| 6 May 2025 |
 GGG | I wonder what's the likelyhood of c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 appearing in a normal binary | 13:49:39 |
| GGG | maybe as a set of bytes it could happen, but as a sequence of ASCII characters I'm not sure | 13:49:51 |
 Corngood | I think that would depend on where it came from. Maybe I can track that down. | 13:50:32 |
| Corngood | If it's guid-ish then ~0 | 13:50:46 |
| GGG | I'm doing a simple preliminary test by doing grep -sRl 'c3ab8ff13720e8ad9047dd39466b3c89' /nix/store | 13:50:55 |
| GGG | it seems like they just SHA-256'd "foobar" | 13:51:13 |
| GGG | according to the comment on the code you posted | 13:51:19 |
| Corngood | oh, lol. that was stupid of them | 13:51:29 |
| Corngood | it's probably fine, but they could have easily avoided the possibility of someone else doing the same thing | 13:51:59 |
| Corngood | still, they were only concerned about their codebase and dependencies | 13:52:28 |
| Corngood | we don't need to differentiate already-patched or source-built binaries, do we? | 13:53:39 |
| GGG | no, this was only so I could make a hook to do the patching we do for pre-built .NET apps | 13:54:13 |
| GGG | that adds the whole ICU, Kerberos, OpenSSL and etc. deps | 13:54:25 |
| Corngood | But I mean we're not mixing other stuff in the same outputs that are being patched? | 13:56:10 |
| GGG | even if we do, there shouldn't be any harm I think | 13:56:36 |
