news
Programming Leftovers
-
Vermaden ☛ GitLab on FreeBSD
Today I will share how to install and setup a GitLab server on FreeBSD. Most people just use Microslopft GitHub these days but this approach has one big drawback – its cloud only solution. When it comes to on premise solutions there are GitLab and there is also Gitea. GitLab is closest to what GitHub provides while Gitea is very light and smaller brother trying to achieve the same goals by doing less. Good to have alternatives.
-
Peter Mbanugo ☛ Control Flow in Odin
Reading control flow in many production codebases is a daunting exercise in mental reconstruction. You dig through exception handlers, nested conditionals, defensive checks, and early exits before you finally uncover the code that does the actual work. Oftentimes the error is hidden in a chain of catch-rethrow-finally blocks, such that when an error occurs, you can hardly pinpoint the root cause. This leads to a whack-a-mole style of debugging.
Control flow in Odin is readable and comprehensible. There are no hidden exceptions. No implicit fallthrough. No invisible jumps across stack frames.
Odin code is imperative, therefore, what you see is what executes.
-
Josh Lospinoso ☛ Abrade After the Happy Path | Josh Lospinoso
In 2017, Abrade had a narrow premise: many web systems expose resources through patterned URLs, and a small command-line program can make those patterns visible. It was not a theory of the web. It was a tool for one kind of pressure: generate candidate paths, request them, and record which ones appear to exist.
That premise still holds, but it is less clean than it first looks. A patterned URL is only the beginning of the interface. Between a generated path and a useful record sit DNS names, TLS handshakes, virtual hosts, HTTP methods, redirects, status codes, shell pages, application defaults, cancellation pages, empty records, rate limits, transport errors, and operator mistakes.
A crawler that treats all of those as one question - did this URL work? - will eventually lie.
-
University of Toronto ☛ Notes on pulling from multiple upstream Git mirrors
Given how 'git pull' works, I believe this would give me the same 'you asked to pull ... but didn't specify a branch' error as 'git pull savannah' does in a standard configuration. It's possible that 'git fetch savannah' followed by 'git merge --ff-only' would work (if the shared remote HEAD was updated by my fetch), but that's already two commands and not much different than other options (at the cost of possibly confusing Git).
-
Andrew Nesbitt ☛ Unboxed: Zig
This is the first in a series of posts working through individual package managers against a fixed set of headings, so they can be compared directly. The headings come from earlier posts: the client and registry categorisations, the governance post, and the threat model.
Zig’s package manager has been built into the zig binary since 0.11 in August 2023, with no separate tool and no central registry. A build.zig.zon file lists dependencies as URLs with content hashes, and zig build fetches and compiles everything together. The language and the tool are both run by the Zig Software Foundation, a 501(c)(3).
-
Sebastian ☛ two case studies of NaN
IEEE-754 NaN is weird. and because of that, it's often accidentally left unaccounted for. i found two instances of this leaking into programming language design. that is, the semantics of these languages hold implicit assumptions which break with NaN.
-
Security Week ☛ Critical Gitea Flaw Under Active Exploitation, Researchers Warn
“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” the researcher notes.
The patch that was introduced in Gitea versions 1.26.3 / 1.26.4 makes reverse-proxy authentication an opt-in feature.
-
Simon Späti ☛ The Grammar of Data: Define Once, Run Anywhere with Cross-Engine Expressions
Having a grammar for data engineering means we can express the workloads in a declarative manner, and then be sure we can deterministically reproduce and apply that exact definition.
It’s similar to the concept of a Declarative Data Stack I introduced a while back, but it gives the stack not only configurations but also a language with in-built manifestation and execution engines.
-
Sandor Dargo ☛ Propagating exceptions from destructors with std::exception_ptr
A few weeks ago, I wrote about what happens when a destructor actually throws and why it is a dangerous idea. One of the readers commented that he was once in a situation where he had to propagate an exception from a destructor. But as a destructor cannot safely throw and it also cannot return any value, he needed a better solution.
