Top HN Daily Digest · Tue, Apr 14, 2026

Backblaze has updated its backup client to automatically exclude folders from cloud storage providers like OneDrive, Dropbox, and Google Drive, as well as `.git` directories. Users are criticizing the company for implementing these exclusions silently without direct notification or clear documentation on their website. [src]

Backblaze's decision to exclude OneDrive and Dropbox folders from its personal backup service is seen by users as a breach of its "unlimited" storage promise and a failure to act as a reliable last-resort backup [0][3][8]. While some commenters suggest the change is a technical necessity to prevent "files on demand" features from crashing laptops by forcing massive downloads [1], others argue that excluding synced folders leaves users vulnerable to data loss if a sync service accidentally overwrites or corrupts files [3][5]. Critics contend that "unlimited" marketing is inherently unsustainable and signals that financial teams are prioritizing cost-cutting over data integrity [2][9].

Blackmagic Design has introduced a dedicated Photo page to DaVinci Resolve, bringing its advanced Hollywood color grading tools, AI-powered effects, and RAW support to still photography. The update includes non-destructive editing, GPU-accelerated processing, and cloud-based collaboration for professional photographers and retouchers. [src]

Users are excited that DaVinci Resolve is bringing advanced video-centric color science and creative tools like relighting and film emulation to the stagnant photography market [0][3]. While some praise its performance on Linux via containerization [9], others report significant frustration with outdated audio APIs and codec support on the platform [2]. Early testers find the interface confusing and "tacked on" compared to Lightroom, suggesting that while the software is powerful, it currently lacks the intuitive workflow required to sway professional photographers [7].

Google has introduced a new spam policy targeting "back button hijacking," a technique that prevents users from returning to search results by manipulating browser history. The policy aims to improve user experience by penalizing sites that trap visitors or redirect them to unwanted content. [src]

Users identify major platforms like LinkedIn, Reddit, and Microsoft as frequent offenders that manipulate browser history to trap visitors within their ecosystems [0][3][7]. While some argue that the History API is essential for modern single-page applications and bookmarking, there is a strong consensus that these features are being weaponized for "encrapification" and advertising [1][9]. Proposed solutions include restricting third-party domains from modifying history stacks and broader calls to limit how much JavaScript can override native browser behaviors [2][5][6].

Jujutsu (`jj`) is a distributed version control system that aims to be simpler and more powerful than Git while maintaining full Git compatibility, allowing users to adopt its advanced workflows without requiring their collaborators to switch. [src]

The primary debate surrounding `jj` centers on its "automatic commit" behavior, which some users find intuitive for tracking logical changes while others view it as a "footgun" that risks accidentally rewriting history [0][1][2]. Critics argue that the `jj edit` command leads to unintended rebases of subsequent work, though proponents suggest using `jj new` to create cheap snapshots instead of traditional Git-style staging [2][7][8]. Despite disagreements over the workflow's "backward" mental model, there is strong consensus that `jj`’s Git-compatible backend makes it a low-risk tool to trial within existing ecosystems [6][9].

Claude Code routines are automated, cloud-based configurations that execute tasks like code reviews and backlog maintenance via scheduled, API, or GitHub event triggers. [src]

The introduction of Claude Code Routines has sparked significant skepticism regarding vendor lock-in, with users expressing a lack of trust in Anthropic’s long-term stability and a preference for "dumb pipe" API access over integrated platforms [0][2]. Developers are particularly concerned about confusing Terms of Service regarding third-party harnesses and the potential for account termination when integrating these tools into external applications [1][4]. Additionally, many users report a perceived decline in model performance and "nerfing," questioning how autonomous routines can function effectively under increasingly restrictive usage limits [3][5][8]. While some compare these fears to early cloud adoption anxieties that never fully materialized [6], others are impressed by Anthropic's rapid feature delivery, which is quickly outpacing open-source alternatives [9].

We couldn't summarize this story. [src]

The debate centers on whether Spain’s aggressive internet blocking is a response to a "service problem" or a "pricing problem." Some argue that piracy persists because official services are fragmented, laden with ads, and difficult to cancel [0][2], while others contend that many users pirate simply to get "free stuff" as a game or cultural habit, even when they can afford to pay [1][3]. Critics suggest these blocks are an "absurd" overreach by a bureaucratic state that undermines privacy and should be regulated at the EU level [4][6][7]. Ultimately, some believe pirate sites will always offer a superior user experience because they lack the legal and financial constraints of official channels [8].

Flock Safety denied a California resident's CCPA request to delete personal and vehicle data, claiming that as a service provider, it cannot fulfill requests directly because its customers own and control the collected information. [src]

The primary debate centers on whether Flock Safety acts as a mere service provider, similar to a cloud storage vendor, or as a data broker responsible for the information its cameras collect [1][3][9]. Flock claims that customers own the data, but critics argue the company maintains "unfettered access" to a massive surveillance network to drive its multi-billion dollar valuation while shifting legal liability to local agencies [0][8]. There is significant disagreement over whether license plate captures in public constitute "personal information" under the CCPA and whether the company's ownership of the hardware makes them legally responsible for deletion requests [4][5][6][7].

