Hacker News: xlii

New comment by xlii in "SecurityBaseline.eu"

xlii — Wed, 13 May 2026 08:57:05 +0000

I checked Warsaw, Poland.

It has 3 HIGH RISK issues because

    - DNSSEC is not configured
    - Few cookies are send and (ALERT!) Google marketing cookie
    - Missing ROA

The thing though is that this is purely informational website (that's defunct under Safari :D) and all actual interaction goes through specialized portal (e.g. gov.pl, for which only complain is cipher order).

I get it, it's aggregator but showing red maps is at leals sensationalists

Seems that results are taken from internet.nl, which has WAY better UI than page posted.

https://batch.internet.nl/site/um.warszawa.pl/17768032/#

New comment by xlii in "Postmortem: TanStack NPM supply-chain compromise"

xlii — Tue, 12 May 2026 08:39:55 +0000

Stupid thought.

Make alias called sdo that echoes sudo path and hash every time you use it to stderr.

That's security by obscurity though.

New comment by xlii in "Idempotency is easy until the second request is different"

xlii — Mon, 11 May 2026 10:32:22 +0000

> I do retry because I wanted the outcome. I'm not giving it a new key (firstly because I'm a user clicking a form, not choosing UUIDs for my shopping cart) but more importantly, if I did supply a second key, it's now my fault for ordering two copies.

Upon initial request I have you "URPAY1". If you never check URPAY1 for status, we'll callback you and expect the result. If neither check nor callback succeeded rollback actions are ran (this is contractual agreement on partnership level).

You can verify your status with URPAY1. You need to provide your status check with check ID (URPAY1) and an unique request ID. You will receive a timestamped response. You won't get different responses for same CheckID + RequestID because it's a activity log and also procedure check (e.g. grossly simplifying success at 23:59:58 might be something different than success at 00:00:05 - these times can vary depending on partner, continent, so it's not only midnight etc.) If at any point you didn't get response you can retry and you will always get the same response.

Didn't get URPAY1 for the first time? No problem try againt second time. You'll get the same URPAY1. No new effects needed.

In this design you, as requester are in full power. You can make the same request 100 times which will cause only 1 effect. If networking is lost, something will crash you're still guaranteed to have effect AT MOST once.

In case you're curious for the full flows and handling edge cases Stripe has great documentation regarding how process looks like from merchant's customer's side (as this is their business and you can integrate with them).

New comment by xlii in "Idempotency Is Easy Until the Second Request Is Different"

xlii — Sun, 10 May 2026 11:58:10 +0000

That's why you need to separate work from actual input.

It's not about trying again but about making sure you get consistent state.

Imagine request for payment. You made one and timeouted. Why did it timeout? Your network or payment service error?

You don't know, so you can't decide between retry and not retry.

Thus practice is: make request - ack request with status request id (idempotent, same request gives same status id) - status checks might or might not be idempotent but they usually are - each request need to have unique id to validate if caller even tried to check (idenpotency requires state registration).

If you want to try again you give new key and that's it.

There might of course be bug in implementation (naive example: idempotency key is uint8) but proper implementation should scope keys so they don't clash. (Example implementation: idempotency keys are reusable after 48h).

If same calls result in different responses (doesn't matter if you saw it or not) then API isn't idempotent.

New comment by xlii in "Idempotency is easy until the second request is different"

xlii — Sun, 10 May 2026 11:49:19 +0000

Don't fix other people problems.

If idempotent key was seen then send back response.

Clients intention is outside the scope. If contract says "idempotency on key" the idempotent response on key. If contract says "idempotent on body hash" then response on body hash (which might or might not include extra data).

APIs are contracts. Not the pinky promise of "I'll do my best guess"

Show HN: SVG Fitter – Rust+WASM Vectorizer

xlii — Sat, 25 Apr 2026 16:51:18 +0000

I went crazy with a tool that helps me tracing raster images. Thought other might like it.

It doesn't auto vectorize image, but rather allow for guided process. Final SVG still should be edited.

Few fun features like genetic algorithm fit optimization, semi-manual tracing and color preservation.

Perfect if you want to have lightweight SVG from huge PNG image.

Note: If there's interest I might open-source it, just not sure if anyone would want to see it :)

Comments URL: https://news.ycombinator.com/item?id=47902793

Points: 3

# Comments: 0

New comment by xlii in "I cancelled Claude: Token issues, declining quality, and poor support"

xlii — Fri, 24 Apr 2026 23:21:13 +0000

+1 for pi. I used claude and opencode but pi is the first agent tool that made me excited about the whole thing.

New comment by xlii in "AI-assisted cognition endangers human development?"

xlii — Wed, 15 Apr 2026 18:48:32 +0000

Gemini can be asked about current events. I was quite surprised it was able to give structured information about love boxing event in realtime.

New comment by xlii in "Ask HN: What Are You Working On? (April 2026)"

xlii — Mon, 13 Apr 2026 06:52:55 +0000

A small project but something that I'm happy about: Postgresql backed persistent queues crate for Rust.

