cosmopolitan VS packj

Compare cosmopolitan and packj and see how they differ.

               cosmopolitan    packj
Mentions       201             38
Stars          15,241          616
Growth         -               3.6%
Activity       9.8             7.2
Last commit    4 days ago      about 1 month ago
Language       C               Python
License        ISC License     GNU Affero General Public License v3.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

cosmopolitan

Posts with mentions or reviews of cosmopolitan. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-04-15.
  • Python Is Portable
    6 projects | news.ycombinator.com | 15 Apr 2024
    The reality is a bit different, the work on Python 3.6 was checked into the Cosmopolitan repo and I have been able to use it for production workloads that are in pure python. [0]

    As Cosmopolitan Libc has evolved, it has been possible to compile more software without modifications, and that includes latest Python through a project called superconfigure[1].

    Last person who tried to reproduce it from scratch did it last week (granted it took them a few days of solid work) but in the end they ended with a portable binary with Python 3.11.9, brotli, ssl and asyncio for their work related project.[2]

    [0] https://github.com/jart/cosmopolitan/tree/master/third_party...

  • Ask HN: What Underrated Open Source Project Deserves More Recognition?
    63 projects | news.ycombinator.com | 7 Mar 2024
    Cosmopolitan https://github.com/jart/cosmopolitan and https://justine.lol/cosmopolitan/index.html

    Some genius realized that you can actually embed valid win32 programs inside valid posix shell scripts, and found a way to make a C cross-platform solution out of it, meaning that you can write C programs that compile to a single executable that will run on (quoting the site) Linux + Mac + Windows + FreeBSD + OpenBSD + NetBSD + BIOS

    It all started from this post.

  • Cosmopolitan – build-once run-anywhere C library
    1 project | news.ycombinator.com | 16 Feb 2024
  • Show HN: Usr/bin/env Docker run
    4 projects | news.ycombinator.com | 13 Jan 2024
    For this .args file, put one argument per line. This will run on start. You can use `/zip/mydepencency.anything` to read from files, but if you have an executable dependency you'll need to extract it first.

    You can do this with any software you can compile with cosmocc, by adding a call to LoadZipArgs[1] in the main function.

    It's easy to get started, your ideas will branch out as soon as you start playing with it.

    [1]: https://github.com/jart/cosmopolitan/blob/master/tool/args/a...

  • Libwebsockets
    6 projects | news.ycombinator.com | 6 Jan 2024
    FWIW there is ongoing work with good progress to add websocket support to redbean (https://github.com/jart/cosmopolitan/pull/967)
  • Release Cosmopolitan v3.2
    1 project | news.ycombinator.com | 5 Jan 2024
  • Cosmopolitan v3.2
    1 project | news.ycombinator.com | 5 Jan 2024
  • Ask HN: ANSI escape sequences reference docs?
    1 project | news.ycombinator.com | 2 Jan 2024
    Check out this comment by jart (cosmopolitan author) here: https://github.com/jart/cosmopolitan/issues/766#issuecomment...

    It might help but not sure how comprehensive it is! Would it be a bad idea for you to check out the source code of other popular emulators (maybe iTerm 2^0)?

    0: https://github.com/search?q=repo%3Agnachman%2FiTerm2%20ansi&...

  • Actually Portable Vim (With a Cute Vimrc)
    4 projects | news.ycombinator.com | 25 Dec 2023
    The binary was compiled with Cosmopolitan Libc [0], and therefore the binary will execute natively on Linux, Mac, Windows, FreeBSD, OpenBSD, NetBSD, and bare metal (BIOS boot).

    I would call that portable.

