-
UkoeHB_
is there dev meeting today?
-
moneromooo
I remember someone asking for one a couple days ago, so yes.
-
rbrunner
All devs still drunk from Monero anniversary ...
-
sarang
No meeting then?
-
moneromooo
If anyone has something to say or ask, feel free.
-
sarang
I know UkoeHB_ had been working this weekend on a particular issue summary regarding Janus handling
-
sarang
Not sure if they wanted to discuss this
-
moneromooo
I think ErCiccione[m] was the one who asked for a meeting.
-
rbrunner
I remember likewise, maybe because of the recent move back to GitHub for the Monero website
-
binaryFate
-
UkoeHB_
nothing to discuss from me, please read the issue and leave comments if possible ^.^
-
binaryFate
Note the jump in timestamp from first line to second one is because my computer was hibernating in between
-
sarang
Ah ok UkoeHB_!
-
sarang
Lots to catch up on with your discussions with knaccc this weekend
-
moneromooo
binaryFate: repeatedly fails to load.
-
binaryFate
load what?
-
moneromooo
The data from the URL you posted.
-
moneromooo
"The connection to paste.centos.org was interrupted while the page was loading." all the time.
-
binaryFate
Mmm works for me without any issue over clearnet
-
binaryFate
what else is tor-friendly?
-
moneromooo
paste.debian.net is. pastebin.com usually is these days.
-
moneromooo
paste.ubuntu.com is also ok.
-
moneromooo
I suspect anything that goes cloudflare is likely to be not ok.
-
sarang
Would it be possible to set up a self-hosted pastebin?
-
sarang
Then it's understood where the data is stored and how it can be accessed
-
sarang
Surely there's a useful service that's also FOSS and can be hosted
-
binaryFate
agree, would be useful to us + other projects, and a nice "statement"
-
binaryFate
-
sarang
A random search found this (no clue if it's actually trustworthy):
github.com/PrivateBin/PrivateBin
-
needbrrrrrrr90
-
needbrrrrrrr90
Please note that that isn't a red flag for me, but one of the other mods thought I should raise it here.
-
sarang
Remind me again why we don't just use GitHub for signed release binaries?
-
sarang
We already trust GitHub (to an extent) for source
-
wizardsmoke
because GitHub are evil now
-
sarang
Sure, but everyone is ideally checking signatures anyway
-
sarang
and it provides a nice firewall between the web hosting (which provides the hashes) and the binaries
-
sarang
I get the idealism of self-hosting binaries
-
sarang
but in practice it's failed at least once
-
binaryFate
needbrrrrrrr90 the throttling is pretty strict on downloads and I get myself some error on a particular link/bin until I wait a few tens of seconds again. It would correspond to what the post describes.
-
needbrrrrrrr90
Would you mind commenting as such, and potentially indicating that we're looking at alternative hosting platforms (like github)?
-
needbrrrrrrr90
I can also comment too, but I would prefer it not be second-hand if they ask more questions :)
-
sarang
(AFAIK github is not being considered by anyone for this; that was purely my question)
-
needbrrrrrrr90
I mean. It's a valid suggestion.
-
binaryFate
What do you mean with platforms? Currently we do CDN -> cloudflare -> our server
-
needbrrrrrrr90
I'd consider it lol
-
sarang
I certainly think it is
-
binaryFate
The throttling might come from any of these layers I'm not sure
-
binaryFate
Oh you mean using github to serve our binaries?
-
needbrrrrrrr90
The suggestion of hosting binaries on GitHub (perhaps in parallel) is what I was thinking of when I said alternative hosting platforms
-
needbrrrrrrr90
Yes
-
sarang
yes
-
ErCiccione[m]
Sorry, I didn't understand people wanted to actually have the meeting at the end. Here now
-
sarang
We have a huge example of when self-hosting failed
-
binaryFate
Ok was not aware of that. Anyway sure I can comment to the post
-
ErCiccione[m]
good idea the self hosted pastebin.
