00:00:03 jeffro256[m]: the same as in court: anyone who can be unbiased and know/follow laws/rules 00:00:44 So.. me 00:01:21 Do we.... vote? 😆 00:02:49 100% initial idea was that auditors will find something within 8149, so that I was sitting pointless on found vulnerabilities 00:02:53 but they didn't find 00:03:14 It would be interesting to have communication log with them 00:03:19 but it's private or unavailable 00:03:35 Would have been nice if YOU WERE PART OF THE COMMUNICSTIONS 00:03:53 I was against that audit 00:04:12 So why didnt you stop it 00:04:16 since it would be useless 00:04:19 Plowsof, what is the meaning is this?! 00:05:08 ofrnxmr[m]: UkoeHB and arnuscky wanted to test their hypothesis that auditors who failed 1st time will do better work 2nd time 00:05:31 Or... how about we do it the correct way 00:05:41 With your security analysis 00:06:02 in result nothing interesting + removed names + said this https://nitter.42l.fr/veorq/status/1541148206595284992#m "At the same time, one of the most overrated aspects of Cryptography is provable security." 00:06:03 funny 00:06:14 Or is that not the correct way 00:06:36 Facepalm. Twitter. Ooo?? 00:06:41 briefly what is a security analysis / how much did bulletproofs one cost / have you 'done' a security analysis on something and is it public? 00:07:23 "audit" vs "security analysis" ? 00:08:46 plowsof: https://eprint.iacr.org/2019/654.pdf - research paper with security analysis, https://ostif.org/wp-content/uploads/2020/07/ostif-clsag-audit-final-public.pdf - audit of research paper and implementation based on this 00:11:09 "sgp_, 19:28 <+selsta> merge 8149 -> merge burning bug -> keep experimental -> try to get more formal security proofs before removing experimental flag, seems perfect" cakewallet ordered 1st failed audit, another conflict of interest 00:12:08 "sg_, 19:28 <+selsta> merge 8149 -> merge burning bug -> keep experimental -> try to get more formal security proofs before removing experimental flag, besides ooo, does anyone else oppose this" why not to ask is anyone competent besides ooo to vote on this ? 00:12:28 ooo123ooo1234567: Because if ooo doesnt vote, ooos vote doesnt matter 00:12:38 Silly 00:13:12 if you share your security analysis then we don't have to merge 8149 00:13:46 is it possible to know who is taking this decision and full list of participants of that channe l? 00:13:53 s/taking/making/, s/channe/channel/, s/l// 00:14:04 You are. 00:15:28 what decision? everyone will agree, if you share your security analysis and if it shows that there are remaining issues then we won't merge 8149 00:19:35 why I have to prove everytime that there is some bug or that my patch isn't related to some bug, while others are doing blind merges of everything ? 00:20:58 " everyone will agree " what's the source of this certainty ? are they lacking their own will ? 00:21:17 because it gives us alternative path to move forward 00:21:17 ooo123ooo1234567: I said, you have a 99% vote 00:21:53 selsta: Do you know that doing something in a right way is much easier than to prove every time incompetent people that it's bad and it's good ? 00:22:04 * right way from the beginning is much 00:22:39 Agreed 00:22:49 So... instead of letting us merge broken multisig..... 00:22:59 ofrnxmr[m]: you don't have vote, not sure what's the purpose of this ACK 00:23:08 The right path, as per ooo, is..... ______<<<___ 00:23:27 ooo123ooo1234567: Im the self appointed ceo 00:23:55 not funny, only makes angry, since you really don't have any vote 00:24:25 So long as you arent voting, I do. 00:25:34 ofrnxmr[m]: And as far as getting angry... ^ 00:26:23 https://nitter.42l.fr/kayabaNerve/status/1400453070782271497#m, "Every discussion I had with its author always had them say "this is not audited". Respect the hell out of sarang for that." 00:26:40 and this human is advocating for merging cryptography changes without security analysis 00:26:56 and participating in bug bounties of other projects 00:27:47 Didn’t we just have an audit 00:28:22 Haven’t multiple people looked at the code? 00:28:25 Jesus, don't drag me into this conversation again 