I'm so happy that we're not currently in the process of handing these people the keys to our economy, making us an order of magnitude more dependent on them. Because that would be utterly brainde... Oh, it translates Rust to Java? Forget what I said, so cool, totally worth it!
28.02.2026 07:56
π 6
π 0
π¬ 0
π 0
Java has IO.print and IO.println now. Time to update the lazy memes.
25.02.2026 10:32
π 0
π 0
π¬ 0
π 0
Towards Better Checked Exceptions - Inside Java Newscast #107
YouTube video by Java
Let's talk about #Java's checked exceptions - smartly. Not whether we should have them (that ship has sailed) but where the friction comes from and what could be done to reduce it:
www.youtube.com/watch?v=99s7...
19.02.2026 16:17
π 10
π 3
π¬ 1
π 0
Java is old! Yes, but the people working on Java are not (all) old :) Yagmur Eren works on the JDK in Stockholm, Sweden. She will be speaking at JavaOne about "Intelligent JVM Monitoring: Combining JDK Flight Recorder with AI". Join us at JavaOne and learn from the people who work on and with Java!
18.02.2026 07:50
π 8
π 2
π¬ 0
π 0
First JDK 26 Release Candidate: mail.openjdk.org/pipermail/jd...
Downloads: jdk.java.net/26/
#JDK26 #Java26 #OpenJDK #TestItNow
09.02.2026 14:27
π 27
π 9
π¬ 0
π 0
LazyConstants in JDK 26 - Inside Java Newscast #106
YouTube video by Java
Lazily initializing fields in #Java is error-prone and undermines constant-folding. JDK 26 comes with JEP 526, which previews `LazyConstant` - the remedy to this malady.
More details in Inside Java Newscast #106 - join me for the premiere tomorrow morning, 0700 UTC:
www.youtube.com/watch?v=BZlX...
04.02.2026 17:10
π 14
π 3
π¬ 1
π 0
Chore/java 25 by loicmathieu Β· Pull Request #14221 Β· kestra-io/kestra
We read every piece of feedback, and take your input very seriously.
After migrating Kestra from Java 21 to Java 25, we see a significant improvement in memory usage.
It uses 35% less heap and 12% less metaspace!
Upgrading always brings benefits ;)
#java #kestra
github.com/kestra-io/ke...
30.01.2026 11:23
π 21
π 3
π¬ 2
π 0
Come to JavaOne 2026 in Redwood City (California, USA), March 17th-19th, and get 100$ off with code J12026YTS: www.oracle.com/javaone/
27.01.2026 15:58
π 0
π 0
π¬ 0
π 0
HTTP/3 support is coming in #Java 26. ππΎ
27.01.2026 15:34
π 10
π 4
π¬ 1
π 0
The end of the curl bug-bounty
tldr: an attempt to reduce the _terror reporting_.
**There is no longer a curl bug-bounty program.** It officially stops on January 31, 2026.
After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first it has been quite successful I think.
We attracted skilled researchers who reported plenty of actual vulnerabilities for which we paid fine monetary rewards. We have certainly made curl better as a direct result of this: **87 confirmed vulnerabilities and over 100,000 USD** paid as rewards to researchers. Iβm quite happy and proud of this accomplishment.
I would like to especially highlight the awesome Internet Bug Bounty project, which has paid the bounties for us for many years. We could not have done this without them. Also of course Hackerone, who has graciously hosted us and been our partner through these years.
Thanks!
## How we got here
Looking back, I think we can say that the downfall of the bug-bounty program started slowly in the second half of 2024 but accelerated badly in 2025.
We saw an explosion in AI slop reports combined with a lower quality even in the reports that were not obvious slop β presumably because they too were actually misled by AI but with that fact just hidden better.
Maybe the first five years made it possible for researchers to find and report the low hanging fruit. Previous years we have had a rate of somewhere north of 15% of the submissions ending up confirmed vulnerabilities. Starting 2025, the confirmed-rate plummeted to below 5%. Not even one in twenty was _real_.
The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.
I have also started to get the feeling that a lot of the security reporters submit reports with a _bad faith attitude._ These βhelpersβ try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually _improve_ curl. They can go to extreme efforts to argue and insist on their specific current finding, but not to write a fix or work with the team on improving curl long-term etc. I donβt think we need more of that.
