wg-best-practices-os-developers
tz
| | wg-best-practices-os-developers | tz |
|---|---|---|
| Mentions | 14 | 75 |
| Stars | 604 | 1,359 |
| Growth | 4.7% | - |
| Activity | 9.7 | 9.1 |
| Latest commit | about 22 hours ago | 10 days ago |
| Language | JavaScript | C |
| License | Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
wg-best-practices-os-developers
- Compiler Options Hardening Guide for C and C++
https://github.com/ossf/wg-best-practices-os-developers/issu...
The idea of using `-fsanitize-minimal-runtime` is interesting. I don't have any direct experience with that option. I've created an issue to investigate maybe adding that to the guide. Thanks for the tip!
- OSCM: The Open Source Consumption Manifesto
These are technical details that are out of the scope of this article, but we think that it is important to mention them because the security strategy of a company should be based on a solid foundation, and these frameworks show that there are already some good starting points; companies don't have to start from scratch. If you want to know more about them or other ways to improve the security of your software supply chain, visit the OpenSSF website.
- Best practices for effective attack surface analysis
Participating in the cybersecurity community can be a useful way to gain information about security trends and possible risks. Organizations such as the OWASP, OpenSSF, SANS Institute, and ISC2 promote the exchange of information between organizations and can raise the alarm about emerging issues or hacking strategies.
- Wake-up call: why it's urgent to deal with your hardcoded credentials
Today corporations, open source projects, nonprofit foundations, and even governments are all trying to figure out how to improve the global software supply chain security. While these efforts are more than welcome, for the moment, there is hardly any straightforward way for organizations to improve on that front.
- 'Securing Open Source Software Act' Introduced to US Senate
- Great Time at JavaZone 2022
Cross industry best practices - openssf.org
- Ask HN: Who is hiring? (June 2022)
- runk
The Open Source Security Foundation is the continuation(?) of the group CII that was originally founded after this mess came to light. Can't say anything about the salary, but they're currently hiring for a few positions.
- Ask HN: Is funding the actual problem for healthy Open Source?
TL;DR: Is there any data to suggest that funding an Open Source project materially benefits the users of that project? If you know of any, please share!
This is a question that has been on my mind ever since Log4Shell. I want to know if funding could have an impact on preventing major vulnerabilities or if the issue is something else (lack of guidance for projects, too many cooks, rampant dev ADHD, etc).
It seems like a lot of people are talking about this[0][1] and how funding Open Source would help, but I'm concerned that it's simply wishful thinking that money alone would solve the problem. Sometimes reality is cruel like that.
Is it possible that more funding would help prevent the next Log4Shell or Heartbleed? Maybe! Or are we simply touting a solution, without any data, and our hubris could actually end up hurting security further by just having companies "wash their hands" of responsibility? If FAANG/Fortune 500 throws money over the fence at developers, how much of that money will actually translate into improving the Open Source software?
I personally believe that funding would _help_ with the security of Open Source software. And it would also help with documentation, support, and a number of other "health problems", all of which would likely help with security. But I'm also concerned that this could backfire too in spectacular ways (increased library proliferation to get funding, people pocketing it for a vacation, hackers targeting popular, dormant libs to harvest money from them, etc).
I'm not aware of any actual research/data to provide evidence around improving Open Source security. That's why I wanted to ask y'all. Hacker News is a pretty small community and I wouldn't be surprised if somebody from OpenSSF[2] chimed in to help answer this, lol.
Beyond funding, there are also some projects that I've found like CHAOSS[3][4] that seem to be thinking about quantifying risk for Open Source dependencies and other problems like the "bus factor". It doesn't matter if you fund a project if the dev behind it is MIA.
If this data doesn't exist, then it's something that I'll likely start investing my time into generating. (I'm working on some Open Source tooling for dealing with managing dependency security[5] that follows up the Log4Shell tooling we also built[6], which is why this has been on my mind a lot recently.)
Anyway, if you're interested in brainstorming about this further, please shoot me an email (on my profile). Cheers!
0: https://www.wsj.com/articles/protect-open-source-software-prevention-oss-public-use-cybersecurity-innovation-cyberattack-apache-log4j-11643316125
1: https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/
2: https://openssf.org/
3: https://chaoss.community/
4: https://chaoss.community/wp-content/uploads/2021/10/English-Release-2021-10-21.pdf
(Search for "Business Risk" or use the Nav to find the section about how they're attempting to measure the security of Open Source packages)
5: https://github.com/lunasec-io/lunasec/tree/master/lunatrace
(This is under active development and is something that is a week or two away from being polished enough for serious usage.)
