HN Reader

Hive-like spatial DB for GIS workloads (bitsgonewild.ghost.io)

1 points by jspuri 3m ago 0 comments

Ask HN: Any recommendations for a portable music player

1 points by laserstrahl 3m ago 0 comments

Show HN: Turn your football knowledge into a challenge game (apps.apple.com)

1 points by wyethdev 4m ago 0 comments

Django Firefly Tasks – simple and easy to use background tasks in Django (github.com)

1 points by lukas346 7m ago 1 comments

Racing airplane design for a concept art of a fictional aerial world (instagram.com)

1 points by epicusdraw 11m ago 0 comments

Ask HN: What tool, tech or process in front-end dev would you improve/change?

1 points by herol3oy 12m ago 0 comments

Connecting SharePoint and Microsoft OneDrive to ChatGPT Deep Research (help.openai.com)

1 points by gfortaine 13m ago 0 comments

CoCalc HTTP-Proxy-3 (npmjs.com)

1 points by BlaecBejarano 13m ago 1 comments

Email domain to tell everyone that you use Vim editor (iusevimbtw.com)

1 points by zhisme 14m ago 0 comments

Auction to Dine with Trump Creates Foreign Influence Opportunity (nytimes.com)

1 points by ChrisArchitect 14m ago 1 comments

Two Months in Servo: CSS Nesting, Shadow DOM, Clipboard API, and More (servo.org)

1 points by todsacerdoti 15m ago 0 comments

Understanding customers: it starts with specificity, not generality (doinghandstands.substack.com)

1 points by newsinsposhare 15m ago 0 comments

HealthBench (openai.com)

2 points by mfiguiere 16m ago 0 comments

Chegg to lay off 22% of workforce as AI tools shake up edtech industry (reuters.com)

4 points by speckx 20m ago 1 comments

Tables for Layout? Absurd. (2017) (thehistoryoftheweb.com)

2 points by ArinaS 22m ago 0 comments

iOS 18.5 (macrumors.com)

1 points by tosh 23m ago 0 comments

Intro to Autograd Engines: Karpathy's Micrograd Implemented in Go (nathan.rs)

1 points by nathan-barry 23m ago 1 comments

Visual Studio Code beefs up AI coding features (infoworld.com)

1 points by aard 24m ago 0 comments

WebKit Features in Safari 18.5 (webkit.org)

1 points by feross 25m ago 0 comments

Ask HN: How should we version our models?

2 points by joshdavham 27m ago 1 comments

Show HN: The missing inbox for GitHub pull requests (github.com)

1 points by pvcnt 29m ago 0 comments

Germ-theory skeptic RFK Jr. goes swimming in sewage-tainted water (arstechnica.com)

3 points by rntn 29m ago 1 comments

Hunyuan-TurboS: the first ultra-large Hybrid-Transformer-Mamba MoE model (twitter.com)

1 points by tosh 30m ago 0 comments

Access to the United States' President for Sale via Meme Coin (mastodon.social)

12 points by doener 32m ago 5 comments

Show HN: Running C code inside of Scratch – proof-of-concept (github.com)

1 points by QuantumTaco74 36m ago 0 comments

My Superbooth 2025 Experience (blog.orhun.dev)

2 points by orhunp_ 38m ago 0 comments

U.S. Nuclear Emergency Support aircraft touched down in Pakistan (thecommunemag.com)

4 points by rustoo 40m ago 0 comments

Thanks to Trump, OpenAI is struggling to get its Stargate project off the ground (neowin.net)

1 points by bundie 40m ago 0 comments

An update on the OSU-OSL funding situation (discourse.osgeo.org)

2 points by zinekeller 43m ago 0 comments

DuckDB: H3 (duckdb.org)

1 points by tosh 48m ago 0 comments

Create a new type of PKM for everyone (vetis.ai)

1 points by AiVetis 53m ago 0 comments

Several conferences relocate north of the border as Canadians refuse U.S. travel (cbc.ca)

