
Tim Perry

@pimterry.fyi.bsky.social

Builder of https://httptoolkit.com (🦋 @httptoolkit.com), Node.js core collaborator, tech speaker, drummer, mountain biker and dad. 🇬🇧/🇨🇦 living in 🇪🇸

641 Followers  |  674 Following  |  107 Posts  |  Joined: 28.10.2024  |  2.0207

Latest posts by pimterry.fyi on Bluesky

We need a European Sovereign Tech Fund With a new feasibility study, GitHub’s developer policy team is building a coalition of policymakers and industry to close the maintenance funding gap.

Is more funding possible for open source maintainers in Europe? 🇪🇺 A new study commissioned by GitHub explores why creating an EU Sovereign Tech Fund could provide sustainable resources for critical OS projects.

Learn how you can help make it a reality.👇
github.blog/open-source/...

05.08.2025 22:57 — 👍 37    🔁 8    💬 0    📌 2

Seems unlikely to go anywhere, but it's very frustrating that any company would seriously think this is a good way to handle somebody reporting a major security vulnerability in 2025.

01.08.2025 11:42 — 👍 0    🔁 0    💬 0    📌 0

From what I can understand, seems they thought a local mobility app was bad, took a look with HTTP Toolkit, found lots of hardcoded API keys visible in the traffic, among other problems, posted about it on reddit semi-anonymously & filed an official report in Italy, and the company is Not Happy.

01.08.2025 11:41 — 👍 0    🔁 0    💬 1    📌 0
From the Avvocati community on Reddit Explore this post and more from the Avvocati community

New milestone, first person being threatened with legal action for using HTTP Toolkit 😬

www.reddit.com/r/Avvocati/c...

01.08.2025 11:41 — 👍 0    🔁 0    💬 1    📌 0
MeshMap - Meshtastic Node Map A nearly live map of Meshtastic nodes seen by the official Meshtastic MQTT server

Also, it's way more popular than I expected - malla.meshtastic.es/map gives a good idea, there's 30 or so nodes currently visible just inside Barcelona center. Longer range isn't bad either - I've picked up devices as far as the French border & down past Valencia.

29.07.2025 15:57 — 👍 0    🔁 0    💬 0    📌 0
Meshtastic An open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices

Started exploring Meshtastic recently (meshtastic.org).

It's... surprisingly mature? I expected something much rougher, but it's basically a very functional text/gps-only whatsapp that just doesn't need an internet connection. Feels like magic.

29.07.2025 15:57 — 👍 2    🔁 1    💬 1    📌 0
Celebrating 20 years of MDN | MDN Blog MDN turns 20! Let's look at how we started, how MDN became the most trusted resource for web developers, the impact it's had on the open web, and yes, there's cake, too.

For 20 years Mozilla has developed one of the most useful tools for web devs.

developer.mozilla.org/en-US/blog/m...

Congrats to the MDN team on an awesome milestone. I'm happy that we've played a small part in its history and I'm excited to see it continue to be at the core of every web dev's job.

25.07.2025 07:58 — 👍 134    🔁 44    💬 0    📌 1

All this coming to HTTP Toolkit imminently.

In practice that means the one-click Android interception will now transparently intercept Flutter apps too, so you can inspect & modify HTTPS even in the hardest cases (of course this skips any cert pinning en route as well). Release coming soon!

24.07.2025 17:31 — 👍 1    🔁 0    💬 0    📌 0
GitHub - radareorg/radare2: UNIX-like reverse engineering framework and command-line toolset UNIX-like reverse engineering framework and command-line toolset - radareorg/radare2

Honestly, I didn't realize even half of this was practical! But you can actually easily script reverse engineering steps with Radare2 (www.radare.org/n/radare2.html), LLMs are great for explaining asm to build the masks, and Frida (frida.re) brings the whole result together at runtime perfectly.

24.07.2025 17:31 — 👍 0    🔁 0    💬 1    📌 0

Those scripts download every vX.Y.0 Flutter release's debug build, for each Android CPU architecture, find the functions we want and grab the ASM, and mask the bits from instructions that may vary (e.g. relative addresses) for each instruction set, to give us a minimal set of reliable fingerprints.

24.07.2025 17:31 — 👍 0    🔁 0    💬 1    📌 0
re-scraps/flutter at main · httptoolkit/re-scraps Scrappy scripts & WIP outputs from reverse engineering work, generally as part of scripting for https://github.com/httptoolkit/frida-interception-and-unpinning/ - httptoolkit/re-scraps

Second, the function fingerprints are all automatically & systematically generated - not handmade from individual cases.

Check out the analysis scripts in github.com/httptoolkit/... for the full setup.

24.07.2025 17:31 — 👍 0    🔁 0    💬 1    📌 0

First, this doesn't just patch out certificate verification, thereby dropping all TLS security.

Instead it hooks the validation flow 'properly', then modifies it just to trust our one extra certificate - entirely by calling functions with nothing more than these pointers into assembly.

24.07.2025 17:31 — 👍 0    🔁 0    💬 1    📌 0

Credit where it's due, I only really got into this technique after seeing the approach in github.com/NVISOsecurit....

