There was an RFD for Hubris; it laid out the basic concepts and design goals, as well as non-goals. But after that, it's largely just iterating. When I joined there were four or five people working on Hubris regularly; we have weekly meetings where we sync up, talking about what we're working on, and discuss things.
There are local groceries though, and also local services that can't be remote or online. Groceries alone are a big part of my budget after rent. Clothes & stuff I have managed to bring to the minimum: one or two online purchases per month at most (some months even zero).
My local grocer is a Safeway (a nationwide American store chain). For most of the year, fruits and vegetables are imported from other states or countries, like cherries from South America and lettuce from California. And I doubt my Cheerios and Nutella are cooked locally. Pretty much the only local impact of grocery shopping is all the low-paying jobs they create, like shelf stockers and Instacart people.
To mitigate this kind of supply chain attack for Python, we have created the following tool [1], which will check Python packages on the Artifactory instance you specify and create packages with the same name on PyPI.
Yes, if you have packages on the Artifactory, the `index-url` is always the way to go. However, if you forget to specify `no-index`, you might not get what you wanted; see [1] for how packages are found. And it's easy to make such a mistake when using local resources (you forget to set the proxy or internal DNS, a new developer is not familiar with the setup and does a plain `pip install`, the internal server is temporarily unreachable).
> It just pollutes PyPI and is a nuisance to others.
I agree, but so are the packages that are no longer maintained. You also reserve the package name if you decide to open-source it. Furthermore, by creating a package you are leaking metadata about your organization, i.e. some functionality can be inferred from package names.
And sure, you can train and try to enforce security awareness, but your people need to be right 100% of the time, while attackers need them to make only one mistake. Similarly with name-squatting of popular packages.
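A check in the spirit of the tool described above, written as an added example (it is not the commenter's tool [1] nor any existing library): it normalizes internal package names per PEP 503 and sorts them by dependency-confusion exposure, also flagging internal names that collide with unrelated public packages, which goes slightly beyond the thread. The internal names, owned names and the stand-in PyPI lookup are constructed for illustration; `exists_on_pypi` is the live variant.

```python
import re
import urllib.request
from urllib.error import HTTPError

def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Acme_Billing' and 'acme-billing' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def exists_on_pypi(name: str) -> bool:
    """Live lookup against PyPI's JSON API: 200 means the name is taken, 404 means it is free."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{normalize(name)}/json", timeout=10):
            return True
    except HTTPError as err:
        if err.code == 404:
            return False
        raise

def classify(internal_names, owned_public_names, exists=exists_on_pypi) -> dict:
    """Sort internal package names by dependency-confusion exposure.

    unclaimed : not on PyPI, so anyone could publish it (claim it, or pin resolution to the internal index)
    conflict  : on PyPI under someone else's control; a plain `pip install` may fetch that one instead
    owned     : on PyPI and published by us, nothing to do
    """
    owned = {normalize(n) for n in owned_public_names}
    result = {"unclaimed": [], "conflict": [], "owned": []}
    for raw in internal_names:
        name = normalize(raw)
        if name in owned:
            result["owned"].append(name)
        elif exists(name):
            result["conflict"].append(name)
        else:
            result["unclaimed"].append(name)
    return result

# Constructed sample: hypothetical internal names and a stand-in for the PyPI lookup (no network).
INTERNAL = ["acme-internal-utils", "Acme_Billing", "requests"]
OWNED_PUBLIC = ["acme-billing"]
FAKE_PYPI = {"requests", "acme-billing"}

def demo() -> dict:
    return classify(INTERNAL, OWNED_PUBLIC, exists=lambda n: n in FAKE_PYPI)
```

Against a real Artifactory, the internal name list would come from the repository's package listing and `exists` would be left at its default.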
The thing that just happened is like a catastrophic chain-reaction collision in space. Now we will have to use GUIDs for everything. Nothing has meaning.
Here is one interesting project that lets you see in almost real time leaked secrets (or suspected secrets; there might be false positives) across GitHub, Gists, GitLab, and Bitbucket: https://www.shhgit.com/
You could add those checks to pre-commit hooks. However, the problem with those hooks is that they need to be added locally by the user. There are already modules/libraries with sets of regexes that are able to perform the filtering you are suggesting.
Another option is to use the pipeline to perform those checks. Sure, by the time the pipeline runs, the secrets are already in the repository, but at least you caught them early. However, in this case you should definitely do secret replacement.
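A concrete form of the regex-based check discussed above, as an added example (not code from the thread or from any existing secrets-scanning library): structural patterns for values that are recognizable on their own, a Shannon-entropy filter for generic `key = "..."` assignments to suppress placeholders, and a pre-commit entry point that scans only the lines being added in the staged diff. The sample file, the 3.5-bit threshold and the hypothetical path are constructed; the AWS id is the example id from AWS's own documentation.

```python
import math
import re
import subprocess

# Patterns that identify a secret by structure alone (no entropy check needed).
STRUCTURAL = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Credential-like assignment; the quoted value (group 2) is then entropy-checked.
ASSIGNMENT = re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per char; filters placeholders such as "changeme-changeme"

# Constructed sample input (hypothetical config file); the AWS id is the documented AWS example id.
SAMPLE = """region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changeme-changeme-changeme"
api_key = "x7Gq2LpZ9vTb4RkM1nWd8yHs"
-----BEGIN RSA PRIVATE KEY-----
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies in s."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str, path: str) -> list:
    """Return (path, line_number, rule) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in STRUCTURAL.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high_entropy_" + m.group(1).lower()))
    return findings

def scan_staged_diff() -> list:
    """Pre-commit entry point: scan only lines added by the staged changes (numbers index added lines)."""
    out = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    path, added = None, {}
    for line in out.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++") and path:
            added.setdefault(path, []).append(line[1:])
    return [f for p, lines in added.items() for f in scan_text("\n".join(lines), p)]
```

Wired as a pre-commit hook, the script would print each finding and exit non-zero whenever `scan_staged_diff()` returns anything, which makes git abort the commit; the same `scan_text` can run over whole files in a pipeline job.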
Thanks. Too bad the Ansible playbooks are not public. To be clear, I'm not defending HashiCorp, as I have played quite a bit with their tools (only open-source versions) and getting deployments production-ready can be painful, especially setting up security correctly, with so many moving parts.
I know about the Helm chart for Vault (btw also created and maintained by HashiCorp). It's quite handy for quick deployments, but getting it to production will require changes, as most security things are disabled. All the Helm chart does is get Vault up and running; unsealing has to be done either manually or via a third party (a cool thing, if your use case allows storing such a secret on third-party HW). Not to mention that if you want to use Consul as the storage backend, you will have to deal with that using a separate chart.
Without knowing what the Ansible playbook does, it's hard to compare the two. If Ansible is configuring the host OS from scratch (updates/tools installation etc.) then yes, it might take much longer than deploying to a fully managed K8s cluster.
True, I think the nice thing about the Vault Helm chart (and Consul) is that you can swap in the enterprise image. You can customize the image to your liking as well. It is lightweight and comparatively easy to scale. There is definitely extra work involved, but the Ansible playbook is just sequential tasks that could be baked into the container and make it a lot faster.
I'm a big fan of Kubernetes and Helm/Kustomize as a whole, though there are times where Terraform and Ansible make sense too.
Thanks for the links, those projects look cool. I'm not a beekeeper, but one day I would like to become one. For now I'm just reading on the subject, and of course I stumbled upon the mite problem.
Do you by any chance know of anyone doing something similar to this article [1]? It's noted as WIP, but I didn't manage to find any follow-up papers, or some open source projects doing something similar. apic.ai looks similar, but I don't think it's using lasers to remove mites from them.
From what I've seen the best practices are around ideas that seem like "the best defense is a good offense" -- or providing the bees the best possible chances and situation and letting them take care of themselves, which they do quite well when fed a range of foods and not squeezed too tightly for profits and trucked across the country.
Rev. Langstroth's work on this is dated (1850s and 1860s) but still incredibly relevant. He's given a lot of credit for his work on moveable-frame hives, but I'd say he did a lot to advocate for the practice of beekeeping as a practice that could be engaged in, like gardening, by anyone with interest.
No expert, but just happened to watch a video this morning.
According to a talk by Paul Stamets [1], common viruses transmitted from mites to bees may be managed better by adding mushroom derivatives to sugar water feed.
This spooked me as well. I never used any of the Samsung apps on my phone and never created the Samsung account. Since apps come pre-installed, it was in the back of my head that Samsung could access the data anyway, but I dismissed it as company suicide to do something like this.
Since so many people received the notification, it could be that some "Samsung God mode" exists.
Hi, I'm one of the contributors to this plugin. Thanks for the feedback, I'll try to make the README clearer to people landing on this repo without prior knowledge of ACME DNS or the certbot plugin system.
For more on the ACME DNS server, the source repo can be found here [1].
The link you pasted to the wiki seems to be a Kubernetes how-to guide. I'll add a direct link to the ACME DNS repo to the README as well.
But someone from Oxide would need to tell you exactly how many RFDs it took to design and implement Hubris.
[1] https://oxide.computer/blog/rfd-1-requests-for-discussion