#i2p-dev (irc2p) | 2.7.0-2 | Proposal 168 review Tues. Dec. 3, 8 PM UTC #ls2

eyedeekay Heads up: CVE-2022-2048 appears to affect jetty versions earlier than 9.4.47, appearing to include us

eyedeekay It does not appear to have a workaround in jetty github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

eyedeekay Except we might be able to just disable http/2 entirely? Do we do that? Is it on by default? Mostly asking rhetorically, going to confirm for myself

eyedeekay mark22k brought this to my attention on Matrix, thanks mark22k

not_bob At least it's just a DoS attack, not more.

eyedeekay `java -jar $I2P/lib/jetty-start.jar --list-modules` does not show the http2 module or connector or any configuration, it looks like this probably misses us

not_bob Good, good.

dr|z3d no support for http/2 in i2p's jetty, eyedeekay

dr|z3d we're missing the necessary libs, and in any event, http/2 requires https to function, so that pretty much rules us out

eyedeekay Well zzz and I use it :)

dr|z3d yeah, but you're freaks! :)

dr|z3d there's maybe 2 or 3 chinese sites that use self-signed https, and that's probably about it.

dr|z3d who's kicking off the meeting?

eyedeekay Oh my gosh guys so sorry I am late, had a minor emergency

eyedeekay I am here now and ready to start the meeting, really sincere apologies I got here as fast as I could

eyedeekay 1. Hi

eyedeekay 2. 1.9.0 development status

eyedeekay 3. Apple silicon bundle status

eyedeekay 4. Letter to EFF to clarify what "running" a network means

eyedeekay 5. New Outproxy ref: zzz.i2p/topics/3254

eyedeekay a) Organizational and infrastructure overview (StormyCloud)

eyedeekay b) Technical review and test results (zzz and others)

eyedeekay c) ToS and log policy review stormycloud.i2p/outproxy.html (all)

eyedeekay d) Vote to approve (all)

eyedeekay e) Rollout plan (if approved) (zzz, StormyCloud)

eyedeekay zzz zlatinb you guys here?

zzz hi

zlatinb hi yes

eyedeekay Sorry about that again, had a cooking accident

eyedeekay 2. 1.9.0 development status

eyedeekay We're 3 weeks from release, we pretty much settled on a date for it at ls2 meeting yesterday, it's going to be the 22nd. i2pd and/or Java I2P may enable SSU2 for new installs, or a small percentage of the network on restart like for router rekeying

eyedeekay 3 weeks left for bug reports and bug fixes

eyedeekay Anything else to add zzz, zlatinb?

eyedeekay 3. Apple silicon bundle status

eyedeekay zlatinb this one is your, please start when you are ready

zzz let me add a little on 2) please

SilicaRice is SSU2 officially stable? :o

eyedeekay Ok go ahead, sorry did not mean to rush

zzz lag

zzz tag freeze will be Aug. 10, a week from tomorrow

zzz the SSU2 testers have been very helpful, about 50-75 of them on the network

zzz our goal is to enable it for a few hundred to a thousand routers in the this release

zzz to help us shake out the remaining bugs, while avoiding any chance of disaster

zzz and we'll enable it for everybody in the November release

SilicaRice ahh :3

zzz everything else is going smoothly as well, just the usual bug fixes all over

zzz SSU2 is mostly finished, that doesn't mean it's mostly perfect yet

zzz shout out also to the i2pd team, they're working hard also

zzz I guess that's it unless there's any questions

not_bob Will the update also effect the android build?

zzz sure. We may also just enable SSU2 for all Android, since it's so much less CPU than SSU1 w/ ElGamal

not_bob Good, good.

eyedeekay I don't change any settings, SSU2 will technically be available but there won't be a UI to enable it

zzz that's what i2pd is thinking, we may do the same

zzz yeah, we're not going to put an option in the UI and then lobby like crazy for people to enable it

zzz we'd never get the numbers we want

not_bob Can we get an option to enable it if desired? Better battery life would be better.

eyedeekay It just inherits defaults from i2p.i2p except where it has to to run on the Android environment

zzz there's an advanced config, see zzz.i2p for info

not_bob Thank you.

zzz not sure if Android has access to advanced cnofig?

eyedeekay No it doesn't, you have to do weird stuff to make it work

eyedeekay Pretty much devs-only to manually edit non-i2ptunnel config files on Android

not_bob :(

zzz ok. anyway, might be good to enable it for android anyway, because one of the last features we need to implement is handling IP changes, so mobile routers will help us develop and test test

not_bob I vote for that.