And that solution was std::exception_ptr.
Let’s look into what this type is and how it can be used.
-
Kyle Reddoch ☛ Account Inventory and Least Privilege for Small Teams
Small environments have a funny way of collecting access.
A side project starts with one login. Then a friend helps. Then a contractor needs temporary access. Then a family member gets added. Then a tool asks for admin permissions. Six months later nobody knows who can do what, which email owns the account, or whether the person who helped “just for the weekend” can still delete everything.
The first problem is ownership, not technology.
Account inventory and least privilege are the boring controls that make access understandable again. You do not need enterprise identity governance to do this well. You need a list, a review habit, and the willingness to remove access that no longer has a job.
-
Oxide ☛ Performance Has Layers
One of the most beneficial things about building the whole stack is also one of the toughest things: you also own all the problems. When a packet leaves a customer’s guest, travels through a virtual NIC, crosses our software switch, hits the OPTE data path, rides the physical fabric, and arrives at another guest, it passes through several distinct components.
And if you build all of them, as we do, then every one of those components is a place you can make the system faster. It beats the hell out of a five-way call with different vendor support teams.
-
Mijndert Stuij ☛ I was wrong about game development
I thought making a game was all about what it looked like, how it played and how it felt. And in thinking that, I was so close to the truth, but also so far away. The thing I overlooked and underestimated was how hard it is to get the difficulty level of the game just right. Burst only has a couple of levers to pull to make the game easier or more challenging, but even with those few levers, I still got it wrong the first time.
-
Anthony Hobday ☛ Notes on software quality
How I think about quality
-
Kris Shamloo ☛ a software engineering interview question I like: computing the median
I have a number of questions in my quiver when I'm giving technical interviews to candidates. They are all of a similar flavor. I don't ask puzzle questions, I find them low value. Instead, I ask questions that are straightforward but have a few angles with which to explore deeper topics.
Enter the humble median.
-
Justin Le ☛ Extreme Haskell: Typed Expression EDSLs (Part 1) · in Code
In my Seven Levels of Type Safety post, I described different extremes of type safety and fancy code. I talked about how writing effective code was finding the correct compromise for the level of communication and safety you need.
But this is not that kind of blog post. This is the kind of blog post where we celebrate terrifying type-safety, facetious fanciness, and masochistic meta-analysis. This series is about what happens when we dare to go full fancy. Let’s write code that is so inscrutable, so painful and torturous to write, yet so undeniably useful that you can’t help but try to throw it into every single thing you write and will feel a gnawing emptiness in your soul until you do.
-
Robert Lützner ☛ Write better commit messages
The most important rule that I follow is, that a commit message should describe why something was done and not elaborate how something was done. This is the most common mistake I see out in the wild. It’s also something that I absolutely did a lot when I started coding.
-
Mariusz Zaborski ☛ Hunting Memory Leaks in bsnmpd with DTrace
One of my FreeBSD boxes runs bsnmpd, the base system SNMP daemon. The machine is on 15.0-p2, and the daemon kept growing until the kernel ran out of patience and OOM-killed it. That is not a good feature for a daemon.
I could have just added a cron job to restart it and called it a day. But a leak that kills a long-running daemon is exactly the kind of thing I like to chase, and I already had a tool for it.
-
Joost de Valk ☛ Stewarded open source is not enough: who can cut you off?
Here’s the uncomfortable case for Dries’s framework: WordPress. By his definition, WordPress is about as stewarded as open source gets. Full-time maintainers, a security team, release management, long-term support, an enormous plugin directory, update infrastructure serving hundreds of millions of sites. Nobody would call it license-only.
And yet in September 2024, WP Engine, a company hosting a meaningful chunk of the WordPress web, was cut off from WordPress.org overnight. No more plugin and theme updates for their customers, no access to the repository, and shortly after, a popular plugin with millions of installs was taken over on the directory itself. The GPL was never violated. The stewardship never stopped. The access simply ended, because one person decided it should, and one person could.
