2025-11-25 Hacker News Headlines

> Fran Sans is a typeface inspired by the 3×5 segmented destination displays on San Francisco Muni's Breda light-rail cars, rebuilt from reusable modules in three styles while keeping the displays' imperfections.

> The Shai-Hulud worm, posing as the Bun runtime, injected preinstall scripts into 300+ npm packages, stealing credentials and replicating itself into tens of thousands of repositories.

> After X launched its account "country of origin" feature, many political accounts claiming to be American turned out to be run from abroad, exposing problems of identity authenticity and foreign interference.

> After Iowa City made its buses free, ridership rose while vehicle miles and tailpipe emissions fell; traffic and air quality improved, but long-term sustainability is in question.

> macOS Tahoe natively supports generating and managing Touch ID-gated SSH keys in the Secure Enclave, improving security but with backup and social-engineering risks.

> µcad is an open-source domain-specific programming language for generating 2D sketches and 3D models with fast iteration, suited to teaching and local design workflows.

> Shai Hulud launched a second wave of supply-chain attacks, infecting hundreds of npm packages and hitting well-known projects including Zapier, ENS, PostHog and Postman; dependencies need urgent review.

> RuBee is an active low-frequency tag system based on 131 kHz magnetic coupling; it resists interference from metal and water, has a long battery life, and suits presence tracking of high-security assets.

> The article accuses the IETF of letting the NSA steer post-quantum cryptography deployment toward excluding hybrid schemes, suppressing dissent and eroding the standards body's transparency and credibility.

> Japan is pushing to turn Hokkaido into a global semiconductor hub and is developing advanced processes with Rapidus, but faces major challenges in funding, volume-manufacturing experience and talent.

Fran Sans: a font inspired by the destination displays on San Francisco Muni's Breda light-rail cars (Fran Sans – font inspired by San Francisco light rail displays) #

https://emilysneddon.com/fran-sans-essay

Fran Sans is a display typeface inspired by the distinctive destination displays on San Francisco Muni's Breda light-rail vehicles. Those displays build letters from geometric modules on a 3×5 grid, pieced together from squares, quarter circles and bevels, giving them a raw beauty that is at once mechanical and personal.

San Francisco's public transit is run by more than twenty separate agencies, so different lines use different display systems, and the Breda cars' LCD panels stand out for their unique look. The author first noticed them on an N Judah trip to the Outer Sunset and was drawn to the imperfect but charming character designs.

At the SFMTA electronics shop, technician Armando Lombard showed the author how the displays work: a three-digit code entered on a control panel lights specific grid segments to spell the destination. The displays were designed and built in 1999 by Trans-Lite of Connecticut; engineer Gary Wallberg led the typeface, which is functional and minimal, with characters designed only as needed, omitting letters such as Q and X and standard punctuation.

Inspired by that design philosophy, the author turned it into the typeface project Fran Sans. In Glyphs she broke the letters into reusable modules and assembled the full character set from them like building blocks: capitals, numerals and basic punctuation. The current version lacks lowercase and the @ sign, but it keeps the original displays' "imperfections", such as the thick diagonals of N and 0, the thin diagonals of Z and 7, and the way M can read as H at small sizes.

Fran Sans comes in three styles, Solid, Tile and Panel, with increasing visual complexity. The Solid style was inspired by Hotspur, the brand typeface of Australia's Bell Shakespeare company, and emphasises how a single typeface can serve many contexts.

Along the way the author also drew on the Letterform Archive in San Francisco, in particular Joan Trochut's Tipo Veloz (1942) and Zuzana Licko's Lo-Res (1985). The former shows modular creativity under scarce resources; the latter shows the iterative relationship between digital and physical design. Both shaped her understanding of type design.

---

HN: 1110 points | 136 comments | by ChrisArchitect | 1 day ago #

https://news.ycombinator.com/item?id=46025942

  • By digging deep, the author traced the San Francisco Muni sign typeface back to its original design company, Trans-Lite, and designer Gary Wallberg, showing real investigative spirit.
  • One comment notes that New York's R142A is not a font name but a train model; the newest cars are the R211 series, correcting a misunderstanding of the name.
  • New Jersey Transit also uses a similar segmented-display typeface, but with more segments and a more complex look.
  • Although AnsaldoBreda is an Italian company, the equipment it supplied to San Francisco's Muni used a distinctive segmented display, unlike the LCD systems common in Europe.
  • Someone joked that the procurement of Muni's equipment involved bribery, implying its technical reliability is questionable, even though some parts such as the couplers came from Europe.
  • The typeface design draws inspiration from Andrew Glassner's computer-graphics research, especially his 55-segment typeface design, which is highly modular and programmable.
  • Someone implemented Glassner's 55-segment design as an interactive JavaScript web page where users can explore combinations of segmented typefaces.
  • Segmented typefaces look unusual, but some, such as a six-segment design, remain surprisingly legible once you get used to them.
  • The name "San Fran" for the Muni typeface struck some as informal, but its wit and humour led the author to adopt it, and it was widely accepted.
  • Some point out that "San Fran" is not used locally; locals prefer "SF" or "the city" and consider "San Fran" disrespectful.
  • The typeface sparked lively discussion on Hacker News, reflecting the tech community's strong interest in type design, especially designs with historical and technical background.
  • One comment argues that segmented-display typefaces embody an extreme simplification of information delivery, and the modular thinking behind them is still instructive for modern design.
  • Some connect segmented type with art and design, such as the Kombinations-Schrift typeface in MoMA's collection, showing cross-over between art and industrial design.

---

Shai-Hulud Returns: Over 300 NPM Packages Infected #

https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

On 24 November 2025 HelixGuard detected more than 1,000 npm packages being maliciously modified within a few hours. Under the guise of the Bun runtime, the attacker injected a preinstall script into each package's package.json that invokes a file named setup_bun.js, shipped alongside a heavily obfuscated bun_environment.js.

When executed, the malicious code downloads and runs the TruffleHog tool to scan the local system and steal sensitive data, including npm tokens, AWS/GCP/Azure cloud credentials, GitHub tokens and environment variables.

The stolen data is exfiltrated by registering a GitHub Actions runner named SHA1HULUD and creating a new repository named "Sha1-Hulud: The Second Coming". Using GitHub Actions gives the attacker a covert channel for sending data back, and the malware can spread like a worm.

Analysis shows the attacker modifies package.json to inject the malicious script and republishes compromised packages with stolen npm tokens, replicating itself. bun_environment.js is over 10 MB and contains cross-platform (Linux, Windows, macOS) malicious logic that can automatically download the GitHub Actions Runner and configure it to run persistently.

More than 27,000 GitHub repositories have already been infected. The attacker creates a malicious workflow named .formatter_123456789.yml, which packages the stolen secrets, double Base64-encoded, into actionsSecrets.json.

Affected packages include several well-known projects such as @asyncapi/specs, @asyncapi/diff, cbre-flow-common and @asyncapi/generator-react-sdk, with versions ranging from 0.5.1 to 99.6.0; some packages were tampered with more than once.

The incident is very likely a continuation of the September 2025 "Shai-Hulud" attack, showing that the attacker is persistent, organised and highly automated, and poses a serious threat to the open-source ecosystem.

---

HN: 847 points | 687 comments | by mrdosija | 14 hours ago #

https://news.ycombinator.com/item?id=46032539

  • Using pnpm can significantly reduce exposure to npm package attacks, because it does not run post-install scripts by default and supports a minimum waiting period after a new version is published.
  • npm's long-accumulated technical debt has left serious defects in lockfiles and file-transfer integrity checking, affecting production use.
  • npm's lockfile mechanism is essentially a stopgap; npm install should be dropped as the core of the build process in favour of a content-addressed distributed version-control system.
  • A premature EOF during file transfer cannot be detected, leaving incomplete files in the cache; only manually clearing the cache fixes it.
  • A design flaw in Node.js's I/O stream API is one reason file-transfer integrity checks fail, and needs fixing at a low level.
  • Developers widely rely on a "works on my machine" mode of development, ignoring environment differences and system reliability.
  • Modern language and package ecosystems keep "reinventing the wheel", ignoring mature existing solutions.
  • Good system design should learn from the Unix era and be led by experienced experts rather than evolve organically.
  • The absence of packagers in package ecosystems means trust rests entirely on the publisher, with none of the review and verification a traditional distribution provides.
  • Dynamic secrets systems such as HashiCorp Vault can provide short-lived, automatically revoked publishing credentials in CI/CD, improving security and supporting audit.

---

X’s new country-of-origin feature reveals many ‘US’ accounts to be foreign-run #

https://www.hindustantimes.com/world-news/us-news/xs-new-country-of-origin-feature-shakes-maga-and-democrat-circles-as-many-us-accounts-revealed-to-be-foreignrun-101763857104296.html

X (formerly Twitter) has launched a feature showing the country an account is based in, causing an upheaval in US political circles. It sits under the "joined" date on the profile page and shows where the account is actually operated from. It was briefly pulled but is now back online.

The feature exposed many political accounts claiming to be "US-based" that are actually run from abroad. For example, "MAGA NATION" (392,000 followers) is in Eastern Europe, "Dark Maga" (15,000 followers) is in Thailand, "MAGA Scope" (51,000) comes from Nigeria, and an "America First" account (67,000) is in Bangladesh.

Democratic-aligned accounts were not spared. A "Ron Smith" account describing itself as a "proud Democrat" under the banner of "hunting McCarthy" is run from Kenya; the anti-Trump account "Republicans against Trump" (978,000 followers) was reported to be from Austria and is now hiding its location with a VPN. The pro-Israel "Mariana Times" account (78,000 followers) is in India.

Some US politicians reacted strongly. Congresswoman Anna Paulina Luna called these accounts posing as Americans "foreign manipulators" intent on sowing internal division. Alexis Wilkins, girlfriend of FBI Director Kash Patel, warned that these overseas accounts share one goal: to undermine America.

The episode has raised broad doubts about the authenticity of political influence on social media and highlights deeper problems of online identity and information manipulation.

---

HN: 526 points | 287 comments | by ourmandave | 1 day ago #

https://news.ycombinator.com/item?id=46028422

  • Reddit's year-end roundup once showed its "most addicted city" to be Eglin Air Force Base, prompting speculation about military cyber operations, but the figure may be a statistical anomaly caused by the gap between base population and actual residents.
  • Eglin Air Force Base does have a military cyber-operations background, but attributing social-media activity to military operations lacks evidence; a statistical bias is more likely.
  • Social-media "addiction" data may be skewed by accounts run by corporations, PR firms or interest groups; this commercial astroturfing resembles state activity and should not be ignored.
  • Companies or organisations run large numbers of social-media accounts from a single location to steer opinion; such "artificial communities" are widespread on social media.
  • Social platforms' community features have been hijacked by commercial and political power, turning healthy social interaction into a manipulated tool of "mind control".
  • Social-media addiction stems from the deep human need for community, but today's platforms no longer serve users and have become exploitative tools.
  • The short-term response is to reduce dependence on commercial platforms; the long term requires rebuilding local communities and developing truly decentralised, usable peer-to-peer technology.
  • Existing decentralised options such as Matrix or federated services are still not good enough; future technology needs a qualitative leap in both usability and degree of decentralisation.
  • Social-media content is optimised for attention rather than truth, so AI training data is full of misinformation, degrading model output.
  • Good AI output depends on high-quality training data; a small amount of good data can markedly improve a model, while bad data can seriously pollute it.
  • Current AI models are vulnerable to "data poisoning": a small amount of malicious or erroneous data can have a significant negative effect.

---

Iowa City made its buses free. Traffic cleared, and so did the air #

https://www.nytimes.com/2025/11/18/climate/iowa-city-free-buses.html

Iowa City has made its buses free since August 2023 to cut vehicle emissions and encourage transit use. The two-year pilot proved popular, and this summer the city council extended it by a year. It is funded by a 1% increase in the utility tax and by raising public parking fees from $1.50 to $3 ($2 in some areas).

Since the change, ridership is 18% above pre-pandemic levels. Congestion has eased noticeably and drivers report clearer roads. City data show residents drove 1.8 million fewer miles on city streets, cutting CO2 emissions by 778 tons a year, the equivalent of taking 167 cars off the road.

Riders are a diverse group: a psychiatrist, a librarian, a substitute teacher, a biomedical-engineering graduate student, Amazon warehouse workers, and a man who lost his licence after an incident in Florida. They broadly support free fares, saying it makes getting around easier and reduces dependence on cars.

The story is part of The New York Times' "50 States, 50 Fixes" series on how local environmental measures can effectively address climate change.

---

HN: 466 points | 573 comments | by bookofjoe | 1 day ago #

https://news.ycombinator.com/item?id=46027833

  • The NYT piece is "solutions journalism", meant to celebrate the project rather than analyse it, and tends to glamorise.
  • Free transit struggles to be free, scalable and financially sustainable all at once.
  • Big-city transit has a stable equilibrium: charge fares, subsidise low-income riders, and fund the base system with taxes.
  • Any city that tries free transit at scale eventually returns to that equilibrium, because it is the only configuration that avoids system collapse.
  • That view cherry-picks; successes in Iowa City, Brisbane and Lanzhou show free or token-fare models can work in some cities.
  • Brisbane's free transit is limited to the city loop; other routes still charge, so it cannot fully count as "free transit".
  • Even a token fare (say 30 cents) provides valuable usage data such as passenger route analysis.
  • Abolishing fares entirely saves the cost of the ticketing system but loses precise data on rider behaviour.
  • Fares are not just revenue but an incentive that helps allocate resources and prevents overuse.
  • Lowering or abolishing fares may lead people who would have walked short distances to take the bus, increasing stops and hurting longer-distance riders.
  • Express routes can mitigate the slowdown from frequent stops.
  • In practice most riders do not give up walking because fares are cheap, especially where fares are capped; the behaviour is not common.

---

Native Secure Enclave backed SSH keys on macOS #

https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf

macOS Tahoe now supports generating and managing SSH keys in the Secure Enclave without third-party tools such as Secretive. Access goes through the shared library /usr/lib/ssh-keychain.dylib, which was originally there for smart cards and now also implements the FIDO2 security-key interface (SecurityKeyProvider), so it can talk directly to the device's Secure Enclave.

To create a biometrics-protected SSH key, use the sc_auth command:

sc_auth create-ctk-identity -l ssh -k p-256-ne -t bio

This creates a P-256 key that requires Touch ID. Existing keys can be listed with list-ctk-identities, which can also output them as SSH fingerprints.

To use the key, "download" a handle to it from the Secure Enclave into a local file:

ssh-keygen -w /usr/lib/ssh-keychain.dylib -K -N ""

After entering the PIN (which may be empty) the system prompts for Touch ID; on success it writes the private-key file id_ecdsa_sk_rk (actually a key handle containing no key material). The public key can be copied into authorized_keys on the remote server.

The key can also be loaded straight into ssh-agent with ssh-add -K -S /usr/lib/ssh-keychain.dylib, so no key file is needed to log in.

Adding export SSH_SK_PROVIDER=/usr/lib/ssh-keychain.dylib to .zprofile makes the SSH tools use Secure Enclave keys by default, which simplifies the workflow.

The system also supports "exportable" keys, which are encrypted under Secure Enclave protection and can be backed up. Create one with:

sc_auth create-ctk-identity -l ssh-exportable -k p-256 -t bio

Export it with:

sc_auth export-ctk-identity -h-f ssh-exportable.pem

This produces an encrypted PEM file that can be imported on another device.

Finer-grained biometric controls (such as .biometryCurrentSet) are not supported yet, but reverse engineering ssh-keychain.dylib shows that custom extensions are possible, for example an enrollment function that applies a specific biometric policy.

---

HN: 446 points | 186 comments | by arianvanp | 1 day ago #

https://news.ycombinator.com/item?id=46025721

  • SSH keys generated in the Secure Enclave cannot be backed up; if the device is lost they cannot be recovered, though remote machines can still be reached by other means (e.g. an administrator reset).
  • sc_auth can create exportable encrypted private keys, protected by a password on export, which can be re-imported on another device.
  • Externally generated keys cannot currently be imported into the Secure Enclave; only Apple-generated keys are managed there, and keys may be exposed in plaintext when used.
  • Exported keys still perform signing inside the Secure Enclave, so the plaintext private key is not exposed in OS memory, improving security.
  • Even when a key is exportable, export still requires Touch ID, preventing automated export by malware, though a tricked user can still be exploited.
  • Compared with a traditional key file, Secure Enclave keys are safer when signing because the private key is always handled in a secure environment and never enters memory.
  • Exported key files should be kept safe, not stored on the device long-term, and the export password should be strong enough to resist cracking.
  • For redundancy, use both a Secure Enclave key and an offline backup key, but then the public key must be added in multiple places.
  • Because existing keys cannot be imported into the Secure Enclave, "import an external key and mark it non-exportable" is impossible, limiting flexibility.
  • From a security standpoint, Secure Enclave key protection beats ordinary encrypted key files, especially against memory leaks.
  • Still, malware could obtain an exported key by inducing the user to complete a Touch ID prompt, so social engineering remains a concern.
  • macOS biometric authentication lacks contextual awareness, allowing malware to easily mimic the fingerprint recognition interface, making it difficult for users to discern authenticity.

---

µcad: An Open-Source Programming Language for Generating 2D Sketches and 3D Models

https://microcad.xyz/

µcad is an open-source programming language designed to generate 2D sketches and 3D models. It is currently in early development but is gradually becoming more stable. New features are added every week, and the project receives continuous updates.

The latest released version is Alpha 0.2.14. Although there were some technical hurdles during the release process, such as Issue #289, the release was ultimately successful.

Recent highlights include:

  • Spirograph — A dynamic pattern made up of five components, resembling minimalistic Christmas decorations. Successfully implemented and printable.
  • Lego Bricks — Demonstrated the real-time coding process for generating LEGO-like bricks, showcasing µcad’s potential for constructing complex structures.
  • Gears — Showcased real-time coding to generate gear structures, demonstrating its mechanical design applications.

The project is supported by the Open Knowledge Foundation Deutschland, which is committed to open knowledge and technology sharing. The website provides source code, printable outputs, and video resources for learning and development participation.

---

Discussion Highlights from Hacker News

HN Score: 374 points | Comments: 122 | Link to thread

  • LEGO enforces strict brand protection; third-party use of its name or imagery may risk legal action. Removing LEGO references from project sites and examples is advised.
  • While LEGO’s trademark is strong, its brand protection intensity is not as high as Nintendo’s.
  • µcad and zoo’s KCL language are similar in functionality, but KCL’s pipeline programming style is considered more favorable by some.
  • KCL suffers from vendor lock-in as its geometric kernel only supports cloud hosting, with no local alternative; it is unclear whether µcad addresses this issue.
  • build123d supports STEP format export, enabling interoperability with FreeCAD and similar tools, but being Python-based, it might be less efficient than a dedicated DSL.
  • Both KCL and µcad support STEP format export, but compatibility and implementation specifics need verification.
  • Converting from STL to STEP loses information and cannot automatically fix geometric defects—manual correction is necessary.
  • FreeCAD’s OpenSCAD import feature can reconstruct original geometry, but supports complex models only to a limited extent and has compatibility issues.
  • STEP format preserves geometric information as vectors, unlike STL’s mesh-based representation, making it better suited for future design modification.
  • MeshLab and AutoCAD MeshMixer outperform FreeCAD when it comes to repairing damaged meshes.

  • OpenSCAD cannot export STEP directly, but FreeCAD's OpenSCAD import can perform a partial conversion.
  • STEP files support feature deletion, face splitting and surface editing in FreeCAD, suited to advanced design operations.
  • Like converting PSD to JPEG in image work, STL is a final output format, not suited to design modification.
  • Slicers such as Cura and Orca support STEP but still convert to meshes internally, affecting efficiency.
  • µcad's code is hosted on Codeberg and can potentially run locally, possibly avoiding the cloud-dependency problem.
  • Some users miss the simplicity and power of early CAD scripting languages such as AutoLISP.
  • KCL can be combined with different geometry kernels, and some have tried, but it is not widely known or actively developed.

---

Shai Hulud launches second supply-chain attack: Zapier, ENS, AsyncAPI, PostHog, Postman and others compromised (Shai Hulud launches second supply-chain attack) #

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

This is a blog post on a cybersecurity threat, published 24 November 2025 and titled "Shai Hulud launches second supply-chain attack: Zapier, ENS, AsyncAPI, PostHog, Postman and others compromised".

The post says the malicious npm worm Shai Hulud has struck again in what is being called the "Second Coming", timed just ahead of npm's 9 December deadline for revoking legacy authentication tokens, exploiting the window in which developers have not yet finished migrating.

Shai Hulud is self-propagating malware named after the giant sandworm in Dune; it is stealthy and destructive. Its main behaviours:

  • installs the bun tool and runs malicious scripts (setup_bun.js and bun_environment.js) to execute its code;
  • automatically scans the system for leaked secrets (API keys, tokens) using the TruffleHog tool;
  • uploads stolen data to randomly named public GitHub repositories to avoid easy tracking;
  • tries to push copies of itself to npm to spread across projects;
  • if it cannot log in to GitHub or npm, deletes every file in the user's home directory, causing serious damage;
  • this wave has a larger reach, infecting up to 100 npm packages, far more than the previous 20.

As many as 492 packages are affected, with a combined 132 million monthly downloads, spanning several well-known projects including:

  • AsyncAPI ecosystem tools (generator, parser, cli, templates, etc.);
  • several PostHog plugins and core components (cli, react-native-session-replay, plugin-contrib, etc.);
  • packages associated with Zapier, ENS and Postman;
  • multiple toolkits maintained by organisations such as quick-start-soft and strapbuild.

The post urges developers to audit their dependencies immediately, avoid infected versions, and migrate to npm's trusted publishing as soon as possible to guard against similar supply-chain attacks.
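
As an added example, not code from HelixGuard, Aikido, PostHog or anyone in the HN threads, the following Python scanner looks for the indicators the two reports above describe: an install hook that invokes setup_bun.js or bun_environment.js, GitHub workflow files named .formatter_<digits>.yml, and lockfile entries pinned to the versions PostHog's co-founder lists in the HN thread further down this page. The sample package.json, lockfile and workflow filenames are constructed for the demonstration, and the compromised-version table is deliberately only those four packages; in practice it would be fed from a maintained indicator list.

```python
"""Scan npm manifests, lockfiles and workflow names for Shai-Hulud indicators.

Added example; the indicators come from the HelixGuard and Aikido write-ups and
the PostHog HN comment, the sample inputs are constructed for this demo.
"""
import json
import re
from typing import Iterator

# Versions PostHog's co-founder listed as affected in the HN thread.
# Illustrative only: a real deployment would load a maintained IoC feed.
COMPROMISED: dict[str, set[str]] = {
    "posthog-node": {"4.18.1", "5.13.3", "5.11.3"},
    "posthog-js": {"1.297.3"},
    "posthog-react-native": {"4.11.1"},
    "posthog-docusaurus": {"2.0.6"},
}

# Loader files the worm drops and invokes from an install hook.
LOADER_RE = re.compile(r"setup_bun\.js|bun_environment\.js")
# Exfil workflow name pattern reported by HelixGuard (.formatter_123456789.yml).
WORKFLOW_RE = re.compile(r"^\.formatter_\d+\.ya?ml$")


def scan_manifest(manifest: dict) -> list[str]:
    """Flag install-time hooks in a package.json that run the worm's loader."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in ("preinstall", "install", "postinstall"):
        cmd = scripts.get(hook, "")
        if LOADER_RE.search(cmd):
            findings.append(f"{manifest.get('name', '<unnamed>')}: {hook} runs {cmd!r}")
    return findings


def iter_lock_packages(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) from an npm lockfile v2/v3 'packages' map."""
    for path, meta in (lock.get("packages") or {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last name.
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version:
            yield name, version


def scan_lockfile(lock: dict) -> list[str]:
    """Report any resolved dependency pinned to a known compromised version."""
    return [
        f"{name}@{ver} is a known compromised version"
        for name, ver in iter_lock_packages(lock)
        if ver in COMPROMISED.get(name, ())
    ]


def scan_workflows(filenames: list[str]) -> list[str]:
    """Report .github/workflows entries matching the exfil workflow name."""
    return [f"suspicious workflow file {f}" for f in filenames if WORKFLOW_RE.match(f)]


# --- constructed sample inputs (not real project files) -----------------------
SAMPLE_MANIFEST = json.loads("""
{ "name": "example-app", "version": "1.0.0",
  "scripts": { "preinstall": "node setup_bun.js", "test": "jest" } }
""")
SAMPLE_LOCK = json.loads("""
{ "lockfileVersion": 3,
  "packages": {
    "": { "name": "example-app" },
    "node_modules/posthog-js": { "version": "1.297.3" },
    "node_modules/@scope/dep/node_modules/posthog-node": { "version": "5.12.0" },
    "node_modules/lodash": { "version": "4.17.21" } } }
""")
SAMPLE_WORKFLOWS = ["ci.yml", ".formatter_123456789.yml"]


def run_all(manifest=SAMPLE_MANIFEST, lock=SAMPLE_LOCK, workflows=SAMPLE_WORKFLOWS) -> list[str]:
    """Run all three checks and return the combined list of findings."""
    return scan_manifest(manifest) + scan_lockfile(lock) + scan_workflows(workflows)


if __name__ == "__main__":
    for line in run_all():
        print("[!]", line)
```

The lockfile check only catches versions you already know about, which is why the install-hook and workflow-name checks matter: they fire on the worm's behaviour rather than on a specific package list, and they are the ones to run in CI before `npm ci` executes any lifecycle script.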

---

HN: 339 points | 19 comments | by birdculture | 9 hours ago #

https://news.ycombinator.com/item?id=46035533

  • Bubblewrap can effectively reduce the npm/node attack surface; it is no panacea, but it is simpler than rootless Podman.
  • Someone shared a Python script that checks a project for tainted pnpm or npm dependencies.
  • The post overlapped heavily with another on the same incident, so they were merged, with the new information added to the original.
  • The incident involves more than 300 npm packages and affected well-known tools such as Postman, Zapier and PostHog.
  • The post title has a spelling error: it should be "Shai-Hulud", not "SHA1-Hulud", though the attacker used the misspelling in the GitHub repository name.
  • The attacker uploaded the stolen secrets to a repository named "Sha1-Hulud: The Second Coming".
  • One user found a large number of leaked AWS keys, double Base64-encoded, which is worrying.
  • The leaked keys may be more valuable to security researchers than to attackers, since they may already be expired.
  • Some speculate the leaked keys will be cleaned up quickly to prevent abuse.
  • "coming" should be spelled with a single "m"; the error may be deliberate or a typo.

---

RuBee: a low-frequency wireless asset-tracking technology for high-security environments (RuBee) #

https://computer.rip/2025-11-22-RuBee.html

This article introduces a niche wireless protocol called RuBee, used at US Department of Energy (DoE) facilities to stop employees carrying phones into classified areas. When a phone is detected, a device at the door plays a "government phone detected" voice prompt; that system relies on RuBee.

RuBee was developed by Visible Assets Inc. (VAI), whose founder John K. Stevens has a background in biophysics and genetic testing. The idea came from temperature-validation problems in medical cold-chain shipping: he wanted continuous monitoring of samples and reagents in transit and storage.

RuBee is defined as a "visibility network": its core goal is reliably tracking whether assets are present, not moving large amounts of data. It resembles Bluetooth and RFID but has different aims, emphasising reliability and interference resistance, especially for tracking high-value items.

Key features:

  • operates at low frequency (131 kHz), a wavelength of roughly 2.3 km, so communication is by near-field magnetic coupling;
  • signals travel through the magnetic rather than the electric field, so they are highly resistant to shielding by metal and water;
  • range up to 30 m, far beyond conventional RFID;
  • tags are active devices with a built-in 4-bit microcontroller and a battery life of 5 to 25 years.

Compared with RFID, RuBee performs better in metal containers, wet environments, or when carried on the body. In Walmart's early RFID deployments, for example, metal, moisture and interference produced read-failure rates as high as 33%, and even multi-antenna arrays costing over $10,000 only reached 95%.

RuBee's reliability gives it an edge in security-sensitive fields, particularly tracking firearms, explosives and classified material. Tags can be embedded in a firearm's frame or retrofitted, are hard to shield, and make an ideal solution for weapons asset management.

Although RuBee began in medical cold-chain monitoring, its most successful application is in military and security, an unexpected match between technical path and market demand.

---

HN: 329 points | 58 comments | by Sniffnoy | 22 hours ago #

https://news.ycombinator.com/item?id=46029932

  • ANT+ is seen by some as a "failed" standard, but thanks to its stability in fitness gear and its ability to connect many devices at once it is still widely used in products such as Garmin's.
  • Garmin announced it will stop ANT+ certification in 2025, mainly because of changes in wireless regulations, suggesting ANT+ may gradually be replaced by BLE.
  • ANT+ beats BLE in group-fitness settings because it needs no connection setup and can efficiently receive broadcasts from many devices, whereas BLE must connect to each device in turn.
  • BLE could in theory offer ANT+-style broadcast reception via advertising packets, but in practice poor software stacks, especially outside Apple's platforms, make the experience bad.
  • As a Garmin proprietary protocol, ANT+ lacks a broad ecosystem, could not break out of fitness devices, and was ultimately marginalised by the market.
  • Some argue ANT+ declined because it was closed, and the more open BLE suits the future better.
  • In cold-chain shipping, temperature-indicator labels give simple, effective feedback on temperature excursions but cannot warn in advance, fundamentally different from continuously communicating sensors.
  • The "government phone detected" voice prompt could be used for pranks or scares, but its audio source may raise legal issues and it should not be spread casually.
  • "Smart gun" technology is hard to promote overseas, mainly because of the dominance of the US market and the NRA's influence, and because most countries ban civilian gun ownership.
  • Smart guns lack civilian demand because users care more about a weapon's availability than tracking or biometric features, and there are reliability risks.
  • Mandating smart guns could raise safety concerns, such as being unable to use one quickly in an emergency, or being judged an unreliable tool.

---

NSA and IETF, part 4: an example of suppressed dissent (NSA and IETF, part 3: Dodging the issues at hand) #

https://blog.cr.yp.to/20251123-dodging.html

This is a technical commentary on the cr.yp.to blog, published 23 November 2025 and titled "NSA and IETF, part 4: an example of suppressed dissent". It continues the earlier series criticising the US National Security Agency's (NSA) influence over the Internet Engineering Task Force's (IETF) standards process.

The article points out that the mainstream practice in deploying Post-Quantum Cryptography (PQC) today is to use an ECC+PQ hybrid scheme—that is, combining Elliptic Curve Cryptography with post-quantum algorithms—to enhance security. The IETF’s TLS working group is also moving forward with standardizing ECC+PQ.

However, the IETF leadership has been pushing forward, without broad consensus, an NSA-driven “non-hybrid” document in which PQ is simply an optional feature for TLS, completely ignoring the ECC+PQ combination. The author sarcastically likens this to standardizing cars by keeping both models with seat belts and, at the same time, forcing in models without seat belts—disregarding safety objections.

The article reviews three prior parts of the series:

  • Part 1: Background introduction
  • Part 2: Exposure of corrupt practices
  • Part 3: Strategies for “avoiding core issues”

This fourth part focuses specifically on how voices opposing the NSA-driven approach have been systematically suppressed.

According to the article, in April 2025, the TLS Working Group chair initiated an adoption vote for the NSA-led document. During the comment period, 20 members explicitly supported, 2 conditionally supported, and 7 opposed. The author notes that dissenting views were ignored, while many of the supporters came from organizations with ties to the NSA.

The central argument: The IETF’s concept of “consensus” has deteriorated into the will of the powerful; genuine technical democracy and security debates are being marginalized. The author warns that suppressing dissent in this way is eroding the credibility of the IETF as an open, transparent standards body.

---

HN score: 294 points | Comments: 169 | Link: HN Discussion

  • djb has defended the right to freely publish encryption technology since his student days, winning Bernstein v. United States, where the court ruled that source code is speech protected under the First Amendment.
  • Figures like djb, Phil Zimmermann, and Richard Stallman have stood firm against government censorship, greatly contributing to the development of modern free software and encryption—a stance worthy of respect.
  • Standing by principles often demands major sacrifices, and resisting authority while maintaining belief despite convenience and temptation in real life is rare.
  • djb has consistently emphasized that cryptographic standards must account for implementation reliability, guarding against failures caused by timing vulnerabilities, compiler optimizations, and similar issues.
  • Although Curve25519 and Ed25519 are widely adopted, their initial specifications contained ambiguities leading to implementation differences—underscoring the importance of clear standards and variable normalization.
  • Cryptographic standards should not focus solely on algorithmic security; they must also be easy to implement correctly to avoid security gaps created by complex specifications.
  • Standardization cannot exempt the process from responsibility for implementation security. Adoption of a standard does not mean all implementations will be safe or feasible—implementation issues require ongoing attention.
  • The NIST-approved algorithm Kyber, though standardized, had serious early timing side-channel vulnerabilities—demonstrating that robustness in implementation must be prioritized during standardization.
  • Even authoritative institutions like NIST cannot guarantee correct implementation everywhere; standard design should prioritize feasibility and consistency in real systems.
  • Many Web standards are so complex or unclear that even large companies struggle to implement them correctly—a reminder that clarity and implementability must be core concerns in drafting any standard.

---

Japan’s gamble to turn island of Hokkaido into global chip hub #

https://www.bbc.com/news/articles/c8676qpxgnqo

Japan is betting on Hokkaido, trying to turn an agricultural and tourism stronghold into a new global semiconductor hub. Japan's northernmost island has long been known for dairy and scenery, but it is now undergoing large-scale industrial change. Rapidus, a chip company founded by the government together with Toyota, SoftBank, Sony and others, is building Japan's first advanced-node chip fab in decades.

Rapidus plans a fab in Chitose, Hokkaido, using extreme ultraviolet (EUV) lithography, and has already produced Japan's first 2 nm prototype chip, at the global leading edge. The breakthrough came from collaboration with IBM and marks a key step for Japan in high-end chip manufacturing. The factory is designed to blend into its surroundings, with turf covering to reduce ecological impact, and the site was chosen for stable water and power supply and low earthquake risk.

Despite the progress, Rapidus faces severe challenges. Experts point to a huge funding gap, far short of the $31.8 billion needed to start volume production; a lack of experience mass-producing at advanced nodes; and difficulty accessing the core know-how of TSMC and Samsung. Customers are also scarce, as global buyers have long depended on the existing giants.

Japan's semiconductor industry once held half the world market but fell behind after US-Japan trade friction and insufficient policy support. The government has now put $27 billion into the chip industry, and at the end of 2024 launched a $65 billion AI and semiconductor revitalisation plan, larger than the US CHIPS Act.

Japan's wider economy, however, faces structural problems: a shrinking, ageing population and constrained research spending, plus a severe shortage of around 40,000 semiconductor engineers. Rapidus is training talent with Hokkaido University, but will still need many foreign engineers, which conflicts with the public's conservative attitude to immigration.

Meanwhile TSMC has built a 12–28 nm fab in Kumamoto, Kyushu, upgrading the local supply chain and showing that the "build a fab, attract an ecosystem" strategy is working. Rapidus's rise could reshape Japan's technology landscape, but whether it can move from "manufacturing" to "leading" remains to be seen.

---

HN: 281 points | 423 comments | by 1659447091 | 22 hours ago #

https://news.ycombinator.com/item?id=46029929

  • Japan developing domestic chip manufacturing is a reasonable and inevitable choice and should not be over-read as a geopolitical game.
  • Because Japanese work culture involves long-term loyalty between companies and employees, working in a non-core city is still stable, so dependence on location is low.
  • Compared with the US, Japan's economy is more stable; there may be fewer opportunities, but the risk of company failure is lower.
  • Attracting talent is the key challenge; Hokkaido has beautiful nature, low living costs and a high quality of life, but compared with Tokyo and other big cities it lacks jobs and industrial clustering.
  • Hokkaido has unique scenery, including magnificent snow, forests, hot springs, rivers and plenty of outdoor activity, good for both holidays and long-term living.
  • The Tokachi area is especially beautiful, with vast farmland, clear rivers, snow-capped mountains and brilliant night skies, a perfect blend of ecology and culture.
  • Residents there are friendly and warm, with a strong community and close personal ties, suited to raising a family and long-term life.
  • Compared with Montana, Hokkaido is better placed: not landlocked, with cities such as Sapporo, and richer scenery, better suited to becoming a region that balances tech and living.
  • With remote work available, Hokkaido would be an ideal place to live and work.
  • One comment joked that these descriptions read like real-estate copy, heavy on emotional appeal.
  • Some reflected on history: had Sakhalin not been taken by the Soviet Union, it might also have developed the prosperity and harmony with nature seen in Hokkaido.
  • From a geopolitical security perspective, siting chip manufacturing in Japan rather than Europe reduces the risk of supply-chain disruption from political conflict.

---

Shai-Hulud Returns: Over 300 NPM Packages Infected #

https://news.ycombinator.com/item?id=46032672

It’s not “node” or “Javascript” the problem, it’s this convenient packaging model.

This is gonna ruffle some feathers, but it’s only a matter of time until it’ll happen on the Rust ecosystem which loves to depend on a billion subpackages, and it won’t be fault of the language itself.

The more I think about it, the more I believe that C, C++ or Odin’s decision not to have a convenient package manager that fosters a cambrian explosion of dependencies to be a very good idea security-wise. Ambivalent about Go: they have a semblance of packaging system, but nothing so reckless like allowing third-party tarballs uploaded in the cloud to effectively run code on the dev’s machine.

sph

---

X’s new country-of-origin feature reveals many ‘US… #

https://news.ycombinator.com/item?id=46028791

Reminds me of when Reddit published their year-end roundup https://web.archive.org/web/20140409152507/http://www.redditblog.com/2013/05/get-ready-for-global-reddit-meetup-day.html?m=1 and revealed that their “most addicted city” turned out to be the home of Eglin Air Force Base — a location hosting a significant amount of military cyber operations. They swiftly edited the article afterwards to remove this inconvenient statistic.

---

Claude Opus 4.5 #

https://news.ycombinator.com/item?id=46037979

The burying of the lede here is wild. $5/$25 per MTok is a 3× price drop from Opus 4. At that price, Opus stops being “the model you use only for important things” and becomes something that is actually viable for production workloads.

Also noteworthy: they are claiming state-of-the-art prompt injection resistance. The industry has largely abandoned the idea of solving this purely through training, so if the figures in the system card hold up under adversarial testing, that’s legitimately important for anyone deploying agents with tool access.

That “most aligned model” framing is doing a lot of heavy lifting, though. I’d still love to see third-party red team results.

---

France threatens GrapheneOS with arrests / server … #

https://news.ycombinator.com/item?id=46036823

I think your devices should have government-mandated backdoors if and only if you are a public servant. I don’t understand why private citizens are held to higher standards of conduct than politicians and cops.

konmok

---

Japan’s gamble to turn island of Hokkaido into glo… #

https://news.ycombinator.com/item?id=46033675

Why are all the comments here so weird? It’s like people saw (but didn’t read) an article entitled “Man Opens a Taqueria in his Hometown” and the only responses are

-

Why didn’t he open it in my hometown? This location isn’t convenient for me.

-

Wouldn’t it be better for someone else to open a taqueria instead? My cousin is looking for work. Shouldn’t we be putting resources into helping him open a restaurant instead?

It’s like people hear “X in Asian country” and all they can think about is their own geopolitical narrative fed to them by the US state department. Obviously Japan is going to want to develop lucrative manufacturing… within Japan.

tdeck

---

We stopped roadmap work for a week and fixed bugs #

https://news.ycombinator.com/item?id=46030124

I love the idea, but this line:

> no bug should take over 2 days

Is odd. It’s virtually impossible for me to estimate how long it will take to fix a bug, until the job is done.

That said, unless fixing a bug requires a significant refactor/rewrite, I can’t imagine spending more than a day on one.

Also, I tend to attack bugs by priority/severity, as opposed to difficulty.

Some of the most serious bugs are often quite easy to find.

Once I find the cause of a bug, the fix is usually just around the corner.

ChrisMarshallNY

---

Shai-Hulud Returns: Over 300 NPM Packages Infected #

https://news.ycombinator.com/item?id=46036328

ProTip: use PNPM, not NPM. PNPM 10.x shutdown a lot of these attack vectors.

-

Does not default to running post-install scripts (must manually approve each)

-

Let’s you set a min age for new releases before pnpm install will pull them in - e.g. 4 days - so publishers have time to cleanup.

NPM is too insecure for production CLI usage.

And of course, make sure to create a very limited-scope publisher key, bind it to specific packages (for example, workflow A can only publish package A), and IP-bind it to your self-hosted CI/CD runners. No one should have publish keys on their local machines. Even if they somehow obtained a publish key, they should not be able to publish locally. (Granted, GitHub Actions fans can also use OIDC Trusted Publishers, but well-configured tokens can be just as secure.)
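
The two pnpm settings this comment relies on, written out as an added configuration example (not from the commenter and not copied from pnpm's documentation). It assumes pnpm 10.16 or newer, where `minimumReleaseAge` is expressed in minutes and lives in pnpm-workspace.yaml; check the documentation for the version you actually run before relying on the key names.

```yaml
# pnpm-workspace.yaml (added example; assumes pnpm >= 10.16)

# Refuse to resolve any version published less than 4 days (5760 minutes) ago.
# A poisoned release is usually unpublished within hours, so the cooling-off
# period means "pnpm install" never sees it unless it survives that long.
minimumReleaseAge: 5760

# pnpm 10 blocks dependency lifecycle scripts (preinstall/install/postinstall)
# unless the package is listed here, which is exactly the hook Shai-Hulud used.
# Keep the list empty until you have reviewed a package's install script.
onlyBuiltDependencies: []
```

With an empty `onlyBuiltDependencies`, a dependency whose package.json carries `"preinstall": "node setup_bun.js"` is installed but its hook never runs; `pnpm install` reports the skipped builds so you can review them one by one instead of executing them blindly.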

---

X’s New Country-of-Origin Feature Reveals Many “US...”

https://news.ycombinator.com/item?id=46028536

Walk willingly into Plato’s cave, pay for cave verification, take a seat, and enjoy all the illusions projected on the wall. Then, you spit your drink out when you realize all the shadows on the wall are fake.

---

Shai-Hulud Returns: Over 300 NPM Packages Infected

https://news.ycombinator.com/item?id=46032650

Co-founder of PostHog here. We were a victim of this attack. We had a batch of packages published a couple of hours ago. The main affected packages/versions were:

  • `posthog-node` 4.18.1, 5.13.3, and 5.11.3
  • `posthog-js` 1.297.3
  • `posthog-react-native` 4.11.1
  • `posthog-docusaurus` 2.0.6

We’ve rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you’re on the latest version of our SDKs.

We’re still figuring out how this key got compromised, and we’ll follow up with a post-mortem. We’ll update status.posthog.com with more updates as well.

timgl

---

The Cloudflare outage might be a good thing #

https://news.ycombinator.com/item?id=46030461

It would be a good thing, if it would cause anything to change. It obviously won’t. As if a single person reading this post wasn’t aware that the Internet is centralized, and couldn’t name specifically a few sources of centralization (Cloudflare, AWS, Gmail, Github). As if it’s the first time this happens. As if after the last time AWS failed (or the one before that, or one before…) anybody stopped using AWS. As if anybody could viably stop using them.

krick

It would be a good thing if it brought about any change. But obviously it won't. As if anyone reading this post didn't know the Internet is centralized and couldn't name a few sources of centralization (Cloudflare, AWS, Gmail, Github). As if this were the first time it happened. As if anyone stopped using AWS after the last time it went down (or the time before, or the time before that). As if anyone could actually afford to stop using them.

---

Claude Opus 4.5 #

https://news.ycombinator.com/item?id=46038081

This is gonna be game-changing for the next 2-4 weeks before they nerf the model.

Then for the next 2-3 months people complaining about the degradation will be labeled “skill issue”.

Then a sacrificial Anthropic engineer will “discover” a couple obscure bugs that “in some cases” might have led to less than optimal performance. Still largely a user skill issue though.

Then a couple months later they’ll release Opus 4.7 and go through the cycle again.

My allegiance to these companies is now measured in nerf cycles.

I’m a nerf cycle customer.

unsupp0rted

For the next 2 to 4 weeks, before the model gets nerfed, this is going to be game-changing.

Then, for the next 2 to 3 months, people complaining about the degradation will be labeled as having a “skill issue”.

Then a “sacrificial” Anthropic engineer will “discover” a few obscure bugs that “in some cases” may have led to poor performance. Still largely a user skill issue, though.

A few months after that they'll release Opus 4.7 and the cycle starts again.

My loyalty to these companies is now measured in nerf cycles.

I'm a nerf-cycle customer.

---

Git 3.0 will use main as the default branch #

https://news.ycombinator.com/item?id=46031387

Maybe they resisted because it was completely ridiculous waste of engineering resources all over the country and for absolutely no tangible reason other than white people trying to feel better about themselves.

I work in the field of film mastering (with countless product names with the word “master” in it) and luckily no one got the ridiculous idea in their head that we need to change this lingo.

Show me a single person who has a valid reason for me not calling my branch “master” or my bedroom “the master”. I honestly think this sort of ridiculing word policing is why we lost this last damned election. And if you’re somehow proud that you’ve renamed your git branches, you’re very likely a contributor to that lost election.

matt-attack

Maybe they resisted because it was a colossal waste of engineering resources across the whole country, for no substantive reason other than white people wanting to feel better about themselves.

I work in film mastering (where countless product names contain the word “master”), and luckily nobody got the absurd idea that we need to change this terminology.

Show me one person who can give me a good reason why I can't call my branch “master” or my bedroom “the master”. I honestly think this kind of ridiculous word policing is why we lost the damned election. And if you're proud of having renamed your git branches, you're very likely one of the people responsible for losing that election.

---

Iowa City made its buses free. Traffic cleared, an… #

https://news.ycombinator.com/item?id=46029926

> Big-city transit has an equilibrium point, and it is incredibly stable. Every serious transit city in the world ends up in the same place

You’re cherry-picking your own examples. It worked in Iowa City.

Y Combinator and much of SV would be out of business if innovators followed that thinking. One reason is that people do come up with new ideas; that’s how the world changes. The other is that the world changes, and what didn’t work before now works - costs change and value changes, and now it’s worthwhile. For example, with congestion pricing and other rapidly increasing costs of NYC car ownership, there’s more value in free transit.

Oddly, it’s the thinking advocated by many HN posts, denigrating the innovation under discussion as impossible, useless, etc.

> without sustainability, a political shift will kill it

That can be said of many things. A political shift could kill military funding in the US.

mmooss

> Big-city transit has an equilibrium point, and it is incredibly stable. Every serious transit city in the world ends up in the same model.

You're cherry-picking your own examples. It worked in Iowa City.

If innovators followed that thinking, Y Combinator and much of Silicon Valley would have gone out of business long ago. One reason is that people do come up with new ideas; that's how the world changes. The other is that the world changes: what didn't work before works now. Costs and values both change, and now it's worth doing. For example, with congestion pricing and other rapidly rising costs of owning a car in New York City, free transit is worth more.

Oddly, this is exactly the view taken by many HN posts, which denigrate the innovation under discussion as impossible, useless, and so on.

> Without sustainability, a political shift will kill it

That can be said of many things. A political shift could kill US military spending.

---

NSA and IETF, Part 3: Dodging the Issues at Hand #

https://news.ycombinator.com/item?id=46033811

For context, djb has been acting and speaking on these matters since his college years:

While a graduate student at the University of California at Berkeley, Bernstein completed the development of an encryption formula (an “algorithm”) he calls “Snuffle.” Bernstein sought to publish (a) the algorithm, (b) a mathematical paper describing and explaining it, and (c) the “source code” for a computer program implementing the algorithm. He also planned to discuss these materials at mathematical conferences, college classrooms, and other open public meetings.

Under the Arms Export Control Act and the International Traffic in Arms Regulations (the ITAR regulatory framework), Bernstein was required to submit his cryptographic ideas to the government for review, register as an arms dealer, and apply for and obtain a government license to publish them. Failure to comply would carry severe civil and criminal penalties. Bernstein believed this violated his First Amendment rights and sued the government.

After four years and one regulatory change, the Ninth Circuit Court of Appeals ruled that software source code was speech protected under the First Amendment, and that government regulations preventing its publication were unconstitutional.

Source: https://www.eff.org/cases/bernstein-v-us-dept-justice


When attending graduate school at UC Berkeley, Bernstein developed what he called the “Snuffle” cryptographic equation (or “algorithm”). Bernstein sought to publish (a) the algorithm itself, (b) an academic paper describing and explaining the algorithm, and (c) the “source code” for a computer program that implemented the algorithm. He also wished to discuss these in public venues such as mathematics conferences, university classrooms, and other open forums.

Under the Arms Export Control Act and the International Traffic in Arms Regulations (ITAR), Bernstein was required to submit his cryptographic ideas to government review, register as an arms dealer, and apply for — and obtain — a government license before publishing his work. Otherwise, he faced severe civil and criminal penalties. Bernstein believed this violated his First Amendment rights, and sued the government.

After four years of litigation and a regulatory change, the Ninth Circuit Court of Appeals ruled that software source code is speech protected under the First Amendment, and that the government’s ban on its publication was unconstitutional.

Source: https://www.eff.org/cases/bernstein-v-us-dept-justice

---

Shai-Hulud Returns: Over 300 NPM Packages Infected #

https://news.ycombinator.com/item?id=46032719

The “use cooldown” [0] blog post feels particularly relevant today.

I’d argue automated dependency updates may pose an even greater risk than single-day exploits, though I don’t have supporting data. It is far harder to undo a compromised package already embedded in thousands of lock files than to manually patch a vulnerability that has already been exploited in your dependencies.

[0] https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

darkamaul

This “use cooldown” blog post [0] feels exceptionally timely today.

I believe automated dependency updates carry risks surpassing those of short-lived exploit attacks. Compared with manually fixing vulnerabilities that have already been exploited in dependencies, rolling back a package that has been compromised and locked into thousands of projects is much more difficult.
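A cooldown check of the kind the linked post argues for, as an added example that is not from the comment, the linked post or any npm tool: given the shape of an npm registry package document's `time` field (version to publish timestamp), it picks the newest release that has been public for at least the cooldown window and lists the releases still held back. The package name, timestamps and "current" time are constructed; pre-release versions are skipped to keep the version comparison simple.

```javascript
// Added example (not from the linked post): pick the newest version of an npm
// package that has been public for at least a cooldown window, using the shape
// of the registry package document's "time" field (version -> publish time).
const COOLDOWN_DAYS = 7;

// Constructed registry metadata for a hypothetical package: 1.297.2 has been
// out for weeks, while 1.297.3 and 1.297.4 were published within the last day.
const SAMPLE_META = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.297.4' },
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-11-24T10:00:00.000Z',
    '1.297.2': '2025-11-01T00:00:00.000Z',
    '1.297.3': '2025-11-24T06:00:00.000Z',
    '1.297.4': '2025-11-24T10:00:00.000Z',
    '2.0.0-beta.1': '2025-09-01T00:00:00.000Z',
  },
};

const RELEASE = /^\d+\.\d+\.\d+$/; // plain releases only; pre-releases are skipped

// Numeric comparison of "x.y.z" release versions (sufficient once
// pre-releases have been filtered out).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Split releases into those old enough to install and those still in cooldown.
function classifyReleases(meta, now, cooldownDays = COOLDOWN_DAYS) {
  const cutoff = now.getTime() - cooldownDays * 24 * 60 * 60 * 1000;
  const eligible = [];
  const heldBack = [];
  for (const [version, published] of Object.entries(meta.time)) {
    if (!RELEASE.test(version)) continue; // drops "created", "modified", pre-releases
    (Date.parse(published) <= cutoff ? eligible : heldBack).push(version);
  }
  return {
    eligible: eligible.sort(compareVersions),
    heldBack: heldBack.sort(compareVersions),
  };
}

// Newest release outside the cooldown window, or null if every release is
// too young (a cooldown-aware updater would then simply wait).
function pickWithCooldown(meta, now = new Date(), cooldownDays = COOLDOWN_DAYS) {
  const { eligible } = classifyReleases(meta, now, cooldownDays);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

const now = new Date('2025-11-25T00:00:00Z'); // constructed "current" time
const { heldBack } = classifyReleases(SAMPLE_META, now);
console.log(`latest tag: ${SAMPLE_META['dist-tags'].latest}`);
console.log(`cooldown pick: ${pickWithCooldown(SAMPLE_META, now)}`);
console.log(`held back (${COOLDOWN_DAYS}d cooldown): ${heldBack.join(', ')}`);
```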

---

France Threatens GrapheneOS with Arrests / Server Seizures #

https://news.ycombinator.com/item?id=46037083

so, they are basically confirming Android and Apple have their backdoors as no arrests or seizures on that matter have taken place

dagi3d

So they are essentially confirming that both Android and Apple systems contain backdoors, given that no arrests or seizures have ever occurred in relation to this matter.

---

Doge ‘doesn’t exist’ with eight months left on its… #

https://news.ycombinator.com/item?id=46029151

I knew some people that were initially very optimistic, and I tried to keep an open mind when DOGE got started despite the outlandish claims that they would be able to cut $2 trillion dollars from the budget, but it’s apparent at this point that the project has been an extreme failure. It’ll probably take a few years to really sort out their damage and overall impact though.

It’s also imperative to mention in every DOGE-related discussion and conversation that the funding freeze to USAID is directly responsible for killing thousands of people [0]. Most of the damage done by DOGE can probably be reversed, but the thousands of death as a direct result of actions taken by the richest man in the world should not be forgotten. (Although I’m told there is a bit of uncertainty with any specific figures because the funding disruption also impacted the mechanisms for tracking and reporting deaths.)

[0] https://www.newyorker.com/culture/the-new-yorker-documentary/the-shutdown-of-usaid-has-already-killed-hundreds-of-thousands

TheAceOfHearts

I knew some people who were initially very optimistic, and I tried to keep an open mind when the DOGE project claimed it could cut $2 trillion from the budget, but it is now apparent that the project has been a complete failure. It will probably take a few years to sort out the damage they did and their overall impact, though.

Also, in any discussion of DOGE it must be mentioned that the funding freeze on USAID (the US Agency for International Development) directly caused thousands of deaths [0]. Most of the damage done by DOGE can probably be undone, but the thousands of deaths that were a direct result of actions taken by the richest man in the world should not be forgotten. (Although I'm told there is some uncertainty about the specific figures, because the funding disruption also affected the mechanisms for tracking and reporting deaths.)

[0] https://www.newyorker.com/culture/the-new-yorker-documentary/the-shutdown-of-usaid-has-already-killed-hundreds-of-thousands

---

Fran Sans – font inspired by San Francisco light r… #

https://news.ycombinator.com/item?id=46026440

Typography nerds are some of my favourite nerds.

Font specimen pages are so often screaming with design language and intention, they push and prod to evoke and present.

Maybe the secret has something to do with the lack of priority to the actual content; just present the font gosh-darn!

Looks nicely executed within the confines of the inspiration. Very cool.

oktwtf

Typography nerds are some of my favourite nerds. Font specimen pages so often speak loudly in design language and intent; they push and prod to evoke and present. Maybe the secret is that the actual content isn't the priority; just show the font, gosh darn it! Within the confines of the inspiration, the execution looks very well done. Very cool.

---

1M Downloads of Zorin OS 18 #

https://news.ycombinator.com/item?id=46027830

I’ve been a Windows user since 3.1; and I’ve even defended Microsoft in the past (particularly when they made unpopular choices, but for technically correct reasons, like UAC or forcing vendors to rewrite their drivers into userland or using a safer driver model).

BUT, I won’t defend Windows 11 and Microsoft’s general direction. I feel like there has been a slow cultural shift within Microsoft, from a core of fantastic engineers surrounded by marketing/sales, to the org’s direction being set by marketing/sales, UX be damned.

Plus it feels like a lot of the technical expertise retired out, and left a bunch of engineers scared to touch core systems instead preferring to build on top using Web tech. It means that Windows/Office stopped improving, and have actually both regressed significantly.

I’ve actually found myself recommending MacOS, particularly the prior generation of Macbook Airs which are absurdly powerful with absurd battery life for a fair price. Combine that with the lack of user hostility, and UX, that MacOS brings relative to Windows 11, and it is hard to ignore.

Someone1234

I've been a Windows user since Windows 3.1; I've even defended Microsoft in the past (especially when they made unpopular but technically correct decisions, such as User Account Control, forcing vendors to rewrite drivers into user mode, or using a safer driver model).

But I won't defend Windows 11 and Microsoft's overall direction. I feel the culture inside Microsoft has slowly shifted from an organization with great engineers at its core and marketing/sales around them to one where marketing/sales set the direction with no regard for user experience.

Also, it feels like a lot of the technical experts have retired, leaving a group of engineers who dare not touch the core systems and prefer to build on top of them with Web tech. That means Windows and Office have stopped improving and in fact both have regressed badly.

I find myself now genuinely recommending macOS, especially the previous generation of MacBook Airs, which have amazing performance and battery life at a fair price. Add to that the fact that macOS, compared with Windows 11, doesn't come with that “user hostility” and bad user experience, and the advantage is hard to ignore.

---

Disney Lost Roger Rabbit #

https://news.ycombinator.com/item?id=46031069

Sorta related since Disney held a share in it previously but Dick Tracy exclusive rights are still held by Warren Beatty who produced and starred in the role back in 1990. He had to fight off a challenge from Tribune Media in court decades ago but stipulation was he had to produce new Dick Tracy stuff every few years. It’s led to a series of increasingly surreal late night specials on TCM where he appears in character and talks about random stuff and the 1990 movie, last time was in 2023: https://m.youtube.com/watch?v=MwKncYwtec4

joecool1029

Somewhat related, since Disney previously held a stake in it: the exclusive rights to Dick Tracy are still held by Warren Beatty, who produced and starred in the 1990 film. Decades ago he beat a challenge from Tribune Media in court, but the agreement stipulated that he had to produce new Dick Tracy material every few years. That has led to a series of increasingly surreal late-night specials on TCM (Turner Classic Movies) in which he appears in character and talks about random topics and the 1990 movie; the most recent was in 2023: https://m.youtube.com/watch?v=MwKncYwtec4

---

We stopped roadmap work for a week and fixed bugs #

https://news.ycombinator.com/item?id=46032576

Ex-Meta employee here. I worked at reality labs, perhaps in other orgs the situation is different.

At Meta we did “fix-it weeks”, more or less every quarter. At the beginning I was thrilled: leadership that actually cares about fixing bugs!

Then reality hit: it’s the worst possible decision for code and software quality. Basically this turned into: you are allowed to land all the possible crap you want. Then you have one week to “fix all the bugs”. Guess what: most of the time we couldn’t even fix a single bug because we were drowning in tech debt.

etamponi

Ex-Meta employee here; I worked at Reality Labs, so maybe things are different in other orgs.

At Meta we had a “fix-it week” every quarter. At first I was thrilled: finally, leadership that actually cares about fixing bugs!

Then reality hit me: for code and software quality, it's the worst possible decision. Basically that week became: you're allowed to land whatever garbage code you want. Then you get one week to “fix all the bugs”. Guess what: most of the time we couldn't even fix a single bug, because we were already drowning in tech debt.

---

Implications of AI to schools #

https://news.ycombinator.com/item?id=46037449

One of my students recently came to me with an interesting dilemma. His sister had written (without AI tools) an essay for another class, and her teacher told her that an “AI detection tool” had classified it as having been written by AI with “100% confidence”. He was going to give her a zero on the assignment.

Putting aside the ludicrous confidence score, the student’s question was: how could his sister convince the teacher she had actually written the essay herself? My only suggestion was for her to ask the teacher to sit down with her and have a 30-60 minute oral discussion on the essay so she could demonstrate she in fact knew the material. It’s a dilemma that an increasing number of honest students will face, unfortunately.

ubj

One of my students recently came to me with an interesting dilemma. His sister had written an essay (without AI tools) for another class, but her teacher told her that an “AI detection tool” had judged the essay to be AI-written with “100% confidence”. He planned to give her a zero.

Putting aside the absurd confidence score, the student's question was: how could his sister convince the teacher that she really had written the essay herself? My only suggestion was for the teacher to sit down with her for a 30 to 60 minute oral discussion of the essay so she could show she really knew the material. Unfortunately, more and more honest students will face this kind of dilemma.

---

Several core problems with Rust #

https://news.ycombinator.com/item?id=46028367

Rust has its issues and there are plenty of things to not like about Rust, but this article is giving me the impression that this person has not written much Rust. Unfortunately, many such cases with Rust criticism.

> Memory safety is not that sacred. In fact, for many applications malfunctioning is better than crashing — particularly in the embedded world where Rust wants to be present. You cannot get 99.999% reliability with Rust — it crashes all the time.

Yeah until that memory safety issue causes memory corruption in a completely different area of code and suddenly you’re wasting time debugging difficult-to-diagnose crashes once they do start to surface.

> We actually had a recent Cloudflare outage caused by a crash on unwrap() function: https://blog.cloudflare.com/18-november-2025-outage/

There were multiple failures before that unwrap() and the argument can easily be made that this is no different than an unchecked exception or a release assertion.

> Sync/Send, Mutex and reference counting (Arc)? Unfortunately, those lock or simply mess with CPU caches badly, so they are inefficient for multithreaded communication, at least an intensive one. They are safe, but inefficient. Which kinda destroys the first uncompromising thing in Rust — performance.

Doing this the “correct” way in other languages has similar impact? So I’m not sure why Rust forcing you to do the correct thing which causes perf issues is uniquely a Rust issue. Doing this the “just get it done” way in other languages will likely come back to bite you eventually even if it does unblock you temporarily.

There are plenty of times I did a static mut global in Rust just to get some shit done and oops, accidentally hit some UB as the project grew.

landr0id

Rust has its problems, and there are plenty of things not to like about it, but this article gives me the impression that the author hasn't written much Rust. Unfortunately, most criticism of Rust is like that.

> Memory safety is not that sacred. In fact, for many applications malfunctioning is better than crashing, especially in the embedded field where Rust wants a foothold. You can't get 99.999% reliability with Rust, because it crashes all the time.

Yeah, until that memory safety issue causes memory corruption in a completely different area of the code, and then once the crashes start showing up you waste time debugging crashes that are hard to diagnose.

> We actually had a recent Cloudflare outage caused by a crash in the unwrap() function: https://blog.cloudflare.com/18-november-2025-outage/

There were multiple failures before that unwrap(), and it can easily be argued that this is no different from an unchecked exception or a release assertion.

> Sync/Send, Mutex and reference counting (Arc)? Unfortunately they lock heavily or trash CPU caches, so they are inefficient for multithreaded communication, at least intensive communication. They are safe but inefficient. Which in a sense destroys Rust's first uncompromising tenet: performance.

Doing this the “correct” way in other languages has a similar impact, doesn't it? So I don't see why Rust forcing you to do the “correct” thing that causes performance problems is a uniquely Rust problem. Doing it the “just get it done” way in other languages may unblock you temporarily, but it will probably come back to bite you eventually.

Many times, just to get something done, I used a static mut global in Rust and, oops, as the project grew I accidentally triggered some undefined behavior.

---

After my dad died, we found the love letters #

https://news.ycombinator.com/item?id=46022960

Ouch. This hits incredibly hard.

I’ve been this dad who sits frozen at the TV every evening. I had the affairs with the emotionally unavailable men, and became one myself.

Before you judge the man in this story too harshly — and there’s certainly much to judge, especially given the follow-up post — consider the environment he and I grew up in. Being gay as a young teenager in the early 1990s could feel literally like a death sentence. AIDS panic was everywhere. Gay men in movies were comedy sidekicks or dying wrecks (“Philadelphia”). There was a real threat of violence from other kids. If you could pass as straight, why wouldn’t you give it your best shot? The alternative was to be a laughing stock and die alone in a hospital where nurses don’t dare touch you. (This is literally how I imagined gay life at age 13.)

I still feel like I’m barely getting started on the therapy journey to recover from those decades. Seems like the man in the story never had the chance for professional help (or didn’t seek it). The compartmentalization can be extremely taxing. He disappointed many people, but that doesn’t mean he was a bad person.

pavlov

Ouch. This hits incredibly hard.

I was once that dad who sat frozen in front of the TV every evening. I had affairs with emotionally unavailable men, and later became one myself.

Before you judge the man in this story too harshly (and, given the follow-up post, there is certainly a lot to criticize), think first about the environment we grew up in. In the early 1990s, being a gay teenager could feel literally like a death sentence. AIDS panic was everywhere. Gay characters in films were either comedy sidekicks or dying patients (for example “Philadelphia”). The threat of violence from other kids was real. If you could pass as straight, why wouldn't you try your hardest? The alternative was to become a laughing stock and die alone in a hospital where the nurses wouldn't dare touch you. (That really is how I imagined gay life at 13.)

I still feel my therapy journey to recover from those years is only just beginning. The man in the story seems never to have had the chance to seek professional help (or didn't seek it). Compartmentalizing life into separate parts to cope is exhausting. He let many people down, but that doesn't mean he was a bad person.
