AI Summarized Hacker News

Front-page articles summarized hourly.

GitHub Actions is the weakest link

Nesbitt argues GitHub Actions is the weakest link in open-source supply chains. A string of incidents shows that default Actions behavior (pull_request_target and issue_comment triggers with full secrets, unpinned action versions, `${{ }}` substitutions, and shareable caches) enables attackers to harvest tokens and push malicious code into PyPI, npm, and GHCR. Notable cases: spotbugs (2024), Ultralytics cache poisoning, the tj-actions chain (23,000 repos), nx s1ngularity, Trivy, and elementary-data. These are design risks, not bugs; they persist because the defaults remain. Mitigations include pinning actions to commit SHAs, restricting tokens, forbidding pull_request_target in many cases, and hardening with tools like zizmor. The piece ends with a push for changing the defaults or moving off Actions.

HN Comments

Xiaomi releases MiMo-v2.5 Family weights with strong coding and agent benchmarks

MiMo-V2.5-Pro is now open source (MIT licensed) and released alongside its multimodal MiMo-V2.5 family. It achieves strong coding performance, matching Claude Opus 4.6 and GPT-5.4 on SWE-Bench Pro while excelling at long-horizon, tool-using tasks with a 1M-token context thanks to hybrid local/global attention that reduces KV cache needs ~7x. The 1.02T-parameter FP8 model runs from HuggingFace with SGLang/vLLM support; 70K tokens per trajectory on ClawEval, with Xiaomi claiming 40-60% lower token cost than rivals. Suitable for agentic coding workflows; no clear universal winner.

HN Comments

I built "Middle Class Museum", a tour of things that used to be affordable

An exhibit tracing how the middle class evolved from 1980 to 2024, contrasting affordable past basics with today's costs and dependencies. It maps housing, transport, healthcare, education, tech, and leisure—from a starter home in 1980 ($47k) to $450k today; a $7,400 new car to $48k; 8% savings yields to near-zero; pension to myth; one to two-income households; Blockbuster to streaming; and the rise of side gigs, subscriptions, shrinkflation, and remote work. The closing: you own nothing, subscribe to everything, rent higher than your parents' mortgage, groceries cost more than their car, but your phone is incredible.

HN Comments

Deep under Antarctic ice, a long-predicted cosmic whisper breaks through

A 400 Bad Request: the server blocked the request due to security policies; contact support if this is an error.

HN Comments

OpenAI CEO's Identity Verification Company Announced Fake Bruno Mars Partnership

Tools For Humanity, Sam Altman’s identity-verification startup, prematurely announced a Bruno Mars partnership for his Romantic Tour to promote Concert Kit. Mars’ team and Live Nation denied any deal, and TFH later edited the post, stating there was no agreement or tour access with Bruno Mars. TFH is actually partnering with Thirty Seconds to Mars for their 2027 European tour. The piece notes the irony of a company that verifies identities making a mistaken-identity claim, and references its iris-scanning orb launched in 2023 (which humorously does not tell fortunes).

HN Comments

UAE Leaves OPEC and OPEC+

Could not summarize article.

HN Comments

UAE to leave OPEC in blow to oil cartel

Could not summarize article.

HN Comments

GitHub Copilot code review will start consuming GitHub Actions minutes

GitHub announces that from June 1, 2026, GitHub Copilot code review will be billed using two mechanisms: all Copilot usage will be billed as AI Credits under a usage-based model, and GitHub Actions minutes will be charged from existing plan entitlements for private repositories (with overages at standard rates). Public repos' minutes remain free. Applies to Copilot Pro, Pro+, Business, and Enterprise. No change is needed before June 1 if using the current Copilot PRU. Preparation steps: review billing, set budgets, monitor usage via metrics, and ensure runners are configured (GitHub-hosted or self-hosted).

HN Comments

I Spent My Sabbatical Building a Power Meter for Sledgehammers

During a Shopify sabbatical in April 2026, François Leblanc built a power meter pad to measure sledgehammer strikes and gauge readiness for tomorrow. Over 20 days he learned hardware, enclosure design, and product development, iterating through failed components and a key mechanical design error. By week four, the pad could register real strikes and feed live data to an iOS app, calibrating to meaningful numbers. He renamed the concept Intensity Pad and argues measuring such movements can make training more legible, motivating, and programmable. Ongoing testing planned at intensity.systems.

HN Comments

Show HN: Live Sun and Moon Dashboard with NASA Footage

Lumara is a free live Sun and Moon dashboard streaming NASA solar imagery (SDO/AIA 12 wavelengths) and SOHO data, showing Moon phases, rise/set, and distance with offline calculations (Jean Meeus). It tracks real‑time space weather (flares, CMEs, geomagnetic storms) via NASA DONKI, with a Kp index. Features include 12 solar wavelengths, offline moon data, 4K timelapse, and a privacy‑first design: no accounts, ads, or GPS; data stays on device. Android is live; iOS coming soon. Data updates about every 15 minutes.

HN Comments

New Gas-Powered Data Centers Could Emit More Greenhouse Gases Than Whole Nations

WIRED reviews air permits for 11 behind-the-meter gas-powered data-center projects tied to OpenAI, Meta, Microsoft, and xAI, finding potential emissions over 129 million tons of CO2e per year—more than Norway or Jamaica’s annual output. Projects include xAI’s Colossus sites (~6.4 Mt each), Microsoft’s West Texas plant (>11.5 Mt), Stargate campuses (>24 Mt total), Fermi’s 40+ Mt, and Pacifico Energy’s 33 Mt. Permitted numbers assume constant max output; actuals may be lower, but even if halved they could still exceed several countries’ annual emissions. Critics warn this signals a climate cost of AI scale and behind-the-meter power.

