AWS adds a Console-to-Code feature

Saw this on Reddit: "Convert AWS console actions to reusable code with AWS Console-to-Code, now generally available (aws.amazon.com)"; the original post is "Convert AWS console actions to reusable code with AWS Console-to-Code, now generally available".

I had used the equivalent feature on GCP before: pull out the commands behind what you just did in the console, tweak them, and keep them in a shell script. Quite handy.

What AWS built records the console session and converts it into commands, so it turns your clicks into code; under the hood the two are the same idea.

The post mentions that the current version only supports Amazon EC2, Amazon VPC and Amazon RDS:

At GA, AWS Console-to-Code only records actions in Amazon EC2, Amazon VPC and Amazon RDS consoles.

That cuts the usefulness down a lot. On GCP the feature is most useful with products you are not yet familiar with, because it saves you digging through piles of documentation to find out which CLI commands correspond to the actions you took in the web console...

Follow-up discussion on the .io domain

Because of the article "The Disappearance of an Internet Domain", people have recently been discussing whether the .io domain will survive.

The trigger is that the United Kingdom gave up sovereignty over the British Indian Ocean Territory and handed it back to Mauritius: "UK and Mauritius joint statement, 3 October 2024".

That trips the condition under which a ccTLD is retired; quoting Wikipedia:

With the United Kingdom giving up sovereignty of the British Indian Ocean Territory to Mauritius (but maintaining the military base on Diego Garcia via an initial 99 year lease), it is possible under IANA rules, the .io domain will eventually have to be phased out within the following several years, although historically, some exceptions have been granted, as was the case for .su.

But as the author notes, .io is used by far too many people and is much loved, or, more bluntly, it is a cash cow. With that much money on the table, heavy lobbying could well get IANA to amend its existing rules or carve out an exception:

The IANA may fudge its own rules and allow .io to continue to exist. Money talks, and there is a lot of it tied up in .io domains.

There will presumably be meetings to figure out how to play this...

My guess: the rule gets changed, and from then on ccTLDs like this get converted to the gTLD model, auctioned on the commercial market and sold to a registry operator to run? Two letters are just too tempting...

ts-remove-unused from LINE, which removes unused code

Something I saw before going abroad: LINE published a tool on GitHub for tidying up TypeScript code: "Show HN: ts-remove-unused – Remove unused code from your TypeScript project (github.com/line)"; the project is at "line/ts-remove-unused":

Remove unused code from your TypeScript project

The reaction on Hacker News was rather poor, though. One reason is that the defaults are unfriendly: there is no good way to configure ignore paths, so anything not reachable from the entry point, such as test cases, gets misjudged as unused:

It deleted 100s of files, most of which were Jest test files, and potentially all of which were a mistake. I restored them all with `git restore $(git ls-files -d)`.

Also, what it left behind was broken:

I then ran `tsc` on the remaining _modified_ files and `Found 3920 errors in 511 files.`

Quite a few people also complained that dry-run mode is not the default, and that it deleted a pile of their files:

You should switch the default to not delete any files and modify/remove the files only with some flag (--dry-run=false, --rm, --delete, etc). I just deleted all files accidentally in a monorepo :D Luckily I didn't have any uncommitted changes and could recover using git

Instead, someone pointed to another project that is no longer actively developed but works well:

I've been using ts-prune[1] for years at this point. The project is in maintenance mode but works fine so I've kept using it. I've been looking into Knip[2] which is recommended by the authors of ts-prune though it's been slow mostly because there's little incentive with the current tool working fine.

[1]: https://github.com/nadeesha/ts-prune

[2]: https://github.com/webpro-nl/knip

That one is worth a look instead...

Winamp officially releases the source code of the Legacy version

Saw "Winamp Legacy player source code (github.com/winampdesktop)": the official release of the Winamp source: "Winamp". This is mainly a historical record; anyone with proper audio gear who listens to music on a computer would probably pick something like foobar2000, and casual listeners just open one of the streaming apps?

Nullsoft made quite a few well-known things. Besides Winamp, SHOUTcast and NSIS are the two better-known ones, though all of them are history by now.

Erasure code implementations for RAID 6

Seen on Daily Hacker News: "Erasure Coding for Distributed Systems" discusses erasure codes.

Back in school, coding theory covered some classic algorithms, and Reed-Solomon error correction is always among them. In practice, though, Reed-Solomon is not very efficient because it relies on finite field arithmetic (also called a Galois field, hence the common abbreviation GF), so unless the RAID controller's CPU or chip accelerates GF operations, most systems use alternative algorithms.

For the special cases of 1-3 parity chunks (m \in {1,2,3}), there are algorithms not derived from Reed-Solomon and which use only XORs:

The algorithm that tolerates one failed disk is RAID 5; with XOR it is easy to derive, and to analyze and prove.

Things get harder when two disks may fail, which is the familiar RAID 6. The article lists several algorithms, some of which have patent problems:

m=2 is also known as RAID-6, for which I would recommend Liberation codes[8][9] as nearly optimal with an implementation available as part of Jerasure, and HDP codes[10] and EVENODD[11] as notable but patented. If k+m+2 is prime, then X-Codes[12] are also optimal.

For three failures it mentions STAR coding:

m=3 can be done via STAR coding

Just noting this for the record. These algorithms also remind me of when I first joined Migo and learned about Raptor codes, which ran into problems because the use case was wrong; that is another story...

Coming back to Reed-Solomon: the reason it stuck with me is that I learned about finite fields in a set theory course in the math department, and then, several years later in the CS department, saw for the first time that finite fields could actually solve this problem...
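To make the "m=1 is just XOR, m=2 is where the field arithmetic comes in" point concrete, here is an added example (not code from the article or from Jerasure; the article recommends Liberation codes for RAID-6, which this is not). It implements the Reed-Solomon derived P+Q scheme that the Linux md raid6 driver uses: P is plain XOR parity (the RAID-5 case), and Q weights each data chunk by a power of the generator g = 2 in GF(2^8) with the polynomial 0x11d. Recovering two lost data chunks amounts to solving two linear equations over the field, which is exactly the step XOR alone cannot do. The stripe contents are constructed.

```python
"""RAID-6 style P+Q parity over GF(2^8): P = XOR (RAID-5), Q = GF-weighted second parity."""
from __future__ import annotations
from functools import reduce

POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, the field polynomial used by Linux md raid6


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two GF(2^8) elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


# Antilog/log tables: GF_EXP[i] = g^i with g = 2; used for the weights g^i and for inverses.
GF_EXP, GF_LOG = [0] * 256, [0] * 256
_x = 1
for _i in range(255):
    GF_EXP[_i], GF_LOG[_x] = _x, _i
    _x = gf_mul(_x, 2)


def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return GF_EXP[(255 - GF_LOG[a]) % 255]


def xor_bytes(*bufs: bytes) -> bytes:
    """Byte-wise XOR of equal-length buffers; on its own this is RAID-5 parity."""
    return bytes(reduce(lambda u, v: u ^ v, col) for col in zip(*bufs))


def gf_scale(buf: bytes, c: int) -> bytes:
    """Multiply every byte of buf by the constant c in GF(2^8)."""
    return bytes(gf_mul(b, c) for b in buf)


def encode(data: list[bytes]) -> tuple[bytes, bytes]:
    """P = D_0 ^ ... ^ D_{k-1};  Q = g^0*D_0 ^ g^1*D_1 ^ ... ^ g^{k-1}*D_{k-1}."""
    p = xor_bytes(*data)
    q = xor_bytes(*(gf_scale(d, GF_EXP[i]) for i, d in enumerate(data)))
    return p, q


def recover(chunks: list[bytes | None]) -> list[bytes]:
    """chunks = [D_0..D_{k-1}, P, Q] with up to two entries None. Returns all k data chunks."""
    k = len(chunks) - 2
    data, p, q = list(chunks[:k]), chunks[k], chunks[k + 1]
    lost = [i for i, d in enumerate(data) if d is None]
    if len(lost) + (p is None) + (q is None) > 2:
        raise ValueError("P+Q can only repair two lost chunks")
    if not lost:
        return data                       # only parity lost: caller re-runs encode()
    present = [(i, d) for i, d in enumerate(data) if d is not None]
    if len(lost) == 1:
        x = lost[0]
        if p is not None:                 # RAID-5 case: XOR the survivors with P
            data[x] = xor_bytes(p, *(d for _, d in present))
        else:                             # P also lost: strip the other terms from Q, divide by g^x
            qx = xor_bytes(q, *(gf_scale(d, GF_EXP[i]) for i, d in present))
            data[x] = gf_scale(qx, gf_inv(GF_EXP[x]))
        return data
    x, y = lost
    # After removing the survivors: Pxy = D_x ^ D_y  and  Qxy = g^x*D_x ^ g^y*D_y.
    pxy = xor_bytes(p, *(d for _, d in present))
    qxy = xor_bytes(q, *(gf_scale(d, GF_EXP[i]) for i, d in present))
    # g^y*Pxy ^ Qxy = (g^x ^ g^y)*D_x, and g^x != g^y for x != y < 255, so divide it out.
    gx, gy = GF_EXP[x], GF_EXP[y]
    data[x] = gf_scale(xor_bytes(gf_scale(pxy, gy), qxy), gf_inv(gx ^ gy))
    data[y] = xor_bytes(pxy, data[x])
    return data


if __name__ == "__main__":
    stripe = [b"RAID", b"SIX ", b"DEMO"]            # constructed 4-byte chunks
    p, q = encode(stripe)
    print(recover([None, None, stripe[2], p, q]))   # two data chunks lost, both come back
```

Every byte position is handled independently, which is why the same code works for any chunk size; a real implementation would table-drive gf_mul and vectorize it, which is the acceleration the paragraph above alludes to.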

The Ship of Theseus, OpenBSD edition

An amusing topic seen at "We have reached OpenBSD of Theseus (marc.info)", which links to the OpenBSD commit log: "CVS: cvs.openbsd.org: src".

The greek quiz is so obscure that it is ridiculous -- no one can play this. Replace it with a new quiz about galley (ship) parts. This commit changes the *LAST UNMODIFIED ORIGINAL FILE* (meaning revision 1.1.1.1) from the original import that created OpenBSD on Oct 18, 1995. With this commit, we have completed an amusing mission of replacing the final parts of the original OpenBSD.

We have reached OpenBSD of Theseus.

Theseus here refers to the "Ship of Theseus"; the Chinese Wikipedia explanation is the easiest to follow:

If the planks of Theseus's ship are gradually replaced until none of the original wood remains, is it still the same ship?

Back to OpenBSD: this change touched what is said to be the last file never modified since the original import, so only after it could they say "We have reached OpenBSD of Theseus." An amusing milestone.

Microsoft Authenticator's long-standing bug

Seen at "Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out (csoonline.com)"; the original article is "Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out". It is about a long-standing bug in Microsoft Authenticator (Android and iOS versions), an MFA app that supports TOTP... (for non-technical readers: the app that shows the rotating six-digit codes)

The bug that locks people out: when a new account is added by scanning a QR code, it overwrites the data of an existing account, so the codes the app generates no longer work for the old account/site:

That’s because, due to an issue involving which fields it uses, Microsoft Authenticator often overwrites accounts when a user adds a new account via QR scan — the most common method of doing so.

The cause is that an entry with the same username gets overwritten, and most people use the same username everywhere (like my gslin):

The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.
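To show what "only uses the username" means at the data level, here is an added example (not Microsoft's or any other app's code): it parses the otpauth:// key URIs that enrollment QR codes carry, stores them under the two policies described above, and computes the RFC 6238 TOTP codes each stored entry would produce. Under the username-only policy the second enrollment silently replaces the first secret, so the bank login fails. The issuers, the e-mail address and the secrets are constructed test values; the bank secret is the RFC 4226/6238 test key so its codes can be checked against the RFC.

```python
"""Keying a TOTP store on the account name alone vs on (issuer, account)."""
from __future__ import annotations
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/LABEL?secret=...&issuer=... (the Key URI format behind the QR code).
    LABEL is "issuer:account" or just "account"; a query-string issuer takes precedence."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("key URI has no secret")
    label_issuer, _, account = label.rpartition(":")
    return {
        "issuer": params.get("issuer") or label_issuer or None,
        "account": account.strip(),
        "secret": params["secret"].upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (dynamic truncation as in RFC 4226)."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // period), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def add_keyed_by_username(store: dict, entry: dict) -> dict:
    """The behaviour the article describes: the key is the account name only, so a
    second enrollment with the same e-mail address overwrites the first."""
    store[entry["account"]] = entry
    return store


def add_keyed_by_issuer_and_username(store: dict, entry: dict) -> dict:
    """What the article says the other apps do: the issuer is part of the key."""
    store[(entry["issuer"], entry["account"])] = entry
    return store


# Constructed enrollment URIs: the same e-mail address at two different sites.
BANK_URI = ("otpauth://totp/ExampleBank:gslin%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank")
SHOP_URI = ("otpauth://totp/ExampleShop:gslin%40example.com"
            "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleShop")


def simulate(now: int = 59) -> dict:
    """Enroll bank then shop under each policy; report what a bank login at time `now` sees."""
    bank, shop = parse_otpauth(BANK_URI), parse_otpauth(SHOP_URI)
    by_user = add_keyed_by_username(add_keyed_by_username({}, bank), shop)
    by_pair = add_keyed_by_issuer_and_username(
        add_keyed_by_issuer_and_username({}, bank), shop)
    kept_by_user = by_user[bank["account"]]
    kept_by_pair = by_pair[(bank["issuer"], bank["account"])]
    return {
        "entries_by_username": len(by_user),
        "entries_by_issuer": len(by_pair),
        "bank_secret_intact_by_username": kept_by_user["secret"] == bank["secret"],
        "bank_secret_intact_by_issuer": kept_by_pair["secret"] == bank["secret"],
        "bank_expects": totp(bank["secret"], now),
        "app_shows_by_username": totp(kept_by_user["secret"], now),
        "app_shows_by_issuer": totp(kept_by_pair["secret"], now),
    }


if __name__ == "__main__":
    print(simulate())
```

The workaround quoted below (typing the secret in manually) sidesteps this because manual entry lets the user choose the account name, so the two entries no longer collide.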

The workaround is to not use Microsoft Authenticator, or to not use the QR code scan:

There are multiple workarounds. The easiest is for companies to use any other authentication app. Not using the QR code scan feature — and manually entering the code — will also sidestep the issue, which doesn’t appear to arise when the authenticated accounts belong to Microsoft.

Complaints about this can be found going back to 2020, but the author's testing suggests the 2016 release already behaved this way:

CSO Online found complaints of this problem dating back to 2020, but it appears to have been in place since Microsoft Authenticator was released in June 2016. (For historical context, Google was the first Authenticator app, having been launched in 2010.)

Microsoft confirmed the behaviour but considers it a feature rather than a bug (and the meme pops into my head...):

Microsoft confirmed the issue but said it was a feature not a bug, and that it was the fault of users or companies that use the app for authentication.

The columnist also had other experts test other apps, and only Microsoft Authenticator overwrites the entry and blows up:

“By the way, I’ve tested this behavior in 14 other authenticator apps so far. None of them exhibit the same collision behavior that Microsoft Authenticator does,” he added. “I gave up at 14 because at that point, it’s obvious Microsoft are the ones who are doing things poorly here.”

Probably nobody can be bothered to argue anymore; you can just use Google Authenticator or another TOTP app...

The polyfill.io malicious code incident

Many people in the Taiwanese community first saw this via "請儘速遠離 cdn.polyfill.io 之惡意程式碼淺析" ("Move away from cdn.polyfill.io now: a brief analysis of the malicious code"); for the code analysis, go read that. The GitHub comment by alitonium that it links to is worth reading (the first click shows a GitHub warning; clicking again should jump to the right comment).

polyfill.js is an old project; https://github.com/polyfillpolyfill/polyfill-service/graphs/contributors shows history back to 2013. Its purpose is to backfill missing features in old browsers (IE11, for example) with JavaScript.

Browsers update continuously these days and polyfills are rarely needed anymore, but plenty of old projects still use them. After the domain was taken over by a Chinese company, Cloudflare published what amounted to an early warning on 2024/2/29: "polyfill.io now available on cdnjs: reduce your supply chain risk". As usual, nobody pays much attention before something actually happens. Then came the discussion on GitHub, and then, once malicious code was actually added, the discussion after someone noticed it.

Everyone was then forced to deal with it. GitHub's approach looks fine: mark the repository as malicious but still let people in to read the history and the discussions.
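For anyone who has to do that dealing, here is an added example (not code from the linked articles or from Cloudflare): a small audit a site owner can run over their own templates or crawled pages to find script tags still loading from polyfill.io, and, while at it, any other third-party script loaded without Subresource Integrity. The HTML it scans is constructed, and the non-polyfill hosts in it are placeholders.

```python
"""Find <script> tags that still load from polyfill.io, plus third-party scripts lacking SRI."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"   # matches polyfill.io and any subdomain such as cdn.polyfill.io


class ScriptCollector(HTMLParser):
    """Collect src and integrity of every <script src=...> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def script_host(src: str) -> str | None:
    """Host of an absolute or protocol-relative URL; None for a same-origin path like /x.js."""
    return urlsplit(src.strip()).hostname


def is_flagged(host: str | None) -> bool:
    return host is not None and (host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN))


def audit(html: str) -> dict:
    """Return the polyfill.io script URLs and the third-party scripts without an integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged, no_sri = [], []
    for s in collector.scripts:
        host = script_host(s["src"])
        if is_flagged(host):
            flagged.append(s["src"])
        elif host and not s["integrity"]:
            no_sri.append(s["src"])
    return {"total_scripts": len(collector.scripts),
            "polyfill_io": flagged,
            "third_party_without_sri": no_sri}


# Constructed page: two polyfill.io variants, one pinned third-party script, one local, one unpinned.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-constructedhash" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script src="https://tags.example.org/tag.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

Note that SRI would not have saved polyfill.io users even if they had used it: the service assembled a different bundle per User-Agent, so there was never a fixed hash to pin. The only real fixes are removing the tag or pointing it at a self-hosted copy or a pinned mirror such as the cdnjs one Cloudflare announced.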

Cloudflare, however, made a rather big move and proactively filtered it for its CDN customers: "Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet", also discussed on Hacker News: "Cloudflare automatically fixes Polyfill.io for free sites (cloudflare.com)".

This oversteps quite a bit, which is probably why CEO Matthew Prince put his own name on the post as author. What Cloudflare did: the filter is turned on by default for free customers, while paying customers are not switched on automatically but get a one-click toggle:

Any website on the free plan has this feature automatically activated now. Websites on any paid plan can turn on this feature with a single click.

All customers can also turn the protection off:

All customers can turn off the feature at any time.

So there is a whole other thread of debate: is it acceptable to proactively modify content on users' pages in the name of "security" without their prior consent? And if it is acceptable in the name of "security", why act on the free customers first and leave the paying ones alone? Though I guess Cloudflare will just play dead all the way...

Google Public DNS complies with a French court blocking order

Saw "Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention": a sports law France passed in 2022 is now being used to compel ISPs and service providers to implement blocks:

Tampering with public DNS is a step too far for many internet advocates but for major rightsholders, if the law can be shaped to allow it, that’s what will happen. In this case, Article L333-10 of the French Sports Code (active Jan 2022) seems capable of accommodating almost anything.

Using footybite.cc from the article as the test case, I spun up a Vultr VPS in France and tried the various public DNS services. Google Public DNS has already implemented it, and returns EDE 16 from RFC 8914: Extended DNS Errors:

$ dig footybite.cc @8.8.8.8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 16 (Censored): (The requested domain is on a court ordered copyright piracy blocklist for FR (ISO country code). To learn more about this specific removal, please visit https://lumendatabase.org/notices/41606068.)
;; QUESTION SECTION:
;footybite.cc.                  IN      A

1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9) and 208.67.222.222 (OpenDNS) are not blocking it yet.
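The EDE line in the dig output above is an EDNS option in the response, and it only shows up if the client sent EDNS0 in the query. As an added example (not code from the article or from Google), here is a minimal resolver client that builds such a query, walks the response and pulls out every Extended DNS Error option (RFC 8914, EDNS option code 15), classifying INFO-CODE 16 as "Censored". The response bytes the test uses are constructed locally (a SERVFAIL carrying one EDE option with the text from the dig output above), not captured from 8.8.8.8; query() does the real UDP round trip if you want to reproduce the result yourself.

```python
"""Query with EDNS0 and extract RFC 8914 Extended DNS Error options from the reply."""
from __future__ import annotations
import random
import socket
import struct

EDE_OPTION_CODE = 15   # RFC 8914 EDNS option code
EDE_CENSORED = 16      # INFO-CODE 16 = Censored
EDE_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int | None = None) -> bytes:
    """Recursive query with an empty OPT RR (EDNS0), so the resolver may attach EDE."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0, 0)        # root name, TYPE=OPT, UDP size 1232
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:            # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l


def extract_ede(msg: bytes) -> list[tuple[int, str, str]]:
    """Walk every RR; for OPT RRs return (info_code, name, extra_text) per EDE option."""
    _txid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 41:
            continue
        p = 0
        while p + 4 <= len(rdata):     # OPTION-CODE, OPTION-LENGTH, OPTION-DATA ...
            code, length = struct.unpack(">HH", rdata[p:p + 4])
            body = rdata[p + 4:p + 4 + length]
            p += 4 + length
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack(">H", body[:2])[0]
                found.append((info, EDE_NAMES.get(info, "code %d" % info),
                              body[2:].decode("utf-8", "replace")))
    return found


def is_censored(msg: bytes) -> bool:
    return any(code == EDE_CENSORED for code, _, _ in extract_ede(msg))


def query(name: str, server: str = "8.8.8.8", timeout: float = 3.0) -> bytes:
    """Network path (not used by the offline test): send over UDP, return the raw reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        while True:
            resp = s.recv(4096)
            if resp[:2] == q[:2]:       # match the transaction ID
                return resp


def constructed_response(name: str, ede_code: int, text: str, txid: int = 0x1234) -> bytes:
    """Hand-built reply for offline testing: SERVFAIL plus one OPT RR with one EDE option."""
    header = struct.pack(">HHHHHH", txid, 0x8182, 1, 0, 0, 1)   # QR, RD, RA, RCODE=2
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    ede = struct.pack(">H", ede_code) + text.encode()
    option = struct.pack(">HH", EDE_OPTION_CODE, len(ede)) + ede
    opt = b"\x00" + struct.pack(">HHIH", 41, 512, 0, len(option)) + option
    return header + question + opt


if __name__ == "__main__":
    print(extract_ede(query("footybite.cc")))   # live check against 8.8.8.8
```

Checking for the EDE code rather than for an empty answer is what lets you tell a court-ordered block apart from a domain that simply does not resolve, which is the point of RFC 8914 in the first place.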

Also tested: running your own Unbound gets around it. I wonder whether they will demand more next, like filtering DNS directly on the Internet backbone? (Is the DNS over TLS and DNS over HTTPS push from years ago finally about to pay off?)

The other thing to watch is whether Cloudflare and the other public DNS services push back...