<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: woodruffw</title><link>https://news.ycombinator.com/user?id=woodruffw</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 17 Jul 2026 15:24:25 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=woodruffw" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[Readme, Not]]></title><description><![CDATA[
<p>Article URL: <a href="https://blog.yossarian.net/2026/07/16/README-not">https://blog.yossarian.net/2026/07/16/README-not</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48934858">https://news.ycombinator.com/item?id=48934858</a></p>
<p>Points: 3</p>
<p># Comments: 0</p>
]]></description><pubDate>Thu, 16 Jul 2026 14:10:49 +0000</pubDate><link>https://blog.yossarian.net/2026/07/16/README-not</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48934858</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48934858</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>I gave Shai Hulud as an example above. If you want precise timeline examples that demonstrate the efficacy of cooldowns, here’s some examples I collected last year[1].<p>(See the “Window of opportunity” column in the table.)<p>[1]: <a href="https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns" rel="nofollow">https://blog.yossarian.net/2025/11/21/We-should-all-be-using...</a></p>
]]></description><pubDate>Wed, 15 Jul 2026 15:47:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=48922635</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48922635</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48922635</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>To be clear, the RSA key thing isn’t really about it being a security issue
— that’s a part of it, but the bigger point was that it reflects structural failure/inertia that’s commonplace in distribution packaging.<p>(I am not a hater of distribution packaging, either. But I typically find comparisons between it and language packaging lacking, because the two have very different trust topologies.)</p>
]]></description><pubDate>Wed, 15 Jul 2026 15:44:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48922599</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48922599</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48922599</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>Well, yeah. There’s no package police that’ll stop you from installing malware. The argument has never revolved around that; the argument is solely that cooldowns are effective <i>if</i> you use them, and timely detection by third parties is strong evidence of that.</p>
]]></description><pubDate>Wed, 15 Jul 2026 12:42:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=48919990</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48919990</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48919990</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>I generally try not to name the companies directly, because I don’t want to give them free advertising. But you can look up e.g. the recent Shai Hulud campaign.<p>> Just post one link of a "supply chain" problem that was prevented by any of these companies before it went into the wild and affected users.<p>This is not the claim being made, since cooldowns are <i>not</i> widely adopted at the moment.</p>
]]></description><pubDate>Wed, 15 Jul 2026 11:35:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48919274</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48919274</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48919274</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>If you google “supply chain security company” you will find various companies of various reputations vying for attention in this space.</p>
]]></description><pubDate>Wed, 15 Jul 2026 07:41:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48917508</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48917508</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48917508</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>Being unable to rotate the same weak RSA key for over a decade because it was too operationally cumbersome[1] does not strike me as “modern best practices.” I also don’t think any Linux distribution package maintainer would make a legally binding claim to have “vetted” packages: the filter is reputational, not a strong guarantee that the package is not malicious. The xz incident demonstrates that tidily: the only reason it was caught it because it was noisy; the package itself was <i>presumed</i> to be safe.<p>(This is, to be clear, fine. But we should be clear-headed about what package distribution mechanisms actually provide in terms of guarantees.)<p>[1]: <a href="https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1461834" rel="nofollow">https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1461834</a></p>
]]></description><pubDate>Wed, 15 Jul 2026 07:39:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48917487</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48917487</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48917487</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>They are very fundamentally different solutions: the entire premise of distribution packaging is that you’re relying on some distribution maintainer’s discretion. It’s <i>not</i> an open index.</p>
]]></description><pubDate>Wed, 15 Jul 2026 06:38:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48917056</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48917056</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48917056</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>Fundamentally, this is a cat-and-mouse game. But I suspect that "time bomb" techniques aren't economically viable for attackers, at least not with current patterns: current attackers demonstrate "smash and grab" tendencies because they know their access is limited anyways. Attempting to wait out a cooldown exposes them to additional detection risk.<p>Of course, maybe the attacker profile changes over time. But that's the nature of the game.</p>
]]></description><pubDate>Wed, 15 Jul 2026 00:49:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=48914874</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48914874</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48914874</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>The publishing topology is pretty fundamentally different: the entire power (and danger) of language package managers is that anybody can publish, not just a privileged few.<p>(This cuts both ways: I’d say that distribution package managers have learned valuable lessons about what users <i>actually</i> want from language package managers. Learning is a good thing.)</p>
