I'd go so far as to say any implementation that doesn't conform to RFC 4180[1] is broken and should be fixed. The vast majority of implementations get this right, it's just that some that don't are so high profile it causes people to throw up their hands and give up.
It helps a bit that it's written in Zig, but its primary differentiating feature in the sea of terminal emulators is that it's created by mitchellh, who is kind of a celebrity in some circles.
You can turn on a feature documented as allowing the terminal to be controlled by escape sequences, but then output of programs can control the terminal! Whoop-de-do.
BearSSL is really cool, but it claims beta quality with the latest release in 2018, doesn't support TLS 1.3, and hasn't seen meaningful development in years. It's averaging about 1 commit per year recently, and they're not big ones.
This documentation page[1] seems pretty clear. One primary at a time, any number of read replicas that automatically proxy writes to the primary, when compute scales to zero the data is in object storage and a new primary can spin up elsewhere.
According to their ToS all customer accounts registered on or after September 3, 2024 are signed on to a US company, so no they're not doing what's necessary to keep US hands off the data.
After a different company detected it, figured out what it did, and reported it to Apple. The app was notarized on November 17, screenshots in the researchers' post are from December 16. That's a month of fully notarized distribution.
What a frustrating article. There was an interesting bug here. It's trivial to explain. It's not a zero-day, this was fixed months before disclosure. Most of the article is basically: "Imagine you were running software with horrific security holes behind this WAF. We even made some examples. It had a flaw. If your entire security posture depended on this WAF, imagine how much damage could have been done. Imagine if AI were involved!"
[1]: https://datatracker.ietf.org/doc/html/rfc4180
reply