Hacker News: prdonahue

New comment by prdonahue in "Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign"

prdonahue — Thu, 23 Apr 2026 17:56:05 +0000

> Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)?

Most of these attacks don't make it into the upstream source, so solutions[1] that build from source get you ~98% of the way there. If you can't get a from-source build vs. pulling directly from the registries, can reduce risk somewhat with a cooldown period.

For the long tail of stuff that makes it into GitHub, you need to do some combination of heuristics on the commits/maintainers and AI-driven analysis of the code change itself. Typically run that and then flag for human review.

[1] Here's the only one I know that builds everything from source: https://www.chainguard.dev/libraries

(Disclaimer: I work there.)

New comment by prdonahue in "Claude Code to be removed from Anthropic's Pro plan?"

prdonahue — Tue, 21 Apr 2026 23:55:51 +0000

Hmm, we just bought my wife an annual subscription at the Pro tier, largely to use Claude Code. Wonder if she'd be grandfathered in or if we'll need to get a refund.

Docker Hodgepodge Images

prdonahue — Wed, 15 Apr 2026 23:19:13 +0000

Article URL: https://www.chainguard.dev/unchained/docker-hodgepodge-images

Comments URL: https://news.ycombinator.com/item?id=47786633

Points: 4

# Comments: 1

New comment by prdonahue in "Google restricting Google AI Pro/Ultra subscribers for using OpenClaw"

prdonahue — Mon, 23 Feb 2026 04:10:46 +0000

Isn't this sort of repeated communication gaffe why they hired @OfficialLoganK?

New comment by prdonahue in "CURL's Daniel Stenberg: AI slop is DDoSing open source"

prdonahue — Mon, 16 Feb 2026 20:08:41 +0000

Do any of the bug bounty programs let you filter by some scoring of the source reporter?

Seems like it’d be helpful to bury mass reporters in a de facto spam bucket (where “mass” is some absolute quantity of reports along with percent that are accepted).

New comment by prdonahue in "AI is killing B2B SaaS"

prdonahue — Thu, 05 Feb 2026 00:51:49 +0000

I stopped reading the article because of it.

Secure containers market: from men's room at Taylor Swift concert to NBA finals

prdonahue — Thu, 15 Jan 2026 15:32:00 +0000

Article URL: https://www.chainguard.dev/unchained/well-that-escalated-quickly-zero-cves-lots-of-vendors

Comments URL: https://news.ycombinator.com/item?id=46633951

Points: 5

# Comments: 0

New comment by prdonahue in "Cloudflare outage on December 5, 2025"

prdonahue — Fri, 05 Dec 2025 16:35:30 +0000

And you moved at a glacial pace compared to Cloudflare. There are tradeoffs.

New comment by prdonahue in "Ask HN: What alternatives to Docker Desktop are people using?"

prdonahue — Tue, 02 Dec 2025 02:17:45 +0000

Nice, are you collaborating with developers at your company? Or is this more for personal use?

Ask HN: What alternatives to Docker Desktop are people using?

prdonahue — Mon, 01 Dec 2025 23:42:09 +0000

We're now a few years out from the Docker licensing fiasco. Who has successfully migrated their company to an alternative? What is working well and what's not?

Comments URL: https://news.ycombinator.com/item?id=46115185

Points: 3

# Comments: 9

New comment by prdonahue in "Ask HN: Who is hiring? (December 2025)"

prdonahue — Mon, 01 Dec 2025 22:39:49 +0000

Chainguard | Senior and Staff-level Product Managers and Engineers, and Engineering Managers | REMOTE (US/CAN)

We're building the safe, trusted source for open source. We created the secure Container Image market and we've recently expanded into VMs and Libraries for popular language ecosystems such as JavaScript, Python, and Java.

We're hiring quite a few PMs and engineers for our Containers and Libraries products, amongst other roles. Check out the listings here https://www.chainguard.dev/careers and if you're a highly-technical PM that wants to SHIP email me directly at patrick at chainguard dot dev.

New comment by prdonahue in "crates.io: Malicious crates faster_log and async_println"

prdonahue — Fri, 26 Sep 2025 22:03:17 +0000

It's the same principle as a company blocking access to domains registered in the past 30 days. Doing so eliminates a huge percent of phishing/malware as these domains are typically identified and taken down otherwise blocked in that window.

In this particular case, the bogus libraries had been out there for months. But if in addition to a delay, you mirror just the most common subset of packages with some opinionated selection criteria and build directly from source, you eliminate most of these attacks. (The same is true across whatever language ecosystems, including JS as you mention npm, etc.)

Is this 100% infallible? No, but security is a risk reduction game.

New comment by prdonahue in "crates.io: Malicious crates faster_log and async_println"

prdonahue — Fri, 26 Sep 2025 19:47:43 +0000

We're taking a very different[1] approach at Chainguard.

Essentially: building the world from GitHub repos on SLSA L2 hardened infra and delivering directly to our customers to bypass the registry threat vector (which is where vast, vast majority of attacks occur—we'll be blogging about this soon with more data).

[1] https://www.chainguard.dev/unchained/announcing-chainguard-l...

Chainguard Libraries for JavaScript: Malware-Resistant Depend. Built from Source

prdonahue — Thu, 25 Sep 2025 14:56:29 +0000

Article URL: https://www.chainguard.dev/unchained/announcing-chainguard-libraries-for-javascript-malware-resistant-dependencies-built-securely-from-source

Comments URL: https://news.ycombinator.com/item?id=45373403

Points: 2

# Comments: 0

New comment by prdonahue in "Oracle attempt to hide cybersecurity incident from customers?"

prdonahue — Mon, 31 Mar 2025 19:00:32 +0000

Yeah, they've clearly been given some minimal company line and aren't deviating from it. Not going to win any trust.

New comment by prdonahue in "Oracle attempt to hide cybersecurity incident from customers?"

prdonahue — Mon, 31 Mar 2025 18:56:49 +0000

We're primarily an AWS shop but some Oracle BDR assigned to cover us recently reached out on LinkedIn.

I asked for an incident report and received this terse response:

> There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.

New comment by prdonahue in "Next.js version 15.2.3 has been released to address a security vulnerability"

prdonahue — Sun, 23 Mar 2025 00:13:57 +0000

Vibe security.

Vercel knew critical NextJS security vulnerability 5 days before disclosing it

prdonahue — Sat, 22 Mar 2025 18:44:33 +0000

Article URL: https://twitter.com/javasquip/status/1903480443158298994

Comments URL: https://news.ycombinator.com/item?id=43447683

Points: 7

# Comments: 0

New comment by prdonahue in "OpenAI Audio Models"

prdonahue — Thu, 20 Mar 2025 18:08:52 +0000

Do you have any affiliation with Elevenlabs?

Ask HN: Best local AI note taker?

prdonahue — Fri, 31 Jan 2025 01:02:48 +0000

I'm looking for a way to run a model locally that will listen to Zoom calls and create notes for me. Want to make sure that notes (and audio) stay private to my machine.

What are my best options?

Comments URL: https://news.ycombinator.com/item?id=42883807

Points: 1

# Comments: 2