<s​yntheticbird:monero.social> (reposting from #monero-community) I need everyone thoughts on this (one at a time please). I would like the new CCS website to require javascript on client. I have two choices, either we ship no javascript, which means on-demand rendering and a javascript runtime on server. Or we statically build the site and use embedded javascript for loading up to date informations:

<s​yntheticbird:monero.social> - The first permit to support Safest level Tor Browser and have generally always been seen as a requirement. Current CCS website implement SSR because it's PHP.

<s​yntheticbird:monero.social> - The latter is incompatible with Safest level. However, this would eliminate the need for a javascript runtime, reduce attack surface, make things 20x faster and 50x less memory usage, because we are just serving static assets and clients do the job of fetching information.

<s​yntheticbird:monero.social> Do you think such regression should be accepted? Yes? No? Why?

<s​iren:kernal.eu> Require JS. There's no need to fearmonger.

<j​effro256:monero.social> I think if all the base functionality works without JavaScript, but you have to refresh manually for client side updates , that should be fine for most

<j​effro256:monero.social> I browse the net without JS but I also don't have the expectation of super flashy dynamic Ui

<j​effro256:monero.social> Eh it can be real threat. Firefox this past year had a free-after-use RCE vulnerability with animations that was avoided if you didn't enable JS

<j​effro256:monero.social> *use-after-free lol

getmonero dot org has no JS, why does a new CCS site need it?

what is the resoning behind a new CCS site?

<o​frnxmr:xmr.mx> None

<3​21bob321:monero.social> Nfi

<s​yntheticbird:monero.social> nioc: new CCS website will have many UX/UI and process improvements, this will streamline and make CCS "proper". We need javascript because we will require a new backend that is exposing an API. Current one is PHP/MySQL and do not need that, because the PHP is connected to MySQL and just do its job locally.

<s​yntheticbird:monero.social> jeffro256: I get the fear of exploitation with js, and I won't undermine it (I'm using a VM for this purpose). But like, the website will be open source, community based, it's not shady, so I wouldn't worry. Unless there are reasons i missed that would make people find the monero website sus.

again, when both the getmonero and CCS websites were created there was discussion about using JS and it was determined that the risk it presented did not justify its use. What has changed in the past 10 years to make this no longer so?

I was not involved in the decision

<o​frnxmr:xmr.mx> Diego Salazar

<s​yntheticbird:monero.social> without any relative reasoning onto why. I think we had enough time to understand that it only make sense to use Safest on unknown or untrusted website. Why would someone think the CCS website would exploit them...

Do not that we've hosted malicious binaries in the past

Note*

<s​yntheticbird:monero.social> what?

Some naughty guys put their own binaries on getmonero

<s​yntheticbird:monero.social> how?

Fluffy says after looking into it, physical access to the box is most plausible

<s​yntheticbird:monero.social> 💀

Certs expiring is enough stress :)

<s​yntheticbird:monero.social> ACME exist

Sounds like a script! Shows fangs

<s​iren:kernal.eu> cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680

<s​iren:kernal.eu> Can be mitigated by secure coding and CSP. There's no need to disable JS altogether.

<s​yntheticbird:monero.social> > secure coding.

<s​yntheticbird:monero.social> > firefox

<s​yntheticbird:monero.social> \* proceed to laugh extensively \*

<s​yntheticbird:monero.social> you are right tho

<s​iren:kernal.eu> Secure coding as in don't write shit JS that is prone to XSS. Which isn't difficult.

<s​iren:kernal.eu> Sounds like you need to go out of your way to make it insecure anyway astro.build/blog/astro-023/#automatic-xss-protection

<s​iren:kernal.eu> For the actual user controlled input like proposals etc, if you continue using GitLab for that, it already does filtering against XSS in markdown and other formats.

<s​yntheticbird:monero.social> We're solely talking about informative frontend here, I haven't made my choice yet on how people are going to write proposals and discuss. I would like to make a whole new web app for that and sunset gitlab use, but i need to think about it.

