[Ready to be merged] Peer-to-peer applications #1430
IRC test: 1FEL2HhvS48m8SsAPcuyo7irf7J9Ebx449.zip Create a new site, upload those files, sign&publish and call others to open the site on their computers. Chat without limitations :) |
@HelloZeroNet Need your advice. Currently messages are broadcasted to any ~5 peers (or whatever the developer chooses). But those 5 peers may not have And here is the question: is it secure enough to add |
@imachug is it preferable to have a system ping, system pong after you select your possible peers, you send systemping(with noreboradcast) to each peer(s), wait for their ping, ideally the peers will refresh every hour or some interval since things might change |
Some things not done yet:
|
Updated IRC |
also the IP: |
I hope this plugin will be embedded to ZeroNet via this PR, so soon you won't need |
@imachug I've just added it as an option to my installer! Download the new version here. |
@krixano Thank you! |
A better IRC site for tests: |
Also, here's the address for handy sake: http://127.0.0.1:43110/1DdBX7wzwEaAEuEVQgYpMDhGCmXMXy9W6t/ |
Also, I keep getting "not connected to anyone" using that address |
@HelloZeroNet If you are by any chance reading this, please reply to #1430 (comment) |
Probably the most efficient/easiest way would do it using javascript + cors/merger: |
Sounds like a good solution without any need to change ZeroNet core. Thank you. By the way, currently active protection (i.e. validation via JS) is done only if the browser is open. However, this may not be the case. We (@Thunder33345, @krixano, @AnthyG and me) decided that we can make a new language, or a JavaScript interpreter which would run some file, e.g. If you accept it, I would like to separate the plugin into another repository, because with the interpreter it's going to be large. You would either use submodules or subtrees or manually copy content from this other repository. You could either create it under @HelloZeroNet user and make me a collaborator (even if I make some security bug, it won't be added to this repo automatically, because submodules/subtrees aren't updated to the latest version by git automatically) or I can create a repo under @imachug and I'll add you as collaborator -- whatever you choose. |
I think it should have a separate plugin, with optional support for the p2p plugin |
It would be useful in many cases, but I wanted to avoid it as it's hard to make it secure, so I think it's better to keep it in a separate repository. |
Will you create a repo for me under @HelloZeroNet and make a collaborator or do you let me create a repo under @imachug ? |
I'm working on hub stuff. (i.e. read permissions) |
Well, if we create our own language, like Solidity, it will be secure. I've created a bunch of languages (and they even worked sigh), so it might be a good idea. |
The problem of creating a language is not being flexible enough for security sake, we can sandbox each background instance, on the other hand, if we make our own, we don't need to deal with sandboxing, we can just make one that can't escape in the first place, but that means we are a few steps behind everyone, lacking in basic libraries that programmers would rather have |
Sure, but I'm not sure about the name. Maybe "PeerMessage" would be more accurate than "P2P-Message". What do you think? |
PeerMessage sounds good -- renaming. |
Renamed |
By the way, that stuff running in background should be probably separated to another plugin. I've created repo for it: https://github.com/imachug/ZeroNet-Background |
So what's different between this and having a one-click install function? You still have to trust the plugin and where it came from in both cases. While I agree that there should be a restricted API for plugins to ZeroNet, I do not agree that the users are incapable of identifying when a plugin is bad and that having a one-click install would be catastrophic. People can flag/comment/vote on plugins with a plugin store zite, we can have a 24/7 running client downloading all plugins from this plugin store and scanning them for malicious code, and users can trust or be wary of plugins by looking at who made them. There are many options for this, but I think the ones I have provided are the most basic and probably easiest, and will increase security quite a bit, imo. Also, aside from having a restricted plugin API (and perhaps a plugin permission system), I think the security of plugins should be handled by the plugin store rather than the client itself. |
@krixano There was probably a misunderstanding: what I've said is "using the current plugin infrastructure with the additional ability to add a plugin as a one-click action will be catastrophic", so if we had a restricted API for plugins, it would be totally okay to have a one-click install. I'm particularly interested in the malicious code scan, do you have some references to working POCs or projects for python? |
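An added example, not part of the thread and not ZeroNet or plugin-store code: a small static scan of the kind discussed above, which walks a plugin's AST and reports imports of OS/network modules, calls to eval-style builtins, and dunder attribute access. The module and call lists, the function name `scan_plugin` and the sample plugin are assumptions made for illustration; the output is a review signal for a human or a store, not a sandbox.

```python
import ast

# Assumed policy for this example: modules a plugin should not need directly.
RISKY_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "importlib"}
RISKY_CALLS = {"eval", "exec", "compile", "__import__", "open", "getattr"}


def scan_plugin(source, filename="<plugin>"):
    """Return a sorted list of (line, finding) tuples for risky constructs."""
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as err:
        # Unparseable code cannot be reviewed, so report it rather than pass it.
        return [(err.lineno or 0, "syntax error: cannot scan")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append((node.lineno, "import " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, "from " + node.module + " import"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.append((node.lineno, "call " + node.func.id + "()"))
        elif isinstance(node, ast.Attribute):
            # Dunder attributes (__class__, __globals__, ...) reach interpreter internals.
            if node.attr.startswith("__") and node.attr.endswith("__"):
                findings.append((node.lineno, "dunder attribute " + node.attr))
    return sorted(findings)


# Constructed sample plugin source, for illustration only.
SAMPLE_PLUGIN = '''\
import json
import subprocess
from os import path

def handle(message):
    data = json.loads(message)
    return eval(data["expr"])

def kind(obj):
    return obj.__class__
'''

if __name__ == "__main__":
    for line, finding in scan_plugin(SAMPLE_PLUGIN):
        print("line %d: %s" % (line, finding))
```

A clean result from a scan like this only means none of the listed patterns appeared in the source text; it says nothing about what the code does at run time.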
Permission managing system is also needed for plugins |
There is an idea. Not sure whether it works, but if it does, it could simplify installing plugins. The idea is to have permissions for plugins. I mean, we can have The sandbox can be created from my BackgroundProcessing plugin. It turned out to work well for sites (as IP exchange service, backend for KxoID on @krixano's side, etc.) It is not an interpreter of Python, it only makes code that looks dangerous... not dangerous. So it's practically as fast as Vanilla Python. Moreover, it means that @HelloZeroNet will only have to verify BackgroundProcessing, and other plugins will be executed via it. |
@imachug Good idea to sandbox the plugins in BackgroundProcessing. However, we should really change plugin architecture, since I don't think it is really modular as it currently stands out (subclassing the existing functions). Maybe having a look at pluggy or something similar? |
As far as I know there is no reliable sandbox for Python and writing a sandbox in Python itself is considered a bad idea: https://lwn.net/Articles/574215/ |
It's funny how one of the most used languages for plugins doesn't have proper sandbox support. |
Is there any language that has proper, supported and well tested sandboxing support? For example Visual Studio Code is written in js, but the plugins are not sandboxed: microsoft/vscode#52116 |
@HelloZeroNet Some languages, like JS, don't necessarily need sandboxing because the APIs etc. are already so restricted. Java has sandboxing built-in, afaik. I believe Lua also has some sandboxing or sandbox-like system. Additionally, let me expand on what I meant by "restricted API". I mean, the ability for these plugins to access ZeroNet internals should be restricted, not necessarily the OS (although this would be good too if python made this easy). The reason why I make this clear now is because I believe in python, you should be able to restrict access to ZeroNet internals (making things private/protected in classes, modules, etc. - I would think python has these concepts but I don't know much about the OOP side of python). I feel like I've had this whole conversation before with @imachug |
Let me also clear up one more thing about what I was saying before:
One more thing: I was thinking of sandboxing in the sense of restricting plugins from accessing the OS so that they have to go through a ZeroNet plugin API, but I think actual sandboxing may be different/more complex. |
The sandboxing of JS is done by the browsers. For example in a VS Code plugin you can execute an external application with |
@HelloZeroNet I see what you are getting at, although I'm not 100% sure yet. Additionally, I do think, as I was trying to get across above, that having code scanners, voting system, etc. would have a greater impact in a shorter amount of time. |
Just a little comment to that. The idea is simply: write a python interpreter inside python itself that allows only non-builtin functions to be called. Every time some interpreted python code calls an external module function, the interpreter could use This could at least prevent accessing the filesystem, the network and other "external world" functions. Finer restrictions on possible modifications of the ZeroNet classes I think would require a big amount of work. |
Consider opening an issue to talk about that |
4385739 to 1f20699
@HelloZeroNet What are your plans on this PR? |
@HelloZeroNet @imachug This PR is now 1 year old. Can it be merged? Are there any important issues with it? |
BTW the PeerMessage plugin repo has been updated, so this PR is outdated a bit. Let me update the submodule real fast |
There, done. |
I'm closing this PR as new changes should be only made on py3 branch, and there is a py3 version of this PR already. |
Implements a part of #1425.
Current state
Practically finished, all features are tested.
Docs are ready (check wiki).