Hacker News: comments by msm_

Gitlab is a security nightmare. Self-hosting Gitlab is pain and a lot of work. Of course you can neglect security if you don't expose it to the internet, but it's not exactly a dream.

I'm all for self-hosting btw, we do it at my company. But it's not as easy as you make it sound.


>the "developer" didn't bother doing the same before committing huge chunks of AI generated code?

This is something that you assume, not something that you have any proof of. To put it a bit more strongly, this is something that you (and hundreds of other people in that github thread) made up in your head. The maintainer is a very experienced OS developer and there's no reason to suspect they didn't review the committed code.

Bugs happen, and the mere existence of bugs is not a proof that someone is doing a poor job. Assuming those bugs even exist. I am inclined to believe they do, but the issue does a poor job of reporting them. Instead of factually reporting regressions, the "issue" is a screenshot of a viral tweet.

Your vicious reaction is not justified, and you should do better in the future.

>The effort put into the issue was roughly the same as was put into the release that caused the issue to be made. Fair is fair.

It is not fair. The rsync maintainer does not owe you anything. You owe them for using their software. How much did you donate to rsync this year?


I'm sorry, but you're calling the kettle black here. You made up a scenario in your head in which the developer decided to save time by using AI to generate thousands of lines of code instead of writing it themselves, but then also decided to spend time carefully reviewing and understanding said code to look for issues before committing, even though it's a well known fact that properly reviewing such large amounts of code written by others can sometimes be a more daunting task than just writing it yourself.

We both know what the more likely scenario is here. We both know that AI fanatics have spent the last year bragging about how many thousands of lines of code they can pump out per hour. Do not claim otherwise, because to do so would be an insult to my intelligence. And from a quick look at the developer's Github profile, it's clear they've gone all in on the hype, as I cannot find a single significant commit made this year that is not signed by Claude. Even the most experienced developers are not immune to AI psychosis.

> You owe them for using their software. How much did you donate to rsync this year?

I don't remember reading this in the license. Could you point it out for me? I can't find any such clause.


It's a pretty big one, published today. Fortunately it was found and submitted by a legitimate security researcher, and it was (as far as I know) not used in the wild. Pretty scary to think what could happen instead.

Root cause was a shared library (Szafir SDK) used by many Polish commercial and public institutions. It implemented login with Polish e-signature (qualified certificate), but the library API was so convoluted that basically nobody used it correctly (registered as CVE-2026-9058 by Polish CERT: https://cert.pl/en/posts/2026/05/CVE-2026-9058/). This allowed complete login bypass to affected institutions, most importantly ZUS (universal Social Insurance system), official online labor/employment portal, and many online court and universal healthcare systems.

Unfortunately I couldn't find anything about it in English, so you need to use your favourite translator.

Shorter and more to the point version (summary for journalists) is https://zaufanatrzeciastrona.pl/post/podsumowanie-krytyczna-...


And yet it doesn't work without JS (I think it's because of the Cloudflare WAF, but still)

Once you get past Cloudflare, you can use it without JS.

Yes, in Europe it's standard to charge for tap water. I don't think I ever got water in a restaurant for free in Europe (I'm European).


Wow! I didn't expect to see mapofmetal on HN, and I *definitely* didn't expect to see the author's response.

I just wanted to say thank you for making it, it was really important for me when exploring music back in the 2010s. It was also great to see the "big picture" of metal genres, and start the long journey down the rabbit hole.

In a fun turn of events, I showed this to my wife just a few days ago, to show what I was up to when I was younger. And now less than a week later this is submitted to HN. Fun coincidence.


In addition to what others have said, this usage is very common in the CTF world. "The challenge has no solves", "We just got the first solve" etc are very idiomatic. It would actually look weird to me if this was "solution".


I don't know what to tell you. If you don't know what "CTF" is you're not the target of this blog post. It's like stumbling upon an article "What's new in HTTP/2" and complaining that the "HTTP" acronym is not explained.

I don't mean that everyone must know what CTF is, but sometimes it's OK to write things just for your community (CTF community in this case), not for general population.


Ok, so picture the situation:

1) You see a headline on HN about some open format being broken by frontier-level AI. You don't recognise the acronym.

2) You visit the site, you read the first few paragraphs, you still have no effing clue what the site is talking about

3) You come back to HN and read the comments to figure out WTF is going on. Oh, it's just some game style, so not a Cryptographic Trust File, or something you have to care about after all.

The point is you can't know what some opaque acronym is about until you visit the source of something that will hopefully explain this opaque acronym. Leaving the site still none the wiser is a failure of the site, in my view. If you don't agree, that's fine, we're adults, we can differ, but it seems like a valid complaint to me.

FWIW (this means "for what it's worth" :) I'm not railing against acronyms in general, and HTTP is probably one of the most-used ones on the internet so I'm not sure it really applies as a good counterpoint. Using CTF without an explanation is more like using SSTP (Secure socket tunneling protocol) without one, IMHO (this means In My Humble Opinion :) ...


The second form has no built-in meaning, but is frequently used in the wild. Often in local variables to avoid shadowing builtin types (`id_ = get_id()`) and in various libraries. Off the top of my head, ORMs also use it to mangle reserved names.

edit: I googled a bit and PEP8 explicitly says "Thus class_ is better than clss". and "single_trailing_underscore_: used by convention to avoid conflicts with Python keyword, e.g..."

The fourth form is the mangling used for __x names internally (the __x field in class Foo is actually _Foo__x).

I don't know where GP saw sixth form, but considering all other forms are from real-world usage, someone probably uses it too.
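Added example, not code from the thread: a short Python script showing the name mangling described above, and the consequence a practitioner cares about, namely that `__x` is a naming convention and not access control. Class names `Foo` and `Bar` and the attribute names are constructed for the demonstration; it also shows that a subclass's `__x` lands in a separate `_Bar__x` slot and that `__dunder__` names are left alone.

```python
# Added example (not from the HN thread): how CPython mangles __x names,
# and why the mangled name is a convention, not an access barrier.


class Foo:
    def __init__(self):
        self.__x = 1        # stored on the instance as _Foo__x
        self._y = 2         # single leading underscore: convention only, not mangled
        self.id_ = 3        # trailing underscore: avoids shadowing the builtin id()
        self.__magic__ = 4  # names that also end in __ are NOT mangled


class Bar(Foo):
    def __init__(self):
        super().__init__()
        self.__x = 99       # a different attribute, _Bar__x; does not clobber _Foo__x


def attr_names(obj):
    """Return the instance's attribute names as the interpreter stored them."""
    return sorted(vars(obj))


def read_private(obj, cls, name):
    """Reach a __name attribute from outside the class by spelling the mangled
    form explicitly. Assumes cls.__name__ has no leading underscores, which
    CPython would strip before building the mangled name."""
    return getattr(obj, f"_{cls.__name__}__{name}")


def demo():
    b = Bar()
    return {
        "attrs": attr_names(b),                 # ['_Bar__x', '_Foo__x', '__magic__', '_y', 'id_']
        "foo_x": read_private(b, Foo, "x"),     # 1, untouched by Bar
        "bar_x": read_private(b, Bar, "x"),     # 99
        "raw_name_present": "__x" in vars(b),   # False: the literal key never exists
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for anyone reviewing code that keeps secrets in `self.__token` style fields: `getattr(obj, "_Cls__token")` or `vars(obj)` reads them with no extra effort, so double underscores only prevent accidental collisions in subclasses, never deliberate access.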


No this is not what GP said, and I don't get how you reached this conclusion. This is like saying that AES is security through obscurity because it relies on key being secret. See [1] (linked in the OP) to understand the difference better.

I am pretty sure everyone who works in security agrees that obscurity is not security.

[1] https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

