It's getting there, the reseeding is working and some other core functionality has been completed, but there's still a lot of work to be done to get it stable on all the platforms we support.

0.8.8.6 is the latest stable release. I'll quote from the project README on Github so you can understand:

"As with many development projects, the repository on Github is considered to be the "staging" area for the latest changes. Before changes are merged into that branch on the main repository, they are tested by individual developers, committed to the "development" branch, and then subsequently tested by contributors who focus on thorough testing and code reviews. That having been said, the repository should be carefully considered before using it in a production environment, unless there is a patch in the repository for a particular show-stopping issue you are experiencing. It is generally a better idea to use a tagged release for stability."

I was going through the spam threads, and this just caused me to chuckle, especially because of your "just a Bytecoin clone" voting option.

https://github.com/amjuarez/bytecoin/releases - they haven't done anything for 14 months, by your definition. Right?

And I guess 1000+ commits by 28 active contributors (including a commit by Bitcoin's lead developer) is no progress?

Monero core team here.

Please tell me more about our new marketing actions, since we know nothing about them.

Also, I don't agree with all the threads that have been opened, and would respectfully suggest the idiots opening them direct their efforts to the Monero forum and leave Bitcointalk out of it: https://forum.getmonero.org

Feel free to quote the above message to the new thread starters.

cAPSLOCK mostly maintains that list, so I'd suggest letting him know. Not everyone wants to be on the list, so it is a manual process. Typically when letting him know you include a transaction ID, and he's able to verify them with me or another member of the core team, and then Bob's your uncle (or aunt).

I speculate that Eddie and I should stop using wide screens when checking forum changes...

Commit updates:


6 hours ago   c8593fb   Added test script to export colour of cells from Google spreadsheets.
yesterday   f6cb27f   Lot view connects to character view and building view, although data is still false
yesterday   296eef4   Fixed some small typos
2 days ago   ca38bef   Added simple dialog for giving resources
2 days ago   fd31e1b   Fixed small bug for showing buildings
2 days ago   f7ff416   Allowed NPC status change on click
2 days ago   ccea7e3   Split chatbox into seperate screen because of css maniplulation by final.js
2 days ago   850294   Added buildings view from map display screen
3 days ago   b9d0c20   Fixed some layout issues now line spacing has changed
3 days ago   a956310   Line spacing is working properly
3 days ago   7bf9255   Static background image stays same on non-map screens
3 days ago   13bed81   Added back button functionality, with correct placement and image
3 days ago   351dbfa   Split resize code away from character screen
6 days ago   f9c8358   Changed map
6 days ago   7319e0e   Fixed bug that hid background on back button activation
6 days ago   ff8fc24   Added back button and functionality
7 days ago   26e7940   Added building links to character
8 days ago   157921f   Added wiki to new pages
8 days ago   ca4d8ac   Implementation of callbacks and AJAX code for single-item views works fine
9 days ago   d2c648c   Added missing templates
9 days ago   e3e41ff   Converted all old single and multiple data displays into new core single-page display
9 days ago   6a97c48   Map, chatbox and character screen integrated as original
9 days ago   fa32cfc   Chatbox same as original, mainly

To be more specific: the way it used to work was to split the URL up into parts separated by . (ie. waffle.blah.example.com is split into waffle, blah, example, com) and then check each part (from the last to the first) as follows:

1. concatenate it with the previous parts (so if we're checking "blah" then we'd be verifying blah.example.com)
2. using the system resolver get the NS record for the domain
3. ask the main nameserver (per the NS record) for the DNSKEY for that sub-domain, pass the D0 flag (ie. tell it we want DNSSEC data)
4. if it is DNSSEC signed we should receive the RRSET, which contains the DNSKEY and the RRSIG for that DNSKEY
5. validate that the signature is correct
6. repeat for the next part

This is reasonable, except it doesn't *actually* check the chain, it just checks each part of the chain. For DNSSEC to work you have to start at the root zone (which is .) as that is *the only certificate you will have on your computer*, and then you work your way down the chain, checking delegation at each point. Our checking sub-parts without delegation (and without starting at .) was lazy, and whilst it is unlikely you'd be able to cheat validation the risk is still non-negligible.

The updated verification that ThomasV has written validates the chain correctly.

You mean buutt-huurt, right?

Hi all - just to formally state: we're aware of the trademark claims, and after consulting with the EFF we are now working with the Software Freedom Law Center to figure out how best to deal with it. Please be aware that it is a slow process we have to work through, and there isn't much we can state publicly, until we are told otherwise by the attorneys. We will keep everyone updated as and when we are able to:)

Edit: any who have received trademark complaints, who don't need to stay pseudonymous, and want to work with us on this, please email us: dev@getmonero.org

In other news: https://forum.getmonero.org/1/news-announcements-and-editorials/319/monday-monero-missives-30-june-29th-2015

Absolutely, any "assistance" would naturally be limited to what is actually achievable by blockchain / data analysis of Monero transactions (practically nothing). In fact, going down the road of trying to assist them would be an excellent education in-and-of-itself, so that's good:)

Also I didn't mean I'd willingly disappear, I meant I'd *be* "disappeared" by forces unknown:)

On a completely personal level...not really. I'm more than happy to cooperate with governments, TLAs, and law enforcement, and to educate and give them guidance on how this newfangled world works.

