01:54:32 <UkoeHB_> can sc_reduce32 return 0?
05:41:17 <khayrullo> hello
05:42:02 <khayrullo> recommend node js library to talk to monero node please
05:43:16 <khayrullo> most libraries ive googled seem to be vulnrable
05:43:18 <khayrullo> https://labs.f-secure.com/advisories/csrf-vulnerability-allows-for-remote-compromise-of-monero-wallets/
08:54:50 <lza_menace> huh? what does nodejs library have to do with this khayrullo? this would indicate that these wallet projects just need to improve their implementation of running the local wallet RPC process
08:56:03 <lza_menace> these projects are super old anyways...
09:01:31 <lza_menace> wouldn't the right recommendation be to run the monero wallet RPC with at least authentication? and at most with full DNS and TLS cert setup?
09:07:55 <lza_menace> wouldn't the attacker have to guess the right amount, too? it will fail to send the TX if it's more funds than are available
09:58:54 <xiphon> are there any v0.15.0.5 reproducible builds available?
10:00:20 <xiphon> ^ hyc: iDunk: selsta: or anybody else doing reproducible builds
10:00:55 <selsta> xiphon: https://gui.xmr.pm/files/cli/v0.15.0.5/
10:01:03 <selsta> but they are also on getmonero.org
10:04:16 <xiphon> thanks
10:07:35 <selsta> xiphon: are you looking at the glibc issue? we used a newer gcc version, I guess that’s the problem
10:22:59 <xiphon> "we used a newer gcc version" -> it won't affect glibc version
10:30:42 <xiphon> i would say that reproducible builds doesn't support anything older Ubuntu bionic 18.04
10:32:57 <selsta> weird that no one complained until now
11:55:21 <selsta> xiphon: ok, people are reporting that v0.15.0.1 works on Ubuntu 16.04, the only thing we changed is newer gcc and updated libsodium
12:09:23 <xiphon> selsta: yeah, my bad - apparently inspecting the binaries i misread `gnu_get_libc_version@@GLIBC_2.2.5` as `GLIBC_2.25`
12:52:04 <xiphon> libsodium 1.0.18 uses getrandom(...) which is availabe only since glibc 2.25
14:05:35 <dEBRUYNE> Some PRs that require (final) review or approval (after rebase), would appreciate if people could have a look
14:05:37 <dEBRUYNE> Needs review:
14:05:37 <dEBRUYNE> 6269 6296 6298 6304
14:05:37 <dEBRUYNE> Needs final approval (after rebase):
14:05:37 <dEBRUYNE> 6227 6260
14:05:37 <dEBRUYNE> Needs final review:
14:05:38 <dEBRUYNE> 6214 6278 6299
15:50:25 <xiphon> selsta: could you do linux x64 reproducible build with https://github.com/monero-project/monero/pull/6397 ?
15:52:02 <selsta> I can do a depends build which should be equal.
15:52:07 <moneromooo> That... prevents building if you're using an old glibc ?
15:52:59 <selsta> I don’t know how to do a reproduce build only for 1 platform.
15:56:59 <xiphon> moneromooo: it prevents invoking these functions, i would expect libsodium will use some workaround then
15:57:20 <xiphon> like getrandom syscall
16:00:23 <xiphon> selsta: "I can do a depends build which should be equal" <- sounds good
16:00:42 <moneromooo> So this is making configure think there is no getrandom call. It looks like purposefully undermining random quality, no ?
16:01:24 <moneromooo> Then again we're using /dev directly. Any places we use sodium random ?
16:11:48 <xiphon> "It looks like purposefully undermining random quality, no ?" -> nope, why do you think so?
16:14:08 <moneromooo> Because if a configure test fails, I expect it won't be using that symbol.
16:14:21 <moneromooo> That's usually what those tests are used for anyway.
16:15:16 <moneromooo> What is this intended to do anyway ?
16:20:10 <xiphon> "Then again we're using /dev directly. Any places we use sodium random ?" -> will have a look, maybe we can drop the code using sodium random
16:21:08 <xiphon> "What is this intended to do anyway ?" -> to not link agains getrandom/getentropy that require glibc 2.25
16:21:52 <xiphon> and let monero wallet binaries run on Ubuntu 16.04, for example
16:26:16 <moneromooo> OK, still seems like a landmine if we end up using libsodium's random later, we'd need to not forget to undo that...
16:27:03 <xiphon> yep, would be better just drop fairly outdated OSes support
16:27:30 <omartijn> Well 16.04 is still supported because it's LTS
16:27:39 <xiphon> i know
16:29:04 <xiphon> moneromooo: "OK, still seems like a landmine if we end up using libsodium's random later" -> we can integrate a check in to build process
16:30:07 <xiphon> the check will get the glibc version required by resulted monero binaries and fail if it is greater than the version we want
16:31:49 <xiphon> ^ if we follow the way of dropping the code that uses sodium random, of course
16:45:30 <xiphon> Inspected the code
16:45:55 <xiphon> Libsodium uses getrandom() during initialization
16:47:42 <xiphon> No way we can drop this, once you call sodium_init(), it will initialize its entropy buffers and invoke getrandom() (if it is available)
16:48:22 <TheCharlatan> building your patch now xiphon
16:49:10 <xiphon> TheCharlatan: sounds good, let me know the results
17:39:59 <TheCharlatan> Left one more comment on the pr xiphon. With that done, I have verified that getrandom is no longer in the symbol table. Should obv. test creating a wallet etc.
23:08:53 <selsta> xiphon: do you still need the build?
23:48:50 <xiphon> selsta: nope, seems TheCharlatan already checked the patch
23:49:07 <selsta> oki