HackerTrans
TopNewTrendsCommentsPastAskShowJobs

foresterre

no profile record

Submissions

2025 State of Rust Survey

surveyhero.com
17 points·by foresterre·il y a 8 mois·0 comments

GitHub's Malicious Notification Problem

gribnau.dev
1 points·by foresterre·il y a 8 mois·0 comments

Resilient Homes Program data breach

nsw.gov.au
3 points·by foresterre·il y a 9 mois·2 comments

Where are the security advisories of the recently compromised NPM packages?

gribnau.dev
4 points·by foresterre·il y a 10 mois·0 comments

comments

foresterre
·il y a 14 jours·discuss
As a general rule, you always include the currency code (EUR, SEK, USD etc.) and if possible also the amount of decimals, when using minor units.

Currency codes can be found in ISO 4217.
foresterre
·il y a 22 jours·discuss
What's a problem though is that while it includes a reference, its distillation from the source, or worse, from the combination of sources, is often plain wrong. I check them regularly, and it made me very distrustful of Claude's capacity to faithfully summarise or explain from a source.

When asked to give specific links, it's usually even worse.
foresterre
·il y a 24 jours·discuss
> stdx is a monorepo of, as of today, 64 crates

It's quite an, ahem, interesting mix of libraries, including three csv libraries, hyper_utils (but not hyper itself), and a ton of copied crates from other maintainers.

I hope the author has a good way of updating these with upstream fixes (some look out-of-date already), otherwise you may replace one security issue with another.

And the name stdx has been taken on crates.io, more than 11 years ago which can also be equally confusing.
foresterre
·il y a 27 jours·discuss
This and PEP-783 do remind me a bit of the story of watt (1) and serde_derive, where the latter was published containing a to WebAssembly compiled proc macro with the former as WebAssembly runtime (2).

It tried amonst others to improve isolation and long compile times in a fairly foundational Rust library which can be found in many dependency trees. I found it a cool proof of concept at the time.

Having a WebAssembly binary embedded in a library was relatively unpopular in the Rust community (3). serde_derive 1.0.184 restored the uncompiled source version, but the release notes mention they hope that crates.io (Rust equivalent of PyPi) will add WebAssembly support in the future.

One of the reasons why this wasn't very popular was that WebAssembly is much harder to inspect than Rust source code (4).

I'm not a PyPi expert. The PEP itself seems to permit adding WebAssembly to a wheel (a python package). The PEP literally mentions "There are no security implications in this PEP" (security for whom?). In 2022 the supply chain attack surface was notably smaller since powerful enough LLM's didn't exist yet, yet it was for many a concern to include WebAssembly to package s in another ecosystem back then.

I do think other forms of binaries were already permitted, such as precompiled C/C++ libraries, so if that's true, then this is indeed relatively not that big of a security concern, but _no_ security implications seems to be a bit much.

I do see the added advantage to reduce friction of loading pre-compiled webassembly from PyPi directly instead of going through alternative packaging registries though.

(1) https://crates.io/crates/watt

(2) https://github.com/serde-rs/serde/commit/1afae183b06ffe47d05...

(3) https://github.com/serde-rs/serde/issues/2538

(4) https://old.reddit.com/r/rust/comments/15wx2xe/precompiled_b...

(5) https://peps.python.org/pep-0783/
foresterre
·le mois dernier·discuss
Their strategy always was "buy company" and "instantly lay off about everyone" to save costs and rapidly increase subscription pricing (1).

So far they've been relatively soft (for their doing) on Komoot, which I too am most anxious off.

Bikepacking.com has a good read about Komoot; it was probably unsustainable in the long run before bending spoons took over anyways (2), yet I much rather had they stayed a sort of indie company driven by their passion. I will cancel my long standing Komoot subscription the day enshittification news breaks.

(1) https://www.dcrainmaker.com/2025/03/komoot-acquired-history-... (2) https://bikepacking.com/plog/when-we-get-komooted/
foresterre
·le mois dernier·discuss
The "local" company is already UK owned though, so at most "European", not national or EU.

What I find strange is that the Dutch government does have its own datacenters, e.g. ODC-Noord (1), but they're still looking to outsource the hosting even after the current contract ends in 2027.

