HackerTrans
トップ新着トレンドコメント過去質問紹介求人

brasic

no profile record

投稿

Twitter accuses Threads of IP theft

dexerto.com
3 ポイント·投稿者 brasic·3 年前·1 コメント

Sign your Git commits with 1Password

blog.1password.com
16 ポイント·投稿者 brasic·4 年前·0 コメント

Better suggested pull request description from commit message

github.blog
3 ポイント·投稿者 brasic·4 年前·0 コメント

コメント

brasic
·2 年前·議論
The web-flow signing system is for users’ convenience in places where it’s not feasible to sign the commit with their own private key: commits made in the web interface or on an ephemeral GH-provisioned VM (codespace). For the latter, you are free to send your own private key to your codespace so you can sign your own commits but GitHub cannot because they don’t have your private key and don’t want to have it. Defaults matter and signed commits are important.

As a sibling notes, this use case and similar ones is the reason the committer field exists as distinct from the author field. I think a $10K bounty for this bug speaks to how seriously they stand behind the fact that they will only sign and mark as verified commits whose author field matches an authenticated user.

(Disclaimer: former GH employee)
brasic
·3 年前·議論
The research you do in that scenario would just tell you the prices which shares had actually changed hands at. A decentralized market-based price discovery mechanism cannot be considered collusion or price fixing, since it’s exactly the opposite.
brasic
·3 年前·議論


  > but you still need a Personal Access Token to integrate pull requests and issues with your Git client
(Nitpick from a former GH employee) PATs really are almost exclusively intended for personal testing with curl and such. The strongly preferred way for apps like you describe to work is a pseudo-OAuth flow (“GitHub Apps”) which yields a token that is not a Personal Access Token. Better in just about every way: more ergonomic, more secure (revocable, shorter duration, predictable fine grain scope with a mechanism for requesting additional permissions as apps change, etc), and requests are attributable to the application which generated them instead of just the user. If you use an app that actually requires generating and pasting a PAT, it’s either extremely old or made by someone who is not prioritizing security and user experience. It even works well in CLI apps, cf. the `gh` command line utility.
brasic
·3 年前·議論
Thanks for the links! I guess I shouldn’t be surprised that “E2E” doesn’t mean much for a meta service.
brasic
·3 年前·議論
Yep, to be clear I was agreeing with lolinder. I would have posted top level but they had already expressed almost exactly my objection to the article so I replied to avoid redundancy.
brasic
·3 年前·議論
It sounds almost exactly like the mechanics of a session cookie as implemented on nearly every website on earth. Exchange a password for a bearer credential that is randomly chosen and revocable. There are only so many basic ideas in security.
brasic
·3 年前·議論
“Please read my rant about how this useless hair-shirt I wear to clear first party cookies too often breaks the web (for me)”

  > the web has no notion of a “device”, and this is a very intentional design choice made for privacy purposes [...] why do web developers persist in believing in this fiction of a “device”?
Cookies are a core part of the web which enable the construction of stateful applications on top of a stateless protocol. “Remembered device” is usually just an extra cookie set on login, or a row in a backend database. It’s no more fictional than the web itself, which is after all just a series of electrical impulses over wires.

Whether a device (however you build that abstraction) has previously logged in is a high-signal data point that meaningfully increases account security at login time and all serious web security teams use it to protect their users.
brasic
·3 年前·議論
Mr. President, we must not allow a mutant AI super soldier gap!
brasic
·3 年前·議論
It doesn’t show as flagged for me. Time heals all wounds, if your comment is not objectionable it will usually be vouched for eventually. Which is one of the reasons it’s a rule here that you don’t complain about voting. Such comments also rarely age like wine :)
brasic
·3 年前·議論
What do you mean? WhatsApp rolled out E2E encryption between 2014 and 2016.

It’s by far the largest messaging service that is e2e encrypted by default. I think it’s more than fair to call it ahead of the curve for a service of its size.

https://www.wired.com/2014/11/whatsapp-encrypted-messaging/ https://blog.whatsapp.com/end-to-end-encryption
brasic
·3 年前·議論
Process separation was already in place. The PKCS#11 library is loaded by a long lived helper process, not ssh-agent itself.

  > (Note to the curious readers: for security reasons, and as explained in
  > the "Background" section below, ssh-agent does not actually load such a
  > shared library in its own address space (where private keys are stored),
  > but in a separate, dedicated process, ssh-pkcs11-helper.)

