docs: discussions: Alice Engineering Comms: 2024-06-21T06:02:19+00:00

docs/discussions/alice_engineering_comms/0641/reply_0000.md

@@ -1,5 +1,6 @@
 - https://github.com/pdm-project/pdm
 - https://docs.redpanda.com/redpanda-connect/guides/getting_started/
+  - https://docs.redpanda.com/redpanda-connect/components/inputs/http_server/
   - Agent pipelines combine with policy engine
 
 ```bash

docs/discussions/alice_engineering_comms/0644/reply_0000.md

@@ -0,0 +1,7 @@
+## 2024-06-03 @pdxjohnny Engineering Logs
+
+- Manifest based comms with LLM
+  - Metaschema translation across ontologies
+    - Transparency Service secured ontologies
+      - https://github.com/ietf-scitt/use-cases/pull/18
+      - https://github.com/intel/dffml/blob/aa6442f1a4bb32e8cd7e924fd59db920f2b708a7/docs/discussions/alice_engineering_comms/0243/reply_0000.md?plain=1#L19-L117

docs/discussions/alice_engineering_comms/0645/index.md

@@ -0,0 +1 @@
+# 2024-06-04 Engineering Logs

docs/discussions/alice_engineering_comms/0645/reply_0000.md

@@ -0,0 +1,13 @@
+## 2024-06-04 @pdxjohnny Engineering Logs
+
+- https://github.com/bottlerocket-os/bottlerocket
+  - > OS for containers
+- https://brandur.org/two-phase-render
+  - N+1 query problem
+- A viewpoint on software supply chain security, are we getting lost in translation?
+  - https://www.researchgate.net/publication/375626773_A_Viewpoint_on_Software_Supply_Chain_Security_Are_We_Getting_Lost_in_Translation
+  - https://www.researchgate.net/
+    - Created account to download
+    - https://www.sciencedirect.com/science/article/pii/S0264275123003827
+    - https://apps.dtic.mil/sti/tr/pdf/ADA383563.pdf
+      - > we showed that student eye movements could serve to predict when they were going to make errors and to disambiguate the interpretation of various actions

docs/discussions/alice_engineering_comms/0646/index.md

@@ -0,0 +1 @@
+# 2024-06-05 Engineering Logs

docs/discussions/alice_engineering_comms/0646/reply_0000.md

@@ -0,0 +1 @@
+- https://magazine.sebastianraschka.com/p/understanding-large-language-models

docs/discussions/alice_engineering_comms/0647/index.md

@@ -0,0 +1 @@
+# 2024-06-06 Engineering Logs

docs/discussions/alice_engineering_comms/0647/reply_0000.md

@@ -0,0 +1,125 @@
+## 2024-06-06 @pdxjohnny Engineering Logs
+
+- https://github.com/directus/directus
+  - #1400
+- GitHub custom properties are world readable
+- https://henryjacksonsociety.org/publications/lessons-from-the-first-cyberwar-how-supporting-ukraine-on-the-digital-battlefield-can-help-improve-the-uks-online-resilience/
+- https://docs.directus.io/self-hosted/config-options.html#file-storage
+  - `STORAGE_LOCATIONS`
+    - > A CSV of storage locations (e.g., local,[digitalocean](https://pdxjohnny.github.io/tricks/#digital-ocean),amazon) to use. You can use any names you'd like for these keys.
+      - https://github.com/s3fs-fuse/s3fs-fuse
+        - https://docs.digitalocean.com/reference/api/spaces-api/
+          - DO doesn't do event notifications
+- https://docs.directus.io/self-hosted/sso-examples.html#keycloak
+- https://github.com/pdxjohnny/pdxjohnny/discussions/1
+- https://forgejo.org/download/
+- https://github.com/go-gitea/gitea/issues/3816
+- https://github.com/go-gitea/gitea/issues/5482#issuecomment-491940322
+
+```bash
+GITEA_WORK_DIR=$HOME/.local/appdata forgejo web
+```
+
+- [x] http://localhost:3000/.well-known/openid-configuration
+
+```json
+{
+    "issuer": "http://localhost:3000/",
+    "authorization_endpoint": "http://localhost:3000/login/oauth/authorize",
+    "token_endpoint": "http://localhost:3000/login/oauth/access_token",
+    "jwks_uri": "http://localhost:3000/login/oauth/keys",
+    "userinfo_endpoint": "http://localhost:3000/login/oauth/userinfo",
+    "introspection_endpoint": "http://localhost:3000/login/oauth/introspect",
+    "response_types_supported": [
+        "code",
+        "id_token"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "subject_types_supported": [
+        "public"
+    ],
+    "scopes_supported": [
+        "openid",
+        "profile",
+        "email",
+        "groups"
+    ],
+    "claims_supported": [
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "sub",
+        "name",
+        "preferred_username",
+        "profile",
+        "picture",
+        "website",
+        "locale",
+        "updated_at",
+        "email",
+        "email_verified",
+        "groups"
+    ],
+    "code_challenge_methods_supported": [
+        "plain",
+        "S256"
+    ],
+    "grant_types_supported": [
+        "authorization_code",
+        "refresh_token"
+    ]
+}
+```
+
+[![asciicast](https://asciinema.org/a/662966.svg)](https://asciinema.org/a/662966)
+
+- https://docs.directus.io/self-hosted/sso-examples.html#github
+- http://localhost:3000/admin/applications/oauth2
+- https://github.com/directus/directus/blob/b5c4c6dc7c65af75a7e1e8d9cba5e1cdc2b1901e/docs/self-hosted/sso.md?plain=1#L61
+  - > 3. On **Authorized redirect URIs** put your Directus instance address plus `/auth/login/google/callback`. For example, you should put
+    > `https://directus.myserver.com/auth/login/google/callback` where
+    > `https://directus.myserver.com` should be the address of your Directus instance.
+    > If you are testing locally you should add
+    > `http://localhost:8055/auth/login/google/callback` too
+
+![image](https://github.com/intel/dffml/assets/5950433/301aedad-bb8a-4745-bca1-133eb941c399)
+
+```bash
+echo AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA | python -m keyring set directus auth.forgejo.client_id
+echo 'AAA_AAAAAAAAAA' | python -m keyring set directus auth.forgejo.client_secret
+```
+
+- https://docs.directus.io/getting-started/quickstart.html
+
+```bash
+export HOST_IP="$(ip address show docker0 | grep inet | awk '{print $2}' | sed -e 's/\/.*//g')" && \
+echo 'using --net host so localhost' && \
+export HOST_IP="localhost" && \
+docker run \
+  -ti \
+  --rm \
+  -p 8055:8055 \
+  -e AUTH_FORGEJO_REDIRECT_ALLOW_LIST="http://localhost:8055/auth/login/forgejo" \
+  -e AUTH_FORGEJO_DRIVER="oauth2" \
+  -e AUTH_FORGEJO_AUTHORIZE_URL="http://${HOST_IP}:3000/login/oauth/authorize" \
+  -e AUTH_FORGEJO_ACCESS_URL="https://${HOST_IP}:3000/login/oauth/access_token" \
+    -e AUTH_FORGEJO_PROFILE_URL="https://${HOST_IP}:3000/api/user" \
+    -e AUTH_FORGEJO_CLIENT_ID="$(python -m keyring get directus auth.forgejo.client_id)" \
+    -e AUTH_FORGEJO_CLIENT_SECRET="$(python -m keyring get directus auth.forgejo.client_secret)" \
+  -e AUTH_PROVIDERS="forgejo" \
+  -e AUTH_DISABLE_DEFAULT=true \
+  -e PUBLIC_URL=https://localhost:3000 \
+  -e AUTH_FOREGOJO_ALLOW_PUBLIC_REGISTRATION=true \
+  --net host \
+  -e SECRET="$(head -n 99999 /dev/urandom | sha384sum - | awk '{print $1}')" \
+  directus/directus
+```
+
+[![asciicast](https://asciinema.org/a/662976.svg)](https://asciinema.org/a/662976)
+
+- TODO
+  - [ ] Why is it insecure to bind `0.0.0.0`? 
+    - We should bind to UNIX sockets when possible or the loopback if not (127.0.0.1). Anyone on your local network scan connect to `0.0.0.0`.

docs/discussions/alice_engineering_comms/0647/reply_0001.md

@@ -0,0 +1,32 @@
+Using UNIX domain sockets instead of TCP/IP loopback for local inter-process communication (IPC) provides several security and performance advantages. Here's a detailed look at why binding to UNIX sockets can be beneficial, particularly in terms of security and efficiency:
+
+### Security Advantages of UNIX Domain Sockets
+
+1. **File System Permissions**:
+   - UNIX domain sockets use the file system for addressing, which allows the use of traditional UNIX file permissions to control access. This means you can restrict which users or processes can communicate through the socket using standard file permissions (e.g., setting ownership and mode)【33†source】.
+   - This fine-grained access control is not available with TCP/IP sockets, where any process running on the local machine that knows the port number can attempt to connect.
+
+2. **Credential Passing**:
+   - UNIX domain sockets support passing credentials between processes. This means a server can validate the identity of the connecting client process, ensuring that only authorized processes can communicate with it【33†source】.
+
+3. **Reduced Exposure**:
+   - Since UNIX domain sockets do not use the network stack, they are inherently local. This reduces the risk of exposure to network-based attacks that might exploit vulnerabilities in the TCP/IP stack or the configuration of the network interfaces.
+
+### Performance Benefits
+
+1. **Lower Overhead**:
+   - UNIX domain sockets avoid the overhead associated with the TCP/IP stack, such as checksums, three-way handshakes, and packet routing. This results in lower latency and higher throughput for local IPC【32†source】【33†source】.
+
+2. **Fewer Context Switches**:
+   - Communication via UNIX domain sockets typically involves fewer context switches compared to TCP loopback, since the data does not need to traverse the network stack. This can lead to more efficient CPU usage and faster communication【32†source】.
+
+### Comparison to Zero Trust Architecture
+
+Using TCP/IP loopback still necessitates a robust security architecture like Zero Trust because the network stack is still involved, and potential vulnerabilities within it could be exploited. With Zero Trust, every connection is treated as potentially insecure, and continuous verification and strict access controls are applied. However, by using UNIX domain sockets, you leverage the operating system's built-in security mechanisms (like file permissions and credential passing) to add another layer of security, reducing the attack surface.
+
+In summary, while TCP/IP loopback requires comprehensive security measures to mitigate network-based risks, UNIX domain sockets offer a more secure and efficient alternative for local IPC by leveraging the file system and reducing the involvement of the network stack.
+
+For further reading, you might find the following resources useful:
+- [PostgreSQL: Unix domain socket vs TCP/IP loopback](https://zaiste.net/posts/postgresql-unix-socket-tcpip-loopback/)
+- [GitHub - Unix Domains Sockets vs Loopback TCP Sockets](https://github.com/nicmcd/uds_vs_tcp)
+- [FreeBSD Mailing List Discussion on Unix Domain Sockets vs Internet Sockets](https://lists.freebsd.org)

docs/discussions/alice_engineering_comms/0648/index.md

@@ -0,0 +1 @@
+# 2024-06-07 Engineering Logs