Hacker News: anderskaseorg

New comment by anderskaseorg in "Show HN: A game where you build a GPU"

anderskaseorg — Sat, 04 Apr 2026 19:46:13 +0000

The “next level” button takes you to the next level even if you haven’t solved that level’s prerequisites.

New comment by anderskaseorg in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

anderskaseorg — Tue, 31 Mar 2026 06:48:48 +0000

Right, the public was able to spend manual effort hand-auditing one specific tarball after it had already been singled out as suspicious for other reasons. In order for verification to effectively increase supply chain security, it needs to become uniformly standardized, fully automated, and ubiquitous. That’s the ultimate goal of the provenance attestation mechanisms that would be defeated by indirection through private repositories.

If you want to require extra maintainer intervention for releases, there are better mechanisms available for that, such as workflow_dispatch.

New comment by anderskaseorg in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

anderskaseorg — Sun, 29 Mar 2026 19:48:44 +0000

The maintainer can verify the correspondence between source and release, but the public has been deprived of this verifiability.

This matters. Consider the XZ Utils compromise where a malicious maintainer hid the line that triggers compilation of the (otherwise dormant) backdoor payload in a generated file present only in the release tarball: https://www.openwall.com/lists/oss-security/2024/03/29/4. If the public had the ability to audit that the release tarball was correctly built from the version-controlled code, this would have been much more difficult to hide.

New comment by anderskaseorg in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

anderskaseorg — Tue, 24 Mar 2026 17:12:38 +0000

The point of trusted publishing is supposed to be that the public can verifiably audit the exact source from which the published artifacts were generated. Breaking that chain via a private repo is a step backwards.

https://docs.npmjs.com/generating-provenance-statements

https://packaging.python.org/en/latest/specifications/index-...

New comment by anderskaseorg in "Subsecond: A runtime hotpatching engine for Rust hot-reloading"

anderskaseorg — Wed, 25 Jun 2025 02:48:38 +0000

There is a well-defined reload point—it’s the `subsecond::call` wrapper around `tick()`. But the hypothetical design that you seem to have in mind where this doesn’t exist would not have a well-defined reload point, so it would need to be able to preempt your program anywhere.

Layout changes are supported for structs that don’t persist across the well-defined reload point.

New comment by anderskaseorg in "uv: An extremely fast Python package and project manager, written in Rust"

anderskaseorg — Mon, 23 Jun 2025 22:14:05 +0000

Yes, uv has a standard permissive open source license (Apache-2.0 OR MIT): https://github.com/astral-sh/uv/?tab=readme-ov-file#license

New comment by anderskaseorg in "Rust's Sneaky Deadlock With `if let` Blocks"

anderskaseorg — Wed, 13 Nov 2024 02:20:09 +0000

Of course (but that’s not relevant to the original scenario, where the programmer is hypothetically not aware that the read lock is still being held, let alone that they could manually upgrade it after changing to a different lock library).

New comment by anderskaseorg in "Rust's Sneaky Deadlock With `if let` Blocks"

anderskaseorg — Wed, 13 Nov 2024 01:38:14 +0000

Yes, allowing this to execute would be very unsound:

    let lock = RwLock::new(Box::new(111));
    let r: &i32 = &**lock.read().unwrap(); // points to 111
    *lock.write().unwrap() = Box::new(222); // allocates a new Box and deallocates 111
    println!("{}", *r); // use after free

New comment by anderskaseorg in "Rust's Sneaky Deadlock With `if let` Blocks"

anderskaseorg — Wed, 13 Nov 2024 01:00:17 +0000

Clippy already has an error for this pattern with Mutex. It should be trivial to extend it to cover RwLock.

    error: calling `Mutex::lock` inside the scope of another `Mutex::lock` causes a deadlock
      --> src/main.rs:5:5
       |
    5  |       if let Some(num) = *map.lock().unwrap() {
       |       ^                   --- this Mutex will remain locked for the entire `if let`-block...
       |  _____|
       | |
    6  | |         eprintln!("There's a number in there: {num}");
    7  | |     } else {
    8  | |         let mut lock2 = map.lock().unwrap();
       | |                         --- ... and is tried to lock again here, which will always deadlock.
    9  | |         *lock2 = Some(5);
    10 | |         eprintln!("There will now be a number {lock2:?}");
    11 | |     }
       | |_____^
       |
       = help: move the lock call outside of the `if let ...` expression
       = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#if_let_mutex
       = note: `#[deny(clippy::if_let_mutex)]` on by default

New comment by anderskaseorg in "An illustrated proof of the CAP theorem (2018)"

anderskaseorg — Tue, 08 Oct 2024 02:11:28 +0000

There are plenty of systems that sacrifice consistency even while the network is fully connected, in the name of performance—for example, DNS, or any system with a caching proxy server.

New comment by anderskaseorg in "An illustrated proof of the CAP theorem (2018)"

anderskaseorg — Tue, 08 Oct 2024 02:04:14 +0000

You’re certainly allowed to make the client a more active participant in your consensus protocol, but then it needs to play by the same rules if you want the system to have guarantees. For example, you need to handle network partitions between clients and some servers, and you need to be able to reconcile multiple reads from servers that might have seen different sets of writes. The CAP theorem still applies to the system as a whole.

New comment by anderskaseorg in "Rewrite cname uncloaking code to account for new ipaddress= option"

anderskaseorg — Mon, 07 Oct 2024 22:27:26 +0000

They’re doing a slow phase-out over a long time to try to avert a wave of bad publicity that threatens their browser monopoly, but that timeline has already started as of June.

https://developer.chrome.com/docs/extensions/develop/migrate...

https://www.bleepingcomputer.com/news/google/google-chrome-w...

