00:15:47 (reposting from #monero-community) I need everyone's thoughts on this (one at a time please). I would like the new CCS website to require JavaScript on the client. I have two choices: either we ship no JavaScript, which means on-demand rendering and a JavaScript runtime on the server, or we statically build the site and use embedded JavaScript for loading up-to-date information:
00:15:48 - The first permits supporting Safest level Tor Browser and has generally always been seen as a requirement. The current CCS website implements SSR because it's PHP.
00:15:50 - The latter is incompatible with Safest level. However, this would eliminate the need for a JavaScript runtime, reduce attack surface, make things 20x faster and use 50x less memory, because we are just serving static assets and clients do the job of fetching information.
00:15:52 Do you think such a regression should be accepted? Yes? No? Why?
02:38:28 Require JS. There's no need to fearmonger.
03:12:15 I think if all the base functionality works without JavaScript, but you have to refresh manually for client-side updates, that should be fine for most.
03:13:16 I browse the net without JS but I also don't have the expectation of a super flashy dynamic UI.
03:16:42 Eh, it can be a real threat. Firefox this past year had a free-after-use RCE vulnerability with animations that was avoided if you didn't enable JS.
03:18:01 *use-after-free lol
03:49:36 getmonero dot org has no JS, why does a new CCS site need it?
03:51:14 What is the reasoning behind a new CCS site?
03:54:02 None
10:23:21 <321bob321:monero.social> Nfi
12:08:59 nioc: the new CCS website will have many UX/UI and process improvements; this will streamline and make CCS "proper". We need JavaScript because we will require a new backend that is exposing an API. The current one is PHP/MySQL and does not need that, because the PHP is connected to MySQL and just does its job locally.
12:13:21 jeffro256: I get the fear of exploitation with JS, and I won't undermine it (I'm using a VM for this purpose). But like, the website will be open source, community based, it's not shady, so I wouldn't worry. Unless there are reasons I missed that would make people find the Monero website sus.
13:01:47 Again, when both the getmonero and CCS websites were created there was discussion about using JS and it was determined that the risk it presented did not justify its use. What has changed in the past 10 years to make this no longer so?
13:02:14 I was not involved in the decision
13:02:51 Diego Salazar
13:08:46 without any relative reasoning as to why. I think we've had enough time to understand that it only makes sense to use Safest on unknown or untrusted websites. Why would someone think the CCS website would exploit them...
13:21:46 Do not that we've hosted malicious binaries in the past
13:23:35 Note*
13:34:44 what?
13:39:24 Some naughty guys put their own binaries on getmonero
13:39:35 how?
13:40:18 Fluffy says after looking into it, physical access to the box is most plausible
13:40:52 💀
13:43:44 Certs expiring is enough stress :)
13:47:32 ACME exists
13:47:55 Sounds like a script! Shows fangs
14:01:48 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680
14:01:50 Can be mitigated by secure coding and CSP. There's no need to disable JS altogether.
14:03:07 > secure coding.
14:03:08 > firefox
14:03:10 * proceeds to laugh extensively *
14:03:21 you are right tho
14:03:44 Secure coding as in don't write shit JS that is prone to XSS. Which isn't difficult.
14:07:09 Sounds like you need to go out of your way to make it insecure anyway https://astro.build/blog/astro-023/#automatic-xss-protection
14:09:14 For the actual user-controlled input like proposals etc., if you continue using GitLab for that, it already does filtering against XSS in markdown and other formats.
14:11:45 We're solely talking about the informative frontend here; I haven't made my choice yet on how people are going to write proposals and discuss. I would like to make a whole new web app for that and sunset GitLab use, but I need to think about it.
14:14:29 I don't care about JS fear on the "app" part for people to write, because they would already need to go over GitLab for that and it requires JavaScript.
14:17:27 I think it's better to not depend on GitLab for proposals and actually spend time on making an independent platform. Can implement SSO logins for GitLab and GitHub to make life easier.
