HN Reader

Does anyone think the current AI approach will hit a dead end?

7 points by rh121 4h ago 9 comments

Ask HN: How much can we trust open-source projects or our hardware?

3 points by solosquad 6h ago 6 comments

Ask HN: Is Reddit going the way of Stack Overflow?

6 points by NotAnOtter 3h ago 11 comments

Ask HN: Can an amateur make contributions to pure math or theoretical physics?

3 points by career_question 11h ago 9 comments

Ask HN: How to avoid passive use of AI?

6 points by uscnep-hn 19h ago 9 comments

Ask HN: Looking for headless CMS recommendation

83 points by rakshithbellare 7d ago 86 comments

Ask HN: Are api.nasa.gov, data.nasa.gov down or shutdown?

15 points by srameshc 17h ago 1 comments

Ask HN: Who wants to be hired? (September 2025)

122 points by whoishiring 6d ago 347 comments

Ask HN: Who is hiring? (September 2025)

262 points by whoishiring 6d ago 388 comments

Why the Technological Singularity May Be a "Big Nothing"

7 points by starchild3001 1d ago 8 comments

Ask HN: Significant reduction in AI related submissions?

8 points by 3vidence 1d ago 4 comments

Automated Workday check in/check out and Microsoft Teams messages monitoring

4 points by quacktheboss 1d ago 0 comments

Ask HN: What do you think of the new Digg?

5 points by LorenDB 1d ago 4 comments

If AI agents take the jobs, who buys the stuff?

21 points by babua 2d ago 20 comments

Ask HN: Moving from Dev to PM

5 points by madmonk 1d ago 8 comments

New Member Alert

3 points by FatMike 1d ago 4 comments

Ask HN: Why does Google word privacy settings like you agree even when off?

29 points by matesz 4d ago 21 comments

Ask HN: LLM struggles to center div too?

4 points by divan 1d ago 6 comments

Ask HN: How long did it take you to learn Git?

5 points by Forgret 17h ago 9 comments

Ask HN: Useful AI applications in regular businesses?

9 points by dmos62 1d ago 0 comments

Ask HN: Is your company still hiring junior engineers?

43 points by wafflemaker 5d ago 57 comments

Ask HN: Why do LLMs struggle with word count?

2 points by rishikeshs 1d ago 4 comments

A16Z scouting ambitious Swiss founders for $1M accelerator

3 points by boggsss 1d ago 1 comments

ASIC: Proof-of-Concept Binary Optimizer Reduces Size, More to Come

2 points by Forgret 1d ago 4 comments

Tell HN: My advice after I applied to 450 positions before getting hired

135 points by usernamed7 8d ago 179 comments

Ask HN: When was the last time you visited Stack Overflow?

14 points by TimLeland 3d ago 25 comments

Ask HN: VSCode AI Autocomplete Woes

4 points by blinkbat 3d ago 4 comments

Ask HN: How do you fight YouTube addiction and procrastination? I'm struggling

148 points by angelochecked 7d ago 148 comments

File protection: anonymous, open source and fast

3 points by Gravyt1 5d ago 6 comments

Ask HN: Is anyone here deliberately low‑tech? If so, why and how?

17 points by scdnc 2d ago 18 comments

Ask HN: How much can we trust open-source projects or our hardware?

3 solosquad 6 9/8/2025, 12:52:52 AM
For large open-source security-focused projects like Kali Linux, we’re told there are no backdoors but with millions of lines of code, how can we actually verify that? Full manual auditing isn’t feasible for most individuals.

Some thoughts/questions:

Are reproducible builds and supply-chain audits enough to trust the binaries?

What strategies exist for spotting subtle backdoors in such large codebases?

For hardware, how do you approach the risk of compromised firmware, microcode, or hidden subsystems (e.g. Intel ME, AMD PSP)?

Do projects like Coreboot, Heads, or formally verified kernels meaningfully reduce this risk in practice?

Beyond reading every line yourself, what’s the best way to build confidence?

How much trust (percentage-wise) do you personally put in OSS security projects or commodity hardware, and what technical mitigations do you use to minimize blind trust?

Comments (6)

lordkrandel · 1h ago
Secure for what? Intrusion? Spying? Data collection? Dont use internet then. Disconnect. No data will be taken from your laptop this way, unless you are a secret agent, or a criminal.
benoau · 6h ago
You have to at a minimum trust the OS vendor, probably a slew of development tools, and blindly trust all the hardware you work upon and cloud platforms you deploy to to only-work as advertised.

You shouldn't particularly trust any software, monitor outbound traffic, silo your different projects to minimize what software is adjacent to your projects and the fallout if something got access, minimize programming dependencies and browser and IDE extensions and add-ons and stuff coming from unknown 3rd parties. Stay behind the latest builds/updates/releases so problems have time to be identified.

pabs3 · 5h ago
Reproducible builds aren't enough, you need projects that are reproducibly bootstrappable solely from source without any binaries. Usually the starting point is a small amount (an MBR) of manually entered documented machine code.

https://bootstrappable.org/ https://stagex.tools/

pabs3 · 5h ago
Almost all firmware is proprietary, so you aren't going to be able to trust it at all. Try to use hardware that has at least open boot firmware like u-boot or coreboot.

https://wiki.debian.org/Firmware/Open

bigyabai · 6h ago
Kali Linux is a pentesting distro. It's not claimed to be secure and AFAIK it makes deliberately insecure design decisions to enable spoofing/SDR attacks.

  Are reproducible builds and supply-chain audits enough to trust the binaries?
No. But for most applications trust isn't really required.

  What strategies exist for spotting subtle backdoors in such large codebases?
It's not hard. For big projects, contributors are usually a tight-knit group that heavily scrutinize any outsider PRs. By creating a rigorous system of code review (and implementing reminders for bad dependencies) you can deter backdoors decently well.

  For hardware, how do you approach the risk of compromised firmware, microcode, or hidden subsystems
You cannot.

  Do projects like Coreboot, Heads, or formally verified kernels meaningfully reduce this risk in practice?
No, but if properly configured they can reduce attack surface as-advertised.

  Beyond reading every line yourself, what’s the best way to build confidence?
I know this is a dumb answer, but "be smart" will get you a really long ways. Stick to the main roads, don't use software developed by 2 or 3 people if your personal security is paramount. Keep your systems slim and minimally networked, route any home servers through a VPN or proxy to prevent it from being harassed on the open internet.
solosquad · 6h ago
that’s true kali it’s designed for pentesting and not necessarily as a secure daily driver, but I was using it more as a stand-in example for large OSS projects where security is critical. Maybe a better example would be Qubes OS or OpenBSD