Hacker News: calebbrown's comments

Apart from Python Wheels, the other popular ecosystems using zip files are Java jar files, and NuGet.

Of these, Java is the most interesting as there are a few JDKs commonly in use.

But I’m also interested in various security scanners that are built in other languages that can be fooled.


Does NPM not use zip files?

(Search results for `npm package format` are entirely not useful for figuring out what an NPM package actually consists of, beyond containing a `package.json` file. `pypi package format` results look wildly different; the first result I get is https://packaging.python.org/en/latest/discussions/package-f... which is quite comprehensive about the exact information I want — disregarding for a moment the fact that I already know this stuff ;) The NPM search results, for me, start with a Geeks4Geeks tutorial on creating a package. Is there even anything analogous to the Python Packaging Authority — misunderstood and not-actually-authoritative as it is — for NPM?)


npm and Cargo use gzipped tarballs.

Tar is an awful format that has multiple ways of specifying file names and file sizes, so there could be some shenanigans happening.

It's also possible to make archives have different content based on case-sensitivity of the file system.
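The two tar ambiguities named above (members that collide once case is folded, and exact duplicate paths, where tools disagree on whether the first or the last copy wins) can be checked for before extraction. This is an added example, not code from the commenter or from any project, and the tarball it inspects is constructed inline as sample data.

```python
import io
import tarfile
from collections import defaultdict


def build_sample_tarball() -> bytes:
    """Return a constructed gzipped tarball (sample data, not a real package).

    It contains a pair of members whose names differ only by case and an
    exact duplicate member, the two situations the check below reports.
    """
    members = [
        ("pkg/setup.py", b"print('first')\n"),
        ("pkg/Setup.py", b"print('second')\n"),  # collides on a case-insensitive FS
        ("pkg/README", b"v1\n"),
        ("pkg/README", b"v2\n"),                  # exact duplicate path
        ("pkg/LICENSE", b"MIT\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_path_collisions(tar_bytes: bytes) -> dict[str, list[str]]:
    """Group member names that map to the same path once case is folded.

    Any group with more than one entry is ambiguous: on a case-insensitive
    filesystem the entries overwrite each other, and even on a case-sensitive
    one, extractors differ on whether the first or the last duplicate wins,
    so a scanner and the eventual installer may not see the same contents.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            # Fold case and drop a leading "./" so "./a" and "A" collide too.
            key = member.name.lower().removeprefix("./")
            groups[key].append(member.name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for key, names in find_path_collisions(build_sample_tarball()).items():
        print(f"ambiguous path {key!r}: {names}")
```

A real check would also compare each member's contents across the group, since identical duplicates are harmless while differing ones are the case worth flagging.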


Ah. Python source distributions are the same, so there may be additional considerations there. Though in general it doesn't seem like there's much concern in the Python ecosystem about that, considering that building them will run arbitrary code anyway....


Author here.

It's running a Podman container (like Docker but daemon-less) with a gVisor runtime for isolation inside the Docker container.

The outer container is privileged, but doesn't run any attacker controlled code.

But, yeah, seeing those two strings together in the same command is certainly amusing.


Hello! Cool project. Wondering what you need `--privileged` for?


Thanks!

`--privileged` is needed to run the container inside a container.

e.g. https://www.docker.com/blog/docker-can-now-run-within-docker...

This is particularly useful for using Kubernetes to manage a cluster of instances.


Dinorwig Power Station in the UK pumps water to store 9.1 GWh https://en.wikipedia.org/wiki/Dinorwig_Power_Station


Doesn't cover perfect forward secrecy (PFS).

Without PFS if the server's private key was stolen (e.g. by hacking the server) then all traffic sniffed in the past could be decrypted.

See: https://en.wikipedia.org/wiki/Forward_secrecy


That website was frustrating.

- splash page that has to load the background video before you can do anything.

- you have to start watching the video on the splash page to skip it.

- horizontal navigation in the about page.

- clicking the obscure "here we go!" back link in the about page has to reload the video before you can do anything.

It looks really nice, but the interaction is incredibly slow and cumbersome.


I don't have JavaScript enabled. I saw a totally blank screen.

(Enabled JavaScript, did not get much more useful information...)


I think apps are popular because they are more concrete than the web.

A user knows where an app starts and ends and they know what icon they need to touch to get there.

Websites are far more ethereal and it isn't as clear when you've left one site and landed on another. And it's much harder remembering how to get there.

Case in point: how many people type 'facebook' into Google and click the first link instead of entering 'www.facebook.com' into the address bar?