zzz ok. to be clear, nobody's going to notice any difference with SSU2. It's mostly the same feature set, and currently a little slower than SSU1, at least on Java. It's faster for i2pd

eyedeekay Battery life is a huge deal if SSU2 will make a difference at that

eyedeekay We could be worse about how much battery we use, but we could also be better

zzz the benefits are more security, less CPU, more reliable firewall detection

zzz I may write up a whole blog post about it, I think it's one of the most censorship-resistant protocols ever designed. We'll see

zzz eot

eyedeekay Thanks zzz. I think people are hearing "Less CPU" and instantly making an association "Easier on battery for Androids" which may be part of the interest

eyedeekay 3. Apple silicon bundle status

eyedeekay zlatinb this one's yours, go ahead when you're ready

zlatinb Hi, I made the bundle available for download about 6 days ago and there have been almost 100 downloads since

zlatinb about 30% of the mac users download the arm64 bundle which surprises me

zlatinb I'm thinking to upgrade the 1.8 bundle to 1.9 when that becomes available to test the update channel although don't expect any issues

zlatinb yes, can do that tomorrow after my right hand will be fully functional again (hopefully)

zlatinb that's about it

zlatinb eot

zzz so I'd say after a successful update or news entry, stable is fine. I don't expect any issues either, but we've had plenty of news glitches before

zzz but willing to hear other opinions ofc

eyedeekay Thanks zlatinb, if you choose to do a news entry let me know and I'll update the servers

zlatinb the only real action for promoting to stable really is removing the "BETA" label from the website

zzz sure, it's more the principle than anything actually being different

zzz let's be purposeful in our labeling, that's all

eyedeekay 4. Letter to EFF to clarify what "running" a network means

zlatinb Yes, some background on that:

zlatinb eyedeekay and I met Kurt Opsahl from EFF at HOPE few weeks ago and asked him about legality of working on something like I2P

zlatinb He said that writing code is fine because "code == speech", however "running" the network may be a different story

zlatinb we didn't dig into what running the network means at HOPE

zlatinb but I think it's a good idea to reach out and clarify the topic as much as possible

zzz what would we do differently, based on conceivable responses?

zlatinb I'm having very hard time conceiving the responses as it's a very broad topic

eyedeekay It may inform who is able to run what services

zzz whatever "running" we're doing, it's much less than their darling Tor, and how might we do even less?

eyedeekay But I think one likely response is that running services to support a network is probably speech too

eyedeekay That may be optimistic, but it's also the one that involves the least leaps

zzz in my experience, ask a lawyer an informal question, you'll get good information. Send them a letter, they'll say they aren't licensed in your state, go hire somebody

zlatinb no idea, maybe reseeds are fine and addressbooks are not, who knows, Too many possible permutations

zzz if you want to follow up, follow up, but I've asked EFF for legal advice before, their answer is "we're not set up to be general purpose legal counsel. We litigate cases of interest"

eyedeekay Maybe I can track down somebody for an informal question next week then. Can't hurt to try both

eyedeekay Writing the letter would help inform the question

zzz email Kurt. He gave you a vague answer, following up is reasonable. He's always been quite nice every time I talk to him

eyedeekay Can do

zzz I just wouldn't expect anything actionable, but who knows?

zlatinb well it's worth structuring any such letter properly; also may be wise to build up the engagement gradually rather than dump a giant letter from the blue

eyedeekay zlatinb do you want to set up a time to sync up and write that letter this week?

zlatinb I suggest we start with a simple follow-up like "was nice to meet you" and then expand from there

zlatinb currently I'm thinking we should not write a giant letter describing how i2p works until we get an ack that eff is willing to work with us

eyedeekay OK

zlatinb they may decide they want a retainer, who knows

zzz see above. they don't do that

zzz you're misunderstanding how they work

zlatinb I'll shoot him a "was nice to meet you" follow up and cc you guys and take it from there.

zlatinb if they can't help at all that's fine too

eyedeekay Anything else for 4?

zlatinb no, eot

eyedeekay 5. New Outproxy ref: zzz.i2p/topics/3254

eyedeekay a) Organizational and infrastructure overview (StormyCloud)

eyedeekay b) Technical review and test results (zzz and others)

eyedeekay c) ToS and log policy review stormycloud.i2p/outproxy.html (all)

eyedeekay d) Vote to approve (all)

eyedeekay e) Rollout plan (if approved) (zzz, StormyCloud)

eyedeekay a) Organizational and infrastructure overview (StormyCloud)

zzz StormyCloud, you here?

