Hacker News: jorams

New comment by jorams in "PHP's Oddities"

jorams — Sun, 24 May 2026 13:39:08 +0000

Something you'll see in real codebases is code that cares whether an input value is "empty", but it doesn't matter if it's null or an empty string. It's very easy to go for this:

    if ($input) {}

It'll work through every test case you try, and then someone enters a 0 into the field and it's also unexpectedly considered empty.

New comment by jorams in "Leaving GitHub for Forgejo"

jorams — Thu, 14 May 2026 08:56:32 +0000

You didn't mention private repos in your comment, but I guess that was implied in the $7 thing.

That said: SourceHut has private repos and access control.

New comment by jorams in "Bun's experimental Rust rewrite hits 99.8% test compatibility on Linux x64 glibc"

jorams — Sun, 10 May 2026 13:26:31 +0000

This is at least partially disingenuous. Zig is working on, and has already shipped for some situations, a faster compiler. Bun runs on an outdated version of Zig that doesn't include it.

New comment by jorams in "Debian must ship reproducible packages"

jorams — Sun, 10 May 2026 11:52:07 +0000

Reproducible builds exist to reduce the need for trust, while commercial vendors are in the business of selling trust.

New comment by jorams in "I’ve banned query strings"

jorams — Sun, 10 May 2026 10:49:29 +0000

This is because of a deeply annoying default in Apache, where for "security reasons" the underlying script doesn't get to see auth details that might already be handled by Apache. At some point they added the CGIPassAuth directive[1] but all kinds of other workarounds are floating around on the internet.

[1]: https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassau...

New comment by jorams in "I’ve banned query strings"

jorams — Sat, 09 May 2026 18:33:27 +0000

The website uses the feature for its intended purpose. Adding random trash to the query string of another website assuming it'll ignore it is in fact a bad idea, always, even if you can usually get away with it.

New comment by jorams in "Removable batteries in smartphones will be mandatory in the EU starting in 2027"

jorams — Mon, 04 May 2026 17:31:09 +0000

The batteries regulation[1] doesn't contain such an exemption. The legal argument that iPhones may be exempt goes like this:

- The batteries regulation is a general regulation and article 11 specifically says the following:

> This paragraph shall be without prejudice to any specific provisions ensuring a higher level of protection of the environment and human health relating to the removability and replaceability of portable batteries by end-users laid down in any Union law on electrical and electronic equipment as defined in Article 3(1), point (a), of Directive 2012/19/EU.

- There is a different regulation, the ecodesign regulation for smartphones and tablets[2], that is more specific and therefore might supersede the batteries regulation on this front, which says:

> (ii) manufacturers, importers or authorised representatives may provide the battery or batteries referred to in point (i)(a) only to professional repairers if manufacturers, importers or authorised representatives ensure that the following requirements are met:

> (a) after 500 full charge cycles the battery has, in a fully charged state, a remaining capacity of at least 83 % of the rated capacity;

> (b) the battery endurance in cycles achieves a minimum of 1 000 full charge cycles and after 1 000 full charge cycles the battery has, in a fully charged state, a remaining capacity of at least 80 % of the rated capacity;

> (c) the device meets IP67 rating.

[1]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

New comment by jorams in "Removable batteries in smartphones will be mandatory in the EU starting in 2027"

jorams — Mon, 04 May 2026 17:08:23 +0000

A recall means the manufacturer shipped a faulty product. If you can prove you received a faulty product such requirements also don't apply.

New comment by jorams in "Removable batteries in smartphones will be mandatory in the EU starting in 2027"

jorams — Mon, 04 May 2026 16:19:34 +0000

> I am not allowed to replace it on my own as it would invalidate the five year long guarantee provided by the manufacturer. Why is this stuff not considered as well?

They're the ones paying for repairs, so it doesn't seem that unreasonable? That said: If you can prove the car is being maintained according to the manufacturer's specifications they can't require you to go to a brand dealership. That's just not necessarily easy to prove.

New comment by jorams in "Care homes and hotels in Japan shut as expansion strategy unravels"

jorams — Sun, 03 May 2026 07:35:36 +0000

> facilities were purchased for between 1 million yen and 5 million yen and resold to Chinese buyers for between 40 million yen and as much as 100 million yen depending on location

Those prices seem weird. They were buying entire care homes and hotels for less than the price of a car? I understand they come with obligations, but these businesses were apparently financially ok before the acquisition.

