👮 major
irc2p
#i2p-dev #i2pd-dev #ls2 #saltr
ilita
#4rum #acetonevideo #dev #retroshare #torrent #video2p
IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2024/06/02
@eyedeekay
&kytv
&zzz
+R4SAS
+RN
+RN_
+dr|z3d
+hk
+orignal
+postman
+wodencafe
Arch
DeltaOreo
FreeRider
FreefallHeavens
Irc2PGuest19353
Irc2PGuest22478
Irc2PGuest48042
Irc2PGuest64530
Irc2PGuest77854
Nausicaa
Onn4l7h
Onn4|7h
Over1
Sisyphus
Sleepy
Soni
T3s|4_
Teeed
aargh3
acetone_
anon4
b3t4f4c3
bak83_
boonst
cumlord
dr4wd3
eyedeekay_bnc
hagen_
khb
not_bob_afk
plap
poriori_
profetikla
rapidash
shiver_1
solidx66
tr
u5657
uop23ip
w8rabbit
weko_
x74a6h
zzz interesting thread on a guy trying to be his own postman + eche|on i2pforum.i2p/viewtopic.php?p=3065
zzz eche|on didn't quite realize what he was asking for...
zzz eyedeekay, thanks for the MR review last week, but if you could pick up the review pace that would be great, your posted deadline is looming
zzz eche|on, can you raise the logged-in cookie timeout on i2pforum.i2p? It seems to only last about 15 minutes which is really annoying
eyedeekay psi did something which supposedly works for in net mail which is mostly self configuring github.com/majestrate/bdsmail but I have never tried it
eyedeekay I will do the rest of the pending reviews today
zzz thanks
zzz some are draft but still would appreciate a look
zzz here's my status stats.i2p/docs/roadmap-2.6-zzz.html
zzz acutally let me undraft the snark one now
zzz hadn't heard of bdsmail, interesting. The forum guy has his server of choice already, thought there was some magic gateway out there waiting for him
zzz didn't sound like he cared about in-net server-to-server
eyedeekay Thanks re: status
zzz eyedeekay, see my comment on your forum post on the 2.6 schedule re: dev updates, they need to be at an in-net url for automation to work I think
zzz and a full howto would be helpful
eyedeekay Sure I can set up an in-net URL for it and write a howto
zzz and if you're building every rev why are we tagging the -x revs? or are there two tracks, one for every rev and one for tagged ones?
eyedeekay The tagged ones are to make it easier to keep track of what I'm using when I do dev builds of anything that depends on the artifacts we upload to Maven. I don't have 2 tracks set up but it's <3 lines of config to set up so I'm going to do that
zzz super. the goal is to up the number of people testing, so let's push through with howtos and posts everywhere to make it happen
eyedeekay Sure, I'll get some of those going and/or published soon
zzz it would take some more automation, but you could even set up separate signed news feeds and stuff the git revs or history diffs into a <pre> in a news feed entry and have it all just automatic
zzz so every rev or every tag is a news entry and a new su3
eyedeekay I'm inching my way toward exactly that, using i2p.firefox and i2p.android.base to try things like setting up alternate signing keys and newsfeed generation from git log for the buildbots before I move them up to i2p.i2p
eyedeekay Right now buildbot-identifying-signing-keys is the key todo for i2p.android.base CI/CD
eyedeekay Once I figure that out I'll be able to do su3's with similar buildbot-identifying-keys
zzz ?? what is identifying-keys about?
eyedeekay Giving signed builds created by bots keys that say buildbot-maintainer@mail.i2p or something instead of my release keys
zzz but then users would have to add the pubkey certs for those to certificates/, right?
eyedeekay Yes but IMO they should, both because I don't think I should keep my release keys online on the server, and because if one or the other set of keys got stolen it would be possible to revoke one at a time
zzz to do it right, you'd sign the buildbot keys with your release keys, and we fixup the sig verification to handle ssl cert chains
zzz your news servers have your news privkeys on them, so just do the update signing there too?
zzz or have a signing service on a different machine?
eyedeekay No they don't actually, I sign in a VM on my laptop and upload static artifacts
zzz I don't see how having the buildbot sign the su3 is magically secure if you hand it some unique signing key
zzz the way su3 works you're just signing a hash, so there's not a lot of data going back and forth, if you do it right
zzz seems like "identifying keys" solves nothing though?
eyedeekay My thinking is that servers suspected of being part of our infra are potentially targeted, so leaving sensitive things on them is maybe not good
eyedeekay Up to this point my keys have never been on a device which is always online or out of my physical control/possession, like 99% of the time the device they're on isn't plugged in.
eyedeekay CI in general seems to expose a lot of attack surface, so that server makes me especially cautioud
zzz sure, I get that part, but if you put a different privkey on the CI and then ask our users to trust that key, nothing has changed, right?
eyedeekay Yes nothing has changed, the only advantage is that we can delete one key at a time
eyedeekay And I should be able to stay online from now on...
eyedeekay Actual cert chains are an interesting idea esp in light of plugins, might like to have one root key and sub-keys for dev builds, newsfeeds, plugins, reseed etc
eyedeekay Well that and that they don't trust the dev build key by default, so it can only be used by people who opt-in to updates
eyedeekay We could even give people a switch "enable dev builds" which copies the key from some inert location in the base dir to the appropriate certificates/*/ directories
zzz I think it makes more sense to just build the zip on the CI server, then have some automation to copy it over and create the su3 on your laptop and push it to the news servers