<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: Liskni_si</title><link>https://news.ycombinator.com/user?id=Liskni_si</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 02 Jul 2026 23:49:49 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=Liskni_si" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by Liskni_si in "Yserver: A modern X11 server written in Rust"]]></title><description><![CDATA[
<p>2007 is when xrandr 1.2 came and made it feasible to use on a laptop - enable/disable outputs dynamically without restarting X.<p>Xinerama (the extension that enables one virtual screen over multiple outputs) existed before but the layout could only be defined statically - so you'd need to restart your X server with a different config if you wanted to connect a monitor or a projector or something.</p>
]]></description><pubDate>Sun, 14 Jun 2026 22:49:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48533799</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48533799</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48533799</guid></item><item><title><![CDATA[New comment by Liskni_si in "Yserver: A modern X11 server written in Rust"]]></title><description><![CDATA[
<p>> So realistically no application did this.<p>Old versions of GIMP (back when the toolbars etc. were separate windows) used to let you move any of its windows to a different X screen. And by "move" I don't mean drag - there was a menu where you could select the screen to move to.</p>
]]></description><pubDate>Sun, 14 Jun 2026 22:44:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48533747</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48533747</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48533747</guid></item><item><title><![CDATA[New comment by Liskni_si in "Chrome is looking to permanently drop MV2 extension"]]></title><description><![CDATA[
<p>What about this (actively maintained) fork of uBO that polyfills some MV2 APIs to make uBO work as an MV3 extension:
<a href="https://github.com/r58playz/uBlock-mv3" rel="nofollow">https://github.com/r58playz/uBlock-mv3</a><p>Anyone tried that?</p>
]]></description><pubDate>Thu, 11 Jun 2026 08:32:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=48487796</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48487796</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48487796</guid></item><item><title><![CDATA[New comment by Liskni_si in "Mouseless – keyboard-driven control of macOS/Linux/Windows"]]></title><description><![CDATA[
<p>I'm somewhat aware of some of this but also... External keyboard only works if you're using the laptop as a desktop computer. It's not really practical if one uses a laptop as a laptop.<p>And yeah I know there are people lugging a massive mechanical keyboard to cafes but I find that about as annoying as getting used to the ridiculously bad keyboard and no trackpoint of Apple laptops.</p>
]]></description><pubDate>Sun, 07 Jun 2026 16:26:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48436345</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48436345</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48436345</guid></item><item><title><![CDATA[New comment by Liskni_si in "Mouseless – keyboard-driven control of macOS/Linux/Windows"]]></title><description><![CDATA[
<p>Not just hard - impossible. To the point of making it harder to find a job, as very few jobs let you use a non-Windows ThinkPad.<p>(I mean yeah, of course AuDHD makes it harder to find a job, no surprise there. But it's a shame that laptop manufacturers make it even harder.)</p>
]]></description><pubDate>Fri, 05 Jun 2026 17:09:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48415411</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48415411</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48415411</guid></item><item><title><![CDATA[New comment by Liskni_si in "A few interesting modern pixel fonts"]]></title><description><![CDATA[
<p>Anyone else still using the 7x13 "misc fixed" font that comes with X11? I just can't switch. Perfectly readable on both 14" 1920×1200 and 35" 3440×1440. Yes it's small but that's kinda the point.<p>The only issue is that Nerd Font symbols are really hard to read at that size, even if one manages to get them to render (which isn't that hard in alacritty but needs some extra hacks in rxvt-unicode).</p>
]]></description><pubDate>Wed, 27 May 2026 10:04:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=48292005</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=48292005</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48292005</guid></item><item><title><![CDATA[New comment by Liskni_si in "Meta to start capturing employee mouse movements, keystrokes for AI training"]]></title><description><![CDATA[
<p>What if "the IT department" is just this one guy who asks me to Cc him an invoice when I buy a laptop and that's the end of it?<p>(yes that's a real story from my career, and the company was 100+ employees at the time)</p>
]]></description><pubDate>Tue, 21 Apr 2026 22:08:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=47855232</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47855232</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47855232</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>> But they won't get your private key.<p>Indeed, that was my point exactly a couple posts up the thread. :-)<p>> you may realise that something wrong happened<p>I think I can iterate on the exact mechanics to make this less likely. I mean it's getting off-topic but the one thing that comes to mind is to enable ControlMaster for all ssh connections which allows any second ssh invocation to skip the auth and just re-use the existing connection. ssh-copy-id is near instant then and doesn't ask anything.<p>At that point you might—rightly so—argue that they're no longer tricking the user into authorising a different operation. Just a reminder that if someone can run code as your local user, they can easily and sneakily gain access elsewhere. Even if you need a yubikey touch to connect there.<p>The original attack idea of timing the yubikey touch for when you normally expect to touch it might still be relevant for a scenario like ssh-agent forwarding to a malicious box. They can't run code as your local user, but can still perhaps trigger the agent to interact with the yubikey. Maybe.</p>
]]></description><pubDate>Thu, 16 Apr 2026 23:08:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47800682</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47800682</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47800682</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Okay let me elaborate on how I envision that attack to work:<p>1. attacker wants to use your yubikey-backed ssh key, let's say for running ssh-copy-id once with their own key so they can gain access to your server<p>2. thus they need to trick you into touching the key when they run that command<p>3. the best way to trick you is to wait until you do something where you'd normally need to touch that key yourself<p>4. so they alias ssh to a script that detects when you're trying to connect to this server yourself, and invoke ssh-copy-id instead, which prompts you to touch the yubikey and you do<p>5. spit out a reasonable-looking error (something that makes you think "bloody DNS, it's always DNS, innit" or something silly like that); then they undo the alias so you succeed on the next try and suspect nothing</p>
]]></description><pubDate>Thu, 16 Apr 2026 20:33:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=47799134</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47799134</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47799134</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Perhaps one extra bit to add: you've mentioned consuming slots on the device - that's what happens if you generate a resident key. Those keys live on the device and can be used from any computer you plug them into, without having to retain/copy any files. A non-resident key, on the other hand, is derived from the master key on the device, and a "handle" that's stored as a file on your computer. You can have as many as you want, but if you lose either the file or the hardware device, they're gone.<p>(Others in the thread have confirmed that both resident and non-resident keys never leave the hardware. If you generate one that requires touch, they're fairly secure - you need physical presence and confirmation for every operation.)</p>
]]></description><pubDate>Thu, 16 Apr 2026 20:18:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=47798945</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47798945</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47798945</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Well I wasn't talking about ssh keys at all - that's where the misunderstanding comes from. I was simply trying to counter your claim that TPMs are never ever useful for individuals. They can be useful to individuals worried about having their boot tampered with.<p>I absolutely agree that they do zilch to protect your SSH keys. Hardware security keys that need physical confirmation of presence are much better for that use-case.</p>
]]></description><pubDate>Thu, 16 Apr 2026 18:43:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=47797716</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47797716</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47797716</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>I don't see how entering a passphrase into a compromised boot loader/kernel/initramfs is as safe as a measured boot with TPM providing the decryption key only if nothing seems to have been tampered with. Can you elaborate please?</p>
]]></description><pubDate>Thu, 16 Apr 2026 18:31:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47797548</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47797548</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47797548</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>I really don't think this is true for FIDO2 like Yubikey. My understanding is that your ssh client gets a challenge from the server, reads the key "handle" from the private key file, and sends both to Yubikey. The device then combines its master key with the handle to get the actual private key, signs the challenge, and gives the result back to your ssh client. At no point does the private key leave the Yubikey.<p>What am I missing?</p>
]]></description><pubDate>Thu, 16 Apr 2026 17:48:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796993</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796993</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796993</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Yeah but they already mentioned that they expect the attacker to hijack your ssh command so you'll touch it yourself, thinking you're authorizing something other than what you actually are.<p>It does mean that they can't use the key a thousand times. But once? Yeah sure.</p>
]]></description><pubDate>Thu, 16 Apr 2026 17:13:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796493</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796493</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796493</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Fair point. Ubuntu 18.04 won't support this. :-)</p>
]]></description><pubDate>Thu, 16 Apr 2026 17:10:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796442</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796442</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796442</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>TPMs can be useful to you as an individual if you're trying to protect against an evil maid attack. Although I think Linux isn't quite there yet with its support for it. The systemd folks are making progress though.</p>
]]></description><pubDate>Thu, 16 Apr 2026 16:51:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796168</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796168</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796168</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>They can use the key as long as they can access your computer, but they shouldn't be able to get the secret key out of the TPM or Yubikey and use it elsewhere while your computer is off. That's the main point of HSMs.</p>
]]></description><pubDate>Thu, 16 Apr 2026 16:46:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796096</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796096</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796096</guid></item><item><title><![CDATA[New comment by Liskni_si in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>It's also a bit outdated. OpenSSH supports FIDO2 natively, so all this gnupg stuff is unnecessary for ssh. One can even use yubikey-backed ssh keys for commit signing.<p>And the best thing is that you can create several different ssh keys this way, each with a different password, if that's something you prefer. Then you need to type the password _and_ touch the yubikey.</p>
]]></description><pubDate>Thu, 16 Apr 2026 16:41:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47796024</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47796024</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47796024</guid></item><item><title><![CDATA[New comment by Liskni_si in "The exponential curve behind open source backlogs"]]></title><description><![CDATA[
<p>Many of those are "Merge branch 'master' into armanc/subtitle-sync-refactor". Rebasing the PR on top of master would bring that down to like 15 or something.</p>
]]></description><pubDate>Tue, 14 Apr 2026 15:44:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=47767158</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47767158</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47767158</guid></item><item><title><![CDATA[New comment by Liskni_si in "GitHub Stacked PRs"]]></title><description><![CDATA[
<p>It's awesome that they're adding a UI for stacked branches¹! The UX of the CLI tool seems weird, though. Why do I need to explicitly create and add branches to the stack if all I really want is to open PRs from my commits? Here's the workflow that I built for myself instead:<p>∙ `git checkout -b feature-branch-xyz`<p>∙ make a few commits, perhaps some fixups, rebase, whatever<p>∙ start tig, look at the history, decide at which points I want to break the branch into stacked PRs, and mark those points using shift-s (which calls my own `git gh-stack branch create $commit` and creates a specially named branch there)<p>∙ `git gh-stack sync` — collects all the specially named branches, builds a graph of how they're stacked on one another, pushes them, opens stacked PRs<p>GitHub has had some "support" for stacked PRs for a while, so merging the first one to main will automatically change the target branch of the second to main.<p>If I need to change anything, I can just `git rebase --interactive --update-refs`, amend commits, split commits, rearrange commits, and then running `git gh-stack sync` will update the PRs for me. If I split a commit in the middle and shift-s to mark it, it will open an extra PR and restack everything to update the order.<p>Furthermore, the "PR stack" doesn't actually need to be a stack (linear chain), it can be a tree. If I know that some commits are independent of the rest, I don't need to create a separate stack, I just create another local branch, mark PR-ready commits with shift-s, and `git gh-stack sync` will do the right thing. If I need to rebase the whole tree on top of current main, then `git rebase -i --rebase-merges --update-refs` does the job.<p>I guess what I'm saying is that as someone who's been using git since its inception, it feels much more natural to just do everything in git, and then have a single command that pushes my work to GitHub. 
And I think this might work even better with jujutsu — just point `git gh-stack sync` at the branches jj makes and it'll make a stack/tree of PRs out of them. :-)<p><a href="https://github.com/liskin/dotfiles/blob/home/bin/git-gh-stack" rel="nofollow">https://github.com/liskin/dotfiles/blob/home/bin/git-gh-stac...</a> if anyone's curious. It's just a few hundred lines of code. Building the graph is done by `git log --simplify-by-decoration`. Opening PRs is shelled out to `gh pr create`.<p>¹) I mean, I'd much rather they added a UI for reviewing PRs commit-by-commit, with the option to approve/request-changes on each, and the possibility to merge the first few approved ones while continuing work on the rest… But in a world of almost every $dayjob insisting on squash-merging, a UI for stacked PRs is a total game changer, positively.</p>
]]></description><pubDate>Tue, 14 Apr 2026 14:14:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47765953</link><dc:creator>Liskni_si</dc:creator><comments>https://news.ycombinator.com/item?id=47765953</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47765953</guid></item></channel></rss>