I’m not an open source guy - redistribution restrictions (as well as restrictions for corporate and commercial use) are non negotiable for me. You’re welcome to learn from the source code, and anyone is free to fork and make whatever changes they want for personal use.

The license history for this project goes MIT > PolyForm Strict > Forked PolyForm Strict to explicitly allow changes for personal use (named as the “Komorebi” license as changing the text of PolyForm licenses requires removal of the PolyForm trademark).

If anyone is interested in the story behind the initial MIT > PolyForm Strict switch, the tl;dr is that I decided to explicitly restrict redistribution after someone did a rename of the project and started selling it on the Windows Store. A lot has happened since then that has changed my views on open source in general.

non-standard

OSI licenses are not “standard” by any stretch of the imagination, and I personally don’t want to have anything to do with licenses which would permit the use of my software in the mass murder of children.

tl;dr all the same caveats with self-hosted software apply; don’t do anything you wouldn’t do with a self hosted database or monitoring stack.

Well the actual rules — who gets access to what

The rules themselves are the same public rules in the IAM docs on AWS, GCP etc., while the collections of these public rules (eg. the storage_analytics_ro example in the README) defined at the org level will likely be stored in two ways: 1) in a (presumably private) infra-as-code repo most probably using the Terraform provider or a future Pulumi provider, 2) the data store backing the service which I talk about more below.

“Who received access to what” is something that is tracked in the runtime logs and audit logs, but as this is a temporary elevated access management solution where anyone who is given access to the service can make a request that can be approved or denied, this is not the right place or tool for a general long-lived least-privilege mapping of “this rule => this person/this whole team”.

where is that stored and how is it secured, to what standards?

This is largely up to the the team responsible for the implementation and maintenance, just like it would be for a self-hosted monitoring stack like Prom + Grafana or a self-hosted PostgreSQL instance; you can have your data exposed through public IPs, FQDNs and buckets with PostgreSQL or Prom + Grafana, or you can have them completely locked down and only available through a private network, and the same applies with Satounki.

Is there logging, audit, non-repudiation, tamper-proof, time-stamping etc.

Yes, yes, yes, yes and yes, though the degree of confidence in each of these depends to some degree on the competence of the people responsible for the implementation and the maintenance of the service as is the case with all things self-hosted.

If deployed in an organization which doesn’t adhere to at least a basic least-privilege permissions approach, there is nothing stopping a bad internal actor with Administrator permissions wherever this is deployed from opening up the database directly and making whatever malicious changes they want.

What sort of sensitive data are you imagining in your reading of the README? It would be useful to understand to update the language appropriately 🙏

Thanks! Turns out I have a lot more time on my hands to be found around the internet since I got laid off last month 😅

This looks cool! It’s not packaged on nixpkgs yet so I might package it and then try to selfhost 👀

I wish I had more advice, but I’m in a similar boat, just got laid off earlier this month after being with the same company from Series A in 2018 all the way until today. I’m sending job applications and trying to get interviews, but it’s hard to get past the resume screening stage, even with 8+ years of experience.

I’ve mainly been working in DevOps/SRE/Platform Infrastructure, but I am also an accomplished developer with a pretty thick portfolio of widely used open source projects, though it doesn’t seem to matter.

There are so many applicants for every single job now that it feels hopeless, and of course every single opening wants you to waste your time on multiple asinine LeetCode gotcha questions.

If I lived somewhere with a public health system I’d love to take what money I have saved up and open a traditional middle eastern bakery, but I need to do something that will bring health coverage for myself and my family. Who knows, I might just end up working at Trader Joe’s. 🤷‍♀

I think it’s a stack that really pays off in the long run for solo projects. After a long week of work the last thing I want to do is go tracking down runtime errors (undefined is not a function, my old friend) or messing around with Docker containers and Kubernetes clusters. It also doesn’t hurt that once you throw away the costly deployment abstractions, the operating expenses turn out to be a lot cheaper.

I actually stayed there (I’m still there); just finished taking my 2 month paid sabbatical, I now have an 8 hour time zone difference with most engineers so I get to work on my own without distractions, and I have a strong policy of not developing anything bespoke and only plugging together off-the-shelf components (I specialize in Platform and Infrastructure).

With the mindset shift, it’s actually a pretty relaxing job. I make $180k, which isn’t the best salary, but also far from the worst, and I have both an abundance of time and very little oversight (amplified with the timezone difference now that I’m in the US) which means that I can use that salary to pursue things that I am interested in, spend time with my family etc.

I definitely thought about quitting at the time, but visa restrictions (I had just arrived in the US on an L1-B visa which is non-transferable) meant that I couldn’t. Now I’m a permanent resident, so I could leave if I wanted to, but I think that “quiet quitting” is still the right choice for where I’m at in my life.

A few years ago, back when I still gave a damn (and probably during my most productive quarter in my entire professional career), somebody complained that my language was too curt on Slack, and I was a denied a 20k performance bonus as a result. It was pretty easy to not care after that.

If you see links that you find interesting, throw them into kulli.sh, and you get back a consolidated comment feed of every Lemmy community it is being discussed in. You can take a look at the kind of comments and discussions in different communities and see if there are any that have the sort of vibe that you’re looking for and then go ahead and subscribe!

More and more lulls with more and more years of experience. I hit the gym more, socialize more, cook more extravagantly, take walks more often etc. The most important thing was to train myself to not give a damn when people were making stupid decisions at work that were going to bite them N months down the line during those lulls.