Slashdot

News for nerds, stuff that matters

Linus Torvalds on Rust, C, Bugs, and AI Patch-Checking Tools

"Git and email are the two really only tools I use," Linus Torvalds said at Open Source Summit India 2026. But ZDNet reports that he also shared his thoughts on Rust, C, and patch-checking tools:



"I use Google as a way to look things up." He added, "I'm unusual; most of the other maintainers end up using many more tools, and I think a lot of them are starting to use AI tools for patch checking," while he "works at a higher level. I work with people, not tools."

When asked about Rust both in Git and the kernel, he pushed back against hype: "I'm not sure Rust is going to take over the world. I still think Rust is very interesting, [but] I still find C to be a much simpler tool." Torvalds continued, "I'm much more excited about all the tools we have for verification of C," including "automated patch verification tools" and "automated email checking tools for patches like Sashiko." Summing up, Torvalds told the Mumbai audience: "I'm more of a hack-and-slash kind of person, and I still like the raw and simple power of C, and I don't think that's going to change."

Torvalds also warned against overestimating Rust's benefits: "Rust fixes a few easy bugs that you can make in C, but it does not fix the logic errors, right? It does not think for you, and when you write incorrect code, the language does not matter. The end result will be incorrect." On mixed C/Rust code bases, he pointed out that guarantees are limited: "The guarantees that Rust give you only apply in the Rust-only parts of your code base, and wherever you interact with C code, all bets are off," with most Rust code in Linux talking to "core kernel C code" that is "much better quality... because that code has been tested in every single environment."

At the same time, Torvalds pointed out, "some of our big and more high-profile bugs in the kernel lately have been logic errors" rather than the kind of memory errors Rust prevents.

"It was just bad programming, which sadly happens even in carefully maintained subsystems and important kernels that are supposed to be very secure."

Read more of this story at Slashdot.

Japan's Space Agency Conducts First Test Flight For Experimental Reusable Rocket

"Japan's experimental reusable rocket took off and safely landed in a first test flight Saturday," reports the Associated Press, as Japan "seeks to achieve the technology key to cut launch costs and compete in the global space market dominated by SpaceX."


The RV-X rocket lifted off, hovered and moved horizontally before landing [watch the video here] during its less than one-minute flight at the Japan Aerospace Exploration Agency's Noshiro Testing Center in northeastern Japan, which was livestreamed by the NVS, a group of space fans...
Saturday's flight is a step forward for Japan in achieving the technology needed to develop a lower cost successor to the country's current mainstay, single-use H3 series.

Japan's test comes the same week that China recovered an orbital booster rocket for the first time.

Read more of this story at Slashdot.

ANCIENT LOTUS

ajpscs posted a photo:

ANCIENT LOTUS

LOTUS & WATER LILIES
ON MY KNEES, I CAN SEE FOREVER
© ajpscs

Touch the Magic

Thomas Hawk posted a photo:

Touch the Magic

Found Photograph

Thomas Hawk posted a photo:

Found Photograph

Vanillasludge posted a photo:

Lately More or Less

Thomas Hawk posted a photo:

Lately More or Less

I Wandered Out Into the Water

Thomas Hawk posted a photo:

I Wandered Out Into the Water

Kama River Kyoto

rohantstevens posted a photo:

Kama River Kyoto

Scheidsrechter Rob Dieperink (38) dood

Gruwelijk. Scheidsrechter Rob Dieperink (Borculo) is dood en dan hebben we een donkerbruin vermoeden hoe dat komt. Dieperink werd twee maanden geleden in Londen opgepakt op verdenking van aanranding van een zeventienjarige jongen. Hij was daar voor de wedstrijd Crystal Palace-Fiorentina in de Conference League. De zaak werd geseponeerd, maar Dieperink werd toch niet meegenomen naar het WK, waar hij in actie zou komen als videoref. Sinds 2012 floot hij in het profvoetbal, sinds 2017 ook in de Eredivisie. Dieperink werd slechts 38 jaar oud.

Potenramvrije zones tijdens Pride Amsterdam

pride amsterdam

Nadat 'jongens op fatbikes' geprobeerd hebben een bezoeker van Amersfoort Pride tot hetero te rammen staat iedereen weer op de achterste.. euh, poten. Niet prettig, zo met de grootse Amsterdam Pride voor de deur. En het gaat met de LHBTI-acceptatie in Nederland zó goed, dat er in Amsterdam potenramvrije zones zijn ingericht. "Als je als lhbti'er wordt lastiggevallen, kun je in Amsterdam straks in 35 hotels met beveiliging terecht. Ook plekken als het Stedelijk Museum, De Nieuwe Kerk en het stadsarchief zijn aangesloten. 'Je bent daar in ieder geval veilig en iemand helpt je verder'." Wat natuurlijk goedbedoeld en fijn is, maar besef: tijdens de Pride in onze lieve, vrije, homovriendelijke en supertolerante hoofdstad Amsterdam moeten specifieke plekken worden aangewezen en ingericht waar je als homo 'in ieder geval veilig' bent. Sad.

