Your Linux laptop has been leaving its full-disk encryption keys in RAM every time you close the lid. For 26 months. A mathematician found the bug by accident, and the fix is one line of kernel code.
cryptsetup returned success the entire time. The tool designed to protect your disk was silently doing nothing, and no test existed to catch it.
In today’s indie hacker news:
- Linux LUKS keys sat in RAM since May 2024 and nobody noticed
- Virginia banned selling precise GPS data, six more states loading
- A Polish student translated all of rustc into 46M lines of C
- PeerTube surges on HN as YouTube’s AI purge displaces creators
- Drama: an App Store clone scraped and copied the real users
- Meanwhile: learn engineering concepts while Claude Code thinks
TOP STORIES
TRUST BUT VERIFY (NOBODY VERIFIED)
🔐 Linux LUKS encryption silently stopped wiping keys from RAM for 26 months

The story: Mathematician Ingo Blechschmidt at the University of Augsburg discovered that a kernel refactoring in Linux 6.9 (May 2024) broke the LUKS key-wiping mechanism during suspend-to-RAM. Christian Brauner’s commit ported block device access from struct bdev_handle to struct file, which silently broke how dm-crypt binds thread keyrings. cryptsetup reported success while leaving keys untouched.
The details:
- Every kernel from 6.9 through current is affected. Suspend-to-RAM (closing the lid) is the default modern behavior, not full shutdown
- Cold boot attacks on LUKS are not theoretical. Law enforcement documented key extraction from suspended laptops between 2019 and 2024
- Blechschmidt submitted a one-line kernel patch. A companion cryptsetup MR proposes a visible warning when key wiping fails
- NixOS merged PR #532499 on July 3 with a regression test that catches this in both CLI and systemd-managed scenarios
- Affected distros: Debian, Ubuntu, Arch (via AUR), and anything using cryptsetup-suspend. Linux 6.6 LTS is the last known-good version
Why builders care: If your team runs LUKS on Linux laptops, a stolen machine in sleep mode meant full disk access since May 2024. Enforce full shutdown as interim mitigation, and watch for the fix in a stable release. Blechschmidt’s takeaway: “If a feature lacks an associated test case, it is not actually a feature.”
Clone your voice once. Ship every video without re-recording. ElevenLabs Pro trains a voice clone in 30 minutes that sounds like you on every long-form, Short, and podcast you ship. We narrate every video on this newsletter with it. Beats hiring a VO artist on Fiverr or settling for a default TTS bot.
We get a cut if you sign up. Only added for tools we use ourselves.
GPS DATA: BANNED FOR CASH
📍 Virginia makes it illegal to sell your location data. Six more states are loading the bill.

The story: Virginia SB 338 took effect July 1, banning data controllers from selling precise geolocation data under the VCDPA. Governor Spanberger signed it April 13 after it passed 96-0 in the House and 36-0 in the Senate. “Precise geolocation” means data identifying a person within 1,750 feet, GPS-level accuracy. Zip-code or city-level data is still fair game.
The details:
- Virginia is the third state with an outright ban. Maryland enacted first (October 2025), then Oregon (January 2026)
- Virginia’s VCDPA defines “sale” as monetary consideration only. Maryland and Oregon cover “monetary OR other valuable consideration,” making them broader
- Six more states have active 2026 bills: California (AB 322), Connecticut, Maine, Massachusetts, Vermont, and Washington
- Three states now cover 25 million people (7.5% of the U.S. population). Projections suggest 50% coverage by late 2027
- Enforcement is AG-only. Penalties up to $7,500 per violation with a 30-day cure window. No private right of action
Why builders care: If your app or analytics SDK transmits lat/long from Virginia users to a third party for money, you’re in violation as of July 1. The “sale only” definition has a loophole (non-cash data-sharing survives), but Maryland and Oregon close it. Building compliant architecture now is cheaper than patching it six more times.
ATTEMPT 14 WORKED
🦀 A Polish student translated all of rustc into 46 million lines of C

The story: Michal Kostrubiec (@FractalFir), a CS student from Szczecin, Poland, built cilly, a Rust-to-C compiler backend. Then he pointed it at the entire Rust compiler (rustc 1.98.0-nightly) and published the output: 46 million lines of auto-generated C, buildable with GCC and GNU Make.
The details:
- Compiles in 78 seconds on ARM64 Linux with
make -j20and no optimization flags. For scale, the Linux kernel is roughly 27 million lines - The cilly backend passes 95.59% of Rust core tests (1,712 pass, 71 fail, 8 crash). std is about 80%
- cilly generates “witness” programs that probe what a given C compiler supports, then tailors output accordingly. It communicates with compilers over TCP, so Kostrubiec compiled Rust for x86 Plan 9 while running rustc on ARM64 Linux
- Prior art mrustc (hand-written C++ reimplementation) bootstraps up to Rust 1.90.0. crustc targets 1.98.0-nightly and could theoretically stay current with each release
- Caveat: cilly is not yet public (university thesis + hand injury). crustc still requires LLVM libraries at build time
Why builders care: The practical unlock is Rust on targets where only a C compiler exists: embedded systems, obscure architectures, Plan 9. For bootstrappable-builds advocates, auto-translating the real compiler beats hand-maintaining a reimplementation that always lags behind.
TWO DEVS, ZERO VC, ONE MILLION VIDEOS
📺 PeerTube surges to 546 HN points as YouTube’s AI moderation purge drives creators to the fediverse

