Monday, 2010-02-08

../irclogs/#mantishelp.2010-02-08.log
[00:00] --- scribe started ---
[01:11] <CIA-24> Mantisbt: hickseydr master-1.2.x * r5f7cef9d27b1 /core/ (lang_api.php user_pref_api.php): Fix #11394: Lost password email not sent when user language is invalid
[01:11] <CIA-24> Mantisbt: hickseydr * rc8e30df5d714 /core/ (lang_api.php user_pref_api.php): Fix #11394: Lost password email not sent when user language is invalid
[02:02] <CIA-24> Mantisbt: hickseydr master-1.2.x * r8f92d886cede /issues_rss.php: Fix #8539: Special characters not parsed correctly in RSS output
[02:02] <CIA-24> Mantisbt: hickseydr * raa058c53f537 /issues_rss.php: Fix #8539: Special characters not parsed correctly in RSS output
[03:01] <CIA-24> Mantisbt: hickseydr * rcca25660163b / (3 files in 2 dirs): Issue #10059: Select 'duplicate' resolution automatically
[06:48] <davidinc> dhx_m: hello
[06:48] <dhx_m> davidinc: hi
[06:50] <dhx_m> ...?
[06:52] <davidinc> nice 2 c u!
[06:54] <dhx_m> have we talked before? :)
[07:07] <dhx_m> turing test: provide the name of a planet in the solar system :p
[09:01] <Heady|> .
[09:04] <dhx_m> hi
[11:07] <dhx_m> ohhh something exciting:
[11:07] <CIA-24> Mantisbt: hickseydr * r045a89705c3c / (10 files in 5 dirs): Issue #10730: Implement new crypto_api
[11:27] <paul__> dhx_m: maintenance mode???
[11:27] <dhx_m> paul__: sounded better than "MANTIS_INSTALLER" :)
[11:28] <dhx_m> i.e. it loads the MantisDB core in a special maintenance mode for upgrading, installation, etc
[11:28] <dhx_m> i.e. don't connect to the database, don't load plugins, don't check configuration, etc
[11:30] * paul__ isn't sure about this idea :)
[11:31] <dhx_m> neither am I :p
[11:31] <dhx_m> I don't really like the idea of the installer and other admin/ scripts loading the Mantis core at all
[11:31] <dhx_m> IMO they should have their own "core"
[11:31] <dhx_m> where "core" is "minimum operating environment"
[11:32] <dhx_m> i.e. connect to the database, perform startup checks, etc
[11:32] <paul__> I meant crypto changes ;/
[11:32] <paul__> I thought mt_srand got fixed to take a seed
[11:32] <paul__> in php 5.2.x
[11:32] <dhx_m> yes but it's still not cryptographically secure
[11:33] <dhx_m> it is now seeded on each new user request to the server
[11:33] <dhx_m> (preventing problems with keep-alive connections)
[11:43] <paul__> (preventing problems with keep-alive connections)? mm ?
[11:45] <dhx_m> I mean, newer versions of PHP reseed the MT PRNG upon each request made by the user
[11:45] <dhx_m> on keep-alive connections
[11:45] <dhx_m> ... I think?
[11:50] <paul__> I'm just wondering if we're actually fixing a problem or not ;/
[11:58] <dhx_m> #ifdef PHP_WIN32
[11:58] <dhx_m> #define GENERATE_SEED() (((long) (time(0) * GetCurrentProcessId())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C))))
[11:58] <dhx_m> #else
[11:58] <dhx_m> #define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C))))
[11:58] <dhx_m> #endif
[11:58] <dhx_m> from http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/php_rand.h?view=markup
[11:59] <dhx_m> The time is fairly guessable by the attacker
[11:59] <dhx_m> the PID can be the same when PHP is run in a threaded mode
[12:59] <kirillka> hi all
[12:59] <kirillka> arouns?
[12:59] <kirillka> around?
[13:00] <kirillka> ping
[13:05] <ozgurkuru> hello
[13:06] <ozgurkuru> I have a problem with utf8 chars
[13:09] <kirillka> ozgurkuru: what's the problem?
[13:09] <kirillka> dhx_m: ping
[13:09] <kirillka> paul__: ping
[13:09] <dhx_m> killefiz: hi :)
[13:09] <dhx_m> kirillka: hi
[13:09] <dhx_m> wrong person :)
[13:09] <kirillka> dhx_m: :)
[13:09] <ozgurkuru> When I use şş ext I see ??
[13:09] <ozgurkuru> I have a problem with Turkish letters
[13:09] <kirillka> dhx_m: Daryn, how can I delete a remote branch?
[13:09] <ozgurkuru> ş,ğ,İ,ı
[13:10] <kirillka> ozgurkuru: where do you have the problem? in db, in html, letter or rss?