-
needbrrrrrrr90
I guess you could say this might be our Binary Fate, so to speak 👀
-
sarang
-_____-
-
sarang
To be clear, I don't particularly trust Microsoft to be a good steward of so much of the open-source community
-
binaryFate
sarang I think it's not fair to say that self-hosting "failed". A one-off one-in-many-years shit event might well occur on github as well
-
sarang
Sure, but in that case, you at least have a much bigger firewall
-
sarang
between the web hosting and the binary serving
-
needbrrrrrrr90
Those five nines are hard to get
-
sarang
and github almost certainly has many more engineers on staff working specifically to ensure that kind of safety
-
sarang
and at that point, why not just offload the bandwidth to github?
-
sarang
they do it for free
-
sarang
If they turn evil, switch back
-
sarang
It's not like they can do anything evil except deny access
-
sarang
and that's already a risk with the source
-
binaryFate
yes you're right, in terms of DoS protection and bandwidth access they're probably more stable than what we can hope for on ourselves
-
sarang
I think there are basically no downsides
-
sarang
none that we don't already take on, at least
-
needbrrrrrrr90
Because of some tin foil hat risk that they intentionally compromise our binaries, which are signed, first. Before any other project around. We would have zero canary in the proverbial coal mine.
-
binaryFate
not sure about access from China though
-
sarang
And sure, have an alternate self-hosting if you want
-
sarang
But if they have a method for serving binaries that's free bandwidth and with a good track record, why not take it?
-
needbrrrrrrr90
I think it's silly to assume Monero would be intentionally targeted by Microsoft, first, before any other project
-
sarang
People should always check sigs anyway
-
sarang
agreed
-
binaryFate
All this deserves more discussions clearly, didn't know they were ongoing if they were but yeah let's explore.
-
sarang
And again, I don't particularly trust them. But ideally this is set up so that you don't _need_ to trust them
-
sarang
You're simply using a service they provide, with plenty of distribution to account for any possible evildoing in the future
-
yanmaani
Even if it's not targeted, there's something icky about them IMO
-
sarang
Well, they host the source right now
-
hyc
why don't we just start seeding torrents for binaries
-
yanmaani
Expressed bluntly, a 1 GBit VPS is not exactly expensive
-
needbrrrrrrr90
Hyc aren't torrents not adversarial?
-
sarang
yanmaani: I don't particularly like the idea of needing _any_ hosted service for stuff like PRs and issues and such, but it is what it is
-
needbrrrrrrr90
There's a whole host of attacks that could bring it down afaik
-
yanmaani
That said, the binaries are absurdly large
-
sarang
and we have at least one example where binaries were compromised
-
yanmaani
like 200 MB?
-
sarang
Of course GitHub could be compromised. But self-hosting _was_ compromised
-
yanmaani
needbrrrrrrr90: torrents are rock solid, also I think there already are torrents
-
needbrrrrrrr90
Rock solid until someone with a mind to throw a wrench in your distribution appears*
-
hyc
how?
-
yanmaani
@torrent
-
yanmaani
!torrent
-
yanmaani
hyc: check #monero
-
moneromooo
binaryFate: do you have a stack of the crash ?
-
needbrrrrrrr90
Unless they've improved since I last checked, I thought torrents were vulnerable to attack (either denial of service or otherwise)
-
gingeropolous
i ultimately think multiple solutions should be used.
-
hyc
no, I mean, how does an attacker screw up a torrent
-
gingeropolous
i mean, if the sigs are verified it doesn't matter where it comes from
-
yanmaani
needbrrrrrrr90: torrents are far less vulnerable to DoS than HTTP
-
yanmaani
and have been this way since what, 2002?
-
needbrrrrrrr90
Hm. I'm not sure why I'm recalling otherwise.
-
needbrrrrrrr90
I'm probably wrong
-
ErCiccione[m]
+1 for torrent. We could CCS a seedbox
-
binaryFate
moneromooo: nope sorry :( will try to catch one next time
-
gingeropolous
and really we only need to worry about the monero updater software downloader tool
-
gingeropolous
did that happen?
-
gingeropolous
so you only need to have a trusted event happen once, and then it chains trust from there
-
hyc
mooo wrote the updater tool
-
moneromooo
It also depends on someone to bump the update TXT records, which currently still advertise 0.15.0.1.
