Merge remote-tracking branch 'LCTT/master'

This commit is contained in:
Xingyu Wang 2020-02-09 10:13:09 +08:00
commit ded7b472d4
8 changed files with 674 additions and 164 deletions

@ -1,57 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (Morisun029)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Top CI/CD resources to set you up for success)
[#]: via: (https://opensource.com/article/19/12/cicd-resources)
[#]: author: (Jessica Cherry https://opensource.com/users/jrepka)
Top CI/CD resources to set you up for success
======
Continuous integration and continuous deployment were key topics in 2019
as organizations look to achieve seamless, flexible, and scalable
deployments.
![Plumbing tubes in many directions][1]
This has been a fantastic year for continuous integration/continuous deployment (CI/CD) and the world of DevOps. Opensource.com authors shared how they're moving toward agile and scrum as they focus on seamless, flexible, and scalable deployments. Here are some of the big themes in the CI/CD articles we published this year.
### Learning and improving your CI/CD skills
Some of our favorite articles focus on hands-on CI/CD experience and cover a lot of ground as they do. The place to start is always with [Jenkins][2] pipelines, and Bryant Son's [_Building CI/CD pipelines with Jenkins_][3] will give you enough experience to get started building your first pipelines. Daniel Oh's [_Automate user acceptance testing with your DevOps pipeline_][4] provides great information on acceptance testing, including various CI/CD applications you can use for testing in its own right. And my article on [_Security scanning your DevOps pipeline_][5] is a very short, to the point tutorial on how to set up security in a pipeline using the Jenkins platform.
### Delivery workflow
While learning how to use and improve your skills with CI/CD, the workflow matters, especially when it comes to pipelines, as Jithin Emmanuel shares in [_Screwdriver: A scalable build platform for continuous delivery_][6]. Emily Burns explains having the flexibility to build exactly what you need with your CI/CD workflow in [_Why Spinnaker matters to CI/CD_][7]. And Willy-Peter Schaub extols the idea of creating a unified pipeline for everything to build consistently in [_One CI/CD pipeline per product to rule them all_][8]. These articles will give you a good sense of what happens after you onboard team members to the workflow process.
### How CI/CD affects organizations
2019 was also the year of recognizing CI/CD's business impact and how it affects day-to-day operations. Agnieszka Gancarczyk shares the results of Red Hat's [_Small Scale Scrum vs. Large Scale Scrum_][9] survey, including respondents' differing opinions on scrums, the agile movement, and the impact on teams. Will Kelly covers [_How continuous deployment impacts the entire organization_][10], including the importance of open communication, and Daniel Oh emphasizes the importance of metrics and observability in [_3 types of metric dashboards for DevOps teams_][11]. Last, but far from least, Ann Marie Fred's great article [_Don't test in production? Test in production!_][12] details why it's important for you to test in production—before your customers do.
We are thankful to the many contributing authors who shared their insights with Opensource.com readers in 2019, and I look forward to learning more from them about the evolution of CI/CD in 2020.
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/12/cicd-resources
作者:[Jessica Cherry][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/jrepka
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/plumbing_pipes_tutorial_how_behind_scenes.png?itok=F2Z8OJV1 (Plumbing tubes in many directions)
[2]: https://jenkins.io/
[3]: https://opensource.com/article/19/9/intro-building-cicd-pipelines-jenkins
[4]: https://opensource.com/article/19/4/devops-pipeline-acceptance-testing
[5]: https://opensource.com/article/19/7/security-scanning-your-devops-pipeline
[6]: https://opensource.com/article/19/3/screwdriver-cicd
[7]: https://opensource.com/article/19/8/why-spinnaker-matters-cicd
[8]: https://opensource.com/article/19/7/cicd-pipeline-rule-them-all
[9]: https://opensource.com/article/19/3/small-scale-scrum-vs-large-scale-scrum
[10]: https://opensource.com/article/19/7/organizational-impact-continuous-deployment
[11]: https://opensource.com/article/19/7/dashboards-devops-teams
[12]: https://opensource.com/article/19/5/dont-test-production
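Review bot: this hunk deletes the source copy of "Top CI/CD resources to set you up for success" while its header still names a translator (Morisun029) and an empty reviewer field, so the deletion should be paired with the translated copy landing elsewhere in this merge; the commit reports 8 changed files and only five are visible in this view, so confirm the translated file is among the others rather than the article simply being dropped.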

@ -1,107 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (HankChow)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How to stop typosquatting attacks)
[#]: via: (https://opensource.com/article/20/1/stop-typosquatting-attacks)
[#]: author: (Sam Bocetta https://opensource.com/users/sambocetta)
How to stop typosquatting attacks
======
Typosquatting is a way to lure users into divulging sensitive data to
cybercriminals. Learn how to protect your organization, your open source
project, and yourself.
![Gears above purple clouds][1]
Cybercriminals are turning to social engineering to try to trick unsuspecting people into divulging private information or valuable credentials. It is behind many [phishing scams][2] where the attacker poses as a reputable company or organization and uses it as a front to distribute a virus or other piece of malware.
One such risk is [typosquatting][3], a form of social engineering attack that tries to lure users into visiting malicious sites with URLs that are common misspellings of legitimate sites. These sites can cause significant damage to the reputation of organizations that are victimized by these attackers and harm users who are tricked into entering sensitive details into fake sites. Both system administrators and users need to be aware of the risks and take steps to protect themselves.
Open source software, which is developed and tested by large groups in public repositories, is often lauded for its security benefits. However, when it comes to social engineering schemes and malware implantation, even open source tools can fall victim.
This article looks at the rising trend of typosquatting and what these attacks could mean for open source software in the future.
### What is typosquatting?
Typosquatting is a very specific form of cybercrime that is often tied to a larger phishing attack. It begins with the cybercriminal buying and registering a domain name that is the misspelling of a popular site. For example, the cybercriminal might add an extra vowel or replace an "i" with a lowercase "l" character. Sometimes a cybercriminal obtains dozens of domain names, each with a different spelling variation.
A typosquatting attack does not become dangerous until real users start visiting the site. To make that happen, the criminal runs a phishing scam, typically over email, to urge people to click a link and visit the typosquatting website. Normally these rogue pages have simple login screens bearing familiar logos that try to imitate the real company's design.
If the user does not realize they are visiting a fake website and enters sensitive details, such as their password, username, or credit card number, into the page, the cybercriminal gets full access to that data. If a user is utilizing the same password across several sites, their other online accounts are likely to be exploited as well. This is a cybercriminal's payout: identity theft, ruined credit reports, stolen records, and sometimes worse.
### Some recent attacks
From a company perspective, having a typosquatting attack connected to your domain name can be a public relations disaster, even though you played no direct role in it, because it's seen as irresponsible internet stewardship. As a domain owner, you have a responsibility to be proactive in defending against typosquatting to limit the pain caused by this type of fraud.
A few years ago, many [health insurance customers fell victim][4] to a typosquatting attack when they received a phishing email that pointed to we11point.com, with the number 1 replacing the character "l" in the URL.
When the international domain name rules were changed to allow anyone to register a URL with an extension previously tied to specific countries, it created a brand new wave of typosquatting attacks. One of the most prevalent ones seen today is when a cybercriminal registers a .om domain that matches a popular .com domain to take advantage of accidental omissions of the letter "c" when entering a web address.
### How to protect your website from typosquatting
For companies, the best strategy is to try to stay ahead of typosquatting attacks.
That means spending the money to trademark your domain and purchase all related URLs that could be easy misspellings. You don't need to buy all top-level domain variants of your site name, but at least focus on common misspellings to your primary site name.
If you need to send your users to third-party sites, do so from your official website, not in a mass email. It's important to firmly establish a policy that official communication always and only sends users to your site. That way, should a cybercriminal attempt to spoof communication from you, your users will know something's amiss when they end up on an unfamiliar page or URL structure.
Use an open source tool like [DNS Twist][5] to automatically scan your company's domain and determine whether there could already be a typosquatting attack in progress. DNS Twist runs on Linux operating systems and can be used through a series of shell commands.
Some ISPs offer typosquatting protection as part of their product offering. This functions as an extra layer of web filtering—if a user in your organization accidentally misspells a common URL, they are alerted that the page is blocked and redirected to the proper domain.
If you are a system administrator, consider running your own [DNS server][6] along with a blacklist of incorrect and forbidden domains.
Another effective way to spot a typosquatting attack in progress is to monitor your site traffic closely and set an alert for a sudden decrease in visitors from a particular region. It could be that a large number of your regular users have been redirected to a fake site.
As with almost any form of cyberattack, the key to stopping typosquatting is constant vigilance. Your users are counting on you to identify and shut down any fake sites that are operating under your name, and if you don't, you could lose your audience's trust.
### Typosquatting threats to open source software
Most major open source projects go through security and penetration testing, largely because the code is public. However, mistakes happen under even the best of conditions. Here are some things to watch for if you're involved in an open source project.
When you get a merge request or patch from an unknown source, review it carefully before merging, especially if there's a networking stack involved. Don't fall prey to the temptation of only testing your build; look at the code to ensure that nothing nefarious has been embedded into an otherwise functional enhancement.
Also, use the same rigor in protecting your project's identity as a business does for its domain. Don't let a cybercriminal create alternate download sites and offer a version of your project with additional harmful code. Use digital signatures, like the following, to create an assurance of authenticity for your software:
```
gpg --armor --detach-sig \
\--output advent-gnome.sig \
example-0.0.1.tar.xz
```
You should also provide a checksum for the file you deliver:
```
`sha256sum example-0.0.1.tar.xz > example-0.0.1.txt`
```
Provide these safeguards even if you don't believe your users will take advantage of them, because all it takes is one perceptive user to notice a missing signature on an alternative download to alert you that someone, somewhere is spoofing your project.
### Final thoughts
Humans are prone to making mistakes. When you have millions of people around the world typing in a common web address, it's no surprise that a certain percentage enter a typo in the URL. Cybercriminals are trying to capitalize on that trend with typosquatting.
It's hard to stop cybercriminals from registering domains that are available for purchase, so mitigate against typosquatting attacks by focusing on the ways they spread. The best protection is to build trust with your users and to be diligent in detecting typosquatting attempts. Together, as a community, we can all help ensure that typosquatting attempts are ineffective.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/stop-typosquatting-attacks
作者:[Sam Bocetta][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/sambocetta
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/chaos_engineer_monster_scary_devops_gear_kubernetes.png?itok=GPYLvfVh (Gears above purple clouds)
[2]: https://www.cloudberrylab.com/resources/guides/types-of-phishing/
[3]: https://en.wikipedia.org/wiki/Typosquatting
[4]: https://www.menlosecurity.com/blog/-a-new-approach-to-end-typosquatting
[5]: https://github.com/elceef/dnstwist
[6]: https://opensource.com/article/17/4/build-your-own-name-server
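Review bot: the two code blocks in the "Typosquatting threats to open source software" section carry extraction damage that must not be copied into the translation: `\--output advent-gnome.sig \` has a stray backslash in front of the flag, and the `sha256sum` line is wrapped in an extra pair of backticks inside the fence. Two content points for the translated text as well: the signature file in the gpg example (advent-gnome.sig) does not match the tarball it signs (example-0.0.1.tar.xz), so a reader following along would expect something like example-0.0.1.tar.xz.sig; and the checksum in the second block only gives integrity, since a mirror that swaps the tarball can swap the .txt beside it just as easily, so the "assurance of authenticity" the paragraph promises rests on the detached signature and on publishing the signing key somewhere the alternate download site cannot alter.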

@ -0,0 +1,118 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Connect Fedora to your Android phone with GSConnect)
[#]: via: (https://fedoramagazine.org/connect-fedora-to-your-android-phone-with-gsconnect/)
[#]: author: (Lokesh Krishna https://fedoramagazine.org/author/lowkeyskywalker/)
Connect Fedora to your Android phone with GSConnect
======
![][1]
Both Apple and Microsoft offer varying levels of integration of their desktop offerings with your mobile devices. Fedora offers a similar if not greater degree of integration with **GSConnect**. It lets you pair your Android phone with your Fedora desktop and opens up a lot of possibilities. Keep reading to discover more about what it is and how it works.
### What is GSConnect?
GSConnect is an implementation of the KDE Connect project tailored for the GNOME desktop. KDE Connect makes it possible for your devices to communicate with each other. However, installing it on Fedoras default GNOME desktop requires pulling in a large number of KDE dependencies.
GSConnect is a complete implementation of KDE Connect, but in the form of a GNOME shell extension. Once installed, GSConnect lets you do the following and a lot more:
* Receive phone notifications on your desktop and reply to messages
* Use your phone as a remote control for your desktop
* Share files and links between devices
* Check your phones battery level from the desktop
* Ring your phone to help find it
### Setting up the GSConnect extension
Setting up GSConnect requires installing two components: the GSConnect extension on your desktop and the KDE Connect app on your Android device.
First, install the GSConnect extension from the GNOME Shell extensions website: [GSConnect][2]. (Fedora Magazine has a handy article on [How to install a GNOME Shell extension][3] to help you with this step.)
The KDE Connect app is available on Googles [Play Store][4]. Its also available on the FOSS Android apps repository, [F-Droid][5].
Once you have installed both these components, you can pair your two devices. Installing the extension makes it show up in your system menu as _Mobile Devices_. Clicking on it displays a drop down menu, from which you can access _Mobile Settings_.
![][6]
Heres where you can view your paired devices and manage the features offered by GSConnect. Once you are on this screen, launch the app on your Android device.
You can initiate pairing from either device, but here youll be connecting to your desktop from the Android device. Simply hit refresh on the app, and as long as both devices are on the same wireless network, your desktop shows up in your Android device. You can now send a pair request to the desktop. Accept the pair request on your desktop to complete the pairing.
![][7]
### Using GSConnect
Once paired, youll need to grant permissions on your Android device to make use of the many features available on GSConnect. Click on the paired device in the list of devices to see all available functions and enable or disable them according to your preferences.
![][8]
Remember that youll also need to grant corresponding permissions in the Android app to be able to use these functions. Depending upon the features youve enabled and the permissions youve granted, you can now access your mobile contacts on your desktop, get notified of messages and reply to them, and even sync the desktop and Android device clipboards.
### Integration with Files and your web browsers
GSConnect allows you to directly send files to your Android device from your desktop file explorers context menu.
On Fedoras default GNOME desktop, you will need to install the _nautilus-python_ package in order to make your paired devices show up in the context menu. Installing this is as straightforward as running the following command from your preferred terminal:
```
$ sudo dnf install nautilus-python
```
Once done, the _Send to Mobile Device_ entry appears in the context menu of the Files app.
![][9]
Similarly, install the corresponding WebExtension for your browser, be it [Firefox][10] or [Chrome][11], to send links to your Android device. You have the option to send the link to launch directly in your browser or to deliver it as SMS.
### Running Commands
GSConnect lets you define commands which you can then run on your desktop, from your remote device. This allows you to do things such as take a screenshot of your desktop, or lock and unlock your desktop from your Android device, remotely.
![][12]
To make use of this feature, you can use standard shell commands and the CLI exposed by GSConnect. Documentation on this is provided in the projects GitHub repository: _CLI Scripting_.
The [KDE UserBase Wiki][13] has a list of example commands. These examples cover controlling the brightness and volume on your desktop, locking the mouse and keyboard, and even changing the desktop theme. Some of the commands are specific for KDE Plasma, and modifications are necessary to make it run on the GNOME desktop.
### Explore and have fun
GSConnect makes it possible to enjoy a great degree of convenience and comfort. Dive into the preferences to see all that you can do and get creative with the commands function. Feel free to share all the possibilities this utility unlocked in your workflow in the comments below.
* * *
_Photo by [Pathum Danthanarayana][14] on [Unsplash][15]._
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/connect-fedora-to-your-android-phone-with-gsconnect/
作者:[Lokesh Krishna][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/lowkeyskywalker/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2019/12/gsconnect-816x345.jpg
[2]: https://extensions.gnome.org/extension/1319/gsconnect/
[3]: https://fedoramagazine.org/install-gnome-shell-extension/
[4]: https://play.google.com/store/apps/details?id=org.kde.kdeconnect_tp
[5]: https://f-droid.org/en/packages/org.kde.kdeconnect_tp/
[6]: https://fedoramagazine.org/wp-content/uploads/2020/01/within-the-menu-1024x576.png
[7]: https://fedoramagazine.org/wp-content/uploads/2020/01/pair-request-1024x576.png
[8]: https://fedoramagazine.org/wp-content/uploads/2020/01/permissions-1024x576.png
[9]: https://fedoramagazine.org/wp-content/uploads/2020/01/send-to-mobile-2-1024x576.png
[10]: https://addons.mozilla.org/en-US/firefox/addon/gsconnect/
[11]: https://chrome.google.com/webstore/detail/gsconnect/jfnifeihccihocjbfcfhicmmgpjicaec
[12]: https://fedoramagazine.org/wp-content/uploads/2020/01/commands-1024x576.png
[13]: https://userbase.kde.org/KDE_Connect/Tutorials/Useful_commands
[14]: https://unsplash.com/@pathum_danthanarayana?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText
[15]: https://unsplash.com/s/photos/android?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText
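Review bot: apostrophes were lost throughout this file's body text ("Fedoras default GNOME desktop", "Googles", "Its also available", "Heres", "youll", "youve", "projects GitHub repository"), and the "Running Commands" section refers to a _CLI Scripting_ document with no matching reference link at the bottom of the file; both should be checked against the upstream article before translation starts. On substance, that same section lets a paired phone run shell commands on the desktop, and the pairing walkthrough only says to accept the pair request, so the translated text would benefit from a sentence making explicit that pair requests should only be accepted from a device you recognise.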

@ -0,0 +1,118 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Customize your internet with an open source search engine)
[#]: via: (https://opensource.com/article/20/2/open-source-search-engine)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
Customize your internet with an open source search engine
======
Get started with YaCy, an open source, P2P web indexer.
![Person using a laptop][1]
A long time ago, the internet was small enough to be indexed by a few people who gathered the names and locations of all websites and listed them each by topic on a page or in a printed book. As the World Wide Web network grew, the "web rings" convention developed, in which sites with a similar theme or topic or sensibility banded together to form a circular path to each member. A visitor to any site in the ring could click a button to proceed to the next or previous site in the ring to discover new sites relevant to their interest.
Then for a while, it seemed the internet outgrew itself. Everyone was online, there was a lot of redundancy and spam, and there was no way to find anything. Yahoo and AOL and CompuServe and similar services had unique approaches, but it wasn't until Google came along that the modern model took hold. According to Google, the internet was meant to be indexed, sorted, and ranked through a search engine.
### Why choose an open source alternative?
Search engines like Google and DuckDuckGo are demonstrably effective. You may have reached this site through a search engine. While there's a debate to be had about content falling through the cracks because a host chooses not to follow best practices for search engine optimization, the modern solution for managing the wealth of culture and knowledge and frivolity that is the internet is relentless indexing.
But maybe you prefer not to use Google or DuckDuckGo because of privacy concerns or because you're looking to contribute to an effort to make the internet more independent. If that appeals to you, then consider participating in [YaCy][2], the peer-to-peer internet indexer and search engine.
### Install YaCy
To install and try YaCy, first ensure you have Java installed. If you're on Linux, you can follow the instructions in my [_How to install Java on Linux_][3] article. If you're on Windows or MacOS, obtain an installer from [AdoptOpenJDK.net][4].
Once you have Java installed, [download the installer][5] for your platform.
If you're on Linux, unarchive the tarball and move it to the **/opt** directory:
```
`$ sudo tar --extract --file  yacy_*z --directory /opt`
```
Start YaCy according to instructions for the installer you downloaded.
On Linux, start YaCy running in the background:
```
`$ /opt/startYACY.sh &`
```
In a web browser, navigate to **localhost:8090** and search.
![YaCy start page][6]
### Add YaCy to your URL bar
If you're using the Firefox web browser, you can make YaCy your default search engine in the Awesome Bar (that's Mozilla's name for the URL field) with just a few clicks.
First, make the dedicated search bar visible in the Firefox toolbar, if it's not already (you don't have to keep the search bar visible; you only need it active long enough to add a custom search engine). The search bar is available in the hamburger menu in the upper-right corner of Firefox in the **Customize** menu. Once the search bar is visible in your Firefox toolbar, navigate to **localhost:8090**, and click the magnifying glass icon in the Firefox search bar you just added. Click the option to add YaCy to your Firefox search engines.
![Adding YaCy to Firefox][7]
Once this is done, you can mark it as your default in Firefox preferences, or just use it selectively in searches performed in the Firefox search bar. If you set it as your default search engine, then you may have no need for the dedicated search bar because the default engine is also used by the Awesome Bar, so you can remove it from your toolbar.
### How to a P2P search engine works
YaCy is an open source and distributed search engine. It's written in [Java][8], so it runs on any platform, and it performs web crawls, indexing, and searching. It's a peer-to-peer (P2P) network, so every user running YaCy joins in the effort to track the internet as it changes from day to day. Of course, no single user possesses a full index of the entire internet because that would take a data center to house, but the index is distributed and redundant across all YaCy users. It's a lot like BitTorrent (as it uses distributed hash tables, or DHT, to reference index entries), except the data you're sharing is a matrix of words and URL associations. By mixing the results returned by the hash tables, no one can tell who has searched for what words, so all searches are functionally anonymous. It's an effective system for unbiased, ad-free, untracked, and anonymous searches, and you can join in just by using it.
### Search engines and algorithms
The act of indexing the internet refers to separating a web page into the singular words on it, then associating the page's URL with each word. Searching for one or more words in a search engine fetches all URLs associated with the query. That's one thing the YaCy client does while running.
The other thing the client does is provide a search interface for your browser. Instead of navigating to Google when you want to search, you can point your web browser to **localhost:8090** to search YaCy. You may even be able to add it to your browser's search bar (depending on your browser's extensibility), so you can search from the URL bar.
### Firewall settings for YaCy
When you first start using YaCy, it's probably running in "junior" mode. This means that the sites your client crawls are available only to you because no other YaCy client can reach your index entries. To join the P2P experience, you must open port 8090 in your router's firewall and possibly your software firewall if you're running one. This is called "senior" mode.
If you're on Linux, you can find out more about your computer's firewall in [_Make Linux stronger with firewalls_][9]. On other platforms, refer to your operating system's documentation.
A firewall is almost always active on the router provided by your internet service provider (ISP), and there are far too many varieties of them to document accurately here. Most routers provide the option to "poke a hole" in your firewall because many popular networked games require two-way traffic.
If you know how to log into your router (it's often either 192.168.0.1 or 10.1.0.1, but can vary depending on the manufacturer's settings), then log in and look for a configuration panel controlling the _firewall_ or _port forwarding_ or _applications_.
Once you find the preferences for your router's firewall, add port 8090 to the whitelist. For example:
![Adding YaCy to an ISP router][10]
If your router is doing port forwarding, then you must forward the incoming traffic to your computer's IP address, using the same port. For example:
![Adding YaCy to an ISP router][11]
If you can't adjust your firewall settings for any reason, that's OK. YaCy will continue to run and operate as a client of the P2P search network in junior mode.
### An internet of your own
There's much more you can do with the YaCy search engine than just search passively. You can force crawls of underrepresented websites, you can request the network crawl a site, you can choose to use YaCy for just on-premises searches, and much more. You have better control over what _your_ internet looks like. The more senior users there are, the more sites indexed. The more sites indexed, the better the experience for all users. Join in!
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/2/open-source-search-engine
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/laptop_screen_desk_work_chat_text.png?itok=UXqIDRDD (Person using a laptop)
[2]: https://yacy.net/
[3]: https://opensource.com/article/19/11/install-java-linux
[4]: https://adoptopenjdk.net/releases.html
[5]: https://yacy.net/download_installation/
[6]: https://opensource.com/sites/default/files/uploads/yacy-startpage.jpg (YaCy start page)
[7]: https://opensource.com/sites/default/files/uploads/yacy-add-firefox.jpg (Adding YaCy to Firefox)
[8]: https://opensource.com/resources/java
[9]: https://opensource.com/article/19/7/make-linux-stronger-firewalls
[10]: https://opensource.com/sites/default/files/uploads/router-add-app.jpg (Adding YaCy to an ISP router)
[11]: https://opensource.com/sites/default/files/uploads/router-add-app1.jpg (Adding YaCy to an ISP router)
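Review bot: the "Firewall settings for YaCy" section tells readers to open and forward port 8090 from the internet, which is the same port the article uses for the node's own web interface at localhost:8090, without a word about protecting that interface; before publishing, add a sentence that the YaCy web UI then becomes reachable from outside and that its administration pages should be restricted to trusted addresses or protected with the admin password YaCy lets you set. Smaller fixes for the same file: the heading "### How to a P2P search engine works" should read "How a P2P search engine works", both shell blocks are wrapped in an extra pair of backticks inside the fence (`$ sudo tar ...` and `$ /opt/startYACY.sh &`), and `--file  yacy_*z` has a doubled space.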

@ -0,0 +1,84 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Introducing Zuul for improved CI/CD)
[#]: via: (https://opensource.com/article/20/2/zuul)
[#]: author: (Jeremy Stanley https://opensource.com/users/fungi)
Introducing Zuul for improved CI/CD
======
A quick history of how and why Zuul is replacing Jenkins in CI testing
in the OpenStack community.
![Plumbing tubes in many directions][1]
[Jenkins][2] is a marvelous piece of software. As an execution and automation engine, it's one of the best you're going to find. Jenkins serves as a key component in countless continuous integration (CI) systems, and this is a testament to the value of what its community has built over the years. But that's what it is­­—a component. Jenkins is not a CI system itself; it just runs things for you. It does that really well and has a variety of built-ins and a vibrant ecosystem of plugins to help you tell it what to run, when, and where.
CI is, at the most fundamental level, about integrating the work of multiple software development streams into a coherent whole with as much frequency and as little friction as possible. Jenkins, on its own, doesn't know about your source code or how to merge it together, nor does it know how to give constructive feedback to you and your colleagues. You can, of course, glue it together with other software that can perform these activities, and this is how many CI systems incorporate Jenkins.
It's what we did for OpenStack, too, at least at first.
### If it's not tested, it's broken
In 2010, an open source community of projects called [OpenStack][3] was forming. Some of the developers brought in to assist with the collaboration infrastructure also worked on a free database project called [Drizzle][4], and a key philosophy within that community was the idea "if it's not tested, it's broken." So OpenStack, on day one, required all proposed changes of its software to be reviewed and tested for regressions before they could be approved to merge into the trunk of any source code repositories. To do this, Hudson (which later forked to form the Jenkins project) was configured to run tests exercising every change.
A plugin was installed to interface with the [Gerrit][5] code review system, automatically triggering jobs when new changes were proposed and reporting back with review comments indicating whether they succeeded or failed. This may sound rudimentary by today's standards, but at the time, it was a revolutionary advancement for an open source collaboration. No developer on OpenStack was special in the eyes of CI, and everyone's changes had to pass this growing battery of tests before they could merge—a concept the project called "project gating."
There was, however, an emerging flaw with this gating idea: To guarantee two unrelated changes didn't alter a piece of software in functionally incompatible ways, they had to be tested one at a time in sequence before they could merge. OpenStack was complicated to install and test, even back then, and quickly grew in popularity. The rising volume of developer contributions coupled with increasing test coverage meant that, during busy periods, there was simply not enough time to test every change that passed review. Some longer-running jobs took nearly an hour to complete, so the upper bound for what could get through the gate was roughly two dozen changes in a day. The resulting merge backlog showed a new solution was required.
### Enter Zuul
During an OpenStack CI meeting in May 2012, one of the CI team members, James Blair, [announced][6] that he'd "been working on speculative execution of Jenkins jobs." **Speculative execution** is an optimization most commonly found in the pipelines of modern microprocessors. Much like the analogy with processor hardware, the theory was that by optimistically predicting positive gating results for changes recently approved but that had not yet completed their tests, subsequently approved changes could be tested concurrently and then conditionally merged as long as their predecessors also passed tests and merged. James said he had a name for this intelligent scheduler: [Zuul][7].
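The scheduling idea above, as an added toy model in Python (not Zuul's own code): every queued change is tested at once on top of the predecessors optimistically assumed to merge ahead of it, and a failure at the head of the queue re-queues everything behind it. The `Change`, `GateResult` and `run_job` names and the constructed job outcomes are assumptions made for this illustration.

```python
"""Toy model of Zuul-style speculative gating (added example, not Zuul's own code).

A "job" here is a constructed pure function of the change and the list of changes
assumed to have merged before it, so the model runs offline."""
from dataclasses import dataclass
from typing import FrozenSet, List, NamedTuple, Sequence


@dataclass(frozen=True)
class Change:
    cid: str
    passes_alone: bool = True
    # Change ids that, if already in the base this change is tested on, make its
    # tests fail: two changes that are individually fine but functionally
    # incompatible, which is the case project gating exists to catch.
    incompatible_with: FrozenSet[str] = frozenset()


class GateResult(NamedTuple):
    merged: List[str]    # change ids that made it into the trunk, in order
    rejected: List[str]  # change ids reported back to review as failed
    jobs: int            # total test runs launched
    rounds: int          # wall-clock time in units of one job duration


def run_job(change: Change, base: Sequence[str]) -> bool:
    """Constructed stand-in for a CI job: passes unless the change is broken
    on its own or conflicts with something already in its base."""
    return change.passes_alone and not (change.incompatible_with & set(base))


def sequential_gate(changes: Sequence[Change]) -> GateResult:
    """The pre-Zuul gate: one change at a time, each on top of the real trunk."""
    merged, rejected = [], []
    for change in changes:
        if run_job(change, merged):
            merged.append(change.cid)
        else:
            rejected.append(change.cid)
    return GateResult(merged, rejected, len(changes), len(changes))


def speculative_gate(changes: Sequence[Change]) -> GateResult:
    """Zuul's dependent pipeline: every queued change is tested at once, each on
    top of the predecessors optimistically assumed to pass. Results are walked
    head to tail; the first failure is rejected, and everything behind it was
    tested against a wrong assumption, so it is re-queued and tested again."""
    queue = list(changes)
    merged, rejected, jobs, rounds = [], [], 0, 0
    while queue:
        rounds += 1
        results = []  # one job per queued change, all launched concurrently
        for i, change in enumerate(queue):
            speculative_base = merged + [c.cid for c in queue[:i]]
            results.append(run_job(change, speculative_base))
            jobs += 1
        failed_at = next((i for i, ok in enumerate(results) if not ok), None)
        if failed_at is None:
            merged.extend(c.cid for c in queue)
            break
        merged.extend(c.cid for c in queue[:failed_at])
        rejected.append(queue[failed_at].cid)
        queue = queue[failed_at + 1:]  # retested without the failed change
    return GateResult(merged, rejected, jobs, rounds)


# Constructed queue: C is broken on its own, E only conflicts with C.
SAMPLE_QUEUE = [
    Change("A"), Change("B"), Change("C", passes_alone=False), Change("D"),
    Change("E", incompatible_with=frozenset({"C"})), Change("F"),
]

if __name__ == "__main__":
    for name, gate in (("sequential", sequential_gate), ("speculative", speculative_gate)):
        print(name, gate(SAMPLE_QUEUE))
```

With the sample queue the speculative gate needs two rounds instead of six: E fails in round one only because C was speculatively in its base, then passes once C is rejected.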
Within this time frame, challenges from trying to perform better revision control for Jenkins' XML job configuration led to the creation of the human-readable YAML-based [Jenkins Job Builder][8] templating engine. Limited success with the JClouds plugin for Jenkins and cumbersome attempts to use jobs for refreshing cloud images of single-use Jenkins slaves ended with the creation of the [Nodepool][9] service. Limited log-storage capabilities resulted in the team adding separate external solutions for organizing, serving, and indexing job logs and assuming maintainership of an abandoned secure copy protocol (SCP) plugin replacing the less-secure FTP option that Jenkins provided out of the box. The OpenStack infrastructure team was slowly building a fleet of services and utilities around Jenkins but began to bump up against a performance limitation.
### Multiplying Jenkins
By mid-2013, Nodepool was constantly recycling as many as 100 virtual machines registered with Jenkins as slaves, but this was no longer enough to keep up with the growing workload. Thread contention for global locks in Jenkins thwarted all attempts to push past this threshold, no matter how much processor power and memory was thrown at the master server. The project had offers to donate additional capacity for Jenkins slaves to help relieve the frequent job backlog, but this would require an additional Jenkins master. The efficient division of work between multiple masters needed a new channel of communication for dispatch and coordination of jobs. Zuul's maintainers identified the [Gearman][10] job server protocol as an ideal fit, so they outfitted Zuul with a new [geard][11] service and extended Jenkins with a custom Gearman client plugin.
Now that jobs were spread across a growing assembly of Jenkins masters, there was no longer any single dashboard with a complete view of job activity and results. In order to facilitate this new multi-master world, Zuul grew its own status API and WebUI, as well as a feature to emit metrics through the [StatsD][12] protocol. Over the next few years, Zuul steadily subsumed more of the CI features its users relied on, while Jenkins' place in the system waned accordingly, and it was becoming a liability. OpenStack made an early choice to standardize on the Python programming language; this was reflected in Zuul's development, yet Jenkins and its plugins were implemented in Java. Zuul's configuration was maintained in the same YAML serialization format that OpenStack used to template its own Jenkins jobs, while Jenkins kept everything in baroque XML. These differences complicated ongoing maintenance and led to an unnecessarily steep learning curve for new administrators from related communities that had started trying to run Zuuls.
The time was right for another revolution.
### The rise of Ansible
In early 2016, Zuul's maintainers embarked on an ambitious year-long overhaul of their growing fleet of services with the goal of eliminating Jenkins from the overall system design. By this time, Jenkins was serving only as a conduit for running jobs consisting mostly of shell scripts on slave nodes over SSH, providing real-time streaming of job output and copying resulting artifacts to longer-term storage. [Ansible][13] was found to be a great fit for that first need; purpose-built to run commands remotely over SSH, it was written in Python, just like Zuul, and also used YAML to define its tasks. It even had built-in modules for features the team had previously implemented as bespoke Jenkins plugins. Ansible provided true multi-node support right out of the box, so the same playbooks could be used for both simulating and performing complex production deployments. An ever-expanding ecosystem of third-party modules filled in any gaps, in much the same way as the Jenkins community's plugins had before.
A new Zuul executor service filled the prior role of the Jenkins master: it acted on pending requests in the scheduler's geard, dispatched them via Ansible to ephemeral servers managed by Nodepool, then collected results and artifacts for publication. It also exposed in-progress build output over the classic [RFC 742 Name/Finger protocol][14], streamed in real time from an extension of Ansible's command output module. Once it was no longer necessary to limit jobs to what Jenkins' parser could comprehend, Zuul was free to grow new features like distributed in-repository job definitions, shareable between projects with inheritance and secure handling of secrets, as well as the ability to test-drive proposed changes for the jobs themselves. Jenkins served its purpose admirably, but at least for Zuul, its usefulness was finally at an end.
### Testing the future
Zuul's community likes to say that it "tests the future" through its novel application of speculative execution. Gone are the harrowing days of wondering whether the improvement you want to make to an existing job will render it non-functional once it's applied in production. Overloaded review teams for a massive central job repository are a thing of the past. Jobs are treated as a part of the software and shipped right alongside the rest of the source code, taking advantage of Zuul's other features like cross-repository dependencies so that your change to part of a job in one project can be exercised with a proposed job change in another project. It will even comment on your job changes, highlighting specific lines with syntax problems as if it were another code reviewer giving you advice.
These were features Zuul only dreamed of before, but which required freedom from Jenkins so that it could take job parsing into its own hands. This is the future of CI, and Zuul's users are living it.
As of early 2019, the OpenStack Foundation recognized Zuul as an independent, openly governed project with its own identity and flourishing community. If you're into open source CI, consider taking a look. Development on the next evolution of Zuul is always underway, and you're welcome to help. Find out more on [Zuul's website][7].
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/2/zuul
Author: [Jeremy Stanley][a]
Topic selection: [lujun9972][b]
Translator: [译者ID](https://github.com/译者ID)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was originally compiled by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux中国](https://linux.cn/)
[a]: https://opensource.com/users/fungi
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/plumbing_pipes_tutorial_how_behind_scenes.png?itok=F2Z8OJV1 (Plumbing tubes in many directions)
[2]: https://jenkins.io/
[3]: https://www.openstack.org/
[4]: https://en.wikipedia.org/wiki/Drizzle_(database_server)
[5]: https://www.gerritcodereview.com/
[6]: http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2012-05-22.log.html#t2012-05-22T19:42:27
[7]: https://zuul-ci.org/
[8]: https://jenkins-job-builder.readthedocs.io/
[9]: https://zuul-ci.org/docs/nodepool/
[10]: http://gearman.org/
[11]: https://docs.opendev.org/opendev/gear/#server-example
[12]: https://github.com/statsd/statsd
[13]: https://www.ansible.com/
[14]: https://tools.ietf.org/html/rfc742

[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Using Powershell to automate Linux, macOS, and Windows processes)
[#]: via: (https://opensource.com/article/20/2/devops-automation)
[#]: author: (Willy-Peter Schaub https://opensource.com/users/wpschaub)
Using Powershell to automate Linux, macOS, and Windows processes
======
Automation is pivotal to DevOps, but is everything automatable?
![CICD with gears][1]
Automation takes control of manual, laborious, and error-prone processes and replaces engineers performing manual tasks with computers running automation scripts. Everyone agrees that manual processes are a foe of a healthy DevOps mindset. Some argue that automation is not a good thing because it replaces hard-working engineers, while others realize that it boosts consistency, reliability, and efficiency, saves time, and (most importantly) enables engineers to work smart.
> "_DevOps is not just automation or infrastructure as code_" —[Donovan Brown][2].
Having used automated processes and toolchains since the early '80s, I always twitch when I hear or read the recommendation to "automate everything." While it is technically possible to automate everything, automation is complex and comes at a price in terms of development, debugging, and maintenance. If you have ever dusted off an inviable Azure Resource Manager (ARM) template or a precious maintenance script you wrote a long time ago, expecting it to execute flawlessly months or years later, you will understand that automation, like any other code, is brittle and needs continuous maintenance and nurture.
So, what and when should you automate?
* Automate processes you perform manually more than once or twice.
* Automate processes you will perform regularly and continuously.
* Automate everything automatable.
More importantly, what should you _not_ automate?
* Don't automate processes that are a one-off—it is not worth the investment unless you reuse it as reference documentation and regularly validate to ensure it remains functional.
* Don't automate highly volatile processes—it is too complex and expensive.
* Don't automate broken processes—fix them before automating.
For example, my team continuously inspects hundreds of user activities on our common collaboration and engineering system, looking for inactivity that is wasting precious dollars. If a user has been inactive for three or more months and has been assigned an expensive license, we revert the user to a less functional and free license.
As Fig. 1 shows, it is not a technically challenging process. It is a mind-numbing and error-prone process, especially when it's performed while context switching with other development and operational tasks.
![Manual process to switch user license][3]
Fig. 1 Manual process to switch user license
Incidentally, this is an example of a value stream map created in three easy steps:
1. Visualize all activities: list users, filter users, and reset licenses.
2. Identify stakeholders, namely operations and licensing teams.
3. Measure:
* Total lead time (TLT) = 13 hours
* Total cycle time (TCT) = 1.5 hours
* Total efficiency percentage = TCT/TLT*100 = 11.5%
If you hang a copy of these visualizations in high-traffic and high-visibility areas, such as your team's breakout area, cafeteria, or on the way to your washrooms, you will trigger lots of discussions and unsolicited feedback. For example, looking at the visual, it is evident that the manual tasks are a waste, caused primarily by long process wait times.
Let us explore a simple PowerShell script that automates the process, as shown in Figure 2, reducing the total lead-time from 13 to 4 hours and 60 seconds, and raising the overall efficiency from 11.5 to 12.75%.
![Semi-automated PowerShell-based process to switch user license][4]
Fig. 2 Semi-automated PowerShell-based process to switch user license
[PowerShell][5] is an open source task-based scripting language. It is found [on GitHub][6], is built on .NET, and allows you to automate Linux, macOS, and Windows processes. Users with a development background, especially C#, will enjoy the full benefits of PowerShell.
The example PowerShell script below communicates with [Azure DevOps][7] via its [REST API][8]. The script combines the manual "list users" and "filter users" tasks from Fig. 1: it identifies all users in the **DEMO** organization that have not been active for two months and are using either a **Basic** or the more expensive **Basic + Test** license, and outputs each user's details to the console. Simple!
First, set up the authentication header and other variables that will be used later with this initialization script:
```
param(
  [string] $orgName  = "DEMO",
  [int]    $months   = -2,
  [string] $patToken = "<PAT>"
)
# Basic authentication header using the personal access token (PAT);
# Azure DevOps expects an empty user name with the PAT as the password
$basicAuth = ("{0}:{1}" -f "", $patToken)
$basicAuth = [System.Text.Encoding]::UTF8.GetBytes($basicAuth)
$basicAuth = [System.Convert]::ToBase64String($basicAuth)
$headers   = @{ Authorization = ("Basic {0}" -f $basicAuth) }
# REST API request to get all user entitlements of the organization
$request_GetEntitlements = "https://vsaex.dev.azure.com/" + $orgName + "/_apis/userentitlements?top=10000&api-version=5.1-preview.2"
# Initialize data variables
$members            = New-Object System.Collections.ArrayList
[int] $count        = 0
[string] $basic     = "Basic"
[string] $basicTest = "Basic + Test Plans"
```
Next, query all the entitlements with this script to identify inactive users:
```
# Send the REST API request and record every entitlement id in the members array list
$response = Invoke-RestMethod -Uri $request_GetEntitlements -Headers $headers -Method Get
$response.items | ForEach-Object { $members.Add($_.id) | Out-Null }
# Cut-off date: anything last accessed before this point counts as inactive
$expired = (Get-Date).AddMonths($months)
# Iterate through all user entitlements
$response.items | ForEach-Object {
  $name        = [string]$_.user.displayName
  $date        = [DateTime]$_.lastAccessedDate
  $license     = [string]$_.accessLevel.AccountLicenseType
  $licenseName = [string]$_.accessLevel.LicenseDisplayName
  $count++
  if ( $expired -gt $date ) {
    # Ignore users who have NEVER or NOT YET ACTIVATED their license
    # (their lastAccessedDate is the .NET minimum date, year 0001)
    if ( $date.Year -eq 1 ) {
      return   # inside ForEach-Object, return moves on to the next item
    }
    # Look for BASIC license
    elseif ( $licenseName -eq $basic ) {
      Write-Host " **INACTIVE** " " Name: " $name " Last Access: " $date "License: " $licenseName
    }
    # Look for BASIC + TEST license
    elseif ( $licenseName -eq $basicTest ) {
      Write-Host " **INACTIVE** " " Name: " $name " Last Access: " $date "License: " $licenseName
    }
  }
}
```
When you run the script, you get the following output, which you can forward to the licensing team to reset the user licenses:
```
**INACTIVE** Name: Demo1 Last Access: 2019/09/06 11:01:26 AM License: Basic
**INACTIVE** Name: Demo2 Last Access: 2019/06/04 08:53:15 AM License: Basic
**INACTIVE** Name: Demo3 Last Access: 2019/09/26 12:54:57 PM License: Basic
**INACTIVE** Name: Demo4 Last Access: 2019/06/07 12:03:18 PM License: Basic
**INACTIVE** Name: Demo5 Last Access: 2019/07/18 10:35:11 AM License: Basic
**INACTIVE** Name: Demo6 Last Access: 2019/10/03 09:21:20 AM License: Basic
**INACTIVE** Name: Demo7 Last Access: 2019/10/02 11:45:55 AM License: Basic
**INACTIVE** Name: Demo8 Last Access: 2019/09/20 01:36:29 PM License: Basic + Test Plans
**INACTIVE** Name: Demo9 Last Access: 2019/08/28 10:58:22 AM License: Basic
```
If you automate the final step, automatically setting the user licenses to a free stakeholder license, as in Fig. 3, you can further reduce the overall lead time to 65 seconds and raise the overall efficiency to 77%.
![Fully automated PowerShell-based process to switch user license][9]
Fig. 3 Fully automated PowerShell-based process to switch user license
The core value of this PowerShell script is not just the ability to _automate_ but also to perform the process _regularly_, _consistently_, and _quickly_. Further improvements would trigger the script weekly or daily using a scheduler such as an Azure pipeline, but I will hold the programmatic license reset and script scheduling for a future article.
Here is a graph to visualize the progress:
![Graph to visualize progress][10]
Fig. 4 Measure, measure, measure
I hope you enjoyed this brief journey through automation, PowerShell, REST APIs, and value stream mapping. Please share your thoughts and feedback in the comments.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/2/devops-automation
Author: [Willy-Peter Schaub][a]
Topic selection: [lujun9972][b]
Translator: [译者ID](https://github.com/译者ID)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was originally compiled by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux中国](https://linux.cn/)
[a]: https://opensource.com/users/wpschaub
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/cicd_continuous_delivery_deployment_gears.png?itok=kVlhiEkc (CICD with gears)
[2]: http://www.donovanbrown.com/post/what-is-devops
[3]: https://opensource.com/sites/default/files/uploads/devops_quest_to_automate_1.png (Manual process to switch user license)
[4]: https://opensource.com/sites/default/files/uploads/the_devops_quest_to_automate_everything_automatable_using_powershell_picture_2.png (Semi-automated PowerShell-based process to switch user license)
[5]: https://opensource.com/article/19/8/variables-powershell
[6]: https://github.com/powershell/powershell
[7]: https://docs.microsoft.com/en-us/azure/devops/user-guide/what-is-azure-devops?view=azure-devops
[8]: https://docs.microsoft.com/en-us/rest/api/azure/devops/?view=azure-devops-rest-5.1
[9]: https://opensource.com/sites/default/files/uploads/devops_quest_to_automate_3.png (Fully automated PowerShell-based process to switch user license)
[10]: https://opensource.com/sites/default/files/uploads/devops_quest_to_automate_4.png (Graph to visualize progress)

[#]: collector: (lujun9972)
[#]: translator: (Morisun029)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Top CI/CD resources to set you up for success)
[#]: via: (https://opensource.com/article/19/12/cicd-resources)
[#]: author: (Jessica Cherry https://opensource.com/users/jrepka)
Top CI/CD resources to set you up for success
======
With organizations looking to achieve seamless, flexible, and scalable deployments, continuous integration and continuous deployment were key topics in 2019.
![Plumbing tubes in many directions][1]
2019 was a great year for CI/CD and DevOps. Opensource.com authors shared how they are moving toward agile as they focus on seamless, flexible, and scalable deployments. Here are some of the big themes in the CI/CD articles we published in 2019.
### Learning and improving your CI/CD skills
Some of our favorite articles focus on hands-on CI/CD experience and cover a lot of ground. The usual place to start is with [Jenkins][2] pipelines, and Bryant Son's [Building CI/CD pipelines with Jenkins][3] will give you enough experience to start building your first pipeline. Daniel Oh's [Automate user acceptance testing with your DevOps pipeline][4] provides important information on acceptance testing, including various CI/CD applications you can use for testing in its own right. My own [Security scanning your DevOps pipeline][5] is very short; its key point is a tutorial on how to set up security in a pipeline using the Jenkins platform.
### Delivery workflow
Willy-Peter Schaub extols the idea of creating a unified pipeline for all products, so that [each product is built consistently in one CI/CD pipeline to rule them all][8]. These articles will give you a better sense of what happens after team members join the workflow process.
### How CI/CD affects the business
2019 was also a year of recognizing the business impact of CI/CD and how it affects day-to-day operations.
Agnieszka Gancarczyk shared the results of Red Hat's [Small Scrum vs. Large Scrum][9] survey, including respondents' differing views on scrums, the agile movement, and its effect on teams. Will Kelly's [How continuous deployment impacts the organization][10] covers the importance of open communication, and Daniel Oh also emphasizes the importance of metrics and observability in [3 types of metric dashboards for DevOps teams][11]. Finally, Ann Marie Fred's excellent article [Don't test in production? Test in production!][12] details the importance of testing in production before acceptance testing.
Thanks to the many contributors who shared their insights with Opensource.com readers in 2019; I look forward to learning more from them about CI/CD developments in 2020.
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/12/cicd-resources
Author: [Jessica Cherry][a]
Topic selection: [lujun9972][b]
Translator: [Morisun029](https://github.com/译者ID)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was originally compiled by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux中国](https://linux.cn/)
[a]: https://opensource.com/users/jrepka
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/plumbing_pipes_tutorial_how_behind_scenes.png?itok=F2Z8OJV1 (Plumbing tubes in many directions)
[2]: https://jenkins.io/
[3]: https://opensource.com/article/19/9/intro-building-cicd-pipelines-jenkins
[4]: https://opensource.com/article/19/4/devops-pipeline-acceptance-testing
[5]: https://opensource.com/article/19/7/security-scanning-your-devops-pipeline
[6]: https://opensource.com/article/19/3/screwdriver-cicd
[7]: https://opensource.com/article/19/8/why-spinnaker-matters-cicd
[8]: https://opensource.com/article/19/7/cicd-pipeline-rule-them-all
[9]: https://opensource.com/article/19/3/small-scale-scrum-vs-large-scale-scrum
[10]: https://opensource.com/article/19/7/organizational-impact-continuous-deployment
[11]: https://opensource.com/article/19/7/dashboards-devops-teams
[12]: https://opensource.com/article/19/5/dont-test-production

[#]: collector: (lujun9972)
[#]: translator: (HankChow)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How to stop typosquatting attacks)
[#]: via: (https://opensource.com/article/20/1/stop-typosquatting-attacks)
[#]: author: (Sam Bocetta https://opensource.com/users/sambocetta)
How to stop typosquatting attacks
======
> Typosquatting is a way of luring users into disclosing sensitive data to criminals. Against this kind of attack, it is worth understanding how to protect our organizations, our open source projects, and ourselves.
![Gears above purple clouds][1]
Beyond conventional methods, criminals also use social engineering to try to get people with weaker security awareness to disclose private information or valuable credentials. The essence of many [phishing scams][2] is that the attacker impersonates a reputable company or organization and then uses that disguise to distribute viruses or malware at scale.
[Typosquatting][3] is one commonly used technique. It is a social engineering attack that uses misspelled URLs of legitimate websites to lure users to malicious sites; this both damages the reputation of the genuine site and tricks users into submitting sensitive personal information to those malicious sites. Site administrators and users alike should therefore be aware of the risks this problem brings and take measures to protect themselves.
Open source software maintained by many developers in public code repositories is generally considered to have a security advantage, but when facing social engineering attacks or malware injection, open source software also needs to take care to avoid harm.
Let's look at the trends in typosquatting attacks and the impact this kind of attack may have on open source software in the future.
### What is typosquatting?
Typosquatting is a specific cybercrime technique, usually backed by a phishing scam. Criminals first buy and register domain names, and the domains they register are usually misspelled forms of a commonly used website, for example adding an extra vowel to the correct spelling, or replacing the letter "i" with the letter "l". For a single legitimate domain, criminals usually register dozens of misspelled variants.
Once a user visits such a domain, the criminal's goal is already half achieved. To get there, they induce users to visit these forged domains through email. The page a forged domain points to usually carries a simple login form, along with the logo of the site being imitated, to make the user believe as far as possible that they are visiting the correct site.
If the user does not see through the scam and submits sensitive information such as card numbers, usernames, and passwords on that page, the data falls completely into the criminals' hands. Further, if the user has used the same username and password on other sites, those are at risk of being affected as well. The victim may ultimately face identity theft, a damaged credit record, and other dangers.
### Some recent cases
From the site owner's perspective, being targeted by a typosquatting attack can bring a public relations crisis. Although the domain owner took no part in the crime, it will be seen as a management failure, because the domain owner has a responsibility to proactively defend against typosquatting so that this kind of fraud does not occur.
[One case][4] a few years ago saw many health insurance customers receive a phishing email pointing to we11point.com, in which the correct letter "l" in the URL was replaced with the digit "1", causing a number of users to become victims of the attack.
Originally, country-specific top-level domains could not be registered freely. After international domain rules later relaxed this restriction, a new wave of typosquatting attacks arose. For example, one of the most common tricks is to register a .om domain resembling a .com domain; if the letter c is accidentally left out when typing the URL, criminals get their opportunity.
### How sites can defend against typosquatting
For a company, the best strategy is always to stay one step ahead of typosquatting attacks.
That is, when registering domains, register not only the domain for your brand name but preferably also the other domains that could arise from spelling mistakes. Of course, there is no great need to register every top-level domain that could lead to errors, but at least grab the first-level domains that could.
If you need to send users to a third-party site, make sure they go there from your official site rather than being told the URL through something like a mass email. So establish a clear policy: in communications with users, never direct them anywhere outside the official site. That way, if a criminal tries to publish false messages in your company's name, users will notice something is off from the unusual page or URL.
You can use an open source tool like [DNS Twist][5] to scan the domains your company uses; it determines whether similar domains have already been registered, exposing potential typosquatting attacks. DNS Twist runs on Linux through a series of shell commands.
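The kind of scan DNS Twist performs, as an added Python example for a domain you own (not DNS Twist's own code): enumerate the misspellings the article describes (dropped letter, extra vowel, "i"/"l"/"1" confusables, .com typed as .om) and report which are already registered. The `lookalikes` and `registered_lookalikes` names, the extra o -> 0 substitution, and `CONSTRUCTED_REGISTRY` are assumptions; the registry is a constructed in-memory set so the example runs offline, with `resolves()` showing the DNS check a real scan would use instead.

```python
"""Added example (not DNS Twist's code): enumerate lookalikes of a domain you own
and report which of them are already registered.

The registry lookup is a constructed in-memory set so the example runs offline;
resolves() shows the real check a scan would plug in instead."""
import socket
from typing import Callable, List, Set

VOWELS = "aeiou"
# Confusable substitutions from the article (i -> l, l -> 1) plus o -> 0 (assumption).
HOMOGLYPHS = {"i": "l", "l": "1", "o": "0"}


def lookalikes(domain: str) -> Set[str]:
    """Candidate misspellings of `domain` (second-level label + TLD, e.g. example.com)."""
    name, tld = domain.lower().rsplit(".", 1)
    variants: Set[str] = set()
    # Omission: one character of the name dropped (exmple.com).
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Extra vowel inserted at any position (exaample.com).
    for i in range(len(name) + 1):
        for v in VOWELS:
            variants.add(f"{name[:i]}{v}{name[i:]}.{tld}")
    # Homoglyphs: each occurrence alone, and all occurrences at once (we11point.com).
    for ch, sub in HOMOGLYPHS.items():
        for i, c in enumerate(name):
            if c == ch:
                variants.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
        if ch in name:
            variants.add(f"{name.replace(ch, sub)}.{tld}")
    # TLD with one character dropped (.com -> .om, .cm, .co).
    for i in range(len(tld)):
        variants.add(f"{name}.{tld[:i]}{tld[i + 1:]}")
    variants.discard(domain.lower())
    return variants


def resolves(domain: str) -> bool:
    """Real-world check: a lookalike that resolves in DNS is registered and live.
    Not used by the offline demo below."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


def registered_lookalikes(domain: str, is_registered: Callable[[str], bool]) -> List[str]:
    """The defender's report: which lookalikes of our own domain already exist."""
    return sorted(v for v in lookalikes(domain) if is_registered(v))


# Constructed stand-in for DNS: pretend exactly these names are registered.
CONSTRUCTED_REGISTRY = {"wellpoint.com", "we11point.com", "wel1point.com", "wellpoint.om"}

if __name__ == "__main__":
    hits = registered_lookalikes("wellpoint.com", lambda d: d in CONSTRUCTED_REGISTRY)
    for hit in hits:
        print("lookalike already registered:", hit)
```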
Some network providers also offer typosquatting protection as part of their network products. This amounts to an extra layer of protection: if a user accidentally types a misspelled URL, they are shown a notice that the page has been blocked and are redirected to the correct domain.
If you are a system administrator, you can also consider running your own [DNS server][6] so that access to certain domains can be blocked through a blacklist.
You can also monitor your site's traffic closely: if users from a particular region are collectively redirected to a fake site, traffic will drop sharply. This is another effective angle for detecting typosquatting attacks.
Defending against typosquatting, like defending against any other network attack, requires staying vigilant. All users expect the site owner to clear away the fake sites that resemble the real one; if this work is not done well, users' trust in you will deteriorate.
### The impact of typosquatting on open source software
Because the source code of open source projects is public, most of them undergo security and penetration testing. But mistakes cannot be avoided entirely, and if you take part in an open source project there are still things to watch for.
When you receive a merge request or patch from an unknown source, you must review it carefully before merging, especially when the code involved touches the network layer. Be sure to inspect and test rigorously to ensure no malicious code is mixed into the normal code.
At the same time, use domain names strictly and correctly, to prevent criminals from creating fake download sites that serve software carrying malicious code. You can use a digital signature, as shown below, to ensure your software has not been tampered with:
```
gpg --armor --detach-sig \
    --output advent-gnome.sig \
    example-0.0.1.tar.xz
```
And provide a checksum of the file you distribute:
```
sha256sum example-0.0.1.tar.xz > example-0.0.1.txt
```
Whether or not your users make use of these security measures, you should provide this necessary information, because it only takes one person noticing a signature anomaly to sound the alarm for you.
### Summary
Humans inevitably make mistakes. When millions of people around the world type the same URL, someone will misspell it. Criminals exploit exactly this weakness to carry out typosquatting attacks.
Completely eradicating typosquatting by grabbing domains is not realistic either; we should focus more on how this attack spreads in order to reduce its effect on us. The best protection is to build trust with users and actively detect the potential risk of typosquatting attacks. As an open source community, we should all the more unite to counter typosquatting together.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/stop-typosquatting-attacks
Author: [Sam Bocetta][a]
Topic selection: [lujun9972][b]
Translator: [HankChow](https://github.com/HankChow)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was originally compiled by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux中国](https://linux.cn/)
[a]: https://opensource.com/users/sambocetta
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/chaos_engineer_monster_scary_devops_gear_kubernetes.png?itok=GPYLvfVh (Gears above purple clouds)
[2]: https://www.cloudberrylab.com/resources/guides/types-of-phishing/
[3]: https://en.wikipedia.org/wiki/Typosquatting
[4]: https://www.menlosecurity.com/blog/-a-new-approach-to-end-typosquatting
[5]: https://github.com/elceef/dnstwist
[6]: https://opensource.com/article/17/4/build-your-own-name-server