IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2022/02/23
eyedeekay After much fighting with it, F-Droid is uploading. These uploads take a long time but once I unpack it on the server f-droid.i2p.io will be updated
eyedeekay Fdroid is out, Gplay should be soon
eyedeekay You know there's a `bash.exe` in system32 now? What a world.
zlatinb orly? does it work?
eyedeekay Sort of?
eyedeekay I think it's actually some kind of wrapper around wsl bash because when I build a jpackage with it I end up with a *Linux* image and not a Windows one
eyedeekay whereas with git bash I get a windows one
eyedeekay Not quite sure why it's there, powershell seems to prioritize git bash
anonymousmaybe zzz if I2P is autostarted on boot it will show each time "Reseed successful, fetched 154 router infos"
anonymousmaybe shouldn't it only do that one time after first-time installation?
zlatinb anonymousmaybe: does it happen if you stop/start manually after boot?
anonymousmaybe i tried reboot multiple times and it happens
eyedeekay At minimum it will do it on a first-time installation, or if the existing peers are stale/unavailable, or if your netDB is not persisted to disk for some reason (liveCD)
anonymousmaybe netDB is on root level or user level?
eyedeekay For you, I *think* it should be owned by i2psvc, whose home directory is /var/lib/i2p
anonymousmaybe ah yeah then it's root level
eyedeekay config directory is /var/lib/i2p/i2p-config
eyedeekay Well, you have to be able to sudo to manipulate it. Technically it belongs to the i2psvc user
eyedeekay You could `sudo -u i2psvc` and obtain the required rights
anonymousmaybe great that you diagnosed the issue quickly
eyedeekay Yeah I don't think we ever run as root, in fact we actively resist it if you try
anonymousmaybe actually I2P on Qubes OS has an issue, because I2P writes to a root-level directory but in a Qubes AppVM root changes are non-persistent
eyedeekay Oh that explains a **LOT**
anonymousmaybe only in the template, and the template doesn't have internet access (only for upgrading the template itself)
anonymousmaybe yeah just mentioning this for users who might face the same issue
anonymousmaybe eyedeekay but eyedeekay Tor doesn't need root rights anywhere, I wonder why I2P doesn't do the same thing
eyedeekay Your issues are somewhat unique but I find them interesting.
eyedeekay By doing such extensive configuration Qubes/Whonix explores integration issues. Like the onion reseed thing (not giving up on that)
eyedeekay Tor isn't strictly speaking "P2P" in the same way that I2P is
anonymousmaybe yeah it's not P2P but if I2P runs only at user level, which is like using i2prouter start
anonymousmaybe this is great
anonymousmaybe but it has 2 disadvantages: it doesn't use apparmor and doesn't autostart
eyedeekay In I2P, everyone is a relay and everyone persists relay information unless they are configured not to. In your case, by not persisting /var/ you are in effect not persisting relay information, so you need to re-bootstrap every time
eyedeekay Yeah I'm working on the apparmor bit actually. It's a totally unsanctioned off-the-books operation lol
anonymousmaybe oh awesome
eyedeekay Arose by accident while I was aping features from torbrowser-launcher
anonymousmaybe tbh we need to get rid of anything I2P writes right into root directories, only under user level
eyedeekay In some ways yes, but in other ways no, we do that for a set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user
anonymousmaybe ah what are the disadvantages?
eyedeekay But a portable that can be run entirely without root, entirely from within $HOME, which has all the same features as Java I2P, and has apparmor, that might be a decent idea
anonymousmaybe autorun and apparmor should be manageable to make them compatible with user rights only
eyedeekay which is actually mostly added as options to i2p.plugins.tor-manager when running in freestanding mode
anonymousmaybe " set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user"
eyedeekay I don't have autorun yet but I have `.desktop` file generation
anonymousmaybe what are they?
