Login

u/esiy0676

If you have been using Termius, there's sshid.io now
▲ 74 r/selfhosted

If you have been using Termius, there's sshid.io now

I put this under "password managers" because it will likely turn out to be the next great breach. Termius is probably known to many as their cross-platform SSH client.

I gave up some time ago when it started pushing sharing my private keys through their infra. I also went asking where this company is based, what they do, but it miraculously gets removed (do your own homework, I guess).

Now, I am still getting promo for: https://sshid.io

To each their own, they say, but I'd like to believe I am not the only one who can see where this will be another "injection" vector of another great (or silent) breach somewhere. Intentional or not, the design is utterly stupid.

That's all - just my opinion and maybe gives you a reason to take a second thought.

u/esiy0676 — 1 day ago
▲ 9 r/privacy

Back into the future of 1986?

I came across a BBC Archive video posted on YouTube:

> 1986: Email - the Perfect Tech for the Jet Set? | Micro Live | BBC Archive

[Apologies, but you have to look it up yourself, links not allowed in this sub because ... spam.]

With all the verification requirements going on and in general - need to have accounts everywhere - so that everything can be safe, I feel like this video might as well have been a look ... back into the future.

Imagine you want to send a memo to someone, but it needs to be from verified account, but then it has to go to another country, you might need to have another "registration" with authority there to even allow you to "cross-message", and then as the lady concludes her reportage:

> Until the [ISPs] get their act together ...

Oh yeah, that would be great, if they go on share all their data with everyone else, so that e.g. an authority in North Korea knows who made this snarky Reddit post ... oh well.

reddit.com
u/esiy0676 — 3 days ago
▲ 5 r/opensource

Radicle: peer-to-peer collaboration with Git

Radicle is a decentralized forge built on top of Git, however it is not federated, but entirely peer-to-peer, i.e. virtually serverless. In turn, this also means it is local-first: network access is only required for operations such as retrieving or sending changes. A repo is associated with signing keys, which allows its identity to be authenticated regardless of where it is stored. No one controls your Radicle node but yourself, repos cannot be deleted from your node by any third party.

Radicle is licensed under MIT/Apache and sources can be found at: https://radicle.network

This post is back from 2024, you will find more docs at: https://radicle.dev/guides

(While the funding organisation is Radworks (RAD token holders can participate in governance and operators can stake tokens and receive compensation from the network users), Radicle as such does not use any blockchain or cryptocurrency technology.)

lwn.net
u/esiy0676 — 4 days ago
▲ 6 r/Information_Security+1 crossposts

Deep Dive into XZ Utils Backdoor - Columbia Engineering, Advanced Systems Programming Guest Lecture

I did not find this particular lecture posted here before and it's the best one I have seen so far that covers what became the most famous backdoor of recent history - all in well under an hour (net duration, see chapters).

It is easily distinguished from all the others as it mainly focuses on the "second" part, i.e. how the exploit worked, including with a demo - and so not "just" how it got sneaked into the repo that intrigued many others the most instead.

youtube.com
u/esiy0676 — 8 days ago
▲ 0 r/github

When will Ubuntu 26.04 come as a GH runner?

I got the idea that 24.04 image came up as early as May, but no clue about 26. Not aware of any roadmap either.

reddit.com
u/esiy0676 — 8 days ago
▲ 10 r/programming

Reproducible Builds, a very brief summary of the last 12 years and a glimpse into the future

I have been trying to dig out more information about reproducible builds due to my own project only to find out that most devs do not really care - based on limited resources online. Users do not care either - not demanding it.

Shocked at how many devs do not even know about SOURCE_DATE_EPOCH - which means we do not care about security, despite tooling has supported this for years, I'd like to share this talk to spread the awareness.

PS Maybe you have your own 2 cents to comment, why it's not a priority for you.

youtube.com
u/esiy0676 — 12 days ago
▲ 75 r/devops

Reproducible Builds - why are we not doing it as standard?

