
IRC log for #mojo, 2012-07-25


All times shown according to UTC.

Time Nick Message
00:53 scott joined #mojo
00:58 laouji joined #mojo
01:04 bird joined #mojo
01:18 jnap joined #mojo
01:51 vel joined #mojo
01:53 asarch joined #mojo
02:01 d4rkie joined #mojo
02:36 Psyche^ joined #mojo
02:46 tempire oh hey look at that
02:46 tempire I didn't know about ::Plugin::HeaderCondition->host
02:55 noganex_ joined #mojo
03:41 vel joined #mojo
03:44 tempire huh
03:44 tempire is the tt renderer no longer working with current versions of mojo?
03:44 * tempire pokes marcus
03:53 xaka1 joined #mojo
04:09 asarch joined #mojo
04:45 amirite joined #mojo
04:46 amirite if i want to do stuff before/after/around accessor methods on attributes then i shouldn't use mojo base right
04:52 sri good morning fellow swamp monsters
05:17 laouji joined #mojo
05:36 Britzel joined #mojo
05:40 ovnimancer joined #mojo
05:43 Foxcool joined #mojo
05:49 rwstaune` joined #mojo
05:49 sri \o\
05:50 sri /o/
06:08 AmeliePoulain joined #mojo
06:12 ovnimancer joined #mojo
06:19 amirite if i use mojo base is there a method to setup for after new construction
06:23 * amirite frowns and uses moose
06:34 spleenjack joined #mojo
06:44 Vandal joined #mojo
06:58 crab Mooselicious
07:03 davido joined #mojo
07:07 * marcus pokes tempire back, harder
07:12 tempire marcus: I thought you took over the tt renderer
07:12 tempire am I remembering incorrectly?
07:13 marcus tempire: yes, incorrectly
07:13 marcus I do have an interest in it tho
07:14 * sri pokes marcus, tempire and crab
07:14 marcus wass?
07:14 sri you owe me an opinion on $self->param(['foo'])!
07:15 tempire I don't consider the issue a security risk.  But I have no problem with the feature.
07:15 marcus dududududu, I'm lovin' it
07:15 sri \o/
07:15 tempire wellst, Mojolicious::Plugin::TtRenderer does not compile at the moment :(
07:15 marcus did we break it?
07:15 sri :(
07:15 marcus make an issue at https://github.com/abh/mojox-renderer-tt ?
07:16 sri what's the problem?
07:16 * marcus is @ parent's place, so shitty internet here.
07:17 marcus stuff that used to give 500 gives a 404
07:17 tempire ^ yeah, that
07:17 bc547 joined #mojo
07:18 marcus (in the tt test suite)
07:18 sri only recent rendering change i remember is the default_format fix
07:18 marcus also, it seems it leaks all of a sudden
07:18 sri maybe just a borked test case
07:19 sri https://github.com/kraih/mojo/commit/74a80a0d61f7bf687c614a02f8fc420fa223d9db
07:19 sri here's the commit
07:19 ovnimancer joined #mojo
07:19 sri it's rather trivial, but a too naive test case could break i suppose
07:19 * sri is just guessing though
07:21 tempire 3.03 broke it
07:21 sri that matches the commit i linked to
07:21 * sri wins
07:24 tempire go go marcus
07:24 marcus checks out the parent, it still breaks.
07:24 sri marcus: i can't explain any sudden leaks though, there have been no architecture changes recently afair
07:27 tempire hmm
07:27 tempire the exception occurs from the perspective of tt
07:27 tempire gives an appropriate error
07:29 marcus so the renderer dies, but mojo throws a 404?
07:29 marcus confirmed that it works on 3.02
07:30 tempire marcus: correct
07:30 tempire $c->render_exception($e); gets called in the module's Engine.pm
07:31 tempire $e being my $e = Mojo::Exception->new($self->tt->error.'');
07:32 marcus there's nothing interesting in the changelog ...
