HackerTrans
トップ新着トレンドコメント過去質問紹介求人

ashishb

1,042 カルマ登録 14 年前
Software engineer & blogger - https://ashishb.net/about

投稿

EMF and Kids

ashishb.net
2 ポイント·投稿者 ashishb·5 日前·0 コメント

I was asked to install malware during a fake interview

ashishb.net
54 ポイント·投稿者 ashishb·2 か月前·10 コメント

Amazing Sandbox (asb) – a Docker-based sandbox for running third-party code

github.com
1 ポイント·投稿者 ashishb·7 か月前·0 コメント

The real lock-in in GitHub is not the code, but the stars

ashishb.net
6 ポイント·投稿者 ashishb·7 か月前·7 コメント

Reddit Migrates Comment Back End from Python to Go Microservice to Halve Latency

infoq.com
6 ポイント·投稿者 ashishb·7 か月前·1 コメント

Best practices for using Python and uv inside Docker

ashishb.net
7 ポイント·投稿者 ashishb·9 か月前·0 コメント

コメント

ashishb
·8 日前·議論
Listen to any on the Elon Musk interviews, he knows more technical intricacies of his 1000+ employee companies than your average startup founder with 10 employees.
ashishb
·25 日前·議論
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
ashishb
·25 日前·議論
I wonder what percentage of pull requests are cascading updates caused by dependabot and multiple code review bots reviewing those PRs.

My belief is it is likely 1% or more. And likely coming in as an avalanche.
ashishb
·先月·議論
Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
ashishb
·先月·議論
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?
ashishb
·先月·議論
> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
ashishb
·先月·議論
That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
ashishb
·先月·議論
I have some ideas around it. And indeed that's one likely direction of this project in the future.
ashishb
·先月·議論
This has been responded to in the past by another HN poster: https://news.ycombinator.com/item?id=47612726

Furthermore, you can use native sandboxing on macOS if you prefer.

If neither looks serious to you, then please educate me on a better sandboxing approach.
ashishb
·先月·議論
Nobody should do 'npm install' or 'pip install' on their machine.

Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
ashishb
·先月·議論
I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469
ashishb
·先月·議論
> For dependabot it's as simple as > cooldown.default-days: 1

Most people stick to default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.
ashishb
·先月·議論
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.

So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.

Even for single page website built using Vue, I would get about 5 updates a week.
ashishb
·先月·議論
And why didn't they chose self-hosted for git then?
ashishb
·先月·議論
Simpler answer: TINA (there is no better alternative)
ashishb
·先月·議論
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?

And how will the project accumulate more?

> everyone knows it's gamed anyway, so why not?

Then why do they still have purchase value?
ashishb
·先月·議論
> What stops a new platform from just mirroring GitHub stars on import or something, actually?

So, the source is still GitHub, right?

Which means I have to keep my FOSS project on GitHub to accumulate stars.
ashishb
·先月·議論
Nginx was compelled to move to GitHub [1].

The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]

Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.

Well, that's not how the world works.

Fake stars can propel a good project to great.

A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.

The real lock-in is in GitHub stars [3].

1 - https://blog.nginx.org/blog/nginx-open-source-moves-to-githu...

2 - https://finance.biggo.com/podcast/1c9f14e134095b87

3 - https://ashishb.net/tech/github-stars/
ashishb
·2 か月前·議論
Alpine is a bad idea for a non-trivial application written in Python, Node.js, or any other interpreted language.

Too many weird edge cases to deal with, especially related to Alpine using musl libc instead of glibc.

At best, your builds are slower.

At worst, certain code paths are broken.
ashishb
·2 か月前·議論
Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.