HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ashishb

1,042 karmajoined 14 ปีที่แล้ว
Software engineer & blogger - https://ashishb.net/about

Submissions

EMF and Kids

ashishb.net
2 points·by ashishb·5 วันที่ผ่านมา·0 comments

I was asked to install malware during a fake interview

ashishb.net
54 points·by ashishb·2 เดือนที่ผ่านมา·10 comments

Amazing Sandbox (asb) – a Docker-based sandbox for running third-party code

github.com
1 points·by ashishb·7 เดือนที่ผ่านมา·0 comments

The real lock-in in GitHub is not the code, but the stars

ashishb.net
6 points·by ashishb·7 เดือนที่ผ่านมา·7 comments

Reddit Migrates Comment Back End from Python to Go Microservice to Halve Latency

infoq.com
6 points·by ashishb·7 เดือนที่ผ่านมา·1 comments

Best practices for using Python and uv inside Docker

ashishb.net
7 points·by ashishb·9 เดือนที่ผ่านมา·0 comments

comments

ashishb
·8 วันที่ผ่านมา·discuss
Listen to any on the Elon Musk interviews, he knows more technical intricacies of his 1000+ employee companies than your average startup founder with 10 employees.
ashishb
·25 วันที่ผ่านมา·discuss
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
ashishb
·25 วันที่ผ่านมา·discuss
I wonder what percentage of pull requests are cascading updates caused by dependabot and multiple code review bots reviewing those PRs.

My belief is it is likely 1% or more. And likely coming in as an avalanche.
ashishb
·เดือนที่แล้ว·discuss
Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
ashishb
·เดือนที่แล้ว·discuss
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?
ashishb
·เดือนที่แล้ว·discuss
> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
ashishb
·เดือนที่แล้ว·discuss
That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
ashishb
·เดือนที่แล้ว·discuss
I have some ideas around it. And indeed that's one likely direction of this project in the future.
ashishb
·เดือนที่แล้ว·discuss
This has been responded to in the past by another HN poster: https://news.ycombinator.com/item?id=47612726

Furthermore, you can use native sandboxing on macOS if you prefer.

If neither looks serious to you, then please educate me on a better sandboxing approach.
ashishb
·เดือนที่แล้ว·discuss
Nobody should do 'npm install' or 'pip install' on their machine.

Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
ashishb
·เดือนที่แล้ว·discuss
I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469
ashishb
·เดือนที่แล้ว·discuss
> For dependabot it's as simple as > cooldown.default-days: 1

Most people stick to default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.
ashishb
·เดือนที่แล้ว·discuss
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.

So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.

Even for single page website built using Vue, I would get about 5 updates a week.
ashishb
·เดือนที่แล้ว·discuss
And why didn't they chose self-hosted for git then?
ashishb
·เดือนที่แล้ว·discuss
Simpler answer: TINA (there is no better alternative)
ashishb
·เดือนที่แล้ว·discuss
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?

And how will the project accumulate more?

> everyone knows it's gamed anyway, so why not?

Then why do they still have purchase value?
ashishb
·เดือนที่แล้ว·discuss
> What stops a new platform from just mirroring GitHub stars on import or something, actually?

So, the source is still GitHub, right?

Which means I have to keep my FOSS project on GitHub to accumulate stars.
ashishb
·เดือนที่แล้ว·discuss
Nginx was compelled to move to GitHub [1].

The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]

Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.

Well, that's not how the world works.

Fake stars can propel a good project to great.

A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.

The real lock-in is in GitHub stars [3].

1 - https://blog.nginx.org/blog/nginx-open-source-moves-to-githu...

2 - https://finance.biggo.com/podcast/1c9f14e134095b87

3 - https://ashishb.net/tech/github-stars/
ashishb
·2 เดือนที่ผ่านมา·discuss
Alpine is a bad idea for a non-trivial application written in Python, Node.js, or any other interpreted language.

Too many weird edge cases to deal with, especially related to Alpine using musl libc instead of glibc.

At best, your builds are slower.

At worst, certain code paths are broken.
ashishb
·2 เดือนที่ผ่านมา·discuss
Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.