Look at how "the man" has struggled to adapt to everything from p2p distribution mechanisms to consumer-grade "drones". They don't understand Twitter or Instagram or Snapchat, they don't know how to police or govern any of it. Personal beliefs aside, we have to pragmatically recognise that the "status quo" is going to stay as it is for the foreseeable future in most countries, and it's better to help them understand potentially ubiquitous technology.

The worst thing that can happen to me is that I'm "disappeared", but that's why the core team is seven strong:)

question mark

noun

1.
Also called interrogation point, interrogation mark. a mark indicating a question: usually, as in English, the mark (?) placed after a question.


Because I was asking generalizethis if that was the correct tl;dr.

tl;dr - Bitcointalk is for gossip, Monero Forum is for discussion? :-P

Just replied to that thread with details

When we didn't have QoS then we had people complaining about the bandwidth usage. Now we have QoS and a sane bandwidth limit, and people are complaining about it not using enough bandwidth:-P

This is really what MRL-0004 deals with (the section on Temporal Association attacks).

A lot of this changes with the recommendations MRL4 made, which will come in a hard fork later this year (once we've established a forking strategy, per this forum post).

I don't check this thread, so if you reply and don't hear back from me in a couple of days just send me a PM nudging me:)

There isn't a mainnet faucet that I know of, but there is a testnet faucet: http://monerotap.com

Ok so just to clarify: with AngularJS you basically just get index.html + a bunch of JS files, and then it gets "partials" (kinda like views in an MVC pattern) as it needs. BUT that's just static files. The stuff that is polled regularly / any actual interaction with MyMonero is done through the API. Now the MyMonero API is on a different domain (api.mymonero.com), so cookies are never sent to it (the cookie was explicitly for "mymonero.com", not ".mymonero.com" which would have included subdomains). So the risk we identified with it (ie. why we dropped that functionality) was because it would be included in static object requests, which is something that the developer who added that functionality in the very initial version never considered.


I understand that - what I meant is that ?2 should never be served by index.html:)


That code hasn't existed on the server (except as a git blob) for ages, so there's nothing to delete on that side. When you add ?2 to the file you're being served a cached file somewhere along the line, which is why I went and cleared a bunch of things server-side that could be caching it. I suspect the reason that actual file can still be accessed is because CloudFlare has longer lived caching on some of their endpoints. But beyond that nobody should ever be served ?2, so the caching of the actual JS should be/have been largely irrelevant.

Re: shredding, we don't log static object requests, as that just clutters the log, and we've never logged cookies (even when we do receive them). Since all the heavy lifting is done client-side, and then on the server side by the API, the static objects are just cached aggressively and served as quickly as possible. Logging would interfere with that. We also don't log much of anything else, because I don't want to have an environment where I've got metadata that can be requested by LEA.


Nowhere near a year:) It's been up since the end of last year (so about 5 months), and as mentioned above private keys weren't going to the API, and static requests weren't logged.


Yes absolutely to the MITM risk that existed with that code snippet, or to the risk that I'm outright lying and we've logged everything. But, at the same time, the risk profile doesn't change: if I really wanted to I could serve up some obfuscated JS buried deep in the code (not obvious and outright like you've seen) that surreptitiously sends me private keys. That's the risk you take with any webwallet, Bitcoin or otherwise, and that is why it doesn't matter how much is done client-side, you still have to trust the operator 100%. I don't think (or hope) that anyone that uses MyMonero is under any illusions there. They have to trust me, it's the nature of using a web wallet.


It's a commercial project that cost a lot of money to develop and build out by a small team of accomplished developers. This isn't something I hacked up on a weekend, and I'm also not the only owner (Risto Pietilä owns half of it). There's no secrecy with the backend, it's just a commercial project that isn't going to be made open-source just yet. We do have long-term plans to provide a user-hostable version, but right now it's just too complex and "delicate" to release.

No you can't have an indication as to the userbase for two reasons. Firstly, it's a commercial project, and the Google Analytics stats are not public. Secondly, even if I provided stats on the number of viewkeys it's all rather meaningless, as it's really easy to create multiple accounts.


No, it'll be replaced by Monero Core as the first option when that is completed. MyMonero fills a usability gap that couldn't be filled with Monero Core fast enough, and there was (and is) a need for those that are interested in tinkering around with Monero to have something that they could use.

I would never, ever recommend anyone store large quantities of value in Monero itself (which is somewhat trivially attacked by a motivated attacker with enough mining power) and definitely not in MyMonero. But overall I think you misunderstand what Monero is trying to achieve. It's not designed to be some super-secret currency that is so private that nobody even knows it exists. It's not designed to fill some specific use-case like "buying dildos on the dark web". It is designed to be truly fungible, sure, but that is only one aspect of its design.

Things like our eternal emission (to retain mining incentives), or the move to a 6-month rolling hard fork window, are there to make Monero useful. Things like OpenAlias, and the slowly-increasing easy-to-understand content on GetMonero.org, are there to make Monero usable. Transactional privacy is a core feature, but even that is not yet complete (eg. we still have to implement the changes posited in MRL-0004). We ultimately want Monero to be easy to use by everyone, whether they're very familiar with cryptocurrencies or not.