throwaway_62022 commented on Dev rejects CVE severity, makes his GitHub repo read-only (bleepingcomputer.com/news...) · Posted by u/rntn
nostrademons · a year ago
There's an interesting point hiding in the article about security being an emergent property of the whole software system.

Many libraries are flagged with CVEs because they can be used as part of the trust boundary of the whole software system, and they have corner cases that allow certain malicious inputs to give outputs that may be surprising and unexpected to the clients of the library. The library developers push back and say "Can you point to one real-world vulnerability where the library is actually used in the way that the CVE says constitutes a vulnerability?", effectively pushing the responsibility back onto the clients of the library.

But that's exactly how real malware usually works. Individual components that are correct in isolation get combined in ways where the developer thinks that one component offers a guarantee that it doesn't really, and so some combination of inputs does something unexpected. An enterprising hacker exploits that to access the unexpected behavior.

There isn't really a good solution here, but it seems like understanding this tradeoff would point research toward topics like proof-carrying code, fuzzing, trust boundaries, capabilities, simplifying your system, and other whole-system approaches to security rather than nitpicking individual libraries for potential security vulnerabilities.

throwaway_62022 · a year ago
Ugh - say I wrote a daemon that runs every 2 hours, exposes no endpoints and has no metrics. But just because I depend on some library that brings in Prometheus, which in turn brings in some http2 library, I am on the hook for fixing this CVE in my code.

Shouldn't it be on the security researcher to prove how this can be exploited if no HTTP endpoints are created?

So much of security scanning is such bullshit.

throwaway_62022 commented on Dev rejects CVE severity, makes his GitHub repo read-only (bleepingcomputer.com/news...) · Posted by u/rntn
ang_cire · a year ago
Frankly, the end of the article, where it says that CNAs don't have the time to verify the vulns being reported for new CVE issuance, is the real problem.

If you're an authoritative entity over a system (CVEs) that can break production systems (and to be clear, NIST recommends blocking builds/deploys that contain high CVEs), then it's also on you to make sure you're not issuing bogus CVEs.

throwaway_62022 · a year ago
Ha ha. The part that isn't being discussed is how it is more profitable for certain commercial interests to have more vulnerabilities, even if they are bogus.

There is something wrong with the security industry and we are all paying the price. At my day job some tool automatically opens security bugs against 15 or so repos we maintain, and now we are on the hook for either arguing that the report is bogus or fixing the vulnerability. Just the PR and Jira dance one has to do is exhausting.

throwaway_62022 commented on GPT-4o (openai.com/index/hello-gp...) · Posted by u/Lealen
coldtea · a year ago
Perhaps everybody is right, and what is amazing is not what matters, and what matters is hardly amazing...
throwaway_62022 · a year ago
As Jon Stewart says in https://www.youtube.com/watch?v=20TAkcy3aBY - "How about I hold the fort on making peanut butter sandwiches, because that is something I can do. How about we let AI solve this world climate problem."

Yet to see a true "killer" feature of AI that isn't doing badly a job which humans can already do badly.

throwaway_62022 commented on Ruby might be faster than you think (johnhawthorn.com/2024/rub...) · Posted by u/todsacerdoti
throwaway_62022 · a year ago
> The Ruby implementation has a subtle mistake which causes significantly more work than it needs to.

To be fair, I do not think that is a "mistake" as such. I have written Ruby professionally for 6 years or so and have committed to several Ruby open source projects, and I haven't seen an innocuous `nil` sitting at the end of a loop to prevent array allocation.

The argument would be fair if it wasn't idiomatic Ruby.

More like - knowing the internals of a language will allow one to gain more performance out of it. That has been true for almost every programming language, but generally speaking the goal of a VM-based language is to not require that _specialized_ knowledge.

throwaway_62022 commented on RedHat employee bans Hyprland creator from FDO (blog.vaxry.net/articles/2...) · Posted by u/Zephyo_
ChocolateGod · a year ago
Can you give a source that backs up your claim that the banned person here has shared any kind of hate?
throwaway_62022 · a year ago
So, whatever is posted publicly on "polite" forums about what was going on in the Hyprland discord is the tip of the iceberg. See for yourself - https://imgur.com/a/6Po3Paq

Changing someone's pronouns without their permission seems like the least of their offenses.

