I made a $100k mistake early in my career ($100 per visit to 1000 point of sale terminals to replace an EPROM with my buggy code) and it was indeed an important learning experience. I can’t even imagine the stress of thinking that I had destroyed a $500M piece of equipment.
Jeff Geerling’s video on the Pi 5 is pretty comprehensive, too - looks like he’s had his hands on one for a little while and has been able to get some decent benchmarks/comparisons together. Hopefully people will actually be able to get their hands on these when they do release, rather than them all going straight to scalpers (as happened with the Pi 4)…
As I read the article it occurred to me that none of the excuses given really let stale-bots off the hook. In every case, leaving issues unread and/or unhandled is IMO less rude than having a bot close them. It’s the difference between saying “I can’t get to this right now” and saying “Your contribution has no value to us now, and never will.”
Sorry if I wasn’t clear. To clarify, leaving a PR unread says “I can’t get to this right now” but doesn’t make any judgement about the PR itself, and leaves open the possibility that the maintainer (or some future maintainer) will look at it. Having a bot close the PR says “this is worthless to us and we will never look at it.”
I assumed we’re talking about issues, not PRs, but I still disagree.
Bot closing the PR did not say “worthless”. It just said, “stale”. The PR (or an issue) going “stale” is almost literaly the function of the person “not having the time to do this right now”.
In certain cases, not responding to someone’s work can be worse. “Great, I opened a PR months ago and they’re ignoring me!” vs “I opened a PR, but since nobody had time for it, it got marked as stale.”.
I think the underlying issue is often people attributing things to events that are not necessarily there. Throughout the whole comment thread here on lobsters, people are expressing differing opinions. But look at the observable facts:
A maintainer has a publicly accessible repository.
A user is using it. They found a bug and reported it.
The bug got marked as stale.
A thousand people will interpret it a thousand different ways. Should I report a bug if I find it? Am I allowed to ignore it? If I do report a bug, am I entitled an answer? Or at least a look? Or 5 minutes of that maintainer’s time? We just assume, since the project is public, that it is also a community project, and there is an obligation on the maintainer to maintain.
Personally I remember the “good” old times of BOFHs and every question you ask on mailing lists being answered with RTFM. I’m happy that it’s not like that any more - for most things that I need, I can probably ask a question, someone’ll answer me. But I’m still keeping that mindset of old ways of open source - if I have a problem, I am in charge of fixing it. And I’ll send the patch back to source, or perhaps a PR or a comment, but I don’t have expectations that anything will be done about it.
But I understand this isn’t how most people expect things to work.
Trying Babish’s recipe for gluten-free pasta[0]. It’s a lot of effort since it has 5 ingredients in the flour mix alone but let’s hope it’s worth it. Pretty much all dry GF pasta is awful but I was surprised at how easy it is to make fresh pasta and fresh GF pasta isn’t bad. The King Arthur recipe[1] is OK and it’s very easy.
Goodluck. My gf is gf and we’ve mostly given up and just use rice vermicelli, which is always good. There is also.perfectly acceptable corn pasta available in Prague if you’re ever in these parts…
Babish’s recipe made dough that was difficult to work with but the pasta tasted great! The texture of the cooked pasta was closer to regular pasta than any recipe I’ve tried so far.
Prague is a city that I’ve always wanted to visit but haven’t had the chance yet!
Summary: If you run it on Windows or macOS but don’t watch the news and don’t know that there is a new version, now it’s going to start popping up suggestions that you update.
I just truncate the message to 1,024 characters and process it anyway (assuming it wasn’t so large that it hit the web server’s request message size limit). The user still receives something, and if they care that it’s truncated, they can investigate why.
If this guy thinks it’s anything but completely fucked up to deliberately drop customer data and make them “investigate why” then I won’t ever touch one of his APIs.
This entirely depends on the service though, and they are describing a service for push notifications. I would say that delivering a truncated message is better than not delivering it at all in that case. If the data is supposed to be stored long term then it’s another matter.
He could be hardline and 400 all requests that don’t conform, and I bet that was the case, originally.
I’m curious what you would do? How would you balance correctness, support concerns / customer happiness, operational concerns to protect the service (eg rate limiting of legitimately bad/abusive requests), and all the other things as a single person providing this service?