00:28:34 Here I can play the game too 00:28:34 even if the last would be audit that particular audit is shitty 00:28:49 * the last missing component would be 00:29:22 Why waste days and days here saying the same thing over and over 00:29:24 Monero is 100% completely broken and only I know how to fix it, but I can't tell you how because doing so would be unsafe. So you shouldn't use Monero, ever 00:29:33 chesterfield[m]: audit of C++ implementation without design isn't the same as audit of design + it's implementation 00:29:54 it's like checking built house without having intended design 00:29:59 Actually I'll do even better 00:30:38 this is like wrestlemania 00:30:40 ooo123ooo1234567 is literally the head of the NSA, and I'm 100% certain despite not being able to prove so publicly or privately 00:30:44 sgp_: source where it was said ? 00:30:59 No this is me as an expert saying this 00:31:11 And under your logic no one else can get a vote because they dumb dumb 00:31:40 sgp_: source where it was said ? 00:31:50 Therefore we literally can never trust anything you do, you gotta wait for me to rewrite multisig 00:31:53 incompetent is only related to knowledge about particular subject, not about general mental abilities 00:32:18 probably the least offensive adjective which still allows to point out problems 00:32:30 I don’t understand why you wouldn’t just simply point out the flaw in the code… people review all the time 00:33:52 sgp_, do you know details about 1st inferece.ag audit ? 00:34:23 Anyway ooo123ooo1234567's mission is successful because here I am wasting time talking to someone arguing in bad faith. Yay you win 00:34:25 are you allowed to share it's cost ? 00:34:55 What audit, CLSAG? 00:35:01 no, for cake wallet 00:35:04 thorchain one 00:36:02 Wait are you pretending I'm biased because of a "sunk cost" 00:36:16 No, I'm just asking for the cost if you know 00:36:17 Like now I'm on the hook to defend their implementation no matter what, something like that? 00:36:36 Why is that relevant, at all 00:36:49 it's interesting to compare it with 2nd audit 00:36:56 just numbers 00:37:19 It cost $2.50, good deal 00:37:40 $2500 or $2.5? 00:37:53 $2.50 00:37:56 hmm 00:43:36 The scope of that audit didn't cover any of the existing stuff though, just the thorchain changes 00:44:49 it would be interesting more about it (including real cost), but it's likely unavailable 00:44:54 * be interesting to know more about 00:44:57 But honestly I really think you're overplaying your hand here saying JP Aumasson is less competent at cryptography than a troll who wasted our time at a dev meeting and hasn't proven anything 00:45:22 quite sure JP himself didn't do the audit 00:46:09 cost / timeline / requested scope / auditors - everything have direct impact on result, give me full info and I'll try to figure out alone why it failed 00:46:48 * cost / timeline / requested scope / auditors - everything have direct impact on result, if full info would be available then it would be possible to figure out why it failed 00:47:16 I expected that you will not fire inference.ag audit on code 00:47:44 and this opportunity would be used on actual cryptography design, since 1st audit really failed 00:47:58 but it was burned on another paid audit done in private and only on code 00:48:06 Which first audit? The thorchain one? I'm worried you're confusing scope 00:49:17 s/would/will/ 00:50:46 "But honestly I really think you..." <- Would you risk with CCS payments and bounty for fix in order to just troll other people with nothing ? 00:51:03 > The client requested a review of the changes introduced by the thor_monero_signing_parallel... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/628a9e6e8583e2d9cee8fb6c6746d151bfcaff4e) 00:51:17 The changes 00:51:28 The Monero base portion wasn't audited 00:51:56 Also what CCS payments??? 00:52:17 sgp_, it was already discussed in -dev and -lounge, did you those arguments about diff that includes full vulnerable function ? 00:52:25 sgp_: the one for p2p 00:53:03 * sgp_, it was already discussed in -dev and -lounge, did you see those arguments about diff that includes full vulnerable function ? 