eyedeekay
After much fighting with it, F-Droid is uploading. These uploads take a long time but once I unpack it on the server f-droid.i2p.io will be updated
eyedeekay
Fdroid is out, Gplay should be soon
eyedeekay
You know there's a `bash.exe` in system32 now? What a world.
zlatinb
orly? does it work?
eyedeekay
Sort of?
eyedeekay
I think it's actually some kind of wrapper around wsl bash because when I build a jpackage with it I end up with a *Linux* image and not a Windows one
eyedeekay
whereas with git bash I get a windows one
eyedeekay
Not quite sure why it's there, powershell seems to prioritize git bash
anonymousmaybe
zzz if I2P autostarted on boot it will each time show "Reseed successful, fetched 154 router infos"
anonymousmaybe
shouldnt it only do that one time after first time installation?
zlatinb
anonymousmaybe: does it happen if you stop/start manually after boot?
anonymousmaybe
i tried reboot multiple times and it happen
eyedeekay
At minimum will do it on a first time installation, or if the existing peers are stale/unavailable, or if your netDB is not persisted to disk for some reason(liveCD)
anonymousmaybe
netDB is on root level or user level?
eyedeekay
For you, I *think* it should be owned by i2psvc, whose home directory is /var/lib/i2p
anonymousmaybe
ah yeah then its root level
eyedeekay
config directory is /var/lib/i2p/i2p-config
eyedeekay
Well, you have to be able to sudo to manipulate it. Technically it belongs to the i2psvc user
eyedeekay
You could `sudo -u i2psvc` and obtain the required rights
anonymousmaybe
ah i see
anonymousmaybe
great that you diagnosed the issue quickly
eyedeekay
Yeah I don't think we ever run as root, in fact we actively resist it if you try
anonymousmaybe
actually I2P on qubes OS has an issue, because I2P write to root level directory but in qubes Appvm root changes are non-persistent
eyedeekay
Oh that explains a **LOT**
anonymousmaybe
only in template, and template doesnt has internet access (only for upgrading the template itself)
anonymousmaybe
yeah just mentioning this for users who might face the same issue
anonymousmaybe
eyedeekay but eyedeekay Tor doesnt need root rights anywhere wonder why not I2P do the same thing
eyedeekay
Your issues are somewhat unique but I find them interesting.
eyedeekay
By doing such extensive configuration Qubes/Whonix explores integration issues. Like the onion reseed thing(not giving up on that)
eyedeekay
Tor isn't strictly speaking "P2P" in the same way that I2P is
anonymousmaybe
yeah its not P2P but if I2P run only through user level which is like using i2prouter start
anonymousmaybe
this is great
anonymousmaybe
but it has 2 disadvantages: doesnt use apparmor and doesnt autostart
anonymousmaybe
asaik
anonymousmaybe
afaik*
eyedeekay
In I2P, everyone is a relay and everyone persists relay information unless they are configured not to. In your case, by not persisting /var/ you are in effect not persisting relay information, so you need to re-bootstrap every time
eyedeekay
Yeah I'm working on the apparmor bit actually. It's a totally unsanctioned off-the-books operation lol
anonymousmaybe
oh awesome
eyedeekay
Arose by accident while I was aping features from torbrowser-launcher
anonymousmaybe
tbh we need to get rid of anything I2P right into Root directories, Only under user level
eyedeekay
In some ways yes, but in other ways no, we do that for a set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user
anonymousmaybe
ah what are the disadvantages?
eyedeekay
But a portable that can be run entirely without root, entirely from within $HOME, which has all the same features as Java I2P, and has apparmor, that might be a decent idea
anonymousmaybe
autorun and apparmor should be manageable to make them compatible with user rights only
eyedeekay
which is actually mostly added as options to i2p.plugins.tor-manager when running in freestanding mode
anonymousmaybe
" set of extremely good reasons and I for one would be affected negatively by losing the i2psvc user"
eyedeekay
I don't have autorun yet but I have `.desktop` file generation
anonymousmaybe
what are they?
