Hacker News: kpcyrd

New comment by kpcyrd in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"

kpcyrd — Sun, 12 Apr 2026 13:04:55 +0000

You don't need vendoring for this, Cargo.lock already gives you locked-dependencies until you run `cargo update`. There is an ongoing RFC to support having cargo intentionally only use library versions that are least X days old:

https://github.com/rust-lang/rfcs/pull/3923

New comment by kpcyrd in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"

kpcyrd — Sun, 12 Apr 2026 13:00:22 +0000

The repository suddenly contains thousands of files that I need to worry about. With regular locked-dependencies (but non-vendored) like Cargo.lock does, I have them contained in archives with well-known hashes that other people have also looked at.

If I have to manually match the content of the vendor/ folder with the contents of the Cargo.lock referenced source code anyway, I could just use Cargo.lock directly without having to concern myself with the thousands of files in your vendor/ folder.

New comment by kpcyrd in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"

kpcyrd — Sun, 12 Apr 2026 12:55:09 +0000

You are getting distracted by domain names, your Cargo.lock files already cryptographically address the source code. Either make sure all your Cargo.lock files contain no known-bad hashes, or make sure all your Cargo.lock files contain only known-good hashes. Maybe also mirror the .crate files for the absolute worst case scenario of crates.io going offline.

New comment by kpcyrd in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"

kpcyrd — Sun, 12 Apr 2026 12:48:16 +0000

1) This is only relevant for rustup.rs, most Rust source code is coming from crates.io 2) Most projects have a Cargo.lock that contain sha256 checksums of the source code. You can still announce new versions of everything and hope people pull them in through `cargo update`, but you are not going to get anywhere close to "all Rust users".

New comment by kpcyrd in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"

kpcyrd — Sun, 12 Apr 2026 12:34:56 +0000

crates.io _is_ the source code repository (: It's explicitly the source of truth that cargo-crev and cargo-vet reviews are based on, linking it to a git repository first is not a substitute for reading the source code.

New comment by kpcyrd in "Employers use your personal data to figure out the lowest salary you'll accept"

kpcyrd — Mon, 06 Apr 2026 13:15:52 +0000

This is "only" used for loans and renting, the German government is never going to query the score this company has assigned you. Social services are never impacted.

Equifax on the other hand claims:

> Social Services - When government agencies can't verify your information, you may have to wait longer to start receiving benefits.

New comment by kpcyrd in "Blocking Internet Archive Won't Stop AI, but Will Erase Web's Historical Record"

kpcyrd — Sat, 21 Mar 2026 12:52:44 +0000

You don't think non-consensually revealing somebody's identity is a problem?

Resorting to DDoS is not pretty, but "why is my violent behavior met with violence" is a little oblivious and reversal of victim and perpetrator roles.

New comment by kpcyrd in "Astral to Join OpenAI"

kpcyrd — Fri, 20 Mar 2026 01:36:17 +0000

I stopped programming in python about 8-9 years ago because the tooling was so bad.

New comment by kpcyrd in "Astral to Join OpenAI"

kpcyrd — Fri, 20 Mar 2026 01:23:08 +0000

Step 1: discontinue the public repository, step 2: sell access to your GPL codebase.

The GPL (and even the AGPL) doesn't require you to make your modified source code publicly available (Debian explicitly considers licenses with this requirement non-free). The GPL only states you need to provide your customers with source code.

New comment by kpcyrd in "Astral to Join OpenAI"

kpcyrd — Fri, 20 Mar 2026 01:09:25 +0000

I think this was more about "please choose _any_ license" because of the problem outlined here:

https://opensource.stackexchange.com/questions/1150/is-my-co...

New comment by kpcyrd in "Malus – Clean Room as a Service"

kpcyrd — Thu, 12 Mar 2026 17:30:12 +0000

I feel like this is related to these issues (with somebody attempting this approach for real):

https://github.com/chardet/chardet/issues/327

https://github.com/chardet/chardet/issues/331

New comment by kpcyrd in "Making WebAssembly a first-class language on the Web"

kpcyrd — Wed, 11 Mar 2026 22:50:39 +0000

Many of the anti-debugging techniques for desktop binaries do not work on WebAssembly: it can't jump to an address, it can't read the instruction pointer, it can't read/access it's own machine code, ...

New comment by kpcyrd in "Making WebAssembly a first-class language on the Web"

kpcyrd — Wed, 11 Mar 2026 22:46:32 +0000

Obfuscated javascript could still import a WebAssembly polyfill, if there really was any advantage in doing so: https://github.com/evanw/polywasm

Since WebAssembly instructions are much easier to reason about, you could probably auto-optimize away a lot of the obfuscation, like "this is a silly way to do X, so we can just do X directly".

New comment by kpcyrd in "Making WebAssembly a first-class language on the Web"

kpcyrd — Wed, 11 Mar 2026 22:21:58 +0000

It's mostly Rust compiled to wasm binaries. There's also TinyGo and you could use C/C++ as well, but those 3 are a lot less common as far as I can tell.

New comment by kpcyrd in "Redox OS has adopted a Certificate of Origin policy and a strict no-LLM policy"

kpcyrd — Tue, 10 Mar 2026 12:54:35 +0000

Your open source experience is very different from my open source experience.

New comment by kpcyrd in "PCB devboard the size of a USB-C plug"

kpcyrd — Mon, 09 Mar 2026 13:33:32 +0000

Running Rust on them worked well for me: https://github.com/kpcyrd/ch32v003-demo

I had to put in more effort regarding RAM use and flash size, but I managed to fit a game into the 16kb limit regardless: https://github.com/kpcyrd/game-streetcat2026

New comment by kpcyrd in "My “grand vision” for Rust"

kpcyrd — Mon, 09 Mar 2026 13:19:28 +0000

I just want to be able to call Default::default() from within const {}

New comment by kpcyrd in "100M-Row Challenge with PHP"

kpcyrd — Wed, 25 Feb 2026 16:16:49 +0000

The time you lose at the syscall boundary you may be able to win back during much shorter GC pauses.

New comment by kpcyrd in "Gentoo on Codeberg"

kpcyrd — Wed, 25 Feb 2026 14:40:04 +0000

Security, sha1 was deprecated in 2011 by NIST due to security concerns, and browsers reject sha1 certificates as invalid since 2017.

Yet programmers in 2026 for some reason are still using it when signing their git tags and commits. Unless they are using a sha256 git repository.

New comment by kpcyrd in "100M-Row Challenge with PHP"

kpcyrd — Wed, 25 Feb 2026 14:18:37 +0000

What about using the filesystem as an optimized dict implementation?