-
Ankur Sethi ☛ Data locality (sometimes) beats algorithmic complexity — Ankur Sethi
I've been ECS-curious ever since I learned about it in the Bevy game engine documentation.
The ECS architecture predictably improves performance in languages that give you low-level control over memory (C, C++, Rust, Zig, and friends). But how does it fare when used in high-level, dynamic, garbage-collected languages such as JavaScript?
-
Shell
-
Michael Greenberg ☛ try and hs at osdi 2026
Modern CPUs are fast (in part) due to out-of-order execution, which relies on two things that are pretty easy to do in hardware: selective commit/rollback (to drop bad speculations) and dependency tracking (to detect bad speculations). While it's hard to do these things within a program---surprisingly!---it's not so hard to do these things for UNIX processes!
-
Christian Hofstede-Kuhn ☛ chana_masala.sh: A Recipe as a Shell Script
Every household has one dish that started as an accident and ended up in production. Ours arrived some years ago in a HelloFresh box - yes, the meal-kit subscription, our guilty pleasure phase - as an unassuming chickpea curry. We cooked it once, looked at each other, and knew this thing was not going back into the backlog. The subscription is long gone; the recipe survived the migration. It has been running in our kitchen on a roughly weekly release cadence ever since, patched and tuned along the way like any long-lived service: the spice list grew, the onion-garlic-ginger paste became a hard dependency, and whole spices got promoted from experiment to optional-but-recommended.
-
-
R / R-Script
-
Rlang ☛ SummaryTables: Publication-Ready Summary Tables for jamovi
Powered by the gtsummary package in R, this module bridges the gap between running your analyses and publishing them. Instead of piecing together multiple separate outputs into a final manuscript table, SummaryTables generates beautifully formatted, publication-ready tables directly within jamovi. By making complex analyses simple and accessible, it saves you valuable time and reduces the risk of transcription errors. It summarizes data sets, regression models, and more, using sensible defaults while offering highly customizable capabilities.
-
Rlang ☛ An API for Everything There Is to Know About Packages
On R-Universe you can discover and learn everything there is to know about R packages. But did you know it does only provide a human-friendly website, but also programmatic access to all information through APIs! Thanks to those APIs you can list universes, list packages in an universe, get information on packages, and perform searches; all without any need for authentication.
The R-Universe APIs are both handy and reliable. You can build upon them, as both rOpenSci and community members have done. This post shows some examples of use cases with the R-Universe API.
-
-
Java/Golang
-
Andrii ☛ Eliminating Go bound checks with unsafe
Hot path optimization: unsafe pointer arithmetic to eliminate bound checks the Go compiler can't remove, given you can prove they are truly unnecessary.
-
Frank Delporte ☛ My Book 'Java Programming for Raspberry Pi' is Now Available as Softcover and Hardcover on Amazon · webtechie.be
“Java Programming for Raspberry Pi: A Hands-On Guide to Electronics and IoT Projects” is now available as a softcover and hardcover paper book through Amazon, on top of the Kindle ebook and the pay-as-you-wish version on Leanpub . If you prefer holding a physical book while you’re wiring up LEDs and sensors on your Raspberry Pi, that’s now possible again.
-
Anton Zhiyanov ☛ Go-flavored concurrency in C
Go's concurrency is one of the main reasons people like the language. You write go f(), send values through channels, and the runtime scheduler runs thousands of goroutines on just a few OS threads. It feels effortless.
None of that machinery exists in C. Which made me wonder: how close can you get to Go's concurrency model using only POSIX threads? Obviously, native OS threads can't match the efficiency of lightweight goroutines, but what is the actual cost, when does it become a problem, and is there any way to at least partially avoid it?
I ran into these questions while adding concurrency to Solod (So), a strict subset of Go that translates to plain C, with no runtime and no garbage collector. In the end, I came to the conclusion that you can do quite a lot with pthreads — as long as you're honest about the tradeoffs.
This post is about the POSIX threads-based concurrency model I chose, the benefits it offers, and its limitations.
-