I loved vibe coding in 2026. Would love to learn about your games and play them. My son (toddler) has an interest in visual/spatial/math reasoning and I think a game can help him be better at it.
Another Lamy Safari fan here. It’s my preferred pen amongst the others in my collection. Though, I just discovered the Lamy CP1, which feels like a sleeker version of the Safari. I’m giving the CP1 an honest go right now.
You will not be disappointed! I use a black Lamy cp1 as my "daily driver" for the last, I don't know, 35 years? I got it in school as a present and it is lying here, next to me right now. The varnish has rubbed off at the sharper edges and the metal shows. I changed the nib about 20 years ago, at the end of my academic career. Somewhere in the 2010s the small ring in the cap broke, so that it did not stay closed anymore and I had to replace it. I started out with black ink (uh edgy) but changed to blue later. I love Pelikan's 4001 Royal Blue, it is so smooth.
I also have a few other fountain pens, among them a Montblanc M146. It is crap for writing and I only bring it to put it on the table in certain meetings -- the same ones where I actually wear my Speedmaster ;)
I'm confused. When would I need "https://dependencytrack.org/"? Is it when I've completely lost my marbles and can no longer answer the questions "what does your app run on" and "what are your app's dependencies"? Is the idea that I would then download and install this "dependency tracker", hoping it would give me a list of things I depend on, so that I could inform the end user? What's the use case?
It's for the end user who purchases a lot of things which include software components to understand the total set of software they're running and be able to ask questions about licensing, vulnerabilities, and establish policies.
A developer (or even administrator of a single computer system) is not the user of something like this, typically.
Here's an example:
A small manufacturing business may have a dozen different machines. Each one has a set of software to control it, running on a computer embedded in the machine. The business also has a website (developed by a contractor), a bunch of software packages purchased from different vendors for accounting, inventory, payroll and scheduling. They probably have some internal home-grown tools too.
1. A new remotely exploitable CVE is announced in a widely-used open source library. Is the company vulnerable to it? Anywhere?
If each one of the pieces of software was delivered with a SBOM along with the actual code, you can use tools like this to look at this globally. It starts to make more sense at the scale of "all the software in the business" is provided by tens to hundreds of different vendors or teams that not only don't communicate with each other but also don't even know that the others exist.
They could sign up for a CTI (Cyber Threat Intelligence) service with a security company. Basically, they send you notifications about CVEs and related stuff.
My client isn't exactly a "small manufacturing business", but they do subscribe to such a service, and they did have the Java issue in a parent process. They have a security guy who's the main one expected to look at these, but he's not the one operating anything directly, so he can't be expected to know every last random lib that's used.
So when the Log4j2 issue came up, for example, he was aware there was "a Java issue" but had no automated way of knowing which systems, if any, were affected.
Before the government SBOM standard that kicked all this off was finalized, I'd asked about this and related items such as reproducible builds. The response I got is that getting honest information out of vendors would be a huge step forward for end customers. Being able to validate that information would require a lot more work. Things like SLSA levels 3+4 (https://slsa.dev/spec/v0.1/levels) go further to prevent lying, at least in situations where all the code can be compiled by third parties.
The idea is you feed a tool like that all of your SBOMs, and all of the SBOMs from your vendors. Then it'll tell you "these four widgets in your hospital are vulnerable to a newly discovered vulnerability called 'Log4Shell', they need to upgrade Log4j to version 2.17.0"
There's a cottage industry forming to do this sort of thing, mostly in the medical field, but it'll probably spread out.
It's less about first-party software and more for third-party off-the-shelf stuff you might run. For first-party stuff SBOMs can definitely feel useless.
Vibe coding helped me build several small games for my daughter and unlocked her interest in programming.
Wishing everyone a wonderful 2026 - it's going to be a great year!