IRC Archive for channel #xwiki on 20 March 2010
Last modified by Vincent Massol on 2012/10/18 19:11
{{{
nickless left at 03:38 (Ping timeout: 240 seconds
vmassol joined #xwiki at 08:02
nickless joined #xwiki at 09:18
DV__ left at 09:32 (Ping timeout: 264 seconds
mflorea joined #xwiki at 09:44
DV joined #xwiki at 09:59
CalebJamesDeLisl - (10:05): Good morning, I think I'm going to override the LiveValidation borders in the registration page on xwiki.org, and remove them from the css file for future releases. In toucan, they cause the text below to shift.
vmassol - (10:06): good morning caleb
CalebJamesDeLisl - (10:07): Good morning, I've been playing with a FF addon called perspectives which bypasses CA signatures if the site's key has been the same (stored on some mit servers.) neat stuff.
CalebJamesDeLisl - (10:08): I'll have to tell bblfish. I think this could be integrated into foafssl.
xenon75 joined #xwiki at 10:11
xenon751 joined #xwiki at 10:11
xenon75 left at 10:11 (Read error: Connection reset by peer
xenon75 joined #xwiki at 10:13
xenon751 left at 10:13 (Read error: Connection reset by peer
DV left at 10:16 (Ping timeout: 256 seconds
tmortagne joined #xwiki at 10:17
tmortagne left at 10:17 (Client Quit
florinciu joined #xwiki at 10:20
headache joined #xwiki at 10:23
headache - (10:23): hello
xenon75 left at 10:30 (Quit: Leaving.
CalebJamesDeLisl - (10:35): Hi headache, is it just me or is everyone getting a big aggravating panel on the left side of the google search today?
sdumitriu joined #xwiki at 10:36
headache - (10:37): CalebJamesDeLisl, I've noticed no change
headache - (10:37): however could be some new feature
headache - (10:37): maybe something semantic
headache - (10:37): :D
headache - (10:37): maybe...
CalebJamesDeLisl - (10:38): Meh, I've already got a greasemonkey script to deal with it.
headache - (10:40): :D
tmortagne joined #xwiki at 10:59
tmortagne - (11:02): sdumitriu: hi, would you have any idea why the jsx at http://l10n.xwiki.org/xwiki/bin/edit/L10N/Flags?editor=object is not loaded ? it used to work well, core version did not change, only thing i can see is maybe a restart
tmortagne - (11:02): would that be that in this version there is a bug that makes jsx not loaded when restarting xwiki ?
tmortagne - (11:02): (2.0.4 it seems)
tmortagne - (11:03): i did not try to resave it yet
tmortagne - (11:03): it wanted to know what was the issue (i don't plan to resave it each time the wiki is restarted)
tmortagne - (11:04): s/was/is/
tmortagne - (11:05): btw i'm only talking about jsx set as "Always" loaded
sdumitriu - (11:06): Do you mean ssx?
tmortagne - (11:06): i mean XWiki.StyleSheetExtension
tmortagne - (11:06): so yes ssx sorry
tmortagne - (11:07): but i guess that's the same behavior
CalebJamesDeLisl - (11:07): Hmm http://l10n.xwiki.org/xwiki/bin/ssx/L10N/Flags loads fine.
tmortagne - (11:08): sure but that's not the issue
tmortagne - (11:08): it's not listed in the <head>
tmortagne - (11:09): it's not automatically loaded
sdumitriu - (11:10): I've seen this problem on the incubator, too
vmassol - (11:11): the strange thing is that the l10n wiki hasn't been upgraded
tmortagne - (11:11): yes but it's possible it has been restarted
tmortagne - (11:11): sdumitriu: how the list of extension "Always" is loaded ? for each page ? or is it when you save the extension ?
sdumitriu - (11:12): Yes, when you save the extension
tmortagne - (11:12): so maybe the issue is that it's not reloaded at startup
tmortagne - (11:12): in this version at least
tmortagne - (11:13): maybe it is now
tmortagne - (11:13): do you remember something like that ?
sdumitriu - (11:14): I have an idea, I'll check it in a few minutes
sdumitriu - (11:14): (now eating...)