07:32 * marcus diffs against 3.02
07:33 marcus render_exception has changed
07:33 taryk joined #mojo
07:34 tempire so says the changelog
07:35 marcus not in the checkout I'm in :)
07:36 marcus https://gist.github.com/3174939 bet something here breaks it
07:36 sri we also tried the around_exception/around_not_found hooks during that time i believe
07:37 davido joined #mojo
07:38 sri marcus: maybe the recursion bits, and the tt renderer calls render_not_found *after* render_exception for some reason
07:39 sri not that it makes much sense...
07:40 sri https://github.com/tarcieri/http # hmm
07:44 tempire looks...familiar
07:44 crab sri: i like it
07:45 crab (param(['foo']))
07:45 tempire Http.accept(:json).get("https://github.com/tarcieri/http/commit/HEAD") is interesting
07:45 crab i think it is a bit obscure, but i can't think of a better way to write it
07:46 tempire $ua->accept('json')->get('domain.com/resource');
07:46 sri Mojolicious::Types would have to become Mojo::Types
07:49 sri crab: i think it's less obscure when used like my ($foo, $bar) = $self->param(['foo', 'bar']);
07:49 crab agreed
07:50 sri maybe in 4.0 we can make everything just use scalar context
07:52 crab and add another function to fetch multiple values?
07:52 sri or leave $self->req->param() for multiple values
07:54 sri we'll see after gathering some more experience with the current implementation
08:13 amirite joined #mojo
08:23 GitHub85 joined #mojo
08:23 GitHub85 [mojo] kraih pushed 1 new commit to master: http://git.io/HdU5Ow
08:23 GitHub85 [mojo/master] better transaction examples - Sebastian Riedel
08:23 GitHub85 left #mojo
08:25 GitHub80 joined #mojo
08:25 GitHub80 [mojo] kraih pushed 1 new commit to master: http://git.io/JAEjBw
08:25 GitHub80 [mojo/master] no need to call resume in example - Sebastian Riedel
08:25 GitHub80 left #mojo
08:36 pau4o joined #mojo
08:38 marcus sri: doesn't look like the TT renderer calls render_not_found at all - https://gist.github.com/3175112
08:39 sri marcus: maybe it doesn't return true to signal that it rendered something already?
08:39 sri hmm, i guess that doesn't matter
08:39 * sri shrugs
08:40 marcus sri: yeah, as you see _render returns false...
08:40 marcus sri: it returns true if it succeeds.
08:41 sri i would expect it to return true if it rendered something
08:41 sri then again, our renderers don't call render_exception/render_not_found at all
08:42 sri i think renderers rerendering is unspecified behavior
08:42 marcus yepp, that's it
08:42 marcus seems we didn't depend on it returning true until that change
08:43 marcus if I change the return 0 inside the exception handler to return 1, it works.
08:43 sri we did, but the recursion check prevented rerendering i suppose
08:43 marcus I guess so
08:43 marcus but it would probably be better if it just let Mojo handle the exception?
08:44 sri wouldn't it work better if you rethrow the exception and let mojolicious handle it?
08:44 sri heh :)
08:44 marcus :D
08:45 marcus yeah, changing it like that still passes tests even
08:45 sri \o/
08:46 marcus the leaks bother me a bit tho
08:49 mire joined #mojo
08:53 sri oh, http working group is now aiming for a last call in april 2014 for http 2.0
08:54 sri at least it's not 2013 anymore
08:54 bjoernfan Sorry, I haven't really been paying attention, last call for what exactly?
08:54 sri the http 2.0 spec
08:54 crab last call for a standard to label as http 2.0.
08:54 bjoernfan Awesome.
08:54 sri not really
08:55 crab it seems a bit like a solution in search of a problem.
08:55 bjoernfan Oh, too bad.
08:55 sri it's mostly about google reducing their operation costs
08:56 sri they are still pushing for mandatory tls
08:56 sri together with facebook and twitter
08:56 sri TLS ALL THE THINGS!
08:56 bjoernfan Is there anything we find interesting in 2.0?
08:56 nic "Let them eat TLS!"
