Programming Leftovers
-
Andrew Nesbitt ☛ Forge | Andrew Nesbitt
I’ve been building something that needs to talk to all of these forges, a project I’m not quite ready to announce yet, and the idea of wrapping four different CLIs with four different output formats and four different authentication flows was not appealing. I wanted one interface that worked the same way everywhere, for humans on the command line and for AI coding agents that need to interact with forges programmatically.
-
SusamPal ☛ Git Checkout, Reset and Restore
I have always used the git checkout and git reset commands to reset my working tree or index but since Git 2.23 there has been a git restore command available for these purposes. In this post, I record how some of the 'older' commands I use map to the new ones. Well, the new commands aren't exactly new since Git 2.23 was released in 2019, so this post is perhaps six years too late. Even so, I want to write this down for future reference. It is worth noting that the old and new commands are not always equivalent. I'll talk more about this briefly as we discuss the commands. However, they can be used to perform similar tasks. Some of these tasks are discussed below.
-
Ben Congdon ☛ Feature Flagging at Databricks
In late January, I published a post (archive) on the Databricks engineering blog about “SAFE”, the feature flagging and experimentation platform I’ve been working on for the past few years. SAFE is what I’ve been spending most of my time on during my time at Databricks, and it’s been rewarding to see the project grow from an initial prototype to a mature internal platform.
-
Dan Q ☛ Why Security Engineering needs a Hacker Mentality
Thinking “like a hacker” involves a certain level of curiosity and creativity with technology. And there’s a huge overlap between that outlook and the attitude required to be a security engineer.
-
R / R-Script
-
Rlang ☛ Three Posit Platform Features Worth Knowing About
The fix is to point R at a binary-supporting mirror, which is exactly what Posit Package Manager provides. With binaries, that same install dropped to under two minutes, no compilation, no hunting down system dependencies.
-
-
Python
-
University of Toronto ☛ You (I) should document the forms of your Django web application
We have a long-standing Django web application to handle (Unix) account requests. Since these are requests, there is some state involved, so for a long time a request could be pending, approved, or rejected, with the extra complexity that an approved request might be incomplete and waiting on the person to pick their login. Recently I added being able to put a request into a new state, 'held', in order to deal with some local complexities where we might have a request that we didn't want to delete but also didn't want to go through to create an account.
-
-
Java/Golang
-
NVISO Labs ☛ Exploitation of CVE-2026-1281 & CVE-2026-1340 Ivanti EPMM Sleeper Shells
Decompiling all four payloads/Java classes showed that they serve the same purpose and have the same structure. In short: When invoked, the class retrieves the servlet request/response from whatever object it’s given, runs a hardcoded command as a separate process via the exec(String[] cmdarray) method of java.lang.Runtime, the hardcoded command is stored in the String Array called var9 and returns any output in the HTTP response. The content of the String Array var9 is also the only difference in the decompiled code.
-
-
Rust
-
Rust Blog ☛ The Rust Programming Language Blog: Call for Testing: Build Dir Layout v2
We would welcome people to try and report issues with the nightly-only cargo -Zbuild-dir-new-layout. While the layout of the build dir is internal-only, many projects need to rely on the unspecified details due to missing features within Cargo.
-