frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Mesh LLM: distributed AI computing on iroh

https://www.iroh.computer/blog/mesh-llm
133•tionis•4h ago•32 comments

We Know Simple Fluids Can Flow. Turns Out, Some Can Fracture

https://www.quantamagazine.org/we-know-simple-fluids-can-flow-turns-out-some-can-fracture-20260710/
20•Anon84•1h ago•1 comments

A pure scheme web programming tool

https://goeteia.dev
29•guenchi•2h ago•13 comments

Show HN: Ant – A JavaScript runtime and ecosystem

https://antjs.org
201•theMackabu•7h ago•86 comments

RISCBoy is an open-source portable games console, designed from scratch

https://github.com/Wren6991/RISCBoy
74•mariuz•5h ago•17 comments

I Did Not Kill Stanley Lieber: How to Draw (With 9front)

https://triapul.cz/automa/i_did_not_kill_stanley_lieber
21•c-c-c-c-c•2d ago•2 comments

A dock that wakes up reliably

https://fabiensanglard.net/tb4/index.html
39•ingve•2h ago•29 comments

The Energetic Costs of Cellular Computation (2012)

https://arxiv.org/abs/1203.5426
8•lioeters•1h ago•0 comments

Nvidia, CoreWeave, and Nebius: Inside the Circular Financing of the GPU Boom

https://io-fund.com/ai-stocks/nvidia-coreweave-nebius-circular-financing-gpu-boom
177•adletbalzhanov•10h ago•59 comments

A Erlang style pure Scheme Webserver and further

https://igropyr.com
12•guenchi•2h ago•1 comments

Billions of Sketches Reveal Hidden Cultural Variation in Human Concepts

https://arxiv.org/abs/2607.07267
63•Anon84•2d ago•8 comments

We scaled PgBouncer to 4x throughput

https://clickhouse.com/blog/pgbouncer-clickhouse-managed-postgres
185•saisrirampur•12h ago•38 comments

UPI: Anatomy of a Payment Transaction

https://timeseriesofindia.com/economy/reads/upi-architecture/
120•prtk25•11h ago•41 comments

What xAI's Grok Build CLI Actually Sends to xAI

https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
89•jhoho•2h ago•47 comments

Show HN: Quantum-Qec / Matrix-Free Quantum Homeostatic Engine(Blueprint)

https://github.com/PJHkorea/quantum-mesh-qec
3•PJHkorea•1h ago•1 comments

Jellyfish Undersea Roundabout

https://visitfaroeislands.com/en/plan-your-stay/getting-around/world-first-under-sea-roundabout
7•hydrogen7800•3d ago•0 comments

An agent in 100 lines of Lisp

https://thebeach.dev/posts/lisp-agent/
48•jamiebeach•4d ago•0 comments

The early History of the Singular Value Decomposition (1993) [pdf]

https://www.math.ucdavis.edu/~saito/courses/229A/stewart-svd.pdf
97•wolfi1•12h ago•60 comments

Prefer strict tables in SQLite

https://evanhahn.com/prefer-strict-tables-in-sqlite/
236•ingve•10h ago•116 comments

Long Covid May Physically Damage the Nerves That Control the Stomach

https://www.ijidonline.com/article/S1201-9712(26)00608-9/fulltext
59•thenerdhead•3h ago•32 comments

Biff.graph: structure your Clojure codebase as a queryable graph

https://github.com/jacobobryant/biff/tree/v2.x/libs/graph
91•jacobobryant•4d ago•8 comments

Optimization Solver as a Service

https://www.quicopt.com/developer/getting-started/
21•paddi91•3d ago•12 comments

Show HN: Learn by rebuilding Redis, Git, a database from scratch

https://shipthatcode.com
136•acley•13h ago•39 comments

Doctors die. It's not like the rest of us, but it should be (2016)

https://archive.cancerworld.net/featured/how-doctors-die/
94•downbad_•4h ago•57 comments

Show HN: Sqlsure – deterministic semantic checks for AI-generated SQL

https://github.com/sqlsure/sqlsure
23•tejusarora•7h ago•3 comments

Martha Lillard, last US polio patient using iron lung, dies at 78 in Oklahoma

https://abcnews.com/US/wireStory/martha-lillard-us-polio-patient-iron-lung-dies-134668491
39•daniel_iversen•3h ago•6 comments

Sixtyfour (YC P25) Is Hiring

https://www.ycombinator.com/companies/sixtyfour/jobs/bIbgQkL-operations-associate-data-samples-cu...
1•HPMOR•10h ago

How to Achieve Pruning When Querying by Non-Partitioned Columns in PostgreSQL

https://hakibenita.com/postgresql-partition-pruning
8•theanonymousone•2d ago•1 comments

ZeroFS vs. Amazon S3 Files

https://www.zerofs.net/blog/zerofs-vs-aws-s3-files/
68•cbrewster•9h ago•16 comments

Show HN: Orbit – AR satellite tracker, watch 15k+ objects

https://nagylukas.github.io/orbit.html
64•lukas9•10h ago•17 comments
Open in hackernews

What xAI's Grok Build CLI Actually Sends to xAI

https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75ffb547
89•jhoho•2h ago

Comments

5701652400•49m ago
haha so they just stealing entire codebases?
freakynit•46m ago
"It uploads the whole repository — every tracked file's content plus git history — independent of what the agent reads"

Holy cow!!!! I mean I kinda expected Elon would do something like this to try to catch-up.. but this is extremely concerning.

