#i2p-dev (irc2p) | dev build 2.5.0-3 | Network reliability is degraded, please be patient as we work on mitigations

eyedeekay After much fighting with it, F-Droid is uploading. These uploads take a long time but once I unpack it on the server f-droid.i2p.io will up updated

eyedeekay Fdroid is out, Gplay shoud be soon

eyedeekay You know there's a `bash.exe` in system32 now? What a world.

zlatinb orly? does it work?

eyedeekay Sort of?

eyedeekay I think it's actually some kind of wrapper around wsl bash because when I build a jpackage with it I end up with a *Linux* image and not a Windows one

eyedeekay whereas with git bash I get a windows one

eyedeekay Not quite sure why it's there, powershell seems to prioritize git bash

anonymousmaybe zzz if I2P autostarted on boot it will each time show "Reseed successful, fetched 154 router infos"

anonymousmaybe shouldnt it only do that one time after first time installation?

zlatinb anonymousmaybe: does it happen if you stop/start manually after boot?

anonymousmaybe i tried reboot multiple times and it happen

eyedeekay At minimum will do it on a first time installation, or if the existing peers are stale/unavailable, or if your netDB is not persisted to disk for some reason(liveCD)

anonymousmaybe netDB is on root level or user level?

eyedeekay For you, I *think* it should be owned by i2psvc, who's home directory is /var/lib/i2p

anonymousmaybe ah yeah then its root level

eyedeekay config directory is /var/lib/i2p/i2p-config

eyedeekay Well, you have to be able to sudo to manipulate it. Technically it belongs to the i2psvc user

eyedeekay You could `sudo -u i2psvc` and obtain the required rights

anonymousmaybe ah i see

anonymousmaybe great that you diagnosed the issue quickly

eyedeekay Yeah I don't think we ever run as root, in fact we actively resist it if you try

anonymousmaybe actually I2P on qubes OS has an issue, because I2P write to root level directory but in qubes Appvm root changes are non-persistnet

eyedeekay Oh that explains a **LOT**

anonymousmaybe only in template, and template doesnt has internet access (only for upgrading the template itself)

anonymousmaybe yeah just mentioning this for users who might face the same issue

anonymousmaybe eyedeekay but eyedeekay Tor doesnt need root rights anywhere wonder why not I2P do the same thing

eyedeekay Your issues are somewhat unique but I find them interesting.

eyedeekay By doing such extensive configuration Qubes/Whonix explores integration issues. Like the onion reseed thing(not giving up on that)

eyedeekay Tor isn't strictly speaking "P2P" in the same way that I2P is

anonymousmaybe yeah its not P2P but if I2P run only through user level which is like using i2prouter start

anonymousmaybe this is great

anonymousmaybe but it has 2 disadvatages: doesnt use apparmor and doesnt autostart

anonymousmaybe asaik

anonymousmaybe afaik*

eyedeekay In I2P, everyone is a relay and everyone persists relay information unless, unless they are configured not to. In your case, by not persisting /var/ you are in effect not persisting relay information, so you need to re-bootstrap every time

eyedeekay Yeah I'm working on the apparmor bit actually. It's a totally unsanctioned off-the-books operation lol

anonymousmaybe oh awesome

eyedeekay Arose by accident while I was aping features from torbrowser-launcher

anonymousmaybe tbh we need to get rid of anything I2P right into Root directories, Only under user level

eyedeekay In some ways yes, but in other ways no, we do that for a set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user

anonymousmaybe ah what are the disadvantages?

eyedeekay But a portable that can be run entirely without root, entirely from within $HOME, which has all the same features as Java I2P, and has apparmor, that might be a decent idea

anonymousmaybe autorun and apparmor should be manageable to make them compatible with user rights only

eyedeekay which is actually mostly added as options to i2p.plugins.tor-manager when running in freestanding mode

anonymousmaybe " set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user"

eyedeekay I don't have autorun yet but I have `.desktop` file generation

anonymousmaybe what are they?

anonymousmaybe yeah autorun seems nice to have an option for it but not with systemctl

eyedeekay Broadly, the ability to A) restrict the i2psvc user from accessing things outside it's purview and B) exempt the i2psvc user from the iptables rules that apply to every other app

eyedeekay For the purposes of most DE's autorun seems to be a matter of generating a `.desktop` like file in the right location

anonymousmaybe A is good, B is considered advatage?

eyedeekay Yes absolutely

eyedeekay i2psvc in my case does not use the VPN. The opposite applies too, BTW. You can apply specific rules to the i2psvc user, if necessary

anonymousmaybe hmm if nftables (dont use iptables to avoid falling into legacy/deprecated firewall) blocking incoming connections in this case not applied to I2P?

eyedeekay So C) to apply special iptables rules to the i2psvc users

eyedeekay It's a feature, not getting dropped, especially when running as any non-root user is pretty much possible

anonymousmaybe its true having different user for each app is a better thing no question about it

eyedeekay If you want to run entirely from within $HOME on a VM, a portable install in $HOME running as the user is a perfectly reasonable thing to do. We just have to decide on a predictable location and write an apparmor profile for it

anonymousmaybe and gnu/linux suffer from this vulnerability of all apps using shared user

eyedeekay Yeah that's most of the reason for the i2psvc user

anonymousmaybe this is android under the hood operation which is each app has its own user to avoid malicious apps from running in /home with just user power

anonymousmaybe ok so if we can have apparmor and autorun feature by only user power this will resolve qubes-i2p issue

anonymousmaybe but downside is I2P gonna be similarly to other apps gonna use the same host user

anonymousmaybe eyedeekay can you ping me once you finish implementing it? or its just on faraway feature?

anonymousmaybe future*

eyedeekay Such is an imperfect world. As long as /var/lib/i2p is not persisted, running i2p as the i2psvc user will require repeated reseeding

anonymousmaybe yeah i wont run i2p with i2psvc user

anonymousmaybe thats not compatible with qubes model

eyedeekay I've got half done already github.com/eyedeekay/i2p.plugins.tor-manager/blob/main/apparmor_linux.go mostly ripped off Micah Lee and turned into a profile-generator, you give it a directory and it spits out an apparmor profile

eyedeekay Which assumes you are using it for I2P and Tor Browser

anonymousmaybe ah i meant using i2prouter start will use the apparmor profiles

anonymousmaybe and i2pconsol has an option to make i2p autostart

anonymousmaybe i2prouter command is perfectly working with Qubes model because it doesnt need to write to root level directories

eyedeekay Yes what you need is to have an apparmor profile for ~/i2p then, which isn't part of the core install

anonymousmaybe yeah will it be from the core install?

eyedeekay Once I figure out what it exactly needs to have in it I'll make an MR for it, if I'm seeing the forest for the trees now it should be pretty achievable

anonymousmaybe great then, thank you

zlatinb eyedeekay: have you had a problem with nsis compiler complaining about unclosed macro when using FindProcess.nsh?

eyedeekay No not at all, I just ran makensis again and I'm scrolling through the output and I don't see it either, what's the error I can grep for?

eyedeekay I'm on nis 3.08-2

eyedeekay *nsis

zlatinb oh, it's at the end of FindProcess.nsh, nevermind

zlatinb yep now it works

eyedeekay Oh good because that was `written by Donald Miller` circa 2007 and NSIS is like a makefile that was exposed to radiation

eyedeekay *not* something I relished debugging at midnight

eyedeekay That is my least-favorite part of i2p.firefox and one I'll change if I can soon

zlatinb to what?

eyedeekay Something I can actually debug on the fly, what it is remains to be seen. go-I2P-jpackage can already more-or-less fill in the blanks, but other options include calling out to `bat` or `ps1` scripts

eyedeekay go-I2P-jpackage solves my second-least favorite thing though, which is that it assumes installation to 2 separate directories in %ProgramFiles% which is stupid, it should be able to install anywhere seamlessly

eyedeekay I'm secretly terrified of what happens if i2p.firefox gets installed somewhere too exotic, like a flash drive or something. Shortcuts break and all kinds of crap.

