<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: mattstir</title><link>https://news.ycombinator.com/user?id=mattstir</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 07 Jul 2026 01:44:49 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=mattstir" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by mattstir in "Show HN: GolemUI – Declarative Form Engine"]]></title><description><![CDATA[
<p>Just wanted to say I'm impressed with the speed of progress! There's clearly a lot of passion being poured into the project, and I appreciate that folks are responding really quickly to things. It looks like you've already fixed most/all of the things I noticed, and added Firefox to the test suite[0]. Nice!<p>[0] <a href="https://github.com/golemui/golemui/pull/215" rel="nofollow">https://github.com/golemui/golemui/pull/215</a></p>
]]></description><pubDate>Fri, 03 Jul 2026 12:34:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=48774254</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48774254</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48774254</guid></item><item><title><![CDATA[New comment by mattstir in "Show HN: GolemUI – Declarative Form Engine"]]></title><description><![CDATA[
<p>How much of this is vibe coded? The widget demos about halfway down seem half-baked; the currency input allows letters and letter inputs visually disappear when you unfocus it. The calendar input appears to select the day before the one I clicked. The markdown editor places hashes after the text on the current line rather than making the current line a header. The dropdown search doesn't seem to work (typing "R" shows React and AngulaR, but typing "Re" doesn't show any options).<p>All of those are fixable of course, and the idea is neat! It's just a bit of a rough showcase, at least on Firefox.</p>
]]></description><pubDate>Wed, 01 Jul 2026 22:15:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=48753858</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48753858</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48753858</guid></item><item><title><![CDATA[New comment by mattstir in "Steam Machine launches today"]]></title><description><![CDATA[
<p>Apple is also an absolutely enormous company. Even if Valve wanted to lock in prices, they're simply too small for RAM manufacturers to notice on their radar, unfortunately.</p>
]]></description><pubDate>Tue, 23 Jun 2026 17:32:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=48648389</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48648389</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48648389</guid></item><item><title><![CDATA[New comment by mattstir in "Project Valhalla, Explained: How a Decade of Work Arrives in JDK 28"]]></title><description><![CDATA[
<p>That's true for arrays of these value classes. Scalarization would help for larger local values though, since those would avoid pointer indirection for purely local values.</p>
]]></description><pubDate>Fri, 19 Jun 2026 13:51:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=48598576</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48598576</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48598576</guid></item><item><title><![CDATA[New comment by mattstir in "Project Valhalla, Explained: How a Decade of Work Arrives in JDK 28"]]></title><description><![CDATA[
<p>> But the difference in memory is fundamental. The JVM can now store the values themselves in the array, laid out densely one after another: 8 bytes per point (plus a possible null flag), in a contiguous block. No headers per element. No pointers. No jumping around the heap.<p>How much was this article proof-read? Didn't they just get finished talking about how heap flattening won't work for objects with > 64-bit representations? Their `Point` is at least 65 bits (two 32-bit ints plus the null flag). The "plus a possible null flag" and oddly short following statements seem to suggest this was some AI that got sidetracked by trying to make emphatic statements... oh and also the "[IMAGE: the same Point[] array in two variants..." block halfway down the page is unfortunate.</p>
]]></description><pubDate>Fri, 19 Jun 2026 13:38:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48598444</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48598444</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48598444</guid></item><item><title><![CDATA[New comment by mattstir in "Stop Using JWTs"]]></title><description><![CDATA[
<p>Is this at all coherent...? The author really seems to be comparing cookies to JWTs as if they exist in the same category, but it really is apples to oranges here. In fact, one of the first articles they link to spell that out explicitly:<p>> A lot of people mistakenly try to compare "cookies vs. JWT". This comparison makes no sense at all, and it's comparing apples to oranges - cookies are a storage mechanism, whereas JWT tokens are cryptographically signed tokens.<p>And yet the author seems not to have noticed, or something? Odd.</p>
]]></description><pubDate>Wed, 17 Jun 2026 03:05:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=48565218</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48565218</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48565218</guid></item><item><title><![CDATA[New comment by mattstir in "VoidZero Is Joining Cloudflare"]]></title><description><![CDATA[
<p>Yes? It's unclear how they'd do their job without extensive fingerprinting. I don't like it either, but pretending like it's not better positioned from a privacy standpoint is odd. At very least, turnstile isn't ran by the world's largest ads company that directly profits from accurately tracking users across the web.</p>
]]></description><pubDate>Fri, 05 Jun 2026 13:26:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48412241</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48412241</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48412241</guid></item><item><title><![CDATA[New comment by mattstir in "VoidZero Is Joining Cloudflare"]]></title><description><![CDATA[
<p>> or maybe one of them could just invest in packaging custom html elements, instead of assuming I'm going to use one of a handful of unnecessary "component" libraries<p>... are these not the same thing? I suppose from a technical standpoint they'd differ, but they achieve the same result: reusable, modular building blocks for creating interfaces.</p>
]]></description><pubDate>Fri, 05 Jun 2026 13:05:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=48411935</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48411935</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48411935</guid></item><item><title><![CDATA[New comment by mattstir in "CQL: Categorical Databases"]]></title><description><![CDATA[
<p>> Reduce risk of failure through artificial intelligence. CQL contains an embedded automated theorem prover that guarantees the correctness of CQL programs.<p>Man, it's a rough environment right now marketing-wise. I don't know if they're contractually obligated to say the funny magic words, but the term AI is nearly entirely meaningless at this point. Akin to saying "behold my mighty calculator app: it prevents divisions by zero through artificial intelligence!"</p>