00:54:08 "But honestly I really think you..." <- There are no questions to whoever did that audit as long as it doesn't affect monero development 00:54:12 ooo123ooo1234567: No, I would need it linked. But it's probably easier for me to just ask kayaba 00:54:47 If they indeed missed something obvious, I can communicate that with them 00:55:17 sgp_: are you joking ? inference.ag did 2nd audit with UkoeHB being involved, what are you going to communicate further ? 00:56:06 Oh the second audit from Rino? 01:00:24 "i don't think the audit was..." <- do you know the cost ? 01:00:59 no 01:01:00 "they would obviously prefer..." <- what's the next date for hardfork ? 01:01:41 we will hardfork august 13 01:01:48 or what do you mean with next date? 01:03:25 would be there something like: we do this hardfork and the next will be only 1 year away unconditionaly 01:04:20 There is clearly no consensus regarding importance of cryptography changes, but is there at least consensus that it's ok to do the next hardfork somewhere sooner if there are things to change ? 01:05:04 bulletproofs++? 01:05:09 or do you have something else in mind? 01:06:18 i think another hardfork in a year is doable, 6 months like initially is too short these days 01:06:32 Hardforks have happened sooner if there's good reason. There's precedent 01:06:51 But that's what it takes, good reason. Else think a year+ 01:07:16 I don't want to wait another year in the same shitty environment where I had to prove every change why it's important 01:09:17 If the cryptography bugs are indeed critical, then yes hardforks can happen sooner. That's what happened with RingCT 01:09:50 I thought that some delay hf would be fair punishment for poor development process and it would be enough time for me to implement may changes including bulletproofs++, but now you're talking about one more year 01:09:52 and it's boring 01:10:11 should I keep then this vulnerability to ask you all to do another hardfork in few months ? 01:10:20 Youre talking about 1yr 01:10:21 s/may/many/ 01:10:51 HF can happen any time necessary 01:10:54 Ugh, if there was a real vuln you could describe then do it now before we do anything. But you don't seem to get this and I'm not having another convo about this 01:11:12 can we have at least consensus with development process ? which you all are successfully hi-jacked with that meeting 01:12:11 I feel now isn't the time for that because we'll get mixed up in other drama, but overall I agree that some project formalization of processes and "project management" would be useful 01:12:15 I was talking a lot about development process and it went to nothing 01:12:27 https://youtu.be/MjNXmJUk2Jo 01:12:36 the same with cryptography changes 01:13:14 and revived scammer would be a cherry on top of that 01:15:21 ooo123ooo1234567: what do you mean with delay hf? 01:17:16 push back it a bit in order to have time for more changes that can be only via hardfork 01:18:04 i mean there is no rule that we have to wait X between hardforks 01:18:08 optimistically bulletproofs++ included, problems found from work on multisig and few MRL issues 01:19:40 "i think another hardfork in a..." <- why did you say this then ? 01:20:33 I agree that as soon as we know all requirements for the next hardfork cycle we can do much faster than currently 01:20:54 e.g. firmware for trezor and ledger are easy things to do, it's certainly not a blocker 01:22:46 i just think 6 months is quite optimistic, but not impossible if we have good reasons to upgrade 01:22:59 you asked me without any reasons to upgrade 01:23:04 Did I ever had bad reasons for any changes ? 01:23:21 s/had/have/ 01:23:21 no 01:25:32 What was optimistic plan for rino with experimental multisig becoming non experimental ? 01:25:41 hf + 1 week/ 1 month/2 months ? 01:26:03 it's all shitty since you don't know about underlying issues, but anyway what was their plan ? 01:26:17 my idea was to either use your security proof (compensated) or hire someone to write security proof for multisig 01:26:26 and not remove label before that 01:27:40 can you imagine someone who can write security proofs in current environment ? 