wallet2: No longer create '.address.txt' files for non-testnet wallets #3315
Conversation
|
NACK.
Are you one of the Cryptonote and/or Bytecoin authors who put that there for testing purposes and then later forgot to take it out? If not, why would you want to remove such useful functionality from the wallet and prevent anyone from being able to quickly associate wallet files with their respective addresses? If someone can see the contents of that file on your computer, you've got bigger problems than your public address getting exposed. |
|
How is this feature useful to you @iDunk5400? I was under the impression that the file was only used for unit tests inside Monero: If not completely getting rid of the file, we should at least offer a way to opt-out / explicitly opt-in by providing some CLI flag. fyi @moneromooo-monero as we talked on IRC. |
|
It is very useful to me as I can see which address a .keys file uses without opening it, if I want to quickly give a particular address to a sender. I don't have to open and log in to (possibly) many wallets to find the address I'm looking for. That's, basically, the purpose of having the *.address.txt file. |
|
I disagree agree with @iDunk5400, even though I use it the same way. I think your public address being visible is definitely a privacy risk. Yes, you might have a problem if someone can access your computer, but this is exactly why the wallet is encrypted. With your address being stored along side of it, you'll lose all plausible deniability. You can still keep a file alongside your wallets that lists the public addresses. As this is a bit inconvenient, how about the following compromise: On wallet creation, we prompt the user whether he wants to write the unencrypted address to a file? |
|
I think it's mildly good to have this file not written out by default. If people use it, then a flag to enable this would be good. Then those who want it have it, and people who don't know about it don't get their address written out where they might not expect it. |
|
Well, wallet creation is inherently an interactive process, so why not just prompt the user? |
leonklingele
force-pushed
the
nuke-address-file
branch
from
f1469d3
to
7a186cd
Compare
|
Added a way to opt-in to continue creating the address file for new wallets. |
src/wallet/wallet2.h
Outdated
| @@ -1137,6 +1142,7 @@ namespace tools | |||
| NodeRPCProxy m_node_rpc_proxy; | |||
| std::unordered_set<crypto::hash> m_scanned_pool_txs[2]; | |||
| size_t m_subaddress_lookahead_major, m_subaddress_lookahead_minor; | |||
| bool m_create_address_file; | |||
There was a problem hiding this comment.
Because wallet creation is only a one-time operation, the introduction of this member data doesn't make sense to me; it can simply be a local variable.
Also, I'd achieve the same goal without adding yet another command line flag (there are already quite many); the program can simply prompt the user during the wallet creation.
There was a problem hiding this comment.
OK, but add a flag to the json fo generate_from_json, and make sure there is no prompt in that case.
There was a problem hiding this comment.
I am against adding another interactive step for a user to follow in the wallet creation process. This just makes it more complicated to get started and I reckon a lot of first-time users are not interested in such an address file anyway.
There was a problem hiding this comment.
I changed my mind and agree with not doing it interactively.
There was a problem hiding this comment.
In that case I'm fine with not doing it at all. New users who aren't expecting it to happen won't be surprised then. Anyone who wants a copy of the address can just use the address command in the wallet and paste it into a file if they want to.
There was a problem hiding this comment.
@hyc I agree. Better a little inconvenience than compromising on privacy.