New comment by anderskaseorg in "Bootstrappable Builds"

anderskaseorg — Tue, 27 Aug 2024 16:46:28 +0000

The mechanism is a clever application of quines (self-reproducing programs), first explained in the classic lecture “Reflections on Trusting Trust” by Ken Thompson:

https://dl.acm.org/doi/pdf/10.1145/358198.358210

Russ Cox obtained the actual code for Thompson’s compiler backdoor and presented it here:

https://research.swtch.com/nih

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Wed, 14 Aug 2024 00:46:43 +0000

When the term “undefined behavior” appears within the C standard, yes, that’s what it means. There is no way for another document to alter the meaning of “undefined behavior” as it appears within the C standard.

When the term “undefined behavior” appears in different context, we use our writing and reading comprehension skills to agree on what it means. If we’re programming in standard C, it refers to one class of behavior. If we’re programming in POSIX C, it refers to a smaller class of behavior (even according to the C standards committee: see the usage of “otherwise undefined behavior” in N2464). If we’re programming in Rust, it refers to a completely different class of behavior.

From my very first message, I did my part by providing the context explicitly: “undefined behavior in the Rust and LLVM memory model”. You complained that it’s nonsense to talk about “undefined behavior” in any context other than the C standard, but I provided references showing that it’s not. Yet you persist in intentionally misinterpreting what I wrote in order to accuse me of gaslighting. Does that make you feel superior?

New comment by anderskaseorg in ".INTERNAL is now reserved for private-use applications"

anderskaseorg — Sat, 10 Aug 2024 00:40:08 +0000

The jurisdictional status of .local and other standards-reserved special use domains is explained by RFC 6761 section 3:

https://datatracker.ietf.org/doc/html/rfc6761#section-3

And ICANN is bound by the IETF/ICANN Memorandum of Understanding Concerning the Technical Work of the IANA, which prevents it from usurping that jurisdiction:

https://www.icann.org/resources/pages/agreements-en

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Tue, 06 Aug 2024 00:12:17 +0000

If a program’s behavior is undefined in one specification and defined in a second, then insofar as both specifications apply to it, that is defined behavior, not undefined behavior. That’s not an obscure property of terms of art and specific formal definitions about which I need to be educated, it’s just basic logic about which we obviously agree. The conclusion would be the same if one specification explicitly said “this may return an empty allocation or NULL or format your hard drive” and a second specification said “this will return an empty allocation or NULL”; the conjunction of those two specifications entails that it will not format your hard drive.

There’s nothing wrong or misleading in what I wrote. If, hypothetically, there were a second specification that constrained the Rust compiler’s translation of programs that over-read memory, then it would have been wrong to write that over-reading memory in Rust is undefined behavior, and misleading to suggest that a statement about “any undefined behavior” is applicable to it. But there is no such second specification (as confirmed by comments on the issue I linked from RalfJung, whose formal specification hat is much pointier than either of ours), and you aren’t even disputing that. Instead, you have deliberately misapplied a statement about “any undefined behavior” to other unrelated behavior that is in fact defined, in order to construct a pretense for calling someone else dishonest. Find better hobbies.

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Tue, 30 Jul 2024 01:03:30 +0000

It seems like you think I’m saying that all compilers are required to recognize all forms of UB and format your hard drive. Of course not; some UB in one specification may be defined in another more restrictive spec, some UB may be defined by compiler flags like -fwrapv, some UB might be detected and converted to a compile-time or runtime error, and some UB might happen to behave like you expect because your compiler didn’t implement certain optimizations yet or you just got lucky.

It sounds like you agree that programmers should avoid relying on luck for UB safety. If you have a way to prove that this UB is actually safe and not just lucky, feel free to present it. Until then, I stand by everything I’ve said.

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Mon, 29 Jul 2024 23:41:37 +0000

You may not like it, and it’s within your rights not to like it, but the reality is that compilers do treat UB this way, and it’s not “grossly dishonest FUD” to point out that this is the reality. Here’s a test case demonstrating that UB can actually format your hard drive: https://bugs.llvm.org/show_bug.cgi?id=49599.

Note that one of the differences between C and Rust is that integer overflow is not UB in Rust (it panics in debug mode and wraps in release mode: https://doc.rust-lang.org/book/ch03-02-data-types.html#integ...). But there are other sources of UB in unsafe Rust, such reads through a pointer not allowed by the memory model.

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Mon, 29 Jul 2024 16:55:30 +0000

Both (unsafe) Rust and LLVM have their own concepts of undefined behavior (https://doc.rust-lang.org/reference/behavior-considered-unde..., https://llvm.org/docs/LangRef.html#undefined-values), and while some of the details vary by language, compilers for all of these languages do in fact optimize based on the assumption that undefined behavior is not invoked in the abstract execution model. This is a real thing (https://blog.llvm.org/2011/05/what-every-c-programmer-should..., https://highassurance.rs/chp3/undef.html), and any debate about whether it’s “justified” is many decades late and entirely academic (but we don’t have any other methodology for building optimizers of the quality that programmers expect from compiled languages).

New comment by anderskaseorg in "tolower() with AVX-512"

anderskaseorg — Mon, 29 Jul 2024 04:15:53 +0000

Note that the “unsafe read beyond of death” trick is considered undefined behavior in the Rust and LLVM memory model, even if it’s allowed by the underlying hardware. Like any undefined behavior, compilers are allowed to assume it doesn’t happen for the purpose of optimization, leading to results you don’t expect. The only way around this is to use inline assembly.

https://github.com/ogxd/gxhash/issues/82