InFeeo
Global
technology
New
Language
Profile channel

@MrX

No bio yet.

Since 30.05.2026

Git Hash Chain Malleability(doi.org)
Git commit signing is widely entrusted to serve as evidence that a commit hash uniquely and immutably identifies a specific piece of signed content. We show this invariant does not hold. Given any signed commit, an attacker without access to the signing key, and without breaking SHA2 can produce a second, distinct commit with an identical tree, identical metadata, a valid signature, and a ``Verified'' badge from a Git Forge such as Github, differing only in its commit hash. The modified commit cascades to modify the values of all the subsequent, dependent commit hashes, hence we introduce the terminology ``hash chain malleability'' to describe this phenomenon. The malleability in signed Git hashes is feasible due to the inherent malleability present in many of the data representations that make up a commit. In this paper we show three such malleation routes: (i) algebraic inversion s -> n-s for ECDSA; (ii) structural insertion of an unhashed OpenPGP subpacket (RFC4880 5.2.3) for RSA and EdDSA; and (iii) non-canonical DER length re-encoding (X.690 10.1) inside the CMS envelope for S/MIME. Algebraic inversion for ECDSA signatures and subpacket insertion were found to pass local verification (git verify-commit), and all three methods yield a persistent, independent ``Verified'' record on Github. We discuss the consequences of Git hash chain malleation for hash-based commit blocking, dependency pinning (Nixpkgs, Go modules, Github Actions), and reproducible-build systems that treat the commit hash as a content-addressable primary key, and we provide proof-of-concept tooling that automates all three routes.
LingBot-VLA 2.0: one VLA policy, 20 robot bodies, ~60k hours real-robot and human video(reddit.com)
Robbyant released LingBot-VLA 2.0, a single model driving 20 embodiments from single-arm Franka and dual-arm UR7e up to full humanoids like Unitree G1 and Fourier GR-2. The action space also covers head, waist, mobile base, and dexterous hands, not only dual-arm manipulation. Training data is roughly 50,000 hours of real-robot trajectories across those 20 configs plus 10,000 hours of egocentric human video, filtered and reconstructed. The ablations on 4 GM-100 real-robot tasks show a clean result: relative joint actions over absolute lifted average success from 33.7% to 55.0%, with relative joint positions cutting the action standard deviation to roughly a third of absolute (about 0.28 vs 0.80). On its own GM-100 generalist eval, Robbyant self-reports higher progress and success than pi-0.5 and GR00T N1.7. Absolute success remains low: 34.4% on Agilex and 15.6% on Galaxea, with several tasks at 0%. The paper itself notes the model often makes partial progress then fails at the final precise placement or release. OOD performance degrades sharply. submitted by /u/deepmoss47 [link] [Kommentare]
My 11-year-old font bug(play.google.com)
Back in time I used to make a stupid little font called Unison. It was a bitmap-vector hybrid font defined by text-based font description files which then get compiled by Python script. During the development of Unison, I had so frustrating bug that I had to write this comment in addition to its workaround: def custom_sort_key((name, _)): # what, the, real, fuck. # it seems that Uniscribe has some bug with Hangul and possibly more scripts: # some characters, when they are located in specific glyph indices, are correctly # mapped via ScriptGetCMap but considered to be missing via ScriptShape. # combined with SSA_FALLBACK it causes the wrong *and* inconsistent fallback behavior. # given that the range of those indices abruptly end with 2^n boundaries, # I strongly suspect that this is something to do with the internal lookup mechanism. # for now, reorder problematic scripts to (empirically) avoid the problem... *sigh* if not name.startswith('uni'): return (2, name) try: c = int(name[3:], 16) except ValueError: return (2, name) return (0 if 0x1100