Pleopods Weekly #9 — May 1, 2026

This Week on Lobste.rs

Trending topics: rust security vibecoding zig vcs

1. Do I belong in tech anymore? vibecoding

submitted by Shorden — 197 points (+196 this week) — 63 comments

Realized too late that burnout wasn't about the work—it was about watching the company quietly abandon every principle that made it interesting in the first place.

2. Contributor Poker and Zig's AI Ban zig

submitted by kristoff — 172 points (+163 this week) — 85 comments

Zig's AI contribution ban isn't moral posturing—it's economic: AI breaks the trust loop where maintainers invest in onboarding early contributors expecting years of reliable expertise in return, and so far LLMs mostly deliver hallucinations, massive unfocused PRs, and subtle regurgitations of existing bugs.

3. Ghostty Is Leaving GitHub vcs

submitted by carlana — 194 points (+159 this week) — 52 comments

Mitchell Hashimoto is moving Ghostty off GitHub after 18 years of daily use — citing nearly constant outages that block work for hours at a time, with a read-only mirror staying behind.

4. jjj vcs

submitted by op — 112 points (+109 this week) — 13 comments

A short shell script called jjj wraps the Jujutsu VCS tool with an interactive fzf picker for selecting revsets.

5. Niri v26.04 linux release rust

submitted by ana_glz — 109 points (+98 this week) — 11 comments

Niri finally shipped blur in v26.04, but not the simple kind—they had to thread window positions through the entire rendering pipeline to keep screencasts from accidentally leaking data behind the blur, and build it so Overview doesn't re-render everything just to show a blurred background.

6. Lua can be a really cool HTML templating engine lua web

submitted by riki — 103 points (+98 this week) — 67 comments

Handlebars' default HTML escaping and scoping mechanics are enough of a headache that building templates in Lua itself—which lets you write DSLs with minimal syntax overhead—becomes genuinely more pleasant than fighting curly braces and ../parent lookups.

7. How The Heck Does Shazam Work? math programming

submitted by indigo — 96 points (+92 this week) — 7 comments

Shazam builds a "constellation map" of the loudest frequency peaks in a song, then creates fingerprints from pairs of peaks — a trick that survives noisy rooms because background noise rarely creates the dominant peaks, but also why it fails completely on humming.

8. The people do not yearn for automation vibecoding

submitted by simonw — 90 points (+80 this week) — 58 comments

The tech industry keeps treating AI skepticism as a PR problem when it's actually a product problem—people aren't rejecting the pitch, they're rejecting what it does to their actual lives, and no amount of reframing from Nadella or better ads from Altman will change that.

9. Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain security

submitted by knedl — 100 points (+78 this week) — 40 comments

A compromised GitHub Action in Bitwarden's build pipeline injected credential-stealing code into the CLI releases, which then used stolen npm tokens to backdoor downstream packages—and the attackers added Dune quotes to their malware for some reason.

10. I Built My Own Hair Electrolysis Machine hardware rust

submitted by sloanelybutsurely — 97 points (+77 this week) — 12 comments

Someone built a working galvanic electrolysis hair removal machine from a car battery, potentiometer, and pop can — and then designed it properly with timing circuits and a 3D-printed pen, because the FDA-approved method deserves better than alligator clips.

11. Asahi Linux Progress Report: Linux 7.0 linux release

submitted by polywolf — 78 points (+76 this week) — 3 comments

Asahi Linux automated its release pipeline after manual builds fell out of sync with newer kernels, causing live media to fail to boot — the fix also includes fresh ALS support and power tuning for M-series chips.

12. Functional Programmers need to take a look at Zig haskell zig

submitted by doyougnu — 76 points (+67 this week) — 21 comments

Zig lets you write functional code—monads, sum types, nominal typing—without a garbage collector, using compile-time computation and explicit memory management instead. It's functional programming that actually fits modern systems constraints rather than pretending they don't exist.

13. Carrot disclosure: Forgejo security

submitted by 7tehdt3cnw6kir6o — 95 points (+65 this week) — 50 comments

A security researcher chained multiple Forgejo vulnerabilities into RCE and persistent access, then leaked redacted PoC output to force a full audit instead of the patch-by-patch cycle they say won't fix the root problems.

14. From Milliseconds to 26 Nanoseconds: How a $20 eBay SFP Module Beat My Entire NTP Setup hardware

submitted by varesa — 67 points (+65 this week) — 7 comments

A $20 eBay surplus GPS-disciplined PTP grandmaster beats years of NTP tuning — and the real lesson is that chrony's trust flag will happily ignore better data if you tell it to.

15. Email is crazy email networking security

submitted by FlyingSnake — 68 points (+63 this week) — 39 comments

Email's fundamental identity crisis—the envelope sender and visible From: header don't have to match—is why we've spent decades bolting SPF, DKIM, and DMARC onto a protocol that predates the internet's adversarial nature.

16. GitHub Actions is the weakest link devops security

submitted by untitaker — 75 points (+62 this week) — 1 comments

GitHub Actions' attack surface isn't a secret—it's baked into the defaults. pull_request_target gives untrusted forks full secret access, mutable tags let attackers swap out trusted actions mid-run, and shell expansion turns user input into code. The same vulnerabilities keep compromising major projects because GitHub hasn't restricted any of it.

17. Zed is 1.0 editors rust

submitted by notmeta — 95 points (+61 this week) — 36 comments

Zed ditched the browser engine entirely, building on a custom Rust GPU framework instead—and after five years they're declaring 1.0 with AI agents as a first-class primitive rather than a tacked-on feature.

18. Bugs Rust Won't Catch rust

submitted by PuercoPop — 72 points (+60 this week) — 27 comments

Canonical's audit of uutils uncovered 44 CVEs that Rust's safety guarantees didn't catch: mostly TOCTOU races from re-resolving paths between syscalls, and silent corruption from forcing byte data through UTF-8 validation when Unix tools need to handle arbitrary bytes. Shows that memory safety alone doesn't prevent logic bugs or semantic mismatches between language design and system semantics.

19. What are your favorite Emacs packages? ask emacs

submitted by jussi — 96 points (+56 this week) — 70 comments

A Lobsters thread where people share their Emacs essentials—you'll find the predictable winners (magit, eglot, vertico) alongside genuinely weird archaeology, like someone's folding mode ported from a 1980s transputer editor and still in active use.

20. I am building a cloud devops

submitted by tsg — 59 points (+56 this week) — 24 comments

A founder argues cloud pricing and VM abstractions are fundamentally misaligned with how we'll actually build software at scale—and he's building a different platform because LLM agents will make cheap, granular compute non-negotiable.

Pleopods is a weekly digest of the top links from Lobste.rs. Unsubscribe | Archive