Hacker News: raphinou

New comment by raphinou in "Ask HN: What are you working on? (June 2026)"

raphinou — Sun, 14 Jun 2026 17:22:33 +0000

Putting finishing touches on an open source multi sig solution to authenticate digital artifact, aiming to increase security of the software supply chain. It's open source, completely self hostable, incl internally, support air gapped signers, fully auditable (data store is a puglic git repo). It's an alternative to sigstore, making different decision.

Website: https://www.asfaload.com/

Code: https://github.com/asfaload/asfaload

Sunset of the Consumer Version of Gemini Code Assist on GitHub

raphinou — Thu, 04 Jun 2026 14:23:21 +0000

Article URL: https://developers.google.com/gemini-code-assist/docs/deprecations/consumer-code-review

Comments URL: https://news.ycombinator.com/item?id=48399109

Points: 2

# Comments: 0

New comment by raphinou in "A Post-Quantum Future for Let's Encrypt"

raphinou — Thu, 04 Jun 2026 09:55:54 +0000

The open source project I'm working on aims to authenticate artifact downloads (project name is asfaload, in short it is a sigstore alternative). My understanding is that in a post-quantum world, the private key can be derived from an ed25519 pub key. That means that an attacker can generate new signatures. But I don't think an attacker would be able to generate a malicious artifact that matches an existing signature. It would seem that once we are nearing PQC, Asfaload would need to support PQC signatures, and its uses would need to migrate to new keys, but that existing signatures would still be safe to use for validation. Is that right?

New comment by raphinou in "A Post-Quantum Future for Let's Encrypt"

raphinou — Wed, 03 Jun 2026 19:06:00 +0000

I've been working on a new project using ed25519 signatures and discovered they are not quantum resistant.... I went with ed25519 due to possibility of using openssh keys. Any opinion on this choice at the light of this article and other quantum computing news?

New comment by raphinou in "Infomaniak transitions to a foundation model to protect user data privacy"

raphinou — Wed, 20 May 2026 12:48:59 +0000

I agree! It's amazing to require the visitor to edit the url to go from blog to main site. For my projects I pay attention to avoid this as I find it so annoying. I want visitor that are interested to have easy access to the website!

New comment by raphinou in "Hackers breach JDownloader's website to serve malware-laced downloads"

raphinou — Fri, 08 May 2026 14:10:50 +0000

When will we finally sign artifacts?

I'm not only complaining, I also work on a solution (asfaload) that I want easy to use. As it is multisig, such platform breaches become impossible. Below is the doc of the CLI, i'm looking for testers and challengers of the solution!

https://asfaload.com/doc/

New comment by raphinou in "From Supabase to Clerk to Better Auth"

raphinou — Thu, 07 May 2026 06:15:52 +0000

I've had good experience with authelia. Simple and light to self host.

New comment by raphinou in "Should I Run Plain Docker Compose in Production in 2026?"

raphinou — Tue, 05 May 2026 16:15:32 +0000

I'm very happy using docker swarm on a single host with traefik as reverse proxy using the setup described here: https://dockerswarm.rocks/

Super easy deployment of additional apps, defined completely in one file (incl setup on host, backups, reverse proxy config, etc).

Never found a reason to migrate away. Swarm was already considered dead when I started using it in 2022[1], but the investment was so low and benefits so big, that it was the right choice for me. I think a lot of people are replicating swarm features with compose, losing a lot of time. But hey, to each their own choice!

1: https://www.yvesdennels.com/posts/docker-swarm-in-2022/

New comment by raphinou in "HERMES.md: Anthropic bug causes $200 extra charge, refuses refund"

raphinou — Wed, 29 Apr 2026 19:31:33 +0000

My understanding was they would process a refund, but no further compensation? Otherwise why would they look for an account to process the refund?

English is not my first language, so I might have misunderstood....

New comment by raphinou in "It's OK to abandon your side-project (2024)"

raphinou — Mon, 27 Apr 2026 19:28:22 +0000

Thanks for the positive feedback! It combines administration features and end user interace. The definition of data structure is not very intuitive, and that would be the first and most important thing to fix. I think a lot of people get lost at the definition of their first table....

