https://news.ycombinator.com/Links for the intellectually curious, ranked by readers.https://words.filippo.io/vuln-reports/Tue, 23 Jun 2026 23:42:46 +0000https://news.ycombinator.com/item?id=48653216<a href="https://news.ycombinator.com/item?id=48653216">Comments</a><article morss_own_score="6.371707317073171" morss_score="11.554465937762824"> <time> 23 Jun 2026</time> <h1>Vulnerability Reports Are Not Special Anymore</h1> <section morss_own_score="6.36551724137931" morss_score="58.22059212790314"> <p>A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all.</p> <p>Except…</p> <p>For years, as lead of the Go Security team at the time,^{<a href="https://words.filippo.io/vuln-reports/#fn:lead">1</a>} I’ve told new team members that it doesn’t apply to vulnerability reports. No, vulnerability reports are special. Security researchers are doing us a favor by reporting things confidentially instead of doing full disclosure, so we owe them something, which is not true of regular issues opened on the issue tracker.^{<a href="https://words.filippo.io/vuln-reports/#fn:coc">2</a>}</p> <p>Different projects have different policies, but the general expectations are responsiveness and attribution. We’re supposed to acknowledge reports quickly, investigate them, keep the reporter posted, and eventually credit them with the discovery.</p> <p morss_own_score="6.7142857142857135" morss_score="8.714285714285714">Why? Well, because the reporter is providing <em>us</em> a service, not asking us to provide one (such as a bug fix or a feature implementation). In exchange for responsiveness and attribution, they are offering precious insight and the confidentiality we need to ship a fix before attackers ship an exploit.^{<a href="https://words.filippo.io/vuln-reports/#fn:discl">3</a>}</p> <p>Ultimately, it all stems from our responsibility to our users. The security researchers are not special, the insight and confidentiality are, and we need them to keep our users safe. Ignoring a security report communicates you don’t care about users’ security, and it’s rightly a reason for shame.</p> <p>Except…</p> <p>It’s 2026 and none of the premises are true anymore.</p> <p>LLMs are as good as almost any security researcher, and anyone^{<a href="https://words.filippo.io/vuln-reports/#fn:ymmv">4</a>} can run them. The maintainers can run them. The attackers can run them.</p> <p>The insight is not scarce and precious anymore. The bottleneck now is not finding potential issues but assessing which ones are real. Unless there’s already a trust relationship, external researchers can’t meaningfully contribute to that triage process, and picking through an LLM’s output or through a <code>security@</code> inbox has approximately the same signal-to-noise ratio.</p> <p>Confidentiality, embargoes, and coordination also don’t matter nearly as much as they used to. The attackers don’t need to read the full disclosure post to learn about the vulnerability: they can ask their own LLM and, in fact, they also probably have the same triage bottleneck as the defenders do.</p> <p>The years of vulnerability reports being special might be over, as weird and uncomfortable^{<a href="https://words.filippo.io/vuln-reports/#fn:uncomfy">5</a>} as that feels. Triage, rapid remediation, and—as ever—prevention are the job now. And we should all figure out how to run LLM analysis in CI, I suppose.</p> <p>For more, subscribe or follow me on Bluesky at <a href="https://bsky.app/profile/filippo.abyssdomain.expert">@filippo.abyssdomain.expert</a> or on Mastodon at <a href="https://abyssdomain.expert/@filippo">@filippo@abyssdomain.expert</a>.</p> <h2>The picture</h2> <p>A few weeks ago, like every year, I ran the <a href="https://centopassi.net">CENTOPASSI</a>, a GPS-tracked motorcycle competition involving careful planning, 100 coordinates, and 1700 km of secondary roads over three days and a half. It always takes me to incredible places, like this abandoned bauxite mine in Puglia.