week 09, 2022

Just say no to :latest

It breaks one of the core requirements of continuous delivery: reproducible, idempotent builds. This can cause problems at best when trying to build your project, and at worst in a production failure.

Source: Just say no to :latest, an article by David Norton.

City of the Dead

Los Angeles is a city of sunlight, celebrity, and possibility. The L.A. often experienced by Homicide Lt. Detective Milo Sturgis and psychologist Alex Delaware is a city of the dead.

Early one morning, the two of them find themselves in a neighborhood of pretty houses, pretty cars, and pretty people. The scene they encounter is anything but. A naked young man lies dead in the street, the apparent victim of a collision with a moving van hurtling through suburbia in the darkness. But any thoughts of accidental death vanish when a blood trail leads to a nearby home.

Inside, a young woman lies butchered. The identity of the male victim and his role in the horror remain elusive, but that of the woman creates additional questions. And adding to the shock, Alex has met her while working a convoluted child custody case. Cordelia Gannett was a self-styled internet influencer who’d gotten into legal troubles by palming herself off as a psychologist. Even after promising to desist, she’s found a loophole and has continued her online career, aiming to amass clicks and ads by cyber-coaching and cyber-counseling people plagued with relationship issues.

But upon closer examination, Alex and Milo discover that her own relationships are troublesome, including a tortured family history and a dubious personal past. Has that come back to haunt her in the worst way? Is the mystery man out in the street collateral damage or will he turn out to be the key to solving a grisly double homicide? As the psychologist and the detective explore L.A.'s meanest streets, they peel back layer after layer of secrets and encounter a savage, psychologically twisted, almost unthinkable motive for violence and bloodshed.

In the evening I started in City of the Dead, an Alex Delaware novel by Jonathan Kellerman.

Safe Pin Projections Through View Types

"Pinning" is one of the harder concepts to wrap your head around when writing async Rust. The idea is that we can mark something as: "This won't change memory addresses from this point forward". This allows self-referential pointers to work, which are needed for async borrowing over await points. Though that's what it's useful for. In practice, how we use it is (generally) through one of three techniques:

  • stack pinning: this puts an object on the stack and ensures it doesn't move.
  • heap pinning: using Box::pin to pin a type on the heap to ensure it doesn't move. This is often used as an alternative to stack pinning.
  • pin projections: convert from coarse: "This whole type is pinned" to more fine-grained: "Actually only these fields on the type need to be pinned".

Source: Safe Pin Projections Through View Types, an article by Yoshua Wuyts.

Beginner's Guide to Linkers

This article is intended to help C & C++ programmers understand the essentials of what the linker does. I've explained this to a number of colleagues over the years, so I decided it was time to write it down so that it's more widely available (and so that I don't have to explain it again).

Source: Beginner's Guide to Linkers, an article by David Drysdale.

Exclusive: ‘Mac Studio’ is coming

As Apple gets closer to its deadline for completing the transition from Intel Macs to Apple Silicon, the company is expected to introduce even more computers with its own chips this year. 9to5Mac has learned from sources that in addition to the rumored new Mac mini and Mac Pro, Apple has been developing a brand new “Mac Studio” computer.

Source: Exclusive: ‘Mac Studio’ is coming – is it the pro Mac mini or mini Mac Pro?, an article by Filipe Espósito.

Can Containers Escape?

On Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.

Fortunately, the default security hardenings in most container environments are enough to prevent container escape. Containers running with AppArmor or SELinux are protected. That being said, if you run containers without best practice hardenings, or with additional privileges, you may be at risk. The "Am I Affected?" section lists vulnerable container configurations and provides instructions on how to test whether a container environment is vulnerable.

Source: New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?, an article by Yuval Avrahami.

How to design better APIs

APIs are awesome, but they're also extremely hard to design. When creating an API from scratch, you need to get many details right. From basic security considerations to using the right HTTP methods, implementing authentication, deciding which requests and responses you should accept and return, ... the list goes on.

In this post, I'm trying my best to compress everything I know about what makes a good API. An API that your consumers will enjoy using. All tips are language-agnostic, so they apply to any framework or technology.

Source: How to design better APIs, an article by Ronald Blüthl.

Demystifying NaN for the working programmer

Easily the strangest thing about floating-point numbers is the floating-point value “NaN”. Short for “Not a Number”, even its name is a paradox. Only floating-point values can be NaN, meaning that from a type-system point of view, only numbers can be “not a number”. NaN’s actual behavior is even stranger, though. The most spectacular bit of weirdness is that NaN is not equal to itself.

Source: If it’s not a number, what is it? Demystifying NaN for the working programmer, an article by James Hart.

Paul (2011)

Two English comic book geeks traveling across the U.S. encounter an alien outside Area 51.

In the evening Esme, Alice, and I watched Paul. Esme and I had seen the movie before, but still, I liked the movie and give it a 7 out of 10.

Reproducing Go binaries byte-by-byte

Fully reproducible builds are important because they bridge the gap between auditable open source and convenient binary artifacts. Technologies like TUF and Binary Transparency provide accountability for what binaries are shipped to users, but that's of limited utility if there is no way (short of reverse engineering) of proving that the binary is in fact the result of compiling the intended source.

That's why the Debian project is putting tremendous effort into making packages reproducible. The good news is that Go builds are reproducible by default.

Source: Reproducing Go binaries byte-by-byte, an article by Filippo Valsorda.

Nftables - Demystifying IPsec expressions

In this article I'd like to take a look at the expressions provided by Nftables for matching IPsec-related network packets. The common situation is that you need to distinguish packets from normal traffic, which either have been received through a VPN tunnel and already have been decrypted, or packets which are to be sent out on a VPN tunnel but have not been encrypted yet. Those kinds of packets can be matched by these expressions within packet filtering rules. I'll explain how these expressions work, what they use as back-end, what their limitations are and how you can use them to get your intended behavior. Further, I take a short glimpse at the Iptables equivalent of these expressions.

Source: Nftables - Demystifying IPsec expressions, an article by Andrej Stender.

Debugging with GDB

During the last 5 years, I mostly worked with Python, and I really like debugging in Python. You’d just put a breakpoint() function call into your code somewhere and repl into the program. I wanted to see how close I get to that in C. As C is not an interpreted language, my hopes weren’t that high, but it turns out debugging in C is quite comfortable.

Source: Debugging with GDB, an article by Felix G. Knorr.

Nix Flakes: Packages and How to Use Them

A package is a bundle of files. These files could be program executables, resources such as stylesheets or images, or even a container image. Most of the time you don't deal with packages directly and instead you use a *package manager* (a program whose sole goal in life is to deal with packages) to do actions for you. This post is going to cover how to define packages in Nix and how Nix flakes let you manage multiple packages per project more easily.

Source: Nix Flakes: Packages and How to Use Them, an article by Christine Dodrill.

understanding higher-kinded types

Kinds and first-order types can help us understand type-classes (or generics) as a logical extension of the type system.

Higher-kinded types take that a step further and include first-order types in our generics. They provide the means to abstract over types which themselves abstract over types.

Source: understanding higher-kinded types, an article by Dan Soucy.

How to Really Use Git: 10 Rules to Make Git More Useful

Version control can be an incredibly helpful tool: it provides a safety net for mistakes, lets you understand how your project evolved - and, ultimately, it gives you the power to take the quality of your software development process to a whole new level.

But only if you know how to use version control and Git effectively. Here are 10 rules that can help you!

Source: How to Really Use Git: 10 Rules to Make Git More Useful, an article by Bruno Brito.