The only reason someone would need access to the management account would be maintaining child accounts and IAM roles or reviewing logs, none of which should need root.
Does it? Pretty sure that logging in as root generates one CloudTrail event per action, regardless of whether you did it with a saved password or you reset the password. Resetting the password doesn't generate a CloudTrail event as far as I've seen.
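The practical check behind this exchange is whether the management account's CloudTrail shows any root activity at all. The script below is an added example, not code from the thread: it filters CloudTrail records by `userIdentity.type == "Root"` and tags each one as a console login (with or without MFA), a root password-recovery event, or an ordinary API call made as root. The records are constructed sample data with a placeholder account ID; the event names and field paths are the standard CloudTrail ones.

```ruby
require "json"

# Constructed sample CloudTrail records (not real account data).
# Account ID and ARNs are placeholders.
SAMPLE_RECORDS = <<~JSON
  {"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OrgAdmin/alice"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"}}
  ]}
JSON

# CloudTrail event names emitted by signin.amazonaws.com for the root
# password-recovery flow.
RECOVERY_EVENTS = %w[PasswordRecoveryRequested PasswordRecoveryCompleted].freeze

# Every record performed by the root principal, regardless of service.
def root_events(json_text)
  JSON.parse(json_text).fetch("Records").select do |r|
    r.dig("userIdentity", "type") == "Root"
  end
end

# Tag a root event by what kind of root activity it represents.
def classify(event)
  name = event["eventName"]
  if RECOVERY_EVENTS.include?(name)
    :password_recovery
  elsif name == "ConsoleLogin"
    event.dig("additionalEventData", "MFAUsed") == "Yes" ? :console_login_mfa : :console_login_no_mfa
  else
    :root_api_call
  end
end

# Flat list of findings suitable for alerting; an empty list is the goal
# for a management account that is only ever used via IAM roles.
def root_findings(json_text)
  root_events(json_text).map do |e|
    { time: e["eventTime"], name: e["eventName"], source: e["eventSource"], kind: classify(e) }
  end
end

if __FILE__ == $PROGRAM_NAME
  root_findings(SAMPLE_RECORDS).each do |f|
    puts "#{f[:time]} #{f[:source]} #{f[:name]} -> #{f[:kind]}"
  end
end
```

The AssumeRole record is dropped because its `userIdentity.type` is `AssumedRole`, which is what you want to see for routine organization maintenance; anything left over is a root session worth explaining.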
The problem, as with every package manager, is transitive dependencies. It's all well and good to set up direct dependencies to only pull from git repositories, but bundler still needs a way to resolve those gems' dependencies.
You could pre-resolve every dependency in your chain to a git repository, even to a fork under your own control, but that will end up being a maintenance nightmare.
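To see how much of a chain actually escapes the index, it helps to read the lockfile rather than the Gemfile: every gem under a `GEM` block was resolved through a gem server, every gem under a `GIT` block was pinned to a revision. The script below is an added example, not code from the thread or from bundler: it parses a constructed `Gemfile.lock` (gem names, versions and the `example-org` remote are illustrative) and reports which gems still come from an index, and which of those are pure transitive pulls that nobody listed in `DEPENDENCIES`.

```ruby
# Constructed sample lockfile; names, versions and remotes are illustrative.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/example-org/widget.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      widget (2.1.0)
        nokogiri (~> 1.15)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.4)
        racc (~> 1.4)
      racc (1.7.1)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    widget!

  BUNDLED WITH
     2.4.10
LOCK

LockedGem = Struct.new(:name, :version, :source, :remote)

# Parse a Gemfile.lock into {name => LockedGem} plus the direct dependency names.
# Section headers sit at column 0; "remote:"/"specs:" at 2 spaces; resolved gems
# at 4 spaces; a gem's own constraints at 6 spaces (ignored, since each resolved
# dependency also appears as its own 4-space entry).
def parse_lockfile(text)
  gems = {}
  direct = []
  section = nil
  remote = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/
      section = line.strip
      remote = nil
      in_specs = false
      next
    end
    case section
    when "GIT", "GEM", "PATH"
      stripped = line.strip
      if stripped.start_with?("remote: ")
        remote = stripped.sub("remote: ", "")
      elsif stripped == "specs:"
        in_specs = true
      elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
        gems[$1] = LockedGem.new($1, $2, section.downcase, remote)
      end
    when "DEPENDENCIES"
      # "widget!" marks a gem with a non-index source; "(~> 1.0)" is a constraint.
      direct << line.strip.sub(/!\z/, "").sub(/ \(.*\)\z/, "")
    end
  end
  [gems, direct]
end

# Gems bundler had to resolve through an index rather than a git pin.
def index_resolved(gems)
  gems.values.select { |g| g.source == "gem" }
end

# Index-resolved gems nobody asked for directly: the transitive surface.
def transitive_index_gems(gems, direct)
  index_resolved(gems).reject { |g| direct.include?(g.name) }.map(&:name).sort
end

if __FILE__ == $PROGRAM_NAME
  gems, direct = parse_lockfile(SAMPLE_LOCK)
  puts "git-pinned:         #{gems.values.select { |g| g.source == 'git' }.map(&:name).join(', ')}"
  puts "index-resolved:     #{index_resolved(gems).map(&:name).sort.join(', ')}"
  puts "transitive (index): #{transitive_index_gems(gems, direct).join(', ')}"
end
```

In the sample, pinning `widget` to git does nothing for `nokogiri` and `racc`: they are still resolved against `https://rubygems.org/`, which is the maintenance problem the comment describes if you try to chase every one of them into a fork.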
Can't a middle-ground compromise happen, as it does in something like golang?
Can some VPS/serverless provider not do this, like fly.io (a recent example, Kurt got got) or Hetzner?
I think that golang's model can actually be somewhat cheaper/more cost effective for servers compared to how Ruby might be doing it right now, and so cheaper might mean that a new non-profit can be created which can work on less money/outside funding/drama overall.
Retrofitting Go's dependency model into Ruby is not trivial. Go has used full URLs for dependencies from the jump, making a central package repository irrelevant. Ruby doesn't have that. At best you might have a source code URL in the gem source that you can access from a gem server, but that doesn't really change anything. Someone still has to provide the index.
> I think that golang's model can actually be somewhat cheaper/more cost effective for servers compared to how Ruby might be doing it right now, and so cheaper might mean that a new non-profit can be created which can work on less money/outside funding/drama overall.
It also means no code signing and the natural capture of most of the ecosystem by Microsoft (due to devs preferring to host their code on GitHub, a bundler that lacks package hosting will be entirely at the whim of MS).
If you are worried about GitHub/MS capture...
Then my suggestion is to just create mirrors of golang projects you like on GitLab/Codeberg.
But this is so so much better than having arko or somebody having your PII.
Like, I hate GitHub, but I am pretty sure that people there aren't actively looking for my PII when I download Go projects, or that a single person couldn't really access it, I suppose.
I am not really familiar, but if I remember right, with the Heads project related to coreboot, isn't there a way to sign your GitHub repository with your SSH key or something related? (I can be wrong, I usually am.)
Like, I know it could be a pain in the ass, but if you are so worried about GitHub, what if we could optionally have everything be GPG'd via SSH keys, and the project could only work if someone shares an SSH key?
And something like RubyGems could just have a name <-> GitHub mapping <-> GPG mapping. It might require some additional software right now, but I am just giving ideas, maybe for new languages as well, I am not sure.
What are your thoughts? And what do you think the ideal way could be? I have heard from many people (like Primeagen) that golang is the best package model, and I also resonate with that statement, but yeah, GitHub is a bit of a menace/threat to open source.
All the more reason to use something like Codeberg!
First, sorry for you and your friend. Mental decline is terrifying and I can only imagine how difficult it is to deal with like that.
Could you say more about what your friend did differently than you and what makes it so difficult? Are/were they self hosting but don't remember how it all works?
With no insider knowledge whatsoever I can assure you that they do. Large enterprise shops always have these things cached because why take a hard deploy-time external dependency when you can spin up a rubygems (etc) cache backed entirely by your object storage of choice.
Former Shopifolk here. As of 2022 - 2023 they had some private packages in their SCM and an internal Artifactory deployment that was a caching proxy of RubyGems and other upstream dependencies. This may have changed since, but as far as I'm aware many Shopify devs occasionally volunteer time and fixes to RubyGems and related projects.
They certainly have the capacity to run their own full-on mirror service, but I doubt they have serious incentive to do so given existing controls and culture re: Ruby and OSS contributions.
Ultimately the US taxpayers will eat the loss in either case. If the government tried to charge it back to Lockheed Martin they'd just raise the price on subsequent programs to compensate.
The government does insure weapons of war. Who would write the policy?
is insurance for military equipment a thing? I had no idea.
If you have very deep pockets like a nation has, why not simply replace the lost hardware and never insure/pay premiums (which would be calculated to net a profit to the insurer)?
It's not really custom. It's industry standard protocols for connecting independent (one might say "autonomous") networks.
Tailscale is this on easy mode, of course. There's a blog post by apenwarr somewhere that I can't find right now that lays out the fundamental thesis of Tailscale, and it's very similar to these folks' manifesto.