De Speld

Uw vaste prik voor betrouwbaar nieuws.

​Rustdag in Tour de France met 3 uur ingekort

'Het is veel te warm om te rusten'

De rustdag die vandaag op het programma staat in de Tour de France, wordt met 3 uur ingekort vanwege de hitte. Daarmee telt de dag 21 uur, in plaats van de geplande 24 uur. Volgens Tourorganisator ASO is het besluit 'noodzakelijk vanwege de extreme weersomstandigheden'. In grote delen van Frankrijk kan het kwik vandaag oplopen tot 40 graden en geldt code rood.

Een verstandig besluit, vindt analist Tom Dumoulin: "Op zo'n klamme dag komt je lijf niet tot rust. Ik heb zulke rustdagen zelf ook wel eens meegemaakt: dan lig je uren te woelen in je bed, terwijl je elk uur van de klok ziet. Dan ga je van frustratie compleet in het rood terwijl er de volgende dag weer gefietst moet worden. Dat is vragen om ongelukken."

De wielrenners mogen van de organisatie zelf weten welke drie uur ze uit hun dag schrappen, als ze morgenochtend maar op tijd aan de start staan van de tiende etappe (10.25 in plaats van 13.25).

&


White-throated Honeyeater, Myponga Beach, full story at https://naturallysouthaustralia.com

Naturallysouthaustralia.com has added a photo to the pool:

White-throated Honeyeater, Myponga Beach, full story at https://naturallysouthaustralia.com

The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection

Hudson Rock says the suspected compromise of the Argentine Football Association (AFA) may be linked to an infostealer infection nearly a year earlier. The incident appears to be the work of an aggrieved football fan, or group of them, after Argentina eliminated Egypt from the World Cup round of 16. Egypt's coach and football association complained about several refereeing and VAR decisions, which they said contributed to the result. The compromise of AFA's systems was spotted after mass emails were sent from legitimate domains stating that Argentina "stole" the win from Egypt and that "the robbery will not go unnoticed." Hudson Rock said it found evidence of an infostealer infection dating back to September 8, 2025, on a device belonging to an AFA software developer who had been employed at the governing body for nearly a decade. The security shop operates a database of known infostealer victims, and noted that the compromised machine was added to its database the following day. Whoever was behind the attack, which was claimed by "All Egyptian Cyber Warriors," they either sat on the credentials for nearly a year, or sought them out after Egypt were controversially eliminated from the World Cup. Once they procured the credentials and authenticated themselves into the AFA's systems, Hudson Rock said they "likely had profound administrative control." This would have included direct access to phpMyAdmin database management panels, root access to certain AFA databases, access to the management portal of AFA's training HQ, the AFA media portal, and its competition management system. After looking at the stolen credentials in their database, the researchers said that weak, easily guessable passwords were reused across several internal systems. In addition to the compromised emails sent from AFA's management and admin portal (afasistemas.com.ar), Hudson Rock spotted a number of posts made to cybercrime forums advertising the body's data for sale. According to the advertisements, the data related to staff, professional clubs, and the AFA's external media partners. The samples appeared to include internal email addresses, phone numbers, user roles, and registration timestamps, as well as listings for access to AFA subdomains. Passwords were also among the data, although much of them were securely hashed. However, a small portion were in plaintext, which Hudson Rock said suggests "a significant security oversight." "The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be," the security outfit said. "A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails. "Because the stolen credentials sat dormant for months, the organization was lulled into a false sense of security, completely unaware of the ticking time bomb in their network infrastructure." The AFA told reporters on Friday that it was investigating the compromise with its IT team after many received the emails sent by the intruders. "There is a possibility that our account has been subject to unauthorized access," the AFA stated. "We are currently working to clarify the situation and implement the necessary security measures." ®

