Programming Leftovers
-
Threat Source ☛ PDFs: Portable documents, or perfect deliveries for phish?
The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation.
Brand impersonation is a social engineering technique that exploits the popularity of well-known brands to persuade email recipients to disclose sensitive information. As discussed in our previous blog, adversaries can deliver brand logos and names to victims using multiple types of payloads. One of the most common methods of delivering brand logos and names is through PDF payloads (or attachments).
-
University of Toronto ☛ How you can wind up trying to allocate zero bytes in C
One of the reactions I saw to my entry on malloc(0) being allowed to return NULL is to wonder why you'd ever do a zero-size allocation in the first place. Unfortunately, it's relatively easy to stumble into this situation with simple code in certain sorts of not particularly uncommon situations. The most obvious one is if you're allocating memory for a variable size object, such as a Python tuple or a JSON array. In a simple C implementation these will typically have a fixed struct that contains a pointer to a C memory block with either the actual elements or an array of pointers to them. The natural way to set this up is to write code that winds up calling 'malloc(nelems * sizeof(...))' or something like that, like this: [...]
-
Earthly ☛ I Declared Platform Engineering Dead. At PlatformCon.
I used the weekend to design a two-sided funeral card: front side read like a eulogy, with a cartoon of an engineer crushed under labeled tech boxes (overwhelming the engineer due to its sheer diversity). The back explained the “cause of death”: golden paths, legacy migrations, broken scorecards, and standards documented that no one followed.
-
Buttondown LLC ☛ Logical Quantifiers in Software
I realize that for all I've talked about Logic for Programmers in this newsletter, I never once explained basic logical quantifiers. They're both simple and incredibly useful, so let's do that this week!
-
Nico Cartron ☛ Using man/doc is always a good idea!
So here we go, folks: using man or --help is always a good idea, even in the AI area!
-
Tony Finch ☛ clamp / median / range
Here are a few tangentially-related ideas vaguely near the theme of comparison operators.
-
Yoshua Wuyts ☛ Tree-Structured Concurrency II: Replacing Background Tasks With Actors
(Tree-)Structured Concurrency is neat because it greatly simplifies concurrent programs. It greatly reduces, if not outright eliminates, the possibility of logical races due to concurrency issues. And conceptually it’s not that hard either, as we can encode structured concurrency with just two rules: [...]
-
The New Stack ☛ Why Quality Code Matters and How To Achieve It
Bad code isn’t just an inconvenience; it’s a significant liability that can lead to expensive outages and frustrated development teams. With the increasing use of AI-generated code, the potential for introducing problematic code into software systems is growing. Regardless of how the software development landscape evolves, consistently applied best practices will always be crucial for maintaining code quality.
Let’s explore the concept of technical debt, differences between good and bad code, essential best practices and practical strategies for integrating them into your development workflow.
-
The New Stack ☛ The Cure for Your ‘Zero CVE’ Hangover Is Transparency
The pursuit of “zero CVEs” (common vulnerabilities and exposures) in software is not only unattainable: It diverts critical resources from real-world security challenges. Leaders who have adopted the zero-CVEs tagline are finding themselves with a proverbial hangover from their complicated and fragile mitigation strategy. This obscures a true understanding of your security posture, and leaves you with a foggy, if not incomplete, picture of how vulnerable you really are.
The best way to avoid this hangover is by adopting a transparent approach to your vulnerability management situation.
-
André Arko ☛ You should delete tests
To know why we should delete tests, let’s start with why we write tests in the first place. Why do we write tests? At the surface level, it’s to see if our program works the way we expect. But that doesn’t explain why we would write automated tests rather than simply run our program and observe if it works.
-
[Old] Marc Brooker ☛ Tail Latency Might Matter More Than You Think
These patterns make tail latency more important than you may think.
To understand why, let’s do a simple numerical experiment. Let’s simplify the world so that all services respond with the same latency, and that latency follows a very simple bimodal distribution: 99% of the time with a mean of 10ms (normally distributed with a standard deviation of 2ms), and 1% of the time with a mean of 100ms (and SD of 10ms). In the real world, service latencies are almost always multi-modal like this, but typically not just a sum of normal distributions (but that doesn’t matter here).
-
Python
-
LWN ☛ Getting extensions to work with free-threaded Python
One of the biggest changes to come to the Python world is the addition of the free-threading interpreter, which eliminates the global interpreter lock (GIL) that kept the interpreter thread-safe, but also serialized multi-threaded Python code. Over the years, the GIL has been a source of complaints about the scalability of Python code using threads, so many developers have been looking forward to the change, which has been an experimental feature since Python 3.13 was released in October 2024. Making the free-threaded version work with the rest of the Python ecosystem, especially native extensions, is an ongoing effort, however; Nathan Goldbaum and Lysandros Nikolaou spoke at PyCon US 2025 about those efforts.
-
Max Bernstein ☛ ClassDistribution from S6 JIT is really neat | Max Bernstein
Hidden classes give you the ability to more quickly read from objects, but you, the runtime implementor, have to decide what kind of cache you want to use. Should you have a monomorphic cache? Or a polymorphic cache?
-
Python Speed ☛ 500× faster: Four different ways to speed up your code
If your Python code is slow and needs to be fast, there are many different approaches you can take, from parallelism to writing a compiled extension. But if you just stick to one approach, it’s easy to miss potential speedups, and end up with code that is much slower than it could be.
-
Shell/Bash/Zsh/Ksh
-
Hold The Robot LLC ☛ A CRDT-based Messenger in 12 Lines of Bash Using a Synced Folder | Hold The Robot
This is hardly a Discord killer, but as far as messengers go there are some interesting properties: [...]
-