20241101 ◎

I finished the tasks I decided to do today, as always.

Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.

Note: A precondition for this vulnerability is that the username must be or exceed 52 characters any time a cache key is generated for the user.

The precondition of a username with 52 or more characters looks almost too simple to slip through, especially at a well-known security company like Okta, but that kind of thing happens sometimes. I think disclosing mistakes is key to getting customers to believe in the business (or anything).
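The bcrypt pitfall behind the advisory, written up here as an added example (not Okta's code): bcrypt only consumes the first 72 bytes of its input, so if userId + username already fill those 72 bytes the password never reaches the hash. SHA-256 stands in for bcrypt in this model, and the 20-character userId (so that 20 + 52 = 72) and the hardened construction are assumptions, not Okta's published fix.

```python
import hashlib

BCRYPT_INPUT_LIMIT = 72  # real bcrypt silently ignores input beyond 72 bytes


def bcrypt_like(data: bytes) -> str:
    """Stand-in for bcrypt: reproduces only its 72-byte truncation, then
    hashes with SHA-256 (constructed model, not a bcrypt implementation)."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def legacy_cache_key(user_id: str, username: str, password: str) -> str:
    """The flawed scheme from the advisory: hash(userId + username + password).
    If userId + username already fill 72 bytes, the password is never hashed."""
    return bcrypt_like((user_id + username + password).encode())


def password_is_dropped(user_id: str, username: str) -> bool:
    """True when the concatenated prefix alone reaches the bcrypt limit."""
    return len((user_id + username).encode()) >= BCRYPT_INPUT_LIMIT


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """Assumed mitigation (not Okta's published fix): length-prefix each field
    so the encoding is unambiguous, pre-hash to a fixed 32 bytes with SHA-256,
    and only then apply bcrypt, so no field can be truncated away."""
    def field(value: str) -> bytes:
        raw = value.encode()
        return len(raw).to_bytes(4, "big") + raw

    prehash = hashlib.sha256(field(user_id) + field(username) + field(password)).digest()
    return bcrypt_like(prehash)


# Constructed sample values: a 20-character userId plus a 52-character username = 72 bytes.
USER_ID = "00u" + "a" * 17
LONG_USERNAME = "user." + "x" * 39 + ".example"   # 52 characters: password is dropped
SHORT_USERNAME = "user." + "x" * 38 + ".example"  # 51 characters: password still matters

if __name__ == "__main__":
    print("password dropped for 52-char username:", password_is_dropped(USER_ID, LONG_USERNAME))
    print("legacy keys equal for different passwords:",
          legacy_cache_key(USER_ID, LONG_USERNAME, "correct-password")
          == legacy_cache_key(USER_ID, LONG_USERNAME, "anything-else"))
    print("hardened keys equal for different passwords:",
          hardened_cache_key(USER_ID, LONG_USERNAME, "correct-password")
          == hardened_cache_key(USER_ID, LONG_USERNAME, "anything-else"))
```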

Is uv supported by GitHub Dependabot? (as of Nov 2 2024)

Motivation: There is a discussion about migrating from poetry to uv, as uv is gaining traction in the industry with its super-fast implementation of Python package (or rather, project) management. Last time I checked, Dependabot had no native support for it, and because Dependabot is so useful for keeping packages up to date and patching security issues, I prefer not to switch to uv while it still lacks Dependabot support.

Dependency bots | uv

Support for uv is not yet available. Progress can be tracked at:

Working on projects | uv

uv.lock is a cross-platform lockfile that contains exact information about your project's dependencies. Unlike the pyproject.toml which is used to specify the broad requirements of your project, the lockfile contains the exact resolved versions that are installed in the project environment. This file should be checked into version control, allowing for consistent and reproducible installations across machines.

uv.lock is a human-readable TOML file but is managed by uv and should not be edited manually.

Similar to poetry.lock in poetry, uv.lock is the lock file for all the dependencies in a project. Looking at this issue in the Dependabot GitHub repository:

Support updating uv.lock #10478

It's still open, and I don't see any related pull request, so I can say it's not supported by Dependabot at the moment.

There seems to be another way to lock dependencies with uv, uv pip compile.

Locking environments | uv

uv allows dependencies to be locked in the requirements.txt format.

And looking at the issue and pull request in the Dependabot repository:

Support python uv as pip-compile compatible replacement #10039

Support uv compiled requirements files #10040

They are still in review. It is interesting that the pull request was created around five months ago and has gone stale.

Maybe the Dependabot team does not have enough resources? Or do they just not like the idea of supporting uv? I browsed the thread but could not figure it out.

The author communicated in a polite manner even though he has been (sort of) ignored. I respect his attitude… I cannot guarantee that I wouldn't go mad if I were in his shoes.

TODO: I know uv is super-fast, but is it important? :thinking_face:


Fruits: 200 kcal
Protein bars: 300 kcal
Pocky: 200 kcal
Biriyani: 1000 kcal
Herbal tea: 100 kcal

Total 1800 kcal


MUST:

TODO:

