
Okay sure, but what happens when a high CVE is discovered that requires immediate patching – does that get around the Upload Queue? If so, it's possible one could opportunistically co-author the patch and shuttle in a vulnerability, circumventing the Upload Queue.

If you instead decide that the Upload Queue can't be circumvented, now you're increasing the duration a patch for a CVE is visible. Even if the CVE disclosure is not made public, the patch sitting in the Upload Queue makes it far more discoverable.

Best as I can tell, neither one of these fairly obvious issues are covered in this blog post, but they clearly need to be addressed for Upload Queues to be a good alternative.

--

Separately, at least with NPM, you can define a cooldown in your global .npmrc, so the argument that cooldowns need to be implemented per project is, for at least one (very) common package manager, patently untrue.

  # Wait 7 days before installing
  > npm config set min-release-age 7
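To make concrete what a registry-side cooldown like the min-release-age setting above actually decides, here is an added example (not from the thread, and not npm's own code) that applies an N-day publish-age rule to the per-version timestamps the npm registry exposes in a package's `time` object; the metadata below is constructed.

```python
"""Emulate a min-release-age cooldown against npm-registry-style 'time' metadata.

Added example, not from the comment thread or from npm itself. The registry
returns, per package, a `time` map of version -> ISO-8601 publish timestamp
(plus "created"/"modified" keys). A cooldown resolver must ignore any version
that has been public for less than N days, even if it is the newest.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the registry's "time" object.
SAMPLE_TIME = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2025-10-10T12:00:00.000Z",
    "1.2.0": "2025-09-01T00:00:00.000Z",
    "1.2.1": "2025-09-20T00:00:00.000Z",
    "1.3.0": "2025-10-10T12:00:00.000Z",  # freshly published; the risky one
}


def parse_iso(stamp):
    """Parse a registry timestamp ('...Z') into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_semver(version):
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a sortable tuple (prerelease tag ignored)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def eligible_versions(time_map, min_release_age_days, now_iso):
    """Versions published at least `min_release_age_days` before `now_iso`, oldest first."""
    cutoff = parse_iso(now_iso) - timedelta(days=min_release_age_days)
    eligible = []
    for version, stamp in time_map.items():
        if version in ("created", "modified"):  # metadata keys, not versions
            continue
        if parse_iso(stamp) <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=parse_semver)


def pick_version(time_map, min_release_age_days, now_iso):
    """Newest version that has cleared the cooldown, or None if none has."""
    eligible = eligible_versions(time_map, min_release_age_days, now_iso)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    # On 2025-10-12 with a 7-day cooldown, 1.3.0 (published 2025-10-10) is skipped.
    print(pick_version(SAMPLE_TIME, 7, "2025-10-12T00:00:00Z"))
```

Note that a resolver like this only delays exposure to a fresh malicious version; it does not detect one, so it belongs alongside lockfiles and provenance checks rather than in place of them.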


This literal example is actually addressed by the Debian example - the security team has powers to shuttle critical CVEs through but it’s a manual review process.

There’s a bunch of other improvements they call out like automated scanners before distribution and exactly what changed between two distributed versions.

The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing


> The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing

That is indeed an oversight - I wish I had thought of that idea!


No worries. Feel free to popularize it. I’m more worried about supply chain security than credit :).

Also rather than a UUID a hash of the package name is probably sufficient for back compat and avoiding people trying to rotate UUIDs to get sooner / later distribution.

But the whole point of using pypi and npm is because distributions are a thing that only old graybeard boomers use.

> Okay sure, but what happens when a high CVE is discovered that requires immediate patching

I'm pretty sure, once cooldowns are widely implemented, the first priority of attackers will become to convince people to make an exception for their update because "this is really really urgent" etc.


At least it’s a bit harder because you need to finesse the manual review somehow; and it’ll leave a bigger paper trail. It’s not a perfect defence but it’s an improvement.

Would like to check this out when you're ready to share.

I just experienced this same issue with Gemini. I pasted a text message thread into Gemini (Pro, Thinking, Flash – all are affected) and it was misattributing dialogue. It said Alice said x, which Bob had said; it said Bob said y, which Alice had said. This was a two person dialogue and clearly marked with:

  Alice: x
  Bob: y
  Alice: z
  ...

While the analysis was mostly coherent with the exception of said misattributions, I filed away the mental note that this misattribution error happened frequently in these type of exchanges.


It's funny because the author notes a prior attempt to uncover Satoshi's identity and giving up because of an implied lack of technical depth.

I guess this time they were undaunted. Perhaps they received an AI assist and felt validated by AI sycophancy.

Much of the technical evidence cited is weak (e.g. strong knowledge of public-key cryptography, both used C++, etc.). Still, the (somewhat lazy) forensic linguistics is interesting.


The hyphenating patterns are particularly curious, to me.

Some supposed idiosyncrasies ('bugfix', for example) are just standard renderings amongst programmers/tech types; using those as evidence somewhat betrays the author's lack of familiarity with the field/community (as if the C++ and public-key cryptography 'evidence' didn't make that plain enough...).


Suspect it's a typo. 33, not 23, gives ~8.6*10^9.


D'oh, yeah.


This completely ignores that: 1. Russia was the aggressor in Ukraine, 2. Putin has made clear his desire to pursue expansionist goals through military action targeting prior members of the Soviet Union, 3. Putin regularly threatens nuclear war with Ukraine, 4. Russia has shown outward hostility towards Western democracies and sought to manipulate elections with information warfare to reach their goals (most notably, 2016 US Election and Brexit), 5. Russia regularly cuts cables connecting countries, and 6. Though completely unrelated, Putin has a history of assassinating political opponents. That's wolfish behavior if I've ever seen it.


Need to look into how this turned out – I've sent letters to Merkley and Wyden over the years about privacy concerns relating to facial recognition and similarly invasive technologies. We need more regulation in this space.

That said, the TSA is in some respects the lesser concern. Don't get me wrong, the TSA not having free rein with facial and biometric technologies is a good thing. But when companies like Clearview AI (https://www.clearview.ai) sell their facial recognition technologies to local police departments – technologies that were built on illegally obtained data and have a history of substantial racial bias – we have bigger issues. It's opaque, unregulated, invites a wellspring of social injustice, and doesn't pass muster under any ELSI framework.

Government regulating government is important. But we, as a society, need to stop giving private companies like Clearview AI a pass on harmful, exploitative behavior – especially when they're run by founders like Hoan Ton-That who offer post-hoc rationalizations that amount to (and I'm paraphrasing here) 'Well, if we hadn't done it, someone else would have, so why not us?'

We need a bigger bill that enshrines and elevates privacy for the modern world.


I think facial recognition is a good vehicle for those bills. For example, it should be illegal for a business to use facial recognition for decisions about pricing. I think that's a no-brainer. Put that together with other protections for facial recognition and I think it will leave the station.


Thanks for the recommendation – took a look, but I'm not seeing an odoo app that clearly seems to fit the criteria mentioned. Was there a specific odoo app you had in mind?


I once read that some people who are blind from an early age, as they get older, start to click their tongue, but often those around them (parents, siblings, etc.) will discourage them. Thing is, that clicking can actually be used to develop a type of vision that operates similarly to echo location in cetaceans (whales, dolphins, etc.) – it comes about because the child realizes that if they make a sharp sound, they can begin to orient themselves with the reflections of the sound waves. After all, vision is in the brain; the eyes are just the sensors. Point being, if your son starts making clicking sounds with his tongue, you likely won't want to discourage that. And on the flip, teaching him to click may provide a means of developing his vision in an alternative way.

Edit: Here's a Pubmed article on a study where blind and sighted people were trained to echolocate: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8171922/


Learning to understand the world around you via clicking isn't a natural or easy thing to do. I can't do it personally but have looked into it. For me the benefits didn't seem worth the time investment (plus I was older when I looked into it.)

Learning to click to understand what is around you is, IMO, a viable thing to look into for your kid and decide if you want to undertake that training. Daniel Kish is the name of the guy most famous for it and would be a decent place to start looking.

An amusing anecdote and a bit of blind throwing shade a blind: https://youtu.be/u-7w3m7fhl4?t=326


Fellow blind person here, adding my own anecdote. I click and echolocate. I have two different kinds of clicks. A soft click for very immediate surrounding which I can do rapidly if I need to, and a loud click for figuring out large spaces which I don't use very often for relatively obvious reasons. They're quite helpful for me and especially in new unfamiliar spaces it's almost a reflex that happens on its own unless I consciously try to stop it for social reasons. Just to add another datapoint. What works for one might not work for another, so there's a lot of trial and error involved in figuring out what works and what doesn't. This can be very frustrating sometimes but sympathy will go a long way.

Something I wanted to add, maybe this thread in particular isn't the best place for this but in general, I'm very lucky that my parents did not prevent me from doing things that others may have. For example, I climbed trees, rode a bike, and generally tried to do all of the things my sighted peers were doing. Naturally there were accidents, but not preventing me from doing those things, not preventing me from learning my limits, learning my balance and physical control, getting hurt and getting back up, I believe were absolutely vital to making me the person I am today. I imagine as a parent this can be very stressful or worrying, but I honestly do not believe I would be as independent now if I wasn't allowed to do those things back then. So unless it is absolutely certain that this is something that they will not be able to do at all, maybe consider letting them try it. It will absolutely help confidence, self worth and skills for later independence that are very, very, very badly needed and very easily missed. I'm not a parent however, so of course take this with a grain of salt. My experience may be slightly biased here.


What age did you start learning to echolocate and how long did it take?

I alluded to it in my other post, but I fully agree with your sentiment around independence and figuring out your own boundaries. Even if I'm all but guaranteed a bit of pain along the way.


You're lucky! I never got to climb trees until I was in my late 20s because apparently it was something, for some reason, I just couldn't do. Skydiving though was cool! I'm not kidding.


> rode a bike

Wow, any chance you feel like explaining how you did it? Do you have a small amount of vision or are you completely blind?


I guess you can ride a bike blindly on a large empty lot with some assistance from friends to keep you within.


Very interesting. I'll keep that in mind going forward. Seems like it could be a valuable skill!


Blind people could benefit from carrying one or several ultrasonic sensors like those used on cars for parking. They would emit soft bleeps, faster when something is in the way or closer to an obstacle.

Can be built easily with an Arduino

I think that another possibility could be to fill your home or workplace with those devices put on walls or furniture. The idea would be that your table could say to you "look out, I'm here" when you are about to crash into it. Use it first in the areas that were more problematic. The volume of the bleeps should be reduced to a low comfortable whispering level so they don't annoy the user. I wonder why nobody has yet created a kit providing a soundscape for blind people. That product should have a different click sound for each object marked in the soundscape.

Another possibility would be a snapshot soundscape, where a remote control could turn the system on/off only when necessary, providing the blind person with a mental picture by hearing all the blips at the same time and their position with respect to the other blips. Like a cane, but covering much more distance.


Hum, that last idea deserves more time.

I want to propose this system. Imagine that you are in a workplace where blind people often come to work or as clients. There is a soft, low, slow and sparse music that is pleasing to hear as a background for anybody and is always changing.

Now let's imagine that this music is codified and played on a 3D system.

Every time we hear a piano note it means "door here", all bass notes mean "danger/stairs" and a flute means for example "WC". That would be awesome for blind people navigating new places without interrupting other workers asking for directions. Each one of these signals would be played at intervals of one minute or more, never less, so most of the time you have either silence or pleasant sounds that don't bother other people, and the notes played by a particular instrument are changed each time for the same reason.

If we need more information, we could add short chords from popular music to convey additional words. For example a <garage door> could play on piano the four-note sequence "here in my car" from Gary Numan, or iterate over a list of similar parts of very popular songs with the word "car" in them so as not to be too repetitive.

Of course it could also just say "garage door" when a modified white cane approaches, like on elevators, but that could be distracting for non-blind workers.


Systems like that have existed for decades in various versions. The only blind people who use them are people who went blind as an adult - and then often only the investor. People who went blind young have learned to deal with the world and discover technology like that is more annoying than helpful.

Dogs and canes work very well and solve most of the problem. It doesn't really matter if they are walking into a wall, piano or door - they need to know to avoid it. If you want useful sounds, require every traffic light to have beeps when it is safe to cross, loud enough to be heard across the street - because that is a real problem blind people have in navigating. Most of the rest of the world is forgiving of the types of mistakes blind people make and so they don't really need help.

The other way you can help the blind is just be willing to give directions from the sidewalk in front of a building to the front door.


Instead of the sound clues triggering every minute, they may trigger on arrival of a person wearing an RFID tag or carrying a phone.


Unless there are a lot of blind workers in the room, much better, yep.

Blind people at least should have a way to be able to evacuate a building with sound clues instead of the traditional lights that turn on if there is a fire and are useless for them. The emergency lights are mandatory by law, but including emergency blips could also be useful for everybody in some areas where a lot of blind people are expected (or live).

Blind people should be given the opportunity to evacuate a building or a school just by their own means, even if they are alone or left behind in an emergency. You can't always rely on touching to orientate yourself if there is a fire. Especially metallic things.


Where do you live that the fire alarm doesn’t have any sound?


Could you find the exit currently following that sound?

Can those alarms redirect you in real time to a secondary route to escape if the main one is burning or blocked?


Oh I see what you are saying. My bad


I'd be curious to hear why you and GP think technical solutions like this don't currently exist. Nobody thought of it? Cost? Effectiveness?


Muzak but specifically for blind people!

Such an engineer's solution. :P

The glaring issue here would be standardization. Either every place uses the same sounds, or you have to learn a new system for each place you visit using this sort of thing. This is also why you couldn't change notes regularly, which would be boring and repetitive for everyone else.


The same instruments should be used for the same things everywhere. Yep. This is the idea.

Or at least to navigate a complex multistorey building with a lot of repeated elements. I wonder if a videogame could be designed as a soundgame for blind people, replacing images with sounds.


Blind people don't have a big problem with bumping into furniture in their own home, much the same way you don't wipe out when walking from your bed to the bathroom in the dark. And instead of you getting 30 seconds of practice every other night, they navigate that way all the time.

Also, a bunch of noise playing whenever you walk through your house sounds like a huge bother.


Can confirm, I do this all the time lol. The crashing into furniture thing hah. I think it's too much fun! Also, I wouldn't want too much sound around me. I'm already aversive to overly loud, overly changing sounds. They tend to set off my migraines.


Is the refrigerator door open or closed? What about the drawers? Is the vacuum in the middle of the path?

Blind people don't need to know these things, of course. They don't need anybody, and can navigate everything like champs. On the other hand, would it really do harm to be able to know this in advance?


The reason this isn't a product that people use is because it sucks. Not because you were the first guy to think about the poor blind people.


These products have existed since the 80s. I have never seen one that is actually practical in real life. The elevator pitch always sounds nice, to sighted people at least.

Please don't fall for this patronising attitude that just because you are a tech person, you can invent all sorts of helpful gadgets.

Educate yourself about the disability before giving advice or your great $0.02 ideas. They are always meant in a good way, but tiring for those who are in the know.


Ok


Yeah! Some reference info about this amazing approach:

Human click-based echolocation: Effects of blindness and age, and real-life implications in a 10-week training program https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8171922/

Human echolocation lets blind man 'see' (CNN video) https://www.youtube.com/watch?v=WHYCs8xtzUI

Human echolocation - Wikipedia https://en.wikipedia.org/wiki/Human_echolocation


Hah! Looks like we found the same article. Interesting other links too!


This episode of the podcast Invisibilia covers a man who teaches blind children the skill of echolocation: https://www.npr.org/programs/invisibilia/378577902/how-to-be...


Indeed, I remember seeing a video of a guy that did exactly this. Impressive. https://www.youtube.com/watch?v=lAtVOK04XvA


Well I didn't do this automatically, that's for sure. It was something my mother saw on TV and said you should start doing that, I was like uh no that's weird.


I don't know if this is true – that pupil sizes vary meaningfully between races and folks from Africa and Aboriginal populations in Australia have smaller pupils – but it may make sense. Those are both relatively sunny places; Northern latitudes are less so. Greater dilation (or dynamic range around the dilation), more light, possibly improving certain aspects of vision in low light. Of course, the inverse may also hold – less ability for pupils to constrict in very sunny places would be problematic too. And yet, I say this knowing that hypotheses derived from first principles and uninformed of biological context tend to be very low mileage in the biological sciences. Biology is rarely so simple.

