<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: om2</title><link>https://news.ycombinator.com/user?id=om2</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 15 Jun 2026 17:48:37 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=om2" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by om2 in "Venom and hot peppers offer a key to killing resistant bacteria"]]></title><description><![CDATA[
<p>That article doesn’t explain why acupuncture works, just gives a hint of a possible mechanism. It also doesn’t contain any evidence that acupuncture works at all (other than as a placebo).</p>
]]></description><pubDate>Mon, 11 May 2026 15:27:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=48096298</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=48096298</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48096298</guid></item><item><title><![CDATA[New comment by om2 in "Local privilege escalation via execve()"]]></title><description><![CDATA[
<p>- and + operators have the same precedence. And a similar bug is possible if the operators were the same (both -). So I’m not sure it’s right to blame this on operator precedence or mixed operators. It’s just that, ultimately, the “consume” needs to be subtracted, not added.</p>
]]></description><pubDate>Sun, 10 May 2026 04:07:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=48080908</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=48080908</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48080908</guid></item><item><title><![CDATA[New comment by om2 in "FFmpeg to Google: Fund us or stop sending bugs"]]></title><description><![CDATA[
<p>> They also have the option to not spend resources finding the bugs in the first place.<p>The Copenhagen interpretation of security bugs: if you don’t look for it, it doesn’t exist and is not a problem.</p>
]]></description><pubDate>Wed, 12 Nov 2025 06:45:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=45897059</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45897059</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45897059</guid></item><item><title><![CDATA[New comment by om2 in "FFmpeg to Google: Fund us or stop sending bugs"]]></title><description><![CDATA[
<p>The codec is compiled in, enabled by default, and auto detected through file magic, so the fact that it is an obscure 1990s hobby codec does not in any way make the vulnerability less exploitable. At this point I think FFmpeg is being intentionally deceptive by constantly mentioning only the ancient obscure hobby status and not the fact that it’s on by default and autodetected. They have also rejected suggestions to turn obscure hobby codecs off by default, giving more priority to their goal of playing every media format ever than to security.</p>
]]></description><pubDate>Wed, 12 Nov 2025 06:41:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=45897036</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45897036</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45897036</guid></item><item><title><![CDATA[New comment by om2 in "FFmpeg to Google: Fund us or stop sending bugs"]]></title><description><![CDATA[
<p>Nation-states are a very relevant part of the threat model.</p>
]]></description><pubDate>Wed, 12 Nov 2025 06:34:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=45896995</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45896995</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45896995</guid></item><item><title><![CDATA[New comment by om2 in "FFmpeg to Google: Fund us or stop sending bugs"]]></title><description><![CDATA[
<p>In this world and the alternate universe both, attackers can also use _un_published vulnerabilities because they have high incentive to do research. Keeping a bug secret does not prevent it from existing or from being exploited.</p>
]]></description><pubDate>Wed, 12 Nov 2025 06:32:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=45896986</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45896986</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45896986</guid></item><item><title><![CDATA[New comment by om2 in "Intent to Deprecate and Remove XSLT"]]></title><description><![CDATA[
<p>Take it up with the parent of my comment, who compared them directly.</p>
]]></description><pubDate>Mon, 03 Nov 2025 07:09:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=45796564</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45796564</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45796564</guid></item><item><title><![CDATA[New comment by om2 in "Intent to Deprecate and Remove XSLT"]]></title><description><![CDATA[
<p>Implementing it without tons of security bugs is apparently pretty hard.</p>
]]></description><pubDate>Mon, 03 Nov 2025 07:08:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=45796558</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45796558</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45796558</guid></item><item><title><![CDATA[New comment by om2 in "Intent to Deprecate and Remove XSLT"]]></title><description><![CDATA[
<p>It doesn’t scale well to content that changes dynamically on the client side. Dynamic manipulation of the post-transform XSL-FO is confusing and difficult; retransforming the whole document from source is too slow and loses state. This is a big part of why CSS won.</p>
]]></description><pubDate>Sat, 01 Nov 2025 22:40:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=45786092</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45786092</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45786092</guid></item><item><title><![CDATA[New comment by om2 in "Intent to Deprecate and Remove XSLT"]]></title><description><![CDATA[
<p>Fetch API is a pretty recent addition to the web platform. Back in the day, you could absolutely embed images or stylesheets from ftp: URLs. You could even use it with XMLHttpRequest (predecessor of Fetch). Even further back, gopher: was integrated with the web. URL schemes were invented for the web with the idea that http: is not the only one. These other protocols were really part of the web until they weren’t.</p>
]]></description><pubDate>Sat, 01 Nov 2025 22:37:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=45786061</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45786061</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45786061</guid></item><item><title><![CDATA[New comment by om2 in "Intent to Deprecate and Remove XSLT"]]></title><description><![CDATA[
