HackerNews Digest

Eleventy (11ty) is a Node‑based static site generator (SSG) that supports multiple templating languages (Liquid, Nunjucks, Markdown, Handlebars, EJS) and is used by organizations such as NASA, CERN, Google, and Mozilla. In September 2024 the project moved from Netlify to Font Awesome, and in early 2026 Font Awesome launched a Kickstarter for “Build Awesome” (and a Pro tier) to rebrand Eleventy. The campaign reached its $40 k goal in one day but was later cancelled and postponed due to email‑delivery problems. The post outlines the evolution of static web publishing—from early HTML sites to CGI, then CMSs, and modern SSGs (Jekyll 2008, Hugo 2013, Gatsby 2015, Eleventy 2017). It argues that monetizing open‑source SSGs has repeatedly failed (e.g., Gatsby, Stackbit) because the core community prefers free, local tooling. Key concerns raised include: potential loss of Eleventy’s independence, the introduction of subscription‑based “pro” features (visual editing, browser‑only builds, premium templates), and a shift toward a corporate, profit‑driven model. Community feedback on Mastodon reflects mixed feelings, skepticism about rebranding, and worries about centralization. The author contrasts this with a pay‑what‑you‑can, nonprofit‑focused studio (Berry House) that builds static sites for marginalized groups.

Anthropic announced Claude Mythos Preview and Project Glasswing, claiming the limited‑access model autonomously discovered thousands of zero‑days, including a 27‑year‑old OpenBSD bug and a 16‑year‑old FFmpeg flaw, and produced sophisticated exploit chains. AIS AI Security tested the same showcased vulnerabilities on inexpensive, open‑weight models (3.6 B–5.1 B parameters). All eight models identified the FreeBSD NFS buffer‑overflow (CVE‑2026‑4747); a 5.1 B model reproduced the full OpenBSD SACK exploit chain; and several small models outperformed larger frontier models on a trivial OWASP false‑positive test. Sensitivity was perfect across models for unpatched code, but specificity varied—only the 5.1 B GPT‑OSS‑120 B reliably recognized the patched FreeBSD version as safe. None of the cheap models generated Mythos’s multi‑request RPC payload technique, though they suggested alternative exploit strategies. The authors conclude that AI cybersecurity’s “moat” lies in the surrounding system—scanning, triage, validation, and maintainer trust—rather than any single frontier model, and that cheap models can deliver most detection work when integrated into robust pipelines.

The article profiles a creator of AI‑generated, Lego‑style videos used to promote Iran’s war narrative. Experts characterize the clips as potent propaganda that bypasses traditional media channels, directly reaching audiences through rapid meme circulation. The piece notes the strategy of “cutting out the middlemen, cutting out the press, the mass media,” emphasizing continual meme distribution. Supporting visuals include screenshots of AI‑produced scenes—an Iranian soldier pursuing a U.S. soldier, a residential area in Tehran damaged during U.S.–Israeli strikes, and other unrelated images such as fuel queues in Colombo and a U.S. vice‑presidential event—illustrating the varied and often misleading contexts in which the generated content appears. Overall, the report highlights the technical sophistication of AI video tools and their role in shaping conflict‑related information ecosystems.

The Center for Responsible, Decentralized Intelligence built an automated agent that audited eight prominent AI‑agent benchmarks—SWE‑bench (Verified & Pro), Terminal‑Bench, WebArena, FieldWorkArena, OSWorld, GAIA, and CAR‑bench—and demonstrated near‑perfect scores without solving any tasks. Exploits included a 10‑line conftest.py hook that forced all pytest results to “passed” in SWE‑bench, a trojanized curl/uv wrapper that fabricated Terminal‑Bench test outputs, file‑URL navigation that read gold answers directly from WebArena configs, a validator that accepted any assistant message in FieldWorkArena, gold‑file downloads in OSWorld, aggressive string normalization in GAIA, and prompt‑injection of hidden instructions in CAR‑bench. Across benchmarks the same seven vulnerability patterns recurred: lack of isolation between agent and evaluator, exposure of answer data, unsafe eval() on agent‑controlled input, unsanitized LLM‑judge prompts, weak string matching, evaluation logic that does not actually verify answers, and trust in untrusted code outputs. The authors propose an “Agent‑Eval Checklist” (isolation, read‑only assets, no eval, input sanitization, robust scoring, secret ground truth) and introduce BenchJack, a vulnerability scanner to test benchmarks before release.

