Hacker News: Replies to

New comment by cluckindan in "Kraftwerk's radical 1976 track"

cluckindan — Sat, 16 May 2026 02:46:03 +0000

Why don’t you show your claims to be true?

New comment by vi_sextus_vi in "Does Trump Mobile know how many stripes are on the American flag?"

vi_sextus_vi — Sat, 16 May 2026 02:45:52 +0000

Looks like we were both paying attention to boomer versus millennial (genZ?) takes on the Caltech honor code.

I then swiped the vector embedding:

   pride is to 'honor-code' as gratitude is to reciprocity

New comment by driggs in "Echoes (Live at Pompeii) (1972)"

driggs — Sat, 16 May 2026 02:45:51 +0000

The Live at Pompeii "concert" in that empty amphitheatre has always felt to me like they were playing to an audience of ghosts or spirits.

If you have the opportunity to see it on a big screen or IMAX, it's an incredibly moving experience.

New comment by Davidzheng in "The Zulip Foundation"

Davidzheng — Sat, 16 May 2026 02:45:43 +0000

My only gripe is that on my phone sometimes it takes like 30 seconds to load, which doesn't seem to happen for almost anything else

New comment by skeledrew in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

skeledrew — Sat, 16 May 2026 02:45:36 +0000

No surprise here. That's what you get when you have a language/ecosystem where core devs refuse to fix fundamental flaws, cuz for them breaking backwards compatibility is the worse crime that can ever be committed. And so all that happens in JS-land will eternally be layering lipstick on the pig in the cesspool. Too afraid of going through something similar to the Python 2 -> 3 fiasco, I guess because too many web devs and site admins would be incensed at being forced to fix their broken universe; as if it isn't already broken in its current condition.

New comment by andrekandre in "Amazon workers under pressure to up their AI usage are making up tasks"

andrekandre — Sat, 16 May 2026 02:45:29 +0000

  > What they don't like is anything being forced on them

raises hand (n=1), i'm fine to use it when i need it, but the derangement by management about it is a total put-off and unnecessary (and in the end counter-productive)

New comment by bigyabai in "We don't know why Malawi is poor"

bigyabai — Sat, 16 May 2026 02:45:27 +0000

C'mon now, you don't get to break the guidelines when the site disagrees with you: https://news.ycombinator.com/newsguidelines.html

  Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.

New comment by germandiago in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

germandiago — Sat, 16 May 2026 02:45:06 +0000

I use C++ and Conan with my iwn recipes and pre-built artifacts.

This mitigates things to a great extent.

I do not know who thought that having your dependencies depend on the internet with a zillion users doing stuff to each package was a good idea for enterprise environments...

It is crazy how much things can get endangered this way.

New comment by Akronymus in "California bill would require patches or refunds when online games shut down"

Akronymus — Sat, 16 May 2026 02:44:47 +0000

Not quite, afaict. When the auth servers are shut down, you wouldnt be able to play it anymore, even in single player.

New comment by sciencejerk in "The main thing about P2P meth is that there's so much of it (2022)"

sciencejerk — Sat, 16 May 2026 02:44:45 +0000

The article links the Rhodium site archive, which hosts recipes and chemistry lab setup for making P2P precursor and the real stuff https://www.erowid.org/archive/rhodium/chemistry/

New comment by keepamovin in "The main thing about P2P meth is that there's so much of it (2022)"

keepamovin — Sat, 16 May 2026 02:44:45 +0000

Right, I appreciate you getting into the nuance, but I feel like you take the argument to polar extremes (with an attitude of confident, final certainty), when the expected outcome is across the middle. This smells more like ideology than practicality.

Look, I’m not an expert in drug policy. It just sounds like a logical way to reduce harm overall. The conceivable parties who would lose out are: government funded agencies charged with fighting drug crime because their caseload and budgets would probably decrease; and on the other side the cartels and dealers. Although what seems to happen with the latter is once something is legalized, the supply chains morph into legitimate businesses somehow.

