Skip to main content


Showing posts from July, 2018

docker registry pushing latest

My latest CI/CD performs all the functions that a build and deploy system is supposed to. Sure there are some purists that talk about deploying everything, chaos monkey, and so on... but until you've trashed a financial database with millions of records your opinion might not matter.

CI/CD can promote systems to production either through a push or a pull. And there are not many advantages although some security people would prefer a pull and I understand that... but the last thing you want to do it get your head wrapped around versions. I'm currently tagging my registry images with the pipeline ID. And as each pipeline completes I also push 'latest'.

Depending on the speed of the CI/CD runner 'latest' can be assigned to the wrong image. Also, it really isn't the latest until it's been pushed all the way around the system. Now that I'm using pipeline ID instead of the one ID:latest I'm seeing that latest can be promoted prematurely.

Just look at …

The New Cookies

I'm not sure what happened or what the motivation was but recently I started to notice a trend that just about every website I encountered asked me to accept some terms and conditions associated with cookies and related artifacts... In most cases the documentation would say something about the customer experience and how the user would benefit from allowing cookies. It seems to me that there might be some smoke and mirrors here because these cookies are associated with cross site usage as experienced when you go to amazon, perform a search, and then go to facebook and see the same ads. Clearly the only way either property would know you had been would have been if they shared data but in this case they simply waved a hand to the EU and continued business as usual.

How is this what they intended?

Keeping secrets

There are so many ways to keep secrets but few ways to protect them.

HSM or Host Security Modules are probably the most robust system because they are typically a combination of physical security, network security, and access security. They also have a way to implement a DR or disaster recovery plan. The strategies are complex and expensive and so are the devices.

Home grown HSMs are interesting because the DR is typically easier, however, it usually means that the data is at rest some place and so it's a little more risky.

Expiration dates are the best and the worst. If you've decided that access to the data MUST be cut off by some date and that it's a universal policy for all things... and then someone approves an exception then all hell breaks loose as OPS tries to manage the exceptions.

In continuation when deploying several million unique keys with expiration dates one simply cannot manage the exceptions and so they typically fall-back on one key to drive them all. An…

different tarps

I cannot wait until my next overnight hiking trip into the Big Cypress Preserve. The weather, lately, has been very wet, hot and steamy; so making the right tarp selection is important. The grey tarp did a fine job, kept me dry from the condensation but in the pouring rain I'm way too exposed because the poles are too tall and not adjustable. I think they were 48".

The green, Gossamer Gear Twinn Tarp, has a nice size and is meant to be close to the ground.

The black tarp is an option because unlike the grey tarp it might dry faster. Unlike the Twinn Tarp this one (bearpaw wilderness designs) does not have a seam in the ridge line I'm not concerned about the seams being sealed.

The Twinn Tarp has a nice lineloc, line, grommet etc...

I did some DIY from a poop bag roll and I have a grommet from Yama Mountain Gear (shown but not in use).

Lastly the conditions changed and the visible shade was obvious (unlike the previous pictures). The black tarp provided plenty of shade.