anonymousmaybe
yeah autorun seems nice to have an option for it but not with systemctl
eyedeekay
Broadly, the ability to A) restrict the i2psvc user from accessing things outside its purview and B) exempt the i2psvc user from the iptables rules that apply to every other app
eyedeekay
For the purposes of most DE's autorun seems to be a matter of generating a `.desktop` like file in the right location
anonymousmaybe
A is good, B is considered advantage?
eyedeekay
Yes absolutely
eyedeekay
i2psvc in my case does not use the VPN. The opposite applies too, BTW. You can apply specific rules to the i2psvc user, if necessary
anonymousmaybe
hmm if nftables (dont use iptables to avoid falling into legacy/deprecated firewall) blocking incoming connections in this case not applied to I2P?
eyedeekay
So C) to apply special iptables rules to the i2psvc users
eyedeekay
It's a feature, not getting dropped, especially when running as any non-root user is pretty much possible
anonymousmaybe
its true having different user for each app is a better thing no question about it
eyedeekay
If you want to run entirely from within $HOME on a VM, a portable install in $HOME running as the user is a perfectly reasonable thing to do. We just have to decide on a predictable location and write an apparmor profile for it
anonymousmaybe
and gnu/linux suffer from this vulnerability of all apps using shared user
eyedeekay
Yeah that's most of the reason for the i2psvc user
anonymousmaybe
this is android under the hood operation which is each app has its own user to avoid malicious apps from running in /home with just user power
anonymousmaybe
ok so if we can have apparmor and autorun feature by only user power this will resolve qubes-i2p issue
anonymousmaybe
but downside is I2P gonna be similarly to other apps gonna use the same host user
anonymousmaybe
eyedeekay can you ping me once you finish implementing it? or its just on faraway feature?
anonymousmaybe
future*
eyedeekay
Such is an imperfect world. As long as /var/lib/i2p is not persisted, running i2p as the i2psvc user will require repeated reseeding
anonymousmaybe
yeah i wont run i2p with i2psvc user
anonymousmaybe
thats not compatible with qubes model
eyedeekay
I've got half done already github.com/eyedeekay/i2p.plugins.tor-manager/blob/main/apparmor_linux.go mostly ripped off Micah Lee and turned into a profile-generator, you give it a directory and it spits out an apparmor profile
eyedeekay
Which assumes you are using it for I2P and Tor Browser
anonymousmaybe
ah i meant using i2prouter start will use the apparmor profiles
anonymousmaybe
and i2pconsol has an option to make i2p autostart
anonymousmaybe
i2prouter command is perfectly working with Qubes model because it doesnt need to write to root level directories
eyedeekay
Yes what you need is to have an apparmor profile for ~/i2p then, which isn't part of the core install
anonymousmaybe
yeah will it be from the core install?
eyedeekay
Once I figure out what it exactly needs to have in it I'll make an MR for it, if I'm seeing the forest for the trees now it should be pretty achievable
anonymousmaybe
great then, thank you
zlatinb
eyedeekay: have you had a problem with nsis compiler complaining about unclosed macro when using FindProcess.nsh?
eyedeekay
No not at all, I just ran makensis again and I'm scrolling through the output and I don't see it either, what's the error I can grep for?
eyedeekay
I'm on nis 3.08-2
eyedeekay
*nsis
zlatinb
oh, it's at the end of FindProcess.nsh, nevermind
zlatinb
yep now it works
eyedeekay
Oh good because that was `written by Donald Miller` circa 2007 and NSIS is like a makefile that was exposed to radiation
eyedeekay
*not* something I relished debugging at midnight
eyedeekay
That is my least-favorite part of i2p.firefox and one I'll change if I can soon
zlatinb
to what?
eyedeekay
Something I can actually debug on the fly, what it is remains to be seen. go-I2P-jpackage can already more-or-less fill in the blanks, but other options include calling out to `bat` or `ps1` scripts
eyedeekay
go-I2P-jpackage solves my second-least favorite thing though, which is that it assumes installation to 2 separate directories in %ProgramFiles% which is stupid, it should be able to install anywhere seamlessly
eyedeekay
I'm secretly terrified of what happens if i2p.firefox gets installed somewhere too exotic, like a flash drive or something. Shortcuts break and all kinds of crap.
