Hacker News: Arbortheus

New comment by Arbortheus in "Decisions that eroded trust in Azure – by a former Azure Core engineer"

Arbortheus — Fri, 03 Apr 2026 08:35:26 +0000

I use GCP, but it also has the idea of a metadata server. When you use a Google Cloud library in your server code like PubSub or Firestore or GCS or BigQuery, it is automatically authenticated as the service account you assigned to that VM (or K8S deployment).

This is because the metadata server provides an access token for the service account you assigned. Internally, those client libraries automatically retrieve the access token and therefore auth to those services.

New comment by Arbortheus in "Google releases Gemma 4 open models"

Arbortheus — Thu, 02 Apr 2026 19:02:02 +0000

What’s it like to work on the frontier of AI model creation? What do you do in your typical day?

I’ve been really enjoying using frontier LLMs in my work, but really have no idea what goes into making one.

New comment by Arbortheus in "macOS code injection for fun and no profit (2024)"

Arbortheus — Sun, 08 Mar 2026 15:33:40 +0000

Not game dev related, but I program in both Go and Python, and there really is no difference in my feedback loop / iteration because Go builds are so fast and cache unchanged parts.

New comment by Arbortheus in "Another GitHub outage in the same day"

Arbortheus — Tue, 10 Feb 2026 08:50:53 +0000

It seems to be correct now

New comment by Arbortheus in "Why E cores make Apple silicon fast"

Arbortheus — Sun, 08 Feb 2026 15:32:51 +0000

I also have to run Defender on my MacBook at work.

If you have access to the Defender settings, I found it to be much better after setting an exclusion for the folder that you clone your git repositories to. You can also set exclusions for the git binary and your IDE.

New comment by Arbortheus in "GitHub Actions is slowly killing engineering teams"

Arbortheus — Fri, 06 Feb 2026 11:09:14 +0000

There are two solutions GitHub Actions people will tell you about. Both are fundamentally flawed because GitHub Actions Has a Package Manager, and It Might Be the Worst [1].

One thing people will say is to pin the commit SHA, so don't do "uses: randomAuthor/some-normal-action@v1", instead do "uses: randomAuthor/some-normal-action@e20fd1d81c3f403df57f5f06e2aa9653a6a60763". Alternatively, just fork the action into your own GitHub account and import that instead.

However, neither of these "solutions" work, because they do not pin the transitive dependencies.

Suppose I pin the action at a SHA or fork it, but that action still imports "tj-actions/changed-files". In that case, you would have still been pwned in the "tj-actions/changed-files" incident [2].

The only way to be sure is to manually traverse the dependency hierarchy, forking each action as you go down the "tree" and updating every action to only depend on code you control.

In other package managers, this is solved with a lockfile - go.sum, yarn.lock, ...

[1] https://nesbitt.io/2025/12/06/github-actions-package-manager...

[2] https://unit42.paloaltonetworks.com/github-actions-supply-ch...

New comment by Arbortheus in "Treasures found on HS2 route"

Arbortheus — Mon, 02 Feb 2026 19:13:27 +0000

London has loads of exceptional museums that are completely free. If you ever have the chance to visit the city, do try to take advantage!

New comment by Arbortheus in "In praise of –dry-run"

Arbortheus — Sun, 01 Feb 2026 12:46:34 +0000

I prefer “—really-do”, so the default behaviour of the tool is to do nothing. That’s more fault tolerant for the scenario you forget to add “—dry-run”.

New comment by Arbortheus in "The Vietnam government has banned rooted phones from using any banking app"

Arbortheus — Fri, 09 Jan 2026 17:10:41 +0000

Do those same banks have websites that you can access from a computer with root access? Most likely, yes.

New comment by Arbortheus in "Cloudflare CEO on the Italy fines"

Arbortheus — Fri, 09 Jan 2026 17:07:34 +0000

I agree with the CEO, while also feeling a bit nauseous at the MAGA Musk suck-up at the end - I suppose this is the game you have to play with this current administration.

New comment by Arbortheus in "HTTP Strict Transport Security (HSTS)"

Arbortheus — Tue, 30 Dec 2025 22:32:05 +0000

It would be nice. Our security team started complaining that we serve a 301 redirect on port 80 for our website (just like 99.9% of websites do... sigh) and wanted port 80 shut down.

To appease them, I switched the redirect off in dev/staging, and soon enough even devs are having trouble accessing the site because they type 'website.com' and that can't resolve, only 'https://website.com' can.

(And before you say it, yes we use HSTS, but I presume there were some scenarios where that wasn't already cached/hit).

