HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ashishb

1,042 karmajoined قبل 14 سنة
Software engineer & blogger - https://ashishb.net/about

Submissions

EMF and Kids

ashishb.net
2 points·by ashishb·قبل 5 أيام·0 comments

I was asked to install malware during a fake interview

ashishb.net
54 points·by ashishb·قبل شهرين·10 comments

Amazing Sandbox (asb) – a Docker-based sandbox for running third-party code

github.com
1 points·by ashishb·قبل 7 أشهر·0 comments

The real lock-in in GitHub is not the code, but the stars

ashishb.net
6 points·by ashishb·قبل 7 أشهر·7 comments

Reddit Migrates Comment Back End from Python to Go Microservice to Halve Latency

infoq.com
6 points·by ashishb·قبل 7 أشهر·1 comments

Best practices for using Python and uv inside Docker

ashishb.net
7 points·by ashishb·قبل 9 أشهر·0 comments

comments

ashishb
·قبل 8 أيام·discuss
Listen to any on the Elon Musk interviews, he knows more technical intricacies of his 1000+ employee companies than your average startup founder with 10 employees.
ashishb
·قبل 25 يومًا·discuss
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
ashishb
·قبل 25 يومًا·discuss
I wonder what percentage of pull requests are cascading updates caused by dependabot and multiple code review bots reviewing those PRs.

My belief is it is likely 1% or more. And likely coming in as an avalanche.
ashishb
·الشهر الماضي·discuss
Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
ashishb
·الشهر الماضي·discuss
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?
ashishb
·الشهر الماضي·discuss
> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
ashishb
·الشهر الماضي·discuss
That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
ashishb
·الشهر الماضي·discuss
I have some ideas around it. And indeed that's one likely direction of this project in the future.
ashishb
·الشهر الماضي·discuss
This has been responded to in the past by another HN poster: https://news.ycombinator.com/item?id=47612726

Furthermore, you can use native sandboxing on macOS if you prefer.

If neither looks serious to you, then please educate me on a better sandboxing approach.
ashishb
·الشهر الماضي·discuss
Nobody should do 'npm install' or 'pip install' on their machine.

Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
ashishb
·الشهر الماضي·discuss
I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469
ashishb
·الشهر الماضي·discuss
> For dependabot it's as simple as > cooldown.default-days: 1

Most people stick to default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.
ashishb
·الشهر الماضي·discuss
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.

So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.

Even for single page website built using Vue, I would get about 5 updates a week.
ashishb
·الشهر الماضي·discuss
And why didn't they chose self-hosted for git then?
ashishb
·الشهر الماضي·discuss
Simpler answer: TINA (there is no better alternative)
ashishb
·الشهر الماضي·discuss
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?

And how will the project accumulate more?

> everyone knows it's gamed anyway, so why not?

Then why do they still have purchase value?
ashishb
·الشهر الماضي·discuss
> What stops a new platform from just mirroring GitHub stars on import or something, actually?

So, the source is still GitHub, right?

Which means I have to keep my FOSS project on GitHub to accumulate stars.
ashishb
·الشهر الماضي·discuss
Nginx was compelled to move to GitHub [1].

The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]

Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.

Well, that's not how the world works.

Fake stars can propel a good project to great.

A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.

The real lock-in is in GitHub stars [3].

1 - https://blog.nginx.org/blog/nginx-open-source-moves-to-githu...

2 - https://finance.biggo.com/podcast/1c9f14e134095b87

3 - https://ashishb.net/tech/github-stars/
ashishb
·قبل شهرين·discuss
Alpine is a bad idea for a non-trivial application written in Python, Node.js, or any other interpreted language.

Too many weird edge cases to deal with, especially related to Alpine using musl libc instead of glibc.

At best, your builds are slower.

At worst, certain code paths are broken.
ashishb
·قبل شهرين·discuss
Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.