frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Tiny C Compiler

https://bellard.org/tcc/
102•guerrilla•3h ago•44 comments

SectorC: A C Compiler in 512 bytes

https://xorvoid.com/sectorc.html
186•valyala•7h ago•34 comments

Speed up responses with fast mode

https://code.claude.com/docs/en/fast-mode
110•surprisetalk•7h ago•116 comments

Brookhaven Lab's RHIC concludes 25-year run with final collisions

https://www.hpcwire.com/off-the-wire/brookhaven-labs-rhic-concludes-25-year-run-with-final-collis...
43•gnufx•6h ago•45 comments

Software factories and the agentic moment

https://factory.strongdm.ai/
130•mellosouls•10h ago•280 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
880•klaussilveira•1d ago•269 comments

Stories from 25 Years of Software Development

https://susam.net/twenty-five-years-of-computing.html
129•vinhnx•10h ago•15 comments

Hoot: Scheme on WebAssembly

https://www.spritely.institute/hoot/
166•AlexeyBrin•12h ago•29 comments

The F Word

http://muratbuffalo.blogspot.com/2026/02/friction.html
97•zdw•3d ago•46 comments

FDA intends to take action against non-FDA-approved GLP-1 drugs

https://www.fda.gov/news-events/press-announcements/fda-intends-take-action-against-non-fda-appro...
60•randycupertino•2h ago•90 comments

First Proof

https://arxiv.org/abs/2602.05192
96•samasblack•9h ago•63 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
265•jesperordrup•17h ago•86 comments

I write games in C (yes, C) (2016)

https://jonathanwhiting.com/writing/blog/games_in_c/
167•valyala•7h ago•148 comments

Al Lowe on model trains, funny deaths and working with Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
85•thelok•9h ago•18 comments

Eigen: Building a Workspace

https://reindernijhoff.net/2025/10/eigen-building-a-workspace/
4•todsacerdoti•4d ago•1 comments

Start all of your commands with a comma (2009)

https://rhodesmill.org/brandon/2009/commands-with-comma/
549•theblazehen•3d ago•203 comments

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

https://github.com/Momciloo/fun-with-clip-path
49•momciloo•7h ago•9 comments

Show HN: A luma dependent chroma compression algorithm (image compression)

https://www.bitsnbites.eu/a-spatial-domain-variable-block-size-luma-dependent-chroma-compression-...
26•mbitsnbites•3d ago•2 comments

The silent death of Good Code

https://amit.prasad.me/blog/rip-good-code
48•amitprasad•1h ago•47 comments

Selection rather than prediction

https://voratiq.com/blog/selection-rather-than-prediction/
24•languid-photic•4d ago•6 comments

The AI boom is causing shortages everywhere else

https://www.washingtonpost.com/technology/2026/02/07/ai-spending-economy-shortages/
246•1vuio0pswjnm7•13h ago•388 comments

Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs?

https://www.windowscentral.com/microsoft/windows-11/windows-locked-me-out-of-notepad-is-the-thin-...
80•josephcsible•5h ago•107 comments

Reinforcement Learning from Human Feedback

https://rlhfbook.com/
108•onurkanbkrc•12h ago•5 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
138•videotopia•4d ago•44 comments

A Fresh Look at IBM 3270 Information Display System

https://www.rs-online.com/designspark/a-fresh-look-at-ibm-3270-information-display-system
57•rbanffy•4d ago•17 comments

Learning from context is harder than we thought

https://hy.tencent.com/research/100025?langVersion=en
215•limoce•4d ago•123 comments

Coding agents have replaced every framework I used

https://blog.alaindichiappari.dev/p/software-engineering-is-back
303•alainrk•12h ago•482 comments

72M Points of Interest

https://tech.marksblogg.com/overture-places-pois.html
48•marklit•5d ago•9 comments

Where did all the starships go?

https://www.datawrapper.de/blog/science-fiction-decline
121•speckx•4d ago•185 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
294•isitcontent•1d ago•39 comments
Open in hackernews

Independently verifying Go's reproducible builds

https://www.agwa.name/blog/post/verifying_go_reproducible_builds
137•speckx•3mo ago

Comments

GauntletWizard•3mo ago
This is important work, and I thank you for it. These public transparency logs are important for keeping honest people honest, but also for keeping dishonest people out - If someone does manage to backdoor Google's build process, this is how they'll know.
charcircuit•3mo ago
Why is this important work to you? Reproducible builds to me is a complete waste of engineering resources and times that could be used elsewhere. All of this work goes towards protecting against theoretical attacks rather than practical ones that are actually happening in the wild.
anilgulecha•3mo ago
Supply chain attacks are not theoretical! Just take a look at npm, docker and other repo lands.
charcircuit•3mo ago
Those attacks were not prevented by reproducible builds. Those supply chain attacks are the kind of things resources should be put into preventing.
cpuguy83•3mo ago
They were completely preventable by independent verification. Just that without reproducible build you can't independently verify anything.
charcircuit•3mo ago
Maybe some of them were preventable, but if it was in place attackers would easily adapt to fool the automated systems and we would be back at status quo.

>without reproducible build you can't independently verify anything.

This is myth propagated by reproducible builds people. Byte for byte similarity is not required to detect a Trojan was injected into one.

cpuguy83•3mo ago
You are right, I should not have said "you can't independently verify anything", but then you generally need to know what you are looking for.
cpuguy83•3mo ago
Distributing software is a lot harder than just building it (with the caveat that people don't want to install build dependencies). So we rely on centralized distribution (and build). Because of this we have to assume trust of that entire chain.

When builds are reproducible they are independently verifiable which means you only have to trust the code and not the entire distribution chain (build systems, storage, etc).

Of course if no one bothers to verify then it doesn't matter. This is sort of how xz happened, no one verified that the release tarballs were what they were purported to be.

charcircuit•3mo ago
I know what reproducible builds are, but they do not solve practical problems. That are actively happening.

>This is sort of how xz happened

Reproducible builds wouldn't have caught this. You would reproduce the malicous library the same since the vulnerability is in the input.

cpuguy83•3mo ago
Right, my point was that nobody bothered to check the source tarballs which should be completely reproducible already,
Orygin•3mo ago
Wasn't the vulnerability triggered by a malicious script that was added silently to the tarball? Reproducible builds would have shown that the tarball is not the exact output of the build. Even though the malicious payload was already in the code, the trigger was not and was hidden
charcircuit•3mo ago
>Reproducible builds would have shown that the tarball is not the exact output of the build

That is not what reproducible builds do. Reproducible builds shows that the compiled binary comes from the inputs. You have to use the same inputs as the distro else it will most likely not match. The vulnerability is part of the input which means that anyone else reproducing the build would have a byte exact copy of the vulnerable library and no discrepancy would be found. Reproducible builds would monitor for when the builds don't match.

In this scenario you could compare release tarbells against the git repository, but that has nothing to do with reproducible builds.

Orygin•3mo ago
If you do reproducible builds for only the binary of the program and not what's around it I don't know if it makes any sense. Related software like the installation script should be checked too against the source. Otherwise that would be like signing the binary but not the whole package.

In case of XZ, the source code was modified, in the install script and not in the binary itself. Checking against a reproducible tarball would have shown the package is not identical, as the trigger was put manually by the maintainer and not checked in the repo. If you had a "byte exact copy" of the repository, it would show immediately it's not the same used to build the package.

Otherwise, reproducible builds are useless if you only check for the binary and not the whole generated package, as XZ has shown, because the malicious code could be somewhere else than the binary.

Nix packages seem to be geared toward reproducible builds of the whole package and not just the binary. So it seems possible to do.

h4ck_th3_pl4n3t•3mo ago
Repo of sourcespotter: https://github.com/SSLMate/sourcespotter
jasonthorsness•3mo ago
It’s great that these reproducible builds are possible and this is an incredibly thorough and careful validation. Thanks!
donatj•3mo ago
I started compiling the Go compiler myself over well over ten years ago when you had to compile it yourself to enable cross-compiling. That has not been the case in almost as long.

I have not stopped. I really should stop. At this point it's just kind of fun, but I have an unbroken chain of self-compiled Go compilers going back to the days when Go was written in C and not Go.

I am frankly really curious if my Go binary lives up to the reproducible build, or if some sort of Reflections on Trusting Trust type flaw worked itself in 10 years ago.