Links to two years ago. Surely jpg png or bmp parsers had security issues whatever years ago as well?

Six months ago, distributed crawling hit code.forgejo.org, and the mitigation measures put in place then held until a few weeks ago. The mitigation measures relied on JavaScript-based proof-of-work, but the crawling software learned to resolve the measures, allowing the attack to return.

Since November 24, a new blocking strategy has been implemented and successfully blocked around one million unique IPs daily. Only 5,000 unique IP addresses reach code.forgejo.org daily, and no reports of legitimate traffic being blocked have been received.

Crazy. A 1M to 5k ratio.

The linked to ‘new strategy’ information is interesting too. They’re blocking a specific user agent.

TL;DR: 26 November ~900,000 unique IPs sent requests to code.forgejo.org and blocking one user agent effectively blocks over 90% of them. At the moment ~50,000 unique IP hit code.forgejo.org per hour, ~5,000 of them are not using the suspicious user agent and are sent to Anubis, ~1,000 of them pass the challenge and reach code.forgejo.org.

&& Header(`user-agent`, `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36`)

Sharing, because I had to look up Abstract Wikipedia

Abstract Wikipedia is an in-development project of the Wikimedia Foundation. It aims to use Wikifunctions to create a language-independent version of Wikipedia using its structured data.

Godot is certainly the easiest and simplest to install in terms of full engine and game dev IDE.

Whether they wanted to showcase or deliberately chose it for how it looks or not, I think the simple install onto a presentation desk/PC/Steam Machine may have been a reason as well.

A lot of them look (very) interesting. Now I have a bunch of tabs open to sift through.

That’s wild

😏

The plan is to eventually make it incremental, however that isn’t yet implemented. It is however already pretty fast even without incremental linking.

Not stable yet, either:

The following is working with the caveat that there may be bugs:

Invidious says video unavailable

I created a Nushell plugin in Rust that merely converts between Nushell and BSON data formats.

It works, but I still have a fundamental lack of understanding of the magic abstract generalized data transformation framework/interface.

I wish there were fewer magic conversions and transformations, and less required knowledge of them and calling or knowing the correct ones. Magic traits leading to magic conversions for magic reasons. Or something.

What is the vulnerability, what is the attack vector, and how does it work? The technical context from the linked source Edera

This vulnerability is a desynchronization flaw that allows an attacker to “smuggle” additional archive entries into TAR extractions. It occurs when processing nested TAR files that exhibit a specific mismatch between their PAX extended headers and ustar headers.

The flaw stems from the parser’s inconsistent logic when determining file data boundaries:

1. A file entry has both PAX and ustar headers.
2. The PAX header correctly specifies the actual file size (size=X, e.g., 1MB).
3. The ustar header incorrectly specifies zero size (size=0).
4. The vulnerable tokio-tar parser incorrectly advances the stream position based on the ustar size (0 bytes) instead of the PAX size (X bytes).

By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive. It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.

This leads to:

• File overwriting attacks within extraction directories.
• Supply chain attacks via build system and package manager exploitation.
• Bill-of-materials (BOM) bypass for security scanning.

wow they god really scared and ran off fast

https://doc.rust-lang.org/style-guide/index.html#small-items

We leave it to individual tools to decide on exactly what small means. In particular, tools are free to use different definitions in different circumstances.

What does this mean?

What does Linus when he says rustfmtcheck? cargo fmt check? A util I can’t find with a simple search? Maybe they have makefile targets or sth for it?

The concerns raised by Linus make sense to me, but should be simple to solve. The small items description already mentions variance, and the need for tools to decide. So shouldn’t it be a simple configuration change?

godot-rust v0.4

40% complete! /s

No.

Concentric AI’s 2025 Data Risk Report found Copilot accessed almost three million confidential records per organization in the first half of this year alone.

Is this about a not-yet-published report?

They don’t link to the report they are talking about, but only to the publisher. I can’t find a report about Copilot risk.

There’s a data risk report, supposedly updated twice a year, but from 2H 2023 (despite the web page being titled 2H 2025), and with no mention of Copilot.

