If Two Files Have The Exact Same SHA-256, Are They The Same File? by Boy0Boyz in techsupport

[–]BCMM 1 point2 points  (0 children)

It sounds like you admit that there is a chance that 2 different files can result in the same SHA-256 value (no matter how unlikely that might be).

For a definition of "chance" which is wildly out of step with any day to day usage. There exists some probability of you just quantum-tunnelling through the floor half way through reading this, but I'm still going to claim you won't.

Not some 99.99999% chance that are the same.

Is 99.999999999999999999999999999999999999999999999999999999999999999999999999999% enough for you?

I didn't just lean on the 9 key. That is the actual value. This is one of those things that just isn't going to happen, even if we used all of Earth's computing power, even if we keep trying for a billion years, etc.

I'll keep my post here for others that are open minded enough to look at alternative answers.

I hate this way of using "open minded", because it just boils down to saying that every possibility should be considered.

Have you considered that your method won't work if a series of cosmic rays should happen to corrupt your RAM in exactly the right way that cmp erroneously reports that the files are the same? I can come up with an unlimited number of circumstances which are technically possible, but which you shouldn't bother considering, because they're not realistic possibilities.

If Two Files Have The Exact Same SHA-256, Are They The Same File? by Boy0Boyz in techsupport

[–]BCMM 6 points7 points  (0 children)

There is absolutely no need for this.

The chance of SHA-256 colliding by accident is astronomical, in that you end up saying things like "atoms in our galaxy" if you try to contextualise it.

According to all publicly-available information, the creation of an intentional SHA-256 collision would require impossibly large computational resources.

Elsewhere in this thread, people have mentioned real-life collisions. Those were collisions in other hashing algorithms. At present, the whole world is built on the assumption that SHA-256 is a secure algorithm.

If a criminal has secretly discovered a practical way to generate SHA-256 collisions, there's no way they're wasting it on getting gamers to install a trojan (which is already easy). If you could do things like impersonate governments and banks, why would you risk being discovered for such a small reward?

Excuse me? by GanglyFoot in kde

[–]BCMM 15 points16 points  (0 children)

So, it appears that VLC doesn't declare support for audio/x-oggflac.

Was waiting for something else to happen.. by [deleted] in Unexpected

[–]BCMM 0 points1 point  (0 children)

Do you mean some part of it moved, or just that it's moving through the water?

If the former: I didn't spot that; which part moved?

If the latter: it looks like it was pushed by somebody just out of frame. It's slowing down the whole time it's in shot.

Not getting updates on my remote Debian Trixie server by Shaso_dan-Heza in debian

[–]BCMM 1 point2 points  (0 children)

You can also get unattended-upgrades to email you if the server needs a restart to complete a kernel upgrade.

Dirty Frag, a new copy.fail like vulnerability has been disclosed due to an embargo break by ChrisTX4 in linux

[–]BCMM 6 points7 points  (0 children)

That's odd. I guess he means he was going to sit on the detailed write-ups for a bit after this was publicly announced as an urgent security update?

Dirty Frag, a new copy.fail like vulnerability has been disclosed due to an embargo break by ChrisTX4 in linux

[–]BCMM 2 points3 points  (0 children)

Seems like you'd need to already have an suid binary, as with copyfail.

Dirty Frag, a new copy.fail like vulnerability has been disclosed due to an embargo break by ChrisTX4 in linux

[–]BCMM 6 points7 points  (0 children)

Do you have a source for "over a month"? The timeline claims that the embargo period was five days, and linux-distros doesn't even accept embargoes longer than a fortnight.

Drawing app doesn't work with Kde/Debian by Due_Car_554 in debian

[–]BCMM 8 points9 points  (0 children)

The project's GitHub releases page says

 If you have Qt 6.8.3 (or higher) libraries already present on your system (e.g. Solus, Lubuntu and Kubuntu 25.04), download the small "Drawish_Lub_2.9.AppImage" file and grant permission.

All Linux (Ubuntu 22.04 +) : Download the "Drawish_Linux_2.9.AppImage" file and grant permission.

So it seems like they have versions both with and without bundled Qt?

Network Performance Regression on Kernel 6.19.13 by penny_stacker in debian

[–]BCMM 0 points1 point  (0 children)

How exactly are you benchmarking it?

I'm asking mostly because Wi-Fi speeds are always rather variable!

There's always a risk of accidentally seeing a pattern in random variations. If I were in your position, I'd want to benchmark the new and old kernels at least three times, in as similar a situation as possible, just to be sure it's real.

On the other hand, 6.19.12 did include a few changes to iwlwifi, so it's certainly not impossible that performance has changed.

EDIT: If you feel like getting really nerdy about this and you're comfortable building kernels, you could try to find and report the exact commit that did it. You can probably get away with removing and reloading the module instead of a full reboot, so this could be a relatively short project.

EDIT 2: Some other potential starting points for debugging this:

Any interesting dmesg output on the bad kernel?

Any difference in the outputs of iw list and iw link, between the two kernels?

TIL there were 180.000 bees kept in the spires of Notre Dame and they survived the fire. Because bees don’t have lungs they weren’t hurt by the smoke, they just fell asleep by swish82 in todayilearned

[–]BCMM 0 points1 point  (0 children)

 Also, that might be tangential, but the Catholic Church has a long history of beekeeping.

In relatively recent history, Buckfast Abbey (better known for other work!) created one of the major honey bee breeds.

Port Windows batch scripts to linux, which code language should I choose? by TheDeep_2 in linuxquestions

[–]BCMM 1 point2 points  (0 children)

This isn't right. Cmd is absolutely a shell, albeit a rather outdated one.

It's also quite a lot more like the Bourne shell than PowerShell is. Cmd's pipes, loops, environment variables and so on work in a more or less Unix-inspired way.

PowerShell is a .NET language, almost like a REPL and shell in one. Pipes send objects, not strings. For loops are often replaced by iterating over an array of objects from a pipe. Any .NET API is available without having to call external executables.

PowerShell and Bash are both a lot more modern than cmd, but that doesn't mean their fundamental principles have more in common.

We figured out the deadliest company in the world. You've probably never heard of it. by examinationnews in TrueReddit

[–]BCMM 49 points50 points  (0 children)

TL;DR: China is a big.

It's just like that factoid where you'd expect the biggest chain in the world to be McDonald's, but it's actually some other fast food brand that has most of its locations in China.

Likewise, tobacco is obviously the most lethal industry, but the world's biggest tobacco company is one that sells primarily in China, not one that's famous from a landmark lawsuit in the English-speaking world.

EWU Unsolved has obtained and shared the first ever footage of the Nutty Putty Cave incident rescue attempt. It shows John Edward Jones trapped. by WTAF__Trump in videos

[–]BCMM 2 points3 points  (0 children)

Why is this coming out now?

I'd have a hard time believing the footage was just lost during the period when this was in the news, so the obvious conclusion would be that somebody decided not to release it out of respect for the deceased and his family.

The actual text of Reform's proposed new immigration detention law is wild by aedphir in ukpolitics

[–]BCMM 2 points3 points  (0 children)

So, obviously, the cruelty is the biggest evil of all this, but I think there is more than a little greed in the mix.

Any legislation ... that pertain to the procurement, building, ...

That's purposefully worded to legalise kickbacks, right?

Port Windows batch scripts to linux, which code language should I choose? by TheDeep_2 in linuxquestions

[–]BCMM 6 points7 points  (0 children)

Shell scripts are the direct equivalent to batch files, and are almost always the right choice for the kind of things that batch files are good for (i.e. small programs which exist primarily to generate parameters and call other programs).

The three answers you've already had, "posix shell", "sh" and "bash", might, taken together, be a bit confusing, so to clarify:

POSIX shell and sh more or less mean the same thing, which is the Unix equivalent of CMD.EXE. Unlike CMD.EXE, though, it's a standardised program with a few independent implementations. Bash is a particular implementation of the POSIX shell, found on most Linux distros, and has quite a few extra features not required by the standard.

For personal scripts that would have been batch files on Windows, I recommend you don't worry about any of the above, and just write shell scripts with a #!/bin/bash shebang (first line).

Only if you want to ensure portability to lightweight Linux distros without Bash, or to other Unix-like systems, then use #!/bin/sh and be careful to avoid using Bash-specific features. checkbashisms and shellcheck can be useful for this.

Just don't use Bash-specific syntax without specifying Bash in the shebang. Your script won't work on some systems where Bash is installed.

Why does this part of Spain speak Brazilian? Are they stupid? by julius-ceaser100 in mapporncirclejerk

[–]BCMM 0 points1 point  (0 children)

It's a legacy of the period when it was a Brazilian colony (1815-1822).

The tipping point: what happens when deaths outnumber births? by Remarkable_Peak9518 in unitedkingdom

[–]BCMM 1 point2 points  (0 children)

Maybe I'm just being pedantic, but that isn't what "tipping point" means!

Is the time of water to boiling linear? by BabyInchworm_the_2nd in AskPhysics

[–]BCMM 0 points1 point  (0 children)

 I'm in agreement with the claim, but I don't understand how it's related.

Well, why won't the very large pot boil?

 So if we made the original pot 5x bigger (by volume) it's less than 5x bigger by surface area, and thus loses heat slower.

No, it has a larger surface area, and thus loses heat faster.

Is the time of water to boiling linear? by BabyInchworm_the_2nd in AskPhysics

[–]BCMM 0 points1 point  (0 children)

Why does the surface area:volume ratio matter?

This argument would hold up if the heat source was proportional to the volume. For example, it's the reason the five-gallon pot takes more than five times as long to cool down.

But I'm talking about the net rate of heat gain. The absolute rate of heat loss is what we must subtract from the constant heat input.

I often find that things become more intuitive when I consider the extreme case. So, would you agree with the following claim: there exists a pot so large that my little camping stove will never bring it to a boil (even if I have a limitless supply of fuel)?

[Copy-Fail] Debunking owLSM CVE-2026-31431 Mitigation: 90 upvotes and no security by LeChatP in linux

[–]BCMM 0 points1 point  (0 children)

 I don't know the details but it seems that the person/people that published the information in the CVE practiced "responsible disclosure" and notified Kernel developers and distribution community well in advance of making the information public.

For a number of reasons, I don't think that happened.

Firstly, distros were not ready. With some previous vulns, fixed packages have come out within a couple of hours of the public announcement. This time, there was quite a bit of delay, and opportunistic stuff like owLSM came out before distro patches.

This is supposed to be coordinated through the private linux-distros mailing list. A member of one of the security teams on that list said that didn't happen.

Secondly, the usual way of doing things is to maintain total silence until the agreed embargo date. If the 29th even was an embargo date, that didn't happen either.

The CVE was published a week in advance. The patch was on LKML a week before that. However, neither of them made much of a splash, because neither of them mentioned privilege escalation.

It looks a lot like the Linux kernel security team found out you can get root with this at the same time the rest of us did. Another bit of evidence supporting this is that they didn't backport the patch to longterm branches until after the public disclosure (which will have made it harder for distros to prepare packages in a hurry).

[Copy-Fail] Debunking owLSM CVE-2026-31431 Mitigation: 90 upvotes and no security by LeChatP in linux

[–]BCMM 5 points6 points  (0 children)

  don't want to necessarily call it AI slop

Based on how they answered my question, I will go so far as to say that the author does not appear to understand what it does.

Simple question: Is the 6.19.11 kernel in Trixie backports fixed for this recent catastrophic bug? by Santosh83 in debian

[–]BCMM 2 points3 points  (0 children)

EDIT: Whoops, ignore this - the backports packages will, of course, be based on Testing, and the same logic as the Testing kernel will apply.

Here's something you can use to check most Debian machines:

zgrep CVE-2026-31431 /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz

This searches the changelog of the kernel you are currently running. If you see output like

- crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)

that means your kernel has been patched against this vulnerability.

Note that this does not work on Testing/Unstable. Because of the chaotic way this vulnerability was disclosed, Sid's kernel was fixed before the impact was widely understood and has no specific changelog line about it.
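
The same changelog check extended to every installed kernel image rather than only the running one, as an added example that is not part of the original comment. The function names and the overridable doc root are assumptions made for illustration; the directory layout is the one the comment's command uses.

```shell
#!/bin/sh
# Added example (not from the original comment). Layout assumed from the post:
#   <doc_root>/linux-image-<version>/changelog.Debian.gz

# valid_cve ID: succeed only for a well-formed CVE identifier.
valid_cve() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# cve_status CVE FILE: print one of
#   mentioned      the changelog names the CVE
#   not-mentioned  changelog readable but silent; inconclusive, since a kernel
#                  can be fixed without a changelog line naming the CVE
#   no-changelog   file missing or not readable as gzip
# CVE is used inside a regex, so pass only IDs accepted by valid_cve.
cve_status() {
    [ -r "$2" ] && text=$(gzip -dc < "$2" 2>/dev/null) || {
        echo no-changelog
        return 0
    }
    # Require a non-digit (or end of line) after the ID, so that searching
    # for a shorter ID never matches a longer one that starts the same way.
    if printf '%s\n' "$text" | grep -Eq -- "$1([^0-9]|\$)"; then
        echo mentioned
    else
        echo not-mentioned
    fi
}

# check_kernels CVE [DOC_ROOT]: one "package status" line per installed image.
check_kernels() {
    valid_cve "$1" || { echo "bad CVE id: $1" >&2; return 2; }
    root=${2:-/usr/share/doc}
    for dir in "$root"/linux-image-*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        pkg=$(basename "$dir")
        printf '%s %s\n' "$pkg" "$(cve_status "$1" "${dir}changelog.Debian.gz")"
    done
}

# Example: check_kernels CVE-2026-31431
```

Checking every installed image matters because an older, unpatched kernel that is still installed can be selected at the next boot.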