Deliberately not calling API functions that you're supposed to.
To gain speed at application exit.
I'm just dumbfounded by this. What the actual frick?
This all is fine and dandy if your library is guaranteed to link to libc malloc that gets released at app exit. But this is assuming quite a bit about how shared libraries work. Not every platform has linkage like this in both ways. Ours doesn't and as a result XZ utilities leak memory on every invocation. It would be fine if the API would be used correctly, but the XZ utilities themselves opt out from calling the lzma_end() function "to be faster" at application exit. You'd think the authors would realize that this is not very speed critical, esp since you've just spent millions cycles more compressing or decompressing.
#dailywtf #development #programming
@[email protected] I had the following enabled for me:
I had specifically disabled "Item-level purchase data" before, and I'm fairly confident I did not explicitly enable those other two.
@[email protected] I sure did. I also renamed the variable to a name that makes its existence obvious to anyone reading the code.
The code originally made a copy of a struct before modifying the copy. The original was then used afterwards. I entirely missed the later use and that it was critical that the original struct was used as is. So I passed a subtly modified struct to the later processing, which, in combination with a second bug I had introduced some time earlier, caused all kinds of havoc.
There was another bug I also introduced, which funnily had similar effects. This bug was added months ago, and it affected only older OS versions. I typically only run the bleeding version during development (but I had tested the change with older versions, too). Unfortunately, this issue was random as it depended on stack contents to get triggered, and thus went unnoticed until the additional scrutiny introduced this intense debugging session.
The combination of these factors made this highly frustrating thing to debug, as any kind of A-B testing fails when you have multiple or random issues.
#bugstories
The feeling when you notice a bug in your binutils port that has been generating semi-randomly broken branch relaxation trampolines for decades.
#programming #coding #oops
@[email protected] Ooof. I wonder if it's available in some states though, for example California? They have https://oag.ca.gov/privacy/ccpa
If you're a #facebook user, you can object to your information being used for #aItraining: https://www.facebook.com/help/contact/6359191084165019
As part of the process, they demand you to explain how the process impacts you. Of course, this is just another step to stop you from exercising your right to object. You can enter "I refuse to explain my reasons" or similar, and it will be equally valid as an actual explanation.
#privacy #enshittification
This here is the prime example of why we must stay vigilant about the collection and dissemination of personal information.
Also, while this article only mentions "algorithm", it's not difficult to predict that AI models are or will be used for this kind of task.
AI advocates often claim that any plans to regulate AI are just a hindrance to progress. I will take regulation if it will stop this kind of madness.
@[email protected] Sure, those methods might work for now. But if Microsoft follows their reasoning ("We’re removing X from the build to enhance security and user experience of Windows 11. This change ensures that all users exit setup with internet connectivity and a Microsoft Account.") they will remove these methods eventually as well.
@infinity Yeah, it does for now. I fully expect Microsoft to remove that registry key or the associated functionality next.
After all not doing so would mean that users could accidentally setup the system "without working internet connectivity and a Microsoft Account".
That would be terrible for security and user experience *cough* business.
@jerry It largely depends on how well the initial impact is cleaned up. I'm hoping we won't see a ton of backdoors in various components next.
The httpget 0.2 doesn't quite work in the form it was uploaded.
First it uses hardcoded argv, argc instead of getting from the app invocation (as args in main, the code uses void main).
Second obtaining any data from the socket will result in the app stopping and leaving behind an empty file (if (nread) break;).
This program could never download anything. It is likely some work in progress or modified test version of httpget. Since it includes some windows specific headers and has disabled the unix ones I can only presume it was some earlier attempt to get the tool running on windows.
So while the code has a local stack buffer overflow it can't be triggered for this early version.
If this trend continues, we will be losing the ability to use secure means of communication with UK friends and colleagues. For example, #signalapp will rather get out of the UK than add backdoors: https://www.bbc.com/news/technology-64584001
Here's the more constructive part of the (I still think warranted - but likely a bit tone deaf) rant: https://github.com/tukaani-project/xz/pull/181