zlatinb
eyedeekay: we may need to release new easy-install bundles very soon
zlatinb
zzz: pls let us know if that affects us ^
zzz
coffee
zzz
zlatinb, yes we use the JVM's implementation of ECDSA
zlatinb
fantastic
zlatinb
where is EcDSA used?
zzz
currently, just for router family
zzz
it was also the default for destinations for a short time, ca. 2014
zzz
in between DSA and EdDSA
zzz
so there's probably some ECDSA dests out there
zzz
I don't believe we ever used it for router identities
zzz
also we have one reseed with a self-signed ECDSA SSL cert
zlatinb
ok so it's not apocalyptic but serious
zzz
I think that's correct
zzz
I assume it's on twitter by now?
zlatinb
yeah I saw it on str4d's feed
zzz
it's java 15-18 only
zlatinb
easy-install bundles are with 17.0.1 afaik
zlatinb
or 17.0.2
zzz
so our recommendation is
zzz
update if available
zzz
if not, downgrade to 11
zzz
if you're running one of our bundles, updates will be available when?
zlatinb
I can build Mac today
zzz
how about muwire?
zlatinb
I waited for 18.0.1 and released 0.8.12 promptly after
zlatinb
so they can/should update asap
zzz
what are the fix numbers? 18.0.1 and 17.0.3?
zlatinb
18.0.1 for sure, I don't know why I don't see 17.0.3 on the oracle site
zzz
I assume we're a few days away from this showing up in debian/ubuntu
zzz
I need to wake up more before jumping into the twitter streets
zlatinb
after you tweet I'll post on reddit
zzz
writing a zzz.i2p post now that you can copy over
zzz
posted
zlatinb
copied over
mesh
ugh that's the real downside of repackaging the jvm
zlatinb
yeah
mesh
fortunately for us we never repackage the jvm
mesh
just "here are some jars, go wild"
zzz
who is "us"?
mesh
it's us
mesh
the people behind the curtain
zlatinb
ok at least you're human
zzz
up to you, but it's easier to help you if we know what you're working on
mesh
well right now it's all speculative tho some money has changed hands
zzz
got a couple tweets out, please RT
mesh
the code is all going to end up open source tho, I think
mesh
it might not make much sense but you can see the what is v2 shaping up at nquoczl5wbgbtsxrc77khmvsntawy5pflyxfafq5o6yqsl6krzvq.b32.i2p/ocean
mesh
that code is like a framework for building p2p apps on top of i2p
mesh
tho I haven't actually checked in anything to mesh-framework yet. just the component framework
zlatinb
zzz: do we need to up the core version to 1.7.1 in order for the automatic update to pick it up? Or is it enough to say 1.7.1 in the su3?
mesh
that code is all modular (see the module-info.java files) to support what will be the ability to load modules at runtime. hence why the package names are a big problem ;)
mesh
zlatinb: does i2p itself need to be updated or isd it enough to just update the jdk/jvm?
zlatinb
just the jvm
zzz
zlatinb, you need to update the core version, or else it will want to update again
zlatinb
blergh
zlatinb
ok, I leave that to you :)
zzz
huh?
zlatinb
I can't change the CoreVersion in i2p.i2p from i2p-jpackage-mac
zlatinb
basically we'll need to branch from the i2p-1.7.0 tag
zlatinb
just change the CoreVersion, then tag 1.7.1
zzz
then you need to fix your build process, or branch yourself? what do you need me for?
zlatinb
I don't have a way of intercepting the update decision from outside the router
zlatinb
so either I change CoreVersion to 1.7.1 locally and then build, or we put it in git
zlatinb
then eyedeekay has to do the same, so I thought we might as well pu it in git tag
zlatinb
put*
zzz
the former sounds easier, but it's your build process
zzz
why don't you wait for eyedeekay to wake up and figure it out together
zlatinb
yeah was just about to ping him :)
eyedeekay
The last time we had to do it we tagged it something like i2p-jpackage-1.7.1, checked out that tag when the build was done
eyedeekay
Ready to go
zlatinb
eyedeekay: we didn't have update mechanism or any updates pending afaik
zzz
eyedeekay has done a few windows releases in the last month or two I think? he should be good at it by now
zlatinb
I presume we want to push an update from 1.7.0. to 1.7.1? In that case the new CoreVersion needs to be 1.7.1
eyedeekay
What I would do is I would check out 1.7.0 into it's detatched state, git checkout -b i2p-jpackage-1.7.1, change the CoreVersion on that branch and that branch only, then configure the bundle build to build from that branch
zlatinb
that works too
zlatinb
I prefer branch-from-tag but w/e
zlatinb
the i2p-jpackage-1.7.1 does that ever get pushed to gitlab or just stays in the local git repo?
