292 private links
I think that what you're actually looking for is The Rule of Least Power, just applied to types. You should choose the lightest weight, conceptually simplest approach you can that keeps the code intelligible to others.
Smart Pointers should be used only when regular borrowing does not work.
LA seule chose qui retient Facebook en France, c'est la communauté. Il y a beaucoup de personnes qui utilisent ce réseau car tout le monde est dessus.
ses bilans financiers reconnaissaient 60 milliards de dette fin 2025, soit le double de l’année précédente, et ce malgré une comptabilité très créative.
D'un autre côté, il s'agit d'une négligence du client, alors que la voiture était rappelé au garage par Volkswagen, stationner en extérieur et éviter de charger la batterie au delà de 80%.
Instead of Sentry: https://www.bugsink.com/
Instead of Stripe: https://www.mollie.com/
The client is not a thin view requesting permission to show data. The client is a node in a distributed system with its own database.
It’s overkill for simple CRUD apps with no offline or collaboration needs.
But here’s where it shines: note-taking, document editing, collaborative design tools, project management, field apps with unreliable connectivity, basically anything where data privacy is a selling point, as well as anything with real-time collaboration.
One more thing I wish someone had told me earlier: you don’t have to go all-in. I’ve had the best results using local-first for specific features within otherwise traditional apps. Offline drafts in a blog editor. Real-time collaborative notes inside a project management tool that’s otherwise standard REST.
To do so: SQLite in the browser via WebAssembly; persisted to the Origin Private File System (OPFS). The author describes the method used.
To avoid conflicts: CRDT. Yjs exists. There is also Automerge and the newer Loro.
To grasp the data: replicate rows via database replication.
PowerSync does this well from Postgres to SQLite.
Triplit is a full-stack database with sync built-in.
LiveStore use an event-based approach.
TinyBase for prototyping or small apps.
PGLite (Postgres compiled to WASM) but it has a significant bundle size and memory footprint for mobile browsers.
Often the last-write-wins (LWW) is the best strategy at the field level.
For a document body, CRDT should be used.
To book a meeting, one must verify there is no other meeting booked by someone else. " The approach I’ve landed on (after getting it wrong twice) is: validate on the server during the write-back phase, but flag violations rather than silently rejecting them. When the client pushes mutations to the server during sync, the server runs them through a constraint validation layer before applying them to Postgres". See the example.
The conflict should then be resolved by the user.
For something like inventory management where two people “buy” the last item, that window is unacceptable, and that’s exactly why I said earlier that local-first is wrong for systems requiring strong transactional consistency.
Conflict resolution works well for texts with CRDT.
See such app architecture: https://www.smashingmagazine.com/2026/05/architecture-local-first-web-development/#building-a-real-app-architecture-auth-and-migrations
Example of E2E (local, on device) encryption for https://anytype.io/
One thing to consider is migrations: Design your migrations to be additive. New columns with defaults. New tables. Don’t rename or drop columns unless you absolutely must, because users running old app versions will still be syncing data, and your server needs to handle the mismatch. I learned this the hard way when I dropped a column that an older client was still writing to, which caused silent sync failures for about 200 users over a weekend.
Performance are awesome (< 10ms for read or writes). The initial sync is where the cost occurs.
The architecture can be tested with Playwright and context.setOffline(true).
I’m excited about where this is going. PGlite (full Postgres in the browser) feels like a glimpse of a future where the client/server data layer distinction just dissolves. You write SQL, it runs everywhere, sync is a runtime concern rather than an architectural decision. We’re not there yet, but you can see it from here.
There is also no standard for a sync engine. Migrating away a sync engine is not trivial. I’m also worried about the complexity budget. Local-first adds real architectural complexity: sync engines, conflict resolution, client-side migrations, partial replication, and auth at the sync boundary.
It’s not how much you have. It’s the difference between what you have and what you spend. If you have more than you spend, you’re rich. If you spend more than you have, you’re not. If you live cheaply, it’s easy to be free.
That's the ladybird browser's website by the way
CoMaps est plus simple. OsmAnd requiert de bien comprendre les différentes couches de l'application.
CoMaps est plus simple à mettre en navigation GPS uniquement; soit l'assistance réseau (Wi-Fi, Bluetooth, triangulation via Google Play Services) est activable. Cela est plus complexe sur OsmAnd.
OsmAnd est un couteau suisse: : couches météo, relief, courbes de niveau, profils multiples, traces GPX, plugins…
CoMaps fait moins mais plus simple.
j'aime beaucoup le système de grille du planning. Il permet de situer plusieurs évènements dans la journée.
L'implémentation est décrite sur https://fourbi.eu/billet/2026-05-13-paris-web-2026-la-grille-de-programmes
AppWrite support Rust with a dedicated SDK
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw.
"The result of this is that the X:\Windows\System32\winpeshl.ini is deleted, and when Windows Recovery is entered, rather than launching the actual Windows Recovery environment, it pops up a CMD.EXE. With the disk still unlocked" - Will Dormann
Why?
Async in Rust is hard. The biggest drawback of async is the fragmentation of the ecosystem. Now you have sync functions and libs, async functions and libs, and different runtimes that are incompatible and thus require dedicated libraries for I/O.
An anemic standard library for daily needs.
The steep learning curve before being productive.
When Rust makes the most sense?
- common core for cross-platform apps. Proton leads the way.
- system programming
- embedded development
- insane scale
The websites must renew their certificates. Certificates are issued for two years but it's hard to renew certificates after two years! Let's Encrypt came up with a brilliant idea: all certificates are valid for only 90 days.
It has two advantates: it rotates the private key every 90 days and it pushes website owner to automate the renewal process.
In case of private key compromission, there are two methods to revoke the certificates: CRL and OCSP.
In principle, CA certificates themselves carry this information, informing clients that when verifying a certificate, they should visit this URL list to check if the certificate they are validating is in the revocation list. If it is, they should not trust it.
The CRL provides exactly that with the DER format.
The OCSP method needs to verify every URL of each certificates. This method has downsides:
- The website's performance will decrease due to the additional time required for CA requests. The OCSP servers could become htspots and might be overloaded by clients.
- The CA will know which domain names the client has accessed.
- If the CA's OCSP service is down, the client has two choices: ignore verification or no trust the target site.
There can be workarounds with the OCSP Stapling: the website itself query the CA's OCSP service and when a client visits the website, the website provides the OCSP response.
All of these methods works if the CA can be trusted. WoSign had for example a chaotic organization that issued certificates for websites directly, whereas the CA should have issued certificates for Chinese users only.
That's what Certificate Transparency (CT) should address after the DigiNotar incident in 2011.n CT must log the issued certificate in a CT database and the CT will provide a Signed Certificate Timestamp (SCT) back to the website. The clients will only trust certificates that have an SCT when visiting websites and websites (and everyone) can monitor the CT database to check if any certificates have been issued for their domains.