tmortagne - (11:15): hmm CssSkinExtensionPlugin does not seem to do anything at startup
tmortagne - (11:15): ha it's in AbstractDocumentSkinExtensionPlugin probably
tmortagne - (11:16): same thing it just register events
DV joined #xwiki at 11:16
tmortagne - (11:17): if that's the issue, it's weird we did not see that before since it makes this kind of extension unusable
sdumitriu - (11:23): tmortagne: Please check exactly what version of the xwiki-skinx plugin is used on that wiki
tmortagne - (11:24): it's a standard 2.0.4 AFAIK
tmortagne - (11:24): but as i just looked at trunk skinx and it does not seem to load extension at startup either
tmortagne - (11:26): going to eat, back in 30 min
DV left at 11:26 (Read error: Connection reset by peer
DV joined #xwiki at 11:26
CalebJamesDeLisl - (11:32): $xwiki.getDocument("L10N.Flags").getContentAuthor() == XWiki.AndreasJonsson
sdumitriu - (11:33): Ah, wait
CalebJamesDeLisl - (11:33): / Only add the extension as being "always used" if the page holding it has been saved with programming rights.
sdumitriu - (11:33): AlwaysUsed extensions are used only when the author has admin rights
sdumitriu - (11:33): Or programming, right
marta joined #xwiki at 11:33
CalebJamesDeLisl - (11:34): Love that preview button.
sdumitriu - (11:36): Which one?
CalebJamesDeLisl - (11:36): In the edit window, open my profile, edit, write some code, preview.
CalebJamesDeLisl - (11:37): Wonder why the notification function isn't working, it should have stopped working on save.
headache left at 11:49 (Ping timeout: 240 seconds
tmortagne - (11:50): sdumitriu: ok that makes sense, so i should move this object in another document then
tmortagne - (12:07): sdumitriu, CalebJamesDeLisl: thanks for your help, all is working well now
bblfish joined #xwiki at 12:07
headache joined #xwiki at 12:08
CalebJamesDeLisl - (12:08): bblfish: I found something you might be interested in: http://www.cs.cmu.edu/~perspectives/firefox.html
CalebJamesDeLisl - (12:09): Bypass the firefox self signed key cop, I am looking at the code and it looks like we can make it validate the website using foaf+ssl
bblfish - (12:11): that sounds good. But it won't be widely deployed enough to start off with. It is something to keep in mind though, along with the option of doing something more general with DNSsec
bblfish - (12:11): initially we are just going to have to pay those CAs
bblfish - (12:11): but it's something we should try to fix, I agree
CalebJamesDeLisl - (12:13): I was thinking of it as another option so we can support 3 ways of connecting.
CalebJamesDeLisl - (12:14): 1. bounce off of foafssl.org or some other site, 2. get your site ca signed, 3. use foafssl to authenticate the user and the website :)
CalebJamesDeLisl - (12:16): bblfish: The CA model is already quite broken, not sure if you saw my message earlier but read this: https://blog.startcom.org/?p=145
tmortagne left at 12:17 (Quit: Leaving.
bblfish - (12:17): yes, I saw the talks by Dan Kaminsky at HAR http://is.gd/aPfo5 (view with FF).
bblfish - (12:17): and at Chaos Communication Congress
bblfish - (12:18): He was quite positive about foaf+ssl though
bblfish - (12:18): the problems disappear with dnssec, as CAs are no longer needed
bblfish - (12:18): but we can get going with the system as it is
bblfish - (12:19): when it comes into place things will just be a lot easier
CalebJamesDeLisl - (12:24): I admit I have to read more about dnssec. The problem I see now with dns is that the root servers can still MITM you.
CalebJamesDeLisl - (12:24): (that's with the dns we have now)
bblfish - (12:24): DNS is about to fall over
bblfish - (12:24): that is why DNSsec is being implemented
bblfish - (12:25): the US government and the owners of .com are starting to deploy it
bblfish - (12:25): that was the message of all the talks at HAR on the subject
CalebJamesDeLisl - (12:27): I know .se has dnssec implemented. I just downloaded the pdf...
DV left at 12:31 (Read error: Connection reset by peer
CalebJamesDeLisl - (12:39): Reading the wiki: "These starting points are known as trust anchors and are typically obtained with the operating system or via some other trusted source." hmm looks like the CA model...
bblfish - (12:39): which wiki?
CalebJamesDeLisl - (12:41): wikipedia.
CalebJamesDeLisl - (12:42): "Other countries are concerned about U.S. control over the Internet, and may reject any centralized keying"
bblfish - (12:43): ah ok
bblfish - (12:43): yes, that's the problem. But the other option is the internet breaks down
CalebJamesDeLisl - (12:44): The internet breaks down? how?
bblfish - (12:44): without DNS no internet
CalebJamesDeLisl - (12:44): You are suggesting that the DNS will just seize up.
