HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wallrat

no profile record

comments

wallrat
·10개월 전·discuss
There are a few commercial products that allow you to do this also for other ecosystems (e.g. maven, nuget, pypi etc), including ours https://docs.bytesafe.dev/policies/delay-upstream/

Good to see some OSS alternatives showing up!
wallrat
·10개월 전·discuss
There are dependency firewalls that let you enforce this (e.g. https://docs.bytesafe.dev/policies/delay-upstream/). Don't know any OSS solutions though.
wallrat
·작년·discuss
How does this relate to the OWASP/Ecma Common Lifecycle Enumeration Specification (https://tc54.org/cle/)?
wallrat
·작년·discuss
Been tracking this project for a while https://github.com/chains-project/ghasum . It creates a verifiable checksum manifest for all actions - still in development but looks very promising.

Will be a good compliment to Github's Immutable Actions when they arrive.
wallrat
·작년·discuss
Very well written (as expected) argument for RSC. It's interesting to see the parallels with Inertia.js.

(a bit sad to see all the commenters that clearly haven't read the article though)
wallrat
·3년 전·discuss
Still have the Turbo Pascal 1.0 manual on my shelf. It was the first language I picked up after Basic and QuickBasic as a child.

Wrote a couple of interesting things a few years later in TP 5.5, including a BBS/Kom system and a MUD (with 4 dial-in lines).

Found the source a few years back, was an interesting read a few decades later.
wallrat
·3년 전·discuss
Is there any effort to integrate SLSA with PyPI? GitHub recently announced[1] that npm support for SLSA is GA now.

[1] https://github.blog/changelog/2023-09-26-npm-provenance-gene...
wallrat
·3년 전·discuss
> Next step ist to establish good tooling around publishing VEX statements (Vulnerability Exploitability Exchange). That is currently not easy.

Agreed.

Tooling is needed for creating/publishing/consuming both VEX statements for applications (i.e. exploitability of a dependency in context), but also VEX statements from library authors (many times the actual experts, like the OP) as a way dispute the weakness/exploitability.

Currently working hard on this [1]. When the tooling is in place the next step for the industry will be discoverability of SBOM/VEX/VDR attestations. Sigstore/Rekor [2] looks to be a viable alternative here.

> Vulnerabilities are reported (using CPE, pURL etc.) at the "library" or "application" level but they really exist at a much more granular level (e.g. a single function is affected and if that's not used there's no problem).

Again, agreed. Reachability info needs to be commoditized, standardized and shared. The current situation where it's a feature used by vendors to compete is not ideal.

[1] <https://sbom.observer> [2] <https://www.sigstore.dev>