There are these three bad trends combined that makes us take this step: the mind-numbing AI slop, humans doing worse than ever and the apparent will to poke holes rather than to help.
## Actions
In an attempt to do something about the sorry state of curl security reports, this is what we do:
* We no longer offer any monetary rewards for security reports β no matter which severity. In an attempt to remove the incentives for submitting made up lies.
* We stop using Hackerone as the recommended channel to report security problems. To make the change immediately obvious and because without a bug-bounty program we donβt need it.
* We refer everyone to submit suspected curl security problems on GitHub using their _Private vulnerability reporting_ feature.
* We continue to immediately _ban and publicly_ _ridicule_ everyone who submits AI slop to the project.
## Maintain curl security
We believe that we can maintain and continue to evolve curl security in spite of this change. Maybe even improve thanks to this, as hopefully this step helps prevent more people pouring sand into the machine. Ideally we reduce the amount of wasted time and effort.
I believe the best and our most valued security reporters still will tell us when they find security vulnerabilities.
## Instead
If you suspect a security problem in curl going forward, we advise you to head over to GitHub and submit them there.
Alternatively, you send an email with the full report to `security @ curl.se`.
In both cases, the report is received and handled privately by the curl security team. But with _no monetary reward offered_.
## Leaving Hackerone
Hackerone was good to us and they have graciously allowed us to run our program on their platform for free for many years. We thank them for that service.
As we now drop the rewards, we feel it makes a clear cut and displays a clearer message to everyone involved by also moving away from Hackerone as a platform for vulnerability reporting. It makes the change more visible.
## Future disclosures
It is probably going to be harder for us to publicly disclose every incoming security report in the same way we have done it on Hackerone for the last year. We need to work out something to make sure that we can keep doing it at least imperfectly, because I believe in the goodness of such transparency.
## We stay on GitHub
Let me emphasize that this change does not impact our presence and mode of operation with the curl repository and its hosting on GitHub. We hear about projects having problems with low-quality AI slop submissions on GitHub as well, in the form of issues and pull-requests, but for curl we have not (yet) seen this β and frankly I donβt think switching to a GitHub alternative saves us from that.
## Other projects do better
Compared to others, we seem to be affected by the sloppy security reports to a higher degree than the average Open Source project.
With the help of Hackerone, we got numbers of how the curl bug-bounty has compared with other programs over the last year. It turns out curlβs program has seen more volume and noise than other public open source bug bounty programs in the same cohort. Over the past four quarters, curlβs inbound report volume has risen sharply, while other bounty-paying open source programs in the cohort, such as Ruby, Node, and Rails, have not seen a meaningful increase and have remained mostly flat or declined slightly. In the chart, the pink line represents curlβs report volume, and the gray line reflects the broader cohort.
Inbound Report Volume on Hackerone: curl compared to OSS peers
We suspect the idea of getting money for it is a big part of the explanation. It brings in real reports, but makes it too easy to be annoying with little to no penalty to the user. The reputation system and available program settings were not sufficient for us to prevent sand from getting into the machine.
The exact reason why we suffer more of this abuse than others remains a subject for further speculation and research.
## If the volume keeps up
There is a non-zero risk that our guesses are wrong and that the volume and security report frequency will keep up even after these changes go into effect.
If that happens, we will deal with it then and take further appropriate steps. I prefer not to overdo things or _overplan_ already now for something that ideally does not happen.
## We wonβt charge
People keep suggesting that one way to deal with the report tsunami is to _charge_ security researchers a small amount of money for the privilege of submitting a vulnerability report to us. A _curl reporters security club_ with an entrance fee.
I think that is a less good solution than just dropping the bounty. Some of the reasons include:
* Charging people money in an International context is complicated and a maintenance burden.
* Dealing with charge-backs, returns and other complaints and friction add work.
* It would limit who could or would submit issues. Even some who actually find legitimate issues.
Maybe we need to do this later anyway, but we stay away from it for now.
## Pull requests are less of a problem
We have seen other projects and repositories see similar AI-induced problems for pull requests, but this has not been a problem for the curl project. I believe for PRs we have better much means to sort out the weed with automatic means, since we have tools, tests and scanners to verify such contributions. We donβt need to waste any human time on pull requests until the quality is good enough to get green check-marks from 200 CI jobs.
## Related
I will do a talk at FOSDEM 2026 titled Open Source Security in spite of AI that of course will touch on this subject.
