HackerNews Digest

None

Azure Linux 4.0, announced at Build 2026, is Microsoft’s first general‑purpose Linux distribution, now available for any Azure VM via the Marketplace. Built from a Fedora 43 snapshot, it replaces the hand‑crafted package set of earlier releases with declarative overlays that document every deviation from upstream. Key components include an Azure‑tuned Linux 6.18 LTS kernel with Hyper‑V, GPU and AI‑accelerator support, dnf5 (replacing the custom tdnf), glibc 2.42, systemd 258, OpenSSL 3.5 (with post‑quantum extensions), Python 3.14, and RPM 6.0 with enhanced signature verification; FIPS 140‑3 certification is pending. Security defaults enable SELinux, ASLR, stack protection, seccomp, and systemd sandboxing, and all packages are cryptographically signed with published SBOMs. Azure Linux ships minimal server‑only images and distroless container bases, and is deployable as VMs, scale‑sets, AKS hosts, and via WSL. Major customers (Databricks, LinkedIn) have migrated large workloads. Its upstream‑first, auditable supply‑chain distinguishes it from other cloud‑focused distros.

The Defending‑Code Reference Harness is an open‑source, Claude‑based pipeline for autonomous vulnerability discovery and remediation. It provides interactive skills (quickstart, threat‑model, vuln‑scan, triage, patch, customize) and an autonomous harness that runs a recon → find → verify → report → patch loop, currently configured for C/C++ memory bugs using Docker and ASAN. The pipeline executes inside gVisor containers, restricting egress to the Claude API; sandbox setup is performed with scripts/setup_sandbox.sh and invoked via bin/vp‑sandboxed. Seven stages compose the pipeline: Build (Docker image with ASAN), Recon (partition input parsing subsystems), Find (parallel fuzz agents), Verify (grader reproduces crashes), Dedupe (judge removes duplicates), Report (exploitability analysis), and Patch (fix generation and validation). Users start with Day 1 static scanning and triage, progress to Day 2 autonomous runs on a known‑vulnerable library, then customize the harness for their own codebase (Day 3‑5) and scale to continuous scanning, triage, and patching (Week 2). Documentation includes security, sandboxing, customization, and patching guidelines.

The paper systematically investigates the necessity of three separate linear projections (query, key, value – QKV) in Transformer attention. It evaluates three projection‑sharing schemes: (a) shared key‑value (Q‑K = V), (b) shared query‑key (Q = K‑V), and (c) a single shared projection (Q = K = V). Since the latter two produce symmetric attention maps, the authors also test asymmetric attention using 2‑D positional encodings. Experiments cover synthetic tasks, vision datasets (MNIST, CIFAR, TinyImageNet, anomaly detection) and large‑scale language modeling (300 M and 1.2 B‑parameter models trained on 10 B tokens). Findings include: – Transformers with Q‑K = V perform on par with or slightly better than standard QKV models. – In language modeling, Q‑K = V reduces key‑value cache size by 50 % with only a 3.1 % increase in perplexity. – Combining projection sharing with head sharing (GQA‑4 or MQA) yields up to 96.9 % cache reduction, facilitating on‑device inference. – The authors attribute the success of Q‑K = V to overlapping representational spaces for keys and values and low‑rank attention dynamics, whereas Q = K‑V disrupts directional attention. The study positions projection sharing as a practical weight‑tying technique for memory‑efficient Transformers.

Open Code Review (OCR) is an AI‑powered CLI tool for automated code review, originated from Alibaba’s internal system and now open‑sourced under Apache‑2.0. It processes Git diffs, sends changed files to a configurable LLM (OpenAI, Anthropic, etc.) via an agent with tool‑use capabilities, and returns structured, line‑level comments. **Hybrid architecture**: - *Deterministic engineering* enforces hard constraints—precise file selection, smart bundling of related files, rule‑based matching, and independent positioning/reflection modules to guarantee coverage and comment accuracy. - *Agent* handles dynamic decisions—scenario‑tuned prompts, a curated toolset, and contextual code retrieval. **Installation**: available via npm (`npm i -g @alibaba-group/open-code-review`), pre‑built binaries for macOS/ Linux/ Windows, or source build (`make build`). **Configuration**: set LLM endpoint, token, model via `ocr config set` or environment variables (`OCR_LLM_URL`, `OCR_LLM_TOKEN`, etc.). Config stored in `~/.opencodereview/config.json`. **Usage**: `ocr review` for workspace, `ocr review --from main --to feature-branch`, `ocr review --commit `, with `--format json` for CI integration. Supports rule files (four‑layer priority, first‑match‑wins) and concurrency control. **Integrations**: can be added as a skill (`npx skills add alibaba/open-code-review`), Claude Code plugin, or direct command file; also provides a web viewer for session logs with host‑allowlist security. Telemetry via OpenTelemetry is optional.