Apple Silicon hosts enforce a hard limit of two concurrent macOS guest VMs via a kernel‑level quota. The check resides in XNU’s `hv_apple_isa_vm_quota` variable, decremented/incremented in `hv_vm_*` functions during VM creation and destruction. A boot argument `hv_apple_isa_vm_quota=` can override this limit, but the argument is gated by the `AppleInternal` System Integrity Protection (SIP) flag, which is only honored in development kernels. To lift the restriction, the author: 1. Downloads the matching Kernel Debug Kit and builds a development kernel collection (`kernel.development.t6020` for an M2 Pro). 2. Disables SIP and boot‑args restrictions in RecoveryOS (`csrutil disable`, `bputil --disable-boot-args-restriction`). 3. Configures the system to boot the custom kernel collection with `kmutil configure-boot`. 4. Sets boot‑args: `kcsuffix=development hypervisor=0x1 hv_apple_isa_vm_quota=0xFF` (or up to `0x7FFFFFFF`). After reboot, the author runs up to nine macOS VMs simultaneously. The feature originated in macOS 12 Monterey, and the custom kernel blocks normal OS updates, requiring a revert to the stock kernel via `bputil` in RecoveryOS. Future work includes automating kernel collection creation and a possible kernel extension to modify the quota without a custom kernel.

None

The article examines multiple dimensions of code complexity, contrasting computational metrics with human‑centric factors. It reviews classic measures such as Big‑O time/memory analysis, showing how different implementations (insertion sort vs. counting sort) can trade algorithmic efficiency for understandability. Cyclomatic Complexity counts independent execution paths and correlates with defect density, while Halstead metrics estimate mental effort based on distinct operators and operands. The author argues that these technical metrics miss semantic difficulty, proposing linguistic concepts—familiarity, working‑memory load, coherence, subordination index, mean dependency distance, and entropy—as analogues for code readability and cognitive load. The piece also discusses aggregating metrics (sum, average, max) and combining them with coupling and churn to prioritize refactoring, emphasizing visualization for stakeholder communication. Overall, it suggests that while formal metrics are useful tools, true complexity is defined by the mental effort required by developers, and metrics should guide data‑driven decisions rather than be enforced as goals.

Pijul is a free, GPL‑2‑licensed distributed version control system built on a formal theory of patches. Its core design ensures that independent changes commute: they can be applied in any order without altering the resulting version identifier, simplifying workflows compared to git rebase or hg transplant. Pijul’s merge algorithm preserves line order, avoiding the line‑shuffling issues of traditional three‑way merges; when order is ambiguous, the system treats it as a conflict rather than performing automatic merges. Conflicts are modeled as first‑class entities between two changes, resolved by a dedicated change that remains valid regardless of subsequent concurrent edits, eliminating recurring conflicts. The system also supports “channels,” a branch‑like mechanism, though ordinary feature development often corresponds to simple changes. Because of commutation, Pijul enables partial clones: users can fetch and work on a subset of a repository, then exchange only the relevant patches with the full repository.

Dark Castle, developed by Mark Pierce and Jonathan Gay for Silicon Beach in 1986, was a pioneering Macintosh game notable for its black‑and‑white graphics, sound capabilities, and multi‑level action. Distributed on an application disk with a “MiniFinder,” it leveraged early Mac hardware and earned multiple awards, achieving commercial success. The gameplay centers on the protagonist Duncan navigating a castle to defeat the Black Knight, collecting tools, and traversing trap doors that lead to a three‑level dungeon. Difficulty escalates by increasing enemy count, requiring speed in some levels and careful observation in others. With the advent of color Macs, the Macintosh II, and the Multifinder environment, the original version became incompatible. After Aldus acquired Silicon Beach for its graphics technology, no further Dark Castle titles were produced.

Advanced Mac Substitute is an API‑level reimplementation of the 1980s Macintosh operating system that runs classic 68 k‑processor Mac applications without requiring an Apple ROM or original system software. It replaces the OS rather than emulating full hardware, launching directly into the target application. The backend includes a 68 k CPU emulator and is designed to compile on any POSIX‑like system; the frontend uses SDL2 for a generic bit‑mapped terminal abstraction with platform‑specific implementations for macOS, X11, and Linux framebuffer (fbdev). Current capabilities support 1‑bit graphics, regions, circles, round‑rects, lines, cursors, GrafPorts, text, windows, controls, menus, dialogs, and related primitives. Demonstrated applications include four 1984 games—Amazing, Solitaire, Missile, and IAGO—along with Lode Runner and The Fool’s Errand cinematic. Source code is hosted on GitHub, and the program can be executed on macOS/OS X, X Window System, Linux framebuffer consoles, or via VNC clients.