[01:15:35] <Reedy>	 So... Why does RL use md4?
[01:37:07] <RoanKattouw>	 md4? Where?
[01:38:04] <bawolff>	 RoanKattouw: In the caching code for less
[01:38:27] <bawolff>	 i did some git blaming, added in 12afb3607
[01:38:55] <bawolff>	 "ResourceLoaderFileModule.php" line 969
[01:39:30] <bawolff>	 There's a comment at https://gerrit.wikimedia.org/r/#/c/240316/ that its about speed
[01:40:59] <bawolff>	 There are probably better hashes than md4 if its about speed. Murmer or whatever
[01:42:09] <Reedy>	 There's md4 in other parts of the code too :D
[01:43:25] <RoanKattouw>	 Oh, yeah, it's not used as a cryptographic hash
[01:44:04] <RoanKattouw>	 We just need a content hash for cache keys
[01:44:56] <bawolff>	 Its just kind of surprising to see "md4"
[01:45:16] <bawolff>	 but I guess that makes sense. Performance critical and input not maliciously controlled
[01:47:13] <RoanKattouw>	 Yeah I guess for LESS in particular, there is no way for a user to control the input, it only comes from the file system
[01:47:29] <RoanKattouw>	 For JS/CSS minfication and processing, we do allow user input via pages like User:Catrope/common.js
[01:47:44] <RoanKattouw>	 But I don't think we make LESS available there
[01:51:27] <bawolff>	 Even if the user controlled it, I think the worse they could do is stop cache from purging. Not exactly a scary attack
[01:52:21] <RoanKattouw>	 They could replace the output of the LESS compilation for a core module with something else
[01:52:40] <RoanKattouw>	 Although that something else would have to be the result of lessc-ing an input that md4-collides with the core module's LESS
[01:53:10] <bawolff>	 And they have to think that's a better attack then just putting malicious stuff in MediaWiki:Common.js
[01:53:14] <RoanKattouw>	 So I guess this could possibly allow someone to serve their user CSS to all users
[01:53:25] <RoanKattouw>	 bawolff: Or not be sysop
[01:54:38] <bawolff>	 oh hmm, that does actually kind of sound not ideal
[01:54:44] <RoanKattouw>	 Yeah
[01:54:56] <RoanKattouw>	 I wonder how other hash-based caching methods deal with this
[01:55:02] <RoanKattouw>	 e.g. the JS minification cache, that one sounds scarier
[01:57:21] <RoanKattouw>	 An easy thing I can think of is putting something like the origin number (the "trustedness level") in the cache key, then ORIGIN_USER_INDIVIDUAL cache entries could pollute ORIGIN_CORE_SITEWIDE ones, but still other user-individual ones which is still not great
[01:57:33] <RoanKattouw>	 *could NOT pollute
[02:01:25] <bawolff>	 Well we could use a strong cryptographic hash
[02:01:40] <bawolff>	 These are small files, this may all be premature optimizaiton
[02:01:54] <bawolff>	 How long does sha512 really take for a 10 kb file?
[02:03:12] <RoanKattouw>	 I do remember lessc being a bottleneck, that's probably why the people doing this at the time were in an optimization frame of mind
[02:03:30] <RoanKattouw>	 But yeah not sure how slow it would be to use a real hash
[02:04:12] <RoanKattouw>	 Some code paths might need to hash many files though, but that's a conversation best had with Krinkle, he knows much better than I what hashes what when and how oftne
[02:05:23] <bawolff>	 Well I'll file a bug so this isnt forgotten
[02:05:29] <RoanKattouw>	 Cool
[02:06:14] <legoktm>	 we don't use lessc anymore
[02:06:43] <legoktm>	 and the new less parser is supposed to have some incremental caching support
[02:08:09] <bawolff>	 https://phabricator.wikimedia.org/T182478
[02:10:44] <legoktm>	 no_justification: is the announcement for 1.30 getting sent out...later?
[02:31:39] <no_justification>	 I figured Cindy should send it for consistency but it was already late in her timezone
[02:31:44] <no_justification>	 So I just said meh
[02:32:02] <no_justification>	 Plus I have a headache. 
[02:32:07] <legoktm>	 :(
[04:42:59] <tgr>	 common cryptographic hashes are somewhere on the 1 us/K range 
[04:43:30] <tgr>	 they take a few hundred ops to compute
[04:43:47] <tgr>	 so not exactly a bottleneck
[09:57:23] <legoktm>	 when you realize that /usr/bin/lilypond isn't actually lilypond:
[09:57:26] <legoktm>	 $ cat /usr/bin/lilypond
[09:57:26] <legoktm>	 #!/bin/sh
[09:57:26] <legoktm>	 export LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/lilypond/2.18.2/guile"
[09:57:26] <legoktm>	 exec "/usr/bin/lilypond.real" "$@"
[11:00:42] <MaxSem>	 legoktm: yes
[11:01:00] <legoktm>	 MaxSem: to my inline comment?
[11:01:09] <MaxSem>	 yes
[11:02:08] <legoktm>	 ok :)
[11:02:16] <legoktm>	 also, did you switch timezones?
[11:03:29] <MaxSem>	 yes
[11:08:26] <MaxSem>	 grrr, my vagrant hangs on `vagrant ssh`
[11:38:52] <MaxSem>	 aaaaaa
[11:39:01] <MaxSem>	 $ vagrant ssh -- php '/vagrant/mediawiki/tests/phpunit/phpunit.php'
[11:39:01] <MaxSem>	 Could not open input file: E:/Soft/Git/vagrant/mediawiki/tests/phpunit/phpunit.php
[11:46:06] <MaxSem>	 Amir1: did you just say that ORES is more important than RCFilters? :P
[11:47:06] <Amir1>	 MaxSem: Well, for me, as the maintainer of the ORES functionality in mediawiki yes it definitely is 
[11:47:19] <Amir1>	 :P