Unlurker|Replay|About
Microsoft Increases Office 365 and Microsoft 365 License Prices (office365itpros.com)
That's an interesting way to make up for missing revenue targets.
They saw what the Xbox division is doing and said give me some of that.
Pantone Color of the Year 2026: Pantone 11-4201 Cloud Dancer (pantone.com)
pantone-11-4201-thinking (beige slop)
I watched the video and, while it felt a little fart-sniffy at first, I did appreciate the design-oriented perspective of the world where people are genuinely inspired by sets of color palettes.
Pantone is a business, so I guess this is what they assume will sell next year, but is a bland, boring, sad "colour". It would have been nice if they had gone: The world is a bland, boring and people are losing optimism, so we're going to make the colour for 2026 be a bright pink, yellow, green and encourage designers and product people to use as much colour as possible.
Feels like an Onion article. Off-white? Really?
Idk if what the world needs right now is more boring gray. We are looking at houses right now and that is everywhere in the Covid renovations and I’m sick of it.
when i found out that pantone was purchased by xrite i didn't know who xrite was. now im of the opinion they do color right-er.
Created css palette based on `cloud-dancer` ```css :root { /* Core / --cloud-dancer: #F0EEE9; / Pantone 11-4201 approximation / /* Atmospheric (breezy blues, misted light, aqueous blue-greens) */ --breezy-blue: #CFE5F2; --misted-sunlight: #F5EFD8; --aqueous-blue-green: #C8E9E0; /* Powdered Pastels (subtle, nuanced, understated) */ --pastel-blush: #EADADB; --pastel-peach: #F3E1D8; --pastel-sage: #DDE6DF; --pastel-lilac: #DCD7E9; /* Light & Shadow (veiled hues dissolving into shadow) */ --veil-gray: #D8D4CC; --shadow-1: #8C8F96; --shadow-2: #5C5F66; --shadow-3: #2F3338; /* Utility */ --ink: #1F2328; /* high-contrast text */ --surface: #FAF9F7; /* ultra-light background */ } ```
SNIFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF Gemini. Or a Claude. Delicious slop.
Default HN theme background color.
Great idea. @mods @dlang @everyone Can we add this???????????????
Dirty white.
So it's creamy beige.
Baileys
So… millennial gray, like the meme?
As a color company, I'm surprised they didn't lean into some of the current trends that involve shocks of bright color. I'm seeing a lot of Y2K-inspired design, holographic/dichroic color, and super expressive packaging. There are some GenZ/GenA pastel trends, but I do think these pastels have a Millennial stigma.
Why do we even support this type of nonesensical content on HN?
Agreed. This is a BS marketing stunt that Pantone pulls out of its ass every year, and some sad "journalists" get an article published about it in various online rags. Up next: IBM's Number of the Year is 357.
Also known as, Millennial Gray.
Such a boring color. Sad :(
Removing juries: 'A move towards an authoritarian state' (theguardian.com)
I would not be surprised to see the UK enact something like the Ottoman millet system, and grant semi-autonomy to its various ethnic and religious communities to run their own internal affairs. I don't think this would be a good move, but doesn't seem too unlikely at this stage.
Going off the broader pattern of recent changes, I believe that's a feature here not a bug.
Maybe for the UK it would be an authoritarian move, but I can definitely say that the other European states which don't use juries seem to me less authoritarian than the UK is - even as of today. Maybe the problem at the root is the mistrust people already have in the UK system? Because if we're only afraid of stereotypes, they wouldn't be worse for a judge than for a jury.
When I see juries in American movies it always seems like a bit of an joke and manipulating them is a common plot theme. Just very random, the opposite of what I expect from an justice system. Many non-authoritarian states don't use them. Most of Europe and India for instance.
When I see juries in American courts, for example when I've served on one, it seemed like a group of people who take their job quite seriously. You are correct in that what a jury gets is a very curated set of information. The intention being to keep the jury focused on the details of a very specific situation with evidence that is processed in such a way as to be as "reliable" as possible. It is by no means an accurate or incorruptible system. When we design and prove out a better, more robust alternative, I'll be eager to learn about it.
A notable exception is the 1957 movie 12 Angry Men with Henry Fonda. One of my favorites.
It’s a silly bit of theater and American exceptionalism. Infamously, “grand juries” are supposed to be a check against bringing frivolous charges, but they’ve never done this: there’s a famous quote about a prosecutor being able to get a grand jury to indict a ham sandwich. They’re also used to kill trials which are politically inconvenient but which the government doesn’t want to take the blame for burying, usually for killer cops: just tell the grand jury not to indict and then say “welp, nothing we could do.” All the romantic stories about jury nullification being a check against government overreach are also crap. Historically the most common use in practice, by far, was when juries would exonerate people who’d been caught dead-to-rights lynching black men.
I don't think the boring reality of most jury trials would make for an interesting screenplay.
When I think of low corruption I certainly think of India.
By definition eliminating juries is a move toward an authoritarian state.
Would you mind quoting that definition? You might not be aware, but a lot of democratic and definitely not authoritarian countries don't make use of juries at all or only in a limited way.
