Re: Policy on global variables

2014-01-16 Thread Eric Wong
Lars Hjemli hje...@gmail.com wrote: On Thu, Jan 16, 2014 at 2:00 AM, Jason A. Donenfeld ja...@zx2c4.com wrote: On Thu, Jan 16, 2014 at 1:59 AM, Eric Wong normalper...@yhbt.net wrote: This. I prefer we keep passing around the ctx variable to keep the code more flexible for future reuse. Of

Re: owner links? (was: author/committer/tagger links -- kernel.org?)

2014-01-16 Thread Jason A. Donenfeld
On Thu, Jan 16, 2014 at 4:28 AM, Kyle J. McKay mack...@gmail.com wrote: On repo.or.cz I've hooked up project owner to a link that shows a list of all projects owned by the same person. So, for example, the owner name is passed in and you end up getting back links like [1] and [2]. (You can

Re: Policy on global variables

2014-01-16 Thread Jason A. Donenfeld
On Thu, Jan 16, 2014 at 11:47 AM, Eric Wong normalper...@yhbt.net wrote: Lars Hjemli hje...@gmail.com wrote: Supporting something like FCGI in cgit will require a fork(2) for each request, before invoking libgit.a functions, since these functions are not generally reentrant (they tend to use

TODO list for next release

2014-01-16 Thread Jason A. Donenfeld
Hi guys, We're getting close to release time. Here's what I'm hoping for between now and then:
- Review lua
- Review authentication filter
- Write tests for authentication filter
- Implement time invariant string compare function in lua for simple-authentication.lua
- Potentially merge or reject

Time Invariant String Comparison

2014-01-16 Thread Jason A. Donenfeld
Hi guys, Over at cgit [1] we use Lua for our authentication framework [2]. One thing we're doing wrong is lines like these:

    if password == post["password"] then

Since an attacker can control the post params, this test is vulnerable to a timing attack, by which an attacker could determine

Re: Policy on global variables

2014-01-16 Thread John Keeping
On Thu, Jan 16, 2014 at 12:31:15PM +0100, Jason A. Donenfeld wrote: On Thu, Jan 16, 2014 at 11:47 AM, Eric Wong normalper...@yhbt.net wrote: Lars Hjemli hje...@gmail.com wrote: Supporting something like FCGI in cgit will require a fork(2) for each request, before invoking libgit.a

Re: Policy on global variables

2014-01-16 Thread Jason A. Donenfeld
On Thu, Jan 16, 2014 at 2:08 PM, John Keeping j...@keeping.me.uk wrote: I had a look at porting to libgit2 about a year ago and it mostly isn't too bad. IIRC the only problematic area is the graph output which we currently get from libgit.a but would have to do ourselves if we switch to

Re: Policy on global variables

2014-01-16 Thread John Keeping
On Thu, Jan 16, 2014 at 07:38:02PM +0100, Jason A. Donenfeld wrote: On Thu, Jan 16, 2014 at 2:08 PM, John Keeping j...@keeping.me.uk wrote: I had a look at porting to libgit2 about a year ago and it mostly isn't too bad. IIRC the only problematic area is the graph output which we

Re: Policy on global variables

2014-01-16 Thread John Keeping
On Thu, Jan 16, 2014 at 10:26:08PM +0100, Jason A. Donenfeld wrote: On Thu, Jan 16, 2014 at 10:21 PM, John Keeping j...@keeping.me.uk wrote: The first step in this direction may actually be useful even if we stick with embedding libgit.a. So what do you think ought to be done with the

Re: owner links? (was: author/committer/tagger links -- kernel.org?)

2014-01-16 Thread Jason A. Donenfeld
On Thu, Jan 16, 2014 at 2:46 PM, Kyle J. McKay mack...@gmail.com wrote: And we use this hook: $owner_link_hook = sub { url_path($Girocco::Config::webadmurl)."/projlist.cgi?name=".md5_hex($_[0]); }; Well, that wound up being totally trivial, and a logical thing to have by

[PATCH] repolist: make owner clickable to search

2014-01-16 Thread Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld ja...@zx2c4.com --- ** MAYBE THIS WON'T BE MERGED ** This is super simple and seems like a no brainer but... As an alternative to this, we could pretty easily pipe the owner through the email-filter, even though the owner name isn't associated with an email

Re: Policy on global variables

2014-01-16 Thread John Keeping
On Thu, Jan 16, 2014 at 10:36:34PM +0100, Jason A. Donenfeld wrote: On Thu, Jan 16, 2014 at 10:34 PM, John Keeping j...@keeping.me.uk wrote: I'm not sure it makes much difference either way. Even if we use libgit2, providing we're not processing more than one request at once we can still

Re: Policy on global variables

2014-01-16 Thread Jason A. Donenfeld
On Thu, Jan 16, 2014 at 11:20 PM, John Keeping j...@keeping.me.uk wrote: At once (as in in parallel), or without needing to fork for every request? I think that many requests serially in the same process is a much more likely scenario (that's what FastCGI does); in that case all we need to do

Re: [RFC] Moving the about tab to the left

2014-01-16 Thread Jason A. Donenfeld
There were no comments about this after I posted this seven months ago, so I'm going to merge this, pending no objections. On May 26, 2013 4:36 PM, Jason A. Donenfeld ja...@zx2c4.com wrote: Hello, I'm considering a cosmetic change that may be controversial. If the about tab is enabled, then