
There's a bunch of interesting recent commits from someone without a public signing key.

    Removed excess checks before free()
    Fixed possible wrong result bit shifting on 64bit after left op type overflow
    Fixed possible wrong result bit shifting on 64bit after left operand type overflow
    Fixed possible access out-of-bounds items array better check index before using
Could be legit or flawed. Or even fixes for the possible flaw.


1. Unsigned commits are the norm. It's weird to sign git commits. It's weird to upload your gpg key to github. gpg is a nightmare mess.

2. They aren't introducing the bug, those are all unreleased commits, so advice to "uninstall now" for something no distros are shipping would be silly.

3. The diff is trivial, you can read it and figure out if it looks like they're fixing a real exploitable thing. The answer is obviously no.


> It's weird to upload your gpg key to github. gpg is a nightmare mess.

I agree on that, but note that you're also able to use your existing SSH key for signing commits. https://docs.github.com/en/authentication/managing-commit-si...


Seems they also are not coming in via PR. Sus




