HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ashishb

1,042 karmajoined 14 năm trước
Software engineer & blogger - https://ashishb.net/about

Submissions

EMF and Kids

ashishb.net
2 points·by ashishb·5 ngày trước·0 comments

I was asked to install malware during a fake interview

ashishb.net
54 points·by ashishb·2 tháng trước·10 comments

Amazing Sandbox (asb) – a Docker-based sandbox for running third-party code

github.com
1 points·by ashishb·7 tháng trước·0 comments

The real lock-in in GitHub is not the code, but the stars

ashishb.net
6 points·by ashishb·7 tháng trước·7 comments

Reddit Migrates Comment Back End from Python to Go Microservice to Halve Latency

infoq.com
6 points·by ashishb·7 tháng trước·1 comments

Best practices for using Python and uv inside Docker

ashishb.net
7 points·by ashishb·9 tháng trước·0 comments

comments

ashishb
·8 ngày trước·discuss
Listen to any on the Elon Musk interviews, he knows more technical intricacies of his 1000+ employee companies than your average startup founder with 10 employees.
ashishb
·25 ngày trước·discuss
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
ashishb
·25 ngày trước·discuss
I wonder what percentage of pull requests are cascading updates caused by dependabot and multiple code review bots reviewing those PRs.

My belief is it is likely 1% or more. And likely coming in as an avalanche.
ashishb
·tháng trước·discuss
Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
ashishb
·tháng trước·discuss
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?
ashishb
·tháng trước·discuss
> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
ashishb
·tháng trước·discuss
That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
ashishb
·tháng trước·discuss
I have some ideas around it. And indeed that's one likely direction of this project in the future.
ashishb
·tháng trước·discuss
This has been responded to in the past by another HN poster: https://news.ycombinator.com/item?id=47612726

Furthermore, you can use native sandboxing on macOS if you prefer.

If neither looks serious to you, then please educate me on a better sandboxing approach.
ashishb
·tháng trước·discuss
Nobody should do 'npm install' or 'pip install' on their machine.

Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
ashishb
·tháng trước·discuss
I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469
ashishb
·tháng trước·discuss
> For dependabot it's as simple as > cooldown.default-days: 1

Most people stick to default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.
ashishb
·tháng trước·discuss
Hypothesis: a big accelerant of these rapid repository compromise (from Red hat to GitHub to Amazon to small startups) might be GitHub+dependabot automatic dependency updates.

So, just like COVID-19 used air travel, modern malware attacks are relying on GitHub+dependabot to speed up the spread.

Even for single page website built using Vue, I would get about 5 updates a week.
ashishb
·tháng trước·discuss
And why didn't they chose self-hosted for git then?
ashishb
·tháng trước·discuss
Simpler answer: TINA (there is no better alternative)
ashishb
·tháng trước·discuss
> I'm thinking like "you had 200 GitHub stars before coming to us so we start you with 200 stars" as a migration process. maybe they wouldn't be as reputable but everyone knows it's gamed anyway, so why not?

And how will the project accumulate more?

> everyone knows it's gamed anyway, so why not?

Then why do they still have purchase value?
ashishb
·tháng trước·discuss
> What stops a new platform from just mirroring GitHub stars on import or something, actually?

So, the source is still GitHub, right?

Which means I have to keep my FOSS project on GitHub to accumulate stars.
ashishb
·tháng trước·discuss
Nginx was compelled to move to GitHub [1].

The fact that companies request you to star them on GitHub and the stars can be bought tells you that there is a value in these stars. [2]

Now, some astute reader, who thinks the $1 trillion global advertisement market does not influence them, will also claim that they don't care about GitHub stars.

Well, that's not how the world works.

Fake stars can propel a good project to great.

A lot of people will use GitHub stars as a currency to decide the importance of certain FOSS (or even open-core) projects.

The real lock-in is in GitHub stars [3].

1 - https://blog.nginx.org/blog/nginx-open-source-moves-to-githu...

2 - https://finance.biggo.com/podcast/1c9f14e134095b87

3 - https://ashishb.net/tech/github-stars/
ashishb
·2 tháng trước·discuss
Alpine is a bad idea for a non-trivial application written in Python, Node.js, or any other interpreted language.

Too many weird edge cases to deal with, especially related to Alpine using musl libc instead of glibc.

At best, your builds are slower.

At worst, certain code paths are broken.
ashishb
·2 tháng trước·discuss
Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.