
Public Sans – A strong, neutral typeface

https://public-sans.digital.gov/
104•mhb•1h ago•28 comments

Netflix: Open Content

https://opencontent.netflix.com/
368•tosh•6h ago•60 comments

Non-Zero-Sum Games

https://nonzerosum.games/
180•8organicbits•4h ago•48 comments

The British Empire's Resilient Subsea Telegraph Network

https://subseacables.blogspot.com/2025/12/the-british-empires-resilient-subsea.html
53•giuliomagnifico•3h ago•8 comments

Postgres extension complements pgvector for performance and scale

https://github.com/timescale/pgvectorscale
39•flyaway123•5d ago•1 comments

The Legacy of Undersea Cables

https://blog.sciencemuseumgroup.org.uk/the-legacy-of-undersea-cables/
10•teleforce•1h ago•0 comments

Times New American: A Tale of Two Fonts

https://hsu.cy/2025/12/times-new-american/
94•firexcy•3h ago•58 comments

Go away Python

https://lorentz.app/blog-item.html?id=go-shebang
170•baalimago•7h ago•124 comments

Hive (YC S14) Is Hiring a Staff Software Engineer (Data Systems)

https://jobs.ashbyhq.com/hive.co/cb0dc490-0e32-4734-8d91-8b56a31ed497
1•patman_h•1h ago

Approachable Swift Concurrency

https://fuckingapproachableswiftconcurrency.com/en/
58•wrxd•3h ago•22 comments

GOG is getting acquired by its original co-founder

https://www.gog.com/blog/gog-is-getting-acquired-by-its-original-co-founder-what-it-means-for-you/
786•haunter•23h ago•463 comments

No strcpy either

https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/
107•firesteelrain•2h ago•44 comments

Stranger Things creator says turn off "garbage" settings

https://screenrant.com/stranger-things-creator-turn-off-settings-premiere/
292•1970-01-01•16h ago•525 comments

Show HN: One clean, developer-focused page for every Unicode symbol

https://fontgenerator.design/symbols
101•yarlinghe•5d ago•45 comments

Tesla's 4680 battery supply chain collapses as partner writes down deal by 99%

https://electrek.co/2025/12/29/tesla-4680-battery-supply-chain-collapses-partner-writes-down-dea/
563•coloneltcb•22h ago•621 comments

Hacking Washing Machines [video]

https://media.ccc.de/v/39c3-hacking-washing-machines
169•clausecker•14h ago•35 comments

ManusAI Joins Meta

https://manus.im/blog/manus-joins-meta-for-next-era-of-innovation
279•gniting•17h ago•170 comments

The future of software development is software developers

https://codemanship.wordpress.com/2025/11/25/the-future-of-software-development-is-software-devel...
313•cdrnsf•20h ago•335 comments

Nicolas Guillou, French ICC judge sanctioned by the US and “debanked”

https://www.lemonde.fr/en/international/article/2025/11/19/nicolas-guillou-french-icc-judge-sanct...
202•lifeisstillgood•4h ago•145 comments

Charm Ruby – Glamorous Terminal Libraries for Ruby

https://charm-ruby.dev/
70•todsacerdoti•8h ago•10 comments

UNIX Fourth Edition

http://squoze.net/UNIX/v4/README
84•dcminter•1w ago•7 comments

Concurrent Hash Table Designs

https://bluuewhale.github.io/posts/concurrent-hashmap-designs/
18•signa11•3d ago•0 comments

AI is forcing us to write good code

https://bits.logic.inc/p/ai-is-forcing-us-to-write-good-code
250•sgk284•21h ago•186 comments

Turning an old Amazon Kindle into a eInk development platform (2021)

https://blog.lidskialf.net/2021/02/08/turning-an-old-kindle-into-a-eink-development-platform/
48•fanf2•4d ago•8 comments

Singapore Study Links Heavy Infant Screen Time to Teen Anxiety

https://www.bloomberg.com/news/articles/2025-12-30/singapore-study-links-heavy-infant-screen-time...
45•1vuio0pswjnm7•3h ago•19 comments

Graph Algorithms in Rayon

https://davidlattimore.github.io/posts/2025/11/27/graph-algorithms-in-rayon.html
32•PaulHoule•4d ago•0 comments

Google is dead. Where do we go now?

https://www.circusscientist.com/2025/12/29/google-is-dead-where-do-we-go-now/
974•tomjuggler•19h ago•767 comments

Win32 is the stable Linux ABI

https://loss32.org/
140•krautburglar•2h ago•106 comments

MongoDB Server Security Update, December 2025

https://www.mongodb.com/company/blog/news/mongodb-server-security-update-december-2025
99•plorkyeran•15h ago•40 comments

Outside, Dungeon, Town: Integrating the Three Places in Videogames (2024)

https://keithburgun.net/outside-dungeon-town-integrating-the-three-places-in-videogames/
91•vector_spaces•15h ago•42 comments

No strcpy either

https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/
106•firesteelrain•2h ago

Comments

senthil_rajasek•2h ago
Title is:

No strcpy either

@dang

Snild•2h ago
I don't see a problem with that, but for the record, the title on the site is lower-case for me (both browser tab title, and the header when in reader mode).
1f60c•1h ago
I think the submission originally had a typo ("strpy", with no C)
Snild•44m ago
Ah.
pama•2h ago
Congrats on the completion of this effort! C/C++ can be memory safe but take some effort.

IMHO the timeline figure could benefit in mobile from using larger fonts. Most plotting libraries have horrible font size defaults. I wonder why no library picked the other extreme end: I have never seen too large an axis label yet.

saagarjha•1h ago
Removing strcpy from your code does not make it memory safe.
kjjfnkeknrn•27m ago
Removing strcpy from your code does make it a little memory safer.
Tempest1981•1h ago
Yes, the graph font-sizes seem intended for printing them on a single sheet of paper, vs squeezed into a single column in a blog.
snvzz•2h ago
The AI chatbot vulnerability reports part sure is sad to read.

Why is this even a thing and isn't opt-in?

I dread the idea of starting to get notifications from them in my own projects.

Y_Y•2h ago
Because humans generate and relay the slop-reports in the hopes of being helpful
captn3m0•1h ago
s/being helpful/making money.
trollbridge•1h ago
Making a strcpy honeypot doesn’t sound like a bad idea…

  #include <stdlib.h>
  #include <string.h>

  /* Decoy: never called; it exists only so a scanner finds a strcpy() */
  void nobody_calls_me(const char *stuff) {
          char *a, *b;
          const size_t c = 1024;

          a = calloc(c, 1);          /* zero-filled, so a is always NUL-terminated */
          if (!a) return;
          b = malloc(c);
          if (!b) {
                  free(a);
                  return;
          }
          strncpy(a, stuff, c - 1);  /* at most c-1 bytes; a[c-1] stays 0 */
          strcpy(b, a);              /* a holds < c bytes incl. NUL, so it fits in b */
          strcpy(a, b);
          free(a);
          free(b);
  }
Some clever obfuscation would make this even more effective.
easterncalculus•12m ago
It's a symptom of complete failure of this industry that maintainers are even remotely thinking about, much less implementing changes in their work to stave off harassment over false security impact from bots.
Scubabear68•1h ago
From the article:

> It has been proven numerous times already that strcpy in source code is like a honey pot for generating hallucinated vulnerability claims

This closing thought in the article really stood out to me. Why even bother to run AI checking on C code if the AI flags strcpy() as a problem without caveat?

saagarjha•1h ago
Because people are stupid and use AI for things it is not good at.
Tempest1981•1h ago
> people are stupid

people overestimate AI

lesuorac•37m ago
It's weird though because looking through the hackerone reports in the slop wiki page there aren't actually reproduction steps. It's basically always just a line of code and an explanation of how a function can be mis-used but not a "make a webserver that has this hardcoded response".

So like why doesn't the person iterate with the AI until they understand the bug (and then ultimately discover it doesn't exist)? Like have any of these bug reports actually paid out? It seems like quickly people should just give up from a lack of rewards.

amenhotep•30m ago
As long as the number of people newly being convinced that AI generated bounty demands are a good way to make money equals or exceeds the number of people realising it isn't and giving up, the problem remains.

Not helped, I imagine, that once you realise it doesn't work, an easy pivot is to start convincing new people that it'll work if they pay you money for a course on it.

CGamesPlay•1h ago
It's not quite as black and white as the article implies. The hallucinated vulnerability reports don't flag it "without caveat", they invent a convoluted proof of vulnerability with a logical error somewhere along the way, and then this is what gets submitted as the vulnerability report. That's why it's so agitating for the maintainers: it requires reading a "proof" and finding the contradiction.
Sharlin•53m ago
Because these people who run AI checks on OSS code and submit bogus bug reports either assume that AIs don't make mistakes, or just don't care if the report is legit or not, because there's little to no personal cost to them even if it isn't.
stabbles•1h ago
Apart from Daniel Stenberg's frequent complaints about AI slop, he also writes [1]

> A new breed of AI-powered high quality code analyzers, primarily ZeroPath and Aisle Research, started pouring in bug reports to us with potential defects. We have fixed several hundred bugs as a direct result of those reports – so far.

[1] https://daniel.haxx.se/blog/2025/12/23/a-curl-2025-review/

p2detar•1h ago
So? Those are automated analysis tools and by "slop" he seems to refer to careless reports crafted using AI, solely for collecting bounties:

https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d...

molf•1h ago
That's very interesting! It links to:

https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyz...

and its HN discussion:

https://news.ycombinator.com/item?id=45449348

swinglock•1h ago
I'm surprised curlx_strcopy doesn't return success. Sure you could check if dest[0] != '\0' if you care to, but that's not only clumsy to write but also error prone, and so checking for success is not encouraged.
AlexeyBrin•1h ago
I guess the idea is that if the code does not crash at this line:

    DEBUGASSERT(slen < dsize);
it means it succeeded. Although some compilers will remove the assertions in release builds.

I would have preferred an explicit error code though.

swinglock•9m ago
assert() is always only compiled if NDEBUG is not defined. I hope DEBUGASSERT is just that too because it really sounds like it, even more so than assert does.

But regardless of whether the assert is compiled or not, its presence strongly signals that "in a C program strcpy should only be used when we have full control of both" is true for this new function as well.

jutter•1h ago
This is especially bizarre given that he explains above that "it is rare that copying a partial string is the right choice" and that the previous solution returned an error...

So now it silently fails and sets dest to an empty string without even partially copying anything!?

loeg•1h ago
A weird Annex-K like API. The destination buffer size includes space for the trailing nul, but the source size only includes non-nul string bytes.

I don't really think this adds anything over forcing callers to use memcpy directly, instead of strcpy.
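The trade-off this subthread argues about (failure signalled only by an empty dest versus an explicit result), written out as an added example. This is not curl's code and does not reproduce curlx_strcopy; the function names, the size conventions (dsize includes the NUL, slen does not) and the 8-byte demo buffer are assumptions taken from the comments above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded copy with the semantics the comments describe:
 * dsize counts the trailing NUL, slen counts only string bytes. On
 * overflow it copies nothing and leaves dest empty, so the only way a
 * caller can detect failure is to look at dest[0]. Not curl's code. */
static void strcopy_empty_on_fail(char *dest, size_t dsize,
                                  const char *src, size_t slen)
{
    if (dsize == 0)
        return;                 /* nowhere to even write the NUL */
    if (slen >= dsize) {        /* slen bytes plus NUL would not fit */
        dest[0] = '\0';
        return;
    }
    memcpy(dest, src, slen);
    dest[slen] = '\0';
}

/* The same check, but the outcome is reported to the caller so success
 * does not have to be inferred from the buffer's contents. */
static bool strcopy_checked(char *dest, size_t dsize,
                            const char *src, size_t slen)
{
    if (dsize == 0)
        return false;
    if (slen >= dsize) {
        dest[0] = '\0';
        return false;
    }
    memcpy(dest, src, slen);
    dest[slen] = '\0';
    return true;
}

/* Helpers for checking: copy src into an 8-byte buffer and report what
 * the caller is left with. */
static size_t demo_empty_on_fail_len(const char *src)
{
    char buf[8];
    strcopy_empty_on_fail(buf, sizeof(buf), src, strlen(src));
    return strlen(buf);         /* 0 means "did not fit" OR "src was empty" */
}

static bool demo_checked_fits(const char *src)
{
    char buf[8];
    return strcopy_checked(buf, sizeof(buf), src, strlen(src));
}

int main(void)
{
    printf("\"curl\"     -> %zu bytes copied\n", demo_empty_on_fail_len("curl"));
    printf("\"libcurl!\" -> %zu bytes copied (overflow, dest emptied)\n",
           demo_empty_on_fail_len("libcurl!"));
    printf("checked: \"libcurl\" fits=%d, \"libcurl!\" fits=%d\n",
           demo_checked_fits("libcurl"), demo_checked_fits("libcurl!"));
    return 0;
}
```

The point swinglock makes shows up in demo_empty_on_fail_len: an empty source and an overflowing source both leave the caller with dest[0] == '\0', so probing the buffer cannot tell the two apart, whereas strcopy_checked reports the difference directly.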

t43562•1h ago
I've always wondered at the motivations of the various string routines in C - every one of them seems to have some huge caveat which makes them useless.

After years I now think it's essential to have a library which records at least how much memory is allocated to a string along with the pointer.

Something like this: https://github.com/msteinert/bstring
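A minimal version of the idea in this comment (a string that carries its own length and capacity next to the pointer, so an append can refuse or grow instead of overflowing), added here as an example. It is not the bstring library's code; the struct and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sized string: the pointer never travels without the
 * bookkeeping that says how much of the buffer is used and allocated. */
struct sstr {
    char *p;      /* NUL-terminated buffer */
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated, including room for the NUL */
};

static bool sstr_init(struct sstr *s, size_t cap)
{
    if (cap == 0)
        return false;
    s->p = malloc(cap);
    if (!s->p)
        return false;
    s->p[0] = '\0';
    s->len = 0;
    s->cap = cap;
    return true;
}

/* Append n bytes of src, growing the buffer when needed. Every failure
 * mode (length overflow, allocation failure) is reported, never hidden. */
static bool sstr_append(struct sstr *s, const char *src, size_t n)
{
    if (n > SIZE_MAX - s->len - 1)
        return false;                     /* len + n + 1 would wrap */
    if (s->len + n + 1 > s->cap) {
        size_t newcap = s->cap;
        while (newcap < s->len + n + 1) {
            if (newcap > SIZE_MAX / 2)
                return false;
            newcap *= 2;
        }
        char *np = realloc(s->p, newcap);
        if (!np)
            return false;                 /* s is left intact on failure */
        s->p = np;
        s->cap = newcap;
    }
    memcpy(s->p + s->len, src, n);
    s->len += n;
    s->p[s->len] = '\0';
    return true;
}

static void sstr_free(struct sstr *s)
{
    free(s->p);
    s->p = NULL;
    s->len = s->cap = 0;
}

/* Demo: start with a 4-byte buffer, append three pieces that force two
 * regrowths, and return the final length (or (size_t)-1 on any failure). */
static size_t demo_build(void)
{
    struct sstr s;
    if (!sstr_init(&s, 4))
        return (size_t)-1;
    bool ok = sstr_append(&s, "no ", 3)
           && sstr_append(&s, "strcpy ", 7)
           && sstr_append(&s, "either", 6);
    size_t n = (ok && strcmp(s.p, "no strcpy either") == 0) ? s.len : (size_t)-1;
    sstr_free(&s);
    return n;
}

/* Demo: the capacity the buffer ends up with after the same appends. */
static size_t demo_final_cap(void)
{
    struct sstr s;
    if (!sstr_init(&s, 4))
        return 0;
    sstr_append(&s, "no ", 3);
    sstr_append(&s, "strcpy ", 7);
    sstr_append(&s, "either", 6);
    size_t cap = s.cap;
    sstr_free(&s);
    return cap;
}
```

Because the capacity is always available, the append never has to guess how big the destination is, which is the information strcpy and friends are missing.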

formerly_proven•1h ago
strncpy is fairly easy, that's a special-purpose function for copying a C string into a fixed-width string, like typically used in old C applications for on-disk formats. E.g. you might have a char username[20] field which can contain up to 20 characters, with unused characters filled with NULs. That's what strncpy is for. The destination argument should always be a fixed-size char array.

A couple years ago we got a new manual page courtesy of Alejandro Colomar just about this: https://man.archlinux.org/man/string_copying.7.en

ufo•1h ago
A big footgun with strncpy is that the output string may not be null terminated.
kccqzy•1h ago
Yeah but fixed width strings don’t need null termination. You know exactly how long the string is. No need to find that null byte.
ninkendo•58m ago
Until you pass them as a `char *` by accident and it eventually makes its way to some code that does expect null termination.

There’s languages where you can be quite confident your string will never need null termination… but C is not one of them.

Sharlin•55m ago
Good luck though remembering not to pass one to any function that does expect to find a null terminator.
andrepd•49m ago
Seriously. We have type systems and compilers that help us to not forget these things. It's not the 70s anymore!
kccqzy•42m ago
Seriously. Use `char[20]` instead of `char*` as the type if that helps you remember.
kevin_thibedeau•24m ago
Ignore the prefix and always treat strncpy() as a special binary data operation for an era where shaving bytes on storage was important. It's for copying into a struct with array fields or direct to an encoded block of memory. In that context you will never be dependent on the presence of NUL. The only safe usage with strings is to check for NUL on every use or wrap it. At that point you may as well switch to a new function with better semantics.
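The fixed-width-field use of strncpy described by formerly_proven, the "may not be NUL-terminated" footgun ufo and ninkendo point out, and kevin_thibedeau's "check for NUL on every use or wrap it", worked through as one added example. The record layout and the helper names are assumptions for illustration, not code from any project in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed on-disk record layout for illustration. The username field is
 * fixed width: up to 20 bytes, NUL-padded when shorter, and with no NUL
 * at all when all 20 bytes are used. */
struct record {
    char username[20];
    unsigned int uid;
};

/* strncpy is exactly this operation: copy up to 20 bytes, pad the rest
 * with NULs, and truncate without a terminator if src is 20 or longer. */
static void record_set_username(struct record *r, const char *src)
{
    strncpy(r->username, src, sizeof(r->username));
}

/* Length of the field's contents without relying on a terminator. */
static size_t record_username_len(const struct record *r)
{
    const char *nul = memchr(r->username, '\0', sizeof(r->username));
    return nul ? (size_t)(nul - r->username) : sizeof(r->username);
}

/* Is it safe to hand this field to code expecting a char * string?
 * Only if a NUL sits somewhere inside the 20 bytes. */
static int record_username_is_terminated(const struct record *r)
{
    return memchr(r->username, '\0', sizeof(r->username)) != NULL;
}

/* The wrapped way out: bounded copy into a caller buffer that is always
 * terminated, whether or not the field itself was. Returns bytes placed. */
static size_t record_get_username(const struct record *r,
                                  char *out, size_t outsize)
{
    size_t n = record_username_len(r);
    if (outsize == 0)
        return 0;
    if (n > outsize - 1)
        n = outsize - 1;
    memcpy(out, r->username, n);
    out[n] = '\0';
    return n;
}

/* Check helpers: store src in a fresh record and report what happened. */
static size_t demo_stored_len(const char *src)
{
    struct record r = {0};
    record_set_username(&r, src);
    return record_username_len(&r);
}

static int demo_is_terminated(const char *src)
{
    struct record r = {0};
    record_set_username(&r, src);
    return record_username_is_terminated(&r);
}

static size_t demo_readback_len(const char *src, size_t outsize)
{
    struct record r = {0};
    char out[32];
    record_set_username(&r, src);
    return record_get_username(&r, out, outsize > sizeof(out) ? sizeof(out) : outsize);
}

int main(void)
{
    const char *inputs[] = {"alice", "twentycharactersxxxx",
                            "abcdefghijklmnopqrstuvwxyz"};
    struct record r;
    char name[32];
    for (size_t i = 0; i < 3; i++) {
        record_set_username(&r, inputs[i]);
        record_get_username(&r, name, sizeof(name));
        printf("%-26s -> field len %zu, terminated=%d, read back \"%s\"\n",
               inputs[i], record_username_len(&r),
               record_username_is_terminated(&r), name);
    }
    return 0;
}
```

The two 20-or-more-byte inputs leave no NUL in the field, which is exactly the case where passing r.username as a plain char * would run off the end of the struct; going through record_get_username is the "wrap it" option from the comment above.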
Cyph0n•1h ago
strncpy doesn’t handle overlapping buffers (undefined behavior). Better to use strncpy_s (if you can) as it is safer overall. See: https://en.cppreference.com/w/c/string/byte/strncpy.html.

As an aside, this is part of the reason why there are so many C successor languages: you can end up with undefined behavior if you don’t always carefully read the docs.

Asooka•27m ago
Back when strncpy was written there was no undefined behaviour (as the compiler interprets it today). The result would depend on the implementation and might differ between invocations, but it was never the "this will not happen" footgun of today. The modern interpretation of undefined behaviour in C is a big blemish on the otherwise excellent standards committee, committed (hah) in the name of extremely dubious performance claims. If "undefined" meaning "left to the implementation" was good enough when CPU frequency was measured in MHz and nobody had more than one, surely it is good enough today too.

Also I'm not sure what you mean by C successor languages not having undefined behaviour, as both Rust and Zig inherit it wholesale from LLVM. At least last I checked that was the case, correct me if I am wrong. Go, Java and C# all have sane behaviour, but those are much higher level.

dundarious•8m ago
Yes, these were also common in several wire formats I had to use for market data/entry.

You would think char symbol[20] would be inefficient for such performance sensitive software, but for the vast majority of exchanges, their technical competencies were not there to properly replace these readable symbol/IDs with a compact/opaque integer ID like a u32. Several exchanges tried and they had numerous issues with IDs not being "properly" unique across symbol types, or time (intra-day or shortly before the open restarts were a common nightmare), etc. A char symbol[20] and strncpy was a dream by comparison.

lesuorac•50m ago
It's from a time before computer viruses no?

But also all of this book-keeping takes up extra time and space which is a trade-off easily made nowadays.

rini17•28m ago
Yes, in the old times if you crashed a program or whole computer with invalid input, it was your fault.

Viruses did exist, and these were considered users' fault too.

TZubiri•1h ago
LMAO

After all this time the initial AI Slop report was right:

https://hackerone.com/reports/2298307

lesuorac•40m ago
?

Nonce and websockets don't appear at all in the blog post. The only thing the ai slop got right is that by removing strcpy curl will get less issues [submitted about it].