Hacker News: loginatnine

New comment by loginatnine in "Postmortem: TanStack npm supply-chain compromise"

loginatnine — Tue, 12 May 2026 01:12:54 +0000

https://github.com/opensearch-project/opensearch-js/issues/1...

The worm is spreading...

New comment by loginatnine in "Pricing Changes for GitHub Actions"

loginatnine — Tue, 16 Dec 2025 22:02:57 +0000

At our company, it's ~35k USD increase annually. This is not negligeable.

New comment by loginatnine in "GitLab discovers widespread NPM supply chain attack"

loginatnine — Fri, 28 Nov 2025 16:48:39 +0000

Send them a request to have Trusted publishers support at central-support (at) sonatype.com

I did that a couple of weeks ago and received an acknowledgment "Another request on Trusted Publishing option. Assigning to Product for review and further action." so this is a bit encouraging.

At least Maven dependencies don't execute scripts on install, but Maven plugins could have a big blast radius.

New comment by loginatnine in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

loginatnine — Wed, 17 Sep 2025 01:30:33 +0000

That's a feature of stepsecurity though, it's not built-in.

New comment by loginatnine in "Firebase Firestore down or high latency"

loginatnine — Fri, 18 Jul 2025 15:33:37 +0000

We've been having timeouts, 504, 500 for about 30 minutes now on our "Login with Google" feature.

New comment by loginatnine in "Pgactive: Postgres active-active replication extension"

loginatnine — Wed, 16 Jul 2025 15:22:51 +0000

It's definitely DSQL with the multi-region active active feature[1].

[1]https://aws.amazon.com/rds/aurora/dsql/features/#topic-1

New comment by loginatnine in "My first attempt at iOS app development"

loginatnine — Mon, 09 Jun 2025 13:21:15 +0000

You calculated based on a 0.99$ purchase price though, at 2.99$ it's 4825 purchases to break even.

New comment by loginatnine in "Just make it scale: An Aurora DSQL story"

loginatnine — Tue, 27 May 2025 19:32:39 +0000

For me it's RO views.

New comment by loginatnine in "Just make it scale: An Aurora DSQL story"

loginatnine — Tue, 27 May 2025 19:00:34 +0000

Views and foreign keys!

New comment by loginatnine in "How to harden GitHub Actions"

loginatnine — Thu, 08 May 2025 17:16:18 +0000

This is good, just bear in mind that if you put the hash of an external composite action and that action pulls on another one without a hash, you're still vulnerable on that transitive dependency.

New comment by loginatnine in "First and 2nd gen Nest Thermostats will lose support in Oct 2025"

loginatnine — Sat, 26 Apr 2025 13:43:51 +0000

This week, Hydro-Québec, the nationalized company that provide electricity to residents of the province, has announced a major investment program to reduce electricity usage by using smart thermostats. I'm extremely worried about the life expectancy of those smart thermostats in the long run and whether it's a good use of public funds. I'm also not super thrilled of the amount of functional regular thermostats that will end up in landfills because of that initiative.

[1]https://news.hydroquebec.com/en/press-releases/2172/hydro-qu...

New comment by loginatnine in "Good-bye core types; Hello Go as we know and love it"

loginatnine — Thu, 27 Mar 2025 00:25:55 +0000

Unless the object is immutable, like String, Integer, Long, ImmutableCollections, etc. Or your own immutable objects.

New comment by loginatnine in "JReleaser: quick and effortless way to release your project"

loginatnine — Wed, 22 Jan 2025 02:04:29 +0000

It's inspired by it. It's mentioned here[1].

[1] https://jreleaser.org/guide/latest/index.html#_acknowledgmen...

New comment by loginatnine in "Google’s OAuth login doesn’t protect against purchasing a failed startup domain"

loginatnine — Tue, 14 Jan 2025 17:53:11 +0000

I've been working with an app that uses Google to login for the past 10 years, and I've had problems with sub changing when these situations happened : - Domain change - Company being bought by another one and being integrated in their Google Workspace - Employee leaving and coming back

To us, it's very very far from the quoted 0.04% which is to me very high. I had to deal with it 5-6 times in the past 10 years but of course that number will vary depending on the usage of your app and I'm not gonna venture and put a percentage on it.

New comment by loginatnine in "Google’s OAuth login doesn’t protect against purchasing a failed startup domain"

loginatnine — Tue, 14 Jan 2025 17:44:58 +0000

At my current company, if an employee leave and come back, they'll keep the same OID in Entra but they'll get a new `sub` in Google workspace. We had to put in place a process to be able to use an internal tool that used the login with Google.

That's most likely dependant on how the IT department handled the deprovisioning/provisioning of users in our Google Workspace, I unfortunately don't have the details for that.

New comment by loginatnine in "Google’s OAuth login doesn’t protect against purchasing a failed startup domain"

loginatnine — Tue, 14 Jan 2025 17:40:48 +0000

I really don't understand here, the proper way to use Google's OpenID implementation to authenticate someone is to use the `sub` claim. Don't use the email, don't verify it yourself, use the `sub` claim. It's a known fact and is properly documented[1].

If the `sub` changes, it's because it's not necessarily the same person so have a flow ready for that. It could be an employee left and came back, a domain change, an IT error that lead to a reprovisioning of the user, etc.

I also fail to see how the proposed solution of having a 'A unique user ID that doesn’t change over time' is different from the `sub` claim. However, the new ID associated to the domain could make sense to enforce a strong 'Everyone from the @domain.com has access' statement.

[1] https://developers.google.com/identity/gsi/web/reference/js-...

New comment by loginatnine in "You cannot simply publicly access private secure links, can you?"

loginatnine — Fri, 08 Mar 2024 12:33:45 +0000

Interesting, thanks for the additional info.

New comment by loginatnine in "You cannot simply publicly access private secure links, can you?"

loginatnine — Thu, 07 Mar 2024 21:02:18 +0000

It's called a fragment FYI!

New comment by loginatnine in "Detect when your installed Chrome extensions have changed owners"

loginatnine — Thu, 07 Mar 2024 13:22:07 +0000

Good find! I've dug a bit and the extension, at least for now, does not send any metadata associated to your browser[1], only a comma separated list of extension IDs. Of course the IP could be easily used.

Looking at the result from the API of one extension I had installed[2], it lists metadata associated to the developer. I've tried to use the `chrome.management.get(id)` Chrome API and it does not return this information, and there does not seem to be a way to get the content of the manifest.json programatically. Therefore, to do the job of the extension as it is, it does need an external source.

[1]: https://github.com/classvsoftware/under-new-management/blob/...

[2]: https://api.extensionboost.com/v1/developer?extension_ids=gh...

New comment by loginatnine in "Hackers stole access tokens from Okta's support unit"

loginatnine — Fri, 20 Oct 2023 23:29:32 +0000

It's now called Entra ID btw.