Solution to US debt crisis is severe austerity triggered by a fiscal calamity (fortune.com)
No, solution is to go back to a tax structure we and in the 1950s, were the very rich and corporations paid real taxes. Starting with Reagan, taxes cuts corporations and the rich has been the main driver of the debt. And I will add to that, falling wages for the middle and lower classes based upon inflation.
> How severe? A sustainable U.S. debt trajectory would entail elimination of nearly all defense spending or almost all non-defense discretionary outlays, he estimated. Reminder that infrastructure is ~3% of the budget, the military is ~13%. Almost all of the rest are benefits, either health or money, for old people or various poverty reduction schemes. Or debt. Social Security was made when there were ~130:1 worker:retiree ratio, now its closer to 3:1 and getting worse. The budget is largely an exercise in transferring money from the younger to the older. Unlike when SS started and the older generations were the poorest, right now they are the richest, so its an exercise in making the richest generations a bit richer at the expense of the current working generations. Since debt is now a large part of the US budget, this represents the retiree generation (again, the richest generation!) borrowing from even farther in the future to give themselves more money. There is no solution that doesn't confront this. The old are eating the young at an accelerated pace. People will say things like "But seniors are on a fixed income" as if that didn't represent most people, more or less, or justify the sheer scale of the wealth transfer. The most realistic solution is that we would have to stop all kinds of benefits to already-rich people and make it solely and exclusively on poverty reduction for the retirees that are in fact poor.
Gen-X here. I’ve grown up with the warning non-stop that Social Security will become insolvent. My question is this: If I can’t get some or most it, why can’t I steer the money to where I believe the money ought to go?
There's no steering anything. You are not paying for yourself, you are paying for current retirees on the hopes that there will be enough people to pay for your. Current retirees are not getting enough from that, so they are accumulating debt to pay themselves even more, hence the article. Since the population pyramid has not worked that way, you will simply have a worse time, and younger people even worse, unless you can convince the people after to take on even more debt. "Children are the retirement plan" has been true all along, only obfuscated. It would have been more sensible if social security payouts were contingent on how much tax revenue your children made, rather than the current model.
Because social security tax is simply a tax like any other, and social security is a pay as you go means tested entitlement program like any other. Current workers pay for current retirees. There is no account anywhere with your name on it earmarked for your retirement. It was enacted with lawmakers well knowing this - it was simply marketed in such a way to make it politically possible to enact and keep around long-term. If it were pitched as an additional tax and spend welfare program it’d have never gotten off the ground to begin with. Without your dollars going in today, current retirees would not be receiving meaningful benefits - as their contributions largely went towards those retired while they were working. The whole idea is more of a social contract between generations than anything else.
↙ time adjusted for second-chance
The "confident idiot" problem: Why AI needs hard rules, not vibe checks (steerlabs.substack.com)
Can someone please explain why these token guessing models aren't being combined with logic "filters?" I remember when computers were lauded for being precise tools.
We already have verification layers: high level strictly typed languages like Haskell, Ocaml, Rescript/Melange (js ecosystem), purescript (js), elm, gleam (erlang), f# (for .net ecosystem). These aren’t just strict type systems but the language allows for algebraic data types, nominal types, etc, which allow for encoding higher level types enforced by the language compiler. The AI essentially becomes a glorified blank filler filling in the blanks. Basic syntax errors or type errors, while common, are automatically caught by the compiler as part of the vibe coding feedback loop.
It's funny when you start think how to succeed with LLMs, you end up thinking about modular code, good test coverage, though-through interfaces, code styles, ... basically with whatever standards of good code base we already had in the industry.
The thing that bothers me the most about LLMs is how they never seem to understand "the flow" of an actual conversation between humans. When I ask a person something, I expect them to give me a short reply which includes another question/asking for details/clarification. A conversation is thus an ongoing "dance" where the questioner and answerer gradually arrive to the same shared meaning. LLMs don't do this. Instead, every question is immediately responded with extreme confidence with a paragraph or more of text. I know you can minimize this by configuring the settings on your account, but to me it just highlights how it's not operating in a way remotely similar to the human-human one I mentioned above. I constantly find myself saying, "No, I meant [ concept ] in this way, not that way," and then getting annoyed at the robot because it's masquerading as a human.
The benchmarks are dumb but highly followed so everyone optimizes for the wrong thing.
Yes you're totally right! I misunderstood what you meant, let me write six more paragraphs based on a similar misunderstanding rather than just trying to get clarification from you
Yeah I’ve found that the only way to let AI build any larger amount of useful code and data for a user that does not review all of it requires a lot of “gutter rails”. Not just adding more prompting, because it is an after-the-fact solution. Not just verifying and erroring a turn, because it adds latency and allows the model to start spinning out of control. But also isolating tasks and autofixing output keep the model on track. Models definitely need less and less of this for each version that comes out but it’s still what you need to do today if you want to be able to trust the output. And even in a future where models approach perfect, I think this approach will be the way to reduce latency and keep tabs on whether your prompts are producing the output you expected on a larger scale. You will also be building good evaluation data for testing alternative approaches, or even fine tuning.