New comment by raphinou in "It's OK to abandon your side-project (2024)"

raphinou — Mon, 27 Apr 2026 19:24:10 +0000

Backed by postgres, using the crosstab function. Developed and deployed on Linux Ui through the browser, built with https://websharper.com/

Thanks for the star!

New comment by raphinou in "It's OK to abandon your side-project (2024)"

raphinou — Mon, 27 Apr 2026 09:27:41 +0000

I have such a project I just can't shut down: https://myowndb.com/ I started it 20 years ago, with ruby on rails. I neglected it but then decided to rewrite it in F# and publish it as open source (https://gitlab.com/myowndb/myowndb). There are very few users, some from many years ago, all non paying. None gave any feedback I asked during the rewrite. I should have shut it down years ago, but I just can't take the step. I'm focused on another project now, but who knows, maybe I'll get back to it....

New comment by raphinou in "Show HN: I've built a nice home server OS"

raphinou — Sat, 25 Apr 2026 06:53:38 +0000

What solution do you use for declarative deployments? Last time I looked there was no default option?

New comment by raphinou in "Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign"

raphinou — Thu, 23 Apr 2026 17:05:56 +0000

From my understanding the checkmarx attack could have been prevented by the asfaload project I'm working on. See https://github.com/asfaload/asfaload

It is:

- open source

- accountless(keys are identity)

- using a public git backend making it easily auditable

- easy to self host, meaning you can easily deploy it internally

- multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected

- validating a download transparantly to the user, which only requires the download url, contrary to sigstore

New comment by raphinou in "Migrating from DigitalOcean to Hetzner"

raphinou — Sat, 18 Apr 2026 15:30:23 +0000

Am I missing something? I'm genuinely surprised it was not deployed from the start on a dedicated server. Don't you make a cost analysis before deploy? And if the cost analysis was ok at initial deploy, why wait to have such a difference in cost before migrating? How much money goes wasted in such situations?

New comment by raphinou in "Ask HN: What Are You Working On? (April 2026)"

raphinou — Mon, 13 Apr 2026 06:37:48 +0000

Working on Asfaload, a multisig sign-off solution applied to release artifacts authentication.

It is:

- open source

- accountless(keys are identity)

- using a public git backend making it easily auditable

- easy to self host, meaning you can easily deploy it internally

- multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected

- validating a download transparantly to the user, which only requires the download url, contrary to sigstore

Nearing Alpha release stage.

Code at https://github.com/asfaload/asfaload Info at https://asfaload.com/

New comment by raphinou in "Open source security at Astral"

raphinou — Thu, 09 Apr 2026 06:32:53 +0000

Yes, that's why I aim to make the checks transparant to the user. You only need to provide the download url for the authentication to take place. I really need to record a small demo of it.

New comment by raphinou in "Open Source Security at Astral"

raphinou — Thu, 09 Apr 2026 06:30:49 +0000

Here's the GitHub repo of the backend code: https://github.com/asfaload/asfaload

There's also a spec of the approach at https://github.com/asfaload/spec

I'm looking for early testers, let me know if you are interested to test it !

New comment by raphinou in "Open source security at Astral"

raphinou — Thu, 09 Apr 2026 06:28:45 +0000

Artifact attestation are indeed another solution based on https://www.sigstore.dev/ . I still think Asfaload is a good alternative, making different choices than sigstore:

- Asfaload is accountless(keys are identity) while sigstore relies on openid connect[1], which will tie most user to a mega corp

- Asfaload ' backend is a public git, making it easily auditable

- Asfaload will be easy to self host, meaning you can easily deploy it internally

- Asfaload is multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected

- validating a download is transparant to the user, which only requires the download url, contrary to sigstore [2]

So Asfaload is not the only solution, but I think it has some unique characteristics that make it worth evaluating.

1:https://docs.sigstore.dev/about/security/

2: https://docs.sigstore.dev/cosign/verifying/verify/

New comment by raphinou in "Open source security at Astral"

raphinou — Thu, 09 Apr 2026 06:07:30 +0000

One (amongst other) big problem with current software supply chain is that a lot of tools and dependencies are downloaded (eg from GitHub releases) without any validation that it was published by the expected author. That's why I'm working on an open source, auditable, accountless, self hostable, multi sig file authentication solution. The multi sig approach can protect against axios-like breaches. If this is of interest to you, take a look at https://asfaload.com/