#i2p-dev (irc2p) | 2.7.0-2 | Proposal 168 review Tues. Dec. 3, 8 PM UTC #ls2

anonymousmaybe scan.coverity.com/projects/i2p

anonymousmaybe wonder why not continuing the scan with coverity? it say last scan since 2015

anonymousmaybe false postives or whats the issue with it?

anonymousmaybe cc eyedeekay zzz

anonymousmaybe sonarqube is free software version and has intigeration for gitlab (not just github)

anonymousmaybe sonarqube.org/gitlab-integration

anonymousmaybe but need some small fill request for free of cost request

anonymousmaybe otherwise can be downloaded and used locally for free

anonymousmaybe sonarqube.org

anonymousmaybe cc eyedeekay

anonymousmaybe intigration*

dr|z3d anonymousmaybe: CodeQL is pretty good.

dr|z3d codeql.github.com

dr|z3d it used to be a commercial product iirc, now it's free to integrate on github.

anonymousmaybe in comparison to the two projects above its doesnt look compatitor

dr|z3d have you used it?

anonymousmaybe no but by reading about them

dr|z3d have you used any of the things you're recommending on the i2p codebase?

anonymousmaybe sonarqube yes

anonymousmaybe coverity is proprietary so i avoid it

dr|z3d last time you posted a vulnerability report it was 99% bullshit iirc :)

anonymousmaybe ? which one you are talking about?

anonymousmaybe if aboit i2p, i never tested on i2p

dr|z3d I don't recall offhand, some web scanning thing.

anonymousmaybe about*

dr|z3d OWASP, was that it?

anonymousmaybe ah that is for website scanning

anonymousmaybe those above for static code scanning

anonymousmaybe OWASP-Zaproxy is very nice tool to have and scan your website with for webapp vulnerabilities/improvements

dr|z3d yeah, but pretty useless for scanning the console.

anonymousmaybe i agree, but since i2p was using firefox on localhost i said why not scan i2p with owasp and check whats gonna say

anonymousmaybe the report wasnt false, but for local connections not worth the fixes

SilicaRice hmm...

SilicaRice <SilicaRice> there's a bug in i2p router's SAMv3 bridge where you can make it forget it's a control socket and it leaves a permanent "SAM TCP Client" on the router

SilicaRice <SilicaRice> specifically: "HELLO VERSION\nSESSION CREATE STYLE=STREAM ID=aaa DESTINATION=TRANSIENT\nSESSION CREATE STYLE=STREAM ID=aaa DESTINATION=TRANSIENT\nSTREAM FORWARD ID=aaa PORT=1234\n" causes "STREAM STATUS RESULT=OK"

SilicaRice wonder if that's exploitable for DoSing the router

SilicaRice the SAM bridge is pretty aggressive about closing the socket, so the browser's fetch() isn't gonna work there...

Xeha zzz: please give c4talys7 +v, as he has a few dev questions.

Xeha there we go :) thanks

c4talys7 thanks zzz!

c4talys7 Hello there everyone. c4talys7 here. I'm one of the networking layer developers for bisq. Nowadays v1 uses Tor as the main anonymity layer for our project, but starting with v2, we plan on using I2P as another option as well.

c4talys7 We already have a first version of the I2P layer implemented using the java Router embbeded into our application, but we're thinking about making some changes to this implementation. Mainly, the initial idea is to start using the i2p distribution and starting a separate process for i2p from within our application.

c4talys7 Anyways, I wanted to start the conversation and discuss ways where we could do our implementation without causing any disturbances to I2P as a whole

zlatinb Hi, how do you embed the java router? Is bisq written in a jvm language?

zlatinb in general spawning separate process can get messy

c4talys7 zlatinb: Our app is java based, yes. :)

zlatinb then imo embedded router is the best option

zlatinb if you use the I2CP interface you can give users the option to use an external router which can be i2pd as well

Xeha +1 for I2CP. then you can even use a router at a different host

c4talys7 zlatinb: our line of thought on moving away from the embedded java router was start/stop time and not harming the network with short term use or non-graceful shutdown.

zlatinb so, by default routers will not join participating tunnels until they reach at least 10 minutes of uptime, so you're not doing much harm with short uptimes

zlatinb ofc that is avoided completely with an external router but then you need to manage the process and in my experience that is a a mess

c4talys7 Sorry, I have to step away for a few minutes. I'll be back shortly to continue the discussion.

zlatinb you may need to use OS-secific mechanisms like windows mutexes and whatnot.. those are easier with JNA than JNI but still tricky

zzz agreed that everything in one JVM is by far the simplest both for devs and users

zlatinb cd bisq

zlatinb oops wrong window :)

mesh I wonder if that'

mesh 's bitcoin bisq or if you actually happen to be cooking some lobster bisque\

zlatinb it is, I just cloned the repo and "git grep i2p" returns results

mesh yeah I think the bisq guys were definitely interested in using i2p

zlatinb core/src/main/java/bisq/core/dao/node/full/rpc/dto/DtoNetworkInfo.java: IPV4("ipv4"), IPV6("ipv6"), ONION("onion"), I2P("i2p");

mesh I was thinking of working with them. They are looking for somebody who knows Java, I2P, JavaFX: twitter.com/bisq_network/status/1489271686885109769

mesh which of course perfectly describes me

zlatinb just that enum though, no references from gradle files

zlatinb might be on a branch

mesh they claim to pay very well. But we'll see... still trying to do my own thing

mesh zlatinb: I don't know if it exists yet but the plan is to do what i2psnark, syndie does and build a dht on top of i2p

mesh (everybody wants to build a dht on top of i2p... it really should be a reusable library so people stop reinventing the wheel)

zzz syndie doesn't do DHT

zzz we do have a lib

mesh zlatinb: the README makes it pretty clear, github.com/bisq-network/bisq2 ...

mesh zzz: what lib?

zzz core/java/src/net/i2p/kademlia in our source

mesh might be syndie... last time I looked I found a couple of dhts. The one in i2psnark was sort of the most interesting.

mesh zzz: yeah I saw that stuff. I'll probably look into it a bit later. Wasn't sure if it could actually be reused easily

zzz thats why its there and not in snark, so it can be reused

zzz it's just the data structures. messages are your problem

mesh hehe, yeah

zlatinb c4talys7: I have some comments on the code that starts an embedded router - namely you want to check in a loop instead of sleep once for 5 seconds

mesh zzz: the other hard part is bootstrapping. I wonder if the i2p router "service discovery" proposal ever went anywhere?

zlatinb c4talys7: the way I do it in muwire is here github.com/zlatinb/muwire/blob/master/core/src/main/groovy/com/muwire/core/Core.groovy check the startServices() method

zlatinb lines 600-610

mesh zzz: I think geti2p.net/spec/proposals/123-new-netdb-entries is it

zzz no we didn't do service discovery

mesh zzz: because it would cause too much load on the network?

zzz no. low priority and the spamming/spoofing issues are not solved and maybe not solvable

mesh zzz: hmm yeah

mesh zlatinb: does lanterna work well for you on windows?

zlatinb haven't tried it on windows but works fine on mac and linuxc

zlatinb should work ok in a mingw32 terminal

mesh zlatinb: last time I tried had all sorts of trouble on windows with lanterna.

mesh might give it another shot. I like the idea of a TUI

c4talys7 Sorry, I had to leave for some personal stuff. Back now

zlatinb c4talys7: I joined the matrix room you tweeted about

c4talys7 zlatinb: github.com/bisq-network/bisq2/tree/main/i2p and github.com/bisq-network/bisq2/tree/main/i2p/src/main/java/bisq/i2p are good starting points. This is being implemented on v2 of bisq, which is happening on a separate branch. It's a new product entirely

c4talys7 mesh: We had another developer which started to work on the I2P layer, he left and I took it over a few days ago.

c4talys7 zzz: Our initial implementation is doing it all in the bisq platform, indeed.

c4talys7 zlatinb: thanks for the tip on your muwire implementation.

zzz c4talys7, hasn't been updated in a while but our embedding guide should be helpful i2p-projekt.i2p/en/docs/applications/embedding

c4talys7 Thanks zzz, I'll check that as well :)

mesh c4talys7: you work with the bisq guys?

mesh ah cool

c4talys7 mesh: I'm one of the developers, yes

c4talys7 I joined recently, picked up the I2P layer from another developer that left

SilicaRice is this supposed to work? "USER=foo PASSWORD=bar \"\"COMMAND\"\"=HELLO \"\"OPCODE\"\"=VERSION" "HELLO REPLY RESULT=OK VERSION=3.3"

mesh c4talys7: that's really cool. good to see i2p being used in a product like bisq

RN I'm noticing this when skimming my logs. Cause for concern?

RN ERROR [CP Reader 95] .client.ClientConnectionRunner: Disconnecting the client - java.io.EOFException: EOF reading 4 byte value