-
hyc
haven't seen much about it
-
yanmaani
ErCiccione[m]: CCS? We are not exactly dealing with terabytes of data here
-
gingeropolous
well it's always gonna require a human finger to click some buttons
-
needbrrrrrrr90
-
moneromooo
Well, it's finished. Except for the GUI part, which I'm waiting for the GUI to have gitian builds to push.
-
ErCiccione[m]
yanmaani: Would be just for reliability.
-
yanmaani
You can use web seeds for it.
-
yanmaani
Since it's identified by hash, safety is rather unimportant.
-
yanmaani
but I mean, you could just use any random VPS
-
yanmaani
seedboxes are way overkill
-
sarang
How are GUI det. builds going?
-
sarang
I haven't checked in with that in a while
-
gingeropolous
<moneromooo> It also depends on someone to bump the update TXT records, which currently still advertise 0.15.0.1. >>> who's sposed to do this?
-
moneromooo
pony for now, binaryFate as soon as the massive security enhanced military grade safe has been opened.
-
moneromooo
(allegedly)
-
sarang
-
hyc
we should be distributing updates via the monero p2p protocol ...
-
moneromooo
Oooh, and add twitter support. And a chat.
-
yanmaani
Do you really want to do down that road?
-
yanmaani
go*
-
hyc
if done correctly, that means all fullnodes will self-update, which removes a lot of the problem of sites not updating in time
-
moneromooo
They could do it right now. They can download and verify (from HTTPS though) already.
-
yanmaani
OTOH, it's a literal botnet with only one key compromise.
-
moneromooo
Piggybacking on Bittorrent seems safer and less work.
-
yanmaani
As well as horrible, horrible centralization
-
yanmaani
How about this? Add in a Bitcoin-style alert key, multisig.
-
moneromooo
You gotta be kidding. A botnet is 100% centralized by definition.
-
yanmaani
If signed by >70% of developers, propagate it
-
yanmaani
And devs can post messages, such as "Hardfork soon, pls update from monero-best-download.co.biz.ru.asia.tk/wp-content/login.php"
-
yanmaani
Or I suppose you can just add in libtorrent and call it a day.
-
hyc
using torrent protocol is less dev work, yes. more end-user work to administer bandwidth to two separate systems instead of just one
-
yanmaani
Well the end-user work would be the same. If you include libtorrent inside, I mean.
-
yanmaani
So, it gets a "signed update" message, and starts downloading, with its immediate p2p neighbors as peers, then does PEX
-
sarang
So: what's the best next step for self-hosting a pastebin?
-
sarang
That seems like an easy win for helpful functionality
-
sarang
(unless there are good reasons to avoid this that I am not thinking of)
-
kinghat[m]
github gists have version history
-
moneromooo
Spam is one.
-
moneromooo
I suppose we might not care if it gets added to robots.txt to avoid.
-
sarang
Set an auto-expire?
-
sarang
And require some kind of captcha?
-
sarang
spitballing here
-
yanmaani
proof of work is nicer than captcha tbh
-
yanmaani
but pastebins are dime a dozen
-
sarang
Well, local encryption is important
-
sarang
As in, the server can't view plaintext
-
yanmaani
OTOH it requires JS :)
-
yanmaani
a compromise is to have encryption at rest with optional client-side decryption
-
sarang
A server that can host arbitrary plaintext may run into liability issues (but I am not a lawyer)
-
yanmaani
nah
-
yanmaani
you could just dump it somewhere else
-
yanmaani
like on Freenet
-
yanmaani
that solves all the liability problems
-
yanmaani
all sorts of shit there but I haven't gotten any abuse notices yet
-
selsta
The throttling issue on getmonero is a bug / config problem and pigeons is looking into it.
-
selsta
GUI has its own auto update system now and we could bring it to CLI in the future, it requires GPG signatures from 2 maintainers.
-
selsta
Obviously modified to take advantage of gitian.sigs
-
selsta
19:08 <pigeons> Let me know if you get download failures on getmonero.org again. Should be good for now, there was a uid mismatch for the nginx cache volume
-
selsta
^ hopefully solved now