I couldn't find any crate that would be ergonomic enough to use and provide features I deem essential, i.e. retryability, scheduling, poison job detection, barriers, backoff strategies etc.

it's an area I'm familiar with so after spending 2 days trying to integrate external libs I decided to roll my own and I'm quite happy how it turned out in 2 days of development.

I plan to open-source it in the near future but right now using it in my another project and it's running quite well.

New comment by xlii in "A Faster Alternative to Jq"

xlii — Fri, 27 Mar 2026 10:34:40 +0000

It's a simple loop:

- Someone likes tool X

- Figures, that they can vibe code alternative

- They take Rust for performance or FAVORITE_LANG for credentials

- Claude implements small subset of features

- Benchmark subset

- Claim win, profit on showcase

Note: this particular project doesn't have many visible tells, but there's pattern of overdocumentation (17% comment-to-code ratio, >1000 words in README, Claude-like comment patterns), so it might be a guided process.

I still think that the project follows the "subset is faster than set" trend.

Show HN: Dataf*ck – An Esoteric Data Format

xlii — Thu, 26 Mar 2026 16:08:04 +0000

Article URL: https://xlii.space/projects/datafuck/

Comments URL: https://news.ycombinator.com/item?id=47532242

Points: 2

# Comments: 0

New comment by xlii in "Grafeo – A fast, lean, embeddable graph database built in Rust"

xlii — Sat, 21 Mar 2026 20:53:44 +0000

I wonder if people are using (or intend to use) vibe-coded projects like the one linked.

I mean - I understand, some people have fun looking at new tech no matter the source, but my question is is there a person who would be designated to pick a GraphQL in language and would ignore all the LLM flags and put it in production.

New comment by xlii in "I was interviewed by an AI bot for a job"

xlii — Thu, 12 Mar 2026 22:05:00 +0000

Fingers crossed.

One thing to keep in mind is that leetcode is testing (surprise) social anxiety. You can be a great engineer, terrific peer to have in the time when crisis hits but still fail at leetcode problem because someone is watching.

New comment by xlii in "I was interviewed by an AI bot for a job"

xlii — Wed, 11 Mar 2026 21:46:39 +0000

Geez. Good one. Was in something similar lately. 10 weeks wasted and a shittiest feedback ever. These companies should be legally required to pay candidates for gauntlets they put them through.

Show HN: Filtering "Who's Hiring" with LLMs – native desktop app in Rust/egui

xlii — Tue, 10 Mar 2026 13:02:55 +0000

Every month "Who's Hiring" drops 300+ free-form listings. Inconsistent keywords - "US only", "United States candidates exclusively", and "on-site NYC" is semantically same if you're looking for a remote job from Europe, but term-based search allows them to slip through. The thread reorders on every reload, so you lose your place.

This is a solved problem if you just throw an LLM at it. Define your requirements, attach your resume, Gemini scores and ranks everything. Built in Rust with egui.

Bring your own Gemini key — no backend, no subscription. Desktop because some listings are walls of text and a scrollable cell in a scrollable table was the only UI that made sense.

Comments URL: https://news.ycombinator.com/item?id=47322713

Points: 1

# Comments: 0

New comment by xlii in "Windows: Microsoft broke the only thing that mattered"

xlii — Tue, 10 Mar 2026 08:09:36 +0000

After recent update fiascos I decided to install PopOS on a gaming rig that ran Windows 11 (as a pre-made set).

As they say, you can't see the light in the darkness and the difference between two is like between night and day.

Stable performance, consistent Remote Play to Steam Deck, quick bootup and no "hey want to play, that's a shame cause I got 20 minutes of patches to install".

Sure it's still a Linux with all consequences (had to switch from Wayland to Xorg for remote play and being returning user after couple years it wasn't straightforward) but it works much better.

I won't ever install Windows on my family computers. If I can afford to equip them with Macs I'll do so. If not - they'll get Linux instead.

New comment by xlii in "Code Review for Claude Code"

xlii — Mon, 09 Mar 2026 22:14:02 +0000

> We've been running Code Review internally for months: on large PRs (over 1,000 lines changed), 84% get findings, averaging 7.5 issues. On small PRs under 50 lines, that drops to 31%, averaging 0.5 issues. Engineers largely agree with what it surfaces: less than 1% of findings are marked incorrect.

So the take would be that 84% heavily Claude driven PRs are riddled with ~7.5 issues worthy bugs.

Not a great ad of agent based development quality.

New comment by xlii in "Approved. Unread. Shipped"

xlii — Thu, 05 Mar 2026 22:21:49 +0000

I think I can imagine them clearly, stay tuned.

Approved. Unread. Shipped

xlii — Wed, 04 Mar 2026 21:12:37 +0000

Article URL: https://xlii.space/blog/approved_unread_shipped/

Comments URL: https://news.ycombinator.com/item?id=47253922

Points: 2

# Comments: 2

New comment by xlii in "Claude's Cycles [pdf]"

xlii — Tue, 03 Mar 2026 23:47:09 +0000

So the actors who portrait great thinkers are great thinkers?