[MacPorts] #43297: bitcoin - adopt mainstream binaries
MacPorts
noreply at macports.org
Thu Apr 10 01:22:16 PDT 2014
#43297: bitcoin - adopt mainstream binaries
--------------------------------+------------------------
Reporter: and.damore@… | Owner: easieste@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.2.1
Resolution: | Keywords:
Port: bitcoin, bitcoind |
--------------------------------+------------------------
Comment (by easieste@…):
Replying to [comment:2 and.damore@…]:
> Replying to [comment:1 easieste@…]:
> > For my use of BTC (and open source software under OS X in general), I
want to compile from the source for which I can verify PGP signatures.
>
> This despite the Bitcoin core request? This is a case where the
functionality of the network as a whole is affected by subtle
differencies.
I believe the Bitcoin core request is somewhat misguided: they need to
decide whether they want to develop as open source or not.
Satoshi Bitcoin is not the only peer running on the network: it is a
collaborative, evolving effort akin to bittorent. As such, bitcoin peers
need to be heavily defensive in their coding practices about sanitizing
their input. If you spend some time analyzing bitcoin peer traffic at a
network level, you will notice great deviations in format, some of which
is obviously (to me) attempts to force other peers to misbehave. This
will not change if Bitcoin Core forces "everyone" to use signed binaries.
From my experience (with its associated prejudice), it is much more likely
that someone will tamper with the "official binaries" rather than the
source. There have certainly cases of people injecting malicious code in
open source code, such as the code in the Linux kernel network drivers in
the late 90s that was disguised as assembly which responded to an
specifically crafted ICMP packet by listening on a port with a root shell.
This exploit went undetected for some 18 months, but I would argue that
its acceptance into the Linux kernel was a product of the Linux
community's (at that time) attitude/policy around patches. Such an exploit
has never been detected in FreeBSD, which has always had much more
"professional" attitude towards code submissions (and an official
"Security Officer"). So, obviously just because something is built from
open source does not guarantee that it is secore. But I believe that the
value in open source lies in a shared, agreed upon source that can be
hashed for verification, to produce binaries. Only from this model where
a sizable number of parties actually build and use the thing, we will
converge on greater security.
>
> > I use MacPorts specifically so I can share the work of maintaining
build infrastructure with other developers.
>
> The drawback of doing this is that in the case of the heartbleed bug the
0.9.1 upgrade would have been useless if the openssl port hadn't been
upgraded to 1.0.1g already. Even worse this could have given a false sense
of security.
I would have contributed to the upgrade of openssl under MacPorts. As
such, others in the MacPorts commit community beat me to updating the
port. I think the response time to the heartbleed bug strengthens my case
for running software compiled from source for which build recipes are
maintained in a distributed fashion.
>
> > You will need to audit the chain of trust for verifying the official
Bitcoin binaries.
>
> I don't like fetching the binary myself but this is a case where this
kind of request could actually make sense, and it comes from upstream core
developers team.
>
> Also the trust chain wouldn't be very different, the code is still
available and you'd be fetching a signed binary from one of the authors.
> That's the actual trust part you're giving and it's not any worse than
building a source tree without reading it but relying on it's openness as
a guarantee of trust.
The fact that the source is hashed, cryptographically signed, and run by
many parties is the game-theoretic part that makes open source *more*
trustworthy in the long run than running binaries.
>
> Another scenario could be a (bitcoin-mp, bitcoin) pair of ports or maybe
just a +macports variant providing the required flexibility to users
willing to build or to patch their client package. This would compromise
both requirements.
That's cool with me: as long as we leave a possibility of building the
Satoshi Bitcoin code from source in MacPorts, as that's what I will
contribute to maintaining.
--
Ticket URL: <https://trac.macports.org/ticket/43297#comment:3>
MacPorts <http://www.macports.org/>
Ports system for OS X
More information about the macports-tickets
mailing list