What checks are these people at the last stage of your deployment pipeline meant to be doing which can't either be done automatically or earlier in the process? It's easy enough to check that you haven't broken your whole app, and any feature-specific changes should already have some testing (as enforced by human PR reviews!). Some combination of feature flags and incremental rollouts gives you additional safety.

# Nov 6, 2023 17:45

# Jun 8, 2024 04:26

Stabby McDamage posted: In what world is this a positive risk/reward tradeoff?

The trainer might be emphasizing the wrong thing, or we might be getting it garbled through a game of telephone here. But the best-quality software engineering research we have shows that continuous delivery leads to less frequent failures with shorter duration and smaller customer impact. The idea isn't that the changes are so worth it that recklessly causing outages is "worth it", it's that the "recklessly causing outages" is actually caused by huge durations between "wrote code" and "it's actually running", batching up large numbers of changes to deploy all at once, and lack of appropriate automated testing, monitoring, and rollbacks. As well as the "feedback" effect of knowing how things work (engineers build software differently (better!) knowing it gets deployed immediately).

# Nov 6, 2023 17:46

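As an added illustration of the point made in the two posts above about incremental rollouts, monitoring and rollbacks (this is example code written for this page, not anything posted by the thread's participants): a small Python controller that moves a candidate version through increasing traffic shares, reads an error rate from a metric source after each step, and automatically rolls back the moment the canary looks worse than the threshold. The `Deployment` class, the `STAGES` percentages and the two metric functions are constructed stand-ins; a real pipeline would drive its load balancer or feature-flag service and query its metrics backend in their place.

```python
"""Progressive rollout with automatic rollback (constructed example).

The Deployment class stands in for a load balancer or feature-flag service,
and the metric functions stand in for a metrics backend; both are assumed
for this example rather than taken from any real system.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Share of traffic sent to the candidate at each stage of the rollout.
STAGES = (5, 25, 50, 100)

# A metric source returns (requests, errors) samples for a given traffic share.
MetricSource = Callable[[int], List[Tuple[int, int]]]


@dataclass
class Deployment:
    """Constructed stand-in for the thing that shifts traffic between versions."""
    current_version: str
    candidate_version: str
    candidate_percent: int = 0
    log: List[str] = field(default_factory=list)

    def set_candidate_traffic(self, percent: int) -> None:
        self.candidate_percent = percent
        self.log.append(f"{self.candidate_version} -> {percent}%")

    def rollback(self) -> None:
        # Send all traffic back to the version that was already known good.
        self.candidate_percent = 0
        self.log.append(f"rollback to {self.current_version}")

    def promote(self) -> None:
        self.current_version = self.candidate_version
        self.candidate_percent = 100
        self.log.append(f"promoted {self.candidate_version}")


def error_rate(samples: List[Tuple[int, int]]) -> float:
    """Overall error rate of (requests, errors) samples; 0.0 with no traffic."""
    requests = sum(r for r, _ in samples)
    errors = sum(e for _, e in samples)
    return errors / requests if requests else 0.0


def rollout(deploy: Deployment, metrics: MetricSource,
            max_error_rate: float = 0.01) -> bool:
    """Walk the candidate through STAGES, rolling back at the first bad one.

    Returns True when the candidate was promoted and False when it was rolled
    back.  The check is deliberately cheap: the point is that a small change
    behind a partial rollout can be reverted before most users ever see it.
    """
    for percent in STAGES:
        deploy.set_candidate_traffic(percent)
        rate = error_rate(metrics(percent))
        if rate > max_error_rate:
            deploy.log.append(
                f"error rate {rate:.3f} exceeds {max_error_rate} at {percent}%")
            deploy.rollback()
            return False
    deploy.promote()
    return True


# Constructed metric sources so the example runs offline.
def healthy_metrics(percent: int) -> List[Tuple[int, int]]:
    """About 0.2% errors however much traffic the candidate takes."""
    requests = 200 * percent
    return [(requests, requests // 500)]


def broken_metrics(percent: int) -> List[Tuple[int, int]]:
    """Looks fine at 5%, then a bug surfaces once more users reach it."""
    return [(1000, 2)] if percent == 5 else [(5000, 400)]


if __name__ == "__main__":
    for name, source in (("healthy", healthy_metrics), ("broken", broken_metrics)):
        d = Deployment("v1.4.2", "v1.4.3")  # constructed version labels
        promoted = rollout(d, source)
        print(name, "promoted" if promoted else "rolled back", d.log)
```

The broken run stops at the 25% stage, so roughly three quarters of users never saw the bad build; the same controller with a human approval gate bolted onto the front would not catch a bug that only shows up under real traffic, which is the argument the post above is making for automated monitoring and rollback rather than a last-stage manual check.
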
Subjunctive posted: it is “continuous” as in “incremental”. you don’t wait to ship everything in a big Next.0 release, but rather ship things when they are ready. you could do continuous deployment without automation, but it would require a manual deploy quite frequently, so people usually automate it

but the release process is determining "done", how stuff gets copied around is not that relevant.

# Nov 6, 2023 17:46

crazypenguin posted: Like, why are you asking security people? Presumably, a pull request got code review before being merged, so what possible security implication is there for that commit rolling through a CI/CD out to prod without further human intervention?

Well, fair question. I ask from the perspective of a junior member of an IT team and a smaller IT Security subunit who has only been out of college a year, and began work in a very dysfunctional org. So, I am a security person too, at least ostensibly. I asked here because I wanted to get experienced opinions on the subject. That said, I think replies are correct in that my OP exposes my very limited understanding of DevOps -- yeah, I see how any security concerns ought to be addressed before a merge even occurs and later prompts a pipeline run. For what it's worth, I think I might be right in thinking we do lack the kind of oversight and good policy that would drive that pre-merge security review process, and that something bad for security might slip through the cracks.

# Nov 6, 2023 17:46

Cybernetic Vermin posted: but the release process is determining "done", how stuff gets copied around is not that relevant.

yes, continuous is about having release be at the granularity of a changeset, that’s all. you can have whatever process you want ahead of integration, and as long as you’re doing it on a changeset basis (or feature basis if you’re flagging) you’re doing it continuously

it does not mean “yolo whatever from the cat walking across the keyboard”, but it means that the system is always deployable and each piece is looked at carefully, rather than deferring that analysis to later in a rolled-up release context

you can think of nightly builds of browsers as continuous deployment too; deployment doesn’t necessarily mean that it’s immediately adopted by all your customers, though that is a common model

# Nov 6, 2023 17:52

crazypenguin posted: The trainer might be emphasizing the wrong thing, or we might be getting it garbled through a game of telephone here.

Yeah I mean, if I had to guess maybe the trainer was meaning to convey that when done right, continuous deployment is still the best practice, even if there's a risk of a mistake. Probably a mix of the trainer framing it somewhat weirdly and me telephone gaming the message, oh well. While we're on the subject of CI/CD though, I absolutely do not trust my company to iterate small and often and actually do the risk-averse part of CI/CD right.

# Nov 6, 2023 18:02

having your ci/cd deploy to production is fine as long as it's tested and the ci/cd part doesn't really have anything to do with that? it's not like it's fine to deploy untested poo poo manually either

# Nov 6, 2023 18:09

Subjunctive posted: it is “continuous” as in “incremental”. you don’t wait to ship everything in a big Next.0 release, but rather ship things when they are each ready. you could do continuous deployment without automation, but it would require a manual deploy quite frequently, so people usually automate it

me, looking at the in-progress project: ha ha. ha ha ha.

# Nov 6, 2023 18:49

Chalks posted: having your ci/cd deploy to production is fine as long as it's tested and the ci/cd part doesn't really have anything to do with that? it's not like it's fine to deploy untested poo poo manually either

i find a lot of people get hung up on what constitutes "testing" cause they picture code review and regression testing and detailed reports, while other people think testing is just "push it at 3 am and try the new live version when probably nobody's looking at it"

a test environment would be great but if you can't afford that, sequester a prod machine and let er rip and if it bursts into snakes well whoopsie maybe send that one back, otherwise gently caress it

if it explodes we'll just roll it back and keep really good records of the last few dozen versions just in case we patch in a vuln that nobody notices for a year and a half

nobody's paying for a line-by-line code review of a point revision to fart.app unless it's the kind of fart that keeps an aircraft in the sky

# Nov 6, 2023 20:52

what is a jet engine if not a continuous mechanical fart

# Nov 6, 2023 21:12

Achmed Jones posted: do you think people just push things into prod with no oversight, process, or analysis?

can you think of ways that automated tooling could be used to release things in a continuous fashion that aren't also very dumb?

# Nov 6, 2023 22:17

Shame Boy posted: uh...

# Nov 6, 2023 22:20

# Nov 6, 2023 22:25

this is a super clear no-one-good-answer topic, because the characteristics of your deployment environment matter a huge amount. web app? fire poo poo out there, you can roll it back instantly if things go bad. mobile/desktop app? now a fix/rollback requires end users to receive an update, so you gotta be more careful. embedded software in an on prem device? lol idk how the gently caress that poo poo works at all

of course there’s an additional dimension of the sensitivity of the domain but that’s even more subjective

# Nov 6, 2023 22:27

Chris Knight posted: #yolo ops

you've heard of devops, well here's yolops

# Nov 6, 2023 22:47

I learned today while doing data recovery that Microsoft generates an RSA key when you create an Active Directory domain. That key is permanent. Every domain joined PC uses this key as a secondary key to protect the user's master key, which in turn encrypts saved credentials. At least you need domain admin privileges to access this thing, but it still feels a bit reckless. Anyway, I managed to recover data that someone had encrypted with loving EFS for some reason. Cripes, I never want to do this again.

# Nov 6, 2023 22:50

Cold on a Cob posted: you've heard of devops, well here's yolops

more like yoclops because "nobody" will be maintaining this

# Nov 6, 2023 22:50

haveblue posted: what is a jet engine if not a continuous mechanical fart

the not so continuous type was also briefly tried

# Nov 6, 2023 22:52

flakeloaf posted: more like yoclops because "nobody" will be maintaining this

# Nov 6, 2023 22:57

well-read undead posted: this is a super clear no-one-good-answer topic, because the characteristics of your deployment environment matter a huge amount. web app? fire poo poo out there, you can roll it back instantly if things go bad. mobile/desktop app? now a fix/rollback requires end users to receive an update, so you gotta be more careful. embedded software in an on prem device? lol idk how the gently caress that poo poo works at all

plus, in some domains, change risk can vary over time - the correct deployment philosophy might be different on black friday or new year’s eve than it was the week before. when reading someone else’s confident prescriptions about the correct way to do deployments, pay close attention to how well their circumstances match your own.

# Nov 6, 2023 22:58

yeah if you really screw up embedded or end user systems then you have to either send out field technicians or engineers or have customers take the product to the retailer or mail it back aka product recall

so a web app that screws up isn’t the end of the world because that stuff happens all the time

really expensive embedded systems tend to have extensive QA between releases, which are few and far between because bricking it is costly to fix due to pure labor costs

# Nov 6, 2023 23:17

remember when video games came on carts and CDs and were quite playable and usable on day one and now you have day one patches to even beat the game so you have to spend the time installing it and then patching it which could take all drat day and now you have baldur’s gate 3 which is game of the year because you don’t have paid day one DLC

# Nov 6, 2023 23:21

i have gigabit internet so it usually doesn't bother me

# Nov 6, 2023 23:23

I remember when console makers allowed game publishers to produce and sell N copies of the buggy CD or cartridge before manufacturing switched to the bug-free version and there was absolutely no way to fix the buggy versions, if you were a superfan who bought it on day one you were just hosed.

# Nov 6, 2023 23:25

I remember when a game bug ruined your save in progress, you were either completely hosed or (very rarely) you could pay to mail your memory card to Nintendo and several months later they'd mail you back your memory card with a fixed save.

# Nov 6, 2023 23:29

i bought this game called impossible mission and it has a bug and well, i can't exactly claim to be mad about it

# Nov 7, 2023 00:27

shackleford posted: the not so continuous type was also briefly tried

saw someone fly an rc plane with one of these suckers in the 90s, he built the entire thing himself

it's incredibly loud lmao

# Nov 7, 2023 00:35

shackleford posted: the not so continuous type was also briefly tried

# Nov 7, 2023 00:40

the physics of posting

# Nov 7, 2023 00:47

Truga posted: saw someone fly an rc plane with one of these suckers in the 90s, he built the entire thing himself

you can make a really simple one with a mason jar

i tried it and it ran for approx 2 seconds

# Nov 7, 2023 01:42

Antigravitas posted: I learned today while doing data recovery that Microsoft generates an RSA key when you create an Active Directory domain. That key is permanent. Every domain joined PC uses this key as a secondary key to protect the user's master key, which in turn encrypts saved credentials.

When you create a VM in Azure, the only option for an SSH key is RSA. (I'm not even sure how that works, because Ubuntu isn't meant to support RSA by default. They must have changed that on their image.)

# Nov 7, 2023 03:15

~Coxy posted: When you create a VM in Azure, the only option for an SSH key is RSA.

I noticed this last week as well. The Premier Cloud Platform

# Nov 7, 2023 03:21

pseudorandom name posted: I remember when a game bug ruined your save in progress, you were either completely hosed or (very rarely) you could pay to mail your memory card to Nintendo and several months later they'd mail you back your memory card with a fixed save.

I think the last game I know of that still had a game breaking bug was ar tonelico 2 for the ps2. If you took too long at one of the midbosses, it causes some sort of UI glitch related to translation and crashes.

# Nov 7, 2023 04:37

sumo logic secfuck incoming

quote: On Friday, November 3rd, 2023, Sumo Logic discovered evidence of a potential security incident. The activity identified used a compromised credential to access a Sumo Logic AWS account. We have not at this time discovered any impacts to our networks or systems, and customer data has been and remains encrypted.

# Nov 8, 2023 01:03

Sumo them accounts

# Nov 8, 2023 01:11

this seems like a pretty large breach. https://www.thestreet.com/real-estate/mr-cooper-cyberattack will be interested to find out more details

# Nov 8, 2023 01:52

https://www.abc.net.au/news/2023-11-08/optus-outage-live-blog/103076996 It's definitely not spyware

# Nov 8, 2023 01:55

well-read undead posted: sumo logic secfuck incoming

sumo make me a sandwich

# Nov 8, 2023 03:47

well-read undead posted: sumo logic secfuck incoming

should've used more salt

# Nov 8, 2023 04:13

well-read undead posted: sumo logic secfuck incoming

are they able to decrypt the customer data too? might be a key difference here

# Nov 8, 2023 19:57