anonymousmaybe
wonder why not continuing the scan with coverity? it says last scan since 2015
anonymousmaybe
false positives or what's the issue with it?
anonymousmaybe
cc eyedeekay zzz
anonymousmaybe
sonarqube is free software version and has intigeration for gitlab (not just github)
anonymousmaybe
but need some small fill request for free of cost request
anonymousmaybe
otherwise can be downloaded and used locally for free
anonymousmaybe
cc eyedeekay
anonymousmaybe
integration*
dr|z3d
anonymousmaybe: CodeQL is pretty good.
dr|z3d
it used to be a commercial product iirc, now it's free to integrate on github.
anonymousmaybe
in comparison to the two projects above it doesn't look like a competitor
dr|z3d
have you used it?
anonymousmaybe
no but by reading about them
dr|z3d
have you used any of the things you're recommending on the i2p codebase?
anonymousmaybe
sonarqube yes
anonymousmaybe
coverity is proprietary so i avoid it
dr|z3d
last time you posted a vulnerability report it was 99% bullshit iirc :)
anonymousmaybe
? which one you are talking about?
anonymousmaybe
if aboit i2p, i never tested on i2p
dr|z3d
I don't recall offhand, some web scanning thing.
anonymousmaybe
about*
dr|z3d
OWASP, was that it?
anonymousmaybe
ah that is for website scanning
anonymousmaybe
those above for static code scanning
anonymousmaybe
OWASP-Zaproxy is a very nice tool to have and scan your website with for webapp vulnerabilities/improvements
dr|z3d
yeah, but pretty useless for scanning the console.
anonymousmaybe
i agree, but since i2p was using firefox on localhost i said why not scan i2p with owasp and check what it's gonna say
anonymousmaybe
the report wasn't false, but for local connections not worth the fixes
SilicaRice
hmm...
SilicaRice
<SilicaRice> there's a bug in i2p router's SAMv3 bridge where you can make it forget it's a control socket and it leaves a permanent "SAM TCP Client" on the router
SilicaRice
<SilicaRice> specifically: "HELLO VERSION\nSESSION CREATE STYLE=STREAM ID=aaa DESTINATION=TRANSIENT\nSESSION CREATE STYLE=STREAM ID=aaa DESTINATION=TRANSIENT\nSTREAM FORWARD ID=aaa PORT=1234\n" causes "STREAM STATUS RESULT=OK"
SilicaRice
wonder if that's exploitable for DoSing the router
SilicaRice
the SAM bridge is pretty aggressive about closing the socket, so the browser's fetch() isn't gonna work there...
Xeha
zzz: please give c4talys7 +v, as he has a few dev questions.
Xeha
there we go :) thanks
c4talys7
thanks zzz!
c4talys7
Hello there everyone. c4talys7 here. I'm one of the networking layer developers for bisq. Nowadays v1 uses Tor as the main anonymity layer for our project, but starting with v2, we plan on using I2P as another option as well.
c4talys7
We already have a first version of the I2P layer implemented using the java Router embedded into our application, but we're thinking about making some changes to this implementation. Mainly, the initial idea is to start using the i2p distribution and starting a separate process for i2p from within our application.
c4talys7
Anyways, I wanted to start the conversation and discuss ways where we could do our implementation without causing any disturbances to I2P as a whole
zlatinb
Hi, how do you embed the java router? Is bisq written in a jvm language?
zlatinb
in general spawning separate process can get messy
c4talys7
zlatinb: Our app is java based, yes. :)
zlatinb
then imo embedded router is the best option
zlatinb
if you use the I2CP interface you can give users the option to use an external router which can be i2pd as well
Xeha
+1 for I2CP. then you can even use a router at a different host
c4talys7
zlatinb: our line of thought on moving away from the embedded java router was start/stop time and not harming the network with short term use or non-graceful shutdown.
zlatinb
so, by default routers will not join participating tunnels until they reach at least 10 minutes of uptime, so you're not doing much harm with short uptimes
zlatinb
ofc that is avoided completely with an external router but then you need to manage the process and in my experience that is a mess
c4talys7
Sorry, I have to step away for a few minutes. I'll be back shortly to continue the discussion.
