Date: Fri, 01 Oct 2021 12:27:19 +0000
From: ZmnSCPxj
Reply-To: ZmnSCPxj
To: Prayank, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects
Good morning Prayank,

I think this is still good to do, controversial or no, but then I am permanently under a pseudonym anyway, for what that is worth.

> A few questions for everyone reading this email:
>
> 1. What is better for security? Trusting authors and their claims in PRs or a good review process?

Review, of course.

> 2. Few people use commits from unmerged PRs in production. Is it a good practice?

Not unless they carefully reviewed it and are familiar enough with the codebase to do so.

In practice core maintainers of projects will **very** occasionally put unmerged PRs in experimental semi-production servers to get data on it, but they tend to be very familiar with the code, being core maintainers, and presumably have a better-than-average probability of catching security issues beforehand.

> 3. Does this exercise help us in being prepared for the worst?

I personally believe it does.

Do note that in practice, humans, being lazy, will come to trust long-time contributors, and may reduce review for them just to keep their workload down, so that is not tested (since you will be making throwaway accounts).

However, long-time contributors introducing security vulnerabilities tend to be a good bit rarer anyway (reputations are valuable), so this somewhat matches expected problems (i.e. newer contributors deliberately or accidentally (due to unfamiliarity) introducing vulnerabilities).

I think it would be valuable to lay out exactly what you intend to do, e.g.

* Generate commitments of the pseudonyms you will use.
* Insert a few random 32-byte numbers among the commitments and shuffle them.
* Post the list with the commitments + random crap here.
* Insert vulnerability-adding PRs to targets.
* If it gets caught during review, publicly announce here with praise that their project caught the PR and reveal the decommitment publicly.
* If not caught during review, privately reveal both the inserted vulnerability *and* the review failure via the normal private vulnerability-reporting channels.

The extra random numbers mixed with the commitments produce uncertainty about whether or not you are done, which is important to ensure that private vulnerabilities are harder to sniff out.

I think public praise of review processes is important, and so is privately correcting review processes.

Review processes **are** code, followed by sapient brains, and this kind of testing is still valuable, but just as vulnerabilities in machine-readable code require careful, initially-private handling, vulnerabilities in review processes (being just another kind of code, readable by much more complicated machines) also require careful, initially-private handling.

Basically: treat review process failures the same as code vulnerabilities, pressure the maintainers to fix the review process failure, then only reveal it later when the maintainers have cleaned up the review process.

Regards,
ZmnSCPxj
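The commit-and-reveal bookkeeping from the list in the message above, as an added Python example that is not part of the original email: each pseudonym is committed to with a fresh 32-byte nonce, decoy random 32-byte values are mixed in and shuffled before publication, and anyone holding the published list can check a later decommitment. The function names and the sample pseudonyms are assumptions.

```python
import hashlib
import random
import secrets
from typing import Callable, Dict, List, Tuple


def commit(pseudonym: str, nonce: bytes) -> bytes:
    """Hash commitment H(nonce || pseudonym).

    The 32-byte random nonce matters: pseudonyms are low-entropy, so a bare
    H(pseudonym) could be recovered by guessing long before the reveal."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    return hashlib.sha256(nonce + pseudonym.encode("utf-8")).digest()


def build_commitment_list(
    pseudonyms: List[str],
    n_decoys: int,
    nonce_source: Callable[[int], bytes] = secrets.token_bytes,
) -> Tuple[List[bytes], Dict[str, bytes]]:
    """Return (published_list, private_decommitments).

    Real commitments and decoys are both 32 uniformly random-looking bytes,
    so the published list does not reveal how many pseudonyms exist, nor,
    after some reveals, how many remain unrevealed."""
    private: Dict[str, bytes] = {}
    published: List[bytes] = []
    for name in pseudonyms:
        nonce = nonce_source(32)
        private[name] = nonce
        published.append(commit(name, nonce))
    for _ in range(n_decoys):
        published.append(nonce_source(32))  # decoy: never decommitted
    random.SystemRandom().shuffle(published)  # destroy positional ordering
    return published, private


def verify_decommitment(published: List[bytes], pseudonym: str, nonce: bytes) -> bool:
    """Check a (pseudonym, nonce) reveal against the list posted earlier."""
    return commit(pseudonym, nonce) in published


def self_check(pseudonyms=("alice", "bob"), n_decoys: int = 3) -> dict:
    """Run one full round with constructed sample pseudonyms and report results."""
    published, private = build_commitment_list(list(pseudonyms), n_decoys)
    names = list(private)
    return {
        "list_len": len(published),
        "all_32_bytes": all(len(e) == 32 for e in published),
        "reveals_ok": all(verify_decommitment(published, p, n) for p, n in private.items()),
        "wrong_nonce_rejected": not verify_decommitment(published, names[0], private[names[1]]),
    }
```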