IRC channel logs

2025-10-16.log

back to list of logs

<dthompson>hello fellow goblins
<dpk>greetings, dthompson
<dthompson>hey dpk
<dpk>news potentially of interest to Spritely people: we are holding a new election to the Scheme Steering Committee
<dpk> https://r7rs.org/sc/
<dpk>register! nominate!
<dthompson>good to know, thanks!
<jfred>ACTION waves
<dthompson>hey jfred
<jfred>When some of my meetings got shuffled around recently, I managed to block off the 2pm Wednesday timeslot. So I should hopefully be able to make it to the Spritely office hours more often again :)
<dthompson>oh that's awesome :)
<dthompson>I guess that's an opportunity for me to plug the next office hours on 10/29 https://community.spritely.institute/t/next-office-hours-on-10-29/772/1
<jfred>:D
<dthompson>join us and talk about ocaps and goblins and hoots
<jfred>I've been trying to spread the good word of POLA at work lately haha
<jfred>With some hints towards "hey there's this ocap thing that can help with this..."
<dthompson>:)
<dthompson>POLA is a PITA in an ACL world
<jfred>It suuuuure is. Hashicorp Vault was one of my example cases when I was talking about that recently
<dthompson>I spent a lot of time at my previous devops job trying to approximate POLA within AWS
<jfred>We have some teams with one set of permissions that would actually like to restrict some automated process ss
<jfred>oops
<dthompson>to their credit, AWS lets you manage permissions at a very fine-grained level so it's *possible* to constrain a server to have the minimum level of privilege but in practice it's very annoying to develop that way.
<dthompson>since IAM is ACL-based, in practice you have to play whack-a-mole by starting with the minimum rules that you know the server needs and then keep adding to the IAM policy when the server throws an error due to AWS permissions.
<jfred>*to a subset of the permissions it would otherwise have. But Vault is kinda all-or-nothing with "are you able to modify policies or not?" so doing that means you need an account with full policy management powers to be involved
<dthompson>ugh yeah coarse permissions are frustrating
<dthompson>it wasn't until working with ocaps that I realized how POLA could actually have good dev ergonomics.
<dthompson>POLA is frustrating in an ACL environment because what the code wants to do is often not in sync with the ACL. and once rules are added it's hard to prove that they're no longer needed as the code evolves so things tend to get less POLA over time.
<jfred>Yeah. It does still feel like you need to be very careful to maintain auditability with ocaps (one day I'll get back to guile-horton...) and how to do secret rotation well with sturdyrefs is still a bit unclear to me, but achieving POLA is *much* easier
<dthompson>yeah audability is a necessary piece of the puzzle but auditability of acl systems is also terrible soooo
<cwebber>friends! goblins!
<cwebber>we've got GOOD NEWS
<cwebber> https://spritely.institute/news/spritely-goblins-v0-17-0-persistence-is-better-than-ever.html a brand new release of Spritely Goblins!
<cwebber>and a cool animation to celebrate it ;D
<crmsnbleyd>awesome!
<jfred>oooooo
<identity>grammar mistake the blogpost: «When an actor changes it’s [it is] behavior»
<dthompson>identity: thanks :)
<dthompson>I caught one of those in review and I guess I missed (or introduced!) the other
<dthompson>fixed!
<identity>a certain way to not miss any such mistakes is to not use contractions and possesive -'s at all; doing so also makes certain sentences clearer
<dthompson>personally I like contractions and possesives