Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/p9c/pod
Fully integrated all-in-one cli client, full node, wallet server, miner and GUI wallet for ParallelCoin
Straight to business, this is the part I am looking for, so it's here at the top.
These instructions expect that you understand basic usage of the bash shell and terminal,
and git usage. You should be able to edit a text file on the command line interface
though you could use gedit
or similar if you prefer.
First, you need a working Go 1.14+ installation for the platform you are using.
cd ~
sudo apt get install -y wget git build-essential
wget https://golang.org/dl/go1.14.13.linux-amd64.tar.gz
tar zxvf go1.14.13.linux-amd64.tar.gz
The build tools expect a working GOBIN which is also in PATH, so, open ~/.bashrc
in
a text editor and put in it:
export GOBIN=$HOME/bin
export GOPATH=$HOME
export GOROOT=$HOME/go
export PATH=$GOBIN:$PATH
then run
source ~/.bashrc
Clone this repository where you like:
cd /where/you/keep/your/things
git clone https://github.com/p9c/pod.git
cd pod
Before you can build it, though, see gioui.org install instructions - note that on linux xsel or other clipboard apps are required for clipboard functionality. The instructions there cover Ubuntu.
Several important libraries are required to build on each platform. Linux needs some input related X libraries, wayland and their GL libraries, and similar but different for Mac, Windows, iOS and Android.
More detailed instructions will follow as we work through each platform build. For now we develop on FreeBSD and Ubuntu so for now, at this early stage with the GUI, please bear with us.
Next, go to the repo root and build it.
make -B stroy
stroy
is a pure go replacement for make
. Run it without any options to get
a list of currently enabled build options.
If you don't have access to make (it can be tricky on windows), you can
build stroy
with this command:
go install -v github.com/p9c/pod/stroy
stroy stroy
stroy
replaces make as it is written in Go, and is customised to put values
into the binaries that show what the binary was built from.
The second invocation rebuilds stroy with stroy itself, which plants the build information into the main package, which records the details of the source code that it was built with, eg:
app information: repo: github.com/p9c/pod branch: refs/heads/l0k1 commit: 8b98e47b8a61a7e68a945ce65129f4dd49c6c086 built: 2021-01-12T06:34:34+01:00 tag: v0.4.25-testnet+...
The purpose of this is to improve debugging as this info is printed at the start of all components' startup, and allows the logs to inform developers what the user's build came from, when dealing with a bug report, to facilitate exact replication of the fault.
As you will find when you run stroy
without a build command name, there
is several commands that will launch wallet, node, the GUI, reset the
wallet, and so on.
For initial configuration, use the -D
and -n
flags combined with
the init
subcommand like so:
pod -D <data directory> -n <mainnet/testnet> init
This in one step creates a fresh new configuration file, all of the TLS certificates and default Certificate Authority to use the web sockets interface for especially the wallet async functionality, and prompts you on the CLI to enter a new wallet passphrase, gives seed you need to restore the wallet later, and fills the configuration with a set of starting mining addresses based on the wallet seed, for the defined network type.
**TODO:**s yes, we want to move these keys into the directory subfolder
so it can be done without the node running and on demand with a new
subcommand for exactly this purpose. New addresses require a wallet
but should be kept away from a public RPC or other remote protocol
endpoint. Only nodes need them while mining to use for creating
coinbase payment outpoints.
If you just want to use it as an RPC for only node services at localhost:11047 (no wallet)
pod node
For wallet only at localhost:11048 (a full node must be configured, by default should be found at localhost:11047)
pod wallet
For combined RPC wallet at localhost:11046
pod shell
For the standalone multicast miner worker 'Kopach':
pod kopach
The list of commands and options can be seen using the following command:
pod help
-D
Set the root folder of the data directory. Default is ~/.pod or the string 'pod' as the folder name in other systems.
-g
-g=false
disables mining
Enable mining, using inbuilt for run modes that enable a p2p blockchain node
-G
Set the number of threads to mine with. Performance with the Plan 9 hardfork will entirely depend on the performance characteristics of the processor and its' long division units and how they are scheduled. The inbuilt miner (which will be deprecated) has significantly inferior performance. Concurrency is not parallelism, and the stand-alone miner is better. The inbuilt miner will be entirely removed by release.
-n
Set the network type, mainnet and testnet are the main important options. Note that this is the main configuration as well as pre-shared key, to run the multi- cast mining system, as the different networks have different start heights for hard forks.
Configuration is designed to be largely automatic, however manual edits can be
made, from <pod profile directory>
/pod.json - notably critical elements for
the cluster mining configurations is the 'MiningPass' item matches up between
nodes you intend to communicate with each other.
For the time being all that is necessary is to copy the pod.json
file, and
that all nodes deployed are on the same subnets as the nodes. Note that it is
possible to isolate subnets and join them using nodes via dual network (virtual)
interfaces and that worker nodes trust implicitly all nodes that use the same
pre shared key (thus the configuration file).
Before beta release there will be a FreeBSD based live image that is written to using a utility app with the correct key and network settings and will be basically turn-key if used as default configured. BSD is being used because it is lighter and ensures your hardware is doing nothing more than exactly crunching giant numbers for the chance to get a block reward.s
rpc.cert
ca.cert
and rpc.key
files, which as they are can be used (not so
securely) for connecting nodes in one's server set up. The system can be run by
default in an 'insecure' configuration (they are wired to connect via localhost
ports). Presumably for this kind of production application one would use a complete
set of ports and custom CA file. What is provided by default is for development
purposes and on a relatively unconnected end user setup.
Further improvements in security are planned.
For now it is advisable to isolate wallet services strongly and the main attack vector is covered. Easier to use GUI interface for offline transaction signing and similar features also are planned for later implementation.
The GUI subsystem can be disabled in the build using
go install -tags headless
To build it, there are some GL and X prerequisites for the Linux build
sudo apt-get install libgles2-mesa-dev \
libxkbcommon-dev \
libxkbcommon-x11-dev
More info about building for other platforms to follow. There should be a build for Android and iOS eventually, they have extra build environment requirements (android sdk and xcode/mac respectively). Specifics for Windows builds also to come.
Files are included in Pod's root folder
Get them from here: https://git.parallelcoin.io/dev/parallelcoin-binaries
Goland's inbuilt terminal is very slow and has several bugs that my workflow exposes and I find very irritating, and out of the paned terminal apps I find Tilix the most usable, but it requires writing a regular expression to match and so the logger is written to output relative paths to the repository root.
The regexp that I use given my system base path is (exactly this with all
newlines removed for dconf with using tilix at the dconf path
/com/gexperts/Tilix/custom-hyperlinks
)
[
'[ ]((([a-zA-Z@0-9-_.]+/)+([a-zA-Z@0-9-_.]+)):([0-9]+))$,goland --line $5 $HOME/Public/pod/$2,false',
'([/](([a-zA-Z@0-9-_.]+/)+([a-zA-Z@0-9-_.]+)):([0-9]+)),goland --line $5 /$2,false'
]
These two seem to the work the best including allowing clicking on stack trace code location references. Change goland launcher and package root path as required. The logger code locations start with a space and absolute paths with a forward slash and you have to set the repository path manually.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.