Leaderboard


Popular Content

Showing content with the highest reputation since 04/01/20 in all areas

  1. Hi, some might already know Delphinus. But for those who don't, I thought I'd make a little introduction post, to have a thread for discussion, as I never made one for the international Delphi-Praxis. Questions are always welcome.

     Delphinus is an open-source package manager for Delphi, which I started in 2015. It has support for Delphi XE and newer. In addition to an IDE integration for package management, Delphinus comes with a command line, too. This has the benefit of having a single interface for managing multiple IDEs or running setup scripts automatically.

     Currently, packages are provided through GitHub by preparing a repo to appear in a special GitHub query Delphinus uses to detect packages (see wiki link below). For optimal use, you should add an OAuth token to the Delphinus config (see wiki link below). Otherwise you'll hit rate limits. Offline installation from a folder is provided through the IDE UI (folder symbol). Adding support for creating local folder-based repositories for mirroring is planned.

     Delphinus packages have support for:
     - Copying (source) files
     - Compiling and (if design-time) installing BPLs
     - Compiling and installing IDE experts
     - Setting up search/browsing paths
     - Dependencies on other Delphinus packages

     Optionally, BPLs and experts may be included as precompiled binaries if your project is closed source. Packages are installed per IDE. I'm working on per-project installations.

     GitHub repository of Delphinus: https://github.com/Memnarch/Delphinus
     Wiki: https://github.com/Memnarch/Delphinus/wiki
     My blog where I (in addition to other Delphi projects) post updates about Delphinus: http://memnarch.bplaced.net/
     Websetup: http://memnarch.bplaced.net/blog/delphinus/
  2. I would love that too!
  3. Anders Melander

    Connection string encryption

     It sounds like you really just need protection against casual discovery of the information. In that case just obfuscate it, e.g. with a simple ROT13 or even base64 encoding. If someone already has access to the physical machine, and is willing to do the work required, the battle is lost anyway. There are a million ways to circumvent any local encryption scheme, so forget about that.
  4. Hi, I just updated my header translation for LLVM 10. It's available on Delphinus or on my GitHub repo and comes along with the precompiled binary. http://memnarch.bplaced.net/blog/2020/04/llvm4d-llvm-c-headers-for-delphi/
  5. @Primož Gabrijelčič From the wishful thinking department: I'd love to see OTL evolve to support Linux/MacOS, iOS and Android. Hence, I'd love to see solutions that do NOT use Windows messaging - or at least hide it inside the notification implementation.
  6. This is more of an FYI: instead of hard-casting a Pointer, you could use variant parts in records to get the illusion of type safety.
  7. Angus Robertson

    Connection string encryption

    Encrypting a string or password is easy, harder is how you protect the key used for the encryption. Angus
  8. David Heffernan

    Connection string encryption

    Although do anticipate that any hacker will be able to see the plain text when you decrypt in memory.
  9. you could just work 7/24, problem solved
  10. It's on the horizon... still a little to go 🙂
  11. Indeed, currently Hyper-V doesn't play well with any other hypervisor system. This is going to change in the near future at least for VMware Workstation, though.
  12. Vincent Parrett

    VSoft.Awaitable - async/await for Delphi

    What would that look like? I guess I could try adding overloads that take regular methods, I'll have a stab at it. As for captures, yes I've been caught out myself a few times.
  13. Vandrovnik

    Connection string encryption

    Soji wrote "legacy application", I think it is not a mobile app, but a desktop one, which connects directly to a database.
  14. This does not smell right to me. You're using inheritance to model composition, IMO. Your base object is a file. You don't really need to make a class around just a file. If you want to operate on two files, you don't do that by inheritance -- that's composition. You'd want a function that takes two files and compares them and returns some kind of result. You don't need a class for this either. Another function could take one input file and the diff data and regenerate the second file.

     In a typical Linux command shell, you'd use:

     diff -e file1 file2 >diff_f1_f2

     You also have directionality, so you could go the other way:

     diff -e file2 file1 >diff_f2_f1

     These output files are called "deltas", and one is a "forward delta" while the other is a "reverse delta". The "diff -e" command gives you an output file that consists of a series of edit commands (for 'ed') that you can feed into it with the first file to get at the second file (the edit script carries no print or write command of its own, so one is appended before piping it into ed):

     (cat diff_f1_f2; echo '1,$p') | ed -s file1 > file2_again

     I'm hard-pressed to think how I'd build classes around these commands. You could have a file mirroring scheme that uses a LocalStore and a RemoteStore. Each store would keep reverse deltas, but the LocalStore would generate forward deltas to send to the RemoteStore to reflect the latest changes to a file without having to send the entire file. This makes sense -- this scheme is maintaining state by keeping the RemoteStore an accurate reflection of the LocalStore while minimizing transmission bandwidth.

     If all you're trying to do is visualize things, that's a little different, but you could think of the output as commands to colorize the text rather than edit it. You'd go one direction then the other and colorize each file based on the changes needed to get one side from the other. But you're still not maintaining any kind of state, since the files are static and everything can be derived again at any time from the same input files.

     The FILES themselves represent the "current state" of their relationship that you're looking to visualize. The 3-way compare simply uses three files and does three (or six) different comparisons. A class implements behavior and maintains state. There's no state that needs to be maintained here -- just some functions that take input files and generate output files. The same output is produced for the same input, every time. One could argue that the functions implement behavior -- yes, but they don't change the state of the underlying data. So it's just a container of convenience. This seems like a rather far reach to come up with a class design when it's of no obvious benefit.
  15. Tntman

    Connection string encryption

     If I understood right, you have a mobile application with a service that is working in the background. That service should perform some request/response to a database? Here in this design you are missing a crucial part, and that is a web application that will be hosted in the middle. The web application code will be on a remote server and nobody would see that code (that's a plus, they basically can't crack it, they can only imagine how that application is written, although there are some other security concerns). Your database credentials will be only in the web application and only the web application will be talking DIRECTLY to a DB. That is why you will be making a public interface that will be available to the end user, and that is called an API (Application Programming Interface). Your API will be public and anybody could guess your API route, for example (www.mysite.com/api/customers).

     One common way of protecting routes is to restrict them, example:

     www.mysite.com/api/customers <- this route is a PUBLIC [ GET ] route. Anyone who visits this link will get a list of all customers in your database, in JSON format for example.

     www.mysite.com/api/otherRoute <- this route is a PUBLIC [ GET ] route, but this route will have middleware in between request and response. Middleware will check if the PERSON who is visiting this route is authenticated; if authenticated, it will return data. Anyone who visits this link (if authenticated - has a valid token) will get a list of all customers in your database, in JSON format for example.

     You can basically put any logic in middleware, so for example if the user is authenticated we will check if the user role is ADMIN; if it is, we will return a list of some stuff that only ADMIN can see. You got the point...

     Here is a brief example of how it should actually work behind the scenes. The user visits some API route, or the application itself visits it (for example www.mysite.com/api/exampleRoute). The web application is checking the request: it is first checking if it is a POST or GET request, it is also checking the request parameters that are passed with the request and all other stuff. If validation, middleware and all other stuff pass, the web application will connect to a DB, retrieve the requested data and return it to the end user in JSON or some other format (usually it's JSON). If validation fails, the web application will not talk to the DB and it will return an error response, for example.

     Note* The web application could be written in basically any language (PHP, Node.js, Delphi, Python, C... etc.). I personally use PHP, Laravel (PHP's framework), Node, and I know a little bit of Java/Spring...

     *************

     JSON web tokens (JWT)... JWTs are a lightweight implementation, or you could use an OAuth or OAuth2 implementation, but those are more complicated and heavier. For any of these implementations you have the REST debugger in RAD Studio to help you and give you a nice GUI interface instead of writing code on your own.

     NOTE* If you don't know PHP, Node.js or Python and you don't know how to write APIs and the stuff I mentioned in this post, you could use public APIs. There is a big number of publicly available APIs: crypto APIs, weather APIs or even the Twitch API. I used the Twitch API for my desktop app that tracked a list of online streamers and some other stuff.

     https://jwt.io/introduction/ <- here you can read more about JWTs. I can add that JWTs are stateless, so with every request you have to add them as a parameter so the server can check if that token is valid, blacklisted etc... NOTE* When I say stateless I mean there is no actual session on the web server that is attached to a particular user. So when the web server validates user credentials and returns a JSON web token, you could store that web token anywhere. If we talk about websites (I am sure that you can open local storage in your web browser and search for tokens from some particular web sites that you use).

     So you could ask now "What will happen if someone steals the ADMIN token from ADMIN's browser local storage and sends it with a request and performs operations THAT ARE ONLY RELATED TO ADMIN"... <- This is a possible scenario, but on the webserver-database end you could put a field in the database that will check IP, request user agent and client; if those parameters don't match the previous request it means that someone has stolen the token and is trying to send a request with the ADMIN token from a different device/browser etc., so you could possibly limit it, or destroy the token, or prompt the login page again... I am probably talking too much and confusing you so I will stop...

     Anyway, your question was where do I suggest saving the password for a background service? So you are not saving the user's password, you just prompt a login screen so the user enters his username and password and performs a [ POST ] request to one of your API routes (for example www.mysite.com/api/login); if everything is valid you will get a JSON web token from the server. You save that token. Tokens can have an expiration date; that expiration date is set where the JSON web token is created. The JSON web token that will be sent to the user is created in the web application. The web application and its code is running/stored on a remote server. So every time the background task performs some request it will grab the token and send it with the request. The web app validates that and gives a proper response. If the token is expired the web server will give an "expired" response to your task. So your task is going to receive a response; if the response is "expired" it will give a notification to the user to log in again so he can get a new token, or something like that. If there is no need for particular data to be accessed by authenticated users, you can just make a public route; I explained that at the top of the post: "www.mysite.com/api/customers <- this route is a PUBLIC [ GET ] route. Anyone who visits this link will get a list of all customers in your database, in JSON format for example."

     You wrote a post here saying "Encrypting a string or password is easy, harder is how you protect the key used for the encryption." In the scenario that I tried to explain, the "key" used for encryption is on the remote server, and nobody knows about it. SO that key will be checked against the token that is sent via the request... Also search for the term "Personal access token"; it is used in almost any app.
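The public route, the middleware-protected route, the ADMIN-only check and the expiring JWT described in the post above, as an added Python example that is not part of the original post or any project mentioned in it. The signing key, the route table, the claim names (`sub`, `role`, `exp`) and the `Bearer` header convention are constructed for the demo; the verifier uses only the standard library, so it works offline.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"  # hypothetical key; exists only on the API server

def _b64url(data):  # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, secret=SECRET):  # server side, after a successful /api/login
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, secret=SECRET, now=None):  # returns claims, or None on any failure
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token's header choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature comparison
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (time.time() if now is None else now):
        return None  # exp is set at issue time; a missing, malformed or past exp counts as expired
    return claims

# Route policies from the post (constructed table): public, any authenticated user, or a required role.
ROUTES = {"/api/customers": "public", "/api/otherRoute": "authenticated", "/api/admin": "ADMIN"}

def handle(route, auth_header=None, now=None):  # the middleware: returns (status, body)
    policy = ROUTES.get(route)
    if policy is None:
        return 404, "no such route"
    if policy == "public":
        return 200, "customers list"
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing token"
    claims = verify_token(auth_header[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"  # client should prompt the user to log in again
    if policy != "authenticated" and claims.get("role") != policy:
        return 403, "forbidden"
    return 200, f"data for {claims.get('sub')}"
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real deployment the DB credentials and `SECRET` stay on the server and the client only ever holds the token.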
  16. Tntman

    Connection string encryption

     The one and only way to do this is how I described... What I told you is best practice and how it is done, there is no other way.

     "We use a config file to store the database connection string." <- this is bad, a security risk, it is unacceptable.

     "We are thinking about encrypting the connection string." <- this can be a "solution" but you will never be sure that you are safe.

     "Is there any best practices to keep the connection string information safe?" People can give you ideas and solutions for how to encrypt a string but you will still not be 100% safe...

     From what you told us about your application I can see that it is not that big and that you already have hosting for the database. That said, you can just put some PHP code there and make an API... You can even make the API in Delphi.
  17. Tntman

    Connection string encryption

     When he submits credentials (for example email and user password) over a POST request to the API, the server will validate the credentials and if true the server will return a JSON token; that token will be stored on the user's phone. You can set the token expiration time, for example 30 min, and that token will be valid only for that particular user for the next 30 minutes... After retrieving the token you will be submitting that token with every future request and the server will validate it... SO basically he is talking to the web server, the web server validates the data and talks to the DB. It is way more secure... The password for the DB is stored on the web server and the code logic for talking to the DB is on the web server, so users don't know the DB password or the logic of how the web server communicates with the DB.

     The next security level that he could add is to (if web app - web server and DB are hosted on the same machine) disable remote login, or if they are split across two different servers he can just allow only his web server's IP to talk to and retrieve data from the DB... It is almost never good practice to talk directly to the DB from almost any app... Sorry if I was off topic.
  18. Tntman

    Connection string encryption

     You are storing information to connect to a remote database, for example MySQL? It is not good to store any password-related stuff in any application. Have you considered making an API and performing DB requests over it?
  19. BTW, I also did a benchmark of an Indy-based custom HTTPd (SOAP, WebBroker) and the Linux version is 3x more performant (ClearLinux) than Windows patched with Intel Performance Libraries.
  20. Serge_G

    Animating TListViewItem

     Hi, I never thought about including animation in a ListView but, why not 😉 However, my guess is TListView is not a good candidate for this sort of usage. Instead think about the ancestor, a TScrollBox. In my mind, this Jaques Nascimento video or videos from CodeRage2019 (Paul Thoth and Adriano Santos interventions)
  21. OK, I was unable to tune Apache for massive load testing, even after changing the settings in the conf files. It seems a limit of 150 concurrent users is set somewhere (or a SYN flood protection, probably). Anyway, the performance until the limit is reached is great. We need Embarcadero to add FastCGI to WebBroker, so it can bind to Nginx, Lighttpd and other modern non-blocking-IO (and largely scalable) HTTP servers. I asked this in Quality Central. Let's see. Kind regards.
  22. I guess you meant "Congratulations LLVM team!" 🙂
  23. Stefan Glienke

    Generics and Classes on Windows 2000 = OOM

    Dynamic arrays cannot leak unless you circumvent the compiler generated code controlling their reference counting.
  24. David Heffernan

    Generics and Classes on Windows 2000 = OOM

    It's very plausible that you have a memory leak. Just because fastmm4 says you don't doesn't mean you don't. It's one thing returning memory when the program closes, another returning it in a timely fashion during execution.
  25. For the same reason I abandoned using a VM for Delphi; productivity is the key for me. But the benefits described by Dave Novo still stand. And the factors that might affect the performance listed by John Kouraklis are definitely worth checking, especially anti-virus software. The real-time protection of any AV software is the major, most significant culprit of performance loss. I think you should use an AV without real-time protection, or one that allows you to disable it, like me :) IMHO a program doesn't really need real-time AV protection; you should have the necessary habits to keep you safe from the dark side of the Internet.