</p> <p><img src="https://assets.buttondown.email/images/1ec4ddf5-598f-4d72-8d55-10dc1328aa76.jpeg?w=960&amp;fit=max"></p> <p>My work is made possible by <a href="https://geomys.org">Geomys</a>, an organization of professional Go maintainers, which is funded by <a href="https://www.avalabs.org/">Ava Labs</a>, <a href="https://goteleport.com/">Teleport</a>, <a href="https://www.datadoghq.com/">Datadog</a>, <a href="https://tailscale.com/">Tailscale</a>, and <a href="https://sentry.io/">Sentry</a>. Through our retainer contracts they ensure the sustainability and reliability of our open source maintenance work and get a direct line to my expertise and that of the other Geomys maintainers. (Learn more in the <a href="https://words.filippo.io/geomys">Geomys announcement</a>.) Here are a few words from some of them!</p> <p>Teleport — For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. <a href="https://goteleport.com/platform/identity/?utm=filippo">Teleport Identity</a> is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.</p> <p>Ava Labs — We at <a href="https://www.avalabs.org">Ava Labs</a>, maintainer of <a href="https://github.com/ava-labs/avalanchego">AvalancheGo</a> (the most widely used client for interacting with the <a href="https://www.avax.network">Avalanche Network</a>), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.</p> <hr> <ol> <li> <p>A role I passed on to capable hands when I left Google, so despite still being involved in the maintenance of the Go project, none of this is the official position of the Go Security team. <a href="https://words.filippo.io/vuln-reports/#fnref:lead" title="Jump back to footnote 1 in the text">↩</a></p> </li> <li> <p>This gets messy quickly at the intersection of vulnerability report handling and Code of Conduct enforcement. If a security vulnerability is reported by someone who is also violating the CoC, what do you do? Do you ignore it? Fix it silently? Realistically, there’s no squaring the circle. It comes down to a judgment call based on how egregious the behavior is, on whether it is private or affecting the community, and on the resources available to the team members servicing <code>security@</code>. It’s an interesting job. <a href="https://words.filippo.io/vuln-reports/#fnref:coc" title="Jump back to footnote 2 in the text">↩</a></p> </li> <li> <p>There’s actually a lot of complex history to disclosure practices, and in a different era it was genuinely dangerous to report security issues: well-intentioned researchers were frequently met with legal threats or prosecution. It took the full disclosure movement to make the industry internalize how counterproductive and unreasonable that was. Part of the coordinated disclosure (or “responsible” disclosure, a morally loaded term I dislike) trade was a promise, implicit or otherwise, not to go after researchers. Thankfully, that angle is mostly irrelevant to the reality of open source in 2026: no researcher fears prosecution in reporting a security vulnerability, and no project should even imply prosecution is on the table as the alternative to its documented reporting policy. <a href="https://words.filippo.io/vuln-reports/#fnref:discl" title="Jump back to footnote 3 in the text">↩</a></p> </li> <li> <p>Welp. Sort of. But give it 1-3 months and the open models will catch up. <a href="https://words.filippo.io/vuln-reports/#fnref:ymmv" title="Jump back to footnote 4 in the text">↩</a></p> </li> <li> <p>Just a few days ago, at the Geomys retreat, I was arguing that <a href="https://daniel.haxx.se/blog/2026/06/15/curl-summer-of-bliss/">curl’s month-long suspension of vulnerability reporting channels</a> was going too far, because it feels viscerally wrong to drop a security report on the floor. And yet, as I write this, I have no argument