anonymousmaybe yeah autorun seems nice to have an option for it but not with systemctl
eyedeekay Broadly, the ability to A) restrict the i2psvc user from accessing things outside its purview and B) exempt the i2psvc user from the iptables rules that apply to every other app
eyedeekay For the purposes of most DEs autorun seems to be a matter of generating a `.desktop`-like file in the right location
anonymousmaybe A is good, B is considered an advantage?
eyedeekay Yes absolutely
eyedeekay i2psvc in my case does not use the VPN. The opposite applies too, BTW. You can apply specific rules to the i2psvc user, if necessary
anonymousmaybe hmm, if nftables (don't use iptables, to avoid falling into the legacy/deprecated firewall) is blocking incoming connections, in this case is it not applied to I2P?
eyedeekay So C) to apply special iptables rules to the i2psvc user
eyedeekay It's a feature, not getting dropped, especially when running as any non-root user is pretty much possible
anonymousmaybe it's true having a different user for each app is a better thing, no question about it
eyedeekay If you want to run entirely from within $HOME on a VM, a portable install in $HOME running as the user is a perfectly reasonable thing to do. We just have to decide on a predictable location and write an apparmor profile for it
anonymousmaybe and GNU/Linux suffers from this vulnerability of all apps using a shared user
eyedeekay Yeah that's most of the reason for the i2psvc user
anonymousmaybe this is how Android operates under the hood, where each app has its own user to avoid malicious apps from running in /home with just user power
anonymousmaybe ok so if we can have the apparmor and autorun features with only user power this will resolve the qubes-i2p issue
anonymousmaybe but the downside is I2P, similarly to other apps, is gonna use the same host user
anonymousmaybe eyedeekay can you ping me once you finish implementing it? or is it just a faraway feature?
eyedeekay Such is an imperfect world. As long as /var/lib/i2p is not persisted, running i2p as the i2psvc user will require repeated reseeding
anonymousmaybe yeah i wont run i2p with i2psvc user
anonymousmaybe that's not compatible with the Qubes model
eyedeekay I've got half done already github.com/eyedeekay/i2p.plugins.tor-manager/blob/main/apparmor_linux.go mostly ripped off Micah Lee and turned into a profile-generator, you give it a directory and it spits out an apparmor profile
eyedeekay Which assumes you are using it for I2P and Tor Browser
anonymousmaybe ah i meant using i2prouter start will use the apparmor profiles
anonymousmaybe and i2pconsole has an option to make i2p autostart
anonymousmaybe the i2prouter command is perfectly working with the Qubes model because it doesn't need to write to root-level directories
eyedeekay Yes what you need is to have an apparmor profile for ~/i2p then, which isn't part of the core install
anonymousmaybe yeah will it be from the core install?
eyedeekay Once I figure out what it exactly needs to have in it I'll make an MR for it, if I'm seeing the forest for the trees now it should be pretty achievable
anonymousmaybe great then, thank you
zlatinb eyedeekay: have you had a problem with nsis compiler complaining about unclosed macro when using FindProcess.nsh?
eyedeekay No not at all, I just ran makensis again and I'm scrolling through the output and I don't see it either, what's the error I can grep for?
eyedeekay I'm on nsis 3.08-2
zlatinb oh, it's at the end of FindProcess.nsh, nevermind
zlatinb yep now it works
eyedeekay Oh good because that was `written by Donald Miller` circa 2007 and NSIS is like a makefile that was exposed to radiation
eyedeekay *not* something I relished debugging at midnight
eyedeekay That is my least-favorite part of i2p.firefox and one I'll change if I can soon
zlatinb to what?
eyedeekay Something I can actually debug on the fly, what it is remains to be seen. go-I2P-jpackage can already more-or-less fill in the blanks, but other options include calling out to `bat` or `ps1` scripts
eyedeekay go-I2P-jpackage solves my second-least favorite thing though, which is that it assumes installation to 2 separate directories in %ProgramFiles% which is stupid, it should be able to install anywhere seamlessly
eyedeekay I'm secretly terrified of what happens if i2p.firefox gets installed somewhere too exotic, like a flash drive or something. Shortcuts break and all kinds of crap.
