Hacker News | zekrioca's comments


> even if it increased emissions

And shift the health and environmental issues to other places?


Loved the name!


username checks out ;)


lol exactly :)


(Embraer), which Boeing tried to buy, but the deal was reverted due to the failure of the 737 MAX.


Wait, what? How did that cause the deal to fall apart?

(I was actually under the impression this acquisition had happened until a few minutes ago)


I thought that too. From Wikipedia:

> in April 2020 Boeing terminated the joint venture deal due to impact of the 2019–20 coronavirus pandemic on aviation and market uncertainty. Embraer alleges that the financial impact of the Boeing 737 MAX groundings contributed to the demise of the deal

So, the deal was broken before both governments had time to decide if they allowed it.

(I do remember some of Embraer clients canceling orders in 2020. AFAIK, they are still bottlenecked by their manufacturing capacity.)


Didn't it look like the Brazilian government was almost 100% going to have it called off because of the "hit" to national reputation? (losing one of its largest and most internationally famous powerhouses)


It didn't look that way to me. But then, I'm not good at guessing this.


Why not?


This doesn’t answer the question. How were VMs designed with security in mind and not with host emulation? Untrusted code? I’m confused, people are talking about vulnerabilities.


VMs don’t share the kernel with the host. Any host escape would need to happen through a device driver exposed to the guest (virtio, etc.). Containers use the same kernel, obviously a much larger set of code. More code means a greater chance of vulnerabilities.


How do you think the VM itself is spawned? Something in the host instantiates it. But even if we ignore that, I would argue that concentrating on one location only (e.g., some exposed driver) to escape is also easier, since an attacker would need to spend time finding only one vulnerability rather than several.

I think the hardware can help bridge the gap between containers and VMs by enabling userspace processes to behave as VMs, which is more or less what QEMU+KVM try to do, except that it still comes with some overheads and less flexibility.


I have to disagree. With a VM, there is less code shared with the host to review and audit for vulnerabilities. The developers can go over those device drivers, system calls for VM management, etc. with a fine-tooth comb. With containers, you have essentially the entire kernel, much more surface area to potentially exploit.

Maybe I am wrong. We can wait for a security professional to comment.


When you switch between VMs and the host, the CPU executes an instruction to isolate the data of each VM entirely (flushing caches). This doesn't happen with containers.


Although this feature does improve security, it is due to the CPU, not the VM, and the main idea was to reduce performance overheads. I do not see adding layers and layers of abstraction as the same as being more secure. In fact, Meltdown and Spectre serve as counter-examples.

Also, one can achieve similar effects with containers as well, just think AppArmor, capabilities, permissions, etc., all layers of administrative privileges between some untrusted code and the host.


There is nothing you can do in the OS that replaces the VMENTER instruction. You need this precisely because it mitigates Spectre and Meltdown, assuming your microcode is up to date.



Nice explanation, thanks!

Did you mean Spivak, Michael [1]?

[1] https://en.wikipedia.org/wiki/Michael_Spivak


Yes, and this book: https://openlibrary.org/books/OL28292750M (no opinion about differences between the editions, this is the final one). Yes, it’s a doorstopper, but unlike most other people’s attempts at the kitchen sink that is the traditional calculus course, it actually affords proper respect to the half-dozen or so different subjects whose basics are crammed in there. The discussion of associativity I was referring to is in Chapter 1, so perhaps it can serve as a taster.


Couldn’t agree more.


Don’t forget that the mining efficiency improvements are reaching their limits, regardless of whether they keep creating new ASICs for it.