for servicing vulnerability reports being the best way to spend time to protect users. Gotta change to keep up with what the job actually is. <a href="https://words.filippo.io/vuln-reports/#fnref:uncomfy" title="Jump back to footnote 5 in the text">↩</a></p> </li> </ol> </section> </article> https://glyphcss.comSat, 20 Jun 2026 19:10:41 +0000https://news.ycombinator.com/item?id=48612025<a href="https://news.ycombinator.com/item?id=48612025">Comments</a><div class="home astro-j7pv25f6" morss_own_score="2.7379310344827585" morss_score="15.499498222080824"> <div>Loading…</div> <div class="hero-overlay astro-j7pv25f6" morss_own_score="2.275862068965517" morss_score="12.275862068965516"> <h1> <span>glyph</span><span>css</span> </h1> <p> <span>&gt;</span> Render textured 3D meshes in the DOM with ASCII. No WebGL. No <code>&lt;canvas&gt;</code>. Each scene is a single <code>&lt;pre&gt;</code> you can inspect, hover, and click. </p> <p> <span>&gt;</span> Supports OBJ, glTF, GLB, and MagicaVoxel VOX — including UV textures and material colors. Works with vanilla JS, React, and Vue. </p> <span>runtimes:</span> <span>vanilla js</span> <span>react</span> <span>vue</span> </div> <span>[ INSTALLATION ]</span> <p> <span>┌─</span> package managers <span>─┐</span> </p> <span>terminal</span> <pre><span>$</span> <code>npm install glyphcss</code></pre> <span>terminal</span> <pre><span>$</span> <code>npm install @glyphcss/react</code></pre> <span>terminal</span> <pre><span>$</span> <code>npm install @glyphcss/vue</code></pre> <p> <span>┌─</span> cdn <span>─┐</span> </p> <span>index.html</span> <pre><code><span>&lt;<span>script</span> <span>type</span>=<span>"module"</span> <span>src</span>=<span>"https://esm.sh/glyphcss/elements"</span>&gt;</span><span>&lt;/<span>script</span>&gt;</span></code></pre> <span>[ HOW IT WORKS ]</span> <p> <span>&gt;</span> glyphcss loads OBJ, glTF, GLB, STL, and VOX mesh files. Each scene renders into a single <code>&lt;pre&gt;</code>: the rasteriser projects every polygon, fills a <code>cols × rows</code> character grid, and writes one string to <code>textContent</code> per render. There are no per-polygon DOM nodes and no <code>matrix3d</code>. </p> <p> <span>&gt;</span> Interactivity is opt-in and sparse: drop a <code>&lt;GlyphHotspot&gt;</code> at any 3D anchor and glyphcss emits one absolutely-positioned <code>&lt;div&gt;</code> over the projected cell. Real DOM events, real <code>:hover</code> styles, real <code>role="button"</code> accessibility — without one DOM node per polygon. </p> <p> <a href="https://glyphcss.com/core-concepts">[ → core concepts ]</a> </p> <span>[ HELLO WORLD ]</span> <p> <span>&gt;</span> glyphcss provides custom elements (<code>&lt;glyph-scene&gt;</code>, <code>&lt;glyph-mesh&gt;</code>), an imperative <code>createGlyphScene</code> API, and optional React / Vue bindings. Use whichever entry point fits your stack. </p> <div class="term-editor-shell astro-j7pv25f6" morss_own_score="3.0" morss_score="12.0"> <span>~/project/</span> <pre><code><span>&lt;<span>script</span> <span>type</span>=<span>"module"</span> <span>src</span>=<span>"https://esm.sh/glyphcss/elements"</span>&gt;</span><span>&lt;/<span>script</span>&gt;</span> <span>&lt;<span>glyph-camera</span> <span>rot-x</span>=<span>"23"</span> <span>zoom</span>=<span>"1.3"</span>&gt;</span> <span>&lt;<span>glyph-scene</span>&gt;</span> <span>&lt;<span>glyph-orbit-controls</span> <span>drag</span> <span>wheel</span>&gt;</span><span>&lt;/<span>glyph-orbit-controls</span>&gt;</span> <span>&lt;<span>glyph-mesh</span> <span>geometry</span>=<span>"dodecahedron"</span>&gt;</span> <span>&lt;<span>glyph-hotspot</span> <span>at</span>=<span>"0,1,0"</span>&gt;</span><span>&lt;/<span>glyph-hotspot</span>&gt;</span> <span>&lt;/<span>glyph-mesh</span>&gt;</span> <span>&lt;/<span>glyph-scene</span>&gt;</span> <span>&lt;/<span>glyph-camera</span>&gt;</span></code></pre></div> <p> <a