-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate argon2 issue (Termux/Raspberry Pi) #4422
Comments
I kinda feel like Termux is a combination of FreeBSD and Debian since it includes apt and pkg package managers. But the Argon2 error is affecting the entire NPM package. Wait a minute, let's go a minute back. What if Argon2's 0.28.0 release has the error? I just had a fantastic idea! @jsjoeio can you tell me when did Argon2 get implemented, before 3.10.0 or after 3.10.0? If it's after that, then why can't we use the older hashing module? Because, I observed, the password was hashed in my Pi, and I changed it, but it was hashed. If Argon2 was implemented before 3.10.0, we need to use an older version of Argon2, that might work, right? |
Can we create an x86 installer for code-server? |
Hmm...possibly! For hashing, we used sha256 which I think came from It's supposed to be more secure because it requires more computational effort for the password hashing. I still think we need to look more into argon2 to fix this. |
I appear to have picked the worst time to try code-server out on Termux, but I may have a lead on the argon issue. I unzipped the pre-built package in my Termux install, then changed the launch script to use the system node, and got this error:
I can confirm there's no libstdc++.so of any flavor in the libs folder, build-essentials omitted it, and gcc isn't on pkg to install it. Edit: I just extracted 3.10 with the script edited in the same way, and was able to launch it ok. |
Thanks for the notes @jwannebo! Right now we're recommending people install on Termux via 3.10 doesn't have issues because argon2 was adding in |
nodejs installs v16 which is not compatible. nodejs-lts currently uses v14.
Any updates? Should we open a ticket at Argon2 and mention this issue there? |
I just hopped onto the Argon2 repo and discovered something. Issue 317, ranisalt/node-argon2(don't want to mention it here because it might cause problems, idk but @jsjoeio what do you say? Linking our related Argon2 problems here? |
@im-coder-lg I don't have any updates yet but once we get 4.0.0 out, we can prioritize this! Thanks for linking those node-argon2 issues. We may have to switch away from node-argon2 but I don't want to make any decisions until we can investigate this further. |
node-rs now publishes an argon2 package. Might help here: https://github.com/napi-rs/node-rs/tree/main/packages/argon2 |
Yes, Feel free to try and give feedback! |
@jsjoeio can we test this on a separate branch? You can try building it(also can you tell hardware requirements for building code-server?) and sending a build to me over here(aarch64 please) and I'll test on Raspberry Pi with Ubuntu 21.10, what do you think? Also @yisibl can you tell us how to implement this over here? |
Amazing!
Will do! I wonder if it's as simple as replacing |
@im-coder-lg go for it!
I don't have a ton of bandwidth but if you give me some steps I can follow quickly, I can try building and sending to you! |
Wait wdym? Every build is done on a server? Any hardware requirements?
I don't know how to implement this yet, all of my devices are 4-8 GB. I have a nice bandwidth but no cloud server :( but if someone with a gaming-level/business-level computer could help us, that's be cool since a gaming machine would have atleast a minimum of 16 GB and a maximum of 32/64 GB of RAM, building would work flawlessly. |
@jsjoeio What other packages besides node-argon2 depend on
Lines 123 to 124 in 3d99998
|
Yes, the migration is very simple and the API is almost identical. const { hash, verify, Algorithm } = require('@node-rs/argon2')
export const hashPassword = async (password) => {
try {
return await hash(password, {
algorithm: Algorithm.Argon2id, // Default Value
})
} catch (error) {
console.log(error)
return ''
}
} |
@yisibl thanks for the code! @jsjoeio let's replace and test it? Maybe on a fork than here, what's your idea?
Hmm... What's your computer's RAM? It has to be kinda like 8-16 GB, that'd do some good. If you have a powerhouse machine with 16+ GB of memory, you could try building it on that. Are you telling that it's hard for you to clone the repo, that's why you said 'low bandwidth'? |
So, I started a Gitpod workspace and you added support for it?! That's extremely cool! |
Errors: Cannot find module '/workspace/code-server/vendor/modules/code-oss-dev/out/bootstrap-node' Require stack: - /workspace/code-server/out/node/util.js - /workspace/code-server/out/node/cli.js - /workspace/code-server/out/node/entry.js |
It's a file error. I will have to get that code. |
it's not here, but if we add that code, it might work. |
I believe it's just node-argon2 🤔 I looked at the VS Code requirements and don't see glibc so must just be that.
Easy then! |
Sorry, let me work with you on this in the next sprint or so! I have some other pressing things I need to do first, but when I start on this, I'll ping you and we can do it together :) |
When's it starting? If it's next week, maybe after 20th, I'll be decked up with everything for the test. |
@im-coder-lg I'm going to put together v4.0.2 milestone and start adding issues today. If you want, I can add it to that and that allocate some bandwidth to be around if you have questions while you're testing! |
Well, idk if I will have doubts, all I know of the tarball here is that you unzip it and execute the binary. If it works, I wil tell here. If it doesn't, I will try debugging more to get some insight on this. |
Sounds good! So I guess then what we need to do is:
|
Just noticed this, when are we gonna start? I'm a teenager and my holidays start on Thursday(Wednesday for you) so you could make the branch at that time, do the development and build and hopefully, I will test this by Sat/Sun IST. |
I'll see if I can get to this tomorrow or Wednesday which should give you enough time to help. Thank you for helping on your holidays! |
👍
No worries! I like something to keep me occupied during my free time. What'd the branch name be? |
Also(unrelated topic coming up!), I went to see the README, it has an extra comma beside the Coder link, it seems wrong to me, can you please inspect it? Also, since the Coder GitHub org changed the name from |
Also, we need to update all the |
@im-coder-lg that would be fantastic! |
Let me see if I can work on this this afternoon and get back to you! |
Alright I have a PR up. Once CI finishes, there will be a I'll add steps to the PR description for how to test. |
alr is the artifact ready? |
It's the new argon2's error. |
@im-coder-lg not yet. We'll have to check that PR again. I had to rerun the end-to-end tests |
I think this is happening again, any ideas on a fix? |
@im-coder-lg can you open a new issue? 🙏🏼 |
Yeah, will do so. But I want to get more info, so I'll post it by tonight(take IST, perhaps 8 pm here). |
We've had numerous reports of argon2 causing issues on Raspberry Pi and Linux (see here). We need to investigate
argon2
(repo here) to see if it's possible to build from source on those devices.I have a Pixel 2 with Termux so I can test there. Or we can spin up a dev environment on Coder that mimics Termux (Alpine Linux I think) or Raspberry Pi and test there.
If we can get
argon2
working, then we'll be able to unblock both Termux and Pi users of code-server.Special thanks to @im-coder-lg for all their help debugging this!
The text was updated successfully, but these errors were encountered: