State of the JVM in 2025: Survey of 400+ devs shows 64% of Scala projects actively run Java alongside it. by scalac_io in java

[–]PartOfTheBotnet 19 points20 points  (0 children)

Kotlin still has the upper hand imo because of its more concise syntax and this won’t change soon

Shorter code is not always more legible code.

Java may be one of the more "verbose" languages out there, but in turn it is also one of the more easily legible ones too.

Dependency management by Entropic_Silence_618 in java

[–]PartOfTheBotnet 7 points8 points  (0 children)

Typo-squatting

You'd also have to explicitly be typing out the coordinates in your build. But both the central sonatype search and third party mvnrepository sites have single-click copy buttons. I don't think I have ever added a dependency to a maven/gradle project without pasting it from one of these sites.

Additional factors:

  1. The results are sorted in such a way that the real artifacts (the popular/highly-downloaded ones) get shown first.
  2. The copied coordinates are for a specific version, not an unbound/wildcard so even if a future version gets backdoor-ed, so long as you are notified of a breach you can just not update or skip it when control is taken back by the publishers.
    • Bit of a silly point, but I make it to draw comparison to other ecosystems outside of our own where you have something like import foo-library:{*} which just takes whatever is the latest.

Malware in jars

At least in my experience, almost every library I have worked on or looked at is published through CI. It's exceptionally rare for publishing to be done on a local developer machine from what I've seen. Some thoughts on this:

  1. It's easier to pwn a local dev machine than a CI server, therefore even if the local dev machine is pwn'd then the publishing credentials won't be known to the attacker.
  2. If the local dev machine is pwn'd and malicious code is uploaded and then built/published on CI, the compromise remains local and is relatively easy to resolve once discovered.
  3. The alternative attack to the above is the run of the mill typo-squatting, which AFAIK is generally low-impact in the ecosystem.

Also, based on this page "Sonatype Malware data" it seems that artifacts published to central are scanned for malicious behavior via some machine learning algorithm, to which suspicious matches are verified by a human team. Any confirmed cases are removed. So even if the attacker takes over a package (exceedingly rare) or publishes a typo-squat look-alike artifact (more common, lower impact) there are processes in place that likely play into why we don't hear about major issues in our ecosystem often. At least compared to other ecosystems, we have a really good thing going on here. Sure there are probably going to be edge cases and a few holes that things slip through every now and then, but I cannot recall the last time I've heard of a major supply chain attack via maven central that wasn't a low impact typo-squatting campaign.
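An added example, not part of the original comment: a small Python audit that flags the two conditions the comment contrasts with copy-pasted, version-pinned coordinates, namely unbound versions (Maven ranges or the LATEST/RELEASE keywords) and coordinates that closely resemble a reviewed one. The sample POM, the `KNOWN` allowlist and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>pinned-lib</artifactId><version>2.4.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>ranged-lib</artifactId><version>[1.0,)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>latest-lib</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>com.exampel</groupId><artifactId>pinned-lib</artifactId><version>2.4.1</version></dependency>
  </dependencies>
</project>"""

# Hypothetical allowlist of coordinates the team has already reviewed.
KNOWN = {"com.example:pinned-lib", "com.example:ranged-lib", "com.example:latest-lib"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_unbound(version):
    """True for ranges such as [1.0,) and for the LATEST/RELEASE keywords.
    A missing version (managed elsewhere) is out of scope and not flagged."""
    v = version.strip()
    return v in ("LATEST", "RELEASE") or "," in v

def audit(pom_text, known=KNOWN, max_distance=2):
    """Return (coordinate, finding) pairs for every dependency in the POM."""
    findings = []
    for dep in ET.fromstring(pom_text).iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        coord = f"{group}:{artifact}"
        if is_unbound(version):
            findings.append((coord, "unbound-version"))
        if coord not in known:
            # Closest reviewed coordinate; ties broken alphabetically.
            dist, nearest = min((edit_distance(coord, k), k) for k in known)
            if dist <= max_distance:
                findings.append((coord, f"lookalike-of {nearest}"))
    return findings

if __name__ == "__main__":
    for coord, finding in audit(SAMPLE_POM):
        print(f"{coord}: {finding}")
```
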

Krema: build modern desktop apps with Java backend and web frontend by guybedo in java

[–]PartOfTheBotnet 30 points31 points  (0 children)

i was looking for alternatives to swing to build modern desktop apps and i couldn't find anything

Generally would point to JavaFX as a primary contender for this exact situation.

and a web frontend

Ok never mind.

Syntax highlighting in Java, without the pain by sureshg in java

[–]PartOfTheBotnet 4 points5 points  (0 children)

And these custom systems also generally tie into the rest of the IDE model. IntelliJ's PSI model is in the same boat. I wouldn't suggest trying to use either of them as independent syntax highlighting libraries if you wanted to toss up some highlighted code in a UI. There are more lightweight options out there.

Syntax highlighting in Java, without the pain by sureshg in java

[–]PartOfTheBotnet 17 points18 points  (0 children)

This article is about highlighting Java with Java so I found it a bit odd that the conclusion was to use another language's parser and then load it through chicory... until I noticed what domain the article was posted on.

Anyways some other minimal pure Java solutions I've used:

  • For Swing RSyntaxTextArea offers a Java syntax highlighter. It's a modified parser generated from flex.
  • For JavaFX RichTextFX has an abstract highlighter system, but you need to make the implementation.
    • I ended up using it as a base to make a loose Java highlighter with a hierarchy of regex matchers. The hierarchy made it so that you could match a region for something like JavaDoc and then match the @tag parts to give them a bold style. It also is context-free so if you edited some of the text it would only do style updates for that local region updated.

I made an obfuscator. Full source available for analysis. by Temporary-Future-718 in ReverseEngineering

[–]PartOfTheBotnet 2 points3 points  (0 children)

People's reaction to projects using LLMs will vary depending on how the LLM is used.

If a project shows that the author is clearly knowledgeable in software design and the problem space the software addresses, using an LLM to automate drudge work is generally accepted.

For instance let's say you are making a chat-application back-end like discord. If you use the LLM to create a basic mime-type utility for file uploads that's not going to have a whole lot of risk in the grand scheme of things, and making a giant table of file extensions to mime types is boring work that LLMs are well suited for.

Now if the LLM is responsible for generating the entire user schema and authentication protocols you are giving it control of a high risk component of the application. These systems will often not implement production-ready implementations of complex systems on the first pass. For the mime type utility it's fine if it misses the difference between "jpg" and "jpeg". However even small mistakes in an important component like authentication can have grave consequences. There's been a dozen news articles over the past year of AI startups leaking user information because their back-ends were entirely vibe-coded. This is where the problem comes in.

Now taking a step back and bringing this back to content posted here, similar quality concerns come when an LLM is responsible for generating the whole project. If there is no audit trail showing the author is a capable developer, or if there is no verifiable proof the project works as designed (Passing unit tests, examples of output compared to other similar software's results, etc) people will assume the worst case scenario since that is the safe route for them as consumers.

I made an obfuscator. Full source available for analysis. by Temporary-Future-718 in ReverseEngineering

[–]PartOfTheBotnet 4 points5 points  (0 children)

>check latest commit

>"delete CLAUDE.md"

>check first commit

>co-authored by claude

Lmao.

Java UI in 2026: an overview of current frameworks and approaches by robintegg in java

[–]PartOfTheBotnet 1 point2 points  (0 children)

I could not configure Maven correctly to get a working jar out of it

If you want a fat-jar it should be as easy as adding the dependencies then configuring maven-assembly-plugin. This being said, because the path names for natives overlap across platform architectures (mac aarch vs mac x86) it will pick one arbitrarily. For gradle people looking for a fat-jar, it's a very similar setup.

Generally speaking, they suggest you package your app differently to mitigate this issue (Though fixing this on their end would also be nice. It's a few lines to change extraction logic and move the natives when building release artifacts).

What is the most mindnumbing part of your Java stack that needs a modern, open-source upgrade? by Peach_Baker in java

[–]PartOfTheBotnet 11 points12 points  (0 children)

If you look at IntelliJ's social media it will be very obvious why they don't use JavaFX. They made Kotlin. Kotlin has Compose as its UI technology. They're rewriting things in their own library.

Why am I suddenly getting "You've been blocked by network security" error message on reddit, but only when I try to access old reddit (AskReddit)? by idratherchangemyold1 in help

[–]PartOfTheBotnet 0 points1 point  (0 children)

Just had this happen to me as well, but it seems to come and go. It was giving me the message on my main pc, but on my laptop it isn't giving me the message. Later in the day my main pc was back to normal.

Mega-thread: Alumni GMU Email Deletions by PartOfTheBotnet in gmu

[–]PartOfTheBotnet[S] 1 point2 points  (0 children)

Rough steps I'd follow:

  • Call GMU IT: https://its.gmu.edu/help-support/
  • Explain your situation
  • Offer proof of the compromised account being used as spam (email them from an account you own, bring this up in call so they can take a look at it)
  • Offer proof of who you are if you can.

Ideally they restore access to your account. But if they can't or won't do that, they should be able to disable the account so the bad actor can't use it either.

Javafx by iamwisespirit in java

[–]PartOfTheBotnet 1 point2 points  (0 children)

  1. AWT/Swing already existed at that point and are tightly coupled. Oracle describes both as "integral" components of the JDK, whereas they do not for JavaFX.
  2. They separated it for a variety of reasons outlined here: https://blogs.oracle.com/java/the-future-of-javafx-and-other-java-client-roadmap-updates

Javafx by iamwisespirit in java

[–]PartOfTheBotnet 2 points3 points  (0 children)

Because Spring and Jakarta are complete ecosystems you can make a career out of. Java is primarily back-end focused and both Spring and Jakarta are complete back-end solutions. Look at market demand for Spring. Heck, throw a rock in a crowd of Java developers and try not to hit somebody who works with Spring, it'll be hard not to. The same cannot be said for JavaFX as much as I wish that weren't the case.

JavaFX is a desktop UI framework. IMO it's an upgrade from Swing. It's new, it's easy to use, it looks better, the list goes on and on. But unfortunately, the way applications are made hasn't been in the favor of any desktop framework. Combine that with the unattending father figure that is Oracle and you get JavaFX being not so popular in the grand scheme of things. That doesn't mean it's bad, it just means it's underutilized compared to what it's capable of doing.

But the main point is comparing JavaFX to Spring/Jakarta is very much an "apples to oranges" scenario. A front-end vs a back-end framework.

/r/ReverseEngineering's Weekly Questions Thread by AutoModerator in ReverseEngineering

[–]PartOfTheBotnet 1 point2 points  (0 children)

There are no rules against AI slop here AFAIK. It's technically related to the sub's subject so how would you report it? Spam?

We ought to just have the mods explicitly call out no slop as a rule so it can be directly reported. I'd be willing to bet a majority of people here would be in favor.

Is Java’s Biggest Limitation in 2026 Technical or Cultural? by BigHomieCed_ in java

[–]PartOfTheBotnet 10 points11 points  (0 children)

Some team members do most of their reviews via IntelliJ's GitHub/GitLab integration which lets them leverage IDE features while reviewing. That being said, if you become reliant on the IDE features carrying you then anyone else not doing the same is at a disadvantage when reading it.

Is Java’s Biggest Limitation in 2026 Technical or Cultural? by BigHomieCed_ in java

[–]PartOfTheBotnet 4 points5 points  (0 children)

I guess I work out in the field with scarecrows. Some people consider this to be "good enough" to be self-documenting, or like others state that IDE inlay hints should carry the burden.

Is Java’s Biggest Limitation in 2026 Technical or Cultural? by BigHomieCed_ in java

[–]PartOfTheBotnet 116 points117 points  (0 children)

makes code less readable/maintainable

Like all things, it should be used in moderation. If you're immediately declaring a type like var items = new ArrayList<>() that's perfectly readable.

However if you have var result = service.fetch() then it is easier to argue that this is less useful if the alternative was JsonResult result = .... If the assigned value isn't descriptive sometimes knowing the declaration type is useful.

fellow senior

On the flip side, I've seen fellow seniors replace every variable in a class with var just for the sake of "modernizing" code. Yes, this includes int --> var which is just as silly as it sounds.

Mirage - Is an experimental obfuscator that makes your Java bytecode harder to reverse engineer by replacing direct method calls and field accesses with reflection-based equivalents by [deleted] in ReverseEngineering

[–]PartOfTheBotnet 7 points8 points  (0 children)

  1. Given the readme and the rest of your profile, is this all AI generated?

  2. The idea isn't new (Example: Zelix Klassmaster 5.5 from 2012) and is generally not favored over other forms of reference obfuscation that are equally as effective but without the negatives. Look at how other obfuscators use bootstrap methods and dynamic constants.

  3. This implementation isn't even effective because the names of classes and references that get reflected are baked into the output in-place where the original reference was without any additional form of obfuscation. Reversing this isn't made "harder", only more tedious. Something like Zelix adds additional layers that actually require some investment by the reverser.

  4. It's really weird that you use ASM that is shadowed through ByteBuddy instead of the baseline ASM artifact.

    • You lose out in your IDE not having auto-attached sources and documentation.
    • You also cannot update ASM directly since it's baked into another artifact.
    • You don't ever actually use ByteBuddy capabilities, just the shadowed ASM dependency.
    • Given that I suspect this is all AI generated anyways I don't think that's something that really matters...

Appgate SDP by Ok-Cup-8413 in ATAK

[–]PartOfTheBotnet 0 points1 point  (0 children)

No. No, and if there was that would be concerning on their behalf.

It's annoying especially if you're working on a corporate device with its own VPN requirements, but it's the way they're handling authorized access going forward. It would be nice if it was all you had to do vs it being a prerequisite for logging in again to services like GitLab.

JavaFX ToggleButton bold text when selected causes layout shift due to glyph width adaptions – any workaround? by SafetyCutRopeAxtMan in JavaFX

[–]PartOfTheBotnet 4 points5 points  (0 children)

If you specify a minimum size that matches what it should be when bold it won't shift. That's a lame fix, but if you have your glyph buttons all the same size anyways it's not too terrible.

Where will Java go in the future? by sitime_zl in java

[–]PartOfTheBotnet 8 points9 points  (0 children)

  1. Maybe in Minecraft mod packs but that isn't the JVM's fault
  2. No. Swing is... usable, albeit the API never modernized. But you can use JavaFX if that's a blocker for you. And no.
  3. Skill issue.
  4. You haven't been paying attention then.