The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2016-12-05


All times shown according to UTC.

Time Nick Message
00:07 Grinnz jberger: https://metacpan.org/pod/Digest::Bcrypt#NOTICE
00:08 Grinnz which seems to be what the plugin you mentioned uses anyway
00:09 jberger yeah, but I'm wondering why
00:09 jberger that's why I asked him :-P
00:09 jberger so the plugin does things like generate a random salt
00:10 jberger I guess I could just do that myself
00:10 jberger but it would be nice if I understood why things are the way they are
00:10 jberger (also the plugin has defaults that seem sane-ish, like cost)
00:10 Grinnz Crypt::Eksblowfish::Bcrypt is the standard for bcrypt
00:10 jberger right, the plugin uses it too
00:10 Grinnz looks like Digest::Bcrypt is just a wrapper for it also
00:11 jberger ok how about I phrase it differently, I'm wondering if the logic from the plugin (that picks the default options for me, especially salt) is sane and if I should just copy the logic out of it
00:12 jberger and if so, why don't other modules make the default similarly easy to use
00:13 Grinnz looks like it just generates the salt from running rand a bunch of times, that doesn't look sane
00:14 Grinnz i usually do something like a hash of time, something specific to the user (userid or username), and random values
00:14 jberger am I right when I think that part of the benefit of bcrypt is that I don't need a consistent salt?
00:14 Grinnz i should say, it doesn't look ideal
00:14 Grinnz consistent?
00:14 jberger I don't need to know what the salt that I used it
00:14 jberger is
00:15 Grinnz right, the salt is stored in the resulting hash
00:15 jberger so if I got some better randomness, is that better than just crypt/rand
00:15 Grinnz as for cost... there might be an ideal default for now, but it may increase over time
00:16 jberger sure, but if I have that hard coded in my code or lean on the default is no different
00:16 jberger actually, I'd argue that if I rely on the library author to bump it at the correct time, then I won't be missing out when that happens and I inevitably miss it
00:17 jberger (a little devil's advocate, but only a little)
00:17 Grinnz assuming the library author knows what he's doing
00:18 Grinnz 6 is basically the most conservative cost you can use
00:18 Grinnz that was the default cost of bcrypt in 1999 :P
00:19 Grinnz i think i'm using 8 but that's barely cutting it
00:23 jberger is there a library that gets me true randomness (from the os probably) and maybe with a fallback
00:23 jberger ?
00:25 Grinnz https://metacpan.org/pod/Crypt::URandom
00:27 jberger thanks, I thought there was something like that
00:28 jberger so if I pull a salt from that is that sufficient?
00:29 Grinnz I would still combine it with Time::HiRes::time at least
00:30 jberger that seems less random than os random (assuming it is a decent random source)
00:30 jberger and then, again, it would be nice if there was some module that did this for me; security is best which works correctly by default
00:50 stryx` joined #mojo
01:01 aborazmeh joined #mojo
01:06 stryx` joined #mojo
01:21 genio jberger: I'm around.  About Digest::Bcrypt, the original author/maintainer passed away and it was a simple module to begin some work on, so I adopted it.
01:22 Adura Damn CIA.
01:22 genio jberger: given that, if there's something in particular that can be added to it to make it useful, I'm more than happy to do so
01:41 aborazmeh joined #mojo
01:43 stryx` joined #mojo
01:55 Yysachinyy joined #mojo
02:00 stryx` joined #mojo
02:13 asarch joined #mojo
02:15 jberger genio: if it could generate a salt via some say list of modules or fallbacks that would be awesome
02:15 jberger if the salt is supposed to be super random, then relying on the user to do that right is a weak point
02:15 jberger (not blaming you, just saying I don't trust myself)
02:17 jberger preaction: did you write this poem??! If so that's spectacular!
02:17 genio hrm. Probably doable.
02:17 jberger http://perladvent.org/2016/2016-12-04.html
02:18 preaction yep
02:19 genio :)
02:22 jberger https://twitter.com/joelaberger/status/805597906791231488
02:25 genio I tend to like Crypt::URandom.
02:25 genio Let me read around a bit more to see what all's out there
02:27 stryx` joined #mojo
02:34 jberger I guess it's time for your annual reminder of possibly the best Christmas recording ever: https://www.youtube.com/watch?v=Yk5ufApUArQ
02:38 genio I've been reading through Zefram's Data::Entropy::* stuff and I think Crypt::URandom seems a bit nicer thus far
02:56 stryx` joined #mojo
03:20 noganex joined #mojo
03:23 stryx` joined #mojo
03:48 stryx` joined #mojo
03:56 stryx` joined #mojo
04:08 stryx` joined #mojo
04:29 stryx` joined #mojo
05:04 dboehmer_ joined #mojo
05:22 bwf joined #mojo
05:56 tyldis joined #mojo
05:58 Lee joined #mojo
06:36 Vandal15263 joined #mojo
06:50 dod joined #mojo
06:53 polettix joined #mojo
06:55 dod joined #mojo
07:04 foursixnine joined #mojo
07:25 mbudde joined #mojo
07:30 dod joined #mojo
08:15 AndrewIsh joined #mojo
08:22 trone joined #mojo
08:26 bwf joined #mojo
08:30 ivi_ joined #mojo
08:31 janl joined #mojo
08:33 bwf joined #mojo
08:34 ashimema joined #mojo
08:35 osfabibisi joined #mojo
09:42 CHYC joined #mojo
09:54 gregf_ joined #mojo
09:55 sri i guess Mojo::Pg will have to support this once it's in DBD::Pg http://paquier.xyz/postgresql-2/postgres-10-multi-host-connstr/
09:58 CHYC Not sure why they chose their own format rather than using DNS SRV records.
