Hacker News: rozumbrada's comments

Not possible if your clients are not stupid. Any company with SOC2 and <5 people is a red flag.

You might find auditors that would go along but any reasonable client will check your SOC2 report and quality of your auditors.

SOC2 requires tons of paperwork, management, and separation of duties, along with mandatory roles in your company - never feasible in a one-man show.


I've seen a small company do a SOC2 where the "CEO" seems to be the only actual employee.

It's a lot of paperwork, but it is supposed to scale with company size, so you could dispense with a lot of the separation if the CEO accepts the risks and perhaps relies on a fair amount of external systems that are already certified and has some contractors for specific tasks, etc.


So that means that solo entrepreneurs can't sell apps to big enterprises due to SOC2 limitations? I think that is not fair.


It’s a disadvantage for sure but not usually a blocker.

They often have security questionnaires you can complete instead. Or, as part of signing with them, you can promise to get SOC2 by x date (which will hopefully be easier with the funds from an enterprise contract).

I’d recommend looking online at some example security questionnaires or the types of things SOC2 covers and writing an internal security doc for yourself so you know your position on everything and don’t have to scramble when it comes to it.


Thank you for your comment!


You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.

Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.

If the potential customer makes 'has SOC2' a requirement, then that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.


Like it or not, having a bus factor of 1 is a pretty big risk. You are a giant single-point-of-failure, which means that operations-wise you are a far riskier option to your customers than a significantly larger competitor.


Big enterprise SOC2 gates are generally not real. In the limit, if you have a real deal with a real economic buyer who is actually sold on your product, you can do a conditional PO on your Type I (your Type I is automatic and can issue in a matter of weeks), but that really feels like more of a 2018 concern at this point; it's been a while since I talked to anyone who truly had to SOC2 to close a sale.

It's important to really understand how unserious SOC2 is.


As the other respondent says, it's tricky but not impossible. We're a small custom shop, too small to have all the roles required; all of our software is open-source (Github/Codeberg), and we neither store nor process any customer data or PII. Almost every single item that SOC2 and similar are supposed to cover is a bad miss - https://www.youtube.com/watch?v=Utxu7pI8CeU. Not only do most things not apply to us, but some are completely nonsensical, such as what physical and IT security measures we apply to keep our code confidential.

At the moment things look a bit uncertain, we're both going to run into more and more situations like this but also hopefully lawmakers will eventually realise that this stuff just doesn't work for OSS code and orgs.


It isn’t fair, but few rackets are.


I have read this exact comment, with what I would say are completely the same words, several times on X, and I would bet my money it's LLM generated by someone who has not even tried both the tools. This AI slop, even on a site like this without direct monetisation implications from fake engagement, is making me sick...


Finally... We had two days without a large outage; I started to worry a little.


This is why I go to hackernews every day <3


If you finally decided to support proper server-side middleware, why is there still a limitation of only one middleware function and not a chain of middlewares, as every other sane server implementation offers?


Consider middleware.ts as a root middleware. Nothing is stopping you from creating your own chain (which is trivial) in there. I mean, that would eventually work the same if nextjs implemented that feature — there would be a root somewhere.


That doesn't answer parent's question.

People expect "middleware" to mean a certain thing and work a certain way.


  middleware = fn(req) → next(req).

express/koa give you the use() chain. next.js gives you one root, but nothing stops you from chaining yourself. same semantics, just manual wiring.

  // A middleware either returns its own Response or whatever next() produced.
  type mw = (req: Request, next: () => Response) => Response;

  const logger: mw = (req, next) => {
    console.log(req.url);
    return next();
  };

  const auth: mw = (req, next) => {
    if (!req.headers.get("x-auth")) return new Response("forbidden", { status: 403 });
    return next();
  };

  // Fold from the right: the accumulator is the "rest of the chain" as a
  // zero-argument function, starting from the terminal "ok" response.
  function chain(mws: mw[]) {
    return (req: Request) =>
      mws.reduceRight((next, mw) => () => mw(req, next), () => new Response("ok"))();
  }

  export function middleware(req: Request) {
    return chain([logger, auth])(req);
  }

root is given, chain is trivial. that’s middleware.


Nothing trivial about that implementation in my mind - you need to keep track of where middleware is registered, and reduceRight is non-obvious.

I expect these things to be standardized by the framework and all the sharp edges filed off - that's why I go to a framework in the first place.


The reduceRight is just a bit of cute FP code golf. All it’s saying is that chaining an empty list of middleware yields an ‘OK’ response, and that the first middleware is passed a function which, when called, executes the remaining middleware chain, and so on. It would be obvious enough if written out as a for loop, or via direct recursion.

(My username has never been more appropriate!)
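The chain from the comments above, written out as explicit recursion instead of reduceRight, as an added example that is not part of the thread or of Next.js. It uses plain objects in place of the Fetch API's Request/Response so it runs stand-alone; the "x-auth" header, its expected value, and the double-next() guard are assumptions made for the example. Beyond the posted code, it also shows why ordering matters (auth before logging means rejected probes never reach downstream middleware) and that a middleware which calls next() twice is rejected rather than silently continuing.

```typescript
// Added example, not code from the thread: the comment's middleware chain
// rewritten as explicit recursion instead of reduceRight. Plain objects
// stand in for the Fetch API's Request/Response so it runs anywhere; the
// "x-auth" header and its expected value are assumptions for the example.

export interface Req { url: string; headers: Record<string, string>; }
export interface Res { status: number; body: string; }

// A middleware must return a Res: its own, or whatever next() produced.
// The type therefore rules out silently "falling through" without responding.
export type Mw = (req: Req, next: () => Res) => Res;
export type Handler = (req: Req) => Res;

// run(i) executes mws[i] with a next() that runs mws[i + 1]; after the
// last middleware, next() runs the terminal handler. Same semantics as the
// reduceRight version, just spelled out.
export function chain(mws: Mw[], handler: Handler): Handler {
  return (req) => {
    const run = (i: number): Res => {
      if (i === mws.length) return handler(req);
      let called = false;
      const next = (): Res => {
        // Calling next() twice is a classic middleware bug (e.g. sending a
        // response and then also continuing down the chain); fail loudly.
        if (called) throw new Error(`middleware #${i} called next() twice`);
        called = true;
        return run(i + 1);
      };
      return mws[i](req, next);
    };
    return run(0);
  };
}

// Hypothetical shared secret; a real app loads it from configuration and
// compares with a constant-time check.
export const EXPECTED_TOKEN = "example-token";

export const auth: Mw = (req, next) =>
  req.headers["x-auth"] === EXPECTED_TOKEN ? next() : { status: 403, body: "forbidden" };

// The logger writes into a caller-supplied sink so each run is independent.
export const makeLogger = (sink: string[]): Mw => (req, next) => {
  sink.push(req.url);
  return next();
};

export const handler: Handler = () => ({ status: 200, body: "ok" });

// Buggy middleware that calls next() twice; chain() rejects it.
export const doubleNext: Mw = (_req, next) => { next(); return next(); };

export interface DemoResult { ok: Res; bad: Res; logged: string[]; }

// Runs the chain in the given order against one authenticated and one
// unauthenticated request (constructed inputs) and reports what got logged.
export function demo(order: "logThenAuth" | "authThenLog"): DemoResult {
  const logged: string[] = [];
  const logger = makeLogger(logged);
  const mws = order === "logThenAuth" ? [logger, auth] : [auth, logger];
  const app = chain(mws, handler);
  const ok = app({ url: "/secret", headers: { "x-auth": EXPECTED_TOKEN } });
  const bad = app({ url: "/secret?probe", headers: {} });
  return { ok, bad, logged };
}

// True if chain() catches the double next() call.
export function rejectsDoubleNext(): boolean {
  try {
    chain([doubleNext], handler)({ url: "/", headers: {} });
    return false;
  } catch {
    return true;
  }
}

// Stand-alone run: with auth first, the rejected probe never reaches the logger.
console.log(demo("logThenAuth").logged, demo("authThenLog").logged);
```

With `[logger, auth]` both requests are logged and the second gets 403; with `[auth, logger]` only the authenticated request reaches the logger. The explicit `run(i)` makes the "first middleware gets a next() that runs the rest" relationship visible, which is all the reduceRight was encoding.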


The last hop shown in the BGP route is AS60068 (cdn77), which is a Czech company with a global physical network. It does not mean the data are going through GB; it's not that easy.


  $ whois AS60068
  [...]
  organisation:   ORG-DL201-RIPE
  org-name:       Datacamp Limited
  country:        GB
  org-type:       LIR
  address:        207 Regent Street
  address:        W1B 3HH
  address:        London
  [...]


In the era of relatively complicated company ownership structures (especially in a capital heavy business such as Datacamp), the company on the whois does have the same level of meaning as you seem to expect it to.

207 Regent Street is a relatively well-known virtual-office type address; I would be shocked to learn that there were any Datacamp employees at that address.


Virtual office addresses don't help to make it better.


I have no doubts that V8 has a rich test suite - including tests for the absolute value function.

But then a production-optimized build apparently contains different code? This sounds to me like a system flaw.


I believe in reality it's a bit more complicated.

CDNs do not choose datacenters for users based on geographic distance. The number one metric is latency, but latency != physical distance. The second metric is optimization of the price of data transfer between peers and IXPs, which results in very dynamic routing rules. Then consider also network/software hiccups/maintenance and the distribution of datacenters' load...


For people without Twitter/X account, this is a summary as a single post https://threadreaderapp.com/thread/1850658084491874555.html


Glad you did this. Thanks.


Wow, this is the first time I've heard that some TLD registry would explicitly allow a zone transfer of the whole zone... talking about the Swedish TLD mentioned in the article.

This really works:

  dig @zonedata.iis.se se axfr

