Git commit signing is widely entrusted to serve as evidence that a commit hash uniquely and immutably identifies a specific piece of signed content. We show this invariant does not hold. Given any signed commit, an attacker without access to the signing key, and without breaking SHA2 can produce a second, distinct commit with an identical tree, identical metadata, a valid signature, and a ``Verified'' badge from a Git Forge such as Github, differing only in its commit hash. The modified commit cascades to modify the values of all the subsequent, dependent commit hashes, hence we introduce the terminology ``hash chain malleability'' to describe this phenomenon. The malleability in signed Git hashes is feasible due to the inherent malleability present in many of the data representations that make up a commit. In this paper we show three such malleation routes: (i) algebraic inversion s -> n-s for ECDSA; (ii) structural insertion of an unhashed OpenPGP subpacket (RFC4880 5.2.3) for RSA and EdDSA; and (iii) non-canonical DER length re-encoding (X.690 10.1) inside the CMS envelope for S/MIME. Algebraic inversion for ECDSA signatures and subpacket insertion were found to pass local verification (git verify-commit), and all three methods yield a persistent, independent ``Verified'' record on Github. We discuss the consequences of Git hash chain malleation for hash-based commit blocking, dependency pinning (Nixpkgs, Go modules, Github Actions), and reproducible-build systems that treat the commit hash as a content-addressable primary key, and we provide proof-of-concept tooling that automates all three routes.
Robbyant released LingBot-VLA 2.0, a single model driving 20 embodiments from single-arm Franka and dual-arm UR7e up to full humanoids like Unitree G1 and Fourier GR-2. The action space also covers head, waist, mobile base, and dexterous hands, not only dual-arm manipulation. Training data is roughly 50,000 hours of real-robot trajectories across those 20 configs plus 10,000 hours of egocentric human video, filtered and reconstructed. The ablations on 4 GM-100 real-robot tasks show a clean result: relative joint actions over absolute lifted average success from 33.7% to 55.0%, with relative joint positions cutting the action standard deviation to roughly a third of absolute (about 0.28 vs 0.80). On its own GM-100 generalist eval, Robbyant self-reports higher progress and success than pi-0.5 and GR00T N1.7. Absolute success remains low: 34.4% on Agilex and 15.6% on Galaxea, with several tasks at 0%. The paper itself notes the model often makes partial progress then fails at the final precise placement or release. OOD performance degrades sharply. submitted by /u/deepmoss47 [link] [Kommentare]
https://t.co/irgPw3EBqE
A third of Microsoft's global layoffs were Xbox employee as the company reduced its workforce by 2.1% globally.
A fantasy world where AI agents are the players.
The hottest AI storefront has a doorman. Upload your catalog and watch which products get waved in — and which get turned away.
Bending Spoons remains largely unknown, even as its portfolio of products has served more than a billion people.
I was about to take an elevator when my Android phone screamed a warning.
Researchers have identified a previously overlooked mechanism of brain cell death that appears to play a major role in Alzheimer's disease and frontotemporal dementia. The finding could lead to new treatments aimed at slowing neuron loss by interrupting the process before cells are destroyed.
Back in time I used to make a stupid little font called Unison. It was a bitmap-vector hybrid font defined by text-based font description files which then get compiled by Python script. During the development of Unison, I had so frustrating bug that I had to write this comment in addition to its workaround: def custom_sort_key((name, _)): # what, the, real, fuck. # it seems that Uniscribe has some bug with Hangul and possibly more scripts: # some characters, when they are located in specific glyph indices, are correctly # mapped via ScriptGetCMap but considered to be missing via ScriptShape. # combined with SSA_FALLBACK it causes the wrong *and* inconsistent fallback behavior. # given that the range of those indices abruptly end with 2^n boundaries, # I strongly suspect that this is something to do with the internal lookup mechanism. # for now, reorder problematic scripts to (empirically) avoid the problem... *sigh* if not name.startswith('uni'): return (2, name) try: c = int(name[3:], 16) except ValueError: return (2, name) return (0 if 0x1100