envkey VS jj

envkey-vscode is a VSCode extension that provides autocomplete, type checking, and peek-on-hover for environment variables in 46 different programming languages. Instead of a typeless, error-prone blob, the environment now acts like a strongly-typed object in every language you work in.

I’ve been using this extension myself for a couple weeks now and it feels like a pretty significant upgrade to my development workflow, especially when working on integrations across multiple languages, so I thought it was worth showing you all.

envkey-vscode relies on EnvKey, an open-source, end-to-end encrypted configuration and secrets manager that is focused on security and ease-of-use. It’s cross-platform, can integrate with any language or host, and can be cloud-hosted or self-hosted. Getting a project integrated normally takes a couple minutes.

More on EnvKey: https://www.envkey.com

Building and testing it has been an interesting process, as I relied quite heavily on ChatGPT/GPT-4 to cover languages that I’m not very familiar with. It helped me to develop regexes to cover the common forms of environment access in each language, as well as to produce small test cases and Dockerfiles that can run them. While it took a lot of passes and tweaking to root out hallucinations and get each language right, I don’t think there’s any way I could have built a tool like this in a reasonable amount of time. Having a single `test` command that runs examples in dozens of languages is pretty amazing—sort of like a rudimentary version of Replit that runs locally.

All the code for the extension lives in EnvKey’s monorepo here: https://github.com/envkey/envkey/tree/main/public/sdks/tools...

I’m planning to write up a blog post on this process and what I’ve learned about how to get the most out of GPT on a polyglot coding project like this. If you’re interested, you can sign up to get notified here when this post is live: https://envkey.us15.list-manage.com/subscribe?u=623039cd8518...

envkey-source code is here: https://github.com/envkey/envkey/tree/main/public/sdks/envkey-source

If anyone needs help keeping secrets out of git, you could give EnvKey[1] a look (disclaimer: I'm the founder). It aims to keep all secrets out of the repo completely so that you can't be burned by forgetting to add something to .gitignore

It takes a few minutes to install and then all your secrets and config will be in the environment, and will stay automatically up-to-date when there are changes.

Might be a way to cut out that particular failure mode when using Gut (which looks interesting btw--kinda like Git: the good parts).

1 - https://github.com/envkey/envkey

We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

EnvKey[1] moved from OpenPGP(RSA) to NaCl for its v2, which recently launched.

It’s causing a difficult migration for our v1 users. Moving to a new encryption scheme is not fun for a product with client-side end-to-end encryption.

But within a year or so after releasing the v1, it seemed like the writing was on the wall for OpenPGP and RSA. I didn’t want to go down with a dying standard.

NaCl is so much better. In spite of the migration headaches that will likely cost us some users, I’m very happy I made this decision. It’s so much faster, lighter, and more intuitive.

It’s legitimately fun to work with, which I never thought I’d say about an encryption library after cutting my teeth on OpenPGP.

1 - https://github.com/envkey/envkey

The process management code lives here: https://github.com/envkey/envkey/blob/main/public/sdks/envke...

Basically the command you pass in to envkey-source is run via:

exec.Command("sh", "-c", c)

(c is the command you passed as a string.)

Stdout/stderr is piped through, and .Wait() is called on the command. If envkey-source is in watch mode, it will send a SIGTERM when the environment is updated, then re-run the process once the initial process has died. I can verify that, for example, if a server listening on ports is restarted in this way, the process will die and the ports will be cleared before the new process is started (this has been well-tested).

Do you see a problem with this approach? We will prioritize making all this bulletproof.

Jujutsu is along the lines of what you describe: https://github.com/martinvonz/jj

You can drop it in and work seamlessly from git repos

Pull Requests (or Merge Requests) are merged only when (1) all of the automated tests pass; and (2) enough necessary reviewers have indicated approval.

Git doesn't tell you when it's necessary to have full test coverage and manual infosec review in development cycles that produce releases, and neither do Pull Requests.

https://westurner.github.io/hnlog/#comment-19552164 ctrl-f hubflow

It looks like datasift's gitflow/hubflow docs are 404'ing, but the original nvie blog post [1] has the Git branching workflow diagrams; which the wpsharks/hubflow fork [3] of datasift/gitflow fork [2] of gitflow [1]has a copy of in the README:

[1] https://github.com/nvie/gitflow

[2] https://github.com/datasift/gitflow

[3] https://github.com/wpsharks/hubflow?tab=readme-ov-file

https://learngitbranching.js.org/ is still a great resource, and it could work on mobile devices.

The math of VCS deltas and mutable and immutable content-addressed DAG nodes identified by 2^n bits describing repo/$((2*inf)) bits ;

>> "ugit – Learn Git Internals by Building Git in Python" https://www.leshenko.net/p/ugit/

SLSA.dev is a social construct atop e.g. git, which is really a low-level purpose-built tool and Perl and now Python porcelain.

jj (jujutsu) is a git-compatible VCS CLI: https://github.com/martinvonz/jj

"Ask HN: Best Git workflow for small teams" (2016)

You will probably like Jujutsu, which takes much inspiration from Mercurial: https://github.com/martinvonz/jj

It isn't a 1-to-1 clone, either. But tools like revsets are there, cset evolution is "built in" to the design, etc. There is no concept of phases, we might think about adding that, but there is a concept of immutable commits (so you don't overwrite public ones.)

It also has many novel features that make it stand out. We care a lot about performance and usability. Give it a shot. I think you might be pleasantly surprised.

Disclosure: I am a developer of Jujutsu. I do it in my spare time.

I have created a discussion. Thank you both

https://github.com/martinvonz/jj/discussions/2691

> why don't version control systems (especially ones that can change history) have undo/redo functionality out of the box?

It's true. And Jujutsu has undo functionality out of the box, too. It's not just Sapling. :) https://github.com/martinvonz/jj

Git made the only choice a popular VCS can make. History rewrites will exist, period. If you're opposed to history rewrites, then git gives you the tools to ensure the repos you control are not rewritten, and that's all it can do in a world where people have control of their own computers.

If Fossil ever becomes as popular as git, people will create software that allows history rewriting in Fossil, and that's fine. People will do what they want on their own computer, and I think it's morally wrong to try and stop that.

Another user in this thread linked to jj [0], an alternative git client that does some pretty weird things. For example, it replaces the working tree with a working commit and commits quite often. I like git and that seems weird to me, but I'm not offended, people can do what they want on their own computer and I have the tools to ensure repos under my control are not effected. That's all I can hope for.

[0]: https://github.com/martinvonz/jj

I recently found out about another project called jj: https://github.com/martinvonz/jj. It takes inspiration from Pijul and others but is git-compatible.

https://github.com/martinvonz/jj

I think maybe both fossil and bitkeeper are more intuitive too.

Did you try any of those?