eyedeekay It needs to be a proper portable.

eyedeekay I say secretly but it's no secret really. My position is that it will fail closed, the router is missing, it has nothing to start.

eyedeekay But it's dumb and I hate it.

eyedeekay So yeah those are my two least favorite features of my biggest extant project, and on the ROADMAP.md, effectively, for 1.08.0 i2p.firefox

eyedeekay In-NSIS PID detection is a plugin-ridden, obfuscated pile that needs to be and can be about 1,000,000% simpler and it's capable of being a portable but it's shit at it right now

zlatinb do you know for sure it will be better elsewhere?

eyedeekay In terms of the PID detection? It can *only* get better

zlatinb famous last words :)

eyedeekay I've actually read `LogicLib.nsh` and mostly understood it, but I'm looking at `!include WordFunc.nsh` and thinking "I should probably read that..."

eyedeekay Surely it must have some way to attach to the output of some other process right? I mean I'll never put any level of stupidity passed NSIS at this point.

eyedeekay Honestly it's stressful, it reminds me of something Eric Raymond might have written as a joke

eyedeekay Apparently NSIS requires 2 plugins and like ~1500 LOC to actually look up a process, it's keeping me up at night

eyedeekay I mean the plugins come in a debian package so it's not *so bad* but it's kind of disturbing when you think the same thing in bash or even bat

eyedeekay Or java or go or powershell or python or anything

eyedeekay I'm sure Groovy has a less dumb-feeling way of doing it

zlatinb err, well yes it's verbose but it does expose all windows apis

zlatinb which may be too much rope

eyedeekay Specficially the PID thing annoys me. Like how is that not part of the language?

zlatinb well very few people use it

zlatinb our auto-update thing is very custom

eyedeekay I suppose. It just seems like shutting down a running instance of an application in order to unlock/write over the files it's using would be at least a *relatively* common case

eyedeekay I guess killing it by PID is an inarticulate way of doing it, but it's universal?

zlatinb btw network performance for 1.6.1 routers is still bad

zlatinb I'm running 1.7.0 on the mw update server and pings from 1.6.1 are not reaching it :(

eyedeekay Do we know if they're Java or i2pd?

zlatinb I'll just wait for 1.7.0 to hit maven I guess

eyedeekay I approved it earlier today, it should be moving through the process any minute

eyedeekay Well, any hour

zlatinb oh it's an mw with embedded 1.6.1 router

eyedeekay But seriously it was before noon my time

zlatinb it's too much of pain to set up external router on windows

eyedeekay So it should be soon

eyedeekay IMO setting it up incidentally is easy enough

eyedeekay "Oh somebody's already listening on localhost:7654? Let's try making an I2CP connection there and see what happens. If it works, use that."

zlatinb is the easy install bundle with 1.7.0 now?

zlatinb I don't remember signing it...

eyedeekay No it's not up

zlatinb I'll just wait then, np

eyedeekay Android proved to be a little more involved than I though, fdroidserver in `sid` is broken at the moment

zlatinb I don't like the "try external and use internal if fails" approach

zlatinb if users have specified external it should fail if it isn't found

eyedeekay Sure yeah

zlatinb nah, it's hopeless to keep trying with 1.6.1, pings just don't make it

eyedeekay I'm not sure it's mutually exclusive, if behavior is specified by the user, use the specified behavior. If behavior is unspecified, then my question is "What is the best guess?"

zlatinb when launching an nsis installer with /S from cmd.exe it still shows the signer warning

zlatinb I need to make sure it doesn't happen when invoked from a process

eyedeekay I'm pretty sure it does, but it does not show any other step of the process.

