1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
helo=mx.sourceforge.net)
by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <john.dillon892@googlemail.com>) id 1V3VbN-00062C-4F
for bitcoin-development@lists.sourceforge.net;
Sun, 28 Jul 2013 18:21:53 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of googlemail.com
designates 74.125.83.68 as permitted sender)
client-ip=74.125.83.68;
envelope-from=john.dillon892@googlemail.com;
helo=mail-ee0-f68.google.com;
Received: from mail-ee0-f68.google.com ([74.125.83.68])
by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1V3VbL-0003f3-A4
for bitcoin-development@lists.sourceforge.net;
Sun, 28 Jul 2013 18:21:53 +0000
Received: by mail-ee0-f68.google.com with SMTP id d41so1489654eek.3
for <bitcoin-development@lists.sourceforge.net>;
Sun, 28 Jul 2013 11:21:45 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.14.47.134 with SMTP id t6mr2069052eeb.141.1375035704933;
Sun, 28 Jul 2013 11:21:44 -0700 (PDT)
Received: by 10.223.12.131 with HTTP; Sun, 28 Jul 2013 11:21:44 -0700 (PDT)
In-Reply-To: <CAAS2fgR7evOkrTpX75EQgJzuDUBqGOKCAvWJR_5T64REOJmJ8A@mail.gmail.com>
References: <CANEZrP2GvgZP_1z3EoSs3p+db7tZB6JfEVAewLpGE5eRpGgR3w@mail.gmail.com>
<CAAS2fgT+GPgOtvvrjKozYc-Swqw-+HPcyZY5MbqvY9oEhiWRuA@mail.gmail.com>
<CANEZrP2hn3oXp4CU7-85vpSLc_3GGnRgfQNKDc+28jkB2DE2JA@mail.gmail.com>
<CAAS2fgR7evOkrTpX75EQgJzuDUBqGOKCAvWJR_5T64REOJmJ8A@mail.gmail.com>
Date: Sun, 28 Jul 2013 18:21:44 +0000
Message-ID: <CAPaL=UWsZ1xAgqSC==FzT3xEi1J6-qw4mYmnL0vycq5ipC0v7g@mail.gmail.com>
From: John Dillon <john.dillon892@googlemail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Spam-Score: -1.4 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(john.dillon892[at]googlemail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (john.dillon892[at]googlemail.com)
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1V3VbL-0003f3-A4
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Linux packaging letter
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sun, 28 Jul 2013 18:21:53 -0000
My signature:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Linux distribution packaging and Bitcoin
========================================
2013-07-23
This note summarises the dangers inherent in the Linux distribution
packaging model for Bitcoin, and forms a request from upstream
maintainers to not distribute Bitcoin node software as part of
distribution package repositories without understanding the special
requirements of Bitcoin.
Distributors typically unbundle internal libraries and apply other
patches for a variety of generally good reasons, including ensuring
that security-critical fixes can be applied once, rather than multiple
times for many different packages. In most cases, the common
distribution packaging policy has many advantages.
However, Bitcoin nodes are an unusual category of software: they
implement a complex group consensus in which every client verifies the
behaviour of every other exactly. Even an exceptionally subtle change -
including apparently harmless bugfixes - can cause a failure to reach
consensus. A consensus failure of one client is a security risk to the
user of that client. A significant number of nodes failing to reach
consensus - as happened in March 2013 due to a change in database
libraries[1] - is a critical problem that threatens the functionality
and security of the system for all users.
For this reason, it is _vital_ that as much of the network as possible
uses _unmodified_ implementations that have been carefully audited and
tested, including dependencies. For instance, if the included copy
of LevelDB in bitcoind is replaced by a system-wide shared library,
_any_ change to that shared library requires auditing and testing,
a requirement generally not met by standard distributor packaging
practices.
Because distributed global consensus is a new area of computer science
research, the undersigned request that distributors refrain from
packaging Bitcoin node software (including bitcoind and Bitcoin-Qt)
and direct users to the upstream-provided binaries instead _until they
understand the unique testing procedures and other requirements to
achieve consensus_. Beyond being globally consistent, upstream binaries
are produced using a reproducible build system[2], ensuring that they
can be audited for backdoors.
1. https://en.bitcoin.it/wiki/BIP_0050
2. http://gitian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBCAAGBQJR9WC5AAoJEEWCsU4mNhiPg6UH/2oHzBWBPaQMhH/GCTHQEi5U
7GSRfqwihIs/M2ROHLNq0HhgWR7mPAh5TTI6+tG95FCGCGNZq0seqw9wW4ZyGCoc
VueY51q4hcn23405oLD/QGK2lDxxywWY8XtFYVPqAzXTq6zRzgpNJkjoRtOAUOP7
3PrRkimYYyj0KrqFg+cEvZDT27dkeX+5PXM6Ua0o7h/TlhR2RJPhej5DI8cNLXgA
f0t+mES4Apb6zLgnEYYlPp22FR9vuFcJO3z1akhVL4DLUMqr58NYHLVnH1FH0Jhn
hVuld159QtCjQ5Qyn19cn86akTQJVi+ikCXqaKriCc2jBFX7TCI8WTDc6aSZpsQ=
=oX5d
-----END PGP SIGNATURE-----
|