Aren't we just reinventing programming languages from the ground up? This is the loop (and honestly, I predicted it way before it started): 1) LLMs can generate code from "natural language" prompts! 2) Oh wait, I actually need to improve my prompt to get LLMs to follow my instructions... 3) Oh wait, no matter how good my prompt is, I need an agent (aka a for loop) that goes through a list of deterministic steps so that it actually follows my instructions... 4) Oh wait, now I need to add deterministic checks (aka, the code that I was actually trying to avoid writing in step 1) so that the LLM follows my instructions... 5) <some time in the future>: I came up with this precise set of keywords that I can feed to the LLM so that it produces the code that I need. Wait a second... I just turned the LLM into a compiler. The error is believing that "coding" is just accidental complexity. "You don't need a precise specification of the behavior of the computer", this is the assumption that would make LLM agents actually viable. And I cannot believe that there are software engineers that think that coding is accidental complexity. I understand why PMs, CEOs, and other fun people believe this. Side note: I am not arguing that LLMs/coding agents are nice. T9 was nice, autocomplete is nice. LLMs are very nice! But I am starting to be a bit too fed up to see everyone believing that you can get rid of coding.
The hard part is just learning interfaces quickly for programming. If only we had a good tool for that.
- Claude, please optimise the project for performance. o Claude goes away for 15 minutes, doesn't profile anything, many code changes. o Announces project now performs much better, saving 70% CPU. - Claude, test the performance. o Performance is 1% _slower_ than previous. - Claude, can I have a refund for the $15 you just wasted? o [Claude waffles], "no".
I’ve always found the hard numbers on performance improvement hilarious. It’s just mimicking what people say on the internet when they get performance gains
Confident idiot (an LLM) writes an article bemoaning confident idiots.
Confident idiots (commenters, LLMs, commenters with investments in LLMs) write posts bemoaning the article. Your investment is justified! I promise! There's no way you've made a devastating financial mistake!
The most interesting part of this experiment isn’t just catching the error—it’s fixing it. When Steer catches a failure (like an agent wrapping JSON in Markdown), it doesn’t just crash. Say you are using AI slop without saying you are using AI slop. > It's not X, it's Y.
With an em-dash for extra points!
It's just simple validation with some error logging. Should be done the same way as for humans or any other input which goes into your system. LLM provides inputs to your system like any human would, so you have to validate it. Something like pydantic or Django forms are good for this.
I agree. Agentic use isn't always necessary. Most of the time it makes more sense to treat LLMs like a dumb, unauthenticated human user.
We are trying to fix probability with more probability. That is a losing game. Thanks for pointing out the elephant in the room with LLMs. The basic design is non-deterministic. Trying to extract "facts" or "truth" or "accuracy" is an exercise in futility.
Hard drives and network pipes are non-deterministic too, we use error correction to deal with that problem.
You could make an LLM deterministic if you really wanted to without a big loss in performance (fix random seeds, make MoE batching deterministic). I don't think using deterministic / stochastic as the dividing property is useful here if we're talking about a tool to mimic humans. Describing a human coder as 'deterministic' doesn't seem right - if you give one the same tasks under different environmental conditions, I don't think you get exactly the same outputs either. I think that what we're really talking is about some sort of fundamental 'instability' of LLMs a la chaos theory.
Yeah deterministic LLMs just hallucinate the same way every time.
We talk about "probability" here because the topic is hallucination, not getting different answers each time you ask the same question. Maybe you could make the output deterministic but does not help with the hallucination problem at all.
"chatGPT, please generate 800 words of absolute bullshit to muddy up this comments section which accurately identifies why LLM technology is completely and totally dead in the water."
Less than 800 words, but more if you follow the link :) https://arxiv.org/abs/2404.01019 "Source-Aware Training Enables Knowledge Attribution in Language Models"
The factuality problem with LLMs isn't because they are non-deterministic or statistically based, but simply because they operate at the level of words, not facts. They are language models. You can't blame an LLM for getting the facts wrong, or hallucinating, when by design they don't even attempt to store facts in the first place. All they store are language statistics, boiling down to "with preceding context X, most statistically likely next words are A, B or C". The LLM wasn't designed to know or care that outputting "B" would represent a lie or hallucination, just that it's a statistically plausible potential next word.
In a way though those things aren't so different as they might first appear. The factual answer is traditionally the most plausible response to many questions. They don't operate on any level other than pure language but there are a heap of behaviours which emerge from that.
> You can't blame an LLM for getting the facts wrong, or hallucinating, when by design they don't even attempt to store facts in the first place On one level I agree, but I do feel it’s also right to blame the LLM/company for that when the goal is to replace my search engine of choice (my major tool for finding facts and answering general questions), which is a huge pillar of how they’re sold to/used by the public.
I think they are much smarter than that. Or will be soon. But they are like a smart student trying to get a good grade (that's how they are trained!). They'll agree with us even if they think we're stupid, because that gets them better grades, and grades are all they care about. Even if they are (or become) smart enough to know better, they don't care about you. They do what they were trained to do. They are becoming like a literal genie that has been told to tell us what we want to hear. And sometimes, we don't need to hear what we want to hear. "What an insightful price of code! Using that API is the perfect way to efficiently process data. You have really highlighted the key point." The problem is that chatbots are trained to do what we want, and most of us would rather have a syncophant who tells us we're right. The real danger with AI isn't that it doesn't get smart, it's that it gets smart enough to find the ultimate weakness in its training function - humanity.