eyedeekay
It needs to be a proper portable.
eyedeekay
I say secretly but it's no secret really. My position is that it will fail closed, the router is missing, it has nothing to start.
eyedeekay
But it's dumb and I hate it.
eyedeekay
So yeah those are my two least favorite features of my biggest extant project, and on the ROADMAP.md, effectively, for 1.08.0 i2p.firefox
eyedeekay
In-NSIS PID detection is a plugin-ridden, obfuscated pile that needs to be and can be about 1,000,000% simpler and it's capable of being a portable but it's shit at it right now
zlatinb
do you know for sure it will be better elsewhere?
eyedeekay
In terms of the PID detection? It can *only* get better
zlatinb
famous last words :)
eyedeekay
I've actually read `LogicLib.nsh` and mostly understood it, but I'm looking at `!include WordFunc.nsh` and thinking "I should probably read that..."
eyedeekay
Surely it must have some way to attach to the output of some other process right? I mean I'll never put any level of stupidity past NSIS at this point.
eyedeekay
Honestly it's stressful, it reminds me of something Eric Raymond might have written as a joke
eyedeekay
Apparently NSIS requires 2 plugins and like ~1500 LOC to actually look up a process, it's keeping me up at night
eyedeekay
I mean the plugins come in a debian package so it's not *so bad* but it's kind of disturbing when you think the same thing in bash or even bat
eyedeekay
Or java or go or powershell or python or anything
eyedeekay
I'm sure Groovy has a less dumb-feeling way of doing it
zlatinb
err, well yes it's verbose but it does expose all windows apis
zlatinb
which may be too much rope
eyedeekay
Specifically the PID thing annoys me. Like how is that not part of the language?
zlatinb
well very few people use it
zlatinb
our auto-update thing is very custom
eyedeekay
I suppose. It just seems like shutting down a running instance of an application in order to unlock/write over the files it's using would be at least a *relatively* common case
eyedeekay
I guess killing it by PID is an inarticulate way of doing it, but it's universal?
zlatinb
btw network performance for 1.6.1 routers is still bad
zlatinb
I'm running 1.7.0 on the mw update server and pings from 1.6.1 are not reaching it :(
eyedeekay
Do we know if they're Java or i2pd?
zlatinb
I'll just wait for 1.7.0 to hit maven I guess
eyedeekay
I approved it earlier today, it should be moving through the process any minute
eyedeekay
Well, any hour
zlatinb
oh it's an mw with embedded 1.6.1 router
eyedeekay
But seriously it was before noon my time
zlatinb
it's too much of a pain to set up external router on windows
eyedeekay
So it should be soon
eyedeekay
IMO setting it up incidentally is easy enough
eyedeekay
"Oh somebody's already listening on localhost:7654? Let's try making an I2CP connection there and see what happens. If it works, use that."
zlatinb
is the easy install bundle with 1.7.0 now?
zlatinb
I don't remember signing it...
eyedeekay
No it's not up
zlatinb
I'll just wait then, np
eyedeekay
Android proved to be a little more involved than I thought, fdroidserver in `sid` is broken at the moment
zlatinb
I don't like the "try external and use internal if fails" approach
zlatinb
if users have specified external it should fail if it isn't found
eyedeekay
Sure yeah
zlatinb
nah, it's hopeless to keep trying with 1.6.1, pings just don't make it
eyedeekay
I'm not sure it's mutually exclusive, if behavior is specified by the user, use the specified behavior. If behavior is unspecified, then my question is "What is the best guess?"
zlatinb
when launching an nsis installer with /S from cmd.exe it still shows the signer warning
zlatinb
I need to make sure it doesn't happen when invoked from a process
eyedeekay
I'm pretty sure it does, but it does not show any other step of the process.