New comment by jorams in "Roblox shares plummet 18% as child safety measures weigh on bookings"

jorams — Sat, 02 May 2026 23:28:14 +0000

And I assume this[1] is the reference to Backblaze? Notably not Hindenburg and more recent, but I believe there is some team overlap and there doesn't seem to be anything else.

[1]: https://www.morpheus-research.com/backblaze/

New comment by jorams in "Mozilla's opposition to Chrome's Prompt API"

jorams — Fri, 01 May 2026 02:19:11 +0000

> So it's very unlikely we'll see developers build sites that are gated on this API existing.

I think this is an oddly optimistic outlook from someone who until recently worked at Google. A company that has shipped, and probably still ships, lots of sites and versions of sites gated behind "does your user agent say it is Chrome".

New comment by jorams in "Carrot Disclosure: Forgejo"

jorams — Wed, 29 Apr 2026 00:25:54 +0000

> It sounds like it has some security vulnerabilities that the maintainers aren't taking seriously

It may, and they may or may not, but the author hasn't actually reported any. They're explicitly ignoring the security policy and vagueposting instead.

New comment by jorams in "Carrot Disclosure: Forgejo"

jorams — Wed, 29 Apr 2026 00:12:29 +0000

This is a weird post to be honest. You've found a whole bunch of serious security issues, filed two PRs, one of which is adding some quotes because

> Those aren't exploitable XSS, but it doesn't hurt to have a second layer of defense.

The other suggests breaking clients that aren't using the more secure version of an OAuth method because

> I can't think of any OAuth client that would like to [use it]

That second one is a good idea, but the maintainer is also right to ask for some discussion before introducing a breaking change.

But crucially: neither of these are the kind of significant security issues you've found. Maybe lead with an actual bug?

New comment by jorams in "Anthropic Joins the Blender Development Fund as Corporate Patron"

jorams — Tue, 28 Apr 2026 16:37:38 +0000

What it means is here[1]. Anthropic is paying €240k a year and in return they get some marketing in the form of a press release and a website mention, as well as someone to talk to.

[1]: https://fund.blender.org/corporate-memberships/

New comment by jorams in "Anna's Archive loses $322M Spotify piracy case without a fight"

jorams — Wed, 15 Apr 2026 21:57:26 +0000

I see your point for most of these but why rutracker? It is entirely in Russian.

New comment by jorams in "GitHub Stacked PRs"

jorams — Tue, 14 Apr 2026 05:52:34 +0000

So far you've only gotten responses to "how can a worse product win?", and they are valid, but honestly the problem here is that Mercurial is not a better product in at least one very important way: branches.

You can visit any resource about git and branches will have a prominent role. Git is very good at branches. Mercurial fans will counter by explaining one of the several different branching options it has available and how it is better than the one git has. They may very well be right. It also doesn't matter, because the fact that there's a discussion about what branching method to use really just means Mercurial doesn't solve branches. For close to 20 years the Mercurial website contained a guide that explained only how to have "branches" by having multiple copies of the repository on your system. It looks like the website has now been updated: it doesn't have any explanation about branches at all that I can find. Instead it links to several different external resources that don't focus on branches either. One of them mentions "topic", introduced in 2015. Maybe that's the answer to Git's branching model. I don't care enough to look into it. By 2015 Git had long since won.

Mercurial is a cool toolbox of stuff. Some of them are almost certainly better than git. It's not a better product.

New comment by jorams in "Ripgrep is faster than grep, ag, git grep, ucg, pt, sift (2016)"

jorams — Tue, 24 Mar 2026 19:14:10 +0000

--no-ignore-vcs

Or some combination of --no-ignore (or -u/--unrestricted) with --ignore-file or --glob.

New comment by jorams in "Have a fucking website"

jorams — Wed, 18 Mar 2026 08:50:15 +0000

Literally type "webhosting" into a search engine and every single provider that comes up will do that all-in-one. They'll also throw in a database and PHP, probably with an automatic installer for things like WordPress. There's a good chance your registrar will even try to upsell you the whole package.

These things are not the hard part.

New comment by jorams in "Bucketsquatting is finally dead"

jorams — Fri, 13 Mar 2026 22:23:03 +0000

Small correction: .nl is a ccTLD, or country code TLD. Not a gTLD, or generic TLD.