<p>XSLT is also a really problematic feature from an implementation perspective (albeit in a different way than showModalDialog or MutationObservers).<p>I’m not a Chrome dev but I think they have decent reasons for going this way.</p>
]]></description><pubDate>Sat, 01 Nov 2025 07:40:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=45779884</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=45779884</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45779884</guid></item><item><title><![CDATA[New comment by om2 in "Libxml2's "no security embargoes" policy"]]></title><description><![CDATA[
<p>We have contributed a number of upstream fixes:<p><pre><code>  $ cd gnome-libxml2.git
  $ git log --oneline --author=@apple.com | wc -l
      43
</code></pre>
The main reason we have a fork at all is that upstream libxml2 has broken source and binary compatibility in various ways, and we can't take those changes because libxml2 is public API on our platforms. We do make an effort to upstream all security fixes, though we sometimes get to it only after we ship.</p>
]]></description><pubDate>Thu, 26 Jun 2025 17:16:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=44389315</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=44389315</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44389315</guid></item><item><title><![CDATA[New comment by om2 in "Missing Matter in Universe Found"]]></title><description><![CDATA[
<p>The speed of light in a vacuum does not change. The speed of light in a non-vacuum medium can be different than the speed of light in a vacuum, however. And light passing from one medium to another changes speed (and is refracted). See <a href="https://en.wikipedia.org/wiki/Refractive_index" rel="nofollow">https://en.wikipedia.org/wiki/Refractive_index</a></p>
]]></description><pubDate>Sat, 21 Jun 2025 18:52:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=44339826</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=44339826</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44339826</guid></item><item><title><![CDATA[New comment by om2 in "Missing Matter in Universe Found"]]></title><description><![CDATA[
<p>This study accounts for missing ordinary matter, not dark matter. The linked article makes this clear in the first paragraph. Sometimes I wonder if the first commenters (and often top commenters) on HN read the article at all or just respond based on the headline, because these comments often seem barely related to the actual article content.</p>
]]></description><pubDate>Fri, 20 Jun 2025 04:46:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=44324810</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=44324810</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44324810</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>Web Push does have the sound option now.</p>
]]></description><pubDate>Fri, 04 Apr 2025 05:56:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=43578785</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43578785</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43578785</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>It reduces notification display latency because they can be displayed directly by the system services managing push, without having to wait for an opportune time to fire up a service worker process. It does still allow customizing the notification with code, but even in that case, having the declarative notification as a fallback improves reliability.</p>
]]></description><pubDate>Fri, 04 Apr 2025 03:36:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=43578087</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43578087</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43578087</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>Battery friendly because notifications can be coalesced by the OS and processed without having to fire up a full browser engine process and JS VM just to unpack the notification and post a visible notification.<p>Even in the case where the app needs local processing to show the best notification, having this as fallback removes the risk that the app misses the deadline to display a visible notification and therefore loses its push subscription (which is a behavior Chrome and Firefox have too).<p>We're also not removing classic Web Push, so web apps can deny themselves the benefits of Declarative Web Push if they don't like it.</p>
]]></description><pubDate>Thu, 03 Apr 2025 23:50:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=43576839</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43576839</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43576839</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>It's standards track and we've had positive signals from Mozilla and Google. Apple is just the first to ship in this case. Are you also mad when Apple is _not_ the first to ship a feature? Is there any way to win?</p>
]]></description><pubDate>Thu, 03 Apr 2025 23:48:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=43576823</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43576823</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43576823</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>In Safari 18.4 (currently in beta) tags are supported and notifications can replace each other.</p>
]]></description><pubDate>Thu, 03 Apr 2025 23:46:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=43576811</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43576811</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43576811</guid></item><item><title><![CDATA[New comment by om2 in "Declarative Web Push"]]></title><description><![CDATA[
<p>iOS and macOS native app notifications already work the way Declarative Web Push does, not like classic Web Push. This is giving web apps the same ability to be battery friendly and more reliable that native apps already have.</p>
]]></description><pubDate>Thu, 03 Apr 2025 20:30:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=43574988</link><dc:creator>om2</dc:creator><comments>https://news.ycombinator.com/item?id=43574988</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43574988</guid></item></channel></rss>