HTTP gets a QUERY method so complex searches can stop pretending to be POST

"Idempotent" may be jargon, but the term performs an important job in HTTP as a hall pass that gives reverse proxies and gateways the go-ahead to cache complex query responses and automatically retry failed requests. HTTP has long allowed automatic retries for idempotent methods, but complex queries are often sent using POST, which intermediaries cannot safely assume is retryable. Developers have worked around that limitation for decades. The Internet Engineering Task Force (IETF) has published a new HTTP request method, QUERY (RFC 10008), joining familiar methods including GET, POST, PUT, and PATCH. In development since 2021, the QUERY request method provides a way for an HTTP client to make an idempotent request to an HTTP server. An idempotent request has the same intended effect whether it is sent once or multiple times (so retrying it should not charge a user's credit card again). The specification defines QUERY as safe and idempotent, and the solution was surprisingly simple. "Thanks to QUERY, we finally have functional HTTP caching for complex requests. Proxies, CDNs, and browsers can now cache requests with a body. This is huge for performance," writes developer Elie Treport in a recent blog post. Query operations have traditionally used the GET method. HTTP defines GET as safe and idempotent, as it made no changes to the server itself, but GET becomes awkward when the query data is too large or complex for a URI. The idea behind GET was to load all the necessary query parameters onto the form's URL, resulting in a very long string that the browser sent to the server. Many search services still work this way, appending query parameters to the URL after a question mark. Those URLs can expose sensitive data through browser histories, server logs, and bookmarks. Festooned with nested filters, sort rules, date ranges, and other database flotsam, GET URLs can become unwieldy. HTTP recommends support for URIs of at least 8,000 octets, but there is no universal maximum, so an oversized URL may be rejected by any of the systems it passes through. Long query strings are also a pain to read and debug. Faced with these Franken-URLs, many developers turned to POST instead. POST can carry query data in the request body, but its semantics do not tell intermediaries that the operation is safe and idempotent. The method is more commonly associated with operations such as submitting form data, uploading a PDF, or creating and modifying resources. For a basic HTML form, switching to moves the encoded form data from the URL into the request body. Crafty developers soon began placing complex query payloads, often encoded as JSON, in POST request bodies and having their applications process the responses. Many APIs adopted the pattern; GraphQL, for example, commonly uses POST for queries, although it also supports GET. It was a hack, though. This was not what POST was designed for. HTTP defines POST as neither safe nor idempotent by default. A POST request could change the server's state. And this is why internet networking software treats POST far more delicately than GET. Intermediaries generally cannot reuse POST responses for later POST requests or automatically retry POST without knowing the operation is idempotent. If the message fails, the browser or gateway will not resend it, necessitating intervention from either the user or the app. QUERY's long road to adoption So basically, QUERY combines request content similar to POST with explicitly safe and idempotent query semantics. No longer will the query URL need to be appended beyond recognition, but, like POST, apps and browsers will get a dedicated space to put their complex query data. Unlike POST, QUERY is a read-only operation, and hence receives the IETF's blessing as idempotent, freeing up HTTP clients and intermediaries to cache and resend QUERY requests after a connection failure. A QUERY request does not ask or expect the server to change the state of the target resource. It's just there to ask a question. Cloudflare and Akamai engineers co-wrote RFC 10008. Both companies provide edge caching for large clients. German internet engineering firm greenbytes also contributed. As a new standard, QUERY still has limited support. The HTML forms standard still only understands GET and POST for ordinary form submission, so it will need to be updated even before the browsers get on board. The good news is that the Web Hypertext Application Technology Working Group is already on the case. However, a whole ecosystem of network software still doesn't understand QUERY and may reject requests using an unfamiliar method. Reverse proxies, load balancers, content delivery networks, API gateways, firewalls, and web frameworks will all need to be updated. "The pattern one would expect is the same seen with other HTTP methods and headers that became standard over the last twenty years: first server-side adoption and dev tools, then consolidation in frameworks, and finally, more slowly, native browser support and JavaScript APIs like fetch()," wrote open source developer Daniele Teti in a blog post. Teti noted that Node.js is adding support in its HTTP module, and the Go programming language is ahead of the game because it can already send custom HTTP methods. Elsewhere, the PHP framework Laravel is already ingesting QUERY. But, as with IPv6, the IETF faces an uphill battle to get the HTTP ecosystem on the same page. ®

