Hacker News: wereHamster

New comment by wereHamster in "Pull request limits are cutting down the noise"

wereHamster — Wed, 24 Jun 2026 18:30:29 +0000

> Add a mechanism to donate tokens

Or donate money. Crazy idea, eh?

New comment by wereHamster in "Running MicroVMs in Proxmox VE, the Easy Way"

wereHamster — Sun, 21 Jun 2026 11:38:11 +0000

I was just looking into microvm (via microvm.nix) to isolate coding agents. While the machine starts quickly, as in the article, the userspace (nixos) takes much longer. I'd probably need to spend some time to strip the system of all non-essential services. I also briefly considered running the agent harness as PID 0. That would speed things up, but also mean a lot of responsibility on my end. My biggest struggle is how to imperatively manage agent microvms on nixos. microvm.nix isn't really well suited for that task. For longer-running VMs, that I can manage via my nixos config, I'm quite happy with microvm.nix. Related article by Michael Stapelberg: https://michael.stapelberg.ch/posts/2026-02-01-coding-agent-...

New comment by wereHamster in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"

wereHamster — Tue, 19 May 2026 09:06:33 +0000

After I upgraded pnpm to v11, I set all allowBuilds to false and have not observed any failures. Made me wonder why the packages even need build scripts. My guess is for obscure or old platforms, but for most users running on Linux or Darwin build scripts seem to be unnecessary.

New comment by wereHamster in "Postmortem: TanStack NPM supply-chain compromise"

wereHamster — Mon, 11 May 2026 23:02:25 +0000

I'm looking forward to the analysis how the attacker managed to compromise CI. I was reading through the workflow and what immediately jumped out was a cache poisoning attack. Seems plausible, given https://github.com/TanStack/config/pull/381

edit: two hard things in computer science: naming things, cache invalidation, off-by-one errors, security. something something

New comment by wereHamster in "Show HN: Prompt-to-Excalidraw demo with Gemma 4 E2B in the browser (3.1GB)"

wereHamster — Sun, 19 Apr 2026 13:51:04 +0000

CDN wouldn't help much. These days browsers partition caches by origin, so if two different tools (running on different domains) fetch the same model from the CDN, the browser would download it twice.

New comment by wereHamster in "Filing the corners off my MacBooks"

wereHamster — Sat, 11 Apr 2026 07:42:45 +0000

I bought a light HF acid (rust remover) so I can properly clean titanium parts before anodizing. Worked like a charm...

New comment by wereHamster in "Apple Business"

wereHamster — Tue, 24 Mar 2026 16:44:09 +0000

business.apple.com doesn't work in Firefox, it redirects you to https://business.apple.com/abm_unsupported_browser?reason=Br...

Fuck you Apple.

New comment by wereHamster in "Global Warming Has Accelerated Significantly"

wereHamster — Fri, 06 Mar 2026 15:27:45 +0000

China is already slowing down the addition new fossil fuel power plants. Yes, they still build new ones, yes they generate a lot of emissions. But they are also adding more than the rest of the world combined of renewable (solar, wind) electricity generation each year. Realistically, if China stopped 100% of emissions tomorrow, they'd be in much better position to replace it with clean alternatives than most other countries.

New comment by wereHamster in "Understanding ZFS Scrubs and Data Integrity"

wereHamster — Tue, 20 Jan 2026 09:45:16 +0000

A loooong time age (OpenSolaris days) I had a system that had corrupted its zfs. No fsck was available because the developers claimed (maybe still do) that it's unnecessary.

I had to poke around the raw device (with dd and such) to restore the primary superblock with one of the copies (that zfs keeps in different locations on the device). So clearly the zfs devs thought about the possibility of a corrupt superblock, but didn't feel the need to provide a tool to compare the superblocks and restore one from the other copies. That was the point when I stopped trusting zfs.

Such arrogance…

New comment by wereHamster in "Go.sum is not a lockfile"

wereHamster — Thu, 08 Jan 2026 16:18:38 +0000

Ok. So to answer the question whether the code for v1.0.0 that I downloaded today is the same as I downloaded yesterday (or whether the code that I get is the same as the one my coworker is getting) you basically have to trust Google.

New comment by wereHamster in "Go.sum is not a lockfile"

wereHamster — Thu, 08 Jan 2026 13:02:15 +0000

Let's assume I publish a github repo with some go code, and tag a particular commit with tag v1.0.0. People start using it and put v1.0.0 into their go.mod file. They use the golang proxy to fetch the code (and that proxy does the "verification", according to your comment). Now I delete the v1.0.0 tag and re-create the tag to point to different (malicious) commit. Will the golang proxy notice? How does it verify that the people that expect the former commit under the v1.0.0 tag will actually get that and not the other (malicious) commit?

New comment by wereHamster in "Go.sum is not a lockfile"

wereHamster — Thu, 08 Jan 2026 09:20:55 +0000

Now I understand :) thanks for clarifying

New comment by wereHamster in "Go.sum is not a lockfile"

wereHamster — Thu, 08 Jan 2026 08:44:42 +0000

A lock file, in my world, contains a cryptographic hash of dependencies. go.mod does not, it only lists tags, which are (in git) movable references.

If go.sum has "no observable effect on builds", you don't know what you're building and go can download and run unverified code.

I'm not a go developer and must be misunderstanding something...

New comment by wereHamster in "Deliberate Internet Shutdowns"

wereHamster — Mon, 22 Dec 2025 14:14:51 +0000

I just recently learned of Meshtastic (https://en.wikipedia.org/wiki/Meshtastic) and MeshCore (https://meshcore.nz/), which provide a platform for private and group messaging over P2P LoRa. They don't depend on internet, rely on the community to provide routing nodes, and thus harder to block for governments. It's gaining steam in Europe and can already be used for messaging across wide distances. It's slow though, so forget streaming videos or images. It can only carry messages. But that's often enough to coordinate or spread news.

New comment by wereHamster in "Pricing Changes for GitHub Actions"

wereHamster — Wed, 17 Dec 2025 12:19:01 +0000

I repurposed old M1/M4 Mac Mini's at my workplace into GitHub action runners. Works like a charm, and made our workflows simpler and faster. Persisting the working directory between runs was a big performance boost.

New comment by wereHamster in "Not all OCuLink eGPU docks are created equal"

wereHamster — Mon, 29 Sep 2025 23:18:02 +0000

I just ordered the BD790i X3D mainboard. A while ago Minisforum has been known for their slow BIOS updates, but hope that they have improved their processes since. I'll see…

New comment by wereHamster in "Slack has raised our charges by $195k per year"

wereHamster — Sat, 20 Sep 2025 10:09:16 +0000

We got rid of all Rails apps (that needed a backend). We've moved our Postgres databases to Neon, and run our docker containers on Google Cloud Run (these are containers that don't need to run 24/7, we're paying just a few cents each month, also cold starts are much faster and more reliable than on Heroku).

New comment by wereHamster in "Slack has raised our charges by $195k per year"

wereHamster — Thu, 18 Sep 2025 08:14:36 +0000

We just managed to shut down our last Heroku service a week ago. Good riddance.

New comment by wereHamster in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

wereHamster — Wed, 17 Sep 2025 06:14:14 +0000

AGPL is a no-go for many companies (even when it's just a tool that touches your code and not a dependency you link to).

New comment by wereHamster in "Campfire: Web-Based Chat Application"

wereHamster — Sun, 07 Sep 2025 18:33:20 +0000

Could it be that they removed /all/ comments from the codebase when they made it public, to not release some sensitive information that was in them?