rav1d is a port of dav1d, created by (1) running c2rust on dav1d, (2) incorporating dav1d’s asm-optimized functions, and (3) changing the code to be more Rust-y and safer.

Video decoders are notoriously complex pieces of software, but because we are comparing the performance of two similar deterministic binaries we might be able to avoid a lot of that complexity - with the right tooling.

source: HN

I spent a lot of time doodling in middle school in lieu of whatever it is middle schoolers are supposed to be doing. Somewhere between the Cool S’s and Penrose triangles I stumbled upon a neat way to fill up graph paper by repeatedly combining and copying squares. I suspected there was more to the doodle but wasn’t quite sure how to analyze it. Deciding to delegate to a future version of me that knows more math, I put it up on the wall behind my desk where it has followed me from high school to college to the present day.

Anyway, after a series of accidents I am now the prophesized future version of me that knows a bit more math. Due to its petal-like blooming structure and timeless presence scotch taped to my wall I’ll be referring to the fractal affectionately as “the wallflower,” although further down we’ll see it’s closely related to some well-known fractals.

source: HN

Understanding the Go scheduler is crucial for Go programmer to write efficient concurrent programs. It also helps us become better at troubleshooting performance issues or tuning the performance of our Go programs. In this post, we will explore how Go scheduler evolved over time, and how the Go code we write happens under the hood.

source: HN

I wrote a script that downloaded all stable Rust releases all the way back to 1.0, executed each stable version of the compiler on a set of small programs containing an error and gathered the compiler standard (error) output.

source: HN

Don’t let a computer write for you! I say this not for reasons of intellectual honesty, or for the spirit of fairness. I say this because I believe that your original thoughts are far more interesting, meaningful, and valuable than whatever a large language model can transform them into. For the rest of this piece, I’ll briefly examine some guesses as to why people write with large language models so often, and argue that there’s no good reason to use one for creative expression.

source: HN

But what if the USB connection could be made wirelessly? For a few years, real honest-to-goodness wireless USB devices were actually a thing. Competing standards led to market fracture and the technologies fizzled out relatively quickly in the marketplace, but like the parallel universe of FireWire hubs there was another parallel world of wireless USB devices, at least for a few years. As it happens, we now have a couple of them here, so it’s worth exploring what wireless USB was and what happened to it, how the competing standards worked (and how well), and if it would have helped.

Also with a detailed explanation of UWB.

The key basis technology instead was the concept of ultra wide-band, or UWB, which in modern parlance collectively refers to technologies allowing very weak, very wide-spectrum (in excess of 500MHz) signals to become a short range yet high bandwidth communications channel.

source: HN

PV modules are cheap enough today that the simple fixed East-West arrays are cheaper and faster to install than the industry’s darling, the single-axis tracked array.

source: HN

Earlier this year, scientists discovered a peculiar term appearing in published papers: “vegetative electron microscopy”. This phrase, which sounds technical but is actually nonsense, has become a “digital fossil” – an error preserved and reinforced in artificial intelligence (AI) systems that is nearly impossible to remove from our knowledge repositories.

source: HN

This is the story of how I found one of my favorite iOS vulnerabilities so far. It’s one of my favorites because of how simple it was to implement an exploit for it. There’s also the fact that it uses a legacy public API that’s still relied upon by many components of Apple’s operating systems, and that many developers have never heard of.

However, just as any process on the system can register to receive Darwin notifications, the same is true for sending them. Considering these properties, I began to wonder if there were places on iOS using Darwin notifications for powerful operations that could potentially be exploited as a denial-of-service attack from within a sandboxed app.

source: HN

These things mean that despite Go having a GC, it’s possible to do manual memory management in pure Go and in cooperation with the GC (although without any help from the runtime package). To demonstrate this, we will be building an untyped, garbage-collected arena abstraction in Go which relies on several GC implementation details.

source: HN

I’ve found a way of describing occurrences through distance functions. This means that instead of implementing logic for all combinations of frequencies and parameters - as that spooky table from before suggests one might do - we can simply compose a couple of distance functions together.

source: HN

But there is currently one smartphone that qualifies for a “Made in the USA” title from the FTC. It’s the Liberty Phone, which is made by a company called Purism. The phone is a version of Purism’s Librem 5. The Made-in-China Librem 5 costs $800, and the Liberty phone costs $2,000. It has 4 GB of memory, and reviewers say that its specs are pretty outdated. Not every single component in the Liberty Phone is made in the USA, but the company has been trying very hard to make it as American-made as possible.

source: HN

Apache ECharts provides more than 20 chart types available out of the box, along with a dozen components, and each of them can be arbitrarily combined to use.

source: HN

In the years leading up to its 7 April 1964 launch, however, the 360 was one of the scariest dramas in American business. It took a nearly fanatical commitment at all levels of IBM to bring forth this remarkable collection of machines and software. While the technological innovations that went into the S/360 were important, how they were created and deployed bordered on disaster. The company experienced what science policy expert Keith Pavitt called “tribal warfare”: people clashing and collaborating in a rapidly growing company with unstable, and in some instances unknown, technologies, as uncertainty and ambiguity dogged all the protagonists.

source: HN

Using Ctrl-r and fzf roughly doubled my efficiency in the shell overnight. Interestingly, it had an even greater long term effect: I became a more ambitious user of shell commands because I knew I could outsource my memory to fzf. For example, since it’s now very easy to recall past commands, I no longer set global environment variables, which had previously caused me grief when I forgot about them. Now I set environment variables on a per-command basis, knowing that I can recall them with Ctrl-r and fzf.

source: HN

Whilst the Isosceles and Dark Navy posts explained the underlying memory corruption vulnerability in great detail, they were unable to solve another fascinating part of the puzzle: just how exactly do you land an exploit for this vulnerability in a one-shot, zero-click setup? As we’ll soon see, the corruption primitive is very limited. Without access to the samples it was almost impossible to know.

source: HN

An attacker within bluetooth range is able to trigger navigation to a FIDO:/ URI from an attacker controlled page on a mobile browser, allowing them to initiate a legitimate PassKeys authentication intent which will be received on the attacker’s device. This results in the attacker being able to “phish” PassKeys credentials, completely breaking this assumption that PassKeys are impossible to phish.

source: HN

The FreeType library is used by Chrome to compute metrics and load hinted outlines from fonts. Overall, use of FreeType has been a huge win for Google. It does a complex job, and does it well, we rely on it extensively and contribute back to it. However, it is written in unsafe code and has its origins in a time when malicious inputs were less likely. Merely keeping up with the stream of issues found by fuzzing costs Google at least 0.25 full time software engineers. Worse, we observably don’t find everything or find things only after the code has shipped to users.

source: HN

Time for me to write this blog post and prepare everyone for the implementation blitz that needs to happen to make defer a success for the C programming language.

source: HN

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we’ll shed light on how these vulnerabilities that rely on a parser differential were uncovered.

As shown once again: relying on two different parsers in a security context can be tricky and error-prone.

source: HN