frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

A Palantir-ish dashboard for family trip planning

https://github.com/andrewjiang/palantir-for-family-trips
1•latchkey•18s ago•0 comments

Ottawa fixed the buyer's problem. The SME's four problems are still ours

https://vanguardcanada.com/ottawa-fixed-the-buyers-problem-the-smes-four-problems-are-still-ours/
1•ClearwayLaw•45s ago•1 comments

Spinel on Rails

https://intertwingly.net/blog/2026/06/19/Spinel-on-Rails.html
1•ksec•46s ago•0 comments

Ask HN: Does it still make sense to write code by hand?

2•fnoef•1m ago•0 comments

Effort Is the Whole Game

https://juanloco.dev/posts/effort-is-the-whole-game/
1•juanloco•2m ago•0 comments

Fuel System Components Eyed in NetJets Citation Crash

https://www.ainonline.com/aviation-news/business-aviation/2026-07-13/fuel-system-components-mx-ey...
1•r2sk5t•2m ago•1 comments

Show HN: Sign in with your ChatGPT account for free AI

https://openai-oauth.vercel.app/
1•EvanZhouDev•2m ago•0 comments

Trustmux

https://trustmux.dev
1•kristianpaul•4m ago•0 comments

Show HN: A photo editor that develops RAW files in the browser

https://vajba.com/image-editor/
1•trivsamt•4m ago•0 comments

Was I wrong about Etched?

https://www.zach.be/p/was-i-wrong-about-etched
1•hasheddan•5m ago•0 comments

You don't need another idea. You need a faster no

https://usemoki.com/
1•erayalakese•5m ago•0 comments

How to Make Your AI Agent's Actions Reliable (No Code)

https://quickchat.ai/post/reliable-ai-agent-actions
2•piotrgrudzien•5m ago•0 comments

Backblaze Drive Stats for Q1 2026

https://www.backblaze.com/blog/backblaze-drive-stats-for-q1-2026/
1•LaSombra•5m ago•0 comments

You only need the frontier model for one single edit

https://stencil.so/blog/prewalk
1•alphabetting•5m ago•0 comments

Show HN: SirixDB 1.0 Beta – Git-Like Versioning, Diffs, Time-Travel Queries

https://github.com/sirixdb/sirix
1•lichtenberger•6m ago•0 comments

Nat Slipstreaming v2.0 allows an attacker to remotely access any TCP/UDP service

https://sa.my/slipstream/
2•_____k•6m ago•1 comments

Making something on your own(without any LLM) feels so good

1•RajX_dev•7m ago•0 comments

Aerosols and hydrocarbons in the atmosphere of a white dwarf planet

https://arxiv.org/abs/2607.01316
1•root-parent•7m ago•0 comments

Apple's lawyer mixed up Asian OpenAI employees before lawsuit

https://www.nbcnews.com/tech/apple/apple-openai-lawsuit-suit-trade-product-hardware-email-sam-alt...
1•aarvin_roshin•7m ago•0 comments

Lego Considering Bondi Blue iMac G3 Set

https://www.macrumors.com/2026/07/14/lego-imac-g3-set/
1•malshe•9m ago•1 comments

Now, defenders are embracing the prompt injection, too

https://arstechnica.com/security/2026/07/now-defenders-are-embracing-the-prompt-injection-too/
1•arbuge•12m ago•0 comments

Over 400 CLOs Tabbed for Upgrade in Pivot That Fans '08 Fears

https://www.bloomberg.com/news/articles/2026-07-15/over-400-clos-tabbed-for-upgrade-in-pivot-that...
1•petethomas•12m ago•0 comments

LLM-as-a-Verifier: A General-Purpose Verification Framework

https://arxiv.org/abs/2607.05391
2•root-parent•12m ago•0 comments

Show HN: Homestead – Build apps for you, your family, and your agents

https://myhomestead.dev/
1•rambleraptor•12m ago•0 comments

Show HN: Generalized – AI agent skills with community proof

https://generalized.dev/
1•kubeden•14m ago•0 comments

When A.I. Is a Member of the Family

https://www.newyorker.com/magazine/2026/07/20/when-ai-is-a-member-of-the-family
1•fortran77•15m ago•0 comments