CalebJamesDeLisl - (12:44): ?
bblfish - (12:44): watch Dan Kaminsky's talk
bblfish - (12:45): yes, you can hack a DNS server in 2 months
bblfish - (12:45): and it is getting easier all the time
bblfish - (12:45): so all financial transactions are at risk
mflorea left at 12:45 (Quit: Leaving.
bblfish - (12:46): I think you can imagine that when something this big is a problem, people find solutions
bblfish - (12:46): or political problems are solved
CalebJamesDeLisl - (12:46): Can you point me to the exact video, I see a lot.
bblfish - (12:46): Search Dan Kaminsky
CalebJamesDeLisl - (12:47): Lots of videos, where was it taken?
bblfish - (12:47): It's all on the page
bblfish - (12:48): HAckers at Random, Holland
bblfish - (12:48): HAR
CalebJamesDeLisl - (12:48): Is the point that dns can be spoofed because I know it can.
bblfish - (12:48): yes, very fast
bblfish - (12:48): pretty easily
bblfish - (12:49): and usually X509 comes to the rescue
bblfish - (12:49): but it can't
bblfish - (12:49): that's his point
bblfish - (12:49): that is why the CAs have to be built into the DNS
CalebJamesDeLisl - (12:49): Ok now I'm interested, you're saying https can be spoofed?
bblfish - (12:50): watch the video
CalebJamesDeLisl - (12:50): All right, be back when it's done.
bblfish - (12:50): The point is the problem is MASSIVE
bblfish - (12:51): and part of it is a problem of X509, because it was thought to be the solution
bblfish - (12:51): but that does NOT mean https won't continue to exist
bblfish - (12:51): or be the right solution - it's just that DNS has to change
CalebJamesDeLisl - (12:53): I'm at har and still can't find the video, is it one of the videos at your blog?
bblfish - (12:54): yes, you have to watch it on Firefox
bblfish - (12:54): (I hope the videos are still available)
bblfish - (12:55): as they are ogg video format
CalebJamesDeLisl - (12:55): Ok it looks like the second video down.
CalebJamesDeLisl - (12:58): Downloading the file, it's skipping bad.
CalebJamesDeLisl - (12:59): I heard the first minute or so and he points out the problem I pointed out, you have to trust a bunch of CAs you don't know.
CalebJamesDeLisl - (13:01): I can see why verisign would want to apply the CA model to the .com and .net zones (which they control) because they are a huge CA.
xenon75 joined #xwiki at 13:02
CalebJamesDeLisl - (13:08): bblfish: Movie still downloading... Can you explain to me how this works? I go to website x but dns is spoofed, and I get website y. How does site y get its web address signed so my browser accepts it?
bblfish - (13:10): when I watch it in FF it plays immediately
CalebJamesDeLisl - (13:10): Yes it skipped badly though.
CalebJamesDeLisl - (13:11): Am I to understand that the gist of the problem is that I can get a signed key for a web address that isn't mine because the CAs don't know the DNS guys?
sdumitriu - (13:43): Hm, I thought that XWIKI-4637 was fixed already...
vmassol - (13:44): I thought it was too
vmassol - (13:44): have you checked fisheye?
vmassol - (13:44): IMO jerome forgot to close it (he forgets quite frequently to close issues ;))
sdumitriu - (13:45): I'll check if it was included in 2.2 also
vmassol - (13:45): yes it is
vmassol - (13:45): I changed the fix for
vmassol - (13:46): closing it
sdumitriu - (13:46): Yep
sdumitriu - (13:47): Components: templates and UI
vmassol - (13:47): ah can you change it?
sdumitriu - (13:47): Sure
vmassol - (13:47): (I put core without knowing)
bblfish - (13:54): CalebJamesDeLisl: I just rewatched the video. He only talks about it right at the end
bblfish - (13:54): I think his last video at CCC was better
sdumitriu - (13:55): bblfish: Caleb doesn't speak french that well
bblfish - (13:55): as far as we are concerned
CalebJamesDeLisl - (13:55): (At all :) )
CalebJamesDeLisl - (13:56): Watched almost all of the video, very funny.
bblfish - (13:56): ah sorry
CalebJamesDeLisl - (13:56): He's just getting to the dnssec stuff.
bblfish - (13:56): Yes, I was saying he mentions what I was talking about at the end
bblfish - (13:56): In the CCC at Xmas that is the main focus
bblfish - (13:56): Let me see if I can find that video
CalebJamesDeLisl - (13:57): I still don't see why we need to mess with dns just to get ssl to work but I still have 5 minutes left on the video.
bblfish - (13:58): this http://events.ccc.de/congress/2009/Fahrplan/events/3658.en.html
bblfish - (13:58): yes, he gets there right at the end
bblfish - (13:58): the next video goes into more depth
bblfish - (13:59): I am downloading that
CalebJamesDeLisl - (14:00): I suppose you already know I get paranoid about new technology (especially when people want to force everybody on to the "new internet") My feeling is fix the problem with ssl, dns wasn't and shouldn't be about trust.
bblfish - (14:01): yes. as I say in the last few minutes he points out that you can use DNS-SEC to put your certificate in the DNS
bblfish - (14:01): but he just touches on it
sdumitriu - (14:02): Caleb, did you watch "That 70's Show"?
