<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: szmarczak</title><link>https://news.ycombinator.com/user?id=szmarczak</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 11 Jul 2026 22:03:26 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=szmarczak" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by szmarczak in "My thoughts on the Bun Rust rewrite"]]></title><description><![CDATA[
<p>> Jarred was already writing slop well before he had access to LLMs.<p>I don't see anything business related in that statement.<p>What's this new level of gaslighting? "It was not because of me, but because of the business situation I was in". Wait... wasn't he in that "business situation" because of actions HE took?</p>
]]></description><pubDate>Thu, 09 Jul 2026 11:15:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48844041</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48844041</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48844041</guid></item><item><title><![CDATA[New comment by szmarczak in "CS2 Fog Of War: Server-sided anti-wallhack occlusion culling for CS2 servers"]]></title><description><![CDATA[
<p>This is good. However, it still sends info about the players ~200ms ahead which still makes you lose.</p>
]]></description><pubDate>Mon, 06 Jul 2026 18:11:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48808339</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48808339</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48808339</guid></item><item><title><![CDATA[New comment by szmarczak in "Vaclav Havel, the Power of the Powerless (1978)"]]></title><description><![CDATA[
<p>Why does the website render a word or two per line on mobile</p>
]]></description><pubDate>Mon, 06 Jul 2026 03:37:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48800387</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48800387</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48800387</guid></item><item><title><![CDATA[New comment by szmarczak in "PostgreSQL and the OOM killer: Why we use strict memory overcommit"]]></title><description><![CDATA[
<p>> memory monitoring would be part of the application monitoring stack<p>You don't need it if you have everything allocated upfront. TigerBeetle does this, everybody else can.<p>Using something like Rust is already a huge win when compared to shipping a browser or running Node.js.<p>> Your argument falls flat when a page file can be multi-GB and automatically grow<p>This doesn't solve the original issue and only masks the underlying problem.</p>
]]></description><pubDate>Fri, 03 Jul 2026 17:05:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48777282</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48777282</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48777282</guid></item><item><title><![CDATA[New comment by szmarczak in "PostgreSQL and the OOM killer: Why we use strict memory overcommit"]]></title><description><![CDATA[
<p>> this leads to application crashes instead<p>Same happens if the page file is full. In that case, why don't those programs use disk directly instead?<p>No such problem would've ever occured if programs hadn't allocated more than they actually use.</p>
]]></description><pubDate>Fri, 03 Jul 2026 16:31:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48776896</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48776896</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48776896</guid></item><item><title><![CDATA[New comment by szmarczak in "PostgreSQL and the OOM killer: Why we use strict memory overcommit"]]></title><description><![CDATA[
<p>> Does this result in programs more frequently erroring/crashing because they can't allocate?<p>I run Firefox, VSCodium with LSP, Discord, Signal and there's still space left for a game like CS2. I'm not a heavy user by any means.<p>> I'm not sure they would do much better than crash<p>I have yet to see a program that silently handles allocation failures and doesn't crash. These days everything is coded to crash if no memory :(<p>> About once a year a real runaway process (usually a throwaway program I'm working on) gets OOM-killed<p>In my case it killed system critical processes with no way to recover. With disabled overcommit, it freezes for a while (usually for a minute or two), I close some random program of my choosing and then see in Resource Monitor what's eating my ram.</p>
]]></description><pubDate>Fri, 03 Jul 2026 16:18:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=48776757</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48776757</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48776757</guid></item><item><title><![CDATA[New comment by szmarczak in "PostgreSQL and the OOM killer: Why we use strict memory overcommit"]]></title><description><![CDATA[
<p>Settings -> View advanced system settings -> Performance (Settings) -> Advanced -> Virtual memory (Change...) -> No paging file</p>
]]></description><pubDate>Fri, 03 Jul 2026 16:07:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=48776663</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48776663</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48776663</guid></item><item><title><![CDATA[New comment by szmarczak in "PostgreSQL and the OOM killer: Why we use strict memory overcommit"]]></title><description><![CDATA[
<p>I have disabled overcommit both on Windows and on Linux. I hate having random programs being killed.<p>Unfortunately, many programs commit 2x memory than they actually use. Often I see ~32GB committed and ~16GB resident.</p>
]]></description><pubDate>Fri, 03 Jul 2026 13:49:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48775029</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48775029</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48775029</guid></item><item><title><![CDATA[New comment by szmarczak in "The US ambassador had Belgian police stop our reporting"]]></title><description><![CDATA[
<p>The wording is so ambiguous, they should've determined what's the threat first. Or else anybody could point at anybody and say "active threat".<p>Most likely they still would've been kicked, but without being detained.</p>
]]></description><pubDate>Wed, 01 Jul 2026 16:44:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=48749660</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48749660</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48749660</guid></item><item><title><![CDATA[New comment by szmarczak in "The US ambassador had Belgian police stop our reporting"]]></title><description><![CDATA[
<p>Ah yes. Let me detain you for 8 hours for doing what you're legally allowed to do. Sorry for my mistake, it's all paid by the taxpayers anyway.</p>
]]></description><pubDate>Tue, 30 Jun 2026 17:13:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48735867</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48735867</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48735867</guid></item><item><title><![CDATA[New comment by szmarczak in "The US ambassador had Belgian police stop our reporting"]]></title><description><![CDATA[
