fsebugoutzone.org:9999

       Posts by geofft@mastodon.social
 (DIR) Post #ASQMcwt9wJ8JLHih6G by geofft@mastodon.social
       2023-02-07T03:38:22Z
       
       0 likes, 0 repeats
       
       Commit messages, in a newer version of the project than the one you&#39;re trying to track down memory corruption in, with threatening auras:&quot;Make the tests run cleanly under UndefinedBehaviorSanitizer&quot;
       
 (DIR) Post #ASQMcxUNhuuJCj8Q7M by geofft@mastodon.social
       2023-02-07T03:41:46Z
       
       1 likes, 0 repeats
       
       From one of the files modified in that commit:/** * Yes, we have to truncate. * * The on-disk format for Index entries clearly defines * the time and size fields to be 4 bytes each -- so even if * we store these values with 8 bytes on-memory, they must * be truncated to 4 bytes before writing to disk. * * In 2038 I will be either too dead or too rich to care about this */
       
 (DIR) Post #ATzSQKDNvO0VZKIVxg by geofft@mastodon.social
       2023-03-24T20:37:07Z
       
       0 likes, 1 repeats
       
       OpenSSL 1.x reaches end-of-life in under six months. If you do these sorts of things in your organization and you haven&#39;t yet gotten things building with OpenSSL 3, now is an excellent time to start! https://www.openssl.org/policies/releasestrat.html
       
 (DIR) Post #AXl7Mmyw7LUXrLpv7I by geofft@mastodon.social
       2023-07-16T16:43:51Z
       
       0 likes, 0 repeats
       
       @SteveBellovin @marcelias @20002ist Is casting a non-provisional ballot and having it not counted actually a thing that happens? I feel like way more cases are people being told they can&#39;t vote or being pressured out of voting.
       
 (DIR) Post #AiBzCMcBjRulUlTWtc by geofft@mastodon.social
       2024-05-23T12:56:09Z
       
       0 likes, 0 repeats
       
       @dalias @marcan @theartlav But there is no such rule! Plenty of projects that are _not_ security clowncars recommend curl|bash for thoughtful reasons. Plenty of projects that are security clowncars ship source tarballs with unreproducible ./configure scripts.There is a _perception_ that it&#39;s bad, yes. I think a respected project using curl|bash is just as likely to to rehabilitate curl|bash and fix that perception, especially if (as here, as Sandstorm did, etc.) they write about why it&#39;s okay.
       
 (DIR) Post #AiBzCOGHbra4bPF41w by geofft@mastodon.social
       2024-05-23T13:02:13Z
       
       0 likes, 0 repeats
       
       @dalias @marcan @theartlav One argument in favor of curl|bash: all realistic alternatives - third-party rpm/deb/etc., pip install, building from source, etc. - are just as capable of running arbitrary code but they _look_ less dangerous. curl|bash is honest about its risk and makes people think whether they trust the source.If a project can use a sandboxed app store or run on a web page, that&#39;s meaningfully better, but almost no project considering curl|bash can do that.
       
 (DIR) Post #AiC07ajduE2LnKFa6K by geofft@mastodon.social
       2024-05-23T13:31:09Z
       
       0 likes, 0 repeats
       
       @dalias @marcan @theartlav Do any users who are not aware of the risks of curl|bash run ./configure in a build sandbox?Also what build sandbox do you use? I would like to try to escape it. :)