subject:"\[Bug 1020292\] Review Request\: bitcoin \- Peer\-to\-peer digital currency"

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #56 from Suvayu  ---
(In reply to Simone Caronni from comment #55)
> (In reply to Suvayu from comment #54)
> > Unless Fedora can
> > guarantee that the distributed binary will be identical to the upstream
> > binary
> 
> This can never happen. Libraries, compilers, etc. will be different. Based
> on the same logic there should be one and only Linux distribution that
> everybody uses.

Sorry, here I misspoke slightly.  With reproducible builds already merged
upstream, it should be possible to have binaries that are identical when built
on a specific Fedora release, see comment #45 through comment #47 (also I
linked to relevant resources in my original response).


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #55 from Simone Caronni  ---
(In reply to Suvayu from comment #54)
> Unless Fedora can
> guarantee that the distributed binary will be identical to the upstream
> binary

This can never happen. Libraries, compilers, etc. will be different. Based on
the same logic there should be one and only Linux distribution that everybody
uses.

> or at least Fedora infrastructure will provide sufficient
> information to the user such that they can verify the Fedora packaged
> binaries aren't compromised, Fedora should not be including this in the
> repo.  Events since 2017 have shown this is an important concern.

This can be guaranteed by the various chain of trust (builders, package
signatures, etc.) and is easily verifiable. Putting this under doubt means
saying the distribution can not be trusted at all and any binary/pacakge in it
can be compromised easily.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #54 from Suvayu  ---
If I may chime in, not an expert on Bitcoin, but I do follow some of the
technical discussion in the community.

As I understand it, security of the distributed binary is of utmost importance.
 I believe to that effect, upstream now builds its releases in reproducible
builds (some info might be here:
https://bitcoinops.org/en/topics/reproducible-builds/).  Unless Fedora can
guarantee that the distributed binary will be identical to the upstream binary,
or at least Fedora infrastructure will provide sufficient information to the
user such that they can verify the Fedora packaged binaries aren't compromised,
Fedora should not be including this in the repo.  Events since 2017 have shown
this is an important concern.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #53 from Simone Caronni  ---
(In reply to Michael Hampton from comment #2)
> I'm happy to co-maintain this, especially since you've based this on my
> previous work.

Please feel free to jump in and comaintain! Thanks.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Simone Caronni  changed:

   What|Removed |Added

 Status|NEW |CLOSED
 Resolution|--- |DUPLICATE
Last Closed|2013-10-22 09:35:04 |2020-05-12 10:10:22



--- Comment #52 from Simone Caronni  ---
Thanks!

*** This bug has been marked as a duplicate of bug 1834731 ***


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #51 from Juan Orti Alcaine  ---
Go ahead, no problem.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-05-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #50 from Simone Caronni  ---
I've been packaging the software for myself for a few years now, if there is no
answer to this ticket from the original poster I will re-create the review and
close this as a duplicate.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-04-30 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Petr Pisar  changed:

   What|Removed |Added

   Assignee|wtog...@gmail.com   |nob...@fedoraproject.org



--- Comment #49 from Petr Pisar  ---
This package does not seem to ready for the review.

Once the packager, last seen on 2016-04-27, comes with a suitable spec file,
Warren, or anybody else can start the formal review with assigning the review
to himself, setting a state to ASSIGNED, and setting fedora-review flag to "?".


-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2020-04-30 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Petr Pisar  changed:

   What|Removed |Added

 Status|ASSIGNED|NEW
 CC||ppi...@redhat.com




-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2019-10-16 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #48 from Tom "spot" Callaway  ---
Just a reminder, Fedora does not ship pre-built binaries. I honestly can't tell
if that's what you're advocating here or not.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2019-10-07 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #47 from Warren Togami  ---
https://github.com/bitcoin/bitcoin/tree/master/contrib/guix
The verifiable bootstrap and reproducibly built Bitcoin Core was merged a while
ago. Linux builds work great today but they are working to fix their Windows
and OS X cross compiled builds before the project switches to this method for
releases.