I still think it would work. I’m not convinced by what you said.

New comment by ricardo_lien in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

ricardo_lien — Sat, 16 May 2026 02:44:41 +0000

pnpm

New comment by timfsu in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

timfsu — Sat, 16 May 2026 02:44:37 +0000

Pnpm - installs are faster to boot. We haven’t missed anything

New comment by saghm in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

saghm — Sat, 16 May 2026 02:44:23 +0000

I'm not convinced that Python should be the standard for package management either. Earlier this week I was trying to publish a Python package for the first time wrapping a Rust library I wrote (for use only on Linux and Python 3.12+), and it literally took me hours to get from "I have a wheel that I can import and it works on my system" to "I have published that wheel and can install the package from PyPI on the set of systems that I'm trying to support and it actually works". Everything I've heard about this indicates that the situation for Python packaging is literally better than it ever has been before with the current tooling, so I can't even imagine how bad it was for the decades before. In comparison, having literally never touched npm before, I was able to publish a wrapper around the same library and validate that it was working in maybe 10 minutes (most of which were spent from not realizing that a certain tool was failing with a vague "file not found" error because I hadn't installed npm yet).

I'm not saying that npm is doing everything right, but I suspect that beyond the obvious low-hanging fruit that we hear about pretty consistently with npm there's probably a long tail of less obvious stuff that can be exploited that will not be specific to npm. The fundamental problems with supply-chain vulnerabilities aren't going to go away if npm magically became pip or go modules overnight.

New comment by cluckindan in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

cluckindan — Sat, 16 May 2026 02:44:17 +0000

So N=1? 2? 3?

New comment by eranation in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

eranation — Sat, 16 May 2026 02:44:01 +0000

Sorry for hijacking threads like this again, and I know people have opinions about cooldowns etc. But the fact is that if you work in a large company, you already likely have cooldowns via Artifactory / Nexus, and if you don't, it's easy to set up.

Why cooldowns? Most npm (or pypi) compromises were taken down within hours, cooldowns simply mean - ignore any package with release date younger than N days (1 day can work, 3 days is ok, 7 days is a bit overkill but common)

How to set them up?

- use latest pnpm, they added 1 day cooldown by default https://pnpm.io/supply-chain-security

- or if you want a one click fix, use https://depsguard.com (cli that adds cooldowns + other recommended settings to npm, pnpm, yarn, bun, uv, dependabot and renovabot)

- or use https://cooldowns.dev which is more focused on, well, cooldowns, with also a script to help set it up locally

All are open source / free.

If you know how to edit your ~/.npmrc etc, you don't really need any of them, but if you have a loved one who just needs a one click fix, these can likely save them from the next attack.

Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown, but each of them have a way to do so. In the past few weeks, while I don't have hard numbers, it seems more risk has come from Software Supply Chain attacks (malicious versions pushed) than from new zero day CVEs (even in the age of Mythos driven vulnerability discovery)

Disclaimer - I maintain depsguard.

New comment by cgio in "Amazon workers under pressure to up their AI usage are making up tasks"

cgio — Sat, 16 May 2026 02:44:01 +0000

Next feature is creating stories. Double burn.

New comment by badtuple in "I believe there are entire companies right now under AI psychosis"

badtuple — Sat, 16 May 2026 02:43:54 +0000

I've worked with many people over the years. A bunch of product people have struck out to make their own thing now that they can get a feedback loop going. I just keep in touch with people. They know my services are available, so if they have a need they reach out.

The greatest asset in this type of work is genuinely liking people, being good at what you do, and keeping in touch. My email is easily findable for a reason.

New comment by VB6-Programming in "I'm writing a history of Visual Basic, Chapter 1 is up"

VB6-Programming — Sat, 16 May 2026 02:43:46 +0000

The twinBASIC programming language is a modern VB6 - and it can import VB6 source code and forms.

New comment by brooksc in "'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens"

brooksc — Sat, 16 May 2026 02:43:45 +0000

Thoughts and Prayers to those affected