#i2p-dev
/2022/08/02
eyedeekay Heads up: CVE-2022-2048 appears to affect jetty versions earlier than 9.4.47, appearing to include us
eyedeekay Except we might be able to just disable http/2 entirely? Do we do that? Is it on by default? Mostly asking rhetorically, going to confirm for myself
eyedeekay mark22k brought this to my attention on Matrix, thanks mark22k
not_bob At least it's just a DoS attack, not more.
eyedeekay `java -jar $I2P/lib/jetty-start.jar --list-modules` does not show the http2 module or connector or any configuration, it looks like this probably misses us
not_bob Good, good.
dr|z3d no support for http/2 in i2p's jetty, eyedeekay
dr|z3d we're missing the necessary libs, and in any event, http/2 requires https to function, so that pretty much rules us out
eyedeekay Well zzz and I use it :)
dr|z3d yeah, but you're freaks! :)
dr|z3d there's maybe 2 or 3 chinese sites that use self-signed https, and that's probably about it.
dr|z3d who's kicking off the meeting?
eyedeekay Oh my gosh guys so sorry I am late, had a minor emergency
eyedeekay I am here now and ready to start the meeting, really sincere apologies I got here as fast as I could
eyedeekay 2. 1.9.0 development status
eyedeekay 3. Apple silicon bundle status
eyedeekay 4. Letter to EFF to clarify what "running" a network means
eyedeekay 5. New Outproxy ref: zzz.i2p/topics/3254
eyedeekay a) Organizational and infrastructure overview (StormyCloud)
eyedeekay b) Technical review and test results (zzz and others)
eyedeekay c) ToS and log policy review stormycloud.i2p/outproxy.html (all)
eyedeekay d) Vote to approve (all)
eyedeekay e) Rollout plan (if approved) (zzz, StormyCloud)
eyedeekay zzz zlatinb you guys here?
zlatinb hi yes
eyedeekay Sorry about that again, had a cooking accident
eyedeekay 2. 1.9.0 development status
eyedeekay We're 3 weeks from release, we pretty much settled on a date for it at ls2 meeting yesterday, it's going to be the 22nd. i2pd and/or Java I2P may enable SSU2 for new installs, or a small percentage of the network on restart like for router rekeying
eyedeekay 3 weeks left for bug reports and bug fixes
eyedeekay Anything else to add zzz, zlatinb?
eyedeekay 3. Apple silicon bundle status
eyedeekay zlatinb this one is yours, please start when you are ready
zzz let me add a little on 2) please
SilicaRice is SSU2 officially stable? :o
eyedeekay Ok go ahead, sorry did not mean to rush
zzz lag
zzz tag freeze will be Aug. 10, a week from tomorrow
zzz the SSU2 testers have been very helpful, about 50-75 of them on the network
zzz our goal is to enable it for a few hundred to a thousand routers in this release
zzz to help us shake out the remaining bugs, while avoiding any chance of disaster
zzz and we'll enable it for everybody in the November release
zzz everything else is going smoothly as well, just the usual bug fixes all over
zzz SSU2 is mostly finished, that doesn't mean it's mostly perfect yet
zzz shout out also to the i2pd team, they're working hard also
zzz I guess that's it unless there's any questions
not_bob Will the update also affect the android build?
zzz sure. We may also just enable SSU2 for all Android, since it's so much less CPU than SSU1 w/ ElGamal
not_bob Good, good.
eyedeekay I don't change any settings, SSU2 will technically be available but there won't be a UI to enable it
zzz that's what i2pd is thinking, we may do the same
zzz yeah, we're not going to put an option in the UI and then lobby like crazy for people to enable it
zzz we'd never get the numbers we want
not_bob Can we get an option to enable it if desired? Better battery life would be better.
eyedeekay It just inherits defaults from i2p.i2p except where it has to to run on the Android environment
zzz there's an advanced config, see zzz.i2p for info
not_bob Thank you.
zzz not sure if Android has access to advanced config?
eyedeekay No it doesn't, you have to do weird stuff to make it work
eyedeekay Pretty much devs-only to manually edit non-i2ptunnel config files on Android
zzz ok. anyway, might be good to enable it for android anyway, because one of the last features we need to implement is handling IP changes, so mobile routers will help us develop and test
not_bob I vote for that.