6: https://github.com/lunasec-io/lunasec/tree/master/lunatrace/cli/cmd/log4shell
- Can someone here verify whether it is true or false? I saw this passage on Quora. It looks kinda funny to me.
https://openssf.org/ "OSTIF enhances security for users everywhere. We do this through security reviews. (...) reviews have resulted in hundreds of bug patches, including over 20 with a Critical or High severity."
tz
- RFC 3339 vs. ISO 8601
A link was added from "Europe/Kiev" to "Europe/Kyiv" in the included-by-default backward file [0], so that any user that doesn't exclude that file will simply treat the old name as an alias for the new name.
[0] https://github.com/eggert/tz/commit/e13e9c531fc48a04fb8d064a...
- Navigating the timezone nightmare in product development
"Eire" is in there, for instance, to deal with software that assumes that the "is_dst" half of the year is during the (northern) summer, but Ireland technically does it the other way around -- a distinction relevant only to computers.
https://github.com/eggert/tz/blob/c3e966c59b02b1f47f0b7b0e4a...
The only other timezone that currently has a non-1h offset for DST -- Ireland's is -1 hours -- is Australia/Lord_Howe, which has a 30-min positive leap.
It's solved, in that I'm never going to do better than zoneinfo and I'm not going to go crazy trying.
https://en.wikipedia.org/wiki/Tz_database
https://www.iana.org/time-zones
I think of this as "difficulty snap back": Things can only get so difficult before everyone punts and uses some external library.
- Small parser for the tzdb text file format (based on Esrap)
I've looked at it, but wanted to work with the tz source repository directly (I think local-time gets their zone files from Ubuntu). Also getting zic running in a portable way seemed too much of a hassle. The text file format is not all that complicated and documented in the zic manual pretty well. This approach is also chosen by the JDK as far as I can tell.
- Proxmox doesn't handle daylight savings time, hangs systemd and breaks systems
Here's the tzdata: https://github.com/eggert/tz/blob/71faa2a55db2c9f21f4099b58c...
Looks like negative DST already caused problems in the past, and applications that can't handle it (OpenJDK) have to build tzdata as per the rearguard section / ziguard.awk.
I have to say these time zone files are fascinating. Any place/time when a jurisdiction has changed the definition of time is in those files, along with a detailed history of why.
Example: California had an energy crisis soon after WWII, and changed when daylight savings started/ended. There are time zone rules that track this history exactly:
https://github.com/eggert/tz/blob/71faa2a55db2c9f21f4099b58c...
- AWS Lambda Smart Feature Flags — Now with Time Based Conditions
If you don't specify the timezone, UTC is assumed. If you wish to specify a timezone, you can use any IANA time zone (as originally specified in PEP 615) as part of your rules definition. Powertools takes care of converting and calculating the correct timestamps for you.
- Searching for a date/time library with full historical TZ data and adjustments given epoch
If I understand this correctly from the documentation, pytz (or rather the tz database for which the library provides an interface) accounts for political shifts/changes in time zone data / DST.
- Microsoft FOSS Fund Winner: curl
That comic always reminds me of Paul Eggert, the maintainer of the database that all your favorite software uses for timezones.
- Change timezone Kiev to Kyiv
Quotes: @yuwata The timezone name is obtained from /usr/share/zoneinfo/tzdata.zi, which is managed by IANA (https://www.iana.org/time-zones). This is not the right place to report it. Closing.
What are some alternatives?
microsoft-foss-fund - The Microsoft FOSS Fund provides a direct way for Microsoft engineers to participate in the nomination and selection process to help communities and projects they are passionate about. The FOSS Fund provides $10,000 sponsorships to open source projects as selected by Microsoft employees.
tpm2-tss - OSS implementation of the TCG TPM2 Software Stack (TSS2)
aper - A Rust data structure library built on state machines.
lcurses - Lua bindings for Curses
powertools-lambda-python - A developer toolkit to implement Serverless best practices and increase developer velocity.
rp-hal - A Rust Embedded-HAL for the rp series microcontrollers
polonius - Defines the Rust borrow checker.
bicep - Bicep is a declarative language for describing and deploying Azure resources
edn - Extensible Data Notation
PowerShell - PowerShell for every system!
Zulip - Zulip server and web application. Open-source team chat that helps teams stay productive and focused.
go - The Go programming language