01:29:01 that's why i suggested hire cryptographer to do it, now where to find someone is different questionn 01:32:12 I can't imagine how it will work given problems basic comp-sci and review 01:32:32 * given problems with basic comp-sci 01:32:33 * given problems with basic comp-sci, * and review process 01:34:08 "https://youtu.be/MjNXmJUk2Jo" <- great presentation thanks, (this is my first HF experience, everything makes sense now, chaos!) 01:34:36 "my idea was to either use your..." <- can you estimate time to do the job via this way ? 01:35:00 months 01:35:25 plowsof: https://giphy.com/gifs/reaction-uUIFcDYRbvJTtxaFNa 01:35:35 do you know whether rino wants to use multisig instantly after hf or only after removal of experimental flag ? 01:37:03 i don't know, no 01:39:44 binaryFate: can you comment on plans of your project regaring multisig ? 01:39:51 s/regaring/regarding/ 01:40:21 dead silence 01:40:54 it's 4am lol 01:47:18 Is it possible to allow them do hardfork as they want 01:47:29 * allow them (rino/ukoehb/...) do hardfork 01:47:53 rino is a web application, why would they need a hardfork? 01:47:59 but shortly after it there will be the next, what is the most optimistic duration ? 01:48:03 only +6 months ? 01:48:24 * Is it possible to allow them (rino/ukoehb/...) do hardfork with whatever patches they want 01:49:01 you have to be more clear with what you mean, why would koe do a hardfork? 01:49:32 that -dev meeting chosen path of arnuscky+ukoehb 01:49:46 ok it will happen on 13th august or whatever they've chosen 01:49:56 the next one when ? 01:50:14 "optimistically bulletproofs..." <- with all of this 01:52:45 if you are asking shorter than 6 months, no 01:52:53 optimistically 6 months, realistically 9 months 01:53:18 what's realistic delay for the upcoming hardfork then ? 01:53:26 * what's max realistic delay 01:54:11 selsta: do you know break down of this period ? 01:54:20 why there was delay this time? 01:54:53 selsta: no one was pushing for it, until people related to multisig started to push hardfork; are you about this delay ? 01:55:45 bp+ pr was unapproved for months 01:55:53 also a lot of PRs were unmerged before some push on merges, I didn't even reviewed them yet 01:56:10 unmerged? 01:56:29 probably the same as your unapproved for months 01:56:44 * PRs were unapproved/unreviewed/unmerged before 01:57:36 vtnerd wanted to review bp+, but then moved focus on multisig and then became unavailable for a bit 01:57:48 it took a while until we got other reviewers for bp+ 01:58:07 but also no one really pushed for it 02:11:32 what will determine delay of this hardfork ? 02:11:38 again crowd vote ? 02:12:15 I didn't see yet any situation when decision was takes exclusively with logic without any crowd 02:12:41 * ofrnxmr[m] uploaded an image: (261KiB) < https://libera.ems.host/_matrix/media/r0/download/monero.social/amFpSsRSskCAdNnEKNbKhfDD/Imagepipe_209.jpg > 02:12:49 Something like this 02:16:30 ooo123ooo1234567: You're referring to H. 02:18:16 ooo123ooo1234567: we already decided on delay today, August 13 02:19:05 the logic was... 1 month for everyone to upgrade, plus a couple days more to tag and put out release binaries 02:19:11 13th AUG - hf, release - ? 02:19:21 release 1 month before 02:19:30 with second release 1 week before 02:19:31 13th July ? 02:19:41 that's the plan, yes 02:19:55 second release 1 week before what ? 02:19:59 hf 02:20:10 what's the purpose of this release ? 02:20:27 * this release 1 week before hf? 02:20:52 hardware wallet changes that are not ready until first release, and also whatever fixes we find inbetween 02:22:29 why we ? does anybody is going to search for something ? 02:22:43 we = project 02:23:55 for example https://github.com/monero-project/monero/pull/8379 fixes a crash but i'm not sure if it gets reviewed in time for the first release 02:24:39 or the deadlock 02:30:17 "hardware wallet changes that are..." <- bulletproofs++ certainly not a fix 02:32:51 but how would you get bulletproofs++ ready in 3 weeks? 