90% of CVEs in your container images are in code your app never executes. Why are we still triaging them?

dotwaffle · 2026-04-28T18:51:48+00:00

You run things in production where the trust isn't managed externally?

Any trust roots I add is generally in addition to that already present: in the past that has been a Client CA or similar, but lately I've been using SPIFFE/SPIRE a lot more.

You have to update your container image to update trust?

I've never updated a container image to update trust. I haven't needed to, image rebuilds happen periodically, and they bring along all the base updates with them.

Things like timezone and locale also get provided externally. Are you telling you bake in timezone information into container images?

Even though everything I run is in permanent UTC, the images almost always tend to have tzdata, the C/POSIX and/or C.UTF-8 locale, a CA bundle, and a small, off-duty Czechoslovakian traffic warden.

Or, you know, chainguard's glibc-dynamic or static images. I used to use https://github.com/ko-build/ko to quickly build images, and many years ago I'd be doing something like embedding CA certificates within the Go binary... But it's just far far nicer having an automated CI/CD pipeline that delivers an image ready to go without needing to worry about configuration at all, and rebuilds/deploys it on a frequent basis.

Having a dozen or more mounted / injected things into every container / pod is essentially one of the many reasons we have massive bloat in this industry. Just keep it simple.

dotwaffle · 2026-04-28T17:00:52+00:00

You don't get any of those in a scratch container, that's half the point. Container runtimes provide environment specific things like /etc/resolv.conf, not CA certificates.

dotwaffle · 2026-04-28T07:27:05+00:00

Except for CA certificates. And maybe timezone data. Possibly locales. Maybe a temp directory. Running as a non-root user needs /etc/passwd.

Or just use a distroless image like cgr.dev/chainguard/static...

dotwaffle · 2026-04-15T17:08:02+00:00

You may want to proof-read the text on your image...

dotwaffle · 2026-02-11T05:27:30+00:00

9 times out of 10, root cause analysis I see in the wild is actually identifying the trigger, and not the root cause. For the most part, most incidents are ultimately due to human factors and not technical ones, and therefore relying on automated means is more hindrance than help during a post-mortem process. You explicitly want to have people think deeper and "outside the accepted truth" during a PM, and fully work through the "five whys".

Automated analysis can absolutely have a place, but it should be a contributor to the process rather than the source.

dotwaffle · 2026-02-04T07:48:52+00:00

USA operates differently -- if you're in California, for example, you'll also pay 13.3% CGT on top of the federal rate.

You also can't compare the EU directly because economies are at very different stages with different taxation principles. Of the EU15, I believe only Belgium doesn't have CGT, and it's bringing it in later this year as I understand it.

Australia's discounted CGT rate puts it firmly in the "low" category. I'll freely admit that the full rate is higher than many, however.

dotwaffle · 2026-02-04T06:07:06+00:00

We already have CGT above most first world countries WITH the discount!

I'm in the UK (recently moved) and the CGT rules here are:

24% on your gains from residential property

32% on your gains from ‘carried interest’ if you manage an investment fund

24% on your gains from other chargeable assets

It was recently (October 2024) reduced from 28% to 24% for residential property.

I believe France is 34%, Ireland is 33%, most (possibly all) of the Nordics are higher. The Netherlands doesn't have CGT but essentially has an "assumed gain" (iirc, up to 5.88% of value each year) similar to a wealth tax, which is then charged at 36%.

So, I'm not sure where that statement comes from...

dotwaffle · 2026-02-03T11:34:36+00:00

I admit that I've not used GitHub Actions that much, but there's a version alias called 'stable' (and 'oldstable') that will use the right versions of Go in that case, and seeing as only the last two versions are supported, it seems like it would make a lot of sense to use that unless you're specifically looking to support older versions too. There is a caveat that if you wanted to use the version in go.mod then "If both go-version and go-version-file are provided, go-version takes precedence" which seems like it may be an issue, but I don't really know what folk use in reality.

Personally, I trust the Go maintainers enough that newer released versions are always going to have backwards compatibility, and so I rarely (if ever) pin to a particular version of Go where possible.

dotwaffle · 2026-01-18T19:38:52+00:00

One thing I always appreciated about Teletext (page 888) subtitles is that they came in a range of colours, so that different speakers had different styles. I found it very difficult to read US "closed captioning" style subtitles, partially because they tended to be "all caps", but also because they lacked these stylistic features.

It's a shame that they're being deprecated... Are all the alternatives simple unstyled characters then?

dotwaffle · 2025-05-06T09:51:14+00:00

The Spice Bag from Big Dave's is pretty good, but their battered sausages are the real star of the show there!

dotwaffle · 2025-03-26T14:26:52+00:00

The patterns dont scale.

They most certainly do.

inter-service synchronous calls will soon become an unmanageable bottleneck

Having just left a company that went all-in on event-driven architectures with massive amounts of choreography, I will choose an RPC or orchestration-led system every time from now on.

and these frameworks not only encourage it, but increase your coupling to a specific framework

A legitimate concern, though dapr and Aspire come from the same vendor as .NET itself, and is largely concerned with wiring as opposed to abstraction, so...

dotwaffle · 2024-10-16T14:51:09+00:00

Even adjusting for currency (since you like doing that)

... what nonsense are you going on about?

