Samuel Giddins Staff Software Engineer http://blog.segiddins.me/ 2024-05-22T17:28:11+00:00 Samuel Giddins

Residency Update http://blog.segiddins.me/2024/05/17/residency-update/ 2024-05-17T19:00:00Z 2024-05-22T17:28:11+00:00 Samuel Giddins

<p>Welcome to my update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I was at Ruby Kaigi, and gave a talk about Marshal!</p>
<h2 id="ruby-kaigi">Ruby Kaigi</h2>
<p>This was my first Ruby Kaigi, and boy was it quite an experience. Coming right off the heels of RailsConf, it was strange to fly home, get four hours of sleep, and then spend more time sleeping on the plane on the way to Japan, but such is conference speaker life.</p>
<p>My first day in Okinawa, I attended the Ruby Developer in-person meeting. Thanks to some help from tenderlove, I got a long-awaited change merged into Zlib that should help RubyGems and RubyGems.org read gem files much more efficiently. I then gave a talk in the second talk slot on the first day of the conference, which was a bit earlier than is my preference, and I think it went rather well. It was a talk about the history of the Marshal file format: an explanation of how it works, what&rsquo;s good about it, what&rsquo;s bad, and what we can learn from it going forward when evaluating different binary file formats. I think it was well received, but it&rsquo;s always hard to tell when there&rsquo;s no Q&amp;A after the talk.</p>
<p>After that, I spent some time talking to a bunch of different Ruby committers. I caught up with Charles from JRuby to discuss ways I could use different cryptographic primitives in JRuby instead of the JRuby OpenSSL gem for my sigstore work. I talked a bit with Jeremy about performance and reducing allocations. I also got to spend a bunch of time with the Shopifolks discussing pretty much everything, because they&rsquo;re working on pretty much everything across the ecosystem. Not too much development happened this week, but it was great to spend time with Ruby committers from around the world, and I&rsquo;m really excited to collaborate and build off of the things we talked about.</p>
<p>Unfortunately, I don&rsquo;t think I&rsquo;ll be able to attend Kaigi next year since it was scheduled for over Passover, which is a bit of a disappointment since it was a great event and one I benefited a lot from attending.</p>
<h2 id="rubygems-research">rubygems-research</h2>
<p>Thanks to a bunch of help from Colby, I managed to get RubyGems research deployed on the new Kubernetes cluster that Andre helped me set up last week. It started ingesting gems, and I think we&rsquo;re ready to use it again in the new setup, after we tore down the old installation that was horrifically insecure. Stay tuned here once I have time to start developing some new features and to start exposing things such as code search and faceted search for files or gem versions, et cetera.</p>
<h2 id="protobug">protobug</h2>
<p>Started optimizing performance under YJIT.</p>
<p><a href="https://github.com/segiddins/protobug/pull/23">https://github.com/segiddins/protobug/pull/23</a> <a href="https://github.com/segiddins/protobug/pull/24">https://github.com/segiddins/protobug/pull/24</a> <a href="https://github.com/segiddins/protobug/pull/25">https://github.com/segiddins/protobug/pull/25</a></p>

Residency Update http://blog.segiddins.me/2024/05/10/residency-update/ 2024-05-10T19:00:00Z 2024-05-22T17:28:04+00:00 Samuel Giddins

<p>Welcome to my update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I attended RailsConf, and shipped a gem that makes setting up trusted publishing for an existing gem fit into a 5 minute lightning talk.</p>
<h2 id="railsconf">RailsConf</h2>
<h2 id="rubygems-research">RubyGems Research</h2>
<p>Got Andre to help me set up a new k8s cluster for rubygems-research, wiping the machine in the process.</p>
<p>Wrote up &amp; executed on deploy steps: <a href="https://github.com/segiddins/rubygems-research/issues/12">https://github.com/segiddins/rubygems-research/issues/12</a></p>
<p>Added a Docker image workflow to the repo so it could be deployed in k8s: <a href="https://github.com/segiddins/rubygems-research/pull/14">https://github.com/segiddins/rubygems-research/pull/14</a></p>
<h2 id="api-security">API Security</h2>
<p>Refactored API key scopes to make it easier to introduce new scopes.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4676">https://github.com/rubygems/rubygems.org/pull/4676</a></p>
<p>Allowed users to create API keys with expiration dates.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4681">https://github.com/rubygems/rubygems.org/pull/4681</a></p>
<p>Allowed API keys that were created with an expiration under 15 minutes to skip MFA &ndash; this makes creating ephemeral API keys much more convenient without losing any security, since the user <em>just</em> MFA&rsquo;d to create the key.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4691">https://github.com/rubygems/rubygems.org/pull/4691</a></p>
<h2 id="trusted-publishing">Trusted publishing</h2>
<p>Added an API for trusted publishing. Wrote a RubyGems plugin that uses the API to set up trusted publishing for an existing gem.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4690">https://github.com/rubygems/rubygems.org/pull/4690</a> <a href="https://github.com/rubygems/rubygems.org/pull/4693">https://github.com/rubygems/rubygems.org/pull/4693</a></p>
<p>CLI</p>
<p><a href="https://github.com/rubygems/configure_trusted_publisher">https://github.com/rubygems/configure_trusted_publisher</a></p>
<h2 id="sigstore">Sigstore</h2>
<p>Began implementing DSSE/in-toto support: <a href="https://github.com/segiddins/sigstore-ruby/pull/11">https://github.com/segiddins/sigstore-ruby/pull/11</a></p>
<p>Needed to be able to verify Sigstore bundles produced by GitHub&rsquo;s new attestation action.</p>
<p>Hacked on ruby/openssl support for difficult times: <a href="https://github.com/ruby/openssl/pull/757">https://github.com/ruby/openssl/pull/757</a></p>

Residency Update http://blog.segiddins.me/2024/05/03/residency-update/ 2024-05-03T19:00:00Z 2024-05-22T17:27:03+00:00 Samuel Giddins

<p>Welcome to my update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I spent a bunch of time refactoring the Sigstore implementation, and banged my head against timestamping verification, which is mostly implemented but not yet working.</p>
<h2 id="sigstore">Sigstore</h2>
<p>Discovered some more JRuby issues: <a href="https://github.com/jruby/jruby-openssl/issues/299">https://github.com/jruby/jruby-openssl/issues/299</a> <a href="https://github.com/jruby/jruby-openssl/issues/298">https://github.com/jruby/jruby-openssl/issues/298</a> <a href="https://github.com/jruby/jruby/issues/8216">https://github.com/jruby/jruby/issues/8216</a></p>
<p>Made a PR to ruby/openssl to add TBS certificate support: <a href="https://github.com/ruby/openssl/pull/753">https://github.com/ruby/openssl/pull/753</a></p>
<p>Significantly refactored the handling of X.509 extensions to properly parse them, rather than relying only on debug strings.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/pull/9">https://github.com/segiddins/sigstore-ruby/pull/9</a></p>
<p>Started preparations for donating the implementation to the sigstore org.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/pull/2">https://github.com/segiddins/sigstore-ruby/pull/2</a></p>
<p>Fixed the TBS DER implementation to work on Linux by directly manipulating ASN.1.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/commit/656d992fa816613fd9936f53ce30972c2f2f4957">https://github.com/segiddins/sigstore-ruby/commit/656d992fa816613fd9936f53ce30972c2f2f4957</a></p>
<p>Fixed support for running on Ruby 3.0.</p>
<p>Started work on timestamp verification, but it&rsquo;s not working yet because of some issues with the Ruby OpenSSL bindings.</p>
<h2 id="protobug">Protobug</h2>
<p>Finished support for running on JRuby.</p>
<p><a href="https://github.com/segiddins/protobug/pull/2">https://github.com/segiddins/protobug/pull/2</a></p>
<p>Also got TruffleRuby working.</p>

Residency Update http://blog.segiddins.me/2024/04/26/residency-update/ 2024-04-26T19:00:00Z 2024-05-22T17:24:54+00:00 Samuel Giddins

<p>Welcome to my update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I focused on implementing SCT verification in Sigstore, and made some improvements to the Protobug gem (which is now released!).</p>
<h2 id="sigstore">Sigstore</h2>
<p>Switched to plain-Ruby protos.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/pull/1">https://github.com/segiddins/sigstore-ruby/pull/1</a></p>
<p>Contributed testing improvements to the nascent TUF conformance test suite.</p>
<p><a href="https://github.com/jku/tuf-conformance/pull/16">https://github.com/jku/tuf-conformance/pull/16</a></p>
<p>Automated updating the vendored trust root.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/commit/cc0d44c778bf8764a4c906bc8540f40ab79755cf">https://github.com/segiddins/sigstore-ruby/commit/cc0d44c778bf8764a4c906bc8540f40ab79755cf</a></p>
<p>The big one: SCT verification.</p>
<p><a href="https://github.com/segiddins/sigstore-ruby/commit/9c8a6b389c3f72b7c20ffbbb9d5c37a0a2243837">https://github.com/segiddins/sigstore-ruby/commit/9c8a6b389c3f72b7c20ffbbb9d5c37a0a2243837</a></p>
<h2 id="protobug">Protobug</h2>
<p>Set up automated releases.</p>
<p>Added support for running on TruffleRuby and JRuby: <a href="https://github.com/segiddins/protobug/commit/20290313f4452a70214acf46a6bf2191c9bdf7a3">https://github.com/segiddins/protobug/commit/20290313f4452a70214acf46a6bf2191c9bdf7a3</a></p>
<h2 id="rubygems-org">RubyGems.org</h2>
<p>Enabled YJIT for RubyGems.org.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4639">https://github.com/rubygems/rubygems.org/pull/4639</a></p>
<p><a href="https://x.com/oceanicpanda/status/1783042354649428149">improved average latency by 20%</a></p>
<p>Updated to Ruby 3.3.1 to keep up with the latest security patches.</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4638">https://github.com/rubygems/rubygems.org/pull/4638</a></p>
<p>Landed storing API key scopes in an array column: <a href="https://github.com/rubygems/rubygems.org/pull/4610">https://github.com/rubygems/rubygems.org/pull/4610</a></p>

Residency Update http://blog.segiddins.me/2024/04/19/residency-update/ 2024-04-19T19:00:00Z 2024-05-22T17:23:04+00:00 Samuel Giddins

<p>Welcome to my eleventh update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I attended the Linux Foundation&rsquo;s Open Source Summit North America 2024, and spent a whole bunch of time talking to my peers about packaging ecosystem security.</p>
<h2 id="trusted-publisher-apis">Trusted publisher APIs</h2>
<p>Prep work: store API key scopes in a jsonb column (to make it easier to add new ones going forward).</p>
<p><a href="https://github.com/rubygems/rubygems.org/pull/4610">https://github.com/rubygems/rubygems.org/pull/4610</a></p>
<h2 id="rubygems-org">RubyGems.org</h2>
<p>Preventing yanking of gems that are either too old or have too many downloads.</p>
<p>Landed disabling loading YAML aliases in RubyGems.org: <a href="https://github.com/rubygems/rubygems.org/commit/8fc65dbdeedffedc337b0abc7f1b67818aec5941">https://github.com/rubygems/rubygems.org/commit/8fc65dbdeedffedc337b0abc7f1b67818aec5941</a></p>
<p>Landed user avatar proxying: <a href="https://github.com/rubygems/rubygems.org/commit/b8d842c4f0f6f5afe93bb51c5d7660a5c504b5f7">https://github.com/rubygems/rubygems.org/commit/b8d842c4f0f6f5afe93bb51c5d7660a5c504b5f7</a></p>
<h2 id="sigstore-plan">Sigstore Plan</h2>
<ul>
<li>Be able to verify a signature given a sigstore bundle</li>
<li>Be able to securely update the sigstore trust root (i.e. a working TUF client)</li>
<li>Use GitHub Actions to create a sigstore bundle for a built gem</li>
<li>Create a new gem push endpoint that takes both a gem and a sigstore bundle
<ul>
<li>Only usable from trusted publishing</li>
<li>RubyGems.org will verify the signature before accepting the gem</li>
<li>Only bundles signed by the trusted publisher will be accepted</li>
</ul></li>
<li>Upload sigstore bundles to a new directory on S3</li>
<li>Add a piece of metadata on the /info endpoint that declares that the gem has an associated sigstore bundle</li>
<li>Bundler downloads the sigstore bundle and verifies the signature before installing the gem</li>
<li>RubyGems downloads the sigstore bundle and verifies the signature before installing the gem</li>
<li>RubyGems.org exposes trusted publishers configured for a gem via API</li>
</ul>
<p>Future work:</p>
<ul>
<li>Allow users to configure their own trust policies</li>
<li>Allow users to configure their own trust roots</li>
<li>TOFU for known claims</li>
</ul>

Residency Update http://blog.segiddins.me/2024/04/12/residency-update/ 2024-04-12T19:00:00Z 2024-04-15T06:39:51+00:00 Samuel Giddins

<p>Welcome to my tenth update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I fixed some DoS vectors in RubyGems.org.</p>
<h2 id="documentation-for-the-compact-index">Documentation for the compact index</h2>
<p>I spent a few hours helping Martin write down some <a href="https://guides.rubygems.org/rubygems-org-compact-index-api/">authoritative documentation for the compact index API</a>, which should help implementers of other RubyGems package repositories support the format. The format comes with some big security benefits (largely, the ability to verify gem checksums on download &amp; install).</p>
<h2 id="re-introducing-avatars-to-rubygems-org">Re-introducing avatars to RubyGems.org</h2>
<p>I spent a few hours working on a <a href="https://github.com/rubygems/rubygems.org/pull/4603">PR to re-introduce avatars to RubyGems.org</a>. This is a feature that was removed a few months ago due to some privacy concerns, but switching to serving avatars via a secure reverse proxy should sufficiently protect users&rsquo; email addresses.</p>
<p>This should hopefully get rid of all the red gem triangles showing up on every gem page, and make it easier to see at a glance who the owners of gems are.</p>
<h2 id="disabling-yaml-aliases-in-rubygems-org">Disabling YAML aliases in RubyGems.org</h2>
<p>There was a theoretical DoS vector in the gem upload endpoint, whereby a specially crafted gemspec being pushed could cause the application server to run out of memory. <a href="https://github.com/rubygems/rubygems.org/pull/4603">Disabling resolution of YAML aliases</a> fixes that vector.</p>
<h2 id="limiting-uploaded-gem-metadata-size">Limiting uploaded gem metadata size</h2>
<p>Another theoretical DoS vector, <a href="https://github.com/rubygems/rubygems/pull/7568">another patch in RubyGems</a>. This time, the vulnerability was in the process of reading the metadata of a pushed gem, where the server could be forced to allocate roughly 1000x as much memory as the size of the uploaded gemspec (which is already limited to 500M). Since the servers don&rsquo;t have half a terabyte of RAM available, that could make things go boom. This patch puts an upper bound on how much RubyGems will un-gzip from the uploaded gemspec, which should prevent the server from running out of memory. Full credit for this one goes to me, as I thought up the vulnerability, because what else am I going to do in my free time.</p>
<h2 id="upcoming">Upcoming</h2>
<p>I will be in Seattle this upcoming week for Open Source Summit North America 2024! Come say hi and talk about open source &amp; package security with me!</p>

Residency Update http://blog.segiddins.me/2024/04/05/residency-update/ 2024-04-05T19:00:00Z 2024-04-15T06:28:20+00:00 Samuel Giddins

<p>Welcome to my ninth update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I dealt with the fallout from the xz/liblzma backdoor. I also took a last minute trip to NY for a funeral, which was honestly more exhausting than firefighting the backdoor.</p>
<h2 id="xz-liblzma-backdoor">xz/liblzma backdoor</h2>
<p>Thanks for ruining my Friday, Saturday, &amp; Sunday, world. Like every other infosec professional, I spent several days chasing down the impact of the xz backdoor on RubyGems and the Ruby ecosystem writ large. The major product of those dozens of hours of work was a <a href="https://blog.rubygems.org/2024/03/31/rubygems-and-xz.html">blog post</a>.</p>
<p>I&rsquo;m glad that my work building rubygems-research has not been in vain, as it was instrumental in being able to examine the spread of liblzma in the RubyGems ecosystem (essentially non-existent, phew).</p>

Residency Update http://blog.segiddins.me/2024/03/29/residency-update/ 2024-03-29T19:00:00Z 2024-04-15T06:24:46+00:00 Samuel Giddins

<p>Welcome to my eighth update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>This week I wrapped up the pure-Ruby proto implementation.</p>
<h2 id="plain-ruby-protos">Plain Ruby Protos</h2>
<p>I landed a <a href="https://github.com/segiddins/protobug/pull/1">massive PR</a> that basically makes the implementation compliant! There are only a few failing test cases, and they relate to Ruby&rsquo;s JSON parser being too lenient. I&rsquo;m calling this project wrapped for now.</p>

Residency Update http://blog.segiddins.me/2024/03/22/residency-update/ 2024-03-22T19:00:00Z 2024-04-15T06:44:06+00:00 Samuel Giddins

<p>Welcome to my seventh update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>The past week I was mostly on airplanes and working on sigstore &amp; protobufs.</p>
<h2 id="sigstore-verification">Sigstore Verification</h2>
<p>What is there to say?</p>
<h2 id="tuf-client">TUF Client</h2>
<p>As I&rsquo;ve mentioned before, this is also a part of the sigstore work. I&rsquo;ve been working on a TUF client in Ruby, which is a bit of a challenge because TUF is so loosely defined and there is no conformance test suite to implement against. Testing an implementation like this is by far the hardest part, and I have sort of run out of steam. There&rsquo;s a nascent conformance test repo I&rsquo;ve <a href="https://github.com/jku/tuf-conformance/pull/13">started contributing to</a>, but it needs some meaty test cases to be added before it becomes truly useful. My plan is to implement the specs against the reference TUF client, and presume whatever it does in various scenarios is correct, because that spec is dense.</p>
<h2 id="plain-ruby-protos">Plain Ruby Protos</h2>
<p>Continued progress here.</p>

Residency Update http://blog.segiddins.me/2024/03/15/residency-update/ 2024-03-15T15:00:00Z 2024-03-15T15:02:00+00:00 Samuel Giddins

<p>Welcome to my sixth update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<h2 id="fixing-a-common-source-of-oncall-pages">Fixing a common source of ONCALL pages</h2>
<p>As I mentioned <a href="https://blog.segiddins.me/2024/03/08/residency-update/#fixing-a-common-source-of-oncall-pages">last week</a>, I had found that by far our most expensive query was for reverse dependencies of a gem. I shipped my fix last weekend, and it sure made a difference.</p>
<p><img alt="alt text" width="1560" height="546" src="/images/2024-03-15-residency-update/reverse_dependencies_p75.png" /></p>
<h2 id="fixing-n-1-queries">Fixing N+1 Queries</h2>
<p>Unfortunately, most of my week was spent on RubyGems.org operational issues. I had noticed that many of our slowest endpoints had a very large number of queries being executed, and I spent a bunch of time digging into root causes in DataDog to figure out why. It turned out we had a spate of N+1 queries, and heavy automated usage of the site&rsquo;s API (along with scraping of the HTML pages) caused heavy load on those endpoints.</p>
<p>As a result, our postgres database got overloaded several times during the week, leading to multiple members of the oncall rotation (including yours truly) being paged over and over. It wasn&rsquo;t fun.</p>
<p>Fortunately, the Rails ecosystem has several tools to help narrow in on N+1 queries! After slapping <code>strict_loading</code> on several queries and adding in <code>includes</code> and <code>preload</code> calls, I brought out the big guns to find the remaining offenders.</p>
<p>Setting up the wonderful <a href="https://rubygems.org/gems/prosopite">prosopite</a> gem led to <a href="https://github.com/rubygems/rubygems.org/pull/4525">several more fixes</a>. After a hurried emergency deploy on Thursday afternoon, we saw an immediate improvement across the board and the site once again appears to be stable!</p>
<p><img alt="alt text" width="1550" height="524" src="/images/2024-03-15-residency-update/image.png" /></p>
<p><img alt="alt text" width="1528" height="552" src="/images/2024-03-15-residency-update/image-1.png" /></p>
<p>Top requests over the past 24 hours</p>
<p><img alt="alt text" width="3172" height="754" src="/images/2024-03-15-residency-update/image-2.png" /></p>
<p>Average time spent per request on Api::V1::VersionsController#show</p>
<p><img alt="alt text" width="1550" height="526" src="/images/2024-03-15-residency-update/image-3.png" /></p>
<p>Problematic N+1 query (getting gem version download count)</p>
<p><img alt="alt text" width="2140" height="598" src="/images/2024-03-15-residency-update/image-4.png" /></p>
<p>Finally, it appears that there are some users who are scraping every gem &amp; version page/endpoint. We would strongly recommend that researchers &amp; other automated platforms use the data dumps we provide if possible, and make decisions on what endpoints to call to refresh data based upon changes in the <code>/versions</code> file, which is statically generated and thus causes no load on the Rails app or database.</p>
<h2 id="sigstore">Sigstore</h2>
<p>Few updates this week, due to the aforementioned operational work. I did make progress on protobuf compliance, though!</p>

Residency Update http://blog.segiddins.me/2024/03/08/residency-update/ 2024-03-08T19:00:00Z 2024-03-08T19:37:43+00:00 Samuel Giddins

<p>Welcome to my fifth update as <a href="https://rubycentral.org/news/ruby-central-welcomes-new-software-engineer-in-residence-sponsored-by-aws/">Ruby Central&rsquo;s security engineer in residence, sponsored by AWS</a>.</p>
<p>My goal is to write a short update every week, chronicling what I&rsquo;ve been working on, and reminding myself that I was, in fact, productive.</p>
<p>The past two weeks I have been heads-down on a pure-Ruby Sigstore implementation, which has a lot of moving parts. I hope to outline some of the interesting challenges I&rsquo;ve encountered along the way, either in this update or in another venue.</p>
<h2 id="sigstore-verification">Sigstore Verification</h2>
<p>This is my big project for the month. (At least a month, it&rsquo;s a real big one.)</p>
<p>We have a working implementation of <code>verify</code> and <code>verify-bundle</code> in the <a href="https://github.com/segiddins/sigstore-cosign-verify">sigstore verifier</a> that is passing <em>most</em> of the non-signing conformance tests. I still have to implement DSSE envelope verification and CT log verification.</p>
<p>As a part of this, there is also a functional TUF client, which is in desperate need of testing.</p>
<p>I have verified that the implementation works on Ruby 3.1+ (3.0 will be supported easily as well) and TruffleRuby, but there are a <a href="https://github.com/jruby/jruby/issues/8146">pair of</a> <a href="https://github.com/jruby/jruby-openssl/issues/292">JRuby issues</a> that prevent the verifier from working there.</p>
<p>Next week, I plan to continue my valiant effort to write sufficient test coverage for the verifier, and to implement the missing verification steps.</p>
<h2 id="plain-ruby-protos">Plain Ruby Protos</h2>
<p>As I hinted last update, as a part of the sigstore work I&rsquo;ve implemented a pure <a href="https://github.com/segiddins/protobug">Ruby protobuf runtime &amp; compiler</a>. This library is meant to be easily embeddable, enabling the sigstore verifier to vendor built Sigstore protos and use them without needing to take a dependency on a precompiled protobuf gem.</p>
<p>I&rsquo;m still in the process of fleshing out the functionality, but over half of the protobuf conformance tests are now passing!</p>
<p>I&rsquo;ve spent so much time dealing with binary data in Ruby lately, I feel like there&rsquo;s a good talk to be written about <code>pack</code> and <code>unpack</code> and binary strings and integer bit manipulation.</p>
<h2 id="fixing-a-common-source-of-oncall-pages">Fixing a common source of ONCALL pages</h2>
<p>The PR is still a work in progress, but I <a href="https://github.com/rubygems/rubygems.org/pull/4512">fixed the most common source of ONCALL pages</a> for the RubyGems.org team. This was a good 6 hours of debugging to even reproduce and narrow down the root cause, but it turns out that swapping the order of the two operands on an <code>ON</code> clause in a join completely changes the query plan that gets used, getting postgres to use the index on the joined table instead of doing a full table scan. It looks to be on the order of a 1500x improvement in query time, for the query that the DB was spending the most time on. Wild.</p>
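The two upload-path DoS fixes described in the 2024-04-12 update above (refusing to resolve YAML aliases, and bounding how much of a pushed gemspec gets un-gzipped) are the kind of check a registry wants in front of any parser that consumes attacker-supplied metadata. The Ruby below is an added example written for this page, not code from RubyGems or RubyGems.org: the `MAX_INFLATED_METADATA_BYTES` ceiling, the function names and the sample documents are all constructed, and the real server-side limit is not stated on the page.

```ruby
require "zlib"
require "stringio"
require "yaml"

# Constructed ceiling for this example (placeholder: the page does not state the
# server-side value). The page notes that a compressed gemspec can inflate to
# roughly 1000x its size, so the bound has to apply to the *inflated* bytes.
MAX_INFLATED_METADATA_BYTES = 64 * 1024

# Inflate gzipped metadata while never asking zlib for more than `limit + 1`
# bytes of output, so a small, highly compressible payload cannot balloon in
# memory before anything looks at it.
def bounded_gunzip(gzipped, limit: MAX_INFLATED_METADATA_BYTES)
  reader = Zlib::GzipReader.new(StringIO.new(gzipped))
  # Request one byte past the limit: if we actually receive it, the payload
  # is larger than we are willing to hold and is rejected outright.
  out = reader.read(limit + 1).to_s
  raise ArgumentError, "inflated metadata exceeds #{limit} bytes" if out.bytesize > limit
  out
ensure
  reader&.close
end

# Parse the inflated document with alias resolution disabled, so a `*anchor`
# reference raises instead of being expanded (repeated aliases let a few bytes
# of YAML expand into very large structures). Psych::BadAlias is the superclass
# raised for this in both Psych 3 and Psych 4.
def load_metadata_yaml(yaml)
  YAML.safe_load(yaml, permitted_classes: [Symbol], aliases: false)
rescue Psych::BadAlias => e
  raise ArgumentError, "YAML aliases are not allowed in gem metadata (#{e.class})"
end

# Both checks chained in the order an upload path would apply them:
# bound the decompression first, then parse with aliases disabled.
def parse_uploaded_metadata(gzipped)
  load_metadata_yaml(bounded_gunzip(gzipped))
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a small legitimate document, an oversized one, and one
  # that uses an alias. Only the first should be accepted.
  p parse_uploaded_metadata(Zlib.gzip("name: demo\nlicenses:\n- MIT\n"))
  [Zlib.gzip("#" * (MAX_INFLATED_METADATA_BYTES + 1)),
   Zlib.gzip("a: &x [1, 2, 3]\nb: *x\n")].each do |bad|
    begin
      parse_uploaded_metadata(bad)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Real gem metadata is a tagged `Gem::Specification` document that RubyGems loads with its own permitted-class list; the example keeps a plain mapping so that the two checks, the inflation bound and the alias rejection, are what the reader sees exercised.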