leycec / raiagent

Third-party Gentoo overlay. Ride the Lagrangian point between awesomeness and volatile compounds.
32 stars 15 forks source link

Support for ZeroNet #101

Open rllola opened 3 years ago

rllola commented 3 years ago

Hi @leycec

I am looking at the issues you raised on the ZeroNet repo regarding maintenance. You mentioned Bump ZeroNet to support at least CPython 3.8 (but ideally CPython 3.9). where did you see the dependency on cpython 3.6 ?

leycec commented 3 years ago

Wow! Thanks so much for the interest in resurrecting ZeroNet-on-raiagent. ZeroNet had such game-changing potential to be a genuine clearnet web-hosting competitor – and then @HelloZeroNet disappeared, no other prominent developer stepped up to the plate, and the whole fragile edifice of cards collapsed.

Back to ZeroNet dependencies. The dependency on Python < 3.8 is, as far as I know, indirect. ZeroNet currently requires as mandatory runtime dependencies various other unmaintained pure-Python packages incompatible with Python >= 3.8. Specifically, dev-python/{merkletools,pysha3} are incompatible with Python >= 3.8 and, because both are unmaintained, there's no possibility of a sane fix. This means the only way to restore ZeroNet support on modern Linux distros is for someone who is not me to (in order):

  1. Fork ZeroNet. Let's call it OneNet.
  2. Drop the mandatory runtime dependencies on merkletools and pysha3 from OneNet.
  3. Manually merge the subset of the merkletools API required by OneNet into the OneNet codebase.
  4. Publish the first stable release of OneNet.
  5. ...
  6. Win all the Bitcoins. Of course, Bitcoin is literally physically destroying the entire world – so, Win all the Proof-of-Stake-based Etherium instead.

Make this happen, someone who is not me. Since there's not much I can do here, I'll probably reluctantly close this in a few days. I feel bad about that sort of thing, so I'll leave this open for a bit on the off-hand chance anyone has substantially better ideas than me about this. </sigh>

rllola commented 3 years ago

I don't have plan to maintain a fork of ZeroNet and don't worry Tamas is coming back after summer.

I see someone from the community as already fix merkletools but they won't publish a new package on pypi. I guess we can integrate the functions needed to the base code so we won't have dependency on third party lib.

If it is the only thing that is required it should be doable.

leycec commented 3 years ago

Yup! That's it. It's definitely doable – but it also needs someone with HelloZeroNet/ZeroNet push access to merge those pull requests. If Tamas really is making a triumphant comeback in the autumn, Halloween can't come soon enough. :japanese_ogre:

As soon as ZeroNet fixes itself and pushes out a new stable release, I'll joyously restore the net-vpn/zeronet package back to this overlay. Let's leave this feature request open for a few months and see what happens.

rllola commented 3 years ago

sweet! That's sounds good to me.

purplesyringa commented 3 years ago

I am never going to work with you @p2p-publisher. I may look into the merkletree/pysha3 problem nevertheless if you all think it'd be useful.

ghost commented 3 years ago

:rofl: https://github.com/tenacityteam/tenacity/issues/93#issuecomment-877136664

Back then I wasn't even completely aware of free software, I'm a completely different person freedom wise now.

I'm teaching you how to become a person who standing against censorship. You should be thankful. Without me you wouldn't be the person you're today.

purplesyringa commented 3 years ago

I am one of those who has been defending RMS from the moment rms-open-letter was written, I did a lot as a volunteer to help rms-support-letter become maintainable list, not a mess, and I did everything I could to help people learn the truth and get help those who know the truth voice their opinion. Cancel culture is what helped me figure out what I really dislike and become the one I am today. Not you.

purplesyringa commented 3 years ago

My views have changed. I am truly sorry that I ignored you back then. I apologize to everyone whom I convinced to prefer Lax licenses over free licenses.

ghost commented 3 years ago

Apology accepted Ivan. :smile: :hugs:

rllola commented 3 years ago

Hey @p2p-publisher dude. I don't want to fight. If I have upset you in anyway I am sorry. If you want to exchange on how to improve ZeroNet that's sounds great. Let's just keep it friendly, ok?

purplesyringa commented 3 years ago

and you even in this topic waiting "after the summer" like Jesus returns or something

Tamas told me in private he's probably going to return after summer

purplesyringa commented 3 years ago

What's the change log compared to Tamas's latest version?

purplesyringa commented 3 years ago

It'd be great if you could make one and I didn't have to read the whole codebase :)

purplesyringa commented 3 years ago

I'm watching your *real time" domain registry for a while...