eyedeekay
I've been pushing it to gitlab on my fork when I need to
zlatinb
I just did the local edit
zlatinb
going to certify it now
zlatinb
eyedeekay: muwire.com/downloads/I2P-1.7.1.dmg
zlatinb
going to up a torrent on postman next
eyedeekay
I'll get it up to the mirrors.
eyedeekay
In a few minutes I'll have a Windows build ready, I'll need your help to sign it
zlatinb
ok
zlatinb
I created the torrent for the mac and updated i2p.newsxml/data/mac/stable/releases.json
zlatinb
I presume we're going to use the same news entry for all versions? Simpler that way
eyedeekay
Yeah
zzz
same for all bundle versions you mean? If we do one for the main feed it probably needs to be different
eyedeekay
I was thinking about it and I probably should do my own news entry, not sure about zlatinb
zlatinb
if you do one I"ll do one too
zzz
as I've been lobbying for a while, I think it's good practice to have bundle-specific news entries to talk specifically to your users
zlatinb
I was hoping to avoid messing with that strange xhtml or whatever it is called :)
zlatinb
can we at least share the same blog entry?
zzz
yes it's strict xhtml. every tag must be closed. I recommend xmllint to make sure it's valid
zzz
see README, I added info a while back on how to do that
zlatinb
got it
zzz
also, as you know, every news entry requires a link, so time to go write and post your release notes :)
zlatinb
that's what I was asking, can we share a single blog entry?
zzz
that's up to you two.
zlatinb
we should update the main feed too, no?
zzz
the link doesn't have to be to the www blog, it could be to muwire.i2p
zlatinb
then I'll just link to the post on zzz.i2p
zzz
as I said above, I don't know if we need to do the main feed, but if so, it's probably different text
zzz
you don't do release announcements on muwire.i2p?
zlatinb
not really, I have a in-network pull mechanism
zlatinb
and I don't want to use zab.i2p for this either tbh
zzz
well, independent of whatever you do with newsxml, I recommend you add release announcements to your site, it's good practice for any software product and it helps the google juice
zlatinb
I"ll think about it
zlatinb
what's a quick way to generate a random uuid ?
zzz
create_new_entry.sh does it for you for the main feed.
zzz
I don't know if it's been adapted for sub-feeds somehow
zzz
or just run it then move the template from the main feed to your feed
eyedeekay
Everything create_new_entry.sh does should honor environment variables now too, so you can do something like:
eyedeekay
TITLE="Update for Mac Jpackage 1.7.1" AUTHOR=zlatinb I2P_OS=osx I2P_BRANCH=stable ./create_new_entry.sh
eyedeekay
if you want to automate part of it too
zlatinb
I did it manually, xmllint passes
zlatinb
uuidgen generates an uuid
zlatinb
pushed
zlatinb
ideally xmllint should be the first step of the sanity check
eyedeekay
Pulled
zlatinb
I have some pretty serious sanity checks for the muwire update.json that verify the structure is kosher too
zzz
yeah if there's an easy way to validate the json, put that in the README
zlatinb
it's not going to be easy but in the end will save everyone time
zzz
we've butchered that also, more than once
zlatinb
like are all elements & attributes present etc.
zlatinb
no duplicate uuids, etc.
zzz
I also recommend opening entries.html in a browser, sometimes it's easier to see spelling errors that way
zzz
also after changing version from x to y in releases.json, search for x to make sure you got them all
zzz
and stare hard at the magnet link to make sure the hash is right
zlatinb
except for that last part everything is automate-able
eyedeekay
I'm doing my signing now, people who use my news server should be seeing updates soon, I'll do it again after we get Windows out
zzz
eyedeekay, what's your version going to be? are you up to 1.7.5 or something?