zlatinb
you may need to use OS-specific mechanisms like windows mutexes and whatnot.. those are easier with JNA than JNI but still tricky
zzz
agreed that everything in one JVM is by far the simplest both for devs and users
zlatinb
cd bisq
zlatinb
oops wrong window :)
mesh
I wonder if that'
mesh
's bitcoin bisq or if you actually happen to be cooking some lobster bisque
zlatinb
it is, I just cloned the repo and "git grep i2p" returns results
mesh
yeah I think the bisq guys were definitely interested in using i2p
zlatinb
core/src/main/java/bisq/core/dao/node/full/rpc/dto/DtoNetworkInfo.java: IPV4("ipv4"), IPV6("ipv6"), ONION("onion"), I2P("i2p");
mesh
I was thinking of working with them. They are looking for somebody who knows Java, I2P, JavaFX: twitter.com/bisq_network/status/1489271686885109769
mesh
which of course perfectly describes me
zlatinb
just that enum though, no references from gradle files
zlatinb
might be on a branch
mesh
they claim to pay very well. But we'll see... still trying to do my own thing
mesh
zlatinb: I don't know if it exists yet but the plan is to do what i2psnark, syndie does and build a dht on top of i2p
mesh
(everybody wants to build a dht on top of i2p... it really should be a reusable library so people stop reinventing the wheel)
zzz
syndie doesn't do DHT
zzz
we do have a lib
mesh
zlatinb: the README makes it pretty clear, github.com/bisq-network/bisq2 ...
mesh
zzz: what lib?
zzz
core/java/src/net/i2p/kademlia in our source
mesh
might be syndie... last time I looked I found a couple of dhts. The one in i2psnark was sort of the most interesting.
mesh
zzz: yeah I saw that stuff. I'll probably look into it a bit later. Wasn't sure if it could actually be reused easily
zzz
that's why it's there and not in snark, so it can be reused
zzz
it's just the data structures. messages are your problem
mesh
hehe, yeah
zlatinb
c4talys7: I have some comments on the code that starts an embedded router - namely you want to check in a loop instead of sleep once for 5 seconds
mesh
zzz: the other hard part is bootstrapping. I wonder if the i2p router "service discovery" proposal ever went anywhere?
zlatinb
c4talys7: the way I do it in muwire is here github.com/zlatinb/muwire/blob/master/core/src/main/groovy/com/muwire/core/Core.groovy check the startServices() method
zlatinb
lines 600-610
mesh
zzz: I think geti2p.net/spec/proposals/123-new-netdb-entries is it
zzz
no we didn't do service discovery
mesh
zzz: because it would cause too much load on the network?
zzz
no. low priority and the spamming/spoofing issues are not solved and maybe not solvable
mesh
zzz: hmm yeah
mesh
zlatinb: does lanterna work well for you on windows?
zlatinb
haven't tried it on windows but works fine on mac and linux
zlatinb
should work ok in a mingw32 terminal
mesh
zlatinb: last time I tried had all sorts of trouble on windows with lanterna.
mesh
might give it another shot. I like the idea of a TUI
c4talys7
Sorry, I had to leave for some personal stuff. Back now
zlatinb
c4talys7: I joined the matrix room you tweeted about
c4talys7
zlatinb: github.com/bisq-network/bisq2/tree/main/i2p and github.com/bisq-network/bisq2/tree/main/i2p/src/main/java/bisq/i2p are good starting points. This is being implemented on v2 of bisq, which is happening on a separate branch. It's a new product entirely
c4talys7
mesh: We had another developer who started to work on the I2P layer, he left and I took it over a few days ago.
c4talys7
zzz: Our initial implementation is doing it all in the bisq platform, indeed.
c4talys7
zlatinb: thanks for the tip on your muwire implementation.
zzz
c4talys7, hasn't been updated in a while but our embedding guide should be helpful i2p-projekt.i2p/en/docs/applications/embedding
c4talys7
Thanks zzz, I'll check that as well :)
mesh
c4talys7: you work with the bisq guys?
mesh
ah cool
c4talys7
mesh: I'm one of the developers, yes
c4talys7
I joined recently, picked up the I2P layer from another developer that left
SilicaRice
is this supposed to work? "USER=foo PASSWORD=bar \"\"COMMAND\"\"=HELLO \"\"OPCODE\"\"=VERSION" "HELLO REPLY RESULT=OK VERSION=3.3"
mesh
c4talys7: that's really cool. good to see i2p being used in a product like bisq
RN
I'm noticing this when skimming my logs. Cause for concern?
RN
ERROR [CP Reader 95] .client.ClientConnectionRunner: Disconnecting the client - java.io.EOFException: EOF reading 4 byte value