Notes by Magister Michael Dilger M.Sc.

 New gossip release:

- This doesn't have the latest stuff (like bookmarks) but seemed like a stable place to make a release
- As usually happens, after hours of release processing, I discovered a bug. So there will be a point patch at some point.
  The bug causes the 'pending' messages system to crash, but gossip otherwise keeps working

nostr:nevent1qqstvj73nmvvtj975uk6u3zmsefezahgr6y5dyhg7awcmr69jkxqp6cpz9mhxue69uhkummnw3ezuamfdejj7nwc9am 
 It wouldn't be very hard. Once I'm not plagued with other bugs/issues/refactors I'll look at it. 
 I just plugged a USB-A cable in the right way on the first try. 

Time to retire from tech. 
 First time for everything 
 \"\\"\""\\""\"\""\\""\\\\"\""\"\\"\""\\""\"\""\\""\\\\"\""
Gee, I hope that doesn't crash any nostr clients. 
 Good to hear. 
 Aw man, where are my backups... 😯 
 I have less than no respect for anyone who still uses Twitter or X w/e

Say it here… 

Where no... 
 People should do is say it here, and then post just a nostr link on X (maybe to some web-based nostr client).  People on X will need to follow that link to view the post. 
 If that is true, then I would just put the [nostr : nevent1...] text that isn't even recognized as a link. People will be like "WTF?" and have to do some research to figure out what it means and how to use them.  Just an idea. 
 Is Damus broken? Can’t even open it without it crashing 🤔 
 This one by PABLO has an unreal number of backslashes

b7e3954a9e6c40fd7873643eb9cc667ca6c103253e38a687382c0bfb43c03853 
 I used to backpack in Desolation Wilderness around Lake Tahoe, let's estimate I spent 20 days there over my lifetime.  And I saw a bear just once, at a distance, and he wasn't interested in me.

OTOH in Yellowstone in the 1970s I saw black bears many times, just walking on the roadside or wherever.

It entirely depends on which 'woods' you are in. 
 People who are security-minded have a natural instinct to prepare for the worst case scenario.  This leads them to imagine their enemies to be highly capable, murderous, colluding, nameless and faceless cabals.  This is a good and correct instinct for preparing your defenses - you want to be able to defend even against this worst case scenario.

However, too many people use this same rubric wrongly when trying to assess actual events.  The odds that an actual adversary is the worst case scenario, is highly capable and in collusion with others who are highly capable, in any given actual event is very low.  Incompetence is far more widespread than people realize.  And parallel action (similar minds acting similarly) explains the vast majority of things that appear to be conspiracies.

To believe that Trump was shot as a false flag you have to believe that there was a shooter so perfect that he could perfectly clip Trump's ear even while Trump was gesticulating and rotating his head back and forth. You have to presume that they are murdering, willing to kill members of the audience to make it appear more real.

Just because that case is possible doesn't mean you should default to it.  People who default to the belief that this was a false flag to garner sympathy for Trump, based entirely on the fact that an ear-clip is quite a lucky circumstance for Trump, do not have IMHO very good judgement. But they all probably make very good security-minded people because they are defaulting to the worst case scenario which is the right way for a security-minded person to think. 
 Grazing shots are very common. I've shot around a thousand rabbits, and I think about 20% of those shots were grazing shots. 
 I don't rule it out, so I agree with you.

But I think the kinds of reasoning people go through that leads them to even speculate such a specific thing happened absent evidence is flawed due to a lack of considering Bayesian priors.

Take the fist pump. People see that as evidence that Trump wanted a photo-op. But my Bayesian priors are that (1) Trump will always fist pump, and (2) If someone on a stage falls down and is ok, they will signal to the crowd that they are ok. Given these priors, this 'fact' gives NO weight to the theory.

Take the flag in the photo. People see the flag in the image as evidence Trump wanted a photo-op. But my Bayesian priors are that Trump rallies are so heavily plastered in flags, that it is hard to point a camera in any direction and not have a flag in the shot. Given this prior, this fact gives NO weight to the theory.

As for explaining the 'blunder' of missing, when good snipers never miss at 100 yards, you can consider that people were calling out the sniper to the security, yelling about him, and he probably felt rushed.  And anyone would be nervous knowing this might be their last few moments.  So while a calm sniper can take that shot, a nervous 20 year old who is being called out probably doesn't have the nerves of steel required to make the shot.  Also Trump turned his head at the last minute (that mattered by half-an-inch, it wouldn't have mattered if it was a good shot though). 
 1. I live in a farm area where rabbits had gotten to plague levels. They eat the grass, leaving less for the stock animals. So culling them helps local industry and keeps my sheep fed.
2. hunting rabbits allows me to "touch grass", get outside, get exercise.
3. It also exercises my dog, and is a bonding experience with the dog.
4. The dog eats the rabbits so I save on dogfood.

If the dog didn't eat these rabbits, she'd eat purchased meat which is also the flesh of a killed animal, so that choice doesn't avoid killing.

Of course it isn't very nice for the rabbits. But they are such simple creatures with such evil looking pure black eyes that I'm OK with it.  But I still hate it when they don't die right away. 
 I first heard about the Trump-bullet incident on nostr. And I got lots of additional data here too.  Nostr is my primary source of news and information now and I love it.

I love it because I trust this community's bias to be naturally averaged out, and because there is no algorithm attempting to manipulate that bias.

nostr:nevent1qqs8aenchc86ehcse4de4y2hz3hpx8c8uphdpgqtzrtvcj7833ncrysppemhxue69uhkummn9ekx7mp0qyghwumn8ghj7mn0wd68ytnhd9hx2tcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsfjj3ds 
 I have never known of any man who was more widely hated and more intensely hated than Donald Trump.  Add to that the fact that he was running for President (and thus perceived as a threat) and I'm actually surprised that there wasn't an assassination attempt sooner.

This is easily explained as a rogue angry Democrat wanting him dead.

That doesn't mean it isn't something else, but any other theory is going to have to provide convincing supporting evidence that we don't currently have.

 
 There are plenty of other people who were there. Someone like Revolver News will probably do some investigative reporting. 
 I'm sure you are being sarcastic. But truth is, I actually don't know.

I can think of many reasons not to like him: narcissism, lying, all image no substance, various policies you may not like. But none of those should rise to the level of hate.

I understand why people hate Netanyahu - for slaughtering innocent civilians with abandon.
I understand why people hate Fauci - for making them lockdown, wear masks, and inject an experimental treatment or lose their job.
But what did Trump do that calls for hatred?

I don't understand why some people love him either.

IMHO people who hate Trump are the brainwashable kind of people, and they hate him because the left-wing power politicians programmed them to.  And what I've learned is how many people are the brainwashable kind... more than I thought. 
 They didn't have enough gun control, ma'am.  You were right.  We need more gun control. 
 Donald Trump was Shot

Poll: Who do you think did it?

a) Random angry democrat

b) Deep State

c... 
 'a' and I'm kinda surprised it hadn't happened sooner. 
 CHORUS USERS:

v1.5.1 is on branch `latest`

- FIX: large non-utf8 messages were attempted to be logged causing a panic
- FIX: parse errors were not being punished so a nasty client could do a DoS of chorus with
  simple junk.

hat tip @Alex Gleason 🐍 
 Holy shit we're back boys. Power restored to Houston! 😱  
 The only question that remains: what will you do with it? 
 Here is the problem with relays. You can DoS a basic relay implementation (if it has no rate-limi... 
 Very interesting. Yes, I think rate limiting on both sides is necessary.

This is an excellent fuzzing method.

I tried running chorus and hitting it with this attack from a local process.  For about 100,000 bytes (in 0.031 seconds) chorus handles and prints all the errors, generally being JSON parse errors.  Then a bug is hit and I get a thread panic (chorus main thread continues, only that one connection is dropped)

Also chorus has mechanisms to drop connections and block IPs based on too many errors coming in, but for some reason these didn't work against this.

This is Sunday; I wasn't going to do dev work today, but this is too interesting. 
 Hah, fixed both of those already. Easy fixes.

Gossip will need more work though. 
 CHORUS USERS:

Due to me breaking things quite often, I have created a `latest` branch which will be the latest stable release. Please don't run off of the master branch unless you read and understand the code because I will not have announced the config changes you may need to make until I do a release.

I just did a release so I could explain what I broke and what you must do.


### Version 1.5.0 (2024-07-13, 870e470d)

- BREAKING: If you run chorus behind a proxy like nginx, you MUST set the new `chorus_is_behind_a_proxy`
  config variable to true, and your proxy MUST set the `X-Real-IP` header.  If the header is missing,
  connections will not be served. If you fail to set the `chorus_is_behind_a_proxy` setting, the proxy
  IP address will be used directly, generally causing all connections to quickly become banned due to
  the bad behavior of just one client, or due to too many connections from a single IP.
- NEW CONFIG: `chorus_is_behind_a_proxy` (please set to true or false)
- NEW CONFIG: `max_connections_per_ip` (defaults to 5)
- NEW CONFIG: `moderator_hex_keys` (see next bullet point)
- A rudimentary Management API is now available using https://github.com/nostr-protocol/nips/pull/1325
  To use management front ends against chorus, you must add hex pubkeys to `moderator_hex_keys`.
- Errors about DM kinds are much less common now, as we don't explicitly error unless they specify some set
  of kinds (we implicitly filter out the DMs still)
- Accurate count of bytes sent/received (SSL header data is now counted)
- Kind 10050 dm relay list events are now treated the same way as kind 10002 relay list events.
- Error message detail (e.g. source code line numbers) is now no longer sent to clients.
- Some mild errors are now swallowed.
- Updates of many dependencies, some updates were very large jumps and may change network/http behavior.
- Receipt of a deleted EVENT now returns OK false (was OK true)

### Version 1.4.0 (2024-05-07, 25058ef4)

- Origin header logged
- CLOSED: auth-required sent if DMs requested and not authenticated yet
- config: minimum_ban_seconds, timeout_seconds, enable_ip_blocking
- default for allow_scrape_if_max_seconds raised from 3600 to 7200
- default for max_subscriptions raised from 32 to 128
- timeouts no longer affect ban seconds
- Internal: switched to pocket for the backend storage
- creates lmdb subdirectory if missing
- several bugfixes: filter parsing, empty tags, event ordering, chorus_compress was fixed 
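
Added example (not part of the original note and not chorus's own code): why the `chorus_is_behind_a_proxy` setting in the 1.5.0 notes matters once `max_connections_per_ip` is enforced. The names `Config`, `ConnTable`, `Reject`, `effective_ip` and `simulate`, and the sample addresses, are hypothetical; only the two setting names, the `X-Real-IP` header, the "missing header is not served" rule and the default of 5 come from the release notes.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Hypothetical config holding the two settings named in the release notes.
pub struct Config {
    pub chorus_is_behind_a_proxy: bool,
    pub max_connections_per_ip: usize,
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    MissingRealIp,      // behind a proxy, header absent or not an IP address
    TooManyConnections, // per-IP limit reached
}

/// Decide which address the per-IP limits and bans are charged to.
pub fn effective_ip(cfg: &Config, socket_peer: IpAddr, x_real_ip: Option<&str>) -> Result<IpAddr, Reject> {
    if !cfg.chorus_is_behind_a_proxy {
        // Assumption of this example: when exposed directly, ignore the
        // header, since any client could set it to dodge the limit.
        return Ok(socket_peer);
    }
    x_real_ip
        .and_then(|v| v.trim().parse::<IpAddr>().ok())
        .ok_or(Reject::MissingRealIp)
}

/// Open-connection counter keyed by effective client address.
#[derive(Default)]
pub struct ConnTable {
    open: HashMap<IpAddr, usize>,
}

impl ConnTable {
    pub fn accept(&mut self, cfg: &Config, socket_peer: IpAddr, x_real_ip: Option<&str>) -> Result<IpAddr, Reject> {
        let ip = effective_ip(cfg, socket_peer, x_real_ip)?;
        let n = self.open.get(&ip).copied().unwrap_or(0);
        if n >= cfg.max_connections_per_ip {
            return Err(Reject::TooManyConnections);
        }
        self.open.insert(ip, n + 1);
        Ok(ip)
    }

    pub fn close(&mut self, ip: IpAddr) {
        if let Some(n) = self.open.get_mut(&ip) {
            *n = n.saturating_sub(1);
            if *n == 0 {
                self.open.remove(&ip);
            }
        }
    }
}

/// Constructed scenario: `clients` distinct clients each open one connection
/// through the same local proxy. Returns how many are accepted.
pub fn simulate(cfg: &Config, clients: u8) -> usize {
    let proxy: IpAddr = "127.0.0.1".parse().unwrap();
    let mut table = ConnTable::default();
    (1..=clients)
        .filter(|i| {
            let header = format!("203.0.113.{}", i); // constructed sample address
            table.accept(cfg, proxy, Some(&header)).is_ok()
        })
        .count()
}

fn main() {
    let wrong = Config { chorus_is_behind_a_proxy: false, max_connections_per_ip: 5 };
    let right = Config { chorus_is_behind_a_proxy: true, max_connections_per_ip: 5 };
    println!("setting left false behind a proxy: {} of 20 accepted", simulate(&wrong, 20));
    println!("setting true, header supplied:     {} of 20 accepted", simulate(&right, 20));
}
```

With the setting left false behind a proxy, every client is counted against the proxy's address, so the sixth unrelated client is already refused.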
 Good news: CenterPoint sent repair trucks to my street.

Bad news: the workers are just sitting i... 
 We are waiting for transformer parts to arrive. We ordered them via USPS and they should arrive in a week or two.  Until then we vape. 
 We just got word that the manufacturer is out of stock. The last parts were sent to Ukraine. And they are in a regional COVID lockdown so they can't make more. 
 CHORUS users:  There have been problems around "429 Too Many Requests" given out to clients that aren't making too many connections. I advise setting max_connections_per_ip to a high value until it gets resolved. 
 I've been staring at this for hours and I cannot figure out why it is stuck at 259/619 and won't finish compiling. You should file a bug report. 
 This is Derek's only meme.  I don't know what it means.

nostr:nevent1qqszxhwpkh3rkxd454k2mlyntskpxjn7uvrgjpahvg0tkwd42lz3cdqppemhxue69uhkummn9ekx7mp0qyghwumn8ghj7mn0wd68ytnhd9hx2tcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsv7xtwq 
 I'm just gonna make a quick statement here about cashu and nutsacks (I know very little, I just read some hype bullets).

I came here to empower speech. Many of you came here to empower money. I think both goals are laudable, but I am trying to avoid the liability of that second one.

Governments have crazy complex and onerous regulations around money. Any technology that touches money needs a legal team, or needs to be developed by anonymous developers (of which I am not).

Gossip client has zaps because there is no money transfer involved when creating an invoice, or in reading and displaying a receipt. And your private key does not unlock or lock any monetary balance.

I'm not sure what cashu/nutsack technology does, but based on the hype bullet points I don't think gossip can implement it.

If the government pervertedly and twistedly (as they do) begins to view nostr private keys as financial instruments or technology facilitating money transfer, then I will be forced to cease nostr development.

Also if nostr nsecs start to control money, then fiatjaf is wrong about subkeys not being necessary. 
 If there was a paid formal legal opinion from a respected US law firm about what a nostr client could safely do while clearly avoiding any of the financial regulations, I would trust that.  So if anybody thinks this stuff isn't over any kind of line, and if someone wanted to fund such a legal opinion, that is a way you could convince me to code it. 
 Yes I know, and it is those totalitarian states I'm trying to negotiate peace with. 
 geez!  I'm glad you weren't on an airplane. 
 Courts look favorably upon people who all along were taking steps to be within the law. So even if the speculation in it was wrong, it would likely have a big impact on any legal outcome.

I don't think nostr can be successfully construed as a money transfer system. I won't code for this thing and then hopefully I'll be just as liable as the company that made the disk drive that hosted the piece of data but had zero intention of facilitating money transfer... that is, not liable. 
 ODELL's keyboard only has capital letters. He got it cheap so he could save more bitcoin.

nostr:nevent1qqsx7w4c75u6qlvgcea6klkqkhh2wpf7en3f2gp3qs0m4khl0vxxfdqpzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtcd4l5fl 
 only if we used bittorrent instead of blossom

- integrated support for primary HTTP sources
- de... 
 This is an interesting idea.

I find files on webservers are more reliable and die less soon than torrents which often disappear quite quickly (no peers). But maybe this is a consequence of there not being good backing of those torrents (as you say there is support for primary HTTP sources).

I think someone should put webtorrent into a client (can't be that hard) and experiment with it. 
 250 sats to who gets it right nostr:note1yqv267h2t02ufjz3tr0n94h8322gny4ueq0xyya88vxzucrwsx6q6rwjz6 
 you fucking clowns 

we have a decentralized file storage system that is not dependant on DNS or ... 
 This is the IP address for a DNS resolver: 1.1.1.1

You can connect to the nostr relays that publ... 
 I've read this note three times now and I still don't understand what it means. 
 A node (client or relay) that doesn't upgrade will see these as broken invalid events. The signature will not match the pubkey field.

In the current NIP-26, at least the events are valid and people can see them, they just don't have a clear association between the signer and the delegator.

So I think this is a worse experience for nodes that don't upgrade.

If every node upgraded it would be fine, but I'm not sure it would be better. Both ways of doing it require code to update either its signature verification or its method of associating an author, neither being a harder ask IMHO.

BTW the delegation proof doesn't have to be replicated in every event if we wanted to save space, it could be a separate event. 
 I want my master key offline, and per-device signing keys online. That isn't centralization.

And I cannot do that with NIP-46 where the bunker has to be online.

The only solutions to provide this that I can conceive of are major breaking changes.

My keypair has leaked all over the place and it is only by the grace of god that people haven't noticed and posted as me.  But as of today there is almost zilch I can do about it. 
 Why can't I publish a key schedule event to my outbox relays, created and signed offline by my master key, that says that some device key is now revoked? 
 I see that it would have to be the master key.  *grumble grumble hrumph* 
 Yes.

I haven't changed email providers or DNS providers in years. Once nostr settles down, changing relays will be a rare enough thing that requiring the master key to do it doesn't seem overly onerous to me. 
 Fasting 12 hrs per day minimum 
 My entire life, ever since 1970, I think I have fasted at least 12 hours per day.  That's the time between the end of dinner (7pm latest) and the start of breakfast (7am earliest). Generally I've eaten dinner at 4-5pm though.

And I am overweight with metabolic syndrome.

For me to get any kind of measurable improvement I have to fast for at least 16, maybe 18 hours per day, something like breakfast at 11am and dinner at 4pm. 
 My girlfriend was in a coma.  The doctor tried everything, then he told me "there is one more thing we can try. It's a long shot, quite experimental."  I said to him "anything, doc, anything we can do." He said "you could try oral sex" and I said "god no! oh god!" he says "I've seen it work" so I say "ok ok then I'll give it a try."  So I go into her room, and five minutes later I come out and say "Doctor, doctor! she's choking!"

--

I gave my cat a bath today. I know they say you aren't supposed to give cats baths, but she was dirty and so I did it anyway. And it turned out fine. She just sat there purring the whole time. So you can ignore what they say, it's perfectly fine to give a cat a bath. The fur will stick to your tongue a bit, but other than that there's nothing wrong with it.
 
 Correct, he told the top one.  Who told the bottom one? 
 This is hilarious, because if you do all the alternatives you basically get what I have wanted fo... 
 I'm thinking of javascript clients in web browsers as we have today. They can't do wireguard. I don't even think they can do DNS lookups.

Also wireguard isn't going to protect anybody's IP address. VPNs work only by virtue of mixing a bunch of people into the same IP address and adding an extra hop.

I've looked into WebTransport, abusing HTTP/2, and other alternatives over QUIC and I think that websockets is still the best choice.

As for every client being a relay, please elaborate. What does this bring us? 
 I have put NIP-26 delegation support back into gossip.

As a punishment for taking it out of gossip in the first place, I swear that I will, upon midnight, slaughter a sheep and spread its entrails over my naked body, beating my breast at the moon and wailing, asking the universe why oh why did I think it was okay to remove unused code?  Never again.  I will from this day forward take a vow to always make sure the code base grows and grows and grows without bounds supporting even VHS and even going so far back as to support arsenical bronze as well as tin-based bronze.  And with this arsenical bronze knife I cut myself, mixing my blood with that of the slaughtered sheep, wrapping myself in black sackcloth and covering myself in ashes I shall wander this Earth as an outcast and evil nostr developer, bearing the stench, wearing the large letter C pinned to my sackcloth.... the C of "centralization".  Because as every 5 year old knows, if you remove code that nobody uses, that is centralization. 
 Fuck. I meant Betamax. 
 I almost want to reply with a pic ... but I'm not sure everybody in the pic wants the particular picture to become public.

So just imagine that instead of a sheep it is four scantily clad girls, and instead of entrails it is bead necklaces, and instead of sackcloth I am wearing ... um ... let's say kooshball underwear 
 Fine.  Kettle is hot.  Do you take milk? sugar? 
 On-boarding people to Nostr now is like: Well, you can use Amethyst, which by now is so complicat... 
 There is a far bigger problem than what you have highlighted:  People are building so many crazy-idea apps on top of a fundamental nostr layer which still has problems and still needs breaking changes. And now that they have, if we break those fundamentals everybody's houses of cards fall down.  And so IMHO all the rapid adoption is the thing that will probably kill nostr.  Far too much built on top of a still flimsy foundation that is now unable to be fixed.  I wrestle with this dilemma in my dreams at night, tossing and turning, considering all the ways to make subkeys happen and how every single one breaks something deeply, etc.

The issues in your OP are smallish bug/features that can very easily be solved by comparison. Amethyst can become less complicated (by automating things or something I dunno), and can add ability to tag somebody, and primal can add ability to block somebody. These are stupid simple problems that just haven't happened yet. I think your expectations of how things should already be are very high. 
 First, I shouldn't have said "need" that is too strong of a word. Nostr can keep going without breaking changes.

And in part I'm speaking in the abstract based on experience, based on the number of breaking changes that have happened so far and their approximate rate.

But I think some of the big things below app level are subkeys (for an offline masterkey) through something like a slightly modified NIP-26, binary events over websocket binary, something like negative filters or negentropy (specifics to be worked out), some kind of better relay usage for the many basic usages that actually exist (Vitor is working on that), ... that is off the top of my head.
 
 I'm just one guy with one eccentric view on this that I probably overstated.  But yes I think we are breaking it now, little by little at least. 
 In the news a robot in South Korea has committed suicide. Now I've heard everything. 
 As I understand it, he ran around in circles and then threw himself down a staircase. He was a public servant and worked long hours. 
 Wasn't there a whole NIP for delegation keys that got abandoned? I don't know why that one got ab... 
 Write a client and send any stream of bytes you wish to any machine you wish.  Now ask yourself the question, who controlled you?  Whatever the answer to that question is, that is the answer to your question. 
 Apparently you want to control the protocol.  But no, you cannot tell me what to do with my client.  GFY. 
 EVERY VOICE means every voice that I was hearing about this topic.  All conversations I had encountered about this topic led me to believe nobody supported it except gossip and nobody planned to support it.  So because all I ever heard was negative, and it was hard to maintain, I took it out.

Every voice most definitely does not mean I speak for every voice.

Please take your medicine. 
 There are zero logical connections between each step in your thinking.  This is a sign of psychosis or mania.  I'm serious:  take your medicine. 
 Reticulum looks very cool. What would need to be changed to support it? How much breakage? Would you be tunnelling IP over it?  I don't really know anything about it.