While looking into something else I came across the Zip Slip vulnerability. Kind of annoying since it’s nearly a year old and I’ve only heard of it now. Every now and then I keep thinking a neat tool would be something that would run over a project, track every dependancy it has and then alert you when there’s a a security issue. However it seems like one of those things people would want but not pay for.
One issue with infrastructure sorts of repositories is what to do with sensitive data. Keys, tokens and other secrets shouldn’t be committed to git repos, but they have to go somewhere. In some cases you can put them in your CI/CD system and import them as variables. But that gets complicated quickly. One way to address it is to use git crypt. It’s not a standard git extension, but it’s been around for a fair bit of time.
Modifying low level authentication is a worrisome thing. If you do it wrong the fear is that you can’t log back in to fix it. So unlike some other guides out there I’ll point out the danger points here and some ideas on how to address them. This is kind of long so a high level overview is this: install client software, install server software, activate server software, generate key, done!
I’m returning a server to a hoster. I generally trust them and have no reason to believe that they’d go snooping through my disk but it’s always nice to clean things up. There are a lot of tools for this: wipe, secure-delete and several others. But none really fit my use case. I was trying to clean up free space as I backed up and deleted personal data on the server.