
feed does not validate

Open soma-kurisu opened this issue 7 months ago • 1 comments

Description

gvisor's blog page announces an invalid RSS feed. The feed's URI is https://gvisor.dev/blog/index.xml.

Steps to reproduce

Tried to open feed in Thunderbird and W3C's feed validation service. W3C's feed validation service reports multiple issues. To reproduce the issues visit: https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml.

Here's a sample of the validation output:

This feed does not validate.

[line 1](https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml#l1), column 337: id must be a full and valid URL: /blog/index.xml [[help](https://validator.w3.org/feed/docs/error/InvalidFullLink.html)]

    ... 07:42-05:00</updated><id>/blog/index.xml</id><entry><title type="html">O ...
                                                 ^

[line 1](https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml#l1), column 38: Missing feed element: title [[help](https://validator.w3.org/feed/docs/error/MissingElement.html)]

    <?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/At ...
                                          ^

[line 1](https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml#l1), column 647: id must be a full and valid URL: /blog/2024/02/01/seccomp (10 occurrences) [[help](https://validator.w3.org/feed/docs/error/InvalidFullLink.html)]

    ... 00</updated><id>/blog/2024/02/01/seccomp</id><content type="html" xml:ba ...
                                                 ^

In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

[line 1](https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml#l1), column 224: Relative href value on self link: /blog/index.xml [[help](https://validator.w3.org/feed/docs/warning/RelativeSelf.html)]

    ... el="self" type="application/atom+xml" /><link href="/" rel="alternate" t ...
                                                 ^

style attribute contains potentially dangerous content: max-width (21 occurrences) [[help](https://validator.w3.org/feed/docs/warning/DangerousStyleAttr.html)]

    &lt;a href=&quot;https://gvisor.dev/issue&quot;&gt;issue on Github&lt;/a&gt; ...

[line 1765](https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgvisor.dev%2Fblog%2Findex.xml#l1765), column 0: Invalid HTML: Unexpected character in comment found. [[help](https://validator.w3.org/feed/docs/warning/NotHtml.html)]

    &lt;/div&gt;</content><author><name>ayushranjan</name></author><summary type ...

Source: https://gvisor.dev/blog/index.xml

    <?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.0">Jekyll</generator><link href="/blog/index.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2024-07-16T19:07:42-05:00</updated><id>/blog/index.xml</id><entry><title type="html">Optimizing seccomp usage in gVisor</title><link href="/blog/2024/02/01/seccomp/" rel="alternate" type="text/html" title="Optimizing seccomp usage in gVisor" /><published>2024-02-01T00:00:00-06:00</published><updated>2024-02-01T00:00:00-06:00</updated><id>/blog/2024/02/01/seccomp</id><content type="html" xml:base="/blog/2024/02/01/seccomp/">&lt;p&gt;gVisor is a multi-layered security sandbox. &lt;a href=&quot;https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html&quot;&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;seccomp-bpf&lt;/code&gt;&lt;/a&gt; is
    gVisor’s second layer of defense against container escape attacks. gVisor uses
    &lt;code class=&quot;highlighter-rouge&quot;&gt;seccomp-bpf&lt;/code&gt; to filter its own syscalls by the host kernel. This significantly
    reduces the attack surface to the host that a compromised gVisor process can
    access. However, this layer comes at a cost: every legitimate system call that
    gVisor makes must be evaluated against this filter by the host kernel before it
    is actually executed. &lt;strong&gt;This blog post contains more than you ever wanted to
    know about &lt;code class=&quot;highlighter-rouge&quot;&gt;seccomp-bpf&lt;/code&gt;, and explores the past few months of work to optimize
    gVisor’s use of it.&lt;/strong&gt;&lt;/p&gt;

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

soma-kurisu Jul 17 '24 08:07
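
The three structural findings in the validator output above (missing feed `title`, relative `id` values, relative `rel="self"` link) can be reproduced offline with a short check. This is an added example, not part of the original issue or of the gVisor project; the sample feed is constructed from the quoted excerpt (shortened), and `check_atom` and `is_absolute` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample, modelled on the excerpt quoted in the issue (shortened).
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <link href="/blog/index.xml" rel="self" type="application/atom+xml" />
  <link href="/" rel="alternate" type="text/html" />
  <updated>2024-07-16T19:07:42-05:00</updated>
  <id>/blog/index.xml</id>
  <entry>
    <title type="html">Optimizing seccomp usage in gVisor</title>
    <link href="/blog/2024/02/01/seccomp/" rel="alternate" type="text/html" />
    <updated>2024-02-01T00:00:00-06:00</updated>
    <id>/blog/2024/02/01/seccomp</id>
  </entry>
</feed>"""


def is_absolute(value):
    """True when value carries a scheme, e.g. https://... or urn:uuid:..."""
    return bool(value) and bool(urlparse(value.strip()).scheme)


def check_atom(xml_text):
    """Return a list of (kind, detail) findings for an Atom feed document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    # RFC 4287: atom:feed and atom:entry each need a title and an absolute IRI as id.
    for node in [root] + root.findall(ATOM + "entry"):
        name = node.tag.replace(ATOM, "")
        if node.find(ATOM + "title") is None:
            findings.append(("missing-title", name))
        ident = node.findtext(ATOM + "id")
        if not is_absolute(ident):
            findings.append(("invalid-id", ident))
    # The validator reports this one as a warning: rel="self" should be absolute.
    for link in root.findall(ATOM + "link"):
        if link.get("rel") == "self" and not is_absolute(link.get("href")):
            findings.append(("relative-self", link.get("href")))
    return findings


if __name__ == "__main__":
    for kind, detail in check_atom(SAMPLE_FEED):
        print(f"{kind}: {detail}")
```

Running a check like this in the site build would fail the build before a feed with relative identifiers is published.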