## Future
We never say never. This is now and we might have reasons to reconsider and make a different decision in the future. If we do, we will let you know. These changes are applied now with the hope that they will have a positive effect for the project and its maintainers. If that turns out to not be the outcome, we will of course continue and apply further changes later.
## Media
Since I created the pull request for updating the bug-bounty information for curl on January 14, almost two weeks before we merged it, various media picked up the news and published articles. Long before I posted this blog post.
* The Register: Curl shutters bug bounty program to remove incentive for submitting AI slop
* Elektroniktidningen: cURL removes bug bounties
* Heise online: curl: Projekt beendet Bug-Bounty-Programm
* Neowin: Beloved tool, cURL is shutting down its bug bounty over AI slop reports
* Golem: Curl-Entwickler dreht dem βKI-Schrottβ den Geldhahn zu
* Linux Easy: cURL chiude il programma bug bounty: troppi report generati dallβAI
* Bleeping Computer: Curl ending bug bounty program after flood of AI slop reports
* The New Stack: Drowning in AI slop, cURL ends bug bounties
* Ars Technica: Overrun with AI slop, cURL scraps bug bounties to ensure βintact mental healthβ
* PressMind Labs: cURL ko?czy program bug bounty β czy to koniec jako?ci zg?osze??
* Socket: curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports
Also discussed (indirectly) on Hacker News.
The end of the #curl bug-bounty
https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/
26.01.2026 07:25
π 65
π 80
π¬ 5
π 4
Carrier Classes; Beyond Records - Inside Java Newscast #105
YouTube video by Java
In his mail "Data-Oriented Programming, Beyond Records", Project Amber lead Brian Goetz described a new #Java concept:
Carrier Classes
The upcoming Inside Java Newscast discusses them in detail. Join me for the premiere on Thursday (22nd) 8am CET:
www.youtube.com/watch?v=cpGc...
21.01.2026 14:21
π 20
π 4
π¬ 0
π 0
Falls du in der NΓ€he von Hamburg, Paderborn oder Braunschweig wohnst, besuch deine lokale #JUG und wir reden ΓΌber #Java:
* 20.01. @jug-hamburg.bsky.social - Structured Concurrency in Action
* 21.01. @ JUG Paderborn - Java 25
* 22.01. @jug-ostfalen.bsky.social - Java 25
Freue mich! So long... ππΎ
16.01.2026 13:55
π 5
π 3
π¬ 0
π 0
Java 25 - Better Language, Better APIs, Better Runtime
Java 25 ist das nΓ€chste Release mit LangzeitunterstΓΌtzung und seit dem letzten ist jede Menge passiert:
In einer Woche starten wir in unser Vortragsjahr 2026 und freuen uns sehr, dass @nipafx.dev uns besucht. Es sind noch ein paar PlΓ€tze frei. Weitere Infos unter www.jug-ostfalen.de/event/2026/0...
15.01.2026 07:05
π 3
π 3
π¬ 0
π 0
My pleasure! π
08.01.2026 09:55
π 1
π 0
π¬ 0
π 0
Java's Plans for 2026 - Inside Java Newscast #104
YouTube video by Java
If you want to know in what #Java release to expect value types (yes, the answer to "Valhalla, when?" !), what Leyden plans after AOT code compilation, and which pattern magic to expect next from Amber, you don't want to miss this:
www.youtube.com/watch?v=1lYs...
08.01.2026 08:34
π 22
π 5
π¬ 0
π 0
I'm happy that my talk "Code not required! The many ways to support open source projects" has been accepted for @jcon.one 2026. π₯³ See you in Cologne next year (April 20-23 2026) :) #JCON2026
18.12.2025 20:10
π 9
π 1
π¬ 0
π 0
But what comes after the high five?
21.12.2025 19:13
π 0
π 0
π¬ 0
π 0
Nice. I got accepted at @jcon.one 2026 in #Cologne in April. Hear my explaining everything you need to know about #Java and #Jspecify. Looking forward to it and thanks to @richard.fichtner.dev not minding my small rant in one of the submission text fields :D
18.12.2025 13:02
π 14
π 4
π¬ 1
π 0
GitHub - ghillert/image-filters-4j: Image Processing Filters for Java
Image Processing Filters for Java. Contribute to ghillert/image-filters-4j development by creating an account on GitHub.