I’m curious what you would do? How would you balance correctness, support concerns / customer happiness, operational concerns to protect the service (eg rate limiting of legitimately bad/abusive requests), and all the other things as a single person providing this service?
It all depends on what the API is doing.
It looks like the messages in question are basically status updates delivered to end-user devices. I guess it’s unlikely that the message consumers will be doing anything other than printing them to a screen, and it’s entirely possible that message producers wouldn’t know about the size limit for a single recipient. In this (specific) case, truncating the message is at least arguably beneficial vs. rejecting it outright.
But this feels to me like an exceptional use case. If these messages were expected to be machine-readable, or any of a hundred other variables were different, then truncating them would make them unreliable, likely useless. As you note, you usually want to reject bad requests (with a 400 or whatever) by default, and carve out exceptions based on use case.
I drew the same conclusion as you and the sibling. I want to know what @caboteria thinks since they are hardline against it. I am assuming they didn’t think much about the nuance of the problem and stopped at “truncate” before aggressively stomping their foot and writing a mean spirited comment void of any substance.
TBH, I wasn’t familiar with the Pushover service so when I read that data gets truncated I recoiled a bit. @caboteria might have been similarly ignorant. That section might be a bit better with some context on the service.
Every story on lobste.rs has an archive link underneath it, between save and <n> comments. If you click on archive, the Archive.today option takes you to a capture from the time the link was submitted, with no paywall of any kind.
I usually go to archive.today and paste in medium links, but I recently noticed and really appreciate this feature of the site.
I don’t have much of a use for this tool since I don’t do much C/C++ programming but I wanted to give the team props for an excellent landing page at https://build2.org/ . It starts with two clear paragraphs that say what the tool does, and then lists its important features. I wish all tools had such a clear introduction!
Why do you need containers for running a single binary? I suppose it would make sense if everything else in the stack is running in containers and you want to create isolated networks, but part from that, idk. Perhaps someone could enlighten me?
I can think of two reasons. The first, as you say, is that you have some infrastructure for deploying containers, making things look like containers is useful. The second is that there’s often more to a system than just the program. You probably have configuration and data. The configuration is easy to add as a new container layer. The data may be stored in a separate service (e.g. accessed via the network) but if it’s filesystem based the container orchestration tools provide a good way of attaching filesystem trees to containers.
There’s also a bad reason: security. People often conflate containers (a distribution and orchestration model) with a specific isolation mechanism. On Linux this is a mess of cgroups, namespaces, and seccomp-bpf that keeps having security holes. On most cloud platforms, it’s VM isolation because the shared-kernel model doesn’t give sufficiently strong guarantee for tenant isolation.
There’s also a silly but real argument: cost. A lot of cloud providers have container billing that does finer accounting of memory and CPU usage than their IaaS (VM) services and so running a program on their container infrastructure is cheaper than running it on a rented VM.
Security is a really good reason. The “security holes” you’re talking about are kernel exploits - not enough for tenancy, certainly, but definitely nice given that putting something in a container is virtually free.
That said, it’s worth noting that this is a build tool.
For “security” using containers is not needed as you can have that on Linux without all that fuss. Just deploy binary and systemd’s unit for your service (which in case of single binary can be even within your binary with just single command away) and you are good to go. Much less stuff needed, and also this can give you some additional features that not all container runtimes provide.
If you want to use systemd, go for it. Obviously there’s nothing you can do with a container that can’t be done natively - but if you’re already using containers there’s some good stuff that you get “for free”.
Putting something in a container and checking the ‘isolation’ box on a cloud provider (gvisor on GCP and IIRC firecracker on AWS) is a lot easier than managing Linux hosts and configuring all of the security/isolation stuff yourself.
Security is a really good reason. The “security holes” you’re talking about are kernel exploits
They are sometimes kernel exploits, they are sometimes misconfigurations in policy. For example, there was one that I recall that was caused by the fact that the Docker seccomp-bpf policy didn’t default to deny and so a kernel upgrade added a system call that allowed a container escape. Sometimes they’re exploits but, importantly, they’re exploits relative to a threat model that 99% of the kernel code was never written to consider. The Linux kernel still doesn’t really have a notion of a jailed process (unlike the FreeBSD or Solaris kernels) and so you are reliant on the kernel enforcing isolation built out of a set of distinct subsystems that were not designed together and where any kernel subsystem may forget a check.
but definitely nice given that putting something in a container is virtually free.
