12:12:46 <tomejaguar> What's the simplest way to do HTTP Auth Basic?
12:57:52 <dcoutts> tomejaguar: happstack server has simple basic auth support
12:58:22 <dcoutts> ACTION notes that we don't use it in the hackage-server because it's too simple
12:58:37 <dcoutts> hackage-server has code for http basic and digest
12:58:44 <HugoDaniel> :)
16:01:47 <tomejaguar> dcoutts: Thanks, I know it's too simple, but I just wanted to hack together something really quickly.  I'll have a look at hackage-server.
16:02:14 <dcoutts> tomejaguar: if it's simple you're after then the happstack server one is fine
16:02:28 <dcoutts> you just give it a Map of username to password and it does it
16:03:25 <donri> and make sure to use happstack-server-tls to secure it
16:04:47 <tomejaguar> That's funny.  Happstack's basicAuth is almost exactly what I ended up writing myself, including "Data.ByteString.drop 6"!
16:05:11 <tomejaguar> I wish I'd spotted your answer before I plunged in ...
16:05:17 <tomejaguar> donri: you are right, of course.
16:06:56 <donri> mhm wouldn't basicAuth be much more flexible and still about as easy to use if it took validLogin as a parameter instead of the Map
16:08:30 <tomejaguar> What's validLogin?
16:08:45 <donri> validLogin name password = M.lookup name authMap == Just password
16:08:53 <donri> it's in the where definitions for basicAuth
16:09:52 <donri> i'm suggesting changing it to basicAuth :: String -> (String -> String -> Bool) -> m a -> m a
16:10:13 <donri> i don't see anything in the code that really needs the Map?
16:10:58 <tomejaguar> Yes you are wise.
16:11:13 <donri> maybe even make the function effectful so you could do database lookups
16:12:08 <donri> maybe better add my version as basicAuthM and keep the other one for back compat ;)
16:12:56 <tomejaguar> What monad would it be done in?
16:13:00 <tomejaguar> m?
16:13:43 <donri> yes
16:14:10 <donri> + maybe add support for digest auth and require tls in both versions
16:14:23 <donri> ACTION adds to his todo
16:14:56 <tomejaguar> Please don't require TLS.
16:15:05 <donri> it's useless without
16:15:26 <donri> except in development
16:15:41 <tomejaguar> Basic Auth is useful for trivial little applications where you want to stop your kids accessing your accounts or something.
16:15:46 <donri> and even then you have to take care to restrict the server to the loopback interface
16:18:20 <donri> tomejaguar: may not need tls for digest, i'd need to research that more though
16:18:42 <donri> i'm not sure if it protects against session hijacking
16:24:30 <donri> stepcut: you know maybe we should add something to the server Conf that controls things like this. like a bool for "development mode" that disables some inconvenient security checks but instead makes it only listen on loopback and reject external requests ...
16:25:02 <donri> tomejaguar: or do you want it for "production" deployments?
16:25:47 <donri> not really advisable, and maybe you shouldn't use security features if you don't want something secure ;) maybe just read a password in the query string? :p
16:26:59 <tomejaguar> Well, all I can say is that it was secure enough for http://www.metapaw.co.uk/projects/metapaw-dip/
16:27:06 <tomejaguar> which was intended for playing games with friends
16:27:43 <tomejaguar> If I'd developed the project further I would have used something more secure, but having Basic auth easily accessible helped ship quicker
16:28:07 <donri> well tls isn't exactly hard to set up
16:28:45 <tomejaguar> Well fair enough.  I've never tried.
16:29:13 <tomejaguar> But when I'm trying to develop a new product all the half-an-hours spent on things that aren't exactly hard to set up can really take away momentum.
16:29:21 <donri> i guess
16:30:09 <donri> i just read so many security blogs where it becomes obvious that most web security problems result from lazy developers who think "it won't really matter" ;)
16:30:36 <tomejaguar> "It doesn't matter *now*" is slightly different.
16:30:55 <donri> not really :p "now" never changes
16:30:56 <tomejaguar> The best solution is to make a decent form of auth no harder to use than HTTP Basic.  Perhaps it's already possible.
