Unattended updates #2467
Comments
|
Seems good to me. |
|
What do you think about the required signer list? |
|
Updating requires restarting ZeroNet, which would suck if you're currently in the middle of something. How exactly would applying the update work? Notify the user that restarting ZeroNet would apply an update? |
|
I think it'd be better to implement some kind of in-place update without restart. The propagated hotfixes will probably be small enough so they won't cause a problem. |
|
Or for more advanced updates that would need restart: Download update in background, notify user that restart is recommended, and replace/update ZeroNet on next startup. |
|
We could display a notification: "New critical update received, ZeroNet will restart in 59 minutes", "Restart now", "Delay update 6 hours" Update without restart also could work for some parts (there is a built-in support for that), but there is side-effects as it requires to modify in-memory objects and not every update is compatible with that. So I would avoid that.
It could work, but it requires properly, tested and implemented multisig support. |
|
We probably shouldn't show the fix to the public before it is completely signed (nor should we show that the process is going on) so I'd use some clearnet service (e.g. GitHub/GitLab + a bot) to develop the fix and sign it. So we already have all the signatures at the moment when we're publishing the fix. This means we could just hardcode the verification. |
|
Make the (0) button flash red for security notification or have an [!] notification (toast) flash and give the scoop. |
|
@HelloZeroNet Can I assume that if Config.py contains some revision number, the bundled code will contain exactly the changes up to the commit which changed the revision number? |
If we don't have multi-sig, then how do we distribute the version?
I always do increment the rev number, so I think yes. |
This is not really a feature request, more of a conversation request to see if we (as the community) can come to a solution that satisfies everyone.
Is your feature request related to a problem? Please describe.
The problem is that there were quite a lot of vulnerabilities found in ZeroNet earlier and we'll probably have many of them in the future. Every time a vuln is found, we have to broadcast the fix; unfortunately, what we are able to do now is definitely unsafe:
While some of these solutions are applicable right now, they aren't permanent and will definitely stop working well when new people come to ZeroNet.
Describe the solution you'd like
We could allow users to enable unattended updates, say, in /Config (it should probably be enabled by default because those who don't check /Config are most likely too non-techy to understand the consequences of the vulnerability). Some updates would be marked as "security". People who have unattended updates enabled would be updated automatically; those who don't will be shown a big red button on ZeroHello (probably also change
0icon for visibility? These are implementation details though). The update would be cryptographically signed. Whether only nofish will have to sign it or someone else as well is another question; say, lowering the required signature count would make ZeroNet more vulnerable to a single person's sudden decision, and increasing the count can make the vulnerability known before the fix is signed.Describe alternatives you've considered
The ones in the first section? Hehe.
Additional context
inb4: Quite a lot of well-known operating systems do that. For example, Ubuntu and Debian have
unattended-upgrades, Windows (oh well) does that too. ZeroNet is cross-platform and also uses ZeroUpdate for updates, not a central repository, so we can't count on the OS-specific stuff.@anoadragon453 @filips123 @blurHY
The text was updated successfully, but these errors were encountered: