Posts by el-keef

Atlassian make it hard to avoid this

Atlassian have a history of merging accounts between personal and work - it's not that easy to avoid. I nearly lost all my personal Bitbucket content when leaving an employer because Atlassian had managed to combine my personal account with my work account despite me trying to keep them separate. I think it happened when they converted standalone Bitbucket accounts into Atlassian accounts, just as they're currently doing with Trello. Luckily I had a good relationship with the account manager at that company and managed to get it sorted out, but it took a while between us to figure out what we had to do.

All the people saying "don't mix work and personal" - it really isn't that straightforward to avoid with Atlassian, they link stuff up behind the scenes without being explicit about it.

How to access?

Anyone know how to get access to these? I can't find any mention of free stuff on their website, still charging lots of dosh..

Context lacking

One problem with the npm vulnerability scans is that they don't take account of the context of the dependency inclusion.

For example, a fresh out-of-the-box Angular 6 install will show several dependencies with vulnerabilities. But, if you look closer, some are only vulnerabilities if e.g. deployed on the server-side in Node.js, or if they hit production browser code. Within Angular they're only used as part of the build system which means they'll never see anything public facing, they never become part of the code actually used to provide a service to the end user, so will never cause any issues.

While it's fantastic that tools like npm and Github are reporting library vulnerabilities, the trouble here is that you get 'boy-cried-wolf' syndrome. If everything is is always reporting security audit issues which are easy to ignore then the one that matters, when it happens, will be missed.

v2 LTS release announcement?

That Amazon Linux 2 LTS release seems to have happened very quietly - they've apparently removed mentions of 'release candidate' from most of the relevant pages but I can't find any press release or blog post - anyone found something announcing this?

The v2 LTS release is more interesting (to me, at least) than v1 as they're providing externally hostable VM images (e.g. KVM, which can be easily adapted for OpenStack) so it's a tiny bit less locked-in to AWS. A tiny bit.