14:21:40 Firefox has critical vulnerabilities each year, GitLab has them biweekly :D
14:22:59 Ok, I think I'll focus on the design for now. The new backend will be mandatory. Once I make people drool they might find it easier to accept the need for JavaScript
16:17:40 or at least be a matter of discussion
16:17:54 (yes I'm taking my time to finish my sentence, don't judge me)
16:19:40 I could either A) disable JS or B) audit Firefox's entire codebase myself, making sure to find zero-days before they happen. I think I'll do A lol
16:20:36 jeffro256: would you pardon me if the CCS website required JavaScript?
16:39:15 Required for which actions specifically?
16:39:42 Required for seeing the CCS proposals altogether
16:41:00 Idk..... Why not e.g. a simple PHP list renderer?
16:41:31 No JS required on the client, no advanced runtime on the server
16:41:57 Simple implementation
16:43:02 There is nothing simple about PHP aside from the fact that it is a failure. They are battling their own runtime to break through 1000 req/s while Node.js, the worst JS runtime on earth, can handle 15000 req/s. Also making a PHP backend that is secure is awfully hard.
16:43:50 Okay fine node.js the
16:43:53 *then
16:43:58 I was just using PHP as an example
16:44:10 Could be Rust, Python, etc.
16:44:16 Anything
16:44:51 Something that does small modifications to HTML content before returning the request
16:45:38 I thought about using a Jinja-like templating system for on-demand rendering on a Rust backend. It's not impossible but it makes things really hard from a web dev pov.
16:45:55 I don't exclude the option
16:46:27 I got that you don't want client JavaScript 👍️
16:47:10 Which backend are you using now? Something completely static?
16:47:40 If you're doing funding updates, then there must be *some* live component somewhere in there
16:48:02 If you talk backend backend (database/API) I have nothing right now. I'll make it in Rust. As for the backend frontend (the thing that serves pages) it's Astrojs at the moment
16:48:25 of course
16:48:42 That's where all the dilemma is. I can't just have a CI rebuilding the entire website from scratch every 20 minutes
16:50:36 Why would you be rebuilding the entire website every 20 minutes?
16:51:20 workaround for both not serving through a JavaScript runtime and having """up to date""" information
16:51:50 up to date as in 20 minutes + time of compilation delay
16:52:42 Like CI will run a wallet itself and check that the server returns the correct number of funds for a given proposal?
16:54:00 no no. like a cron job running like a zombie every 20 minutes statically generating the whole website with information from the backend at compile time. The backend is updated in real time.
16:54:21 but the frontend needs to be regenerated for users
16:54:27 that's a shitty workaround
16:55:05 Huh? With dynamic rendering you don't need to rebuild anything. You just serve the same page with modifications
16:55:25 Why would the backend need modification in real-time?
16:55:47 It ostensibly has some database (or it fetches information from somewhere) and fills it in
16:55:57 No need to modify any code or static content
16:56:31 forget it
16:57:03 You're right, on-demand rendering is a solution
16:57:13 but I find the tradeoff not worth it
16:57:34 forget it (I was almost joking with my cron job idea)
16:58:02 What's the tradeoff? Dev time?
17:00:51 If we use Astro SSR: we rely on a JS runtime, get shitty performance (20k req/s), use gigabytes of memory, and are exposed to V8 JIT memory corruption vulns.
17:00:52 If we use a templating system: we can resolve those performance and attack surface issues, but maintenance would be awfully horrible. Migrating would be pain, adding features/pages/fixing would be pain. I'm not exaggerating btw, Gitea/Forgejo are using Go templates and that's why they absolutely do not want to touch the UI part, it's a mess.
17:02:59 and that's where the "If we drop support for the 1% Safest level users all these issues would be gone" comes from
17:03:54 One advantage I have with SSG and embedding JavaScript is that I can autogenerate subresource integrity and CSP, so if someone starts tampering with them your browser would reject it
17:40:36 The CVE is about the CSS animation frame directives, so I assume since you're so paranoid, you'll be disabling CSS too? Not all RCE is XSS related.
