HackerTrans
TopNewTrendsCommentsPastAskShowJobs

anderskaseorg

no profile record

comments

anderskaseorg
·16 dni temu·discuss
You have ignored the much larger space and time cost of constructing the range minimum query tree in the first place. Furthermore, nobody would arbitrarily cut off a problem at “billions” and then consider O(√billions) or O(∜billions) to be “effectively O(1)”: a theoretician would complain that O() by definition measures the limiting behavior as the problem size tends to ∞, an engineer would complain that 65536 or 256 is very a important factor in practice, and both types are better served by leaving O(√n) or O(∜n) as-is instead of trying to hand-wave it away.
anderskaseorg
·3 miesiące temu·discuss
The “next level” button takes you to the next level even if you haven’t solved that level’s prerequisites.
anderskaseorg
·3 miesiące temu·discuss
Right, the public was able to spend manual effort hand-auditing one specific tarball after it had already been singled out as suspicious for other reasons. In order for verification to effectively increase supply chain security, it needs to become uniformly standardized, fully automated, and ubiquitous. That’s the ultimate goal of the provenance attestation mechanisms that would be defeated by indirection through private repositories.

If you want to require extra maintainer intervention for releases, there are better mechanisms available for that, such as workflow_dispatch.
anderskaseorg
·3 miesiące temu·discuss
The maintainer can verify the correspondence between source and release, but the public has been deprived of this verifiability.

This matters. Consider the XZ Utils compromise where a malicious maintainer hid the line that triggers compilation of the (otherwise dormant) backdoor payload in a generated file present only in the release tarball: https://www.openwall.com/lists/oss-security/2024/03/29/4. If the public had the ability to audit that the release tarball was correctly built from the version-controlled code, this would have been much more difficult to hide.
anderskaseorg
·4 miesiące temu·discuss
The point of trusted publishing is supposed to be that the public can verifiably audit the exact source from which the published artifacts were generated. Breaking that chain via a private repo is a step backwards.

https://docs.npmjs.com/generating-provenance-statements

https://packaging.python.org/en/latest/specifications/index-...
anderskaseorg
·3 lata temu·discuss
Specific guidance from GNU:

https://www.gnu.org/prep/standards/html_node/_002d_002dhelp....

> The standard --help option should output brief documentation for how to invoke the program, on standard output, then exit successfully.
anderskaseorg
·4 lata temu·discuss
The creator of the original Markdown requested that the standardized version be renamed to avoid using the word “Markdown”.

https://blog.codinghorror.com/standard-markdown-is-now-commo...
anderskaseorg
·7 lat temu·discuss
Totally different kind of cryptography. sec256k1 is an elliptic curve, and 256-bit elliptic curves are generally believed to provide comparable security to 3072-bit RSA or DH or ElGamal. (See https://www.keylength.com for a good compilation of reputable comparisons along these lines.)