VoidZero, the maintainers of Vite, Vitest, Rolldown, Oxc and Vite+, are joining Cloudflare, with the entire VoidZero team becoming Cloudflare employees. All five projects will stay MIT‑licensed, open‑source, vendor‑agnostic and community‑driven; their roadmaps remain controlled by the broader Vite community. Cloudflare will provide engineering resources and a $1 million Vite ecosystem fund administered by the Vite core team. The companies have already collaborated via the Vite Environment API and the Cloudflare Vite plugin, which lets `vite dev` run server code in Cloudflare’s `workerd` runtime; the plugin now has ~14 M weekly downloads, while Vite itself has ~129 M. Cloudflare plans to base its unified CLI (`cf`) on Vite, making `cf dev` a superset of `vite dev` and integrating build and deployment workflows. Longer‑term goals include adding provider‑agnostic full‑stack primitives to Vite and open‑sourcing the Void platform. No changes to Vite’s open‑source status or usage are expected.

Scott H. Young argues that dramatic school‑reform proposals—project‑based learning, “real‑world” curricula, or heavily gamified ed‑tech—are not supported by rigorous evidence. Large studies (e.g., Project Follow‑Through) show Direct Instruction with structured drills outperforms discovery‑type methods; meta‑analyses in medical education find problem‑based learning yields poorer exam scores and slower study rates. Effective reading instruction still relies on systematic phonics and extensive practice; the most reliable study techniques are practice testing and spaced repetition, while mnemonics or concept maps underperform. General problem‑solving skills are not spontaneously acquired and require explicit teaching. Improvements therefore depend on two levers: increasing learning efficiency (optimizing cognitive load, retrieval practice) and choosing curricula, not on radical pedagogical overhauls. Educational technology can aid motivation and differentiation but often delivers low‑density content; AI tutoring remains inferior to human teachers. Ultralearning succeeds only for highly motivated individuals who can tolerate intensive, self‑directed effort, a condition rarely present in typical classrooms.

South Korean regulators have amended the Telecommunications Business Act (전기통신사업법) to obligate online communities and forum operators to scan all user‑uploaded images and videos with AI‑based detection systems starting July 1. The mandate requires operators to procure datacenter‑grade Nvidia GPUs and implement the specified hardware and software, placing significant cost burdens on small‑scale sites. The law targets illegal content such as non‑consensual pornography and child sexual abuse material (CSAM), but in practice it has been applied to broader categories: drawings, fan‑art depicting minors, mild nudity, swimsuit photos, anime images, memes, and even text‑based content like “sex” references or unrelated material such as linear‑algebra problems. Recent incidents include potential censorship of political memes. Critics argue the requirements are overly punitive, may suppress creative expression, and appear designed to pressure or eliminate independent online communities. No government‑provided hardware is offered, leaving compliance costs entirely on site owners.

Branchless Quicksort (blqs) is a single‑header library providing C and C++ interfaces for fast sorting. Benchmarks on an Apple M1 (Clang ‑O3) and an AMD Ryzen 3 (GCC ‑O3) show that the single‑threaded version sorts 50 M doubles faster than conventional std::sort; on the M1 the multithreaded variant gains an additional 3–4× speedup. The algorithm avoids branch misprediction by using a 1024‑element auxiliary buffer for branchless partitioning, copying blocks alternately to left/right pointers without conditional jumps. For small partitions (2–12 elements) it employs custom sorting‑network code paths. Pivot selection uses median‑of‑medians and switches to heapsort when a large imbalance is detected; already‑sorted partitions are detected early. When sorting non‑trivially‑copyable types (e.g., strings), blqs falls back to a BlockQuicksort variant that operates on indices and minimizes swaps, borrowing ideas from pdqsort. The library is used via `blqs::sort(begin, end)` in C++ or `blqsort(array, size)` in C after defining `BLQS_TYPE` and `BLQS_CMP`. It also supports custom structs through standard comparison operators or macro‑defined comparators.

None