As there is a shortage of decent πΌοΈ image processing filters in (native) #Java, I am surprised that Jerry Huxtable's Java Image Processing Classes are not in #Maven Central, yet. Well, hopefully next week they are π. #opensource #MIT
github.com/ghillert/ima...
20.12.2025 20:10
π 4
π 2
π¬ 1
π 0
Java 25 - Better Language, Better APIs, Better Runtime
Java 25 ist das nΓ€chste Release mit LangzeitunterstΓΌtzung und seit dem letzten ist jede Menge passiert:
Mit guten VorsΓ€tzen, wie z.B. die JUG besuchen, kΓΆnnt Ihr bei uns sogar schon vor dem Jahreswechsel beginnen. Wir haben soeben die Anmeldungen fΓΌr den 22. Januar 2026 freigeschaltet und freuen uns auf @nipafx.dev mit seinem Vortrag ΓΌber Java 25.
www.jug-ostfalen.de/event/2026/0...
14.12.2025 07:17
π 4
π 3
π¬ 0
π 0
Learn.java: The Destination for Java Beginners, Students, and Teachers
What's new on Learn.java this week?
- array practice
- array tutorial images to illustrate what it looks like
- String split method practice
- 2D array tutorial
- December newsletter
- Recording of J Card Visuals with Text Blocks
12.12.2025 16:27
π 6
π 2
π¬ 0
π 0
Java Next!
Slides:
* Java 25: slides.nipafx.dev/java-x/2025-...
* exception handling: none - I spontaneously filled a slot on the topic and we just chatted
* OpenJDK projects: slides.nipafx.dev/java-next/20...
* AMA: no useful slides
11.12.2025 17:57
π 1
π 0
π¬ 0
π 0
#ITTage in Frankfurt is always a great way to end the conference year. β¨ Had a lot of fun presenting on #Java 25 features, exception handling, and OpenJDK projects, but the AMA I got to do was my highlight. Looking forward to doing that more frequently in 2026. π
11.12.2025 17:55
π 4
π 1
π¬ 1
π 0
Lots to talk about! If you want to follow up or check out what we had to skip, here are the slides:
slides.nipafx.dev/java-x/2025-...
Btw, I'll spontaneously fill in the 1pm session - let's talk about exceptions: www.ittage.informatik-aktuell.de/programm/202...
#ittage
10.12.2025 10:51
π 6
π 0
π¬ 0
π 0
All Features in Java 26 - Inside Java Newscast #102
YouTube video by Java
#Java 26 enters rampdown phase 1 today, which sets its feature set in stone. The latest inside Java Newscast goes over the full list (don't click, it's boring):
www.youtube.com/watch?v=RPX5...
04.12.2025 09:24
π 17
π 5
π¬ 2
π 1
Disclaimer: This is my private account, so this thread is no "message from Oracle" - just from me. Also, I know Marc (the aforementioned maintainer who stands to benefit from your support) personally.
(β© 3/3)
26.11.2025 11:34
π 9
π 0
π¬ 0
π 0
Sponsor @junit-team on GitHub Sponsors
JUnit is maintained by a team of passionate volunteers. This is your chance to give back and support the project!
So let's make this happen πͺ:
* github.com/sponsors/jun...
* steady.page/en/junit
And talk to your company first - they profit materially from JUnit, so they should contribute.
(I don't usually do this, but: Please share the first Skeet for wider reach.)
(β© 2/3 β©)
26.11.2025 11:33
π 7
π 1
π¬ 1
π 0
Support JUnit
JUnit is maintained by a team of passionate volunteers. This is your chance to give back and support the project!
JUnit is undoubtedly one of the most important projects in the #Java ecosystem. And it's 100% free and open!
Let me be frank: If we can't get THIS project to the point where a single maintainer can focus on it, then what does that say about our commitment to Free & Open Source Software?
1/3 β©
26.11.2025 11:27
π 69
π 47
π¬ 1
π 3
Finally!
25.11.2025 08:19
π 1
π 0
π¬ 0
π 0
Java 26 Warns of Deep Reflection - Inside Java Newscast #101
YouTube video by Java
If you use reflection in #Java, be aware that, starting with JDK 26, you may have to add a command-line option or two to keep it working. Alternatively (and recommended), move away from reflective final field mutation.
Details in the latest Inside Java Newscast:
www.youtube.com/watch?v=bdHk...
20.11.2025 13:12
π 16
π 7
π¬ 1
π 0