(1) https://www.odc-noord.nl/
foresterre
·le mois dernier·discuss
Almost all licenses have requirements to redistribute copies of the work, or derivatives thereof. Even permissive licenses do. It's very little to ask when open source dev's provided thousands of hours of free work.

For example, the Apache 2.0 license requires in just 4.c:

  You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works;
Just because they're tokenized and transformed into a probabilistic mapping, doesn't suddenly mean that they weren't copied.

I find it morally unethical that they (likely) just ingest IP of all open source repo's without asking, but also importantly without any attribution.

Let me also note that I'm not against LLM's in general. But I do think training on open source must be opt-in, and I look forward to a world with actually ethical, and traceable (i.e. on what they were trained on, like a bill of materials (BOM)), models.
foresterre
·le mois dernier·discuss
I've used Fastmail for years but a year ago switched to Proton. For me the only reason to switch to Proton was that its hosted within the European continent, while Fastmail is hosted in

I would say that Fastmail is the "Ferrari of e-mail" services. It does everything well, or extremely well, especially if you have more advanced setups like wildcard domains.

In particularly, I miss being able to send from wildcard domains. While proton has a thing called simplelogin, it only works kind of seamlessly if you get an e-mail on a wildcard address and want to reply to that same address. Sending from any * domain requires you to make the address via the simplelogin page and isn't nearly as seamless. While you can make some sending addresses (i.e. regular aliases) in the protonmail interface, that's a trap, because once you've made an alias, you can't delete it unless there's no mail related to it in your mailbox anymore (even if you have a catch-all setup; I wonder if it has anything to do with how the encryption keys are setup, but it still sucks).

I also miss both snoozing and pinning mail. Officially, the proton mail apps (1) do support snoozing, but that requires "conversation view" to be enabled. I think the conversation view over groups e-mails too aggressively, and don't really understand why snoozing without conversation view isn't possible. It's utterly annoying. As far as I know, pinning e-mails isn't a thing in the proton apps. There are "stars" but these could have been labels (which also exist). They don't pin the e-mail to the top.

The proton mobile apps also lack various settings which are in the web interface, like access to sieves. The apps are sometimes a bit laggy, especially if you have a lot of e-mails, although there seem to have been some improvement on this end. I also still get double "fingerprint to unlock" requests sometimes.

Then there's theming, which I can imagine is (even) more of an opinion, but I liked the Fastmail interface more than the proton interface. I think its cleaner. Not a particular fan of any of the themes of protonmail.

I left Fastmail just as it added offline access. This was originally my biggest gripe. I might have stayed longer if they added it just before I left.

For Proton, they have been releasing a lot of new services lately. I hope they will spend a year or more, just polishing what they currently have. They did say they will spend some time on polish in a blogpost recently, but haven't really seen the fruits from this yet (or I care about different things than they do?). And I hope I will one day be able to add more domains to my account. Even with Visionary, you only get 6 domains for 6 users, and no way to add more.

I sincerely hope Proton will never add any of the AI nagging , the OP was talking about. If they do, I'll leave the instant.

(1) https://proton.me/support/snooze-emails
foresterre
·le mois dernier·discuss
I would really like to see what "appropriately licensed data" means. Cannot imagine they didn't copy all open repo's on GitHub, and can't imagine they asked for permission, or are reproducing license texts from these repo's now. It sounds hand wavy.

P.S. A fairly basic website otherwise, but it unfortunately seems to be hacking scroll for no good reason.
foresterre
·le mois dernier·discuss
I've played both Factorio and Bitburner extensively (both >1000h, but that's unfair wrt bitburner, because you let it run in the background sometimes), but I don't find they compare that well. Factorio can be played without any optimization and completely mechanically if you wanted (i.e. no "programming" of circuits). It's visual style also makes interfacing with the game more like most games you encounter.

In bitburner, you literally have sort of editor (or terminal), which is also the world (you can use an external editor though). The whole game is about programming your way to destroy a BitNode.