The Hyprland discord appears to be a cesspool, and one fomented by Vaxry himself, trans hate or otherwise. Now some people are saying they have improved (and others are saying they have not). But reading his blog posts and seeing the current status, I am not optimistic. I mean, you can't make this stuff up. Why use an open-source discord community for sharing porn? (which likely has minors).

throwaway_62022 commented on RedHat employee bans Hyprland creator from FDO (blog.vaxry.net/articles/2...) · Posted by u/Zephyo_
pests · a year ago
[flagged]
throwaway_62022 · a year ago
So, whatever is posted publicly on "polite" forums about what was going on in the Hyprland discord is the tip of the iceberg. See for yourself - https://imgur.com/a/6Po3Paq

The Hyprland discord appears to be a cesspool, and one fomented by Vaxry himself, trans hate or otherwise. Now some people are saying they have improved (and others are saying they have not). But reading his blog posts and seeing the current status, I am not optimistic. I mean, you can't make this stuff up. Why use an open-source discord community for sharing porn? (which likely has minors).

throwaway_62022 commented on Why are there suddenly so many car washes? (bloomberg.com/news/featur...) · Posted by u/philip1209
tacomonstrous · a year ago
Yes, I remember when I first moved to New England, and asked where I could get a hand carwash. No one had heard of such a thing.
throwaway_62022 · a year ago
I can find them in Georgia (few and far between) and they are super useful, if I must say - if not for folks from across the border, hand car washes would entirely disappear from the US.
throwaway_62022 commented on A case for dynamic scoring of high-skilled immigration (slowboring.com/p/a-seriou...) · Posted by u/btilly
seanmcdirmid · 2 years ago
It really isn’t hard to move those tech jobs abroad and then have Americans go to India or China instead on working visas (eg a Chinese Z visa I had for 9 years). The USA is maintaining some kind of balance with their H1 program: enough to encourage keeping those jobs in the USA, but not enough to be a free-for-all for immigration. It isn’t doing really well at that, but an overly punitive H1B program will simply cause those jobs to switch to other countries.
throwaway_62022 · 2 years ago
Yep. Since OP mentions working as an IT consultant, I can easily see how that field is dominated by IT shops that merely checkbox one or more of the H1B criteria. I can see how his/her perspective is colored.

But if you make the visa program too punitive, then folks will simply choose not to come. A person in their 30s-40s wants stability so they can raise their kids, have a place to call home and not be on a perpetual cycle of anxiety.

In my mind, this will disincentivize the folks who have the most to contribute to the US economy. I don't know much about China, but for folks who are really good, salaries in India are already pretty high and closer to US salaries, and they will have fewer reasons to immigrate.

throwaway_62022 commented on Keep Linux Open and Free–We Can’t Afford Not To (oracle.com/news/announcem...) · Posted by u/geerlingguy
itsokimbatman · 2 years ago
I will say that Oracle does contribute to gcc, gdb, and other parts of the GNU toolchain. I interviewed a few years ago with the team that does it. I don’t know how large the contributions are, but they seem super passionate about what they do and believe strongly in giving back.
throwaway_62022 · 2 years ago
I tried to find some Oracle contributions to gcc and I could find none. See the gtk contributors - https://puri.sm/posts/proud-to-be-top-contributor-to-gtk4/ - and, being a RHEL clone, they actually ship this stuff by default.

They might have an occasional commit or two, but clearly they can't stand behind their own promise of developing/supporting an EL distro the way Red Hat does. I also don't see it changing tbh. I don't see troves of open source engineers at Red Hat (or other companies) making a beeline for joining Oracle.

throwaway_62022 commented on Keep Linux Open and Free–We Can’t Afford Not To (oracle.com/news/announcem...) · Posted by u/geerlingguy
chasil · 2 years ago
I do not understand how, as Solaris was open previous to Oracle's acquisition.

Red Hat does not maintain all of the code in RHEL - they repackage and patch everything taken from other developers. Very few packages are authored solely by them.

I don't know what relationship Oracle has with the current owner of the UNIX System V source (appears to be The Open Group), but Oracle is responsible for vastly more of the kernel and userspace in Solaris than RHEL.

throwaway_62022 · 2 years ago
> Red Hat does not maintain all of the code in RHEL - they repackage and patch everything taken from other developers.

This is false. Red Hat does maintain code that is shipped by default with RHEL. It should be noted, though, that the number of packages that are part of a default RHEL installation is small. Also, the upstream-first policy basically means any proposed patch must first be merged upstream before being backported to RHEL. If that does not make them maintainers, I don't know what will. Being sole author and being maintainer are not the same thing.

u/throwaway_62022 · Karma 116 · Cake day July 6, 2022