XSF Discussion - 2017-02-23

I think the website is down; I don't appear to be able to ssh in either and downforeveryoneorjustme.com agrees.

huh, and there it goes responding well… short outage.

Dey took ur nines

Tobias: http://docs.getpelican.com/en/stable/faq.html#how-do-i-assign-custom-templates-on-a-per-page-basis A custom template for the XEP / client page is probably sane. Load the data in the pelican config and access it from within the template. Jinja templates should offer enough computatational capability for that.

(they’re probably turing complete via recursion)

https://xmpp.org/extensions/diff/api/xep/0369/diff/0.8/vs/0.8.1

that throws a 500

Not the most reliable differ unfortunately

WFM now, but it was real slow

jonasw: yeah, it's rendered on first access. you need to call it, wait some minutes and refreshe then

I'm sure Zash could provide his awesome retro fixed-font markdiff version.

Ge0rG: The thing where I don't get along with git so well makes that a pain

but here's the latest 313 version: https://www.zash.se/xep-0313-0.6-vs-0.6.1.html

Zash: I can provide you with the required shell magic

Our differ fails on the first load of a diff, but succeeds the second load. I think it's a timing issue.

Ge0rG: a few minutes is excessive. The next reload always succeeds for me.

intosi: maybe my internets is just slow :)

Ge0rG: Random SO answers point to horrible things that no longer exist, and things that apparently require tons of extra configuration.

Zash: what exact input do you wish to get?

Ge0rG: Two filenames.

One being the old version, one being the new version

Zash: easy. "echo filename1 filename2"

`hg extdiff -p echo`

<3

intosi, I reloaded one or two times, but what Ge0rG says makes sense ...

Zash: what’s wrong with git checkout identifier_of_version1:path/to/file > file.version1 git checkout identifier_of_version2:path/to/file > file.version2 ? identifier_of_versionX can be a commit id, a tag, a branch or whatever

That's pretty much what I've been doing

jonasw, yeah..using a custom template for client/library/server pages could work, although it feels a bit ugly :)

it’s less ugly than sed.

by orders of magnitude ;-)

true

jonasw, happen to know with what format pelican/jinja2 can read and turn into tables most easily?

you can use anything python can read

but JSON is probably the most easiest

load it in the pelican config, you should be able to access it as a global in the template then

k..will give that a shot sometime the next days

in pelicanconf.py you could for example do: import json with open("clientdb.json", "r") as f: CLIENT_DB = json.load(f) and in the template you could: {% for client in CLIENT_DB %} {% if client.show_on_page %} … some table row markup … {% endif %} {% endfor %} with clientdb.json: [{"name": "fancy client", "show_on_page": true}, {"name": "legacy client", "show_on_page": false}] or anything like that :)

great...then we could simply add a property in the json for each item for "last_updated" to have a date and on rendering just omit the ones that are older than a year or so

yes :)

(of course, you could also abuse the blog feature and create articles for each client and use the metadata and so on, but that’s probably worse.)

https://shattered.io/ :)

oh dear

How widespread is this? As far as we know our example collision is the first ever created.

That must have been a great feeling

> This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.

It's good that SHA1 got depreciated for certificates and TLS.

Indeed. Because what you really can do is spend a few weeks brute-forcing the hash for a single bit of data, with the same prefix :)

It means SHA-1 should go, sure, but it doesn't mean SHA-1 is now suddenly worthless ;)

Website too shiny, what have they actually done?

Created a PDF that has the same SHA-1 checksum as another PDF.

And yes, that site is too shiny.

And that's what, marginally harder than finding two random blobs of data with the same sha1, if they have to be valid PDF files too?

that's not the important part; that's just a demo. The important part is that they can generate two blobs of data that have the same sha1 with much greater efficiency than brute force.

just a demo of an actual bad thing you could do with it, I mean.

^ what SamWhited said.

The fact that they created another perfectly fine PDF with altered content is the gravy.

I've gotten the impression that it's much harder if the data needs to fit some strict format, like say signed blob of ASN.1 DER

Indeed; makes it practical and not just some abstract thing that everyone using SHA-1 can just ignore.

Yah, it's probably harder, which is why the announcement is even more impactful.

What dwd wrote to the list.

Yah, probably doesn't matter for us immediately (eg. in the case of SCRAM-SHA-1 where it's just used as the hash for the HMAC, so we probably don't care), but it's still a pretty big deal.

Actually, that's the only place where we use SHA-1 that I can think of… there are probably more.

SCRAM-MD5 would probably be just as safe

SamWhited: entity caps?

but that’s broken anyways iirc

ah yah, forgot about that. It's broken?

It's unclear about the escaping of special XML characters.

oh fun

So it is possible to produce a collision based on moving the attributes around.

Pretty sure waqas has talked about this loooooooooooooong ago

Might even be what that link on the list was, since I didn't follow it

Zash: It was that link