An ISS air leak, European tech sovereignty moves, a supply-chain compromise in the React ecosystem, and two breakthroughs in quantum gravity and DNA synthesis anchor this evening’s Hacker News. C++ turns 40 on film, Ladybird closes its PR queue, and the Dutch government draws a hard line on who can run a national identity platform.

Security & Privacy

Cooldown Support for Ruby Bundler

Summary: Bundler 4.0.13 ships an opt-in cooldown mechanism that refuses to resolve to a gem version until it has been publicly listed for at least N configurable days. The feature reads per-version created_at timestamps from rubygems.org’s v2 compact index, silently skipping releases too new to have been scrutinized. It targets the narrow window supply-chain attackers exploit after compromising a maintainer account and pushing a malicious version. Cooldown complements existing defenses like mandatory 2FA and trusted publishing, and never blocks resolution silently — it only holds back versions it can prove are too new.

HN Discussion: Commenters immediately raised the critical-patch conflict: if version 1.0 has an active exploit and 1.1 ships the fix, cooldown delays the remedy by N days. Others pointed out that versions from private registries or older gem servers lacking created_at metadata bypass the filter entirely. The broader debate questioned whether universal adoption would merely shift the attack window rather than close it.

Tracing a powerful GNSS interference source over Europe

Summary: Researchers at the University of Texas identified a space-based source of GNSS interference that has caused wide-area jamming over continental Europe, Greenland, and Canada since 2019. By combining signal characterization with orbital mechanics, the paper pinpoints the Russian early-warning satellite Cosmos 2546 (NORAD ID 45608) as a high-confidence source. The interference originates from the EKS constellation transmitting near L1 GPS frequencies, distinguishing it from the terrestrial jammers commonly reported near conflict zones.

HN Discussion: Construction workers in Romania and Poland corroborated the pattern with daily jamming near the Black Sea and Kaliningrad. Some questioned whether the signal should be called intentional jamming or an incidental side effect of satellite sync transmissions, noting the 12 ms cyclic prefix and 150-second spacing suggest a communications function rather than deliberate disruption.

U.S. Military Turned GPS into a Global “Numbers Station”

Summary: Security researcher Steven Murdoch published findings in Inside GNSS showing that the U.S. military has been broadcasting encrypted rekeying data through an innocuous GPS message field for roughly two decades. Every civilian GPS receiver has been silently receiving these hidden military communications, which update cryptographic keys for armed-forces equipment worldwide. The transmissions appear as random sequences indistinguishable from noise to anyone without the decryption keys.

HN Discussion: Commenters pushed back on the “numbers station” analogy, arguing traditional numbers stations targeted human operatives via unmodified household radios, whereas this is machine-to-machine key management for specialized military gear. Others found the discovery interesting but unsurprising given GPS was always designed as a dual-use system. The story was linked to the European GNSS jamming paper also on the front page.

Mantine-datatable (and others) compromised – owner account suspended

Summary: The maintainer account for mantine-datatable and potentially other npm packages was compromised in a supply-chain incident, prompting GitHub to suspend the owner account. Users are advised to audit dependencies and pin known-good versions until the scope of the breach is clarified. The incident fits a familiar pattern: widely-used UI component libraries maintained by a single individual become attractive targets for credential theft.

HN Discussion: Discussion was thin at posting time, but the recurring fragility of the npm ecosystem drew concern. Several commenters noted that concentrated ownership of popular React component libraries with no institutional backing makes this class of attack structurally inevitable.

---

AI & Tech Policy

Dutch gov’t will only allow European company to operate DigiD platform

Summary: The Netherlands will restrict the next DigiD identity-platform operator contract to European companies only, invoking the Defense and Security Procurement Act (ADV) rather than a standard European tender. The decision blocks American firm Kyndryl from acquiring Solvinity, the current operator, following a BTI investment-review recommendation. The current contract runs through August 2028, and the tightened procurement rules reflect growing alarm about foreign control over critical digital-identity infrastructure.

HN Discussion: French commenters were bewildered that DigiD is outsourced at all when France runs its equivalent, FranceConnect, entirely in-house. Discussion also flagged the risk that a nominally European company could still subcontract operations to non-European entities, and the broader trend of treating digital infrastructure as a national-security matter.

Communication on European Tech Sovereignty, and an EU Open-Source Strategy

Summary: The European Commission published a Technological Sovereignty Package proposing coordinated investment across chips, infrastructure, software, cloud, and AI. The Cloud and AI Development Act targets tripling EU data-centre capacity within five to seven years while simplifying permitting and improving access to energy and financing. An accompanying Open Source Strategy promotes public-sector adoption of and contribution to open-source as a sovereignty mechanism, tying into existing AI Factories and AI Gigafactories programs.

HN Discussion: Commenters questioned where the capital would come from given the EU’s still-incomplete Capital Markets Union. Skeptics argued that regulation alone cannot build capacity without deregulation to speed infrastructure deployment, and dismissed the initiative as directed at established companies that have yet to demonstrate execution. Others wanted sovereign CPU and silicon production, not just AI infrastructure.

---

Tech Tools & Projects

pg_durable: Microsoft open sources in-database durable execution

Summary: Microsoft released pg_durable as open source, a PostgreSQL extension providing durable workflow execution stored inside the database itself. The project targets workflows that already live primarily in Postgres and explicitly advises against using it when orchestration spans many heterogeneous external systems. It enters a growing field of Postgres-native durability tools alongside DBOS and pgQue.

HN Discussion: Several developers questioned why anyone would choose in-database orchestration over external tools like Temporal, given the README’s own caveat about heterogeneous systems. Others noted the tension between keeping workflow logic in application code under Git versus co-locating it with database state for transactional consistency.

Mouseless – keyboard-driven control of macOS/Linux/Windows

Summary: Mouseless is a cross-platform utility that enables keyboard-driven cursor and window control across macOS, Linux, and Windows. It offers label-based click targeting and keyboard shortcuts similar to browser extensions like Vimium, but for the entire operating system. The tool targets productivity-focused and ergonomics-motivated users looking to reduce or eliminate mouse dependency.

HN Discussion: Commenters compared Mouseless to ShortCat and Homerow on macOS, AceJump in JetBrains IDEs, and NeverClick on Windows. Some found ergonomic mouse changes more effective than keyboard-launcher software, while Linux users requested equivalent tools and debated switching desktop environments for better keyboard navigation.

Redis 8.8: New array data structure, rate limiter, performance improvements

Summary: Redis 8.8 introduces a native array data structure addressing limitations of lists and sorted sets, plus a built-in rate-limiter command that replaces the traditional Lua-script approach. The rate limiter implements GCRA (Generic Cell Rate Algorithm) internally, offering efficient per-key throttling without client-side logic. Performance improvements target common operations and reduce memory overhead for existing workloads.

HN Discussion: Simon Willison caught the blog post mis-describing the algorithm as a “window counter” when it is actually GCRA. Developers expressed desire for an embeddable Redis mode akin to SQLite, and complained that the HA story with Sentinel and Cluster remains needlessly complex. The Redis/Valkey license split continues to divide opinion.

Launch HN: General Instinct (YC P26) – Frontier models on edge devices

Summary: General Instinct, a YC P26 startup founded by robotics engineers, open-sourced InstinctRazor — a compression pipeline that shrinks frontier-class LLMs to fit edge hardware. Their showcase result compresses Qwen3.5-122B-A10B from 245 GB BF16 into a 48 GiB GGUF that outperforms Gemma-4-26B-A4B on MMLU-Pro and GPQA-D. The technique preserves always-active components (router, norms, Gated-DeltaNet/SSM layers) at full precision while aggressively quantizing routed experts, then recovers lost capability through on-policy distillation. A small-GPU mode streams experts from system RAM at roughly 8 GB VRAM.

HN Discussion: Commenters noted the growing importance of edge inference for robotics, where physical systems lack datacenter GPUs and reliable network access. The founders’ background in robotics directly motivated the approach: the best models were designed around datacenter assumptions that edge hardware cannot meet.

Changing how we develop Ladybird

Summary: The Ladybird browser project will no longer accept public pull requests; only project maintainers can introduce code changes going forward. Andreas Kling framed the shift as necessary for the approaching first alpha, requiring tighter security and clearer accountability. He explicitly cited AI tools as a factor: a substantial patch no longer implies substantial effort, breaking the trust signal that open-source contribution pipelines relied on for decades. External contributions will continue through a different pathway.

HN Discussion: Godot contributors reported a surge of fully AI-generated PRs, with some submitters becoming indignant when told this violates project policy. Debate centered on whether rejecting AI contributions requires closing the development model or merely adding an AI policy. One commenter framed the move as a return from the bazaar to the cathedral — better security, but a narrower pipeline for identifying future maintainers.

ESP32 Bit Pirate, a Hardware Hacking Tool with WebCLI That Speaks Every Protocol

Summary: ESP32 Bit Pirate is an open-source firmware inspired by the Dangerous Prototypes Bus Pirate, turning ESP32 boards into multi-protocol hardware hacking tools. It supports I2C, UART, SPI, 1-Wire, Bluetooth, Wi-Fi, Sub-GHz, and RFID through either a serial CLI or a browser-based web CLI accessible wirelessly. Installation is a single CLI command, enabling remote bus debugging without the traditional wire rat’s nest.

HN Discussion: Users praised it as a low-cost alternative to the $100 Bus Pirate v6 and reported success running the firmware on Heltec WiFi LoRa 32 boards with minor UART patches. Hardware hackers called remote I2C and UART debugging over Wi-Fi a genuine productivity win, pushing back against dismissive comments in the thread.

databow: a Rust CLI to query any database with an ADBC driver

Summary: databow is an open-source Rust CLI that queries any database with an ADBC (Arrow Database Connectivity) driver, unifying 30+ systems including PostgreSQL, MySQL, SQLite, Snowflake, BigQuery, Oracle, and SQL Server into a single terminal interface. Installable via uv tool install, it addresses the fragmented landscape where psql, snowsql, bq, and mysql each have different flags, output formats, and quirks.

HN Discussion: Commenters compared databow to usql (Go) and DuckDB’s database plugins as prior solutions. Questions were raised about whether ADBC’s columnar OLAP focus limits transactional use cases. The most common pain point cited was inconsistent metadata syntax across database CLIs — each tool lists tables differently.

Ohbin – uv wrapper for installing tools from GitHub

Summary: Ohbin is a declarative tool installer wrapping uv projects that lets users specify GitHub-release binaries in pyproject and have ohbin download, verify, cache, and execute them. It targets reproducible dev-environment setup for Python-adjacent tooling distributed as release binaries, removing manual download and PATH management.

HN Discussion: Commenters pointed out that Mise already handles binary installation from GitHub, GitLab, npm, and uv in a more mature ecosystem. Others noted that uv itself supports GitHub sources via the sources table, questioning the need for a separate wrapper. The README was criticized for reading like an internal pitch rather than user documentation.

Watching a Z80 from an RP2350

Summary: A developer used the Raspberry Pi Pico RP2350’s programmable I/O to snoop a Z80 microprocessor’s 16-bit address bus and 8-bit data bus in real time. The experiment requires careful voltage-level matching and clock synchronization between the two devices, serving as groundwork for a retro-computing bus analyzer or co-processor system. The project bridges 1970s CPU architecture with modern microcontroller hardware.

HN Discussion: Commenters noted the enduring appeal of blinkenlichten and retro bus interfacing as both educational and aesthetic exercises. Questions focused on the practical mechanics of inter-MCU communication: level shifters for voltage matching and dedicated clock pins for sampling-rate synchronization.