Progress orders emergency ShareFile server shutdown over mystery security threat

Progress Software has ordered some ShareFile customers to pull the plug on their own servers after detecting what it describes as a "credible external security threat" targeting the on-premises component of its enterprise file-sharing platform. The emergency warning, sent by email and seen by The Register, instructed organizations running ShareFile Storage Zone Controllers to take the unusual step of manually shutting down the Windows servers that host the software, with no patch or configuration workaround yet announced. "We have reason to believe there is a credible external security threat targeting Progress Software's ShareFile Storage Zone Controllers," the company wrote, adding that it had already disabled access to ShareFile accounts using Storage Zone Controllers, but warned this alone was not enough. "IMMEDIATE ACTION REQUIRED: You must manually shut down the server hosting your Storage Zone Controllers," the email continued. “This is a critical additional step to ensure the safety of your data." The company said the restrictions were being imposed "out of an abundance of caution" as it works with internal and external security experts to investigate the threat. Customers reported that Progress was also calling affected organizations directly to reinforce the message. A follow-up notice over the weekend offered little additional detail. Progress said it had "no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat," but instructed customers to keep Storage Zone Controllers offline even as cloud services were gradually restored. Exactly what prompted such a dramatic response remains unclear. Progress has not disclosed the nature of the threat, whether any customers have been compromised, which software versions are affected, or when administrators can safely power systems back on. A spokesperson at Progress Software did not answer our questions, instead they sent a statement to The Register: "Protecting our customers' data and maintaining the security of our services remain our highest priorities. As of 5 p.m. ET on Sunday, July 12, we notified all ShareFile customers with Storage Zone Controllers that their access to the Progress ShareFile cloud service has been restored. However, Storage Zone Controllers must remain turned off while we complete our investigation. At this time, we have no evidence of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat. We will continue to provide customers with updates as additional information becomes available. " The information vacuum has fueled speculation. One Progress customer on Reddit speculated that if the vendor is telling customers to completely shut down servers, "it's almost certainly an unauthenticated RCE being exploited in the wild." Storage Zone Controllers are the on-premises component of ShareFile that allows organizations to keep files on their own infrastructure while continuing to use Progress's cloud platform for authentication and management. Because they typically sit on internet-facing Windows servers, they present an attractive target if a serious, remotely exploitable flaw emerges. The incident also arrives just months after Progress patched two critical vulnerabilities in ShareFile Storage Zone Controller v5 that could be chained into unauthenticated remote code execution, although the company has not linked the current incident to those bugs. Progress is no stranger to security crises. The vendor spent much of 2023 and 2024 dealing with the fallout from mass exploitation of its MOVEit Transfer software by the Clop ransomware gang, a campaign that snowballed into one of the largest supply chain breaches on record. Whatever Progress has found this time around, it has decided that customers are better off with their servers powered down than running. ®

MetaFilter

The past 24 hours of MetaFilter

Surprisingly elastic

If Foucault is inescapable, then he is also, perversely, elusive: both celebrated and reviled, sometimes by people in the same political camp. He's been called a relativist, a reactionary, a faux-radical, an anarchist, a nihilist and an idealist, among many other things. Foucault himself took pleasure in being hard to pin down. [NY Times; ungated (note: archive site)]

Free Thread - Idioms and sayings

What's an idiom you find yourself using a lot in life or that you used to hear but rarely do now? This is your free thread! So you can also talk about anything like food, love, life or the number 42. Just no politics.

AI Data Centers and the Concentration of Wealth

This essay was written with Nathan E. Sanders, and originally appeared in The Guardian.

Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fall along party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data centers bring is worth their costs. Still, we worry that a focus on data centers obscures the larger impacts of AI on people’s lives: the concentration of power of AI companies, and their widespread political and financial influence.

Local data center opposition is grounded in legitimate concerns about misallocation of land resources when housing is at a premium, pressures on already higher energy prices, and localized environmental impact. Unlike other resource-consuming and polluting industrial facilities, data centers produce very few jobs. The fact that US opposition to data centers seems to be most fierce among lower-income communities reflects righteous indignation with an inequitable bargain, where tech companies and developers profit from exploiting local resources but offer little in return. On a global scale, their carbon footprint could grow unsustainably if usage accelerates. And all this is in aid of a technology that many fear will propagate misinformation, take their jobs, or even cause existential risks for humanity.

For some, data center opposition may feel like the only tangible mechanism for registering their concern, disapproval, or even anger about AI. The problem is that this may be exactly what the AI companies are banking on. They can overcome the protest when it matters to them, and live with a significant fraction of proposals being defeated. More importantly, focusing political opponents on the data center issue obscures the bigger prize they’re after.

While there is a staggering three-quarters of a trillion dollars being spent on data center infrastructure by US companies this year alone, this investment should be taken in perspective. The market for enterprise software, for example, is about twice this size. And it’s small compared with what these companies actually want.

AI companies have their eyes set on capturing all the value created by entire industries. The technology has arguably already conquered customer service and consumer sales. But on the horizon are bigger targets, such as enterprise software development, creative design, management and even legal services. In AI companies and their allies’ vision of the future, AI replaces teachers and doctors. The companies would rather spend time fighting resistance to how fast they are building computing infrastructure than dealing with issues of how their products should be used in those fields, or how those fields should be protected from their products.

