Yeah, I know. I assume thatās why they went with the _sk (secret key) _pk (public key) suffixes.
Run it in a container with ports closed. I think thatās pretty secure, more so than running the node.
The problem with hpool is that you have no idea what us in the key they generated. It potentially could contain your mnemonic although hpool claims it does not.
With flexfarmer you ate able to review the python script script that extracts the farmer_sk and confirm that it not leaks your mnemonic.
It was my understanding that signing a block only required the farmer_sk and not the master keys. Does flex farmer require to enter the mnemonic or master keys in order to function, or can you simply give them the farmer keys?
When he says āyour private keyā, itās singular, so Iām assuming itās farmer_sk, right?
Gene Hoffman: "But to get the farmer private key, the software has access to the master private key.ā
The software in this case it would seem is the open source program used to extract those keys.
From what ppl are saying it looks like this done on your pc, so the all important spend keys remain secure.
The Chia Devs occasionally visit ChiaForum to post when they feel it important.
I wish they would just come here and settle the facts and issue.
Iām really tired of defending their quotes.
You can get the farmer sk from the master keys, but you canāt get the master keys from the farmer sk. So if you only need the farmer_sk, and you give flexfarmer only the farmer_sk, that would be secure.
I wish they could clarify on that, because itās not clear at this point and we look like fools who canāt read code to get the answers ourselves
Same conversation with new peeps round and round.
Iām pretty much done with the issue until we have Chia clarification.
I doubt theyāll bother.
They have stated they donāt encourage / support closed source pools not using the official pool protocol iirc.
The opposite they donāt support pools using the reference code. It was meant as a reference.
Though yes they do prefer pools use the NFT pool protocol. Every one of which is generally closed source since you canāt check what they are running on the backend.
Well have to agree to disagreeā¦ you could be correct, but I feel not.
Its called the " Pool Reference V1" as in it was meant to be referred to not actually used.
The summary also states āWhile this is a fully functional implementation, it requires some work in scalability and security to run in production.ā as in its not meant to be run.
Genes response is accurate but ignoring the fact that there are two parts of the software:
1/ A python script that extracts the farmer private key from the master private key.
2 /The actual flexfarmer that uses the farmer private key to sign blocks on yor behalf.
1/ Is open source, you can verify that it does not do anything but extract the farmer private key.
2/ Is closed source and should not be trusted, but it does NOT have access to your master private key (assuming you are smart enough to not run it on the same machine as Chia).
@sargonas sorry to @you but could you please chime in and give a confirmation that this is true on a technical level ?
I agree.
I think Chia do not wish to disclose the basis of this security issue they have claimed. I also think they do not wish to point fingers, name names, or enter into public debate.
Chia says a third party client cannot sign your blocks, or really function at all, without access to your master private key.
Many have pointed out that the master private key is NOT provided to Flexpool.
If Chia is correct, then how does FlexFarmer gain access to the master private key that it needs to function?
I do not know the answer to this question.
I have initiated and responded too many times now and I have nothing useful left to contribute.
Waiting for Chia Inc to answer the question and/or FlexFarmer to open its code ā¦ Until then we will not have a definitive answer ā¦
Please read the entire thread and watch at least the first half of the AMA video before asking me about already covered topics. Iām in sleep mode on this topic anywaze, so donāt expect me to reply before Chia does or FlexFarmer opens its code.
Are you aware that there are multiple key pairs with Chia ? Unlike other cryptocurrencies where there is only one set of keys, with Chia you have wallet and farmer key (and the old āpoolā key which deprecated) that are derived from the master key (which is itself derived from the seed). See key architecture
It seems weāre discussing different things.
They may well not support reference pools.
However thatās not the statement i was referring to.
As someone who has never used flexfarmer, is it possible to give flexfarmer only the farmer_sk?
It would appear so ( 20 chrs )