You might want to run some benchmarks before deciding that it’s free. Depending on the workload, it can be as much as a 20% perf hit to run via runc Linux versus running in the root namespace with no seccomp-bpf policy or custom cgroup. For others, the overhead is close to zero. The overhead can be even worse depending on the filesystem layering mechanism that your container platform is using (some of the union-based drivers can have a huge impact on anything with a moderately large disk I/O component).
Sometimes they’re exploits but, importantly, they’re exploits relative to a threat model that 99% of the kernel code was never written to consider
I don’t really agree. The kernel has long had a security model of “unprivileged users should not be able to escalate privileges”. It has not had “privileged users should not be able to escalate to kernel” until much more recently.
I don’t know what notion of jailed you want but namespaces certainly seem to fit the bill. They’re a security boundary from the kernel that applies to a namespaced process.
Depending on the workload, it can be as much as a 20% perf hit to run via runc Linux versus running in the root namespace with no seccomp-bpf policy or custom cgroup.
Source?
I think the point here is that, yes, the Linux kernel is a security trashfire, but I think you are underestimating the effort to escape a sandbox. Building a reliable kernel exploit, even for an nday, can be weeks or months of work.
There’s also a silly but real argument: cost. A lot of cloud providers have container billing that does finer accounting of memory and CPU usage than their IaaS (VM) services and so running a program on their container infrastructure is cheaper than running it on a rented VM.
This is not always true though, because often these more “finer accounting” solutions have a higher price on their own, so it really depends on utilization.
I sort of see your point, but I’m inclined to argue the contrary. Statically linked binaries essentially are a deployable unit. Maybe you’d argue that containers can bundle configuration, but so can binaries. Maybe you’d make some distinction about “not needing to recompile the binary to change configuration” but you still need to rebuild the container which is the more expensive part by far (for a Go app, anyway), even with a decent hit rate on the build cache–there’s no fundamental difference between compiling a binary and running a Docker build except that the latter is wayyyyy more complex and expensive (in most cases, you need a daemon running installed rather than just a compiler/toolchain).
Containers are great for apps that can’t easily be distributed as a static binary (particularly when it would be very large, since container layers are individually addressable/cacheable) or for cases where you’re deploying a static binary in a containerized environment (e.g., your org uses k8s), but a single binary absolutely is a unit of deployment.
What cloud providers support isn’t useful for answering the question. One can easily imagine a cloud service that takes a static elf file and drops it into a firecracker VM—the reason this doesn’t exist (to my knowledge) is that their customers are typically deploying apps in languages that don’t have a good story for static ELF binaries (and the ones that are can just wrap their binaries in a container), not because ELF isn’t a deployment format.
Typically containers run one app each anyway, but in my experience it’s just generally nice to have one unified format to build, distribute and run server side software. I can build an image on my windows computer, throw it onto my mac and it works with zero changes then I can push that same image up to our hosting provider and it runs there too, and we can switch hosting provider (which I have done a few times) with minimal effort. Sure, under the hood you’ve got EXE, ELF, DMG, PKG, etc on all the various operating systems but when it comes to getting production code live, containers really do make life easier!
Agreed, but I still think it would be cool if we orchestrators had decent support for ELF files. I’m pretty tired of creating all of these single-binary containers just because there’s no way to run binaries without taking on the full burden of managing one’s own hosts.
That’s a sensible requirement. How hard could it be for the hosting providers to detect an EXE / ELF file and just wrap it inside a stereotypical container? I’d think it’s something close to a five-line shell script.
This was a mis-division of a service. Because of the amount of data transfer they were getting absolutely shredded on egress. I don’t think it’s a sweeping argument against microservice architecture, as building with that mindset allowed them to design a monolith as a set of composable, independent programs.
Well, this isn’t all of prime video, it’s just one team for a part of the product (Video Quality Analysis). Not saying either way is better or worse, but Amazon has many teams, and this isn’t indicative of them as a whole.
Finally, although trusted publishers is currently limited to GitHub Actions, much of the underlying work that went into making this feature possible is generalizable and not specific to a single publisher. We’re interested in supporting the ability to publish from additional services that provide OpenID Connect identities.
It‘s probably up to other project to provide an integration.
