is it not obvious?

> These issues are present in the patches published last week.

> The patches published last week are vulnerable.

> If you already updated for the Critical Security Vulnerability, you will need to update again.

the OP was specifically about jetstream so i guess you just didn't read it?

just imagine I'm claude,

smoke bomb

He Vanished!? Find him you fools!

> When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not

It prevents the npm publish from locally modified source code.

if you want to look at existing implementations on top of kvm then these might be useful - rust-vmm is a core library for AWS' firecracker vmm.

https://github.com/rust-vmm/kvm https://github.com/kvmtool/kvmtool https://github.com/sysprog21/kvm-host

yes. most folks don't seem to understand this. but, you can get something approaching such guarantees if you are able to limit yourself to something as (seemingly) simple as updating a ledger. this approach is used in a lot of places where high performance and strong consistency is needed (see e.g. LMAX disruptor for similar). https://tigerbeetle.com/

i can't see how these numbers can be anywhere near correct (nor the ones above). in JavaScript on an old Core i5 the overhead of a simple ffi call is on the order of 5 nanoseconds. on a recent x64/arm64 cpu it's more like 2 nanoseconds.

you can verify this easily with Deno ffi which is pretty much optimal for JS runtimes. also, from everything i have seen and read, luajit should be even lower overhead than this.

you really shouldn't be asking chatgpt questions like this imo. these are facts, that need to be proven, not just vibes.

I agree. was just following the parents pattern, to make it work for me :)

is there anything good written up on this?

I don't think so? It's not complicated. Most LPEs get you the local kernel. The KVM security model assumes an untrusted local (guest) kernel. To compromise KVM, they either need to be fundamental architectural flaws (rare) or bugs in KVM itself (also rare).

there's a pretty good summary of things with links from daniel stenberg - the curl guy - here : https://daniel.haxx.se/blog/2021/10/25/the-quic-api-openssl-...

this is nice. i like the idea which has been tried in a few places of running sqlite in the browser directly/locally. the only thing that is really missing to make this work at a bigger scale for read-heavy databases is a very cheap or free static hosting service which does range requests, allows you control of CORS and doesn't have the file size limitations of gist or github pages. maybe this exists already? S3 would do i guess?

you can do kinda magic things like this and build websites that connect to multiple different databases around the web and... well, i'll leave the rest up to your imagination.

go here: https://just.billywhizz.io/sqlite/squeel/

hit CTRL/CMD + Q on your keyboard.

paste in this sql

``` attach database 'https://raw.githubusercontent.com/just-js/just.billywhizz.io...' as chinook ;

select * from albums ; ```

and hit CTRL/CMD + g to run the queries.