HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theden

no profile record

Submissions

Killed by Apple

killedbyapple.theden.sh
132 points·by theden·2 माह पहले·129 comments

Show HN: Killed by Apple – a graveyard of discontinued Apple products

killedbyapple.theden.sh
3 points·by theden·2 माह पहले·0 comments

Show HN: Browser Sysinfo – See everything a webpage can learn about you

sysinfo.theden.sh
3 points·by theden·3 माह पहले·0 comments

Show HN: Ghapin – Tool to pin GitHub Actions to SHAs for supply-chain security

github.com
2 points·by theden·3 माह पहले·0 comments

comments

theden
·2 माह पहले·discuss
Glad they're not changing the API! I'm hopeful things will get better with them regaining their independence.

Shameless plug: We run https://songstitch.art/ for collage generation.
theden
·3 माह पहले·discuss
For those that don't know, Erin Patterson (the mushroom murderer in Australia) allegedly used iNaturalist to find the poisonous mushrooms

https://www.abc.net.au/news/science/2025-07-10/inaturalist-d...

https://www.sydney.edu.au/news-opinion/news/2025/05/09/the-c...
theden
·3 माह पहले·discuss
> We do indeed have a staging environment as mentioned previously. The issue arose in the rollout to production as mentioned previously.

You may have misunderstood, I said staged release, i.e., I'm referencing the rollout

> I've gone ahead and added the surrogate key mention into the post mortem. We initially got in trouble for having it be too technical centric and not enough on the user impact. It's a delicate balance; apologies. As I mention, we are open to critical feedback here.

You can do both. If you have different audiences, have two separate posts and mutually link to redirect audiences. Ask your sec staff instead of relying on paying customers to give post-hoc feedback on your dodgy disclosure practices. If I have ping a platform company to correct and clarify info about their security disclosure, I'm out.
theden
·3 माह पहले·discuss
I'm sorry, but there's a lot of spin here. Basically you guys handled this terribly, and your reliability has tanked recently, hence why customers that need reliability in production are leaving or have already migrated.

> We went deep on them, tested them prior, and then when rubber met road in production we ran into cases we didn't see in testing. The large issue, and mentioned in the blogpost, is that we didn't have a mechanism to to a staged release.

Honestly for a production-grade _platform_ company, that also does compliance (SOC2/3, HIPAA etc.), not having a staged release is negligent, and how you guys are handling this is a huge red flag. I've done such changes myself in production envs, for deployments that don't have the stakes you guys have. I'm normally more sympathetic on incidents, but the lack of transparency thus far from railway leaves me doubting more than anything.

> Our initial post definitely could have been more clear, and we revised it the moment we got customer feedback to do so.

Please read the room, there's still a lot of confusion about the blog post in this thread (https://news.ycombinator.com/item?id=47582295). The technical detail isn't there, we only know it about the surrogate keys from the status incident (https://status.railway.com/incident/X0Q39H56) which is not linked in the post. The blog post reads like PR compared to the initial incident status report, and the resolved timestamp does not match which is sloppy. Your little edit to the title only made it from a bad post to a slightly less bad post.

> We notified customers even before we did a wide release, as is process for anything security related. You create space for as much disclosure area as possible, and then follow up with a public disclosure

Emailing only affected users isn't working out, because affected people aren't yet emailed (I know one personally). Just check the post on your own forum (https://station.railway.com/questions/data-getting-cached-or... did you actually read it?) and see the list of people affected still not emailed, and left on read. You guy should email everyone, this is a security incident not a service interruption. There's a lot of loss trust by your customers now, i.e., if you guys can't figure out who to email, what else are you doing wrong?

> Do you have any specifics here? We're scaling the system at 100x YoY growth right now, working 24/7 to scale the entire thing. Again, all ears on if you have specific crits as we're always open to receiving feedback on how we can do things better!

https://x.com/JustJake/status/2038806338915152350

Again, it's not an excuse if you're a _platform_ company that customers pay a lot of money to be reliable. You can't just keep saying you're open to feedback and being transparent as vanity. There's plenty of feedback on here, your twitter, your forum, and feedback is people are telling you to focus on reliability, because railway keeps breaking their deployments. If you don't care about reliability and prefer to scale with features, be honest about it. Railway's poor uptime does not lie.

> There are team members in that thread linked, are you certain you linked the right thread? Happy to have a look at anything you believe we're missing!

Did you read the thread? Yes, only _one_ employee commented 5 hours after my HN comment. Still almost everyone left of read, unanswered questions etc.

By way that's only one forum post, there are many that are just ignored, one where a user mentioned they're reporting railway to ICO for a GDPR breach, rightfully.
theden
·3 माह पहले·discuss
I'm kinda shocked (yet not surprised) at how bad railway has been with this:

- Why were they making CDN changes in prod? With their 100M funding recently they could afford a separate env to test CDN changes. Did their engineering team even properly understand surrogate keys to feel confident to roll out a change in prod? I don't think they're beating the AI allegations to figure out CDN configs, a human would not be this confident to test surrogate keys in prod.

