Account Management / Shared Secret Generator

Matthew Paul Thomas mpt at canonical.com
Sun Jun 14 18:02:09 UTC 2015


Michael Titke wrote on 14/06/15 15:28:
> 
> On 14/06/2015 14:55, Matthew Paul Thomas wrote:
>> ...
>> 
>> None of this is to put you off, I'm just sketching a map of the 
>> terrain. If all you want to do is integrate your generator with
>> what Ubuntu has right now, you could port it from Scheme to a
>> language we ship, and add a new dialog to Seahorse ... but few
>> people would notice. If you have a more substantial goal -- to
>> noticeably improve the quality of Ubuntu users' Internet
>> passwords, say -- the first thing I'd tackle would be the device
>> syncing problem. That could help people who are using KeePass
>> right now, as well as influencing the architecture of any parts
>> of the problem you work on later.
>> 
>> ...
> 
> First of all porting the algorithm is not enough because it 
> constitutes some kind of black box test of your deterministic 
> implementation of /random/. Second it's easier to port things to 
> Scheme with Parallel Objects (just try it with Racket for now)
> than to bump my mind down to C level et al. Third: I'm just
> throwing the seeds here ...

I'm not a programmer, and I'm sure Scheme is just lovely, but I can
see that you're getting a seed from /dev/urandom and mapping it into a
string of random characters. Doing that in C might be nerve-wracking
(since it's security-sensitive code), but I doubt more than a few
hours' work.

> If it isn't enough to communicate the idea to the open source
> world then probably it's not worth changing one dozen toolkits, 
> applications etc.

Open source is not magic. In open source just as in closed source,
ideas are cheap, code is expensive, organization is priceless. As I
outlined, improving the quality of Ubuntu users' passwords would
require a lot of organization. That doesn't mean it isn't worth doing.

> This time there even is a reference implementation but what about
> your users: IMHO open source means to open a text file to change
> the behavior of a program (which resembles the descriptions of LISP
> machines) whereas others think it as "managing" a community to do
> the work or to not provide easy to compile source packages etc.

Open source is a license to redistribute, not a license to configure
or a license to direct other people's work.

> The next step isn't GTK, GNUstep - but it should be something where
> is system startup boils down to a maximum of 500 lines of System
> Scheme.

That depends on your objective. Do you want to provide a password
generator that a non-trivial number of Ubuntu users will use? Or do
you want to write an OS in Scheme? Both are fascinating objectives,
but only one of them is relevant to this mailing list.

-- 
mpt

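The approach the message above describes (read bytes from /dev/urandom, map them to a string of characters), written in C as an added example; it is not code from this thread or from the Scheme generator under discussion. The 62-character alphabet and the names map_bytes and gen_password are assumptions, and bytes that would skew the distribution are discarded rather than reduced modulo the alphabet size.

```c
#include <stdio.h>
#include <string.h>

/* Constructed alphabet: the original generator's character set is not on the page. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#define ALPHA_LEN (sizeof ALPHABET - 1)
/* Largest multiple of ALPHA_LEN that fits in one byte: 248 for 62 symbols. */
#define LIMIT (256 - (256 % ALPHA_LEN))

/* Map raw bytes to characters, skipping bytes >= LIMIT so that every
 * symbol is equally likely. Returns the number of characters written. */
size_t map_bytes(const unsigned char *in, size_t n, char *out, size_t want)
{
    size_t made = 0;
    for (size_t i = 0; i < n && made < want; i++)
        if ((size_t)in[i] < LIMIT)
            out[made++] = ALPHABET[in[i] % ALPHA_LEN];
    return made;
}

/* Write len random characters plus a NUL into out (len + 1 bytes).
 * Returns 0 on success, -1 if /dev/urandom cannot be opened or read. */
int gen_password(char *out, size_t len)
{
    unsigned char buf[64];
    size_t made = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    setvbuf(f, NULL, _IONBF, 0);   /* no stdio read-ahead of random bytes */
    while (made < len) {
        size_t got = fread(buf, 1, sizeof buf, f);
        if (got == 0) {            /* fail closed: never hand back a short secret */
            fclose(f);
            memset(out, 0, len + 1);
            return -1;
        }
        made += map_bytes(buf, got, out + made, len - made);
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[21];
    if (gen_password(pw, 20) != 0)
        return 1;
    puts(pw);
    return 0;
}
```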




More information about the Ubuntu-devel-discuss mailing list