Top Stories

Ghostty is leaving GitHub

1835 points · mitchellh.com

The clear lead story of the day, and an unusually consequential one. Mitchell Hashimoto’s terminal emulator Ghostty — one of the most-watched open source projects of the last two years — is moving off GitHub, and Hashimoto’s writeup explains exactly why: AI scraper traffic that GitHub is unwilling or unable to throttle, an unfixed pattern of issue spam from Copilot-driven agents, and a creeping sense that Microsoft’s own product strategy on the platform now conflicts with the interests of the projects living on it. The 576-comment thread is the most substantive software-politics discussion HN has had in months, with a parade of other maintainers describing the same scraper and bot-spam pressure on their own repos and a serious sub-thread comparing the actual ergonomics of Codeberg, sourcehut, and self-hosted Forgejo. If you maintain anything in the open, this is the post of the week.

Your phone is about to stop being yours

1041 points · keepandroidopen.org

A coordinated open-letter campaign from the F-Droid, GrapheneOS, and Calyx communities aimed at Google’s upcoming changes to Android sideloading — specifically the new developer-identity requirements that, in their reading, effectively end the era of installing arbitrary unsigned APKs on a stock Android device. The 494-comment thread is heated but technically literate: Google’s product managers occasionally show up to argue the malware case, EU regulators get cited approvingly several times, and a useful sub-thread walks through which alternative ROMs will and won’t be affected. Whether you read the petition itself or not, the comments are required reading if you ship Android software.

LocalSend: An open-source cross-platform alternative to AirDrop

751 points · github.com/localsend

LocalSend has been quietly excellent for a couple of years, but a fresh 2.0 release pushed it to the front page — and a 235-comment thread that reads like the definitive 2026 review. The headline upgrades are end-to-end encryption that no longer relies on a central rendezvous server, a much faster Rust-rewritten transfer core, and a Linux-native UX that finally feels first-class. The commenters’ verdict is consistent: this is the rare cross-platform app where Mac↔iPhone, Windows↔Android, and Linux↔anything actually all work, with no accounts and no cloud round-trip. If you’ve been waiting for a serious AirDrop competitor, the wait is over.

UAE to leave OPEC

354 points · ft.com

The most-discussed non-tech story on HN today, with 489 comments and climbing. The FT’s reporting frames the UAE’s exit as the culmination of a multi-year quota dispute, but the real story per the thread’s energy-economics commenters is that ADNOC’s actual production capacity has grown well past its OPEC+ quota and the country has decided it would rather sell every barrel it can pump into a tightening market than honor a cartel discipline that increasingly benefits Saudi Arabia. Worth reading even (especially) if you don’t normally follow oil markets — the second-order effects on shipping rates, the dollar, and AI-data-center power contracts are all live discussion in the thread.

VibeVoice: Open-source frontier voice AI

327 points · github.com/microsoft

Microsoft has open-sourced VibeVoice — a multi-speaker, long-form text-to-speech model that’s competitive with the best closed offerings from ElevenLabs and Google. The 168-comment thread is doing the careful comparison work: side-by-side samples vs. the latest ElevenLabs and Cartesia, an honest accounting of where the model still mispronounces uncommon proper nouns, and a useful sub-thread on the licensing (genuinely permissive, with a narrow non-disinformation use restriction). The standout demo in the thread is a 22-minute multi-host podcast generated from a single prompt; the result is good enough that the “you can hear it’s AI” tells require concentration to spot. The bar for indie audio production just moved.

An update on GitHub availability

325 points · github.blog

GitHub’s official postmortem of the multi-region outage that took down most of git operations earlier this week. The writeup is more transparent than usual — they walk through the specific MySQL replication-lag cascade that ate the API tier, the dependency on a single internal feature-flag service that turned a degraded read path into a full outage, and the changes that have since landed. The 214-comment thread is a parallel discussion: the SRE community on HN comparing this incident to its 2018 and 2021 predecessors and (less charitably) to the ongoing AI-scraper pressure that several commenters argue made the underlying systems more brittle. Reads cleanly alongside the Ghostty post above.

Before GitHub

287 points · pocoo.org

Armin Ronacher’s elegiac essay on what open source actually felt like before GitHub centralized it — SourceForge, Google Code, the patches-by-email Linux kernel workflow, and the long tail of project-specific Trac and Bugzilla instances that each had their own culture. The 85-comment thread is unexpectedly emotional, with senior contributors reminiscing about specific maintainers and bug trackers, but it’s also forward-looking: a serious discussion of whether the federation tools (ActivityPub for forges, ForgeFed) are finally good enough to host a real project on, or whether the Ghostty-style move to a single alternate forge is the more realistic path. A nice complement to today’s other GitHub-themed reading.

Who owns the code Claude Code wrote?

276 points · legallayer.substack.com

A careful legal-layer breakdown of the IP-ownership questions that have been quietly hanging over agentic coding since Claude Code, Cursor, and Aider all started shipping multi-file edits last year. The author works through the live cases — the pending Thomson Reuters precedent, the OpenAI-vs-NYT discovery findings, and the under-examined boilerplate in most coding-agent terms — and lands on a useful set of practical rules for engineers and counsel. The 305-comment thread is unusually substantive for a legal post, with several attorneys weighing in and a vigorous debate about whether the current generation of agent-written code is a derivative work, a “Bridgeport Music” moment, or something genuinely new. If you ship code with help from an agent, skim the post and read the comments.

GitHub RCE Vulnerability: CVE-2026-3854 Breakdown

261 points · wiz.io

Wiz’s writeup of the recently disclosed RCE in GitHub Actions runners — a chain that started with an over-permissive workflow-token issuance bug and ended with cross-org runner takeover. The post is the kind of detailed, well-illustrated vuln writeup HN loves; the 63-comment thread adds the operational context, with a senior security engineer from a well-known company describing how they detected the vector internally before the disclosure landed and a separate sub-thread on what to actually audit in your own Actions configuration this week. Patch already shipped, but the auditing checklist is the takeaway.

Waymo in Portland

256 points · waymo.com

Waymo’s expansion announcement for Portland — its 14th metro and the first of the 2026 Pacific Northwest rollout. The post itself is mostly marketing, but the 418-comment thread is one of the better Waymo discussions HN has had: a substantive split between the “robotaxis are now safer than my Uber” cohort and the residents-of-other-Waymo-cities cohort describing the specific failure modes (right-hook conflicts with cyclists, unprotected-left timidity, an ongoing pattern of pulling over in traffic for ambiguous reasons). Useful read whether you’re rooting for AVs or skeptical of them.