02:33:56 second release can't contain any consensus related changes unless it's an emergency 03:14:23 "but how would you get bulletproo..." <- with enough enthusiasm it's possible 03:38:33 Sometimes I don't know if I'm reading the same thousands of posts that I miss in a day or if my Alzheimer's is getting worse 03:39:25 cryptogrampy[m]: is it even possible to write code with Alzheimer ? 03:39:43 Did we hardfork already? What year is it and how many monero e-commerce solutions are there 03:40:16 ooo123ooo1234567: No I write everything in one of those drag and drop puzzle languages 03:40:33 I think it's called Scratch 03:40:47 is it layered sarcasm ? 03:40:53 * is it multi layered sarcasm ? 03:40:57 Compile to monero payment gateway 03:42:15 all of your sparring partners are sleeping ooo, you must recharge and prepare for battle again tomorrow 03:42:28 A young man named plowsof who works at my nursing home introduced me to this language. I had been spending hours and hours a day making puzzles and this kind gentleman introduced me to the computer puzzle coding language 03:42:45 And I will be forever grateful 03:43:39 fucking hilarious 03:44:19 plowsof: is it multi layered sarcasm or truth ? 03:44:50 bro you are a machine 03:44:53 just some jokes ooo 03:45:10 kinghat[m]: why ? 03:45:11 * cryptogrampy[m] uploaded an image: (31KiB) < https://libera.ems.host/_matrix/media/r0/download/monero.social/NzexauGQcWZPxuNPivLObIyt/1656647098307.jpg > 03:45:26 plz keep them coming. my brain needs it after reading that backlog. 03:45:42 puzzle factory 03:46:15 Upcoming monero payment gateway I'm prepping a ccs for: 03:46:19 * cryptogrampy[m] uploaded an image: (23KiB) < https://libera.ems.host/_matrix/media/r0/download/monero.social/yLoCmePvuGUurQbHusVFDDGK/1656647155136.jpg > 03:46:57 plowsof: is it at least old man behind that profile ? 03:47:04 or also just joke ? 03:47:57 I love you either way 03:48:11 Wait you're not my grandson 03:48:12 Where am i 03:48:23 cryptogrampy[m]: prolly going to waste a grip auditing this 🍝 03:49:05 I unironically may write something for node-red 03:49:31 i thought you didnt write anything in `node-red` 🤔 03:50:21 this is after hours -community (multi layered sarcastic / humour chat from people who should be sleeping) 03:51:26 i learned some Flash skills at school 03:51:26 * kinghat[m] recharging for battle 03:52:11 Oh you most certainly can write node-red nodes/flows 03:53:32 Just imagine a monero payment gateway node that no one uses that never gets finished. Could be huge 03:54:17 thanks for the laugh plowsof. im out ✌️ 03:54:19 If anyone has android/react native exp and wants to make a wallet, feel free to reach out btw 03:54:35 goodbye kinghat 👋 03:54:43 kinghat[m]: Goodnight king 03:55:47 look into tauri. should have mobile support in v2(they are working on it). 03:56:11 I <3 tauri 03:56:32 Been using it for a side project, I'm very happy with it 04:51:54 "1656647098307.jpg" <- Is this cryptogrampy or a friend? 10:15:36 ooo123ooo1234567: If I do the first implementation of an experimental protocol and it relies on an experimental proof, yes, of course I'm going to respect the author for not grandstanding and explicitly saying it should have formal review before being deployed .-. That's literally me taking your side on... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/f3cd621069fa7cff696a9bebbdb1f40024ea43fa) 10:16:23 Bah. Sent that with nicer spacing and Matrix removed it :( Regardless, sorry for the long message everyone, and I don't plan to keep this up here 10:47:09 Side note, basic swap was mentioned. It appears to be by Particl and they did a Python impl of the swap protocol back in the day. Their work now appears to be a continuation of it 10:49:36 At first sight, that looks promising, right? If they really deliver 10:56:50 I assume trades won't have fees, yet it'll run over Particl, a BTC fork, and have their TX fees :/ 10:57:22 Though I'm kinda just commenting on what generally happens when BTC forks launch DEXs. Still have to look a bit 10:58:54 Did not get the impression that Particl, the coin, will be involved. I understood all direct pairings of coins through true atomic swaps. But who really knows 10:59:12 ... yeah, no, this looks much better than I expected according to their blog post 10:59:27 :) 10:59:35 It is using Particl's, written as the project's, SMSG. I'm trying to confirm that's impermenant with no relation to Particl, the coin 11:00:10 I think they borrow some communication mechanism, but that can't hurt I would say 11:00:21 from the Particl code base 11:01:02 Ah, you say the same, that's "SMSG"? 