]]></description><pubDate>Tue, 02 Jun 2026 13:15:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=48369873</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48369873</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48369873</guid></item><item><title><![CDATA[New comment by mattstir in "ChatGPT for Google Sheets exfiltrates workbooks"]]></title><description><![CDATA[
<p>Could you elaborate on what other disclosure models you're referring to? I can't imagine something being "more responsible" for the public than privately notifying the owning party to give them time to fix the issue, before notifying the rest of the world (including malicious actors) about it.</p>
]]></description><pubDate>Mon, 01 Jun 2026 12:58:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=48356243</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48356243</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48356243</guid></item><item><title><![CDATA[New comment by mattstir in "Cloudflare Turnstile requiring fingerprintable WebGL"]]></title><description><![CDATA[
<p>> So it’s not quite as horrible as it sounds.<p>I don't know about you, but if a random webpage takes 60+ seconds to load, I just close it and choose to never interact with that site again (unless it's my bank, which is a real and annoying occurrence).</p>
]]></description><pubDate>Mon, 01 Jun 2026 03:34:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48352329</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48352329</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48352329</guid></item><item><title><![CDATA[New comment by mattstir in "Cloudflare Turnstile requiring fingerprintable WebGL"]]></title><description><![CDATA[
<p>At which point it exists solely to punish real human users? What scraper bot is going through checkout?</p>
]]></description><pubDate>Mon, 01 Jun 2026 03:29:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=48352307</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48352307</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48352307</guid></item><item><title><![CDATA[New comment by mattstir in "If AI writes your code, why use Python?"]]></title><description><![CDATA[
<p>The vast majority of Python's AI/ML ecosystem is already written in C/C++ and uses interop glue to call it from Python. But agreed on the transitive dependencies, it's a nightmare</p>
]]></description><pubDate>Tue, 12 May 2026 12:48:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48107499</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48107499</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48107499</guid></item><item><title><![CDATA[New comment by mattstir in "You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE)"]]></title><description><![CDATA[
<p>I've seen microkernels mentioned a few times between these LPE posts and I'm curious about why. Would they be fundamentally more secure against forgetting to add bounds checking, or assuming user-provided input buffers should be writable without checking?</p>
]]></description><pubDate>Sat, 09 May 2026 13:38:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48074890</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48074890</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48074890</guid></item><item><title><![CDATA[New comment by mattstir in "Maybe you shouldn't install new software for a bit"]]></title><description><![CDATA[
<p>> select the previous-to-latest version<p>For supply chain attacks that simply bide their time, or for dependencies which involve interacting with other subsystems, it's possible you miss a critical security update by doing this. Of course, the maintainers of the crates should yank known bad releases, but that's putting trust in a third-party that may have already been compromised.</p>
]]></description><pubDate>Fri, 08 May 2026 12:54:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48062379</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48062379</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48062379</guid></item><item><title><![CDATA[New comment by mattstir in "Maybe you shouldn't install new software for a bit"]]></title><description><![CDATA[
<p>You only miss supply chain attacks that are eager to begin exploiting. If everyone begins waiting a week to update dependencies, attackers just need to wait 2 weeks before actively using their attack vectors.</p>
]]></description><pubDate>Fri, 08 May 2026 12:51:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48062336</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48062336</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48062336</guid></item><item><title><![CDATA[New comment by mattstir in "Maybe you shouldn't install new software for a bit"]]></title><description><![CDATA[
<p>Maintainers attempt to reduce the likelihood of that somewhat by giving security patches boring-sounding commit messages. When there are thousands of patches for every kernel release to sift through, that adds a small barrier for would-be exploiters.</p>
]]></description><pubDate>Fri, 08 May 2026 12:48:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=48062289</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48062289</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48062289</guid></item><item><title><![CDATA[New comment by mattstir in "Maybe you shouldn't install new software for a bit"]]></title><description><![CDATA[
<p>> Presumably npm exempts security updates from its minimum release age<p>Why would it? Then an attacker would just push compromised code as a "security update". Since the majority of these npm attacks are account-based, the attacker can do everything the actual owner could.</p>
]]></description><pubDate>Fri, 08 May 2026 12:40:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48062227</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48062227</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48062227</guid></item><item><title><![CDATA[New comment by mattstir in "Google Cloud fraud defense, the next evolution of reCAPTCHA"]]></title><description><![CDATA[
<p>I don't think there's much that's accidental about it. The giant corporations with near-monopolies in web-related markets (browsers, search...) are going to be incentivized to put restrictions in place that protect that monopolistic status. As with other facets of life, they can dress up the changes as "protecting users/kids/etc" and mostly get away with it. The same companies are the ones championing the very technologies that make human attestation more and more necessary.</p>
]]></description><pubDate>Thu, 07 May 2026 12:50:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=48048802</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=48048802</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48048802</guid></item><item><title><![CDATA[New comment by mattstir in "Your phone is about to stop being yours"]]></title><description><![CDATA[
<p>Is that actually confirmed anywhere? It certainly sounds possible given some of the wording ("At this point, any app installed on a certified device in these regions must be registered by a verified developer.") but it would be nice to get official confirmation.</p>
]]></description><pubDate>Tue, 28 Apr 2026 22:58:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47941999</link><dc:creator>mattstir</dc:creator><comments>https://news.ycombinator.com/item?id=47941999</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47941999</guid></item></channel></rss>