Tenstorrent builds high-performance AI processors and RISC-V CPUs designed for scalable, efficient machine learning and deep learning workloads in data centers and edge devices.
They haven't released the source, and the compiled versions are non-trivial to diff (e.g. there are nondeterministic numbers from the clojure compiler that seem to have changed from one to the other, and .clj files have been removed from the jar).
Oh, I didn't mean to imply you can, just that it's 404... presumably it exists in a repo checked out on someone's machine, and maybe in a separate private Github repo.
This is silly on my end (I woke up early and have time to kill)...
Also like, note: I would never publicly disclose whatever I find, I'm just curious
I observed exactly what you said about the Clojure filenames not matching up, etc. etc.
#!/bin/bash
# Variables
DIR1=~/metabase-v0.46.6.jar.src # decompiled with jd-cli / jd-gui (java decompiler)
DIR2=~/metabase-v0.46.6.1.jar.src # decompiled with jd-cli / jd-gui (java decompiler)
# Function to create fuzzy hash for each file in a directory
create_fuzzy_hashes() {
dir=$1
for file in $(find $dir -type f)
do
ssdeep -b $file >> ${dir}/hashes.txt
done
}
# Create fuzzy hashes for each file in the directories
create_fuzzy_hashes $DIR1
create_fuzzy_hashes $DIR2
# Compare the hashes
ssdeep -k $DIR1/hashes.txt $DIR2/hashes.txt
How far do you think this gets us (fuzzy hashing)?
I was thinking this, or binary diffing the .class (instead of the "decompiled" .java)?
I found something which is clearly a security fix, using the same idea but more naive: just diffing at the lengths of the decompiled files. It's not at all clear how the issue I found would be triggered by an unauthenticated user though.
> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.
Even though this is technically a violation, licenses aren't black & white. The objective and intent of the AGPL is not being violated by delaying release by a couple weeks to give time for security patches to be applied.
Not sure if this previous thread from years ago will be of any use, sharing it just in case any of the alternatives are still relevant or could be of use for you: https://news.ycombinator.com/item?id=22596082
Curious: you must have done a lot of groundwork to provide the whole stack as a solution, would love to hear from you how you internally select the processors you work with. Or are you directly integrated with banks and card networks?
Sure - it's always evolving as we add more gateways and payment methods. We currently have three Stripe gateways (each region), WorldPay and Checkout.com.
We find that payments getting accepted is dependent on a whole number of things and having the ability to re-route and retry based on the location of the transaction massively helps boost chances of it going through.
You're absolutely correct in that haha - we exist to make sure teams don't have to do all this work internally themselves, as it becomes increasingly messy the more you grow.
Can I ask what category of product it is you're selling?