11:01:31 Yup 11:02:43 https://particl.wiki/learn/marketplace/smsg/ 11:04:55 With this, if they can really get it off the ground, BTC-to-XMR atomic swaps suddenly would get a nice GUI 11:05:18 Right, and I don't see fees built into SMSG :) 11:05:28 Nice. Good for them. I'll try to review the code at some point 11:37:44 > <@kayabanerve:matrix.org> ooo123ooo1234567: If I do the first implementation of an experimental protocol and it relies on an experimental proof, yes, of course I'm going to respect the author for not grandstanding and explicitly saying it should have formal review before being deployed .-. That's... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/f2245699ef7d26062f1ad9b5e795351246511fa8) 11:38:23 it's for me 11:39:00 ... actually, no. CLSAG is proven IIRC. So is FROST. While multisig in Monero isn't FROST, the additive key share system is identical. The only distinction is how we generate keys, which isn't the discussion we're facing here. 11:39:40 *It's also identical to MuSig2 11:41:27 To be more specific, yes, Schnorr is linear. Simple fact of life. CLSAG is effectively Schnorr and... I do understand the signing process as a whole, regarding nonce handling, has differences and don't contest that. 11:41:33 I'm highlighting the simplicity and consistency for Schnorr though. 12:28:57 "... actually, no. CLSAG is..." <- ok, disagreement 12:31:02 "I'm offering my personal help, if we can at least talk things through, and you actually were wronged.", https://libera.monerologs.net/monero-dev/20220514#c94874, Do you agree that It was supposed to roll multisig as is without experimental flag before that meeting ? 12:31:11 yes/no ? 12:32:47 s/roll/release/ 12:35:10 The linked statement is from May 14. Opinions can and do develop, seems to me. 12:36:18 (after this msg https://libera.monerologs.net/monero-dev/20220507#c92669) 12:36:45 Yeah, I remember that :) 13:01:42 It's hard to say? The general agreement was multi sig had to be done but we were still discussing how to do it. Therefore, it wasn't necessarily without the experimental flag. Regardless, we agreed it should have one, so it's irrelevant to now 13:02:06 ok, another disagreement 13:02:17 Okay, do you have a point with this that leads to progress? 13:03:03 If this is us acknowledging our differences to clear the past, sure. If this is us acknowledging our differences so you can say we're different and you don't want to actually move forward together, I'll just head out now and save us the time 13:03:44 Because for some reason, I still try to work things out with you, despite all the ways you either tell or show me it's most likely pointless :/ 13:04:19 can you just honestly acknowledge without any conditionals ? 13:04:20 at least once 13:04:27 * honestly acknowledge or not without any 13:07:00 I've been in your position and I know you want these black and white answers. The issue is they don't necessarily exist 13:07:55 kayabanerve[m]: thanks 13:07:55 So sure, if you want an overly simplistic answer, at that point in time, yes, we had plans to release multi sig and didn't have plans to include the experimental label 13:08:07 It just ignores that as part of our plans for multisig the label was proposed and we adopted it since we were actively planning 13:08:25 kayabanerve[m]: would it possible to do that active planning without my replies ? 13:08:32 before May I was silent in public 13:08:47 I have no idea. I'm not a psychic 13:10:51 I waited few meetings to be sure that perspective is stable 13:20:14 "It just ignores that as part..." <- can you help me to find any public message before 14th May about such plans ? 