    [0] https://github.com/jart/cosmopolitan

  • Show HN: PyApp – runtime installer for Python applications
    5 projects | news.ycombinator.com | 13 Dec 2023
    Will go on my "to try" list where I already have cosmopolitan [2]. My last setup (windows) was shiv + wine + nsis (used that as pyinstaller had some issues)[2]

    [1] https://github.com/jart/cosmopolitan/issues/141#issuecomment...

packj

Posts with mentions or reviews of packj. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-11-14.
  • Rust Without Crates.io
    5 projects | news.ycombinator.com | 14 Nov 2023
    Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

    1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

  • A Study of Malicious Code in PyPI Ecosystem
    4 projects | news.ycombinator.com | 8 Sep 2023
    Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev do today on these packages to help determine risk?

    https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

    Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?

  • How to use Podman inside of a container
    4 projects | news.ycombinator.com | 26 Apr 2023
    I built Packj [1] sandboxing for securing “pip/NPM install”. It uses strace for sandboxing and blocks access to sensitive files and limits traffic to known-good IP addresses.

    1. https://github.com/ossillate-inc/packj

  • NPM Provenance Public Beta
    5 projects | news.ycombinator.com | 19 Apr 2023
    Great work! This provenance check is going to be very valuable for enforcing supply-chain security. We are working on adding support to check for provenance in Packj.

    1. https://github.com/ossillate-inc/packj flags risky/malicious NPM/PyPI/Ruby dependencies

  • Show HN: TypeScript Security Scanner
    2 projects | news.ycombinator.com | 12 Apr 2023
    Cool project. Would love to integrate this in Packj [1] as one of the open-source SAST scanners. Will DM you.

    1. https://github.com/ossillate-inc/packj flags malicious/risky open-source dependencies.

  • Packj flags malicious/risky open-source packages
    1 project | news.ycombinator.com | 14 Feb 2023
  • Show HN: Coder Guard – Protect Your IDE from Malicious Extensions
    1 project | news.ycombinator.com | 26 Jan 2023
    Very cool! I've built something similar, but for packages: https://github.com/ossillate-inc/packj Would love to talk.
  • Ask HN: What Are You Working on This Year?
    49 projects | news.ycombinator.com | 2 Jan 2023
    Working on a marketplace (based on Packj [1]) to allow open-source developers to make money by selling "assured" software artifacts.

    1. Packj https://github.com/ossillate-inc/packj flags malicious and other "risky" open-source dependencies in your software supply chain.

  • Compromised PyTorch-nightly dependency chain December 30th, 2022
    3 projects | news.ycombinator.com | 31 Dec 2022
    I’ve created Packj sandbox [1] for “safe installation” of PyPI/NPM/Rubygems packages

    1. https://github.com/ossillate-inc/packj

    It DOES NOT require a VM/Container; uses strace. It shows you a preview of file system changes that installation will make and can also block arbitrary network communication during installation (uses an allow-list).

  • Vulnerability scanner written in Go that uses osv.dev data
    7 projects | news.ycombinator.com | 16 Dec 2022
    Great to see a developer-friendly tool around OSV! Packj [1] uses OSV APIs to report vulnerable PyPI/NPM/Rubygems packages. Disclaimer: I built it.

    1. https://github.com/ossillate-inc/packj flags malicious/risky packages.

What are some alternatives?

When comparing cosmopolitan and packj you can also consider the following projects:

libc - libc targeted for embedded systems usage. Reduced set of functionality (due to embedded nature). Chosen for portability and quick bringup.

kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.

src - Read-only git conversion of OpenBSD's official CVS src repository. Pull requests not accepted - send diffs to the tech@ mailing list.

paperclips - Universal Paperclips mirror

SDL - Simple Directmedia Layer

meta - Meta discussions and unicorns. Not necessarily in that order.

llvm-project - The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.

maloss - Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

luastatic - Build a standalone executable from a Lua program.

roqr - QR codes that will rock your world

v - Simple, fast, safe, compiled language for developing maintainable software. Compiles itself in <1s with zero library dependencies. Supports automatic C => V translation. https://vlang.io

firejail - Linux namespaces and seccomp-bpf sandbox