---

System Administration

I tested every IP KVM in my Homelab

Summary: Jeff Geerling tested nearly every consumer IP KVM device since the original PiKVM launched in 2017, evaluating video quality, latency, and reliability across PiKVM V4 Plus, GL.iNet Comet, JetKVM, SiPeed NanoKVM, and various clones. IP KVMs solve scenarios that remote desktop and SSH cannot: BIOS-level access, recovery of locked-up machines, and remote power cycling. PiKVM V4 Plus received the strongest overall endorsement, with key differentiators including HDMI capture resolution, USB-C power delivery, PoE support, and whether the device requires cloud connectivity.

HN Discussion: A YC robotics company described using PiKVM V4 Plus to send BIOS keyboard commands during automated laptop refurbishment. Users recommended blocking KVM devices from the internet and accessing them exclusively through Tailscale. Multiple commenters reported hardware reliability issues with budget options, including a SiPeed NanoKVM that caught fire and a combative returns process.

---

History & Science

Astronauts on ISS told to shelter as repairs under way to fix air leaks

Summary: NASA instructed ISS crew members to shelter inside a docked SpaceX Crew Dragon while two Russian cosmonauts worked on air leaks in the Zvezda service module. The leak is one of the most persistent problems in the station’s history; despite years of repair attempts, engineers have never fully sealed it. Repairs were paused pending further measurements, and crew were later told to resume normal duties after the shelter order was lifted.

HN Discussion: Commenters noted the BBC headline kept flip-flopping between shelter-in-place and resume-normal orders. Discussion explored why simple fixes like specialized sealant paint are impractical in vacuum and microgravity. Several asked why the whole crew needed to shelter if airlocks between modules should allow isolation of the affected section.

C++: The Documentary

Summary: A feature-length documentary on C++‘s 40-year history premiered on YouTube, featuring Bjarne Stroustrup alongside Anders Hejlsberg, Brian Kernighan, Chris Lattner, Alexander Stepanov, Andrei Alexandrescu, and dozens of other key contributors. The film traces the language from Cfront at Bell Labs through the standards process to its current status as the fastest-growing of the top four programming languages, with Herb Sutter reporting a 90 percent user increase over three and a half years.

HN Discussion: A sharp debate emerged over whether C++‘s opt-in safety model is viable in 2026 now that LLMs can systematically discover memory-safety exploits. One developer shared their positive experience building a 9,000-line application with wxWidgets, preferring native widgets and low memory. Ken Thompson’s long-standing criticism of C++ as incoherent and overcomplex was cited by developers who eventually moved to other languages.

Lee Kuan Yew’s Singapore Story (2023)

Summary: A History Today feature examines Lee Kuan Yew’s transformation of Singapore from a developing post-colonial port into a first-world economy within a single generation. The article details his housing policy — tying public housing to homeownership so citizens had a material stake worth defending, which in turn made national service meaningful. Lee’s governance philosophy combined market economics with strict social control, rejecting democratic socialism for pragmatic authoritarian capitalism.

HN Discussion: Commenters debated which factors mattered most: strategic location as a shipping hub, governance quality, or Lee’s personal force of will. His housing rationale drew particular attention: “I could not ask their sons to fight and die for the properties of the wealthy.” Discussion turned to whether the Singaporean model is transferable or requires a unique confluence of leadership and geography.

---

Academic & Research

Entanglement Builds Space-Time. Now “Magic” Gives It Gravity

Summary: Quanta Magazine reports on holographic quantum gravity research linking the elasticity of space-time to a quantum property called “magic” — a measure of how far a quantum state deviates from the efficiently simulable Clifford group. Building on the ER=EPR framework where entanglement stitches space-time together, the new work finds that non-Clifford resources determine how pliable or bendable the resulting geometry becomes. The research ties the classical notion of gravitational curvature to a specific, quantifiable information-theoretic measure.

