ChanServ changed the topic of #picolisp to: PicoLisp language | Channel Log: https://irclog.whitequark.org/picolisp/ | Check also http://www.picolisp.com for more information
rcs_ has joined #picolisp
rcs_ is now known as Guest44825
xkapastel has quit [Quit: Connection closed for inactivity]
ubLIX has quit [Ping timeout: 245 seconds]
<Guest44825> whois rcs_
Guest44825 has quit [Quit: Leaving]
Guest44825 has joined #picolisp
Guest44825 has quit [Client Quit]
Guest34125 has joined #picolisp
Guest34125 has left #picolisp [#picolisp]
rcs__ has joined #picolisp
rcs__ has quit [Quit: Leaving]
<razzy> Good morning :]
<razzy> Regenaxer: could you please give example of "clash"? reason behind using (de usect ("Var" . "Execu") (...)) except passing multiple Arguments to function?
<Regenaxer> see the faq
<razzy> ok
<razzy> Regenaxer: could you point me closer? function FAQ at picolisp.com does not seem to hold answer.
<Regenaxer> doc/faq.html#problems
<beneroth> Good morning Regenaxer
<Regenaxer> Hi beneroth!
<Regenaxer> razzy: Or use namespaces
<Regenaxer> But debugging transient variables is also possible, with 'loc'
<Regenaxer> or simply 'bt' backtracing
<razzy> Regenaxer: thx, i found reasoning. i will not use transients. i need to add tooling slowly. and if self referencing is only problem, i can live with that.
<razzy> namespaces i will use in future
<Regenaxer> ok, but try first to understand 'exe's vs. 'prg's and the resulting use of FEXPRs
<Regenaxer> and the resulting meaningful naming of parameters/variables
<beneroth> razzy, follow the naming conventions
<Regenaxer> You call something which is an exe a "Prg", and thats messing it up
<razzy> Regenaxer: is "Prg" and "Exe" just naming convention important for programmer?
<Regenaxer> Sorry, I will not answer this question.
<razzy> i will try to follow naming conventions. but i would like to know if interpreter somehow care about Prg name.
<Regenaxer> Think about it
<Regenaxer> please
<beneroth> forget it, Regenaxer.
<Regenaxer> sigh
<tankf33der> picolisp can compile and pass tests on linux 5.0 kernel
<beneroth> nice! thanks tankf33der !
<Regenaxer> Hi tankf33der
<Regenaxer> great!
<Regenaxer> tankf33der, which cryptographic hash would you recommend to sign (verify) a small set of data (perhaps 5 to 10 pieces, name, address, tel, email etc.)?
<Regenaxer> sha256 ?
<tankf33der> how you will hash it? by picolisp?
<Regenaxer> yes
<tankf33der> or native call with library?
<tankf33der> picolisp, ok
<Regenaxer> It should be verifiable by everybody
<Regenaxer> so a command line tool
<Regenaxer> on every OS
<tankf33der> i see
<tankf33der> you meant sha1sum like, right?
<Regenaxer> yeah
<Regenaxer> not tool long hash would be good
<Regenaxer> so easy to check by non-specialists
<tankf33der> sha1 is ok then
<Regenaxer> *not too long* I mean
<beneroth> must it be safe against malicious attackers?
<Regenaxer> yes
<tankf33der> attackers?
<Regenaxer> perhaps
<Regenaxer> generating false names, addresses
<tankf33der> then take b2sum and switch to blacke2
<tankf33der> blake2
<Regenaxer> cause it is very strong?
<tankf33der> modern and safe
<tankf33der> very strong
<Regenaxer> And available on Windows etc.?
<tankf33der> its a part of gnu coreutils, should be
<Regenaxer> Also, it should be safe in the future (quantum attacks?)
<Regenaxer> Background:
<Regenaxer> A database of addresses and UUIDs, which can be checked by everybody
<beneroth> quantum = parallelism. if quantum computers with feasible power can be built - a very big if.
<tankf33der> b2sum i found in msys, so cygwin also will work
<Regenaxer> Users are noobs
<tankf33der> its not safe against quantum attacks.
<Regenaxer> ok
<beneroth> what can be checked?
<beneroth> input -> output
<Regenaxer> Check is to verify that the UUID belongs indeed to that address data
<Regenaxer> The UUID will be a global company key
<Regenaxer> The project is supported by the Consumer Goods Forum
<beneroth> why hash? why not just input: UUID + address -> output: bool ?
