<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: lukeschlather</title><link>https://news.ycombinator.com/user?id=lukeschlather</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 13 Apr 2026 21:52:28 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=lukeschlather" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by lukeschlather in "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate"]]></title><description><![CDATA[
<p>> Let me rephrase this, 17% of the most popular Rust packages contain code that virtually nobody knows what it does (I can't imagine about the long tail which receives less attention).<p>I dug into the linked article, and I would really say this means something closer to 17% of the most popular Rust package versions are either unbuildable or have some weird quirks that make building them not work the way you expect, and not in a remotely reproducible fashion.<p><a href="https://lawngno.me/blog/2024/06/10/divine-provenance.html" rel="nofollow">https://lawngno.me/blog/2024/06/10/divine-provenance.html</a><p>Pulling things into the standard lib is fine if you think everyone should stop using packages entirely, but that doesn't seem like it really does anything to solve the actual problem. There are a number of things it seems like we might be forced to adopt across the board very soon, and for Rust it seems tractable, but I shudder to think about doing it for messier languages like Ruby, Python, Perl, etc.<p>* Reproducible builds seems like the first thing.<p>* This means you can't pull in git submodules or anything from the Internet during your build.<p>* Specifically for the issues in this post, we're going to need proactive security scanners. One thing I could imagine is if a company funnels all their packages through a proxy, you could have a service that goes and attempts to rebuild the package from source, and flags differences. This requires the builds to be remotely reproducible.<p>* Maybe the latest LLMs like Claude Mythos are smart enough that you don't need reproducible builds, and you can ask some LLM agent workflow to review the discrepancies between the repo and the actual package version.</p>
]]></description><pubDate>Fri, 10 Apr 2026 17:09:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47721027</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47721027</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47721027</guid></item><item><title><![CDATA[New comment by lukeschlather in "Anthropic expands partnership with Google and Broadcom for next-gen compute"]]></title><description><![CDATA[
<p>Transformers operate on images and a variety of sensor data. They can also operate completely on non-textual inputs and outputs. I don't know what the ceiling on their capabilities is, but the complaint that they only operate on text seems just obviously wrong. There are numerous examples but one is meteorological forecasting which takes in a variety of time series sensor inputs and outputs e.g. time-series temperature maps. <a href="https://www.nature.com/articles/s41598-025-07897-4" rel="nofollow">https://www.nature.com/articles/s41598-025-07897-4</a></p>
]]></description><pubDate>Tue, 07 Apr 2026 01:14:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=47669542</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47669542</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47669542</guid></item><item><title><![CDATA[New comment by lukeschlather in "My Google Workspace account suspension"]]></title><description><![CDATA[
<p>> On Saturday, April 4, at 5:06 AM, I received a notification saying my authenticator had been removed. It hadn’t. The authenticator was still active on my phone - it was the recovery phone I had removed. Google apparently conflated the two.<p>This is a massive bug here. I was also surprised recently that Google won't let you enroll multiple Authenticators. If we had functional security regulations I think there would be some pretty large fines for Google's error here.</p>
]]></description><pubDate>Sun, 05 Apr 2026 16:21:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=47650953</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47650953</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47650953</guid></item><item><title><![CDATA[New comment by lukeschlather in "Axios compromised on NPM – Malicious versions drop remote access trojan"]]></title><description><![CDATA[
<p>I have never consciously wrapped Axios or fetch, but a cursory search suggests that there was a time when it was impossible for either to force TLS1.3. It's easy to imagine alternate implementations exist for frivolous reasons, but sometimes there are hard security or performance requirements that force you into them.</p>
]]></description><pubDate>Wed, 01 Apr 2026 15:08:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=47601944</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47601944</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47601944</guid></item><item><title><![CDATA[New comment by lukeschlather in "People inside Microsoft are fighting to drop mandatory Microsoft Account"]]></title><description><![CDATA[
<p>Do browsers and Electron apps magically take up less memory on Macs? What is "good enough?" I never notice problems on my 16GB Windows laptop, so just for fun I closed all of my 6 always-on Electron-type apps, all of the 10 browser windows I had open, a couple other ever-present apps, and it looks like without anything else Windows 10 takes about 4GB, which I think is in the same ballpark as OS X. And I probably have some stuff running that I didn't close, this is very unscientific.<p>Anecdotally also, my one laptop that I've upgraded to Windows 11 is a lot snappier. As a rule I haven't noticed memory pressure on any device I've owned ever as a "regular user," it only really applies to gaming and heavy development with lots of VMs, especially these days.</p>
]]></description><pubDate>Fri, 27 Mar 2026 18:40:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47546609</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47546609</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47546609</guid></item><item><title><![CDATA[New comment by lukeschlather in "Mayor of Paris removed parking spaces, reduced the number of cars"]]></title><description><![CDATA[
<p>That larger cars cause diminished throughput is pretty solidly demonstrated through a variety of modeling and real-world traffic analysis.<p><a href="https://www.researchgate.net/publication/365069344_How_the_rise_of_trucks_has_reduced_traffic_throughput" rel="nofollow">https://www.researchgate.net/publication/365069344_How_the_r...</a></p>
]]></description><pubDate>Sat, 21 Mar 2026 19:10:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47470231</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47470231</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47470231</guid></item><item><title><![CDATA[New comment by lukeschlather in "Mayor of Paris removed parking spaces, reduced the number of cars"]]></title><description><![CDATA[
<p>Throughput is directly proportional to the volume of cars, and SUVs have larger volume. Technically perhaps surface area, but there is a psychological effect to height. I believe people also give taller vehicles more space as a rule.</p>
]]></description><pubDate>Sat, 21 Mar 2026 15:49:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=47468106</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47468106</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47468106</guid></item><item><title><![CDATA[New comment by lukeschlather in "I love my dumb watches"]]></title><description><![CDATA[
<p>The heart-rate monitoring on my Garmin gives highly accurate tracking of calories burned, better than anything I could do by hand. Very valuable, I was able to lose 50 pounds and I was able to do minimal calorie counting. Basically I ate a very consistent weekly diet and used the watch to tell me if I had done enough exercise that I could eat something else. It's still very useful, I look at my calorie count regularly to guide how much extra to eat before and after activities.<p>I've also found some of the other ML-powered derived metrics surprisingly useful. There's a "training status" that has "productive/maintaining/strained/recovery/detraining." When I've got a bad cold/flu/covid type illness it often says "strained" which I can feel in my body but it's nice to have that objective external metric of "yes, your body is not working right and you should take it easy."<p>Similarly when I am working out it's nice to be able to look at my heart rate at a glance and know if I am over/under exerting myself.</p>
]]></description><pubDate>Fri, 20 Mar 2026 23:58:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=47462488</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47462488</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47462488</guid></item><item><title><![CDATA[New comment by lukeschlather in "Our commitment to Windows quality"]]></title><description><![CDATA[
<p>I actually think Gemini Pro is great and I don't have a problem paying for it, but I don't want its tendrils in Drive and Gmail or anywhere else, it actively damages the product experience there. Everywhere they've tried to integrate LLMs, it generally provides an experience that's inferior to just chatting with Gemini.<p>The closest to useful it's been is in the GCP console, but it seems to decide at random to forget context, and it might just be Gemini Flash with minimal thinking, which tends to mean it's just repeating things it's already said.</p>
]]></description><pubDate>Fri, 20 Mar 2026 22:16:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=47461433</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47461433</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47461433</guid></item><item><title><![CDATA[New comment by lukeschlather in "Google details new 24-hour process to sideload unverified Android apps"]]></title><description><![CDATA[
<p>F-Droid exists and they have a much better track record than Google. I'm not actually serious, I just think if there's a single app repo that should be allowed to install apps without a scary 24h verification cooldown, it's Google's proprietary closed-source app store that needs the scary process, not F-Droid.</p>
]]></description><pubDate>Thu, 19 Mar 2026 23:42:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47448093</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47448093</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47448093</guid></item><item><title><![CDATA[New comment by lukeschlather in "Google details new 24-hour process to sideload unverified Android apps"]]></title><description><![CDATA[
<p>All apps should be open source and subject to verification by nonprofit repositories like F-Droid which have scary warnings on software that does undesirable things. For-profit app stores like Google and Apple that allow closed-source software are too friendly to scams and malware.</p>
]]></description><pubDate>Thu, 19 Mar 2026 23:17:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=47447804</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47447804</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47447804</guid></item><item><title><![CDATA[New comment by lukeschlather in "Astral to Join OpenAI"]]></title><description><![CDATA[
<p>I feel like you're overstating the resources required by a couple orders of magnitude. You do need a GPU farm to do training, but probably only $100M, maybe $1B of GPUs. And yes, that's a lot of GPUs, but they will fit in a single datacenter, and even in dollar terms, there are many individual buildings in NYC that are cheaper.</p>
]]></description><pubDate>Thu, 19 Mar 2026 16:01:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=47441628</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47441628</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47441628</guid></item><item><title><![CDATA[New comment by lukeschlather in "FBI is buying location data to track US citizens, director confirms"]]></title><description><![CDATA[
<p>Good-faith is pretty narrow, mainly talking about emergencies where I implicitly could be said to have given consent, like when calling 911, or services that are close to 911 but privately administered.</p>
]]></description><pubDate>Thu, 19 Mar 2026 03:21:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=47434504</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47434504</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47434504</guid></item><item><title><![CDATA[New comment by lukeschlather in "FBI is buying location data to track US citizens, director confirms"]]></title><description><![CDATA[
