Pleopods Weekly #10 — May 8, 2026

This Week on Lobste.rs

Trending topics: web security release osdev vibecoding

1. Contributor Poker and Zig's AI Ban zig

submitted by kristoff — 205 points (+109 this week) — 111 comments

The Zig project's AI contribution ban isn't about purity—it's about the economics of open source: you invest in onboarding contributors hoping they become long-term assets, and LLM-generated PRs (hallucinations, sneaky regurgitation, 10k-line drive-bys) break that game by eroding trust and burning reviewer time with no return on the bet.

2. Async Rust never left the MVP state rust

submitted by radim — 119 points (+102 this week) — 10 comments

Async Rust generates bloated state machines even for trivial futures — a foo() that returns 5 creates 360 lines of MIR with three unused states (Returned, Panicked) that prevent optimization, but replacing panic-on-reuse with just returning Pending in release builds recovers 2-5% binary size.

3. Reminder: You Can Stitch Together Lots of Little HTML Pages With Navigations For Interactions web

submitted by LesleyLai — 113 points (+93 this week) — 37 comments

Jim Nielsen ditches JavaScript overlays for CSS view transitions and plain links — the result is smaller, works without JS, and actually simpler to build.

4. The text mode lie: why modern TUIs are a nightmare for accessibility a11y

submitted by eterps — 88 points (+86 this week) — 30 comments

Modern TUI frameworks like Ink and Bubble Tea redraw the entire terminal on every update, which makes screen readers announce cursor jumps and timers instead of content, and can even crash NVDA when pasting into tools like gemini-cli that regenerate thousands of lines synchronously on a single thread.

5. NetHack 5.0.0 games release

submitted by sanxiyn — 83 points (+81 this week) — 9 comments

After 16 years, NetHack 5.0 modernizes a roguelike with C99 compliance and cross-compilation support, replacing its build-time yacc/lex toolchain with Lua processing at runtime — though your old saves won't carry over.

6. RSS Feeds Send Me More Traffic Than Google web

submitted by repl — 102 points (+79 this week) — 51 comments

One blogger's RSS subscribers send 25% of their traffic—more than Google search—without any aggressive SEO optimization, suggesting the algorithmic squeeze on search click-through rates has quietly made subscription feeds valuable again.

7. Principia Softwarica osdev

submitted by runxiyu — 82 points (+79 this week) — 50 comments

The kernel's 35K lines of annotated source code are meant to be genuinely readable—a bet that deep understanding of something coherent beats shallow skimming of something vast, and that the mental models stick when you move to real systems.

8. Building the deployment tool I wish I had devops release

submitted by ruuda — 85 points (+78 this week) — 20 comments

He built a deployment tool because existing options made too many wrong trade-offs — then discovered that if you limit scope to "copy files and restart services," you can get sub-second deploys with reliable rollback and a clean diff before you even touch a host.

9. Mozilla's position on the Prompt API web

submitted by untitaker — 84 points (+75 this week) — 15 comments

Mozilla is blocking the Prompt API standard over vendor lock-in concerns, specifically that browsers would control which AI models get baked in without clear rules about what that means.

10. A text editor as a user interface editors

submitted by jbauer — 81 points (+75 this week) — 11 comments

Once you accept that users can edit text, plain files beat custom GUIs for configuration, data storage, and even interactive tools—and the tradeoffs are worth it.

11. Multi-stroke text effect in CSS css design

submitted by fanf — 100 points (+74 this week) — 4 comments

Layering text-stroke with incrementally different widths creates that retro multi-color outline effect — Firefox renders it smoother than Chrome/Safari, but performance tanks fast with larger fonts, so it's more of a neat trick than a production technique.

12. NHS Goes To War Against Open Source ai security

submitted by agoose77 — 87 points (+70 this week) — 7 comments

NHS is about to nuke thousands of open-source repos over AI-detected vulnerabilities, ignoring their own Tech Code of Practice and the precedent of the Covid app running fine in the open.

13. cursed_browser: A web browser with no rendering engine — the VLM reads the HTML and hallucinates the page browsers satire vibecoding

submitted by aoeu — 79 points (+69 this week) — 6 comments

A VLM that reads HTML and draws what it thinks the page looks like instead of actually rendering it — which somehow passes the Acid test (100/100) and feels less like a joke than it should.

14. Open Source Does Not Imply Open Community programming

submitted by fab23 — 77 points (+69 this week) — 22 comments

The author argues most open source projects mistake "open source" (free code) for "open development" (public issue trackers and community contributions), and suggests many maintainers would burn out less if they just shipped code drops instead of managing endless GitHub discussions unpaid.

15. I accidentally made law enforcement shut down their stresser honeypot security

submitted by kwas — 70 points (+69 this week) — 4 comments

Dutch police ran a DDoS honeypot so poorly disguised that a researcher found it by noticing the hosting provider pattern, then signed up with an email basically saying "I'm researching you" — and the panic takedown that followed suggests the elaborate fake dashboard never caught actual attackers.

16. Oasis Linux c linux osdev

submitted by kneeawn — 72 points (+66 this week) — 16 comments

A Linux distro where everything—display server, browser, the works—compiles into single static binaries, with the entire system config taking up 16 lines of /etc. Reproducible builds mean you can verify byte-for-byte what you're running.

17. What fun websites do you know? ask web

submitted by Aks — 84 points (+65 this week) — 50 comments

The thread itself is just a list of time-wasters, but the replies are where people surface genuinely weird corners of the web—http.cat, floor796's endless clickable pixel art rabbit hole, and similar oddities worth bookmarking.

18. Security Advisory: Local privilege escalation in Lix and Nix nix security

submitted by raito — 68 points (+64 this week) — 4 comments

Buffer overflow in the Nix/Lix daemon allows local privilege escalation to root if you can already talk to the daemon and bypass ASLR — patches are out for maintained versions.

19. Why I Don’t Vibe Code practices vibecoding

submitted by lollipopman — 74 points (+60 this week) — 21 comments

LLMs are genuinely useful for boilerplate and repetitive coding tasks, but they hit a wall the moment you need to justify architectural decisions—which is exactly where the hard thinking actually happens.

20. Go is FIPS 140-3 certified cryptography go

submitted by runxiyu — 61 points (+59 this week) — 18 comments

Go's standard library crypto is now FIPS 140-3 certified for federal procurement and regulated industries, but only in approved mode and without guarantees on key generation strength.

Pleopods is a weekly digest of the top links from Lobste.rs. Unsubscribe | Archive