Most supply-chain attacks using Ruby's package hosting site "exploit a narrow window," according to a new blog post form Ruby core maintainer Hiroshi Shibata.

So its packaging-managing Bundler tool now offers a filter that blocks new version until it's been public "for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window." The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing... Cooldown is unset by default, so a project without it keeps resolving to the newest versions.... Passing 0 disables cooldown for the run...

Cooldown is most useful as one part of the wider security investment happening on rubygems.org. The registry now validates gem contents at push time and checks logins against Have I Been Pwned so that compromised passwords cannot be reused, work described in Protecting rubygems.org from the outside in. A dedicated team is running AI-assisted vulnerability scanning against the most critical gems, backed by Alpha Omega and Anthropic, and the direction of all of this is tracked on a public roadmap. Trusted publishing and mandatory 2FA already raise the bar for who can push a release in the first place.

Yesterday 2026's International Obfuscated C Code Contest concluded, with 22 new winners announced in a special three-hour livestreamed ceremony! Started 42 years ago, it's been described as the internet's longest-running contest, with entrants concocting convoluted programs glorying in the C programming language's subtleties, all while having some fun. And "For IOCCC29, the volume and quality of submissions were at near-historic heights," explains its home page.

There's a "Tetris-optimized" GameBoy emulator with source code that looks like a GameBoy, as well as a quasi-Rogue-like game voted "most likely to teleport." Awards were also given for the best imaginary emulator (a virtual machine in 366 bytes of C) and the best fractional emulator (a maze generator for the Commodore 64). But every one of the 22 winning programs seems wildly creative...

• Quine Pong. "Running the program produces the source code to generate the next frame, formatted to display the current frame. By repeatedly compiling and running each successive frame, you can play the game. To move, pass either "w" (up) or "e" (down) as an argument..."

• A winning Taiwanese programmer formatted their source code in the shape of a Tardis from Doctor Who — code that displays an intricate ASCII animation of Doctor Who's 1963 opening title sequence.

• One winning entry emulates an IBM 7040 mainframe, first converting a program (encoded in whitespace) into ASCII-character drawings of punchcards for a FORTRAN program — and then executing that program to calculate the light visible to an observer looking at black hole, ultimately creating an image. It's all recreating what astrophysicist Jean-Pierre Luminet had to do in 1978 to generate the first-ever simulated photograph of a black hole (on an IBM 7040 mainframe). "The entry can also run other FORTRAN programs — but "they must be provided as a deck of punch cards... Tools have been provided to convert to/from decks and to interpret..."

"We have added fun challenges to this year's winning entries competition..." the web site notes. "After you figure out what a given winning entry does, we encourage you to attempt the fun challenge!"

Thanks to long-time Slashdot reader achowe for bringing the news (who has submitted winning entries in four different decades, starting in 1991 and continuing through 2025) — and who won again this year for a program simulating the Space Invaders-like game from Casio's 1980 MG-880 calculator.

Follow the IOCCC on Mastodon.

The University of California at Berkeley discovered the percentage of failing grades in multiple CS classes this spring "is significantly higher than past semesters," reports the campus's student newspaper.

"Instructors point to students' increased reliance on AI, lack of mathematical preparedness and understaffing as potential contributing factors." According to [coursework platform] Berkeleytime, 35.3% of CS 10 students and 10.6% of CS 61A students received F's in spring 2026. In spring 2025 and spring 2024, the percentage of F's did not exceed 10% for either class. The electrical engineering and computer sciences department's grading guidelines state that 7% of students in lower division courses, including CS 10 and CS 61A, should receive D's and F's...

[UC Berkeley teaching professor Dan Garcia, who taught both classes] believes the "primary driver" of these abnormally high failing rates is due to a "vast increase in academic dishonesty" due to students' usage of large language models, such as Claude, ChatGPT and Google Gemini. "Some of the numbers that you saw from the number of students who receive failing grades were because we caught them (cheating) and prosecuted them and are sending their cases to the Center for Student Conduct," Garcia said. "But in other cases, it's students who are leaning a little too hard on LLMs to do their work for them, and then at exam time just really aren't ready." According to Garcia, nearly 30 students in CS 10 were "caught cheating on take-home exams" in spring 2026...

In addition to overreliance on AI, Garcia also pointed out that many students are underprepared mathematically, a concern echoed by campus associate teaching professor Gireeja Ranade. Ranade noticed a similar lack of prerequisite mathematical skills in her spring 2026 EECS 127 class, "Optimization Models in Engineering," which she described as "differently challenging" to teach this semester. The class saw a 16.8% F rate, far higher than the 5% of D's and F's that the EECS department describes as "typical" for an upper division course...

Both Garcia and Ranade have joined more than 1,300 UC faculty in signing a petition calling for the reinstatement of ACT and SAT standardized testing scores for STEM admissions in the UC system.
Thanks to long-time Slashdot reader theodp for sharing the article.