<p>I'd really like to just have legislation to treat location data like audio or video under wiretapping provisions. If you collect my location info and convey it to a third party without my consent or a reasonable good-faith belief that I would consent, that ought to be treated similarly to recording without consent.<p>And consent needs to be granted explicitly for each party that might get access to my location, you can't just get blanket consent to sell my location to anyone, especially not with real-time identifiable location data.</p>
]]></description><pubDate>Wed, 18 Mar 2026 22:15:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47432078</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47432078</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47432078</guid></item><item><title><![CDATA[New comment by lukeschlather in "Allow me to get to know you, mistakes and all"]]></title><description><![CDATA[
<p>DeepL's next-gen translation model is LLM-based. LLMs are kind of translation models that have been generalized to serve other purposes. I think you're not wrong that there's still some value to older models, but if you actually care about translation quality you would use both. If you want to use the cheapest thing I don't think a dedicated translator like DeepL is going to be superior to the free tier of a frontier language model.</p>
]]></description><pubDate>Sun, 15 Mar 2026 19:42:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=47391102</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47391102</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47391102</guid></item><item><title><![CDATA[New comment by lukeschlather in "Montana passes Right to Compute act (2025)"]]></title><description><![CDATA[
<p>I was really hoping this gave people the right to use their computers, but it really looks like it simply prevents "the government" from regulating the right to "make use of computational resources." So Google or Apple can still prevent me from using my phone for lawful purposes, the government just can't regulate it (and the government might not be able to write restrictions that prevent manufacturers from violating my right to compute.)</p>
]]></description><pubDate>Sat, 14 Mar 2026 15:40:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47377778</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47377778</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47377778</guid></item><item><title><![CDATA[New comment by lukeschlather in "Global warming has accelerated significantly"]]></title><description><![CDATA[
<p>China has roughly .4 AC units per person while the USA has roughly 1 AC unit per person. You are simultaneously arguing everyone should have an AC, and that China should stop expanding their usage of AC.<p>I'd argue everyone should have an AC if they need one (probably China needs more than they have.) But we shouldn't build any more fossil fuel extraction, people who need AC should figure out how to do it with batteries and renewable energy. (Nuclear is fine, if it makes sense economically.) We don't need population control, we just need to add sufficiently large taxes on things we want less of. AC isn't a thing we want less of, it's carbon emissions.</p>
]]></description><pubDate>Fri, 06 Mar 2026 18:12:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47278773</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47278773</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47278773</guid></item><item><title><![CDATA[New comment by lukeschlather in "Workers who love ‘synergizing paradigms’ might be bad at their jobs"]]></title><description><![CDATA[
<p>You're confusing bullshit with jargon, which is something they talk about in the paper. The word synergize has a bad reputation, but its mere presence in a sentence is merely a signal, it doesn't mean the sentence is bullshit.<p>"We will actualize a renewed level of cradle-to-grave credentialing" is an example from the article - you can't actualize a level, you can't renew a level either. And "cradle-to-grave credentialing" is at best a bad way to describe some real concept. It's word-salad from start to finish. It's not coded language, it's bullshit.</p>
]]></description><pubDate>Fri, 06 Mar 2026 17:58:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=47278593</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47278593</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47278593</guid></item><item><title><![CDATA[New comment by lukeschlather in "US economy unexpectedly sheds 92k jobs in February"]]></title><description><![CDATA[
<p>Children have no frame of reference to understand when AI is totally making things up. 1:1 instruction is more valuable than ever to teach children to be critical and verify misinformation that AIs subtly interleave.</p>
]]></description><pubDate>Fri, 06 Mar 2026 17:27:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=47278126</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47278126</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47278126</guid></item><item><title><![CDATA[New comment by lukeschlather in "No right to relicense this project"]]></title><description><![CDATA[
<p>> If you wanna get your thing to rewrite curl or something, that's again really weird but fine, but just don't share it or try to make money off of it.<p>The whole point of the GPL is to encourage sharing! Making money off of GPL code is not encouraged by the text of the license, but it is encouraged by the people who wrote the licenses. Saying "don't share it" is antithetical to the goals of the free software movement.<p>I feel like everyone is getting distracted by protecting copyright, when in fact the point of the GPL is that we should all share and share alike. The GPL is a negotiation tactic, it is not an end unto itself. And curl, I might note, is permissively licensed so there's no need for a clean room reimplementation. If someone's rewriting it I'm very interested to hear why and I hope they share their work. I'm mostly indifferent to how they license it.</p>
]]></description><pubDate>Thu, 05 Mar 2026 20:56:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=47267167</link><dc:creator>lukeschlather</dc:creator><comments>https://news.ycombinator.com/item?id=47267167</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47267167</guid></item></channel></rss>