Name.YO you mean? I'm wondering if the backend is still up & running, I'll take a look. I'd love to make it distributed but that would probably require either getting a trusted group of developers running it (which is probably possible) or using a blockchain or using some zero-knowledge proof magic. My order of preference is 3 1 2 but unfortunately I'm too dumb to build something clever based on zkp at the moment.

purplesyringa commented 3 years ago

Modifications, like default ports, key-type to ed25519.... the .bit domain registry (I did not pushed the updater folder) in this fork nothing is called zero*, no zeroframe... nothing zero... the logo is temporary a Bitcoin logo... better timestamps allowing to use timezones apart from epoch... frame-ancestors used for sandboxing...

Not to get offensive but that mostly sounds like rebranding and some minor changes. In this case I'd prefer to unite with @geekless (cc) and other people who tried to fork ZeroNet.

rllola commented 3 years ago

If I may guys, let's leave this issue and move the discussion somewhere else. Better minimize the spamming. I am also interested in hearing what you guys are working on and see how I can help but I don't want to bother @leycec much more.

purplesyringa commented 3 years ago

@imachug is a great guy, I like him very much! but @rllola... @rllola has too much to lose with any fork.. she wanna just save herself.

You have been saying the exact opposite for months, now don't rotate by 180 degrees please

leycec commented 3 years ago

Oh... wow. This blew up overnight in the most negative way possible, which I didn't think was even possible, because the discussion at HelloZeroNet/ZeroNet#2749 was already trending towards vitriolic and nonsensical diatribe.

On the one hand, I get it. We all feel passionate about darknets in general and ZeroNet in specific or we wouldn't be here. On the other hand, this issue has devolved into a flash-mob scrum of hateful invective and incendiary grenades.

Not cool, guys. I'm a hair's width away from closing and locking this issue. Please don't make me do that, because I don't even have any hair anymore. I'm bald! Play nice and we can keep this open. Continue yelling at each other and I'll shut this down faster than Putin can frolic with dolphins. And Putin can frolic with dolphins very fast.

Kusoneko commented 3 years ago
6. **Win all the Bitcoins.** Of course, [Bitcoin is _literally_ physically destroying the entire world](https://www.newyorker.com/news/daily-comment/why-bitcoin-is-bad-for-the-environment) – so, **Win all the [Proof-of-Stake-based Etherium](https://ethereum.org/en/developers/docs/consensus-mechanisms/pos)** instead.

I would actually recommend using a privacy-friendly crypto like XMR instead of bitcoin if anyone was gonna fork it to use a different crypto as a backend, reason being that practically every crypto fails at the one main task of a currency, which is to keep transactions private and anonymous as much as possible. On both bitcoin and ethereum, you can actually see any money flow, so it's kinda pointless. Means that any government agency that somehow knows you bought either of these 2 at X time can literally follow where you're spending it with no issue whatsoever. I'm not implying that a government agency would waste it's time following monetary transfers of random nobodies, but at the same time, it's objectively better if the government can't do it at all than trust that you're not on some random watchlist where they're following each and every single transaction you make.

caryoscelus commented 2 years ago

hey all , i found your repo browsing old ZeroNet issues and wanted to let y'all know that we at zeronet-conservancy are actively maintaining and developing 0net with ambitious plans to gradually (without losing data) move on to a more secure, transparent and performant codebase

and to show my good intentions i'll mention (however i might dislike their development & community management style) there's an alternative fork as well . i encourage you to do your own research ;)

leycec commented 2 years ago

Well, colour me shocked. There are now two active ZeroNet forks that actively hate each other's stinking and festering guts. Welcome to being human, everyone!

