frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Box of Secrets: Discreetly modding an apartment intercom to work with Apple Home

https://www.jackhogan.me/blog/box-of-secrets/
114•jackhogan11•20h ago•34 comments

Log File Viewer for the Terminal

https://lnav.org/
104•wiradikusuma•3h ago•13 comments

Show HN: ProofShot – Give AI coding agents eyes to verify the UI they build

https://proofshot.argil.io/
20•jberthom•1h ago•14 comments

Opera: Rewind The Web to 1996 (Opera at 30)

https://www.web-rewind.com
13•thushanfernando•1h ago•5 comments

BIO – The Bao I/O Co-Processor

https://www.crowdsupply.com/baochip/dabao/updates/bio-the-bao-i-o-co-processor
37•hasheddan•2d ago•8 comments

Autoresearch on an old research idea

https://ykumar.me/blog/eclip-autoresearch/
354•ykumards•14h ago•72 comments

iPhone 17 Pro Demonstrated Running a 400B LLM

https://twitter.com/anemll/status/2035901335984611412
602•anemll•18h ago•272 comments

FCC updates covered list to include foreign-made consumer routers

https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers
309•moonka•11h ago•210 comments

A 6502 disassembler with a TUI: A modern take on Regenerator

https://github.com/ricardoquesada/regenerator2000
30•wslh•3d ago•2 comments

Show HN: Cq – Stack Overflow for AI coding agents

https://blog.mozilla.ai/cq-stack-overflow-for-agents/
139•peteski22•17h ago•49 comments

Gerd Faltings, who proved the Mordell conjecture, wins the Abel Prize

https://www.scientificamerican.com/article/gerd-faltings-mathematician-who-proved-the-mordell-con...
32•digital55•4d ago•3 comments

Microservices and the First Law of Distributed Objects (2014)

https://martinfowler.com/articles/distributed-objects-microservices.html
18•pjmlp•3d ago•8 comments

Epoch confirms GPT5.4 Pro solved a frontier math open problem

https://epoch.ai/frontiermath/open-problems/ramsey-hypergraphs
327•in-silico•7h ago•334 comments

Abusing Customizable Selects

https://css-tricks.com/abusing-customizable-selects/
115•speckx•5d ago•5 comments

Dune3d: A parametric 3D CAD application

https://github.com/dune3d/dune3d
158•luu•2d ago•56 comments

Claude Code Cheat Sheet

https://cc.storyfox.cz
379•phasE89•11h ago•114 comments

The Resolv hack: How one compromised key printed $23M

https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/
90•timbowhite•11h ago•123 comments

Pompeii's battle scars linked to an ancient 'machine gun'

https://phys.org/news/2026-03-pompeii-scars-linked-ancient-machine.html
71•pseudolus•3d ago•18 comments

Finding all regex matches has always been O(n²)

https://iev.ee/blog/the-quadratic-problem-nobody-fixed/
203•lalitmaganti•4d ago•51 comments

IRIX 3dfx Voodoo driver and glide2x IRIX port

https://sdz-mods.com/index.php/2026/03/23/irix-3dfx-voodoo-driver-glide2x-irix-port/
67•zdw•10h ago•6 comments

An incoherent Rust

https://www.boxyuwu.blog/posts/an-incoherent-rust/
187•emschwartz•18h ago•90 comments

Ju Ci: The Art of Repairing Porcelain

https://thesublimeblog.org/2025/03/13/ju-ci-the-ancient-art-of-repairing-porcelain/
89•lawrenceyan•2d ago•8 comments

Trivy under attack again: Widespread GitHub Actions tag compromise secrets

https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
202•jicea•1d ago•69 comments

Sunsetting the Techempower Framework Benchmarks

https://github.com/TechEmpower/FrameworkBenchmarks/issues/10932
39•nbrady•7h ago•7 comments

How to Spot a Liar: Kate White on the Techniques of Deception in Mysteries

https://crimereads.com/how-to-spot-a-liar-kate-white-on-the-techniques-of-deception-in-mysteries/
6•ohjeez•3d ago•3 comments

How I'm Productive with Claude Code

https://neilkakkar.com/productive-with-claude-code.html
197•neilkakkar•12h ago•116 comments

A retro terminal music player inspired by Winamp

https://github.com/bjarneo/cliamp
91•mkagenius•12h ago•25 comments

I built an AI receptionist for a mechanic shop

https://www.itsthatlady.dev/blog/building-an-ai-receptionist-for-my-brother/
272•mooreds•22h ago•281 comments

Local Stack Archived their GitHub repo and requires an account to run

https://github.com/localstack/localstack
193•ecshafer•14h ago•112 comments

March, 19-21: God is a comedian

https://no01.substack.com/p/march-19-21-god-is-a-comedian
9•tastyface•1h ago•1 comments
Open in hackernews

Shell-secrets – GPG-encrypted environment variables

https://github.com/waj/shell-secrets
93•mgarciaisaia•11mo ago

Comments

woodruffw•11mo ago
The more general version of this is probably sops[1].

