The activity monitor does show all kinds of Electron apps active, on top of a presumably model-loaded Handy and a virtual machine for Claude Code, so I guess that's the real root cause for all the swapping. If your laptop starts trashing I can't imagine you have any use for those apps, which will grind to a halt.

[1] https://huggingface.co/mlx-community/gemma-4-31b-it-4bit

I frequently debug issues while keeping my carefully curated but long context active for days. Losing potentially very important context while in the middle of a debugging session resulting in less optimal answers, is costing me a lot more money than the cache misses would.

In my eyes, Claude Code is mainly a context management tool. I build a foundation of apparent understanding of the problem domain, and then try to work towards a solution in a dialogue. Now you tell me Anthrophic has been silently breaking down that foundation without telling me, wasting potentially hours of my time.

It's a clear reminder that these closed-source harnesses cannot be trusted (now or in the future), and I should find proper alternatives for Claude Code as soon as possible.

[1] https://code.claude.com/docs/en/changelog

IIRC the last public exploit for all LG TVs for webOS > 5 was in the beginning of 2025 (so pretty recent), but as most sellers on the second hand market have auto-updates turned on, there's no way to know which TVs are vulnerable.

It should be doable to strip down much of webOS with root access. It's nice that webOS in general is very well documented and much is implemented around the Luna service bus. LG offers a developer mode for non-rooted TVs, and there's an active homebrew community because of it. It's a pity that you can't modify the boot partitions, as the firmware verifies their integrity. It would be nice to have an exploit for that.

[1] https://github.com/throwaway96/dejavuln-autoroot

[2] https://cani.rootmy.tv

> pip3 install git+https://github.com/ml-explore/mlx-lm.git

> ./venv/bin/mlx_lm.generate --model "$MODEL" --temp 1.0 --top-p 0.95 --top-k 64 --max-tokens 128000 --prompt "Hello world"

Where $MODEL is an unsloth model like:

- unsloth/gemma-4-E4B-it-UD-MLX-4bit

- unsloth/gemma-4-26b-a4b-it-UD-MLX-4bit

As you have so much RAM I would suggest running Q8_0 directly. It's not slower (perhaps except for the initial model load), and might even be faster, while being almost identical in quality to the original model.

And just to be sure: you're are running the MLX version, right? The mlx-community quantization seemed to be broken when I tried it last week (it spit out garbage), so I downloaded the unsloth version instead. That too was broken in mlx-lm (it crashed), but has since been fixed on the main branch of https://github.com/ml-explore/mlx-lm.

I unfortunately only have 16 GiB of RAM on a Macbook M1, but I just tried to run the Q8_0 GGUF version on a 2023 AMD Framework 13 with 64 GiB RAM just using the CPU, and that works surprisingly well with tokens/s much faster than I can read the output. The prompt cache is also very useful to quickly insert a large system prompt or file to datamine although there are probably better ways to do that instead of manually through a script.

Some models of inverter brands like Victron (which isn't very common outside its niche of self-sufficiency because they are rather expensive and sometimes complex) can form a micro-grid. They have the option of a special circuit breaker [1] that decouples the inverter from the grid if the grid is detected to be down, which allows their use during a power outage.

[1] https://www.victronenergy.com/accessories/anti-islanding-box...

[1] https://nextcloud.com/partners/

And don't get me wrong: there's nothing wrong with starting a business rebranding Nextcloud and keeping your development closed source, as long as you're honest about that, which this initiative is not.

If you're looking for a Nextcloud hoster, there's a long list of partners here [2] that have contractually obligated themselves to contribute back to Nextcloud for every user they onboard.

[1] https://blog.tomaszdunia.pl/officeeu-eng/

[2] https://nextcloud.com/partners/

Comments URL: https://news.ycombinator.com/item?id=47223610

Points: 2

# Comments: 0

You are mistaken. In the EUDI wallet project, unlinkable signature schemes are currently being discussed among cryptographers and a month ago Longfellow very basic support for Longfellow has been merged into the reference wallet.

You're making it seem that unlinkable signatures are very established and the default, while they are not. They're not yet properly defined, experimental and mostly unimplemented by member states. Linkable ECDSA signature are currently the default in the EUDI wallet project.

Indeed according to some (i.e. the Commission) it's supposed to, but they should know better. And many member state wallet developers do know better.

Play Integrity can easily be bypassed unless you want to exclude a very large amount of users – especially disadvantaged people using older phones – because there are many vulnerable phones in use by those users, and you only need one to build such an age attribute faucet.

