01:33 woosley joined
TimToady blog.booking.com/hardening-perls-ha...ction.html is probably an important read in here, though perhaps with diakopter++'s lock-free hashes it's not an issue 04:54
for unshared hashes, maybe we should think about stealing 5.18's impl
nwc10: opinions? 04:58
also, interesting second reply regarding distinguishing static EnumMaps from general bullet-proof dynamic hashes 04:59
p5 doesn't really have the type system to distinguish those well, but p5 does
tadzik s:2nd/p5/p6/? 05:05
TimToady si. 05:42
06:10 johnny5_ joined 06:13 johnny5_ joined 07:38 FROGGS joined 08:37 cognominal joined 09:05 FROGGS joined
nwc10 TimToady: in order 09:50
-1: I'm not a mathematician. I'm really not a cryptographer 09:51
0: For all that's been reported about the possibility of these attacks, it's not clear that anyone is exploiting them. (Python's hash function is intentionally fast, and hence weak. Even their randomisation is not very good. There's an open bug or two about this, but offhand I don't know the IDs. Despite this, I'm not aware of people taking out django sites for "fun" or profit) 09:52
1: If you don't randomise your hashes you're at risk
2) On current hardware, anything less than 40 bits of entropy is easy to brute-force 09:53
3) you need to mix in all that entropy into the output hash function, however short the string, else you can attack the hash function using progressively longer strings 09:54
4) There isn't any formal cryptanalysis on the hash function adopted by perl 5, but IIRC there actually isn't any *either* for SipHash. The perl 5 hash function (a) uses both arithmetic and bitwise operators in each hashing round, which as I understand it makes it harder to analyse (so IIRC does SipHash), and by merging in the key 1 byte at a time (rather than 4 or 8 at a time) does more rounds, which hinders analysis 09:55
5) The aim of all of this is only to ensure that an attacker can't cheat - to avoid giving an attacker a way to DoS that costs less than sending all the data anyway 09:56
I think that that's about it
And if there are obvious flaws in what I said, please don't report them here on a publicly logged channel. 09:57
I didn't get time to read the article in draft form - I think that there's one part that isn't accurate - the theoretical Perl 5 attack would be with <40 keys. So Apache's 512 limit isn't going to help.
10:32 ssutch_ joined 11:00 wsri joined 12:16 moritz_ joined 12:17 krunen_ joined, rjbs- joined, Util_ joined 12:22 nwc10 joined 12:23 rblackwe joined 14:07 jnap joined 14:30 colomon joined 14:32 cognominal joined 15:11 cognominal joined 15:46 jnap joined
FROGGS diakopter: re github.com/MoarVM/MoarVM/commit/d1...nt-4538837 17:21
diakopter: these would be MVM_OSHANDLE_FD then I guess?
I can implement uv_close for these... 17:22
diakopter FD?
I thought there was a boolean flag
last I knew
as to whether it's a standard one of the 3
FROGGS MVM_OSHANDLE_FD 17:23
err
github.com/MoarVM/MoarVM/blob/mast...ndle.c#L54
diakopter yeah, that's different from how I did it
wth is the difference between a _HANDLE and a _FD 17:24
and what happened to the dir handle type?
TimToady well, technically, an FD should be an integer
FROGGS yes, open_fh sets type to MVM_OSHANDLE_FD 17:25
and getstd* sets MVM_OSHANDLE_HANDLE
diakopter sigh.
you'd think someone was reviewing those libuv commits :P
FROGGS diakopter: dir_open sets MVM_OSHANDLE_DIR 17:26
diakopter ok, but that's not listed in that switch/case
FROGGS true
diakopter .oO( two eyes are better than zero.. ) 17:27
TimToady winks
diakopter jnthn: GREETINGS FROM THE ONLINE REALMS OF NOT_QUITE_REAL_LIFE_BUT_REALLY_REAL_LIFE 17:28
TimToady gets a num feeling 17:45
diakopter gets a float feeling 17:52
jnthn gets a long feeling
lizmat gets a double feeling 17:53
timotimo gets a string feeling 17:54
jnthn .oO( and when I get that feeling, I need strongly typed healing... ) 17:56
17:56 colomon joined 17:58 cognominal joined
TimToady r: say "string" ~~ Real 17:58
camelia rakudo-jvm 882e33: OUTPUT«(timeout)» 17:59
..rakudo-parrot 158e90: OUTPUT«False␤»
TimToady r: say num ~~ Real
camelia rakudo-jvm 882e33: OUTPUT«(timeout)»
..rakudo-parrot 158e90: OUTPUT«False␤»
TimToady hmm
p: say Num ~~ Real
camelia rakudo-parrot 158e90: OUTPUT«True␤»
TimToady meseemeth that num should ~~ Real 18:00
diakopter meesa cold beans
r-j: ;
camelia rakudo-jvm 882e33: OUTPUT«(timeout)» 18:01
diakopter r-j: 1
camelia rakudo-jvm 882e33: OUTPUT«(timeout)»
diakopter r-j: 1 18:02
camelia rakudo-jvm 882e33: OUTPUT«Can't call method "syswrite" on an undefined value at /home/p6eval/jvm-rakudo/eval-client.pl line 32.␤»
diakopter -_-
18:09 dalek joined
FROGGS nqp: nqp::shell('echo $PWD', '/tmp', {}); nqp::spawn(['echo', '$PWD'], '/tmp', {}) 19:12
camelia nqp-moarvm, nqp-jvm, nqp-parrot: OUTPUT«/tmp␤$PWD␤» 19:13
FROGGS lovely
jnthn Is that how it's meant to be? :) 19:19
FROGGS jnthn: yes :o) 19:24
jnthn ok, then FROGGS++ :)
FROGGS spawn is meant to execute the program directly, which means that shell variables are not recognized
(and it really does not spawn a shell fwiw)
jnthn ah, gotcha 19:25
FROGGS but it still does a PATH search for the program... the path supplied by the %env hash as the last arg 19:27
nqp: say(nqp::shell('true', '/tmp', nqp::hash('PATH', ''))); say(nqp::spawn(['true'], '/tmp', nqp::hash('PATH', ''))) 19:30
camelia nqp-moarvm: OUTPUT«execvp(): No such file or directory␤0␤-2␤»
..nqp-parrot: OUTPUT«65280␤65280␤»
..nqp-jvm: OUTPUT«0␤0␤»
FROGGS not very consistent nor portable :/
20:39 woolfy joined 20:44 ssutch joined
timotimo bleh :( 20:48
FROGGS well, everything is fixable 20:51
diakopter but not everything is fixable with a feasible amount of resources, including time 21:31
<- spoilsport 21:32
21:48 BenGoldberg joined 21:59 lue joined 23:15 colomon joined