CalebJamesDeLisl - (14:02): I don't have tv :)
CalebJamesDeLisl - (14:02): But I'm the phes guy right? Someone told me that.
sdumitriu - (14:02): Neither do I, but there's the internet
sdumitriu - (14:03): No, you're Hyde
CalebJamesDeLisl - (14:03): I'll have to look up the wiki on Hyde.
sdumitriu - (14:04): My favorite guy
bblfish - (14:08): anyway he even has a wikipedia page http://en.wikipedia.org/wiki/Dan_Kaminsky
vmassol - (14:08): sdumitriu: and you're Jekyll?
vmassol - (14:09): :)
sdumitriu - (14:09): vmassol: I guess you didn't watch that 70s show either
vmassol - (14:09): nope
bblfish - (14:19): CalebJamesDeLisl: on that wikipedia page is a link to the DNS spoofing attack
bblfish - (14:19): and a wired article
CalebJamesDeLisl - (14:20): Yea reading about Hyde. lol.
CalebJamesDeLisl - (14:39): Reading the wired article: "could use an automated system to flood a server with an endless stream of guesses. With a high-speed connection, a week of nonstop attacking would likely succeed." c'mon a root dns server and nobody notices for a week that it's being flooded out by somebody's residential fiber line?
marta left #xwiki at 14:46
marta joined #xwiki at 14:46
CalebJamesDeLisl - (14:50): bblfish: I read the article, I tend to take a lot of these super high profile secret security flaws with a grain of salt. Joanna Rutkowska found a cache poisoning attack on every intel processor since 486, Jack C. Louis found out how to knock over any server running tcp, weev figured out how to break firefox with recursive javascript. And yet the internet is still here.
CalebJamesDeLisl - (14:55): dns poisoning is only effective if we use dns for trust which is wrong and if Firefox were to simply store certificates from all ssl sites it viewed, the x509 attacks all become very unlikely to work.
bblfish - (15:03): CalebJamesDeLisl: I am just going to watch the CCC video again
CalebJamesDeLisl - (15:03): I'm downloading your video now.
jvelociter joined #xwiki at 15:08
bblfish - (15:12): I think you will like it a lot
bblfish - (15:12): :-)
bblfish - (15:12): It's real good
CalebJamesDeLisl - (15:15): I'm also hacking my firefox perspectives addon to store every server cert so the x509 attacks would only work if it's the first time you viewed the site.
anamarias joined #xwiki at 15:45
vmassol - (15:50): jvelociter: not sure we should remove these warnings actually
vmassol - (15:51): you could upgrade it to 1.9 and later though
vmassol - (15:51): s/upgrade/update/
vmassol - (15:51): (but even that isn't necessary I think)
jvelociter - (15:51): yeah.. I'm not very sure either. Maybe we should have them in a floating box on the right
jvelociter - (15:51): (right now it's ugly)
vmassol - (15:51): yes, I think we need something normalized for the whole site
jvelociter - (15:52): yep
vmassol - (15:52): some icon that gives the version in it
jvelociter - (15:52): but we are going to redesign the extensions site aren't we ?]
jvelociter - (15:52): :)
vmassol - (15:52): it's not for extensions only
vmassol - (15:52): it's for any content
jvelociter - (15:52): yes it's for everything
vmassol - (15:52): on the whole xwiki.org farm
jvelociter - (15:52): so it needs to be in the skin
jvelociter - (15:52): (or IX)
jvelociter - (15:53): an object of type XWiki.SinceClass or something
jvelociter - (15:53): and hop automagically we add the warning
vmassol - (15:53): sinceclass is too coarse grained
vmassol - (15:53): I think we need annotations actually :p
jvelociter - (15:53): I rolled back the doc for now
vmassol - (15:53): (or something similar)
jvelociter - (15:54): you mean from the annotation feature ?
