Hacker News: tytho

New comment by tytho in "Native Instant Space Switching on macOS"

tytho — Thu, 09 Apr 2026 21:51:03 +0000

I was a heavy macOS Spaces user. Upon a recommendation to use Aerospace from somewhere else here a few months ago, I switched and love it. I considered Yabai, but some features required disabling SIP (System Integrity Protection).

New comment by tytho in "Axios compromised on NPM – Malicious versions drop remote access trojan"

tytho — Tue, 31 Mar 2026 12:26:18 +0000

At least with pnpm, you can specify minimumReleaseAgeExclude, temporarily until the time passes. I imagine the other package managers have similar options.

[1]: https://pnpm.io/settings#minimumreleaseageexclude

New comment by tytho in "Why craft-lovers are losing their craft"

tytho — Sun, 22 Mar 2026 03:20:00 +0000

Game development is often a completely different set of skills and maintenance profile compared to enterprise SaaS development. Many single-player games especially indie ones don’t need to worry about multi-year contracts or having to work through many cycles of different developers coming in and out of a project. Having a 1000+ line switch statement seems totally reasonable on a project with a handful of developers that will continue to work on the project.

My understanding is that the switch statement was for npc character conversation text. That seems pretty reasonable, even in enterprise SaaS for something like translations. It might not be as easy to maintain in other circumstances.

New comment by tytho in "VS Code deactivates IntelliCode in favor of the paid Copilot"

tytho — Tue, 16 Dec 2025 13:12:13 +0000

I’ve been using Zed [1] for some time now. They are also pretty AI focused so it may only be a matter of time, but so far I’ve been able to disable all of the AI interactions.

[1] https://zed.dev/

New comment by tytho in "Email verification protocol"

tytho — Sun, 09 Nov 2025 14:52:17 +0000

Many applications need a way to contact a user (security breach, password reset). If one only has a username and forgets the password, there’s no way to reverify the user.

New comment by tytho in "Subway Stories"

tytho — Mon, 13 Jan 2025 15:55:51 +0000

Fly has a form of auto-scaling. You have to provision the max amount of machines then you configure them to auto-sleep. It's possible that the creator didn't anticipate this much traffic or didn't want to pre-pay for all those sleeping machines.

New comment by tytho in "Just use Postgres"

tytho — Sat, 17 Aug 2024 10:45:43 +0000

I can’t speak to the official decisions made by these camps/courses, but from my own experience as an undergrad, I was first introduce to MySQL, and the professors at my university did not teach using migration management tools for bringing a schema in a database up. You were either using a GUI to set up the tables, or running your own cobbled together sql files. For class assignments this was fine. Then I had a professor introduce mongo to me. I was floored by the idea of having my schema live along-side the application code! No more messing around in SQL GUIs! Then of course over time I realized you still need to maintain a schema over time and provide someway to “upgrade” data when your schema evolves, and keep your data consistent. Then I discovered the tools around migrating mongo data are not nearly as mature as the ones you’ll find for SQL databases.

I find mongo alright at producing a short-lived prototype of an application (e.g. school assignments), but the risk of it shipping to production for a long period is too risky for the “benefit”.

New comment by tytho in "Neon Postgres vs. Supabase"

tytho — Tue, 13 Aug 2024 23:24:27 +0000

They can be, but they both offer PostgreSQL services. The article touches on Supabase’s other offerings, but the comparison is mostly on the database offerings.

New comment by tytho in "WebSockets vs. Server-Sent-Events vs. Long-Polling vs. WebRTC vs. WebTransport"

tytho — Mon, 18 Mar 2024 18:31:30 +0000

The browser EventSource constructor does not have options to pass in your own headers. You can pass an option to have it use the cookies for the domain you’re using. There are libraries that allow you to pass in additional HTTP options, but they essentially reimplement the built-in EventSource object in order to do so. Not terribly difficult, fairly simple spec.

New comment by tytho in "Ask HN: Resources for learning niche aspects of authentication services?"

tytho — Sun, 19 Mar 2023 03:34:59 +0000

Ah, I titled that wrong. Fixed! Mostly authentication, but authorization is also a topic I’m studying a lot recently. I feel like there’s more resources on that than the questions I have about authentication. I’m currently diving into the Google Zanzibar papers.

Ask HN: Resources for learning niche aspects of authentication services?

tytho — Sun, 19 Mar 2023 02:49:52 +0000

Over the course of my career, I've learned a lot about authentication, but I find that there's not a lot of resources for things you might need to know if you need to write your own auth service or even learn how one is written.

Some aspects that I feel aren't talked about as much are things like:

- How to store records of personal auth tokens (like GitHub personal tokens)

Using JWTs for these kinds of tokens is widely deemed a bad idea because it's not revokable (without changing the JWT key and essentially revoking all tokens signed with the same key). What I hear is that just generating a token with cryptographically random bytes is good enough for most applications, but does one just store those bytes raw in the database? Or is a hash stored? Or does the database record have an id and hash (similar to a username/password) and the token given to the user is an encoded string that contains the id and raw token? Most things I find when I search "How to store record of token in database" are questions about how to store an auth token given from an OAuth2 handshake or how to store a GitHub token securely. Nothing about how the identity service itself stores a token.

