIDI messages back to the main process via a channel. This routine then went to sleep to allow RtMidi's own event loop to take control.
-
-
Education
-
Raspberry Pi ☛ ‘Using PRIMM to teach programming’: A new short course for educators
At the Raspberry Pi Foundation, we believe that learning to program equips young people with the knowledge and skills they need to thrive in an increasingly digital world. For many educators, teaching programming effectively can be challenging, particularly when their learners are at different stages in their programming journey. Ask learners to write code too early, and they might struggle or feel intimidated. Rely too heavily on step-by-step instructions, and you limit learners’ chances to explore ideas or develop deeper understanding.
-
Eric MacAdie ☛ 2026-01 Austin Emacs Meetup
There were two meetings over the past two months for EmacsATX, the Austin Emacs Meetup group. I took notes for January, but never got around to making a write-up. I will make a post for each month. For each month we had no predetermined topic. However, as always, there were mentions of many modes, packages, technologies and websites, some of which I had never heard of before, and some of this may be of interest to you as well.
-
-
Java/Golang
-
Redowan Delowar ☛ What canceled my Go context?
Go 1.20 and 1.21 added cause-tracking functions to the context package that fix this, but there’s a subtlety with WithTimeoutCause that most examples skip.
-