(A general problem with these kinds of “wrap GPG” tools is that you end up with “mystery meat” encryption/signatures: your tool’s security margin is at the mercy of GPG’s opaque and historically not very good defaults.)

[1]: https://github.com/getsops/sops

aborsy•11mo ago
GPG man page is long. But to be fair, GPG, which I have used for decades, has never failed me.
theteapot•11mo ago
This is 13 lines of Bash plus GPG which is available ~everywhere and a pretty lowish level Linux dependency. SOPS is +20KLOC of Go with support for cloud KMS etc etc. I think you got your mystery meat analogy backwards.
woodruffw•11mo ago
The mystery meat in question is GPG, not sops or this.

(I also wouldn’t call GPG a low level dependency.)

theteapot•11mo ago
lowish. Meaning if you run a Linux desktop env with a mild amount of software installed it's likely pulled in already.
ikiris•11mo ago
So is Perl, that doesn’t make it a good argument to use it still for the same reasons.
akoboldfrying•11mo ago
Perl is horrible, but for one-liners it's strictly less horrible than either sed or awk, which people still use because they are less horrible than pure Bourne shell for some common tasks.
woodruffw•11mo ago
I’ve used a Linux desktop for my entire adult life, and I’m pretty sure GPG has never been bundled directly with my environment. I used to install it directly, but I haven’t needed that in years either since everything I needed GPG for (= git) supports SSH signing instead.
mgarciaisaia•11mo ago
I didn't know about sops, thanks for sharing!

Encrypting YAML files' values may be handy for another project - will take note of it.

pluto_modadic•11mo ago
for a newer password manager... https://github.com/FiloSottile/passage
qyckudnefDi5•11mo ago
Looks like FiloSottile may have switched from passage to 1Password:

https://bsky.app/profile/filippo.abyssdomain.expert/post/3l5...

Would be interesting to get more context why move from storing passwords locally to an online service.

FiloSottile•11mo ago
Team sharing with a non-technical person, mostly.

I still have high-value passwords and CLI credentials in passage + age-plugin-yubikey.

bitbasher•11mo ago
Couldn't you just use pass and have something like this in your bash script/env:

export SOME_SECRET="$(pass show some/secret)"

Piraty•11mo ago
this in a credentials file to source before doing some operation? sure. I usually do: ` ( . ./credentials && ./the_thing ) ` so the secrets are only in the subshell and don't linger in my shell session forever.

but don't put that in <shell>rc , as it a) will be visible for all other (child) processes of your shell b) will spawn pinentry everytime the agent's cache ttl expires

varenc•11mo ago
That hides it in the source, but doesn't hide it in the execution environment that can access the ENV. Everything you run inside your shell could still read it. (but if you're running untrusted things...you've already lost)
ognarb•11mo ago
I like the idea. GPG encryption are super helful when sharing secrets.

Disclaimer: I work on some UI for GPG as my day job.

hnlmorg•11mo ago
Coincidentally I’ve written something similar to this too.

My main takeaway was that GPG isn’t nearly as user friendly as it needs to be.

mmh0000•11mo ago
Highly true. Yet. If you complain or even offer patches (which will, always, without fail, be rejected).

You'll get told off by the GPG devs with something along the lines of "encryption is supposed to be hard".

9dev•11mo ago
How hard would it be to devise an easy to use wrapper on top of GPG, kind of porcelain-like?
thayne•11mo ago
You may be interested in https://sequoia-pgp.org/

It isn't exactly a wrapper, but it has an easier to use interface (as well as a more gpg compatible interface).

ognarb•11mo ago
It already exists and it's called Kleopatra. It's developed by KDE with some support from the GPG developers and is part of the Gpg4Win suite.

It's used by quite a few companies and public administrations.

akerl_•11mo ago
The easier and more productive thing is to make an easy-to-use tool that does a specific workflow vs trying to be a swiss army knife.

https://github.com/FiloSottile/age is this for encrypting files.

https://en.wikipedia.org/wiki/Signify_(OpenBSD) and https://jedisct1.github.io/minisign/ are this for signing files.

Signal/Whatsapp/etc that use the Signal Protocal are this for messaging.

It turns out solving one problem at a time and ending up with a bunch of purpose-built tools is way easier to get right than trying to jam an entire toolbox into one thing.

emmelaich•11mo ago
There's a library wrapper, https://www.gnupg.org/software/gpgme/index.html

>GnuPG Made Easy (GPGME) is a library designed to make access to GnuPG easier for applications. It provides a High-Level Crypto API for encryption, decryption, signing, signature verification and key management. Currently it uses GnuPG's OpenPGP backend as the default, but the API isn't restricted to this engine. We have, in fact, already developed a backend for CMS (S/MIME).

upofadown•11mo ago
I have been following the GnuPG mailing list for some years now. I must of missed that. Could we have some references to where someone has been told something to the effect of "encryption is supposed to be hard".
Valodim•11mo ago
The correct way to do stuff like this these days with openpgp is to use a SOP (stateless openpgp) implementation. https://www.openpgp.org/about/sop/
viraptor•11mo ago
Unless you're good at actually maintaining your gpg keychain and need other people to access this, I really wouldn't bother with gpg. There are way better and simpler options.

