double avgTime = timings.stream().mapToLong(Long::longValue).average().orElse(0.0);
                long maxTime = timings.stream().mapToLong(Long::longValue).max().orElse(0L);
                long minTime = timings.stream().mapToLong(Long::longValue).min().orElse(0L);

                double variance = (maxTime - minTime) / avgTime;
                // JVM timing in concurrent scenarios is inherently variable

    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And they send a request with a username `johndoe` and a password `love123`.

package org.apache.maven.api;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;

/**
 * A Clock implementation that combines monotonic timing with wall-clock time.
 * <p>
 * This class provides precise time measurements using {@link System#nanoTime()}
 * while maintaining wall-clock time information in UTC. The wall-clock time

        assertTrue(
                later.minus(initial).toMillis() >= 45,
                "Elapsed time difference should be at least 45ms (accounting for some timing variance)");
    }

    @Test
    @DisplayName("MonotonicClock start time should remain constant")
    void testStartTime() throws InterruptedException {
        Instant start1 = MonotonicClock.start();

# limitations under the License.
# ==============================================================================
source "${BASH_SOURCE%/*}/utilities/setup.sh"

import org.codelibs.fess.exception.FessSystemException;
import org.codelibs.fess.util.ComponentUtil;

/**
 * Helper class for controlling crawler execution intervals and timing.
 * This class manages crawler execution timing based on configurable rules
 * that can specify different delays for different time periods and days.
 */
public class IntervalControlHelper {

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # 어떤 오류를 반환
    ...
```

하지만 `secrets.compare_digest()`를 사용하면 "timing attacks"라고 불리는 한 유형의 공격에 대해 안전해집니다.

### 타이밍 공격 { #timing-attacks }

그렇다면 "timing attack"이란 무엇일까요?

공격자들이 사용자명과 비밀번호를 추측하려고 한다고 가정해봅시다.

그리고 사용자명 `johndoe`, 비밀번호 `love123`으로 요청을 보냅니다.

그러면 애플리케이션의 Python 코드는 대략 다음과 같을 것입니다:

```Python

* load balancer: load balancer (do not translate to "balanceador de carga")
* load balance: load balance (do not translate to "balancear carga")
* self hosting: self hosting (do not translate to "auto alojamiento")

# limitations under the License.
# ==============================================================================
source "${BASH_SOURCE%/*}/utilities/setup.sh"

    /**
     * Attaches [tag] to the request using [T] as a key. Tags can be read from a request using
     * [Request.tag]. Use null to remove any existing tag assigned for [T].
     *
     * Use this API to attach timing, debugging, or other application data to a request so that
     * you may read it in interceptors, event listeners, or callbacks.
     */
    @JvmName("reifiedTag")