13:20:30 s/14th/7th/ 13:20:56 "If this is us acknowledging..." <- "If this is us acknowledging our differences to clear the past, sure." yes, it's needed to move forward 13:21:09 Are you saying that the discussion you quoted actively discussing how to merge multisig isn't active planning? 13:21:37 I didn't say the label had been proposed yet. I said it was proposed when we were still planning 13:21:52 It's not acting in good faith to say we didn't plan to have the label we came up when planning 13:22:26 We were planning. It was a suggestion. We adopted it. It's part of the plan. Therefore, it's been planned 13:23:07 I couldn't care less when it came up with in the plans. I'd only chastise Monero if we rejected legitimately beneficial suggestions, delaying their inclusion in our plans. 13:23:52 And while you believe your suggestions are legitimately beneficial, most people do not, and I don't believe their inclusion is delayed. We'll get security proofs when we do. The distinction is we're not letting them be roadblocks leaving users critically insecure 13:26:01 I agree that even with knowledge about potential problem It's better to merge 8149 with experimental flag, rather than not at all 13:26:44 But was there any value in knowledge about potential problem and did it help to make a decision about experimental flag ? yes/no / 13:26:44 I am happy to hear that :) 13:26:54 I want to contribute a "wow" 13:27:17 I wanted to prevent failure, since I was somehow responsible for UkoeHB knowledge about that patch 13:27:20 I'll also know that we don't have knowledge about a potential problem, as in, there's a potential problem that may be an issue. We've been told there's potentially a problem with no evidence. We can't live our lives around that. 13:27:37 Though yes, I will note you have have the talent to find/disclose/fix such problems 13:28:30 ooo123ooo1234567: Honestly? I'd have to re-read the chat logs 13:28:48 kayabanerve[m]: It would be good 7th-14th May -dev 13:29:27 From my current understanding, key word being current and not historically accurate, I don't believe the community believes you actually have an exploitable issue in the multisig signing process beyond what we accept 13:30:10 Though we did just say "experimental" is planned to be kept until we have a formal specification AND review/proofs accordingly 13:30:38 So I'd note your insistence there regarding formal review likely did raise our opinion of it, though I'm unsure where our opinion would've been without you 13:30:45 Regardless, I do think you contributed there 13:31:04 I think it was mostly decision of UkoeHB based on private previous communication, but it can't be verified via public info 13:34:20 "I've been in your position and I..." <- regarding black and white, I'm operating with black/white always, not only during bug bounty process 13:34:25 is it the same for you or not ? 13:35:04 Initially the idea was to remove the experimental flag if the audit came back good. 13:35:04 Multisig was prioritized because, I assume, we thought it was fixed. 13:35:04 But the audit was sub par + rumors of an exploit (but no disclosure), so disabled and experimental stuck pending disclosure. 13:35:10 "I'm operating with black/white always" I have a hard time to believe that's a promising strategy long time, in the "real world". 13:35:18 > <@kayabanerve:matrix.org> I've been in your position and I know you want these black and white answers. The issue is they don't necessarily exist 13:35:18 * regarding black and white, I'm always operating in black/white terms, not only during bug bounty process 13:36:17 Uhhhhhhhhh there's an honest answer and a polite answer 13:36:40 In any case, communicating with a group of people in something like a black or white manner is a recipe for trouble 13:37:06 I don't care politeness mostly, it's either silent/ignore or honest reply from my side 13:37:06 I'll say I acknowledge that mindset and why, and wish it was possible 13:37:06 But it isn't 13:37:36 And that thankfully, that's something I've become more accepting of as I've grown as an individual 13:39:26 * don't care about politeness mostly, 13:41:19 Ah, well, I think we write quite politely here right now. Things probably only turn ugly if opinions differ widely. 