[13:10] <kirillka> dhx_m: David, sorry
[13:10] <dhx_m> kirillka: git push remotereponame :remotebranchname
[13:11] <dhx_m> note the colon in front of the remote branch name
[13:11] <ozgurkuru> kirillka, in db
[13:11] <dhx_m> that tells git to delete the branch instead of pushing it
[13:11] <kirillka> I pushed the wrong branch to the server
[13:11] <kirillka> I want to delete this branch
[13:12] <dhx_m> yep just use the colon prefix to your branch name
[13:12] <kirillka> dhx_m: sorry, I don't understand
[13:13] <dhx_m> let's say your remote repository is named 'mforge'
[13:14] <dhx_m> so you'd normally push branches to it using:
[13:14] <dhx_m> git push mforge somebranch
[13:14] <dhx_m> now, to delete 'somebranch' from the remote mforge repository, you use:
[13:14] <dhx_m> git push mforge :somebranch
[13:16] <kirillka> dhx_m: Oh. I understand.. First part is empty. Thanks
[13:16] <dhx_m> :)
[13:20] <kirillka> dhx_m: One more thanks - I deleted all the wrong branches
[13:20] <dhx_m> ok
[13:21] <kirillka> ozgurkuru: What db collation?
[13:21] <kirillka> ozgurkuru: is it utf8_general_ci?
[13:22] <kirillka> or utf8_turkish_ci?
[13:22] <ozgurkuru> kirillka, utf8_bin
[13:23] <ozgurkuru> but I found the problem columns are latin1, now I'm changing them
[13:24] <kirillka> ozgurkuru: you must change all to utf8, but I may be wrong - I think you must convert to utf8_general_ci
[13:24] <kirillka> not utf8_bin
[13:24] <kirillka> dhx_m: am I right? or wrong?
[13:25] <ozgurkuru> kirillka, ok. Not important, I use a php script for this, it's easy..
[13:37] <dhx_m> I think that's correct
[14:33] <ozgurkuru> kirillka, I solved that problem
[14:33] <ozgurkuru> thanks :D
[14:34] <kirillka> ozgurkuru: welcome
[14:34] <ozgurkuru> I wrote a php script for that
[14:34] <ozgurkuru> I'll publish it in a short time
[14:40] <kirillka> daryn: mo
[14:43] <daryn> hello
[14:45] <paul__> dhx_m: what's php_combined_lcg ?
[14:46] <dhx_m> paul__: http://en.wikipedia.org/wiki/Linear_congruential_generator
[14:55] <paul__> http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/lcg.c?revision=293253&view=markup
[14:56] <paul__> mm
[14:56] * paul__ asks php guys
[15:02] <dhx_m> the current time is predictable
[15:02] <dhx_m> as is the thread ID/process ID
[15:03] <dhx_m> Mersenne Twister uses an LCG to create the initial seed
[15:04] <CIA-24> Mantisbt: hickseydr * reb562360554d / (11 files in 3 dirs): Issue #10730: Use crypto_api for generating nonces and improve hashing
[15:04] <nuclear_eclipse> dhx_m: if we're going to go far enough to start adding salts or whatnot, why don't we just go whole hog and implement bcrypt? :P
[15:05] <nuclear_eclipse> there's a PHP extension for it, and it's the best way to store passwords in the db atm
[15:05] <dhx_m> nuclear_eclipse: well the Hash extension has been part of PHP since 5.1 :)
[15:05] <paul__> dhx_m: regarding your last commit
[15:05] <dhx_m> nuclear_eclipse: I'm using it now (the Whirlpool algorithm in particular) for handling hashes
[15:06] <paul__> dhx_m: what happens if someone has the rssfeed key stored in their client?
[15:06] <dhx_m> paul__: they'll need to update that after my change
[15:06] <dhx_m> paul__: i.e. they just need to click the RSS icon and copy the URL into their client again
[15:07] <dhx_m> the advantage of these changes is users only need to keep one private key/secret: $g_crypto_master_salt
[15:07] <dhx_m> whereas most users before would have been unaware of the need to set those salts themselves
[15:08] <dhx_m> and now they can't even use Mantis without setting $g_crypto_master_salt :p
[15:08] <dhx_m> I think the next thing I need to do is let admins set their password at install time
[15:08] <dhx_m> rather than use 'root' as a default
[15:08] <dhx_m> I'll leave it for now though
[15:24] <paul__> i've got a patch for that
[15:25] <paul__> dhx_m: remember I added db_do_nothing as a schema update into trunk a few months back? ;p
[15:27] <dhx_m> paul__: heh yep :)
[15:27] <dhx_m> so... let's release 1.2.0? :)
[15:28] <paul__> soon
[15:28] <paul__> i'm thinking about this rss change atm
[15:28] <dhx_m> is it ready yet? is it ready yet? is it ready yet? :p
[15:28] <paul__> how do we authenticate rss feeds atm?
