References: <Zfg/6IZyA/iInyMx@petertodd.org> <012f89763cc336cd91eec13dccefc921@dtrt.org>
In-Reply-To: <012f89763cc336cd91eec13dccefc921@dtrt.org>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Wed, 27 Mar 2024 06:27:47 +0000
Message-ID: <CALZpt+HNiwie1RNJOi9WJs-F2=YSvFdwCDfdNDuTdUuSf_kTBg@mail.gmail.com>
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
To: "David A. Harding" <dave@dtrt.org>
Cc: Peter Todd <pete@petertodd.org>, bitcoindev@googlegroups.com

Hi Dave,

> Could you tell us more about the disclosure process you followed?  I'm
> surprised to see it disclosed without any apparent attempt at patching.
> I'm especially concerned given your past history of publicly revealing
> vulnerabilities before they could be quietly patched[1] and the conflict
> of interest of you using this disclosure to advocate for a policy change
> you are championing.

In defense of Peter, I don't think there is a low-hanging fruit that could
have been landed easily in Bitcoin Core. The most obvious ones could have been
a) to reduce `MAX_STANDARD_TX_WEIGHT`, or b) a new rule
`max_replacement_bandwidth`, or c) a new absolute-fee based penalty on
bandwidth replacement cost.

All hard to integrate in a covert fashion without attracting some attention
from the community, which would certainly ask why we're changing the marginal
bandwidth cost, potentially impacting unfavorably some use-cases.

Certainly, Peter's report could have integrated a disclosure timeline at the
example of CVE-2018-17144 [0], which I can recommend to anyone doing security
research or serving as a security point of contact in our field to follow.

I don't see the conflict of interest in the present disclosure? It is public
information that Peter is championing RBFR [1]. I'm not aware of any private
interest unfavorably influencing Peter's behavior in the conduct of this
security issue disclosure.

One of the established principles in infosec is that it's up to software
vendors to explain why their software is broken or why they are "lazy" fixing
issues, assuming sufficient technical proof has been initially communicated by
the reporter.

If you're dissatisfied by Peter's conduct in the handling of this disclosure,
you're welcome to author vulnerability reports or assume the role of
coordinating patching responses yourself more often, assuming you can be
reasonably trusted here.

Finally, in matters of ethics, talking as an external observer can be cheap
sometimes and it is best to "lead-by-example", imho.

Best,
Antoine

[0] https://bitcoincore.org/en/2018/09/20/notice/
[1] https://petertodd.org/2024/one-shot-replace-by-fee-rate


On Tue 26 Mar 2024 at 18:38, David A. Harding <dave@dtrt.org> wrote:

> On 2024-03-18 03:21, Peter Todd wrote:
> > [...] the existence of this attack is an argument in favor of
> > replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
> > that Bitcoin Core's existing rules *also* allow for free-relay in this form
> > makes the difference inconsequential.
> >
> > # Disclosure
> >
> > This issue was disclosed to bitcoin-security first. I received no
> > objections to making it public. All free-relay attacks are mitigated by the
> > requirement to at least have sufficient funds available to allocate to fees,
> > even if the funds might not actually be spent.
>
> Could you tell us more about the disclosure process you followed?  I'm
> surprised to see it disclosed without any apparent attempt at patching.
> I'm especially concerned given your past history of publicly revealing
> vulnerabilities before they could be quietly patched[1] and the conflict
> of interest of you using this disclosure to advocate for a policy change
> you are championing.
>
> -Dave
>
> [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016100.html