08:57 sri the spec is still empty
08:57 sri if google gets what it wants then http 2.0 will just be a new name for spdy
08:57 sri but the opposition is getting stronger
08:58 sri http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0782.html # posts like this are scary
08:59 sri nobody has really thought about what server push will do to REST yet
09:00 andrefs joined #mojo
09:00 fhelmber_ joined #mojo
09:00 sri a spdy server can send resources that the client has not actually requested after all
09:01 bjoernfan :|
09:01 bjoernfan That sounds a bit wrong... but it's a bit over my head.
09:02 crab C: get /index.html S: Here's index.html, but also logo.jpg because i know you're going to ask for that next.
09:03 sri and here's some car advertising, just in case
09:03 bjoernfan D:
09:03 crab :-)
09:03 bjoernfan sri: Can't you stop them please?
09:03 sri how about something illegal in your country, let me just write that to your cache!
09:04 fhelmber_ joined #mojo
09:04 sri i don't think they will get their way
09:05 sri but google might just bypass the ietf and complain that the process is flawed or so
09:05 sri they have control over chrome and firefox after all
09:06 bjoernfan Sounds a bit like Netscape/IE pushing their own standards.
09:06 sri it is just like that
09:12 daxim joined #mojo
09:14 sawtooth joined #mojo
09:18 sri some features are pretty good like multiplexing, but there's a lot to dislike about spdy
09:20 sri the whole premise is pretty silly, lets just multiplex, compress and encrypt http 1.1, break the request/response model and call it http 2.0!
09:20 * crab throws a rubber stamp at sri
09:22 * sri hopes that was a stamp of approval :)
09:28 ovnimancer joined #mojo
09:29 tm crab, sri... re spdy - can't wait to push client side exploits on mass scale :) clients should implement answer DO NOT WANT :D
09:33 tm now add to the mix equivalent of transparent proxies - intercept and milware (milware != malware) dropping will be so easy - what could possibly go wrong (ohai China, Iran, Sudan & friends)
09:35 crab i have no idea what you just said
09:36 tm I mean if spdy allows server to send data to client because 'yes, you will want that'... what could possibly go wrong?
09:36 tm here's your page you requested, here's my malware - yes, you do want that
09:37 sri gotta love how some people on the list argued that if tls was mandatory all problems with the trust model would just solve themselves
09:37 tm and to spice things up some contraband... in the end you requested the page, right?
09:37 sri tm: i don't think it would be *that* easy, push stuff would just get written to the cache
09:37 tm sri: sure, we all trust CAs :)
09:38 tm sri: in many cases having traces of things in cache is enough for successful conviction
09:38 tm especially if user doesn't know about them and doesn't securely wipe
09:38 tm google sees lower operation costs, I see a powerful weapon - literally
09:39 sri no argument there, just saying server push doesn't make distributing malware that much easier
09:39 tm fair enough :)
09:40 sri and i have no clue what milware is :o
09:40 tm milware - military/government originated malware
09:40 sri ah
09:40 tm bundestrojan in Germany, etc
09:40 * sri nods
09:41 tm also... China does have trusted CA - here you go... MiTM ready and we know China meddles in BGP re-routing traffic through their systems - for some reason
09:41 sri yea, the trust model is completely broken
09:42 sri mandatory tls is silly in so many ways
09:42 tm the only thing that holds it together is money pumped into it, but that's off-topic
09:42 tm mandatory ok - for dynamic content, static no reason at all
09:44 tm ok anyway, coming back to chat yesterday Mojolicious::Plugin::CanonicalHost works but requires proper cleanup and pod :-)
10:00 crab tm: are you saying that it would just make it easier for intermediaries to send malware along with innocuous pages than to rewrite the html to include said malware?
10:01 crab if so: ah, i see. (though an extra resource that isn't actually referred to by the requested page should just be ignored... but i haven't seen what actual implementations do in this case either.)
10:02 tm crab: yes... one is that the whole thing is based on CA trust model which is totally flawed... that's why google does SSL pinning in browser
10:02 tm otherwise anybody with valid CA that is trusted by the client can do MiTM even on TLS content - I do it all the time in my tests
10:03 tm it's that trivial... and .cn has trusted public CA for example and they are not the only ones
10:03 tm make it better... proxy with TLS intercept can rewrite content and include references to material that shouldn't be there in normal operations - plant contraband this way
10:04 tm or just send contraband and let forensics folks come up with the answer how it got there
10:04 tm yes, forensics can answer where the file in cache comes from, but will it in case of spdy pushing content in? how browsers will log that? will they at all?
