September 17, 2019

Cloud Functions Simple(st) HTTP Proxy

I’m investigating the use of LetsEncrypt for gRPC services. I found this straightforward post by Scott Devoid and am going to try this approach.

Before I can do that, I need to be able to publish services (make them Internet-accessible) and would like to try to continue to use GCP for free.

Some time ago, I wrote about using the excellent Microk8s on GCP. Using an f1-micro, I’m hoping (!) to stay within the Compute Engine free tier. I’ll also try to be diligent and delete the instance when it’s not needed. This gives me a runtime platform and I can expose services to the Instance’s (Node)Ports but, I’d prefer to not be billed for a simple proxy.

September 10, 2019

Visual Studio Code: gopls and YAML

The Go team is developing a Language Server Protocol [LSP] implementation) called gopls. Visual Studio Code (and others) support LSP. Other languages (e.g. Python have LSP implementations too). I’ve been using gopls for some time. It works (mostly) very well and replaces multiple, indepedent tools with two (gopls and delve).

My Visual Studio Code settings that include gopls is:

    "go.autocompleteUnimportedPackages": true,
    "go.useLanguageServer": true,
    "[go]": {
        "editor.snippetSuggestions": "none",
        "editor.formatOnSave": true,
        "editor.codeActionsOnSave": {
            "source.organizeImports": true
        }
    },
    "gopls": {
        "usePlaceholders": true,
        "wantCompletionDocumentation": true,
    },
    "go.toolsEnvVars": {
    },
    "go.languageServerFlags": [
        "-rpc.trace",
        "serve",
        "--debug=localhost:6060",
    ],
    "go.enableCodeLens": {
        "references": true,
        "runtest": true
    },

One of the Google engineers working on gopls gave a comprehensive and interesting overview of the tool at GopherCon 2019.

September 7, 2019

pypi-transparency

The goal of pypi-transparency is very similar to the underlying motivation for the Golang team’s Checksum Database (also built with Trillian).

Even though, PyPi provides hashes of the content of packages it hosts, the developer must trust that PyPi’s data is consistent. One ambition with pypi-transparency is to provide a companion, tamperproof log of PyPi package files in order to provide a double-check of these hashes.

It is important to understand what this does (and does not) provide. There’s no validation of a package’s content. The only calculation is that, on first observation, a SHA-256 hash is computed of the package’s content and the hash is recorded. If the package is subsequently altered, it’s very probable that the hash will change and this provides a signal to the user that the package’s contents has changed. Because pypi-transparency uses a tamperproof log, it’s very difficult to update the hash recorded in the tamperproof log, to reflect this change. Corrolary: pypi-transparency will record the hashes of packages that include malicious code.

September 6, 2019

Welcome

Now that I’ve (p)retired from Google, I’m starting this blog and will no longer post stories to Medium.

As I concluded my time at Google, I wrapped up work on a Trillian prototype. As it remains Google’s IP, I’m not permitted to discuss it here.

I’ve begun work on another Trillian prototype for Python package transparency, informally pypi-transparency.