One company I worked for had a system with a read-only database replica. One of my co-workers noticed that the primary read/write db was very lightly loaded so he and I ripped out the replication code. Net result: the speed was the same and the system as a whole was simpler and easier to run. It turns out that the read-only replica was specified by an architect because “you always need one.”
I really wish that we could move past the “how dare people train AI on code that we gave away for free” thing.
Imagine, if you would, that Microsoft used cheap labor in Elbonia (some fictional nation, cribbed from the days when Dilbert was something to have on your cube wall) to implement copilot. In this thought experiment, these people spend all day reading code, getting some facility with it (arguable), and then mechanical turk questions submitted using knowledge gained by their reading.
If that’s okay, or okayish, we need to find some other reason to be upset about our current reality where we have replaced the Elbonians with AI–and I think that there is probably a good argument, but dear Lord I haven’t seen it presented as of yet.
I really wish that we could move past the “how dare people train AI on code that we gave away for free” thing.
Only public domain / CC0 code is given away for free. When I give away my code under the MIT license, it is on the condition that you acknowledge me when you create a derived work or build anything from my code. If you create anything that is a derived work of my code then you have a legal obligation to credit me.
Imagine, if you would, that Microsoft used cheap labor in Elbonia (some fictional nation, cribbed from the days when Dilbert was something to have on your cube wall) to implement copilot. In this thought experiment, these people spend all day reading code, getting some facility with it (arguable), and then mechanical turk questions submitted using knowledge gained by their reading.
If you pay a team of Elbonians to create derived works of my code without attribution then I would have standing sue you. If they read my code but then produced things that are independent creative works that are not derived works then I would not have standing to sue you.
The question for the courts is which of these the current systems are more like.
Besides @david_chisnall’s excellent answer (which to me is the main one), I feel like there’s also a fundamental difference in scale. Similar to arguments about “it’s just metadata” and mass surveillance, I believe that there’s a phase change that occurs somewhere along the way once things get big enough. A few Elbonian’s reading some code here and there to learn to programmight be one thing. Million’s of Elbonian’s memorizing every line of code ever published on GitHub might be something else.
There’s also something that feels kind of skeevy about taking my free code and then selling it back to me as a service. I put my code out there because I want to see people make cool stuff with it and only ask that they give me credit for my part in their success. If someone wants to use my code as a component in an app (where the thing the app does is much more than just my code) with attribution, that’s one thing. A for-pay service that’s built around just selling that code back to me or to someone else without attribution is another thing entirely.
I think people can be upset with things regardless of what things they’re not upset at.
It’s fine to posit different scenarios but as soon as you make that scenario a discrediting argument then you are using a bad faith argument tactic known as a whataboutism. (It’s also a logical fallacy).
When I see argument tactics my brain short circuits and I get a bit sad. I want a community where we can hear others and express our opinions without these tactics. Can you consider reframing your thought experiment as a personal one rather than one that is discrediting OP?
I agree with your experiment as posed, but let me make a small twist: “In this thought experiment, these people spend all day reading code, getting some facility with it (arguable), and then cut-and-paste excerpts of the code to answer questions submitted using knowledge gained by their reading.” To me that’s not OK.
What if the elbonians read the code out verbatim? That’s the main problem here.
The second problem is that the ai model is a derivative work of the code it was fed; at least some of that code is agpl and the model has not been open sourced under the agpl.
I really wish that we could move past the “how dare people train AI on code that we gave away for free” thing.
Okay, here’s my presentation of it: I think that a machine learning model trained on my code is a derivative of that work. Most of my code is released under licenses that require reciprocation, so training proprietary models on that code is a violation of its license.
Microsoft / GitHub have fundamentally betrayed the trust of the community that created, used, and promoted GitHub in the open source / free software world.
I don’t think we should move past it, and in fact, I think that wherever possible, we should withdraw our support. I only maintain a GitHub account to contribute to open source projects that remain there; otherwise, I’m on Soucehut now, like the author.
I made a $100k mistake early in my career ($100 per visit to 1000 point of sale terminals to replace an EPROM with my buggy code) and it was indeed an important learning experience. I can’t even imagine the stress of thinking that I had destroyed a $500M piece of equipment.
This was the first TSC meeting that’s open to the public.
I don’t do much Rails work anymore but I really miss its gentle weirdness.
