Commit Graph

966 Commits

Author SHA1 Message Date
Greg Price 0691724836 passwords: Set default zxcvbn threshold to 10k guesses.
See the discussion in the revised docs for background and motivation,
and an explanation of why this value.
2017-10-08 15:48:44 -07:00
Greg Price a116303604 passwords: Express the quality threshold as guesses required.
The original "quality score" was invented purely for populating
our password-strength progress bar, and isn't expressed in terms
that are particularly meaningful.  For configuration and the core
accept/reject logic, it's better to use units that are readily
understood.  Switch to those.

I considered using "bits of entropy", defined loosely as the log
of this number, but both the zxcvbn paper and the linked CACM
article (which I recommend!) are written in terms of the number
of guesses.  And reading (most of) those two papers made me
less happy about referring to "entropy" in our terminology.
I already knew that notion was a little fuzzy if looked at
too closely, and I gained a better appreciation of how it's
contributed to confusion in discussing password policies and
to adoption of perverse policies that favor "Password1!" over
"derived unusual ravioli raft".  So, "guesses" it is.

And although the log is handy for some analysis purposes
(certainly for a graph like those in the zxcvbn paper), it adds
a layer of abstraction, and I think makes it harder to think
clearly about attacks, especially in the online setting.  So
just use the actual number, and if someone wants to set a
gigantic value, they will have the pleasure of seeing just
how many digits are involved.

(Thanks to @YJDave for a prototype that the code changes in this
 commit are based on.)
2017-10-08 15:48:44 -07:00
Tim Abbott 1ceaedb2c5 docs: Remove html_unescape.py.
This was just for 1-time use exporting the original Zulip documentation.
2017-10-08 15:41:41 -07:00
Tim Abbott 630037967f docs: Stop linking to removed whitespace section of style guide.
We should probably just encourage linting for this.
2017-10-06 14:02:32 -07:00
Tim Abbott 0ac78cb14d code-style: Simplify discussion of third-party code. 2017-10-06 13:28:45 -07:00
Tim Abbott a632c8471d code-style: Improve state and logs discussion. 2017-10-06 13:26:13 -07:00
Tim Abbott e660faa225 docs: Remove code style section on jQuery global state.
I don't think anyone has tried to do this for a long time, since the
channel module makes it pretty clear how to do an ajax call.
2017-10-06 13:24:26 -07:00
Tim Abbott 0054fa17f1 docs: Simplify javascript var discussion.
We don't need as much as before, since it's enforced by the linter.
2017-10-06 13:24:06 -07:00
derAnfaenger 7ff697d053 linter: Add rule against using `pk` instead of `id`.
There's one exception here, for model._meta.pk.  To support this
nicely, we added this exclude-pattern feature.
2017-10-06 12:56:26 -07:00
derAnfaenger 64b8930225 linter: Add rules against improper shebangs. 2017-10-06 12:46:19 -07:00
derAnfaenger 71159fe19a code style guide: Remove obsolete space-around-bracket rule.
For .py files, our pep8 linter enforces this rule.
For .js files, eslint enforces this rule.
2017-10-06 12:46:12 -07:00
derAnfaenger c022b7a8fa linter: Add rule against using the `style` attribute.
This has a ton of exclude rules, for two reasons:

(1) We haven't been particularly systematic about avoiding unnecessary
inline style in the past, so there's a lot of code we need to fix.