10:05 tm too many edge cases that are not covered or discussed, and fundamental flaw - CA trust
10:06 tm and to be fair, saying I see weapon I mean that you don't have to prove or convict someone to tarnish his reputation - it's enough you prove for example photos he shouldn't have were in browser cache - in many cases that will ruin person's life even before the courts get onto it
10:07 crab i propose CRWLY. the client sends "GET /blah.html", and the server dispatches an envelope by post with printouts of the rendered article (and, if necessary, any extra relevant material).
10:07 tm oh well... anthrax warning ;-)
10:08 tm srsly, we didn't get it right with 1.1 yet, so many issues... but better the devil we know - introducing something new, totally nothing like what we know is deemed to fail in so many ways
10:08 crab drat, foiled again
10:09 tm btw rendering page and posting is very doable and easy to implement, but bit expensive on transport side
10:13 sri i'm just glad the websocket spec got finished before the whole http 2 mess started
10:14 sri don't understand why nginx and apache get spdy support before websocket support though
10:15 crab do the latest versions of the usual suspect browsers all support websockets unprefixed now?
10:15 sri think so
10:15 sri ie10 will support it in windows 8
10:16 sri for apple it will be mountain lion (later today) and ios 6 in a few weeks
10:17 sri webkit even has nifty websocket debug tools now
10:21 sri latest revision of rfc 2616 doesn't mention http 0.9 anymore btw :)
10:29 spleenjack1 joined #mojo
10:44 venkatk_ joined #mojo
10:46 mire joined #mojo
11:18 spleenjack joined #mojo
11:33 ryozi joined #mojo
11:35 bc547 joined #mojo
12:25 Grauwolf in which file in the mojolicious source do config files get parsed (hypnotoad eg.)
12:27 sri the config plugins
12:28 Grauwolf meh. as always in the irc just found it right after i asked. thanks
12:29 d4rkie joined #mojo
12:39 sri http://arstechnica.com/apple/2012/07/os-x-10-8/ # it's that time of the year again \o/
12:47 GabrielVieira joined #mojo
13:11 jnap joined #mojo
13:21 CromeDome joined #mojo
13:22 Foxcool joined #mojo
13:29 sandeepdb joined #mojo
13:31 vel joined #mojo
13:32 zhutingting joined #mojo
13:41 ovnimancer joined #mojo
13:46 sri lulz... the meteor javascript framework just got $11.2 million venture capital :O
13:47 xaka1 joined #mojo
13:48 gryphon joined #mojo
13:50 tm sri: looks great but... client with direct access to db via app server? wtf?
13:50 tm it's like mvc without m, v or c :D
13:51 sri who cares, it has all the buzzwords!
13:51 * tm downloads meteor... fuzzer ready :D
13:52 tm 'it's cool to have full db api on the client' - wow... just wow... it has great potential to be worse than PHP when it's released final :)
13:52 jnap VCs follow the buzz and JS is buzzy now.  There's a limited number of frameworks that actually work well enough to merit any investment
13:53 jnap no VC wants to miss out on the next big thing
13:53 sri 11.2 million is a hell of a gamble
13:53 sri for something as fragile as meteor
13:53 jnap most of it is funny money though, or it usually is, from my experience with VCs
13:53 tm hehe sure, even if it's something that will get your ass dragged through media sewage when things start getting popped left/right/center
13:54 jnap is not like they walked into the office and dropped off a pile of money sacks, is more like a promise
13:54 tm jnap: I wish them the best, but have bad predictions :(
13:55 jnap sure, never want to wish anyone harm, having worked for a startup that went under, that sucks
13:55 sri i mean, investing 100 million in github i can understand
13:55 tm I know something about that as well :-/
13:55 tm still working on my own little startup project, no fail no gain
13:56 tm oh so it rides on top of node.js - cool
13:58 sri and mongodb
13:58 tm mhm, all good if you speak js, I don't - perl only :)
13:59 sri no way around learning js these days
13:59 tm sad realisation :(
13:59 sri it's not that bad
13:59 tm no way I'll rewrite my code now to stuff like meteor... finishing migration off Catalyst to Mojolicious
14:00 jnap as a Perl programmer from way back, I nearly always did both Perl and JS.  Its only been the last few years where JS was considered specialized enough that we have dedicated programmers for it
14:00 sri i wouldn't want to use it as my go to language for everything, but embedded in browsers and databases it's pretty neat
14:00 jnap yeah, there's nothing wrong with it, its cute
14:01 tm neat yes, needed - not sure... from business point of view, how do you control your data, make sure only allowed things work?
