I remember Hans from his work to integrate the Video4Linux libraries into FreeBSD. He was a very gentle person I enjoyed working with. I will miss him.
A: CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).

During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.

Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used, and therefore there was no crash or ability to cause remote code execution.

Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.

However, as OpenSSL is distributed as source code, we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack, and therefore remote code execution may still be possible on some platforms.

Our security policy states that a vulnerability might be described as CRITICAL if “remote code execution is considered likely in common situations”. We no longer felt that this rating applied to CVE-2022-3602, and therefore it was downgraded on 1st November 2022, before being released, to HIGH.
Same here. Microsoft Defender is a real productivity killer. Cached C++ compilation now takes nearly twice as much time if the cache is hot.
And git operations or shell prompts take forever in large repos like LLVM.
Some years ago I tried submitting some fixes for MacPorts. It usually took a long time before they were picked up.
When I did the same for some Homebrew formulae I got a response a few hours later.
For me Homebrew has a much more responsive community and, due to their use of GitHub, also a lower bar for contributions. Both might add to Homebrew's popularity.
MacPorts uses GitHub too now. We maintain many more ports than Homebrew, and few of our committers have time to regularly go through the PR queue, so our community seems inactive. But actually, we just need more hands on PR management.
One important distinction is that most active ports in MacPorts have specific maintainers, and we usually put off merging PRs until the port maintainer approves. With more than 20,000 ports, it's hard for the committers to test every change thoroughly, so we rely on our port maintainers to resolve issues and review complex PRs whenever possible.
In Homebrew, any maintainer can review and merge a PR instantly; combined with fewer ports to maintain, the average time to merge would be much shorter.
Our internal mono-repo with about 11000 C++ compilation units took about the same time with clang-11 compared to clang-10.
I used the Ubuntu 20.04 packages from apt.llvm.org for testing.