blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git
commit: 739f2b57fa5102326a47d32f181a119ac62f1d60
parent 4f1c0176ebeff09061afcbc04bf9662f3d13d057
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sat,  6 May 2023 15:40:25 +0200

bookmarks: https://moyix.blogspot.com/2022/09/someones-been-messing-with-my-subnormals.html

Diffstat:

M bookmarks.xbel | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/bookmarks.xbel b/bookmarks.xbel @@ -76,8 +76,12 @@ <bookmark href="https://tails.boum.org/contribute/design"><title>Tails Design</title></bookmark> <bookmark href="https://www.viva64.com/en/b/0558/"><title>Why it is important to check what the malloc function returned</title></bookmark> <!-- or rather insecurity… --> - <bookmark href="https://github.com/pypa/pip/issues/7325"><title>Disallow execution of setup.py when "pip download --no-deps someproject"</title></bookmark> - <bookmark href="https://github.com/pypa/pip/issues/1884"><title>Avoid generating metadata in `pip download --no-deps ...`</title></bookmark> + <bookmark href="https://moyix.blogspot.com/2022/09/someones-been-messing-with-my-subnormals.html"> + <title>Someone’s Been Messing With My Subnormals!</title> + <desc>"TL;DR: After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results." But also "Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 and 1884 for more details)!"</desc> + </bookmark> + <bookmark href="https://github.com/pypa/pip/issues/7325"><title>Disallow execution of setup.py when "pip download --no-deps someproject" · Issue #7325 · pypa/pip · GitHub</title></bookmark> + <bookmark href="https://github.com/pypa/pip/issues/1884"><title>Avoid generating metadata in `pip download --no-deps ...` · Issue #1884 · pypa/pip · GitHub</title></bookmark> <bookmark href="https://www.vusec.net/projects/anc/"> <title>ASLR⊕Cache (AnC)</title> <desc>Demonstration of a cache-based attack of ASLR, browser JavaScript and Native Code</desc>
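Review bot: the two re-added pip issue bookmarks now carry the " · Issue #7325 · pypa/pip · GitHub" / " · Issue #1884 · pypa/pip · GitHub" suffix copied from the browser title bar, which is noise in a curated list; the removed lines had the cleaner titles "Disallow execution of setup.py when "pip download --no-deps someproject"" and "Avoid generating metadata in `pip download --no-deps ...`", and keeping those while only moving the entries below the new bookmark would make the diff a pure reorder. The `<desc>` on the new entry already points the reader at "pip issues 7325 and 1884", so the ordering (blog post first, then the two issues it cites) is the right one; consider adding a short `<desc>` to each issue bookmark stating the defensive takeaway the quoted text gives, namely that `pip download` and `--dry-run` can still run a package's setup.py, so that the entries remain self-explanatory if the blog post disappears.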