If people want this to be packaged into Fedora first we need to get its
buildsystem Guix accepted into Fedora. We might need FESCo approval for this or
later Bitcoin-specific steps.

https://copr.fedorainfracloud.org/coprs/lantw44/guix/
I have not tried this but somebody maintains it in COPR already.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2019-07-10 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #46 from Warren Togami  ---
https://youtu.be/I2iShmUTEl8
The above verifiable bootstrapping and reproducible toolchain is explained in
this video. I'm hoping it will become mature enough this year.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2019-02-14 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #45 from Warren Togami  ---
It took years but upstream Bitcoin is now approaching a satisfactory
replacement for the reproducible build problem.

https://github.com/bitcoin/bitcoin/pull/15277
This GNU GUIX based build system is a very minimal deterministic build
environment that results in a reproducible binary. It is meant to replace the
unverifiable, Ubuntu based Gitian build system. Once upstream is satisfied with
the stability of this approach then the upstream deterministic binaries is
exactly what we should ship in Fedora's RPM. Hypothetically the minimum core of
the build system could be packaged for Fedora so this can be built in the
Fedora build system resulting in an identical binary. This will take hopefully
a few months.

https://github.com/bitcoin/bitcoin/pull/12255/files
A different discussion we should have among the various RPM packagers of
Bitcoin is where the data directories should be. 10 days ago they changed
various paths in upstream's reference .spec file. We don't want Fedora shipping
a Bitcoin RPM to cause sudden surprises to people who had different paths from
other packages in recent years.

A few ideas to reduce risk:
* We should consider naming Fedora's package "bitcoincore" for those who want
exactly upstream's bit-for-bit identical distribution that also behaves in a
manner matching upstream documentation. It should conflict with "bitcoin". A
popular feature-fork "bitcoinknots" would have the same binary and
configuration files and would thus conflict with these other names.
* Also Fedora should disallow any package named "bitcoin". There are multiple
reasons for this including unexpected upgrade conflicts with ways it was
previously packaged and also convenient way in which to sidestep eternal
political fights over what has the right to be called "bitcoin".
* Another upstream concern is the risk of old bitcoin binaries in the wild when
Fedora goes EOL. The simplest safeguard to this issue is to ship a final RPM
update before a Fedora release's EOL that simply removes the binary.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-10-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #44 from Warren Togami  ---
OK thanks, I misunderstood what I was seeing.  I have not been keeping close
tabs on Fedora dev in recent years.

https://fedoraproject.org/wiki/Bundled_Libraries
It seems that we have some hope for packaging this in a way that would be
compatible with upstream's security concerns.  We now need to wait for the
deterministic toolchain, demonstrate how it works, and then proceed to get
approval for this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-10-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #43 from Simone Caronni  ---
(In reply to Warren Togami from comment #42)
> Hmm, looking deeper at the chromium.spec it appears that we actually mostly
> rely on Fedora's libraries, so this isn't a good point of comparison.

Am I missing something here? I see this in the chromium rpm:

bundled(NSBezierPath) = 1.0
bundled(SMHasher) = 0
bundled(angle) = 2422
bundled(bintrees) = 1.0.1
bundled(boringssl)
bundled(brotli)
bundled(bspatch)
bundled(cacheinvalidation) = 20150720
bundled(cardboard) = 0.5.4
bundled(colorama) = 799604a104
bundled(crashpad)
bundled(dmg_fp)
bundled(expat) = 2.1.0
bundled(fdmlibm) = 5.3
bundled(ffmpeg) = 2.6
bundled(fips181) = 2.2.3
bundled(fontconfig) = 2.11.0
bundled(gperftools) = svn144
bundled(gtk3) = 3.1.4
bundled(hunspell) = 1.3.2
bundled(iccjpeg)
bundled(icu) = 54.1
bundled(kitchensink) = 1
bundled(leveldb) = r80
bundled(libXNVCtrl) = 302.17
bundled(libaddressinput) = 0
bundled(libjingle) = 9564
bundled(libphonenumber) = svn584
bundled(libpng) = 1.6.22
bundled(libsrtp) = 1.5.2
bundled(libudis86) = 1.7.1
bundled(libvpx) = 1.4.0
bundled(libwebp) = 0.4.3
bundled(libyuv) = 1444
bundled(lzma) = 9.20
bundled(mesa) = 9.0.3
bundled(mozc)
bundled(mt19937ar) = 2002.1.26
bundled(ots) = 767d6040439e6ebcdb867271fcb686bd3f8ac739
bundled(protobuf) = r476
bundled(qcms) = 4
bundled(re2)
bundled(sfntly) = svn111
bundled(skia)
bundled(snappy) = r80
bundled(speech-dispatcher) = 0.7.1
bundled(sqlite) = 3.8.7.4
bundled(superfasthash) = 0
bundled(talloc) = 2.0.1
bundled(usrsctp) = 0
bundled(v8) = 4.5.103.35
bundled(webrtc) = 90usrsctp
bundled(woff2) = 445f541996fe8376f3976d35692fd2b9a6eedf2d
bundled(x86inc) = 0
bundled(xdg-mime)
bundled(xdg-user-dirs)
bundled(zlib) = 1.2.5

It bundles a lot of stuff that is already in Fedora.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-10-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #42 from Warren Togami  ---
Hmm, looking deeper at the chromium.spec it appears that we actually mostly
rely on Fedora's libraries, so this isn't a good point of comparison.