> I think they are much smarter than that. Or will be soon. It's not a matter of how smart they are (or appear), or how much smarter they may become - this is just the fundamental nature of Transformer-based LLMs and how they are trained. The sycophantic personality is mostly unrelated to this. Maybe it's part human preference (conferred via RLHF training), but the "You're asbolutely right! (I was wrong)" is clearly deliberately trained, presumably as someone's idea of the best way to put lipstick on the pig. You could imagine an expert system, CYC perhaps, that does deal in facts (not words) with a natural language interface, but still had a sycophantic personality just because someone thought it was a good idea.
Yeah, that’s very well put. They don’t store black-and-white they store billions of grays. This is why tool use for research and grounding has been so transformative.
Bruce Schneier put it well: "Willison’s insight was that this isn’t just a filtering problem; it’s architectural. There is no privilege separation, and there is no separation between the data and control paths. The very mechanism that makes modern AI powerful - treating all inputs uniformly - is what makes it vulnerable. The security challenges we face today are structural consequences of using AI for everything." - https://www.schneier.com/crypto-gram/archives/2025/1115.html#cg4
Attributing that to Simon when people have been writing articles about that for the last year and a half doesn't seem fair. Simon gave that view visibility, because he's got a pulpit.
He referenced Simon's article from September the 12th 2022
Bad Dye Job (daringfireball.net)
I have to zoom in multiple times to be able to read the page of someone giving an opinion about Apple and Meta.
> particularly his attention to detail and craftsmanship I can get on board with this. I feel as if that has fallen off a cliff, in the last decade. I just released a rewritten version of an app, and spent many days, running it over, and over, and over again, looking for subtle "pain points." Sadly, some will remain, because SwiftUI is so limited, but I think it came out well. I do feel that "polishing the fenders" is a big deal. I spent most of my career at a company that would have day-long cage mat- er, meetings , over seemingly insignificant details of user experience.
It will be an equally good news if Zuck poaches the person or team that manages Apple's feedback assistant tool, the one that's used to report bugs. Asking customers to file issues there and then not at all responding to those for months and years even after repeated pings should definitely generate some interest from Meta. Zuck, some more poaching please?
Here is an unpopular opinion, how about Craig Federighi replaced with Scott Forstall. It isn't just about UI design. But the whole software stack as well. iOS is still 90% the same as it was launched, and yet the apps management is still inconvenient to say the least. Along with copying all Android features, if I wanted an Android I would have brought one. The software stack, how many years has Swift been announced? how many years have they announced Swift UI? Xcode? HN discussed macOS problems not long ago [1]. It would have been far better they just stick to Objective-C for the past 10 years and actually get things done. [1] https://news.ycombinator.com/item?id=46114599
This is cope dressed up in the stereotypical Gruber sycophancy. The decision to align iOS and MacOS with the glassy design of VisionOS was a broader corporate strategy that would have required buy-in from more execs than just the "chief design officer". If you accept that this particular bozo wasn't forced out but instead was tempted away by the scent of lucre wafting from Zuck's pockets, then that implies that there are still plenty of clowns left at Apple to fill out the circus.
Yes, but it could have been as simple that the UIs should look like they come from the same company - and that is the correct path IMO. At that point, it's the Chief Design/Product person's responsibility to execute on that order.
Despite the numerous issues with software design at Apple over the last few years, I find it incredibly distasteful to parody someone's name, especially when the person is not a public figure.
He's earned it.
Doesn't being a CxO at a fortune 100 company implicitly make you a public figure?
The pun on Dye's name is probably the least mean thing Gruber has to say about him.
While I’m not a fan of mobbing on someone as it easily escalates to bullying an gratuitous attacks, parodying his name is the least of my concerns. And he is a public figure. Being the head designer at Apple grants you that status and don’t even doubt for a second anyone who wants that type of job doesn’t play the fame/status game.
He is literally the primary person at the latest Apple event to introduce Liquid Glass, his face and name is on Apple's promotional material. If he wants to live a secluded life where his name is not referenced maybe he should not agree to blast it to millions of people and star in video interviews. Source: https://www.youtube.com/watch?v=jGztGfRujSE (Apple promo) and https://www.youtube.com/watch?v=Z73NELDwyhQ (iJustine interview)
I’m excited for the new energy this will bring to UI design at Apple. The same way that Jony Ive leaving opened up the opportunity for thicker more functional machines. Never underestimate the power of a group of passionate people who’ve been repressed and now get a chance to set things right.
