Comments on: Announcement Listory

By: David Strauss

David Strauss — Thu, 15 Sep 2005 19:03:33 +0000

You guys need to fundamentally change the way your primary key and authentication mechanism work, not just improve the random number generator. You should be using a simple incrementing counter as the primary key. The “goop” code should should be the primary key (or email) HMACed against a key you have somewhere on your server. Whenever someone clicks the link, your server HMACs the primary key against your private key and checks it against the link’s submission. A good hash makes it near impossible for someone to figure out your key and generate the codes themselves.

Another way to fix your system is using a normal incrementing primary key and a random number in a separate field. When someone clicks the link to verify, look up the record and check if the separate random number field matches.

By: Daniel

Daniel — Wed, 07 Sep 2005 20:46:14 +0000

POST MORE!!!! I’ve made this blog one of the websites I repeatedly check throughout the day while working (to look busy) and am disappointed everytime I don’t find new posts!

By: Louis

Louis — Wed, 07 Sep 2005 12:49:22 +0000

So, is anybody at DreamHost secretly working on a Rails version of the control panel, like how Apple was compiling OS X for Intel for years? ;)

By: shazow

shazow — Sun, 04 Sep 2005 16:12:51 +0000

RE: Kelly
Good point, just wouldn’t be nearly as fun without the goop :-)

By: Kelly

Kelly — Fri, 02 Sep 2005 18:32:47 +0000

To reply to shazow, the problem with an autoincrementing ID is then people can reasonably guess what our “goop” is going to be. This means they could subscribe someone to the list just by subscribing themselves and someone else in rapid succession, and just trying a bunch of sequential numbers.

We also couldn’t really call it goop at that point, and where is the fun in that? ;-)

By: Ben

Ben — Fri, 02 Sep 2005 00:37:55 +0000

Blech – don’t do that;

As Martin pointed out, don’t call srand each time through the loop. It’s not necessary and can even be bad, depending on the arguments.

More to the point, you a) likely don’t need to srand() at all — Perl 5.004 onwards calls it implicitly the first time rand is used — and b) if you call srand() without arguments, it’s going to do the right thing anyway:

“…the generally acceptable default, which is based on time of day, process ID, and memory allocation, or the /dev/urandom device, if available.”

‘perldoc -f srand’ is your friend.

By: riki

riki — Fri, 02 Sep 2005 00:28:42 +0000

One feature I’d love to see on the Announcement Lists, would be the ability to give subscribers the option to specify areas of interest when they subscribe. That way we wouldn’t have to use multiple Announcement lists for different areas of our company and Users would only get info that they were interested in. Which could be good for DH as well.

As my Mum use to say “Pay me don’t thank me!” :)

By: shazow

shazow — Wed, 31 Aug 2005 22:14:36 +0000

Just thought I’d point out a couple of things:

Then, strangely we started getting reports the panel was timing out AGAIN! Why, God, why?! Well, it turned out even INSERTing thousands of emails into the database was too slow for the panel
[...]
So, to fix it this time, we created a temporary table that would just immediately store the whole list of addresses in just one INSERT.

Most databases support “INSERT DELAYED” for this very reason. What this does is it sends the query to the database, and instantly returns to the client without waiting for the database to finish processing the query.

Also, instead of using randomly-generated “goop”, would an auto-incrementing integer id not suffice?

- shazow

By: Brian

Brian — Wed, 31 Aug 2005 03:13:10 +0000

a) thanks for fixing it
b) thanks for describing the problem in verbose detail.

By: Chris

Chris — Tue, 30 Aug 2005 22:28:21 +0000

See, this is why I love Dreamhost. Like Martey said, you folk actually tell us what the hell is going on rather than treating us like mushrooms.