创业投融资
Plex adds new social features ahead of a major price hike for its lifetime pass
Plex has come a long way from being just a personal media server. Over the past few years, it has transformed into a streaming hub, today featuring ad-supported content and movie rental options. Now, the company is setting its sights on competing with social networking platforms like Reddit and Letterboxd: on Wednesday, Plex unveiled several […]
AI 资讯
Docker on Proxmox LXC: What Actually Works (and Why Unprivileged Doesn't)
The Setup I run a Proxmox 9 homelab (pve-manager/9.0.5, kernel 6.14.8-2-pve) and I needed to run Docker inside an LXC container — not a VM — to test a customer-style "bring-your-own-VPS" deployment path for a PaaS I'm building. The container had to act like a standard Ubuntu cloud VM: Docker, systemd, the works. LXC over a full VM gets me near-bare-metal performance, a fraction of the RAM overhead, and instant boots. The catch: the "Docker on LXC" recipes you'll find on most blog posts and Proxmox forum threads are out of date . They assume kernel 5.x and runc 1.1.x. On a modern Proxmox (kernel 6.14 + runc 1.2+ shipped with Docker 29) those recipes fail in two new and confusing ways before you even reach the workarounds we used to know about. This article walks through exactly what fails, why it fails, and the config that actually works in 2026 — plus an honest look at the security tradeoffs, because spoiler: the working config is privileged , and that matters. The Goal A Proxmox LXC container that can: Run docker run hello-world cleanly Pull and build complex images (multi-stage builds, overlay2 storage driver) Run nested containers with their own systemd Use systemd --user for per-service lingering processes Attempt 1: Unprivileged LXC (the path you "should" take) Conventional wisdom says: use unprivileged LXC. The container's root is mapped to an unprivileged UID on the host (typically 100000 ), so even a full container compromise can't escape to host root. Modern Proxmox makes this the default and recommended mode. I started with an unprivileged Ubuntu 25.04 container, added the now-standard features: pct set <vmid> -features nesting = 1,keyctl = 1,fuse = 1 Then inside the container, installed Docker from the official download.docker.com repo and ran: docker run --rm hello-world Here's what happened: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start
开发者
WSL 2: Die wichtigsten Befehle für deinen Entwickler-Alltag (Cheatsheet)
Wer täglich in anspruchsvollen Agenturprojekten arbeitet und zwischen Windows-Host und Linux-Umgebung wechselt, weiß: WSL 2 ist ein Gamechanger. Doch selbst wenn man das perfekte Setup einmal konfiguriert hat, kommt unweigerlich der Moment, in dem eine Distribution hängt, RAM freigegeben werden muss oder man ein Backup ziehen will. Anstatt jedes Mal Stack Overflow zu durchsuchen, habe ich mir angewöhnt, die essenziellen Konsolen-Befehle immer griffbereit zu haben. Hier sind die 5 WSL-Befehle, die ich in meinem Setup am häufigsten brauche: Wer täglich in anspruchsvollen Agenturprojekten arbeitet und zwischen Windows-Host und Linux-Umgebung wechselt, weiß: WSL 2 ist ein Gamechanger. Doch selbst wenn man das perfekte Setup einmal konfiguriert hat, kommt unweigerlich der Moment, in dem eine Distribution hängt, RAM freigegeben werden muss oder man ein Backup ziehen will. Anstatt jedes Mal Stack Overflow zu durchsuchen, habe ich mir angewöhnt, die essenziellen Konsolen-Befehle immer griffbereit zu haben. Hier sind die 5 WSL-Befehle, die ich in meinem Setup am häufigsten brauche: 1. Den Status aller Distributionen prüfen Der absolute Standard-Befehl, um zu sehen, welche Linux-Instanzen laufen und welche WSL-Version sie nutzen. wsl --list --verbose # oder kurz: wsl -l -v 2. Der Notaus-Schalter (RAM freigeben) Wenn Docker oder ein Node-Prozess im Hintergrund den gesamten Arbeitsspeicher blockieren, fährt dieser Befehl alle WSL 2 Instanzen sauber herunter. wsl --shutdown 3. Eine bestimmte Distribution als Standard setzen Wichtig, wenn man beispielsweise neben Ubuntu noch Debian installiert hat und festlegen will, was sich beim reinen Befehl wsl öffnet. wsl --set-default <Distributionsname> 4. Die WSL-Umgebung neustarten Es gibt keinen direkten "Restart"-Befehl. Die sauberste Lösung ist das Beenden (Terminate) der spezifischen Instanz. Beim nächsten Aufruf startet sie frisch. wsl --terminate <Distributionsname> 5. IP-Adresse der WSL-Instanz herausfinden Extrem hilfreich für be
开发者
React + Mapbox GL JS: Custom Markers, Popups, and Bounds-Based Data Fetching
React + Mapbox GL JS: Custom Markers, Popups, and Bounds-Based Data Fetching If you've added a Mapbox map in a React app before, you've probably hit a wall pretty quickly: Mapbox GL JS manages its own DOM, and React manages a virtual DOM, and getting the two to play nicely takes some thought. Markers and popups are a great example of this tension — they're imperative APIs in a world where you want declarative components. This post walks through a pattern I've landed on for wrapping mapboxgl.Marker and mapboxgl.Popup in composable React components, and combining them with bounds-based data fetching to build something like a real estate or earthquake explorer map — where the data on the map updates as you pan and zoom. Here's what we'll cover: Wrapping mapboxgl.Marker in a React component that handles its own lifecycle Using createPortal to render custom marker content in React Fetching data from an API using the map's current bounding box Tracking an active marker with React state Wrapping mapboxgl.Popup in a component If you want to see the finished product first, the source code is on GitHub . The Core Challenge: Two DOMs Before we get into the code, it's worth understanding why this requires a pattern at all. When you use React's normal component tree, React controls the DOM. But mapboxgl.Marker also creates and manages DOM nodes — it places an element on the map at a specific geographic coordinate, handles repositioning as you pan, and removes itself cleanly when you're done with it. The approach here is to use React to manage the lifecycle of each marker (mount when data arrives, unmount when data goes away), while letting Mapbox handle the positioning . We use React's createPortal to render JSX content into a DOM node that we hand off to Mapbox. The example discussed below is a map that fetches earthquake data for the current viewport, displaying a custom Marker and Popup for each. As you move the map and the bounds change, new data is fetched and the Markers a
AI 资讯
Vercel cron alternative: what to use when built-in cron isn't enough
Vercel's built-in cron triggers your serverless functions on a schedule. For simple use cases it works. But it has no failure alerts, no execution history on the Hobby plan, and no way to know whether your function actually completed successfully — only that it was called. Where Vercel cron falls short Vercel cron works by invoking one of your API routes on a schedule defined in vercel.json . The invocation is fire-and-forget — if your function times out, throws an error, or returns a non-2xx status, you get no alert. You find out when a user reports something is broken. The specific gaps developers run into: No failure alerts. Vercel does not send an email or webhook if your scheduled function fails. No execution history on Hobby. The free plan does not retain cron execution history. Timeout ceiling. Functions are subject to the same timeout limits as all serverless functions — 10 seconds on Hobby, up to 300 seconds on Pro. HTTP-only. Vercel cron calls an HTTP endpoint on your app. You cannot schedule arbitrary background work outside your deployment. No heartbeat monitoring. Even if your function is called successfully, you have no built-in way to verify it completed its work — only that it was invoked. Minimum 1-hour interval on Hobby. Sub-hourly schedules require a paid plan. If you are hitting any of these limitations, you need an external tool. Comparison at a glance Tool Schedules jobs Failure alerts Heartbeat Uptime monitoring Free tier Vercel built-in ✓ ✗ ✗ ✗ ✓ (1h min) Tickstem ✓ ✓ ✓ ✓ ✓ Upstash QStash ✓ ✓ (retries) ✗ ✗ ✓ Inngest ✓ ✓ ✗ ✗ ✓ cron-job.org ✓ ✓ (basic) ✗ ✗ ✓ Tickstem — cron + heartbeat + uptime in one API key Best for: developers who need scheduling, failure alerts, heartbeat monitoring, and uptime checks without managing multiple tools. Tickstem is an external HTTP cron scheduler with built-in monitoring. You register your Vercel endpoint as a cron job, and Tickstem calls it on your schedule — every minute if needed, regardless of your Vercel
AI 资讯
SwitchBot’s acquisition of Nanoleaf is about more than lighting
Smart lighting company Nanoleaf has been acquired by OneRobotics, the parent company of SwitchBot. In an exclusive interview with The Verge, Nanoleaf CEO Gimmy Chu says the company will remain independent and that he and his cofounder and COO, Christian Yan, will continue to run it. "Nothing is changing operationally," says Chu, adding that there […]
创业投融资
The world’s largest privately owned laser just turned on
Fusion startup Xcimer fired up the world's largest privately owned laser.
AI 资讯
Creating Robust systemd Services for Embedded Applications
There is a moment every embedded Linux developer hits eventually. You have spent days building something that works beautifully — a sensor pipeline, a streaming server, an MQTT client — and then you reboot the device and everything is silent. Nothing started. You SSH in, manually run your script, and it all comes back to life. The hardware is fine. Your code is fine. You just have no way of automatically running it. That is the gap systemd fills. It is the init system on virtually every modern Linux distribution, and on embedded Linux systems like the Raspberry Pi it is what decides what runs at boot, what gets restarted if it crashes, and where all the logs go. Once you understand how to write a service file, your applications stop being fragile scripts you need to babysit and start being first-class system services that survive reboots, network drops, and unexpected crashes. This tutorial builds up from the simplest possible service file to a production-ready configuration, explaining every line along the way. By the end you will have a service running your own Python application, logging to the system journal, and automatically restarting itself after failures. See Complete Tutorial in Github: Systemd Services Tutorial What systemd Actually Does Before writing any configuration, it helps to understand what problem systemd is solving, because the design of service files makes much more sense once you see the underlying model. When your Raspberry Pi boots, the Linux kernel starts and immediately hands control to process ID 1 — the very first user-space process. On modern systems, that process is systemd . Everything that happens next — mounting filesystems, bringing up the network, starting your application — is orchestrated by systemd. It reads configuration files called unit files that describe what should be started, when, in what order, and what to do if something goes wrong. A service file is just one type of unit file (there are also unit files for timers, so
AI 资讯
Why we built nudges before we built the dashboard (and why you should too)
Most SaaS founders build the dashboard first. It looks impressive in demos, investors love screenshots, and it feels like real progress. We did the opposite. Here's why. The real reason approvals fail When I started building TeamAutomation, I interviewed a dozen people about their approval process. Every single one said the same thing — approvals don't fail because people reject them. They fail because nobody follows up. The requester sends the request. The approver gets busy. Nobody wants to be the annoying person who keeps pinging. Days pass. Project blocked. A dashboard showing "pending approvals" doesn't fix this. The approver still has to remember to open it. Nudges are the product We ship automatic reminders at 24 hours, 3 days, and 7 days — directly in Slack where the approver already lives. No new app to open. No new habit to build. The accountability shifts from the requester to the system. That's the whole unlock. What we learned Build the thing that changes behavior first. The dashboard is just reporting. Nudges are intervention. If you're building any kind of workflow tool, ask yourself — what happens when nobody does anything? Your answer to that question is your core feature. What's next Still in early beta. Slack Directory approval pending. Zero users, full transparency. If you're dealing with approval chaos in your team, drop a comment — happy to give early access.