vmassol - (15:54): since a potion of doc can be related only to a specific version
vmassol - (15:54): *portion
jvelociter - (15:54): yep
vmassol - (15:54): yes I mean as in the annotation feature
jvelociter - (15:54): but you also want to say "this whole feature described in the doc"
sdumitriu - (15:54): Really weird behavior here... I have this code:
sdumitriu - (15:54): #macro(elementMetaData $element)
sdumitriu - (15:54): #themePropertyClasses($element) #inlineStyle($element)##
sdumitriu - (15:54): #end
sdumitriu - (15:54): Which generates something absurd. If I add another letter, like in:
sdumitriu - (15:54): #macro(elementMetaData $element)
sdumitriu - (15:54): asd
sdumitriu - (15:54): #themePropertyClasses($element) #inlineStyle($element)##
sdumitriu - (15:54): #end
sdumitriu - (15:54): it suddenly works better. If I remove the extra line and save again, it goes right back to the absurd result
jvelociter - (15:54): you want both
vmassol - (15:54): so either annotations or
vmassol - (15:55): some special vertical margin
vmassol - (15:55): that can have version icons in it
vmassol - (15:55): and the text on the right of that margin would be for the version specified in the margin
vmassol - (15:55): (or on the left if the margin is located on the right of the screen)
jvelociter - (15:56): for portion of text I agree annotations are ideal
jvelociter - (15:56): though maybe a bit modified
jvelociter - (15:56): since you don't want to associate it to a particular author I guess
vmassol - (15:57): why not?
jvelociter - (15:57): or rather you don't want to display that association
jvelociter - (15:58): i'd say because it's not very relevant
jvelociter - (15:58): but yes you can display it
vmassol - (15:58): it's important to know who made a change
jvelociter - (16:00): yes it's relevant for us
jvelociter - (16:00): "authors"
sdumitriu - (16:05): vmassol, jvelociter: In my fix for XWIKI-4960 I removed any : introduced by a guest user in the username (to prevent impersonating another user)
sdumitriu - (16:06): This means that URLs used as guest names will be broken
sdumitriu - (16:06): Is that OK?
jvelociter - (16:07): then we maybe need a "homepage" field in the comment class
jvelociter - (16:07): it's good value to provide this link, especially when commenting as guest
sdumitriu - (16:08): Yep
jvelociter - (16:08): you want to know who really is the person
sdumitriu - (16:08): OK, good idea
CalebJamesDeLisl - (16:09): sdumitriu: did you test with "XWiki.XWiki.Admin" ? ;)
sdumitriu - (16:09): But otherwise, any points against removing : ?
sdumitriu - (16:09): Caleb: Wow, good catch
CalebJamesDeLisl - (16:09): That's why I didn't try to fix it. You need a loop.
CalebJamesDeLisl - (16:10): Then you have to handle XWXWiki.iki.Admin
CalebJamesDeLisl - (16:10): (If you remove XWiki. from the middle that is.)
sdumitriu - (16:10): No, that's just from the start
sdumitriu - (16:10): Hm, how about just removing all the dots, too?
CalebJamesDeLisl - (16:10): I decided it was a mess and gave up.
CalebJamesDeLisl - (16:11): I think you're safe if you remove all : then remove "XWiki." from the start but do it in a loop.
mflorea joined #xwiki at 16:25
anamarias left at 16:26 (Remote host closed the connection
anamarias joined #xwiki at 16:26
bblfish - (16:27): ok, just watched that video again. He starts off explaining a lot better the importance of DNSsec. He does not go into details about why it is going to be implemented. I think the other HAR talk did that
bblfish - (16:35): I think the big talk about why DNS is fatally broken is http://bert-hubert.blogspot.com/'s talk http://blogs.sun.com/bblfish/entry/camping_and_hacking_at_har2009
bblfish - (16:37): the pdf is here http://bert-hubert.blogspot.com/2009/08/har2009-thoughts-returning-back-to.html
lucaa joined #xwiki at 16:40
jvelociter - (16:47): vmassol: do you have a snippet to delete spam users ?
vmassol - (16:47): yes
jvelociter - (16:47): found a very spammed wiki on myxwiki.org
vmassol - (16:47): both on xwiki.org and on myxwiki.org
jvelociter - (16:47): it's published?
vmassol - (16:47): hold on
CalebJamesDeLisl - (16:55): bblfish: Does this mean flashing all of the home dsl boxes?
bblfish - (16:55): ah yes, those are the weakest points. At FroSCon there was a great talk on how to hack those with javascript
bblfish - (16:56): see the talk "http://programm.froscon.org/2009/events/323.en.html" http://blogs.sun.com/bblfish/entry/froscon_the_free_and_open
CalebJamesDeLisl - (16:56): But dnssec will require reflashing them all?
bblfish - (16:57): no, I think they solve the main routers first, then the OSes will slowly be upgraded
bblfish - (16:57): one problem at a time
CalebJamesDeLisl - (16:58): So no security until every modem supports it.
CalebJamesDeLisl - (16:58): Sounds like ipv6. It might be a nice idea but it's going to stay that way.