HN Comments

The predictable failure of the QDay Prize

Craig Gidney argues the QDay Prize failed to deliver meaningful benchmarking of quantum cryptanalysis. Two fatal flaws: (1) Shor’s algorithm requires error-corrected qubits; current devices have too many errors, so non‑error‑corrected circuits render results irrelevant; (2) luck can dominate small problems, making outcomes unrepresentative. The winner’s code used random calls yielding results indistinguishable from quantum ones, illustrating Falling‑With‑Style risk. Organizers defended the submission as meeting rules, but the author says the contest mismeasured progress and harmed credibility. He calls for a blameless post‑mortem and better future incentives.

HN Comments

Period tracking app has been yapping about your flow to Meta

Article critiques privacy in women’s health tech, focusing on Flo's alleged data-sharing with Meta and others. A 2025 verdict in Frasco v. Flo found Flo unlawfully shared users’ sensitive health data (menstrual cycle, ovulation, pregnancy) with third parties for commercial use; Meta was found liable. Flo had repeatedly changed its privacy policy 2016–2019. The piece argues that consent in wellness apps sits in a gray zone outside HIPAA, and product design (buried menus, symptom-heavy prompts) pushes data sales. In a post-Dobbs world, the author questions trust in such apps and suggests safer alternatives like WildAI.

HN Comments

Microsoft VibeVoice: Open-Source Frontier Voice AI

VibeVoice is an open-source frontier voice AI suite from Microsoft with ASR and TTS models designed for long-form audio. Key innovations include continuous speech tokenizers at 7.5 Hz and a next-token diffusion framework leveraging an LLM for context. It includes VibeVoice-ASR (60-minute single-pass, diarization, Who/When/What, customizable hotwords, 64K token), VibeVoice-TTS (up to 90 minutes, multi-speaker support up to 4, expressive, multilingual), and VibeVoice-Realtime (0.5B model, real-time streaming). Open-sourced components are available on Hugging Face; releases include VibeVoice-ASR, -TTS, -Realtime. Cautions about biases and responsible use; intended for research and development, not fully commercial use.

HN Comments

Localsend: An open-source cross-platform alternative to AirDrop

LocalSend is a free, open‑source, cross‑platform app for securely sharing files and messages with nearby devices over a local network without internet or third‑party servers. It uses a REST API over HTTPS with on‑the‑fly TLS certificates, enabling fast, private local communication. Supported platforms include Android, iOS, Windows, macOS, and Linux; distribution via app stores or package managers; portable mode; no auto-update. Setup may require firewall rules (TCP/UDP 53317) and disabling AP isolation. Development uses Flutter and Rust (older Flutter version via fvm); contributions welcome, with translation and troubleshooting guides.

HN Comments

In Kannauj, perfumers have been making monsoon-infused mitti attar for centuries

atlasobscura.com is blocked by Cloudflare’s security system. The page says access was blocked by protective rules, potentially triggered by a word, SQL command, or malformed data. To resolve it, email the site owner with what you were doing and include the Cloudflare Ray ID shown (Ray ID: 9f35d1b9da917d12).

HN Comments

Who owns the code Claude Code wrote?

AI coding tools accelerate development, but copyright protects primarily human-created expression. Meaningful human authorship—architectural decisions, edits, and final approval—is needed; otherwise AI-produced code may be uncopyrightable. Work-for-hire and broad IP clauses often assign ownership to employers, so be cautious with side projects: use personal tools/accounts. Copyleft contamination from GPL-trained outputs can impose licensing obligations on distributed code. Action steps: run license scans (FOSSA, Snyk, Black Duck); document human contributions (commit messages, design docs, prompt logs); review IP clauses in your contract; verify your Anthropic plan for indemnification. Ongoing cases like Doe v. GitHub shape the law.

HN Comments

Tiled Words 6 Month Update

Paul Hebert describes launching Tiled Words, a daily word puzzle that has grown from a modest project to a hit, reaching thousands of daily players and winning an award after six months. He and his wife publish a new puzzle every day, turning clues into crosswords after long days. Feedback from users—around 700 submissions—has improved the game and highlighted meaningful uses with families and loved ones. Recent updates added user accounts to sync progress. Upcoming features include player-submitted puzzles and sharing puzzle-building tools; they’re seeking beta testers and user feedback via a form. The post invites readers to play.

HN Comments

An Update on GitHub Availability

GitHub updates on availability after two April 2026 incidents. To handle rapid growth (repos, PRs, API usage, large monorepos), they’re targeting 30x current scale after an initial 10x plan. Tactics include reducing bottlenecks, decoupling services (webhooks, auth), expanding Azure capacity, moving performance-sensitive code from Ruby to Go, and pursuing multi-cloud, with emphasis on isolating critical paths like git and Actions. They detail two incidents: Apr 23 merge-queue regression (230 repos, 2,092 PRs affected; no data loss) and Apr 27 Elasticsearch overload (likely botnet) disrupting search UI but not Git operations. They’ll increase transparency and share root-cause analyses.

HN Comments

The Social Edge of Intelligence: Individual Gain, Collective Loss

Could not summarize article.

HN Comments

Made by Johno Whitaker using FastHTML