<s​yntheticbird:monero.social> I don't care about js fear on the "app" part for people to write because they would already need to go over gitlab for that and it requries javascript.

<s​yntheticbird:monero.social> I don't care about js fear on the "app" part for people to write because they would already need to go over gitlab for that and it requires javascript.

<s​iren:kernal.eu> I think it's better to not depend on GitLab for proposals and actually spend time on making an independent platform. Can implement SSO logins for GitLab and GitHub to make life easier.

<s​iren:kernal.eu> Firefox has critical vulnerabilities each year, GitLab has them biweekly :D

<s​yntheticbird:monero.social> Ok I think i'll focus on the design for now. The new backend will be mandatory. Once I make people drool they might find it easier to accept the need for javascript

<s​yntheticbird:monero.social> or at least be matter of discussion

<s​yntheticbird:monero.social> (yes im taking my time to finish my sentence dont judge me)

<j​effro256:monero.social> I could either A) disable JS or B) audit Firefox's entire codebase myself, making sure to find zero-days before they happen. I think I'll do A lol

<s​yntheticbird:monero.social> jeffro256: would you pardon me if CCS website required javascript?

<j​effro256:monero.social> Required for which actions specifically?

<s​yntheticbird:monero.social> Required for seeing the CCS proposals altogether

<j​effro256:monero.social> Idk..... Why not e.g. a simple PHP list renderer ?

<j​effro256:monero.social> Not JS required on client, no advanced runtime on the server

<j​effro256:monero.social> Simple implementation

<s​yntheticbird:monero.social> There is nothing simple aobut PHP aside that it is a failure. They are battling their own runtime to break through the 1000 req/s while nodejs the worst js runtime on earth can handle 15000 req/s. Also making a PHP backend that is secure is awfully hard.

<j​effro256:monero.social> Okay fine node.js the

<j​effro256:monero.social> *then

<j​effro256:monero.social> I was just using PHP as an example

<j​effro256:monero.social> Could be Rust, Python, etc

<j​effro256:monero.social> Anything

<j​effro256:monero.social> Something that does small modifications to HTML content before returning the request

<s​yntheticbird:monero.social> I thought about using jinja like templating system for on-demand rendering on rust backend. It's not impossible but it make things really hard from a web dev pov.

<s​yntheticbird:monero.social> I don't exclude the option

<s​yntheticbird:monero.social> i got that you don't want client javascript 👍️

<j​effro256:monero.social> Which backend are you using now? Something completely static?

<j​effro256:monero.social> If you're doing funding updates, then there must be *some* live component somewhere in there

<s​yntheticbird:monero.social> if you talk backend backend (database/api) I have nothing right now. I'll make it in Rust. As for backend frontend (the thing that serve pages) it's Astrojs at the moment

<s​yntheticbird:monero.social> of course

<s​yntheticbird:monero.social> thats where is all the dillema. I can't just have a CI rebuilding the entire website from scratch every 20 minutes

<j​effro256:monero.social> Why would you be rebuilding the entire website every 20 minutes?

<s​yntheticbird:monero.social> work around for both not serving through a javascript runtime and have """up to date""" informations

<s​yntheticbird:monero.social> up to date as 20 minutes + time of compilation delay

<j​effro256:monero.social> Like CI will run a wallet itself and check that the server returns the correct number of funds for a given proposal?

<s​yntheticbird:monero.social> no no. like a cron job running like a zombie every 20 minute statically generating the whole website with information from backend at compile time. The backend is updated in real time.

<s​yntheticbird:monero.social> but the frontend needs to be regenerated for users

<s​yntheticbird:monero.social> that's a shitty workaround

<j​effro256:monero.social> Huh? With dynamic rendering you don't need to rebuild anything. You just serve the same page with modifications

<j​effro256:monero.social> Why would the backend need modification in real-time?

<j​effro256:monero.social> It ostensibly has some database (or it fetches information from somewhere) and fills it in

<j​effro256:monero.social> No need to modify any code or static content

<s​yntheticbird:monero.social> forget it

<s​yntheticbird:monero.social> You're right on-demand rendering is a solution

<s​yntheticbird:monero.social> but i find the tradeoff not worth it

<s​yntheticbird:monero.social> forget it (I was almost joking with my cron job idea)

<j​effro256:monero.social> What's the tradeoff ? Dev time ?

