Hacker News | clbrmbr's comments

I have found it very difficult to use aider as it makes many changes I don’t always agree with. Personally, I either use Cursor to make edits, or ask oh one to write a whole script or single-file module.

Wireshark is to tcpdump as stratoshark is to strace.

Did I get the analogy right?


Pretty much. It's part of the same ecosystem as Sysdig OSS[1], which works much like strace. It uses the same underlying libraries as sysdig and Falco, and you can move capture files between them.

It'd be interesting to see if we can integrate more fully with strace as well, but that might require updating strace itself.

[1] https://github.com/draios/sysdig


Why is it talking about clouds and stratospheres then? strace is pretty far from "the cloud" isn't it?

With the falco plugins [1] a broad range of "cloud native" services can be captured in Stratoshark. At the moment we have AWS cloudtrail and GCP Audit included in the macOS and Win installers.

[1] https://github.com/falcosecurity/plugins?tab=readme-ov-file#...


As a user of PyPI, what’s a best practice to protect against compromised libraries?

I fear that freezing the version number is inadequate because attackers (who don’t forget, control the dependency) could change the git tag and redeploy a commonly used version with different code.

Is it really viable to use hashes to lock the requirements.txt?


Release files on PyPI are immutable: an attacker can’t overwrite a pre-existing file for a version. So if you pin to an exact version, you are (in principle) protected from downloading a new malicious one.

The main caveat to the above is that files are immutable on PyPI, but releases are not. So an attacker can’t overwrite an existing file (or delete and replace one), but they can always add a more specific distribution to a release if one doesn’t already exist. In practice, this means that a release that doesn’t have an arm64 wheel (for example) could have one uploaded to it.

TL;DR: pinning to a version is suitable for most settings; pinning to the exact set of hashes for that version’s file will prevent new files from being added to that version without you knowing.
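As an added example (not from the comment above, nor code from pip or PyPI), a small checker written around pip's own `--hash=sha256:` requirement syntax: it pins the two files a version had when the lock was written, then rejects a wheel that shows up on the same release later. The package name, file names and file bytes are constructed so it runs offline.

```python
import hashlib
import re

# pip's hash-pinning syntax: "pkg==1.0.0 --hash=sha256:<hex> ..."
# (the form `pip-compile --generate-hashes` or `pip hash` produce).
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")

def parse_requirements(text):
    """Return {(name, version): set of sha256 hex digests}; backslash
    continuation lines are joined first, as pip does."""
    pinned = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        key = (m.group("name").lower(), m.group("version"))
        pinned[key] = {h.group("digest") for h in HASH_RE.finditer(line)}
    return pinned

def check_release_files(pinned, name, version, release_files):
    """release_files is {filename: bytes} for one release. A file whose
    sha256 is not in the pinned set is rejected, which is how a file
    uploaded to the release after the pin was taken gets caught."""
    allowed = pinned.get((name.lower(), version), set())
    accepted, rejected = [], []
    for fname, data in release_files.items():
        digest = hashlib.sha256(data).hexdigest()
        (accepted if digest in allowed else rejected).append(fname)
    return sorted(accepted), sorted(rejected)

# Constructed stand-ins for the files served when the pin was made ...
ORIGINAL_FILES = {
    "examplepkg-1.0.0-py3-none-any.whl": b"constructed wheel bytes",
    "examplepkg-1.0.0.tar.gz": b"constructed sdist bytes",
}
# ... and for a wheel added to the same version afterwards (constructed).
ADDED_LATER = {"examplepkg-1.0.0-cp312-cp312-manylinux2014_aarch64.whl": b"new"}

def lock_line(name, version, files):
    """Emit the pin with one --hash per file, in pip's multi-line style."""
    hashes = [f"    --hash=sha256:{hashlib.sha256(d).hexdigest()}" for d in files.values()]
    return " \\\n".join([f"{name}=={version}"] + hashes) + "\n"

def demo():
    pinned = parse_requirements(lock_line("examplepkg", "1.0.0", ORIGINAL_FILES))
    return check_release_files(pinned, "examplepkg", "1.0.0", {**ORIGINAL_FILES, **ADDED_LATER})
```

`demo()` returns the two original files as accepted and the later-added wheel as rejected; a version-only pin would have accepted all three.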


The best practice is to reduce your dependencies.

Trim your requirements.txt


Your software should execute as little code written outside your offices as possible.


That seems like short-sighted advice. My company probably isn't paying me to write crypto, web frameworks, database drivers, etc. If it's not where I'm adding business value, I would generally try to use a third-party solution, assuming there's no stdlib equivalent. That likely means my code is an overwhelming minority of what gets executed.

If C dominates your codebase or you're squeezing out every inch of performance, then sure, you may well have written everything libc is missing. In Python, or another language that has a thriving ecosystem of third-party packages, it seems wasteful to write it all in-house.


They aren't paying you to integrate a bunch of third-party dependencies either, especially not when you could be using the time to generate actual business value.

The specific examples you listed are usually fine for generic SaaS companies (I'd usually object to a "full" web framework), but advice of the flavor "most code should be your own" is advocating for a transitive dependency list you can actually understand.

Anecdotally, by far the worst bugs I've ever had to triage were all in 3rd-party frameworks or in the mess created by adapting the code the business cares about into the shape a library demands (impedance mismatches). They're also the nastiest to fix since you don't own the code and are faced with a slow update schedule, forking, writing it yourself _anyway_ (and now probably in the impedance-mismatched API you used to talk to the last version instead of what your application actually wants), or adding an extra layer of hacks to insulate yourself from the problem.

That, combined with just how easy it is to write most software a business needs, pushes me to avoid most dependencies. It's really freeing to own enough of the code that when somebody asks for a new feature you can immediately put the right code in the right spot and generate business value instead of fighting with this or that framework.


"They aren't paying you to integrate a bunch of third-party dependencies either, especially not when you could be using the time to generate actual business value."

They might, but in my experience, it's bottom-of-the-barrel clients playing out of their league. For example, a single store that is using Shopify and wants to migrate to their own website because the fees are too high might pay $500-1000 for you to build something with WordPress and WooCommerce, or worse, a MySQL/React website.


It's a fine balance.

You win most of the time, until you get log4jed or left-padded. Then my company survives you.

Also, I might win even without vulns. I don't write frameworks, I just write the service or website directly. And fewer abstractions and less 3rd-party code can mean more quality.


Especially those without a commercial contract. I'm fine paying for an API, but what is unprofessional is installing random stuff from github.com/GuyProgrammer/Project78 with an anime girl as a profile pic.


It surprises me how much companies rely on that kind of project without 1) making a proper assessment and 2) cloning the project to ensure it isn't tampered with in the future.


Not only do they not clone projects or freeze their dependencies, but they are pressured to constantly update to the latest version to avoid vulnerabilities (while introducing the risk of new ones).


Download the libraries' real source repos, apply static analysis tools, audit the source code manually, then build wheels from source instead of using prebuilt stuff from PyPI. Repeat for every update of every library. Publish your audits using crev, so others can benefit from them. Push the Python community to think about Reproducible Builds and Bootstrappable Builds.

https://github.com/crev-dev/ https://reproducible-builds.org/ https://bootstrappable.org/


This is where tools like Poetry and uv with lock files shine. The lock files contain all transient dependencies (like pip freeze), but they do it automatically.


Are you sure PyPI allows modifying an old published package?

Lock files may contain hashes.


It could be interesting to find the shortest solution. But the site is not set up for verifying solutions in various languages.


I once designed and configured a satellite-microwave hybrid network for a large US customer with field offices around Borneo. I’ll never forget making the leased line handoffs back in Jakarta. I had exactly zero experience doing this so I googled around and read that BGP is what you would use to connect between our OSPF/UBNT net and their IGRP/Cisco corporate WAN. When asked to configure BGP on their routers, the guys from Tata were like “what do you think you are AT&T or something?” We did kind of feel that way until one season of lightning strikes took out most of our AirFibers.


I see “just” as an invitation to win the argument by agreeing with the person. “Ooo yeah good idea, I think we could. Can you help me think through this?” — And then they ideally proceed to come around to essentially what you wanted to do anyways.


How they tested the cable during laying:

> At least once in every five minutes the cable was used as a condenser. A charge from a battery of about one hundred cells was given and in turn discharged through a properly shunted Sullivan galvanometer and the “throw” of the needle carefully noted.

Note that “condenser” means “capacitor”.

---

Another good read is the biography of Oliver Heaviside who is famed for his (armchair) contributions to both wireless and subsea communications!


“Failed to generate result”


Sounds about right for me


That’s a problem for Europe but not so much the USA. We should not have a Chinese company controlling our information infrastructure to this degree.

It’s divestiture or ban, not just a ban.


We should not have a US company controlling our information infrastructure


Indeed, PeerTube is preferable.


I used to be super productive at the raw keyboard. Then RSI got to me. But with CoPilot, I’m back to my normal productivity. For me it’s a life-saver as it allows fast typing with minimal hand strain.

