frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

https://chillphysicsenjoyer.substack.com/p/trying-to-make-an-automated-ecologist
1•crescit_eundo•36s ago•0 comments

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

https://www.twz.com/air/watch-ukraines-minigun-firing-drone-hunting-turboprop-in-action
1•breve•1m ago•0 comments

Free Trial: AI Interviewer

https://ai-interviewer.nuvoice.ai/
1•sijain2•1m ago•0 comments

FDA Intends to Take Action Against Non-FDA-Approved GLP-1 Drugs

https://www.fda.gov/news-events/press-announcements/fda-intends-take-action-against-non-fda-appro...
1•randycupertino•2m ago•0 comments

Supernote e-ink devices for writing like paper

https://supernote.eu/choose-your-product/
1•janandonly•5m ago•0 comments

We are QA Engineers now

https://serce.me/posts/2026-02-05-we-are-qa-engineers-now
1•SerCe•5m ago•0 comments

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

https://arxiv.org/abs/2602.01465
2•NBenkovich•5m ago•0 comments

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

https://www.latent.space/p/adversarial-reasoning
1•swyx•6m ago•0 comments

Show HN: Poddley.com – Follow people, not podcasts

https://poddley.com/guests/ana-kasparian/episodes
1•onesandofgrain•14m ago•0 comments

Layoffs Surge 118% in January – The Highest Since 2009

https://www.cnbc.com/2026/02/05/layoff-and-hiring-announcements-hit-their-worst-january-levels-si...
7•karakoram•14m ago•0 comments

Papyrus 114: Homer's Iliad

https://p114.homemade.systems/
1•mwenge•14m ago•1 comments

DicePit – Real-time multiplayer Knucklebones in the browser

https://dicepit.pages.dev/
1•r1z4•14m ago•1 comments

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

https://arxiv.org/abs/2601.14340
2•PaulHoule•16m ago•0 comments

Show HN: AI Agent Tool That Keeps You in the Loop

https://github.com/dshearer/misatay
2•dshearer•17m ago•0 comments

Why Every R Package Wrapping External Tools Needs a Sitrep() Function

https://drmowinckels.io/blog/2026/sitrep-functions/
1•todsacerdoti•17m ago•0 comments

Achieving Ultra-Fast AI Chat Widgets

https://www.cjroth.com/blog/2026-02-06-chat-widgets
1•thoughtfulchris•19m ago•0 comments

Show HN: Runtime Fence – Kill switch for AI agents

https://github.com/RunTimeAdmin/ai-agent-killswitch
1•ccie14019•22m ago•1 comments

Researchers surprised by the brain benefits of cannabis usage in adults over 40

https://nypost.com/2026/02/07/health/cannabis-may-benefit-aging-brains-study-finds/
1•SirLJ•23m ago•0 comments

Peter Thiel warns the Antichrist, apocalypse linked to the 'end of modernity'

https://fortune.com/2026/02/04/peter-thiel-antichrist-greta-thunberg-end-of-modernity-billionaires/
3•randycupertino•24m ago•2 comments

USS Preble Used Helios Laser to Zap Four Drones in Expanding Testing

https://www.twz.com/sea/uss-preble-used-helios-laser-to-zap-four-drones-in-expanding-testing
3•breve•29m ago•0 comments

Show HN: Animated beach scene, made with CSS

https://ahmed-machine.github.io/beach-scene/
1•ahmedoo•30m ago•0 comments

An update on unredacting select Epstein files – DBC12.pdf liberated

https://neosmart.net/blog/efta00400459-has-been-cracked-dbc12-pdf-liberated/
3•ks2048•30m ago•0 comments

Was going to share my work

1•hiddenarchitect•34m ago•0 comments

Pitchfork: A devilishly good process manager for developers

https://pitchfork.jdx.dev/
1•ahamez•34m ago•0 comments

You Are Here

https://brooker.co.za/blog/2026/02/07/you-are-here.html
3•mltvc•38m ago•1 comments

Why social apps need to become proactive, not reactive

https://www.heyflare.app/blog/from-reactive-to-proactive-how-ai-agents-will-reshape-social-apps
1•JoanMDuarte•39m ago•1 comments

How patient are AI scrapers, anyway? – Random Thoughts

https://lars.ingebrigtsen.no/2026/02/07/how-patient-are-ai-scrapers-anyway/
1•samtrack2019•39m ago•0 comments

Vouch: A contributor trust management system

https://github.com/mitchellh/vouch
3•SchwKatze•39m ago•0 comments

I built a terminal monitoring app and custom firmware for a clock with Claude

https://duggan.ie/posts/i-built-a-terminal-monitoring-app-and-custom-firmware-for-a-desktop-clock...
1•duggan•40m ago•0 comments

Tiny C Compiler

https://bellard.org/tcc/
6•guerrilla•42m ago•1 comments
Open in hackernews

Show HN: SecureBuild – Zero-CVE Images That Pay OSS Projects

https://securebuild.com
40•grantlmiller•7mo ago
We're launching SecureBuild: https://securebuild.com — a new way for open source projects and maintainers to earn revenue by partnering with and endorsing our Zero-CVE container images of their project.