Jeff Geerling’s video on the Pi 5 is pretty comprehensive, too - looks like he’s had his hands on one for a little while and has been able to get some decent benchmarks/comparisons together. Hopefully people will actually be able to get their hands on these when they do release, rather than them all going straight to scalpers (as happened with the Pi 4)…
Any mention of the power draw?
Yup! https://youtu.be/nBtOEmUqASQ?t=343
As I read the article it occurred to me that none of the excuses given really let stale-bots off the hook. In every case, leaving issues unread and/or unhandled is IMO less rude than having a bot close them. It’s the difference between saying “I can’t get to this right now” and saying “Your contribution has no value to us now, and never will.”
“I haven’t had time to look at this” tells you “your contribution has no value”?
Sorry if I wasn’t clear. To clarify, leaving a PR unread says “I can’t get to this right now” but doesn’t make any judgement about the PR itself, and leaves open the possibility that the maintainer (or some future maintainer) will look at it. Having a bot close the PR says “this is worthless to us and we will never look at it.”
I assumed we’re talking about issues, not PRs, but I still disagree.
Bot closing the PR did not say “worthless”. It just said, “stale”. The PR (or an issue) going “stale” is almost literaly the function of the person “not having the time to do this right now”.
In certain cases, not responding to someone’s work can be worse. “Great, I opened a PR months ago and they’re ignoring me!” vs “I opened a PR, but since nobody had time for it, it got marked as stale.”.
I think the underlying issue is often people attributing things to events that are not necessarily there. Throughout the whole comment thread here on lobsters, people are expressing differing opinions. But look at the observable facts:
A thousand people will interpret it a thousand different ways. Should I report a bug if I find it? Am I allowed to ignore it? If I do report a bug, am I entitled an answer? Or at least a look? Or 5 minutes of that maintainer’s time? We just assume, since the project is public, that it is also a community project, and there is an obligation on the maintainer to maintain.
Personally I remember the “good” old times of BOFHs and every question you ask on mailing lists being answered with RTFM. I’m happy that it’s not like that any more - for most things that I need, I can probably ask a question, someone’ll answer me. But I’m still keeping that mindset of old ways of open source - if I have a problem, I am in charge of fixing it. And I’ll send the patch back to source, or perhaps a PR or a comment, but I don’t have expectations that anything will be done about it.
But I understand this isn’t how most people expect things to work.
Trying Babish’s recipe for gluten-free pasta[0]. It’s a lot of effort since it has 5 ingredients in the flour mix alone but let’s hope it’s worth it. Pretty much all dry GF pasta is awful but I was surprised at how easy it is to make fresh pasta and fresh GF pasta isn’t bad. The King Arthur recipe[1] is OK and it’s very easy.
[0] https://basicswithbabish.co/basicsepisodes/gluten-free-pasta [1] https://www.kingarthurbaking.com/recipes/gluten-free-pasta-recipe
Goodluck. My gf is gf and we’ve mostly given up and just use rice vermicelli, which is always good. There is also.perfectly acceptable corn pasta available in Prague if you’re ever in these parts…
Babish’s recipe made dough that was difficult to work with but the pasta tasted great! The texture of the cooked pasta was closer to regular pasta than any recipe I’ve tried so far.
Prague is a city that I’ve always wanted to visit but haven’t had the chance yet!
This launch was 2 months ago. Any particular reason for posting it now?
Because now it is a recommended upgrade for users of the previous stable version, 102.
https://www.techgoing.com/mozilla-opens-thunderbird-upgrade-path-to-115-for-users-of-version-102/
https://www.ghacks.net/2023/09/08/thunderbird-102-to-115-upgrades-are-now-enabled/
Summary: If you run it on Windows or macOS but don’t watch the news and don’t know that there is a new version, now it’s going to start popping up suggestions that you update.
Makes sense!
Ha! I wondered why the headline was dark blue!
Recovering from COVID. Be careful folks, it’s still around!
I hope you find your weekend restful and your recovery swift
If this guy thinks it’s anything but completely fucked up to deliberately drop customer data and make them “investigate why” then I won’t ever touch one of his APIs.
You might want to check the about page to see who created lobster.rs before saying you’ll not use his stuff 🙃
This entirely depends on the service though, and they are describing a service for push notifications. I would say that delivering a truncated message is better than not delivering it at all in that case. If the data is supposed to be stored long term then it’s another matter.
