Jump to content

XRP Incentive to developers


Eric123
 Share

Recommended Posts

1 hour ago, Di3twater said:

You seem to have some overly complex ideas of what it takes to create a library. Most in house libraries are created with a limited scope of responsibly and are not attended to cover all edge cases. In regard to your question about audits, code libraries are not taxes there is no "audit" that takes place simply peer review and good testing is needed.  

I'm not sure why you mentioned me in your first post, though.

It is true that libraries can have (very) limited scope. But it looks like you completely disregard this "compliance" and "risk" point of view. In corporate environments software sometimes has to be (externally) audited, too. And in this case it would be much more beneficial if Ripple had published such libraries that would have some kind of stronger "guarantees". Not necessarily in the SLA sense, but - for example - that they would use provably FIPS compliant components.

Because right now there is only one library (JS ripple-lib) which is kind of maintained. All other libraries (Java & .NET) are practically dead from the development point of view.

 

 

 

 

Link to comment
Share on other sites

11 minutes ago, Di3twater said:

@T8493 Basically the parts that would need that compliance are crypto libraries. The libraries we created only interface with the RCL, we rely on third party libraries like ripple's Key Pairs Library to generate our keys :) Awesome question by the way.

You see, here is the main problem. You trust third party library which wasn't audited (and there is no guarantee that it actually uses cryptographically secure random number generator, especially in some (older?) browsers) and this (or some very similar) code recently caused people to lose money (search for Jatchili's wallet on Mac on this forum).

However, this is not limited just to third party cryptographic software. Hackers recently stole 5M USD from GateHub and the (official) reason was some partial payments "problem", which was probably known for years and it was very well documented. But their developers still mishandled it.

 

 

Link to comment
Share on other sites

4 minutes ago, T8493 said:

You see, here is the main problem. You trust third party library which wasn't audited (and there is no guarantee that it actually uses cryptographically secure random number generator, especially in some (older?) browsers) and this (or some very similar) code recently caused people to lose money (search for Jatchili's wallet on Mac on this forum).

It is also not very visibly licensed - I had to dig quite a while to find out if this code is actually OK to use or if it is proprietary to Ripple Inc.

Link to comment
Share on other sites

@T8493 So from a casual reading it seems you are stating that ripple's own key pair generator can not be trusted and from an early post that any attempt of our own  would require massive overhead from regulation and other things.... are you planing on using the service? 

Edited by Di3twater
Link to comment
Share on other sites

1 hour ago, Di3twater said:

@T8493 So from a casual reading it seems you are stating that ripple's own key pair generator can not be trusted and from an early post that any attempt of our own  would require massive overhead from regulation and other things....

I would be slightly skeptical, yes, and I would certainly audit it before using it in production (especially if I could be potentially held liable for something).

Older versions of this code produced faulty Ripple addresses and I'm not sure substantial engineering effort went into resolving and pinpointing the exact issue (not only on the RL side, but also on the side of third party developers which could potentially prevent this issue from happening in the first place).

RL devs have added one additional test: https://github.com/ripple/ripple-keypairs/commit/1cf06f0f1ffe21ac4a0929545bc6d632f8648db3 . But - for example - are they testing this on every browser/nodejs/OS combination? I am not so sure. Are they testing for faulty message digests methods? Are they actually testing that rippled can actually verify the signatures produced with generated keypairs and public Ripple address?

This library also depends on some third party libraries (e.g. hash.js) that also lack substantial test coverage, IMHO.

However,  problem could be also in the environment in which this code is executed (e.g. browser or nodejs environment).

 

Quote

are you planing on using the service? 

I'm not sure why is this relevant. If it is somehow "provably secure", then yes, why not.

Link to comment
Share on other sites

5 minutes ago, T8493 said:

I would be slightly skeptical, yes, and I would certainly audit it before using it in production (especially if I could be potentially held liable for something).

It appears to use "brorand" 1.0.5 for random numbers: https://github.com/indutny/brorand/blob/571027e0ffa1119c720bcdb8aa9c987f63beb5a6/index.js - The stuff at line 50++ seems slightly shady to me and isn't present any more in the current release (1.0.5 is from 2014...).

The only test case is that it will generate an array of length 100. I'm slightly impressed that there's even a test case.

Link to comment
Share on other sites

3 hours ago, Di3twater said:

@Sukrim You have no intent to use the service your post are for the purpose of vanity alone.

I really appreciate your efforts to contribute to the Ripple ecosystem, but you must understand that this community can be sometimes quite critical (much more than other crypto communities). But I think this is a very good thing -  such brainstorming can lead to better (safer, more secure, reliable, with less privacy concerns, etc.) solutions for community members.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.