We’ve spent the last decade at Replicated (https://news.ycombinator.com/item?id=9841243) helping commercial and open source software vendors securely distribute their apps to enterprise environments. During that time, we saw firsthand how hard it is for maintainers to fund their work, and how increasingly demanding enterprises have become when it comes to demonstrable security and scanning.

SecureBuild is our attempt to bridge that gap. Built on top of Wolfi (https://news.ycombinator.com/item?id=36489847), we provide Zero-CVE container images with tight SLAs, full SBOMs, etc, but we route 70% of direct subscription revenue back to the open source projects that create them.

We’re especially interested in partnering with open source maintainers who want to make their projects more secure and sustainable without changing licenses. We handle builds, hosting, sales, patching, and customer delivery.

I'm Grant (https://news.ycombinator.com/user?id=grantmiller), co-founder of Replicated & co-creator of SecureBuild, working with my co-founder Marc Campbell (https://news.ycombinator.com/user?id=marcc). We hope this can be part of a broader push toward a more secure, economically sustainable future for open source.

Happy to answer questions and share more details!

Comments

dhorthy•7mo ago
this looks cool - your homepage video should open with what it is though!
grantlmiller•7mo ago
thanks! say more about what you mean... you're saying instead of: Secure, Sustainable Open Source Partner with SecureBuild to offer secure, vulnerability-free builds of your open source project while generating recurring software revenue, no support contracts required.

we should say something different?

justinludwig•7mo ago
More about what you actually do -- I'd suggest something like "Secure, Sustainable Open Source: We partner with open source projects to monitor their upstream dependencies for security fixes, and automatically rebuild and distribute our partners' projects with those fixes. Our partners don't have to change what they do, and we share 70% of our subscription revenue with them."

Also:

> New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

Surely this should be "New SecureBuilds are created whenever upstream fixes for CVEs are available" -- you cut new builds for the fixes, not the bugs, no?

grantlmiller•7mo ago
i like it! and yes, that is correct :)
siggy•7mo ago
thanks for sharing. what's the onboarding process look like? if i'm maintaining my own Dockerfiles today, do you or I evaluate and port those to SecureBuild/Wolfi?
marcc•7mo ago
We work together on it. Assuming you have a build process and dockerfile (we all do), generally our team can get you listed in the catalog quickly.

It's not too much work since we built on an existing set of tools (melange & apko). I've actually found that putting a Dockerfile into ChatGPT generates a really good first iteration.

cube00•7mo ago
> New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

Aren't most SecOps pushing 48 hours as the absolute limit for critical vulns or are ours just being extra pushy?

marcc•7mo ago
We often deliver in way less than 6 days but sometimes the dependency tree is deep for a patch.

I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that.

grantlmiller•7mo ago
the goal is going to be 6 hours!
mike_d•7mo ago
> I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that.

You seem to fundamentally not understand security. A proper security program should never be driven by an auditors expectations or even used as a reasonable guideline.

Don't track CVEs and SLAs in days. You need to have patches out before active exploitation in the wild begins, that is the only metric that matters. Go talk to Greynoise about how to get that data.

grantlmiller•7mo ago
We’d love for this to be true... most images fill up with CVEs so fast in dependencies, we’re providing minimal images (much less surface area) and have the automation to rebuild the entire dependency graph at least daily, if not multiple times per day.

Hopefully everyone will run a "proper security program" someday!

mike_d•7mo ago
It can be true for you if your correct your thinking on the problem.

CVEs are basically just bugs that are not triggered by normal operation. If you race to "fix" them all, you are going to drown (as you are discovering).

Focus on your solution for tracking actively exploited vulnerabilities and a prioritization system and you'll greatly simplify the problem while better serving your customers.

jenny91•7mo ago
The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.
grantlmiller•7mo ago
well... our core users are ISVs (who distribute commercial software into enterprise controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves) and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.
westwater•7mo ago
What's the process to add new images?

I assume this is limited to CVEs in the underlying layers, and adding in the latest of the primary package. Given that how/are you testing the images after you fix the CVEs?

marcc•7mo ago
Adding images involves us creating a new package (APK) in our APK repo. This is done by creating a melange build config (https://github.com/chainguard-dev/melange). The melange config defines some basic tests. It's not comprehensive, but generally validates that the binary produced is functional.

When we build the OCI image, we validate it via some custom tests that we've written. We have identified the canonical image (i.e. DockerHub, GHCR, etc), and we confirm that our image has the same entrypoint, args, env that the canonical image has. Then we have some generated scenarios we run the OCI image through to make sure it functions the same as the canonical image runs.

For example, we have Postgres in the catalog today. When we rebuild, we have some tests that run with various configurations of PG_DATABASE/PG_PASSWORD, etc env vars. We run these with our image and with index.docker.io/library/postgres, and expect to see the same output with both.

sheepybloke•7mo ago
How does this compare with something like IronBank? Looks like that could be a great partnership!