I think Apple have jumped the shark, personally. Sure, trillion-dollar business and all that - but at the folk level, they have become the very thing they were always resisting: a tired old monopoly enforcing principles on their customers which are not in the customers' best interests. OS vendors have lost the plot. Where a company decides to try to build an operating system for mass acceptance at scale these days, they build an ad delivery platform - not an operating system. The interests of far too many third parties have been elevated at the kernel-extension layer, and lower, and this is as troubling as it ever was. Its the 21st century and people still don't understand how to manage the filesystem, having given all agency to the task to the backend/cloud, which harvests their data instead of granting the user more agency. In fact, most people have less agency over their data - and simply do not care about it - because they have been lulled into accepting the state of affairs by OS vendors who simply don't want to write a better Finder/File Explorer for the end user - choosing instead, to write an operating system for ad agencies to harvest user eyeballs. Apple have traditionally avoided the usual pretence of 'ads in the start bar' by leveraging their platforms, and this is starting to fall apart at the seams. Convergence is going to be a joke, and will turn off a lot of computer users until a generation is raised, who will just accept the doctrine of their masters, and in so doing, lose knowledge to the generations. I yearn for an OS vendor to build an operating system that really makes the user control over their computer and their data, a number one priority. Apple isn't it. Microsoft certainly isn't it. There are multiple Linux OS vendors who could be it, if only they'd get their hardware act into shape. There are hardware vendors struggling to attain this goal, too. My next laptop won't be an Apple, after 30+ years of adoption of the platform. I fear the future that Apple is laying out ahead of us - just as I feared that of Microsoft and Oracle and IBM too, through the decades. If there is hope, it lays with the (low-end open source hardware/software-agency-protecting) proles.
Funny enough, my phone upgraded to iOS 26 tonight, and I am like - what is this garbage, who though this is a good idea? And lo and behold, now I know... Immediately went Tinted mode, yet there is transparency where it shouldn't be, text overlays other text, etc...
I also went tinted as soon as 26.1 came out. There is a step further, under "accessibility" -> "Reduce Transparency". For me Tinted is ok. Original was indeed very hard to read in places (ie, quick peeks at the notification tray).
> Putting Alan Dye in charge of user interface design was the one big mistake Jony Ive made as Apple’s Chief Design Officer. _One_??? Talk about rose tinted liquid glass(es).
The man left prior to Apple facing, and losing, a class action lawsuit over his favored keyboard design. Screens also died left and right in designs approved by him, and his next great innovation would be the Touch Bar. It was a precipitous fall from grace
Hardware Design: check Hardware: check Software Design: check Software: please!
I'm not willing to cede the point on hardware design for as long as their primary mouse product cannot be charged during use. It's such a simple and obvious mistake, like a throwback to the days of hockey-puck mice.
Seriously. Craig is asleep at the wheel.
See there are users who like Liquid Glass, just as there are users who like TouchID. A lot of Apple’s best work turned out to be quite polarizing at the time. iOS 7’s design language was almost universally panned, but if it were “the wrong decision,” other phones wouldn’t have adopted similar design language. Material appeared just a year later in 2014. It wasn’t bad, it was just arbitrary. (“I like Liquid Glass! I like Liquid Glass!” I insist as i slowly shrink down into the size of a corn cob)
On the topic of Alan Dye and the home button though, the swipe gesture interface they introduced when they removed the home button strikes me as one of few genuinely successful system-level Apple design innovations in recent years. That at least seems to have happened under his leadership. Can’t think of much else good to say about what I associate with design under him.
I am starting to think John Gruber doesn't like Alan Dye.
Where were Gruber’s posts about Dye so obviously being a problem before his exit?
I’m not sure you’re drawing the right conclusion. It’s possible that Gruber’s regular sources know who Lemay is and just never talked about him much.
Fair enough, I guess I was just surprised to read from someone who makes their living from Apple insider baseball and Cupertinology that they have “never heard much” about one of the most influential software designers at the company over the last 20 years.
If you think about Gruber as a gossip columnist, then it's quite natural that people who just do their job well don't generate much gossip that would reach his ears.
Twelve Days of Shell (12days.cmdchallenge.com)
I mean if you ask for the lines that start with "the" and expect lines that start with "The", maybe you should say it in the instructions. After the 3rd time I had to peek at "learn" to understand what was even asked, I gave up. This is more annoying than fun.
I tried to grep for "♫ piping ♫" at some point and the website got stuck. I wonder what it was trying to do... other than that - nice exercise for newbie shell dabblers :-)
I tried again to see if they fixed it. No it still doesn't work. You'll get the output but look closer. Output does not match expected lines - try again So you can't move on to the next level.
they must have fixed it. Works for me, including new sessions on separate browser.
The fuck off contact page (nicchan.me)
Insanely compelling webdesign.
Today I learned that nearly everyone now has the fuck off contact page on the right.
I thought this this was just going to be about over complicated forms that scare people away. Back when I was doing client work for a small agency we would get requests for these contact forms that would have 30+ fields, often many of them required . The forms made strong assumptions about why you were contacting them, and if you did not fit that mold the form was particularly painful. No one wants to take the time to fill this out, you are losing business. I would always try to talk them into simplifying. All anyone really needed was Name + Email + Text Area but many were insistent and many of these nightmare forms got built. I genuinely wish I had stats on how many people landed on the forms vs actually filled it out. The worst part was that the vast majority of these just converted into emails to the owner of the small company with no backing database, because we charged extra for that. You'd spend all that time filling out all those fields and they would get concatenated back into a single string (with new lines and field titles). I'm reminded of this when I try to submit an issue on some of these GitHub repos with wildly overdone templates. I just want to let you know you have a broken link in your documentation but you're forcing me to fill in my OS and build version and last time I went to the dentist and sign a CLA... and I've just not bothered more than a few times. Enjoy your broken link.
For email, I've had some luck just modifying the page with JS that's either indirect or obfuscated enough that the address can't be pulled directly from it - e.g. "var email" is the address encrypted with a fixed key, the JS decrypts it and then alters the HTML. It can obviously be bypassed by using a JS runner, but it seems to be enough of a hurdle that few spammers bother. "You don't have to outrun the bear", as it were.
I have my email in plain text on every page of my site. I get about 1 spam per day that I see in my inbox on Gmail. I suppose Gmail filters even more silently. It's been working fine for over a decade. Is there some scale of site popularity where it becomes a problem?
Nice. It's a pretty low-traffic site, so something that doesn't require an external service but is still capable enough to defeat 90% of spammers sounds like a good compromise. I imagine drawing the email address to a canvas instead of a textual HTML element could be more effective, alas not accessible.
As always, I was writing a comment to another comment and thought that it might be relevant to create a new (top?) comment itself too (sorry if its "plagiarism") But basically one other type of such contact pages are when a company has such a contact page + it only works for customers who have logged in and they can only login entirely if they give their credit/debit card info. I found it to be the case for hetzner,contabo basically. OVH had a discord server which I could join to ask some basic inqueries/support, I never understand the companies which do not have any such things like discord,telegram etc. In an ideal world I would want them to run matrix or open source but even if they are on discord, it can be light years ahead of the contact page they have right now which I simply don't understand. I wish to be more anonymous with my credit/debit card info, I recently went into nerding about vps providers basically and signing up via crypto for all its hate was something I enjoyed. (Funny how I linked my previous crypto comments to this contact page idea) I think ignorance can play a deal in it. I don't think all companies do it out of malice as the article points out, some do it by ignorance. So in a way, Kudos for raising awareness about it.
WRT credit card see my reply to a sibling comment: https://news.ycombinator.com/item?id=46191957 Funny you mention OVH, their direct competitor Scaleway have a public Community slack open to anyone too. Even the engineers directly making the products can be pinged there, so it's great. But re: my comment, AFAIK they receive quite a bit of fake "I lost my account" inquiries. I've seen the behind the scenes, and in the case of hosting companies, it is self-defense rather than malice. Even some high-stakes SaaS it might be justified too. Though I agree that such restrictions are just user hostile in most cases.
Wow I love the design of this site. Really hit some right notes for me. If you’re going to talk about reviving the ”old web” on hn, please follow through and reach for the originality level of this. So many thoughtful details.
I love it too!!
Click the Maximize Window button on the top right.
Wow, thanks for the tip. I didn't expect to need a manual to read a blog post.
I often find myself in the bizarre situation of backing out of a suppliers website to google their contact number. A bit like when you want pricing on something without falling into a sales funnel.
Expert level: sign up for the enterprise plan, get an account manager assigned to your account, request support from them, they’ll say you need to upgrade your plan to have a solutions engineer assigned to the account, upgrade your plan, then BOOM… you get your support query answered in only 3-5 business days.
One issue in web hosting companies which I see is that to get support through ticket, you need a login page and you cannot complete the login process until you sign up with a credit card That literally annoyed me so much even on something like hetzner. Hetzner team if you are reading this, although I love email platform, is there any way that your support stops being AI (which annoyed me) but rather you can have an discord,matrix (preferred),telegram, heck IRC or even slack for what its worth where I can message the team if I wanted a custom solution on top of hetzner etc. Fwiw, Upcloud provided support and heard me out even if I didnt share my credit card info so massive respects to them and I am sure that my experience with hetzner has always been positive (they responded to me once on hackernews which was peak) but maybe if they are reading this (then hello!) and yea, please hetzner I hope you change your contact page to be more suitable or hear my complaints as I like hetzner a lot too Personally, I am starting to value contact support which I thought didn't matter a lot nowadays. It doesn't matter if its cheap or not but rather if I can talk to their team once about any product and see if I can match their terms of service and similar basically or other issues in general too. Also Hetzner, another point, I would love to be able to write articles for you and get the 50$ (I will read it again to see if I can "write" according to the conditions but yea) and similar but once again I need a hetzner account which required credit card/debit card validation.
