1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
Return-Path: <aj@erisian.com.au>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 7D521C002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Aug 2022 03:09:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 43B4141C06
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Aug 2022 03:09:59 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 43B4141C06
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id H_pq7Z8rwBI4
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Aug 2022 03:09:58 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org D31F841B95
Received: from azure.erisian.com.au (azure.erisian.com.au [172.104.61.193])
by smtp4.osuosl.org (Postfix) with ESMTPS id D31F841B95
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Aug 2022 03:09:57 +0000 (UTC)
Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au)
by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian))
id 1oOsOO-0002wF-1p; Fri, 19 Aug 2022 13:09:54 +1000
Received: by sapphire.erisian.com.au (sSMTP sendmail emulation);
Fri, 19 Aug 2022 13:09:46 +1000
Date: Fri, 19 Aug 2022 13:09:46 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Prayank <prayank@tutanota.de>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <Yv7++q6o+dtR01gT@erisian.com.au>
References: <CAPv7TjbvRE-b33MeYucUfr6CTooCRSH42hwSn5dMiJ4LODATRQ@mail.gmail.com>
<MktnWM7--3-2@tutanota.de>
<qNjz-H23x07OJjnf5Try4Qp8l5s23SQxhEE8yAfNbrniN34u2vM72FVFSDJxHg4HNTL8tdcm-KKT8h6XVRwOwN0ZmckxzWiMlNFmLbMNuHc=@protonmail.com>
<MkwZGYl--7-2@tutanota.de>
<CAMnpzfrNZ0vpiMVoH=0KW9jy1-vppudX3D7Z+aXpSp4h_7s=zw@mail.gmail.com>
<Ml-IIuL--3-2@tutanota.de>
<CAAxiurb1_-p2yO8183MvB2x_i9H+WAo9t0RH85faRrrKz9YxGg@mail.gmail.com>
<202110032133.44726.luke@dashjr.org>
<sez9AuvBEnKKkLkJ4aivnaLJz5M5VFz3yTOdreTGmFb6RzwMv7h0dRFbEiB1_aup4Daw7t9YwlZKp2YvbgCu1fzym28cHhlzRVC3efmfBpE=@protonmail.com>
<MoojKWD--3-2@tutanota.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <MoojKWD--3-2@tutanota.de>
X-Spam-Score-int: -18
X-Spam-Bar: -
Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important
Bitcoin projects
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 03:09:59 -0000
On Thu, Nov 18, 2021 at 09:29:24PM +0100, Prayank via bitcoin-dev wrote:
> After reading all the emails, personally experiencing review process especially on important issues like privacy and security, re-evaluating everything and considering the time I can spend on this, I have decided to do this exercise for 3 projects with just 1 account. I have created a salted hash for the username as you had mentioned in the first email:
> f40bcb13dbcbf7b6245becb757777586c22798ed7360cd9853572152ddf07a39
> 3 Bitcoin projects are Bitcoin Core (full node implementation), LND (LN implementation) and Bisq (DEX).
> Pull requests will be created in next 6 months. If vulnerability gets caught during review, will publicly announce here that the project caught the PR and reveal the de-commitment publicly. If not caught during review, will privately reveal both the inserted vulnerability and the review failure via the normal private vulnerability-reporting channels. A summary with all the details will be shared later.
It's now been nine months since this email, but I don't believe
there's been any public report on this exercise. Does this mean that a
vulnerability has been introduced in one or all of the named projects?
Cheers,
aj
|