zlatinb
ok maven is up, let me update
eyedeekay
Actually, I'm quite sure it does, as in I've tested it with an unsigned installer and to the best of my knowledge it does
eyedeekay
Re: the detection/use of an existing router, In the case of unspecified behavior, my "best guess" of what is correct is to minimize resource usage and consolidate log outputs and that leads me to believe that connecting to an API on the host that's already available is the "right" decision
zlatinb
even then you open the door to malware and hijacking
eyedeekay
If there's an app that's already connecting on localhost:7654 you've got real bad problems, way worse ones, anyway in my opinion
eyedeekay
Although I really hate that argument
eyedeekay
I2P is an exfiltration tool of convenience at that point, anything will do
eyedeekay
And in practice many cast a broad net
eyedeekay
Maybe we decide the filesystem is safer, and put a password on I2CP, SAM, I2Pcontrol, make apps get permission to read the file containing the password?
zlatinb
that's a big topic
zlatinb
we could hypothetically password-protect everything
eyedeekay
It's a *huge* topic, and I even could bring in a quasi-ethical objection to creating a de-facto walled garden, but the security benefits would potentially be significant
zlatinb
obv it won't work as a system service
eyedeekay
Not universally I don't think... maybe? The hypothetical "password file" could be readable by members of a new group "i2papps"
eyedeekay
It calls back to un-bundling...
eyedeekay
This is why I haven't decided how to respond to the latest of: zzz.i2p/topics/2988-please-help-test-i2p-for-android-0-9-47-1
eyedeekay
Dropped my connection for a second, did I miss anything?
zlatinb
nah I'm restarting an mw with bundled router trying to get it to ping the update server :)
zlatinb
it's a very slow process :(
eyedeekay
Bummer
eyedeekay
Jeesh. pidgin really being pidgin today. Can't wait to switch to BRB full-time.
anonymousmaybe
pidgin in whonix announced as deprecated and insecure app since like 4-5 years ago
zlatinb
damn it, requested operation requires elevation
zlatinb
so no silent updates for windows I guess
eyedeekay
Not entirely silent, yet
eyedeekay
But if I can make it really portable I can install it to someplace that isn't %ProgramFiles% and the problem is solved, at least for all new users
eyedeekay
Except on the first run it will still ask them if they want to give it permission to talk to the network
eyedeekay
(I'm pretty close)
eyedeekay
The other problem with i2p.firefox is that since we can't bundle Firefox we have to guess where it is or read the registry where it might not be even if it's actually available
eyedeekay
But we're definitely allowed to download and install a version of Firefox(Tor Browser) if we expressly tell the user that's what the tool is for and set expectations for the user that reflect the real capabilities of the application
eyedeekay
And that can also be installed `installer.exe /S /D c:Custom/path`
eyedeekay
So you don't have to guess where it is
eyedeekay
Conveniently, also does not require admin rights
eyedeekay
Unless you want it in %ProgramFiles% which is no longer the default
eyedeekay
And since there's a `dist.torproject.i2p` now we can download in-I2P
eyedeekay
And it's all well within the terms and more importantly, AFAICT, the practice of the licensing
eyedeekay
Anyway it's late AF here, I better get around to building it before I talk myself out of it thinking about things that bug me
zlatinb
have fun, I'm installing Visual C++ now :-/
R4SAS
:D
eyedeekay
Nice. Hope you have a fast connection
zlatinb
yeah that's not the problem
zlatinb
last time I wrote visual C++ code was 15+ years ago
eyedeekay
Good luck then
eyedeekay
I don't think I've ever tried visual C++, if it's anything like visual C# or visual basic it's probably got a whole UI toolkit and event system and everything on it
eyedeekay
Like specific to the platform/IDE I mean
zlatinb
oh it's a different world
eyedeekay
I've only the vaguest notion
zlatinb
it was traumatizing at uni when they taught us
zlatinb
but maybe I can do it in pure C...
zlatinb
eyedeekay: JNA solved the elevation problem in 5 minutes (at the cost of 4MB of jar files)
zlatinb
with it it's possible to do whatever we want on windows
zlatinb
also we should be using https://nsis.sourceforge.io/ShellExecAsUser_plug-in instead of ExecShell from the installer
zlatinb
we can do things like register for system sleep notifications (like closing a laptop) etc.