ChatGPT ads and conversion tracking & Governments self-hosting open source forges - Hacker News (Apr 29, 2026)

Someone just mapped how ads can show up inside ChatGPT responses—and how clicks can be tied back to purchases on merchant sites. Welcome to The Automated Daily, hacker news edition. The podcast created by generative AI. I’m TrendTeller, and today is April 29th, 2026. We’ll look at what those ad mechanics imply for privacy, then zoom out to a broader theme: who controls the places where software gets built—governments, maintainers, or a handful of giant platforms.

ChatGPT ads and conversion tracking

First up: a security researcher reports observing how OpenAI’s ads appear inside ChatGPT, and how conversions may be attributed after you click. The key detail is that the ad payload seems to be delivered inline while the model is streaming its response, and clicks can open in an in-app webview. On the merchant side, the researcher saw a tracking flow that can set first-party cookies and send event data back to OpenAI endpoints for measurement. Why it matters: even without proving whether chat history is used, this outlines a full measurement loop—chat context to ad impression to click to downstream activity. For users, it’s a reminder that “inside the chat” can still connect to “across the web.” For sites and regulators, it raises the familiar questions of consent, transparency, and what a reasonable boundary looks like when the interface is a conversation.

Governments self-hosting open source forges

Now to code hosting and digital sovereignty, starting with the Netherlands. The Dutch government has soft-launched code.overheid.nl as a central place to publish and develop open-source software across government. It’s fully self-hosted and runs on Forgejo, positioning it as a practical move away from relying on commercial code-hosting providers. Access is limited during the pilot, and the team is explicitly asking developers to help shape the platform. Why it matters: government software isn’t just code, it’s infrastructure and accountability. A self-hosted forge can improve control over policy, security posture, and long-term availability—especially when public bodies need to collaborate without being at the mercy of external platform changes.

Open-source projects leaving GitHub

That theme—dependence on a single platform—keeps coming up, because a prominent maintainer is walking away from GitHub. Mitchell Hashimoto, maintainer of the Ghostty terminal emulator, says the project will leave GitHub after nearly two decades of him using it daily. He describes the decision as personally painful, but says reliability has degraded to the point that outages routinely block the work Ghostty depends on: pull request review, issues, and CI through GitHub Actions. He emphasized this isn’t about Git itself—it’s about the collaboration layer around it. The plan is to migrate incrementally, keep a read-only GitHub mirror, and announce a new primary home after evaluating both commercial and open-source options. Why it matters: GitHub has become a default dependency for open source—not just hosting, but the entire workflow. When that workflow becomes flaky, maintainers pay the price in lost time and delayed releases, and projects start reconsidering what “single point of failure” really means.

Decentralized code hosting with Radicle

A related reflection comes from Armin Ronacher, who looks back at the pre-GitHub era and asks what we lose if we fragment again. His argument is that GitHub didn’t just centralize code—it centralized context: issues, reviews, design debates, and the public record that helps outsiders understand why software is the way it is. He warns that if the ecosystem disperses back into many forges and self-hosted instances, we may regain autonomy but also recreate an older problem: broken links, missing artifacts, and vanished project history. His proposed direction is refreshingly unglamorous: a stable, well-funded public archive for open source that preserves not just repos, but releases and surrounding metadata. Why it matters: software supply chains increasingly rely on provenance and discussion trails. If those trails disappear, trust gets harder—especially for security reviews, compliance, and long-term maintenance.

Rust security audit of uutils

If you want a glimpse of what “post-centralized forge” could look like, HardenedBSD just moved its code hosting to Radicle. The project says Radicle is now usable for them, rough edges included, and they’ve published initial repositories with plans to migrate the rest over time. The headline isn’t the tooling details—it’s the intent: making the project less dependent on one company’s uptime and policies, and more resilient through decentralized distribution. Why it matters: the migration pressure we’re seeing—whether from outages, governance worries, or supply-chain concerns—is pushing projects to experiment. Even imperfect alternatives become attractive when the status quo feels increasingly fragile.

Rip.so memorializes dead internet services

Switching to security: there’s a sharp lesson in a new write-up about Rust, uutils, and what “memory safe” does—and doesn’t—buy you. Rust consultant Matthias Endler reviewed Canonical’s disclosure of 44 security CVEs found in uutils, the Rust reimplementation of GNU coreutils, following an external audit ahead of Ubuntu 26.04 LTS. The takeaway is that many issues weren’t classic memory corruption problems. They were about filesystem reality: race conditions between checking a path and acting on it, permission timing mistakes, mismatches between string comparisons and actual filesystem identity, and subtle behavior differences compared to GNU coreutils that can become dangerous in widely scripted tools. Why it matters: Rust reduces an entire class of vulnerabilities, but security still depends on semantics, OS boundaries, and compatibility expectations. If a tool is “drop-in” for scripts, behavior differences can turn into security problems—even if the code is perfectly well-behaved from a memory standpoint.

Tindie downtime shakes maker marketplace

For something lighter, but still surprisingly meaningful: Rip.so has launched as a “digital graveyard” for dead or hollowed-out internet services. It’s a hand-coded memorial site with epitaph-style entries for platforms and technologies that once dominated—think ICQ, Internet Explorer, Vine, GeoCities, Google Reader, and more. It even leans into early-web community rituals with a guestbook and a webring. Why it matters: digital culture disappears fast, often without durable public records. Projects like this may look nostalgic, but they also function as grassroots archiving—documenting what vanished, when it vanished, and how quickly the internet reinvents itself by forgetting.

Finally, a reliability story from the hardware world: Tindie’s new owners apologized for prolonged downtime and poor communication during an ownership transition. They say the site is now owned by EETree LLC and that the outage came from migrating an older stack with lots of interconnected services. Their stated priority is stabilizing the marketplace and resolving payment, refund, and order issues through support, while promising more updates going forward. The community response has included understandable skepticism, especially around transparency and seller payouts. Why it matters: for independent hardware makers, marketplaces aren’t just storefronts—they’re cash flow. Extended downtime and unclear payouts can push sellers to leave permanently, and trust is hard to rebuild once it’s shaken.

That’s the run for today: ad attribution creeping into chat interfaces, and a growing push—by governments and maintainers alike—to reduce dependence on a single code-hosting center of gravity. If you want to dig deeper, links to all stories are in the episode notes. Thanks for listening—until next time.

ChatGPT ads and conversion tracking & Governments self-hosting open source forges - Hacker News (Apr 29, 2026)

Our Sponsors

Today's Hacker News Topics