[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #101 from Suvayu --- (In reply to Simone Caronni from comment #99) > > In particular: > https://github.com/negativo17/bitcoin-core/commit/ > b2763c75931fbac5eebd4838ae549e642c2885bd Looks good +1 -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #100 from Eugene A. Pivnev --- Will be good to download fresh srpm. I build f34.rpm for myself (periodically) -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #99 from Simone Caronni --- Hey, thanks for all the help, but I think I solved it while making it an offline process for mock/koji. All changes that I will post for review are here: https://github.com/negativo17/bitcoin-core/commits/master In particular: https://github.com/negativo17/bitcoin-core/commit/b2763c75931fbac5eebd4838ae549e642c2885bd -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #98 from Suvayu --- (In reply to Simone Caronni from comment #96) > (In reply to Suvayu from comment #92) > > You can then verify with only this key. > > ...and it would require editing the asc file to remove all other signatures > or gpgv will complain anyway. I think the expectation is to filter for the key you are using to verify. So just grepping for the verified signature should be okay. $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys \ $(grep --color=never laanwj keys.txt | cut -d' ' -f1) $ gpg --verify SHA256SUMS.asc |& grep -C 2 'Good signature' gpg: Signature made Friday 10 September 2021 07:33:30 PM CEST gpg:using RSA key 9DEAE0DC7063249FB05474681E4AED62986CD25D gpg: Good signature from "Wladimir J. van der Laan " [unknown] gpg: aka "Wladimir J. van der Laan " [unknown] gpg: aka "Wladimir J. van der Laan " [unknown] Ideally failures should go to stderr, and success to stdout, but it seems both go to stderr. I wish gpg had an option to separate the failures (maybe there is, my quick look in the man page didn't turn up anything). Maybe this helps -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #97 from Suvayu --- I think you can use the GH public API: https://api.github.com/repos/bitcoin/bitcoin/releases Something like the following in a script should work; I'm using curl and python (no build dependencies) $ curl https://api.github.com/repos/bitcoin/bitcoin/releases > bitcoin-releases.json $ python >>> import json >>> with open("bitcoin-releases.json") as f: ... data = json.load(f) ... >>> data[0]["author"]["login"] 'laanwj' >>> data[0]["tag_name"] 'v22.0' If it's okay to add `jq` as a build dependency, you could also device a oneliner by piping the output of curl. Using the above JSON file, the following works: $ cat bitcoin-releases.json | jq '.[0]["author"]["login"], .[0]["tag_name"]' "laanwj" "v22.0" This does require network being enabled during the prebuild stage, does that match with how koji is setup? I would imagine it works, because downloading source tarballs is a common requirement. Hope this helps -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #96 from Simone Caronni --- (In reply to Suvayu from comment #92) > You can then verify with only this key. ...and it would require editing the asc file to remove all other signatures or gpgv will complain anyway. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #95 from Simone Caronni --- Well, on second thought this key might as well be revoked after a release and there is no .git information in the release tarball to derive it from, so anyway would need a prior script to execute before the build runs in koji/mock without network. I'll come up with something. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #94 from Simone Caronni --- (In reply to Suvayu from comment #92) > 2. I suggest you choose the person who signed and tagged the release. Very good idea! Thanks! -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #93 from Suvayu --- (In reply to Suvayu from comment #92) > $ cd bitcoin.git should be `$ cd bitcoin` -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #92 from Suvayu --- Hi Simone, Here's my suggestion: 1. the instructions on bitcoincore.org say "7. It is recommended that you choose a few individuals from this list who you find trustworthy and import their keys ..." 2. I suggest you choose the person who signed and tagged the release. To do that, you can do something like this: $ git clone https://github.com/bitcoin/bitcoin.git $ cd bitcoin.git $ grep --color=never $(git log -1 --format=%aL v22.0) contrib/builder-keys/keys.txt 71A3B16735405025D447E8F274810B012346C9A6 Wladimir J. van der Laan (laanwj) You can then verify with only this key. This should make the verification much simpler, what do you think? Cheers, -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #91 from Simone Caronni --- Basically verification requires at least one signature to be valid. I will pipe the output of a script like the one above and just grep for at least one occurrence of "^gpgv: Good signature from". This way, also in the future, after lots of revocations, as long as one of the signatures is valid the release can be verified, and the one "grepped" can also be different every time. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #90 from Simone Caronni --- Any idea how to solve it? - Editing SHA256SUM.asc to remove signatures with revoked keys involves prior manual work and then does not match the one included in the release folder. - Just checking all keys throws an error due to revoked keys. - Just checking one key throws an error due to missing keys (same as above). I think the best is to add a script like the one above and add a comment in the SPEC file on how to verify the signature and not actually check it. This means the package maintainer must do the proper due diligence before pushing sources to the lookaside cache. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #89 from Simone Caronni --- So here's the issue with the signature. 1- The tarball contains a file with all the PGP keys used to sign SHA256SUM (contrib/builder-keys/keys.txt). 2- The signatures are all in SHA256SUM.asc. 3- The keys can be on keyserver.ubuntu.com, keys.openpgp.org or both. 4- All keys need to be downloaded and put into the public keyring, or the signature verification fails (return code 2 instead of 0). 5- Some keys MIGHT be revoked when downloading them for the first time (which is the case now). So verifying signatures always fails with the bundled key file, to make it right someone needs to clean the SHA256SUM.asc files of all the signatures made with revoked files, which in the end does not match with what is downloaded. Steps to reproduce: tar -xzf bitcoin-22.0.tar.gz --strip-components=3 bitcoin-22.0/contrib/builder-keys/keys.txt rm -f bitcoin-22.0.gpg while read fingerprint keyholder_name; do gpg2 -q --no-default-keyring --keyring ./bitcoin-22.0.gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys ${fingerprint} gpg2 -q --no-default-keyring --keyring ./bitcoin-22.0.gpg --keyserver hkps://keys.openpgp.org --recv-keys ${fingerprint} gpg2 --no-default-keyring --keyring ./bitcoin-22.0.gpg --export --export-options export-minimal ${fingerprint} >> bitcoin-22.0-pubring.gpg done < keys.txt rm -fr keys.txt gpgv2 -q --keyring=`pwd`/bitcoin-22.0-pubring.gpg SHA256SUMS.asc SHA256SUMS -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #88 from Simone Caronni --- (In reply to Suvayu from comment #87) > (In reply to Simone Caronni from comment #86) > > Well not on bitcoin.org, but is live on bitcoincore.org: > > https://bitcoincore.org/en/download/ > > I believe bitcoincore.org is the canonical place maintained by core devs, > whereas bicoin.org is maintained by Cøbra Bitcoin and other contributors. > The key point is who controls the domain name. The releases are made > available on bitcoincore.org, which is mirrored on bitcoin.org at some > point. It has been this way for several years. The download link from the > github repo also points to bitcoincore.org. Good point, I've switched only to bitcoincore.org for all references in the SPEC file. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #87 from Suvayu --- (In reply to Simone Caronni from comment #86) > Well not on bitcoin.org, but is live on bitcoincore.org: > https://bitcoincore.org/en/download/ I believe bitcoincore.org is the canonical place maintained by core devs, whereas bicoin.org is maintained by Cøbra Bitcoin and other contributors. The key point is who controls the domain name. The releases are made available on bitcoincore.org, which is mirrored on bitcoin.org at some point. It has been this way for several years. The download link from the github repo also points to bitcoincore.org. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #86 from Simone Caronni --- Well not on bitcoin.org, but is live on bitcoincore.org: https://bitcoincore.org/en/download/ -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #85 from Simone Caronni --- Well, it's more complicated than it seems: https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys I need to download all of those keys in one GPG keyring and then verify the signatures inside the SPEC file. I'm thinking of adding a separate script and waiting until the official instructions go live: https://github.com/bitcoin-core/bitcoincore.org/commit/4bf8149e600ce9eb044dd0b87726e8341521883b Release 22.0 is not live yet on bitcoincore.org with the new instructions at the time of writing this. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #84 from Simone Caronni --- Sorry had some real life tasks that I had to deal with. Posting updated packages later today. Bitcoin release 22 (versioning change) has also a different tarball signature verification procedure, so I'm introducing that as well. I'll reply in the detail after. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #83 from Eugene A. Pivnev --- bitcoin-22.0 released -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #82 from Simone Caronni --- Will respond and continue during the week. Thanks. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #81 from Warren Togami --- (In reply to Warren Togami from comment #77) > Regarding bitcoin.service: > > Restart=on-failure > TimeoutStopSec=120 > TimeoutStartSec=60 > StartLimitInterval=240 > StartLimitBurst=5 > > There exists a corner case where "stop" can take significantly more time > than any amount hardcoded here. Force kill in that situation causes data > corruption and an even more time consuming recovery the next time indexing > begins again. I asked my engineers here if they came up with a better way to > detect a safe stop. PrivateTmp=true TimeoutStopSec=1200s TimeoutStartSec=5s # Fail when 10 tries within 1 minute fail (never) StartLimitInterval=60s StartLimitBurst=10 # Limit attempts to 1 per 10 seconds Restart=always RestartSec=10 This is what we've been using in prod here. We didn't find a more intelligent solution. Under normal operation it stops relatively fast but in rare situations it needs the extra time to cleanly shut down. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #80 from Warren Togami --- > E.g. I run bitcoind at one host (to store this huge database inplace) and use > bitcoin-cli in another hosts (without any bitcoin service). OK good point. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #79 from Eugene A. Pivnev --- (In reply to Warren Togami from comment #75) > Is there a benefit to 'utils' being a subpackage separate from `bitcoind`? > Many expect -cli to exist in order to manually send commands to their > bitcoind so it is unexpected for it to be installed separately IMO. > > I would expect the only reason to not ship them together is if it bloats a > minimal server with deps but that isn't the case? E.g. I run bitcoind at one host (to store this huge database inplace) and use bitcoin-cli in another hosts (without any bitcoin service). -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #78 from Eugene A. Pivnev --- (In reply to Warren Togami from comment #74) > * server vs core subpackage kind of bother me because while you don't use > bitcoind and bitcoin-qt simultaneously they are functionally identical. No. Bitcoind runs as service by 'bitcoin' user. Bitcoin-qt is running by ordinary user with his creditentials. PS. users that are not familiar with this system can run both of them and create two bitcoin services simultaneously but this is another question. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #77 from Warren Togami --- Regarding bitcoin.service: Restart=on-failure TimeoutStopSec=120 TimeoutStartSec=60 StartLimitInterval=240 StartLimitBurst=5 There exists a corner case where "stop" can take significantly more time than any amount hardcoded here. Force kill in that situation causes data corruption and an even more time consuming recovery the next time indexing begins again. I asked my engineers here if they came up with a better way to detect a safe stop. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #76 from Warren Togami --- The test suite is *excessively slow*. IMO we should not run these extensive tests during these builds. Upstream official builds do not. We developers should instead run these tests on the target platforms independently. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #75 from Warren Togami --- Is there a benefit to 'utils' being a subpackage separate from `bitcoind`? Many expect -cli to exist in order to manually send commands to their bitcoind so it is unexpected for it to be installed separately IMO. I would expect the only reason to not ship them together is if it bloats a minimal server with deps but that isn't the case? -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #74 from Warren Togami --- Points of Agreement: * Rename package to "bitcoincore" * Conflicts: bitcoin * Ask FESCO to disallow any package named "bitcoin". Advice: * EL7's boost is too old while EL8+ and Fedora are easy to support. Let's drop EL7 and documentation should say to use bitcoincore.org's builds on EL7. The plan to maintain a work-alike package suitable for upstream builds so this should be convenient enough for end-users. * How about rename the 'core' subpackage to 'qt' since that is what it contains? * bitcoin-wallet is actually a utility? It isn't a required part for the server to function. Hard Line: * The official supported file format of wallet.dat is db4. "./configure --with-incompatible-bdb" is named as such because it is not intended to be used by distributors. It exists as an unsupported option so the software is possible to use where db4 does not conveniently exist. I strongly advise against shipping an incompatible data format in a package that may be widely used as it will be an inevitable point of support confusion. The software should work identically when switching between Fedora or upstream's build. The only maintainable choice here is to ship exactly the db4 that upstream maintains and tests against within this package. Future Bitcoin Core will migrate to a different database but it will forever need to link to db4 to allow for automatic wallet migration. Regarding README.utils.redhat: "By default bitcoin-cli looks for configuration at /etc/bitcoin/bitcoin.conf. This must be readable only by users authorized to communicate with bitcoind." These binaries should behave the same as upstream's builds. The $HOME/.bitcoin/bitcoin.conf default path should remain supported so it behaves identically to upstream builds. I haven't tested if this isn't the case now. Other suggestions for further discussion: * server vs core subpackage kind of bother me because while you don't use bitcoind and bitcoin-qt simultaneously they are functionally identical. I don't know what to suggest about this. * The bitcoin.service file bothers me in that a single system service is one of many ways in which bitcoind is used. I'd prefer if it was a .service type that allowed for multiple admin "@" definable instances. There could also be a different .service file like "bitcoincore-homedir-service" that uses $HOME/.bitcoin as the datadir in the way many have already deployed the upstream binary? It is also my strong preference for the different types of .service files to be in their own subpackage. That would also help the above concern regarding a single hard-coded /etc/bitcoin/bitcoin.conf not being how many use this software. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #73 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #72) > Current package (0.21.0-4) _requires_ selinux subpackage. > So - no way to install bitcoin server without selnux. > What about 'Recommends' or 'Suggests'? Well it's requiring it only if the selinux-policy-targeted package is installed, otherwise not even suggesting it. I was using this guide which is still in draft: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy#Adding_dependency_to_the_spec_file_of_corresponding_package Do we have something a bit more up to date or official than this? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #72 from Eugene A. Pivnev --- Current package (0.21.0-4) _requires_ selinux subpackage. So - no way to install bitcoin server without selnux. What about 'Recommends' or 'Suggests'? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #71 from Simone Caronni --- (In reply to Warren Togami from comment #70) > * Fedora's package should be named "bitcoincore". It should conflict with > "bitcoin". This would allow a popular feature-fork "bitcoinknots" would have > the same binary and configuration files and would thus conflict with these > other names. Fine, I will make the necessary adjustments. > * Ask FESCO to disallow any package named "bitcoin". There are multiple > reasons for this including unexpected upgrade conflicts with ways it was > previously packaged. It is also convenient for distributors to entirely > sidestep political fights over what has the right to be called "bitcoin". Fine for me as well. > * Less important: Another upstream concern is the risk of old bitcoin > binaries in the wild when Fedora goes EOL. The simplest safeguard is to ship > a final RPM update before a Fedora release's EOL that simply removes the > binary. We would ask FESCO if they're OK with this. I think this solves nothing (someone could still avoid installing the updates, fetching an old package or we could just miss a release retirement because of a person being on holiday, etc. Same applies for manually installed binaries, there is no way to enforce that. If you want it I'm fine with that, but again I think it's completely useless. > FYI: Years ago the linked library dependencies were a terrible risk of > causing consensus failure. It was beyond hypothetical risk, it actually > happened to unmaintained clones who failed to heed CVE's. That previous risk > was mostly mitigated by the removal of openssl. Upstream aims to eventually > eliminate the boost dependency which would further reduce risk. In any case > the risk is low enough now that it might be OK to ship in downstream > distros. I'm fine with this as well and will try to keep it in sync as possible with these dependencies slated for removal. > Don't mistake this as endorsement. I intend for upstream to > distribute a reproducibly built RPM that would Epoch override the Fedora > package for those who prefer static libraries exactly as tested by upstream. > Upstream opposes automatic upgrades of Bitcoin Core so this would be a way > for Fedora users to opt-in to upstream's recommended deployment method. This > isn't Fedora's concern but just explaining the line of reasoning here. I'm willing to keep it updated / in sync with upstream for the time being, so we can ensure a smooth upgrade path for whoever wants to use official binaries. Count me in if you think I should contribute to the upstream's SPEC file and SELinux policies. I'm fine also in integrating Guix as conditionals in the SPEC file to allow building from the same SPEC file (e.g. hosted upstream, non-guix build in fedora, higher epoch and guix build upstream). Are you ok with these points? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #70 from Warren Togami --- I looked into packaging Guix for Fedora. It would be possible but difficult. For now I give up on the reproducible build goal as that is a problem that needs to be solved for the entire Fedora build system. These are my remaining recommendations to align best with upstream's intent. * Fedora's package should be named "bitcoincore". It should conflict with "bitcoin". This would allow a popular feature-fork "bitcoinknots" would have the same binary and configuration files and would thus conflict with these other names. * Ask FESCO to disallow any package named "bitcoin". There are multiple reasons for this including unexpected upgrade conflicts with ways it was previously packaged. It is also convenient for distributors to entirely sidestep political fights over what has the right to be called "bitcoin". * Less important: Another upstream concern is the risk of old bitcoin binaries in the wild when Fedora goes EOL. The simplest safeguard is to ship a final RPM update before a Fedora release's EOL that simply removes the binary. We would ask FESCO if they're OK with this. Thoughts? FYI: Years ago the linked library dependencies were a terrible risk of causing consensus failure. It was beyond hypothetical risk, it actually happened to unmaintained clones who failed to heed CVE's. That previous risk was mostly mitigated by the removal of openssl. Upstream aims to eventually eliminate the boost dependency which would further reduce risk. In any case the risk is low enough now that it might be OK to ship in downstream distros. Don't mistake this as endorsement. I intend for upstream to distribute a reproducibly built RPM that would Epoch override the Fedora package for those who prefer static libraries exactly as tested by upstream. Upstream opposes automatic upgrades of Bitcoin Core so this would be a way for Fedora users to opt-in to upstream's recommended deployment method. This isn't Fedora's concern but just explaining the line of reasoning here. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #69 from Simone Caronni --- Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-4.fc33.src.rpm * Wed Mar 10 2021 Simone Caronni - 0.21.0-4 - Fix build on RHEL/CentOS 8. - Adjust SELinux requirement for server subpackage. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #68 from Simone Caronni --- Separate SELinux policy package here: https://bugzilla.redhat.com/show_bug.cgi?id=1937302 -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Simone Caronni changed: What|Removed |Added Link ID||Red Hat Bugzilla 1937302 -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #67 from Simone Caronni --- Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-3.fc32.src.rpm * Wed Mar 10 2021 Simone Caronni - 0.21.0-3 - Remove requirements for utils subpackage in server subpackage. - Separate SELinux package in its own subpackage and use RPM rich booleans on Fedora and RHEL/CentOS 8+ to install the SELinux package if the base policy is installed. - Update server README. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #66 from Mattia Verga --- *** Bug 1020292 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #65 from Simone Caronni --- (In reply to Simone Caronni from comment #64) > (In reply to Eugene A. Pivnev from comment #59) > > Seems hardcoded selinux dependency not resolved. > > What about moving selinux things into -selinux subpackage? > > Replied here: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c9 Nevermind, saw a note in the package guidelines, will separate it from the main package. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #64 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #59) > Seems hardcoded selinux dependency not resolved. > What about moving selinux things into -selinux subpackage? Replied here: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c9 -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #63 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #61) > > %package server > > Requires: %{name}-utils%{_isa} = %{version} > > Really? Well, to interact with the daemon you require the cli, but is not strictly required per se. I've removed the requirement. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #62 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #60) > (In reply to Robert-André Mauchin 🐧 from comment #7) > > Also create a logrotate file for the log: > > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > > #_logrotate_config_file > > And this is not solved yet too. I replied here, not planning to change it at the moment: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c19 -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #61 from Eugene A. Pivnev --- > %package server > Requires: %{name}-utils%{_isa} = %{version} Really? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #60 from Eugene A. Pivnev --- (In reply to Robert-André Mauchin 🐧 from comment #7) > Also create a logrotate file for the log: > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > #_logrotate_config_file And this is not solved yet too. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #59 from Eugene A. Pivnev --- Seems hardcoded selinux dependency not resolved. What about moving selinux things into -selinux subpackage? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Warren Togami changed: What|Removed |Added Assignee|nob...@fedoraproject.org|wtog...@gmail.com -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #58 from Warren Togami --- > Yes, I know. But this doesn't automatically mean that Bitcoin Core developers > are right. Ethereum developers have radically different opinion, for example. Ethereum has had numerous emergency updates due to catastrophic errors through the years. Bitcoin has had significantly fewer emergency updates. You call this a difference of opinion. We call this wisdom. Let's not go deeper into the ideological debate. Regarding the bundled library argument I was unfair that I did not respond. I am well aware of the bundled library reasoning. I am among the people who wrote Fedora's packaging standards and zealously defended it years ago. There is more recently an exceptions process where bundled libraries are allowed in Fedora. Bitcoin Core through the years has been working towards progressively eliminating external library dependencies because they have been the source of most dangerous vulnerabilities. That being said the libraries that it continues to rely upon are carefully tracked by the upstream project. https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries Fedora now has a process to help keep track of bundled libraries. This package will follow these guidelines and anything else required by FESCO. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Warren Togami changed: What|Removed |Added Status|NEW |ASSIGNED --- Comment #57 from Warren Togami --- There were multiple misstatements of fact in what you wrote that I will not dissect here because this is the wrong forum for ideological debate between competitors. The only question here is if Fedora will follow Bitcoin Core upstream's safety recommendations. It was not possible in past years but now the toolchain is 99.99% ready. I'm working on this. Simone, I'm interested in collaborating with you. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #56 from Oleg Girko --- (In reply to Warren Togami from comment #55) > Oleg wrote: > > So far this threat is purely theoretical, there were no incidents related > > to that. > > This is incorrect. Some alt coins like PPC suffered exactly a catastrophic > fork because they disregarded warnings in this regard. I was not talking about minor altcoins with very low adoption rate. They suffer from more serious problems, like being vulnerable to 51% attacks. Also, they suffer from lack of developer resources and accumulate technical debt much quicker as a result. Hence, I'm not surprised that among thousands of altcoins you can find one that suffered because of this problem. You can find even more altcoins that suffered much worse problems because of bugs in their code anyway. > The diversity argument is counter to the opinion of among Bitcoin Core > developers. Yes, I know. But this doesn't automatically mean that Bitcoin Core developers are right. Ethereum developers have radically different opinion, for example. > Debating the diversity of implementations issue is not > productive here. I'm not debating diversity of implementations. I'm just using this argument to point to the fact that insisting on using particular versions of libraries is not an acceptable way to build reliable software. Unfortunately, it's becoming quite common mindset among developers: "I've tested my program with these particular versions of libraries, hence everyone should use them". Yes, this makes life easier for developers, but complicates life for everyone else. There is a good reason Fedora has a strong attitude against bundling of libraries. Upstream developers are usually not proficient enough to update all libraries they use in a timely manner. Maintainers of library packages are more proficient in this. If a remotely exploitable vulnerability is found in one of many libraries Bitcoin Core uses, it will take much more time for new version of Bitcoin Core to be released and packaged than for new version of this particular library packaged in Fedora. Very often Fedora gets patched package even before upstream releases a new version. Hence, if my argument about beneficial diversity is not enough for you, I have a much stronger argument: vulnerability in a bundled library. Remotely exploitable vulnerability is a true nightmare scenario for a cryptocurrency software, because it can lead to massive theft of funds. Unintended forks are just a nuisance compared to that. Even large-scale fork can lead just to temporary outage and increased time to reach consensus. Some transactions may be remaining in the mempool for a long time or even lost, so they have to be repeated later, but it's very unlikely that funds will be lost or stolen as a result. Single cases of double spend that can happen during an outage like this (that will be resolved when the fork is over anyway) are nothing compared to mass theft of funds. Considering a very minor fraction of nodes that will run Fedora-packaged Bitcoin Core, a theoretical fork involving these nodes will not be even large-scale. In worst case scenario, small percentage of nodes will be temporarily banned from the network until the problem is fixed. And probability of this is still lower than an unpatched vulnerability in a library Bitcoin uses. And packaging procedures in Fedora are well suited exactly to mitigate risks like this. > I ask that folks please defer to upstream Bitcoin Core > developer opinions on the wisdom and safety of how to ship Bitcoin Core in > downstream distributions. As a former Dash Core developer, I strongly disagree. Bitcoin Core deveopers' "wisdom" prevented Bitcoin Core client from being shipped in downstream distributions at all for 12 years already. > Simone wrote: > > I'm fine with your proposal, but the original bug report for the review is > > open since 2013, and apart high level things that should be done or not > > done I've not seen much from you on the topic. > > Upstream did not have a feasible build method until recently. I am sorry > this took so long. I also recognize this is extremely weird compared to the > normal way software is built in Fedora. The upstream developers felt so > strong about this that it was preferable to have no Bitcoin in the leading > Linux distros all these years. Now however we are close to a satisfactory > solution. I ask for a bit more patience. I don't think that building with all libraries bundled is satisfactory solution. At least, not for me. So, let's package Bitcoin Core client according to Fedora guidelines for now. However, I'm not against providing a bundled version as another option when it's available. I'm just against having this as the only option (and no option at all for quite a long time before it's available). Let users decide which slightly increased risk they prefer to take: minor fork and temporary ban or remotely exploitable v
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #55 from Warren Togami --- Oleg wrote: > So far this threat is purely theoretical, there were no incidents related to > that. This is incorrect. Some alt coins like PPC suffered exactly a catastrophic fork because they disregarded warnings in this regard. The diversity argument is counter to the opinion of among Bitcoin Core developers. Debating the diversity of implementations issue is not productive here. I ask that folks please defer to upstream Bitcoin Core developer opinions on the wisdom and safety of how to ship Bitcoin Core in downstream distributions. Simone wrote: > I'm fine with your proposal, but the original bug report for the review is > open since 2013, and apart high level things that should be done or not done > I've not seen much from you on the topic. Upstream did not have a feasible build method until recently. I am sorry this took so long. I also recognize this is extremely weird compared to the normal way software is built in Fedora. The upstream developers felt so strong about this that it was preferable to have no Bitcoin in the leading Linux distros all these years. Now however we are close to a satisfactory solution. I ask for a bit more patience. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #54 from Oleg Girko --- I think that threat of unintentional fork due to slightly different versions of system libraries is significantly exaggerated. So far this threat is purely theoretical, there were no incidents related to that. The problem fixed with BIP66 was caused not by variations of OpenSSL behaviour between different versions, but by using OpenSSL incorrectly in Bitcoin Core client. https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki Relying on specific implementation details of particular versions of libraries is harmful because it introduces undocumented implicit consensus rules nobody knows about. And requiring using one true build of a single client does not help at all, it just hides a ticking bomb until it explodes later. An incident with unintended hard fork when migrating Bitcoin Core client from BerkleyDB to LevelDB has shown this quite prominently. https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki Another lesson from this incident is that unintended forks caused by bugs in consensus rules do not cause catastrophic consequences and are resolved very quickly. And I'm pretty sure that they are beneficial in the long run because they fix hidden critical bugs that (also theoretically) can be exploited by malicious actors. Approach taken by Ethereum is much healthier. They not only don't require one true build of a single client, but they even encourage multiple client implementations. Consensus rules of Ethereum 2 beacon chain make using the most popular validator client riskier than less popular ones: more clients misbehave synchronously, bigger penalty they get. Of course, this doesn't guarantee from unintended forks caused by bugs of consensus implementation. But this causes most of these bugs to be caught early in testnet. Hence, building Bitcoin client with system libraries is only slightly riskier than using one true build, but this risk is very minor (and only theoretical so far), and this is acceptable risk. If Linux distributions adopt this approach, this will be beneficial in the long run because it will help to detect and fix bugs in consensus implementation earlier. I'm voting for adding properly built (using system libraries) Bitcoin Core client to Fedora and accepting minor risks caused by this for bigger benefit of Bitcoin ecosystem's diversity. And to show that I've already put my money where my mouth is, I use Dash Core client built the same way for almost 4 years without a single incident. https://obs.infoserver.lv/package/show/cryptocurrency/dash-core (Dash Core codebase is originally a fork of Bitcoin's one.) -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #53 from Simone Caronni --- First of all, I've been using these packages myself for years, but I'm all in for one that is fine by everyone, including your concerns. (In reply to Warren Togami from comment #52) > I did not appreciate how you closed Bug #1020292 and disregarded the > warnings written there. Out of respect I am not unilaterally closing this > bug. The original ticket has been closed according to guidelines and the original poster even jumped in, so respect or not, this does not give you any entitlement to close tickets arbitrarily. All you've written it's all nice but I'm not even sure if builds based on GUIX that don't follow guidelines are allowed in Fedora/EPEL. Have you checked that? If not, that as well would grant people to ignore your comments and just proceed. > Step #2 above is an opportunity to collaborate. I assigned one of my > engineers to work on this. We should collaborate on what exactly we want to > be in a bitcoincore RPM package. For example instead of your -server package > we may want to consider systemd service @ units as an official way to > configure and launch multiple nodes. I'm fine with your proposal, but the original bug report for the review is open since 2013, and apart high level things that should be done or not done I've not seen much from you on the topic. If you think the various components (guix etc.) are mature enough why don't you post a review for guix, a guix-based RPM or the parts that in your opinion are important? You can take over, I don't mind. I can take the reviews straight away if you're fine so we can get this sorted out. Even if the various components are not 100% ok like you said, already it's a start. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #52 from Warren Togami --- > For the 0.21 release something has changed in the boost code, so Boost as > provided by the base distribution in CentOS/RHEL 7 is no longer enough. I have a plan to fix this and more for RHEL7+ and Fedora in a uniform way. It might take a few weeks for this to be ready. I can explain it sooner if you would like to talk. Sorry for injecting myself into this after you've put half a year of work into this. You disregarded critical warnings in Bug #1020292 as to why packaging this is hazardous. There are risks you are not familiar with as to why historically none of the leading distros (Fedora, Debian, Ubuntu) have packaged Bitcoin Core. Tldr: Builds dynamic linked to system libraries have previously been vulnerable to catastrophic network divergence. Distribution packages wouldn't be dangerous if only a few people used it. But should they become the most common way of using Bitcoin Core then it would be a systemic risk. This was not only a hypothetical problem. BIP66 is one such historical example that could have been exacerbated by distro packages becoming the most common way to run Bitcoin Core full nodes. The safer way for downstream distributions to handle this not become possible until recent upstream work (Guix-related). There's three step needed to make this usable for Fedora/RHEL. 1) Guix-based deterministic builds of Bitcoin Core to become the official release process (replacing their previous Ubuntu-based Gitian). This work is now 99% complete. 2) Add rpmbuild to upstream's Guix build process. It would generate deterministic binary RPMS alongside their binary tarballs. https://salsa.debian.org/debian/guix/-/tree/debian/devel/debian https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org 3) Package Guix for Fedora much in the same way as Debian did it. This would allow us to have a known deterministic build system that is capable of building identical binaries. I did not appreciate how you closed Bug #1020292 and disregarded the warnings written there. Out of respect I am not unilaterally closing this bug. Step #2 above is an opportunity to collaborate. I assigned one of my engineers to work on this. We should collaborate on what exactly we want to be in a bitcoincore RPM package. For example instead of your -server package we may want to consider systemd service @ units as an official way to configure and launch multiple nodes. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #50 from Warren Togami --- https://salsa.debian.org/debian/guix/-/tree/debian/devel/debian I'm told this is how Debian packaged Guix. It appears to be a proper bootstrap starting from guile. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #51 from Warren Togami --- oops wrong ticket -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #49 from Warren Togami --- > - permissions of /etc/bitcoin folder (0750) too strict - ordinary users > cannot view conf You mean bitcoin.conf? You absolutely do not want other users to be able to read that. It can contains secrets. Overall I have concerns that this package shoehorns non-default config and datadir. This is not the "normal" way of using bitcoind. This package entering the repository could be a surprise to some with several external repo packages that people have installed in the past years. I wrote related concerns of packaging conflicts at https://bugzilla.redhat.com/show_bug.cgi?id=1020292#c45 > # FIXME This is less than ideal, but until dwalsh gives me a better way... Mitigating factor is if all the non-upstream-default stuff is in an optional subpackage. In your case -server does seem to self-contain the .service, selinux, non-default config and non-default datadir. If people want to use it in the upstream way they could install only the main package. (I have not fully reviewed if these things are fully contained in the -server subpackage.) > * Wed Jul 22 2020 Simone Caronni - 0.20.0-7 > - Use libdb 5.x instead of deprecated 4.x. Fixes build on RHEL/CentOS 8. Sorry please do not do this. Upstream strongly recommends against using DB5 for a reason. db4 is the official upstream wallet.dat format. They plan to migrate away from db4 to sqlite in the next year. Building against db5 is in the build system as only a convenience but it is strongly discouraged all these years because db5 wallet.dat is not supported by the upstream distribution, and it could leave users stuck without a supported migration path. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Warren Togami changed: What|Removed |Added CC||wtog...@gmail.com --- Comment #48 from Warren Togami --- Sorry I've missed this discussion. Please do not proceed with this package in Fedora until we've had a chance to speak. I am concerned that we have a long-term plan in line with upstream's recommendations. Concerned parties please contact me at warren on Freenode or wtog...@gmail.com. Let's schedule a meeting to discuss this. See historical discussion in Bug #1020292. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #47 from Simone Caronni --- (In reply to Oleg Girko from comment #45) > - Update to 0.21.0. For the 0.21 release something has changed in the boost code, so Boost as provided by the base distribution in CentOS/RHEL 7 is no longer enough. I'm struggling on how to make the build system consider -I%{_includedir}/boost169 both at %configure time and at make time. If I add the BOOST_CPPFLAGS I can pass configure but not the build, if I add it to CXXFLAGS or CPPFLAGS it breaks the configure detection (with or without BOOST_CPPFLAGS declared). Any hint? Everything is in the SPEC file above. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #46 from Simone Caronni --- Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-2.fc32.src.rpm * Wed Jan 20 2021 Simone Caronni - 0.21.0-2 - Update to 0.21.0. - Remove java build requirement. - Use local folder for test output. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #45 from Oleg Girko --- Everything builds OK if I remove java from build requirements. I've built updated packages with the following changes: - Update to 0.21.0. - Use /var/tmp instead of /tmp as tmpdirprefix for functional tests. - Remove java from build requirements. See https://obs.infoserver.lv/package/show/cryptocurrency/bitcoin for details. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #44 from Oleg Girko --- 1. Please add "--tmpdirprefix %{_tmppath}" to command line args of functional tests in "%check" section. By default, "/tmp" is used by tests for temporary data dirs, usually it's mounted as tmpfs, but some tests use quite large amount of space (like 7 or 8 gigabytes), so it can lead to test failures on systems with limited amount of memory. 2. What's the reason to include java as build requirement? -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #43 from Eugene A. Pivnev --- (In reply to Simone Caronni from comment #42) > Anyone up for review? And maybe help with the SELinux policy as well. I can review but just after selinux fix. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #42 from Simone Caronni --- Anyone up for review? And maybe help with the SELinux policy as well. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #41 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #40) > (In reply to Simone Caronni from comment #39) > > Keep in mind that now: > - bitcoins service does not covers DATA_DIR (/etc/sysconfig/bitcoin) with > "datadir=" variable from /etc/bitcoin/bitcoin.conf. > So if you want to move working data (~400GB) out from /var/lib you have to > edit right (and only) DATA_DIR Keep in mind that there is an SELinux policy that covers all these folders, so you would need to edit that as well. Let's say that if you have SELinux policies covering the specifics of a service you better think about it two times before shuffling things around. > - permissions of /etc/bitcoin folder (0750) too strict - ordinary users > cannot view conf > - permissions of bitcoind data folder (/var/lib/bitcoin if "out of box") too > strict too. Which is fine, as the former might contain the RPC password and the latter a wallet. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #40 from Eugene A. Pivnev --- (In reply to Simone Caronni from comment #39) Keep in mind that now: - bitcoins service does not covers DATA_DIR (/etc/sysconfig/bitcoin) with "datadir=" variable from /etc/bitcoin/bitcoin.conf. So if you want to move working data (~400GB) out from /var/lib you have to edit right (and only) DATA_DIR - permissions of /etc/bitcoin folder (0750) too strict - ordinary users cannot view conf - permissions of bitcoind data folder (/var/lib/bitcoin if "out of box") too strict too. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #39 from Simone Caronni --- House move, renovations, virus, work, kids, you name the issue. No time yet for looking at the SELinux policy. Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.1-2.fc32.src.rpm * Thu Nov 19 2020 Simone Caronni - 0.20.1-2 - Remove openssl/protobuf from build requirements. * Wed Oct 21 2020 Simone Caronni - 0.20.1-1 - Update to 0.20.1. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #38 from Simone Caronni --- Getting back to this over the weekend. I just moved and got back internet today. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #37 from marco --- > BuildRequires: openssl-devel > BuildRequires: protobuf-devel I believe neither of them are needed at all -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #36 from Simone Caronni --- I've tested with a few wallets and everything is fine, no conversion needed. Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-7.fc32.src.rpm * Wed Jul 22 2020 Simone Caronni - 0.20.0-7 - Use libdb 5.x instead of deprecated 4.x. Fixes build on RHEL/CentOS 8. Room for improvements: - Rework SELinux policy -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #35 from Simone Caronni --- Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-6.fc32.src.rpm * Tue Jul 21 2020 Simone Caronni - 0.20.0-6 - Update systemd unit. - Update configuration options. - Declared bundled libraries/forks. Room for improvements: - Rework SELinux policy - Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31 I've run out of procrastination items for the SELinux policy :D -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #34 from Simone Caronni --- I'll be away from the 25th of July for holidays until the 17th of August. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #33 from Simone Caronni --- (In reply to Björn Persson from comment #32) > Thank you for adding the signature verification, but you're still using HTTP > instead of HTTPS in URL and Source20 for no reason I can see. Just forgot it to change it in %url which get expanded in the Source20 line. Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-5.fc32.src.rpm More cleanups: * Tue Jul 21 2020 Simone Caronni - 0.20.0-5 - Use HTTPS for url tag. - Reorganize sources. Add cleaned files from the packaging repository directly; bash completion snippets are now supported in the main sources. - Move check section after install and include desktop file validating in there. Room for improvements: - Check hardening measures for the systemd unit (differences between the various distributions). Ex.: https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service#L53-L74 - Rework SELinux policy - Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31 -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #32 from Björn Persson --- Thank you for adding the signature verification, but you're still using HTTP instead of HTTPS in URL and Source20 for no reason I can see. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #31 from Simone Caronni --- Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-4.fc32.src.rpm * Sun Jul 19 2020 Simone Caronni - 0.20.0-4 - Fix tests on RHEL/CentOS 7. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #30 from Simone Caronni --- Thanks, I've added signature verification which is a bit from all comments above. The packaging guidelines are pretty clear about signatures, so: - Key is downloaded from the keyserver (as also suggested by upstream) and instructions are in the SPEC file. - Key is added to the Fedora SCM (aka it's in git). - Detached signed checksum is in the lookaside cache (aka it's in the sources file). - Since /usr/lib/rpm/redhat/gpgverify (aka %gpgverify) does not support signed sums files I've replaced it with gpgv2/sha256sum commands. I will also add the SHA256UM.asc file in the .gitignore file once approved so there is no chance that the hashed checksum gets into SCM and can only go into the lookaside cache. Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-3.fc32.src.rpm * Sat Jul 18 2020 Simone Caronni - 0.20.0-3 - Add signature verification. - Trim changelog. - Fix typo in the libs description. I will start working on the SELinux part hopefully soon (terribly busy in real life). -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #29 from Oleg Girko --- (In reply to Björn Persson from comment #28) > (In reply to Oleg Girko from comment #27) > > I think, the main PGP public key's checksum should be embedded into spec > > file and checked against to make sure all re-downloaded sources are correct. > > That wouldn't hurt. You would want a GnuPG command – or a series of commands > – to verify that the given keyring contains a key with the given > fingerprint, and also that it doesn't contain any other keys. Can you > propose such a command? Don't forget to ensure that GnuPG will look only in > the specified keyring even if the user has a default keyring. Something like this in %prep section: echo 123456789abcdef... %{SOURCE12} | sha256sum -c -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #28 from Björn Persson --- (In reply to Oleg Girko from comment #27) > What about those who want to re-build the package from the spec file I would recommend rebuilding from the source RPM package. Rebuilding from only a spec isn't possible in the general case. Many packages have patches, and sometimes there is no working URL to a source. Those will be missing if you try to rebuild from only the spec. > I think, the main PGP public key's checksum should be embedded into spec > file and checked against to make sure all re-downloaded sources are correct. That wouldn't hurt. You would want a GnuPG command – or a series of commands – to verify that the given keyring contains a key with the given fingerprint, and also that it doesn't contain any other keys. Can you propose such a command? Don't forget to ensure that GnuPG will look only in the specified keyring even if the user has a default keyring. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #27 from Oleg Girko --- (In reply to Björn Persson from comment #26) > (In reply to marco from comment #25) > > Source12 simply downloads the key from > > https://bitcoin.org/laanwj-releases.asc without checking the hash or > > fingerprint, so there is no way to detect changes. What am I missing? > > You're missing the fact that RPMbuild doesn't download anything and the Koji > builders are isolated from Internet access. All sources and patches are > taken from the Fedora Project's Git repository and lookaside cache, and > change only when a package maintainer uploads a new file. Our source file > verification policy says that the keyring shall be committed to Git: > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > #_source_file_verification > > The URL is there to document where the keyring came from, so that anyone can > download it and verify that it's identical to the one in Git. This looks too dependent on Fedora infrastructure. What about those who want to re-build the package from the spec file on their computer (and download all necessary sources using spectool)? What about those who want to re-build the package using OBS and download_files source service? I think, the main PGP public key's checksum should be embedded into spec file and checked against to make sure all re-downloaded sources are correct. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #26 from Björn Persson --- (In reply to marco from comment #25) > Source12 simply downloads the key from > https://bitcoin.org/laanwj-releases.asc without checking the hash or > fingerprint, so there is no way to detect changes. What am I missing? You're missing the fact that RPMbuild doesn't download anything and the Koji builders are isolated from Internet access. All sources and patches are taken from the Fedora Project's Git repository and lookaside cache, and change only when a package maintainer uploads a new file. Our source file verification policy says that the keyring shall be committed to Git: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification The URL is there to document where the keyring came from, so that anyone can download it and verify that it's identical to the one in Git. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #25 from marco --- > packagers must be very careful when a release-signing key changes Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc without checking the hash or fingerprint, so there is no way to detect changes. What am I missing? > To my slight surprise I found that the tarball from Github is identical to > the one on bitcoin.org (and on bitcoincore.org) I think this is only a coincidence for the 0.20.0 release. All other releases should not match, which is why I assumed the download sources are identical. > I don't see any statement that Hockeypuck has a solution to the spam attack Good point, personally I can recommend https://keys.openpgp.org/vks/v1/by-fingerprint/01EA5486DE18A882D4C2684590C8019E36C2E964, which claim to be resistant to those attacks ( https://keys.openpgp.org/about/faq#sks-pool ) Not sure, but keyserver.ubuntu.com might have solved the attack by disabling key updates, which could lead to problems should the key ever be revoked. Though generally, as long as the fingerprint matches, it should be possible to download the key from any source with reliable uptime. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #24 from Björn Persson --- (In reply to marco from comment #23) > If you fetch the key from the same website the binaries are taken from, > there is no security. Anyone replacing the binaries can trivially replace > the key. That would be true if the upstream project would generate a new key for every release, and also wouldn't sign their keys. When a new release is signed with the same key that the developers have been using for years, then that increases our confidence that it is from the same source as all the previous releases. When a key needs replacing, then the project can maintain continuity by signing the new key with the old key. We packagers must be very careful when a release-signing key changes, and not blindly replace the key like we replace a tarball. In this particular case you're also off the mark because my patched spec *doesn't* fetch the key from the same website as the binaries. To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org). If that's reliable, then we can improve security by fetching the tarball from Github and the signed checksum file from bitcoin.org or bitcoincore.org, and verifying them with the key we already have. An attacker will then have to acquire the secret key and compromise *both* websites before they can sneak malicious changes past the verification step. > Also, bitcoincore.org is the official download site (bitcoin.org is a mirror > site unrelated to the Bitcoin Core project). In that case the URL field in the package should also point to https://bitcoincore.org/en/about/. > The instructions recommend to fetch the key based on its fingerprint > (01EA5486DE18A882D4C2684590C8019E36C2E964). Hmm, they refer to keyserver.ubuntu.com, which runs Hockeypuck. I don't see any statement that Hockeypuck has a solution to the spam attack (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) that led to keys.fedoraproject.org being turned off (https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/message/COEYWJBQDAWRSYNQW7Y7TD2EKEGBWOAY/) in February this year. If it doesn't then you expose yourself to a denial of service when you fetch from the keyserver. In case somebody thinks that fetching a key from a keyserver is more secure than fetching it from the project's website: It's not, because anyone can write somebody else's name on a key and upload it to a keyserver. Only the fingerprint ensures that you get the right key, and someone who can replace files on the project's website can replace the fingerprint too. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #23 from marco --- If you fetch the key from the same website the binaries are taken from, there is no security. Anyone replacing the binaries can trivially replace the key. Also, bitcoincore.org is the official download site (bitcoin.org is a mirror site unrelated to the Bitcoin Core project). So I recommend to use the steps to verify from their download page: https://bitcoincore.org/en/download/ The instructions recommend to fetch the key based on its fingerprint (01EA5486DE18A882D4C2684590C8019E36C2E964). -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Björn Persson changed: What|Removed |Added CC||bj...@xn--rombobjrn-67a.se --- Comment #22 from Björn Persson --- Cryptocurrency wallets are very juicy targets for criminals, so it's paramount that you do everything you can to prevent and detect attempts to inject malware into the package. First, never use insecure HTTP if HTTPS is available. Second, verify upstream's signature before unpacking the tarball. Unfortunately they sign it in an indirect way that our handy verifier script doesn't expect. That makes the verification code a bit tricky, so I have written it for you. These are the changes you need to make: --- bitcoin.spec.old2020-06-30 12:57:18.0 +0200 +++ bitcoin.spec2020-07-06 15:48:51.656323998 +0200 @@ -7,9 +7,9 @@ Release:2%{?dist} Summary:Peer to Peer Cryptographic Currency License:MIT -URL:http://bitcoin.org/ +URL:https://bitcoin.org/ -Source0: http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source1:%{name}-tmpfiles.conf Source2:%{name}.sysconfig Source3:%{name}.service @@ -20,12 +20,16 @@ Source8:README.server.redhat Source9:README.utils.redhat Source10: README.gui.redhat +Source11: https://bitcoin.org/bin/bitcoin-core-%{version}/SHA256SUMS.asc +Source12: https://bitcoin.org/laanwj-releases.asc BuildRequires: autoconf BuildRequires: automake BuildRequires: boost-devel BuildRequires: checkpolicy BuildRequires: desktop-file-utils +BuildRequires: gnupg2 +BuildRequires: grep BuildRequires: java BuildRequires: libdb4-cxx-devel BuildRequires: libevent-devel @@ -76,7 +80,7 @@ may be used by third party software to provide consensus verification functionality. -Unless you know need this package, you probably do not. +Unless you know you need this package, you probably do not. %package devel Summary:Peer-to-peer digital currency @@ -126,6 +130,15 @@ need this package. %prep +gpgworkdir="$(mktemp --directory)" +# Decode the ASCII armor on the keyring. +gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg" --dearmor '%{SOURCE12}' +# Verify the signature on the checksums file using the decoded keyring. +gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg" '%{SOURCE11}' +# Verify the tarball using the checksums file minus the signature. +( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check --ignore-missing - ) +rm --recursive --force ${gpgworkdir} + %autosetup -a 4 -p1 mv packaging-*/debian/* contrib/debian/ -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #21 from Daniel Walsh --- Don't think you have to build multiple different SELinux policies, one should work on all variants. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #20 from Simone Caronni --- (In reply to marco from comment #17) > * In the spec file, what exactly is `Source4` used for? Contains some things related to packaging (icon, desktop menu, etc.). I might remove it entirely at some point. It's unpacked in the %autosetup macro: %autosetup -a 4 -p1 > * Is the package going to be made available in CentOS? If yes, on what > schedule is CentOS/RHEL going to update the package? Is there a chance that > EOL version are offered in the package manager? See > https://bitcoincore.org/en/lifecycle/ I'm planning to build it also on CentOS/RHEL 7+ (stuff is already in the spec file). I just plan to build the latest version. Maintaining minor releases of previous version in EPEL might be an option (ex. 0.20.1 in EPEL when 0.21 gets released in Fedora), but I don't really see the point honestly. Might be that at one point due to dependencies it's not possible to build the latest for EPEL, so in that case a maintained old release or bundling of some libraries could be an option. Regarding EOL releases, no, no plan to keep EOL releases alive. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #19 from Simone Caronni --- (In reply to Eugene A. Pivnev from comment #16) > (In reply to Simone Caronni from comment #10) > > (In reply to Robert-André Mauchin from comment #7) > > > Also create a logrotate file for the log: > > > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > > > #_logrotate_config_file > > > > A couple of notes here: > > > > - The log file after months of a running daemon is only 9.7 Mb, so I'm not > > sure there is really any benefit here. > > I think it is not matter how big is log file. > Let user to decide switch it off on demand. Exactly, but -shrinkdebugfile set to 1 automatically when in debug mode, the user will get truncated logs at restart. So in my opinion is better to disable the default shrinkdebugfile when turning on debug if we want to use logrotate. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #18 from Eugene A. Pivnev --- (In reply to marco from comment #17) > * Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core` > like in other package managers. E.g. https://snapcraft.io/bitcoin-core or > https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt I can try to answer this. * "bitcoin-core" includes bitcoind (bitcoin-server, but it is "client" of bitcoin network), bitcoin-utils (pure "client" as client) and bitcoin-qt ("server" as client + partially "client" as client all-in-one :-) * all of them are absolutely indepent from each another on runtime. So, this "-core" is not "core" and not includes runtime core (and this is big problem - it's impossible to select "-lib" from these tonns of code). And as for me I think current packaging (bitcoin => -server + -utils + -qt) is very logical. PS. in addition some of docs say "..then run bitcoin-core (they mean bitcoin-qt binary) and..." -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #17 from marco --- Some questions. * In the spec file, what exactly is `Source4` used for? * Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core` like in other package managers. E.g. https://snapcraft.io/bitcoin-core or https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt * Is the package going to be made available in CentOS? If yes, on what schedule is CentOS/RHEL going to update the package? Is there a chance that EOL version are offered in the package manager? See https://bitcoincore.org/en/lifecycle/ -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #16 from Eugene A. Pivnev --- (In reply to Simone Caronni from comment #10) > (In reply to Robert-André Mauchin from comment #7) > > Also create a logrotate file for the log: > > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > > #_logrotate_config_file > > A couple of notes here: > > - The log file after months of a running daemon is only 9.7 Mb, so I'm not > sure there is really any benefit here. I think it is not matter how big is log file. Let user to decide switch it off on demand. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #15 from Simone Caronni --- (In reply to Vit Mojzis from comment #14) > The Independent policy guide > (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all > you need in terms of packaging the policy. > As for the policy itself, please try to follow > https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using > "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC > denials are logged, but not enforced) and should therefore only be used for > debugging/testing. Ok, thanks for the info! -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Vit Mojzis changed: What|Removed |Added CC||vmoj...@redhat.com --- Comment #14 from Vit Mojzis --- The Independent policy guide (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all you need in terms of packaging the policy. As for the policy itself, please try to follow https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC denials are logged, but not enforced) and should therefore only be used for debugging/testing. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #13 from Simone Caronni --- (In reply to Robert-André Mauchin from comment #12) > - Could you follow the rules specified at > https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the > %pre/%post macros documented there? > > - See the post by DWalsh on the -devel ML: > https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/ > message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/ Ah, I was not aware of it. I will check, thanks! -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #12 from Robert-André Mauchin --- - Could you follow the rules specified at https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the %pre/%post macros documented there? - See the post by DWalsh on the -devel ML: https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/ -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #11 from Simone Caronni --- In the meanwhile, before changing anything for the logging: Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-2.fc32.src.rpm * Tue Jun 30 2020 Simone Caronni - 0.20.0-2 - Update Source0 URL. - Do not obsolete "bitcoin", just leave the provider for it. - Let the build install the man pages. - Make sure old post scriptlets run only on RHEL/CentOS 7. - Do not install static library and archive. - Be explicit with share object versions. - Use macros for more directories. - Use GCC 9 and not 7 to build on RHEL/CentOS 7. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #10 from Simone Caronni --- (In reply to Robert-André Mauchin from comment #7) > Also create a logrotate file for the log: > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > #_logrotate_config_file A couple of notes here: - The log file after months of a running daemon is only 9.7 Mb, so I'm not sure there is really any benefit here. - When enabling -debug on the daemon, the -shrinkdebugfile is automatically set to 1, so the log file is trimmed at startup. So I see two options: 1. Add -shrinkdebugfile=1 to the systemd unit, so the log file is also trimmed when NOT starting in debug mode 2. Add -shrinkdebugfile=0 to the systemd unit so the log file is never trimmed even when debugging and then add the logrotate file. I think solution 1 is better. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #9 from Simone Caronni --- (In reply to Robert-André Mauchin from comment #6) > Source0: > http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar. > gz Updated. > - Why does the core subpackage obsoletes the main package? Also for a > rename the Obsolete part must be fixed, to the release above the last > release of the obsoleted package. Long old gone thing, removed the Obsoletes. > - GZipping the man pages is handled by rpm, do not do it yourself: > > gzip %{buildroot}%{_mandir}/man1/$i.1 Missed it. Actually man pages are now installed automatically, so I removed the section entirely. > - This is only needed in EPEL7: > > %post core > /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : > > %postun core > if [ $1 -eq 0 ] ; then > /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null > /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : > fi > > %posttrans core > /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : > > Please put it behind a condition. Missed it, fixed. > - Do not package libtool archive. Static library are generally not > packaged, and, if really needed, must have their own static subpackage: > > %{_libdir}/libbitcoinconsensus.a > %{_libdir}/libbitcoinconsensus.la Disabled static library building and removed the local archive. > - In order to avoid unintentional soname bump, we recommend not globbing > the major SONAME version from shared library. Be more specific instead: > > %{_libdir}/libbitcoinconsensus.so.* Fixed. > - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir} > - /var/, %{_var} → use %{_localstatedir} > - /run → %{_rundir} Missed, all fixed. > - I know nothing about SELinux, I need to find another reviewer for this I will not separate the selinux policies from the main package. Many packages in the distribution require SELinux (ex. FreeIPA). It's not something that should be disabled, pretty much like the firewall. Testing now the above changes with 0.20, will post the updated src.rpm after all functional tests have run. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #8 from Simone Caronni --- Thanks for the feedback, updating the package now. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #7 from Robert-André Mauchin --- Also create a logrotate file for the log: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_logrotate_config_file -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Robert-André Mauchin changed: What|Removed |Added CC||zebo...@gmail.com --- Comment #6 from Robert-André Mauchin --- - Source0: http://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz → Source0: http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz - Why does the core subpackage obsoletes the main package? Also for a rename the Obsolete part must be fixed, to the release above the last release of the obsoleted package. %package core Summary:Peer to Peer Cryptographic Currency Obsoletes: %{name} < %{version}-%{release} Provides: %{name} = %{version}-%{release} - GZipping the man pages is handled by rpm, do not do it yourself: gzip %{buildroot}%{_mandir}/man1/$i.1 - This is only needed in EPEL7: %post core /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : %postun core if [ $1 -eq 0 ] ; then /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : fi %posttrans core /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : Please put it behind a condition. - Do not package libtool archive. Static library are generally not packaged, and, if really needed, must have their own static subpackage: %{_libdir}/libbitcoinconsensus.a %{_libdir}/libbitcoinconsensus.la - In order to avoid unintentional soname bump, we recommend not globbing the major SONAME version from shared library. Be more specific instead: %{_libdir}/libbitcoinconsensus.so.* - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir} - /var/, %{_var} → use %{_localstatedir} - /run → %{_rundir} - I know nothing about SELinux, I need to find another reviewer for this -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Eugene A. Pivnev changed: What|Removed |Added CC||ti.eug...@gmail.com --- Comment #5 from Eugene A. Pivnev --- Selinux* things must be optional. If user set "selinux=disabled" than he can remove most of *selinux* rpms from host. But your packages require to reinstall them again. Summary good job, I use this for last month ok (f30 x32, f32 x64). -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org
[Bug 1834731] Review Request: bitcoin - Peer to Peer Cryptographic Currency
https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #4 from Simone Caronni --- Thanks I will look at it. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component ___ package-review mailing list -- package-review@lists.fedoraproject.org To unsubscribe send an email to package-review-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org