03:23 <JacobWeisz[m]> I mean I kinda hope we can still upgrade the database, but Iunno how easy that update script is...

04:25 <isd> I haven't looked.

04:25 <isd> But it looks like Jason's fork was forked from some mirror on GitHub... the upstream project self-hosts their repo.

04:25 <isd> and said fork was last updated in 2010

04:26 <isd> whereas the app package was updated in 2016

04:26 <isd> So... has the sandstorm ttrss package ever done a database migration?

04:30 <isd> ...yeah, looking at the commit long I don't the actual TTRSS version has ever been updated.

04:30 <isd> All of the updates have just been packaging stuff.

04:30 <isd> commit log

12:42 <abliss> Any interest in using WebAuthn as a login mechanism to Sandstorm? I bought a shiny new yubikey5 to play with.

13:11 <JacobWeisz[m]> I imagine that'd be a good login method to add.

13:12 <JacobWeisz[m]> Question: Would multiple Sandstorm servers see any sort of common identifier for the same YubiKey?

13:31 <abliss> my understanding of webauthn is extremely thin, but my impression is no, they wouldn't, unless they coordinated with some backend relying party that would distribute a common identifier (like google login)

13:33 <abliss> I just tried the webauthn.io demo (https://github.com/duo-labs/webauthn.io) and it's a pretty smooth experience (android + chrome + usb yubikey5). i choose my own login handle, and register by touchig the key. later i can login by typing the same login handle and touching the key again.

13:34 <JacobWeisz[m]> Because of course, apart from internal org auth methods like LDAP and SAML, all Sandstorm login methods present Sandstorm a common identifier between servers, which presumably we may wish to use for federation.

13:35 <abliss> (i wonder if there's a way to skip the login handle. it doesn't seem like it should be necessary, and it's annoying to make the user invent one, make sure it's unique from all others, and then remember it)

13:43 <abliss> https://webauthn.bin.coffee/ seems to have a login flow that works with my key and doesn't require me to provide a userid (perhaps it's just choosing a random one for me). very smooth.

13:47 <abliss> ah yes, it requires Resident Key support: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

14:08 <abliss> dang, i take it back, resident keys seem to not work on my particular combination of device + OS + browser

14:21 <isd> Could we just use some function of the public key itself as the user ID?

14:22 <abliss> if you aren't using resident keys, the user still has to type some kind of identifier in order for the server to look up the record

14:23 <abliss> with resident keys, the server's URL gets passed to the token to discover the credential (i think)

14:23 <abliss> (if we assume the user has an email address that they want to tie to the account, that can be the username, which is probably fine for all practical purposes. but i like the idea of being able to login without ever typing anything.)

14:24 <isd> related: https://github.com/sandstorm-io/sandstorm/issues/220

14:32 <isd> One thing that zarvox brought up in that issue is that right now all of the login options leave sandstorm with an email address it can use to send notifications. It would be a shame to lose that guarantee

15:07 <isd> Ok, maybe I was wrong about the ttrss updates; there's a good amount of stuff pulled in from upstream that's not there in the thing Jason's repo is forked from. That's good.

17:06 <isd> https://github.com/zenhack/ttrss-sandstorm

17:06 <isd> Builds, launches the UI, but network stuff doesn't work yet. Obviously that will require more hacking.

17:30 <isd> So TTRSS had two CVEs in 2017. Neither one affects Sandstorm.

17:40 <JacobWeisz[m]> Always fun to see

17:40 <JacobWeisz[m]> Especially since I'm using a package from 2016

17:41 <isd> I think I have a strategy for geting ttrss to use the powerbox that shouldn't be too bad.

18:47 <abliss> api sessions can't invoke powerbox right? i often subscribe to new feeds through the mobile client.

18:48 <isd> Right. Wouldn't really work without the sandstorm UI available

18:49 <isd> ...as sandstorm has no way of prompting you

18:51 <abliss> yeah. someday it would be cool to have a dedicate sansdtorm app that could receive a push notification and pop open a powerbox ui on my phone.

18:51 <isd> Neat idea.

18:51 <isd> Want to open an issue for it?

18:52 <isd> Also: rather than a dedicated mobile app, might make more sense to just use the pwa stuff mobile browsers support

18:52 <isd> We already do the bare minimum to get add to home screen working, but we could do further integration.

18:53 <JacobWeisz[m]> I would be loathe to waste our limited resources on native OS code.

18:53 <isd> ...though meteor has a cordova backend, so there's that I guess.

18:54 <isd> But I am still most keen doing pwa stuff. Sandstorm is already pretty good on mobile browsers.

20:52 <abliss> should those two ttrss CVEs go onto sandstorm's list of security nonincidents?

22:31 <isd> First someone should confirm more rigoriously than I did whether they're exploitable.

22:31 <isd> (Though I'm pretty sure they're not)

23:11 <JacobWeisz[m]> How major were they? I have to imagine we have mitigated way more CVEs than we're bothering to monitor across all the apps.

23:12 <JacobWeisz[m]> I hesitate to over-list?

23:44 <isd> https://www.cvedetails.com/product/38823/Tt-rss-Tiny-Tiny-Rss.html?vendor_id=16686

23:44 <isd> I don't think it's important to go crazy with that page either.

23:44 <isd> The sql injection doesn't work because we have ttrss configured in single-user mode, so the vulnerable page doesn't exist.

23:46 <isd> The xss doesn't seem to work either, though I'm a little fuzzier on exactly how we're blocking it, but it seems like some kind of common sense same-origin restriction. I'd want to stare at that and understand the exact mechanics though.