Age has a simpler interface and SSH key support https://github.com/FiloSottile/age

ejson2env has the environment variable integration and ejson has multiple backends https://github.com/Shopify/ejson2env

direnv can support any cli secrets manager per project directory https://direnv.net/

I've dealt with enough "why did this break" situations with gpg secrets files used by capable teams that I'd never recommend that to anyone. And unless you really need the public key support (teams and deployment support), you're unlikely to gain anything better over a password manager.

akoboldfrying•11mo ago
age looks really interesting, thanks. I also learned from that page that appending ".keys" to your GitHub profile URL (so https://github.com/yourusername.keys) returns a list of your SSH public keys! (Where is this documented...?)
tomjakubowski•11mo ago
Another trick with github urls: you can append .patch or .diff to any PR or commit URL, and you'll get back a git-formatted patch or diff.

https://github.com/rust-lang/rust/pull/139966

https://github.com/rust-lang/rust/pull/139966.patch

https://github.com/rust-lang/rust/pull/139966.diff

theteapot•11mo ago
The tool is just pulling one encryption key from your local GPG keyring. What's to maintain?
viraptor•11mo ago
What happens when you have multiple matching keys? What happens when your key expires? What happens when the output format changes? What happens when the key expires and it's attached to a hardware device? Gpg can fail in ways which do not tell you anything about the real underlying issue.

I promise this happens all the time to people for lots of stupid reasons.

theteapot•11mo ago
> What happens when you have multiple matching keys?

Use keyid instead.

> What happens when your key expires?

GPG will refuse to use it for encryption. Create a new encryption key.

> What happens when the output format changes?

N/A here (?)

> What happens when the key expires and it's attached to a hardware device?

You got me.

XorNot•11mo ago
Also.. expired keys aren't unusable. The encryption doesn't stop working.

If you have an expired GPG private key it will still decrypt things encrypted with the public key.

viraptor•11mo ago
They're not unusable, but depending on the gpg wrapper it may look like it. Gpgme is the one I had most issues with raining with fatal errors where gpg on its own only reports a warning.

Non of this is impossible to overcome. Yet, I still was sometimes relied on to debug things.

XorNot•11mo ago
Gonna have to give that a try because it sounds like a very bad interpretation of the expiry mechanism in keys - encryption functionally never expires if you have the key, because you have the key. It's solely an error on the part of the sender to use an expired key, because it might be no longer available.

(admittedly AFAIK encryption is handled by key expiry poorly overall in GPG - the lack of perfect forward secrecy means an expired key which leaks can still decrypt all the old messages if they were intercepted).

mgarciaisaia•11mo ago
Oh - so age would be a gpg replacement, and not a shell-secrets replacement. I guess it could work, but also I haven't had any issues with GPG yet (in my ~4 years regularly using shell-secrets).

ejson2env sounds nice. Don't like the syntax of `eval $(...)`, but it does THE thing that most don't - it encrypts the secrets at rest!

Also, I have multiple logins for some services (company account vs company's client account), so separating concerns is cool. And having the "context" name in the PS1 helps avoid issuing the wrong command on the wrong account - you can even add emojis to the name for maximum discernability.

upofadown•11mo ago
Age doesn't even have a keychain. You are expected to maintain your keys manually. So yeah, you will never have a problem with the age keychain. In the same way you will never get into trouble with the law in an anarchy. Not everyone wants to have to deal with all the details themselves.
asveikau•11mo ago
I do something like this in my .muttrc. It was showing up in documentation iirc, as the typical way to store credentials for mutt.
dvektor•11mo ago
I store my secrets in gpg encrypted files and inject them into my environment in my shell rc file.

AWS_SECRET_ACCESS_KEY=$(gpg -d ~/.secrets/aws/key.asc)

type of deal. its annoying to put in a password every time i open a new tmux pane but hey, better than plain text.

viraptor•11mo ago
If you're using more complicated systems than just a single root account, have a look at https://github.com/99designs/aws-vault too.
mgarciaisaia•11mo ago
That was what I did before knowing about shell-secrets. But I also need different "contexts" on the same domains/tools (different AWS accounts and credentials for different clients), and having none "set" by default prevents me from running _whatever command_ by mistake the majority of the time.
ykonstant•11mo ago
Since GPG and openssh support the TPM for some operations, I am tempted to store secrets in the TPM instead; I think a hardware safe is better than messing with persistent envars and having to pay attention to children etc.

But I am very nervous about doing so, since I have heard bad things about the reliability of the TPM (limited writes or something?) and locking myself out of important places. Any people with experience using the TPM for secrets in Linux?

vcdimension•11mo ago
I've forked the repo and created a zsh version: https://github.com/vapniks/shell-secrets