He could be hardline and 400 all requests that don’t conform, and I bet that was the case, originally.
I’m curious what you would do? How would you balance correctness, support concerns / customer happiness, operational concerns to protect the service (eg rate limiting of legitimately bad/abusive requests), and all the other things as a single person providing this service?
It all depends on what the API is doing.
It looks like the messages in question are basically status updates delivered to end-user devices. I guess it’s unlikely that the message consumers will be doing anything other than printing them to a screen, and it’s entirely possible that message producers wouldn’t know about the size limit for a single recipient. In this (specific) case, truncating the message is at least arguably beneficial vs. rejecting it outright.
But this feels to me like an exceptional use case. If these messages were expected to be machine-readable, or any of a hundred other variables were different, then truncating them would make them unreliable, likely useless. As you note, you usually want to reject bad requests (with a 400 or whatever) by default, and carve out exceptions based on use case.
edit: basically a +1 to Brekkjern’s sibling comment
I drew the same conclusion as you and the sibling. I want to know what @caboteria thinks since they are hardline against it. I am assuming they didn’t think much about the nuance of the problem and stopped at “truncate” before aggressively stomping their foot and writing a mean spirited comment void of any substance.
TBH, I wasn’t familiar with the Pushover service so when I read that data gets truncated I recoiled a bit. @caboteria might have been similarly ignorant. That section might be a bit better with some context on the service.
That’s a fair point!
This should have a “paywall” tag or some indication that it’s paywalled. It’s annoying to start reading and then find a paywall below the fold.
Every story on lobste.rs has an archive link underneath it, between save and <n> comments. If you click on archive, the Archive.today option takes you to a capture from the time the link was submitted, with no paywall of any kind.
I usually go to archive.today and paste in medium links, but I recently noticed and really appreciate this feature of the site.
Nice! Thank you for the tip!
Oh. It was just working for me. If I had known….
Worked for me too. There might have been some nag dialog that I clicked away.
I don’t have much of a use for this tool since I don’t do much C/C++ programming but I wanted to give the team props for an excellent landing page at https://build2.org/ . It starts with two clear paragraphs that say what the tool does, and then lists its important features. I wish all tools had such a clear introduction!
Thank you to everyone involved in bringing us this excellent site!
IPV4 addresses.
Why do you need containers for running a single binary? I suppose it would make sense if everything else in the stack is running in containers and you want to create isolated networks, but part from that, idk. Perhaps someone could enlighten me?
I can think of two reasons. The first, as you say, is that you have some infrastructure for deploying containers, making things look like containers is useful. The second is that there’s often more to a system than just the program. You probably have configuration and data. The configuration is easy to add as a new container layer. The data may be stored in a separate service (e.g. accessed via the network) but if it’s filesystem based the container orchestration tools provide a good way of attaching filesystem trees to containers.
There’s also a bad reason: security. People often conflate containers (a distribution and orchestration model) with a specific isolation mechanism. On Linux this is a mess of cgroups, namespaces, and seccomp-bpf that keeps having security holes. On most cloud platforms, it’s VM isolation because the shared-kernel model doesn’t give sufficiently strong guarantee for tenant isolation.
There’s also a silly but real argument: cost. A lot of cloud providers have container billing that does finer accounting of memory and CPU usage than their IaaS (VM) services and so running a program on their container infrastructure is cheaper than running it on a rented VM.
Security is a really good reason. The “security holes” you’re talking about are kernel exploits - not enough for tenancy, certainly, but definitely nice given that putting something in a container is virtually free.
That said, it’s worth noting that this is a build tool.
For “security” using containers is not needed as you can have that on Linux without all that fuss. Just deploy binary and systemd’s unit for your service (which in case of single binary can be even within your binary with just single command away) and you are good to go. Much less stuff needed, and also this can give you some additional features that not all container runtimes provide.
If you want to use systemd, go for it. Obviously there’s nothing you can do with a container that can’t be done natively - but if you’re already using containers there’s some good stuff that you get “for free”.
Putting something in a container and checking the ‘isolation’ box on a cloud provider (gvisor on GCP and IIRC firecracker on AWS) is a lot easier than managing Linux hosts and configuring all of the security/isolation stuff yourself.