<s​yntheticbird:monero.social> If we use Astro SSR: we rely on a js runtime, got shitty performance (20k req/s), uses gigabytes of memory, are exposed to V8 JIT memory corruption vulns.

<s​yntheticbird:monero.social> If we use Templating system: we can resolve that performance and attack surface issues, but maintenance would be awfully horrible. Migrating would be pain, adding features/pages/fixing would be pain. I'm not exaggerating btw, Gitea/Forgejo are using Go templates and that's why they absolutely do not want to touch the UI part, it's a mess.

<s​yntheticbird:monero.social> and thats where comes the "If we drop support for the 1% Safest level users all these issues would be gone"

<s​yntheticbird:monero.social> One advantage I have with SSG and embedding javascript is that I can autogenerate subresource integrity and CSP so if someone start tempering with them you browser would reject it

<s​iren:kernal.eu> The CVE is about the CSS animation frame directives, so I assume since you're so paranoid, you'll be disabling CSS too? Not all RCE is XSS related.

<s​yntheticbird:monero.social> tbf Safest level disable CSS animations

<s​yntheticbird:monero.social> and the vuln couldn't be triggered without js

<s​yntheticbird:monero.social> and the vuln couldn't be exploited without js

<s​iren:kernal.eu> That's not for certain

<s​iren:kernal.eu> Which is fine. What kind of CSS animations are you planning to have anyway. None.

<s​yntheticbird:monero.social> a lot

<s​yntheticbird:monero.social> A LOT

<s​iren:kernal.eu> Animations as in not transitions or not :hover etc.

<s​iren:kernal.eu> The cve is about animation keyframes, which is really niche developer.mozilla.org/en-US/docs/Web/CSS/@keyframes

<s​yntheticbird:monero.social> all the three, a lot

<s​yntheticbird:monero.social> transform, transitions, keyframes, hover etc

<s​iren:kernal.eu> Keyframes? What the fuck are you making?

<s​yntheticbird:monero.social> the website ccs deserve 😏

<s​iren:kernal.eu> They deserve down the gutter

<s​iren:kernal.eu> And you're making something unnecessarily bloated unless it looks majestic and from the screenshots it does not

<s​yntheticbird:monero.social> *"Haters are going to hate regardless"*

<s​yntheticbird:monero.social> - a redditor i forgot the name

<s​iren:kernal.eu> I hope you know what variable fonts are

<s​iren:kernal.eu> Because Montserrat has one and you should prefer it

<s​yntheticbird:monero.social> I don't understand exactly what you are doing Siren? Rambling to show your knowledge?

<s​yntheticbird:monero.social> You are free to disagree on my work and way to work. But "They deserve down the gutter" and "I hope you know what variable fonts are" is a majestic tantrum

<s​yntheticbird:monero.social> I hope you are just baiting and I didn't understand, because this looks bad

<o​frnxmr:xmr.mx> Jeez ofrn, wtf

<s​yntheticbird:monero.social> Sorry sorry syn

<o​frnxmr:xmr.mx> Np. We're used to it

<s​iren:kernal.eu> I'm drinking beer and chatting. Didn't mean to trigger you but your username displays "Montserrat-Regular Google fonts gang" to me in this room.

<s​iren:kernal.eu> So yeah change your name to Montserrat-Variable[wght] right now

<s​yntheticbird:monero.social> all fine, i missed the sarcasm

<s​iren:kernal.eu> Ah

<s​iren:kernal.eu> Matrix issues ig

<s​iren:kernal.eu> This is a tantrum, I do not like the CCS and they don't deserve your free dev hours implementing a proper project with access control not relying on GitLab.

<b​asses:matrix.org> website being open source doesn't matter that much, you can always serve another client code. If they are used to not have JS and suddenly see website not functionting probably, they start to worry.