14:01 tm it's either me missing hell of a background knowledge or I'm just too paranoid after working in infosec for some years
14:01 sri you mean exposing the database to the browser?
14:01 sri (in meteor)
14:01 tm yup, they say it's cool
14:02 sri it's terrible
14:02 tm it scares the hell out of me
14:02 sri it is completely unusable for anything serious yet, that's what makes the investment so baffling to me :)
14:03 tm and so redundant in a way... you get the same with regular jQuery and exposing say couchdb to internet :D
14:03 sri i bet they want to go into the database as a service direction
14:04 tm no confidentiality - everyone reads anything
14:04 tm no integrity - everyone modifies anything
14:04 tm no availability - as outcome of two above + your data is everywhere and nowhere
14:04 sri they can always add a layer between browser and mongodb, adding authentication and emulating fine grained access control
14:04 sri it can be solved, they just haven't yet
14:05 tm if they choose/get forced to...
14:06 sri i bet they sold it as an alternative to parse.com (https://parse.com/docs/rest)
14:07 tm oh nice one
14:07 inokenty joined #mojo
14:08 * tm wanders off... be back shortly
14:20 mire joined #mojo
14:26 Htbaa joined #mojo
14:28 gryphon joined #mojo
14:43 vel joined #mojo
14:49 xaka1 joined #mojo
14:53 CromeDome joined #mojo
15:04 CromeDome joined #mojo
15:07 labrown joined #mojo
15:13 jnap left #mojo
15:23 CromeDome joined #mojo
15:31 tm re TLS support - can cipher suites be selected if running TLS directly on daemon/morbo/hypnotoad?
15:32 tm there are very good reasons to disable some of them - all of SSLv2, CBC mode ciphers in SSLv3 and TLSv1.0
15:33 tm of course, this would be non-issue if mojolicious is deployed behind a reverse proxy
15:33 trone_ joined #mojo
15:35 sri tm: nope, but we have good cypher defaults
15:35 sri even though i would always recommend to let a reverse proxy do the tls termination
15:42 tm sri: that may be the reason to swing me towards one ;-)
15:43 sri i believe this is currently the recommended cypher list for web facing servers https://github.com/kraih/mojo/blob/master/lib/Mojo/IOLoop/Server.pm#L95
15:47 tm hmmm
15:48 sri if there's a really good reason for changing the cypher list i'd accept a patch too
15:49 tm let me collect all info - it won't fit in one line
15:49 sri that's a bad sign ;p
15:49 tm there are some new vulnerabilities regarding TLSv1.0 and SSLv3 with CBC based ciphers
15:49 sri explain it to me like i'm 12 :D
15:49 tm hey, don't worry - apache still recommends SSLv2 :D
15:49 tm will explain, just need to find my notes so I give you accurate info
15:50 sri we default to RC4
15:50 sri which is a stream cypher
15:50 sri current best practice
15:50 tm cool, but with SHA and MD5... ideally would be RC4+RSA afair, will check and get back to you
15:52 sri google.com accepts RC4-MD5
15:52 pau4o left #mojo
15:52 * sri regularly uses sslscan to see what the big sites use atm
15:52 tm good practice sir
15:53 sri i still recommend a real server for tls termination :)
15:53 sri it's what they are made for
15:53 tm true :) and I possibly will go this way with my projects
15:53 sri we basically only do tls for tests and small intranet setups
15:54 sri especially testing Mojo::UserAgent
15:55 sri i still don't have much confidence in IO::Socket::SSL, not too long ago it was pretty fragile
15:56 sri but then again, openssl bindings for all scripting languages suck :)
15:56 * sri still remembers the sleep call in the python code
15:56 tm ssl protocols: SSLv3 TLSv1 TLSv1.1 TLSv1.2
15:56 tm ciphers: HIGH:!aNULL:!MD5
15:57 tm this gives reasonable ciphers on modern engines and I haven't seen yet a client that would fail to connect there
15:57 tm although... it includes stuff like EDH-RSA-DES-CBC3-SHA in SSLv3
15:58 tm it will always be a tradeoff - usability vs security, depends on what the site does as well :D
15:59 tm but not having SSLv2 is already a great starting point
15:59 tm afk
16:11 fhelmber_ joined #mojo
16:20 trone joined #mojo
16:26 marcus hm
16:39 CromeDom_ joined #mojo
16:54 CromeDome joined #mojo
17:19 andrefs joined #mojo
17:59 lammel2 joined #mojo
18:09 rem_lex| joined #mojo
18:20 vel joined #mojo
18:49 CromeDome joined #mojo
18:58 jnap joined #mojo
19:15 tempire ok, who is the official channel tester for mountain lion?
