Multipaint: Draw pictures with color limitations of 8-bit and 16-bit platforms (multipaint.kameli.net)

37 points by doener 2d ago 17 comments

Milwaukee M18 Battery Reverse Engineering (quagmirerepair.com)

210 points by jakogut 1d ago 101 comments

Ocean Tides and the Earth's Rotation (2001) (core2.gsfc.nasa.gov)

32 points by susam 3d ago 7 comments

1,700 year old egg never broke (atlasobscura.com)

83 points by demadog 4d ago 29 comments

The Size of Packets (potaroo.net)

82 points by todsacerdoti 21h ago 39 comments

Show HN: Attune - Build and publish APT repositories in seconds

55 ilikebits 18 4/18/2025, 4:14:18 PM github.com ↗

Hey HN, we're Eliza and Xin, and we’ve been working on Attune. Attune is a tool for publishing Linux packages.

Previously, we worked at other startups building open source developer tools that ran on our customers’ CI and development machines. For many of them, being able to `apt-get install` our tools was a requirement.

When we went to actually set up APT repositories, we were really surprised by the state of tooling around package publishing. The open source tools we found were old, slow, and difficult to figure out how to run in CI. The commercial tools we found were not much better. The cloud-hosted vendors required us to provide our signing keys to a cloud vendor (which was a non-starter), while the self-hosted vendors required us to operate our own specialized hosting servers.

We just wanted something simple: sign locally, run quickly, be easy to use, and deploy to managed object storage.

We couldn’t find it, so we built it. If you want to try it out, you can create a repository with three commands:

    attune repo create --uri https://apt.releases.example.com
    attune repo pkg add --repo-id 123 package.deb
    attune repo sync --repo-id 123

You can get the tool at https://github.com/attunehq/attune. There are a lot of rough edges right now since it's so new - sorry in advance, we're working on sanding those down.

It’s fully open source under Apache 2. We’re also working with some early customers to build enterprise features like audit logging, RBAC, and HSM integrations, and we’re thinking about building a managed cloud hosting service as well.

We’d love your feedback on whether this is useful for you, and what you’d like to see next. We’re well aware that publishing is a small piece of CI/CD, but we think a lot of the tooling in this area (publishing, artifact registries, package repositories) could really use some love.

What do you think? Comment here, or email us at founders@attunehq.com.

Comments (18)

yjftsjthsd-h · 5h ago

It's probably intuitive to anybody who's tried to do this the hard way, but if your target is people without that experience, you might want to dumb it down even more. So this is from your readme:

  attune repo create -u 'http://localhost:9000/debian' -d bookworm
  attune repo pkg -r 1 add -c stable/v17 ~/Downloads/teleport_17.4.4_arm64.deb

And I think I know what `-d bookworm` must be, but I've no clue what -r or -c are doing in the second command.

Also, from your post here (and why are the quick start steps different here?),

  attune repo create --uri https://apt.releases.example.com

What is that URI supposed to be? Is that where the thing will eventually get served from and I have to run this on the server, or synchronize an output directory to the server, or is that going to do some sort of magic upload itself?

ilikebits · 5h ago

Totally agree here. The current target is people who are familiar with the process, and we plan to write more documentation as we start thinking more about accessibility to a broader audience. We actually ran into this issue ourselves while building the tool - the Debian documentation is all there, but not the easiest to approach. These docs are one of the rough edges (sorry!) since we wanted to get this out earlier for feedback.

To answer your direct question: on self-hosted repositories, the URI right now is just a string identifier. We are working right now on a cloud hosted service, and there the URI will help us figure out which repository to actually serve.

3np · 34m ago

Looks neat!

What would be really valuable for us would be future support for other distros/repos.

A more unified interface for synchronized publishing across say dep/rpm/archlinux/alpine when we have multi-distro packages to build and publish.

Hackbraten · 5h ago

How is this different to aptly, especially if one already has object storage?

ilikebits · 5h ago

One of the tools we tried was Aptly! A couple issues we had with Aptly:

1. Aptly needs to rebuild the entire repository before it can do any changes. One of our customers builds packages for every Linux OS, and every architecture, and each release contains 10-something separately packaged tools, and they do regular releases. This means their repository of packages is _huge_. When they try to do small maintenance actions like removing a package that has a bug, they need to rebuild their entire repository to do this, which takes upwards of 30 minutes. On Attune, since we have a centralized control plane, it takes about 10 seconds.

2. Aptly doesn't have concurrency controls. This makes it annoying to run in CI. Imagine you're setting up a CI pipeline that runs on every commit and publishes a package. You need to make sure you don't have two different instances of Aptly running at the same time, because their updates will clobber each other if they publish at the same time. Can you ensure that your CI only ever runs one publish at a time? This is easy in some setups, but surprisingly hard in GitHub Actions - concurrency keys don't quite work the way you'd expect them to.