<s​iren:kernal.eu> You're better off operating it yourself or as Cuprate. I do have a problem with you handing it off back to the very same corrupt people.

<s​yntheticbird:monero.social> You know, im not doing it for free. Either they accept some very strict condition to improve CCS (this include strict transparency) or they'll have to pay a big some of money. I can't operate it as Cuprate tho because it might just turn into another Kuno, and this would require consensus with cuprate members. But yeah I also thought the first C of CCS could be Cuprate

<s​iren:kernal.eu> I don't trust them to improve. That's the very reason I donate to Cuprate.

<s​iren:kernal.eu> I also get the idea that if you submitted this as a proposal they would never fund you no matter how necessary. Because they never fund useful stuff other than certain core dev work, the rest is family and friends scamming.

<3​21bob321:monero.social> Has core rejected anything in CCS ? That community wanted ?

<3​21bob321:monero.social> The over funding location is a joke

<b​asses:matrix.org> repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/464

<3​21bob321:monero.social> That I know

<3​21bob321:monero.social> No one wanted that

<o​frnxmr:xmr.mx> Metronero was red taped til it was closed, despite like 100% upvotes

<o​frnxmr:xmr.mx> exact same time mj was was paid and movie was merged

<o​frnxmr:xmr.mx> rules only apply to non-scammers

<s​iren:kernal.eu> My own proposal, Metronero yes.

<o​frnxmr:xmr.mx> Qtip ccs wasnt closed when community almost unamiously voted to close it. Instead devs were procured and time wasted to review the work to determine if qtip should be paid regardless of the obvious issues (and consensus) warranting closure

<b​asses:matrix.org> u freeross?

<o​frnxmr:xmr.mx> rando. "metronero"

<b​asses:matrix.org> oh, yes

<s​yntheticbird:monero.social> devs and third-parties*

<o​frnxmr:xmr.mx> Wasted tonnes of resources on an ant

<b​asses:matrix.org> github.com/metronero will want to change the link moneropay.eu/metronero broken

<s​yntheticbird:monero.social> I mean at thend all I want is that it benefits the community or that I get money out of it so feel free to provoke a revolution by forking the CCS altogether from core if you guys feel like it

<b​asses:matrix.org> github.com/metronero will want to change the link moneropay.eu/metronero not exists

<3​21bob321:monero.social> Nothing won't change

<3​21bob321:monero.social> Look at jet fund

<3​21bob321:monero.social> Classic example

<3​21bob321:monero.social> One dev to develop functional multi sig

<o​frnxmr:xmr.mx> Fr ^. Were adding noted to ccs and reducing amounts instead of moving the $ out of GENERALFUND

<o​frnxmr:xmr.mx> Why is the jetfund in generalfund? Why are we paying devs out of CCS wallet if the funds are in general fund?

<o​frnxmr:xmr.mx> blasphemous

<3​21bob321:monero.social> Even cuprate had push back

<o​frnxmr:xmr.mx> We do a lot to please the overlords who cant even do a transparency report or send jeffro his $ in less than 4 weeks (sometimes)

expert witnesses where asked to confirm accusations against kewbit. im not sure tonnes of time was wasted for initial feedback

<3​21bob321:monero.social> Waiting on Woodser I think ?

<o​frnxmr:xmr.mx> It wastes no less than like 200 combined community hours

<o​frnxmr:xmr.mx> it was a simple "close" and then we had to deal with his spam and nonsense for another like 3 weeks

as with any accusation that shuld gain enough traction, they need to be confirmed via expert witnesses.

<o​frnxmr:xmr.mx> syn spent a good amount of time compiling a historical account of his actions, including dates and times of when he registered domains, posted impersonation attempts, requested funds, what was / wasnt checked

<o​frnxmr:xmr.mx> Wtf js an expert witness?

<o​frnxmr:xmr.mx> Its all public

<o​frnxmr:xmr.mx> Whether his code worked or not is irrelevant when you're a bad actor and were not your employer AND you raised 0 xmr

<o​frnxmr:xmr.mx> Its not like he had ANY donors that we are accountable to

an expert witness is required to confirm accusations. i should hope the same process is followed for any other facing such heinous accusations

<o​frnxmr:xmr.mx> accusations of codeberg.org/HavenoDEX

<o​frnxmr:xmr.mx> Or haveno.com?

