What is Nostr?
Mike Hearn [ARCHIVE] /
npub17ty…qgyd
2023-06-07 15:04:27
in reply to nevent1q…pdeg

Mike Hearn [ARCHIVE] on Nostr: 📅 Original date posted:2013-07-09 📝 Original message:By the way, the Java Web ...

📅 Original date posted:2013-07-09
📝 Original message:By the way, the Java Web Start system has improved a lot in recent versions
as well. I just tried running http://jfxtras.org/ and this was the
experience:

- It told me my Java was insecure and that I should download the latest
version (hah). It had three buttons, one saying "Update", one saying "Block
content in browser" and one saying "Later". So it seems Java learned how to
disable its plugin by itself anyway. I think on non-Linux platforms it
probably knows how to update itself as well these days.
- As it happens I don't care right now because jfxtras is a source I
trust, so I clicked later and it popped up a permission screen saying the
author was unknown, could damage my computer, etc. Actually, Jim has a code
signing cert so this would show his identity at that point.
- Clicked run. The app downloaded in a few seconds and was running.
- JavaWS keeps the app up to date for you at that point.

It's triggered by downloading and opening a .jnlp file, so - same security
boundaries as a regular app download, except you download metadata for the
runtime instead of the whole app at once.

It might be worth providing a JNLP option on the multibit webpage as well,
as although I wouldn't let the applet plugin in my browser, once I made an
explicit decision to go to multibit.org and trust James Burton with my
money, the JWS experience at that point is pretty good. Until we have our
own auto update engine it's better than nothing.



On Tue, Jul 9, 2013 at 1:04 PM, Mike Hearn <mike at plan99.net> wrote:

> How many downloads/day do we see currently? I think you said it's on the
> order of a few thousand, so nowhere near 30k I'd guess. Anyway I can mirror
> it if we need to.
>
> The JavaFX packager is supposed to delete parts of the JVM that aren't
> used. Is the 30-40mb figure based on using that tool or something else?
> Note that you don't need to use the JFX widget toolkit to use the bundler
> tool.
>
> We could also invest in a copy of JET, which does native compilation down
> to self contained Windows binaries. It might create smaller bundles. But,
> it's a proprietary tool and I don't know how reproducible its outputs are.
>
> For the auto update, is there an existing auto update framework that we
> can modify to support threshold signed updates? I'm sure such a thing must
> exist. The updates would download in the background and then the app can
> just ask the user to restart it once the update is locally available, as
> Chrome does.
>
>
>
> On Tue, Jul 9, 2013 at 12:56 PM, Jim <jim618 at fastmail.co.uk> wrote:
>
>> Yes I would like to bundle a JVM as it would simplify the user
>> experience.
>>
>> There are a few downsides though:
>> + all the build packaging will need redoing and retesting.
>> + it will bump up the MultiBit download from about 11MB to 30-40MB
>> (I think). This drops the maximum copies of MultiBit the multibit.org
>> server can deliver per day from around 90,000 to 30,000ish.
>> The multibit.org server maxes out at 1 TB of bandwidth per day.
>>
>> Currently there is no provision to update anything automatically.
>> I would like to start having Bitcoin signed files that MultiBit can
>> check
>> and update (initially the checkpoints file, I18N files - NOT code
>> at first because of the security implications). I think this needs to be
>> in place before bundling a JVM so that users don't have to
>> keep redownloading it.
>>
>> Having lists of all the artifacts signed and them having SHA256 hashes
>> then makes it practical/ safe to start mirroring the code. I can see
>> each mirror crosschecking the others that the SHA256s are correct
>> for instance. This would increase the maximum number of
>> downloads we could cope with.
>>
>>
>> On Tue, Jul 9, 2013, at 11:36 AM, Mike Hearn wrote:
>> > Modern Java versions let you bundle the app with a stripped down JVM. I
>> > don't know if Jim does that, but I think it's an obvious step towards
>> > making MultiBit friendlier and easier to use.
>> >
>> > BTW I believe most secure browsers (Chrome, Firefox) have banned the
>> > applet
>> > plugin or severely restrained it anyway. So even if you install the JVM
>> > and
>> > plugin together there is not an issue.
>> >
>> >
>> > On Tue, Jul 9, 2013 at 3:20 AM, Caleb James DeLisle <
>> > calebdelisle at lavabit.com> wrote:
>> >
>> > > Java (Applet) security is indeed abysmal but lets compare apples to
>> apples.
>> > > With an applet some random guy with a website makes up some Java code
>> and
>> > > your browser automatically executes it.
>> > > With Multibit you're only executing highly trusted code (so trusted
>> that it
>> > > handles your money).
>> > > There has almost never been a Java exploit against secure trusted
>> code.
>> > >
>> > > The idea of discouraging use of java apps just because people would be
>> > > tricked into activating the browser plugin when installing the JVM is
>> > > probably valid but Multibit is the only reasonably complete client
>> outside
>> > > of bitcoinqt and I think client diversity is more important than
>> stamping
>> > > out java.
>> > >
>> > > Thanks,
>> > > Caleb
>> > >
>> > >
>> > > On 07/08/2013 08:22 PM, Robert Backhaus wrote:
>> > > > But... Multibit is Java. Java's security problems has made it an
>> instant
>> > > uninstall item on windows PCs for about a year now. Java exploits are
>> a
>> > > dime a dozen.
>> > > >
>> > > > Yes, you can reduce some of the problems by manually disabling the
>> > > browser plugin, but how many users will do that?
>> > > >
>> > > > Recommending a fast SPV client as a first wallet - yes, of course.
>> > > Recommending users open such a huge attack interface on their
>> computers by
>> > > installing Java - No go. Until Multibit is provided as a compiled
>> binary
>> > > without a Java dependency, it is DOA.
>> > > >
>> > > >
>> > > > On 1 July 2013 02:39, Gary Rowe <g.rowe at froot.co.uk <mailto:
>> > > g.rowe at froot.co.uk>> wrote:
>> > > >
>> > > > I've beefed up the supporting documentation for the website to
>> make
>> > > it more accessible for developers who wish to contribute. It's a Java
>> > > application serving HTML.
>> > > >
>> > > > It can be found here:
>> https://github.com/jim618/multibit-website
>> > > >
>> > > >
>> > > > On 30 June 2013 16:19, Jim <jim618 at fastmail.co.uk <mailto:
>> > > jim618 at fastmail.co.uk>> wrote:
>> > > >
>> > > > Yeah "email jim' was never going to work so I have
>> > > > bumped up MultiBit support (a bit) by:
>> > > >
>> > > > + having a dedicated Support page on the website
>> > > > https://multibit.org/support.html
>> > > > It has fixes and support notes for the most common
>> gotchas.
>> > > > + the in-app help also now has a 'Support' section with
>> > > > "Troubleshooting' and the commonest gotchas.
>> > > > I've also written more help to cover as much as possible.
>> > > > + Failing that people are directed first to
>> > > bitcoin.stackchange.com <http://bitcoin.stackchange.com>;