I guess they're comparable because they are both about optimization of bottlenecks. In my experience though, having played Factorio for hundreds of hours with software engineer friends, BitBurner with its text only interface is far more niche, and only the thought of playing it reminds some of them of work (so they don't try) ;).
foresterre
·il y a 2 mois·discuss
The first link states literally

"AI will take over almost all the work of software engineers (SWEs) end - to - end in just 6 - 12 months!"

What you describe is >50% of the job of SWEs, even when they write all code by hand.

Are you saying that "for many start-ups", this isn't done by SWE's but by some other career type or are you implying that it's just the code written (and first review) is replaced by AI?
foresterre
·il y a 2 mois·discuss
And if you like Lisp and ownership, there's also Carp [1]. It doesn't mimic Rust's features and naming schemes though.

Carp is about 10 years old and has some cool demo's (like SDL for gamedev).

> The key features of Carp are the following:

> * Automatic and deterministic memory management (no garbage collector or VM)

> * Inferred static types for great speed and reliability

> * Ownership tracking enables a functional programming style while still using mutation of cache-friendly data structures under the hood

> * No hidden performance penalties – allocation and copying are explicit > * Straightforward integration with existing C code

> * Lisp macros, compile time scripting and a helpful REPL

[1]: https://github.com/carp-lang/Carp
foresterre
·il y a 2 mois·discuss
There are other reasons why a project like Zig might not want to accept LLM generated contributions.

Zig, as programming language, has a multiplier codebase. A bug may affect a significant larger portion of users than most libraries or binaries will, as it's a fundamental building block of everything that uses Zig. Just that could be worth the extra scrutiny on every individual commit.

There's also the usual arguments: copyright ethics, environmental ethics and maintainer burden.
foresterre
·il y a 3 mois·discuss
The Try trait (representing the ? the operation) is super cool though! I wish it was marked stable so you could implement it for types without using the nightly compiler.

Note that both Option and Result implement that same trait.

Perhaps if try blocks ever become a thing... we can finally use it for our own types ;)

https://doc.rust-lang.org/std/ops/trait.Try.html
foresterre
·il y a 3 mois·discuss
Finally! Glad they will now offer something which doesn't have a bending frame.

... but I wish they would make something with a bit more screen estate without being heavy and bulky. Their 16" is just too big. I really like the Dell XPS 14 and MBP 14", which I think is the right trade-off between screen size and portability.
foresterre
·il y a 3 mois·discuss
With the advent of AI, these "life" events are probably even simpler to fake than AI though, and unlike the faking of stars not against the ToS.
foresterre
·il y a 3 mois·discuss
Fun :)

Small idea for improvement: the "fast" text is often over the same space as the ball, which makes it harder to see where the ball would be going.
foresterre
·il y a 3 mois·discuss
According to the Financial Times (1), the straight is "open" but Iran is extorting fees for passing ships.

> "Iran will demand that shipping companies pay tolls in cryptocurrency for oil tankers passing through the Strait of Hormuz, as it seeks to retain control over passage through the key waterway during the two-week ceasefire."

If they really will start doing so for all shipping, that would be odd since the straight itself is in Oman's territorial waters. Even so, the UNCLOS convention (2) requires free transit:

> Article 44 > Duties of States bordering straits > > States bordering straits shall not hamper transit passage and shall give appropriate publicity to any danger to navigation or overflight within or over the strait of which they have knowledge. There shall be no suspension of transit passage.

It would be unprecedented and unlawful, but I guess previous actions of Israel, the US and Iran have shown our world is beyond adhering to laws and agreements now.

(1) https://www.ft.com/content/02aefac4-ea62-48db-9326-c0da373b1... (2) United Nations Convention on Law of the Sea: https://www.un.org/depts/los/convention_agreements/texts/unc...
foresterre
·il y a 3 mois·discuss
I am a developer by profession and this is the opposite of what I would want. The code is your ground truth. If all else fails, the code should reasonably be able to tell you why, and by being able to read it, it makes me independent from some closed model.
foresterre
·il y a 3 mois·discuss
But even that is vague and possibly not true. If they used LLM's to generate all of the code, then it may not fall under copyright, by the requirement of human authorship (which for code I think has not been tested yet in court) [1].

[1] https://www.congress.gov/crs-product/LSB10922