Hacker News: talkin

New comment by talkin in "Everything in C is undefined behavior"

talkin — Wed, 20 May 2026 08:27:38 +0000

Fixing easy cases makes the list shorter, so enables more focus on harder cases.

And it also signals that you actually do want to improve, just a little bit of boy scout rule goes a long way.

New comment by talkin in "Schedule tasks on the web"

talkin — Fri, 27 Mar 2026 12:33:34 +0000

> for some reason the industry stubbornly refuses to solve the "cron job as a service" problem for end-users, whether on the web or in the OS.

Such a service will always be destroyed by the bell-ends who want to run spam or worse activities.

New comment by talkin in "Shell Tricks That Make Life Easier (and Save Your Sanity)"

talkin — Thu, 26 Mar 2026 09:02:19 +0000

> cd -: The classic channel-flipper. Perfect for toggling back and forth.

And not only cd. Gotta love 'git checkout -'

New comment by talkin in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

talkin — Wed, 25 Mar 2026 18:37:12 +0000

There will always be early adopters.

And maybe more importantly: security tools and researchers.

New comment by talkin in "UUID package coming to Go standard library"

talkin — Sat, 07 Mar 2026 16:14:23 +0000

Or even an autoincrement int primary key internally. Depending on your scale and env etc, but still fits enough use cases.

New comment by talkin in "Turn Dependabot off"

talkin — Sat, 21 Feb 2026 10:44:26 +0000

Most regex usage actually doesnt require near infinite backtracking, so limited unless opted in wouldn’t be that weird.

New comment by talkin in "Bugs Apple loves"

talkin — Fri, 23 Jan 2026 07:37:12 +0000

“Intuitive!”

New comment by talkin in "CSRF protection without tokens or hidden form fields"

talkin — Thu, 25 Dec 2025 11:43:25 +0000

NO. Please don’t spread wrong solutions.

Your attempt has similarities to the idea behind Checking Sec-Fetch-Site. Implementing that header is the same amount of work. But this header is exactly meant for this purpose, and referer is haunted with problems.

So for officially intended protections, implementing this header and samesite cookies gets you a very long way without any complexity, assumptions, or tricks of old lore.

New comment by talkin in "Libxml2's "no security embargoes" policy"

talkin — Thu, 26 Jun 2025 06:51:24 +0000

No. The Regex DoS class of bugs is about infinite backtracking or looping inside the regex engine. Completely isolated component, just hogging CPU inside the regex engine. It may also have ‘DoS’ in its name, but there’s no relation to network (D)DoS attacks.

It could still be a security error, but only if all availability errors are for that project. But after triage, the outcome is almost always “user can hang own browser on input which isn’t likely”. And yes, it’s a pity I wrote ‘almost’, which means having to check 99% false alarms.

New comment by talkin in "Base44 sells to Wix for $80M cash"

talkin — Thu, 19 Jun 2025 14:02:49 +0000

Backup/restore tends too look less important until it isn’t. ;)

New comment by talkin in "Getting free internet on a cruise, saving $170"

talkin — Mon, 16 Jun 2025 21:37:25 +0000

Interferes with the business model. ;)

New comment by talkin in "Tesla sales dropped 60% in Germany"

talkin — Wed, 12 Feb 2025 22:03:55 +0000

> Well, I don't think most folks could name a CEO of another car company.

Yup, and I don’t care. I liked the brand better without the drama queen.

New comment by talkin in "Mad at Meta? Don't Let Them Collect and Monetize Your Personal Data"

talkin — Fri, 07 Feb 2025 11:50:44 +0000

Spreading the message inside FB helps the mission. The people who already stopped don’t need to be convinced anymore. ;)

But sure, ironic and counterintuitive.

New comment by talkin in "A story on home server security"

talkin — Sun, 05 Jan 2025 17:23:39 +0000

Nobody said you shouldn’t do any due diligence. But 1 sprint vs 2 months of review really smells like ‘processes over people’. ;)

New comment by talkin in "Redis is trying to take over the all of the OSS Redis libraries"

talkin — Tue, 26 Nov 2024 11:42:30 +0000

All true, but lets be honest: For the technical users searching a library, nothing beats having The Keyword being part of the name.

New comment by talkin in "Upcoming Hardening in PHP"

talkin — Fri, 15 Nov 2024 12:45:43 +0000

Yes. Just like the Log4j issue root cause. Too powerful and abstract features to wield securely.

Or maybe if we keep intent out of it; features were added in a time when we all worried less about security and internet implications. I would like to say ‘in the security dark ages’ but we are probably still in that era. ;)

New comment by talkin in "Upcoming Hardening in PHP"

talkin — Fri, 15 Nov 2024 12:39:54 +0000

This comment and all siblings fight over PHP vs Pyhton etc, but that just isn’t the bottleneck in most apps.

By far, for most apps, the biggest bottleneck is the database.

New comment by talkin in "Upcoming Hardening in PHP"

talkin — Fri, 15 Nov 2024 12:34:37 +0000

To be specific about static analysis: Lots of tools catch this. Sure, making some checks native would be nice, but for instance PHPStan always catches this, and more.

Regardless of the ‘improve the language angle’: Is somebody isn’t running PHPStan (or Psalm, Sonar, etc), then they’re missing out.

PHPStan is currently so good that using it should be non-negiotable. So the question would then even be: “I’d like rule 123 of the tool to be native, we helps with the RFC?”

New comment by talkin in "HTML Form Validation is underused"

talkin — Tue, 29 Oct 2024 07:31:38 +0000

You’re technically right but that doesn’t matter.

That you’re correctly using html forms won’t quickly lead to browser improvements.. so the result is that users will hate your forms. Users/your customer might possibly even think that you’re to blame, and not $browserVendor.

New comment by talkin in "Chromium uses web search for .internal TLD instead of opening URL"

talkin — Thu, 24 Oct 2024 06:52:14 +0000

> I think it's the autocomplete in particular that leaks a lot of private data.

That’s the beauty. The whole unified input can be presented as a UX simplicity gain, while this quote points at the actual business value. ;)