Hacker News: AgentME

New comment by AgentME in "Gmail thinks I'm stupid, so I left"

AgentME — Tue, 02 Jun 2026 21:58:21 +0000

Gmail stopped using email contents for ad targeting in 2017.

New comment by AgentME in "Expanding Project Glasswing"

AgentME — Tue, 02 Jun 2026 19:39:54 +0000

GPT-4 was announced in March 2023 and wasn't made available to all developers until July 2023.

New comment by AgentME in "The Pirate Bay Remains Resilient, 20 Years After the Raid"

AgentME — Tue, 02 Jun 2026 19:28:47 +0000

Are there standards for a video to declare a default subtitle track to use?

New comment by AgentME in "Malicious npm packages detected across Red Hat Cloud Services"

AgentME — Tue, 02 Jun 2026 19:26:53 +0000

No, the reference to May 19 in the article is about a previous supply chain attack against AntV (https://www.stepsecurity.io/blog/shai-hulud-here-we-go-again...). I think there may be some copy-paste mistakes where they reused part of that previous article and didn't contextualize it correctly.

The npm package `@redhat-cloud-services/chrome` version 2.3.1, which was part of this current supply chain attack, was published on June 1. The malicious package version is no longer listed on npmjs.com's web UI since it was taken down, but the publish date of 2.3.1 can still be seen in https://registry.npmjs.org/@redhat-cloud-services/chrome by searching for the version number there, and the publish date was 2026-06-01T10:54:42.121Z.

I find the article extremely annoying for not having a clear timeline of when these malicious package versions were available.

New comment by AgentME in "Malicious npm packages detected across Red Hat Cloud Services"

AgentME — Mon, 01 Jun 2026 23:08:14 +0000

The security companies looking for and reporting the issues aren't going to use the cooldown too.

New comment by AgentME in "The Pirate Bay Remains Resilient, 20 Years After the Raid"

AgentME — Mon, 01 Jun 2026 22:59:27 +0000

Even for English speakers, the subtitle experience with pirated movies is often lacking. Movies with non-English-speaking characters are often meant to have subtitles for their dialog and not for English speakers by default, but many pirated versions don't do this. I recently saw discussions online of a lot of people saying they went an embarrassingly long time without knowing there were supposed to be subtitles for the aliens in District 9 or the mute hand-signing girl in The Boys.

New comment by AgentME in "Should you normalize RGB values by 255 or 256?"

AgentME — Mon, 01 Jun 2026 20:48:58 +0000

It's worth pointing out that the article explicitly calls out your first mixed technique:

> Finally, one should never mix the encode and decode steps of the two quantizers. That’s just broken code. It’s an easy mistake to make, though.

New comment by AgentME in "Should you normalize RGB values by 255 or 256?"

AgentME — Mon, 01 Jun 2026 20:41:55 +0000

OpenImageIO uses the standard division by 255 technique: https://openimageio.readthedocs.io/en/latest/imageoutput.htm...

New comment by AgentME in "Malicious npm packages detected across Red Hat Cloud Services"

AgentME — Mon, 01 Jun 2026 19:12:48 +0000

But there is a second level of people reviewing packages on npm. They're the ones that report issues like the github issue this HN thread is linked to, and they very frequently get malicious npm packages taken down within a day of publishing. The big issue is just that not everyone is using a cooldown to avoid packages less than a day old and so people who install new packages at unlucky times don't get the benefit of that layer of review.

New comment by AgentME in "Algebraic Effects for the Rest of Us"

AgentME — Sat, 30 May 2026 20:45:24 +0000

I was thinking this through more and realized that a callback directly in a thread local variable isn't quite enough: You need to keep a stack in the thread local variable. Every try-handle block pushes a callback in and pops it when exited. (Javascript's AsyncLocalStorage is naturally nestable so you don't need to manage a stack yourself with it.)