First off, I have no interest in promoting any particular project, but a few days ago, an article showed up on [dev dot to] with title:

> Reproducible Builds: The Only Way to Verify Your Software Wasn't Tampered With

For some reason, I can't share that link, so I used the more generic one - in fact there's not that much dedicated posts on this topic, it seems. Anyhow, it's not about one particular project, but for discussion in general.

I have been after looking for established models of proving to the wider audience that releases of my OSS contain no malware and further that the supply chain does not use any dubious sources so to speak.

Typically, this can be done by making sure a build is reproducible and then - for many who do not feel like building on their own - demonstrating the reproducibility on some public platform, e.g. GH - this gives you best of both worlds - transparency and not depending on that platform - because it's building the same results, only digests need to published, no need to lock myself into releases, etc.

In the process of researching how to make my build truly reproducible and be able to demonstrate it, I figured there's very few devs out there who bother with the same. As if we spent all the energy on "must build on another machine", but not enough to make it truly reproducible.

It generally gave me a vibe the likes of 2000s era of self-signed certs (or just http) when no one cared.

I wonder how come "we" - as users - do not demand this now that there's all the tools available. Why does everyone get away with "the source is public" while no one seems to be seemingly checking, at least not regularly?

And as devs, do you have any good reasons not to bother to make your projects more transparent this way?

reproducible-builds.org
u/esiy0676 — 12 days ago
▲ 37 r/selfhosted

Leaving GitHub, or ... a sovereign approach to "hosting" a forge

I came across a post about "Leaving GitHub" (https://lord.io/leaving-github/) lately - one of many that started popping up after 2018 and while it revolves around discussing reasons and motivations (incl. of various other people) for taking the plunge, I particularly liked the Appendix A that shows there's other alternatives to forges that do not need to be centralised - because Git also was never meant to be a CVS.

In particular the federated and p2p working models are something I would like to see being prevalent in the future, so that there's no more "leaving GitHub" problems.

I do know that Forgejo was working on federation with ForgeFed (https://forgefed.org), but not sure about the state of things as of today. Another great project I found was git-bug (https://github.com/git-bug/git-bug) which specifically adds issue tracker into the repo itself seamlessly. For publishing your repos alone, there's also Stagit (https://codemadness.org/stagit.html), but from them all, Radicle (https://radicle.dev) is the most "back to the drawing board" one because it is essentially serverless.

What other projects do you use or know that allow you to be free and independent?

reddit.com
u/esiy0676 — 14 days ago
▲ 21 r/git+2 crossposts

> The future of Open Source Software (OSS) as a global public good is at risk. The need for a resilient, community-owned alternative has never been more urgent: OSS may have "taken over the world", but... did someone take control of OSS itself in the process, locking it into a proprietary platform, controlled by a single vendor? Is this still a sustainable path today, in the time of trade wars, volatile tariffs, GenAI mandates and countries fighting for data sovereignty?

> This talk will introduce you to Radicle, a new, decentralized code forge that's built on a peer-to-peer architecture. We'll explore how Radicle works and how it extends Git to create a secure and resilient network for code collaboration. We'll cover its peer-to-peer replication protocol, its decentralized identity system, and its novel approach to code discovery.

> This talk is for developers of all levels interested in the future of Open Source. You'll leave with a better understanding of the challenges involved in designing and running distributed, peer-to-peer systems. You'll also learn how you can start mirroring / migrating your code to the Radicle network, so you can #FreeYourCode !

u/esiy0676 — 9 days ago
▲ 22 r/github+2 crossposts

Ever since sfconservancy.org's campain to GiveUpGitHub of 2022 - and it's not just about GH - I am happy to bump into even the most niche sites/posts that help people appreciate the freedom of the free. Please, give this one a chance, at least reach the:

> What is "patch-based" code review?

lord.io
u/esiy0676 — 15 days ago
▲ 233 r/github+1 crossposts

Looking at it backwards - where is this heading? The official toolkit is falling behind, the action repos READMEs all state:

> We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time.