href="https://glyphcss.com/api/headless">[ → api reference ]</a> </p> </div> https://gitlab.com/baiyibai/pico-usb-wifiWed, 24 Jun 2026 03:17:47 +0000https://news.ycombinator.com/item?id=48654676<a href="https://news.ycombinator.com/item?id=48654676">Comments</a>http://www.jerrysmap.com/the-mapTue, 23 Jun 2026 18:40:22 +0000https://news.ycombinator.com/item?id=48649435<a href="https://news.ycombinator.com/item?id=48649435">Comments</a><div class="sqs-html-content" data-sqsp-text-block-content="" morss_own_score="6.0" morss_score="49.0"> <h2>The Layers</h2><p>The Map is expressed, over time, in successive layers, each one replacing its predecessor. The process of developing and revising a panel results in several iterations of that panel.</p><p>The <strong>Base Layer</strong> is divided into four phases:</p><p>A. The <strong>blank page</strong> is an 8 by 10 inch patchwork of paperboard or is a sheet of heavy paper on which is a photo or a lumen print.</p><p>B. The blank is gradually covered in successive <strong>bands of painted color</strong>.</p><p>C. The paint is replaced by <strong>1" squares of paper collage</strong>.</p><p>D. The collage is replaced by <strong>1" city squares</strong> in:</p><p>1. <strong>Green</strong> with 400 new inhabitants</p><p>2. <strong>Red</strong> with 800 new inhabitants</p><p>3. <strong>Grey</strong> with 1200 new inhabitants</p><p>4. <strong>Black</strong> with 2400 new inhabitants</p><p>The next layer is <strong>The Void</strong>. Its initial phase is composed of irregular pieces of <strong>plain, white collage</strong>. That is followed by a layer of <strong>2" squares of black-and-white collage</strong>. On that layer <strong>1" squares of grey city</strong> form followed by <strong>1" squares of black city</strong>.</p><p>The third layer is called <strong>The Red Dimension</strong> and is expressed by irregular flame-shaped solid red collage.</p><p><strong>Black Ness</strong>, composed of 2" squares of black collage, supercedes The Red Dimension.</p><p>Then follows <strong>The Ziggurat Phase</strong> in which successively smaller squares of collage, starting with 2 by 2, are stacked on top of each other. That layer, and the ones that follow, have yet to manifest themselves on The Map.</p><p><strong>The Flood</strong>, represented by irregular pieces of blue collage, and <strong>Re-Birth</strong>, composed of hand-torn pieces of kraft paper, are the final stages in the Map cycle.</p><p>Then the whole process starts over with new <strong>Paint Bands</strong>.</p> </div> https://swipe.futo.tech/Tue, 23 Jun 2026 17:50:22 +0000https://news.ycombinator.com/item?id=48648619<a href="https://news.ycombinator.com/item?id=48648619">Comments</a><body class="antialiased selection:bg-brand-accent selection:text-brand-dark" morss_own_score="5.943349463000118" morss_score="35.565783795223574"> <img src="https://swipe.futo.tech/hero-2.webp"> <img src="https://swipe.futo.tech/circles.webp"> <img src="https://swipe.futo.tech/logo.png"> <p> Fast, accurate swipe typing system. Use it today in FUTO Keyboard, our fully offline Android keyboard app. Or download the models and build with it. </p> <p>This is a serverside demo to keep this webpage small. In production, it runs on-device, with much lower latency.