-
SamWhited
I think the website is down; I don't appear to be able to ssh in either and downforeveryoneorjustme.com agrees.
-
SamWhited
huh, and there it goes responding well… short outage.
-
Zash
Dey took ur nines
-
jonasw
Tobias: http://docs.getpelican.com/en/stable/faq.html#how-do-i-assign-custom-templates-on-a-per-page-basis A custom template for the XEP / client page is probably sane. Load the data in the pelican config and access it from within the template. Jinja templates should offer enough computational capability for that.
-
jonasw
(they’re probably Turing complete via recursion)
-
jonasw
https://xmpp.org/extensions/diff/api/xep/0369/diff/0.8/vs/0.8.1
-
jonasw
that throws a 500
-
Zash
Not the most reliable differ unfortunately
-
Zash
WFM now, but it was real slow
-
Ge0rG
jonasw: yeah, it's rendered on first access. you need to call it, wait some minutes and refresh then
-
Ge0rG
I'm sure Zash could provide his awesome retro fixed-font markdiff version.
-
Zash
Ge0rG: The thing where I don't get along with git so well makes that a pain
-
Zash
but here's the latest 313 version: https://www.zash.se/xep-0313-0.6-vs-0.6.1.html
-
Ge0rG
Zash: I can provide you with the required shell magic
-
intosi
Our differ fails on the first load of a diff, but succeeds the second load. I think it's a timing issue.
-
intosi
Ge0rG: a few minutes is excessive. The next reload always succeeds for me.
-
Ge0rG
intosi: maybe my internets is just slow :)
-
Zash
Ge0rG: Random SO answers point to horrible things that no longer exist, and things that apparently require tons of extra configuration.
-
Ge0rG
Zash: what exact input do you wish to get?
-
Zash
Ge0rG: Two filenames.
-
Zash
One being the old version, one being the new version
-
Ge0rG
Zash: easy. "echo filename1 filename2"
-
Zash
`hg extdiff -p echo`
-
Zash
<3
-
jonasw
intosi, I reloaded one or two times, but what Ge0rG says makes sense ...
-
jonasw
Zash: what’s wrong with
    git checkout identifier_of_version1:path/to/file > file.version1
    git checkout identifier_of_version2:path/to/file > file.version2
? identifier_of_versionX can be a commit id, a tag, a branch or whatever
-
Zash
That's pretty much what I've been doing
-
Tobias
jonasw, yeah..using a custom template for client/library/server pages could work, although it feels a bit ugly :)
-
jonasw
it’s less ugly than sed.
-
jonasw
by orders of magnitude ;-)
-
Tobias
true
-
Tobias
jonasw, happen to know what format pelican/jinja2 can read and turn into tables most easily?
-
jonasw
you can use anything python can read
-
jonasw
but JSON is probably the easiest
-
jonasw
load it in the pelican config, you should be able to access it as a global in the template then
-
Tobias
k..will give that a shot sometime in the next days
-
jonasw
in pelicanconf.py you could for example do:
    import json
    with open("clientdb.json", "r") as f:
        CLIENT_DB = json.load(f)
and in the template you could:
    {% for client in CLIENT_DB %}
    {% if client.show_on_page %}
    … some table row markup …
    {% endif %}
    {% endfor %}
with clientdb.json:
    [{"name": "fancy client", "show_on_page": true}, {"name": "legacy client", "show_on_page": false}]
or anything like that :)
-
Tobias
great...then we could simply add a property in the json for each item for "last_updated" to have a date and on rendering just omit the ones that are older than a year or so
-
jonasw
yes :)
-
jonasw
(of course, you could also abuse the blog feature and create articles for each client and use the metadata and so on, but that’s probably worse.)
-
Tobias
https://shattered.io/ :)
-
jonasw
oh dear
-
MattJ
How widespread is this? As far as we know our example collision is the first ever created.
-
MattJ
That must have been a great feeling
-
jonasw
> This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.
-
mimi89999
It's good that SHA1 got deprecated for certificates and TLS.
-
intosi
Indeed. Because what you really can do is spend a few weeks brute-forcing the hash for a single bit of data, with the same prefix :)
-
intosi
It means SHA-1 should go, sure, but it doesn't mean SHA-1 is now suddenly worthless ;)
-
Zash
Website too shiny, what have they actually done?
-
intosi
Created a PDF that has the same SHA-1 checksum as another PDF.
-
intosi
And yes, that site is too shiny.
-
Zash
And that's what, marginally harder than finding two random blobs of data with the same sha1, if they have to be valid PDF files too?
-
SamWhited
that's not the important part; that's just a demo. The important part is that they can generate two blobs of data that have the same sha1 with much greater efficiency than brute force.
-
SamWhited
just a demo of an actual bad thing you could do with it, I mean.
-
intosi
^ what SamWhited said.
-
intosi
The fact that they created another perfectly fine PDF with altered content is the gravy.
-
Zash
I've gotten the impression that it's much harder if the data needs to fit some strict format, like say signed blob of ASN.1 DER
-
SamWhited
Indeed; makes it practical and not just some abstract thing that everyone using SHA-1 can just ignore.
-
SamWhited
Yah, it's probably harder, which is why the announcement is even more impactful.
-
Zash
What dwd wrote to the list.
-
SamWhited
Yah, probably doesn't matter for us immediately (eg. in the case of SCRAM-SHA-1 where it's just used as the hash for the HMAC, so we probably don't care), but it's still a pretty big deal.
-
SamWhited
Actually, that's the only place where we use SHA-1 that I can think of… there are probably more.
-
Zash
SCRAM-MD5 would probably be just as safe
-
jonasw
SamWhited: entity caps?
-
jonasw
but that’s broken anyways iirc
-
SamWhited
ah yah, forgot about that. It's broken?
-
Zash
It's unclear about the escaping of special XML characters.
-
SamWhited
oh fun
-
Zash
So it is possible to produce a collision based on moving the attributes around.
-
Zash
Pretty sure waqas has talked about this loooooooooooooong ago
-
Zash
Might even be what that link on the list was, since I didn't follow it
-
Flow
Zash: It was that link