- How to store (or not store) records of one-time auth tokens like email auth/verification tokens

Similar to the above token question, though the threat model seems a little different because they're not long-lived tokens.

- Best practice for uphashing password hashes

I've played around with this idea of needing to rehash password hashes. For example, say you have password hashes a bcrypt hashes with 10 rounds. Then it's decided that bcrypt with that many rounds isn't great anymore with today's hardware and you should bump it up to 14 hashes, or switch to a different algorithm. Next time people login, you could use the old algorithm to validate then hash the password while you have it in plaintext, but what about the users who don't sign in? Couldn't you instead store the layers of hash rules (like the algorithm, salt, number of rounds without the hash) and the last "layer" be a hash with the latest algorithm? I vaguely remember someone suggesting that somewhere here, but when I tried to implement it, there wasn't really a standard format for storing those hashing rules beyond the PHC format that argon2 uses.

The goal of learning these sorts of things is not to go off and write my own auth service. At this point, I feel like rolling your own auth is treated a lot like rolling your own crypto: Leave it to the experts. But without expert writings, how are we to learn and maintain existing systems? Or attempt to improve them? Perhaps I'm just impatient and haven't spent the requisite time searching, but I'm hoping to get some ideas from this community.

Comments URL: https://news.ycombinator.com/item?id=35215500

Points: 2

# Comments: 4

New comment by tytho in "A 'CSS reset' for TypeScript, improving types for common JavaScript API's"

tytho — Fri, 03 Mar 2023 15:22:56 +0000

You can still use `tsc` to validate the jsdoc types. It will spit out errors when types don’t match.

You can use `tsc` to export the types defined in jsdoc and other projects that import your module will get all the intellisense and type checking as if it had been written in TypeScript.

New comment by tytho in "A 'CSS reset' for TypeScript, improving types for common JavaScript API's"

tytho — Fri, 03 Mar 2023 15:17:44 +0000

I won’t speak for others, but I for one can’t stand the amount of extra packages needed to get a TypeScript project working. I need to install adapters for my linter, formatter, test runner, editor, bundler to name a few. Hopefully it all works together with all the other plugins and adapters. With the jsdoc version, I just install the `typescript` package, and I can use that to do the typechecking as well export types to be used by a TypeScript project. Sure it’s a bit more verbose, but I’d take that over tinkering with dependencies and configurations.

New comment by tytho in "Pipe Operator (|>) For JavaScript"

tytho — Fri, 20 Jan 2023 16:09:36 +0000

There is another way that isn't _as_ kludgy, but still not as nice as the JavaScript proposal:

    computation() |> then(&Map.put(my_map, key, &1))

It's the big reason the `then/2` function was created from my understanding.

New comment by tytho in "Complete Rewrite of ESLint"

tytho — Mon, 28 Nov 2022 13:36:33 +0000

From personal experience, you don’t ever “just use TypeScript”. You have to install plugins, adapters, parsers for every other tool (linters, formatters, bundlers) to also make them work with TypeScript. Adding TypeScript into the mix increases the number of dependencies (dev or not) dramatically. If you use the jsdoc flavor of TypeScript, you only need to install the one dependency.

Not saying it’s the best reason, but a reason nonetheless.

New comment by tytho in "Hurl: Run and test HTTP requests with plain text"

tytho — Sat, 26 Nov 2022 02:40:28 +0000

That's definitely more convenient. I think it could be nice to have an additional test suite not written in the same language as the thing you're testing. It would force you to interact with your program the way the rest of the world would. Rather than relying on mocking, setting up test data, and reaching into the internals of your code, you have to set up your test data through the API. This wouldn't be feasible in most of work I've done in my professional career, but in an ideal world I think it could be beneficial not to rely on internals for testing, at least for some set of tests.

New comment by tytho in "Is the AWS us-west-2 region experiencing an outage?"

tytho — Thu, 06 Oct 2022 17:02:01 +0000

We're seeing some issues possibly related to s3. Uploads working, but downloads seem to fail occasionally.

New comment by tytho in "Ask HN: Anyone working 4 day week here, as an employee?"

tytho — Mon, 22 Aug 2022 11:11:34 +0000

My input probably isn’t as valuable except as a data point, but the company I work for (around 100 employees) moved all employees over to a 32 hour/4 day work week without a change in salary. No negotiation involved technically, though there were a few employees who have been talking about 4-day work weeks for a long time.

They made this change with a 6-month trial period where we would determine if we would keep it at a later time based on some sort of productivity measurements. Everyone, including the CEO, seemed to agree that trying to measure productivity would yield few meaningful metrics. The consensus at the end was that productivity was either the same or a little less, but we ended up keeping it anyway.

New comment by tytho in "Server-Sent Events: an alternative to WebSockets"

tytho — Sat, 12 Feb 2022 15:56:42 +0000

You can pass a ‘withCredentials’ option.

New comment by tytho in "Server-Sent Events: an alternative to WebSockets"

tytho — Sat, 12 Feb 2022 15:52:45 +0000

I think that works great! The complaint I’ve heard is that you may need to support multiple ways to authenticate opening up more attack surface.