Programming Leftovers
-
Tom's Hardware ☛ Standard 90-day vulnerability disclosure policy is likely dead thanks to AI, expert warns that AI can weaponize patches in 30 minutes — LLM-assisted bug-hunting ushers in a new cyberworld order
The crux of the matter is that although a bot isn't necessarily any smarter than a human at programming or at hunting for security vulnerabilities, an LLM can do so at full mental capacity 24/7 and is brutally effective at pattern recognition (it is built from pattern recognition, if we must say so). The vast majority of security exploits are rooted in specific bad programming habits, something a bot excels at noticing quickly and repeatedly.
-
Linuxize ☛ Bash Best Practices: Writing Safer, Cleaner Scripts
Practical Bash best practices for writing safer and more predictable scripts, covering strict mode, quoting, error handling, and everyday patterns.
-
Max Bernstein ☛ Partial static single information form
In compilers, static single information form (SSI) is a common extension to static single assignment form (SSA). It was introduced by C. Scott Ananian in 1999 in his MS thesis (PDF).
SSI extends your existing SSA intermediate representation by discovering facts from your existing program and reifying them as path-dependent/flow-sensitive IR nodes. That might sound complicated, but at least the basic idea is pretty natural. I talk a little bit about it in What I talk about when I talk about IRs and I’ll rehash here in more depth, starting with some motivating examples. Consider this admittedly contrived example: [...]
-
Kane Narraway ☛ You Can't Bootstrap Trust
A while back I worked with a guy named Phil. Often we'd have situations where teams would suggest bolting on security at a later stage rather than fixing the underlying problem, and he would always clap back with "you can't bootstrap trust", and that's what I wanted to talk about today. Trust has to be end to end: if any link in the chain is weak, the whole thing collapses. You can build on a rocky foundation, but it's going to reduce the security of the control and lead to gaps in your design that are impossible to plug.
-
Sandor Dargo ☛ C++26: Standard library hardening
Undefined behavior (UB) in C++ is one of the hardest categories of bugs to deal with. It can silently corrupt memory, cause crashes far from the actual mistake, or — worst of all — just happen to work on your machine. A significant share of UB in real codebases comes not from exotic language features, but from basic misuse of the standard library: accessing a vector out of bounds, calling front() on an empty container, or dereferencing an empty optional.
-
Erlang ☛ Erlang/OTP 29.0
Erlang/OTP 29 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.
Many thanks to all contributors!
-
Ian Erik Varatalu ☛ what 262,715 regex questions on stack overflow haven't answered
as part of my PhD research on regex engine algorithms and efficiency, i've been building RE#, a regex engine with complement, intersection, and lookarounds. i wanted to update some outdated regex answers on stack overflow, but i need 10 reputation to answer, and with no one asking questions on there anymore i got a little worried i wouldn't get the chance:
so instead i downloaded the Stack Overflow data dump, about 106GB of XML posts, and went through all 262,715 questions tagged regex, totalling 859,351,734 views. i wanted to test RE# against what people actually use regex for.
this post is both a survey of common regex pain points and a demonstration of how these can be solved with RE#. a lot of the most-viewed questions are about complement and intersection. [...]
-
Perl / Raku
-
Perl ☛ Introducing Time::Str
Time::Str is a Perl module for parsing and formatting date/time strings across 20+ standard formats. It has an optional C/XS backend, nanosecond precision, and rejects input it cannot parse unambiguously rather than guessing.
-
-
Python
-
Andrew Nesbitt ☛ Showing Our Work
A preprint went up on arXiv this week from Alexandros Tsakpinis, Emil Schwenger and Alexander Pretschner at fortiss and TU Munich: Modeling Dependency-Propagated Ecosystem Impact of Changes in Maintenance Activities. They built a model of how maintenance changes propagate through the Python dependency graph, ran it over 718,750 PyPI packages and two million dependency edges, and then benchmarked three real-world support mechanisms against it to see how well each one’s package selection lined up with where the model says support would do the most good.
-
-
R / R-Script
-
Rlang ☛ 15 Years of rOpenSci, and We’re Just Getting Started 🎉
On July 13, 2011, an email was sent with the idea of a shared blog, a clever domain name, and a way to connect R package developers who cared about open science. The name “rOpenSci” appears in that email. A few months before that, the first commits had already been pushed to what would become taxize and treeBASE, two packages that quietly planted the seed of something much bigger.
-
-
Rust
-
Rust Weekly Updates ☛ This Week In Rust: This Week in Rust 651
Hello and welcome to another issue of This Week in Rust!
-
Collabora ☛ Tyr for first place at RustWeek 2026
Join us next week in Utrecht for RustWeek! We'll be running a SuperTuxKart tournament to showcase Tyr, the Rust driver for Arm Mali GPUs. Come and see if you've got what it takes!
-