cassact[m]1: why couldn't the subscription payment be Dollar-valued each time it's run?

the wallet could lookup the current exchange rate on some mutually agreed sources, say CMC and CoinGecko, average the two, and off you go

Yeah that’s true it could.

For reasons that are opaque to me in retrospect I dismissed the idea of having that kind of integration in the wallet

But yeah that would totally work

Is it just me or does the MAC CLI hash for the 16.0 download not match the website?

ignore - it's my fault. i am looking at the GUI. apologies

sorry for the false alarm - i appreciate that it was not helpful.

midipoet: thanks for giving me a heart-attack

Not gonna lie, had an elevated heart rate for a brief amount of time :P

-___-

I remember some earlier suggestions to have a bot periodically download the binaries and check signatures and hashes

although it was also pointed out that a super clever attacker could account for this

It could at least catch errors or less-sophisticated attackers

I like the idea

The GUI auto updater checks hashes and if there is a mismatch if would get displayed.

gui auto updater?

yep, gui has an updater now

v16?

you still have to accept it (and manually install after it got downloaded)

yes

but it automatically checks hashes and signature

from 2 maintainers

so valid signature of 2 maintainers are required that an update gets displayed which should make it hack proof

Are the verification keys hardcoded?

public keys of bF, fluffy and luigi are hardcoded

Where does it get the signed hashes?

first one: web.getmonero.org/downloads/hashes.txt

got it

second one: web.getmonero.org/downloads/hashes.txt.sig (by a different maintainer)

Is that the tool that mooo built, or something else?

I don't have the link handy to the mooo tool

not the same tool

Out of curiosity, has it been tested by pointing the updater to a different binary?

Even with matching (but obv. unsigned) hashes?

To test it

don’t understand, different binary but matching hash?

just not signed?

Bad wording: assuming that the adversary replaced the hash list so the hashes match the bad binary

In the earlier actual attack, the hashes didn't match... but one should assume that matching hashes would be something an adversary would do

The updater would need to be modified (or some local DNS hijinks played) to point to some different (but of course benign) binary

My real question is: how was the tool tested?

`--verify-update` flag

it requires the binary, signed hashes.txt with correct hash of binary, detach signature of hashes.txt form a different maintainer

Cool; do you know if these failure modes were tested?

I'm not implying they weren't; simply curious to know

if the hashes match the bad binary it still requires a valid signature

this was tested, yes

also step back a second

the alert is a DNSSEC-signed DNS record

and it checks 4 different domains

and requires 3 of them to be valid

so an attacked would need to compromise:

1. DNS records on 3 domains

2. the downloads on the website

3. the hashes file on the website

all without anyone noticing

:D

and forge sigs, right?

yes

That would be... extremely impressive

extremely

there is obviously still the possibility of an implementation bug

but we tested it quite well and mooo also reviewed it

Yeah, hence my question about testing failure modes

cool

I also suggested (to dEBRUYNE?) to make the blog/announcement language about checking hashes _and_ signatures more direct

Which was done AFAIK

so first-time downloads are verified properly

the ideal scenario in the future is that people download the GUI safely once and then the GUI will always automatically do the hash and sig checking

but yea the first download is it

yah

It'd be wild to also include options to check against the repro build results

Of course, there'd be a risk of sybil from that

and a malicious maintainer could disable that check or something, I suppose

sybil how?

If repro results were checked against a source that anyone could add to

we have github.com/monero-project/gitian.sigs/pulls

Bots could post random hashes or something

but obviously trusted people get merged first

Right, it'd need to be from a source that's reasonably trusted

Sybil's the wrong choice of term for that

But anyway, given that the failure mode for that could be a malicious maintainer, it's probably a bad signal anyway

The maintainer could bypass the check and just print "yep, matches!"

Only way to check reliably is your own local build

yep

reminds me that I wanted to do a tutorial for it

step by step tutorial :D

Gitian?

yep

Nice!

Along with a good explanation of why repro builds are important and useful?

someday gui :)

fluffypony: yeah, sorry about that. brain freeze on my end. happens a lot.

np

is there any solution for the GUI needing 10.12+ on MAC?

i am guessing not...

we can spin up a MacStadium box again and use it for builds?

Apple dropped support for it 3 years ago, now also Qt dropped support for it

so it becomes difficult to support at this point

yeah looks like 10.13 is still getting updates, but not 10.12

midipoet is asking about 10.11

last security update to 10.12 was Sep 2019

it supports 10.12

last security update for 10.11 was July 2018

hmm 2 years ok

wow. i didn't realise i was sooo far behind.

hmm

so we already support a version of macOS that no longer gets security updates

Qt 5.9 was the last LTS version that supported 10.11

but it is EOL now

and I don't think encouraging people to run a Monero wallet on that is a good idea

We should not use a framework without security updates

+1

CLI still supports 10.11

plus 10.13 runs on old Macs -

iMac: Late 2009 or later

MacBook: Late 2009 or later

MacBook Pro: Mid 2010 or later

MacBook Air: Late 2010 or later

Mac Mini: Mid 2010 or later

Mac Pro: Mid 2010 or later

so no reason not to update to 10.13

allegedly extended support for 10.13 will end in Sept 2020, and then everyone will need to be on 10.14, which changes the supported devices somewhat

you mostly need a 2012 or newer device to do that

i understand the issue. just trying to figure the best way to deal with the situation on my side...

midipoet: what prevents you from updating?

32 bit audio software

hmmmm - can't you run it in a macOS VM in Parallels?

Oh yeah, they dropped 32-bit support entirely, right?

didn’t only 10.15 killed 32bit?

so you can upgrade to 10.12-10.14

oh yeah - they come with warnings in everything but then don't work at all in 10.15

you may be right. i have to look into it properly. or move my monero wallet off this mac - which seems far easier.

either way, thanks for the security check up peeps ;-)

can’t wait to run GUI on ARM mac :D

soon^tm

Oh yeah, is that actually happening?

Heard rumblings on it for a while

apparently, will be announced this month

heard the same

I wonder how far into the line it'll extend

but first hardware will only come out next year

ARM on the pro line seems like a risky move

but maybe for the consumer line?

e.g. the airs

sarang: they'll do the Air and maybe bring back the 12" Macbook next year

and then Pro the year after

(I'm guessing)

there's already a large body of libraries and stuff with ARM support because of iPadOS and iOS

But so many major players will need to overhaul, no?

But I suppose "everyone needs to overhaul everything" is not unheard of for Apple =p

A lot of open source programs already support ARM

I guess some less supported niche apps will be more difficult

Sure, but I'm wondering about the stuff that Mac Pro folks might need that don't already

they'll probably also have an emulator for a few years

(I don't know much about that)

and they'll get Adobe, Microsoft, etc. to buy into it

Apple spent years not caring about the Pro untli the recent overhaul

Best not to upset those users once again

sarang: Mac Pro I agree, but MacBook Pro they can probably take the risk in 2 years

I still have a 2014 Pro one, these were the best IMO

That makes more sense

until 2015

I wonder what it'll do for battery life

good things hopefully :P

can’t get worse I guess

selsta: lol. i recently bought a 2012 Pro for someone. rock of a machine.

+1 older macbooks

+1 older thinkpads

12 Pro works fine if you get SSD, upgrade RAM, and avoid the newer OS

An update/overview of the website's security features could be a cool read