Bugs Rust Won't Catch
In April 2026, Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that ships by default since 25.10. Most of them came out of an external audit commissioned ahead of the 26.04 LTS. I read through the list and thought there’s a lot to learn from it. What’s notable is that all of these bugs landed in a production Rust codebase, written by people who knew what they were doing, and none of them were caught by the borrow checker, clippy lints, or cargo audit.
- https://corrode.dev/blog/bugs-rust-wont-catch/
interesting!
https://lawsofsoftwareengineering.com/
i like this quite a lot. now i'm going to look for the same thing for logical fallacies, rhetoric manipulations etc.
to read later:
For the last two years, technologists have ominously predicted that AI coding agents will be responsible for a deluge of security vulnerabilities. They were right! Just, not for the reasons they thought. Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement won’t be a slow burn, but rather a step function. Substantial amounts of high-impact vulnerability research (maybe even most of it) will happen simply by pointing an agent at a source tree and typing “find me zero days”. I think this outcome is locked in. That we’re starting to see its first clear indications. And that it will profoundly alter information security, and the Internet itself.
- https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/
the situation on facebook is becoming more and more insufferable every single day. apart from the poisoning of the public discourse by bot armies i'm getting drowned in friend requests from fake profiles.
if we were to go back to creating a social network for people we have actual social connections with, how could we design a system that ensures the people on it are real, while keeping the effort low (i.e. no manual intervention by admins, no data gathering like license upload).
maybe "bad behaviour" of a person should reflect back on the person that vouched for them, but that'd necessitate some form of "social capital" you can earn or lose.
at some point you always have an incentive for people to game the system and those bad actors could probably circumvent the invite and vouching system. maybe the way for that would be to limit reach. if you get to see posts from "third parties", i.e. people you didn't choose to connect with, those can achieve reach without having direct personal connections.
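To make the vouching idea concrete, here is an added toy model (my own illustration, not anything from the post or from any existing network) of an invite-only network where a confirmed report against a member costs them reputation and a decaying share of that penalty flows back up their vouch chain, and where members below a threshold can neither vouch for newcomers nor reach third parties. The class, method names and all the numbers (starting reputation, penalty, decay, threshold, chain depth) are assumptions chosen for the demonstration.

```python
"""Toy model of an invite-and-vouch network with 'social capital'.

Added illustration: a member who misbehaves loses reputation, and a
decaying fraction of that loss is charged to whoever vouched for them,
up the chain. Low-reputation members lose the ability to vouch and to
reach people they are not directly connected to. All constants are
assumptions, not values from any real system.
"""
from dataclasses import dataclass
from typing import Optional

START_REPUTATION = 1.0   # assumed: every member starts fully trusted
VOUCH_THRESHOLD = 0.5    # assumed: minimum reputation to vouch or reach third parties
PENALTY = 0.3            # assumed: cost of one confirmed bad-behaviour report
DECAY = 0.5              # assumed: share of the penalty passed on to the voucher
MAX_CHAIN_DEPTH = 3      # assumed: how far up the vouch chain a penalty travels


@dataclass
class Member:
    name: str
    voucher: Optional[str]          # None for founding members
    reputation: float = START_REPUTATION


class VouchNetwork:
    def __init__(self, founders: list[str]) -> None:
        self.members: dict[str, Member] = {n: Member(n, None) for n in founders}

    def can_vouch(self, name: str) -> bool:
        return self.members[name].reputation >= VOUCH_THRESHOLD

    def vouch(self, voucher: str, newcomer: str) -> bool:
        """Admit `newcomer` on the word of `voucher`; refused if the voucher
        has fallen below the threshold or the newcomer already exists."""
        if voucher not in self.members or newcomer in self.members:
            return False
        if not self.can_vouch(voucher):
            return False
        self.members[newcomer] = Member(newcomer, voucher)
        return True

    def report(self, name: str) -> None:
        """Apply one confirmed report: the member pays PENALTY, their voucher
        pays PENALTY * DECAY, the voucher's voucher PENALTY * DECAY**2, and so
        on, up to MAX_CHAIN_DEPTH members in total."""
        current: Optional[Member] = self.members[name]
        penalty = PENALTY
        depth = 0
        while current is not None and depth < MAX_CHAIN_DEPTH:
            current.reputation = max(0.0, current.reputation - penalty)
            penalty *= DECAY
            depth += 1
            current = self.members[current.voucher] if current.voucher else None

    def can_reach_third_parties(self, name: str) -> bool:
        """Reach limiting: only members above the threshold get shown to
        people who did not choose to connect with them."""
        return self.members[name].reputation >= VOUCH_THRESHOLD

    def reputation(self, name: str) -> float:
        return self.members[name].reputation


if __name__ == "__main__":
    # Constructed scenario: alice founds, vouches bob, who vouches carol,
    # who vouches dave; dave then gets reported three times.
    net = VouchNetwork(["alice"])
    net.vouch("alice", "bob")
    net.vouch("bob", "carol")
    net.vouch("carol", "dave")
    for _ in range(3):
        net.report("dave")
    for n in ("alice", "bob", "carol", "dave"):
        print(f"{n}: reputation={net.reputation(n):.3f} "
              f"can_vouch={net.can_vouch(n)} "
              f"reach_third_parties={net.can_reach_third_parties(n)}")
```

Running the scenario at the bottom shows the intended pressure: after three reports dave drops to 0.1 and can no longer vouch or reach strangers, carol (his voucher) loses 0.45, bob loses 0.225, and alice, three hops up, is untouched because the penalty chain is capped.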
a few days ago i linked apenwarr's post "Every layer of review makes you 10x slower".
yesterday i read the_guardian's AI got the blame for the Iran school bombing. The truth is far more worrying.
they fit together beautifully and terrifyingly. palantir's maven made the people skip the review stage in favor of faster targeting times, which resulted in the bombing of an iranian girls' school.
song of the day:
in case you don't know Genny_Harrison's substack yet: https://substack.com/@surfnukumoi
Mostly Tolkien, sometimes other books and films. I write about Gandalf, Elrond, Éomer, Faramir. Middle-earth shows how power, collapse, and hope work, and why these stories still matter now.
e.g. https://surfnukumoi.substack.com/p/when-the-ring-came-to-faramir-he
she's great.
A Compiler Writing Journey
In this Github repository, I'm documenting my journey to write a self-compiling compiler for a subset of the C language. I'm also writing out the details so that, if you want to follow along, there will be an explanation of what I did, why, and with some references back to the theory of compilers.