<p>> They were “just doing their job,”<p>It's always this one exact excuse. They were simply "following orders". The police don't have their own brains capable of thinking.</p>
]]></description><pubDate>Tue, 30 Jun 2026 13:26:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48732468</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48732468</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48732468</guid></item><item><title><![CDATA[New comment by szmarczak in "A C++ implementation of a fast hash map and hash set using hopscotch hashing"]]></title><description><![CDATA[
<p>> claiming it's the fastest across all datasets<p>I never claimed so. Please stop stating I said something when I didn't.<p>> as a general purpose hash table<p>That's what I claimed. The question IS about hash tables. If you want a hash table of any content, it's impossible to get faster. Unless you check all possible keys at once - only this will get you faster.</p>
]]></description><pubDate>Sat, 27 Jun 2026 07:38:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=48696068</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48696068</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48696068</guid></item><item><title><![CDATA[New comment by szmarczak in "A C++ implementation of a fast hash map and hash set using hopscotch hashing"]]></title><description><![CDATA[
<p>No. Fundamentally it's not possible to be faster.</p>
]]></description><pubDate>Sat, 27 Jun 2026 00:04:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48693621</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48693621</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48693621</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>> isn't available in all cases<p>Which ones? Websites that ship no JavaScript? All browsers support this.<p>> can in some cases completely break sessions<p>Or you can just remove local storage from window and have it just for yourself, which seems what Discord is doing as well.<p>Attackers cannot use local storage because there is no local storage on the window object.<p>> A separate attack vector for the same problem<p>It's not exactly the same problem. The example you mentioned is a footgun because you don't vendor your dependencies. Deliberately giving someone else access to your website is an issue in itself.</p>
]]></description><pubDate>Sun, 21 Jun 2026 10:29:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48617509</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48617509</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48617509</guid></item><item><title><![CDATA[New comment by szmarczak in "Where to Find the Colors Your Screen Can't Show You"]]></title><description><![CDATA[
<p>There's color space and there's color depth. You may be using D-P3 with 8 bit, which is worse (less accurate?) than sRGB with 8 bit. And there's bandwidth. Your monitor may not be able to handle 4k 240fps 16 bit.</p>
]]></description><pubDate>Sat, 20 Jun 2026 12:03:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=48608624</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48608624</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48608624</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>> There's a reason "don't use local storage for security sensitive stuff" is part of the OWASP cheatsheet<p>Local storage was released more than 16 years ago, and back then PHP was wayy too popular. XSS is almost impossible to execute these days (unless you do selfxss).<p>Discord has mitigations for grabbing the token from local storage: <a href="https://news.ycombinator.com/item?id=48563286">https://news.ycombinator.com/item?id=48563286</a></p>
]]></description><pubDate>Sat, 20 Jun 2026 08:58:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48607590</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48607590</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48607590</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>> XSS which local storage does not  [mitigate]<p>True. However it's not impossible to mitigate that: <a href="https://news.ycombinator.com/item?id=48563286">https://news.ycombinator.com/item?id=48563286</a><p>But arguably it's harder to do so.<p>> this doesn't protect from supply chain attacks<p>It's a separate attack vector. It's easily mitigated by having a one week back-off before upgrading. (and as I have said already, also affects binary executables)<p>> unsafe-eval<p>Technically speaking, nothing prevents you from shipping a JS-in-JS runtime that proxies objects and bypasses eval, which is just eval without eval.</p>
]]></description><pubDate>Sat, 20 Jun 2026 08:42:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=48607493</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48607493</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48607493</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>> You have to mitigate CSRF server-side (with a CSRF token<p>> when you're using tokens in JavaScript then you don't have to worry because you already have your CSRF token<p>No reason to have a dedicated CSRF token because your local storage token already works as a CSRF token.</p>
]]></description><pubDate>Sat, 20 Jun 2026 07:56:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=48607261</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48607261</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48607261</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>That's why I wouldn't say the below.<p>> A lot of times local storage is much less secure<p>Without XSS, local storage is actually more secure. You don't have worry 'did I set up this right' because there is nothing to set up and CSRF is impossible to execute.<p>If you're still paranoid about XSS, CSP is your friend. Also check isTrusted on events.</p>
]]></description><pubDate>Thu, 18 Jun 2026 09:16:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48582842</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48582842</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48582842</guid></item><item><title><![CDATA[New comment by szmarczak in "Stop Using JWTs"]]></title><description><![CDATA[
<p>> they tend to require disabling HttpOnly for not very good reasons<p>First time I'm hearing that frameworks require disabling HttpOnly.<p>> Disabling iframes doesn't fix CSRF. You can still <form method="..." /> or <img /> tags or whatever.<p>Obviously. IMG tags don't work because of CORS (unless you explicitly allow this) nor script tags etc. Browsers send Origin and Sec-Fetch- headers which you can use to block POST navigation requests from other origins, like you mentioned.<p>But when you're using tokens in JavaScript then you don't have to worry because you already have your CSRF token, which is inaccessible to third parties and no form submit will include it. That's why local storage is more secure.</p>
]]></description><pubDate>Thu, 18 Jun 2026 09:07:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48582786</link><dc:creator>szmarczak</dc:creator><comments>https://news.ycombinator.com/item?id=48582786</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48582786</guid></item></channel></rss>