AI 资讯
Openpyxl's Relevance for Freelance Data Cleaning and Automation in 2023: Addressing Concerns and Solutions
Introduction: The Question of Relevance Imagine you’re a college student, fresh off mastering pandas , and you’re eyeing the freelancing market for data cleaning and automation gigs. You’ve heard of openpyxl , but as you dig deeper, you hit a wall: every resource seems to peg it as a relic for handling 2010 Excel sheets . That’s it. No modern use cases, no integration with cutting-edge tools, just a dusty library stuck in the past. So, you pause. Is openpyxl still relevant in 2023, or is it a dead end for someone trying to build a competitive freelancing portfolio? This dilemma isn’t just about openpyxl—it’s about the mechanism of perception in tech. When a tool is associated with outdated formats, its capabilities are often misinterpreted or overlooked . Openpyxl’s documentation and community discourse rarely highlight its modern applications, leaving newcomers like you to assume it’s obsolete. But here’s the catch: openpyxl isn’t just a 2010 Excel handler. It’s a low-level Excel manipulator that, when paired with libraries like pandas and numpy, can handle complex tasks that these libraries alone can’t. The problem isn’t openpyxl’s functionality—it’s the information gap between its perceived and actual utility. The stakes are clear: if you dismiss openpyxl as outdated, you risk missing out on a tool that could complement your pandas and numpy skills , making your freelancing services more efficient and versatile. But if you invest time in it without understanding its modern applications, you might waste effort on a tool that doesn’t align with current demands. The question isn’t whether openpyxl is relevant—it’s whether you’re looking at it through the right lens. In this investigation, we’ll dissect openpyxl’s role in 2023 freelancing, addressing its perceived limitations and uncovering its hidden strengths. By the end, you’ll have a clear rule for deciding whether to include it in your toolkit: If your freelancing gigs involve Excel-specific tasks that pandas ca
AI 资讯
The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites
id CTI-2026-0603-NETSCALER title The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites subtitle CVE-2026-3055: a March-disclosed SAML IdP information-disclosure flaw escalates in June — the gap between the "RCE" label and the real impact author Dennis Kim (김호광 / HoKwang Kim) email gameworker@gmail.com github gameworkerkim date 2026-06-03 classification TLP:GREEN severity CRITICAL lang en tags Edge-Device · Pre-Auth · Memory-Overread · Session-Hijack · SAML-SSO · CitrixBleed · CISA-KEV threat_actors Unattributed (likely a mix of ransomware and state-sponsored actors) cve CVE-2026-3055 (CVSS 9.3 v4.0 · CISA KEV) · related CVE-2026-4368 (CVSS 7.7) frameworks MITRE ATT&CK · NIST SP 800-61 · NIST SP 800-207 (Zero Trust) · CISA KEV · STIX/TAXII license CC BY-NC-SA 4.0 🚨 Heads-up: this is a VPN/remote-access issue — check your company's appliances now. If your organization runs Citrix NetScaler Gateway (the VPN / remote-access front door) or NetScaler ADC with SAML SSO enabled, you may be directly exposed to active, large-scale exploitation. Don't wait for a formal advisory to land in your inbox — inventory your internet-facing NetScaler appliances today , confirm patch level, and (critically) invalidate active sessions after patching . The details below explain why patching alone is not enough. The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites Report ID CTI-2026-0603-NETSCALER · Published 2026-06-03 · Classification TLP:GREEN · Severity 🔴 CRITICAL Author Dennis Kim (김호광) · gameworker@gmail.com · @gameworkerkim CVE-2026-3055: a March-disclosed SAML IdP information-disclosure flaw escalates in June — the gap between the "RCE" label and the real impact Table of Contents Executive Summary (TL;DR) Opening — "An edge device, once it leaks, keeps leaking" Vulnerability Analysis — CVE-2026-3055 Memory Overread "RCE" or "Information Disclosure"? — Decomposing the Real Impact Timeline —
AI 资讯
CIFSwitch - CVE-2026-46243
Just released an open-source bash checker for CIFSwitch (CVE-2026-46243) — the 19-year-old Linux kernel LPE disclosed last week that lets any unprivileged local user get root by abusing the CIFS/SPNEGO upcall path. The script runs on bare-metal, VMs, and inside containers, and is CI/CD-friendly with JSON output and clean exit codes. It checks: ✅ Kernel version against patched thresholds (6.18.22 / 6.19.12 / 7.0+) ✅ cifs-utils presence and exploitable version ✅ CIFS kernel module load state and blacklist status ✅ Unprivileged user namespace sysctl (the pivot point for the exploit) ✅ Active request-key cifs.spnego rules ✅ SELinux / AppArmor enforcement ✅ Container capabilities (CAP_SYS_ADMIN) ✅ Kernel symbol verification for the fix commit Outputs human-readable or JSON for SIEM ingestion. Exit 0 = safe, exit 1 = action needed — drop it straight into a pipeline. CIFSwitch is the fourth Linux LPE in under six weeks (after Copy Fail, Dirty Frag, and Fragnesia). If you're running multi-tenant Linux, CI runners, or container build farms, now is a good time to audit. I have also updated the cve_checks.conf in my my K8s-container_escape_audit toolkit to detect this issue.
