I loathe tiktok but if someone had banned Reddit while I was still using it I would have been hella mad. On the other hand it would have been “How will I manage without unhinged shitposts mixed with ads” from the outside

In the USA that’s a complicated topic. If you look at how it played out in England and France, yes. Slave owners were compensated for their “losses” after heated debates in parliaments

The problem being that there is always a pretty significant portion of the people that aren’t “normal” and it’s usually not their fault

Even if he didn’t use contacts just experience, education and soft skills are worth a lot

That’s the same argument people made when we abolished slavery. “But if you do that property as a concept will vanish”. No. No it won’t.

It’s fine to prefer renting, it does have benefits. But it should be a choice.

But it’s work that only exists because the landlord decided to extort money from their tenants. No one said the life of a parasite is always easy.

One good thing about zstd is that the main developer is full-time employed to work on it. Alas he’s employed by meta to do that… But it’s likely harder to social engineer your way into that project

Apparently it differs between distributions

Sleeping in your car in public is not allowed in Germany either

No. I won’t not do that. For security reasons.

Yeah they messed up once. It’s still miles better than just not having someone looking at the included stuff

Debian actually started to collect and maintain packages of the most important rust crates. You can use that as a source for cargo

Huh thanks for the link. I knew that just dd’ing doesn’t work for windows Isos but I didn’t know that it was the Linux distros doing the weird shenanigans this time around

I have to admit I have no practical experience as a package maintainer, but this case sounds like there is a diff between files checked into the repo and the ones provided by the tarball.

If the tarball contains new files that contain executable code that’s still weird tbh, but I guess you have to trust the upstream maintainers to some degree. But a diff in a checked in file seems different to me.

The original email talks about a line that is in the release tar balls but not the repository itself that actually arms the exploit. This seems like something a maintainer should be able to verify.

Not saying that they should have immediately seen that that is an exploit, the exploit is obfuscated very well. But this should be a big red flag right?

Yeah I don’t think this is a big-ish problem currently. But by having this vulnerability to point to, other CPU vendors have a good reason not to include this feature in their own chips.

There are definitely bullshit cves out there but I don’t think that’s a good general rule. Especially in this context where it’s literally unpatchable at the root of the problem.

So the attack is (very basically, if I understand correctly)

Setup:

• I control at least one process on the machine I am targeting another process on
• I can send data to the target process and the process will decrypt that

Attack:

• I send data that in some intermediate state of decryption will look like a pointer
• This “pointer” contains some information about the secret key I am trying to steal
• The prefetcher does it’s thing loading the data “pointed to” in the cache
• I can observe via a cache side channel what the prefetcher did, giving me this “pointer” containing information about the secret key
• Repeat until I have gathered enough information about the secret key

Is this somewhat correct? Those speculative execution vulnerabilities always make my brain hurt a little

Most pixeled Shit I’ve ever seen