19:17 fhelmber_ joined #mojo
19:17 * tempire hopes it upgrades his macbook to retina
19:18 * sri is running mountain lion
19:18 * tempire appoints sri
19:19 * sri shrugs
19:35 rwstaune` joined #mojo
19:38 andrefs joined #mojo
19:42 CromeDome joined #mojo
20:08 * marcus is running it too, for a while
20:08 Netfeed is that the next version?
20:09 marcus yeah, came out today
20:09 marcus but it went GM a few weeks back
20:10 perlite_ joined #mojo
20:10 Netfeed meh, mine is 3-4 years old now, i doubt i would gain that much from upgrading
20:22 jnap joined #mojo
20:37 tempire tm: is the code for your ::canonicalhost plugin on github?
20:58 jnap joined #mojo
21:15 Lucas1 joined #mojo
21:24 xaka1 joined #mojo
21:28 amirite joined #mojo
21:36 andrefs joined #mojo
21:46 lukep joined #mojo
21:53 kthakore joined #mojo
21:53 kthakore hello
21:53 tm tempire: not yet, it doesn't have test cases yet or docs
21:53 kthakore how do I use a hook fo before_dispatch to consume a token in each of my /mobile/ routes ?
21:55 kthakore I want to do /api/mobile/:token/* so on ?
22:01 tm actually I should switch to my usual nick :)
22:01 tqm that's better
22:06 mike_ joined #mojo
22:07 * tqm likes the readme file in Mojolicious::Plugin::Geo :D
22:09 mike_ joined #mojo
22:10 tqm what's the difference between Mojolicious::Plugin::<whatever> and MojoX:: tree?
22:32 tqm hmmm interesting behavior
22:34 tqm http://domain.tld/this/that ====>  scalar join '/', @{$self->req->url->path->parts}  ===> this/that// (and warns about two undef elements at the end of array), but $#{$self->req->url->path->parts} is 1
22:35 tempire MojoX:: is legacy
22:36 tempire from long long ago
22:36 tqm tnx tempire, will use the new naming then, will be on GitHub shortly as soon as I solve the issue above, don't know where two undef elements come from
22:37 tqm array has 2 elements, count is ok, yet join sticks 4 inside :-o
22:45 jnap joined #mojo
22:56 ruz joined #mojo
22:59 keedi joined #mojo
22:59 keedi joined #mojo
23:00 jnap_ joined #mojo
23:26 tqm *facepalm* - two undefs resolved
23:34 jnap joined #mojo
23:35 tqm tempire: plugin works, I can put it on GitHub shortly but with very little docs (work in progress), anyway it's not a rocket science :D
23:36 tempire don't be modest.  you're almost a mojolicious plugin author, which makes you a rock star
23:36 tqm naaah... I just hacked few bits of my ugly spaghetti together... but it seems to work :)
23:37 tqm need to add little pod and will be ready
23:47 jnap joined #mojo
