> although the real cleverness is in the testcase, which we have not made public
What is the point of keeping it private? I'd bet feeding this patch to Opus and asking to look for specific TOCTOU issue fixed by the patch will make it come up with a testcase sooner or later.
The same is also true of a good security researcher, and has been for a long time. The question is mostly whether it takes long enough to come up with a testcase that we've managed to ship the fix to all affected releases, and given people some time to update. (And maybe LLMs do change the calculus there! We'll have to wait and see.)
Possibly! One of the many areas that might need rethinking in the age of AI (that started in February of this year) is how long security bugs should be hidden. We live in interesting times.
No embargo exists (or could possibly exist) in the first place.
Linux is open source, so every patch fixing a security bug is immediately visible to everyone. There is no workaround to that by the very design of how the kernel is developed. The "embargo" people are talking about is the rather stupid notion that if people keep their mouths shut and don't write "THIS IS A LPE" straight in the patch description, everyone can pretend the vulnerability is not leaked until the "official" message to the mailing list is sent.
This approach might have been defensible before, but in the LLM era, when people have automated pipelines feeding diffs straight from the mailing lists to SotA models and asking them to identify probable security issues fixed by those diffs, it is both stupid and dangerous.
My (novice) understanding is that embargoes are intended to provide time to 1) develop a patch and 2) distribute the patch.
For Linux/public open source, what you said is right about 2). Once the patch is visible to anyone, it's trivial to identify exploits for unpatched systems. But 1) is still a valid use-case for embargoes for Linux vulns, right? Like, if this patch had taken a few weeks to develop before being confirmed working and published, that's potentially valid grounds for not sharing details during that time (within reason), no?
Linux does actually have a proper embargo process. But, you're correct that in this case it wouldn't usually have been followed anyway. Bugs like this are fixed multiple times a week, anyone with basic kernel knowledge can see that they are potentially LPEs.
Usually, nobody even bothers to check. LPEs like this are too common to even categorise effectively.
We don't handle DV applications (we just advise our clients to handle on their own because the application process is easy) but my understanding is that the current 2027 DV process has been paused. Although the government hasn't published statistics yet, by all accounts the selection rate this year in the H-1B lottery was much higher than last year and in years past and I believe that this is in part the result of the $100K fee.
Well, I live in a country with both huge distillation culture and significantly non-zero number of methanol poisonings, and they never happen from home brewing. It's really hard to homebrew/distill methanol in a quantity enough to poison you in an otherwise ethanol solution (which acts as an antidote).
It's so rare this thread is literally the first time I've heard about possibility of methanol poisoning from homebrewing.
Methanol poisonings happen from bootlegging, where someone in the chain of supply sells industrial methanol as an ethanol, because the first one is cheaper, easier to obtain and untaxed.
Homebrewing isn't the issue per se. Methanol from fruit and the other stuff people normally ferment is pretty negligible. The problem happens when the spirit is sold and broken down/stretched to go further by middlemen adding cheaper MeOH.
Unfortunately, that has happened enough times with people dying for it to be a problem. Seems some societies are more susceptible to these extremely dangerous ripoffs than others.
Isn't that an issue with alteration and distribution rather than risk during production for self consumption and could happen for just about any product?
I didn't say they did. If you think this ruling (if upheld) won't change things then you're kidding yourself
In Poland and other European countries where home distillation has been practiced for centuries nothing would happen but an instant cultural shift in the US with a major uptake in homebrewing certainly will. Ratbags and carpetbaggers will find ways to get in on the act and that's when the trouble will start.
This is wrong and dangerous! Home brewing very well can cause methanol poisonings. It doesn't happen often because the process is complex enough to get set up that anyone will likely talk to someone (or read a book) and get the simple process to avoid it (throw out the beginnings of each batch, since the harmful stuff comes first).
It is not a myth. It might be overblown (in typical home batch sizes there probably isn't enough methanol to worry about anyway). However, methanol will start to boil out first, and so the heads will have measurably more methanol than what comes later - this is the basic physics of distillation. You won't get all the methanol out by discarding the heads (again, this is how distillation works), but you will get an elevated portion.
The myth is that a home distiller can unknowingly produce something that is poisonous due to methanol.
Your statement about methanol being in the heads is also wrong, because the evaporative properties change when you have ethanol, methanol, and water all mixed together. It's not as simple as the naive "lower boiling point means it comes out first".
I concluded from that that distillation cannot be used to concentrate alcohol. I'm no chemist, but I know enough to know that your article fails the sniff test - it is taking some facts but misapplying them.
If that's the conclusion you drew from that article, you either didn't read large sections of it or failed to understand it. Not sure how to help you but to suggest you try again.
The principle is the same reason why when you distill at 180 degrees, you do not wind up with a distillate with zero water in it.
Sure you don't get zero water at 180 degrees - but you get less water which is why we can distill alcohol at all to remove water. Likewise you get more methanol in the early stages - that doesn't mean you get it all in the early stages, but you will get an elevated amount.
Exactly, now you've got it! The last caveat is that while methanol is slightly elevated in the heads, it's not meaningfully so. It's present throughout the run at nearly the same concentration. There just isn't enough methanol in a home brew to produce a meaningful early spike. And you certainly do not discard all or even a majority of the methanol if you toss the heads.
And this is why home brewing and distillation cannot cause methanol poisoning.
In small batches. In very large batches there is enough to be a concern. Where the line is, I don't know, but you had better figure it out if you are going to make concentrated alcohol.
I'm not talking about homebrew bootlegging here. It's large-scale frauds where industrial ethanol (which often contains poisonous amounts of methanol, or _is_ methanol) is mixed with flavorants and colorants to cheaply imitate various hard drinks.
Amusingly, there typically are various exceptions made for those. All technical and whatnot, but for example, Iran is heavily sanctioned, but has all sorts of exceptions for stuff like that precisely because of the impact it can have.
> This excuse is hollow to me. In an organization of this size, it takes multiple people screwing up for a failure to reach the public, or at least it should.
Only if this is considered a failure.
Native English speakers may not know this, but for a very long time (since before automatic translation tools became adequate) pretty much all MSFT docs were machine translated to the user agent's language by default. Initially they were as useless as they were hilarious - true slop before the term was invented.