- During and post-incident, the comms has been terrible. Initial blog post buried the lede (and didn't even have Incident Report in the title). They only updated this after negative feedback from their customers. I still get the impression they're trying to minimise this, it's pretty dodgy. As other comments mentioned, the post is vague.

- They didn't immediately notify customers about the security incident (people learned from their users). The apparently have emailed affected customers only, many hours after. Some people that were affected that still haven't been emailed, and they seem to be radio silent lately.

- Their founder on twitter keeps using their growth as an excuse for their shoddy engineering, especially lately. Their uptime for what's supposed to be a serious production platform is abysmal, they've clearly prioritised pushing features over reliability https://status.railway.com/ and the issues I've outlined here have little to do with growth, and more to do with company culture.

Honestly, I don't think railway is cut out for real production work (let alone compliance deployments), at least nothing beyond hobby projects.

Their forum is also getting heated, customers have lost revenue, had medical data leaked etc., with no proper followup from the railway team

https://station.railway.com/questions/data-getting-cached-or...
theden
·5 माह पहले·discuss
So the solution is to use a proprietary password manager instead? No thanks
theden
·5 माह पहले·discuss
This happened to me and I finally ditched time machine for BorgBackup https://www.borgbackup.org/

Not as nice UI-wise, but at least it's stable
theden
·6 माह पहले·discuss
Personal site: https://theden.sh/

Blog: https://thoughts.theden.sh/
theden
·6 माह पहले·discuss
Kinda funny that a lot of devs accepted that LLMs are basically doing RCE on their machines, but instead of halting from using `--dangerously-skip-permissions` or similar bad ideas, we're finding workarounds to convince ourselves it's not that bad
theden
·6 माह पहले·discuss
Way back when I was young and broke, I played through Half Life 2 and the episodes on a ThinkPad T420 using an ExpressCard/34 PCMCIA to PCI with a graphics card I borrowed and an old crappy PSU I pulled from a business Dell desktop.

Managed to complete the games with decent graphics and framerate at the time. It wasn't an ideal setup, but I didn't care. In fact, I thought it was a cool hack to play games at the time without forking out a lot of money to build a gaming PC.

Maybe there are probably better options now to game than attaching a dedicated GPU with whatever hardware you already have, but I can verify that external GPUs are really cool and useful (though a 5090 is definitely not needed). You also don't have to care about cooling the GPU, since it's "atmosphere" cooled (though headphones and/or ANC are a must).
theden
·10 माह पहले·discuss
I must be out of the loop, I didn't know people were actually doing this in their workflow. When I do use LLMs, it's in a separate app, where I can cherry pick what I input and output at my own pace.

Maybe I'm naive, but the ever-increasing tradeoffs for even more velocity does not seem worth it.
theden
·10 माह पहले·discuss
People underestimate how much our socially and culturally constructed gender roles impact interests and/or career paths. People have different tolerances with respect to conformity, and at different stages in their lives.

It's a shame something as fundamental as computing is seen as a "boy" thing by many, often fatalistically, and I think we've been worse off for it.
theden
·11 माह पहले·discuss
Pretty cool! You can force a miss by setting these vars in the console

  scoreMinute += 1
Or

  forceMissPaddle = rightPaddle; // or leftPaddle
theden
·5 वर्ष पहले·discuss
idk I always find writing code easier than reading code. Perl is a fantastic example of this.
theden
·5 वर्ष पहले·discuss
Those extra steps can be valuable, since you'll have to work to even find the right code to copy/paste, and the context which it's in can teach you something.

Even something as simple as copying from the docs, it's usually a good place to signal deprecation, use-case applicability, API updates etc. you lose all that with the automation.

Oftentimes there's also discussion around a solution, and in many ways can swing one's decision on whether to use the code or not.
theden
·5 वर्ष पहले·discuss
Calling it now, there will be a "Copilot considered harmful" post.

If you need to go through the suggested code to ensure it's correct, you may as well write it yourself?

If you glance at it and it looks about right, you can potentially overlook bugs or edge cases, you'll lose confidence in your own code since you didn't properly conceptualise it yourself.

Potentially for newer developers it robs them of active experience of writing code.

Much like learning an instrument, improvisation, or say physics, a lot of people learn by doing it, even if it's grunt work. IMO this is necessary for any professional.

Maybe it will be seen as a crutch, maybe I'm getting old? I have tons of code snippets, but it's usually stuff I've written and understood and battle tested, even if it was initially sourced from SO. Having it in the text editor and appear out of nowhere with no context seems like it'd need some adjustment in apprehension.

Edit: I should have been clear, I'm not against others using Copilot and will try it out myself. I can see it being useful in replacing one-line libs like in nodejs, i.e., copying a useful well-known and needed snippet vs installing yet another lib that could be a sec issue.

Also the industry is the real gatekeeper—we have tools that don't require us to repeat prior-art, yet have to go through hurdles of leetcode-style interviews for a job. Maybe in the future the hardest part of being a (AI-driven) developer will be getting a job?