Date: Sat, 20 Jul 2024 23:16:44 -0700 (PDT)
From: /dev /fd0 <alicexbtong@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core

Hi Peter,

I agree that handling of vulnerability reports could be improved, although I have fewer expectations from bitcoin core to acknowledge any feedback. Here are a few things that we can do to improve the process:

- Report vulnerabilities anonymously and share real identity with disclosure later if required.
- Send the email to achow101 or sipa or fanquake and keep security@bitcoincore.org in Cc.
- Let's create a hall of fame webpage which has the name of all developers who reported vulnerabilities along with other details. Community could also donate directly to developers.
- Do not expect response on weekends and wait for at least 7-30 days before full disclosure if vulnerability report is ignored.

Maybe you and others on mailing list could suggest more improvements.

/dev/fd0
floppy disk guy

On Saturday, July 20, 2024 at 3:12:46 PM UTC Peter Todd wrote:

> On Fri, Jul 19, 2024 at 10:57:40PM -0700, /dev /fd0 wrote:
> > Hi Antoine,
> >
> > > I'm interested if you can propose a formal or mathematical definition of what constitute
> > > an in-topic of off-topic comments on a matters like full RBF, which has been controversial
> > > for like a decade.
> >
> > I will quote _willcl-ark_'s last comment as I do not have enough
> > permissions in bitcoin core repository to moderate comments:
> >
> > "However the comments section here has become difficult to follow due to
> > numerous off-topic comments, a few personal disagreements, and repetition
> > of arguments. In the interest of having a more productive and focused
> > technical and philosophical discussion we are going to close and lock this
> > PR."
> >
> > A new pull request should help reviewers. If you do not agree with it, feel
> > free to discuss it with moderators in bitcoin core IRC channel.
>
> It's quite bizarre to use "off topic comments" as an excuse to close a pull-req
> fixing a specific security vulnerability, assuming you actually care about that
> vulnerability. As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some obvious
> ACK rationales.
>
> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org