1 point by dram 4218 days ago | link | parent

Ideally, I would like to see arc3.1 be shown as default, along with a pack containing separate patch files for critical bugs.

And we can treat anarki as a full fork, with no restriction and full freedom.

About the password issue: if PG switches hash, he will surely consider compatibility; without that, all users of HN would need to reset their passwords.

2 points by akkartik 4218 days ago | link

You: "About the password issue: if PG switches hash, he will surely consider compatibility.."

I'll quote PG and RTM again: "Arc is still fluid and future releases are guaranteed to break all your code." http://www.arclanguage.org

I interpret this sentence on the frontpage to mean that he will not be concerned about compatibility. Arc is for exploratory programming. If you have users you're on your own. I really don't see how you can interpret it any other way.

The good news is that migrating passwords isn't hard. I've done it for a site myself.

-----

1 point by dram 4218 days ago | link

PG and RTM may break other code, but I think they will not break their own code, as news.arc is inside of Arc, not outside. :)

I'm curious how you migrated passwords; I thought some more code was needed to migrate them automatically.

-----

3 points by akkartik 4218 days ago | link

Yeah, I wrote some more code :)

First I transformed all existing hashes:

  (maptable [list 'sha512_sha1 (sha512 _)] hpasswords*)

Then, as users log in and I momentarily have their unhashed passwords, I hash them with just sha512, making the hpasswords* value:

  (= hpasswords*.user
     (list 'sha512 (sha512 password)))

Password verification can now use the first element (the 'type') to decide how to hash the password.

-----
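The two-step migration described in the comment above, re-implemented in Python as an added example (not code from the thread or from news.arc): the stored table is assumed to map user to an unsalted sha1 hex digest, as the thread describes, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac

def sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()

def sha512(s):
    return hashlib.sha512(s.encode()).hexdigest()

# Constructed sample in the shape of the legacy hpasswords* table: user -> sha1 digest.
hpasswords = {"alice": sha1("correct horse"), "bob": sha1("hunter2")}

def migrate_all(table):
    """Step 1: wrap every stored sha1 digest in sha512 without knowing any password.
    Mirrors (maptable [list 'sha512_sha1 (sha512 _)] hpasswords*); returns a new
    table whose values are (type, hash) pairs."""
    return {user: ("sha512_sha1", sha512(h)) for user, h in table.items()}

def verify(table, user, password):
    """Step 2: the first element (the 'type') says how to hash the candidate password.
    On a successful login we briefly hold the clear password, so the entry is
    re-stored as plain sha512, which is the (= hpasswords*.user ...) step."""
    entry = table.get(user)
    if entry is None:
        return False
    kind, stored = entry
    if kind == "sha512_sha1":
        candidate = sha512(sha1(password))
    elif kind == "sha512":
        candidate = sha512(password)
    else:
        raise ValueError(f"unknown hash type {kind!r}")
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    if not hmac.compare_digest(candidate, stored):
        return False
    if kind != "sha512":
        # Upgrade only after a successful check; a failed login leaves the entry untouched.
        table[user] = ("sha512", sha512(password))
    return True

if __name__ == "__main__":
    table = migrate_all(hpasswords)
    print(table["alice"][0], verify(table, "alice", "correct horse"), table["alice"][0])
```

The same pattern works unchanged if the target type is a slow password hash rather than sha512; only the branch in verify changes.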

1 point by akkartik 4218 days ago | link

"I think they will not break their own code, as news.arc is inside of Arc, not outside."

But then how would they ever migrate beyond sha1? Would the hundred-year language save passwords in a way that gets more insecure every year?

I think arc's default assumption is that there's no difference between 'inside' and 'outside'. And this is how lisp used to be.

-----

2 points by dram 4218 days ago | link

Another method would be to hash the sha1-hashed values directly, like:

  (sha512 (+ (sha1 pw) user-salt site-salt))

Anyway, existing passwords still need to be migrated manually.

BTW, for security, it is also insecure to pass unhashed passwords around the network, unless you use https.

-----

1 point by akkartik 4218 days ago | link

"BTW, for security, it is also insecure to pass unhashed passwords around the network, unless you use https."

Yes. Though you can get that with apache or nginx.

-----

1 point by akkartik 4218 days ago | link

"Ideally, I would like to see arc3.1 be shown as default, along with a pack containing separate patch files for critical bugs."

This could actually be quite cool! Full transparency; we show the default, and we enumerate its biggest issues along with their fixes. That sets expectations in advance. Yes, make it so :)

-----