  • Wow, Lemmy is feeling quite gullible today.

  • What industry secret are you aware of that most people aren't?
  • Now that's the kind of industry secrets I opened this thread for.

  • Exclusive: Majority Of Voters Want Next Government To Take UK Back Into European Union
  • I would love for the UK to rejoin the EU, but the survey results mentioned in the article don't really support the claim that there is a general desire to do so. A shift from 52% against to 52% in favor of EU membership is really not that significant.

  • Software with political opinions is a security threat
  • A major political agenda of Vim is to support children in Uganda. A message about that is displayed whenever you open Vim's start page. Bram Moolenaar insisted on users donating to the ICCF charity instead of to him, making Vim a very political editor in my view.

  • What a time to be alive
  • This statement is wrong.

  • Beethoven's 9th Symphony
  • The premise is already wrong. No orchestra can play Beethoven's 9th symphony in 40 minutes, this piece is longer than an hour.

  • Election: Poll results for small parties?
  • I would say for whether or not your vote really counts it doesn't matter if the party has 20.5% or 0.5%. Each vote counts the same towards the next seat, which may be the first or the twentieth. So I would encourage everyone to vote small parties (except for the crazy ones).

  • Southern Germany hit by catastrophic flooding
  • Yup, we are experiencing more extreme weather situations. Until 2022 it was unusually dry, now 2023 and 2024 had relatively more rain, sometimes in a very short timespan causing flooding.

  • Do you find anything remarkable?
  • I did not expect BSW to be as far detached from Die Linke.

  • near zero
  • IEEE 754 is the standard to which basically all computer systems implement floating point numbers. It specifically distinguishes between +0 and -0 among other weird quirks.

  • Indiana judge rules tacos, burritos are sandwiches
  • Okay, who will go to court for the cereal soup question next?

  • A cool guide to PIN code safety
  • The fact that every 4-digit pin is in this picture shows quite well how these are pretty easy to crack.

  • Helldivers 2 went from one of the most beloved Steam games to one of the most hated pretty quickly
  • I don't think I've ever seen a game on Steam with "Overwhelmingly Negative" reviews before. Usually "Mixed" is already a good indicator to leave your hands off a game.

  • It has to be a conspiracy of some kind
  • That's wrong: it calculates the surface distance, not the distance through the earth, while claiming otherwise. From the geopy.distance.great_circle documentation:

    Use spherical geometry to calculate the surface distance between points.

    This would be a correct calculation, using the formula for the chord length from here:

    from math import acos, cos, radians, sin

    # Coordinates (latitude, longitude in degrees) for Atlanta, West Georgia
    atlanta_coords = (33.7490, -84.3880)
    # Coordinates for Tbilisi, Georgia
    tbilisi_coords = (41.7151, 44.8271)

    # Convert from degrees to radians
    phi = (radians(atlanta_coords[0]), radians(tbilisi_coords[0]))
    lambd = (radians(atlanta_coords[1]), radians(tbilisi_coords[1]))

    # Spherical law of cosines: central angle between the two points
    central_angle = acos(sin(phi[0]) * sin(phi[1]) + cos(phi[0]) * cos(phi[1]) * cos(lambd[1] - lambd[0]))
    # Chord length on the unit sphere; scale by the radius to get kilometres
    chord_length = 2 * sin(central_angle / 2)

    earth_radius = 6335.439  # km
    print(f"Tunnel length: {chord_length * earth_radius:.3f}km")


    A straight tunnel from Atlanta to Tbilisi would be 9060.898km long.
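The same calculation, generalised into reusable functions that return both the surface distance and the chord, so the two quantities the comment contrasts can be compared directly. This is an added example, not the code from the original comment; it uses the comment's coordinates and its 6335.439 km radius constant so the tunnel length matches (Earth's mean radius of about 6371 km would give a slightly longer figure), and computes the central angle in haversine form rather than with the spherical law of cosines, which is the same angle but numerically stable for very close points.

```python
"""Surface (great-circle) distance vs. straight-line chord through a sphere.

Added example generalising the calculation in the comment above; not code
from the original comment. Coordinates are the ones given there; the radius
constant defaults to the comment's 6335.439 km so the tunnel length matches.
"""
from math import atan2, cos, radians, sin, sqrt

# Inputs taken from the comment: (latitude, longitude) in degrees.
ATLANTA = (33.7490, -84.3880)
TBILISI = (41.7151, 44.8271)
RADIUS_KM = 6335.439  # radius used in the comment; Earth's mean radius is about 6371 km


def central_angle(a, b):
    """Angle (radians) at the sphere's centre between two (lat, lon) points.

    Haversine form: equivalent to the spherical law of cosines but keeps
    precision for nearly coincident points, where acos() of a value near 1
    loses digits.
    """
    phi1, lam1 = map(radians, a)
    phi2, lam2 = map(radians, b)
    h = sin((phi2 - phi1) / 2) ** 2 + cos(phi1) * cos(phi2) * sin((lam2 - lam1) / 2) ** 2
    return 2 * atan2(sqrt(h), sqrt(1 - h))


def surface_distance(a, b, radius=RADIUS_KM):
    """Arc length along the surface: what a great-circle function returns."""
    return radius * central_angle(a, b)


def chord_distance(a, b, radius=RADIUS_KM):
    """Straight line through the sphere: the length of a hypothetical tunnel."""
    return 2 * radius * sin(central_angle(a, b) / 2)


if __name__ == "__main__":
    print(f"Surface distance: {surface_distance(ATLANTA, TBILISI):.3f} km")
    print(f"Tunnel length:    {chord_distance(ATLANTA, TBILISI):.3f} km")
```

The surface distance is always the longer of the two for distinct points, since an arc is longer than its chord; for antipodal points the chord is exactly one diameter while the arc is half a circumference.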

  • *sweating intensifies*
  • Ever since I've understood that it accepts objectively wrong answers as long as it somehow seems as if you gave it some thought, I've made sure to hinder the accuracy of models that try to use my data.

  • What is the strangest song you've heard?
  • György Ligeti: Aventures

    Very experimental, not just with microtonality but making the singers do noises that few composers dared to put into their music.

  • It is truly magic
  • I enjoy this meme. Truly a Lemmy original.

  • Some thoughts on the xz backdoor

    While the exact details of this vulnerability are still being investigated (see here if you want to catch up on the topic), I wanted to share some of the thoughts I had regarding what this incident means for the wider open source ecosystem.

    TL;DR: To summarize, these are the main points I found remarkable in this entire development:

    • A backdoor was snuck relatively openly into an open source project
    • It was done by a somewhat trusted maintainer
    • The target was not even xz itself, but rather sshd through an obscure chain of dependencies
    • Luckily, it was discovered within a few weeks before the backdoored version was widely adopted

    Obviously, there are many examples of security vulnerabilities occurring in open source software. But these are usually due to oversights or mistakes of most likely well-meaning developers that end up enabling the possibility for critical exploits. In the case of the xz backdoor however, it was obviously constructed with malicious intent and high effort towards a precise target. Does anybody know of another vulnerability ending up in a high-profile open source project that is similar in that sense?

    This was only possible because the malicious actor under the pseudonym Jia Tan had direct write access to the xz repository as a maintainer. I don't think it is too unreasonable that with enough time and effort, anyone can get maintenance access to openly developed projects like xz. That is part of the beauty of the democratic process in open source. But what this incident shows is that for projects that are as widely used as xz, even changes coming from seemingly trusted maintainers should be properly reviewed. I don't mean to say that the original maintainer Lasse Collin has any fault in this matter, or that he should have prevented it; this is too much of a burden to expect from a single person. Instead I think the large tech corporations should put more resources into vetting these kinds of open source projects that much of their infrastructure so heavily relies on (in fact, this backdoor seems to mainly target servers).

    Even just looking at the source code, the backdoor was very cleverly hidden in testing binaries for the compression algorithm. These things are always easy to say in hindsight, but I do believe that a closer review of the build system shenanigans used to install the backdoor would have at least raised some questions. There was just too much luck involved in the discovery of the backdoor with someone noticing ssh access taking 0.5 seconds longer than usual.

    This isn't really news, but this incident again shows that just like a chain is only as strong as its weakest link, a program is only as strong as its weakest dependency. The fact that the backdoor just hooks into the dynamic library loading process and completely hijacks authorization functions of ssh from inside xz is pretty scary. Maybe this will encourage developers to be more careful and sparing with adding dependencies. However to be honest, up until recently I would have pretty blindly trusted xz to be a very safe dependency due to its popularity and relatively simple use-case.

    By opening a backdoor into ssh servers, this is a very critical issue, and there was clearly a lot of time and effort put into making it seem innocuous and hard to detect. I'm very glad that it got found and patched by the time it did, but it does leave me wondering what else is out there. It would be illusionary to think that such attack vectors always get found out eventually.
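The post says the backdoor reached sshd "through an obscure chain of dependencies" and that a program is only as strong as its weakest dependency. As an added example (not code from the original post), the script below makes that chain visible from the defender's side: it builds the transitive shared-library graph of a binary and reports the shortest path from the binary to any library of interest, so a reviewer can see not just that a daemon loads a given library but which intermediate dependency pulls it in. On a live Linux system it uses ldd and readelf; the sample graph and sample tool outputs embedded in it are constructed for illustration, and the intermediate library names in them (libsystemd, libzstd, libcrypto) are assumptions, not taken from the post.

```python
"""Trace how a binary reaches a shared library through its dependency chain.

Added example for the point that a program is only as strong as its weakest
dependency; this is not code from the original post. The sample graph and the
sample tool outputs below are constructed for illustration, not captured from
a real system, and the intermediate library names in them are assumptions.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import sys
from collections import deque

# NEEDED entries as printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
# Resolved libraries as printed by `ldd <file>` (soname => /path).
LDD_RE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)", re.MULTILINE)


def parse_needed(readelf_output: str) -> list[str]:
    """Return the direct DT_NEEDED sonames from `readelf -d` text."""
    return NEEDED_RE.findall(readelf_output)


def parse_ldd(ldd_output: str) -> dict[str, str]:
    """Map soname -> resolved path from `ldd` text.

    The vdso and the dynamic loader have no '=>' path and are skipped, as are
    'not found' entries."""
    return dict(LDD_RE.findall(ldd_output))


def find_chain(graph: dict[str, list[str]], root: str, target: str) -> list[str] | None:
    """Shortest chain root -> ... -> target by breadth-first search, or None.

    `graph` maps a binary or library name to the libraries it directly needs."""
    parents: dict[str, str | None] = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            chain: list[str] = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for dep in graph.get(node, []):
            if dep not in parents:
                parents[dep] = node
                queue.append(dep)
    return None


def build_graph(binary: str) -> dict[str, list[str]]:
    """Direct-dependency graph of a real binary via ldd + readelf; {} if the tools are missing."""
    if not (shutil.which("ldd") and shutil.which("readelf")):
        return {}

    def readelf(path: str) -> str:
        return subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout

    ldd_out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    graph = {binary: parse_needed(readelf(binary))}
    for soname, path in parse_ldd(ldd_out).items():
        graph[soname] = parse_needed(readelf(path))
    return graph


# Constructed sample graph (assumption, not a captured system): the daemon
# never names liblzma directly; it arrives through an intermediate library.
SAMPLE_GRAPH = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}

# Constructed `readelf -d` excerpt for the intermediate library (addresses are placeholders).
SAMPLE_READELF = """\
Dynamic section at offset 0x1f2d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libsystemd.so.0]
"""

# Constructed `ldd` excerpt (addresses are placeholders).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffc00000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)
"""

if __name__ == "__main__":
    # With a path argument, inspect a real binary; otherwise walk the constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else "sshd"
    graph = build_graph(root) if len(sys.argv) > 1 else SAMPLE_GRAPH
    chain = find_chain(graph, root, "liblzma.so.5")
    print(" -> ".join(chain) if chain else f"{root} does not reach liblzma.so.5")
```

Running it with a path (for example `python3 depchain.py /usr/sbin/sshd`, where the filename is an assumption) prints the chain on a real system; the BFS over the resolved graph is what turns ldd's flat list of libraries into the "who pulled this in" answer a dependency review needs.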

    Gobbel2000 @programming.dev

    Same person as @Gobbel2000@feddit.de, different instance.

    Posts 1
    Comments 30