<Regenaxer> If it works, it is planned to be a global standard to verify companies
<tankf33der> then blake2b, it also supports keying
<beneroth> Regenaxer, there is a trusted authority (the operators of the central service), I assume ?
<tankf33der> and hash length 1-64 bytes
<Regenaxer> Everybody must be able to verify that the UUID belongs to the company data in the DB
<Regenaxer> publicly visible
<Regenaxer> Company A communicates with company B
<beneroth> so like Umsatz-Steuer-ID (VAT-ID) in a national company registry, no?
<Regenaxer> yes, exactly
<beneroth> no magic.
<Regenaxer> but globally
<Regenaxer> yes
<beneroth> why hash?
<beneroth> in Europe we already have standardized VAT-IDs.
<Regenaxer> To be sure the data are not tampered
<beneroth> https. signature from the server/central authority.
<Regenaxer> The global page holds UUID, the hash, and data
<Regenaxer> yes, TLS cert too
<beneroth> sounds like digital signature, like PGP, nothing to do with hashes I think ?
<Regenaxer> I will host, but other companies too
<Regenaxer> no
<Regenaxer> hash is neede
<Regenaxer> d
<Regenaxer> The data may change
<beneroth> tankf33der, correct me if I talk bullshit :)
<Regenaxer> The UUID will never change
<beneroth> I would use the existing VAT-IDs for European countries :)
<Regenaxer> No
<Regenaxer> Must be a global standard
<beneroth> there is no global standard for what "a company" is.
<Regenaxer> Must not be a company
<beneroth> yeah uuid is good.
<tankf33der> maybe ed25519?
<Regenaxer> But target audience are consumer goods companies
<Regenaxer> Coca Cola, Nestle, Intel, IBM, *all*
<beneroth> so result should be a URL (possible as QR-Code) to be printed on products, leading to the profile website of the trader on the webserver of that central authority?
<Regenaxer> Most important is safety of the hash, but even more easy to check
<beneroth> Regenaxer, it sounds a lot like the business plans of your friends in netherlands... you should maybe get them on board...
<tankf33der> blake2b!
<Regenaxer> haha, yes, in fact the idea is from SIM in Netherlands
<Regenaxer> they asked CGF
<tankf33der> you can create hash by my code or use monocypher library.
<Regenaxer> Can a farmer in Ecuador check it easily? He has only a phone probably
<beneroth> with or without internet access? :P
<Regenaxer> So *ease of use* is perhaps most important
<Regenaxer> The check without
<Regenaxer> Perhaps he has an invoice on paper
<tankf33der> but with phone you cant check also sha1 or md5
<Regenaxer> I can make a PilBox app though
<Regenaxer> yeah, I see
<Regenaxer> So an app is no problem
<Regenaxer> But Windows and Mac etc. must be easy too
<Regenaxer> I cant write apps for them
<beneroth> blake2b should be available there, too
<Regenaxer> or iPhone :(
<tankf33der> b2sum is in cygwin too.
<beneroth> the more likely problem is, that your farmer out in the nowhere is using old devices and old OSes
<Regenaxer> good, so we plan blake2b ?
<beneroth> are you not also required to generate digital signatures somehow?
<Regenaxer> tankf33der, cygwin is not an option for the target users
<tankf33der> then there is a zip
<Regenaxer> I generate it on my page, Nestle generates it on their
<Regenaxer> tankf33der, thanks
yunfan has joined #picolisp
<beneroth> WinRAR supports Blake2, so there are surely available on windows too
<Regenaxer> I see
<tankf33der> sha3 and blake are far beyond any sha1 family and md5.
<Regenaxer> Ideally it should be easy on every OS, without installing anything
<beneroth> Regenaxer, apart from the technical details, I don't get the supposed benefit. who is the main customer of that solution: traders, to get security about where their goods come from?
<tankf33der> farmer dont have installed sha1sum.exe on their windows xp, right? :)
<Regenaxer> We could provide an online service to calculate it
<Regenaxer> but that must be trusted again
<beneroth> and latency is a problem out in nowhere
<Regenaxer> tankf33der, probably
<Regenaxer> T
<Regenaxer> Well, I make a PilBox
<Regenaxer> so out in nowhere will be OK
<beneroth> android 5+ ?