17:42:00 tbf Safest level disables CSS animations
17:42:21 and the vuln couldn't be exploited without JS
17:43:22 That's not for certain
17:43:55 Which is fine. What kind of CSS animations are you planning to have anyway. None.
17:45:38 a lot
17:45:47 A LOT
17:46:56 Animations as in not transitions or not :hover etc.
17:47:29 The CVE is about animation keyframes, which is really niche https://developer.mozilla.org/en-US/docs/Web/CSS/@keyframes
17:49:09 all three, a lot
17:49:18 transform, transitions, keyframes, hover etc.
17:49:44 Keyframes? What the fuck are you making?
17:50:18 the website CCS deserves 😏
17:50:49 They deserve down the gutter
17:51:50 And you're making something unnecessarily bloated unless it looks majestic, and from the screenshots it does not
17:56:46 *"Haters are going to hate regardless"*
17:56:48 - a redditor whose name I forgot
17:58:01 I hope you know what variable fonts are
17:58:11 Because Montserrat has one and you should prefer it
18:08:06 I don't understand exactly what you are doing Siren? Rambling to show your knowledge?
18:10:00 You are free to disagree with my work and way of working. But "They deserve down the gutter" and "I hope you know what variable fonts are" is a majestic tantrum
18:11:06 I hope you are just baiting and I didn't understand, because this looks bad
18:11:30 Jeez ofrn, wtf
18:12:22 Sorry sorry syn
18:12:48 Np. We're used to it
18:31:18 I'm drinking beer and chatting. Didn't mean to trigger you, but your username displays "Montserrat-Regular Google fonts gang" to me in this room.
18:31:51 So yeah change your name to Montserrat-Variable[wght] right now
18:32:58 all fine, I missed the sarcasm
18:33:17 Ah
18:33:25 Matrix issues ig
18:34:39 This is a tantrum: I do not like the CCS and they don't deserve your free dev hours implementing a proper project with access control not relying on GitLab.
18:35:04 The website being open source doesn't matter that much, you can always serve other client code. If they are used to not having JS and suddenly see the website not functioning properly, they start to worry.
18:35:23 You're better off operating it yourself or as Cuprate. I do have a problem with you handing it off back to the very same corrupt people.
18:37:25 You know, I'm not doing it for free. Either they accept some very strict conditions to improve CCS (this includes strict transparency) or they'll have to pay a big sum of money. I can't operate it as Cuprate though because it might just turn into another Kuno, and this would require consensus with Cuprate members.
But yeah I also thought the first C of CCS could be Cuprate
18:39:53 I don't trust them to improve. That's the very reason I donate to Cuprate.
18:52:51 I also get the idea that if you submitted this as a proposal they would never fund you no matter how necessary. Because they never fund useful stuff other than certain core dev work; the rest is family and friends scamming.
19:02:03 <321bob321:monero.social> Has core rejected anything in CCS? That the community wanted?
19:02:38 <321bob321:monero.social> The overfunding location is a joke
19:02:41 https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/464
19:02:43 <321bob321:monero.social> That I know
19:03:37 <321bob321:monero.social> No one wanted that
19:04:53 Metronero was red-taped til it was closed, despite like 100% upvotes
19:05:08 exact same time mj was paid and movie was merged
19:07:18 rules only apply to non-scammers
19:08:27 My own proposal, Metronero yes.
19:09:25 Qtip CCS wasn't closed when the community almost unanimously voted to close it. Instead devs were procured and time wasted to review the work to determine if Qtip should be paid regardless of the obvious issues (and consensus) warranting closure
19:10:42 u freeross?
19:10:58 rando.
"metronero"
19:11:07 oh, yes
19:11:10 devs and third-parties*
19:11:53 Wasted tonnes of resources on an ant
19:12:45 I mean at the end all I want is that it benefits the community or that I get money out of it, so feel free to provoke a revolution by forking the CCS altogether from core if you guys feel like it
19:12:46 https://github.com/metronero will want to change the link, https://moneropay.eu/metronero/ does not exist
19:14:02 <321bob321:monero.social> Nothing won't change
19:14:09 <321bob321:monero.social> Look at jet fund
19:14:15 <321bob321:monero.social> Classic example
19:14:33 <321bob321:monero.social> One dev to develop functional multisig
19:14:43 Fr ^. We're adding notes to CCS and reducing amounts instead of moving the $ out of GENERALFUND
19:15:14 Why is the jetfund in generalfund? Why are we paying devs out of the CCS wallet if the funds are in the general fund?
