InsanityBit

547 Followers
174 Following
439 Posts

Working on Cloud SIEM at Datadog

Previously:
CEO/Founder of Grapl, Inc.
Developer on InsightIDR at Rapid7
Security Engineer on DART at Dropbox

lmfao copilot just flat out filling in a comment saying "TODO: this is terrible" what the fuck
Just absolutely insane. I'll never get over this. I can leave details out and it just figures it out. GPT is insane.
this is just insane
This is absolutely insane
vegito vs toppo would not be close wtf
wtf vegeto would crush jiren

cargo-sandbox is working with riff/nix. This repo contains protobuf definitions and a prost build step - no extra work was done to install protoc, riff takes care of it automagically.

This is actually a smoother-than-default experience.

Still not ready to publish this to crates.io, I have some big questions to answer. In particular, I want to land on an architecture that's cleaner than what I have now.

One thing I'm also considering is if docker is necessary. I've done plenty of work with seccomp, namespaces, and other technologies manually in the past. People seem to dislike the reliance on Docker and I have some concerns about xplat. I'll have to give this some more thought.

Ultimately, I'm pleased with how the project is progressing. This represents a very meaningful improvement to security given a malicious or compromised dependency.

#rust #infosec

I thought that these cookie config prompts had to default to not selling your data?

Got a very very basic working version of what I'm currently calling "cargo-sandboxed".

The idea is simple. Different commands get different docker containers. The docker containers act as a barrier against attackers who can execute code as part of cargo's normal workflow (build scripts, proc macros) who are trying to compromise the developer's overall environment.

There are separate build + publish containers (so that your API key is isolated from any build scripts).

For now I'm using a basic container setup but I'll harden it more in the future, plus eventually I can consider other options like microvms.

#rust #infosec
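The per-phase container split described in the post above, written out as an added example (this is not cargo-sandboxed's own code). It assumes the official `rust:1-slim` image, a named volume `cargo-sandbox-registry` for the crate cache, and a crate directory without spaces in its path; it goes one step further than the post by also cutting the network during the build phase, where build scripts and proc macros run.

```shell
#!/bin/sh
# Added example, not the cargo-sandboxed project's code. Each cargo phase runs
# in its own docker container; only the publish container receives the registry
# token, so build scripts and proc macros executed during the build cannot read
# it. Image name, volume name and mount paths below are assumptions.

IMAGE="${CARGO_SANDBOX_IMAGE:-rust:1-slim}"     # assumed base image
SRC="${CARGO_SANDBOX_SRC:-$PWD}"                # crate directory (no spaces assumed)
REGISTRY_VOL="cargo-sandbox-registry"           # assumed named volume for the crate cache

# Restrictions shared by every phase: drop all capabilities, forbid setuid
# escalation, give cargo a tmpfs for scratch files, run as the invoking user so
# target/ is not left owned by root, and share only the crate dir and cache.
common_flags() {
  flags="--rm --cap-drop=ALL --security-opt=no-new-privileges"
  flags="$flags --tmpfs /tmp --user $(id -u):$(id -g)"
  flags="$flags -v $SRC:/work -w /work -v $REGISTRY_VOL:/usr/local/cargo/registry"
  echo "$flags"
}

# Phase 1: resolve and download dependencies. Needs the network, executes no
# build scripts or proc macros, and receives no token.
fetch_cmd() {
  echo "docker run $(common_flags) $IMAGE cargo fetch"
}

# Phase 2: compile. Third-party build scripts and proc macros execute here, so
# the container gets no network and no token; --offline restricts cargo to what
# phase 1 already downloaded into the registry volume.
build_cmd() {
  echo "docker run $(common_flags) --network=none $IMAGE cargo build --offline"
}

# Phase 3: publish. The token enters only here, taken from the host environment
# by "-e CARGO_REGISTRY_TOKEN" (docker copies the value, so it never appears on
# the command line). --no-verify skips the rebuild cargo publish would otherwise
# perform, so no dependency code runs in the same container as the token.
publish_cmd() {
  echo "docker run $(common_flags) -e CARGO_REGISTRY_TOKEN $IMAGE cargo publish --no-verify"
}

# Dispatch: ./cargo-phases.sh fetch|build|publish (does nothing without an argument).
case "${1:-}" in
  fetch)   eval "$(fetch_cmd)" ;;
  build)   eval "$(build_cmd)" ;;
  publish) eval "$(publish_cmd)" ;;
  *)       : ;;
esac
```

The `--no-verify` on publish is the part that is easy to miss: without it, `cargo publish` rebuilds the package, which would run build scripts and proc macros in the one container that holds the token and undo the separation. Running `build` before `publish` covers the verification step in the isolated container instead.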

Seriously, every time I run back into this... I just can't.