Hi!
After adding default IPFS empty folder to denylist ipfs daemon is not able to start anymore:

ipfs  | 2023-07-12T11:05:55.613Z        INFO    nopfs   nopfs-kubo-plugin/plugin.go:59  Loading Nopfs plugin: content blocking
ipfs  | 2023-07-12T11:05:56.599Z        INFO    nopfs   [email protected]/denylist.go:165    Processing /data/ipfs/.config/ipfs/denylists/test-list.deny: test-list (test list for trying nopfs) by None
ipfs  | 2023-07-12T11:05:56.602Z        ERROR   core    core/builder.go:158     constructing the node: could not build arguments for function "reflect".makeFuncStub (reflect/asm_amd64.s:28): failed to build *mfs.Root: received non-nil error from function "github.com/ipfs/kubo/core/node".Files (github.com/ipfs/[email protected]/core/node/core.go:136): failure writing to dagstore: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is blocked and cannot be provided
ipfs  |
ipfs  | Error: constructing the node (see log for full detail): failure writing to dagstore: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is blocked and cannot be provided

configuration for the denylist:

name: "test-list"
---
/ipfs/QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn

As this CID is present in badbits lists - we cannot just download and use those lists as-is, we need to remove line with hash "//6fe4a9f9ee915120a76ac47bf396198b02a1457dd1234ab75b2c394ca8ef5779" before using it. Not sure if its a bug, or maybe some notification in the documentation about this could be enough.

Hi there!
Sorry if this is not the right place to ask about this.

I have a simple Python-based HTTP proxy created to block incoming request if the CID included in the request is in the badbits denylist (https://badbits.dwebops.pub/denylist.json).

The problem is that I don't know how to calculate the hash/multihash.
The indications in Badbits to calculate the hash is not enough for me.

The Bad Bits Denylist is a list of hashed CIDs that have been flagged for various reasons (copyright violation, malware, etc). Each entry is the hex-encoded result of applying SHA2_256 to a /<optional_path> string. This format is legacy and we are moving to support double-hashed mulihashes instead.

Please, could you help me with that?
Regards.

As it stands, the NoPFS library only supports reading the denylist format, but doesn't have any support for writing the denylist to a file. While most applications will only be reading the denylist, there are some that will need to write. It would be best to have both functionalities in the same library, to ensure correct round-tripping.

Hi, nopfs looks perfect for integrating bad bits. However, it's unclear to me how to install and use nopfs.

Thanks!

See how the code does not apply any blocking on sessions.
Theses are used by boxo/blockservice.NewSession when a session is used.

This also cause issues with new ContextWithSession feature because it's not possible to unwrap a nopfs blockservice and access the real one underneath (so the context value key becomes the nopfs blockservice which isn't what we want because nopfs doesn't do session redirection based on context).

We should do blocking on the blockstore.Blockstore and exchange.Exchange API arguments before they are passed to the blockservice.

Adding /ipfs/QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn (empty unixfs dir) bricks Kubo, daemon is unable to start:

2023-10-19T19:51:49.062+0200	WARN	nopfs	[email protected]/denylist.go:169	Opening /home/lidel/tmp/ttl-ipns-repo/denylists/text.deny: empty header
2023-10-19T19:51:49.063+0200	INFO	nopfs	[email protected]/denylist.go:170	Processing /home/lidel/tmp/ttl-ipns-repo/denylists/text.deny: text.deny (No header found) by unknown
2023-10-19T19:51:49.063+0200	DEBUG	nopfs	[email protected]/denylist.go:431	text.deny:1: IPFS rule. Key: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn. Entry: Path: (empty). Prefix: false. AllowRule: false.
2023-10-19T19:51:49.063+0200	DEBUG	nopfs	[email protected]/denylist.go:783	IsCidBlocked load: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn
2023-10-19T19:51:49.063+0200	DEBUG	nopfs	[email protected]/entry.go:38	check-path:  matches
2023-10-19T19:51:49.063+0200	ERROR	core	core/builder.go:158	constructing the node: could not build arguments for function "reflect".makeFuncStub (reflect/asm_amd64.s:28): failed to build *mfs.Root: received non-nil error from function "github.com/ipfs/kubo/core/node".Files (github.com/ipfs/kubo/core/node/core.go:136): failure writing to dagstore: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is blocked and cannot be provided

Error: constructing the node (see log for full detail): failure writing to dagstore: QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is blocked and cannot be provided

In practice, there is a short set of well-known empty CIDs that should never be blocked:

• empty unixfs directory
  • QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn
  • bafyaabakaieac (inlined)
• empty block
  • raw: bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku
  • inlined raw: bafkqaaa
  • dag-pb: QmbFMke1KXqnYyBBWxB74N4c5SBnJMVAiMNRcGu6x1AwQH
  • dag-cbor: bafyreigbtj4x7ip5legnfznufuopl4sg4knzc2cof6duas4b3q2fy6swua
  • dag-json: baguqeeraiqjw7i2vwntyuekgvulpp2det2kpwt6cd7tx5ayqybqpmhfk76fa

@hsanjuan thoughts? would it be feasible to keep a safelist that overrides denylists, or are we ok with the footgun? (feature, not a bug)

Tried to adjust a deny list with a python package through the open / write functions. Sometimes the plugin takes notice of the change, sometimes it does not. My code looks something like this (not proficient in Python by any means):

with open(os.path.expanduser(ipfsFilePath), "wt", encoding="utf-8") as ipfs_cids_file: ipfs_cids_file.write('\n'.join(list(map(lambda x: '//' + x, cids))) + '\n')

It has inconsistent behaviour both in deletion and in addition of cids.

How I'm testing the addition of new cids:

1. Upload the file to the GUI
2. Hash the file's CID with sha-256
3. Take hash and add it to the .deny file through the code above that runs in a python package
4. Check in GUI if I can pin the file
5. Sometimes it works, but most of the time it does not

I'm testing the deletion of cids in the same way, the only difference being that I run the ipfs daemon already having the hash inside the deny list (and it obviously does not allow me to pin the file), then I delete the line through the python code from the .deny list and I try again. Most of the time it still blocks it, even though the line was deleted.

The following are my thoughts on how to provide denylists so that they can be subscribed-to.

Server

• Using HTTP (poll), essentially an IPFS-gateway served file:
  • Lists are made available over an http endpoint.
  • Range requests are supported an accepted.
  • eTag (set to CID )and caching headers
  • I'd like to expand this to use Server Push / Notifications, but it is actually simpler and ok if clients check regularly and check e-tag to see if content changed.
• Using IPFS:
  • Denylist IPFS-host server publishes to pubsub topic denylist/<name>. Must be a signed message.
  • The message includes the CID of the latest version of the list. This is published every minute, or when it is updated.
  • The CID is the CID of the denylist which is a normal unixfs file (balanced chunking).
  • UnixFS files have support for seeking out of the box, and only the necessary blocks are downloaded when looking for specific bytes.

Client

• HTTP: Client polls for the file every minute using a ranged request starting at the last byte read. A head request can be done in advance to check eTAG and decide if a GET request is needed. New bytes are appended to the file on disk.
• IPFS: Client subscribes to pubsub topic. If a new CID comes in, we use unixfs to seek to the last byte read and then it is appended to the file on disk. The pubsub message can include more than the CID, for example a field to indicate if redownloading the full file and processing from the beginning is necessary.