zzz ok. to be clear, nobody's going to notice any difference with SSU2. It's mostly the same feature set, and currently a little slower than SSU1, at least on Java. It's faster for i2pd
eyedeekay Battery life is a huge deal if SSU2 will make a difference at that
eyedeekay We could be worse about how much battery we use, but we could also be better
zzz the benefits are more security, less CPU, more reliable firewall detection
zzz I may write up a whole blog post about it, I think it's one of the most censorship-resistant protocols ever designed. We'll see
zzz eot
eyedeekay Thanks zzz. I think people are hearing "Less CPU" and instantly making an association "Easier on battery for Androids" which may be part of the interest
eyedeekay 3. Apple silicon bundle status
eyedeekay zlatinb this one's yours, go ahead when you're ready
zlatinb Hi, I made the bundle available for download about 6 days ago and there have been almost 100 downloads since
zlatinb about 30% of the mac users download the arm64 bundle which surprises me
zlatinb I'm thinking to upgrade the 1.8 bundle to 1.9 when that becomes available to test the update channel although don't expect any issues
zlatinb yes, can do that tomorrow after my right hand will be fully functional again (hopefully)
zlatinb that's about it
zzz so I'd say after a successful update or news entry, stable is fine. I don't expect any issues either, but we've had plenty of news glitches before
zzz but willing to hear other opinions ofc
eyedeekay Thanks zlatinb, if you choose to do a news entry let me know and I'll update the servers
zlatinb the only real action for promoting to stable really is removing the "BETA" label from the website
zzz sure, it's more the principle than anything actually being different
zzz let's be purposeful in our labeling, that's all
eyedeekay 4. Letter to EFF to clarify what "running" a network means
zlatinb Yes, some background on that:
zlatinb eyedeekay and I met Kurt Opsahl from EFF at HOPE a few weeks ago and asked him about legality of working on something like I2P
zlatinb He said that writing code is fine because "code == speech", however "running" the network may be a different story
zlatinb we didn't dig into what running the network means at HOPE
zlatinb but I think it's a good idea to reach out and clarify the topic as much as possible
zzz what would we do differently, based on conceivable responses?
zlatinb I'm having a very hard time conceiving the responses as it's a very broad topic
eyedeekay It may inform who is able to run what services
zzz whatever "running" we're doing, it's much less than their darling Tor, and how might we do even less?
eyedeekay But I think one likely response is that running services to support a network is probably speech too
eyedeekay That may be optimistic, but it's also the one that involves the least leaps
zzz in my experience, ask a lawyer an informal question, you'll get good information. Send them a letter, they'll say they aren't licensed in your state, go hire somebody
zlatinb no idea, maybe reseeds are fine and addressbooks are not, who knows, Too many possible permutations
zzz if you want to follow up, follow up, but I've asked EFF for legal advice before, their answer is "we're not set up to be general purpose legal counsel. We litigate cases of interest"
eyedeekay Maybe I can track down somebody for an informal question next week then. Can't hurt to try both
eyedeekay Writing the letter would help inform the question
zzz email Kurt. He gave you a vague answer, following up is reasonable. He's always been quite nice every time I talk to him
zzz I just wouldn't expect anything actionable, but who knows?
zlatinb well it's worth structuring any such letter properly; also may be wise to build up the engagement gradually rather than dump a giant letter from the blue
eyedeekay zlatinb do you want to set up a time to sync up and write that letter this week?
zlatinb I suggest we start with a simple follow-up like "was nice to meet you" and then expand from there
zlatinb currently I'm thinking we should not write a giant letter describing how i2p works until we get an ack that eff is willing to work with us
zlatinb they may decide they want a retainer, who knows
zzz see above. they don't do that
zzz you're misunderstanding how they work
zlatinb I'll shoot him a "was nice to meet you" follow up and cc you guys and take it from there.
zlatinb if they can't help at all that's fine too
eyedeekay Anything else for 4?
zlatinb no, eot
eyedeekay 5. New Outproxy ref: zzz.i2p/topics/3254
eyedeekay a) Organizational and infrastructure overview (StormyCloud)
eyedeekay b) Technical review and test results (zzz and others)
eyedeekay c) ToS and log policy review stormycloud.i2p/outproxy.html (all)
eyedeekay d) Vote to approve (all)
eyedeekay e) Rollout plan (if approved) (zzz, StormyCloud)
eyedeekay a) Organizational and infrastructure overview (StormyCloud)
zzz StormyCloud, you here?
zzz this is a proposal to replace false.i2p, which was unreliable for years and is now dead
zzz thanks for volunteering to support a replacement
zzz please go ahead and give us a brief overview of your organization and your infrastructure
StormyCloud Who we are: We are a 501(c)(3) non-profit organization based out of Texas. Our mission is to provide privacy-based tools to allow everyone access to an unfiltered and unregulated Internet. We started this organization in 2021 and have been working closely with the TOR community by deploying exit nodes.