09:59 janl they probably don't know about SRV
10:04 CHYC Shame, as SRV allows you to define weights and prios, so you can load balance to your servers' capabilities.
10:06 janl yes
10:24 ssm joined #mojo
10:28 cpan_mojo Mojolicious-Plugin-ContextResources-0.01 by RSHADOW https://metacpan.org/release/RSHADOW/Mojolicious-Plugin-ContextResources-0.01
10:29 polettix joined #mojo
10:38 parv joined #mojo
11:13 tchaves joined #mojo
11:22 rshadow joined #mojo
11:25 rshadow joined #mojo
11:26 tchaves joined #mojo
11:28 rshadow joined #mojo
12:50 polettix joined #mojo
13:09 asarch joined #mojo
13:18 osfabibisi joined #mojo
13:37 stryx` joined #mojo
13:38 gryphon joined #mojo
14:02 gizmomathboy joined #mojo
14:09 q_gone joined #mojo
14:10 Pyritic joined #mojo
14:13 ramortegui joined #mojo
14:17 khfeng_ joined #mojo
14:17 Pyritic joined #mojo
14:59 mcsnolte joined #mojo
15:00 orev joined #mojo
15:42 orev joined #mojo
15:50 ashimema joined #mojo
15:54 rshadow joined #mojo
16:00 Pyritic joined #mojo
16:30 batman joined #mojo
16:38 Janos joined #mojo
16:39 zivester joined #mojo
16:42 lluad joined #mojo
16:42 Zen_ I prefork 6 workers, and just saw that when one of those workers gets to one of my .pm files which on their turn use a rather big .pm file that the allocated memory in use from that worker will stay instead of cleaning up after it's done
16:42 Zen_ is there maybe a way to force itself to clean up or maybe another approach resulting in something like this?
16:45 coolo Zen_: no, perl doesn't return memory to the system. you can tweak the -a and -r options so the workers will restart after some time
16:47 Zen_ thank you coolo, I was already afraid this would be the case: where do those -a and -r options apply to?
16:48 coolo the prefork command. where you have now -w 6
16:49 Grinnz on top of that, loaded .pm files never "unload" normally
16:49 Grinnz subsequent calls to use or require will not need to reload the module from the filesystem thus
16:52 Zen_ Grinnz: yeah I know, and I should have known that preforking would do this, just trying to clean it up a little :)
16:53 Zen_ thank you for your answers and info!
16:53 Grinnz if it's really a problem, you could run the code which loads the large module in a(nother) subprocess using Mojo::IOLoop->subprocess
16:54 Grinnz which i think i should write a plugin for like ForkCall has :P
16:54 Grinnz basically, using the delay helper if using it in a mojolicious action
16:55 Zen_ woa, that sounds even better
16:56 Grinnz https://metacpan.org/source/JBERGER/Mojo-IOLoop-ForkCall-0.17/lib/Mojolicious/Plugin/ForkCall.pm#L21-34
16:56 Grinnz do this, but with Mojo::IOLoop->subprocess
16:56 jberger I suspect I will end up deprecating ForkCall at some point
16:57 Grinnz do you (jberger and sri) think it would be worth putting a plugin like that in core or should i just release it to cpan?
16:57 jberger I personally have never used that, I think it was only you :P
16:58 Zen_ Grinnz: thanks man! will try to
17:10 disputin joined #mojo
17:17 rshadow joined #mojo
17:20 polettix joined #mojo
17:20 dotan_convos joined #mojo
17:40 disputin joined #mojo
17:47 jzawodn joined #mojo
17:48 rshadow joined #mojo
18:01 rshadow joined #mojo
18:02 Pyritic joined #mojo
18:18 dod joined #mojo
18:29 rshadow joined #mojo
18:41 onix joined #mojo
18:42 wilma joined #mojo
18:52 rshadow joined #mojo
19:03 rshadow joined #mojo
19:06 polettix joined #mojo
19:07 gizmomathboy joined #mojo
19:24 PryMar56 joined #mojo
19:58 rshadow joined #mojo
20:03 tledet joined #mojo
20:07 ribasushi joined #mojo
20:09 inokenty joined #mojo
20:17 sri someone please ask charlie brady on the mailing-list to make a minimal test case
20:19 sri and OMG, Arrival is one of the best movies i've ever seen
20:19 genio can confirm! was very good (much better than I expected).
20:21 stephan48 yes
20:21 stephan48 i was glad i watched it in the cinema
20:38 jberger Arrival was really good
20:38 jberger even the wife really liked it
20:40 mishanti1 That's the "sign language but with aliens" movie right?
20:41 jberger yeah
20:41 mishanti1 The trailer looked awesome.
20:43 jberger so many movies to see this month
20:43 mishanti1 s/this month/this life/
20:43 jberger fantastic beasts, rogue one, passengers
20:48 polettix joined #mojo
22:22 gryphon joined #mojo
22:22 ramortegui left #mojo
23:50 dvinciguerra joined #mojo