I love me some public GitHub drama, though. Please entice me to support your well-intended fork over the other guys. Specifically, please do my research for me by explaining why the other guys are bad and deserve just punishment:

however i might dislike their development & community management style

It's that bad, isn't it?

caryoscelus commented 2 years ago

Specifically, please do my research for me by explaining why the other guys are bad and deserve just punishment:

i have to politely decline , because that would defeat the point (which is that you should make properly informed decision on matter of security) and waste my time . there are open sources , like 0net forums , wikipedia , commit messages and github discussions and reddit . fortunately you don't even have to open webarchive

i don't like drama so if that's what you're looking for , please find it elsewhere (it's easy to get into one on 0net itself over any issue whatsoever , feel free to join!)

leycec commented 2 years ago

Look. I was being facetious when I politely requested drama. I dropped the /s tag implying sarcasm, because that should have been obvious. Nobody sane really wants drama, right? That includes me. Ain't nobody got time for drama queens on GitHub. We're all trying to perform productive work here – and I frankly have more pressing projects that demand my urgent attention on a daily basis.

I was hoping you'd at least defend your fork, however. For me, this isn't a matter of security so much as it is future-proofing. ZeroNet died, so why do you believe your fork will fare any better? There are two competing projects here. I can't reasonably support both. So, I need to predict the winner. Will yours survive the gruelling test of time and ultimately pummel the other guy into submission? I don't know – but I want you to convince me that you do.

If you can't be bothered to do at least that, I can't be bothered to revive our ZeroNet ebuild to support your fork. Show us all that you care, that you promise you know what you're doing, and that you believe in the righteous justice of your hard work.

Kusoneko commented 2 years ago

I hate to agree with someone asking for drama, however I had a quick look at both repos and didn't see any drama or disagreements that would explain a split, and I'm not about to spend time setting up zeronet again after all this time just to get on the zeronet forums to see the reasons behind the split, so I have to agree that you should at the very least provide links to wherever is the most easily accessible location where the disagreements are located. While this issue is specific to ZeroNet, this repo isn't and you're dumping work onto us to decide which one is better, which tbqh, another solution would be to simply put both in under whatever their new repo names are, so even then, there's not much reason to actually go and look for the reasons of the split ourselves.

caryoscelus commented 2 years ago

Nobody sane really wants drama, right? That includes me

well , we didn't exactly know each other prior and there are a lot of people who are less than sane and yet participate in development

I was hoping you'd at least defend your fork, however. For me, this isn't a matter of security so much as it is future-proofing. ZeroNet died, so why do you believe your fork will fare any better? There are two competing projects here. I can't reasonably support both. So, I need to predict the winner. Will yours survive the gruelling test of time and ultimately pummel the other guy into submission? I don't know – but I want you to convince me that you do.

FWIW , we might be headed to hard-fork sooner or later with potentially a long time of projects co-existing with diverged audience and the win will only be measured by who has a larger userbase

one of the core reasons why my fork even exists is because i have actual personal stakes on survival of 0net . for a long time it was the only place i've published my music and videos and still is the only place where i publish my manga . i never really wanted to get into the mess of 0net code – which is why my fork didn't emerge immediately upon @shortcutme leaving the project . i just really need the project to sustain my ability to host my stuff until we develop a better (somewhat compatible) alternative p2p , because i just really don't like going back to relying on single points of failure of centralized web . i've just had an unpleasant situation of poorly configured bot shadowbanning my messages where i was genuinely trying to help out a couple days ago . if i hate anything , it's not that other fork , it's this

now that doesn't answer the question how my fork is/will be better , only why i believe it'll survive . on that note : i have been around 0net for years and i know how it doesn't fully deliver on decentralization premise . the whole time an essential network service was completely centralized (which has no became a bottleneck for newcoming users) . my solution is to remove dependence on that service , giving users control of how they want to choose between legit and malicious identities . the other fork seems to intend to revive alternative (more distributed) system to alleviate the immediate problem , but that will still keep users tied to decisions made by "site-owners" (the whole concept i deem obsolete) rather than users themselves . that's just one example

i also can't say that much of the other project because it didn't promise anything specific rather than maintaining 0net at the beginning and switching to mysterious decentnet later on (this is ironically one point where both projects agree : at some point the project should (r)evolve into a better solution written pretty much from scratch) ; and then apparently reviving a rust rewrite of 0net ; but i don't specifically follow their developments