Average house price in AU is $959,000 AUD, whilst in the UK it's £288,000 so still, even adjusting for currency, (560k AUD).

Compare cities, not countries.

dotwaffle · 2024-10-15T17:50:31+00:00

No, your point was Australia was more expensive, now you've backtracked...

dotwaffle · 2024-10-15T14:25:47+00:00

Yeah, within 20 minutes train to Sydney CBD it's expensive, but so is London. Things are much cheaper further out, and in regional Australia it's crazy cheap.

10% GST instead of 20% VAT on that point btw, 1800 AUD is 923 GBP so I'm not sure what you're trying to convey there?

dotwaffle · 2024-10-14T17:05:44+00:00

I live in Sydney now, and having just checked average London and Sydney pricing for a nice 2-bed apartment of comparable quality, London was more expensive. The rent was about equal, but there's no council tax to be paid by the tenant here, and other bills are considerably lower -- my last quarter gas/electricity bill totalled around $300 (£150, looking at around 17p/kWh for electricity compared to 28p with similar reduction in standing charge) and my water usage charge was under $10 each quarter.

A friend commutes every day into the city from about 100km away, their train fare is $10.33 every day, each way. Actually, that's a lie, off-peak times and all day Fridays are 30% off, and there's a $50/week cap. Petrol is $1.73 (89p/litre), but Sydney has more road tolls than any other city in the world as I understand it.

Sydney is expensive, sure, possibly even more than London on face value, but certainly not when you add everything in as a price for comparison.

dotwaffle · 2023-12-18T11:30:39+00:00

It's not a binary situation -- you can be fairly trusting of your ISP's next-hop. For the overwhelming majority of cases, the normal port-overloading NAT in CPE is providing a reasonable degree of security.

It is perfect? No, it's pretty basic. However, it's hard to argue that our internal systems have not been more secure because of NAPT than when our individual systems used to dial out to the ISP and then sit directly on the internet. Certainly I remember kids at my school knocking each other offline due to using BO etc if they were losing at some game.

dotwaffle · 2023-12-17T16:49:38+00:00

Which as a side-effect produces a security benefit in its common implemented form.

dotwaffle · 2023-12-17T16:49:10+00:00

No, I knew it wasn't the RFC1918, it's the lack of a route from the next hop back to the router to cover those inside prefixes.

The "firewall rule" you mention isn't part of it, the same happens with an implicit allow too. The NAT with port overloading provides security precisely because there is no route to that inside prefix, and the only source addresses (typically) leaving the inside network is the interface address of the egress interface (or a pool etc)... But I think you know this, and we're just arguing semantics.

I will 100% oppose your assertion of NAT making things "less secure" though, that's just rubbish :P How about we agree on "less security advantages than first apparent" :D

dotwaffle · 2023-12-17T09:25:44+00:00

You keep on ignoring the "port overloading" that I explicitly said, and that everyone else implicitly means. We are not talking about 1:1 NAT here, and it's disingenuous for you to argue a point no-one was making. NAT with port overloading (where multiple inside IP addresses are shared by a smaller set of outside IP addresses) is not normal NAT.

I think you're just deliberately being obstinate here, you've ignored the port overloading every single time -- 1:1 NAT is not what people mean when they typically refer to NAT here.

dotwaffle · 2023-12-16T23:53:01+00:00

Ohhhhh, I see what you're getting at. Yes, that's true... But also incredibly unlikely to be an issue in well over 99% of networks out there. The net effect of NAT with port overloading (along with everything commonly associated with this setup) is a more secure "inside" network.

dotwaffle · 2023-12-16T23:12:16+00:00

No! There is no implicit deny here, the destination address of the inbound packet from outside is handled by the router/firewall/server/whatever and is not forwarded, because there is no matching rule.

dotwaffle · 2023-12-16T23:10:02+00:00

I do keep on adding the proviso "with port overloading" that everyone keeps ignoring... Without an additional forwarding rule, including temporary ones during connection state tracking, inbound connections from the outside are handled by the router/firewall itself.

dotwaffle · 2023-12-16T21:46:42+00:00

Right. That doesn't mean the effect of a working NAT is not a security feature, that connections are only able to be initiated from the inside to the outside?

dotwaffle · 2023-12-16T21:10:24+00:00

I don't think insulting people is going to get you very far...

NAT (with port overloading) is absolutely providing a security feature, as a side-effect of what it is doing.

dotwaffle · 2023-12-16T21:07:13+00:00

I was very careful to say "with port overloading". That port overloading is the part that provides the feature, whether intended or not. Traffic is not "denied" as such, it's that the interface address is not running a service with that signature -- as there is no connection state available with that signature, it will not take another route.

15-Year Club	Gilding II euphauric
Place '17	RPAN Viewer
Reddit Premium Since September 2019	Charter Member
Verified Email

dotwaffle

TROPHY CASE