Rich Sutton on AI creativity and discovery
https://www.youtube.com/watch?v=K5LAFEjTlBA
Comments URL: https://news.ycombinator.com/item?id=48470581
Points: 14
# Comments: 1
TechBrief — تازهترین اخبار فناوری
آخرین خبرها
German ruling declares Google liable for false answers in AI Overviews
Comments URL: https://news.ycombinator.com/item?id=48470248
Points: 52
# Comments: 12
macOS Container Machines
Article URL: https://github.com/apple/container/blob/main/docs/container-machine.md
Comments URL: https://news.ycombinator.com/item?id=48469658
Points: 226
# Comments: 86
Google just fired a warning shot in the AI subscription price wars
Google just made it significantly cheaper to enjoy its budget AI subscription tier.
It's death
Article URL: https://jesseduffield.com/ITS-DEATH/
Comments URL: https://news.ycombinator.com/item?id=48469347
Points: 120
# Comments: 25
I tried Siri AI, and so far it actually works
Parents want one thing, and one thing only, out of AI: to add a list of soccer games or "spirit week" theme days from an email or a poorly formatted flyer onto their calendar in one shot. And I have good news for parents with iPhones - the new Siri can finally do this. After […]
GM thinks EVs can help offset AI’s energy suck with vehicle-to-grid tech
At an event in San Francisco today, General Motors made a series of announcements around EV batteries, energy storage, and grid resiliency in the face of growing electricity demand from AI data centers. The automaker announced that it would be activating new vehicle-to-grid capabilities for its current EV and home energy customers. It's releasing a […]
How Justin Ernest invested nearly $500M into hot startups without a traditional VC fund
Instead of spending a year raising a formal venture fund, the Sabertooth VC founder used a captive network of LPs to invest in startups like Anthropic, Anduril, and SpaceX.
Congress just gave DHS another $70 billion
Congress narrowly voted to fund President Donald Trump's mass deportation agenda, giving the Department of Homeland Security $70 billion over the next three years. The house voted 214 to 212 in favor of the reconciliation bill Tuesday, following the Senate's 52-47 vote last Friday morning. The vote fell largely along party lines. Sen. Lisa Murkowski […]
Show HN: Nucleus – A security-hardened, Nix-native container runtime
Hi HN, I've been building Nucleus, a lightweight Linux container runtime focused on two workloads: ephemeral AI-agent sandboxes and declarative NixOS services. It's a single Rust binary, no daemon.
It is not a Docker replacement and not a strict subset of Docker either. I dropped the entire image-and-distribution half (no Dockerfile, no layers, no registry, no pull/push, no persistent storage layer) in exchange for going deeper on isolation and reproducibility. The rootfs is either a directory copied into tmpfs (agent mode) or a Nix-built closure mounted read-only (production mode). If your mental model is "run my image instead of docker run," this won't fit. If it's "run untrusted or ephemeral workloads with stronger, auditable isolation on a single host," that's the target.
Things that I think are interesting:
- Defense-in-depth defaults. All capabilities dropped, ~100-syscall seccomp allowlist (vs Docker's ~300), up to 8 namespaces including time/cgroup, Landlock LSM path ACLs per service.
- Deny-by-default egress. Outbound traffic is denied unless you allow specific CIDRs or DNS-resolved domains. Enforced with namespace-local iptables rules.
- Externalized, hash-pinned security policies. seccomp (JSON), capabilities (TOML), and Landlock (TOML) live as separate SHA-256-verified files, decoupled from the rootfs build. There's a nucleus seccomp generate that records syscalls in trace mode and emits a minimal profile.
- gVisor as a first-class integrated runtime, not an add-on. Explicit network modes including a gvisor-host mode that's intentionally separate from native host networking.
- Nix-native production path. nucleus.lib.mkRootfs builds locked-down closures; rootfs attestation verifies a per-file SHA-256 manifest at startup; first-class NixOS module.
- Formal verification. TLA+ specs for the isolation/resource/filesystem/security/gVisor subsystems, checked with Apalache, plus property-based tests that drive the Rust implementation against the specs.
Cold-start is ~12ms in the native runtime. Postgres 18 pgbench numbers under Nucleus are within noise of bare metal in our harness (full results in benches/).
Comments URL: https://news.ycombinator.com/item?id=48469039
Points: 17
# Comments: 0