StormyCloud Yes

zzz this is a proposal to replace false.i2p, which was unreliable for years and is now dead

zzz thanks for volunteering to support a replacement

zzz please go ahead and give us a brief overview of your organization and your infrastructure

StormyCloud Who we are: We are a 501(c)(3) non-profit organization based out of Texas. Our mission is to provide privacy-based tools to allow everyone access to an unfiltered and unregulated Internet. We started this organization in 2021 and have been working closely with the TOR community by deploying exit nodes.

StormyCloud We own all of our hardware and currently colocate at a Tier 4 data center. As of now have a 10GBps uplink with the option to upgrade to 40GBps without the need for much change. We have our own ASN and IP space (IPv4 & IPv6).

StormyCloud Outproxy Infrastructure: Outproxies are run on Ubuntu 22.04 and have been optimized for I2P. The backend proxy software is TinyProxy and supports HTTP, HTTPS, I2P, and TOR onion links. Currently, the outproxy is multi-homed on two servers. We can increase this number of servers as needed.

zzz I want to invite everyone to ask questions of StormyCloud at any point as we go through the agenda

zzz any questions at this time?

not_bob Yes

not_bob How do you deal with users who try to use your service for "really nasty stuff"?

StormyCloud Nothing, we do not filter any requests. While that does invite "bad" users we feel the internet should be a free and open place.

R4SAS And one from me: will be here SOCKS5 proxies in future?

StormyCloud R4SAS: If there is a need for a SOCKS5 proxy I am sure we can get one deployed.

R4SAS Thanks

zzz any other questions on 5a) ?

not_bob notbob.i2p/graphs/stormycloud.i2p.yearly.svg

not_bob I just want to note that stormycloud has been great for uptime.

SilicaRice the backend supports I2P links uh huh?

not_bob And performance is great.

zzz that brings us to 5b, yes

zzz the outproxy has been in beta for quite a while

zzz testing should ensure that the service is reliable, meets applicable standards, and is secure

zzz we've encountered several issues over the last few months, and StormyCloud has always been responsive

SilicaRice (why would you run i2p links through an outproxy?)

zzz at this time my test results are good, and I'm recommending it to be our official outproxy

dr|z3d StormyCloud misspoke. there is no .i2p support.

zzz but let's hear any other test reports or questions

StormyCloud SilicaRice: My apologies I wrote that wrong

SilicaRice oh okay

R4SAS > We do not cooperate with any requests for information except where compelled by law, and in that event our ability to assist is limited by our logging policy.

R4SAS Will be here transparency reports in such situations?

zzz also, to be clear, this meeting is about Java I2P's default and recommendations. Any other project including i2pd may have their own processes and requirements and negotiations with the outproxy operator

StormyCloud R4SAS: Yes, we public a report quarterly on our clearnet website. That is something I can also do on our i2p site.

zzz ok, looks like we're on 5c) review of ToS and logging policies. The goal here is to ensure our users are protected.

R4SAS also, please, create in-i2p mail for contacting =)

zzz any comments or questions about the Tos?

R4SAS ah, btw, about 5b: StormyCloud, what tunnel settings are you using?

R4SAS length, amount, etc

dr|z3d 0 hop.

eyedeekay Everything it says looks pretty clear to me, although to follow up on what R4S4S it might be good to put a link to the transparency report in or after that > We do not... unless compelled by law section

zzz an outproxy operator is in a position to view all traffic, or at least all non-https traffic, so it's important that we trust the operator to protect our users

StormyCloud eyedeekay: Makes sense, ill get this added to the website

zzz it's currently two multihomed 0-hop servers, right StormyCloud ?

StormyCloud Correct

not_bob But, just to clarify, with the way i2p tunnels work, my 2-3 hops are still there. You are just not adding any more, right?

dr|z3d the client can configure as many hops as they wish, not_bob.

zzz I also saw on zzz.i2p that it's ipv4-only but that may get fixed soon, right?

not_bob Yep, that's what I thought. Thank you.

StormyCloud zzz: Correct, our upstream provider finished their upgrade. I didnt want to mess with IPv6 until all testing was done

zzz would you please elaborate on your experience running tor exits and the capacity of your tor exits?

StormyCloud Sure, we have been running tor exit since late last year, currently sitting at 130ish exits with about 1.6% of TOR exit traffic going through our servers.

StormyCloud Everything is virtualized and the process to setup has become pretty automated

zzz have you ever received any DMCA or other legal processes w.r.t. your tor exits? if so, how was it handled?

StormyCloud No legal requests and surprisingly no DMCA requests. We do get abuse complaints, we just respond and let them know this is a TOR exit and there is nothing further that can be done on our end.

R4SAS huh, acetone's bot has bug

zzz any other questions sor StormyCloud before we go to 5d) appproval ?