And while data center opposition campaigns have been successful in building widespread appeal, their effectiveness in the US is mixed. They seem to be most successful when organizing against speculative, early-stage data center proposals that have a relatively low likelihood to ever see fruition. Meanwhile, advanced-stage, well-capitalized data center projects have proven to have the resources to overcome local opposition. An OpenAI- and Oracle-backed facility in Saline township, Michigan, is breaking ground on construction even after local officials voted to reject it. The developers sued the town of 3,000 and forced a settlement that involved their project going forward. Meanwhile, the Trump administration, a vigorous ally of corporate AI, has signaled its willingness to advance AI infrastructure development by overriding state objections and even using federal lands.

Also consider that rampant data center development may be a momentary spike rather than a longstanding concern. Demand for the centralized computing that data centers provide may well decline over time. The leading Chinese labs, such as Z.ai, are innovating in technical mechanisms to make frontier-class models smaller and cheaper to run. AI power users have become adept at miniaturizing open weight models, ones published free for anyone to download and use, to run locally on their own computers. Apple and Google both support infrastructure stacks for running AI models directly on mobile phones. It could be that the current mania for data centers will look like the fiber optic cable bubble from the early 2000s, as demand shifts to smaller models and AI usage on people’s own devices.

For those concerned primarily with affordability and environmental protection, singling out data center construction is misplaced. Energy rates and inflation today seem to be most visibly affected by the US-Iran war. The US is disinvesting in long-term energy security by ceding the renewable energy industry to China and actively cancelling climate commitments. Consider that 10% of global carbon emissions stem from heating buildings, which dwarfs energy use by AI and could be cut fivefold by using heat pumps powered by renewable energy. With respect to housing affordability, federal housing subsidies have changed little over three decades, in inflation-adjusted terms, even as housing costs have spiked and homeowners have enjoyed robust tax incentives.

As for AI itself, the concentration of power and wealth in these tech companies is the greatest existential risk facing society today. This means we must limit corporate power, especially corporations’ ability to exploit the public and manipulate our political system.

Opposing data centers should be just a starting point. We can advocate for states to regulate AI, to reject irresponsible uses of the technology, and shape corporate behavior. We can fight for AI computation to be taxed, so that the public can capture some of the profit of AI use while also forcing AI companies to internalize more of the energy and environmental consequences associated with its use. And we all can join the global movement for Public AI, an alternative ecosystem for AI that is developed under public control with an incentive structure to create public benefit rather than private profit.

The US midterm elections present ample opportunity for those seeking to control the AI political agenda. In the recent New York congressional Democratic primary, PACs linked to the dueling AI companies Anthropic and OpenAI spent millions of dollars lobbying for or against “AI safety“, the idea that we must urgently monitor and prevent people from using AI to cause catastrophic harms. We’re already seeing a similar dynamic play out in races in Massachusetts and other states.

Why would Anthropic and OpenAI—bitter industry rivals but fundamentally on the same side politically—support opposing viewpoints? Because they both ultimately profit from the mystique: the idea that their products are so powerful that controlling those products is the world’s most important challenge. Here’s the typical read on the dynamic. To one side (backed by OpenAI affiliates), “safety” comes from the appearance of US industry dominating AI innovation, under the slow-moving control of federal lawmakers (and without pesky state regulators in the way). To the other side (backed by Anthropic), “safety” means a heavier regulatory framework that plays to Anthropic’s posturing as the ethics- and compliance-focused AI vendor. In both cases, it’s more marketing than principled concern about safety.

Political organizers should call out and reject the AI companies’ framing of the debate, and reorient campaign agendas around populist resistance to corporate concentration of wealth and power. When AI companies pump millions into legislative races, the result should not be hyperbolic discussion of AI superintelligence. And when a plot of land in a small town is pitched as a data center site, the debate should be about more than the local costs and benefits. It should include out-of-control money in politics, and Citizens United-proof solutions to limit corporate influence like public financing and state regulation.

We all have a vested interest in what’s on the policy agenda, and what the outcomes are. Today, the greatest risk AI poses to society is the exacerbation of inequality and the concentration of wealth. The real problem is trillion-dollar AI companies and their trillionaire oligarchs cozying up to political power in Washington and governments worldwide, and using their money to enact their agenda over the popular will of the people. This is the issue we’d like to see put front and center, and it requires solutions much more extensive than slowing data center development.

Politie Casting laat geen helikopter over de set van ‘Baantjer’ vliegen: ‘Dat is belangenverstrengeling’

Met zijn bedrijf Politie Casting probeert agent Marco Eradus films en series authentieker te maken. Op de filmset let hij op de kleinste details om frustratie bij kenners thuis te voorkomen.