StormyCloud We own all of our hardware and currently colocate at a Tier 4 data center. As of now we have a 10GBps uplink with the option to upgrade to 40GBps without the need for much change. We have our own ASN and IP space (IPv4 & IPv6).
StormyCloud Outproxy Infrastructure: Outproxies are run on Ubuntu 22.04 and have been optimized for I2P. The backend proxy software is TinyProxy and supports HTTP, HTTPS, I2P, and TOR onion links. Currently, the outproxy is multi-homed on two servers. We can increase this number of servers as needed.
zzz I want to invite everyone to ask questions of StormyCloud at any point as we go through the agenda
zzz any questions at this time?
not_bob How do you deal with users who try to use your service for "really nasty stuff"?
StormyCloud Nothing, we do not filter any requests. While that does invite "bad" users we feel the internet should be a free and open place.
R4SAS And one from me: will be here SOCKS5 proxies in future?
StormyCloud R4SAS: If there is a need for a SOCKS5 proxy I am sure we can get one deployed.
R4SAS Thanks
zzz any other questions on 5a) ?
not_bob I just want to note that stormycloud has been great for uptime.
SilicaRice the backend supports I2P links uh huh?
not_bob And performance is great.
zzz that brings us to 5b, yes
zzz the outproxy has been in beta for quite a while
zzz testing should ensure that the service is reliable, meets applicable standards, and is secure
zzz we've encountered several issues over the last few months, and StormyCloud has always been responsive
SilicaRice (why would you run i2p links through an outproxy?)
zzz at this time my test results are good, and I'm recommending it to be our official outproxy
dr|z3d StormyCloud misspoke. there is no .i2p support.
zzz but let's hear any other test reports or questions
StormyCloud SilicaRice: My apologies I wrote that wrong
SilicaRice oh okay
R4SAS > We do not cooperate with any requests for information except where compelled by law, and in that event our ability to assist is limited by our logging policy.
R4SAS Will be here transparency reports in such situations?
zzz also, to be clear, this meeting is about Java I2P's default and recommendations. Any other project including i2pd may have their own processes and requirements and negotiations with the outproxy operator
StormyCloud R4SAS: Yes, we publish a report quarterly on our clearnet website. That is something I can also do on our i2p site.
zzz ok, looks like we're on 5c) review of ToS and logging policies. The goal here is to ensure our users are protected.
R4SAS also, please, create in-i2p mail for contacting =)
zzz any comments or questions about the Tos?
R4SAS ah, btw, about 5b: StormyCloud, what tunnel settings are you using?
R4SAS length, amount, etc
dr|z3d 0 hop.
eyedeekay Everything it says looks pretty clear to me, although to follow up on what R4SAS said, it might be good to put a link to the transparency report in or after that > We do not... unless compelled by law section
zzz an outproxy operator is in a position to view all traffic, or at least all non-https traffic, so it's important that we trust the operator to protect our users
StormyCloud eyedeekay: Makes sense, I'll get this added to the website
zzz it's currently two multihomed 0-hop servers, right StormyCloud ?
not_bob But, just to clarify, with the way i2p tunnels work, my 2-3 hops are still there. You are just not adding any more, right?
dr|z3d the client can configure as many hops as they wish, not_bob.
zzz I also saw on zzz.i2p that it's ipv4-only but that may get fixed soon, right?
not_bob Yep, that's what I thought. Thank you.
StormyCloud zzz: Correct, our upstream provider finished their upgrade. I didn't want to mess with IPv6 until all testing was done
zzz would you please elaborate on your experience running tor exits and the capacity of your tor exits?
StormyCloud Sure, we have been running tor exit since late last year, currently sitting at 130ish exits with about 1.6% of TOR exit traffic going through our servers.
StormyCloud Everything is virtualized and the process to setup has become pretty automated
zzz have you ever received any DMCA or other legal processes w.r.t. your tor exits? if so, how was it handled?
StormyCloud No legal requests and surprisingly no DMCA requests. We do get abuse complaints, we just respond and let them know this is a TOR exit and there is nothing further that can be done on our end.
R4SAS huh, acetone's bot has bug
zzz any other questions for StormyCloud before we go to 5d) approval ?
