Date: Thu, 4 Jul 2024 07:34:09 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <46a677b3-3838-4a2d-b8d3-8c0e05e4139dn@googlegroups.com>
In-Reply-To: <a9f31b7f-08c9-4ee0-97a0-1c8708ad5c63n@googlegroups.com>
References: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
 <a9f31b7f-08c9-4ee0-97a0-1c8708ad5c63n@googlegroups.com>
Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_302180_1785546436.1720103649782"

------=_Part_302180_1785546436.1720103649782
Content-Type: multipart/alternative; 
	boundary="----=_Part_302181_212545565.1720103649782"

------=_Part_302181_212545565.1720103649782
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Eric,

> Many other projects have been on the receiving end of this
> misperception, and it has in fact caused material harm to the community

Without getting into unnecessarily re-opening old wounds, if you have
examples of what has caused material harm to the community, it can be
interesting to share.
From experience with second-layers, as soon as you start to have many
codebases affected by a vuln, it's another kind of dynamics so good to
draw lessons.

> I don't know what precipitated this change, but props to you all for
> stepping up.

About the timing, among many factors, the bitcoin whitepaper assignment
legal issue is hopefully less a concern now so some competent people
have more time to handle that job of publicly disclosing security bugs.
In addition, the bitcoin open-source landscape has more resources (for
the best and worst) than 10 years ago. From sharing beers with Amir not
so lately, it wasn't that +10 years ago. I know he was kicked off from
the original sec list, though I'm not sure the reasons are well-known.

Best,
Antoine

On Thursday, 4 July 2024 at 02:13:15 UTC+1, Eric Voskuil wrote:

> > The project has historically done a poor job at publicly disclosing
> > security-critical bugs, whether externally reported or found by
> > contributors. This has led to a situation where a lot of users
> > perceive Bitcoin Core as never having bugs. This perception is
> > dangerous and, unfortunately, not accurate.
>
> I have to say this is one of the most compelling statements I've seen
> from the bitcoind/Bitcoin Core team in over 10 years. Many other
> projects have been on the receiving end of this misperception, and it
> has in fact caused material harm to the community. I don't know what
> precipitated this change, but props to you all for stepping up.
>
> Best,
> Eric
>

------=_Part_302181_212545565.1720103649782--

------=_Part_302180_1785546436.1720103649782--