• 1 Post
  • 421 Comments
Joined 1 year ago
Cake day: August 9th, 2023




  • Yeah, that’s my thinking, too. But the library only takes b64.

    Edit: also, if anything, this system reduces the benefit of strong typing. You can feed whatever string you want into it and the compiler will say it’s OK, even if it would fail at run time. If it were a Vec<u8>, then the compiler can check things. Especially if you do something to let the compiler enforce the length (if possible).

    Or hand over a UUID object directly. Yeah, it ties it to a specific library, but it’s either that or you’re not taking full advantage of strong typing.

    Or just have a sensible default implementation.



  • None of this has much to do with type safety at all. A dynamically typed language might have a Salt object that has a constructor that takes a base64 string. If its common uuid library doesn’t output base64, then you can’t use it directly.

    Nor does a specific uuid library matter much. It just needs to be able to output base64 strings, which is an uncommon uuid encoding, but it’s out there.

    Nor does type safety prevent providing a sensible default implementation.

    The crate uses phc strings, which store the salt together with the hashed password, so no, it can handle it all on its own.

    There was just no thought into how components work together.



  • Edit: for any possible future readers, there is a sensible default that I hadn’t found yet during this work in progress. It’s just in a different struct: SaltString::generate().

    I’d like it better if things were designed to work together better.

    Right now, I’m working on a password storage system using the password_hash crate. You need to provide the salt yourself; this is already a bit silly for not providing a simple default that just gives you 16 bytes from a CSPRNG, but let’s continue.

    You read the Salt struct documentation, and it talks about UUIDs being pretty good salts (well, using v4, anyway). So that pushes you toward the uuid crate, right? Except no. That crate doesn’t produce formats that the functions on the Salt struct will accept, like base64. So maybe the uuid_b64 crate will do it? I don’t think so, because that crate uses a URL-safe version of base64, and it’s not clear Salt will take that, either.

    You’re now forced to use a cumbersome interface from the rand crate to make your salt. I’m still working through some of the “size not known at compile time” errors from this approach.

    All of which would work better if there was a little thought into connecting the pieces together, or just providing a default salt generator that’s going to do the right thing 90% of the time.

    Don’t get me started on how Actix hasn’t thought through how automated testing is supposed to work.
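
The encoding question raised in the comment above, as an added example (not code from the post or from the password_hash crate): 16 CSPRNG bytes encoded as unpadded standard base64, next to the URL-safe alphabet, checked against the salt character set `[a-zA-Z0-9/+.-]` from the PHC string format specification. The helper names are hypothetical, `/dev/urandom` assumes a Unix-like host, and only `std` is used.

```rust
use std::fs::File;
use std::io::Read;

const STD: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const URL: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64 of `data` using the given 64-character alphabet.
fn b64_nopad(data: &[u8], alphabet: &[u8; 64]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        // Pack up to three bytes into the top 24 bits of `n`.
        let mut n = 0u32;
        for (i, b) in chunk.iter().enumerate() {
            n |= (*b as u32) << (16 - 8 * i);
        }
        // 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars.
        for i in 0..=chunk.len() {
            out.push(alphabet[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
        }
    }
    out
}

/// Assumption: salt charset taken from the PHC string format spec.
fn phc_salt_charset_ok(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|c| c.is_ascii_alphanumeric() || b"/+.-".contains(&c))
}

/// 16 bytes from the OS CSPRNG (the same size as a UUID's raw bytes).
fn random_salt_bytes() -> std::io::Result<[u8; 16]> {
    let mut buf = [0u8; 16];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf)
}

fn main() -> std::io::Result<()> {
    let salt = b64_nopad(&random_salt_bytes()?, STD);
    println!("random salt: {} (charset ok: {})", salt, phc_salt_charset_ok(&salt));

    // Constructed 16-byte value that forces alphabet index 63 to appear.
    let bytes = [0xffu8; 16];
    for (name, alphabet) in [("standard", STD), ("url-safe", URL)] {
        let s = b64_nopad(&bytes, alphabet);
        println!("{}: {} (charset ok: {})", name, s, phc_salt_charset_ok(&s));
    }
    Ok(())
}
```

The URL-safe output fails the check only when index 63 (`_`) occurs, so a URL-safe encoder can appear to work for some random values and fail for others.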










  • France, Germany, and Austria all have a military-industrial complex problem. MIL money might not dominate their politics the same way as the US, but there is a problem there.

    Even with their post-WW2 defensive militaries, Germany and Austria are perfectly ready to sell military hardware to anyone with the cash. H&K, Glock, and Steyr all hail from those two.

    France sold off the Exocet anti-ship missile to just about anyone. As far as I can tell, it has only been fired in anger at the boats of other NATO members. Thanks, France!


  • I think there’s value to mandatory military service when your aims are primarily defensive. Country gets invaded and not only are there lots of people in the army already, but also there’s plenty of reserves who just need refresher training. When you’re the one getting invaded, you usually don’t have problems with motivation unless the current regime has really fucked up.

    When you try to use a largely conscripted army for invasions, like Russia is doing, people start to wonder why the hell they’re doing this.

    Conversely, when your country is known for military adventurism like the United States, it’s easier to motivate volunteers. They signed up for this, and as fucked up as it is, they almost want to be sent off to war in some far off land. England also has generally used a volunteer military throughout its imperialist history. Giving your citizens the choice works better if you’re going to be doing imperialism.

    Thanks for coming to my TED talk.