That didn’t help because the long lived nature of the helper process exposed it to the shared lib side effects such that they could be chained into a gadget. If I understand correctly, the long life is important for interacting with many smart cards and HSMs because of their APIs.

If you are suggesting that there should be an IPC API for this process and vendors ship a full program that speaks it, that seems reasonable at a glance, but not really something the OpenSSH project can dictate.
brasic
·3 年前·議論
How would this even be mitigated while preserving the (wacky) existing support for runtime-selected PKCS#11 provider libraries? It strikes me that the most compatible way might be to double down on the wackiness and try to perform the required feature detection in some more indirect way like parsing the named lib with readelf(1) or the platform equivalent.

The sensible thing would be to force users to register available provider shared libraries in an ssh-agent config file, but that feels like a pretty big breaking change.

Edit: Didn’t realize a patch was already available. I see that they did in fact fix this with a breaking change, by simply disabling the functionality by default, and recommending that users allowlist their specific libraries:

  Potentially-incompatible changes
  --------------------------------
  
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11"
https://www.openssh.com/releasenotes.html#9.3p2
brasic
·3 年前·議論
Pre-acquisition WhatsApp was built using Erlang and had an impressively large user-to-server ratio IIRC. I expect that since then things have mostly been rebuilt to use existing meta shared infrastructure which might not be as stable or efficient.
brasic
·3 年前·議論
Glad to see a custom merge driver being used here - they’re one of the most powerful of git’s obscure features. Large teams working on a monorepo inevitably start noticing that particular files are magnets for conflicts (or other times, in cases like this, some files are a huge pain to resolve whenever they conflict).

This happens especially frequently if your team uses a lot of CIGARs (checked in generated artifacts)

In most cases writing a simple driver to automatically handle the conflict resolution is pretty straightforward (especially if the resolution is usually just to regenerate a generated file) and well worth the up front effort to eliminate ongoing conflict headaches.

https://git-scm.com/docs/gitattributes#_defining_a_custom_me...

The main hassle is that for security reasons all developers need to opt in by registering the merge driver , which you can put in a project bootstrap script if you have one. Would be great if GitHub (disclaimer: where I used to work) would integrate custom merge drivers in their internal conflict resolution flow.
brasic
·3 年前·議論
From OP:

  > Now with all those aptitude training [...] that require you to turn on your webcam
They are referring to an automated personality or skills test to screen candidates. The webcam is to make sure the applicant is the one actually doing the test. These things are dehumanizing and snake-oil but there’s’s no question that applicant misrepresentation happens, including situations where the person interviewing is a ringer being paid by an agency or the applicant.
brasic
·3 年前·議論
The conflation of “spyware” ie tracking for monetization purposes with telemetry used by developers to ensure the health of production systems is foolish and harmful.

Homebrew is a complex system that can break in lots of ways, and it’s being developed on an entirely open source basis, with no company behind it.

Having some visibility into the operation of a running system is table stakes. You’re asking the developers donating their time to this very useful project to tie a hand behind their back because you are paranoid.

More often than not, if people like you got their way OSS software just wouldn’t be built, or would be taken over by a for profit entity that has much less benign ideas about spyware.

This is literally a story about the homebrew project listening to the community and migrating to privacy-preserving self-hosted analytics. People like you will never be happy, so they should be entirely ignored.
brasic
·3 年前·議論
I assume OP was referring to “source available” schemes where the source is published or sometimes selectively disclosed but not licensed for anything other than review, ie you lack the right to run or copy it.

Needless to say, it’s not accurate to call that “open source”.
brasic
·3 年前·議論
I’ve done nothing of the sort.

As I said throughout this thread, the injunction prohibits any communications based on a vague and subjective content or motive between a group of approx. 500,000 citizens who are US government employees and several million individuals worldwide who are employed by any of the named social media companies, nonprofits, or similar organizations.

This is not ok. If restrictions on speech are ever justified they have to be narrowly tailored in terms of content and substance, neither of which is true here.
brasic
·3 年前·議論
The actual letter is here: https://twitter.com/Dexerto/status/1677027980940398599

edit: It looks like this was already submitted and I missed it: https://news.ycombinator.com/item?id=36621741. Looks like it’s too late to delete this submission. Apologies.
brasic
·3 年前·議論
Adding a list of carve outs doesn’t make the ban ok.