eyedeekay It needs to be a proper portable.
eyedeekay I say secretly but it's no secret really. My position is that it will fail closed, the router is missing, it has nothing to start.
eyedeekay But it's dumb and I hate it.
eyedeekay So yeah those are my two least favorite features of my biggest extant project, and on the ROADMAP.md, effectively, for 1.08.0 i2p.firefox
eyedeekay In-NSIS PID detection is a plugin-ridden, obfuscated pile that needs to be and can be about 1,000,000% simpler and it's capable of being a portable but it's shit at it right now
zlatinb do you know for sure it will be better elsewhere?
eyedeekay In terms of the PID detection? It can *only* get better
zlatinb famous last words :)
eyedeekay I've actually read `LogicLib.nsh` and mostly understood it, but I'm looking at `!include WordFunc.nsh` and thinking "I should probably read that..."
eyedeekay Surely it must have some way to attach to the output of some other process right? I mean I'll never put any level of stupidity past NSIS at this point.
eyedeekay Honestly it's stressful, it reminds me of something Eric Raymond might have written as a joke
eyedeekay Apparently NSIS requires 2 plugins and like ~1500 LOC to actually look up a process, it's keeping me up at night
eyedeekay I mean the plugins come in a debian package so it's not *so bad* but it's kind of disturbing when you think the same thing in bash or even bat
eyedeekay Or java or go or powershell or python or anything
eyedeekay I'm sure Groovy has a less dumb-feeling way of doing it
zlatinb err, well yes it's verbose but it does expose all windows apis
zlatinb which may be too much rope
eyedeekay Specifically the PID thing annoys me. Like how is that not part of the language?
zlatinb well very few people use it
zlatinb our auto-update thing is very custom
eyedeekay I suppose. It just seems like shutting down a running instance of an application in order to unlock/write over the files it's using would be at least a *relatively* common case
eyedeekay I guess killing it by PID is an inarticulate way of doing it, but it's universal?
zlatinb btw network performance for 1.6.1 routers is still bad
zlatinb I'm running 1.7.0 on the mw update server and pings from 1.6.1 are not reaching it :(
eyedeekay Do we know if they're Java or i2pd?
zlatinb I'll just wait for 1.7.0 to hit maven I guess
eyedeekay I approved it earlier today, it should be moving through the process any minute
eyedeekay Well, any hour
zlatinb oh it's an mw with embedded 1.6.1 router
eyedeekay But seriously it was before noon my time
zlatinb it's too much of a pain to set up an external router on windows
eyedeekay So it should be soon
eyedeekay IMO setting it up incidentally is easy enough
eyedeekay "Oh somebody's already listening on localhost:7654? Let's try making an I2CP connection there and see what happens. If it works, use that."
zlatinb is the easy install bundle with 1.7.0 now?
zlatinb I don't remember signing it...
eyedeekay No it's not up
zlatinb I'll just wait then, np
eyedeekay Android proved to be a little more involved than I thought, fdroidserver in `sid` is broken at the moment
zlatinb I don't like the "try external and use internal if fails" approach
zlatinb if users have specified external it should fail if it isn't found
eyedeekay Sure yeah
zlatinb nah, it's hopeless to keep trying with 1.6.1, pings just don't make it
eyedeekay I'm not sure it's mutually exclusive, if behavior is specified by the user, use the specified behavior. If behavior is unspecified, then my question is "What is the best guess?"
zlatinb when launching an nsis installer with /S from cmd.exe it still shows the signer warning
zlatinb I need to make sure it doesn't happen when invoked from a process
eyedeekay I'm pretty sure it does, but it does not show any other step of the process.