19:15:22 blasphemous
19:16:38 <321bob321:monero.social> Even Cuprate had pushback
19:17:42 We do a lot to please the overlords who can't even do a transparency report or send jeffro his $ in less than 4 weeks (sometimes)
19:17:53 expert witnesses were asked to confirm accusations against kewbit. I'm not sure tonnes of time was wasted for initial feedback
19:18:18 <321bob321:monero.social> Waiting on Woodser I think?
19:18:20 It wastes no less than like 200 combined community hours
19:18:45 it was a simple "close" and then we had to deal with his spam and nonsense for another like 3 weeks
19:19:31 as with any accusation that should gain enough traction, they need to be confirmed via expert witnesses.
19:20:04 syn spent a good amount of time compiling a historical account of his actions, including dates and times of when he registered domains, posted impersonation attempts, requested funds, what was / wasn't checked
19:20:09 Wtf is an expert witness?
19:20:13 It's all public
19:20:41 Whether his code worked or not is irrelevant when you're a bad actor and we're not your employer AND you raised 0 XMR
19:20:56 It's not like he had ANY donors that we are accountable to
19:21:30 an expert witness is required to confirm accusations. I should hope the same process is followed for any other facing such heinous accusations
19:21:53 accusations of codeberg.org/HavenoDEX
19:21:55 Or haveno.com?
19:22:03 Bro, click links -> confirmed
19:22:07 r/whoops
19:22:16 my kitten is an expert witness
19:22:27 Anybody with internet can confirm
19:22:49 mobile wallet devs / developers and such who can make a judgement call on the code written.
19:23:15 You're referring to whether the code was functional or AI drivel. Pointless
19:23:28 I repeat: we're not his employer, owe him nothing, owe donors nothing.
19:23:30 Bad actor > goodbye
19:23:42 Nobody cares about the code
19:24:10 Why would we fund someone to attack us? Fuck the code
19:25:11 <321bob321:monero.social> Main witness
19:25:29 the ONLY time it would be controversial would be if he raised the $ and donors had donated to his initiative. He didn't, and they didn't.
19:27:19 A lot of people care about a mobile Haveno app; if the code is indeed AI drivel, or quality / partly done work that another team can bootstrap, even better. Sadly that seems to not be the case
19:27:59 0 people donated to a Haveno app CCS
19:28:12 Unrelated: do we have "an official" illustrator in the community?
19:28:14 Z e r o
19:28:47 Gnuteardrops and anhdres
19:28:52 And vost
19:29:01 thx
19:29:07 I think rottenwheel is an illustrator also
19:29:19 really?
19:29:27 rottenwheel: you hide your talent pretty well
19:29:31 dumbass
19:29:50 Wow.
19:29:52 Rude.
19:29:55 Vost = videos
19:29:56 Gnuteardrops = release icon etc.
19:29:58 anhdres = a few things, like the community icon
19:30:03 Unacceptable. I resign.
19:30:18 is Gnuteardrops on Matrix or IRC?
19:30:40 Matrix, but not really...
They don't check often. Gotta do email, old-school, my friend.
19:30:45 https://monero.graphics/
19:30:52 [@vostoemisio:matrix.org](https://matrix.to/#/@vostoemisio:matrix.org)
19:30:59 gnuteardrops
19:31:19 @user2570:unredacted.org too!
19:31:25 thx you two, I'll contact them when needed
19:32:13 are we going to throw a transparency report party soon?
19:32:29 I'll believe it when I see it
19:32:45 when they "come clean" 😆
19:32:49 What's up!