While this issue is specific to ZeroNet, this repo isn't and you're dumping work onto us to decide which one is better

i'm not asking to decide which is better . i merely ask you to do the responsible maintainer's job of making sure their users are secure . if you deem both projects secure , that is your decision to make

you should at the very least provide links to wherever is the most easily accessible location where the disagreements are located

well, here's my recent explanation of how my fork came to be : https://www.reddit.com/r/zeronet/comments/uj4gmo/comment/i7pthm5/?utm_source=share&utm_medium=web2x&context=3

caryoscelus commented 2 years ago

and to add more directly historical links:

https://en.wikipedia.org/w/index.php?title=ZeroNet&oldid=1058301316

http://web.archive.org/web/20211202181147/https://zeronet.dev/

emdee-net commented 2 years ago

@leycec I understand where you are coming from, but at the same time, reviving a potential game-changer like ZeroNet is worthwhile, and a gentoo ebuild will really help. There are no problems installing as a venv with python3.9 in a current gentoo and pysha3 is no longer in the list of requirements.

@caryoscelus maybe it would help if you could tryout a setup.py like https://github.com/radfish/ZeroNet/blob/setuptools/setup.py and then you can relax the venv requirement and it will be easier to package as an ebuild.

@leycec I'm independent of the forked forks, and am leaning to helping the zeronet-conservancy fork, but because this is an ebuild, it would not shock me if more than one fork could be supported with a simple USE flag, if they both (all) used more or less the same setup.py if it came to that. It may just come down to changing the download URL but let's leave that for later.

Could I suggest that @caryoscelus checks in and tests out a setup.py , and if @leycec builds a branch/version, I can test it. I assume the ebuild didn't require a setup.py before, but would be make things easier if it was there.

Maybe you can update the list of requirements to update them and soften them where possible. Currently on Gentoo: msgpack = 1.0.4 gevent = 21.12.0 rsa = 4.8 dev-python/websocket-client = 1.3.3 dev-python/pyasn1 = 1.4.8 dev-python/rich = 12.5.1 dev-python/coincurve = 15.0.0 dev-python/maxminddb = 1.5.2 dev-python/defusedxml = 0.7.1 dev-python/pyaes = 1.6.1

emdee-net commented 2 years ago

I've had a a little time to evaluate 2 of the forks and I'd definitely stay away from https://github.com/zeronet-conservancy/zeronet-conservancy/. He plans on taking an infinite amount of time to rewrite from scratch a Python application into a theorem proving language that nobody knows, or uses, because he thinks JS is a dead language https://github.com/zeronet-conservancy/zeronet-conservancy/issues/6 . Sounds like a surefire recipe to bifurcate and stall development on a project.

I pinged another fork which has some of the original developers to get them to add a setup.py for you, and we can see if they respond https://github.com/zeronet-enhanced/ZeroNet/issues/13 It also runs in a venv on a current Gentoo and has the huge advantage of a maintained changelog https://github.com/zeronet-enhanced/ZeroNet/blob/massive-rework/ZNE-ChangeLog/ChangeLog-0.8.0.md which could go into the ebuild as DOC. No idea if the build and tests are passing on travis, as the badges are wrong.

caryoscelus commented 2 years ago

to anyone concerned : zeronet-enhanced developer have been missing around 0net ever since publishing their fork . some of the work done there is being ported into zeronet-conservancy . i will look at setup.py as soon as i have a moment to or hopefully someone else on the team or outside contributor can do that

emdee-net commented 2 years ago

It's worse than I thought: there's another fork at ZeroNetX/ZeroNet that a normal git clone is broken by default - it moved the plugins to a separate repository without using submodules, and there is core functionality in the plugins.

So you have 4 forks: one that plans on taking an infinite amount of time to rewrite from scratch a Python application into a theorem proving language that nobody knows, one that is broken by design, one that has no issue tracker, and one that dumped massive changes and walked away - serial abandonware. And no trace of the creator except a Ted talk that is not in front of an audience.

And it looks like there may be a RCE capable CVE in all code up until some of the recent forks, included in the executables pointed to by the main web site, a site nobody but the "creator" seems to have write access to.

This smells.

leycec commented 2 years ago

Wowza! ZeroNet resurrection blew up while I wasn't looking. I'm fully on-board with reviving ZeroNet on Gentoo – assuming that some sort of anarchic community consensus can convince me there is a worthwhile, well-maintained, and reasonably secure ZeroNet fork.

