Digest · 24 stories · 51 sources
2026-07-03
Updated
Top stories
- LUKS suspend stopped wiping disk-encryption keys from memory since Linux 6.9 Ingo Blechschmidt git-bisected a regression showing that since Linux 6.9 (May 2024) the mechanism that flushes a LUKS master key on suspend to RAM silently stopped working, so full-disk-encryption keys stayed resident in kernel memory across suspend for over two years. A kernel refactoring (commit a28d893) had an unexpected long-range interaction with the encryption path; the fix is one line. A cryptsetup merge request adds a warning instead of failing silently, and a NixOS test guards against future regressions.
- Podman v6.0.0 moves rootless networking to Netavark, Pasta, and nftables Podman 6.0.0 shipped 2026-07-02. It transitions the default networking stack away from slirp4netns and iptables toward Netavark, Pasta, and nftables, and adds experimental Pesto rootless port forwarding for custom networks. Quadlet gains a REST API, expanded .volume unit features, and more distribution search paths, and a new podman machine os update command maintains the machine VM. Docker API compatibility and command output are refined for easier migration.
- Alibaba to ban Claude Code at work over alleged backdoor risk after Anthropic confirms a proxy check Reuters reported on 2026-07-03, citing a source, that Alibaba will bar employees from using Claude Code in workplace environments starting 2026-07-10, after Chinese financial outlet Yicai reported Alibaba identified an embedded backdoor risk in the tool. The allegation originated in a 2026-06-30 reverse-engineering writeup claiming that Claude Code since v2.1.91 (2026-04-02) silently inspected users' proxy configuration and system time zone. A member of Anthropic's Claude Code team said on social media that the mechanism existed to detect account resale and model distillation rather than to spy on users, and that it would be removed in the next update. No third-party security firm has independently confirmed a backdoor.
- crustc translates the Rust compiler to about 46 million lines of C crustc is a demonstration that compiles rustc 1.98.0-nightly into roughly 46 million lines of C that build with GCC and make, without LLVM. It is produced by "cilly," a Rust-to-C backend that adapts output to a target C compiler using small witness programs and targets close to ANSI C. The stated motivation is Rust portability to old or obscure hardware without LLVM or a GCC Rust frontend. The author labels it a proof of concept: the full cilly toolchain is not released, optimization bugs remain, compilation is slow, and it crashes when run from the repository root.
Conferences and events
ML research
Agentic coding
- Cursor publishes CursorBench 3.1 coding-agent evaluation Cursor published CursorBench 3.1, a vendor evaluation of coding agents on ambiguous multi-file tasks drawn from real Cursor sessions, covering codebase understanding, bugfinding, planning, and code review. The page ranks 36 model configurations and describes its per-task cost calculation from published per-token pricing, but does not disclose task construction or grading rubrics.
- Practitioner argues for a short-leash workflow when coding with AI agents Greg Slepak (okTurtles) describes a short-leash method for using coding agents on security-critical software: break work into tracked steps, require a permission prompt that shows each diff before it applies, review and approve or deny every change, commit after each subtask, and record which models assisted in a mandatory pull-request AI-disclosure section. The post is a practitioner opinion drawn from maintaining the Group Income codebase, with no measured results or reproducible benchmark.
- WebKit ships a Safari MCP server for autonomous web debugging WebKit published a Safari MCP server on 2026-07-01 that lets any Model Context Protocol client drive a Safari window for debugging. It exposes 16 tools spanning tab and navigation control, DOM inspection, clicks and typing, screenshots, console buffering, network request listing and inspection, JavaScript evaluation, performance timing, accessibility checks, and viewport and media emulation, so an agent can reproduce what a user sees. It requires Safari Technology Preview 247 or later with developer features enabled and is configured per agent (Claude, Codex, and others).
