Programming Leftovers
-
Andrew Nesbitt ☛ The Mismeasure of Open Source
Every attempt to score open source projects for criticality, risk, or funding need ends up built on roughly the same dozen signals, because those are the dozen signals you can get from a registry API and the GitHub REST endpoints in an afternoon. I wrote earlier this week about the 2015 CII census, whose formula scored xz-utils a 6 out of 13 and let it sink to row 254, and which nonetheless got more right than it’s usually given credit for.
Ten years on there are several successor efforts running, from foundations, academics, and funders, and I’ve contributed data to most of them. With far more data and far more people working on the problem they are still largely built on the same inputs, so they inherit most of the same blind spots plus a few new ones, and I wanted to write those down in one place without picking on any single model.
-
Andrew Nesbitt ☛ Weekend at Bernie’s
I have spent the last couple of weeks trying to work out how many of the open source packages we all depend on are in roughly that condition: resolving in every install, pulling millions of downloads a week, accepting new issues, with nobody behind the sunglasses. I’m asking now rather than a few years ago because AI-assisted vulnerability discovery is changing how often somebody actually checks for a pulse.
This matters most at the point where one of those packages gets a security report. Sometimes nobody responds at all, the embargo expires, and a CVE is published with no fixed version to point at. Sometimes a fix does get written, often by the reporter or a drive-by contributor, and it lands in git or sits in an open PR, but the one account with publish rights on the registry has gone and the patched code never reaches anyone’s install command.
- [Old]
Richard P Gabriel ☛ Patterns of Software: Tales from the Software Community [PDF]
The essays in this book started out as a series of columns for the Journal of Object-Oriented Programming. I was trying to model myself somewhat after Samuel Johnson, and the series was aimed at being the digital age’s equivalent of The Rambler. I’m certain I didn’t succeed in matching Johnson’s wit and style, but I matched at least two of his characteristics—procrastination and laziness. Johnson was well known for writing his essays right up to the deadline, often keeping the publisher’s runner waiting for the manuscript as Johnson completed it. In fact, you can notice the effect in many of his essays: An essay starts to make an argument in one direction (corresponding to the first sheets Johnson handed the runner) and then the argument shifts radically or even to the opposite pole as Johnson continued writing and thinking—but revision of the earlier parts was impossible, as it was being typeset for final copy as Johnson pondered.
-
Dirk Eddelbuettel ☛ Dirk Eddelbuettel: RcppSpdlog 0.0.29 on CRAN: Small Enhancement
Version 0.0.29 of RcppSpdlog arrived
This release features a rewritten internal routine unpacking the R variadic arguments into C++ variadic template arguments. This in turn allows to turn back to std::format in C++ mode when C++20 is used. We also adjust for the not-quite-ready-for-this state of the x86-64 based macOS machine at CRAN.
-
Rlang ☛ How to Build an Expected Goals (xG) Model in R with worldfootballR
Expected goals has become one of the most important concepts in modern football analytics. Instead of judging a team only by goals scored, xG helps us estimate the quality of the chances created.
-
Perl / Raku
-
Perl ☛ The Perl Toolchain Summit 2026
I came with a set of work needing to be completed and things I wanted to discuss with people there. The discussions were the most important part and are the raison d'être of the event, and over the four days I had plenty of useful discussions, both planned and non-planned. The first one started whilst walking to the venue on the first day with Paul Evans. We discussed the possibility of separating the behaviour of $^P and PL_perldb - perhaps by using another bit. Devel::Cover uses $^P but doesn't want the behaviour of PL_perldb.
-
-
Python
-
Rahul Gopinath ☛ Generalized LR (GLR) Parser
TLDR; This tutorial is a complete implementation of a GLR Parser in Python. The Python interpreter is embedded so that you can work through the implementation steps. A GLR parser is a generalization of LR parsers. We previously discussed LR(0), SLR(1), LALR(1), and LR(1) parsers. These are deterministic bottom-up parsers that are fast and powerful, but require conflict-free parse tables. They require conflict-free parse tables. Ambiguous grammars, and many grammars that produce shift/reduce or reduce/reduce conflicts, therefore cannot be parsed deterministically without additional conflict-resolution mechanisms such as precedence or associativity declarations. The Generalized LR (GLR) parser, introduced by Tomita [^tomita1986efficient], solves this by pursuing all possible parse actions in parallel whenever a conflict arises. A conflict is no longer an error — it is simply a branch point. This is combined with the Graph Structured Stack (GSS) [^tomita1986efficient] that compactly shares common prefixes between simultaneously-live parse stacks. Similar to Earley, CYK, and GLL parsers, the worst case for GLR parsing is \(O(n^3)\). For LR(1) grammars there are no conflicts, and the parse time is \(O(n)\).
-
Mathieu ☛ Typing some python quirks
Its roots then very obviously pre-date the introduction of any kind of type checking, annotations, as well as a lot of modern tooling. It has both grown very organically on a feature-by-feature basis, and has at times also taken advantage of a lot of the liberties given by Python with regards to dynamic return types, decorators and the likes.
-
University of Toronto ☛ Using a Python 3 LSP server with Python 2 code works (more or less)
I still have a certain amount of Python 2 code, both for work and for personal projects (for example, DWiki, the wiki software behind this blog; it will be Python 3 someday, but not so far). For a long time, I've preferred to do any significant editing of Python code in GNU Emacs, my normal choice for a superintelligent editor, and for a while, I've used LSP based Python editing. There's a very old LSP server for Python 2, but all of the Python LSP servers you actually want to use are specifically for Python 3, and recently I hit a problem that made me turn off the Python 2 LSP server. Since then I've been editing my Python 2 code (cautiously) with pylsp (my normal Python 3 LSP server) and recently, a little bit with 'ruff'. Somewhat to my surprise, this has more or less worked.
-
-
Shell/Bash/Zsh/Ksh
-
Abhinav Gopalakrishnan ☛ Speeding up zsh
Something that had been irking me for a while was how long Zsh took to load.
“How long” was subjective until I finally decided to profile it.
-
HowTo Geek ☛ These 6 Linux command defaults make the terminal much less frustrating
Almost every Linux command has options to control the way it works, and applies default values when you don’t provide any. But these defaults are very sticky, and what made sense in 1970 doesn’t always make sense today.
Many of the original defaults make sense for scripting, but less so for an interactive end-user. Check out these common tools and how you can radically improve them with better default options.
-
-
Java/Golang
-
Redowan Delowar ☛ Type-safe slogging | Redowan Delowar
Typically on a brownfield project I don’t care much about logging libraries and just go with whatever’s already set up. Before slog, I was an avid zap/zerolog user for years. But since Go 1.21, I’ve dropped third-party logging libraries in favor of slog. I even recently ranted a bit on r/golang about people pulling in third-party libs when slog is right there. The common complaints against slog are: [...]
-
DEV Community ☛ Yggdrasil Network as an Embedded GO Library - DEV Community
Yggdrasil is an experimental overlay IPv6 mesh network. In short, it lets you build a "network on top of a network": each node gets a stable IPv6 address derived from its public key, and that address does not depend on where the node is physically located or what external IP address it currently has.
-