From 30b0561646edbb0dd42dd65b6f0c07f360e431ab Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 23 Jul 2022 23:42:38 -0400 Subject: [PATCH] Update Wonderfall's blog posts Signed-off-by: Tommy --- content/apps/F-Droid Security Analysis.md | 2 +- content/os/Docker and OCI Hardening.md | 4 ++-- external-blogs.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/apps/F-Droid Security Analysis.md b/content/apps/F-Droid Security Analysis.md index acfbd7b..5612587 100644 --- a/content/apps/F-Droid Security Analysis.md +++ b/content/apps/F-Droid Security Analysis.md @@ -108,7 +108,7 @@ Their client also lacks **TLS certificate pinning**, unlike Play Store which imp It is an important security feature that is also straightforward to implement using the [declarative network security configuration](https://developer.android.com/training/articles/security-config) available since Android 7.0 (API level 24). See how GrapheneOS pins both root and CA certificates in their [app repository client](https://github.com/GrapheneOS/Apps): -``` +```xml diff --git a/content/os/Docker and OCI Hardening.md b/content/os/Docker and OCI Hardening.md index 2d5d657..840aabc 100644 --- a/content/os/Docker and OCI Hardening.md +++ b/content/os/Docker and OCI Hardening.md @@ -63,7 +63,7 @@ For these reasons, good practices were established: However, distroless images are not suited for every application. In my experience though, distroless is an excellent option with pure Go binaries. Going with minimal images drastically reduces the available attack surface in the container. For example, here's a [multi-stage Dockerfile](https://docs.docker.com/develop/develop-images/multistage-build/) resulting in a minimal non-root image for a simple Go project: -``` +```Dockerfile FROM golang:alpine as build WORKDIR /app COPY . . 
@@ -221,7 +221,7 @@ A platform like ptrace or KVM is used to intercept system calls and redirect the The security model of gVisor is comparable to what you would expect from a virtual machine. It is also very easy to [install and use](https://gvisor.dev/docs/user_guide/install/). The path to runsc along with its different configuration flags (`runsc flags`) should be added to `/etc/docker/daemon.json`: -``` +```json "runtimes": { "runsc-ptrace": { "path": "/usr/local/bin/runsc", diff --git a/external-blogs.sh b/external-blogs.sh index de1016f..1107769 100755 --- a/external-blogs.sh +++ b/external-blogs.sh @@ -32,7 +32,7 @@ sed -i '/draft:.*/d' './content/os/Securing OpenSSH with FIDO2.md' sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/os/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/os/Securing OpenSSH with FIDO2.md' -sed -i '/^tags:.*/a author: Wonderfall' +sed -i '/^tags:.*/a author: Wonderfall' './content/os/Securing OpenSSH with FIDO2.md' # Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. # His GitHub repo: https://github.com/Seirdy/seirdy.one \ No newline at end of file
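Review bot: the fence tag `Dockerfile` added in the `@@ -63,7 +63,7 @@` hunk of `content/os/Docker and OCI Hardening.md` is capitalised, while the other two fences changed in this patch use lowercase `xml` and `json`. Use `dockerfile` so the tags are consistent and the highlighting does not depend on the renderer matching lexer names case-insensitively.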
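Review bot: the block now tagged `json` in the `@@ -221,7 +221,7 @@` hunk opens with `"runtimes": {`, a bare member with no enclosing braces, so it is a fragment rather than a valid JSON document and a strict highlighter may mark it as an error. Either wrap the snippet in the outer `{ }` so it can be pasted into `/etc/docker/daemon.json` as shown, or say in the preceding sentence that it must be merged into the existing top-level object.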
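Review bot: in the `@@ -32,7 +32,7 @@` hunk of `external-blogs.sh`, the quoted path `'./content/os/Securing OpenSSH with FIDO2.md'` is repeated literally on every `sed` line, which is how the operand could go missing from the `author: Wonderfall` line without anyone noticing. Assign the path to a variable once and pass `"$file"` to each command, so a dropped operand cannot recur per line. Two smaller points: the file still ends with `\ No newline at end of file`, so add the trailing newline while touching it, and the commit subject only mentions updating blog posts, so note the script fix in the message.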