Programming Leftovers
-
OSTechNix ☛ JavaScript Timestamp Bugs: How UTC Mistakes Break Web Apps
JavaScript's Date object is at the centre of most of these incidents because it behaves differently depending on input format, timezone, browser environment, and serialization method.
-
Vittorio Romeo ☛ vittorio romeo's website: cost of enum-to-string: C++26 reflection vs the old ways
That article used a prerelease GCC 16 snapshot. Since then, GCC 16 has been officially released1 and is now widely available, which seemed like a good excuse to revisit the topic with a more realistic example: enum-to-string conversion.
-
Feld ☛ Spam Resistant Forges
There is a lot of consternation lately about the growing onslaught of low-quality (spam) and completely AI submitted bug reports, pull requests, etc. This is unrelated to AI scrapers which can be another problem, but I'm more interested in the concerns about the bottleneck of "code review".
Perhaps you can't take my advice and shut down your public repos. I've experienced firsthand the burden of dealing with 100% human-made spam getting published on our GitLab, which no amount of captcha or email verification can stop. Unfortunately, "open registration" is a pretty big vulnerability. If you opt instead to require admins to approve accounts, you're just asking someone to sit there all day and click APPROVE or DENY hundreds to thousands of times. (It really gets that bad!)
We don't yet have a functional "federated" git forge and I'm skeptical it will ever work well. To me this feels like reinventing the wheel, and the benefits appear limited.
-
Gergely Nagy ☛ Federated Forge Fantasy: The Protocol
I have been looking forward to ForgeFed for a long time. I even contributed a little to Forgejo’s federation efforts - and while I’m not involved in either project anymore, ever since sinking my teeth into forge federation, I have a recurring dream about a federated forge. One that is very different from ForgeFed’s model, and does not resemble Forgejo much either. Something closer in spirit - but spirit only - to SourceHut. Every dream is more vivid, and every time it becomes harder and harder to ignore it. I chose to ignore it, because I don’t have the time or the resources to work on it, nor to get involved in these efforts, really. But lately, it’s taking a form that I cannot ignore further, it wants out. What I have in mind right now is too big for a single blog post, so this tome was born: I will put the parts I manage to write in it, starting with a rough description of…
-
Andrew Nesbitt ☛ Not a Security Issue
Daniel Stenberg wrote yesterday about Mythos finding a real curl vulnerability, which sent me poking around the curl tree with a couple of AI-assisted scanners to see what else turned up in a codebase that has already had every fuzzer and auditor on earth pointed at it. The findings were better than expected, and one reason stood out: the scanners had read docs/VULN-DISCLOSURE-POLICY.md and applied it.
A whole class of results came back labelled in effect “real bug, worth fixing, but not a security issue per the project’s own policy”: server-triggered NULL dereferences, small leaks, things that only fire if you can already control the command line. The tool had found them, checked them against curl’s published list of what doesn’t count, and demoted them before I had to.
-
Undeadly ☛ Game of Trees 0.125 released
Version 0.125 of Game of Trees has been released (and the port updated). Note the security fixes: [...]
-
Qt ☛ From Classroom to Code II: Innovative Qt Apps by Future Developers
Last year, we shared the story of a new collaboration with the Cologne University of Applied Sciences (German: TH Köln) for a new course titled Engineering Desktop Applications with C++ and Qt (EDA). The first edition gave students the chance to explore modern C++ and Qt development in a hands-on setting, with teams designing and building their own music player application.
Now, the collaboration has successfully entered its second round.
-
R / R-Script
-
Rlang ☛ Setting function parameters for debugging
I tend to write a lot of functions that create specific graphics implemented with ggplot2. Although I try to pick graphic parameters (e.g. colors, text size, etc.) that are reasonable, I will typically define all relevant aesthetics as parameters to my function. As a result, my functions tend to have a lot of parameters. When I need to debug the function, I need to have all those parameters set in the global environment, which usually requires me to highlight each assignment and run it. This function automates this process. You can pass any function and it will attempt to set parameters in the given environment (the global environment by default). It will return a data frame with a column indicating whether the variable was set and its value. This is useful for knowing which parameters don’t have a default value and need to be set yourself.
-
Python
-
Henry Schreiner ☛ Python 3.15
Python 3.15 beta 1 is out! This is a really impactful release, with some really big additions. A new lazy import system, a powerful sampling profiler, not one but two new builtins, the usual color/types/errors updates, and lots of key changes for developers.
-
Java/Golang
-
Trail of Bits ☛ Go fuzzing was missing half the toolkit. We forked the toolchain to fix it.
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built gosentry, a fuzzing-oriented fork of the Go toolchain that keeps the standard testing.F workflow while using a stronger fuzzing stack underneath to tackle those issues.
-