New comment by AgentME in "Algebraic Effects for the Rest of Us"

AgentME — Sat, 30 May 2026 09:28:35 +0000

That's what I was thinking. You could get almost all of this pretty directly in Javascript by putting a callback function in an AsyncLocalStorage instance or, in other languages, in a thread local variable.

New comment by AgentME in "Theseus: Translating Win32 to WASM"

AgentME — Wed, 27 May 2026 19:41:44 +0000

People in the WebAssembly standards group are recently considering relaxing the limitation that the main thread can't use atomic.wait: https://github.com/WebAssembly/threads/issues/177#issuecomme...

New comment by AgentME in "Are we self-sovereign PKI yet?"

AgentME — Tue, 26 May 2026 19:46:22 +0000

> Spaces takes this shape. (Disclosure: I work on it.) Issued names live in a binary Merkle trie. The root of that trie is committed to Bitcoin’s chain

Who can update and publish the merkle trie onto the blockchain? Is it only Spaces themselves who can? If so, this seems a little inferior to more direct blockchain solutions like the Ethereum Name Service which exists as a smart contract on a blockchain that anyone can use directly.

New comment by AgentME in "Deno 2.8"

AgentME — Tue, 26 May 2026 19:19:04 +0000

Your deno.json/package.json should generally pin things to their major version (eg. "^3.1.4"). Your application's lockfile (deno.lock/package-lock.json) which is generated by default pins your dependencies and your sub-dependencies to exact versions.

New comment by AgentME in "Deno 2.8"

AgentME — Tue, 26 May 2026 19:16:24 +0000

Isn't Lua equally monkey-patchable? Both of the languages, along with Python and Ruby, represent nearly everything as mutable objects.

New comment by AgentME in "Deno 2.8"

AgentME — Fri, 22 May 2026 20:48:59 +0000

Javascript/Typescript as it is now isn't a great language for a real capability system because any code can monkey-patch global objects and use that to steal capability objects from elsewhere. JS code of different privilege levels needs to be run in separate realms at the very least. (Though there are proposals for things like frozen realms that try to make JS more suitable for capability systems.)

New comment by AgentME in "Deno 2.8"

AgentME — Fri, 22 May 2026 20:17:47 +0000

One issue was that all dependencies had to be pinned to exact versions. If some sub-dependency of yours got a bugfix in a minor or patch update, your project only gets that update once the dependency updates to bump its dependencies and then you update that dependency. (Pinning exact versions of everything has its place but that place generally should be in your own project's lockfile.)

Also, if multiple dependencies of yours share a sub-dependency, then unless they pick the exact same patch version then you're almost always going to have multiple versions of common sub-dependencies loaded. (It's great that multiple versions of a dependency can be loaded at once because it lets you avoid the classic "dependency hell" issue, but having multiple versions of nearly all of your common sub-dependencies gets wasteful at some point. Generally there's rarely a good reason to have multiple versions of the same dependency that only differ in patch or minor version.)

(Deno's current support for NPM and JSR avoids these issues.)

New comment by AgentME in "AI is just unauthorised plagiarism at a bigger scale"

AgentME — Thu, 21 May 2026 17:37:15 +0000

It would be one thing for someone to say "AI is enabling plagiarism at a bigger scale", but to say it's "just plagiarism", surely one needs to explain who exactly the unit distance breakthrough was plagiarized from.

New comment by AgentME in "Everything in C is undefined behavior"

AgentME — Wed, 20 May 2026 10:07:50 +0000

If someone is switching from C because it's too easy to trigger undefined behavior, picking one of the few other not memory safe languages is missing the point.

New comment by AgentME in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"

AgentME — Tue, 19 May 2026 09:34:36 +0000

Another supply chain attack found and blocked in a day. Everyone regularly using npm to install new packages should be using npm's min-release-age setting to avoid package versions that are newer than a few days old to avoid most attacks in practice like this. You can set it to two days with `npm config set min-release-age=2` for example. https://cooldowns.dev/ has info about equivalent settings in other dependency managers like PyPI and Cargo.