HackerTrans
TopNewTrendsCommentsPastAskShowJobs

xmodem

no profile record

comments

xmodem
·13 dagen geleden·discuss
If you can reproduce it reliably and doing so generates some form of telemetry, then just set up some automation to keep doing that in a loop. From as many machines as possible.

No comment is offered on if I have ever gotten a bug noticed this way.
xmodem
·24 dagen geleden·discuss
Hell, I've hand-written a large PR as a single commit and then asked claude to break it down for me at least once. But I think the fact doing this task by hand is a tedious, time-consuming hassle is not because it inherently has to be but because the tooling for doing it has barely changed in the past 15 years.
xmodem
·24 dagen geleden·discuss
What percentage of CVEs can be used to obtain a shell, but can't otherwise be used to obtain some other form of code execution in a distro-less container?
xmodem
·24 dagen geleden·discuss
I am aware, thank you :). I responded to a sibling dupe-comment over here [1].

To summarize, in my experience there is immense value to having basic shell tools available in the environment where you need them with zero extra friction. Stripping those out provides a security benefit only in specific nebulous and niche scenarios.

1: https://news.ycombinator.com/item?id=48561605
xmodem
·25 dagen geleden·discuss
Nope, not my position at all. I want to have a minimal OS environment with rudimentary tools available with zero extra friction. FROM alpine:latest adds less than 10MB and covers 95% of use cases. Typically depending on the container I will often throw in curl and some other QoL tools too.

For the rare cases where you find yourself needing to attach a debugger to your pods running in staging/prod, a debug container is absolutely the right tool to reach for.
xmodem
·25 dagen geleden·discuss
Yup! They are a good solution to the massive problem you caused for yourself by implementing a different "solution" to a non-problem.

And even that's only true if you assume kubernetes is the only place your container runs where you might want to also debug it.
xmodem
·25 dagen geleden·discuss
> FROM scratch just reduces the surface.

The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org.

It's important not to confuse the two.
xmodem
·25 dagen geleden·discuss
> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?
xmodem
·25 dagen geleden·discuss
More than one ~500 employee company I've worked at has had security policies either encouraging or requiring the use of "distro-less" images - images with no OS components other than the absolute minimum required to run the application. For go binaries this meant literally nothing in the container apart from the executable.

In theory it has a couple of benefits. You don't have to re-deploy your image to patch CVE's in OS components if you don't have any OS components. And it provides some measure of defence-in-depth - one could certainly theory-craft a scenario where an attacker gains some limited control over your application and then uses some OS component to escalate.

These days if a security engineer is proposing my team adopt distro-less containers to receive these benefits, I would point out that we need to weigh them against the very real drawbacks of not having standard debugging tools available where and when we need them. And also to consider the relative impact of other defence-in-depth measures they could be pursuing instead - such as any sort of network policy to limit network traffic.
xmodem
·2 maanden geleden·discuss
I see a lot of commentators in this thread who are aggressively critical of volunteer maintainers for making a decision about how to maximize the value of the free labor they donate to the world.

And yet none have offered to volunteer their time to maintain a downstream fork or otherwise rectify the perceived problem.

Strange.
xmodem
·2 maanden geleden·discuss
Rather than have complexity centralised and managed, let's generate the same vulnerable code across millions of apps. Great plan.
xmodem
·2 maanden geleden·discuss
TUIs suck and the only reason they are seeing a re-surgency of relevance is because everything else sucks more along one or more critical metrics. Given the truly incomprehensible amount of CPU and GPU power we have available, this is truly a blight on our industry.
xmodem
·2 maanden geleden·discuss
I just want a button that says "approve and merge these 3 commits now but these two need re-work"
xmodem
·3 maanden geleden·discuss
Don't anthropomorphize the language model. If you stick your hand in there, it'll chop it off. It doesn't care about your feelings. It can't care about your feelings.
xmodem
·3 maanden geleden·discuss
So it's only wrong in a technical and pedantic sense. A better phrasing might have been along the lines of "There are many sequences of tokens that will destroy your production database that are within the set of possible outputs"
xmodem
·3 maanden geleden·discuss
It's an objection to adding a new dependency, not an attempt to remove an existing one. If we can't stop adding new dependencies, we are certain to be stuck with the status quo forever.
xmodem
·4 maanden geleden·discuss
It's almost as if comments on a website called "hacker news" are written by individuals with differing and varying opinions, and not by some nebulous hive-mind that purports to be internally consistent.
xmodem
·4 maanden geleden·discuss
The problem is that the well you are drinking from has in fact been poisoned. Maybe you think you can tolerate it but some projects are taking a policy decision that any exposure is too dangerous and that is IMO perfectly reasonable.
xmodem
·4 maanden geleden·discuss
The fact that the AI agent will just go and attempt to do whatever insane shit I can dream up is both the most fun thing about playing with it, and also terrifying enough to make me review its output carefully before it goes anywhere near production.

(Hot take: If you're not using --dangerously-skip-permissions, you don't have enough confidence in your sandbox and you probably shouldn't be using a coding agent in that environment)
xmodem
·4 maanden geleden·discuss
An engineer recklessly ran untrusted code directly in a production environment. And then told on himself on Twitter.