19:32:50 I've been sooned for 9 months already
19:33:01 detherminal
19:33:19 Syn asked who the official illustrator of Monero is
19:33:23 plowsof wen CCS mergeathon instead ser?
19:33:53 Some kitty was asking for our "official illustrator", another opportunity for the CIA...
19:34:12 I'm working on a new CCS website and was looking for an illustrator if needed
19:34:14 Meeeeoooowww.
19:34:47 Cool, I'll DM you
19:35:25 this soon is sooner though. and @monero better be excited
19:36:02 CCS merges are overdue yes
19:36:07 First transparency report, then CCS!?
19:36:24 That taller Italian Mario knockoff...
19:36:36 Ser muh famiglia.
19:37:36 don't worry, the backend will implement a Twitter bot
19:37:49 no need to rely on @monero for relaying CCS proposals
19:40:20 first RSS feed.
19:40:46 plowsof understood
19:42:57 and then everything else https://github.com/caronc/apprise
19:43:42 python though 😔
19:52:04 😔
20:30:30 What about phyton?
20:46:14 Python and PHP result in unmaintainable slop
20:46:39 I said phyton tho :P
20:47:51 <321bob321:monero.social> Rotten twats that
20:47:57 <321bob321:monero.social> From monerospace
20:49:02 Announces to all of his non-followers every time he tweets too
20:55:34 <321bob321:monero.social> Would be nice if monero tweeted about CCS and not other stuff
20:56:02 <321bob321:monero.social> It's keystone to the adoption of Monero!
21:00:45 We're excited to announce that Cuprate has been syncing the full #Monero blockchain in ~4 hours! This will benefit users of low power devices, e.g. CakeWallet users who may soon be able to use a Cup-Cake DOT com rust only FULL node wallet 🍰 🍰 Have your CAKE and Cupr-eat'i-D 🥞
21:01:17 🚀🚀🚀🚀🚀🥞🥞🥞🥞🥞🥞.
21:02:46 will the whales like and use the new CCS site?
21:03:00 only question needed
21:03:17 idk, they don't particularly like hanging out here
21:06:01 <321bob321:monero.social> Well it is ESG compliant, so safe for whales
21:08:04 objection your honour, pure speculation
21:18:15 Cake never responded
21:19:06 Cupcake release -> Cake forcefully turned on the trusted node toggle for existing users -> Cake transfers privacy-harming data to the node when using Cupcake
21:20:10 Idk why they did this instead of just telling users that "Cupcake won't work w/o a trusted node, disclaimer: the node will gain knowledge of your owned outputs"
21:20:53 Outputs is light years ahead of braindead newbies who don't understand how tf a cryptocurrency works.
21:21:01 It's because of people like you that the fall is gonna fall
21:21:06 #JusticeForVikSharma
21:21:11 #AllTheMoneyToCake
21:21:15 #CakeDiDNothingWrong
21:21:28 Cake did lol
21:21:30 the world is gonna fall*
21:21:54 That's the plan! Are you with me??
21:21:59 YES
21:23:20 I don't understand how a cryptocurrency works, but I do know that quietly leaking owned outputs isn't a good idea when promoting a "safer" alternative
21:23:38 Especially when the wallet doesn't have cert pinning
21:24:17 It SHOULD check for the trusted toggle on _any_ node that the user selects, and prompt to enable it to allow Cupcake to function
21:24:32 we should rename this channel #monero-rant
21:24:54 do we have a monero-ofrn yet?
I mean, monero-rant
21:25:31 tbf, I commented quietly on the repo where the code was added
21:25:53 And tbf tbf, it was pointed out to me by multiple ppl
21:27:11 And tbf tbf tbf, when Cake added the trusted toggle years ago, it was explicitly disabled by default (opt-in) due to understanding about weakened privacy
21:28:28 Switching it for existing users is just another one of those wth moments. Cutting corners, and leaving UX gaps (users who use any other node aside from Cake's. Even Cake's onion)
21:29:02 Rant over. I'm blaming plowsof for bringing up Cupcake and blaming Cake for ignoring me
22:38:46 My apologies