Very neat work by Jeroen Beckers at NVISO! (no account here, AFAICT).

I've taken it further though, in two fun ways.

24.07.2025 17:31 — 👍 0    🔁 0    💬 1    📌 0

I've been doing some ridiculously neat reverse engineering recently.

Check this out: github.com/httptoolkit/...

That code is modifying functions inside Flutter apps, without debug info, by *fingerprinting known chunks of assembly* for each CPU architecture, and then scanning memory to find them 🤯

24.07.2025 17:31 — 👍 0    🔁 1    💬 1    📌 0
MinorMiner: we turn your kid's maths homework into Bitcoin | Robert Heaton Hello! Hello! Welcome, welcome. My name is Hobert Reaton, and I’m here in this shabby motel conference room to present you with yet another once-in-a-lifetime investment opportunity.

Love to see parody this good being delivered with a working Python implementation: robertheaton.com/minor-miner/

17.05.2025 10:52 — 👍 2    🔁 0    💬 0    📌 0

An exciting milestone: I just received my first "You must've removed/broken this feature, because ChatGPT said this would work but it doesn't" bug report, for a feature that has never existed 🤦

05.05.2025 10:02 — 👍 6    🔁 1    💬 1    📌 2
Node.js Next 10 Survey - 2025 Shape the future of Node.js by sharing your feedback!

🚀 Help shape the future of Node.js!

If you're a contributor or maintainer, the Next 10 Survey is your chance to make your voice heard. 🗳️ Take the survey + make a difference: linuxfoundation.research.net/r/2025nodene...

01.05.2025 16:12 — 👍 31    🔁 16    💬 3    📌 0

Pushing the boundaries of clean, maintainable Python.

susam.net/elliptical-p...

29.04.2025 19:44 — 👍 33    🔁 6    💬 1    📌 2

Ahh awesome, thanks @rossipedia.com! Glad it's working well for you 😊

29.04.2025 20:43 — 👍 0    🔁 0    💬 0    📌 0

Most of the world just sat in the plazas & parks, hoping their friends would walk past, and clustering around the few people with a radio. Pleasant for one sunny afternoon, could've been a lot worse if it was longer/hotter/colder.

28.04.2025 20:19 — 👍 1    🔁 0    💬 1    📌 0

Full outage: non-functional telecoms, no ATMs & card payments but also no tills means many shops can't even take cash, no traffic lights, no lifts, no metro/trains, no doorbells (which in a flat-based world means you can't even visit your friends).

28.04.2025 20:19 — 👍 0    🔁 0    💬 1    📌 0

Just spent 7 hours experiencing life sans electricity here in Spain - we're totally fine, but wow the world does not function in very basic ways, and if you don't own a radio you really have zero information or ability to communicate.

28.04.2025 20:10 — 👍 6    🔁 1    💬 1    📌 0

📅 Reminder: Node.js 18 is scheduled to reach End-of-Life on April 30, 2025.

We recommend that you update to Node.js 20 or 22 as Node.js 18 will no longer receive security updates once it reaches End-of-Life.

24.04.2025 21:14 — 👍 73    🔁 20    💬 1    📌 5

hello, world

14.04.2025 20:25 — 👍 166    🔁 27    💬 7    📌 4

If you control the build yourself, things like bsky.app/profile/dana... for example never happen.

You define your container entirely work any way you like, platform runs the container as-is, CDN caches traffic for cheap. Works identically locally & remotely, with any platform & any CDN.

10.04.2025 09:07 — 👍 0    🔁 0    💬 0    📌 0

Highly recommend setting up a site -> Docker image build flow going.

Makes everything much more portable. Then you can trivially host on any Docker hosting (AWS Fargate, Google Cloud Run, Digital Ocean, Scaleway serverless containers) + dumb CDN, and switch later with zero code or build changes.

10.04.2025 09:04 — 👍 3    🔁 0    💬 1    📌 0

This scanning has been made significantly worse by certificate transparency. CT is great, but a side effect is that when you publish a new HTTPS site everybody on the internet gets notified about it, and oh my word are they keen to come visit every accidentally published subdirectory.

31.03.2025 19:23 — 👍 2    🔁 0    💬 0    📌 0

[bluesky timeline]

me: [chanting] blogs, blogs-

other users: blogs, BLOGS

bluesky staff: [pounding their computers] BLOGS, BLOGS, BLOGS!

29.03.2025 21:19 — 👍 4123    🔁 796    💬 61    📌 57

0.1 + 0.2 == 0.3

20.03.2025 14:33 — 👍 183    🔁 39    💬 3    📌 0
Thank you - Open Collective First and foremost, thank you to everyone who has contributed to styled-components over the years. Open Source is hard work, and many of the larger feature and/or refactoring drives probably would never have shipped without your support! As...

Styled components has officially moved into maintenance-only mode: https://opencollective.com/styled-components/updates/thank-you

That's the bell I think, the era of runtime css-in-js libraries is now definitively over. So long and thanks for all the divs.

18.03.2025 09:33 — 👍 11    🔁 6    💬 0    📌 3
