For docker images, cgr.dev/chainguard/wolfi-base (https://images.chainguard.dev/directory/image/wolfi-base/ver...) is a great replacement for Alpine. Wolfi is glibc based. It's easy to switch from Alpine since Wolfi uses apk for package management with similar package names and also contains busybox like Alpine.
I’d much rather go with distroless, if it's a choice.
But I think you can tweak musl to perform well, and musl is closer to the spec than glibc so I would rather use it; even if it's slower in the default case for multithreaded programmes.
Swapping out jemalloc for the system allocator will net you huge performance wins if you link against musl, but you’ll still have issues with multithreading performance due to the slower implementations of necessary helpers.
Sometimes the spec sucks. A lot of the UNIX specs were written before anyone knew how to program multi-threaded systems, and thus are impossible to implement correctly (setenv is probably the most famous example).
When the PR was created in 2016, endpoints were marked as "sensitive" and, for example, the heapdump endpoint would have to be explicitly enabled. However, Spring Boot has evolved over the years, and only the "shutdown" endpoint was made "restricted" in the later solutions. My recent PR will address that weakness in Spring Boot when users misconfigure or ignore security for a Spring Boot app so that heapdumps won't get exposed by default.
I don't get why 2+ years after Log4J we are still dealing with this from Java libraries developers.
Your end users are not security savvy, they will never be security savvy and you need to protect them from themselves instead of handing them a loaded handgun. This language more than most is filled with people punching buttons for a paycheck.
- Signed, Angry SRE who gets to deal with this crap.
In my opinion, the original sin of Spring Boot Actuator is allowing server.port and management.server.port to be the same. It makes it too convenient for developers to skip the security review that would be done for opening a non-standard port.
I think it would be wise to either disallow the ports being the same, or if they are the same, only enable the health endpoint.
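As an added configuration example (not code from this thread or from the Spring Boot project), the two `application.properties` variants below show the layout the comments above object to, where Actuator shares the application port and exposes everything, beside the hardened layout with a separate management port that only serves health. The property keys are standard Spring Boot management keys; the port numbers and the loopback bind address are assumptions for illustration, and the two blocks are meant as alternative files, not one file.

```properties
# --- Weak (example A): Actuator on the application port, everything exposed ---
# Added example, not the thread's or Spring Boot's own code; ports are assumed.
server.port=8080
# management.server.port is left unset, so it defaults to server.port and
# /actuator/* is served on the same listener a public reverse proxy forwards to.
management.endpoints.web.exposure.include=*
# With "*", heapdump, env and threaddump are reachable over the web unless
# Spring Security (or an upstream proxy rule) protects /actuator/**.

# --- Hardened (example B): separate, loopback-bound management port, health only ---
server.port=8080
management.server.port=8081
management.server.address=127.0.0.1
# Disable every endpoint, then opt in to health alone.
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoints.web.exposure.include=health
# Keep component details (DB, disk, etc.) out of an unauthenticated response.
management.endpoint.health.show-details=never
```

With example B the management listener is a distinct port that a firewall or security group has to explicitly open, which is exactly the review step the comment above says is skipped when both ports are the same; a sidecar or node-local monitoring agent can still reach `127.0.0.1:8081/actuator/health`. Note that `shutdown` is disabled by default in Spring Boot regardless of the exposure setting, so example A's `*` does not enable it, but it does expose the heap and environment endpoints the earlier comment describes.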
I'm more of the opinion that developers will make smart choices, when motivated.
Sure, punching buttons for money is a widespread issue in the industry, but devs also like convenience.
Security has the hard problem that it's infuriatingly difficult to troubleshoot (ever tried to write security policies for an app or figure out how to let an app through a firewall, or set of firewalls?), and there's a bit of a culture of "security by obscurity".
So it's kind of expected that this is the behavior...
Sure some people will really just not care, mistakes will be made, but secure defaults, easy to configure and simple to understand are features not often seen from security products generally. This is driven by poor motivations from security folk who want to protect their industry...
Just curious if MSS or PMTU blocking has anything to do with the problem.
In the 2 different Wireshark dumps, a relevant difference is MSS=1460 and MSS=1380 in the second one.
I'd recommend setting the local NIC MTU to a low value just to see if it has an impact. However, the Wireshark dump doesn't show packet fragmentation, so perhaps this isn't a problem at all?
This is quite a common issue with PPPoE connections like the one OP seems to use with his own router. You need to increase the MTU of the physical underlying ethernet connection to 1508 to allow a 1500 MTU for the encapsulated packets inside the PPPoE tunnel. Otherwise you'll run into weird issues and unreachable websites.
You also need to make changes on the PPPoE server, which is hard because if a provider is running PPPoE in 2023, they probably don't care about doing things well (but maybe I'm just bitter about CenturyLink)
Currently IPv4 only, requires a somewhat recent browser, and client to server testing is iffy, but if you start the test and get OK in the notes field for both directions, your MTU settings are probably fine (or something is doing proper mss clamping between your client and my server, my server is limited to 1500 MTU so problems with jumbograms can't be detected)
The MTU is only increased between the router and DSL modem to account for PPPoE overhead, so that the MTU inside the PPPoE tunnel (and thus to the internet) can be a standard 1500 (otherwise it would be 1492).
Indeed. Crypto when done to its philosophy is to gain financial and market freedom for businesses and people like you and me. Sadly, there's been a lot of co-opting and from that, a lot of uneducated people who will call anything that empowers individuals "shady" and "criminal".
Alas, it would appear there are no such things as fundamental human rights, only laws, according to these people.
AI is undoubtedly useful, perhaps not revolutionary as heralded.
Crypto was never anything else than a grift. The only true feature of de-fi is to evade financial regulators, for a time, and enable large scale movements of shady money.
> Ah, alright then, I guess it's not useful for anything.
No. It's a simple English sentence: it means it's not useful for anything else other than grifting. The grifters find it particularly useful, just like MLMs, traditional ponzi schemes, HYIPs etc. But that doesn't mean any of those grifts are "useful".
> Nice contradiction.
Only for the monkey jpeg brigade, who feel that the artificial demand from criminals laundering money and posing as legitimate crypto investors is a feature, not an unacceptable bug.
If the only ones using it are criminals, then it's no longer useful even for them, because the whole point is to claim legitimate crypto profits.
> it's not useful for anything else other than grifting.
I've paid for my domains and vps with crypto, I can pay for my search engine, send donations to non-profits I support, so there's your use case. I don't even have to hand over my personal banking information, so no worrying about data breaches, another use case!
I'm sure you would consider paying for a legal service to be a legitimate use case.
> monkey jpeg brigade
Whoa, name calling, well that always shows the strength of your argument.
> who feel that the artificial demand from criminals laundering money and posing as legitimate crypto investors is a feature
Didn't realize I was a NFT supporter by calling out your contradiction. Oh, and a straw man too, always nice to see. Also, technology can be abused? Who would have thought?
It's a shame that the primary users are the criminal masterminds who've apparently become art connoisseurs of monkey jpegs.
I don't seem to remember supporting "laundering money". Do you mean in the same way that banking at HSBC, BNY Mellon, Deutsche, Swedbank, Danske and others is supporting money laundering? [1-6] Or how banking with BoA is supporting fraud? [7]
Although it's nice to see that you believe in "legitimate crypto investors".