16:31:14 <tomejaguar> I was just already familiar with basic.
16:31:25 <tomejaguar> And I knew I could get it out of the door in a few minutes.
16:31:40 <tomejaguar> donri: that's not true, but it does take discipline
16:34:13 <donri> on the other hand if you learn to set up tls it will become easy and part of the routine for new apps to come ;)
16:34:58 <tomejaguar> Is it actually hard?
16:35:08 <tomejaguar> I guess it requires a certificate ...
16:35:33 <donri> you can self-sign, which sorta defeats the purpose, but still works with code that requires TLS :p
16:35:42 <donri> there are also free CAs
16:38:25 <donri> i guess we need nullConf { unsafeI'dLikeToGetHackedPlease = True }
16:41:23 <stepkut> using TLS is almost as easy as using not-TLS
16:41:36 <donri> we do need better docs though ;)
16:41:49 <donri> i seem to recall you did document it, but maybe it was in a blog post or something
16:42:41 <stepkut> http://hub.darcs.net/stepcut/happstack/browse/happstack-server-tls/example/Main.hs
16:44:21 <donri> i suspect the main pain point is having to make the certificates and get them signed
16:44:43 <donri> and i guess they're per domain so you need to do that for each deployment
16:45:18 <donri> and for development i guess you'd self-sign and then you have to tell your browser to accept it
16:45:21 <donri> but not too hard
16:46:52 <donri> to me it seems a bit odd to put a password on something if you don't actually need it to be secure - why then put a password at it to begin with? shrug
16:48:12 <stepkut> it does add some security
16:48:20 <stepkut> and really.. that is all you ever get
16:48:49 <donri> it only adds obscurity, not true security :p
16:48:55 <donri> found docs https://groups.google.com/forum/?fromgroups=#!topic/happs/2Swkp6ga3-g
16:50:58 <stepkut> if you use basicAuth with https, then you are prone to someone sniffing the connection.. but how often is that actually a problem?
16:51:14 <donri> you mean without?
16:51:31 <stepkut> yeah without
16:52:51 <donri> it seems most bad security comes from that line of thinking
16:52:54 <donri> "it won't matter"
16:53:15 <donri> in any case it's a problem on any wlan or network hub
16:53:52 <donri> if we're going to assume that all the ISPs and governments are to be trusted, that is
16:54:27 <stepkut> aren't wlan connections encrypted?
16:54:40 <donri> and if you use something like tor, you have to trust all the exit nodes that are run by some really shady people
16:55:46 <donri> wlan encryption doesn't matter if the attacker has the wifi key :p which is often the case on e.g. internet cafes
16:56:29 <donri> i'm not sure though if wpa fixes that problem or not
16:58:09 <donri> https://en.wikipedia.org/wiki/Promiscuous_mode doesn't seem to mention wpa at all, so i'd suspect not
17:00:59 <stepkut> so, if someone tried to build a site like reddit, that didn't use https, it would never fly?
17:01:21 <donri> reddit doesn't use https right, so it's vulnerable indeed
17:01:46 <stepkut> :)
17:02:17 <donri> as a user you can fix it by using a vpn you trust, but normal users don't do that
17:04:19 <donri> and also you can crack wpa in six minutes for less than $2 with amazon ec2
17:04:57 <mm_freak> donri: why would it?
17:05:05 <mm_freak> promiscuous mode is ethernet layer
17:05:48 <donri> mm_freak: so that page is wrong then? it does mention WLAN as vulnerable
17:06:48 <mm_freak> donri: it is, regardless of which link layer authentication (WPA/WEP/…) you use
17:07:16 <donri> i'm not sure what you're trying to tell me
17:07:35 <mm_freak> donri: you may have a misconception about that mode
17:07:43 <mm_freak> the wifi equivalent is the monitor mode
17:07:48 <donri> probably do, so please enlighten me :)
17:08:19 <mm_freak> monitor mode:  receive all wifi packets, even when you are not associated with the corresponding network
17:08:41 <mm_freak> promiscuous mode:  receive all ethernet packets, even when the destination MAC is not mine
17:08:56 <donri> i don't see how that invalidates anything i said
17:09:16 <mm_freak> donri: it doesn't…  i'm just resolving your misconception =)
17:09:35 <donri> i don't see what my misconception was
17:10:14 <mm_freak> this:  <donri> https://en.wikipedia.org/wiki/Promiscuous_mode doesn't seem to mention wpa at all ⇐ why would it?