CalebJamesDeLisl - (17:00): My only real opposition to dnssec is because of the problems which we don't yet know about. Most of the DNS issues are resolved, with DNSSEC we get to start over.
bblfish - (17:03): watch those videos
bblfish - (17:04): dns without port randomisation can be broken in two sec
bblfish - (17:04): with port randomization in 10 hours
bblfish - (17:04): that is slide 21
bblfish - (17:05): Bert Hubert is quite good, and I think the third video there points to another one
CalebJamesDeLisl - (17:05): Just think of all the people just like me working at the ISPs and backbone companies who know what they know and don't like new tech :)
bblfish - (17:05): yes none of those speakers like DNSsec
bblfish - (17:05): they say so
bblfish - (17:05): but it is unavoidable
CalebJamesDeLisl - (17:07): I think the way the isp and backbone people see it is it's either working or it's broken. If it's broken then we must fix it as soon as possible (not a time for upgrade). If it's working then all you possibly could do is break it.
bblfish - (17:07): let's discuss this in one year
CalebJamesDeLisl - (17:08): You think there will be major change in a year's time?
bblfish - (17:08): that's what the top guys in the field are all saying
CalebJamesDeLisl - (17:10): I'll become more interested when I hear cogent, level3, globalcrossing etc. start pushing it.
CalebJamesDeLisl - (17:17): Actually dnssec would be easy if it were implemented opendns style. Not sure if/how that would work.
anamarias left at 17:20 (Quit: anamarias
bblfish - (17:20): http://bert-hubert.blogspot.com/'s is quite critical of it in his talk
bblfish - (17:20): He wrote an open dns
bblfish - (17:20): PowerDNS
CalebJamesDeLisl - (17:22): I'm listening right now.
CalebJamesDeLisl - (17:22): I say opendns meaning opendns.org
anamarias joined #xwiki at 17:36
CalebJamesDeLisl - (18:07): bblfish: "If you take a look at dns security vulnerabilities in the last 5 years most were dnssec." -bert hubert
CalebJamesDeLisl - (18:07): I really liked his idea about just slapping one more id number on the dns packets.
bblfish - (18:09): the last talk on http://blogs.sun.com/bblfish/entry/camping_and_hacking_at_har2009 is a lot more positive - it also shows that a lot of big providers were deploying it a year ago
bblfish - (18:09): http://www.domainpulse.com/2010/03/18/org-to-enable-dnssec-by-june-2010/
CalebJamesDeLisl - (18:10): I'm in favor of it as long as they don't take down the old dns system, 2 systems are harder to spoof than one.
bblfish - (18:11): http://www.icann.org/en/announcements/announcement-27jan10-en.htm
bblfish - (18:11): http://news.techworld.com/networking/3214097/verisign-dnssec-to-improve-internet-security/
xenon751 joined #xwiki at 18:12
xenon75 left at 18:12 (Read error: Connection reset by peer
CalebJamesDeLisl - (18:13): Hmm, so there's .com .org and .net
CalebJamesDeLisl - (18:14): Unfortunately the root servers are the most highly maintained so it's the home routers that need better security.
CalebJamesDeLisl - (18:18): I guess breakable dns doesn't really matter as long as we have foafssl because a MITM attack would cause the user to be logged in as the wrong username.
headache left at 18:20 (Ping timeout: 240 seconds
bblfish - (18:22): CalebJamesDeLisl: that is where the trick of putting your public key in the DNS registry can do the final trick
bblfish - (18:23): so you put your domain public key in the DNS registry and now you no longer need CAs
bblfish - (18:23): so it is not worth solving that problem for the moment
CalebJamesDeLisl - (18:23): But dnssec is so new and complex that I am for reversing the foafssl process to verify the server.
bblfish - (18:24): foaf+ssl verifies the user
bblfish - (18:24): dnssec the server
CalebJamesDeLisl - (18:24): You got me interested and now you must pay the price :)
bblfish - (18:24): 2 different things
CalebJamesDeLisl - (18:25): Suppose the user connects to the server. The server key has a url just like the user's
CalebJamesDeLisl - (18:25): The user connects to the url and verifies the server key.
CalebJamesDeLisl - (18:25): what do you think?
bblfish - (18:25): the subject alternative name allows you to place a dns in that field
bblfish - (18:25): so it's done
CalebJamesDeLisl - (18:26): Sure we can use dns but why not layer the security?
bblfish - (18:26): I am just saying: it will be worth playing with that when dnssec is on .com and .org
CalebJamesDeLisl - (18:27): And it looks very easy if I make a few small changes to the "perspectives" firefox addon.
bblfish - (18:27): yes, that would be the way to go
bblfish - (18:27): tie it into dnssec, Kaminsky will back you
CalebJamesDeLisl - (18:28): I'm not against using dnssec I just love the foafssl model and I'd like to see it applied in reverse as well.