|
Cherry-picked @stoffu's commit, ptal |
|
@leonklingele Please squash the second commit because it reverts some changes made in the first one. |
leonklingele
force-pushed
the
nuke-address-file
branch
from
d1162a4
to
5ae770b
Compare
|
I have enjoyed the .address.txt files for the same reason that @iDunk5400 mentioned - being able to get the address associated with a wallet without opening it, but it would be fine if it was a wallet command ... not that there needs to be anymore commands, but whattaya gonna do. |
|
It has always been a wallet command. |
|
@leonklingele please rebase |
leonklingele
force-pushed
the
nuke-address-file
branch
from
5ae770b
to
328f759
Compare
|
Rebased & refreshed commit message. |
|
I also prefer to keep the file. I use it similarly to iDunk and Gingeropolous. |
|
my 2 cents: This breaks the API as it behaves differently than before. I feel strongly that APIs should not be broken unless in case of emergency. Which this is not. Wallets using the API will either break or function differently than before. When breaking the API I think it would be important to give the consumers of the API time to adjust (2 weeks is not enough - 2-3 release cycles is more appropriate). They also need to be informed of such changes (eg. via changelog). Obviously this is nothing specific to this PR. I see no API code here to create the address.txt at a later time. And none for removing it if the user opted to generate it on wallet creation. I also feel that that we should not have the API (or anything else in general) behave differently on testnet than on mainnet. |
|
This patch does not touch any API. |
|
i suck at C++, but as far as i can tell, the wallet2 api uses the tools::wallet2 generate methods. which now behave differently. EDIT: if this is true, it's now impossible to create the address.txt file through the api. (i also noticed that the new parameter create_address_file is undocumented in the wallet2.h declarations, whereas the other parameters are) |
…r new wallets
Previously, a file containing the unencrypted Monero address was
created by default in the wallet's directory. This file might pose
as a privacy risk. The creation of this file is now opt-in and can
be enabled by providing
--create-address-file
leonklingele
force-pushed
the
nuke-address-file
branch
from
328f759
to
649a1b7
Compare
|
@m2049r the wallet2 API can be found here: https://github.com/monero-project/monero/blob/e9f41e405f1f75533ef6e9d5adc76ba41dd29e8c/src/wallet/api/wallet2_api.h
Good catch, updated. |
yes, and it uses the generate() methods changed in this PR effectively changing the api without the possibility for the same behaviour. if you find the time, please comment on my original comment concerning testnet/mainnet discrepancies & possibility to create/remove address.txt after wallet creation. |
|
Ah, those are not meant to be stable. Nothing in the code is yet. |
|
even so - i don't understand the need for deliberately introducing a discrepancy between simplewallet and the wallet2 api functionality. as there are at least three wallets based on the wallet2 api i don't feel it's a good idea to treat it as "unstable" by default (although it may be). |
|
The API is exposed through wallet2_api.h which is not changed in this PR. 3rd party developers shouldn’t need to worry about how the API calls get passed to the actual wallet2 code, as implemented in e.g. api/wallet.cpp. IMO whether to generate address.txt or not is rather an internal design decision and not part of the API. |
|
an API is not merely a method signature - it's a contract as to what the method does (incl. side effects). the address.txt is the direct result of calling a create method and a caller may rely on that - like they rely on the keys file being created in a specific place. in particular, monerujo does exactly this. as you can see in the comments to this PR many users would like to see the public address without having to open their wallets. monerujo shows the address.txt info in the wallet list for this purpose (future plans include optionally removing the address.txt for more privacy as described in this PR). |
|
OK, so your problem is that the API from wallet2_api.h did NOT change, then. Patches welcome. |
| * \param wallet_ Name of wallet file | ||
| * \param password Password of wallet file | ||
| * \param viewkey view secret key | ||
| * \param spendkey spend secret key |
There was a problem hiding this comment.
Looks like the address argument is also undocumented here (which is also the case for another overload below). Also, the ordering of spendkey and viewkey is reversed. These are minor issues, but maybe you can fix them as well while you're at it?
There was a problem hiding this comment.
I'll open a separate PR to fix those comments.
There was a problem hiding this comment.
Fixed with #3405
That's a valid point. Then, maybe |
|
That will cause the GUI wallet to leave these, which would defeat most of the point of this patch. |
|
I was somehow assuming that this patch was for the CLI users. If the ability to opt-in for the creation of address.txt is to be available for the GUI as well, then the API also needs to be changed. I'm not sure if that's outside the scope of this PR, though. |
|
I was assuming the intent was to prevent people from unknowingly leaking their address. If so, GUI users are more likely to not realize they do. Not a huge leak, mind. |
649a1b7 wallet2 / simplewallet: Must opt-in to create '.address.txt' files for new wallets (Leon Klingele)
Previously, a file containing the unencrypted Monero address was
created in the wallet's directory. This file is only used for testing
purposes and might pose as a privacy risk.