by bkudria on 12/1/22, 10:15 PM with 33 comments
by gitgud on 12/2/22, 8:32 AM
A good solution I've just seen is to validate the environment variables using a schema, like zod [1], which will guarantee that the ENV variables are the exact type that you expect when the program starts, or it will throw an error.
[1] Example -> https://github.com/t3-oss/create-t3-app/blob/bc57d02789209f1...
by fefe23 on 12/2/22, 10:58 AM
As soon as you have components talk to each other over IPC, you pass strings of bytes. It does not matter whether you create a nice abstraction class around a string. Over the wire it is still a string.
What is he proposing we do to prevent confusion between strings?
Adding namespaces does not appear to be a useful idea because it boils down to "do input validation", which you are hopefully already doing.
by skybrian on 12/2/22, 8:13 AM
by tonto on 12/2/22, 7:38 AM
by jeffparsons on 12/2/22, 12:05 PM
An outer component, in this example a web service, might be provided with a handle to a secret that it needs for connecting to some other system — let's take Consul, for example. The web service is trusted to basically _intend_ to do the right thing, but it is not trusted to be vigilant enough to avoid leaking the secret, so it is not allowed to ever actually resolve that secret itself.
What it _can_ do is provide the secret-handle to another component whose job is to establish the connection to Consul for it. That second component has to be given a handle to a secret (it can't just look them up by itself) but once it has one, it can resolve it to the actual secret string. This second component does as little as possible, and is trusted to not accidentally leak the actual secret string — not even to the outer component that is using it.
The Wasm component model makes this sort of scheme really easy to implement because capabilities / unforgeable handles are a first-class concept and they are available for all components to create and communicate between each other.
I guess this might already be a well-established pattern elsewhere, but I don't remember seeing it anywhere.
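The secret-handle scheme described in this comment, as an added example that is not from the thread or from the Wasm component model itself: a plain TypeScript sketch in which a frozen object plays the unforgeable handle, and the names SecretVault, ConsulConnector and WebService are hypothetical.

```typescript
// Added example (not from the thread): the secret-handle pattern above in plain TypeScript.
// Hypothetical names: SecretVault, ConsulConnector, WebService. A frozen object stands in for
// the component model's unforgeable handle; the vault keys a WeakMap on object identity, so a
// handle cannot be guessed, forged from a string, or read for its value.
type SecretHandle = { readonly __brand: "SecretHandle" };
type SendFn = (token: string, key: string) => string;
class SecretVault {
  private readonly secrets = new WeakMap<SecretHandle, string>(); // real values live only here
  // Called by whoever provisions secrets at startup; returns a handle, never the value.
  issue(secret: string): SecretHandle {
    const handle = Object.freeze({ __brand: "SecretHandle" }) as SecretHandle;
    this.secrets.set(handle, secret);
    return handle;
  }
  // Only a component that was handed the vault can turn a handle back into a string.
  resolve(handle: SecretHandle): string {
    const value = this.secrets.get(handle);
    if (value === undefined) throw new Error("unknown or forged secret handle");
    return value;
  }
}
// Small trusted component: holds the vault, does the minimum, and is the only place the
// token is ever in the clear.
class ConsulConnector {
  constructor(private readonly vault: SecretVault, private readonly send: SendFn) {}
  kvGet(tokenHandle: SecretHandle, key: string): string {
    return this.send(this.vault.resolve(tokenHandle), key);
  }
}
// Outer component: trusted to intend the right thing but given no vault, so it can only pass
// the handle along and has nothing to leak even if it dumps its own state to a log.
class WebService {
  constructor(private readonly token: SecretHandle, private readonly connector: ConsulConnector) {}
  fetchConfig(key: string): string {
    return this.connector.kvGet(this.token, key);
  }
}

// Constructed demo with a fake Consul that accepts exactly one token.
function demo(): { config: string; handleLeaksValue: boolean; forgedRejected: boolean } {
  const vault = new SecretVault();
  const handle = vault.issue("constructed-consul-token");
  const fakeConsul: SendFn = (token, key) => (token === "constructed-consul-token" ? `${key}=value` : "403");
  const svc = new WebService(handle, new ConsulConnector(vault, fakeConsul));
  let forgedRejected = false;
  try { vault.resolve({ __brand: "SecretHandle" } as SecretHandle); } catch { forgedRejected = true; }
  const handleLeaksValue = JSON.stringify(svc).includes("constructed-consul-token");
  return { config: svc.fetchConfig("db/host"), handleLeaksValue, forgedRejected };
}
```

Serialising the whole web service shows no trace of the token, and a look-alike handle built from a string is rejected, which is the property the pattern relies on.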
by AtlasBarfed on 12/2/22, 4:08 PM
- "fully qualified names" ... to some arbitrary obvious-after-the-fact degree, because fully FULL qualification becomes one of the heavyweight barriers he doesn't like: a central name validator/registry, reduced ability to reuse data because of the funny wrapping/name
- universal data typing, but that doesn't exist, and would be a barrier if it was
- universal data formats: oh god, that means standards bodies, doesn't it.
I totally agree about the "make services interact --> they interact, but there are security holes --> impose security" loop.
by Animats on 12/2/22, 5:20 PM
OK, whatever.
What he's railing against is canned strings which identify things. URLs, names in key/value stores, etc.
Attempts to get rid of that include the Windows Registry. That may not be a good example. Another attempt is identifying everything with an arbitrary GUID or UUID. Pixar moved away from that in their USD format for animation data.
by Guthur on 12/2/22, 8:42 AM
by nivertech on 12/3/22, 4:31 PM
by nemo1618 on 12/2/22, 3:31 PM