[15:29] <dhx_m> via a key derived for each user account
[15:29] <dhx_m> so you pass &rss_key=something in the URL to the RSS feed
[15:29] <dhx_m> as well as your username
[15:29] <dhx_m> and it checks if you have them right
[15:30] <paul__> mm
[15:30] <paul__> I think we should change this :)
[15:30] <dhx_m> my change makes that more secure via using a 384-bit key instead of a 128-bit key (that is derived with a weak salt)
[15:30] <paul__> in moodle
[15:30] <dhx_m> more to the point, we were using md5 before and that is anything but secure these days
[15:31] <paul__> I think they go with an approach of
[15:31] <paul__> for webservices
[15:31] <paul__> allowing people to associate a logon with an account
[15:31] <paul__> so i'm partly wondering if we should allow people to do this for webserviceread, webservicewrite, rssfeeds
[15:32] <paul__> that way
[15:32] <paul__> it would be possible to add functionality via a plugin or whatever to see who is accessing the rss feed and log
[15:32] <dhx_m> see bug 11219
[15:32] <dhx_m> http://www.mantisbt.org/bugs/view.php?id=11219
[15:33] <dhx_m> you could consider the current RSS keys as being automatically generated (weakly mind you)
[15:34] <dhx_m> with one key per user account whether they want it or not
[15:34] <paul__> I see oauth as being a bit irrelevant as well, that's no doubt one of many implementations
[15:34] <dhx_m> I guess the idea behind OAuth and more complex authentication is that you can create multiple logins for yourself, each with potentially lower permissions
[15:35] <dhx_m> so you can make single use accounts for yourself that are deleted after one login, and only have read-only RSS access to a particular project, for instance
[15:35] <dhx_m> OAuth is a layer on top of the required fundamental access control layer in Mantis though
[15:35] <dhx_m> and it seems very complex to me :(
[15:36] <paul__> http://docs.moodle.org/en/Development:External_services_security
[15:37] <paul__> look at the 'simple db' table and the 2 screenshots at bottom
[15:38] <dhx_m> yep I had the same idea in mind
[15:39] <dhx_m> but it'll be somewhat harder for us because those are toy examples
[15:39] <dhx_m> whereas with Mantis you may want much finer control over what external services are allowed to do with your account
[15:40] <nuclear_eclipse> dhx_m: I was still waiting on paul's yet-to-be-seen fixes to columns and ldap....
[15:40] <nuclear_eclipse> paul__: stop getting distracted!
[15:40] * paul__ hasn't been feeling well
[15:40] <dhx_m> nuclear_eclipse: he's never going to commit it :p
[15:40] <paul__> tbh, i've just not been in the mood for doing stuff recently
[15:40] <paul__> :(
[15:41] <paul__> not really been in the mood for doing some work stuff either
[15:41] <dhx_m> can those things wait until 1.2.1?
[15:41] <paul__> the point of sending an email saying 1.2 something in next week
[15:41] <paul__> was to motivate myself ;p
[15:41] <dhx_m> :)
[15:41] <paul__> need to go find someone at work
[15:41] <paul__> brb
[15:41] <dhx_m> anything I can help with?
[15:41] <dhx_m> ok
[15:43] <nuclear_eclipse> dhx_m: the reason I'm waiting is because he's looking at making API changes, and a) I hate making large API changes in a point release, and b) one of the changes I want in 1.2 he told me to hold off on because it would break his ability to merge onto latest... =\
[15:43] <dhx_m> ah hmmm... API changes I'd agree with the need to wait
[15:43] <dhx_m> or move them to 1.3.x
[16:33] <webgambit> I'm trying to tie svn and mantis together, but they're on different servers. Anyone got a minute to lend a hand?
[16:36] <nuclear_eclipse> webgambit: what version of mantis are you using?
[16:37] <webgambit> it was the nightly build from last friday.
[16:37] <webgambit> what i've got is the svn is on a different server from mantis, so this isn't a mantis issue in and of itself.
[16:38] <nuclear_eclipse> webgambit: look at the source-integration plugins that I created for 1.2
[16:38] <webgambit> ok.
[16:38] <nuclear_eclipse> they aren't yet compatible with 1.3 though
[16:38] <nuclear_eclipse> so I hope your nightly build is of 1.2 :P
[16:39] <nuclear_eclipse> http://git.mantisforge.org/w/source-integration.git
[16:39] <webgambit> i'll have to check. :)
[16:39] <webgambit> all I'm trying to do though is get the svn hook post_commit to make the call across servers to let mantis know something happened.
[17:10] <webgambit> nuclear_eclipse: I've downloaded and installed your source control plugins, but I'm thinking they're a bit overkill for what I was wanting to do.
[23:42] <mantisbt_80569> hello