The Internet Archive is digitizing music superfan Aadam Jacobs’ collection of over 10,000 rare concert cassette tapes recorded since the 1980s, featuring previously unreleased performances from artists like Nirvana, Phish, and Sonic Youth. [src]

The preservation of rare concert recordings on the Internet Archive highlights the historical value of bootlegging, with recordists sharing anecdotes of bands embracing high-quality fan recordings as valuable additions to their digital legacy [0][7]. While some users lament the loss of physical music shops where such "gems" were once easily accessible, others argue that copyright laws should be reformed to move music into the public domain after 30 years [2][3]. There is a strong consensus that artists benefit from these archives, leading to suggestions that musicians should officially record and sell live sets directly to attendees [1][2].

Stop Flock is a campaign raising awareness about Flock Safety’s AI-powered surveillance network, which uses "vehicle fingerprints" to track movement patterns and associations across a nationwide database accessible to police without a warrant, sparking significant Fourth Amendment and privacy concerns. [src]

The discussion highlights a tension between public safety and the dangers of mass surveillance, with some arguing that institutional leaders face immense pressure to eliminate camera blind spots to track criminals [0]. Critics contend that the current business model of data brokering creates "toxic waste" that threatens privacy, suggesting that data should be treated as a legal extension of the home requiring warrants and mandatory notifications [1][2]. While some argue there is no expectation of privacy in public spaces [3], others emphasize the need to close legal loopholes that allow the government to "launder" information through third parties to bypass Fourth Amendment protections [5][9].

Fiverr is reportedly exposing sensitive customer documents and PII in public Google search results due to the use of unsecured Cloudinary URLs for private messaging and work products. [src]

Fiverr has faced criticism for leaving sensitive customer files—including tax forms, API tokens, admin credentials, and internal reports—publicly searchable and accessible [3][4][5][7]. While Fiverr claims they are working on a resolution and disputed the timeline of initial reports, users argue the leak is so severe that the company should immediately block all static asset access regardless of business impact [1][3][8]. The incident sparked a debate over professional standards: some argue for mandatory software engineering certifications to prevent such incompetence, while others contend that licensing would be an ineffective "hassle" that cannot solve fundamental carelessness [0][2][6][9].

Fuzzing a formally verified Lean implementation of zlib revealed a heap buffer overflow in the Lean 4 runtime and a denial-of-service bug in an unverified archive parser, demonstrating that software remains vulnerable to flaws in its underlying foundations and unproven components. [src]

The discussion centers on whether a "bug" found outside the scope of a formal proof—specifically in the C++ runtime or due to specification gaps—invalidates the claim of a program being "proven correct" [0][2][6]. While some argue the title is clickbait because the verified logic remained sound [0][7], the author contends that for end users, any crash or exploit in the final binary constitutes a failure of the system's promised security [1][8]. Commenters also highlight that formal verification is limited by the difficulty of accurately capturing human intent in specifications and the impossibility of proving a total absence of bugs [3][5].

Aphyr argues that AI integration in the workplace risks deskilling professionals, consolidating wealth among tech giants, and creating "witchcraft-like" engineering practices where humans manage fickle, dishonest models—all while threatening a massive labor shock that current social safety nets are unprepared to handle. [src]

The discussion centers on whether AI has reached a technical plateau or is poised for an unpredictable "singularity," with some arguing that current LLMs have limited headroom while others believe new architectures could still trigger exponential growth [0][1][4]. While some users report significant productivity gains and improved code homogeneity through AI, others warn of a future dominated by "slop," propaganda, and the potential collapse of the open internet [1][3]. There is also a debate regarding the social perception of leadership; some argue that "CEO-bashing" creates a sense of learned helplessness in young workers, while others maintain that executive decisions to replace humans with AI will inevitably degrade product quality [1][2][6].

Global food system efficiency declined between 2010 and 2020, with only half of cropland calories reaching humans directly as food. This inefficiency is primarily driven by livestock feed and biofuels, with beef production alone accounting for 36% of feed calories while returning only 9.1% as edible food. [src]

The discussion centers on whether global food production capacity is a genuine crisis, with several commenters arguing that current shortages are actually failures of logistics, energy supply, and regulation rather than a lack of resources [0][2][6]. While some suggest that market forces and cheap energy will naturally resolve these issues [1][8], others contend that markets prioritize the wealthy at the expense of the global poor and the environment [4][7]. There is notable interest in the efficiency of chicken and legumes over beef, though some defend the practice of overproduction and crop destruction as a necessary buffer against potential supply shocks [3][5][9].

