Write-Whatever-Comes-to-Mind Weekly, Issue 2 - 2017-10-08
Golang 1.8.4 and 1.9.1 Released
Two security issues were fixed:
The first: `go get` now refuses to run a VCS checkout found inside another version control repository (git submodules excepted).
By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the “go get” command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git). The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues. Thanks to Simon Rawet for the report.
The second concerns the smtp package sending PlainAuth credentials over non-TLS connections.
In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims. This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues. Thanks to Stevie Johnstone for the report.
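The fixed behaviour is easy to reproduce in a wrapper: refuse to start PLAIN authentication unless the connection is TLS or the peer is loopback, regardless of what the server advertises in its AUTH capabilities. The snippet below is an added example written for this newsletter, not the Go standard library's own code; the host names and credentials are constructed, no network connection is made, and `GuardedPlainAuth`, `TryStart` and `isLocalhost` are names chosen here. The same guard can wrap any `smtp.Auth` implementation, which is useful for custom LOGIN or XOAUTH2 mechanisms that the stdlib fix does not cover.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// guardedAuth wraps an smtp.Auth and refuses to start authentication over
// an unencrypted connection to anything other than localhost.
// (Example code, not the standard library's implementation.)
type guardedAuth struct {
	inner smtp.Auth
}

// isLocalhost lists the loopback names treated as safe without TLS.
func isLocalhost(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

// Start enforces the check before delegating to the wrapped mechanism.
// When server.TLS is false nothing in ServerInfo can be trusted, including
// server.Auth: a man-in-the-middle can advertise PLAIN simply to be handed
// the password, so the advertised mechanisms are deliberately ignored here.
func (g guardedAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("refusing PLAIN auth over unencrypted connection")
	}
	return g.inner.Start(server)
}

// Next passes any server challenge straight through to the wrapped mechanism.
func (g guardedAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return g.inner.Next(fromServer, more)
}

// GuardedPlainAuth builds a stdlib PlainAuth protected by the guard above.
func GuardedPlainAuth(identity, username, password, host string) smtp.Auth {
	return guardedAuth{inner: smtp.PlainAuth(identity, username, password, host)}
}

// TryStart simulates the state a client would see after EHLO (optionally
// after STARTTLS) and reports the mechanism chosen or the refusal error.
func TryStart(auth smtp.Auth, name string, tls bool) (string, error) {
	info := &smtp.ServerInfo{Name: name, TLS: tls, Auth: []string{"PLAIN"}}
	proto, _, err := auth.Start(info)
	return proto, err
}

func main() {
	// Constructed credentials and host names for the demonstration.
	remote := GuardedPlainAuth("", "alice", "hunter2", "mail.example.com")
	local := GuardedPlainAuth("", "alice", "hunter2", "localhost")
	cases := []struct {
		auth smtp.Auth
		name string
		tls  bool
	}{
		{remote, "mail.example.com", false}, // interceptable: refused
		{remote, "mail.example.com", true},  // TLS: credentials sent
		{local, "localhost", false},         // loopback without TLS: allowed
	}
	for _, c := range cases {
		proto, err := TryStart(c.auth, c.name, c.tls)
		fmt.Printf("name=%s tls=%v -> proto=%q err=%v\n", c.name, c.tls, proto, err)
	}
}
```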
A Decade of Dynamo: Powering the next wave of high-performance, internet-scale applications
http://www.allthingsdistributed.com/2017/10/a-decade-of-dynamo.html
An article by Werner Vogels marking the tenth anniversary of Amazon Dynamo.
- In 2004 Amazon began hitting the limits of its Oracle databases; a deep investigation found that 70% of data access was key-value style, with each operation returning a single row, and 20% of operations returned multiple rows, all from the same table.
- They then began designing a Dynamo prototype around their own needs: Our goal was to build a database that would have the unbounded scalability, consistent performance and the high availability to support the needs of our rapidly growing business.
- The paper was published at SOSP in 2007.
- They then decided to offer it as a cloud service, strengthening and improving it in many areas before launch.
- In January 2012, DynamoDB was officially launched on the public cloud.
Many large companies now use DynamoDB to store critical data, including Lyft, Tinder, Comcast and BMW.
Amazon Linux AMI 2017.09 Released
https://aws.amazon.com/blogs/aws/now-available-amazon-linux-ami-2017-09/
Amazon has updated the Linux AMI to 2017.09. The main features are:
- Kernel upgraded to 4.9.51
- Amazon SSM Agent installed by default
- Python upgraded to 3.6
- Ruby upgraded to 2.4
- OpenSSL upgraded to 1.0.2k
- HTTP/2 support: the bundled httpd24, nginx and curl packages support HTTP/2
- Postgres upgraded to 9.6, MySQL upgraded to 5.7
- OpenMPI upgraded to 2.1.1
- Other package upgrades
Things Go Better With Step Functions
https://aws.amazon.com/blogs/aws/things-go-better-with-step-functions/
A case study of how Coca-Cola used Step Functions to cut the cost of a loyalty-points system. Coca-Cola originally implemented the mobile-payment points logic as a single Lambda function that waited 90 seconds in the middle; the wait was needed because a legacy back end had to be called to settle the billing. Lambda is billed by execution time, so those 90 seconds of waiting were pure wasted money. Coca-Cola then moved to Step Functions, splitting the Lambda function into a state machine with three state transitions (start -> wait -> points -> end), so the Lambda function no longer has to sleep. The cost of the 90-second wait became the cost of a few state transitions, which saved money.