undefined | Better HN

0 pointssimion3141y ago0 comments

So you are afraid of evil packages but then you deploy them in production? So you are safe and screw your users ?

0 comments

Here’s a scenario: my development pipeline scans every package in the build but I can’t reach into a developer’s local shell session to prevent them from making a typo. Using a dev container changes that from “the attacker gets their data, keys, and anything their session credentials can access” to a more limited exposure and gives your other safeguards a chance to catch it.

simion314OP1y ago

So you force your devs to use your favortie IDE rhater then the best one? why not force them to use soem better stuff for this security purpose like virtual machines, docker , something that would be usefull for them to have experience with

acdha1y ago

This does use Docker - it’s literally just working in a container so it’s both useful experience and overlaps with your deployments so you avoid multiple layers of waste from VMs: everything is reproducible, people don’t hit problems due to untracked local state, and they don’t spend time on sysadmin work which isn’t directly related to what you deploy.

OutOfHere1y ago

Huh. That makes no sense. If I am experimenting with something, I won't necessarily deploy it.

simion314OP1y ago

I am 100% sure that everything you deploy you review? Maybe is safer to setup a secure environment for your system and for production if you use dangerous packages.

j / k navigate · click thread line to collapse

0 comments

acdha1y ago

simion314OP1y ago

acdha1y ago

OutOfHere1y ago

Huh. That makes no sense. If I am experimenting with something, I won't necessarily deploy it.

simion314OP1y ago

I am 100% sure that everything you deploy you review? Maybe is safer to setup a secure environment for your system and for production if you use dangerous packages.

j / k navigate · click thread line to collapse