开发者
Microsoft plans Linux tools and an RTX Spark desktop for Windows developers
One hardware announcement and several software highlights from Microsoft Build.
AI 资讯
Next.js 16 Caching for E-Commerce: Cache Components, use cache, revalidateTag, and Fresh Product Data
Caching in e-commerce is never just about speed. A fast storefront is useful only if it still shows the right price, the correct stock level, and the right experience for the current customer. That is why caching in a Next.js storefront can be deceptively hard. Some data should be shared broadly and kept warm for SEO and performance. Some data should be refreshed often. Some should never be shared between users at all. Next.js 16 gives teams a much clearer toolbox for solving this problem with Cache Components, use cache , tag-based invalidation, and explicit cache lifetime controls. Used properly, these features let you keep pages fast without drifting into stale commerce data. In this guide, I will walk through a practical way to think about caching in a modern storefront and show how to combine use cache , cacheLife , and revalidateTag for real e-commerce use cases. Why Caching Is Harder in E-Commerce Than in a Typical Content Site On a standard marketing site, most content changes infrequently. If a page is cached for a few minutes or even a few hours, the business impact is usually negligible. Commerce systems work differently. The same product page may contain: stable product descriptions and category copy semi-dynamic data such as price, availability, shipping estimates, or promotion labels private data such as cart state, recently viewed items, or customer-specific pricing Treating all of that data the same way leads to one of two bad outcomes: You cache too aggressively and serve stale prices or availability. You disable caching everywhere and lose the performance benefits that help SEO and conversion. The better approach is to split your data by volatility and audience. The Three Cache Boundaries That Matter Most For most commerce projects, the cleanest mental model is to divide data into three groups. 1. Stable catalog content This is the part of the page that usually changes only when content editors or merchandisers update the catalog. Examples: product
AI 资讯
How to Integrate the OpenAI API into a Production Express App
Last year I helped a startup integrate the OpenAI API into their product. It was a chat feature — users could ask questions about their data and get natural language answers. The integration took about a day. Three days after launch, the founder messaged me: "Hey, something's wrong. Our AWS bill just showed an unexpected charge." It was $340. For three days. They had 60 users. The issue wasn't a bug — it was that production API usage looks nothing like a tutorial. The tutorial shows you openai.chat.completions.create() and returns a response. The tutorial doesn't show you what happens when users send 500-token messages, when they open 15 browser tabs each maintaining their own chat context, or when one user fires requests 30 times per minute because they think it's broken. This guide covers what the tutorials skip: rate limiting, token counting, cost guards, streaming, error handling with retries, and model selection. These aren't optional additions — they're what separates a demo from a production feature. Why Production Is Different Here's the gap between tutorial code and production code, stated plainly: Concern Tutorial Code Production Code Cost control Not mentioned Token counting, spending limits, model selection by task Rate limiting Not mentioned Per-user and per-IP limits to prevent abuse Error handling try/catch that logs to console Typed errors, retries with backoff, user-facing messages Response delivery Wait for full completion, return at once Streaming via SSE — response appears as it generates Context management Each request is independent Conversation history managed, truncated at token limit Secrets management API key hardcoded or in .env (no rotation) Rotation strategy, usage monitoring, per-feature keys Let's build a production-grade Express API that addresses all of this. We'll go layer by layer. The Architecture ┌─────────────────────────────────────────────────────────┐ │ CLIENT (Browser / Mobile) │ │ POST /api/chat { messages: [...] } │ │ GET
AI 资讯
Deploying a Next.js App to AWS with CI/CD Pipelines (Step-by-Step)