HN Discussion: Commenters noted the name will inevitably cause confusion, joining charm, color, and time crystals in physics’ growing menagerie of informal terminology. One observed the work essentially formalizes a mapping from the classical-simulation difficulty of quantum states to gravitational strength. The broader thread debated whether such naming helps or hinders public understanding of quantum foundations.

Leap in DNA synthesis slashes time to build new genetic sequences

Summary: IEEE Spectrum reports on Sidewinder, a DNA synthesis method that significantly reduces the time to construct long genetic sequences at scale approaching entire biochemical pathways. The technology targets the assembly bottleneck in synthetic biology, where writing DNA has lagged behind reading and designing it. Applications include engineered microbes for drug manufacturing, biofuels, specialty chemicals, and the eventual assembly of vast constructs approaching artificial genomes.

HN Discussion: Commenters noted that Brian Hie, formerly of Meta FAIR’s computational biology group, is behind the work after FAIR cut its biology division. A researcher questioned whether DNA synthesis is actually the rate-limiting step, saying they already order from Twist and receive constructs within a month. Speculation included sequencing a personal genome now and re-synthesizing it decades later with restored telomeres.

New method turns ocean water into drinking water, without waste

Summary: University of Rochester researchers developed a solar-powered desalination method that produces fresh drinking water without chemical additives or brine waste. The system uses specially engineered black metal to absorb solar energy and drive evaporation, leaving salts behind for recovery as useful materials rather than discharge as pollutant. The approach addresses two major objections to conventional reverse osmosis: chemical pretreatment and environmentally damaging brine outflow.

HN Discussion: Discussion was limited at posting time, with interest focused on the cost and scalability of the approach relative to established desalination infrastructure.

---

Business & Industry

SpaceX, Other Mega IPOs Denied Fast Index Entry by S&P

Summary: S&P Dow Jones confirmed it will maintain existing index-inclusion rules for mega-IPOs after a consultation period, requiring sustained profitability, 50 percent public float, and at least one year of trading history. The decision blocks SpaceX from immediate S&P 500 inclusion, as it plans to list with only 4 percent of stock available to outsiders. The ruling also affects OpenAI and other anticipated large listings.

HN Discussion: Commenters praised the decision as common sense, arguing that fast-tracking speculative IPOs would effectively bail out early investors using passive capital from pension funds and ETFs where retail investors shoulder the downside. Observers noted SpaceX shares will still be available through retail brokerages without index distortion. Relief was expressed that S&P showed more integrity on this issue than some expected.

---

Web & Infrastructure

The IsUpMap lets you check the status of over 100 major sites at once

Summary: IsUpMap is a status-aggregation dashboard that visualizes the health of over 100 major web services simultaneously on a single page. It pulls from official status pages and presents a color-coded grid of up, degraded, down, and unknown states with desktop-notification support for status changes. Covered services include GitHub, Cloudflare, AWS, Google, Microsoft, and other major infrastructure providers.

HN Discussion: A commenter who has built a competing outage tracker for 12 years described supplementing official status pages with millions of user reports covering 8,000+ services to detect emerging outages before providers acknowledge them. Jokes about the dashboard showing GitHub as “up” being suspicious drew laughs. Discussion covered the difficulty of classifying providers like Cloudflare as degraded when some of 300+ PoPs are perpetually in maintenance.

---

Other

Stop Using Conventional Commits

Summary: Sumner Evans argues that Conventional Commits is an actively harmful standard that diverts engineering attention toward commit-prefix taxonomy rather than meaningful change descriptions. The post contends the type field (feat, fix, chore, refactor) adds no semantic value because the diff already reveals the nature of the change. The promised benefit of automated changelogs is dismissed as producing low-quality output lacking the context end users need.