Joan Westenberg argues that the public often mistakenly attributes "4D chess" brilliance to the impulsive, ego-driven blunders of powerful figures like Napoleon, Elon Musk, and Sam Altman, rather than accepting that high-status individuals frequently make simple, catastrophic mistakes. [src]

The discussion centers on whether the actions of powerful figures are calculated "4D chess" or simply human fallibility, with some arguing that we mistakenly attribute deep genius or evil to what is often just banal stupidity [0][9]. While some commenters contend that maintaining high-level power requires a lack of a moral compass [1], others point out that the extreme scrutiny and unique pressures of these roles make mistakes more visible [3][8]. There is significant disagreement regarding specific examples, such as whether Napoleon’s invasion of Russia was a logistical failure or a misunderstood strategic move [2][6], and whether Elon Musk’s acquisition of Twitter was an irredeemable blunder or a high-leeway gamble that may yet yield massive returns [5][9].

A medical professional used AI coding agents to build a custom patient management system that inadvertently exposed sensitive, unencrypted data and voice recordings to the open internet due to a total lack of security controls. [src]

The discussion is divided over the authenticity of the "vibe coding" horror story, with some users dismissing it as vague internet fiction or a result of human negligence rather than AI failure [0][3][7]. While some argue that software engineering requires professional accreditation and standards similar to civil engineering to prevent such security lapses [1][9], others contend that professional bodies act as rent-seeking gatekeepers and that existing laws already cover these issues [5]. Notable anecdotes include a user reporting a Spanish insurance company to data protection authorities after discovering they had "vibecoded" a CRM with similar vulnerabilities [2].

OpenSSL has officially released version 4.0.0, marking a major new update for the open-source cryptography and TLS library. [src]

The release of OpenSSL 4.0.0 has sparked excitement for its native Encrypted Client Hello (ECH) support [0], though users note that ECH's privacy benefits are limited for individual servers where IP addresses still leak identity; its primary value lies in large-scale cloud hosting [5][7][8]. Despite this milestone, significant criticism remains regarding the library's architecture, with developers arguing that the transition to OpenSSL 3.x introduced severe performance regressions and a "terrible" developer experience due to complex, dynamic API designs [4]. While modern web servers like Nginx are already integrating these features [5][6], some warn that "reasonable" networks may block ECH traffic entirely [1][9].

The Introspective Diffusion Language Model (I-DLM) is the first diffusion-based model to match the quality of same-scale autoregressive counterparts, using a new "introspective strided decoding" method to verify and generate tokens simultaneously for up to 4.1x higher throughput. [src]

The discussion highlights a significant breakthrough in turning autoregressive models into diffusion language models (dLLMs), achieving competitive performance with the base model while doubling generation speeds [1]. Users report that dLLMs like Mercury 2 offer frictionless latency for UX experiments such as note-tagging and autocomplete, though they still struggle with tool-calling accuracy compared to established models like Haiku [3][5]. While the speed and potential for "byte-for-byte" output parity are exciting [1], skeptics question the practical trade-offs regarding time-to-first-token (TTFT) and whether the quality is yet "good enough" for complex tasks like coding [5][7]. There is also emerging interest in whether diffusion can be used for iterative reasoning by passing outputs back through the model for introspection [6][9].

An independent audit by webXray found that Google, Meta, and Microsoft frequently ignore user opt-out signals and continue to set advertising cookies, potentially violating California privacy laws despite the companies' claims of compliance. [src]

The discussion centers on a webXray audit alleging that major tech firms ignore user opt-out signals, with the audit's founder, Dr. Tim Libert, citing his former role as Google’s head of Cookie Compliance to refute claims that he misunderstands their technical processes [0][7]. While some users argue that cookies are not synonymous with tracking and that current privacy specifications like GPC are legally ambiguous regarding cookie placement [1][4], others contend that corporations have no incentive to comply because existing fines are negligible "daily expenditures" rather than true deterrents [2][9]. The consensus among several commenters is that users should assume they are being tracked regardless of settings, as data collection is inherent to the infrastructure and only mitigated by aggressive measures like disabling JavaScript [3][5][6].

A hacker compromised the backend of Doublespeed, an a16z-backed startup that uses phone farms to create AI influencers, and attempted to post memes calling the venture capital firm the "antichrist." [src]

Commenters expressed shock and moral condemnation regarding a16z’s investment in a "bot farm" designed to flood social media with AI-generated content, with some arguing that such ventures lack long-term value and should cause investors to question the firm's thesis [0][3][5][9]. While many believe those involved should be "deeply ashamed" of contributing to the "shittification" of the internet, others adopt an accelerationist perspective, suggesting that ruining discoverability with "slop" might speed up the necessary demise of current social media platforms [2][4][8]. There is a cynical consensus that this type of "black-hat" manipulation represents a race to the bottom for digital content [3][4].

OpenDuck is an open-source implementation of distributed DuckDB that features differential storage, hybrid local-remote execution, and a transparent remote database protocol inspired by MotherDuck’s architecture. [src]

The primary criticism of DuckDB centers on its strict file-locking mechanism, which prevents concurrent read/write access across multiple processes, unlike SQLite [0]. While some users worry that the ecosystem is becoming overly complex with various "lakehouse" and cloud extensions [2], developers argue that the core remains lightweight by isolating these features into an extension-based architecture [6]. To address concurrency and distributed storage, proponents suggest using the DuckLake format with a shared Postgres catalog or exploring hybrid execution models similar to MotherDuck [5][7].