papacarp / pooltool.io

A public repo to keep track of issues and feature requests in pooltool

short commit hash implementation at https://pooltool.io/networkhealth #174

Closed paradoxicalsphere closed 1 year ago

paradoxicalsphere commented 1 year ago

Is there a security vulnerability in using (or is it just displaying?) a five-character short commit hash for Cardano Node software versions in use on the Cardano mainnet network at https://pooltool.io/networkhealth

GitHub seems clear that the (apparently unique?) short commit hash is a seven-character hash https://github.com/marketplace/actions/commit-hash

Could you not adjust your pie chart to display seven characters? Unless you are the CIA, FBI or military, if you know that the GitHub short commit hash is seven characters, then why would you create a pie chart displaying only five characters, knowing that the data a five-character pie chart displays about customization of open source Cardano Node software currently in use in production is no measure of security? Was that decision stupid or malicious?

So, if I were a malicious actor and I knew that PoolTool only tested the first five characters of a GitHub commit hash, then I would work to create a malicious code commit, and then add a bunch of crap text or whatever to the commit until the first five characters in the commit hash matched the commit hash of an official Cardano Node release. Then, I would run the modified code on mainnet undetected, and possibly share the commit with other malicious actors. How do you know such an issue is not in place and occurring on mainnet RIGHT NOW, and may have been going on and slowly growing over time, for a long time?

I would also recommend expanding the data available at https://pooltool.io/networkhealth to include all environments listed at https://book.world.dev.cardano.org/environments.html. Having TWO testing environments one step away from production become unstable within the period of a couple of months should be a MAJOR red flag that mainnet is vulnerable. No one seems to be scrambling to make improvements proactively or trying to understand what really may be going on with respect to the ongoing instabilities, other than blaming the official software (which I would trust much more than any customized and untested crap that some yahoo may decide to deploy and share with fellow yahoos).

If you are testing seven or more characters of the commit hash and only displaying five characters at https://pooltool.io/networkhealth in the pie chart displaying Cardano Node software customization data, then there is probably no security vulnerability there. HOWEVER, IN THAT CASE YOU ARE WASTING MY TIME BECAUSE I AM FORCED TO WRITE UP THIS ISSUE.

COULD YOU PLEASE CLARIFY WHETHER YOU ARE COMPETENT ON https://pooltool.io/networkhealth BECAUSE THERE ARE CERTAINLY ACTORS IN THE CARDANO TECHNICAL COMMUNITY WHO ARE EITHER STUPID OR MALICIOUS. HAVING TOO MANY OF THOSE AT ANY POINT IN TIME WILL CRASH THE NETWORK, EITHER ACCIDENTALLY OR PURPOSEFULLY, RESPECTIVELY.

I AM CURRENTLY NOT VERY CONFIDENT ABOUT CARDANO'S ABILITY TO WITHSTAND STUPID AND MALICIOUS ACTORS INDEFINITELY BECAUSE OF THE EVIDENCE OF TESTNETS CONTINUING TO BECOME UNRECOVERABLY UNSTABLE BEFORE, DURING AND NOW AFTER THE MOST RECENT HARD FORK(S).

papacarp commented 1 year ago

1) Version hashes are voluntarily reported. They could report anything they want, and there is no way to independently verify what version of code they are running.
2) The pie chart is leftover from situations in the past where we had small variations in node code on the same node revision. That rarely happens anymore now that the node releases are more stable.
3) At this point I keep the chart around because it illustrates how many SPOs are probably running their own version of the node. By matching (even the first 5 characters) you can easily see if it's probably a publicly released version or something they tweaked. If they tweaked it, why would they do that? That IS a good question to ask. I know some SPOs compile versions to try to optimize for their CPU environments, but others may be tweaking the code further to change mempool or combine leaders together. If they were doing it for malicious purposes, they probably wouldn't report to us in the first place anyway.
4) BTW, a full commit hash looks something like this: 36cc4ef5f4739e81620bfd6e57e8b9f6306396e8, so as you can see it's neither 5 nor 7 characters long. 5 characters fits better in the small space allowed by the pie chart.
5) Regarding ADA's ability to deal with malicious or stupid actors, this is not the forum to deal with that. I'd recommend you bring that up in the Cardano forums or similar so there can be a community-wide dialog about it.
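The exchange above turns on whether a reported version hash is compared on its full 40-character commit id or only on a short prefix. The following is an added example, not PoolTool's own code, showing a defender-side check: classify voluntarily reported hashes against a constructed table of known release ids (the `36cc4ef5...` value is the one quoted in the thread; the second entry and all reported samples are made up), and report how many distinct prefixes a 5- or 7-character match actually distinguishes.

```python
# Added example, not PoolTool's own code: check a voluntarily reported
# cardano-node version hash against known release commit ids using the full
# 40-character hash, and show how small a 5- or 7-character prefix space is.
from collections import Counter

FULL_LEN = 40  # a git (SHA-1) commit id is 160 bits, i.e. 40 hex characters
HEX = set("0123456789abcdef")

# Constructed sample table: the first entry is the example hash quoted in the
# thread, the second is made up. Neither is claimed to be a real release.
KNOWN_RELEASES = {
    "36cc4ef5f4739e81620bfd6e57e8b9f6306396e8": "release-A",
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678": "release-B",
}

def prefix_space(prefix_len):
    """Distinct hex prefixes of this length: 16 ** n (5 -> ~1M, 7 -> ~268M)."""
    return 16 ** prefix_len

def classify(reported, known=KNOWN_RELEASES, prefix_len=5):
    """Label one reported hash:
    official     the full 40-char hash is in the release table
    prefix-only  full hash given, but only its first prefix_len chars match a
                 release: a custom build (or, far less likely, a collision)
    truncated    only a short prefix was reported, so it cannot be verified
    unknown      no release shares the prefix;  invalid: not a hex string
    """
    r = reported.strip().lower()
    if not r or any(c not in HEX for c in r):
        return "invalid"
    if len(r) == FULL_LEN and r in known:
        return "official"
    if not any(full.startswith(r[:prefix_len]) for full in known):
        return "unknown"
    return "prefix-only" if len(r) == FULL_LEN else "truncated"

def tally(reports, **kw):
    """Counts per label: the numbers a chart like PoolTool's would plot."""
    return dict(Counter(classify(r, **kw) for r in reports))

if __name__ == "__main__":
    # Constructed reports: an exact release, a full hash sharing only the
    # 5-char prefix, a bare prefix, an unrelated hash and a garbage value.
    sample = ["36cc4ef5f4739e81620bfd6e57e8b9f6306396e8",
              "36cc4e" + "0" * 32 + "ff", "36cc4", "f" * 40, "not-a-hash"]
    for r in sample:
        print(f"{r:40s} -> {classify(r)}")
    print(tally(sample), "distinct 5-char prefixes:", prefix_space(5))
```

Because reports are voluntary, even a full-hash match only says the reported value equals a release id, not that the node binary was built from it; the check narrows what a chart can claim, it does not attest the software.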

paradoxicalsphere commented 1 year ago

Thank you Mike.

Great job on PoolTool

Oliver

From: Mike
Sent: Friday, November 11, 2022 7:43 AM
To: papacarp/pooltool.io
Cc: Paradoxical Sphere; Author
Subject: Re: [papacarp/pooltool.io] short commit hash implementation at https://pooltool.io/networkhealth (Issue #174)