eyedeekay
Browser profile/installer will be version 1.7.4
eyedeekay
But those three updates have all happened on the settable-paths branch
zzz
your download page says 1.07.2 is that a typo?
eyedeekay
I was numbering the profiles independently of the router before I added the jpackage to it
zzz
so not-a-typo
eyedeekay
That reflects the profile version that they'll get
eyedeekay
They're all going to use the same number when I switch to auto-updates for everybody at 1.8.0
zzz
eyedeekay, just tried to download it, the in-net mirror mgp6...b32.i2p is returning 503
zzz
whose is that?
zzz
yeah I don't recommend leading zeros in version numbers, it raises hell in comparisons and might even be interpreted as octal
eyedeekay
mgp is me but it was supposed to be temporary, it's also just a proxy of the clearnet mirror so it shouldn't be possible for it to 503...
eyedeekay
I am logged in there I'll see what's up
zzz
it hangs for maybe a minute and then returns 503, so the tunnel is up but it can't get to the server
eyedeekay
I see what's wrong it'll be fixed in a second
zzz
yet another thing to add to your monitoring
eyedeekay
Yeah I got a lot of stuff to watch
zzz
anyway, lets not do .07. type version numbers in the future if possible because then you get to .08. and it explodes
eyedeekay
Can do, there's no need for a separate profile version number anymore anyway, when the installer gets updated everything gets updated now
eyedeekay
Am I reading this correctly that I'm still waiting on an update before I can be ready to build my bundle? github.com/adoptium/adoptium/issues/140
zzz
whats the new version today going to be on the website?
zlatinb
if you're using adoptium they take some time
zlatinb
eyedeekay: get from oracle
eyedeekay
Sure zlatinb
zzz
eyedeekay, if you do switch to oracle, make sure you fix all your license statements and meet their requirements
eyedeekay
zzz I'll make it 1.7.4 for this release
zzz
as necessary. I don't know if the licensing is different
zzz
I assume and hope zlatinb has already done the research and changes required
zlatinb
Blinded message
zlatinb
no I haven't done a thing besides read the blurb on top about GPLv2 + classpath exception
zzz
come on guys, this is basic stuff, it's your responsibility when bundling other software
eyedeekay
GPL2+Classpath exception for Oracle, EPL for Adoptium
eyedeekay
So compliance shouldn't be that different
zzz
different is different
zlatinb
I'll make sure it's done for 1.8
zlatinb
probably just a matter of putting a copy of the exact license in the licenses folder
zzz
assuming you do bundle LICENSE.txt and licenses/*, you already have GPLv2, but not classpath exception or EPL
zzz
I wouldn't have agreed to your promotion out of beta, or even into beta, without having this all straight
zlatinb
sorry
zlatinb
mea culpa
zzz
iirc you were all good at one point but then I guess you switched to oracle
zzz
I also don't understand why you two are using different Java suppliers... why???
zlatinb
not sure, I don't remember what was the license before it became EPL
zlatinb
Well we started with AdoptOpenJDK because knaccc from i2p-zero said it was good, then they became Adoptium and started lagging behind Oracle releases by a few days
zzz
so then why is eyedeekay still on adpotium?
zlatinb
lack of coordination
eyedeekay
Yes I did not know that I should be switching, if I need to switch to Oracle then that's what I'll do instead
eyedeekay
Just need a little while to get everything switched over
zlatinb
adoptium is sometimes days behind.. they have a different jvm "J9" which is supposed to be optimized for desktop apps
zlatinb
I'm not aware of any other technological differences
eyedeekay
It's just what I set up first, learned how to update, and got used to using as far as I'm concerned. Not a big deal to get used to a different one.
zzz
ok, lets work smarter and get less siloed on the bundle products, we shouldn't be letting them diverge so much
eyedeekay
Oh good an opportunity to make building it a little nicer, fringe benefit of switching JDK's for the first time I guess, highlights the pain points
eche|on
back alive
eyedeekay
Re: a general announcement about the ECDSA bug, I think we'll need to do one for the sake of Debian folks as well informing them that they may need to downgrade to Java 11 for a couple days
eyedeekay
I can write that announcement if need be
zlatinb
if you deploy the bundles to getip2.net pls update the reddit post (if I'm not around)
eyedeekay
Will do