HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wallrat

no profile record

Submissions

Nezha: Deployable and High-Performance Consensus Using Synchronized Clocks

dl.acm.org
2 points·by wallrat·hace 3 años·0 comments

comments

wallrat
·hace 10 meses·discuss
There are a few commercial products that allow you to do this also for other ecosystems (e.g. maven, nuget, pypi etc), including ours https://docs.bytesafe.dev/policies/delay-upstream/

Good to see some OSS alternatives showing up!
wallrat
·hace 10 meses·discuss
There are dependency firewalls that let you enforce this (e.g. https://docs.bytesafe.dev/policies/delay-upstream/). Don't know any OSS solutions though.
wallrat
·el año pasado·discuss
How does this relate to the OWASP/Ecma Common Lifecycle Enumeration Specification (https://tc54.org/cle/)?
wallrat
·el año pasado·discuss
Been tracking this project for a while https://github.com/chains-project/ghasum . It creates a verifiable checksum manifest for all actions - still in development but looks very promising.

Will be a good compliment to Github's Immutable Actions when they arrive.
wallrat
·el año pasado·discuss
Very well written (as expected) argument for RSC. It's interesting to see the parallels with Inertia.js.

(a bit sad to see all the commenters that clearly haven't read the article though)
wallrat
·hace 3 años·discuss
Still have the Turbo Pascal 1.0 manual on my shelf. It was the first language I picked up after Basic and QuickBasic as a child.

Wrote a couple of interesting things a few years later in TP 5.5, including a BBS/Kom system and a MUD (with 4 dial-in lines).

Found the source a few years back, was an interesting read a few decades later.
wallrat
·hace 3 años·discuss
Is there any effort to integrate SLSA with PyPI? GitHub recently announced[1] that npm support for SLSA is GA now.

[1] https://github.blog/changelog/2023-09-26-npm-provenance-gene...
wallrat
·hace 3 años·discuss
> Next step ist to establish good tooling around publishing VEX statements (Vulnerability Exploitability Exchange). That is currently not easy.

Agreed.

Tooling is needed for creating/publishing/consuming both VEX statements for applications (i.e. exploitability of a dependency in context), but also VEX statements from library authors (many times the actual experts, like the OP) as a way dispute the weakness/exploitability.

Currently working hard on this [1]. When the tooling is in place the next step for the industry will be discoverability of SBOM/VEX/VDR attestations. Sigstore/Rekor [2] looks to be a viable alternative here.

> Vulnerabilities are reported (using CPE, pURL etc.) at the "library" or "application" level but they really exist at a much more granular level (e.g. a single function is affected and if that's not used there's no problem).

Again, agreed. Reachability info needs to be commoditized, standardized and shared. The current situation where it's a feature used by vendors to compete is not ideal.

[1] <https://sbom.observer> [2] <https://www.sigstore.dev>
wallrat
·hace 3 años·discuss
The best kind of "problem" to have. Expect to build features, integrations and other customizations, and factor in the costs. You can do that with a higher "base" price, or include professional services into the contract (but be careful with IP rights). Use a per-seat model internally (more users = more support etc) and offer fixed price point per year. Expect to them to want to negotiate a large discount on the "list" price, so start higher than you might think.
wallrat
·hace 3 años·discuss
DISCLOSURE: I'm working on commercial tooling for this exact problem [1]

> 1) What would your expectations be towards a software vendor in terms of what issues to "fix"?

I would want the vendor to communicate their analysis for all CVEs, i.e. letting us know which are exploitable or not, and what kind of response they are planning, or any fixes released.

There are efforts to standardize this workflow with Vulnerability Disclosure Reports (VDRs)[2] and Vulnerability Exploitability eXchange VEXs[3]. Both these use cases are covered by OWASP CycloneDx[4].

> 2) Is anyone aware of a security database & evaluation tool geared for vendors not for end-users?

IMHO, there are not any good tools available that solve the complete workflow. We are certainly aiming to fix that with[1], but it will take some time.

[1] https://sbom.observer

[2] https://www.cisa.gov/resources-tools/resources/minimum-requi...

[3] https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/f...

[4] https://cyclonedx.org/capabilities/vex/