From lf-lists at mattcorallo.com  Sun Aug 27 18:00:49 2023
From: lf-lists at mattcorallo.com (Matt Corallo)
Date: Sun, 27 Aug 2023 11:00:49 -0700
Subject: [Lightning-dev] Disclosure: Fake channel DoS vector
In-Reply-To: 
References: <54da586f-0c95-7988-13b7-c43dedbbb25a@mattcorallo.com>
Message-ID: <8b716653-ba95-32f9-1467-e8fceab31bc6@mattcorallo.com>

On 8/26/23 5:03 AM, Antoine Riard wrote:
> Hi Matt,
>
> > While you were aware of these fixes at the time, I'd appreciate it if you, someone who hasn't spent
> > much time contributing to LDK over the past two or three years, stop trying to speak on behalf of
> > the LDK project.
>
> While this statement is blatantly false and disregards all the review

You've definitely done some review for some subset of code, mostly the anchors code which was added not too long ago, but please don't pretend you've reviewed a large volume of the pull requests in LDK. As far as I understand, you have several other projects you focus heavily on, which is great, but that's not being a major LDK contributor.

> and robustness hardening
> landed during the last two or three years

In 2022 and 2023 you:

* landed a PR removing yourself from the security-reporting list (#2323, no idea why you're trying to speak for the project when you removed yourself!)
* fixed one bug in the anchors aggregation stuff before it was released (#1841, thanks!)
* made some constants public (#1839)
* increased a constant (#1532)
* added a trivial double-check of user code (#1531)

You've also, to my knowledge, never joined the public bi-weekly LDK development calls, don't join the lightning spec meeting, and don't engage in the public discord discussions where development decisions are made. This implies you absolutely don't have a deep understanding of all the things happening in the project, which makes you poorly suited to speak on behalf of the project. I'm not trying to pass judgement on whether you've contributed (you have! thanks for your contributions!), but only suggesting that if you don't contribute regularly enough to have a good understanding of everything going on, speaking on behalf of the project isn't appropriate.

> I would appreciate it from you in the conduct of your
> maintenance janitorial role to have more regard for the LDK users' funds security rather than a "move
> fast and break things" attitude.

While I know you feel like lightning at large isn't a protocol which takes security seriously, I think you're pretty far off base here. Getting lightning right is *hard*; as you well know, there are many, many, many ways it can go wrong. And we, like every other lightning software project, take that seriously, while also trying to ship features to make lightning broadly useful and usable (two things that it's historically not really been... because it's hard for many reasons beyond just security issues). If you followed LDK (and other lightning) development more closely, I think you'd have a greater appreciation for these things :).

> As such, and with in mind all open-source ethical rules, I'll keep speaking on the behalf of the LDK
> project when I see fit, whether you're pleased or not.

I'm really unsure what you mean here by "open-source ethical rules" - is it your opinion that you should speak for a project you don't really follow closely just because you think the people who do work on it a lot aren't doing a good enough job in your opinion? That seems incredibly strange to me.

Matt