There’s also this blog post, which appears to connect their data risk report with Copilot.

The blog post seems a lot more concrete, specific, elaborate, approachable, and actionable than the Techradar post. To me, at least.

I don’t think they care about those small movements.

This seems like a response to 1. the state of reality (half(?) of installs are still on 10) and 2. EU criticism and looming regulation/imposed requirements.

They paid hard cash so it better be a hard disk!

GodotCon Boston 2025 by Godot Engine video playlist items with direct links:

• Compositor Effects And You: Unlocking Godot’s Potential For Advanced Graphics Techniques – Acerola
• Events Are The Way To Go(dot) – Eric Peterson
• Building cross-platform non-game applications with Godot – HP van Braam – GodotCon2025
• Making Stylized 3D Games In Godot – Shane Denhardt & Kiril Pashev
• Improving Your UI in Godot – Rawb Herb
• Introducing 3D Tiles For Godot –Leonidas Neftalí
• Narrative Design for Solo Devs – Nicholas O’Brien
• HolyOS - making a fake operating system in Godot – Davide Di Staso
• I Make Games On My Phone (And They Actually Work) – Chad Stewart
• State of Godot and the Web – Adam Scott
• The Youtube Crash Course for Game Devs – @stayathomedev
• Adding new Script Languages to Godot – Jeff Ward
• LibGodot - Embed Godot Engine Everywhere – Gergely Kis
• Xogot – Miguel de Icaza
• Enjoyable Game Architecture with Godot & C# – Mark Wilson
• Unit Testing Games - TDD/Godot/GUT – Butch Wesley
• Keeper to Keepers: Adding Multiplayer to Dome Keeper – Chris Ridenour
• Introducing Aspire - Local dev for your full stack made easy – Maddy Montaquila
• Building a Godot Plugin with GDExtension – Scott Doxey
• I Work For Godot, AMA – Emilio Coppola, David Snopek, Adam Scott
• Multiplayer Basics in Godot – Travis Hunter
• Markov Chain with a Shotgun: Open Language Models in Godot – Simon
• Embedding Godot: spicing up your app with SwiftGodotKit and more – Miguel de Icaza
• Lessons from 25+ Game Jams with Godot – Marek Belski
• From Local Networking to Scalable Solutions – JamesClancey
• Custom Resources for global state management – Sam Szuflita
• Time Management in Game Development – Matthew Ponder
• Going Mobile with Godot – Joseph Hill
• Log.gd, a Godot pretty-printer – Russell Matney
• Synths and Sound Design in Godot with Csound – Werner Mendizabal
• Preparing Anime-Style 3D Characters for Godot Using Blender – Jesse (CoderNunk)
• Cross-Disciplinary Collaboration in Godot –Casey Dahlgren, Sarah Nuse
• Using Godot for mixed-reality livestreaming – badcop
• Profiling Godot Engine Games on Android with Arm Performance Studio – Ian Bolton
• Making Operation Outbreak – Andrés Colubri & Harmony Honey Monroe
• The Player to Contributor Pathway – Heather Drolet, Justin Borque
• What’s new in XR & Android – David, Fredia, Logan
• Bringing the Arcade to the Museum with Godot – Annalivia, Tyler

Array.from(document.querySelectorAll('#video-title')).map(x => `* [${x.innerText.replace(/ – GodotCon 2025$/, '')}](${x.href})`).join("\n")

Feel free to copy into post description (via comment source).

I deliberately chose KeePass with no Webbrowser extension and no cloud service that other password managers and password manager services provide to reduce risks.

Webbrowsers are very interconnected tech with non-obvious relations and risks. Having my webbrowser access my password database feels inherently irritating.

Webbrowser’s own password managers with optional sync have the benefit of auto-fill only being offered for the correct domain names. But I’d never store my critical passwords in them.

Having to launch a separate password manager, enter a long master key, and then copy-paste/trigger-auto-type the content from it is cumbersome, but the only way to add a reasonable robust separation.

In KeePass you can use auto-typing or the clipboard. Evading the clipboard is certainly good security practice.