17:11:00 <donri> ah. well i did say i wasn't sure if wpa fixed it, i wasn't claiming that it would. so no misconception, rather, conscious ignorance ;)
17:13:01 <stepkut> using authentication without https is like locking your bicycle
17:14:23 <donri> haha i actually thought of a similar analogy the other day. most people use passwords on the internet like a bathroom lock. it's easy to unlock from the outside, it's just a signal to say "private"
17:15:34 <stepkut> yeah
17:15:40 <donri> the idea being that no one is interested in hacking *me* specifically, but of course the real issue is that hacks are often done in bulk, against anyone, everyone
17:15:41 <mm_freak> stepkut: HTTPS also has a drawback
17:15:50 <mm_freak> i need to pay money to people i don't trust
17:16:03 <donri> mm_freak: mhm? there are free CAs
17:16:18 <mm_freak> donri: name one that has made it into the major browsers
17:16:40 <donri> mm_freak: https://www.startssl.com/
17:18:14 <bergmark> what's the deal with this cabal error :O? Trying to install clckwrks and i get: rejecting: web-plugins-0.2.1, 0.2.0, 0.1.2, 0.1.1 (conflict: snap =>
17:18:17 <bergmark> stm==2.3/installed-71d..., web-plugins => stm==2.4.*)
17:18:31 <bergmark> but snap allows stm 2.4...
17:18:45 <dcoutts> bergmark: try --max-backjump=-1
17:18:46 <stepkut> it may allow stm 2.4, but it was built against 2.3
17:18:47 <donri> bergmark: cabal install snap clckwrks
17:19:56 <stepkut> in other news.. I expect web-plugins would work fine with stm 2.3 as well if I changed that bounds
17:20:08 <mm_freak> donri: hmm…  i've heard doubts about them
17:20:16 <donri> oh?
17:20:23 <mm_freak> but who cares…  the rest of the world trusts them, i don't have to
17:20:31 <donri> hehe
17:20:45 <mm_freak> donri: i think they were mentioned in one of those moxie-marlinspike-videos
17:20:55 <donri> i don't know what that is
17:21:11 <bergmark> donri's suggestion works, but shouldn't --force-reinstalls do the trick if i have both snap and clckwrks in my .cabal?
17:21:26 <mm_freak> donri: http://www.youtube.com/watch?v=pDmj_xe7EIQ
17:21:29 <stepkut> bergmark: no idea
17:21:49 <donri> bergmark: that option will leave snap a broken package
17:22:05 <dcoutts> --force-reinstalls is independent of finding a solution
17:22:15 <donri> mm_freak: thanks
17:22:53 <stepkut> my solution is to just remove every problem package and then reinstall
17:23:06 <dcoutts> bergmark: and yes, if your .cabal file has both snap and clckwrks in the build-depends, then that's more or less the same as doing cabal install snap clckwrks
17:23:11 <stepkut> in part, because my system is often broken due to mixing debian and cabal packages
17:23:23 <bergmark> dcoutts: but that's what triggered the problem initially :/
17:23:31 <donri> stepkut: adding the problematic packages to the install invocation should have a similar effect without removing packages
17:24:00 <dcoutts> bergmark: did you try --max-backjumps=-1 ?
17:24:21 <mm_freak> ok, i think my xmonad is sufficiently set up such that i can finally get back to programming =)
17:24:37 <bergmark> dcoutts: doh i typoed =1
17:24:52 <bergmark> let me see if i can get it back to the initial broken state :>
17:25:10 <mm_freak> my incentive to switch back to KDE+compiz seems gone =)
17:25:34 <donri> mm_freak: emacs or vim?
