Hacker News — 2026-05-10

Top Story

A classic HN breaking point narrative: an early AWS evangelist logs back in to spin up a 192-core instance, triggers an automated account suspension, and remembers exactly why they abandoned the ecosystem. The author’s litany of grievances—Lambda vendor lock-in, predatory open-source strip-mining, and 9-cents-a-gigabyte egress fees—resonates deeply with anyone suffering from modern cloud fatigue.

Front Page Highlights

[Incident CVE-2024-Yikes] · nesbitt.io: A painfully accurate satire of the modern software supply chain, where a stolen YubiKey leads to a compromised npm package, which poisons a vendored Rust dependency in a Python build tool. The malware infects millions of developers before being inadvertently patched by an entirely unrelated cryptocurrency mining worm. It is the best piece of tech fiction written all year because every single failure mode highlighted is entirely plausible.

[Idempotency Is Easy Until the Second Request Is Different] · blog.dochia.dev: A masterclass in distributed systems engineering that correctly points out that idempotency isn’t just about putting a key in a header and caching the result. The real nightmare begins when the second request arrives with the exact same idempotency key but a different payload, forcing the server to decide between silent replay or throwing a hard conflict.

[Replacing a 3 GB SQLite db with a 10 MB FST (finite state transducer) binary] · til.andrew-quinn.me: The developer of a Finnish-English dictionary swaps out a massive SQLite database hack for a Finite State Transducer written in Rust, achieving a 300x reduction in memory footprint. It is a perfect reminder that sometimes understanding your domain—in this case, compressing both prefixes and suffixes of a highly agglutinative language—lets you build a specialized data structure that completely obliterates general-purpose tools.

[FreeBSD – A Lesson in Poor Defaults] · vez.mrsk.me: A blistering critique of the FreeBSD security model, highlighting the project’s historical tendency to prioritize backwards compatibility and performance over actual security. The author meticulously documents issues ranging from dangerous package manager operations running as root to a years-long reliance on legacy OpenSSL branches, sparking the inevitable OS holy wars in the comments.

[France moves to break encrypted messaging] · reclaimthenet.org: French lawmakers are officially pushing to mandate “targeted access” to platforms like WhatsApp and Signal by silently injecting a “ghost user” into encrypted conversations. It is yet another exhausting instance of politicians ignoring thirty years of cryptographic consensus: there is no such thing as a backdoor that only the good guys can use.

Discussion & Debate

  • PS3 Emulator Devs Politely Ask That People Stop Flooding It with AI PRs: The maintainers of the open-source RPCS3 emulator have officially threatened to ban users who submit “AI slop code” pull requests that simply do not work. It is a stark warning about the rising hidden tax of LLMs: open-source maintainers are drowning in hallucinated PRs from tech bros trying to “vibe-code” complex C++ projects.
  • Distributing Mac software is increasing my cortisol levels: A developer rants about the punishing UX and extortionate yearly subscription fees required by the Apple Developer Program just to stop macOS from throwing terrifying quarantine warnings on a simple, 7-dollar indie utility. The thread is full of devs commiserating over how the economics of the walled garden are intentionally designed to gatekeep hobbyists out of desktop software distribution.