The story: PeerTube, a decentralized, federated video platform built on ActivityPub, hit 546 HN points and 249 comments. It’s built by Framasoft, a French nonprofit where 94% of income comes from donations. Two full-time developers. No VC. No ads. One million videos across 1,600 federated instances.
The details:
- YouTube’s AI moderation crackdown in late 2025 terminated roughly 16 channels with 35 million subscribers collectively, triggering renewed creator interest in alternatives
- An ACM SIGCOMM study found 70% of instances sit in three countries (Germany, USA, France) and 92% of videos have zero redundancy despite built-in P2P support
- Self-hosting minimum: 2 CPU cores, 2GB RAM, a few euros per month. Version 8.2.2 shipped July 2, with 16,976 commits and 163 releases
- Framasoft raised EUR 55,000+ in a 2025 crowdfunding for mobile app improvements. Zero built-in monetization by design
Why builders care: That no-redundancy finding points to a real product gap: managed CDN or redundancy layers for PeerTube instances could be a genuine B2B play. PeerTube deliberately avoids built-in payments, so creator tipping or subscription middleware on top is an open market Framasoft won’t compete in.
TRENDING TODAY
🔒 Privacy backlash wave - Three privacy stories hit HN’s front page in 24 hours. Beyond Virginia’s geolocation ban (above), Scott Aaronson hosted a guest post by differential privacy inventor Cynthia Dwork arguing the Census Bureau just banned all modern privacy techniques (211 points). The EFF filed a letter opposing X Corp’s petition to void its $150M FTC consent decree, citing Grok’s 2024 rollout trained on user data without consent (117 points).
🤖 AGI skepticism from inside the house - An Nvidia AI research leader publicly said he doesn’t believe in AGI and compared OpenAI to the South Sea Bubble. Top post in r/LocalLLaMA. Separately, independent benchmarks showed Claude Fable 5 debugging scores dropped 70% after its relaunch (86.2 to 25.9 on BridgeBench). Cause: an overly aggressive safety classifier rerouting coding requests to a weaker fallback model.
💻 Local AI infra levels up - A llama.cpp PR cuts DeepSeek V4 Flash’s CPU compute buffer from 168GB to 5.8GB with a fused operation, making local 1M-token context tractable on an RTX 5090. Meanwhile, Simon Willison shipped llm-coding-agent 0.1a0, an open-source Claude Code-style agent with six core tools, built on his LLM library.
DRAMA
CTRL+C, CTRL+V, CTRL+USERS
🔥 My app got cloned on the App Store and the copycat scraped my users too
A solo founder behind loggd.life (habits, goals, Pomodoro, gamification) found their entire app cloned on the App Store. The copycat didn’t just replicate features. They scraped the public user profiles and populated the clone with them, making it look established on launch.
Why builders care: Vibe-coding tools make functional clones trivially fast to build, and Apple’s review process clearly didn’t catch it. If your app exposes any public user data, you’ve handed a clone builder their social proof.
STACK OF THE DAY
Open-source CLI tool that detects when Claude Code is idle and fills the downtime with bite-sized engineering concepts (KV cache, the GIL, MVCC) and AI news summaries. Runs in a tmux pane, disappears when Claude needs your input. Zero external Python dependencies, no API keys. Free, runs locally.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
📝 How to ask for help from people who don’t know you - Practical framework for cold outreach that doesn’t read like a form letter. 433 HN points.
🐘 Postgres transactions are a distributed systems superpower - DBOS makes the case for co-locating workflow state with your data instead of adding a separate orchestrator. 131 HN points, 59 comments.
🎥 claude-real-video: any LLM can watch a video - Open-source tool that feeds video frames to any LLM for real-time analysis. 94 HN points.
Ship to one country, QA it from another. Geo-fenced Stripe checkouts, region-gated APIs, feature flags that only fire in EU. NordVPN's 6,400+ exit nodes across 110+ countries let you test a US-only paywall from EU or hit a EU-only checkout from SF. Bonus: free Meshnet for SSH across your devices.
We get a cut if you sign up. Only added for tools we use ourselves.
Curated by AI, built by a human.