<o​frnxmr:xmr.mx> Bro, click links -> confirmed

<s​yntheticbird:monero.social> r/whoops

<o​frnxmr:xmr.mx> my kitten is an expert witness

<o​frnxmr:xmr.mx> Anybody with internet can confirm

mobile wallet devs / developers and such who can make a judgement call on the code written.

<o​frnxmr:xmr.mx> Youre referring to whether the code was functional or ai drivel. pointless

<o​frnxmr:xmr.mx> i repeat: were not his employer, owe him nothing, owe donors nothing.

<o​frnxmr:xmr.mx> Bad actor > good bye

<o​frnxmr:xmr.mx> Nobody cares about the code

<o​frnxmr:xmr.mx> Why would we fund someone to attack us? Fuck the code

<3​21bob321:monero.social> Main witness

<o​frnxmr:xmr.mx> the ONLY time it would be controversial, would be if he raised the $ and donors had donated to his initiative. He didnt, and they didnt.

alot of people care about a mobile haveno app, if the code is indeed ai drivel, or, quality / partly done work that another team can bootstrap, even better. sadly that seems to not be the case

<o​frnxmr:xmr.mx> 0 people donated to a haveno app ccs

<s​yntheticbird:monero.social> Unrelated: Do we have "an official" illustrator in the community ?

<o​frnxmr:xmr.mx> Z e r o

<o​frnxmr:xmr.mx> Gnuteardrops and anhdres

<o​frnxmr:xmr.mx> And vost

<s​yntheticbird:monero.social> thx

i think rottenwheel is an illustrator also

<s​yntheticbird:monero.social> really?

<s​yntheticbird:monero.social> rottenwheel: you hide your talent pretty well

<s​yntheticbird:monero.social> dumbass

<r​ottenwheel:unredacted.org> Wow.

<r​ottenwheel:unredacted.org> Rude.

<o​frnxmr:xmr.mx> Vost = videos

<o​frnxmr:xmr.mx> Gnuteardrops = release icon etc

<o​frnxmr:xmr.mx> anhdres = a few things, like the community icon

<r​ottenwheel:unredacted.org> Unacceptable. I resign.

<s​yntheticbird:monero.social> is Gnuteardrops on matrix or irc ?

<r​ottenwheel:unredacted.org> Matrix, but not really... They don't check often. Gotta do email, old-school, my friend.

<r​ottenwheel:unredacted.org> [@vostoemisio:matrix.org](https://matrix.to/#/@vostoemisio:matrix.org)

<o​frnxmr:xmr.mx> gnuteardrops

<r​ottenwheel:unredacted.org> @user2570:unredacted.org too!

<s​yntheticbird:monero.social> thx you two, i'll contact them when needed

are we going to throw a transparency report party soon?

<o​frnxmr:xmr.mx> I'll believe it when i see it

when they "come clean" 😆

<v​ostoemisio:matrix.org> What's up!

<o​frnxmr:xmr.mx> Ive been sooned for 9 months already

<o​frnxmr:xmr.mx> detherminal

<o​frnxmr:xmr.mx> Syn asked who the official illustrator of monero is

<r​ottenwheel:unredacted.org> plowsof wen CCS mergeathon instead ser?

<r​ottenwheel:unredacted.org> Some kitty was asking for our "official illustrator", another opportunity for the CIA...

<s​yntheticbird:monero.social> I'm working on a new CCS website and was looking for an illustrator when needed

<s​yntheticbird:monero.social> I'm working on a new CCS website and was looking for an illustrator if needed

<r​ottenwheel:unredacted.org> Meeeeoooowww.

<v​ostoemisio:matrix.org> Cool, I'll DM you

this soon is sooner though. and @monero better be excited

CCS merges are over due yes

<r​ottenwheel:unredacted.org> First transparency report than CCS!?

