Today I Learned
A collection of short posts about things I learned recently. Inspired by the idea of "Learn in Public".
posts
TIL: Custom Third-Party Smart Chips in Google Docs
Google Docs and Google Sheets have a native feature called “smart chips”. You can type “@”, search for, and add links to people, files, events, etc. Apparently Google Docs also allows you to create custom third-party smart chips using Apps Script. This seems like it would be really useful for private third-party links. I’m really surprised that someone hasn’t written a good script for GitHub links that includes support for private repositories. I searched around but I couldn’t find anything. I think it would be super useful for companies that use Google Docs and GitHub.
TIL: November 23, 2025 - Weekly Reading: Security and AI
Security
Introducing CodeMender: an AI agent for code security - Raluca Ada Popa and Four Flynn, DeepMind
CodeMender is a new AI agent developed by DeepMind that automatically identifies and fixes security vulnerabilities in codebases. It seems like a promising tool for finding vulnerabilities and actually patching them. One of the issues in the news recently has been how companies spend money on security audits and submitting reports but not contributing to actually fixing the issues. I hope that companies like Google won’t use these tools as an alternative to actually funding open-source work but I’m not holding my breath....
TIL: November 16, 2025 - Weekly Reading: Security and AI
Security
Rust in Android: move fast and fix things - Jeff Vander Stoep, Android
More new Rust code is now being added to Android’s codebase than C++ and requires less time to review. Rust seems to be a win/win for both security and productivity in Android development. It’s nice to see they are using the Rust support in the Linux kernel and writing drivers in Rust. I have a feeling that C++ isn’t really a good choice for projects anymore. You’ll likely get better value from a memory-safe language like Rust or Go. If you need performance that Rust can’t...
TIL: fx: the JSON/YAML navigator
I have recently been doing more with YAML (you may be able to guess why). I wanted something that would help me with navigating large complicated YAML objects and fx is exactly what I was looking for. fx can help with viewing JSON or YAML and allows you to collapse and expand sections of the file.
# now it's obvious isn't it
$ kubectl get pods -o json | fx
$ kubectl get pods -o yaml | fx --yaml
The GIF from their website shows what it looks like pretty well.
TIL: November 9, 2025 - Weekly Reading: Productivity
Productivity
Steal the Productivity System I Taught to 6,642 Googlers – Jeff Su
The video is a bit cliché and Jeff does go hard into promoting Google Workspace tools but some of the ideas are interesting. Jeff suggests a Capture, Organize, Review, Engage system for capturing and handling tasks. Capture the task and organize it with a due date, or tag in a task app. Next review to make sure the task is still relevant, and schedule time to do it. Finally, actually engage and do the task. He says he reviews new tasks three times a day but that...
TIL: November 2, 2025 - Weekly Reading: Go, Scripts, and Security
Go
I’m Independently Verifying Go’s Reproducible Builds – Andrew Ayer
Since Go toolchains were introduced in 1.21, Go’s builds have been byte-for-byte reproducible. This means that anyone can theoretically build Go from source and get the exact same binary as the official Go releases. Reproducible builds are useful for supply chain security because you can verify the entire build process. They can essentially do the same thing as (and maybe even more than) provenance (like SLSA) because you can independently verify the build process and the source code used to create the binary. Not many folks have done this however, so...
TIL: October 26, 2025 - Weekly Reading: Sora 2 and the AI Bubble
Sora 2 and the AI Bubble(?)
This week I watched several videos discussing Sora 2, OpenAI’s TikTok clone where users create short AI slop videos using real people’s likenesses. The hubris and obvious ethical issues really make me think that there is a kind of “ethics doesn’t matter, we’ll just do whatever”, grifter nihilism at play with tech business leaders.
SORA: the all Ai TikTok Clone. will slop end creativity? – Casey Neistat
Casey covers the content creator perspective, and how Sora 2 will likely flood the market with low-effort low-quality AI-generated content. Casey’s key message is that friction in...
TIL: October 19, 2025 - Weekly Reading: Career and Vibe Engineering
Career
You have 12 shots in life – Jessy
A thoughtful framework for thinking about career strategy using the concept of “shots”. I’ve heard this expressed before using the term “projects” but it’s basically the same. The idea is that since you have a career of roughly 50 years, and each major opportunity takes about 4 years to materialize, you have about 12 major opportunities in your career to create meaningful work. The reason that the “shots” terminology works is that each opportunity is not guaranteed to succeed. You have to take a shot, and most of the time you...
TIL: October 8, 2025 - Weekly Reading: Programming and Kubernetes
Programming
Processes and Threads – Ben Dicken, PlanetScale
A simple overview of processes, how they are multiplexed on a CPU, how they use memory, and how they differ from threads. It’s a bit simplistic though and I didn’t learn much I didn’t already know.
Seven Years of Firecracker – Marc Brooker, AWS
A retrospective on Firecracker, a lightweight virtualization technology developed by AWS for running serverless workloads. Marc mentions some areas at AWS where Firecracker is used including Bedrock AgentCore. While I’m partial to the process model that gVisor uses, VM-based isolation does make it easier to provide the...
TIL: September 29, 2025 - Weekly Reading: Security, Programming, and AI
Security
From MCP to Shell – Stephen Xu, Cayden Liao, Raymond, Jayden
Yet another method for exploiting Model Context Protocol (MCP) servers to get arbitrary code execution on the local machine. This seems to be mostly an issue for remote MCP servers since a malicious MCP server installed locally would just be able to run arbitrary code anyway. In this case it’s a fairly straightforward vulnerability due to lack of OAuth redirect URL validation. But I think it’s going to be pretty hard to securely use MCP servers in general. MCP servers will be able to return content that can...