</p> <p> For a long time, good mobile swipe typing was locked behind privacy-invasive keyboard apps or unlicensed private libraries. <br></p> <p> FUTO Swipe is our family of open models and algorithms that aims to solve this problem. We developed this primarily for FUTO Keyboard, but we also welcome the broader community to make use of the FUTO Swipe models. As this has been a long-term investment for us, we ask that an attribution is made visible to end-users. <a href="https://huggingface.co/futo-org/futo-swipe/blob/main/LICENSE.md">Read license</a> </p> <h2>Dataset</h2> <aside> <blockquote> We released a dataset of 1 million swipes under the MIT license </blockquote> <p><a href="https://huggingface.co/datasets/futo-org/swipe.futo.org">See dataset on HuggingFace</a></p> <p><a href="https://swipe.futo.org/">Contribute to our validation dataset</a></p> </aside> <article> <p> In August 2024, we launched a dataset collection effort on the swipe.futo.org domain to collect QWERTY English swipes. Users would voluntarily visit the webpage on their mobile phone and be given instructions and information about the dataset. After consenting, they would be given sentences, primarily from Wikipedia, and would be asked to swipe them word-by-word. </p> <p> In the end, this produced over 1 million swipes. We filtered out a small set of low-quality swipes. In March 2025, we released a dataset of 1 million swipes under the MIT license, and it is available today on HuggingFace. </p> <p> We made heavy use of this data to train our models and to evaluate different swipe typing systems. </p> </article> <aside> <img src="https://swipe.futo.tech/quick-rundown.png"> </aside> <article> <h2>Models</h2> <p>Our architecture includes three model types.</p> <p>The Encoder model is a universal layout-agnostic and language-agnostic, and is used for making swipe typing predictions in the general case. However, it does not offer cutting-edge accuracy.</p> <p>The ContextLM model is a very small language model that is trained for a single language. It's used to improve the quality of predictions by eliminating nonsensical words given the preceding words in the sentence. It only requires text data for training.</p> <p>Finally, the decoder is a language-specific and layout-specific model that learns layout's peculiarities and achieves leading accuracy. As it requires swipe typing data for a specific layout and language for training, we only have a QWERTY English decoder for now.</p> <p>With all 3 models and with a beam width of 300, we achieve a top-4 fail rate of only ~4% on our test set. Ignoring out-of-vocabulary cases, the error rate is below 1%.</p> </article> <img src="https://swipe.futo.tech/benchmark.png"> <p>Note: These numbers heavily depend on the benchmark, so real-world use may vary, but we believe we match big tech's keyboards.</p> <aside> <img src="https://swipe.futo.tech/footprint.png"> </aside> <article> <h2>Footprint</h2> <p>The encoder model is just 635,140 parameters, and the decoder is 304,155 extra. The biggest one is the ContextLM at 1.5 million, but 1.1 million of that is just embeddings. This brings us to 1,364,271 active parameters, or 2,494,767 total parameters.</p> <p>This means the footprint of the models are very small, and the model can run on low-end devices in milliseconds. In addition, the environmental costs involved in training the models were also very low, because we never needed more than 1 workstation GPU!</p> </article> <h2>C++ Library</h2> <article> <p>The models themselves are only half of the story when going from a swipe to word predictions. The model predictions are not very useful on their own and it's necessary to perform a dictionary-constrained beam search to score a set of words and find the most likely candidates.</p> <p>For this, we release swipe-library, a library written in C++ that handles the entire inference, decoding, and beam search part so you can easily go from swipe paths to word predictions.</p> </article> <h2>Make something cool!</h2> <p>Swipe typing in VR...</p> <a href="resrec:///U-1ndAnBjY9wm/R-DD05FBF5B7486A4F8DFCA48EE94527DB314B19FCA9FF4A8B676B0EF60B42AF93"> <p>resrec link for demo</p> </a> <p>...or on a laptop trackpad</p> <h2>Want to build with FUTO Swipe?</h2> <p> The FUTO Swipe models are available under the FUTO Model License, and the inference library is under GPL. We are working on a paper that will detail more on the training and architecture. </p> </body>