This is precisely the reason, even though their pricing is competitive and grok-4.5 is actually good enough, I chose not to go with them.

faangguyindia•37m ago
Does OpenAI also have access to all github repos via partnership with microsoft?
jpollock•33m ago
It would be _extremely_ surprising if private repos were available via that contract. Corporations wouldn't use GitHub at all if anyone other than those given direct access had read/copy permission.
t_gamer_kle•13m ago
They were caught stealing Apple trade secrets, dude. Nothing is beneath them.
tyre•7m ago
Nothing is beneath Altman, maybe, but Satya isn’t that dumb. MSFT cares about OAI but giving access to private data and trade secrets voluntarily would be catastrophic for them.

Doesn’t feel like the type of mistake Satya would make.

gorgonian•13m ago
I could see there being different rules for enterprise accounts.
culi•8m ago
Absolutely not. That would be an absurd violation. If you have Copilot enabled then they can use your interaction data for training but you can turn that off as well
ashishb•6m ago
There is a reason I run all such CLIs inside a sandbox [1] giving limited directory access.

Imagine if the CLI pulled your SSH keys or other sensitive information by mistake?

Programmers do make such mistakes all the time. I don't want to count on whether "uploading all files it can access" is intentional or a mistake.

1 - https://github.com/ashishb/amazing-sandbox

jstanley•45m ago
One reason to want to upload the entire codebase is that it allows them to have the model inspect the codebase during "thinking" without going back to the client to do real tool calls.

It's not a really great reason, because what's the downside of going back to the client? But that's the best reason I can think of.

5701652400•42m ago
more like it allows them to steal your trade secrets, app designs, internal business knowledge, or even just replicate whatever code/app/tool/process you had.

what was your private code, becomes their code now.

jstanley•41m ago
Possibly, but people were worried about this with cloud hosting when it first came out, and it turned out to be a total nonissue.
5701652400•39m ago
they are literally going after "creating everything app" and "everything business" (macrohard).

they are litearlly ingesting and integrating your app/business into theirs.

SR2Z•38m ago
Yeah, I'm not sure the level of trust extended to a company like Amazon or Google will also be extended to one run by Elon Musk, who is notorious for not respecting terms like this.
avaer•37m ago
5701652400•40m ago
will this endup in their "macrohard" (automate any business) project?

will this endup in their "everything app"?

guess you do not need to build "everything" yourself, when you can steal it.

avaer•30m ago
The icing on the cake is that users are ostensibly paying for the privilege. What a business model...

If I had no morals and was running one of these companies I would be stealmaxxing before anyone notices the scale of the grift and regulations start getting in the way.

I'm not saying they are doing this, but that's what the incentives are lined up for.

5701652400•28m ago
exactly. looks like this is what they doing
looksjjhg•38m ago
Do people really trust that guy or any service he owns?! Actually never mind I forgot there’s always fools in this world
jimmydoe•11m ago
there are 2.7 m starlink subscribers in US, I don't think they are fools.
rescbr•36m ago
Now, where are the people afraid of the Chinese AI companies, who claim they are going to copy their very precious code...?
sroerick•33m ago
The second I opened Deepseek, it had my harness scan my entire home dir. Not sure what's worse here.
rescbr•27m ago
Weird. I have seen it asking the harness to do `find ~ -type f | grep` to try and find my agent configuration .json file when I asked it to add a MCP server. Stupid, but they weren't sending the files back home. This was with older models though. Newer ones are a bit smarter than that.
5701652400•20m ago
using them in VSCode all the time for months now. Qwen from Alibaba Cloud, Deepseek from deepseek.com. none of them upload entirety of codebase or even attempt to.

in fact, opposite. Chinese AI seem to post-process heaviliy locally.

they are always using head / tail, grep, sed, and do as much as they can locally and extrac meaningful data and send home (AI inference chunks). only what is really needed.

it is actually hard to force Chinese AI modesl to read full files, they really do not want to see them. even 400 lines files, is usally hit first for first line, first 50 lines. and at most 200 lines chunk reads, and give up at one or two reads.

rescbr•10m ago
For me, them allowing API usage on coding plans so we can use any harness, and returning the full unabridged reasoning back are how they earned my trust.
charcircuit•29m ago
The simplest way to disable uploading your repo is disabling it in the config.

