packj VS .NET Runtime

Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev do today on these packages to help determine risk?

https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?

I built Packj [1] sandboxing for securing “pip/NPM install”. It uses strace for sandboxing and blocks access to sensitive files and limits traffic to known-good IP addresses.

1. https://github.com/ossillate-inc/packj

Great work! This provenance check is going to be very valuable for enforcing supply-chain security. We are working on adding support to check for provenance in Packj.

1. https://github.com/ossillate-inc/packj flags risky/malicious NPM/PyPI/Ruby dependencies

Cool project. Would love to integrate this in Packj [1] as one of the open-source SAST scanners. Will DM you.

1. https://github.com/ossillate-inc/packj flags malicious/risky open-source dependencies.

Very cool! I've built something similar, but for packages: https://github.com/ossillate-inc/packj Would love to talk.

Working on a marketplace (based on Packj [1]) to allow open-source developers to make money by selling "assured" software artifacts.

1. Packj https://github.com/ossillate-inc/packj flags malicious and other "risky" open-source dependencies in your software supply chain.

I’ve created Packj sandbox [1] for “safe installation” of PyPI/NPM/Rubygems packages

1. https://github.com/ossillate-inc/packj

It DOES NOT require a VM/Container; uses strace. It shows you a preview of file system changes that installation will make and can also block arbitrary network communication during installation (uses an allow-list).

Great to see a developer-friendly tool around OSV! Packj [1] uses OSV APIs to report vulnerable PyPI/NPM/Rubygems packages. Disclaimer: I built it.

1. https://github.com/ossillate-inc/packj flags malicious/risky packages.

It's an interesting "time is a circle" problem given that a century only has 100 years and then we loop around again. 2-digit years is convenient for people in many situations but they are very lossy, and horrible for machines.

It reminds me of this breaking change to .Net from last year.[1][2] Maybe AA just needs to update .Net which would pad them out until the 2050's when someone born in the 1950s would be having...exactly the same problem in the article. (It is configurable now so you could just keep pushing it each decade, until it wraps again).

Or they could use 4-digit years.

[1] https://github.com/dotnet/runtime/issues/75148

These can also be passed as arguments to `dotnet publish` if necessary.

Reference:

- https://learn.microsoft.com/en-us/dotnet/core/deploying/nati...

- https://github.com/dotnet/runtime/blob/main/src/coreclr/nati...

- https://github.com/dotnet/runtime/blob/5b4e770daa190ce69f402... (full list of recognized keys for IlcInstructionSet)

Yes, that is true. I'm not sure about JVM implementation details but the reason the comment says "virtual and interface" calls is to outline the difference. Virtual calls in .NET are sufficiently close[0] to virtual calls in C++. Interface calls, however, are coded differently[1].

Also you are correct - virtual calls are not terribly expensive, but they encroach on ever limited* CPU resources like indirect jump and load predictors and, as noted in parent comments, block inlining, which is highly undesirable for small and frequently called methods, particularly when they are in a loop.

* through great effort of our industry to take back whatever performance wins each generation brings with even more abstractions that fail to improve our productivity

[0] https://github.com/dotnet/coreclr/blob/4895a06c/src/vm/amd64...

[1] https://github.com/dotnet/runtime/blob/main/docs/design/core... (mind you, the text was initially written 18 ago, wow)

If you care about portable SIMD and performance, you may want to save yourself trouble and skip to C# instead, it also has an extensive guide to using it: https://github.com/dotnet/runtime/blob/69110bfdcf5590db1d32c...

CoreLib and many new libraries are using it heavily to match performance of manually intensified C++ code.

DEBUG: packageFiles with updates (repository=local) "config": { "nuget": [ { "deps": [ { "datasource": "nuget", "depType": "nuget", "depName": "Microsoft.Extensions.Hosting", "currentValue": "7.0.0", "updates": [ { "bucket": "non-major", "newVersion": "7.0.1", "newValue": "7.0.1", "releaseTimestamp": "2023-02-14T13:21:52.713Z", "newMajor": 7, "newMinor": 0, "updateType": "patch", "branchName": "renovate/dotnet-monorepo" }, { "bucket": "major", "newVersion": "8.0.0", "newValue": "8.0.0", "releaseTimestamp": "2023-11-14T13:23:17.653Z", "newMajor": 8, "newMinor": 0, "updateType": "major", "branchName": "renovate/major-dotnet-monorepo" } ], "packageName": "Microsoft.Extensions.Hosting", "versioning": "nuget", "warnings": [], "sourceUrl": "https://github.com/dotnet/runtime", "registryUrl": "https://api.nuget.org/v3/index.json", "homepage": "https://dot.net/", "currentVersion": "7.0.0", "isSingleVersion": true, "fixedVersion": "7.0.0" } ], "packageFile": "RenovateDemo.csproj" } ] }

https://github.com/dotnet/runtime/issues/59591

Support zstd Content-Encoding:

We might not be that far away already. There is this issue[1] on Github, where Microsoft and the community discuss some significant changes.

There is still a lot of questions unanswered, but initial tests look promising.

Ref: https://github.com/dotnet/runtime/issues/94620

https://github.com/dotnet/dotnet exists for source build that stitches together SDK, Roslyn, runtime and other dependencies. A lot of them can be built and used individually, which is what contributors usually do. For example, you can clone and build https://github.com/dotnet/runtime and use the produced artifacts to execute .NET assemblies or build .NET binaries.

Yeah, it kind of is. There are quite a few of experiments that are conducted to see if they show promise in the prototype form and then are taken further for proper integration if they do.

Unfortunately, object stack allocation was not one of them even though DOTNET_JitObjectStackAllocation configuration knob exists today, enabling it makes zero impact as it almost never kicks in. By the end of the experiment[0], it was concluded that before investing effort in this kind of feature becomes profitable given how a lot of C# code is written, there are many other lower hanging fruits.

To contrast this, in continuation to green threads experiment, a runtime handled tasks experiment[1] which moves async state machine handling from IL emitted by Roslyn to special-cased methods and then handling purely in runtime code has been a massive success and is now being worked on to be integrated in one of the future version of .NET (hopefully 10?)

[0] https://github.com/dotnet/runtime/issues/11192

[1] https://github.com/dotnet/runtimelab/blob/feature/async2-exp...