Notably, this still concerns me:

I'd definitely stay away from https://github.com/zeronet-conservancy/zeronet-conservancy/. He plans on taking an infinite amount of time to rewrite from scratch a Python application into a theorem proving language that nobody knows, or uses, because he thinks JS is a dead language https://github.com/zeronet-conservancy/zeronet-conservancy/issues/6 . Sounds like a surefire recipe to bifurcate and stall development on a project.

Yes. Absolutely. Are you me, @emdee-net? Because you sound like me.

I stumbled headlong into the same discussion and thought to myself: "Nah, I'm good. Let's never touch this with a ten-foot spent plutonium rod." That 99-year plan isn't just "concerning"; it's genuine cray-cray territory that makes me question the collective sanity of the human race. ...yet again :face_exhaling:

@zeronet-conservancy: you are right out.

zeronet-enhanced developer have been missing around 0net ever since publishing their fork .

Oh, Gods.

some of the work done there is https://github.com/zeronet-conservancy/zeronet-conservancy/pull/122 into zeronet-conservancy .

Oh, Gods.

there's another fork at ZeroNetX/ZeroNet that a normal git clone is broken by default

Oh, Gods.

And it looks like there may be a RCE capable CVE in all code up until some of the recent forks, included in the executables pointed to by the main web site, a site nobody but the "creator" seems to have write access to.

OH, GODS!!!

At least we can still publicly chuckle about this, everyone:

And no trace of the creator except a Ted talk that is not in front of an audience.

...I didn't know that was even a thing. TIL, but I kinda wish I didn't.

caryoscelus commented 2 years ago

i'm literally marveling at these interactions inside what people perceive is "open-source community" and i'm now a little more understanding about people who stay away from FLOSS movement altogether . like people not only not believing in software freedoms or open source being workably open , they also act exactly the same as in proprietary world except instead of altogether different software a nasty argument can also be had about forks of all things . all the same "brand" , "ownership" , "personality" bullshit . it's disappointing and sad , but

thanks everyone envolved , TIL and it's a good lesson ^_^

leycec commented 2 years ago

We are human. We are frail; we are flawed; we taint everything we touch with the faint stink of ego, attention-seeking, and self-aggrandizement. It's just humans doing human things – myself included.

Ideological justifications underpin most of what we do here, of course. Many of us do fundamentally believe in freedom-as-in-beer-and-or-speech. But some of us only do open-source for shameless self-promotion and social media branding. A few of us even do both! :raising_hand:

Tech interviews now encourage link-dropping public GitHub and StackOverflow profiles on resumes. After all, what better way to get lots of humans to know and like you than to just give away all the awesome stuff you make for free?

...back to ZeroNet

This issue will eventually resolve itself. Everyone wants ZeroNet to be well-maintained and working – enough to donate piles of crypto to whatever open-source dev is willing to make that happen. Therefore, some open-source dev will make that happen.

The hype is there. The money is there. Trust in the power of greed humanity. :money_mouth_face:

emdee-net commented 2 years ago

I;m not so sure that Zeronet will resolve itself: in the case of merkletools someone would have to replace it as it is known to be vulnerable to attacking-merkle-trees-with-a-second-preimage-attack - see https://github.com/Tierion/pymerkletools/issues/13#issuecomment-471181413 They never did update the README to disclose this.

So not only is Zeronet itself vulnerable (RCE), one of its requirements is vulnerable.

caryoscelus commented 2 years ago

@emdee-net please kindly file separate issue(s) on merkletools vulnerability in affected repositories so that interested parties can asses and fix it

emdee-net commented 1 year ago

And no trace of the creator except a Ted talk that is not in front of an audience.

...I didn't know that was even a thing. TIL, but I kinda wish I didn't.

@leycec I don't think that there is such a thing, yet it's on a TED site ... which makes me think the whole thing stinks.

To top it off: <more than bold caps> Although the RCE was discussed on github and ZeroNet, none of the developers of any of these forks filed a CVE (AFAIK despite me pushing for it) with the CVE vulnerable exe still downloadable from zeronet.io </more than bold caps>.