maxed's comments

maxed · 2025-03-30T15:46:15 1743349575

I took a closer look; uv installs the inline required packages in it's cache directory `~/.cache/uv` (if they are not already there). So the packages will probably exist until the cache is cleared with for example `uv clear`.

It's not that the inline requirements make a new `.venv` directory or something, uv seems to link the packages to a central location and reuse them if already there.

maxed · 2025-02-23T21:22:38 1740345758

Is Hacker News also affected by this act?

Rochus · 2025-02-23T23:35:13 1740353713

International law limits state jurisdiction to territorial boundaries (Art. 2(1) UN Charter). Hacker News is a US web site and Y Combinator LLC is a US company. The OSA, which is a UK law, cannot mandate physical enforcement (e.g., server seizures) on foreign soil. If they really didn't like HN, UK government could try to suppress HN access for their citicens by local means. If HN had a branch in the UK, the UK government could take action against that branch. As far as I know that's not the case.

kelnos · 2025-02-23T22:04:24 1740348264

Yes, but I don't really understand how the UK can expect to enforce this law against non-UK entities that don't have any employees or physical presence in the UK.

HN/YC could just tell them to go pound sand, no? (Assuming YC doesn't have any operations in the UK; I have no idea.)

SSLy · 2025-02-23T23:14:31 1740352471

they could impound you while on a layover in UK (not that you'd ever want to do that)

_trampeltier · 2025-02-24T16:57:41 1740416261

They could open an international arrest warrant. So you can't travel at all.

ekianjo · 2025-02-24T03:20:08 1740367208

a good reason never to visit the UK again

milesrout · 2025-02-23T22:35:15 1740350115

pg lives in Britain if I'm not mistaken.

Mindwipe · 2025-02-23T21:49:45 1740347385

maxed · 2025-02-12T15:59:23 1739375963

It does not make sense to value these kind of (web) bugs by their potential price on the grey market. I think its better to value these bugs by their potential impact, although that is hard to express in money.

In this case there were 4 billion email addresses on the line from being scraped, imagine if this was exploited and the data was leaked. The news would hit the headliners which would definitely be bad for Google's reputation and stock price.

However, the impact of the leak is not that high as it only consists of a channel <> email address mapping, and therefore I think 10k is a fair price

maxed · on Jan 11, 2025

I tested this last year, they properly reject mails signed with DKIM keys from <1024 bits

maxed · on Jan 11, 2025

The latest RFC does require it though (RFC8301):

  Verifiers MUST be able to validate signatures with
  keys ranging from 512 bits to 2048 bits, and they MAY be able to
  validate signatures with larger keys.

I did my master thesis on this topic one year ago and found that all popular mail providers nowadays support 4096 bits, and some even up to 16384 bits.

Twirrim · on Jan 11, 2025

Unfortunately MAY is not MUST. When it comes to RFCs, it's all too common that people won't implement MAYs, and you should operate expecting that. I wouldn't trust any key over 2048 bits to work.

maxed · on Jan 12, 2025

Sorry, I somehow made a typo in the quoted text, the RFC says

  Verifiers MUST be able to validate signatures with keys ranging from 1024 bits to 4096* bits

So mail providers MUST support up to 4096 bits if they follow the latest RFC.