<Regenaxer> but desktop users must be able
<Regenaxer> yes
<Regenaxer> 5+ enough I think
<beneroth> I doubt that out in nowhere android 5+ is enough.
<beneroth> but yeah, depends.
<Regenaxer> in the future
<beneroth> out of nowhere is a pretty wide definition :)
<Regenaxer> yeah
<Regenaxer> The farmers usually are in a cooperative
<beneroth> make sure to not sell yourself into a never-ending maintenance burden ;-)
<Regenaxer> They have equipment
<Regenaxer> No, I just make the demo :)
<Regenaxer> or the CGF version
<Regenaxer> *any* company can set up their own later
<Regenaxer> and the big ones will do
<beneroth> ok. and then you watch the oracle/java corporate drones struggling to implement your demo in their stuff ^^
<Regenaxer> yeah, a pain, but not my prob ;)
<Regenaxer> So lets plan blake2b? It has a future?
<tankf33der> has.
<Regenaxer> cool!
<Regenaxer> Thanks!
<Regenaxer> So what do you think of the concept in general?
<Regenaxer> Company data + UUID
<Regenaxer> published with a hash
<Regenaxer> if data change, the hash will change too
<Regenaxer> but the UUID will never change
<tankf33der> uuid is uniq secret data ?
<Regenaxer> To verify the UUID, go to a published page
<Regenaxer> check the page with TLS cert and hash
<Regenaxer> Nothing is secret in all of it
<tankf33der> ok
<Regenaxer> The purpose is to have a short key (UUID)
<tankf33der> blake2b can be 1-64 bytes.
<Regenaxer> eg. in database indexes
<Regenaxer> ok, it is to verify the data
<Regenaxer> the real "key" is the UUID
<Regenaxer> Short hash would be a little better
<Regenaxer> for humans to manually check the consistency
<Regenaxer> TLS + UUID + data + hash
<Regenaxer> ie. when I get an UUID, I can search for it
<Regenaxer> find a page with address etc.
<Regenaxer> check that page with hash to see it is the right one
<tankf33der> and uniq.
<Regenaxer> yes, if address, name and UUID matches
<Regenaxer> then I know this is indeed THAT company
<tankf33der> so UUID is already always uniq.
<Regenaxer> The hash guarantees only that this page has not been tampered with since I saw it last time
<Regenaxer> yes, UUID *must* be unique
<Regenaxer> This seems guaranteed
<Regenaxer> I use UUID.randomUUID() also in PilBox
<Regenaxer> to identify the phones
<tankf33der> how many bytes of hash you want to store, not 8, right?
<Regenaxer> hmm, so 64 chars is a bit long
<Regenaxer> yes, all
<tankf33der> how to get correct implementation of any hash generator.
<Regenaxer> 32 would be nice, but not really important
<tankf33der> ok
<tankf33der> for blake2b there are 3 variants: mine, monocypher, libsodium.
<Regenaxer> Would sha256 have disadvantages?
<Regenaxer> It seems more widespread
<Regenaxer> and is shorter
<Regenaxer> We must only guarantee that nobody can set up a fake page
<Regenaxer> for that UUID
<tankf33der> blake2 can generate shorted output.
<Regenaxer> ah, cool
<Regenaxer> that would be nice
<tankf33der> any in range 1-64 bytes
<Regenaxer> cool, so we could also go with e.g. 16
<tankf33der> sha2 ~2002
<Regenaxer> should have enough entropy
<tankf33der> blake2b ~2015
<Regenaxer> ok
<Regenaxer> 16 hex digits are enough perhaps
<tankf33der> or 32 ? :)
<Regenaxer> yeah, but ideally users can write them into some paper notebook privately
<Regenaxer> for future checks
<Regenaxer> 16 or 20 are less error-prone
<Regenaxer> Not so important atm
<Regenaxer> can be decided later
<tankf33der> ok
<Regenaxer> In practice, we may even change the hash fun later
<Regenaxer> But we must recommend something to start with
<Regenaxer> and I provide an app
<Nistur> mornin'
<Regenaxer> Hi Nistur
<beneroth> Hi Nistur
<beneroth> Regenaxer, how does that system defend against fake companies?
<Regenaxer> Not at all
<tankf33der> blake2b is perfect startpoint.
<Regenaxer> ok
<beneroth> Regenaxer, put some version numbering into your standard data format, so you can change it later.
<Regenaxer> right!
<Regenaxer> Mostly for *which* data are included
<Regenaxer> address, name, tel and most important GPS coordinates
<Regenaxer> To check we have the company we mean
<Regenaxer> (if that company is fake it is not our problem)
<beneroth> how is it ensured that wrong data is not entered in your database in the first place?
<Regenaxer> Not ensured. Companies enter their data themselves
<Regenaxer> It must be their own interest to do it right
<beneroth> hmm. I think malicious fake-websites or MitM-attacks will be the least of the problems of that system :P
<Regenaxer> yes, they have another UUID so they are worthless
<Regenaxer> And if the UUID and all data plus hash are the same, no harm is done
<Regenaxer> The purpose is only to guarantee that the UUID is related to the same data
<beneroth> aye. I think this is just a minor attack vector all in all, anyway.
<Regenaxer> We must verify that *this* UUID belongs to CocaCola
<Regenaxer> yeah, not clear how useful such an attack would be
<Regenaxer> eg send a fake invoice
<beneroth> yeah. but I put CocaCola UUID and stamps all over my goods, even when they are something else :)
<Regenaxer> yes, but CocaCola will sue me
<beneroth> if they find out.
<Regenaxer> true
<beneroth> if they can identify you.
<beneroth> well the system might still be worthwhile even if its cheated somewhat.
<Regenaxer> The UUID is needed as a unique key into databases
<Regenaxer> You can always send fake invoices
<Regenaxer> without UUID
<Regenaxer> The UUID is not for security
<Regenaxer> Only the relation to the data must be sure
<Regenaxer> Avoid duplicates in databases
<Regenaxer> This was the original purpose
<tankf33der> afk.
<Regenaxer> thanks tankf33der
_whitelogger has joined #picolisp
ubLIX has joined #picolisp
ubLIX has quit [Ping timeout: 245 seconds]
alexshendi has joined #picolisp
alexshendi has quit [Read error: Connection reset by peer]
<tankf33der> Regenaxer: your hash will be like git's hash on different fields of commit
<tankf33der> every field is public, boom, uniq hash point all of them as index
<tankf33der> list of fields:
<Regenaxer> kind of, though the hash is no index
<Regenaxer> it is just a shortcut to check it is not modified
<Regenaxer> The index is the UUID
<tankf33der> yea
yunfan has left #picolisp ["leave for finding the question of 42"]
<tankf33der> afk
<Regenaxer> cu :)
orivej has quit [Ping timeout: 250 seconds]
orivej has joined #picolisp
<beneroth> Regenaxer, which indexing scheme do you use for website URLs (as contact data) ? +Sn +IdxFold ?
orivej has quit [Ping timeout: 250 seconds]
orivej has joined #picolisp
<Regenaxer> beneroth, I can't find a case, but for E-mails I always use (+IdxFold +String)
<Regenaxer> +Sn I use only for (european) family names
<beneroth> ok, thanks
<beneroth> can +Swap +String be indexed? :P
<Regenaxer> good question. I never did, but I think it should work
<Regenaxer> The wiki does something similar, but uses a custom index
<Regenaxer> not +Swap but +Blob
<beneroth> aye, similar use case
<Regenaxer> You could try and let us know the result :)
<beneroth> aye Sir
<Regenaxer> :)
orivej has quit [Ping timeout: 250 seconds]
orivej has joined #picolisp
xkapastel has joined #picolisp
orivej has quit [Ping timeout: 258 seconds]
orivej has joined #picolisp
xkapastel has quit [Quit: Connection closed for inactivity]
alexshendi has joined #picolisp
alexshendi has quit [Ping timeout: 250 seconds]
jibanes has quit [Ping timeout: 250 seconds]
jibanes has joined #picolisp
alexshendi has joined #picolisp
mtsd has joined #picolisp
orivej has quit [Ping timeout: 240 seconds]
alexshendi has quit [Ping timeout: 252 seconds]
alexshendi has joined #picolisp
razzy has quit [Ping timeout: 250 seconds]
alexshendi has quit [Read error: Connection reset by peer]
mtsd has quit [Quit: leaving]
alexshendi has joined #picolisp
xkapastel has joined #picolisp
gko has quit [Ping timeout: 252 seconds]
gko has joined #picolisp