New comment by Arbortheus in "Fix HDMI-CEC weirdness with a Raspberry Pi and a $7 cable"

Arbortheus — Mon, 15 Dec 2025 23:29:57 +0000

In my home media setup (LG UQ81 TV, WiiM Amp via ARC, Xbox Series X, Chromecast with Google TV), the CEC setup _almost_ works perfectly.

* I can use the LG TV’s remote alone to control everything including the Chromecast and amp’s volume controls.

* The amp automatically switches on and off with the TV.

* Turning the Xbox on/off via its controller also turns on/off the TV and the amplifier together.

Mostly good, except sometimes when I have my Chromecast on and switch the Xbox on via the controller it gets stuck in an endless loop of flicking back and forth between HDMI 1 and HDMI 2, between Chromecast and Xbox. Nothing I can do will stop it except to power cycle the TV.

If anyone has experienced anything similar or has any tips on how to debug this that would be much appreciated!

New comment by Arbortheus in "Sick of smart TVs? Here are your best options"

Arbortheus — Sat, 13 Dec 2025 09:31:33 +0000

What a horrid thought…

You might be interested to read about the findings by Ruter, the publicly owned transport company for Oslo. They discovered their Chinese Yutong electric buses contained SIM cards, likely to allow the buses to receive OTA updates, but consequentially means they could be modified at any moment remotely. Thankfully they use physical SIMs, so some security hardening is possible.

Of course, with eSIMs becoming more widespread, it’s not inconceivable you could have a SoC containing a 5G modem with no real way to disable or remove it without destroying the device itself.

[1] https://ruter.no/en/ruter-with-extensive-security-testing-of...

New comment by Arbortheus in "UniFi 5G"

Arbortheus — Fri, 05 Dec 2025 14:25:00 +0000

Where I live, all the 4G is oversaturated and really slow.

New comment by Arbortheus in "Django 6"

Arbortheus — Thu, 04 Dec 2025 23:08:59 +0000

I love Django. Thanks Django people, keep making great stuff.

New comment by Arbortheus in "SmartTube Compromised"

Arbortheus — Mon, 01 Dec 2025 13:51:26 +0000

The cost of being brainwashed by ads and sponsor slots is also high.

Even with YouTube Premium you don’t get the feature set you get with SmartTube. The sponsor block integration on my TV is brilliant.

New comment by Arbortheus in "Liquid Glass Is Cracked, and Usability Suffers in iOS 26"

Arbortheus — Sat, 11 Oct 2025 09:12:57 +0000

A few years ago, I’d install all iOS major updates practically as soon as they came out.

Nowadays I feel that the quality of iOS has slipped, so will wait for 26.1 first.

New comment by Arbortheus in "DataTables CDN Outage – post incident review"

Arbortheus — Wed, 17 Sep 2025 19:03:39 +0000

Thanks for the pleasant reply!

I thought I was not using the CDN as I had self-hosted the static sources, but some image sources seemed to be imported from the CDN in stylesheets in the version of data tables I linked.

I just updated my application from v1.11 to v1.13 without any trouble (aside from some minor aesthetic changes to padding), so at the very least I now benefit from your styled elements.

Thanks for your dedication on this package, I’ve used it for years and it works very well.

New comment by Arbortheus in "DataTables CDN Outage – post incident review"

Arbortheus — Wed, 17 Sep 2025 14:23:52 +0000

Out of curiosity, could this have been a vector for a supply chain attack?

I am currently running an fairly outdated version of datatables on a personal project, v1.11.3 from 2021. I'm not too worried about running this older version, because according to dependency scanning software there's no CVEs for it [1]. Also, upgrading this package is too tricky as there's been some pretty huge breaking changes, so I'm stuck at this older version.

I am _not_ using the datatables CDN but instead self-hosting the static files. However, I did not notice until recently that in v1.11.3 it comes with a CSS stylesheet [2] that loads a static resource from that CDN: `url("https://www.datatables.net/examples/resources/details_open.p...")`

It looks like newer versions of datatables don't import static files from the datatables CDN like this.

Presumably if this domain was hijacked as stated in this incident review, users on affect datatables version could have had their site compromised?

Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?

[1] https://security.snyk.io/package/npm/datatables.net/1.11.3

[2] https://cdn.datatables.net/1.11.3/css/jquery.dataTables.css

New comment by Arbortheus in "Speeding up PostgreSQL dump/restore snapshots"

Arbortheus — Sat, 05 Jul 2025 22:14:59 +0000

Offsite replica is only applicable if the cause is a failure of the primary. What if I’m restoring a backup because someone accidentally dropped the wrong table?