HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ashishb

1,042 karmajoined vor 14 Jahren
Software engineer & blogger - https://ashishb.net/about

Submissions

EMF and Kids

ashishb.net
2 points·by ashishb·vor 5 Tagen·0 comments

I was asked to install malware during a fake interview

ashishb.net
54 points·by ashishb·vor 2 Monaten·10 comments

Amazing Sandbox (asb) – a Docker-based sandbox for running third-party code

github.com
1 points·by ashishb·vor 7 Monaten·0 comments

The real lock-in in GitHub is not the code, but the stars

ashishb.net
6 points·by ashishb·vor 7 Monaten·7 comments

Reddit Migrates Comment Back End from Python to Go Microservice to Halve Latency

infoq.com
6 points·by ashishb·vor 7 Monaten·1 comments

Best practices for using Python and uv inside Docker

ashishb.net
7 points·by ashishb·vor 9 Monaten·0 comments

comments

ashishb
·vor 8 Tagen·discuss
Listen to any on the Elon Musk interviews, he knows more technical intricacies of his 1000+ employee companies than your average startup founder with 10 employees.
ashishb
·vor 25 Tagen·discuss
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
ashishb
·vor 25 Tagen·discuss
I wonder what percentage of pull requests are cascading updates caused by dependabot and multiple code review bots reviewing those PRs.

My belief is it is likely 1% or more. And likely coming in as an avalanche.
ashishb
·letzten Monat·discuss
Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
ashishb
·letzten Monat·discuss
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?
ashishb
·letzten Monat·discuss
> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
ashishb
·letzten Monat·discuss
That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
ashishb
·letzten Monat·discuss
I have some ideas around it. And indeed that's one likely direction of this project in the future.
ashishb
·letzten Monat·discuss
This has been responded to in the past by another HN poster: https://news.ycombinator.com/item?id=47612726

Furthermore, you can use native sandboxing on macOS if you prefer.

If neither looks serious to you, then please educate me on a better sandboxing approach.
ashishb
·letzten Monat·discuss
Nobody should do 'npm install' or 'pip install' on their machine.

Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
ashishb
·letzten Monat·discuss
I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469
ashishb
·letzten Monat·discuss
> For dependabot it's as simple as > cooldown.default-days: 1

Most people stick to default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.
ashishb
·letzten Monat·discuss
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.

So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.

Even for single page website built using Vue, I would get about 5 updates a week.
ashishb
·letzten Monat·discuss
And why didn't they chose self-hosted for git then?
ashishb
·letzten Monat·discuss
Simpler answer: TINA (there is no better alternative)
ashishb
·letzten Monat·discuss
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?

And how will the project accumulate more?

> everyone knows it's gamed anyway, so why not?

Then why do they still have purchase value?
ashishb
·letzten Monat·discuss
> What stops a new platform from just mirroring GitHub stars on import or something, actually?

So, the source is still GitHub, right?

Which means I have to keep my FOSS project on GitHub to accumulate stars.
ashishb
·letzten Monat·discuss
Nginx was compelled to move to GitHub [1].

The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]

Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.

Well, that's not how the world works.

Fake stars can propel a good project to great.

A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.

The real lock-in is in GitHub stars [3].

1 - https://blog.nginx.org/blog/nginx-open-source-moves-to-githu...

2 - https://finance.biggo.com/podcast/1c9f14e134095b87

3 - https://ashishb.net/tech/github-stars/
ashishb
·vor 2 Monaten·discuss
Alpine is a bad idea for a non-trivial application written in Python, Node.js, or any other interpreted language.

Too many weird edge cases to deal with, especially related to Alpine using musl libc instead of glibc.

At best, your builds are slower.

At worst, certain code paths are broken.
ashishb
·vor 2 Monaten·discuss
Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.