They are sometimes kernel exploits, they are sometimes misconfigurations in policy. For example, there was one that I recall that was caused by the fact that the Docker seccomp-bpf policy didn’t default to deny and so a kernel upgrade added a system call that allowed a container escape. Sometimes they’re exploits but, importantly, they’re exploits relative to a threat model that 99% of the kernel code was never written to consider. The Linux kernel still doesn’t really have a notion of a jailed process (unlike the FreeBSD or Solaris kernels) and so you are reliant on the kernel enforcing isolation built out of a set of distinct subsystems that were not designed together and where any kernel subsystem may forget a check.
You might want to run some benchmarks before deciding that it’s free. Depending on the workload, it can be as much as a 20% perf hit to run via
runcLinux versus running in the root namespace with no seccomp-bpf policy or custom cgroup. For others, the overhead is close to zero. The overhead can be even worse depending on the filesystem layering mechanism that your container platform is using (some of the union-based drivers can have a huge impact on anything with a moderately large disk I/O component).Sure. These are increasingly rare though.
I don’t really agree. The kernel has long had a security model of “unprivileged users should not be able to escalate privileges”. It has not had “privileged users should not be able to escalate to kernel” until much more recently.
I don’t know what notion of jailed you want but namespaces certainly seem to fit the bill. They’re a security boundary from the kernel that applies to a namespaced process.
Source?
I think the point here is that, yes, the Linux kernel is a security trashfire, but I think you are underestimating the effort to escape a sandbox. Building a reliable kernel exploit, even for an nday, can be weeks or months of work.
For a lot of stuff you could use a wide range of tools. For example Nomad’s (isolated) exec driver.
Regarding security. Running Go binaries with pledge and unveil is really easy and great.
Usually run it with this simple rc-script then, just replacing
my_binary:This is not always true though, because often these more “finer accounting” solutions have a higher price on their own, so it really depends on utilization.
Likely it’s for people who are running Kubernetes so everything has to be a container.
Binaries are not a deployable unit. Containers are.
I sort of see your point, but I’m inclined to argue the contrary. Statically linked binaries essentially are a deployable unit. Maybe you’d argue that containers can bundle configuration, but so can binaries. Maybe you’d make some distinction about “not needing to recompile the binary to change configuration” but you still need to rebuild the container which is the more expensive part by far (for a Go app, anyway), even with a decent hit rate on the build cache–there’s no fundamental difference between compiling a binary and running a Docker build except that the latter is wayyyyy more complex and expensive (in most cases, you need a daemon running installed rather than just a compiler/toolchain).
Containers are great for apps that can’t easily be distributed as a static binary (particularly when it would be very large, since container layers are individually addressable/cacheable) or for cases where you’re deploying a static binary in a containerized environment (e.g., your org uses k8s), but a single binary absolutely is a unit of deployment.
It isn’t though. Show me the cloud service that allows me to deploy a single Linux binary.
What cloud providers support isn’t useful for answering the question. One can easily imagine a cloud service that takes a static elf file and drops it into a firecracker VM—the reason this doesn’t exist (to my knowledge) is that their customers are typically deploying apps in languages that don’t have a good story for static ELF binaries (and the ones that are can just wrap their binaries in a container), not because ELF isn’t a deployment format.
updating code in a lambda with a zipped binary is significantly faster than with a binary in a container.
Typically containers run one app each anyway, but in my experience it’s just generally nice to have one unified format to build, distribute and run server side software. I can build an image on my windows computer, throw it onto my mac and it works with zero changes then I can push that same image up to our hosting provider and it runs there too, and we can switch hosting provider (which I have done a few times) with minimal effort. Sure, under the hood you’ve got EXE, ELF, DMG, PKG, etc on all the various operating systems but when it comes to getting production code live, containers really do make life easier!
Agreed, but I still think it would be cool if we orchestrators had decent support for ELF files. I’m pretty tired of creating all of these single-binary containers just because there’s no way to run binaries without taking on the full burden of managing one’s own hosts.
That’s a sensible requirement. How hard could it be for the hosting providers to detect an EXE / ELF file and just wrap it inside a stereotypical container? I’d think it’s something close to a five-line shell script.
This will be a useful link to have when some architecture astronaut says “we have to build microservices because that’s what Amazon does.”