CalebJamesDeLisl - (18:30): "tie it into dnssec, Kaminsky will back you" So Kaminsky wouldn't like foafssl if it doesn't depend on dnssec?
bblfish - (18:31): no, he wants people to develop cool apps like the one suggested
bblfish - (18:31): at HAR when I told him about foaf+ssl he was the only one to defend it
bblfish - (18:32): ( which is really funny, because I had NO idea about all these issues )
CalebJamesDeLisl - (18:32): I was initially wary of it because I didn't understand it but I see it is simple and has the potential to be very cool.
bblfish - (18:32): :-)
bblfish - (18:33): There is some work getting the browser vendors to change, but they are doing something
CalebJamesDeLisl - (18:33): I don't see the same simplicity in dnssec which is why I'm more reserved about it.
bblfish - (18:34): can you vote on http://code.google.com/p/chromium/issues/detail?id=29784
bblfish - (18:34): by the way EVERYONE at XWIKI should vote on that bug :-)
bblfish - (18:34): see the picture has xwiki in it
CalebJamesDeLisl - (18:35): Everyone with a code.google account.
CalebJamesDeLisl - (18:36): I wouldn't count on any browser vendor to fix their bugs, I think the best we can do is try to implement workarounds.
bblfish - (18:36): the guy at google is very responsive
bblfish - (18:36): look at the picture he put up on that issue
CalebJamesDeLisl - (18:39): That's cool. It might be able to be implemented in a chrome extension.
bblfish - (18:40): I think he might be able to put it in chrome
bblfish - (18:40): for the next release :-)
CalebJamesDeLisl - (18:44): Chrome is 10% of the market, ff is 40 and ie is 30 I think I remember.
bblfish - (18:44): 10% in less than a year is huge!
bblfish - (18:44): They are advertising it on nearly every search page
CalebJamesDeLisl - (18:45): Yea, they pushed it hard right from the start. I think it's a fad, we'll see.
CalebJamesDeLisl - (18:46): +1 for getting firefox to be a little less lazy, this new js engine is fast.
CalebJamesDeLisl - (18:48): If Chrome ruins IE then I'm all for it. You coded for the browser you know what a nightmare IE is.
jvelociter - (18:57): bblfish: voted
bblfish - (18:57): :-)
bblfish - (18:59): what is amazing is that IE is nearly down to 50% now
CalebJamesDeLisl - (19:04): The sum of IE 6, 7, and 8 I got from w3schools has them at 35.3% and they were over 90% at one time.
mflorea left at 19:21 (Quit: Leaving.
DV joined #xwiki at 19:47
xenon751 left at 19:55 (Quit: Leaving.
anamarias left at 20:05 (Ping timeout: 264 seconds
anamarias joined #xwiki at 20:05
vmassol left at 20:11 (Quit: Leaving.
jvelociter left at 20:20 (Quit: jvelociter
bblfish - (20:22): the wikipedia article on dnssec is good
bblfish - (20:22): [[
bblfish - (20:22): Many are interested in deploying DNSSEC at the root level. If deployed widely at the root level, DNSSEC could support distribution of public keys associated with any arbitrary domain name, countering many spam and spoof attacks. Having a few DNS root-level DNSSEC public keys would greatly simplify the deployment of DNSSEC resolvers, since those few keys could be the basis for any other key.
bblfish - (20:22): ]]
LadySerena joined #xwiki at 20:29
CalebJamesDeLisl - (20:29): Haha, I got firefox to store every key to every ssl site I visit!
CalebJamesDeLisl - (20:30): Now I just have to make sure it makes lots of noise if the site has a signed key which is different and the stored key isn't expired.
CalebJamesDeLisl left at 20:49 (Quit: The user has gone to sleep.
CalebJamesDeLisl joined #xwiki at 20:49
LadySerena - (21:37): I have an issue with images I upload into XWiki. They keep disappearing on me.
nuvolari - (21:38): rawr!
LadySerena - (21:38): mew!
nuvolari - (21:38): :P
DV left at 21:38 (Ping timeout: 240 seconds
LadySerena - (21:39): like, I upload an image, and then when I try to view it, it's blank, and when I check the attachments for the document, it says that attachment is 0 bytes.
nuvolari - (21:39): I'm tired. g'night everyone :)
anamarias - (21:59): sdumitriu: saving LargeStringProperties as object as attributes instead of simple StringProperties does it lead to any performance issues ?
