eyedeekay
Heads up: CVE-2022-2048 appears to affect jetty versions earlier than 9.4.47, appearing to include us
eyedeekay
It does not appear to have a workaround in jetty github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
eyedeekay
Except we might be able to just disable http/2 entirely? Do we do that? Is it on by default? Mostly asking rhetorically, going to confirm for myself
eyedeekay
mark22k brought this to my attention on Matrix, thanks mark22k
not_bob
At least it's just a DoS attack, not more.
eyedeekay
`java -jar $I2P/lib/jetty-start.jar --list-modules` does not show the http2 module or connector or any configuration, it looks like this probably misses us
not_bob
Good, good.
dr|z3d
no support for http/2 in i2p's jetty, eyedeekay
dr|z3d
we're missing the necessary libs, and in any event, http/2 requires https to function, so that pretty much rules us out
eyedeekay
Well zzz and I use it :)
dr|z3d
yeah, but you're freaks! :)
dr|z3d
there's maybe 2 or 3 chinese sites that use self-signed https, and that's probably about it.
dr|z3d
who's kicking off the meeting?
eyedeekay
Oh my gosh guys so sorry I am late, had a minor emergency
eyedeekay
I am here now and ready to start the meeting, really sincere apologies I got here as fast as I could
eyedeekay
1. Hi
eyedeekay
2. 1.9.0 development status
eyedeekay
3. Apple silicon bundle status
eyedeekay
4. Letter to EFF to clarify what "running" a network means
eyedeekay
5. New Outproxy ref: zzz.i2p/topics/3254
eyedeekay
a) Organizational and infrastructure overview (StormyCloud)
eyedeekay
b) Technical review and test results (zzz and others)
eyedeekay
c) ToS and log policy review stormycloud.i2p/outproxy.html (all)
eyedeekay
d) Vote to approve (all)
eyedeekay
e) Rollout plan (if approved) (zzz, StormyCloud)
eyedeekay
zzz zlatinb you guys here?
zzz
hi
zlatinb
hi yes
eyedeekay
Sorry about that again, had a cooking accident
eyedeekay
2. 1.9.0 development status
eyedeekay
We're 3 weeks from release, we pretty much settled on a date for it at ls2 meeting yesterday, it's going to be the 22nd. i2pd and/or Java I2P may enable SSU2 for new installs, or a small percentage of the network on restart like for router rekeying
eyedeekay
3 weeks left for bug reports and bug fixes
eyedeekay
Anything else to add zzz, zlatinb?
eyedeekay
3. Apple silicon bundle status
eyedeekay
zlatinb this one is yours, please start when you are ready
zzz
let me add a little on 2) please
SilicaRice
is SSU2 officially stable? :o
eyedeekay
Ok go ahead, sorry did not mean to rush
zzz
lag
zzz
tag freeze will be Aug. 10, a week from tomorrow
zzz
the SSU2 testers have been very helpful, about 50-75 of them on the network
zzz
our goal is to enable it for a few hundred to a thousand routers in this release
zzz
to help us shake out the remaining bugs, while avoiding any chance of disaster
zzz
and we'll enable it for everybody in the November release
SilicaRice
ahh :3
zzz
everything else is going smoothly as well, just the usual bug fixes all over
zzz
SSU2 is mostly finished, that doesn't mean it's mostly perfect yet
zzz
shout out also to the i2pd team, they're working hard also
zzz
I guess that's it unless there's any questions
not_bob
Will the update also affect the android build?
zzz
sure. We may also just enable SSU2 for all Android, since it's so much less CPU than SSU1 w/ ElGamal
not_bob
Good, good.
eyedeekay
I don't change any settings, SSU2 will technically be available but there won't be a UI to enable it
zzz
that's what i2pd is thinking, we may do the same
zzz
yeah, we're not going to put an option in the UI and then lobby like crazy for people to enable it
zzz
we'd never get the numbers we want
not_bob
Can we get an option to enable it if desired? Better battery life would be better.
eyedeekay
It just inherits defaults from i2p.i2p except where it has to to run on the Android environment
zzz
there's an advanced config, see zzz.i2p for info
not_bob
Thank you.
zzz
not sure if Android has access to advanced config?
eyedeekay
No it doesn't, you have to do weird stuff to make it work
eyedeekay
Pretty much devs-only to manually edit non-i2ptunnel config files on Android
not_bob
:(
zzz
ok. anyway, might be good to enable it for android anyway, because one of the last features we need to implement is handling IP changes, so mobile routers will help us develop and test
not_bob
I vote for that.