zlatinb ok maven is up, let me update
eyedeekay Actually, I'm quite sure it does, as in I've tested it with an unsigned installer and to the best of my knowledge it does
eyedeekay Re: the detection/use of an existing router, In the case of unspecified behavior, my "best guess" of what is correct is to minimize resource usage and consolidate log outputs and that leads me to believe that connecting to an API on the host that's already available is the "right" decision
zlatinb even then you open the door to malware and hijacking
eyedeekay If there's an app that's already connecting on localhost:7654 you've got real bad problems, way worse ones, anyway in my opinion
eyedeekay Although I really hate that argument
eyedeekay I2P is an exfiltration tool of convenience at that point, anything will do
eyedeekay And in practice many cast a broad net
eyedeekay Maybe we decide the filesystem is safer, and put a password on I2CP, SAM, I2Pcontrol, make apps get permission to read the file containing the password?
zlatinb that's a big topic
zlatinb we could hypothetically password-protect everything
eyedeekay It's a *huge* topic, and I even could bring in a quasi-ethical objection to creating a de-facto walled garden, but the security benefits would potentially be significant
zlatinb obv it won't work as a system service
eyedeekay Not universally I don't think... maybe? The hypothetical "password file" could be readable by members of a new group "i2papps"
eyedeekay It calls back to un-bundling...
eyedeekay This is why I haven't decided how to respond to the latest of: zzz.i2p/topics/2988-please-help-test-i2p-for-android-0-9-47-1
eyedeekay Dropped my connection for a second, did I miss anything?
zlatinb nah I'm restarting an mw with bundled router trying to get it to ping the update server :)
zlatinb it's a very slow process :(
eyedeekay Jeesh. pidgin really being pidgin today. Can't wait to switch to BRB full-time.
anonymousmaybe pidgin was announced in whonix as a deprecated and insecure app like 4-5 years ago
zlatinb damn it, requested operation requires elevation
zlatinb so no silent updates for windows I guess
eyedeekay Not entirely silent, yet
eyedeekay But if I can make it really portable I can install it to someplace that isn't %ProgramFiles% and the problem is solved, at least for all new users
eyedeekay Except on the first run it will still ask them if they want to give it permission to talk to the network
eyedeekay (I'm pretty close)
eyedeekay The other problem with i2p.firefox is that since we can't bundle Firefox we have to guess where it is or read the registry where it might not be even if it's actually available
eyedeekay But we're definitely allowed to download and install a version of Firefox (Tor Browser) if we expressly tell the user that's what the tool is for and set expectations for the user that reflect the real capabilities of the application
eyedeekay And that can also be installed `installer.exe /S /D c:Custom/path`
eyedeekay So you don't have to guess where it is
eyedeekay Conveniently, also does not require admin rights
eyedeekay Unless you want it in %ProgramFiles% which is no longer the default
eyedeekay And since there's a `dist.torproject.i2p` now we can download in-I2P
eyedeekay And it's all well within the terms and more importantly, AFAICT, the practice of the licensing
eyedeekay Anyway it's late AF here, I better get around to building it before I talk myself out of it thinking about things that bug me
zlatinb have fun, I'm installing Visual C++ now :-/
eyedeekay Nice. Hope you have a fast connection
zlatinb yeah that's not the problem
zlatinb last time I wrote visual C++ code was 15+ years ago
eyedeekay Good luck then
eyedeekay I don't think I've ever tried visual C++, if it's anything like visual C# or visual basic it's probably got a whole UI toolkit and event system and everything on it
eyedeekay Like specific to the platform/IDE I mean
zlatinb oh it's a different world
eyedeekay I've only the vaguest notion
zlatinb it was traumatizing at uni when they taught us
zlatinb but maybe I can do it in pure C...
zlatinb eyedeekay: JNA solved the elevation problem in 5 minutes (at the cost of 4MB of jar files)
zlatinb with it it's possible to do whatever we want on windows
zlatinb also we should be using https://nsis.sourceforge.io/ShellExecAsUser_plug-in instead of ExecShell from the installer
zlatinb we can do things like register for system sleep notifications (like closing a laptop) etc.