3. Aptly uses its storage as its source of truth for the current state of packages. This is a great design choice for simplicity! However, if your CI job dies halfway through during an Aptly publish, this can leave your repository in a corrupted (in this case, half-updated) state. To recover from this, you need to rebuild the repository state... which you can't, because the ground truth is contained in the storage which was just corrupted! We mitigate this issue by tracking metadata in a separate transactional database so CI crashes don't cause corruption.

These are some examples of little cuts that build up over time with all of the tools we've found so far. Lots of the open source tooling is great at low scale, but the cuts start to build up once you are pushing a meaningful amount of packages to production.

Hackbraten · 43m ago

Thanks for the detailed response!

benwilber0 · 5h ago

Maybe I'm wrong, but aren't apt repositories just files in a web root? There are many scripts in the Debian ecosystem to generate and maintain such web directories. Maybe the actual package building would be interesting, but I don't know about just "we'll host your .deb files and keep the index updated"

ilikebits · 5h ago

You are correct. The reason we built this tool is because all of the scripts we found had sharp edges when we tried to use them in production at scale (I talk about some of them here: https://news.ycombinator.com/item?id=43730136).

Most of these scripts were designed for a world where there was A Blessed Deployment Machine that acted as its own de facto centralized control plane. We're designed for a newer world where publishing is just another piece of your CI, so you need more features to handle concurrency control, distributed signing, incremental index rebuilds, etc.

benwilber0 · 5h ago

What is an example of something that would require "distributed signing"?

ilikebits · 5h ago

Our use case is customers who (1) want to use a managed cloud hosting service that we provide, but (2) are not willing to give us their signing keys. Our design allows them to keep all of their signing keys local to their environment.

To our knowledge, we have not found another provider who supports both of these requirements. It's not some amazing technical innovation, but it is one of those annoying paper cuts that builds up with all the others.

benwilber0 · 25m ago

> when we tried to use them in production at scale

Debian and Ubuntu have been using them in production and "at scale" for decades. What are the "sharp edges" that you're trying to solve?

rlpb · 28m ago

Signing an unsigned apt repository is about three gpg commands though. I don't see how this kind of thing requires a whole separate product.

frabona · 3h ago

Curious how different is this from mise and ubi? https://github.com/jdx/mise

I have a few pain points with that for installing cua (https://github.com/trycua/cua/issues/27), so if it can remove the initial friction happy to chat!

0x6c6f6c · 47m ago

I've never heard of mise used for creating and managing APT repositories. Where does that figure in?

powerawq103846 · 3h ago

very cool stuff!

jauntywundrkind · 5h ago

Yes, it's Rust ;). Sign of quality to me.

Excited to try. I ran a reprepo for a couple of years & it wasn't the worst to run, but not fun either. My confidence in efficiently publishing packages was super low, never improved much.

It also mandated running a web server (configuring my nginx to point at the repo filesystem), not very batteries included.

https://wiki.debian.org/DebianRepository/SetupWithReprepro

ilikebits · 5h ago

Thanks for trying, and sorry in advance for the rough edges :)

We're also working on a hosted service! If you'd like a sneak peek, send us a message at founders@attunehq.com (or email me directly at eliza@attunehq.com). I'm happy to talk about your specific needs and see if we can build something for them.

(And yes, it is Rust. I keep trying to find projects where I get to stretch my Haskell wings again, but unfortunately I keep working on things with silly requirements such as "easily understandable performance" and "a cross-compilation story" and "not making my collaborators sit through another monad tutorial".)

eMPee584 · 1h ago

.. for the repo github pages can be used as well, although the disgust when pushing huge .deb files up there is real.

15,000 lines of verified cryptography now in Python (jonathan.protzenko.fr)

Full Text Search of US Court records (judyrecords.com)

Show HN: I made a Doom-like game fit inside a QR code (github.com)

Understanding the Origins and the Evolution of Vi and Vim (pikuma.com)

Hextraction, a free and open source board game (playhextraction.com)

UML diagram for the DDD example in Evans' book (github.com)

Principles for Building One-Shot AI Agents (edgebit.io)

Electric Propulsion's Dirty Secret: Why Lithium Can't Fly (Or Float) Profitably (kumarletter.com)

Judge Rules Blanket Search of Cell Tower Data Unconstitutional (404media.co)

Show HN: (bits) of a Libc, Optimized for Wasm (github.com)

Ink and Switch Constraint System (2023) (inkandswitch.com)

Cyberpunk 1958: The Early Days of the Polish IT Industry (culture.pl)

There's Life Inside Earth's Crust (noemamag.com)

A New ASN.1 API for Python (blog.trailofbits.com)

How a yacht works: sailboat physics and design (onemetre.net)

Loglan'82: programming language for object-oriented and distributed programming (lem12.uksw.edu.pl)

The most famous carbon dioxide absorber (howequipmentworks.com)

Dot (YC S21) is hiring a sales engineer to automate analytics (fully remote) (ycombinator.com)

Defold: cross-platform game engine (defold.com)