Hacker News: lukax

New comment by lukax in "Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them"

lukax — Mon, 13 Apr 2026 19:43:05 +0000

Do you really need to roll your own NIO HTTP server? You could just use Jetty with virtual threads (still uses NIO under the hood though) and enjoy the synchronous code style (same as Go)

New comment by lukax in "Someone bought 30 WordPress plugins and planted a backdoor in all of them"

lukax — Mon, 13 Apr 2026 19:36:33 +0000

Rust wasm ecosystem also needs a lot of crates to do anything useful, a lot of them unmaintained.

New comment by lukax in "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"

lukax — Tue, 07 Apr 2026 06:16:58 +0000

Combine that with CVE-2025-24010 and any website was able to read any file on developers' computers.

https://github.com/advisories/GHSA-vg6x-rcgg-rjx6

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

lukax — Tue, 07 Apr 2026 06:16:58 +0000

Article URL: https://github.com/advisories/GHSA-p9ff-h696-f583

Comments URL: https://news.ycombinator.com/item?id=47671334

Points: 2

# Comments: 1

New comment by lukax in "WSL Manager"

lukax — Sun, 08 Mar 2026 19:07:34 +0000

Looks nice but still a bit sad that Flutter is used instead of something native given that they don't need the app to be cross-platform.

Well, even Microsoft uses React Native for a lot of Windows-only apps.

New comment by lukax in "Show HN: I built a sub-500ms latency voice agent from scratch"

lukax — Mon, 02 Mar 2026 22:37:11 +0000

Sorry, I commented too soon. Did you also try Soniox? Why did you decide to use Deepgram's Flux (English only)?

New comment by lukax in "Show HN: I built a sub-500ms latency voice agent from scratch"

lukax — Mon, 02 Mar 2026 22:25:12 +0000

Or you could use Soniox Real-time (supports 60 languages) which natively supports endpoint detection - the model is trained to figure out when a user's turn ended. This always works better than VAD.

https://soniox.com/docs/stt/rt/endpoint-detection

Soniox also wins the independent benchmarks done by Daily, the company behind Pipecat.

https://www.daily.co/blog/benchmarking-stt-for-voice-agents/

You can try a demo on the home page:

https://soniox.com/

Disclaimer: I used to work for Soniox

Edit: I commented too soon. I only saw VAD and immediately thought of Soniox which was the first service to implement real time endpoint detection last year.

New comment by lukax in "Web Components: The Framework-Free Renaissance"

lukax — Fri, 20 Feb 2026 12:19:33 +0000

Wow, XSS just waiting to happen.

  ${this.getAttribute('title')}

New comment by lukax in "Audio is the one area small labs are winning"

lukax — Mon, 16 Feb 2026 09:51:26 +0000

Never any mention of Soniox and they are on the Pareto frontier[1]

https://www.daily.co/blog/benchmarking-stt-for-voice-agents/

New comment by lukax in "Soniox: Real-time transcription in 60 languages"

lukax — Wed, 04 Feb 2026 21:18:28 +0000

Also see how it compares to other providers:

https://soniox.com/compare

Soniox: Real-time transcription in 60 languages

lukax — Wed, 04 Feb 2026 21:17:26 +0000

Article URL: https://soniox.com/

Comments URL: https://news.ycombinator.com/item?id=46891922

Points: 2

# Comments: 1

New comment by lukax in "Nano-vLLM: How a vLLM-style inference engine works"

lukax — Mon, 02 Feb 2026 14:56:43 +0000

Not really in the PagedAttention kernels. Paged attention was integrated into FlashAttention so that FlashAttention kernels can be used both for prefill and decoding with paged KV. The only paged attention specific kernels are for copying KV blocks (device to device, device to host and host to device). At least for FA2 and FA3, vLLM maintained a fork of FA with paged attention patches.

New comment by lukax in "Another user's pCloud setup is visible in my pcloud drive"

lukax — Fri, 30 Jan 2026 08:16:10 +0000

pCloud has been leaking files between users

https://www.reddit.com/r/pcloud/comments/1qhpr4k/vault_got_a...

https://www.reddit.com/r/pcloud/comments/1qhibbe/pcloud_sudd...

https://www.reddit.com/r/pcloud/comments/1qhxuco/followup_to...

https://www.reddit.com/r/pcloud/comments/1qhibbe/comment/o18...

Another user's pCloud setup is visible in my pcloud drive

lukax — Fri, 30 Jan 2026 08:16:10 +0000

Article URL: https://old.reddit.com/r/pcloud/comments/1qqrcza/another_users_pcloud_setup_is_visible_in_my/

Comments URL: https://news.ycombinator.com/item?id=46821817

Points: 12

# Comments: 3

New comment by lukax in "Vibecoding #2"

lukax — Wed, 21 Jan 2026 13:41:08 +0000

Maybe AWS ParallelCluster which is a managed SLURM on AWS.

Gemini CLI bot infinite loop

lukax — Fri, 16 Jan 2026 14:25:19 +0000

Article URL: https://github.com/google-gemini/gemini-cli/issues/16723

Comments URL: https://news.ycombinator.com/item?id=46646642

Points: 3

# Comments: 0

New comment by lukax in "CVEs affecting the Svelte ecosystem"

lukax — Thu, 15 Jan 2026 21:06:12 +0000

It's not that simple to safely parse HTTP request form. Just look at Go security releases related to form parsing (a new fix released just today).

https://groups.google.com/g/golang-announce/search?q=form

5 fixes in 2 years related to HTTP form (url-encoded and multipart).

- Go 1.20.1 / 1.19.6: Multipart form parsing could consume excessive memory and disk (unbounded memory accounting and unlimited temp files)

- Go 1.20.3 / 1.19.8: Multipart form parsing could cause CPU and memory DoS due to undercounted memory usage and excessive allocations

- Go 1.20.3 / 1.19.8: HTTP and MIME header parsing could allocate far more memory than required from small inputs

- Go 1.22.1 / 1.21.8: Request.ParseMultipartForm did not properly limit memory usage when reading very long form lines, enabling memory exhaustion.

- Go 1.25.6 / 1.24.12: Request.ParseForm (URL-encoded forms) could allocate excessive memory when given very large numbers of key-value pairs.

Probably every HTTP server implementation in every language has similar vulnerabilities. And these are logic errors, not even memory safety bugs.

New comment by lukax in "Locating a Photo of a Vehicle in 30 Seconds with GeoSpy"

lukax — Tue, 06 Jan 2026 19:43:03 +0000

You can buy a totaled car for cheap and use its VIN.

New comment by lukax in "VSCode rebrands as "The open source AI code editor""

lukax — Sat, 27 Dec 2025 17:40:11 +0000

I guess there's a lot of pressure from Cursor and Google's Antigravity. Also with Zed you can bring your own API key which VS Code didn't support for a long time.

New comment by lukax in "I program on the subway"

lukax — Mon, 22 Dec 2025 20:18:12 +0000

17 years ago I went to a summer vacation with my family (still a teenager). That meant 10 days without any internet connectivity. I just got my first laptop and I was allowed to take it with me. I was reverse engineering MSN Messenger's user to user and profile picture exchange protocol from TCP dumps. MSN Messenger did not use any encryption. Before I went to the vacation I recorded a bunch of sessions with Wireshark (maybe it was still Ethereal back then). Then for 10 days I was just trying to figure out from the dumps how the binary protocol worked and was writing the code without any way to test it. When I came back I just had to fix some minor bugs and it worked. Fun times.