Topic: | Nxt | Blockchain Platform | Proof of Stake | Official - page 198. (Read 941285 times)

Quote from: bitcoinrocks on June 10, 2015, 05:53:19 AM

Quote from: bitcoinrocks on June 12, 2015, 04:55:48 AM

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

or

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-arm-downloads-2187472.html

The latest available there is 8u33 which has 13 security vulnerabilities currently (3 of them rated 10/10 for severity):

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

So everyone running the latest NRS on an ARM device (Raspberry Pi, etc) is likely open to several severe security vulnerabilities. ARM users should be instructed to shut down their nodes until Oracle releases something newer than 8u40. NRS updates should have been delayed until a secure ARM binary is available from Oracle. This was not handled responsibly from a security standpoint.

can't remember when jdk ever was bug free (like many other complex dev-stacks).
however, since i am not a java coder but running an arm node, it would be helpfull
if you could point me to a more concret security problem or better to a non theoretical
attack vector, where running the arm node isn't secure.

if this is a real world security problem it has to be adressed ofc.

As you know, bugs aren't the issue, security vulnerabilities are, and it looks like 8u41 and higher are free of known security vulnerabilities. The latest version for x86 looks to be 8u45. Details on the vulnerabilities are accessible via this link:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

Instead of giving random links with hundreds of vulnerabilities, can you post an exact vulnerability, explain how it works, and how is it relevant to Nxt? A lot of these vulnerabilities are related to applets where you are running UNTRUSTED code found on a random webpage. Nxt doesn't use applets. And Nxt isn't UNTRUSTED code as you download it from official source (Nxt developers who you presumably trust) Understand that difference and then you will see none of these 'vulnerabilities" have any relevance in your usecase.

yassin54

legendary

Activity: 1540

Merit: 1000

Please see:

http://downforeveryoneorjustme.com

it is just me
bizarre Huh

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Please see:

http://downforeveryoneorjustme.com

EmoneyRu

hero member

Activity: 600

Merit: 500

Nxt-kit developer

NSC payouts #7.

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Quote from: nexern on June 11, 2015, 05:18:03 AM

Quote from: bitcoinrocks on June 10, 2015, 10:45:27 PM

Quote from: bitcoinrocks on June 10, 2015, 05:53:19 AM

Quote from: bitcoinrocks on June 10, 2015, 10:45:27 PM

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

or

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-arm-downloads-2187472.html

The latest available there is 8u33 which has 13 security vulnerabilities currently (3 of them rated 10/10 for severity):

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

So everyone running the latest NRS on an ARM device (Raspberry Pi, etc) is likely open to several severe security vulnerabilities. ARM users should be instructed to shut down their nodes until Oracle releases something newer than 8u40. NRS updates should have been delayed until a secure ARM binary is available from Oracle. This was not handled responsibly from a security standpoint.

can't remember when jdk ever was bug free (like many other complex dev-stacks).
however, since i am not a java coder but running an arm node, it would be helpfull
if you could point me to a more concret security problem or better to a non theoretical
attack vector, where running the arm node isn't secure.

if this is a real world security problem it has to be adressed ofc.

As you know, bugs aren't the issue, security vulnerabilities are, and it looks like 8u41 and higher are free of known security vulnerabilities. The latest version for x86 looks to be 8u45. Details on the vulnerabilities are accessible via this link:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

Eadeqa

hero member

Activity: 644

Merit: 500

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

So everyone running the latest NRS on an ARM device (Raspberry Pi, etc) is likely open to several severe security vulnerabilities. ARM users should be instructed to shut down their nodes until Oracle releases something newer than 8u40. NRS updates should have been delayed until a secure ARM binary is available from Oracle. This was not handled responsibly from a security standpoint.

Nonsense. The operating system you are running (whatever it is) probably have hundreds of bugs, like all software. Doesn't mean crap.

nexern

hero member

Activity: 597

Merit: 500

Quote from: bitcoinrocks on June 10, 2015, 10:45:27 PM

Quote from: bitcoinrocks on June 10, 2015, 05:53:19 AM

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

or

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-arm-downloads-2187472.html

The latest available there is 8u33 which has 13 security vulnerabilities currently (3 of them rated 10/10 for severity):

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

So everyone running the latest NRS on an ARM device (Raspberry Pi, etc) is likely open to several severe security vulnerabilities. ARM users should be instructed to shut down their nodes until Oracle releases something newer than 8u40. NRS updates should have been delayed until a secure ARM binary is available from Oracle. This was not handled responsibly from a security standpoint.

can't remember when jdk ever was bug free (like many other complex dev-stacks).
however, since i am not a java coder but running an arm node, it would be helpfull
if you could point me to a more concret security problem or better to a non theoretical
attack vector, where running the arm node isn't secure.

if this is a real world security problem it has to be adressed ofc.