But then back in 2022, it was the toolkit that was primary, CLI not being worth to keep in sync (linked issue).

So: What other areas?

Is this a subliminal message to let co-pilot put something together without worrying much about any of the architecture? From the design standpoint, GHA looks like on life support, but that's nowhere it should be from the product lifecycle aspect of things.

My OP on r/github:

TL;DR I suppose some of the below might (if you will) be assigned to a "learning curve issue", but all in all and given Microsoft's budget: Are GHA basically a "launch and forget" product? Is the official toolkit supposed to become "outsourced" to the Marketplace?

Is this meant to be production quality tooling? Because it feels a bit like an experiment that got abandoned.

I went to build a relatively simple pipeline with a couple of reusable workflows, bunch of composite actions and make use of GHCR where the images that are used to run the jobs reside - they are built from workflows too. There's been quite a few gotchas to me so far.

Workflows and composite actions discrepancies

  • workflows can define top-level env, actions cannot
  • workflows can (in fact, must) pass in secrets
  • actions do not support secrets (and one better remembers to ::addmask:: on anything passed in)
  • workflows must define types on inputs strictly (and it ends up being string all of the time)
  • workflows must not define types on secrets
  • actions must not define types on inputs

Reusable workflows do not get anything checked out with them, not even if called from separate repo, but composite actions do get everything checked out alongside in that case - in fact all the other actions from their repo get checked out.

There's no reasonable way to share inputs between workflow_call: and repository_dispatch:, i.e. one needs to make extra job to reconcile inputs in these two cases even it could be all structured the same in client_payload.

Composite actions have not been designed to be nested when sharing the same repo, i.e. calling one from within another requires one to fully specify the user/repo/action@ref even if it is meant to use the very same one, thus making it necessary to keep updating @ref for every push - or avoid using the construct altogether and resort to e.g. shared scripts.

Aside: Debugging

Talking of scripts, one cannot see outputs unless tee -a $GITHUB_OUTPUT >&2, which makes one want to use multi-line HEREDOC - not exactly robust approach. And that only works for steps, obviously.

Then having shell run by default with set -e with no indication on which line it exited is a bit of a nightmare. Either good for running single-liners, always setting own trap <echo> ERR or resorting to copious error output that kills readability of CI scripting, always.

I suppose the single-liners were expected because every Run folds into its first line which is best to be some # summary comment since description is not supported on steps. Alas, calling actions has to be with no comments.

The initial temptation to have anything multi-line inside scripts that are then single-liners however results in the realisation that - see above - workflows do not get them checked out.

About jobs

It is impossible to share matrix between jobs, as if the env is evaluated in the same pass - it cannot be used as a constant, so the workaround is to set repository variable and then strategy: matrix: field: ${{ fromJson(vars.CONST) }} in each job - or keep doing copy/paste.

Running jobs in containers does not allow for the very basics to be specified to be meaningful, i.o.w. one cannot really - within the YAML syntax - run the equivalent of e.g. podman run --rm --network=none <...> and select mounts only. In fact, one gets extra stuff (node et al) always mounted. Goodbye hermetic-anything.

Official Actions falling behind

Even though GHCR is a GH product, the accompanying GH actions are rusting, e.g. the actions/delete-package-versions has not been updated since January 2024 and is thus throwing EOL Node warnings.

Even the daily driver actions are somewhat falling behind, e.g. actions/download-artifact keeps throwing: [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. and it seems to be recurrent issue over a long period. I understand deprecation is not a failure, but - this used to be sign of unmaintained software.

And then others where the need naturally come from GHA runs, e.g. creating releases got completely abandoned and one has to resort to the Marketplace or run their own gh CLI.

CLI that is "too much work to keep parity"

At the same time, actions/upload-artifact do not even have a CLI equivalent because "it would be too much work replicating".

u/esiy0676 — 8 days ago