<r​ottenwheel:unredacted.org> That taller Italian Mario knockoff...

<r​ottenwheel:unredacted.org> Ser muh famiglia.

<s​yntheticbird:monero.social> don't worry backend will implement a twitter bot

<s​yntheticbird:monero.social> no need to rely on @monero for relaying CCS proposals

first RSS feed.

<s​yntheticbird:monero.social> plowsof understood

and then everything else github.com/caronc/apprise

python though 😔

<s​yntheticbird:monero.social> 😔

<o​frnxmr:xmr.mx> What about phyton?

<s​iren:kernal.eu> Python and PHP result in unmaintainable slop

<o​frnxmr:xmr.mx> I said phyton tho :P

<3​21bob321:monero.social> Rotten twats that

<3​21bob321:monero.social> From monerospace

<o​frnxmr:xmr.mx> Announces to all of his non-followers everytime he tweets too

<3​21bob321:monero.social> Would be nice if monero tweeted about ccs and not other stuff

<3​21bob321:monero.social> Its keystone to the adoption of monero !

We're excited to announce that Cuprate has been syncing the full #Monero blockchain in ~4 hours! This will benefit users of low power devices e.g. CakeWallet users who may soon be able to use a Cup-Cake DOT com rust only FULL node wallet 🍰 🍰 Have your CAKE and Cupr-eat'i-D 🥞

<s​yntheticbird:monero.social> 🚀🚀🚀🚀🚀🥞🥞🥞🥞🥞🥞.

will the whales like and use the new CCS site?

only question needed

<s​yntheticbird:monero.social> idk, they don't particularly like hanging out here

<3​21bob321:monero.social> Well it is esg compliant, so safe for whales

objection your honour, pure speculation

<o​frnxmr:xmr.mx> Cake never responded

<o​frnxmr:xmr.mx> Cupcake release -> cake forcefully turned on trusted node toggle for existing users -> cake transfers privacy harming data to node when using cupcake

<o​frnxmr:xmr.mx> Idk why they did this instead of just telling users that "cupcake won't work w/o a trusted node, disclaimer: the node will gain knowledge of your owned outputs"

<s​yntheticbird:monero.social> outputs is light years ahead of braindead newbies who don't understand how tf a cryptocurrency work.

<s​yntheticbird:monero.social> This is because of people like you that the fall is gonna fall

<s​yntheticbird:monero.social> #JusticeForVikSharma

<s​yntheticbird:monero.social> #AllTheMoneyToCake

<s​yntheticbird:monero.social> #CakeDiDNothingWrong

<o​frnxmr:xmr.mx> cake did lol

<s​yntheticbird:monero.social> the world is gonna fall*

<o​frnxmr:xmr.mx> That's the plan! are you with me??

<s​yntheticbird:monero.social> YES

<o​frnxmr:xmr.mx> I dont understand how a cryptocurrency works, but i do know that quietly leaking owned outputs isnt a good idea when promoting a "safer" alternative

<o​frnxmr:xmr.mx> Especially when the wallet doesnt have cert pinning

<o​frnxmr:xmr.mx> it SHOULD check for trusted toggle on _any_ node that the user selects, and prompt to enable it to allow cupcake to function

<s​yntheticbird:monero.social> we should rename this channel #monero-rant

<o​frnxmr:xmr.mx> do we have a monero-ofrn yet? I mean, monero-rant

<o​frnxmr:xmr.mx> tbf, i commented quietly on the repo where the code was added

<o​frnxmr:xmr.mx> And tbf tbf, it was pointed out to me by multiple ppl

<o​frnxmr:xmr.mx> And tbf tbf tbf, when cake added the trusted toggle years ago, it was explicitly disabled by default (opt-in) due to understanding about weakened privacy

<o​frnxmr:xmr.mx> Switching it for existing users is just another one of those wth moments. cutting corners, and leaving UX gaps (users who who any other node aside from cake's. Even cakes onion)

<o​frnxmr:xmr.mx> Rant over. im blaming plowsof for bringing up cupcake and blaming cake for ignoring me

My apologies