(2) There are cases where one wants to dynamically compute style
rules. For the latter category, ideally we'd figure out a way to
exclude these automatically (e.g. checking for mustache tags in the
style tag).
2017-10-06 08:33:10 -07:00
Tim Abbott 930eef3caa tools: Add new script to sync translations.
We just learned we should be using the "onlytranslated" mode of
Transifex.  Since the command is getting a bit complex (and you need
to remember to run `makemessages` first), it makes sense to have a
tool for it.
2017-10-05 23:07:16 -07:00
Tim Abbott 26982ff55f puppet: Remove pageduty_nagios.pl.
This hasn't been used in like 4 years, and clutters the repo.
2017-10-05 18:46:09 -07:00
derAnfaenger 2cdde8b168 linter: Add rule against verbose $(document).ready() calls. 2017-10-05 10:11:34 -07:00
derAnfaenger 6b99022a02 linter: Add rule against using inline event handlers. 2017-10-05 10:08:40 -07:00
derAnfaenger c01981a65f linter: Extend no-space-before-bracket linting rule. 2017-10-05 10:05:27 -07:00
derAnfaenger c957d1857e code style guide: Update and remove outdated rules.
These are all enforced by our linters, and thus a source of clutter in
this code style guide.
2017-10-05 10:05:17 -07:00
Tim Abbott ab71c42ab8 docs: Update confusing changelog entry.
The original text meant to say "lost", not "last", but also was a bit
confusing anyway.
2017-10-05 09:32:02 -07:00
Joshua Pan a38d275aeb docs: Capitalize Zulip in changelog.md. 2017-10-05 09:24:09 -07:00
Tim Abbott de51eb9e7f docs: Update changelog and roadmap through present. 2017-10-04 22:39:49 -07:00
rht ac01b0c559 docs: Add type annotation.
Discovered while running the 2to3 type annotation.
2017-10-04 16:31:27 -07:00
Vishnu Ks 119157b205 docs: Update email testing section to include EmailLogBackEnd.
Rewritten by tabbott for extra clarity.
2017-10-04 14:44:58 -07:00
Tim Abbott 8d4f084623 code-style: Remove discussion of absolute_import.
It's no longer accurate on Python 3.
2017-10-04 14:09:05 -07:00
Tim Abbott b7974fc9f8 docs: Delete useless/wrong content from JavaScript code style.
One of these isn't true (not requiring braces) and the rest are
already handled by our linters.
2017-10-04 13:59:38 -07:00
Tim Abbott a001b8aef3 docs: Remove unnecessary CSS section from code style.
This is already handled by our linter, so no need to repeat it here.
2017-10-04 13:58:50 -07:00
Tim Abbott 4230871503 docs: Update code style guide for Python. 2017-10-04 13:53:06 -07:00
neiljp (Neil Pilgrim) dbc8415fa5 docs: typos in code-style.md; zephyr -> zerver. 2017-10-04 13:52:31 -07:00
Tim Abbott 4eafec12ac docs: Rewrite the intro to writing bots. 2017-10-04 12:22:02 -07:00
Tim Abbott 26dd1ab6a7 docs: Simplify the guide for running bots. 2017-10-04 12:11:27 -07:00
derAnfaenger 7a43ab00a2 running bots guide: Clarify bot's directory statement. 2017-10-04 11:49:22 -07:00
derAnfaenger 543500bab5 bots guides: Refactor layout.
This flattens the layout, shifts passages and unitizes headings to
use gerunds for the running and writing bots guides.
2017-10-04 11:49:22 -07:00
derAnfaenger b6106ca7ac running bots guide: Add cross-references to writing bots guide. 2017-10-04 11:49:21 -07:00
derAnfaenger 8449ea300b running bots guide: Shorten installation section. 2017-10-04 11:49:21 -07:00
derAnfaenger 6b879a2b04 docs: Split bots guide into running and writing guides. 2017-10-04 11:49:20 -07:00
Vishnu Ks 2267f09813 docs: Change place to ask help from mailing list to chat.zulip.org. 2017-10-04 08:20:29 -07:00
Tim Abbott 1b637658df docs: Add a section documenting the chat.zulip.org traffic level. 2017-10-03 15:41:46 -07:00
Tim Abbott c447e7530b docs: Update realms documentation for REALMS_HAVE_SUBDOMAINS removal. 2017-10-02 16:32:10 -07:00
Eeshan Garg 502e93a5d2 docs: Recommend check_send_stream_message for stream messages.
This commit updates various places where check_send_message had
been previously recommended to recommend check_send_stream_message
for sending messages to a public stream.
2017-10-02 15:27:26 -07:00
Tim Abbott 50eb94f7ee docs: Remove broken link to shell tips.
In theory, we could replace it, but it's not clear that's necessary.
2017-10-01 23:27:29 -07:00
Priscilla 7c0431a60f docs: Correct the instructions for re-running provision.
We apparently missed this when renaming provision.py to simply
provision.
2017-10-01 15:51:32 -07:00
rht e0f7b6f8ef docs: Remove the yarn.lock stutter.
Maybe someday someone will spot this err. However, the documentation is
clear in conveying its content even with the extra yarn.lock.
2017-09-30 09:16:46 -07:00
Alena Volkova e216801be8 docs: Fix a typo in version-control.md. 2017-09-29 18:04:07 -07:00
Greg Price 7e8bbda171 docs/logging: Update for the revised log format.
This accumulates several changes in recent commits: decimal point
rather than comma, compact log level, and logger names, the latter
abbreviated `zr` in the case of `zulip.request`.
2017-09-28 18:26:39 -07:00
Alena Volkova bcb9c76457 docs: Clarify who can collaborate in area label teams.
Collaboration in area label teams is only available to members of the
Zulip organization on GitHub. For non-members the related links are
not working, which can be confusing.  Address this by explaining the
links won't work and also that anyone can join.
2017-09-28 17:26:07 -07:00
Greg Price 85f7764ed4 docs/settings: Small tweaks for clarity. 2017-09-28 17:01:50 -07:00
Robert Hönig db5ed277d1 bots guide: Update outdated `run.py` to `zulip-run-bot`. 2017-09-28 11:10:09 -07:00
Robert Hönig a7d3355fd6 bots guide: Remove need to subscribe bots to streams.
Since 7878c70, bots don't need to be subscribed to a
stream to be notified on @-mentions.
2017-09-28 11:10:09 -07:00
Greg Price 7b8f725707 APNs: Accept 1.6-format payloads in bouncer.
This is just enough of a quick fix to work with a stock Zulip 1.6
server.  We should really also make this robust to arbitrary input
from the remote Zulip server, even though it'll be a little tedious.
2017-09-28 10:01:16 -07:00
Tim Abbott 2317b63068 docs: Document narrowing reporting. 2017-09-27 19:47:45 -07:00