R4SAS I'll PM him

zzz normally major doesn't have +v, but I turned +m off for the meeting, no big deal

zzz ok, if there's no more questions, everybody please indicate your approval / disapproval for making StormyCloud our official outproxy

not_bob Approve

zzz approve

zlatinb approve

eyedeekay approve

SilicaRice approve (if users count for anything)

R4SAS no objections, approve

zzz ok, great

zzz 5e) rollout

zzz the two major steps are:

zzz 1) setting it as default for new installs (as early as the next release in 3 weeks)

zzz 2) recommending to existing users to change their config (probably via console news, any time)

zzz these can happen in either order

zzz and we have no idea how much traffic either would generate

zzz other products (Android, bundles), probably aren't big enough to worry about timing

zzz StormyCloud, what is your request or recommendation on when and how we proceed?

StormyCloud If the console news can be set/sent anytime then we can let existing users know to switch now (if they want) and that gives us three weeks to monitor and spin up new servers if needed.

dr|z3d console news generally published with a new release.

not_bob StormyCloud: How much traffic are you handeling for the outproxy currently?

zzz ok. it would be nice to point to a howto page with screenshots for editing the hidden services manager config. That could be hosted on stormycloud.i2p, or a i2p-projekt.i2p blog post? Any volunteers to put that together?

StormyCloud Difficult to say at this time, since we dont log anything. I am monitoring network activity, but that too doesnt tell a full picture since its also passing i2p traffic.

eyedeekay I can do it

dr|z3d StormyCloud: we keep an eye on exit traffic via graphs..

dr|z3d in short, notbob, nothing worth getting excited about.

zzz dr|z3d, you have a guess on current % utilization of your two nodes? probably very small?

dr|z3d utilization in what sense?

dr|z3d capacity-wise?

zzz yes

zzz or maybe you don't really know until you hit it...

dr|z3d very small is about right.

dr|z3d throw a few thousand concurrent users at the outproxy, we'll then know :)

zzz yeah, apologies to StormyCloud, we were unable to get any historical estimates of false.i2p bandwidth

zzz so it's a little bit of a crap shoot, as long as you're monitoring things and have an expansion plan, we should be fine

StormyCloud All good, we will adjust as more and more people start to use the outproxy

dr|z3d well, as configured, the outproxies combined can handle up to 8192 concurrent streams. so there's plenty of capacity there, and StormyCloud has plenty of stuff in the wings if required.

zzz and StormyCloud re: new installs, should we plan to make it the default in the next release late this month as well?

StormyCloud Yes, that would be fine

zzz ok then. eyedeekay let me know when you have a blog post up, and then I'll write the news entry

zzz anything else on 5e) rollout ?

eyedeekay OK, expect it tonight or tomorrow

zzz thanks again StormyCloud

eyedeekay Nothing from me

zzz back to you eyedeekay

eyedeekay All right that's it for the listed items, I'll be at Def Con next week in case anybody who's watching wants to meet me there lol

eyedeekay If anybody else has anything else for the meeting, please speak up, otherwise timeout 1m

R4SAS I have one question, but it is out of meeting scope

zzz oh, also thanks to dr|z3d for vital technical assistance over the testing period

eyedeekay All right thanks everybody for coming to the meeting, I've got a kind of crazy section in the middle of my log but once I fix that I'll post the logs to the web site

eyedeekay Thanks for coming

not_bob Thank you for having us.

R4SAS Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion? Use case: as far as I know, public TLD lists doesn't include .i2p zone because it is not mentioned in ant of RFC or registars (idk how they really called)

R4SAS heh, message incorreclty splitted

R4SAS again

R4SAS Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion?

R4SAS Use case: as far as I know, public TLD lists doesn't include .i2p

R4SAS zone because it is not mentioned in ant of RFC or registars (idk how they really called)

dr|z3d R4SAS: there's a whole backstory there zzz will tell you about.

dr|z3d in brief, we were in line for registration and then Jacob Applebaum shafted us.

not_bob Yep, it was stupid.

R4SAS tried to create rfc or what?

dr|z3d same as tor and ,onion.. we were in the same boat.

zzz R4SAS, zzz.i2p/topics/2101 , see also the book "Weaving the Dark Web"

not_bob Yeah, just grab that book. Great writeup of it.

dr|z3d I wouldn't say great, but it's a writeup for sure.

not_bob Heh

R4SAS maybe EFF guys can help with it?

dr|z3d EFF don't promote I2P.

dr|z3d So, you know, it's a bit of a stretch thinking they're going to bat for I2P an its own tld.

R4SAS heh

dr|z3d when you see the i2p logo on their homepage, then thinking they might help with other stuff might be realistic.

zzz Tor is "special" for EFF. I asked if we could be special too. The answer was no.

R4SAS got it