The age of the Universe from a large sample of the oldest Galactic stars

https://arxiv.org/abs/2607.00764
2•root-parent•16m ago•0 comments

Brightspeed's Fiber Asset Bet Meets $11B Debt Test

https://www.wsj.com/pro/bankruptcy/brightspeeds-fiber-asset-bet-meets-11-billion-debt-test-33fe5260
2•petethomas•17m ago•0 comments

Running Gemma 4 26B at 5 tokens/SEC on a 13-year-old Xeon with no GPU

https://www.neomindlabs.com/2026/06/08/running-gemma-4-26b-at-5-tokens-sec-on-a-13-year-old-xeon-...
3•neomindryan•19m ago•1 comments

Android Phone Maker OnePlus to Cease Operations in US and Europe

https://www.bloomberg.com/news/articles/2026-07-15/oneplus-once-popular-with-tech-fans-to-pull-ou...
3•LaSombra•20m ago•1 comments
Open in hackernews

Rust Dependencies Scare Me

https://vincents.dev/blog/rust-dependencies-scare-me/?
25•vsgherzi•1y ago

Comments

turtleyacht•1y ago
Probably hard to do during nine-to-five, but personally commit to being a contributor on every dependency used.

Like having mini contracts with every package, even if it's just to reproduce bugs, maintain a personal test suite, or to steer newcomers to resources.

Otherwise, we will always be in the dark about our dependencies, building our flying castles. (They float, but where's the foundation?)

Alternatively, there are open-source code scanners and bill-of-material security tools. Those could be added as triggered workflows in your projects, to run on each pull request.

As well, the author did rewrite dotenv's core features to replace it.

vsgherzi•1y ago
Yeah that's not a bad suggestion, I should def be more involved in the ecosystem. To do that for every crates seems exhausting though... Any favorite suggestions for scanners or SBOM creation tools?
turtleyacht•1y ago
Snyk has a free tier, but their Github integration passes workflows green more often than not. If you run it yourself as a container, you get finer-grained control over what to do with error code 1 versus error code 2: a vulnerability in changed versions, versus a pipeline error.

Sonar is free for open-source projects, but less package version security and more "use --ignore-scripts in npm," "don't be root in Docker container," and such.

vsgherzi•1y ago
Noted, I'll check it out! A shame so many are bound to github most of my workflow is tied to git on secured servers
armchairhacker•1y ago
IME unmaintained Rust packages usually aren't an issue, because Rust's backwards-compatibility is really good. Only if there's an unidiomatic design or bug in the part that you use, or a security vulnerability.

Rust dependency bloat may be an issue, but with good static analysis maybe not (the compiler can effectively remove dead code unlike JavaScript, and the IDE may be able to effectively filter it).

vsgherzi•1y ago
I wonder if there's a way to do a pass on a repo to remove code that will never be used due to the hardware you're targeting. You do have a good point in that it being unmaintained isn't necessarily the end of the world, I just kinda start to sweat when I think about ZX and see the advisories.
rc00•1y ago
> Many call for adding more to the rust standard library much like Go

> So now I pose the question to you what do we do?

1. Port your application to the language/tool that fits your needs like Go.

2. Hope that a language like Zig decides to feature a standard library as good as Go.

vsgherzi•1y ago
It feels a bit like throwing the baby out with the bathwater to completely swap languages. I was hoping rust could be a more general language for me.... I know they're not interested but I wonder if the foundation would ever entertain an opt in more expansive std library?

Go's is very nice however if I remember they ran into an issue with crypto that was hard to fix due to it being so bundled to the std library.

steveklabnik•1y ago
You may appreciate this RFC that was just opened https://github.com/rust-lang/rfcs/pull/3810
vsgherzi•1y ago
Hi Steve! Big fan!

Folks on Bluesky just pointed me in the same direction. Looks like it has potential.

steveklabnik•1y ago
Thanks :)

I’m not as positive on it, but at least if you are, you know where to lodge support.

rc00
weird_trousers•1y ago
That's the main criticism my colleagues have about Rust: a lot of unmaintained crates, and most of the time a lot of dependencies for... (almost) nothing.

It seems most of Rust developers adopt the pov of web front-end developers since a few years: depend on a lot of libraries for small things, never update your project to 1.0, and abandon "quickly" to build something new... and redo it again.

