Tech
Debian
mandates reproducible builds for all packages
Debian’s release team now requires every package to produce
reproducible builds — binaries independently verifiable against source.
Automated migration blocks prevent non-reproducible packages from
entering testing, and regressions are rejected. This elevates
reproducibility from opt-in best practice to hard shipping requirement,
with significant supply-chain security implications across the
ecosystem.
Sources: debian-devel-announce
· HN
Bun
rewrites 960k lines of C/C++ to Rust in six days with AI
Jarred Sumner converted the entire Bun runtime — 960,000 lines of
C/C++ — to Rust in six days using AI assistance, achieving 99.8% test
compatibility on Linux x64 glibc. The motivation was eliminating memory
safety issues rather than chasing performance. The rewrite preserves the
same architecture while gaining Rust’s compiler-enforced safety
guarantees.
Sources: Thread · HN
LLMs
corrupt ~25% of document content in long workflows
A study across 19 LLM systems and 52 professional domains finds
frontier models corrupt an average of 25% of document content by the end
of long agentic workflows. Errors are sparse but severe, accumulate
silently, and worsen with document size. Even tool use fails to mitigate
the problem — a fundamental reliability issue, not a capability gap.
Sources: arXiv · HN
Security:
cPanel ransomware, React Server Components RCE, FreeBSD privesc
cPanel zero-days. A ransomware campaign exploited
three new vulnerabilities to compromise ~44,000 servers before patches
existed — a significant supply-chain-adjacent incident for shared
hosting. — Copahost
· HN
React Server Components. CVE-2025-55182 — critical
RCE in Next.js 15+’s Flight protocol. Weak type validation allowed
arbitrary server-side JavaScript execution. After initial mitigations,
researchers found 23 distinct WAF bypasses; Vercel paid bounties on all
of them. ~2% of 4 million scanned Next.js domains affected. — Writeup · Lobsters
FreeBSD execve(). Local privilege escalation via
execve() — FreeBSD-SA-26:13.exec. Patch available. — Advisory
AI is
undermining vulnerability disclosure cultures
Jeff Kaufman argues AI coding assistants disrupt both responsible and
full disclosure: they compress the safe window after patches by enabling
rapid exploit development, and scale vulnerability reproduction
unpredictably. The shift in vulnerability economics has concrete
implications for how researchers, vendors, and defenders operate.
Sources: jefftk.com
· Lobsters
Dillo browser
argues for a forked, simpler web
The Dillo project publishes a manifesto for a “forked web” — a subset
that’s simpler, more accessible, and free from the complexity trap of
modern standards. Both a philosophical argument and a practical proposal
for content that works in lightweight browsers without the full
stack.
Sources: Dillo
lab · Lobsters
The moq.dev blog argues WebRTC’s complexity, browser lock-in, and
poor scalability make it a poor foundation for real-time media. Media
over QUIC is presented as a cleaner alternative — more composable,
server-friendly, and aligned with modern transport infrastructure.
Sources: moq.dev · Lobsters
Chrome silently
installs 4GB Gemini Nano model
Google Chrome is downloading a ~4GB Gemini Nano model to users’
machines for AI features, often without clear awareness or consent. The
storage is difficult to reclaim and not presented as optional — a
meaningful precedent for browsers treating disk space as a deployment
target for local inference.
Sources: The
Verge · Lobsters
let-go: Clojure in Go, boots
in 7ms
A Clojure-like language (~90% JVM Clojure compatible) in pure Go —
~10MB static binary, ~7ms cold boot (50x faster than JVM Clojure, 3x
faster than Babashka). Algorithmic throughput within range of GraalVM
alternatives, practical where JVM startup is prohibitive.
Sources: GitHub · HN