See also this comment: https://news.ycombinator.com/item?id=45363853

You're mistaken. SD-JWT with linkable ECDSA signature is the main mechanism. An unlinkable signature scheme is being discussed on the fringes of the EUDI-project (whether it be BBS+ or Longfellow) and very bare-bones support for Longfellow has been added to the reference wallet a month ago. However the Implementing Acts have no support for such a mechanism yet, and most member states will only implement ECDSA based mechanisms (SD-JWT and ISO 18013) for the foreseeable future.

It's therefore very likely the EUDI wallet and/or a age verification solutions will launch with issuer linkable ("easily trackable") signatures.

See also this thread: https://news.ycombinator.com/item?id=45363275

Of course this really isn't something you'd want to do for these kinds of simple cases. But threatening to do so often goes pretty far. The court in the country of the data subject has jurisdiction, so any company operating from another country would need to defend themselves abroad, which can be a strong incentive to cooperate or settle the case.

I've gotten results for GPDR article 20 requests (data portability) multiple times after some strongly worded letters (Spotify [1], NLZiet, AliveCor and Albert Heijn), and have gone to court twice. Once won against Eneco (although that was only about court fees they didn't want to pay without an NDA), and once didn't lose but regrettably didn't win on a quite complicated case against ABN AMRO in which the court just didn't understand what machine readable means despite the clear guidelines by the EDPD.

[1] https://news.ycombinator.com/item?id=24764371

That allows Logius to pretend it's not much of a problem, and Solvinity maintains (in an unusually sharp and on-point interview) that all data is "encrypted" [1], without mentioning who possesses the keys or whether encryption is relevant at all. They go on to say that they consider the scenario of the US shutting down DigiD "very hypothetical", that they will follow Dutch law and that they have a strong supervisory board (as if that would matter).

Logius also operates MijnOverheid, which collates very sensitive information about all citizens from most government agencies and also relies on Solvinity infrastructure.

The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud). They were advised multiple times over multiple years by the main advisory body on IT of The Netherlands (AcICT) not to do it in this way and KISS, but then did it anyway.

The intent of structuring it in this way was that it would be easier to switch infrastructure providers, but the outcome is the exact opposite: there is now a non-standard "integration layer" that would need to be rebuilt. Which is exactly what AcICT warned about from the beginning.

You can find a diagram of the responsibilities on both the Solvinity and Logius side on the last page of [2] (in Dutch).

The wild thing is that Logius also owns and maintains "Standaard Platform" [3], which is a very neat and standard Kubernetes environment, but they declined to use this for DigiD and MijnOverheid because they didn't deem it secure enough, and instead of securing their Kubernetes deployment, they went on with PICARD / LPC.

Logius is an autonomous body of the Ministry of the Interior (BZK), but they appear to have completely lost control over setting any policy and now mainly walk from crisis to crisis because any opening on their "SAFe train" is years away.

[1] https://www.nrc.nl/nieuws/2025/12/03/baas-van-solvinity-prob...

[2] https://www.adviescollegeicttoetsing.nl/site/binaries/site-c...

[3] https://www.logius.nl/onze-dienstverlening/infrastructuur/st...

No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).

I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.

> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.

Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.

So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing it's limitations. Only if such expectations are correctly set, we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.

[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).

Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.

[1] https://github.com/paolo-de-rosa

This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).

The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.

It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.

[1] https://news.ycombinator.com/item?id=44458323

Their response:

    Thank you for reaching out to Otter.ai. Under Articles 12 and 17 of the GDPR, Otter.ai is able to delete personal data that is stored in and controlled by your own account. However, Otter.ai cannot delete personal data that is stored in another user’s account. In those cases, Otter.ai acts as the processor or hosting platform, and the other user is the controller for that content. As such, only that account holder has the authority to remove the content.

    If you wish to have such data deleted, we recommend that you contact the relevant user directly and exercise your rights under the GDPR with them.

    Thank you,
    Otter.ai Privacy Team

    To whom am I speaking? Is this the Privacy Officer? Why have you been ignoring emails for 3,5 weeks since the 23rd of July, while a GDPR request was filed on the 8th of July?

    You know very well that a meeting agent of Otter.ai, the emails by Otter.ai and the website of Otter.ai fall under the direct responsibility of Otter.ai as data controller. Your privacy statement in no way supports a narrative that Otter.ai would act as a so called "hosting platform". It's preposterous to suggest that every one of your users – not being a company but a private person – would be it's own little GDPR data controller island and you're merely an accidental processor of data. Jurisprudence is very clear on this and this notion will be outright rejected.

    The deadline has long passed, I'm initiating a court procedure this week.

    Hoogachtend,