zlatinb ok maven is up, let me update

eyedeekay Actually, I'm quite sure it does, as in I've tested it with an unsigned installer and to the best of my knowledge it does

eyedeekay Re: the detection/use of an existing router, In the case of unspecified behavior, my "best guess" of what is correct is to minimize resource usage and consolidate log outputs and that leads me to believe that connecting to an API on the host that's already available is the "right" decision

zlatinb even then you open the door to malware and hijacking

eyedeekay If there's an app that's already connecting on localhost:7654 you've got real bad problems, way worse ones, anyway in my opinion

eyedeekay Although I really hate that argument

eyedeekay I2P is an exfiltration tool of convenience at that point, anything will do

eyedeekay And in practice many cast a broad net

eyedeekay Maybe we decide the filesystem is safer, and put a password on I2CP, SAM, I2Pcontrol, make apps get permission to read the file containing the password?

zlatinb that's a big topic

zlatinb we could hypothetically password-protect everything

eyedeekay It's a *huge* topic, and I even could bring in a quasi-ethical objection to creating a de-facto walled garden, but the security benefits would potentially be significant

zlatinb obv it won't work as a system service

eyedeekay Not universally I don't think... maybe? The hypothetical "password file" could be readable by members of a new group "i2papps"

eyedeekay It calls back to un-bundling...

eyedeekay This is why I haven't decided how to respond to the latest of: zzz.i2p/topics/2988-please-help-test-i2p-for-android-0-9-47-1

eyedeekay Dropped my connection for a second, did I miss anything?

zlatinb nah I'm restarting an mw with bundled router trying to get it to ping the udpate server :)

zlatinb it's a very slow process :(

eyedeekay Bummer

eyedeekay Jeesh. pidgin really being pidgin today. Can't wait to switch to BRB full-time.

anonymousmaybe pidgin in whonix announced as deprecated and insecure app since like 4-5 years ago

zlatinb damn it, requested operation requires elevation

zlatinb so no silent updates for windows I guess

eyedeekay Not entirely silent, yet

eyedeekay But if I can make it really portable I can install it to someplace that isn't %ProgramFiles% and the problem is solved, at least for all new users

eyedeekay Excecpt on the first run it will still ask them if they want to give it permission to talk to the network

eyedeekay (I'm pretty close)

eyedeekay The other problem with i2p.firefox is that since we can't bundle Firefox we have to guess where it is or read the registry where it might not be even if it's actually available

eyedeekay But we're definitely allowed to download and install a version of Firefox(Tor Browser) if we expressly tell the user that's what the tool is for and set expectations for the user that reflect the real capabilities of the application

eyedeekay And that can also be installed `installer.exe /S /D c:Custom/path`

eyedeekay So you don't have to guess where it is

eyedeekay Conveniently, also does not require admin rights

eyedeekay Unless you want it in %ProgramFiles% which is no longer the default

eyedeekay And since there's a `dist.torproject.i2p` now we can download in-I2P

eyedeekay And it's all well within the terms and more importantly, AFAICT, the practice of the licensing

eyedeekay Anyway it's late AF here, I better get around to building it before I talk myself out of it thinking about things that bug me

zlatinb have fun, I'm installing Visual C++ now :-/

R4SAS :D

eyedeekay Nice. Hope you have a fast connection

zlatinb yeah that's not the problem

zlatinb last time I wrote visual C++ code was 15+ years ago

eyedeekay Good luck then

eyedeekay I don't think I've ever tried visual C++, if it's anything like visual C# or visual basic it's probably got a whole UI toolkit and event system and everything on it

eyedeekay Like specific to the platform/IDE I mean

zlatinb oh it's a different world

eyedeekay I've only the vaguest notion

zlatinb it was traumatizing at uni when they taught us

zlatinb but maybe I can do it in pure C...

zlatinb eyedeekay: JNA solved the elevation problem in 5 minutes (at the cost of 4MB of jar files)

zlatinb with it it's possible to do whatever we want on windows

zlatinb also we should be using https://nsis.sourceforge.io/ShellExecAsUser_plug-in instead of ExecShell from the installer

zlatinb we can do things like register for system sleep notifications (like closing a laptop) etc.