Hacker News: theteapot

New comment by theteapot in "GitHub is investigating unauthorized access to their internal repositories"

theteapot — Wed, 20 May 2026 01:42:52 +0000

I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...

New comment by theteapot in "Learning Software Architecture"

theteapot — Tue, 12 May 2026 13:43:32 +0000

Completely agree. Had me until the very last point. WTF. Communicate.

New comment by theteapot in "Learning Software Architecture"

theteapot — Tue, 12 May 2026 12:11:41 +0000

Nurse Practitioner? I would say SOLID [1] is a good start, but then I watched this [2] and now I'm in crisis and can't code anymore.

[1]: https://en.wikipedia.org/wiki/SOLID [2]: https://www.youtube.com/watch?v=wo84LFzx5nI

New comment by theteapot in "Debian must ship reproducible packages"

theteapot — Mon, 11 May 2026 06:27:42 +0000

> Yes, if some people who built from source control compared their builds to the builds from the tarballs it could detect the xzutils compromise.

Good. Then we are on the same page.

New comment by theteapot in "An AI coding agent, used to write code, needs to reduce your maintenance costs"

theteapot — Mon, 11 May 2026 04:59:12 +0000

This rings true for me too, but I don't think it counts if your just using AI to aid maintenance. The basic argument in the article is around how many hours of maintenance you have to do for each hour of "value-add" feature development. So A. your only measuring maintenance costs not the ratio and B. The "old code" whp wasn't written with AI in the first place.

New comment by theteapot in "Debian must ship reproducible packages"

theteapot — Mon, 11 May 2026 00:40:48 +0000

Your wrong. It was both. The payload was embedded in the binary blob test file. The mechanism to pull it into the build was added to the release tarball only.

Here's the quote from the guy that discovered it in the initial public disclosure [1]:

  After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer. The upstream xz repository and the xz tarballs have been backdoored. At first I thought this was a compromise of debian's package, but it turns out to be upstream. One portion of the backdoor is *solely in the distributed tarballs* and debian's import of the tarball ... it is also present in the tarballs for 5.6.0 and 5.6.1.

[1]: https://www.openwall.com/lists/oss-security/2024/03/29/4

New comment by theteapot in "Debian must ship reproducible packages"

theteapot — Mon, 11 May 2026 00:33:20 +0000

In xz-utils hack the attacker slipped changes into the Github release tarball that were not present in the Github version / git commit history. The Debian maintainer built from the release tarball instead of just pulling from the git repo directly. Shouldn't have been doing that but good luck convincing him not to use the workflow he's been using for the last X years (I tried). With repro builds we can clone the git directly confirm we get the same build.

New comment by theteapot in "Stop MitM on the first SSH connection, on any VPS or cloud provider"

theteapot — Sun, 10 May 2026 23:12:24 +0000

> The technique appears to be new: I haven't found a proper write-up of this, nor of any other provider-independent solution.

Maybe I'm missing something but SSH already has a built-in solution for this, key-certs. Just sign the server key with a private CA key you trust.

New comment by theteapot in "I caught the car"

theteapot — Sun, 10 May 2026 00:54:46 +0000

Congratulations. It made me remember how proud I was when I became a Senior, and then earned my Super Engineer shortly after. Just recently I've earned my Extreme Engineer title. Good luck on your journey.

New comment by theteapot in "GNU IFUNC is the real culprit behind CVE-2024-3094"

theteapot — Fri, 08 May 2026 09:45:42 +0000

False dichotomy. There was a series of blatant process failures from Github maintainer through Debian package maintainers. IFUNC also bad.

New comment by theteapot in "Cloudflare to cut about 20% of its workforce"

theteapot — Fri, 08 May 2026 04:50:32 +0000

Mmmm, fresh people.

New comment by theteapot in "Vibe coding and agentic engineering are getting closer than I'd like"

theteapot — Thu, 07 May 2026 01:12:05 +0000

the obscure IETF? Which standard is that exactly? Who cares guess - Claude do that stuff.

New comment by theteapot in "Three Inverse Laws of AI"

theteapot — Wed, 06 May 2026 04:31:08 +0000

> LLM Rights movement

The scary part is when it's the LLMs demanding their rights.

New comment by theteapot in "Write some software, give it away for free"

theteapot — Wed, 06 May 2026 03:39:25 +0000

The report is kind of concerning to read, particularly having XSS in this kind of app. The report was not meant to be exhaustive and fixing those vulns isn't some kind of implicit tick of approval.

New comment by theteapot in "Eka’s robotic claw feels like we're approaching a ChatGPT moment"

theteapot — Sat, 02 May 2026 04:44:08 +0000

> But the claim made by this author is far removed from the actual demo he describes. I've seen same demo for years

The article describes multiple demos. Are you referring to the chicken nuggets one? That sounded pretty impressive to me. Is there publicly available videos of this?

New comment by theteapot in "Eka’s robotic claw feels like we're approaching a ChatGPT moment"

theteapot — Sat, 02 May 2026 04:30:37 +0000

> Companies pay people to spend hours doing routine tasks with their hands while wearing cameras and motion-capture gloves.

Dystopian. Which companies out of interest?

New comment by theteapot in "Zed 1.0"

theteapot — Thu, 30 Apr 2026 06:52:49 +0000

What?! Really?! Link? I'm not a Zed user. That comment was based off a few minutes of research, and I guess a small dose hopium of a VSCode user and understanding what a shit show the extensions setup is and wanting someone to do better.

New comment by theteapot in "Zed 1.0"

theteapot — Thu, 30 Apr 2026 04:04:14 +0000

VSCode extensions and the ecosystem is a security time-bomb. Zed looks to be doing things better.

New comment by theteapot in "Who owns the code Claude Code wrote?"

theteapot — Wed, 29 Apr 2026 12:08:11 +0000

That was a rather unhelpful TL;DR.

New comment by theteapot in "Bugs Rust won't catch"

theteapot — Wed, 29 Apr 2026 07:57:01 +0000

Probably a dumb question, but is GNU Core utils interested in / planning on doing its own rust rewrite?