Security
Developer tools
- Immich 3.0 ships workflows, mobile editing, and breaking API changes The self-hosted photo platform Immich released 3.0 on 2026-07-02 (patch 3.0.1 same day). It adds a drag-and-drop Workflows automation builder (preview), mobile non-destructive editing, a Recently Added view, HLS and real-time video transcoding (preview, web), mobile OCR, and integrity checks for untracked, missing, and checksum-mismatched files. Breaking changes affect API integrators: pgvecto.rs support is dropped, deprecated environment variables and old timeline sync endpoints are removed, durations move to milliseconds, and the error and validation schema is restructured.
- ProseMirror creator releases Wordgard, an MIT semantic rich-text editor Marijn Haverbeke, author of ProseMirror and CodeMirror, published Wordgard, an open-source (MIT) in-browser rich-text editor library. It models documents as schema-based semantic structure with custom elements rather than free-form HTML, supports tables, nested lists, captioned figures, collaborative editing, accessibility, and right-to-left text, and exposes a programming interface for building customized editors. Commercial users are asked to help fund maintenance under a social, non-legal expectation.
Languages and runtimes
Infrastructure
Engineering posts
- Co-locating workflow state with data in Postgres for exactly-once execution A DBOS post argues that keeping durable-workflow checkpoints in the same Postgres database as application data lets the step checkpoint and the data update commit in one transaction. That removes the failure window that forces application-level idempotency bookkeeping, and it collapses the transactional-outbox pattern: either the update commits and the workflow is enqueued or neither happens.
- Ubicloud runs PostgreSQL with strict memory overcommit to avoid OOM-killer cascades A Ubicloud post dated 2026-04-27 (front page on 2026-07-03) explains why they set vm.overcommitmemory=2 for PostgreSQL. When the Linux OOM killer terminates any backend, the postmaster assumes shared memory may be corrupted and kills all backends, dropping every connection and forcing crash recovery. Strict overcommit makes the kernel return ENOMEM to a single allocation instead, so one backend fails its transaction and the postmaster stays up. They size the limit at 80 percent of physical memory plus 2 GB, which they say protects over 99 percent of their fleet, and note a one-character kernel accounting bug in 6.5 that forced them to disable the setting until the 6.8 fix.
- git-annex maintainer spends about 100 hours excluding LLM-generated dependency code Joey Hess describes spending roughly 100 hours ensuring git-annex can build without dependencies that contain LLM-generated code. He cites large AI-generated changes later reverted without explanation, incoherent commit messages on large diffs, and copyright-attribution risk, and maintains a tracking resource to make per-dependency decisions. He acknowledges the effort may not scale against industry trends.
New videos
Markets and companies
Hacker News
- Discussion: the primary purpose of code review A post arguing that the main value of code review is catching code that will be hard to maintain, rather than finding bugs, drew a large HN thread (334 points).
- Show HN: ZeroFS presents S3 as POSIX filesystems and block devices ZeroFS, a Show HN that reached 122 points, is a userspace log-structured filesystem that exposes S3-compatible object storage as POSIX filesystems over NFS and 9P and as raw block devices over NBD. Data is written as immutable segments, compressed with zstd or lz4 and encrypted with XChaCha20-Poly1305 before upload. It is dual-licensed AGPL-3.0 and commercial.
- Show HN: claude-real-video feeds videos to any LLM by selecting key frames A Show HN reaching 141 points, claude-real-video (MIT) processes a video locally and emits frames, a transcript, and a manifest that any model can read. It selects frames on scene change rather than at fixed intervals, deduplicates near-identical shots by RGB pixel difference with a per-N-seconds density floor, prefers existing subtitles and falls back to Whisper for audio, and accepts URLs via yt-dlp or local files. The stated goal is to send fewer but more relevant frames to cut token usage while preserving comprehension.
- Show HN and Ask HN signal PeerTube, the federated ActivityPub video platform, reached the front page (558 points) amid renewed interest in decentralized media. The monthly "Ask HN: Who is quitting?" thread (176 points) collected practitioner accounts of job changes and labor sentiment.