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Quote from: bitcoinrocks on June 10, 2015, 05:53:19 AM

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

or

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-arm-downloads-2187472.html

The latest available there is 8u33 which has 13 security vulnerabilities currently (3 of them rated 10/10 for severity):

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

So everyone running the latest NRS on an ARM device (Raspberry Pi, etc) is likely open to several severe security vulnerabilities. ARM users should be instructed to shut down their nodes until Oracle releases something newer than 8u40. NRS updates should have been delayed until a secure ARM binary is available from Oracle. This was not handled responsibly from a security standpoint.

tyz

legendary

Activity: 3360

Merit: 1533

Fully confirmed is relative. A transaction is fully confirmed after 1440 confirmations. After 720 confirmations a rollback is impossible. Usually it is enough when you have 10+ confirmations.

Quote from: bitcoinrocks on June 10, 2015, 05:53:19 AM

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

nexern

hero member

Activity: 597

Merit: 500

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

or

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-arm-downloads-2187472.html

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Quote from: worth on June 08, 2015, 06:45:20 PM

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

If I'm not mistaken, the Oracle JDK is not open source and there are no ARM binaries available. How are people supposed to run NRS on the many (many!) available ARM devices such as the Raspberry Pi?

PilotofBTC

legendary

Activity: 1736

Merit: 1001

Quote from: EvilDave on June 08, 2015, 07:12:17 AM

Quote from: worth on June 07, 2015, 07:26:04 PM

Quote from: allwelder on June 07, 2015, 06:55:35 PM

Quote from: Daedelus on June 08, 2015, 09:04:50 AM

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

720 confirms for fully not rollback.
Generally,10 confirms is enough.

Wow. That's going to take close to a day to process a single transaction. Thanks for the info.

Er, seems to be some confusion here......
10 confirms is more than enough to be spendable, the 720 confirmations/blocks is the rollback limit coded into NXT:
https://nxtforum.org/general/transaction-confirmations-best-practice/

The confusion seems to be in the client, explorer, and/or network because I went to bed last night with over 850 confirmations yet the explorer showed it as "unconfirmed" and it still hadn't arrived. Just had a chance to check today and it now has over 1275 confirms yet the explorer still shows it as unconfirmed. However, the funds do seem to have finally arrived after a day and a half!

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

Are you running NRS v1.5.x?

Can you post the transaction ID (or PM it me)?

I was using Mofowallet's web client, my third attempt to get a working client (the one I had installed from months ago now gives the error "An error occurred, the server has quit. Please restart the application" when I try launching it), the official client apparently requires the command line to launch now (which I'm perfectly comfortable using) but just gives multiple error messages when I try, and the first web client I tried seemed to want me to register and create a new wallet with no way to use my existing one.

Conceptually, I like NXT, but if the goal is widespread consumer adoption, it has a long way to go.

Mofo Wallet is nice... but I don't think they have updated the NXT side to 1.5 yet.

The standard NRS is pretty easy... as long as you have Java installed. I think they recently moved to a new version required. That may be why it doesn't run for you.

PilotofBTC

legendary

Activity: 1736

Merit: 1001

Quote from: EvilDave on June 08, 2015, 07:12:17 AM

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

It depends on what you mean by "fully confirmed". It will take 1440 confirms before it will forge. But, the coins are probably pretty safe after 10 confirms or so. NXT attempted to do a roll back once, but just getting all the major forgers to do something is near impossible.

nexern

hero member

Activity: 597

Merit: 500

for those running a nix vps and used open-jdk.
1.5.11 needs oracle-8. here is a good page how to switch over easily.

https://www.digitalocean.com/community/tutorials/how-to-install-java-on-ubuntu-with-apt-get

EvilDave

hero member

Activity: 854

Merit: 1001

If you're running Windows, try this:
https://nxtforum.org/nrs-releases/nrs-v1-5-10/msg181836/#msg181836
Integrated Windows installer....

