Both are billion dollar companies, we as individuals have nothing in common with them. Enshittification happens due to market conditions that apply to small and large companies alike. Redis and elasticsearch aren't underdogs fighting for the little guy, they are just a smaller scale version of the same shit.
I'd rather have a software commons and have tech be owned by the workers and not soul-sucking corporations, no matter the size.
+1 for Node-RED. If we've learned anything from elasticsearch/redis/bitnami/and dozens of others, it should be "don't build important things on code that isn't enshittification-resistant"
If you are actually against the policy and suspect a lot of people are too, then don't silence your employees by keeping their feedback isolated to 1:1s which you admit are ineffective.
Executives need clear feedback to avoid making major mistakes.
Code signing, 2FA, and reducing dependencies are all incomplete solutions. What we need is fine-grained sandboxing, down to the function and type level. You will always be vulnerable as long as you're relying on fallible humans (even yourself) to catch or prevent vulnerabilities.
Apparently they've tried to implement this in JavaScript but the language is generally too flexible to resist a malicious package running in the same process.
We need to be using different languages with runtimes that don't allow privileged operations by default.
Amazon really encourages valkey in the elasticache dashboard. There's a banner advertising lower prices and it's listed first in the dropdown when you go to create one. Default settings do have power.
When you all self-host this, you also do the following, right?
- Create threat models that identify weaknesses in the design of your self-hosted setup.
- Harden the OS with things like MAC, and harden the container with dropped privs, read-only root filesystem, and outbound network filtering.
- Deploy an intrusion detection system to know if you've been compromised.
- Perform all OS and app patching automatically, or regularly without fail.
- Follow CVE feeds in case a zero day needs to be fixed before the next patch window.
- Arrange for an expert to perform regular penetration tests.
- Deploy a tool that detects and alerts on things like firewall misconfigurations.
- Regularly test your backup and recovery methods, since if you also store 2FA codes and backup codes in there, you could be permanently locked out of your accounts.
In my case, I couldn't imagine configuring LittleSnitch to only allow certain hostnames from my browser. It has a "allow all traffic to 53/80/443" rule, otherwise most websites would flood me with hundreds of new LittleSnitch popups.