I really hope that alternatives like Zig or Jai will not let the community do like what they did with Rust.

vsgherzi•1y ago
It's such a cool language, maybe there's a way out or something I'm not seeing? Cloudflare, discord, and oxide seem to make it work pretty well... Always excited to see what new languages do. However it does seem like industry already has significant investment in rust so it seems like something we'll have to solve sooner than later....
steveklabnik•1y ago
It’s pretty simple: you choose the dependencies you want to have. Don’t like having a ton of them? Either choose carefully (which you should already be doing), or write it yourself.

Most people prefer to build off of the work of others, rather than reinvent the world for every project. That trade off is a trade off though, and nothing prevents you from taking the other side of it.

vsgherzi•1y ago
I get that. In general for something like a production server in cpp versus rust do you think the rust version is going to just have more lines of code associated with it or is it just the way I'm thinking about it? I love the Oxide podcast where you guys talk about your favorite crates and some of the ones you guys use in production. Are the dependencies something you guys really stress and investigate before pulling one in? I know things like axum are replaced with dropshot since you guys deemed it critical to your business (super cool crate!).
•
1y ago
You should evaluate on whether it is worth insisting on Rust. Others have gone down that path and it has only ended with regret[1]. The sooner you realize that you don't have the right solution to your problem, the sooner you can start solving it correctly.

What about the crypto library affects how you would use Go to solve your problem?

1. https://deadmoney.gg/news/articles/migrating-away-from-rust

steveklabnik•1y ago
You just can’t draw connections between number of dependencies, numbers of lines of code, and code you actually use, across ecosystems. See https://wiki.alopex.li/LetsBeRealAboutDependencies as an example of getting into the details about Rust vs C in this regard.

We don’t hyper stress about it. We do take care, in some projects (like embedded ones) we need to care a lot about binary size and so pay very close attention, and we keep abreast of security issues, etc.

Dropshot wasn’t written because it was critical to the business, it was because nothing had the OpenAPI support at the time we write it. It Axum or something else did, we’d have used it. We only write our own stuff when things in the ecosystem aren’t fit for purpose. We do sometimes find that our needs are different than others and so write our own, but this isn’t borne out of concern for dependency count.

vsgherzi•1y ago
Thank for the reply! I see, I guess I have alot more to think about ...
antonvs•1y ago
> It’s pretty simple: you choose the dependencies you want to have. Don’t like having a ton of them? Either choose carefully (which you should already be doing), or write it yourself.

Exactly. Why this is even a point of discussion is, to me, an indictment of everyone raising it as an issue.

stefanos82•1y ago
I thought I was alone thinking like this.

Honestly, when I want to compile a Rust project and see all these dependencies getting pulled in to get compiled along with the project, it gives me goosebumps, because I don't know whether these crates are safe and secured or not...

vsgherzi•1y ago
Yeah, I think in some sense it definitely looks worse than it is since a single crate like Tokio is spread among 20-30 crates. However even accounting for that there's still just alot of raw code...
weird_trousers•1y ago
You're definitely not alone. This situation is not new, and it isn't acceptable either.

The concept of `features` when using a crate is kinda cool as "you only download / compile what you use" *but* most of the crates are very badly designed, and also developers do not tend to reinvent a very tiny wheel when they can, but heavily depend of possibly dangerous crates to just serialize or deserialize a very simple data structure...

It's very annoying, as this increases the compilation time and introduces possible unsafe behavior in larger crates.

wofo•1y ago
Some people _do_ care about this (e.g. the proponents of this new RFC: https://github.com/rust-lang/rfcs/pull/3810). However, for some reason (culture, I guess?) there isn't much momentum yet to change the status quo.
antonvs•1y ago
Your “colleagues”?

You’re making the criticism, why not own it?

What you’re saying is the equivalent of Donald Trump’s “many people are saying”. It’s the recourse of the intellectually stunted who can’t muster a convincing argument.

vsgherzi•1y ago
Because I want my mind to be changed. I see orgs and companies I respect doing things differently than me but I don't understand why. I want to use this language, I want to use this ecosystem so I'm trying to get others who disagree with me to share what they think so I could possibly see things in a different way.