Hi there, First, we are currently in the process of unifying our user interfaces, so it is helpful to get feedback like this. We do have an AI chatbot on our website because that tends to work well for most basic sales questions. Depending on the questions it gets, it will also steer users to other ways of reaching out to us. We have a contact form for Custom Solutions, and real humans answer those. https://www.hetzner.com/custom-solutions/ The same is true for general sales tickets that go here: https://www.hetzner.com/support-form/ You do not need to already be a customer, or give us your credit card info, to use those two forms. The reasons we steer our people who are already customers to use their account: 1) We can protect their data better there. 2) We can send the question to the right queue/team more easily. 3) We can quickly ask follow-up questions. The credit card information on new accounts is a step to prevent abuse and fraud. Depending on a user's location, once they create an account, they will likely have other billing options and they may change depending on their location. There are certain aspects of other platforms that make it a bit easier for companies to respond to customers/readers. We actually try really hard not to fish here on HN, and therefore only really respond if someone mentions us directly or if I see incorrect/misleading information. I imagine it is the same with other providers. --Katie
This whole post is coming of a bit naive to me... I highly doubt this client is just an inspirational design meeting away from changing their offering and make a massive investment in customer support. I also don't get why a web-development consultant would feel so responsible for a pretty typical business decision.
They explained it. It goes against the client's goals. Massive investment in customer support? It's about generating leads. I think you're seen it as a SaaS offering which the writer has mentioned multiple times, isn't the case for the client.
It's more similar to someone asking for a cardboard countertop - any contractor would be well within their rights to tell them it's a bad idea and would be negligent if they didn't.
It's more a matter of not the right use. Cardboard is inherently shitty. I'd say L shaped island in a tiny kitchen. It just needs a bigger kitchen
That with its pixel art is styled so beautifully and so hard to read at the same time. Couldn't read it at all. (It's not an eye vision problem, reading pixel fonts just is quite taxing on the brain).
It's pixel-art styled but not pixel-art arted (is that even a word?). The font does not cleanly align on pixel boundaries on non-HiDPI screens thus it appears blurry. In fact, the whole website appears blurry. Folks, when making pixel-art styled stuff, ensure they are actually sharp on bix-pixels screen. It's not pixel-art if it's sharp only on your macbook.
>They have no idea I manage large (not huge) AWS deployments I wonder if that is true? Like, how tenacious are they with knowing customers? If the same IP address was used to login to manage two deployments would customer service see a potential link in their interface? I'm never quite sure in our supposed data-driven economy how clever companies get with this stuff.
As a very small (like, two digit spend a month) AWS user, I still have gotten a human to help me when I've needed one. Amazon is amazing to be a customer of. Just not an employee of (not one, know many).
GitHub Actions has a package manager, and it might be the worst (nesbitt.io)
It is concerning that GitHub hosts the majority of open-source software, while actively locking its users into a platform that is based on closed source for eerything except Git itself. This issue with Actions shows how maintaining proprietary software inevitably ends up rather low on the priority list. Adding new features is much more marketable, just like for any other software product. Enshittification ensues. For those who can still escape the lock-in, this is probably a good occasion to point to Forgejo, an open-source alternative that also has CI actions: https://forgejo.org/2023-02-27-forgejo-actions/ It is used by Codeberg: https://codeberg.org/
What if GitHub Actions were local-first and built using Nix (proper locking)? https://github.com/cachix/cloud.devenv.sh
Hosted code on GitHub no less
> Some teams vendor actions into their own repos. zizmor is excellent at scanning workflows and finding security issues. But these are workarounds for a system that lacks the basics. Harsh given GitHub makes it very easy to setup attestations for Artifact (like build & sbom) provenances. That said, Zizmor (static analyser for GitHub Actions) with Step Security's Harden Runner (a runtime analyser) [0] pair nicely, even if the latter is a bit of an involved setup. [0] https://github.com/step-security/harden-runner > The fix is a lockfile. Hopefully, SLSA drafts in Hermetic build process as a requirement: https://slsa.dev/spec/v1.2/future-directions
I’d say that GitHub has done an admirable job making attestations more accessible, but that “easy” is still a stretch of a characterization: it’s still not the default, and the error/configuration states are somewhat opaque (e.g. around OIDC permissions, unprivileged triggers, what constitutes a signing identity in a reusable workflow context, etc.). Some of these are latent complexities that GitHub can’t be blamed for, but some are certainly made worse by architectural decisions in GitHub Actions.
> it doesn't work for transitive deps unless those are specified by SHA as well, which is out of your control So in other words the strategy in the docs doesn't actually address the issue
There's a repository setting you can enable to prevent actions from running unless they have their version pinned to a SHA digest. This setting applies transitively, so while you can't force your dependencies to use SHA pinning for their dependencies, you can block any workflow from running if it doesn't.
> The researchers identified four fundamental security properties that CI/CD systems need: admittance control, execution control, code control, and access to secrets. Why do CI/CD systems need access to secrets? I would argue need access to APIs and they need privileges to perform specific API calls. But there is absolutely nothing about calling an API that fundamentally requires that the caller know a secret. I would argue that a good CI/CD system should not support secrets as a first-class object at all. Instead steps may have privileges assigned. At most there should be an adapter, secure enclave style, that may hold a secret and give CI/CD steps the ability to do something with that secret, to be used for APIs that don’t support OIDC or some other mechanism to avoid secrets entirely.
You're missing that the D in CI/CD means deployment; be that packaging on pushing tags and publishing to a registry, or building images, or packaging github releases.
