Filippo Valsorda

Results 376 comments of Filippo Valsorda

> My view is that constant time should be taken on a case by case basis. In cases where the fix is easy and introduces minimal performance overhead then it...

> Most bearer authentication schemes, including OAuth, OIDC and JWTs use signatures, often RSA signatures, as authentication secrets, e.g., Google RSA signs a token which says "I'm google and the...

> > Why not sign "I'm Google and the person who holds random(32) is [email protected]" instead, and require knowledge of the secret random(32) to use the signature?
> >
> > Some...

I suppose it depends on whether you consider what I described in https://github.com/golang/go/issues/67043#issuecomment-2081649995 a simple fix (and I am not convinced I do), but I am not at all comfortable...

I started with taking an int parameter for the entropy, then started going back and forth on whether it should be the length of the returned string (what if the...

@ulikunitz Efficiency is not a primary concern here, I don't think applications generate passwords or tokens in a hot loop, at least not hot enough that checking that a string...

> I go back and forth on the name String. I wonder if 'Text' is better. I like rand.Text but I wonder if I would think it's more like Lorem...

I don't think compatibility with arbitrary password policies is a goal here. As you state, they can be complex and arbitrary. Good password managers can write their own code to...

Ah, yes, this is pretty much a #65562 duplicate, thanks @zephyrtronium. /cc @lukechampine Even if it solves the name collision, I am not convinced by a package-level Bytes: without Seed,...

`gb-vendor` had a `purge` command. I should definitely introduce one for `gvt`. And maybe `delete` should dry-run purge and print a message saying "X dependencies are not needed anymore, run...