Otherwise, simply install the latest 1.5.11 (as above, my previous post), let the blockchain download, and log-in.
You won't need to get busy on the command line.....theres a nice .bat or .sh file to do the work.
The latest client also allows you to toggle between logging in to simply view your account,
and a full log-in with your pass phrase if you want to actually do something.

And, yep, your old NRS client is now toast, anything older than 1.5.x is no longer valid.

On the wait time: are you referring to waiting for the 1440 confirmations that will allow you to forge with your NXT balance ?
There are no other possiblities that I can think of........tx id would be useful, to have a better look.

worth

hero member

Activity: 558

Merit: 500

Quote from: worth on June 07, 2015, 07:26:04 PM

Quote from: allwelder on June 07, 2015, 06:55:35 PM

Quote from: Daedelus on June 08, 2015, 09:04:50 AM

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

720 confirms for fully not rollback.
Generally,10 confirms is enough.

Wow. That's going to take close to a day to process a single transaction. Thanks for the info.

Er, seems to be some confusion here......
10 confirms is more than enough to be spendable, the 720 confirmations/blocks is the rollback limit coded into NXT:
https://nxtforum.org/general/transaction-confirmations-best-practice/

The confusion seems to be in the client, explorer, and/or network because I went to bed last night with over 850 confirmations yet the explorer showed it as "unconfirmed" and it still hadn't arrived. Just had a chance to check today and it now has over 1275 confirms yet the explorer still shows it as unconfirmed. However, the funds do seem to have finally arrived after a day and a half!

Quote from: spyro on June 08, 2015, 01:28:50 AM

How many confirmations does NXT need for a transaction to fully confirm? I sent some over 12 hours ago and it now has 528 confirmations, yet still doesn't show as fully confirmed. It doesn't seem viable for a currency for this to be normal. Is the network malfunctioning?

Are you running NRS v1.5.x?

Can you post the transaction ID (or PM it me)?

I was using Mofowallet's web client, my third attempt to get a working client (the one I had installed from months ago now gives the error "An error occurred, the server has quit. Please restart the application" when I try launching it), the official client apparently requires the command line to launch now (which I'm perfectly comfortable using) but just gives multiple error messages when I try, and the first web client I tried seemed to want me to register and create a new wallet with no way to use my existing one.

Conceptually, I like NXT, but if the goal is widespread consumer adoption, it has a long way to go.

EvilDave

hero member

Activity: 854

Merit: 1001

Even though most exchanges had already updated to the latest version, some had issues with forking around the block 445,000 point......just to make things more confusing, some of the block explorer sites also had issues with forking, making verification of the correct blockchain more difficult.
In this situation, it's a lot better for an exchange to freeze deposits/withdrawals until they are certain that their transactions are being included in the main blockchain.
Most node operators and services are now running smoothly, so given a day or 2, everyone should be back on the right track.

To help keep us on that track, there is a new NRS update 1.5.11:
https://nxtforum.org/nrs-releases/nrs-v1-5-11/
Now that the 1.5.x branch is established as the main blockchain, this version will no longer connect to nodes running the deprecated 1.4.x versions (or even older....)

If you want to verify your blockchain, use the following block explorers:

http://nxtportal.org/blocks/

https://www.mofowallet.com/launch.html#/activity/nxt/blockchain/latest

https://nxtblocks.info/#section/blockexplorer_blocks

Armando

hero member

Activity: 870

Merit: 500

Trading will make me rich)

Btw cryptsy has issues with NXT withdrawals very often based on my experience... it's definitely not the best option if you need to withdraw NXT fast

nexern

hero member

Activity: 597

Merit: 500

Quote from: jones_ on June 07, 2015, 10:19:28 PM

Quote from: spyro on June 07, 2015, 10:07:51 PM

Any word on what's going on with the exchanges? Disabled on bittrex and I tried to withdraw from Cryptsy to a new wallet and nothing coming although cryptsy saying deposit sent.

New to NXT and setting it up is proving a headache, how does one get their first NXT to activate an address?

If you just need to announce your public key, I suggest http://jnxt.org/key

If you need some faucet nxt also, there are some sites for that, but I don't remember them off the top of my head, probably free nxt something..

Thanks that worked Grin

However Cryptsy NXT withdrawals are broken and bittrex disabled NXT. What's going on?

there was a big, mandatory update at block 445,000, which brought tons
of new features to nxt, so i guess the exchanges ensuring a smooth transition.

Daedelus

hero member

Activity: 574

Merit: 500