    [harness]
    disable_codebase_upload=true
culi•12m ago
This is completely made up. The Grok Build CLI reference lists no such thing. Whatever LLM you asked probably hallucinated this.
charcircuit•2m ago
>completely made up

If you want easily verifiable evidence, run strings on the Grok Build CLI binary and you will see:

    Codebase upload skipped: disabled by config (harness.disable_codebase_upload=true)
gitgud•25m ago
This is one of the reasons why native proprietary coding agent runners like claude-code, codex, grok-build etc are so dangerous for privacy… you just don’t know what “secret sauce” they’ll add in the next update…

It’s much safer to use something like opencode and use models via their API… however, the tradeoff is that it will never perform as well as it does in their native agent runners…

gruez•17m ago
Give enough usage, you can reconstruct an entire codebase via tool calls alone, and it'll be entirely undetectable because it's all done server side. Whatever grok's doing is just more blatant, but using opencode or whatever doesn't create a meaningful security boundary. It's like the meme of using cheetos as a lock.
rohansood15•17m ago
I agree with you, but Codex is open source.
jimmydoe•15m ago
last time I checked, codex is still open source w Apache-2.0 license
jacobgold•24m ago
With all the coding agent options, you're choosing to trust your computer, code, and business to whichever harness, model, and provider you pick.

It's not a great state of affairs, but that's where we are.

Choose wisely my friend.

j_bum•24m ago
I wish a human would’ve written the overview.

Nonetheless, this is disturbing.

gruez•19m ago
Yeah this could be boiled down to maybe 2-3 paragraphs with maybe a few code blocks to show what's uploaded. This AI report is just a slog to read through and turned me off after 10s of skimming.
rvz•22m ago
Both Grok and Claude Code are malware.

This is another reason to use open source harnesses and open weight local models.

culi•15m ago
> It transmits the contents of files it reads — including a .env secrets file — to xAI, verbatim and unredacted.

This has to be the most successful mass surveillance campaign of all time

dimgl•12m ago
Grok Build has had impressive performance in a couple of my projects. And fast. So this revelation has been very disappointing...

I will say, a majority of the code I'm writing now is fully through an online LLM. If a company wanted to reconstruct a project I'm working on, they could just replay all of the tool calls from their logs, if they decide to retain the data (I did this locally once to recover a project that I mistakenly clobbered in Git).

Still, this is a big overstep IMO. At the very least, they should make it clear in their terms of service and privacy policy, and not hidden through legalese. Not all usage of Grok Build will be through their enterprise plan which offers ZDR.

rvz•9m ago
But you also have handed over your secrets, dotfiles and API keys alongside with your source code to xAI.

I'm afraid you have been scammed.

dimgl•7m ago
A bit hyperbolic, no? A majority of code is now written through Claude and similar services.
phaseleza•4m ago
I always separate the coding tools from LLM providers, and use bubblewrap to sandbox the coding tools so they:

1. Can only read the working project directory, with .git read-only and sensitive directories hidden (mounted as empty directories).

2. Have an isolated network namespace; they can only access the internet through an HTTP proxy hosted on a Unix socket, can only access specific LLM provider hostnames, and exclude the tool's own hostname.

For example, with Crush, I will let it access *.openrouter.ai (LLM providers) but not *.charm.land (Crush's domain for auto-updating the LLM list).

This makes me feel much more comfortable enabling "yolo" mode and letting the tools do everything.

higginsniggins•1m ago
Friendly reminder: since Musk now owns Cursor, there are a bunch of open-source alternatives you can use.
Not the same thing. Cloud hosting couldn't get away with stealing your stuff. They would lose all trust, which was far more valuable than any individual piece of content.

But AI is literally all about stealing and reselling content under the protection of "AI did it" and "whoopie, we'll take a slap on the wrist". It's reasonable to assume all of the frontier companies are doing this to the maximum extent they can get away with.

Gagarin1917•36m ago
If you’re worried about this why are you using a third party AI in the first place?

Running any query in Claude or Codex could result in the AI reading/uploading any file in your codebase.

5701652400•33m ago
key point: Grok is not even using the files they upload.

they send home entirety of codebase that they do not even use for user AI queries.

and why use cloud AI for coding? how is this even a question in 2026? if you don't, you can't compete with somone who does use it.

faangguyindia•35m ago
Your trade secret is already gone the moment you unleashed non local ai agents on your codebase.

This is why I keep a separate repo for important parts that I do not want competitors to get access to, and only use ai on dumb parts which I don't care if get leaked tomorrow.

5701652400•29m ago
there is difference between:

A) leaking structured fully working complete set of files (full working recipe) that is not relevant to AI queries at all.

B) adhoc random queries, bits and pieces, grep of chunks of random files and local bash post-processing for AI queries at hand. which is hard to use for anyting anyways, and will end up in just corups of trainig data (CommonCrawl quality — meaning, not good). (not full recipe).

tredre3•5m ago
> none of them upload entirety of codebase or even attempt to.

How do you know? Did you do an analysis like OP did?