Programming Leftovers

posted by Roy Schestowitz on May 12, 2026

• Lukáš Lalinský ☛ Async I/O in Zig 0.16, today

  Zig 0.16 shipped last month with std.Io, a cross-platform interface for I/O and concurrency. This is a big step for the ecosystem. Libraries can now be written against a standard I/O abstraction, independent of the runtime, and application developers can plug in whatever implementation they want.

• Himanshu Anand ☛ the 90 day disclosure policy is dead

  The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask to the industry: treat every critical security issue as P0 and patch it immediately. Not tomorrow. Not next sprint. Now.

  I have been doing security work for a while now, and the last 12 months feel different. Not in a “AI is going to take over the world” way. In a much more boring, much more practical way. The tools we use, the tools attackers use, and the tools researchers use to find bugs have all gotten smarter at roughly the same speed. And that has quietly killed some of the fundamental assumptions the security industry has been running on for over a decade. Let me walk you through what I mean, with stories.

• Ruby ☛ Ruby 4.0.4 Released

  Ruby 4.0.4 has been released.

  This is a routine update that includes bugfixes. Please see the GitHub Releases for further details.

  We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent regular release. Ruby 4.0.5 will be released in July, 4.0.6 in September, and 4.0.7 in November.

• Qt ☛ Introducing the QML Coding Skill for Agentic Workflows

  Frontier Large Language Models have become genuinely capable QML authors. Benchmarks show models like Claude, GPT, and Gemini achieving between 75% and 86% accuracy on the QML100 benchmark for single-turn coding tasks - a result that reflects the depth of Qt’s open-source ecosystem and the decades of publicly available QML code that has served as training material. For everyday UI components, a well-prompted Hey Hi (AI) agent can produce working, readable QML on the first attempt.

• Perl / Raku

  • Rakulang ☛ Rakudo Weekly 2026.19 Art of Failure

    Post Image: Art of Failure by XoMEoX, CC BY 2.0 https://creativecommons.org/licenses/by/2.0, via Wikimedia Commons Avuserow’s Corner Avuserow tells us that Raku’s Failures are a Great Success while bathed in a beautiful retro orange glow. Raku has failures, a type of delayed exceptions.

• Python

  • University of Toronto ☛ A code (reformatting) conundrum in Python, and heuristics

    Here's the question: should you reindent 'some-statement' so that it's part of the 'if' block?

• Shell/Bash/Zsh/Ksh

  • Kyrylo Silin ☛ The magic of typing terminal commands

    This is the beauty of the terminal: its power lies in simplicity. A few letters typed on a black screen can search vast amounts of data, launch processes, and reshape entire systems.

    Here, you are not a passive user. You are the one who speaks — and the machine listens. Every time you type a command in the terminal, you feel it: the ancient, elegant magic of turning thought into action with nothing but words.

• Java/Golang

  • Techstrong Group Inc ☛ Java Code Isn’t the Problem – The Container Is

    Learn how integrating Docker Scout into Java CI pipelines shifts container security left, replacing manual reviews with automated gates to secure base images and dependencies.

  • Vikash Patel ☛ Just About Go Time

    As engineers, we like to pretend that time.Now() returns an objective truth. It doesn’t. It returns a snapshot of a highly contested, historically unstable set of political boundaries. In 2011, the island nation of Samoa decided they wanted to align their workweek with Australia rather than the United States. To do this, they didn’t just change their clocks; they completely skipped Friday, December 30th. At 11:59 PM on Thursday, the clock ticked over, and it was suddenly Saturday.

    A whole day, erased from existence because a prime minister signed a piece of paper. If your backend job ran a cron on December 30th in Samoa, it just… didn’t happen.

    If we are going to build distributed systems, we have to stop trusting human time. Handling time is the kind of thing that will keep you awake at 3 AM questioning your career choices. This guide details the mechanics of temporal measurement and the architectural protocols required to handle it safely.

  • Kevin Boone ☛ Running a Java server application in a chroot jail

    This article is about running a Java server application on Linux in a least-privileges way, without resorting to containers or virtual machines. In particular, we want to run the application:

    • As an unprivileged user, and
    • With access only to that part of the filesystem that contains the applications’ own data and code.

  • Andrew Nesbitt ☛ proxy

    proxy is a single Go binary that speaks the wire protocols of npm, PyPI, RubyGems, Cargo, Go modules, Maven, NuGet, Composer, Hex, pub.dev, Conan, Conda, CRAN, Debian, RPM, and the OCI container registry. Start it, point a package manager at localhost:8080, and the first install fetches from upstream and writes the artifact to local storage; every install after that is served from the cache. Metadata responses are rewritten on the way through so tarball URLs point back at the proxy rather than the origin, which is the part most simple HTTP caches get wrong.