This was a mis-division of a service. Because of the amount of data transfer they were getting absolutely shredded on egress. I don’t think it’s a sweeping argument against microservice architecture, as building with that mindset allowed them to design a monolith as a set of composable, independent programs.
Well, this isn’t all of prime video, it’s just one team for a part of the product (Video Quality Analysis). Not saying either way is better or worse, but Amazon has many teams, and this isn’t indicative of them as a whole.
Are there any alternatives to GitHub here?
It says it in the article:
It‘s probably up to other project to provide an integration.
In fewer words: no.
One company I worked for had a system with a read-only database replica. One of my co-workers noticed that the primary read/write db was very lightly loaded so he and I ripped out the replication code. Net result: the speed was the same and the system as a whole was simpler and easier to run. It turns out that the read-only replica was specified by an architect because “you always need one.”
I really wish that we could move past the “how dare people train AI on code that we gave away for free” thing.
Imagine, if you would, that Microsoft used cheap labor in Elbonia (some fictional nation, cribbed from the days when Dilbert was something to have on your cube wall) to implement copilot. In this thought experiment, these people spend all day reading code, getting some facility with it (arguable), and then mechanical turk questions submitted using knowledge gained by their reading.
If that’s okay, or okayish, we need to find some other reason to be upset about our current reality where we have replaced the Elbonians with AI–and I think that there is probably a good argument, but dear Lord I haven’t seen it presented as of yet.
Only public domain / CC0 code is given away for free. When I give away my code under the MIT license, it is on the condition that you acknowledge me when you create a derived work or build anything from my code. If you create anything that is a derived work of my code then you have a legal obligation to credit me.
If you pay a team of Elbonians to create derived works of my code without attribution then I would have standing sue you. If they read my code but then produced things that are independent creative works that are not derived works then I would not have standing to sue you.
The question for the courts is which of these the current systems are more like.
“code that we gave away for free as long as you follow these rules” - that’s where a lot of the concerns and unhappiness is coming from
Besides @david_chisnall’s excellent answer (which to me is the main one), I feel like there’s also a fundamental difference in scale. Similar to arguments about “it’s just metadata” and mass surveillance, I believe that there’s a phase change that occurs somewhere along the way once things get big enough. A few Elbonian’s reading some code here and there to learn to programmight be one thing. Million’s of Elbonian’s memorizing every line of code ever published on GitHub might be something else.
There’s also something that feels kind of skeevy about taking my free code and then selling it back to me as a service. I put my code out there because I want to see people make cool stuff with it and only ask that they give me credit for my part in their success. If someone wants to use my code as a component in an app (where the thing the app does is much more than just my code) with attribution, that’s one thing. A for-pay service that’s built around just selling that code back to me or to someone else without attribution is another thing entirely.
I think people can be upset with things regardless of what things they’re not upset at.
It’s fine to posit different scenarios but as soon as you make that scenario a discrediting argument then you are using a bad faith argument tactic known as a whataboutism. (It’s also a logical fallacy).
When I see argument tactics my brain short circuits and I get a bit sad. I want a community where we can hear others and express our opinions without these tactics. Can you consider reframing your thought experiment as a personal one rather than one that is discrediting OP?
I agree with your experiment as posed, but let me make a small twist: “In this thought experiment, these people spend all day reading code, getting some facility with it (arguable), and then cut-and-paste excerpts of the code to answer questions submitted using knowledge gained by their reading.” To me that’s not OK.
What if the elbonians read the code out verbatim? That’s the main problem here.
The second problem is that the ai model is a derivative work of the code it was fed; at least some of that code is agpl and the model has not been open sourced under the agpl.
Is it ok? I think that we have pretty heavyweight procedures for clean room engineering because it’s not ok.
Okay, here’s my presentation of it: I think that a machine learning model trained on my code is a derivative of that work. Most of my code is released under licenses that require reciprocation, so training proprietary models on that code is a violation of its license.
Microsoft / GitHub have fundamentally betrayed the trust of the community that created, used, and promoted GitHub in the open source / free software world.
I don’t think we should move past it, and in fact, I think that wherever possible, we should withdraw our support. I only maintain a GitHub account to contribute to open source projects that remain there; otherwise, I’m on Soucehut now, like the author.
58008
More generally, calculator spelling
My first thought, as well.