R4SAS I'll PM him
zzz normally major doesn't have +v, but I turned +m off for the meeting, no big deal
zzz ok, if there's no more questions, everybody please indicate your approval / disapproval for making StormyCloud our official outproxy
not_bob Approve
zzz approve
zlatinb approve
eyedeekay approve
SilicaRice approve (if users count for anything)
R4SAS no objections, approve
zzz ok, great
zzz 5e) rollout
zzz the two major steps are:
zzz 1) setting it as default for new installs (as early as the next release in 3 weeks)
zzz 2) recommending to existing users to change their config (probably via console news, any time)
zzz these can happen in either order
zzz and we have no idea how much traffic either would generate
zzz other products (Android, bundles), probably aren't big enough to worry about timing
zzz StormyCloud, what is your request or recommendation on when and how we proceed?
StormyCloud If the console news can be set/sent anytime then we can let existing users know to switch now (if they want) and that gives us three weeks to monitor and spin up new servers if needed.
dr|z3d console news generally published with a new release.
not_bob StormyCloud: How much traffic are you handling for the outproxy currently?
zzz ok. it would be nice to point to a howto page with screenshots for editing the hidden services manager config. That could be hosted on stormycloud.i2p, or a i2p-projekt.i2p blog post? Any volunteers to put that together?
StormyCloud Difficult to say at this time, since we don't log anything. I am monitoring network activity, but that too doesn't tell a full picture since it's also passing i2p traffic.
eyedeekay I can do it
dr|z3d StormyCloud: we keep an eye on exit traffic via graphs..
dr|z3d in short, notbob, nothing worth getting excited about.
zzz dr|z3d, you have a guess on current % utilization of your two nodes? probably very small?
dr|z3d utilization in what sense?
dr|z3d capacity-wise?
zzz yes
zzz or maybe you don't really know until you hit it...
dr|z3d very small is about right.
dr|z3d throw a few thousand concurrent users at the outproxy, we'll then know :)
zzz yeah, apologies to StormyCloud, we were unable to get any historical estimates of false.i2p bandwidth
zzz so it's a little bit of a crap shoot, as long as you're monitoring things and have an expansion plan, we should be fine
StormyCloud All good, we will adjust as more and more people start to use the outproxy
dr|z3d well, as configured, the outproxies combined can handle up to 8192 concurrent streams. so there's plenty of capacity there, and StormyCloud has plenty of stuff in the wings if required.
zzz and StormyCloud re: new installs, should we plan to make it the default in the next release late this month as well?
StormyCloud Yes, that would be fine
zzz ok then. eyedeekay let me know when you have a blog post up, and then I'll write the news entry
zzz anything else on 5e) rollout ?
eyedeekay OK, expect it tonight or tomorrow
zzz thanks again StormyCloud
eyedeekay Nothing from me
zzz back to you eyedeekay
eyedeekay All right that's it for the listed items, I'll be at Def Con next week in case anybody who's watching wants to meet me there lol
eyedeekay If anybody else has anything else for the meeting, please speak up, otherwise timeout 1m
R4SAS I have one question, but it is out of meeting scope
zzz oh, also thanks to dr|z3d for vital technical assistance over the testing period
eyedeekay All right thanks everybody for coming to the meeting, I've got a kind of crazy section in the middle of my log but once I fix that I'll post the logs to the web site
eyedeekay Thanks for coming
not_bob Thank you for having us.
R4SAS Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion? Use case: as far as I know, public TLD lists doesn't include .i2p zone because it is not mentioned in any of RFC or registrars (idk how they really called)
R4SAS heh, message incorrectly split
R4SAS again
R4SAS Q: have somebody tried to write RFC for registering .i2p tld like tor developers did for .onion?
R4SAS Use case: as far as I know, public TLD lists doesn't include .i2p
R4SAS zone because it is not mentioned in any of RFC or registrars (idk how they really called)
dr|z3d R4SAS: there's a whole backstory there zzz will tell you about.
dr|z3d in brief, we were in line for registration and then Jacob Appelbaum shafted us.
not_bob Yep, it was stupid.
R4SAS tried to create rfc or what?
dr|z3d same as tor and .onion.. we were in the same boat.
zzz R4SAS, zzz.i2p/topics/2101 , see also the book "Weaving the Dark Web"
not_bob Yeah, just grab that book. Great writeup of it.
dr|z3d I wouldn't say great, but it's a writeup for sure.
R4SAS maybe EFF guys can help with it?
dr|z3d EFF don't promote I2P.
dr|z3d So, you know, it's a bit of a stretch thinking they're going to bat for I2P and its own tld.
dr|z3d when you see the i2p logo on their homepage, then thinking they might help with other stuff might be realistic.
zzz Tor is "special" for EFF. I asked if we could be special too. The answer was no.
R4SAS got it