2 points by colinprince 54m ago 0 comments

Show HN: C1 – an OpenAI-compatible LLM API that renders real UI instead of md

1 points by rabisg 56m ago 0 comments

Linux Kernel Exploitation Series (r1ru.github.io)

1 points by hkopp 1h ago 0 comments

Rescission of Recordkeeping on Restricted Pesticides by Certified Applications (federalregister.gov)

2 points by impish9208 1h ago 0 comments

Byte Latent Transformer: Patches Scale Better Than Tokens (arxiv.org)

9 points by dlojudice 1h ago 1 comments

Hacker News Dark Mode (Chrome Extension) (chromewebstore.google.com)

2 points by michalpleban 1h ago 1 comments

The USA's First Pope (amazingfacts.org)

1 points by afaxwebgirl 1h ago 1 comments

Cartwheel Robotics Wants to Build Humanoids That People Love (spectrum.ieee.org)

1 points by purpleko 1h ago 0 comments

Show HN: UsePRD-Plan new features with full codebase context- drop into Cursor (useprd.com)

1 points by hotrod46 1h ago 1 comments

A new type of AI is helping police skirt facial recognition bans (technologyreview.com)

2 points by gnabgib 1h ago 1 comments

Combine Hash and Limited Preimage Data to Improve Security of Password Hash (github.com)

1 points by Edmond 1h ago 0 comments

Why Magician David Blaine Fasts for Days Before His Shows (wsj.com)

1 points by elsewhen 1h ago 1 comments

Ask HN: Can On-device AI solve projected energy crisis?

1 points by vkkhare 1h ago 1 comments

Fingers wrinkle in the same pattern every time (binghamton.edu)

1 points by geox 1h ago 0 comments

Perplexity wrapping talks to raise $500M at $14B valuation (cnbc.com)

1 points by mfiguiere 1h ago 1 comments

If Everyone Has Trauma, Everyone Has Trauma (freddiedeboer.substack.com)

3 points by paulpauper 1h ago 0 comments

I hacked a dating app (and how not to treat a security researcher) (alexschapiro.com)

164 points by bearsyankees 1h ago 66 comments

At least five interesting things: Requiem for capitalism edition (#63) (noahpinion.blog)

1 points by paulpauper 1h ago 0 comments

Show HN: Shorts Stopper – Block YouTube Shorts on Safari iOS (apps.apple.com)

1 points by abyesilyurt 1h ago 0 comments

Demonstrably Secure Software Supply Chains with Nix

36 todsacerdoti 5 5/12/2025, 2:54:31 PM nixcademy.com ↗

Comments (5)

beardedwizard · 1h ago
The bummer about lots of supply chain work is that it does not address the attacks we see in the wild like xz where malicious code was added at the source, and attested all the way through.

There are gains to be had through these approaches, like inventory, but nobody has a good approach to stopping malicious code entering the ecosystem through the front door and attackers find this much easier than tampering with artifacts after the fact.

yencabulator · 1h ago
I think a big part of the push is just being able to easily & conclusively answer "are we vulnerable or not" when a new attack is discovered. Exhaustive inventory already is huge.
tough · 12m ago
i read somewhere go has a great package for this that checks statically typed usage of the vuln specific functions not whole package deps
XiZhao · 1h ago
I run a sw supply chain company (fossa.com) -- agree that there's a lot of low hanging gains like inventory still around. There is a shocking amount of very basic but invisible surface area that leads to downstream attack vectors.

From a company's PoV -- I think you'd have to just assume all 3rd party code is popped and install some kind of control step given that assumption. I like the idea of reviewing all 3rd party code as if its your own which is now possible with some scalable code review tools.

sollewitt · 53m ago
Valuably you also get demonstrable _insecure_ status - half the pain for our org of log4js was figuring out where it was in the stacks, and at which versions. This kind of accounting is really valuable when you're trying to figure out if and where you are affected.