zzz
ok. to be clear, nobody's going to notice any difference with SSU2. It's mostly the same feature set, and currently a little slower than SSU1, at least on Java. It's faster for i2pd
eyedeekay
Battery life is a huge deal if SSU2 will make a difference at that
eyedeekay
We could be worse about how much battery we use, but we could also be better
zzz
the benefits are more security, less CPU, more reliable firewall detection
zzz
I may write up a whole blog post about it, I think it's one of the most censorship-resistant protocols ever designed. We'll see
zzz
eot
eyedeekay
Thanks zzz. I think people are hearing "Less CPU" and instantly making an association "Easier on battery for Androids" which may be part of the interest
eyedeekay
3. Apple silicon bundle status
eyedeekay
zlatinb this one's yours, go ahead when you're ready
zlatinb
Hi, I made the bundle available for download about 6 days ago and there have been almost 100 downloads since
zlatinb
about 30% of the mac users download the arm64 bundle which surprises me
zlatinb
I'm thinking to upgrade the 1.8 bundle to 1.9 when that becomes available to test the update channel although don't expect any issues
zlatinb
yes, can do that tomorrow after my right hand will be fully functional again (hopefully)
zlatinb
that's about it
zlatinb
eot
zzz
so I'd say after a successful update or news entry, stable is fine. I don't expect any issues either, but we've had plenty of news glitches before
zzz
but willing to hear other opinions ofc
eyedeekay
Thanks zlatinb, if you choose to do a news entry let me know and I'll update the servers
zlatinb
the only real action for promoting to stable really is removing the "BETA" label from the website
zzz
sure, it's more the principle than anything actually being different
zzz
let's be purposeful in our labeling, that's all
eyedeekay
4. Letter to EFF to clarify what "running" a network means
zlatinb
Yes, some background on that:
zlatinb
eyedeekay and I met Kurt Opsahl from EFF at HOPE a few weeks ago and asked him about legality of working on something like I2P
zlatinb
He said that writing code is fine because "code == speech", however "running" the network may be a different story
zlatinb
we didn't dig into what running the network means at HOPE
zlatinb
but I think it's a good idea to reach out and clarify the topic as much as possible
zzz
what would we do differently, based on conceivable responses?
zlatinb
I'm having a very hard time conceiving the responses as it's a very broad topic
eyedeekay
It may inform who is able to run what services
zzz
whatever "running" we're doing, it's much less than their darling Tor, and how might we do even less?
eyedeekay
But I think one likely response is that running services to support a network is probably speech too
eyedeekay
That may be optimistic, but it's also the one that involves the least leaps
zzz
in my experience, ask a lawyer an informal question, you'll get good information. Send them a letter, they'll say they aren't licensed in your state, go hire somebody
zlatinb
no idea, maybe reseeds are fine and addressbooks are not, who knows, Too many possible permutations
zzz
if you want to follow up, follow up, but I've asked EFF for legal advice before, their answer is "we're not set up to be general purpose legal counsel. We litigate cases of interest"
eyedeekay
Maybe I can track down somebody for an informal question next week then. Can't hurt to try both
eyedeekay
Writing the letter would help inform the question
zzz
email Kurt. He gave you a vague answer, following up is reasonable. He's always been quite nice every time I talk to him
eyedeekay
Can do
zzz
I just wouldn't expect anything actionable, but who knows?
zlatinb
well it's worth structuring any such letter properly; also may be wise to build up the engagement gradually rather than dump a giant letter from the blue
eyedeekay
zlatinb do you want to set up a time to sync up and write that letter this week?
zlatinb
I suggest we start with a simple follow-up like "was nice to meet you" and then expand from there
zlatinb
currently I'm thinking we should not write a giant letter describing how i2p works until we get an ack that eff is willing to work with us
eyedeekay
OK
zlatinb
they may decide they want a retainer, who knows
zzz
see above. they don't do that
zzz
you're misunderstanding how they work
zlatinb
I'll shoot him a "was nice to meet you" follow up and cc you guys and take it from there.
zlatinb
if they can't help at all that's fine too
eyedeekay
Anything else for 4?
zlatinb
no, eot
eyedeekay
5. New Outproxy ref: zzz.i2p/topics/3254
eyedeekay
a) Organizational and infrastructure overview (StormyCloud)
eyedeekay
b) Technical review and test results (zzz and others)
eyedeekay
c) ToS and log policy review stormycloud.i2p/outproxy.html (all)
eyedeekay
d) Vote to approve (all)
eyedeekay
e) Rollout plan (if approved) (zzz, StormyCloud)
eyedeekay
a) Organizational and infrastructure overview (StormyCloud)
zzz
StormyCloud, you here?
StormyCloud
Yes
zzz
this is a proposal to replace false.i2p, which was unreliable for years and is now dead
zzz
thanks for volunteering to support a replacement
zzz
please go ahead and give us a brief overview of your organization and your infrastructure
StormyCloud
Who we are: We are a 501(c)(3) non-profit organization based out of Texas. Our mission is to provide privacy-based tools to allow everyone access to an unfiltered and unregulated Internet. We started this organization in 2021 and have been working closely with the TOR community by deploying exit nodes.
