Threads for solarce

  1. 9

    Semantically, who is to say the old string wasn’t deallocated and a new string allocated in the same memory location.

    1. 9

      But my string of Theseus!

      1. 1

        At the risk of being off topic, I burst out laughing at this, and then failed to explain to my family why it was so funny. Good show!

    1. 37

      This one isn’t really a “this week”, though there will be plenty to do every week for a while, but…

      I’M GONNA BE A NEW FATHER!!

      Finally hit the 12-week mark and told friends/family the news, and my wife and I are absolutely ecstatic still about it. Due date is in August. So much to buy, so much to prepare, so much to learn!

      1. 8

        First of all, congrats!

        So much to buy,

        My advice, if you want it, is holding back on buying too many things. Buy the minimum and adjust. In the first weeks/month children really do not need that much stuff. They need their parents and care. They do not need all these “OMG you need all these things” on baby lists. With online ordering you can always get something quickly, if you see a need for it. We def. bought things we never needed or could get by without them easily. Less is more!

        1. 2

          Yes this. The stuff can take on an oppressive weight of its own.

          1. 1

            Fantastic advice thank you! Are there any things you can think of that are the “must buy” things right away? Don’t assume anything is “too obvious” to suggest please!

            1. 3

              Diapers+wipes. Your child will either need (from my local sizing guide) “n” or “1”. Don’t overbuy the “n” but have the “1” available.

              Infant clothes.

              Onesies.

              “Burp cloths” (though any fabric that can be washed regularly as well as thrown over your shoulder will do)

              Any soft place to put down a child on the floor. (any towel or rug or carpet or possibly even hardwood will do this job.) They can roll, accidentally, long before they can intentionally roll.

              That’s it. Oh, and if you will be driving back from the place of birth, you will need an infant car seat.

              1. 6

                One secret is that you very very very badly need onesies with zippers or snaps, not buttons. The people who put buttons on infant clothes are sadists.

                1. 3

                  There needs to be an ISO on the number and placement of onesie snaps because every single one puts them in different places and it’s impossible to keep straight.

                2. 4

                  I would add a sleeping bag - for babies, not for camping (better 2 so you can wash/dry one) and a heat lamp for changing diapers/clothes.

                  You def. do not need any sort of toy, plush animals, books, fully furnished children room or any of that stuff. That will all come a lot later. Remember the first 3 months your child is basically doing its fourth trimester, just outside the body of its mother.

                  1. 1

                    Hospitals give you diapers and blankets, so there’s no point in buying those now. Definitely do stock up on baby blankets when you’re in the hospital though. You’re paying for them!

                    1. 1

                      Not if you don’t give birth in a hospital. Home births, birthing centers, and hospitals, are all valid choices people make eyes wide open to the risks and rewards of each approach.

                      1. 1

                        That depends on your country/city/hospital etc. We did not get any take-home blankets or diapers from the hospital, but that may have been due to the pandemic. Not sure.

                        1. 1

                          We had a pandemic baby and took home a bunch of blankets again. They don’t give you the blankets; you just take them when you leave because, again, you’re totally paying for them.

                          1. 1

                            In your country. In my country I am not paying the hospital one cent out of my own pocket. It is all covered by public health insurance.

                            1. 1

                              It’s nice that you live in a civilized country, but you’re still paying for it, just on tax day. Anyway this is not worth arguing about. Either the hospital has a bunch of extra blankets or they don’t.

                  2. 1

                    Yeah, we were given so many hand-me-downs I don’t think we have actually bought any clothes for our kids ourselves still, three years later. We did have to break down and buy some shoes though, alas.

                  3. 4

                    Congrats! It’s off topic for this forum, but I think we are really living in the golden age of parenting. Really, congrats!

                    1. 1

                      Why a golden age of parenting?

                      1. 7

                        In the past we’ve seen two extremes of “parenting” (this pseudo science to describe being responsible for little people). One extreme is Control, where you make kids do things and they will do it. The other is “Whatever kids do, they do.” We now are re-learning the lessons of time immemorial that children are little people.

                        These lessons have become mainstreamed in recent years, making this the golden age of parenting.

                        Show them empathy. Be the responsible one, setting bounds. Prune negative behavior, cultivate positive behavior, but don’t pretend you can declare what positive or negative behavior a child will or will not exhibit. State things the child can accomplish (You did a good job putting that puzzle together) rather than the things a child can’t change (You finished the puzzle? You are so smart!) Let children help. They will want to unless you stop them (You brought me a dozen eggs? Thank you! as opposed to Stop! Put down the eggs!) Let children play. Danger of mild bodily harm during play is good for children over time, even if occasionally individual children will need stitches or casts.

                        These “respectful” styles of parenting that also don’t allow children to run roughshod over all the adults in their lives are out there. Parenting is no longer about self sacrifice or discipline above all else, but about building real relationships with little people that survive while those little people become bigger. (and of course real relationships involve sacrifice)

                        Not everybody subscribes to a single worldview. But this worldview is available, with support groups for those who want them. A golden age.

                        1. 2

                          I presume because it was never easier to work from home and spend time with your children.

                          1. 3

                            if you are in tech…

                            1. 1

                              As the majority of people on here are, I think :)

                            2. 2

                              Not quite :) explanation

                              1. 2

                                ? You can’t watch a child and get any work done. (I guess if your job is doing social media. Paternity leave was a great time for Twitter for me.) People act like working from home makes child care easier, but all it means is you have a short commute so you can “get home” faster.

                                1. 2

                                  People act like working from home makes child care easier, but all it means is you have a short commute so you can “get home” faster.

                                  That is huge though. That means saving multiple hours each day for many people.

                                  1. 2

                                    Oh yes, it’s definitely a plus, but it seems like there’s some common misconception I run into that you can somehow both watch a baby and do work, and that is just not possible for a job with any mental demands whatsoever.

                                    1. 1

                                      Though you could hold a child and type, if you had a one handed keyboard.

                          2. 1

                            Congratulations!

                            1. 1

                              Congrats!!

                              1. 1

                                Congrats!!

                                1. 1

                                  Congratulations to your family!

                                  1. 1

                                    Mazel tov!

                                    1. 1

                                      Congrats! If you’re not part of it, the /r/daddit community on Reddit is pretty nice, especially for those early “are they supposed to be this exhausting?” days :)

                                      1. 2

                                        I feel like you just sent me down the deepest rabbit hole of my life…😂

                                        1. 2

                                          The answer to that question is, of course, always an emphatic yes.

                                      1. 4

                                        Same to you and everyone in this wonderful community

                                        1. 1
                                          • Enjoying some last bits of family getaway in Lake Tahoe and preparing for the drive back to Los Angeles tomorrow.
                                          • Nearly done with a reread of the Kingkiller Chronicles.
                                          • Need to pick which days my son and I are gonna resume lifting at our gym.
                                          1. 13

                                            My daughter was born last Friday. I was fortunate enough to arrange three weeks parental leave where I work, and that’s naturally what I am at this weekend too.

                                            Interestingly enough I found dabbling in my pet projects in between the chores and the little one’s feeding is quite doable. It feels like permanent tiredness and slight sleep deprivation allows for easier focusing, somehow? Or perhaps it’s just less coffee throughout the day.

                                            1. 5

                                              Congrats

                                              1. 2

                                                Thanks!

                                              2. 4

                                                Congratulations :)

                                                1. 2

                                                  Thank you!

                                                2. 2

                                                  Congratulations! Glad you’re able to find time for tech as well.

                                                  1. 2

                                                    Thanks! Was a bit afraid that the rest of my personal life will be completely derailed but it’s going good.

                                                  2. 2

                                                    Congrats and best of luck. 🎉 Mine are both teenagers but I still remember those early days.

                                                    1. 1

                                                      Thanks! Our older is 17 now, so our recollections are quite dim :)

                                                  1. 13

                                                    tl;dr security is hard, authorization is hard, authentication is hard, authenticating non-humans is hard. Don’t despair. Use least-privileges, apply policies on both clients and resources, monitor usage of credentials, if you are forced to use hard-coded credentials let them only be able to call sts:AssumeRole and rotate them frequently.

                                                    There’s a lot of discussion here about hard-coding AWS credentials into files, and how to authenticate and authorize non-human tools for AWS access. Here are my two cents.

                                                    Firstly when it comes to AWS resources there are always 2 sides to the coin - the client and the resource. Your blog post talks about how to authorize a client to access an S3 bucket, but never mentions the IAM resource policy on the S3 bucket itself. This is because when you call boto3’s create_bucket function, which calls S3’s CreateBucket API, for backwards-compatibility reasons it creates a publicly-readable S3 bucket, which is why the news is full of “omg the cloud is insecure everyone’s personal information got leaked”. Please avoid creating publicly-readable S3 buckets; the console makes it extremely difficult to do this any more, but the API is just an API and will let you do it.

                                                    AWS users who use S3 buckets should enable and run the Access Analyzer for S3, identify publicly accessible S3 buckets in their account, and take appropriate action. They may just be e.g. static websites, which is fine, or may store personally identifiable information (PII), which is not fine. Also consider whether your data should be encrypted-at-rest, with a KMS key that you own and control, or even a straight-up symmetric key you own. This is again defense-in-depth in case someone gets access to the S3 bucket.

                                                    Secondly, if your goal is “give a user access to a particular bucket/prefix and only be able to use a subset of APIs”, instead of creating credentials you could use S3 access points. An S3 access point creates a completely new DNS endpoint https://[access_point_name]-[accountID].s3-accesspoint.[region].amazonaws.com and when users hit this DNS endpoint to perform operations S3 enforces policies like “You can only call GetObject and PutObject” on your behalf. This is an easy way to enforce IAM resource policies on the S3-side instead, and you can create multiple S3 access points for a single bucket (unlike an S3 bucket policy).

                                                    That just simplifies the authorization story, what am I allowed to do. But authentication, who am I, is always tricky. This DNS endpoint for an S3 access point is not a secret nor should it be, anyone can call it. If I am a human I can call e.g. AWS STS AssumeRoleWithWebIdentity, assume some role, and then on the S3 access point only allow access from that role. OK. But how do I know e.g. the backup script that is running nightly on your VPS is the backup script?

                                                    This is simple to answer for e.g. an AWS EC2 instance. If you attach an IAM role to an AWS EC2 instance’s execution role, you delegate this problem to AWS. But this doesn’t help you, you want to access an S3 bucket from a VPS host. That’s fine, but then you need to solve the problem on a VPS host.

                                                    • If you hard-code credentials on the VPS host that e.g. gives sts:AssumeRole permission for this new role, what happens if you accidentally version-control those credentials or the VPS provider steals those credentials? Maybe this is OK if you rotate these hard-coded credentials regularly and monitor AWS CloudTrail logs for who uses the credentials.
                                                    • You could enforce that clients from certain IP ranges are allowed to assume a role but this is not a sufficient control.
                                                    • Aha! Maybe an EC2 instance has permissions and you SSH to it before uploading files or something. But how do you provision and control access to the SSH private/public key pair?
                                                    • Set up some secure service that you call over HTTP to get temporary credentials. But how do you authenticate your script with the secure service?

                                                    It’s at this point that people throw up their hands and say “Authentication is hard! I’ll just put the credentials in a file and set a calendar reminder to rotate them once every 30 days, and set up some tools to analyze CloudTrail access logs”. For your threat model this may be fine.

                                                    But maybe you can dive deeper into your threat model and think…hmmm. I’m backing up data from a VPS to S3. Surely this can be an append-only backup, and I only need to grant s3:PutObject permission to some role that the VPS can assume using STS. That way if someone steals the credentials the worst they can do is put more data in. I’d have to pay for it which sucks but they can’t read my data. Hmm, they could overwrite it? But I can set up object locks to prevent overwrites. etc.
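As an added illustration of the least-privilege shape described above (this is example code, not from the thread or from the s3-credentials project), the two policy documents the comment recommends, the append-only backup role and the AssumeRole-only long-lived keys, built and linted offline so that “this key can only PutObject” is checked before anything is attached in IAM. Bucket name, account id and role ARN are constructed placeholders.

```python
# Added example: least-privilege policy documents for the VPS-to-S3 backup case,
# plus offline checks for over-broad grants. Names below are constructed.
import fnmatch
import json
from typing import Dict, Iterable, List, Set

BUCKET = "example-backups-bucket"                                     # constructed
BACKUP_ROLE_ARN = "arn:aws:iam::123456789012:role/vps-backup-writer"  # constructed


def write_only_policy(bucket: str, prefix: str = "") -> Dict:
    """Append-only backup: s3:PutObject on one bucket/prefix and nothing else.
    Overwrites of existing keys are stopped by Object Lock on the bucket, which
    is bucket configuration rather than part of this policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AppendOnlyBackup",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def assume_role_only_policy(role_arn: str) -> Dict:
    """For the hard-coded keys on the VPS: they may only call sts:AssumeRole on
    the backup role, so a leaked key yields no data access by itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeBackupRoleOnly",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def _as_list(value) -> List:
    """IAM accepts a single string/object or a list for Statement, Action and
    Resource; normalise to a list so the checks below see one shape."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allow_statements(policy: Dict) -> List[Dict]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def grants(policy: Dict, action: str) -> bool:
    """True if any Allow statement's Action pattern matches `action`.
    IAM action matching is case-insensitive and supports '*' and '?'."""
    wanted = action.lower()
    return any(
        fnmatch.fnmatchcase(wanted, pattern.lower())
        for stmt in allow_statements(policy)
        for pattern in _as_list(stmt.get("Action"))
    )


def excess_actions(policy: Dict, permitted: Iterable[str]) -> Set[str]:
    """Action patterns that are not exactly one of `permitted`. A wildcard such
    as 's3:Put*' is reported even though it covers s3:PutObject, because it also
    covers actions like s3:PutBucketPolicy that a backup key must never have."""
    allowed = {p.lower() for p in permitted}
    return {
        pattern
        for stmt in allow_statements(policy)
        for pattern in _as_list(stmt.get("Action"))
        if pattern.lower() not in allowed
    }


def wildcard_resources(policy: Dict) -> List[str]:
    """Sids of Allow statements whose Resource is '*' (not scoped to a bucket or role)."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in allow_statements(policy)
        if "*" in _as_list(stmt.get("Resource"))
    ]


# Constructed example of the policy people reach for when "authentication is
# hard": a leaked key with this attached can read every bucket in the account.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                 "Action": "s3:*", "Resource": "*"}]
}""")

if __name__ == "__main__":
    for name, policy, permitted in [
        ("backup role", write_only_policy(BUCKET, "nightly/"), ["s3:PutObject"]),
        ("vps keys", assume_role_only_policy(BACKUP_ROLE_ARN), ["sts:AssumeRole"]),
        ("overbroad", OVERBROAD_POLICY, ["s3:PutObject"]),
    ]:
        print(name, "excess:", excess_actions(policy, permitted),
              "unscoped:", wildcard_resources(policy),
              "can read objects:", grants(policy, "s3:GetObject"))
```

The same checks can be run over any policy document pulled from IAM as JSON, since `json.loads` output has exactly the shape the functions expect.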

                                                    1. 2

                                                      This is because when you call boto3’s create_bucket function, which calls S3’s CreateBucket API, for backwards-compatibility reasons it creates a publicly-readable S3 bucket, which is why the news is full of “omg the cloud is insecure everyone’s personal information got leaked”.

                                                      In the code I’m using s3.create_bucket(...) without any extra options - https://github.com/simonw/s3-credentials/blob/0.3/s3_credentials/cli.py#L92-L100 - and, as far as I can tell, the resulting buckets are not public. I just tried creating one, uploaded a file to it and then attempted to access the file by URL and got a permission error: https://simonw-test-bucket-is-this-public.s3.amazonaws.com/yourfilename.csv - am I missing something here? I definitely don’t want to be creating public buckets by default!

                                                      If you hard-code credentials on the VPS host that e.g. gives sts:AssumeRole permission for this new role, what happens if you accidentally version-control those credentials or the VPS provider steals those credentials?

                                                      This is why I wanted separate per-bucket credentials in the first place: I want to minimize the damage someone could do with stolen credentials should they access them. Much rather my VPS provider steals credentials for a single bucket than for my entire account!

                                                      But maybe you can dive deeper into your threat model and think…hmmm. I’m backing up data from a VPS to S3. Surely this can be an append-only backup, and I only need to grant s3:PutObject permission to some role that the VPS can assume using STS.

                                                      That’s essentially what my s3-credentials create name-of-bucket --write-only option does - it creates a brand new user and applies this inline policy to them so that they can only write (with PutObject) to the specified bucket: https://github.com/simonw/s3-credentials/blob/0.3/s3_credentials/policies.py#L38-L48

                                                      Object locks are interesting - I hadn’t seen those! I like the idea of using them to prevent leaked write-only credentials from being used to over-write previously written paths.

                                                      Secondly, if your goal is “give a user access to a particular bucket/prefix and only be able to use a subset of APIs”, instead of creating credentials you could use S3 access points.

                                                      Whoa, I had not seen those before - looks like they were only added in 2019. Shall investigate, thank you!

                                                      I’d love to provide a link in the README to material people can read that has solid, easy-to-follow recommendations for the absolute best practices on this kind of stuff - but I’ve been hoping to run into useful information like that for years, and the best material still seems to show up in comments like this one!

                                                      1. 1

                                                        am I missing something here? I definitely don’t want to be creating public buckets by default!

                                                        No, then I am wrong, when you call CreateBucket the bucket is not publicly-readable by default.

                                                        I’d love to provide a link in the README to material people can read that has solid, easy-to-follow recommendations for the absolute best practices on this kind of stuff - but I’ve been hoping to run into useful information like that for years, and the best material still seems to show up in comments like this one!

                                                        Maybe a blog post idea for me! It’s always tough putting your neck out giving prescriptive best practice advice because you may be wrong, or things may change. Also it’s a broad topic, it’s hard to focus and come up with narrow objectives.

                                                      2. 1

                                                        As someone who spent a lot of this year on compliance audits and thinking about “least privilege in AWS”, this is such a detailed but also clear write up on this topic. Thank you for taking the time to write and post it.

                                                        PS: at first I wondered “who are you, who are so wise in the ways of science?”, but then I checked and saw you work at AWS, https://asim.ihsan.io/about/, and went 💡

                                                        1. 1

                                                          You’re welcome!

                                                          My views don’t represent AWS. And maybe I’m missing something obvious about authenticating non-human tools. Please correct or enlighten me, I’m always learning.

                                                        2. 1

                                                          This is a fantastically useful comment, thank you!

                                                          Do you mind if I quote bits of it in this issue thread? https://github.com/simonw/s3-credentials/issues/7

                                                          1. 2

                                                            Yes you can quote parts of it, just add “These views don’t represent AWS” at the end.

                                                        1. 2

                                                          A cool demo but mostly I am in awe of the domain, smart!

                                                          1. 1

                                                            And tag metric whatever thing pointing to yandex :)

                                                          1. 4

                                                            Had to smile when I saw jcs’ first two screenshots, from the late 90s/early 2000s. I’m pretty certain I have a directory of desktop screenshots I took in the mid-late 90s, complete with various incarnations of fvwm, AfterStep, WindowMaker and Bowman (the window manager that really kicked off the NeXT-lookalike craze).

                                                            1. 5

                                                              Right? It takes me back to when I’d spend hours browsing themes.org (RIP)

                                                              1. 5

                                                                I’m still using WindowMaker, to this day. At some point about 10 years ago I took a detour through wmii and ratpoison land but it never stuck, and afterwards I found very few window managers come even close to matching WindowMaker’s speed and ergonomics. I tend to have a lot of windows open (datasheets, reference manuals, code windows, debuggers etc.), so “modern” interfaces, with flat windows and fat titlebars, are pretty much impossible to manage. On the other hand, the “layouts” are too fluid (thanks to many of these docs being PDFs with various font sizes, margins etc.) to meaningfully manage with a tiling WM, I don’t have enough monitors to make that work :).

                                                                1. 1

                                                                  I tried it many times but I never understood how to really manage windows with it. Somehow things were always on top of each other and it never felt ergonomic. I guess I never read a good tutorial.

                                                                  1. 1

                                                                    I think you did understand it, there’s not much about it to understand if you’ve used any “mainstream” UIs like Windows. It’s just one of those things that everyone has different preferences about :). Things end up (more or less) on top of each other by design, and you can sort of put some order in it using window icons and window shading (double-click on the titlebar and the window is “folded” underneath it). It’s obviously not as neat as tiling WMs but the way I work usually isn’t neat, either. With tiling WMs, I had the opposite problem: I had so many things open at once that showing all of them at once was impractical, and trying to get them to fit into workspaces just meant I ended up spending forever going between workspaces.

                                                                    There are a lot of things about WindowMaker that I would improve (the dock is one of them, I always wanted something closer to AmiDock, for example) but it works well enough that I never got around to actually writing any of that.

                                                                    1. 1

                                                                      I see, that makes sense. I try to work differently, so I guess that is why it never worked for me.

                                                              2. 1

                                                                I wish I had screenshots of my WindowMaker setup from the late 90s. There was a site that had these amazing gothic themes for WM, but I don’t have any of my files from those days.

                                                                1. 1

                                                                  After my post I tried to find my old screenshots but it’s proved to be a bit more difficult than I thought - my fileserver home directory has ~25 years of cruft, some of it not that well organised. I’ve not managed to find them yet :(

                                                                  1. 1

                                                                    Yeah, I went and looked, and I have school work back to 1994(!), but nothing like a home directory with my WindowMaker themes.

                                                                    1. 2

                                                                      It would be really cool if you could find it, as in, I’m pretty sure the folks on the WM mailing list would love to hear about it! One of the things the Window Maker community laments is the disappearance of Freshmeat’s theme repository (which was itself a superset of themes.org’s archive if memory serves me right). It hosted more than 3,000 WindowMaker themes, very few of which were mirrored elsewhere. If you still have some of these, you may be the only one who still has them!

                                                              1. 1
                                                                • some code, some reading, studying for an AWS cert, and family time on Sunday
                                                                1. 12

                                                                  There are a few that seem to have stuck in my rotation:

                                                                  • entr: Runs an arbitrary command when a file changes, I have found this super helpful for running builds or post processing steps on files I am editing.

                                                                  • pandoc: Converts to and from many file formats. I find all sorts of uses for this tool even unblessed ones, but I primarily use it to convert from and to markdown, which allows me to compose in my preferred mode, vim+markdown. As an example I recently used it to add content to Confluence, which bizarrely only supports importing Word documents. So I compose in markdown, convert to Word with Pandoc, and finally import into Confluence.

                                                                  1. 3
                                                                    • watch: could always be replaced with a Bash loop, but still super handy
                                                                    1. 1

                                                                      I always do the shell loop because I’ve never managed to actually learn how to use any of the fancy tools, so I just do loops with sleeps

                                                                    2. 1

                                                                      While I have not sat down and used it myself yet, I’ve had my eye on https://github.com/kovetskiy/mark for a while and it may be relevant to your interests.

                                                                      1. 2

                                                                        Coincidentally my coworker @ClashTheBunny has been working with that same tool to sync our knowledge base of markdown files with our Confluence instance, definitely a better option for continuous syncing. Thanks for bringing it up!

                                                                    1. 2

                                                                      I’d love to see folks participate and write some posts.

                                                                      Topics can be intro level or advanced, whatever you feel comfortable with, ideally tying into something you’ve been working on lately.

                                                                      Topic Ideas include:

                                                                      • DynamoDB Intro
                                                                      • Kinesis Intro
                                                                      • Lambda Intro
                                                                      • CodeDeploy/CodeCommit/CodePipeline (ALM) Intro
                                                                      • Amazon Aurora Intro
                                                                      • CloudFormation Best Practices for 2014
                                                                      • Securing your AWS Credentials (IAM, MFA, IAM Roles, Launch Configs, Sharing Secrets, using KMS)
                                                                      • S3 And Glacier for Scalable Storage and Archiving
                                                                      • Monitoring, Metrics, and Logging in the Cloud (CloudWatch and CloudTrail best practices)
                                                                      • Managing AWS Billing (Netflix ICE, Hosted Services?)

                                                                      I could also use 5-6 folks to help as editors.