bannable's comments

What do you mean by "package managers not taking source from the right place"?


I assume they are advocating for package managers to preferably grab signed git tags from repositories rather than download tarballs.

The backdoor relied on the source in the tarballs being different from the git tag, adding additional script code. This is common for projects that use GNU autotools as their build system; maintainers traditionally run autoconf so that users don't have to and ship the results in the tarballs.

I agree that this should be discouraged, and that distros should, when possible, at least verify that tarball contents are reproducible / match git tags when importing new versions.
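The check proposed in the comment above, as an added example that is not part of the thread: compare a published release tarball against an archive of the signed tag and flag anything that is not an expected generated autotools output. It assumes the reference tarball comes from `git archive <tag>` after `git verify-tag <tag>` succeeded; both tarballs here are constructed in memory, and the list of expected generated files is an assumption to tune per project.

```python
import hashlib
import io
import tarfile

# Generated outputs an autotools release tarball legitimately carries beyond
# what is committed to git (assumption: adjust this list per project).
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in",
                      "config.guess", "config.sub", "install-sh", "ltmain.sh"}

def _digests(tar_bytes: bytes) -> dict:
    """Map each regular file (leading 'proj-x.y/' component dropped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            if m.isfile():
                path = m.name.partition("/")[2] or m.name
                out[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare_tarballs(reference: bytes, release: bytes) -> dict:
    """reference = `git archive <tag>` of a tag that passed `git verify-tag`;
    release = the published tarball. Modified files, and added files that are
    not known generated outputs, are flagged for human review."""
    ref, rel = _digests(reference), _digests(release)
    added = sorted(set(rel) - set(ref))
    modified = sorted(p for p in ref.keys() & rel.keys() if ref[p] != rel[p])
    suspicious = modified + [p for p in added
                             if p.rsplit("/", 1)[-1] not in EXPECTED_GENERATED]
    return {"added": added, "removed": sorted(set(ref) - set(rel)),
            "modified": modified, "suspicious": sorted(suspicious)}

def _build_tar(files: dict) -> bytes:
    """Build a gzip tarball from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_tarballs() -> tuple:
    """Constructed sample: a tag archive, and a release tarball that ships the
    expected generated `configure` plus an m4 macro altered after tagging."""
    tag = {"proj-1.0/configure.ac": b"AC_INIT([proj], [1.0])\n",
           "proj-1.0/m4/helper.m4": b"AC_DEFUN([PROJ_HELPER], [])\n",
           "proj-1.0/src/main.c": b"int main(void) { return 0; }\n"}
    release = dict(tag)
    release["proj-1.0/configure"] = b"#! /bin/sh\n# generated by autoconf\n"
    release["proj-1.0/m4/helper.m4"] = b"AC_DEFUN([PROJ_HELPER], [extra code])\n"
    return _build_tar(tag), _build_tar(release)
```

Running `compare_tarballs(*sample_tarballs())` accepts the generated `configure` but reports `m4/helper.m4` as suspicious, since a file present in git must never differ from its tagged content.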


I think saying that the backdoor relied on it is too strong. The changes were obfuscated enough that it's unlikely anyone would have noticed if they were pushed to git, not doing that is just an additional layer of safety.


Correct. The onus should now be on the package delivery to provide transparent packages maybe? Maybe add the extra step of pulling instead of trusting the push from maintainers? It's just an extra step that might get more eyes. All said, even in hindsight I wouldn't have called this one out.


Did you reply to the wrong comment? This doesn't answer anything about the average the OP asked about.


Tesla workers in Sweden are paid less than the average in the same industry in Sweden. No retirement funds. No injury insurance.

Sweden does not operate like that.


Again, he was talking about the injury rate -- not average salary or compensation.


Rijndael was selected over Serpent for performance reasons.


I remember them saying that in a follow-on email on one of the mailing list servers. That was not their original statement but I can't remember exactly what they said. I just remember it was quite smarmy and did not sit well with me coming from such an organization. Regardless, Serpent won the challenge by their criteria but then they moved the goal posts after the fact.

Both Rijndael and Serpent could have equally become more performant in the AES-NI CPU instruction sets and I am also not ok with how that evolved either. Cipher fixation is a security vulnerability. AES-NI CPU instructions should have included a few ciphers for performance. Probably Rijndael, Serpent and Twofish. There are folks in the cryptography community that are very much against using more than one cipher and that makes it clear to me they have been compromised or manipulated by something.


Please cite for me the most credible cryptographic researcher you can find who advocates cascades of ciphers. I'm not certain, but if I had to bet, I'd bet that you can't even find one.

You can believe whatever you want to believe, but the threshold you've just claimed to have for believing someone is compromised suggests that essentially every academic cryptographic researcher in the world is compromised.


This is what I know; wish I knew more.

AES won due to software performance.

https://www.moserware.com/2009/09/stick-figure-guide-to-adva...


Games at that size are not clocking in because of their models and textures. It's from use of lossless, uncompressed audio files, and shipping multiple language files.

The issue is most common on games that release on consoles, but also for ones that want to support older hardware: the audio formats they use are designed to minimize the amount of decompression necessary for play, and so reduce resource requirements in exchange for storage space.


I've not yet seen a sound sample above a few hundred MB, uncompressed. However, it's quite common to see that a source model, or even a cooked-down version, can absolutely be above 1 GB. Sounds, except soundtracks (mostly), are also reused whereas models are not usually. Couple that with one of your reasons, supporting all possible resolutions (PC games are the big offender here), and I don't see sound being a huge issue. You can also compress sound while in transit; textures will only compress so much. WAVs/PCM compress quite well.


Case law, not truth. Judges do not decide fact.


> Judges do not decide fact.

Trial court judges in jury trials do not (in principle) decide fact questions (though even that is misleading, since they can decide “as a matter of law” that offered evidence is insufficient for a particular fact conclusion even over the jury’s determination of fact, except in the case where that would be unfavorable to the defense in a criminal trial.)

Judges in bench trials, and appellate judges in many cases, do, in fact, decide matters of fact, though in the latter case the usual rules are generally, but not infinitely, deferential to trial court decisions.


Boomerang attacks on SHA-0 have a complexity on the order of 2^33.


The boomerang (against block ciphers) was coined in 1999. It was used against SHA-0 in 2008?

Apparently the NSA warned against SHA-0 in 1995.

So do we now know what they perceived the weakness to be? Or are we still guessing?


Climate models as far back as the 1970s have predicted the temperature changes in the time from then to now -- those are not predictions that are coming from hindsight, but rather predictions where their effects were observed over the last 50 years.

If you are unfamiliar with climate sensitivity, this is a good place to start: https://skepticalscience.com/climate-sensitivity.htm


The current consensus on the impact of climate is NOT "something that might not happen".

Climate change is happening right now, with effects that are observable as trends across the globe. Even the most optimistic model is predicting widespread catastrophe.


Yes, weather is climate. But that isn't what OP said.


Climate is long term patterns. Weather is what is happening at a specific time. If the distinction wasn't made then someone could argue that a cold winter day disproves warming.


That is not relevant to the wager I proposed, which still stands.


Are you claiming that it is not possible to find a trend in a mean temperature of a great many points across the globe, over a long period of time?

What makes such a measurement an "invalid form"?


It is not possible if there aren't valid temperature measurements available for all points throughout the measured period of time, so that many temperatures are "interpolated", estimated etc.


Except that we do have a massive number of recorded temperatures across a massive number of locations in the last 100 years. Climate models, some dating back to the 1970s, have correctly predicted global temperature changes in the 50 years since based on this data.

The measurements are real, and there is an established history of the models being generally correct (if not in specific details) by now. Climate study is not the new science you seem to think it is.


> Climate models, some dating back to the 1970s, have correctly predicted global temperature changes in the 50 years since based on this data.

Can you point me to one such model? One that actually predicted temperatures correctly back in the 1970s and not after various recent "adaptations" like "corrected" emission data?

> The measurements are real

Yes, measurements are real. Interpolations, resulting "global" temperatures and predictions aren't.