]]></description><pubDate>Tue, 14 Jul 2026 23:04:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=48914061</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48914061</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48914061</guid></item><item><title><![CDATA[New comment by woodruffw in "Dependabot version updates introduce default package cooldown"]]></title><description><![CDATA[
<p>> But if everyone will be delaying updates, won't be there less chances to catch it in time?<p>No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties.<p>> I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.<p>It’s not <i>that</i> much data, particularly for parties that are directly financially incentivized to be the first to report malware.</p>
]]></description><pubDate>Tue, 14 Jul 2026 23:01:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=48914027</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48914027</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48914027</guid></item><item><title><![CDATA[Dependabot version updates introduce default package cooldown]]></title><description><![CDATA[
<p>Article URL: <a href="https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/">https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48913050">https://news.ycombinator.com/item?id=48913050</a></p>
<p>Points: 207</p>
<p># Comments: 143</p>
]]></description><pubDate>Tue, 14 Jul 2026 21:15:51 +0000</pubDate><link>https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48913050</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48913050</guid></item><item><title><![CDATA[New comment by woodruffw in "Our Amish Language"]]></title><description><![CDATA[
<p>I really enjoyed this article. I grew up with a small amount of a similarly uncommon (outside of religious groups) Germanic language, one that I’ve learned more of as an adult, and many of the experiences (around struggling to get people to speak it, even when they know it) ring true.<p>> I grew up using this term, but upon encountering Louden’s work, I learned that “dialect” often functions more as an insult than a linguistically useful designation.<p>A shprakh iz a dyalekt mit armey un flot!</p>
]]></description><pubDate>Tue, 14 Jul 2026 06:30:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=48902983</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48902983</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48902983</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>I don’t have an opinion about whether Bun is poorly coded or not. I also don’t have an opinions on it being a good project or not.<p>I do find these kinds of “get good” arguments tiresome, though. Our job as responsible engineers is to develop strong and safe abstractions for the next group of engineers to use. Rust is one such abstraction.</p>
]]></description><pubDate>Tue, 14 Jul 2026 05:51:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=48902750</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48902750</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48902750</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>There’s a difference between having a negative reaction, which is a natural human thing, and talking out of both sides of your mouth. You can also have negative things to say (or just strong opinions) without being indecorous or unkind.</p>
]]></description><pubDate>Tue, 14 Jul 2026 05:45:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48902713</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48902713</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48902713</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>The word “fuss” doesn’t occur in the original Bun article.<p>I also don’t think that forking the compiler is a big fuss. Large companies do that all the time, to carry whatever patches they haven’t upstreamed yet (or can’t). It’s really not that big of a deal.</p>
]]></description><pubDate>Tue, 14 Jul 2026 05:38:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=48902683</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48902683</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48902683</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>I don’t think the basic idea that Zig is less safe than a language like Rust (and therefore has different classes of “endemic” bugs) is controversial among Zig programmers.<p>The points they make around explicit defers are a lot more subtle than it being too many lines. Quoting:<p>> For Zig code, when exactly should we be running the cleanup code? If we're passing the same *T to many different functions, how do we know when it's no longer accessible and can be cleaned up? How does it work when some functions need to continue to reference the memory after the function is called?</p>
]]></description><pubDate>Mon, 13 Jul 2026 21:53:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48899420</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48899420</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48899420</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>Ah yeah, I agree with you.</p>
]]></description><pubDate>Mon, 13 Jul 2026 19:54:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48897905</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48897905</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48897905</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>I don't understand how a port is a "provocation." That's a very cynical and  transactional way of thinking about open source.<p>(As for Anthropic's motivation: only they know. But I suspect that they saw Zig's AI policy as a potentially existential risk, and moved to de-risk their position. That <i>is</i> a technical decision, just not one rooted in the merits of any particular language.)</p>
]]></description><pubDate>Mon, 13 Jul 2026 19:25:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48897547</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48897547</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48897547</guid></item><item><title><![CDATA[New comment by woodruffw in "Zig Creator Calls Spade a Spade, Anthropic Blows Smoke"]]></title><description><![CDATA[
<p>I really struggle to find a plain, non-motivated reading of the Bun's post that could be fairly described as a "trashing." It's a very bland post.</p>
]]></description><pubDate>Mon, 13 Jul 2026 19:20:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=48897458</link><dc:creator>woodruffw</dc:creator><comments>https://news.ycombinator.com/item?id=48897458</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48897458</guid></item></channel></rss>