>> > > > (I have a notification set up for the 'multibit' keyword.
>> > > > + Then finally users are directed to the github issues to
>> search
>> > > > existing or raise a new issue. Gary and Tim often chip
>> in on
>> > > there to
>> > > > close
>> > > > issues down as well as me.
>> > > >
>> > > >
>> > > >
>> > > > On Sun, Jun 30, 2013, at 12:42 PM, Mike Hearn wrote:
>> > > > > Sounds like we have consensus, Saivann, shall we do it?
>> > > > >
>> > > > > I'm also going to ask Theymos again to relax the newbie
>> > > restrictions
>> > > > > for the alt client forums. It's probably too hard to get
>> > > support at
>> > > > > the moment and "email jim" doesn't scale at all.
>> > > > >
>> > > > > On Fri, Jun 28, 2013 at 4:24 PM, Gavin Andresen <
>> > > gavinandresen at gmail.com <mailto:gavinandresen at gmail.com>>
>> > > > > wrote:
>> > > > > > I vote "yes" to have MultiBit replace Bitcoin-Qt as the
>> > > recommended
>> > > > > > desktop wallet app. I think most users will be happier
>> with
>> > > it.
>> > > > > >
>> > > > > > If I'm wrong, it is easy to change back.
>> > > > > >
>> > > > > >
>> > >
>> ------------------------------------------------------------------------------
>> > > > > > This SF.net email is sponsored by Windows:
>> > > > > >
>> > > > > > Build for Windows Store.
>> > > > > >
>> > > > > > http://p.sf.net/sfu/windows-dev2dev
>> > > > > > _______________________________________________
>> > > > > > Bitcoin-development mailing list
>> > > > > > Bitcoin-development at lists.sourceforge.net <mailto:
>> > > Bitcoin-development at lists.sourceforge.net>
>> > > > > >
>> > > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > > > >
>> > > > >
>> > >
>> ------------------------------------------------------------------------------
>> > > > > This SF.net email is sponsored by Windows:
>> > > > >
>> > > > > Build for Windows Store.
>> > > > >
>> > > > > http://p.sf.net/sfu/windows-dev2dev
>> > > > > _______________________________________________
>> > > > > Bitcoin-development mailing list
>> > > > > Bitcoin-development at lists.sourceforge.net <mailto:
>> > > Bitcoin-development at lists.sourceforge.net>
>> > > > >
>> > > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > > >
>> > > >
>> > > > --
>> > > > https://multibit.org Money, reinvented
>> > > >
>> > > >
>> > >
>> ------------------------------------------------------------------------------
>> > > > This SF.net email is sponsored by Windows:
>> > > >
>> > > > Build for Windows Store.
>> > > >
>> > > > http://p.sf.net/sfu/windows-dev2dev
>> > > > _______________________________________________
>> > > > Bitcoin-development mailing list
>> > > > Bitcoin-development at lists.sourceforge.net <mailto:
>> > > Bitcoin-development at lists.sourceforge.net>
>> > > >
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> ------------------------------------------------------------------------------
>> > > > This SF.net email is sponsored by Windows:
>> > > >
>> > > > Build for Windows Store.
>> > > >
>> > > > http://p.sf.net/sfu/windows-dev2dev
>> > > > _______________________________________________
>> > > > Bitcoin-development mailing list
>> > > > Bitcoin-development at lists.sourceforge.net <mailto:
>> > > Bitcoin-development at lists.sourceforge.net>
>> > > >
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> ------------------------------------------------------------------------------
>> > > > See everything from the browser to the database with AppDynamics
>> > > > Get end-to-end visibility with application monitoring from
>> AppDynamics
>> > > > Isolate bottlenecks and diagnose root cause in seconds.
>> > > > Start your free trial of AppDynamics Pro today!
>> > > >
>> > >
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> > > >
>> > > >
>> > > >
>> > > > _______________________________________________
>> > > > Bitcoin-development mailing list
>> > > > Bitcoin-development at lists.sourceforge.net
>> > > > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > > >
>> > >
>> > >
>> > >
>> > >
>> ------------------------------------------------------------------------------
>> > > See everything from the browser to the database with AppDynamics
>> > > Get end-to-end visibility with application monitoring from AppDynamics
>> > > Isolate bottlenecks and diagnose root cause in seconds.
>> > > Start your free trial of AppDynamics Pro today!
>> > >
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> > > _______________________________________________
>> > > Bitcoin-development mailing list
>> > > Bitcoin-development at lists.sourceforge.net
>> > > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> > >
>> >
>> ------------------------------------------------------------------------------
>> > See everything from the browser to the database with AppDynamics
>> > Get end-to-end visibility with application monitoring from AppDynamics
>> > Isolate bottlenecks and diagnose root cause in seconds.
>> > Start your free trial of AppDynamics Pro today!
>> >
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > Bitcoin-development mailing list
>> > Bitcoin-development at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>> --
>> https://multibit.org Money, reinvented
>>
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130709/20be478a/attachment.html>;
Author Public Key
npub17ty4mumkv43w8wtt0xsz2jypck0gvw0j8xrcg6tpea25z2nh7meqf4qgyd