StormyCloud
We own all of our hardware and currently colocate at a Tier 4 data center. As of now have a 10GBps uplink with the option to upgrade to 40GBps without the need for much change. We have our own ASN and IP space (IPv4 & IPv6).
StormyCloud
Outproxy Infrastructure: Outproxies are run on Ubuntu 22.04 and have been optimized for I2P. The backend proxy software is TinyProxy and supports HTTP, HTTPS, I2P, and TOR onion links. Currently, the outproxy is multi-homed on two servers. We can increase this number of servers as needed.
zzz
I want to invite everyone to ask questions of StormyCloud at any point as we go through the agenda
zzz
any questions at this time?
not_bob
Yes
not_bob
How do you deal with users who try to use your service for "really nasty stuff"?
StormyCloud
Nothing, we do not filter any requests. While that does invite "bad" users we feel the internet should be a free and open place.
R4SAS
And one from me: will be here SOCKS5 proxies in future?
StormyCloud
R4SAS: If there is a need for a SOCKS5 proxy I am sure we can get one deployed.
R4SAS
Thanks
zzz
any other questions on 5a) ?
not_bob
I just want to note that stormycloud has been great for uptime.
SilicaRice
the backend supports I2P links uh huh?
not_bob
And performance is great.
zzz
that brings us to 5b, yes
zzz
the outproxy has been in beta for quite a while
zzz
testing should ensure that the service is reliable, meets applicable standards, and is secure
zzz
we've encountered several issues over the last few months, and StormyCloud has always been responsive
SilicaRice
(why would you run i2p links through an outproxy?)
zzz
at this time my test results are good, and I'm recommending it to be our official outproxy
dr|z3d
StormyCloud misspoke. there is no .i2p support.
zzz
but let's hear any other test reports or questions
StormyCloud
SilicaRice: My apologies I wrote that wrong
SilicaRice
oh okay
R4SAS
> We do not cooperate with any requests for information except where compelled by law, and in that event our ability to assist is limited by our logging policy.
R4SAS
Will be here transparency reports in such situations?
zzz
also, to be clear, this meeting is about Java I2P's default and recommendations. Any other project including i2pd may have their own processes and requirements and negotiations with the outproxy operator
StormyCloud
R4SAS: Yes, we publish a report quarterly on our clearnet website. That is something I can also do on our i2p site.
zzz
ok, looks like we're on 5c) review of ToS and logging policies. The goal here is to ensure our users are protected.
R4SAS
also, please, create in-i2p mail for contacting =)
zzz
any comments or questions about the ToS?
R4SAS
ah, btw, about 5b: StormyCloud, what tunnel settings are you using?
R4SAS
length, amount, etc
dr|z3d
0 hop.
eyedeekay
Everything it says looks pretty clear to me, although to follow up on what R4SAS said, it might be good to put a link to the transparency report in or after that > We do not... unless compelled by law section
zzz
an outproxy operator is in a position to view all traffic, or at least all non-https traffic, so it's important that we trust the operator to protect our users
StormyCloud
eyedeekay: Makes sense, I'll get this added to the website
zzz
it's currently two multihomed 0-hop servers, right StormyCloud ?
StormyCloud
Correct
not_bob
But, just to clarify, with the way i2p tunnels work, my 2-3 hops are still there. You are just not adding any more, right?
dr|z3d
the client can configure as many hops as they wish, not_bob.
zzz
I also saw on zzz.i2p that it's ipv4-only but that may get fixed soon, right?
not_bob
Yep, that's what I thought. Thank you.
StormyCloud
zzz: Correct, our upstream provider finished their upgrade. I didn't want to mess with IPv6 until all testing was done
zzz
would you please elaborate on your experience running tor exits and the capacity of your tor exits?
StormyCloud
Sure, we have been running tor exit since late last year, currently sitting at 130ish exits with about 1.6% of TOR exit traffic going through our servers.
StormyCloud
Everything is virtualized and the process to setup has become pretty automated
zzz
have you ever received any DMCA or other legal processes w.r.t. your tor exits? if so, how was it handled?
StormyCloud
No legal requests and surprisingly no DMCA requests. We do get abuse complaints, we just respond and let them know this is a TOR exit and there is nothing further that can be done on our end.
R4SAS
huh, acetone's bot has bug
zzz
any other questions for StormyCloud before we go to 5d) approval ?
R4SAS
I'll PM him
zzz
normally major doesn't have +v, but I turned +m off for the meeting, no big deal
zzz
ok, if there's no more questions, everybody please indicate your approval / disapproval for making StormyCloud our official outproxy
not_bob
Approve
zzz
approve
zlatinb
approve
eyedeekay
approve
SilicaRice
approve (if users count for anything)
R4SAS
no objections, approve
zzz
ok, great
zzz
5e) rollout
zzz
the two major steps are:
zzz
1) setting it as default for new installs (as early as the next release in 3 weeks)
zzz
2) recommending to existing users to change their config (probably via console news, any time)
zzz
these can happen in either order
zzz
and we have no idea how much traffic either would generate
zzz
other products (Android, bundles), probably aren't big enough to worry about timing
zzz
StormyCloud, what is your request or recommendation on when and how we proceed?
StormyCloud
If the console news can be set/sent anytime then we can let existing users know to switch now (if they want) and that gives us three weeks to monitor and spin up new servers if needed.
dr|z3d
console news generally published with a new release.
not_bob
StormyCloud: How much traffic are you handling for the outproxy currently?
zzz
ok. it would be nice to point to a howto page with screenshots for editing the hidden services manager config. That could be hosted on stormycloud.i2p, or a i2p-projekt.i2p blog post? Any volunteers to put that together?
StormyCloud
Difficult to say at this time, since we don't log anything. I am monitoring network activity, but that too doesn't tell a full picture since it's also passing i2p traffic.
eyedeekay
I can do it
dr|z3d
StormyCloud: we keep an eye on exit traffic via graphs..
dr|z3d
in short, notbob, nothing worth getting excited about.
zzz
dr|z3d, you have a guess on current % utilization of your two nodes? probably very small?
dr|z3d
utilization in what sense?
dr|z3d
capacity-wise?
zzz
yes
zzz
or maybe you don't really know until you hit it...
dr|z3d
very small is about right.
dr|z3d
throw a few thousand concurrent users at the outproxy, we'll then know :)
zzz
yeah, apologies to StormyCloud, we were unable to get any historical estimates of false.i2p bandwidth
zzz
so it's a little bit of a crap shoot, as long as you're monitoring things and have an expansion plan, we should be fine
StormyCloud
All good, we will adjust as more and more people start to use the outproxy
dr|z3d
well, as configured, the outproxies combined can handle up to 8192 concurrent streams. so there's plenty of capacity there, and StormyCloud has plenty of stuff in the wings if required.
zzz
and StormyCloud re: new installs, should we plan to make it the default in the next release late this month as well?
StormyCloud
Yes, that would be fine
zzz
ok then. eyedeekay let me know when you have a blog post up, and then I'll write the news entry
zzz
anything else on 5e) rollout ?
eyedeekay
OK, expect it tonight or tomorrow
zzz
thanks again StormyCloud
eyedeekay
Nothing from me
zzz
back to you eyedeekay
eyedeekay
All right that's it for the listed items, I'll be at Def Con next week in case anybody who's watching wants to meet me there lol
eyedeekay
If anybody else has anything else for the meeting, please speak up, otherwise timeout 1m
R4SAS
I have one question, but it is out of meeting scope
zzz
oh, also thanks to dr|z3d for vital technical assistance over the testing period
eyedeekay
All right thanks everybody for coming to the meeting, I've got a kind of crazy section in the middle of my log but once I fix that I'll post the logs to the web site
eyedeekay
Thanks for coming
not_bob
Thank you for having us.
R4SAS
Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion? Use case: as far as I know, public TLD lists doesn't include .i2p zone because it is not mentioned in any of RFC or registrars (idk how they really called)
R4SAS
heh, message incorrectly split
R4SAS
again
R4SAS
Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion?
R4SAS
Use case: as far as I know, public TLD lists doesn't include .i2p
R4SAS
zone because it is not mentioned in any of RFC or registrars (idk how they really called)
dr|z3d
R4SAS: there's a whole backstory there zzz will tell you about.
dr|z3d
in brief, we were in line for registration and then Jacob Applebaum shafted us.
not_bob
Yep, it was stupid.
R4SAS
tried to create rfc or what?
dr|z3d
same as tor and .onion.. we were in the same boat.
zzz
R4SAS, zzz.i2p/topics/2101 , see also the book "Weaving the Dark Web"
not_bob
Yeah, just grab that book. Great writeup of it.
dr|z3d
I wouldn't say great, but it's a writeup for sure.
not_bob
Heh
R4SAS
maybe EFF guys can help with it?
dr|z3d
EFF don't promote I2P.
dr|z3d
So, you know, it's a bit of a stretch thinking they're going to bat for I2P and its own tld.
R4SAS
heh
dr|z3d
when you see the i2p logo on their homepage, then thinking they might help with other stuff might be realistic.
zzz
Tor is "special" for EFF. I asked if we could be special too. The answer was no.
R4SAS
got it