13:45:51 "I don't care politeness mostly..." <- Being honest =/= being productive. You can be honest and play ping pong all day. Easier = being honest and to the point. Dont need to beat around the bush. 13:45:51 im not the only one who has been trying to tap into our psychic powers to figure out what you're trying to get across.. 13:46:12 "I agree that even with knowledge..." <- ^ when I read this, I almost thought "sarcasm?" 13:46:33 "From my current understanding..." <- https://github.com/monero-project/monero/pull/8328#issue-1236108836, "There are vulnerabilities in multisig protocol if the parties do not trust each other ..." this disclaimer doesn't credit the source of such danger, and at the same time even after audit it wasn't removed; 13:47:11 For me it's like choosing something between credit those who prevented failure and not merge and take responsibility for failure + audit + merge 13:47:13 "Ah, well, I think we write quite..." <- Idk, I said a few bad words last night :O Tired Kayaba loses their filter 13:47:41 ooo123ooo1234567: Moo wrote this PR in like 5 minutes 13:47:44 I don't like that I wasn't credited for that prevented failure, also was attacked and now even after audit experimental flag wasn't removed 13:47:57 Maybe, but the last 3 hours or so have been really refreshing, if you ask me 13:49:00 ooo123ooo1234567: Who do we credit? Anon? Ooo? 13:49:01 * + merge without experimental 13:50:09 "I don't like that I wasn't credited for that prevented failure" that's a clear and frank statement, something to work with. 13:50:27 These things can be easily fixed. Proper attributions etc. 13:50:35 I really don't think we have a culture and a problem of "not crediting" or not wanting to 13:51:52 ooo123ooo1234567: If you want to be credited, which I think you should have been asked about, I'd either go there now or ask mooo for such a correction 13:52:16 Looks like you came under the bus here, but not because of bad faith, I would say 13:52:27 ofrnxmr: It's called asking the discloser and honestly is just a basic sign of respect. While I understand being in a rush/being distracted, I will say it's always what people should do if possible 13:52:31 The moo PR was written after a meeting where it was decided to disabled it outright pending audit results. 13:52:31 I highly doubt there was any malicious intent. Moo just heard "disable multisig" and did it. 13:53:20 And I say that in response to the potentially-sarcastic "Who do we credit?" + providing a counterpoint to excusing mooo, though I won't say they shouldn't be excused 13:53:28 I'd assume it's an oversight 13:54:58 prevented failure -> 1 week -> merge 8149 with experimental flag -> audit in order to find undisclosed failure -> 13:55:10 and here I expected the following 13:55:19 kayabanerve[m]: This is all im saying. 13:55:19 Also with 8149, perfect daemon account would have the active pr. I feel perfect daemon deserves the credit due, 100%. 13:56:59 Well, as far as I know not *everything* that UkoeHB did after he took over the PR was mere cosmetics. So 100% of the credit for *8149* to ooo is probably a bit much 13:57:20 How about 95% :) 13:59:42 rbrunner: Dont remember the original PR # , but I was referring to if koe didnt resubmit the pr as 8149 it would still be [old pr] 14:01:52 Yes, I understood. But that "old pr" developed further, that's what I mean. And not just inserting a few empty lines for it to look more pretty. 14:01:59 Koe did a lot of work on the TX building process, actually 14:02:27 And before we misunderstand: We don't imply ooo would not have been able to do that as well. 14:02:51 They just did not, as things turned out. 14:03:16 ooo's PR does have a lot of the cleanups I appreciated. Just saying koe did a bit more than 5% 14:03:52 and then, AFAIK, the security of the two are mostly the same. I believe ooo's declared the transcript format used in 8149 I noted a transcript conflict in 14:04:21 Which was also in 8149. koe said they fixed it in 8149 though :p 14:04:30 what transcript conflict ? 14:06:09