Hacker News | calvins's comments


What do you mean by 'out of the box'? jsonschema needs to be installed. It's not in the stdlib.


It seems no security audit has been performed, but they plan on it at some point: https://discussion.enpass.io/index.php?/topic/404-security-a...

Their responses in that thread do not inspire confidence in the product for me, to put it mildly.


That was scary. I'm not going to be recommending Enpass.


I think you should put the disclaimer at the top of the GitHub page, and clearly state that it is not secure.

The disclaimer currently is near the end of the document and says only "Purely experimental project. Designed for learning purposes not production use.".

Some people will miss that at the bottom of the page (after how to install, how to use, etc.), or might not realize that textbook RSA is insecure (https://crypto.stanford.edu/~dabo/courses/cs255_winter00/RSA...).


https.cio.gov SSL Labs test result: https://www.ssllabs.com/ssltest/analyze.html?d=https.cio.gov

Of note is that they're using a Let's Encrypt cert and running in AWS.


Not the OP, but I'd really like to be able to run containers with all unnecessary capabilities dropped:

https://github.com/aws/amazon-ecs-agent/issues/223


But doing a 360 doesn't mean doing a 180, and then sometime much later, doing another 180.


I think it's a matter of context and time-frame. If they end up pointing the same way they started, that's 360 degrees. That might entail two 180 flips at different points, and if talking about one of those specifically, it would be appropriate to say they did a 180 when referring to that specific situation.


Pip has a constraints file now. Running

  $ pip freeze -r requirements.txt > constraints.txt

after you've installed all your packages gives you a constraints file that can be used to reinstall exactly the same versions:

  $ pip install -r requirements.txt -c constraints.txt
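
An added example, not part of the comment above: a small check that a constraints file really pins every entry in requirements.txt to an exact version before it is relied on for reproducible installs. The file contents are constructed samples, and the function names (`normalize`, `parse`, `audit`) are hypothetical.

```python
import re

# Constructed sample file contents (not from the comment above).
REQUIREMENTS = """\
requests[security]>=2.0
Flask
python_dateutil
"""
CONSTRAINTS = """\
requests==2.9.1
flask==0.10.1
Jinja2>=2.8
## The following requirements were added by pip freeze:
Werkzeug==0.11.4
"""

# project name, optional [extras], then whatever version specifier follows
LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
EXACT_RE = re.compile(r"^==\s*[^\s*,;]+$")  # a single == clause, no wildcard


def normalize(name):
    """PEP 503 normalization, so Flask/flask and python_dateutil/python-dateutil match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse(text):
    """Map normalized project name -> version specifier ('' if none)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):       # skip blanks and options (-r, -e, ...)
            continue
        m = LINE_RE.match(line)
        if m:
            spec = m.group(2).split(";", 1)[0].strip()  # drop environment markers
            entries[normalize(m.group(1))] = spec
    return entries


def audit(requirements_text, constraints_text):
    """Return (requirements lacking an exact pin, constraint entries that are not exact pins)."""
    reqs, cons = parse(requirements_text), parse(constraints_text)
    loose = sorted(n for n, s in cons.items() if not EXACT_RE.match(s))
    unpinned = sorted(n for n in reqs if n not in cons or n in loose)
    return unpinned, loose


if __name__ == "__main__":
    print(audit(REQUIREMENTS, CONSTRAINTS))
```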


Didn't know that option, thanks. Better than nothing, but unfortunately your environment is still subject to the remarks in my second paragraph. So pip-tools is still required if you want more guarantees.


It's easier to disambiguate shapes and colors than just shapes or just colors -- something like a checkmark of one color, and an X of a different color.


FWIW We've got colored indicators that have appropriate iconography for these kinds of users.


> if it's _truly_ agent-less why do they care about the python version on the target, I feel that python target code is the agent?

"Agentless" means that it works by pushing to the machine and that there isn't an agent process already running on the target. It doesn't mean that there aren't any requirements on what needs to be installed on the target already.

