(even if a sufficiently smart attacker would find the key somewhere and skip this kind of protection, not sure where, but a write-allowing key must exist somewhere in runtime if actions/cache can use it)
Someone else on this thread:
> On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.
> This is a critical insight: SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended. A compromised build step can produce a validly-attested but malicious package.
They basically confirm that this whole provenance only proves origin. That origin was broken/flawed and was coerced to do something bad. (?)
Again, untrusted workflows can't write anywhere - cache poisoning was the key problem. If the cache were clean, the release build/run would be clean too.
Well, one of the simplest mitigations is that `pull_request_target` jobs shouldn't have access to write to the cache; they can read for performance, but not write.
To extrapolate the rule, `pull_request_target` shouldn't have any way to invoke external side effects.
In the most strict scenario, they shouldn't have access to the network at all ... or only to GET <safeUrl> - where safeUrls are somehow vetted previously on main, derived from yarn.lock and similar manifests. PITA to set up, no wonder nobody does that.
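The read-but-never-write split described in that comment, as an added example workflow (this is not code from the thread or from any project mentioned in it; the job names, cache path, cache key and `yarn` commands are assumptions for illustration). The untrusted `pull_request_target` job uses `actions/cache/restore`, which only reads; only the job that runs on a push to `main` calls `actions/cache/save`:

```yaml
# Added example, not from the original thread: untrusted pull_request_target
# jobs may restore the dependency cache but never save it; only trusted pushes
# to main populate it. Path, key and commands are assumed values.
name: ci

on:
  push:
    branches: [main]
  pull_request_target:

# Least privilege for GITHUB_TOKEN in every job below.
permissions:
  contents: read

jobs:
  test-untrusted:
    # Runs for pull_request_target: PR code is untrusted, so restore only.
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # no token left in .git for PR code to use
      - name: Restore dependency cache (read-only)
        uses: actions/cache/restore@v4
        with:
          path: ~/.cache/yarn          # assumed cache location
          key: yarn-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
          # No restore-keys: a prefix fallback would let the untrusted job pick
          # up whatever cache entry happens to match; exact key or nothing.
      - run: yarn install --frozen-lockfile && yarn test

  build-trusted:
    # Runs only on push to main: code already reviewed, so it may write cache.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Restore dependency cache
        uses: actions/cache/restore@v4
        with:
          path: ~/.cache/yarn
          key: yarn-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
      - run: yarn install --frozen-lockfile && yarn build
      - name: Save dependency cache (trusted context only)
        uses: actions/cache/save@v4
        with:
          path: ~/.cache/yarn
          key: yarn-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
```

Two caveats worth knowing when applying this. First, the split is a convention, not an enforced boundary: the cache service is reachable by any step in the untrusted job, so a reviewer still has to check that no step there calls `actions/cache/save` or the combined `actions/cache` action, and a repository or organization allowed-actions policy can back that up. Second, the untrusted job must not be given secrets; the whole point of the event is that it runs in the base repository's context, which is why the example keeps `permissions` at `contents: read` and checks out the PR head without persisting credentials.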
I can only juggle 3, but I prefer clubs. Balls are so boring, they are so small and not spectacular. Clubs on the other hand, man, they are rotating. Once, twice, three times, backwards. I believe that if someone is stuck at this basic level of juggling 3 balls, he should try clubs - at least for me it's pure satisfaction watching these rotating in various variants before.
Many years ago one Saturday morning I happened upon a juggling shop. I could already do three balls so I asked if I could try the clubs. After about an hour of failing the shop owner said something like "some people never get it". So of course I bought a set. After 12 hours that day and 12 hours the next I got the hang of it. They are harder to learn than balls but still doable for an unsporty person like me. And, as you say, very satisfying.
I am not the person you're asking, but they were a thing in The Netherlands at least. Not super common, but they did exist. Typically they sold other related things too, like diabolos, flower sticks, etc. This was a while ago, before Amazon, when there were just a lot more different types of shops. I am not sure they still exist.
You can also pass clubs. In fact, at my local juggling meetup (Castro Valley BART), it really breaks into two groups: passers and numbers. Passers get together and pass. It's quite social. Someone explains a group pattern and they work through it. OTOH, numbers jugglers can juggle 5 or more clubs+balls. They segregate themselves off and really only talk to each other. We're in the same place but numbers only talk to other numbers.
I would agree that the proper next step after getting comfortable with 3 balls is to learn 3 clubs, not 4 balls. It's much easier to go 3 balls -> 3 clubs than 3 balls -> 4 balls. So many fun things to do with clubs, and of course once you learn clubs you have learned torches/knives which never fail to impress.
Clubs do indeed look great. I like juggling with random objects. It's quite hard, especially if different sizes/weights but it looks really cool IMO because it's so unexpected and doesn't need any special equipment. Plus you can do it anywhere.
Learning club juggling was fun. That led to partner club juggling as well as flaming clubs. Got a nice video of me juggling flames and overrotating a club so I catch the flaming end. Whoops.
The other Hail Mary reference is on top of HN today.
Well done Andy Weir.