HN Discussion: Commenters debated whether the Linux kernel’s freeform commit-message style produces better results than structured prefixes. Several developers noted that Conventional Commits lacks a standard place for issue numbers, which they consider the single most important piece of metadata. The blog post’s imperious title drew criticism, with a preference for less commanding phrasing.

Ask HN: What is your (AI) dev tech stack / workflow? (June 2026)

Summary: An experienced developer organizing in-person AI development workshops asked the community for modern tooling recommendations spanning newcomers to seasoned engineers. The poster’s own background emphasizes TDD, agile/XP practices from Pivotal Labs, and open-source tools with long-term supportability. Target use cases range from static personal sites to client applications built with AI coding assistants.

HN Discussion: Spec-driven development using Claude Code was highlighted: writing detailed specs first, decomposing into subtasks, and implementing each separately with session restarts between steps. Several commenters described minimalist flows built around a terminal, a text box, and a single LLM CLI agent. DeepSeek paired with Sublime Text for file-level edits was cited as enabling app construction in minutes rather than months.

Fine-tuning an LLM to write docs like it’s 1995

Summary: Technical writer Fabrizio Ferri Benedetti fine-tuned a local instruct LLM on vintage computer manuals from Bitsavers to produce documentation in the style of 1980s–90s tech writing. The Bitsavers archive provided thousands of pages of classic documentation prose with its characteristic clarity and structure. Generated samples include Windows 2000-style documentation pages covering modern topics like REST APIs, demonstrating style transfer from old formats to new content.

HN Discussion: Commenters argued old docs were better partly because annual release velocity allowed time for polishing prose. Physical constraints of 72×24 terminal screens forced conciseness that modern documentation has lost to whitespace and fluff. Several readers stressed that documentation quality ultimately comes from depth of understanding, not prose style — something no model can substitute for.

At the Autograph Show

Summary: Kevin Jack McEnroe writes in Oldster Magazine about his mother Tatum O’Neal’s appearance at an autograph show following a stroke caused by drug overdose. At 62, O’Neal can no longer read or write but retains the ability to sign her name, maintaining the celebrity identity that defined her since childhood. McEnroe reflects on how the stroke, paradoxically, made his mother the person he always hoped she could be — freed from the chaos of active addiction.

HN Discussion: A commenter reflected on the cost of early fame, recalling O’Neal’s extraordinary performance in Paper Moon at age 10 and wondering whether one-and-done careers might be healthier for child performers. Discussion touched on family addiction patterns and the difficulty of separating celebrity from personhood.

Programmers will document for Claude, but not for each other

Summary: Mark Dominus observes a behavioral asymmetry: developers willingly write context-rich notes for AI coding assistants but resist writing documentation for human teammates. The friction is not about writing itself but about audience. Claude reads without complaint, digests prerequisite context independently, and never demands a meeting to explain what was already written. The post raises the question of whether AI-mediated knowledge transfer will quietly replace traditional documentation in software teams.

HN Discussion: Commenters noted that Claude reads accompanying documentation to self-onboard, reducing the author’s burden of bringing readers up to speed. Several reported that humans skip documentation and ask verbally anyway, making the effort feel wasted. The quality bar for AI-bound notes is lower — no structure, formatting, or polish required, just the relevant information somewhere in the text.

Ask HN: Are orbital data centers possible / a good idea?

Summary: An HN discussion prompted by Starcloud raising $200 million at a $1 billion valuation to build orbital data centers, with the SpaceX IPO adding momentum to space-infrastructure interest. The poster asks for physics-grounded analysis of whether space-based computing is practical given thermal, launch-cost, and maintenance constraints.

HN Discussion: An aerospace engineer explained that cooling in vacuum is extremely difficult: space is cold, but heat transfer requires radiative dissipation rather than convection. Acknowledged advantages include continuous solar coverage in suitable orbits and sidestepping terrestrial power, cooling, permitting, staffing, and physical-security complexities. Consensus settled on technically possible but years of R&D away from a viable business case, with launch costs still too high for meaningful scale.