Just a regular Joe.

  • 0 Posts
  • 62 Comments
Joined 1 year ago
cake
Cake day: July 7th, 2023

help-circle

  • I have two apparmor profiles targeting shell scripts, which can run other programs. One is “audit” (permissive with logging) and the other is “safe” (enforcing).

    The safe profile still has a lot of read access, but not to any directories or files with secrets or private data. Write access is only to the paths and files it needs, and I regularly extend it.

    For a specific program that should have very restricted network access, I have some iptables (& ip6tables) rules that only apply to a particular gid, and I have a setgid wrapper script.

    Note: This is all better than nothing, but proper segregation would be better. Running things on separate PCs, VMs or even unpriviliged containers.



  • Temporal is MIT licensed and comes with multi-tenant security features and its durable execution model is solid and scalability is phenomenal. They upsell to the cloud offering and the default OSS auth plugin is intentionally limited (you might want to develop your own if you self-host). You’d probably only look at the Temporal UI when debugging.

    Windmill is very cool, but it is only suitable for trusted teams due to its security model. If you want to be able to develop scripts and workflows in the web browser and run them together with trusted colleagues, on a schedule etc., then windmill might just be for you!




  • NFSv3 (udp, stateless) was always as reliable as the network infra under Linux, I found. NFSv4 made things a bit more complicated.

    You don’t want any NAT / stateful connection tracking in the network path (anything that could hiccup and forget), and wired connections only for permanent storage mounts, of course.


  • Hah. I hadn’t seen that article / heard of the theory, but as far as crackpot theories/hypotheses go, it’s one of the more likely (edit: to come about). I doubt it’s anywhere near the majority yet, personally.

    It was already obvious that propaganda news articles (on obscure websites) had orchestrated releases and promotion on social media, in a massive circle jerk, and I assumed machine generated/assisted content was involved. Then ChatGPT hit the headlines and we all had the power.


  • Whose deepfake influencers do you “trust” more? US, China, russia and a few lesser players are already working to control the information space / spread propaganda (note: not necessarily/always lies, but there is typically a focus or spin) far and wide.

    We know people are highly influenced by propaganda (some more than others, but all of us are) and that quantity and repetition plays a role. Since this is now an established battlefield, I’d like our (western) defences to be strong.

    It has potential for abuse, certainly. That’s par for the course. There is also the potential for it to be used to debunk fake news, shock people out of false beliefs, and help reconnect people to reality. Let’s see how this plays out. popcorn time





  • https://opensource.stackexchange.com/questions/8367/is-the-term-open-source-a-trademark has a discussion about this.

    The short story is that the OSI failed to obtain a legal trademark in the US for the term “open source” (software), resulting in many opportunistic companies and individuals adopting the term popularized by the OSI (which was founded by Eric Raymond, Michael Tiemann and Bruce Perens).

    There was controversy at the time due to it being a business-friendly spin on the ideological “free software”, and I personally avoided using the term for many years as a result. Even without a trademark on the now generic term of Open Source, there is still value in the OSI brand and its stamp of approval on a license.

    Those who want to be crystal clear, should probably always say OSI Approved Open Source License.

    Now, I’m off to have a Nescafé Approved Coffee.





  • It is possible to wrap something like python into a single file, which is extracted (using standard shell tools) into a tmpdir at runtime.

    You might also consider languages that can compile to static binaries - something like nim (python like syntax), although you could also make use of nimscript. Imagine nimscript as your own extensible interpreter.

    Similarly, golang has some extensible scripting languages like https://github.com/traefik/yaegi - go has the advantage of easy cross compiling if you need to support different machine architectures.