17:29:38 <mm_freak> emacs
17:30:19 <donri> i have this theory that kde users will prefer emacs and vice versa, whereas vim and gnome share more users ;)
17:32:46 <bergmark> --max-backjumps=-1 didn't help
17:33:00 <bergmark> but i can just unregister some stuff of course :)
17:33:18 <mm_freak> donri: i actually started with gnome and emacs
17:33:29 <mm_freak> later i moved to FVWM, then KDE and now xmonad
17:33:33 <donri> mm_freak: don't ruin my confirmation bias!
17:33:39 <mm_freak> i think there was a short XFCE period, too
17:34:05 <mm_freak> donri: you just have to adjust your hypothesis:  emacs users are more drawn to KDE than to gnome =)
17:34:16 <donri> hindsight bias: well of course you would move away from gnome if you were using emacs!
17:35:47 <donri> btw this video is hilarious
18:26:23 <donri> stepkut: http://www.kickstarter.com/projects/435742530/udoo-android-linux-arduino-in-a-tiny-single-board
18:30:28 <bergmark> tried to make a darcs pull request :<
18:30:44 <donri> bergmark: no such thing!
18:30:58 <donri> except "just ask"
18:31:00 <bergmark> tried to do a darcs push :<
18:31:39 <donri> to hub? did you fork and push to your repo
18:31:54 <bergmark> yeah i forked and then
18:32:06 <bergmark> well, i can't even get from my fork
18:32:15 <donri> darcs push oppan-adnam-style@hub.darcs.net:super-awesome-repo
18:32:19 <bergmark> `darcs get AdamBergmark@hub.darcs.net:AdamBergmark/happstack` ?
18:32:30 <donri> no just :happstack
18:32:54 <bergmark> darcs get AdamBergmark@hub.darcs.net:happstack
18:32:54 <bergmark> darcs failed:  Not a repository:
18:33:04 <donri> your syntax is for when you're added to other's repos
18:33:58 <donri> you'd usually use http for get, but that ssh should work too i think...?
18:34:01 <donri> sm?
18:34:14 <bergmark> darcs push AdamBergmark@hub.darcs.net:happstack
18:34:14 <bergmark> darcs failed:  Not a repository: AdamBergmark@hub.darcs.net:happstack ((scp) failed to fetch: AdamBergmark@hub.darcs.net:happstack/_darcs/inventory)
18:34:37 <donri> looks broken
18:34:44 <bergmark> >_<
18:35:36 <bergmark> stepkut: can happstack-hsp just be bumped to allow syb 0.4?
18:36:03 <stepkut> bergmark: if it compiles.. I would say yes
18:36:08 <bergmark> then: yes!
18:41:16 <bergmark> it's breaking my install-everything-interesting.cabal
18:41:59 <stepkut> looks like happstack-authenticate needs some bounds bumps too :-/
18:44:52 <bergmark> bump it up!
18:46:03 <stepkut> ok, happstack-hsp bumped
18:49:09 <bergmark> cool thanks
18:53:33 <bergmark> dep resolution working!
19:05:23 <bergmark> my interesting.cabal has grown way to big :/
19:05:27 <bergmark> too*
19:09:27 <stepkut> :)
19:12:36 <bergmark> cool clckwrks compiled
19:12:38 <bergmark> time to go buy shampoo
19:28:19 <sm> donri, bergmark: yes, according to http://hub.darcs.net/simon/hub.darcs.net-docs/FAQ.md those ssh get and push commands should work
19:30:53 <sm> the repo is there and darcs check passes. bergmark, is your ssh access set up ? ssh AdamBergmark@hub.darcs.net should not say Permission denied (publickey)
19:39:56 <bergmark> sm: ah i hadn't set up a pubkey, i assumed i could use my password
19:42:24 <bergmark> works now, thanks
19:55:46 <sm> bergmark: np
20:41:48 <donri> odd that the error didn't indicate that?
21:14:51 <bergmark> well confusing at least :)
22:24:17 <sm> darcs get is well known for.. less than helpful errors