The first time I deployed a Next.js app to production, it took me three days. Not because the app was complicated — it was a straightforward portfolio site. It took three days because I had no idea what I was doing with AWS, I'd never written a GitHub Actions workflow, and every tutorial I found either skipped the hard parts or assumed I already knew them. By the time I was done, I had a deployment pipeline I was genuinely proud of: push to main, GitHub Actions runs the build, tests pass, the app deploys to an EC2 instance behind CloudFront. Zero manual steps. Zero downtime deploys. Total cost: about $5/month. This guide is the one I wish had existed. We're going to deploy a Next.js app to AWS from scratch — EC2 for compute, CloudFront for CDN, GitHub Actions for CI/CD — with every step explained so you understand what you're building, not just copying commands. Why AWS Instead of Vercel? This is a fair question. Vercel is genuinely excellent for Next.js, and for most projects it's the right call. You push, it deploys. Done. AWS makes sense when: You need to control the infrastructure (compliance, data residency, custom VPC configuration) You're running other services (databases, queues, lambdas) in AWS and want everything in the same network You want to learn infrastructure skills that transfer to enterprise environments Your app has specific performance requirements that benefit from custom CloudFront configuration You're a freelancer or consultant who wants to bill separately for infrastructure If none of those apply to you, use Vercel. This guide is for when they do. The Architecture Here's what we're building: ┌────────────────────────────────────────────────────────┐ │ GITHUB ACTIONS CI/CD │ │ │ │ Push to main → Build → Test → Deploy to EC2 │ └──────────────────────┬─────────────────────────────────┘ │ SSH deploy ▼ ┌────────────────────────────────────────────────────────┐ │ AWS EC2 INSTANCE │ │ │ │ Ubuntu 22.04 LTS │ │ Node.js 20 + PM2 (process manager) │ │ N
产品设计
After 7 Next.js 16 Caching Bugs, I Stopped Guessing and Built a System
There's a specific feeling you get after your third production caching incident. It's not panic....
科技前沿
Cyberdecks are having a moment, rejecting big tech surveillance with style and substance
Over the last few months, these DIY hardware communities have exploded in popularity as people on social media show off their solar-powered game emulators, pocket-sized ereaders, and clamshell purse computers.
工具
If I had a hammer... it might actually be a rhino tooth
Neanderthals had some wild stuff in their toolkits.
AI 资讯
How I Wrote a SOC-Grade Endpoint Investigation Playbook Without Being a Security Engineer
My father worked in IT for over thirty years, and growing up around that shaped how I thought about computers. The earliest memory I have is sitting in my father's lap as he does something on his computer. One of the oldest photos I have is of me sitting on a chair in front of a computer. I grew up idolizing him. I switched to Linux when I was 12, by myself. I taught myself scripting, picked up programming basics, and spent more time in a terminal than most adults I knew. I have memories of sitting on the roof at 13 with my laptop, trying to crack my neighbor's WiFi with aircrack-ng (they were aware of my endeavors). However, growing up in a politically volatile neighborhood (Lyari) also made me politically aware and literate from a young age. With that, I developed an interest in political science and philosophy. I sat my A levels in economics and sociology, and I did not look back. For the next few years, the technical side of my life became just a habit rather than a professional direction. Then I realized I do not have to choose one or the other. I can carry on doing both. Today, I am an academic and technical editor. The social sciences gave me the writing skills: reading long blocks of dense theory, explaining abstract concepts in plain language, writing long analytical essays. And I understand technical concepts well enough to work with them seriously. I thought of synthesizing both. When I started building a technical writing portfolio, cybersecurity documentation felt like a natural place to go. Not because I had operational experience, but because I had grown up adjacent to that world. I understood the culture, the tooling, and the mindset, even if I had never worked a SOC shift. I knew I wanted to cover security documentation. Security teams produce some of the most consequential written work in any organization, and most of it is poorly structured, inconsistently formatted, or written for the person who already knows the answer rather than the person who