LadySerena - (21:59): why do my images keep disappearing?
sdumitriu - (21:59): anamarias: Nothing noticeable
sdumitriu - (22:00): If you need the extra characters, feel free to use LargeString
anamarias - (22:00): and what is the internal database representation for LargeStringProperties ?
sdumitriu - (22:00): Usually varchar
sdumitriu - (22:00): But depends on the database
anamarias - (22:00): not blobs, right?
DV joined #xwiki at 22:01
sdumitriu - (22:01): No, not blobs
anamarias - (22:01): good
sdumitriu - (22:01): The only blobs are attachment content
anamarias - (22:01): another question, why are there 2 types if the performance is almost equal?
sdumitriu - (22:01): Hm, maybe not even those
anamarias - (22:02): why aren't there only LargeStringProperties
sdumitriu - (22:02): Because you can't index on varchar
anamarias - (22:02): ah! ok :p
sdumitriu - (22:02): Well, that's not a really good motive
sdumitriu - (22:02): Since we don't index StringProperties anyway
sdumitriu - (22:03): Personally I don't agree with different database types and different length limitations
sdumitriu - (22:03): I like the way embedded databases do it
anamarias - (22:07): ok, thanks a lot sdumitriu
sdumitriu - (22:11): LadySerena: Back to you
sdumitriu - (22:11): What's the problem?
LadySerena - (22:12): sometimes when I view an image I've attached, the image gets cleared (as in its length goes to 0 bytes)
sdumitriu - (22:12): Can you check the database?
sdumitriu - (22:13): In the database, is the image present?
LadySerena - (22:15): xwikiattachment: says servercollection.jpg is 684062
LadySerena - (22:16): "SELECT * FROM `xwikiattachment_content` WHERE `XWA_ID` = -1880827536 LIMIT 0 , 30" <-- zero rows
sdumitriu - (22:17): Why do you use a different XWA_ID?
LadySerena - (22:17): O.lo
LadySerena - (22:17): that's what it shows in xwikiattachment
sdumitriu - (22:18): OK, then the problem is:
sdumitriu - (22:18): Trying to save the attachment fails
sdumitriu - (22:18): The uploaded image remains in the cache
LadySerena - (22:18): o.o
sdumitriu - (22:18): At some point the image is evicted from the cache (fixed size LRU)
LadySerena - (22:18): so then why does it show an image the first few times I view it?
sdumitriu - (22:18): Then, loading it back from the database, it's actually missing
LadySerena - (22:19): and the solution is?
sdumitriu - (22:19): So, it's normal that it's going AWOL, it's not normal that it fails to get into the database
sdumitriu - (22:19): You should monitor the logs when uploading the file
sdumitriu - (22:19): How big is the image?
sdumitriu - (22:20): Are you on mysql?
DV left at 22:20 (Ping timeout: 258 seconds
LadySerena - (22:20): 684,062 bytes (according to Finder)
sdumitriu - (22:20): There's a default max_packet_size that could forbid large images from being uploaded
LadySerena - (22:20): and ya, I'm using MySQL
LadySerena - (22:22): and I have 1048576 as my max_allowed_packet
sdumitriu - (22:22): Yep, that's it
sdumitriu - (22:23): The image is stored as Base64
LadySerena - (22:23): ...
sdumitriu - (22:23): Which increases the size
LadySerena - (22:23): omg
LadySerena - (22:23): ya, I've done Base64
LadySerena - (22:23): so it looks like I need to double that number
sdumitriu - (22:25): To test it:
sdumitriu - (22:25): - upload the image
sdumitriu - (22:25): - in a page, write: {{velocity}} $xwiki.flushCache() {{/velocity}}
sdumitriu - (22:25): - look at the image
sdumitriu - (22:25): - increase max_paket_size, restart mysql
sdumitriu - (22:25): - repeat the test
sdumitriu - (22:25): max_allowed_packet, sorry
LadySerena - (22:27): updated /etc/mysql/my.cnf
LadySerena - (22:27): issued command: pfexec svcadm restart mysql:version_51
LadySerena - (22:29): yep, now it's there
DV joined #xwiki at 22:29
sdumitriu - (22:31): Normally there should be an exception shown when this occurs
sdumitriu - (22:31): Telling exactly to increase max_allowed_packet
CalebJamesDeLisl left at 23:06 (Quit: The user has gone to sleep.
CalebJamesDeLisl joined #xwiki at 23:06
xenon75 joined #xwiki at 23:13
xenon75 left at 23:24 (Ping timeout: 260 seconds
anamarias left at 23:30 (Quit: anamarias
}}}