1. How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos
Total comment counts : 29
Summary
Kudelski Security’s blog details how its researchers gained remote code execution on CodeRabbit’s production servers, leaked API tokens, reached the PostgreSQL database, and obtained read/write access to about 1 million code repositories, private ones included. The write-up, released after Black Hat USA, explains how the vulnerabilities arose and notes that CodeRabbit remediated them quickly after disclosure in January 2025. CodeRabbit is an AI code-review GitHub App installed on millions of repositories. The researchers started by installing CodeRabbit on a test repository, observing the review comments it posts, and noting that it runs external analysis tools against pull-request contents; a tool that can be misconfigured or fed attacker-controlled input from the PR is a path to code execution in the reviewer’s own environment.
Top 1 Comment Summary
The commenter argues that large security failures should be publicly disclosed as breaches so that customers can protect themselves. They point to a tool with 7,000+ customers and access to 1 million code repositories (correcting an earlier figure: 1 million repos, not customers) that was compromised by a simple exploit. They note that attackers may already have established persistence before disclosure, so patching stops new intrusions but does not evict existing footholds. They acknowledge that security is hard but urge vendors to do better.
Top 2 Comment Summary
The commenter argues that many users install GitHub Apps with overly broad permissions, especially write access to repositories, which creates risk even with branch protections and GitHub Actions running from pull requests. Configuring this properly requires changing the GitHub OIDC audience, which is poorly documented. When asked for lower-scoped apps, vendors often resist and do not understand the security implications. The commenter urges GitHub to let installers define narrower access and to offer finer-grained permissions overall.
2. Perfect Freehand – Draw perfect pressure-sensitive freehand lines
Total comment counts : 4
Top 1 Comment Summary
The comment attributes the work to Steve Ruiz of tldraw.com and notes a similarity between two items.
3. Notion releases offline mode
Total comment counts : 17
Summary
Notion’s offline mode keeps you productive without internet. You can view, edit, and create pages offline on desktop/mobile; individual pages can be downloaded, and Plus/Business/Enterprise auto-download recent/favorited pages. To use offline, enable Available offline from a page’s menu; check the Offline tab to see what’s saved and remove items. Offline work is device-specific; mark needed pages (and sub-pages) on each device, and download extra database rows as needed. Some live features (embeds, forms, buttons) require online. Changes save locally and sync when reconnected; plan ahead for sharing.
Top 1 Comment Summary
The commenter argues that many Notion users have switched to Obsidian, highlighting Obsidian’s new database feature and its free price as compelling reasons, and questioning why anyone would choose Notion over Obsidian.
Top 2 Comment Summary
The commenter shifted from Notion to Obsidian and now prefers Obsidian for its local-first approach. While speed and local-first storage were the initial differences, Steph Ango’s “file over app” philosophy became the main appeal. They also used Claude Code to automate Obsidian cleanup and found it trivial because everything is stored as plain files.
4. Emacs as your video-trimming tool
Total comment counts : 17
Summary
A post by Marcin “mbork” Borkowski inspired the author to build a lightweight video-trimming tool inside Emacs, a video-trimmer-mode, after previously relying on QuickTime. The tool shells out to ffmpeg, is about 300 lines of code, and is linked from the author’s Emacs config repo. The author plans to refine it and may publish it to MELPA if there is interest. They invite feedback, note that they are an indie developer, and mention sponsorship and their other offerings (a blog and macOS/iOS apps).
Top 1 Comment Summary
A commenter questions why Emacs should be used for tasks far from text editing, like trimming video, calling it impressive but possibly misguided (comparing it to running Doom on a pregnancy test). The commenter, a C# developer who uses Visual Studio, recalls editing C++ in Emacs without regret, but wonders what Emacs offers for non-text tasks compared to dedicated tools. They note that several lightweight options exist and invite explanations of where Emacs adds value in such non-traditional workflows.
Top 2 Comment Summary
The text notes that Emacs is treated as an operating-system meme and expresses a wish that graphical integrations could be as easily implemented on real operating systems as they are in Emacs.
5. D2 (text to diagram tool) now supports ASCII renders
Total comment counts : 6
Summary
D2 0.7.1 adds ASCII output: rendering to any .txt file uses the new ASCII renderer. The feature is demonstrated in the D2 Vim extension, where a preview updates on save and a d2 block can be replaced in place by its ASCII render. ASCII diagrams are handy in code comments. By default renders use Unicode box-drawing characters; pass --ascii-mode=standard for pure-ASCII output that survives any editor or terminal. The feature is alpha-stage with likely bugs; report issues on GitHub. The renderer downscales the ELK layout and post-processes the result, and is live in the D2 Playground.
Top 1 Comment Summary
A developer announces a new, alpha-stage feature and notes a GitHub issue has already been filed. They provide two direct playground links to try it on play.d2lang.com: a quick-start example and a larger example.
Top 2 Comment Summary
The message expresses enthusiasm about the new C4 support, notes a prior post mentioning it, and says the author is about to start C4-related work and will check it out.
6. Without the futex, it’s futile
Total comment counts : 15
Summary
Phil Eaton’s book club picked The Art of Multiprocessor Programming, 2nd Edition (2021). The author admires the field but would not recommend the book, arguing that it underemphasizes fundamentals for upper-level students and neglects practical primitives such as the futex. Futexes changed locking by separating the lock itself (an atomic variable in user memory) from waiting (a kernel-assisted sleep), a departure from SysV semaphores, where every operation is a syscall. Since their introduction in 2002, futex-based locks have delivered major speedups and the idea has been adopted by Windows and macOS. A futex wait blocks the calling thread on a kernel wait queue keyed by a memory address, optionally with a timeout; a wake dequeues one or more waiters from that address. Crucially, the wait call takes the value the caller expects at the address and returns immediately if the memory no longer holds it, so a wake that lands between the user-space check and the syscall is not lost.
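The lock-versus-wait split described above, as an added example that is not code from the post or the book: a minimal futex-based mutex for Linux using the classic three-state design (0 unlocked, 1 locked, 2 locked with possible waiters). The uncontended path is one compare-and-swap in user space; the kernel is entered only when a thread must sleep or a sleeper must be woken, and FUTEX_WAIT is given the value 2 so that an unlock racing ahead of the sleep makes the syscall return instead of blocking. The names fmutex_*, run_demo and trylock_demo are this example's own, and the thread counts are arbitrary; it needs Linux headers and pthreads.

```c
/* Added example: a minimal Linux futex mutex (not the post's own code). */
#define _GNU_SOURCE
#include <linux/futex.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef struct {
    atomic_int state;   /* 0 = unlocked, 1 = locked, 2 = locked + waiters */
} fmutex_t;

/* Raw syscall wrapper. The 4th argument is a timeout pointer (NULL = wait
 * indefinitely); FUTEX_PRIVATE_FLAG restricts the futex to this process. */
static long futex_op(atomic_int *addr, int op, int val)
{
    return syscall(SYS_futex, addr, op | FUTEX_PRIVATE_FLAG, val, NULL, NULL, 0);
}

/* Returns 1 if the lock was taken, 0 if it is already held. No syscall. */
int fmutex_trylock(fmutex_t *m)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&m->state, &expected, 1);
}

void fmutex_lock(fmutex_t *m)
{
    int c = 0;
    /* Fast path: 0 -> 1 entirely in user space. */
    if (atomic_compare_exchange_strong(&m->state, &c, 1))
        return;
    /* Slow path: record that a waiter may exist (state 2), then sleep. */
    if (c != 2)
        c = atomic_exchange(&m->state, 2);
    while (c != 0) {
        /* The kernel compares *state with 2 atomically before queueing us;
         * if an unlock already reset it to 0 this returns EAGAIN at once,
         * which is what prevents the lost-wakeup race. */
        futex_op(&m->state, FUTEX_WAIT, 2);
        c = atomic_exchange(&m->state, 2);
    }
}

void fmutex_unlock(fmutex_t *m)
{
    /* 1 -> 0: nobody is waiting, no syscall. 2 -> 1: someone may sleep. */
    if (atomic_fetch_sub(&m->state, 1) != 1) {
        atomic_store(&m->state, 0);
        futex_op(&m->state, FUTEX_WAKE, 1);
    }
}

/* Uncontended semantics: trylock succeeds, fails while held, succeeds again
 * after unlock. Returns 1 on the expected sequence. */
int trylock_demo(void)
{
    fmutex_t m;
    atomic_init(&m.state, 0);
    int a = fmutex_trylock(&m);
    int b = fmutex_trylock(&m);
    fmutex_unlock(&m);
    int c = fmutex_trylock(&m);
    return a == 1 && b == 0 && c == 1;
}

/* Contended demo: NTHREADS threads each bump a shared counter ITERS times. */
#define NTHREADS 4
#define ITERS 20000

static fmutex_t g_lock;
static long g_counter;

static void *worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERS; i++) {
        fmutex_lock(&g_lock);
        g_counter++;
        fmutex_unlock(&g_lock);
    }
    return NULL;
}

/* Returns the final counter: NTHREADS * ITERS if mutual exclusion held. */
long run_demo(void)
{
    pthread_t tid[NTHREADS];
    atomic_store(&g_lock.state, 0);
    g_counter = 0;
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, worker, NULL);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(tid[i], NULL);
    return g_counter;
}

int main(void)
{
    return (trylock_demo() && run_demo() == (long)NTHREADS * ITERS) ? 0 : 1;
}
```

The unlock path shows the "kernel never sees an uncontended mutex" property: with state 1 the decrement goes to 0 and no syscall is made; only a state of 2 triggers FUTEX_WAKE. Dropping the expected-value check (for example, waiting on any non-zero state rather than exactly 2) would reintroduce the missed-wake race the summary describes.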
Top 1 Comment Summary
Windows gained WaitForMultipleObjects, while Linux 5.16 added futex2. Since then, futex2 has improved rapidly, including NUMA support (crucial for performance) and further enhancements in Linux 6.7 and 6.16 (such as small requeue and single-wait features). Linux 6.7 also adds io_uring support, speeding up asynchronous I/O for PostgreSQL. Overall, futex2 has matured significantly, boosting scalability and I/O performance on modern Linux systems.
Top 2 Comment Summary
The comment praises the futex as a handle-less primitive: no handle is allocated via a syscall, just a kernel-side watcher on a memory address, which is highly useful. It cleans up fully when there are no waiters, and the kernel never sees a mutex that has no contention. The commenter would like a technical deep dive into how the kernel manages futexes efficiently and notes futex2 as an area to explore.
7. How Figma’s multiplayer technology works (2019)
Total comment counts : 11
Summary
Figma built its own multiplayer editing system rather than adopting operational transforms, finding OT too complex for design collaboration. They implemented a simpler, custom protocol on a client/server model: each document has a dedicated server process that clients connect to over WebSockets, and edits made offline are replayed on reconnect. Document changes synchronize live, while other data (comments, users, teams, projects) goes through a separate Postgres-based system. They tested ideas in a prototype playground before committing to them. The goal was to broaden participation (writers, developers) with minimal disruption and no exporting or emailing of files.
Top 1 Comment Summary
The commenter notes that despite progress the problem remains hard, though some advanced tech exists to address it. They long for more accessible solutions, easier to use than CRDTs, and ask how others have perceived the field shifting over the past six years.
8. The new geography of stolen goods
Total comment counts : 8
Top 2 Comment Summary
The commenter notes that encrypted communications let criminal gangs operate and coordinate globally, forming supply chains. Cars carry GPS units and smartphones that, even when offline, can reveal when a theft occurred, aiding tracking, and customs authorities hold vast container databases. Yet identifying thieves remains hard because of the sheer volume of data. The commenter questions whether banning cryptography and adding still more data would actually improve efforts to track criminals.
9. Candle Flame Oscillations as a Clock
Total comment counts : 10
Summary
A single candle is designed not to flicker, but three candles bundled together synchronize and oscillate at a stable ~9.9 Hz, a frequency set mainly by gravity and flame diameter. The coupled flames flicker with a sawtooth brightness cycle as they trade height and energy. The author measured the signal with a high-resolution ambient light sensor and confirmed a consistent 9.9 Hz. Because the oscillation depends mainly on gravity and the size of the fuel source, it could serve as a fire-based time base. The article also describes converting the signal to electronics: a wire senses changes in flame capacitance, and a phototransistor with a load resistor captures the ~9.9 Hz signal, from which a 1 Hz clock can be derived.
Top 1 Comment Summary
The piece investigates how a candle-flicker LED generates randomness in its flicker and outlines the reverse-engineering steps used to uncover the mechanism. It explains how the LED mimics a natural flame and what can be learned from dissecting its flicker pattern.
Top 2 Comment Summary
The article notes a stable oscillation frequency of about 9.9 Hz, mainly set by gravity and flame diameter. It also compares this to Dolbear’s law, which estimates air temperature from a cricket’s chirp rate, and cites a link to its Wikipedia page.
10. The SSO Wall of Shame – Vendors that treat SSO as luxury feature
Total comment counts : 18
Summary
Single sign-on (SSO) lets a business outsource authentication to an identity provider (e.g., Google, Azure AD) so IT can centrally manage users across many vendors. For larger teams it is critical: access can be disabled quickly and audited across every app. Yet many SaaS vendors restrict SSO to Enterprise plans, charging 2–4x base pricing or quoting non-public prices, which makes it expensive and non-linear with seat count. The page notes that its pricing data is crowdsourced and invites corrections, and argues that SSO should be priced separately from other value-added enterprise features.
Top 1 Comment Summary
The so-called SSO tax is more about market segmentation than technical or support costs. Larger, price-insensitive customers require SSO because of SOC 2 attestations, and their payments subsidize price-sensitive customers. While pricing that charges the price-insensitive more may irritate, this universal segmentation remains common. The commenter also points to a prior related post with a link.
Top 2 Comment Summary
SSO tends to increase the support burden because it is complex, with many adjustable settings, making it hard to tell whether an issue comes from the customer’s configuration (or identity provider) or from the vendor. A recent incident involved misreadings of the spec and provider-specific behavior. It is painful at the start, though it tends to improve as the implementation matures.