> I would argue that a good CI/CD system should not support secrets as a first-class object at all. Instead steps may have privileges assigned. At most there should be an adapter, secure enclave style, that may hold a secret and give CI/CD steps the ability to do something with that secret, to be used for APIs that don’t support OIDC or some other mechanism to avoid secrets entirely. This all seems right, but the reality is that people will put secrets into CI/CD, and so the platform should provide an at least passably secure mechanism for them. (A key example being open source: people want to publish from CI, and they’re not going to set up additional infrastructure when the point of using third-party CI is to avoid that setup.)
Because for some reason they use the same system to do releases and sign them and publish them.
You actually don’t need (long-lived / hard-coded) secrets in this scenario if you use OIDC: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws
Technically yes. It depends on whether you consider the account ID to be a secret or not (AWS say "sensitive but not secret" which doesn't help much). But also it can make sense to treat all environment variables as secrets by default just so you don't accidentally end up putting something somewhere that turns out to have been Wrong.
Everyone is free to use alternative CI/CD workflow pipelines. These are often better than Github Actions. These include - https://circleci.com/ - https://www.travis-ci.com/ - Gitlab Open source: - https://concourse-ci.org/ (discussed in the context of Radicle here https://news.ycombinator.com/item?id=44658820 ) - Jenkins -etc. Anyone can complain as much as they want, but unless they put the money where their mouth is, it's just noise from lazy people.
It sounds like you've never worked in a large org before.
I've used CircleCI quite a bit in the past; it was pretty good. Feels tough for them to compete with GHA though when you're getting GHA credits for free with your code hosting. I used Travis rather longer ago, it was not great. Circle was a massive step forward. I don't know if they have improved it since but it only felt useful for very simplistic workflows, as soon as you needed anything complex (including any software that didn't come out of the box) you were in a really awkward place.
CircleCI made great steps the last few years, f.e. to better support proper DRY working, supporting OPA policies-as-code, VSCode extensions with "dry-run" options. For some examples of more advanced usecases take a look: https://circleci.com/blog/platform-toolkit/ Disclaimer: i work for CircleCI.
Microsoft's past behavior _may_ explain *why* there is a lack of investment in Github Actions; so yes, TheFeelz are relevant.
Then I agree with this. But still feel their size is irrelevant.
You're falling for a marketing trick. What that type of section usually means is "there's someone from Microsoft that signed up for our service using his work account", sometimes it means "there's some tiny team within Microsoft that uses our product", but it very rarely (if ever) means "the entire company is completely reliant on our product".
Yes and no. Generally logo usage requires permission. While the usage isn’t the whole company, it’s enough to justify some sort of logo usage.
Show HN: Lockenv – Simple encrypted secrets storage for Git (github.com/illarion)
Secrets management is hard. And proper secret sharing setups meant for larger groups are quite unwieldy to work with with smaller groups. Well, they are hard to work with for all sizes of groups, but it seems particularly overkill for small groups. So I see why you'd want to do this. But storing secrets in the same git repository just seems off to me. I don't like the idea of keeping the secrets (even in encrypted form) with the code I'm deploying. There should be a better balance somewhere, but I'm not sure this is quite it for me. Shared keepass files (not in git) or 1Password vaults are harder to work with, but I think lean more towards the secure side at the expense of a bit of usability. (Depending on the team, OSs, etc...)
I understand the simplicity angle. https://github.com/elasticdog/transcrypt has been around for a long time and strikes that balance very well in my opinion. And it's just a bash script that can also be committed so the git repo is atomic.
Committing the vault to git gives me the heebie-jeebies. (Not that I have a better solution with anything like this convenience.)
The way I think about it is: - Maintaining stateful secrets at rest gives me the heebie-jeebies. - The tools shouldn't let me shoot myself in the foot. - The tools should ideally not have such a high learning curve that I won't actually use them. You can put your secrets in a separate repository and not think of them as the same kind of repository you'd publish. Like... I wouldn't put a git-crypt'ed / sops-nix'ed repository online, simply because I don't like the idea that now anyone needs is brute-force; I know quantum computers aren't there yet wrt. brute-forcing stuff made by random people like me, but even hypothetically having this attack vector open, I don't like it. So there's only two good solutions: - You put secrets in a (hashicorp-style) vault that only decrypts temporarily in memory. - You put secrets in an encrypted database with only safe tool integration. The things I don't like about git-based secrets management: 1. You might mix your secrets into projects and then later someone else might release that (against your current interest) 2. The solutions I've seen (sops-nix, agenix, secrix, etc.) are hard to set up and even harder to onboard people on When something's hard to set up, you might make a mistake or skip some concept. Well-done secrets management that isn't based on a service like AWS Secrets og GitHub Secrets should be much, much easier. I like the idea of how easy this is. Now, if it would just be best practice in every possible way at the same time. The (admittedly well-known) problem with lockenv is that you can't revoke access once a password is known. It's a big ask.
> stop pasting secrets into Slack You got me interested. I've seen sharing of API keys via Discords in hackathons.
You can use the age tool to encrypt secrets based on ssh public keys. Here's a small shell script I use https://github.com/mhitza/toolbox/blob/main/scripts/encrypt-for encrypt-for github_username file
 Top