I think given the upcoming deterministic toolchain we can at least hopefully
look forward toward a COPR or maybe upstream yum/dnf repo.

There remains the concern that upstream is against automatic upgrades.  I don't
have a good suggestion for dealing with this issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-10-12 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #41 from Warren Togami  ---
Bitcoin is now getting close to building a self-hosted, general purpose
deterministic toolchain.  This toolchain will eventually be buildable from any
Linux distro, and using it in a controlled manner will allow building binaries
that are bit-for-bit identical no matter what Linux system you built it upon. 
I think this is the highest level of assurance we can realistically achieve in
guarding against potential compromise.

When this toolchain is ready we'll be able to separately package it in Fedora
and use it to build a Bitcoin RPM where the binary output could be identical to
binaries that we build elsewhere.  It could be compared to be similar in
concept to a cross-compilation toolchain.

Now it is a separate question if Fedora would allow special casing beyond the
normal packaging guidelines to allow for the use of such a different build
toolchain.

Another question is if Fedora will allow special casing to allow Bitcoin to
ship with its own static linked copies of libraries that it maintains
internally.  This is the only way it can achieve bit-for-bit determinism.

https://fedoraproject.org/wiki/Chromium
Historically Chromium was not allowed into Fedora because it relied upon Google
maintained internal copies of libraries, but it seems this was allowed into
Fedora August 2016.  Looking at the .spec it looks like Fedora must have
allowed it in as a special case, as it ships its own internal Google-maintained
libraries.  I wonder if they decided to just trust that the libraries
maintained by the vendor are well cared for.

So perhaps this a good sign that Fedora may allow this crazy package to be
built in a way that is compatible with upstream's security concerns.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list -- package-review@lists.fedoraproject.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-06-03 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #40 from Alexandre Franke  ---
Has upstream considered building and distributing a Flatpak of Bitcoin? That
would solve quite a few issues, including those exposed here.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-06-03 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Neal Gompa  changed:

   What|Removed |Added

 CC||ngomp...@gmail.com



--- Comment #39 from Neal Gompa  ---
It might be worth considering exclusively offering Bitcoin in an out-of-band
repository built somewhat differently. For example, perhaps building against
EL7 and using that build for all Fedora targets along with EL7. Since it uses
its own bundled crypto, I would suggest that's probably the best way to go. It
might even be worth working with upstream to provide fully deterministic builds
that would work for RPM based distributions, built from the Fedora
infrastructure.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-05-31 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #38 from Warren Togami  ---
A few upstream developers were alarmed to hear how quickly Fedora releases are
EOL'ed.  This is of concern because it is hazardous for unmaintained versions
of Bitcoin to continue running after EOL.

There is a separate even bigger concern that it is very dangerous to have
automatic updates of Bitcoin software.  Does Fedora infrastructure have options
to further lock down the ability of insiders or hackers to push a trojan
through the update process?  The scenario of a compromised auto-update leading
to millions of dollars of losses is not a trivial risk when the incentive is
very high.

For reasons like this Ubuntu and Debian do not distribute Bitcoin at all.

Upstream goes through extreme effort to build deterministic, bit-for-bit
reproducible binaries that are verifiable as being identical to what others can
build as added protection against the possibility of trojan distribution.  They
are now in favor of upstream adding both rpm and deb outputs to distribute
their existing deterministic binary.

So yes, upstream would strongly caution against Fedora distributing Bitcoin for
the above reasons.  If Fedora insists on shipping Bitcoin then let us discuss
how to mitigate the risks in ways like:

* Ship the upstream deterministic binary in an RPM.  This is very much against
Fedora policy but this is the safest and easiest to maintain option.
* Make the build of Bitcoin within the Fedora build system deterministic and
verifiable when compared to building it on an identical buildroot.
* Add additional safeguards to the update process to require a much higher
threshold of review including build determinism testing.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-05-31 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #37 from Sascha Spreitzer  ---
Please consider that in 0.12 the vital cryptograpic parts are shipped with the
source:

[..]
-rw-r--r-- root/root  1057 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/COPYING
drwxr-xr-x root/root 0 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/include/
-rw-r--r-- root/root  1014 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/include/secp256k1_ecdh.h
-rw-r--r-- root/root 25771 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/include/secp256k1.h
-rw-r--r-- root/root  4700 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/include/secp256k1_recovery.h
-rw-r--r-- root/root  8302 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/include/secp256k1_schnorr.h
-rw-r--r-- root/root   322 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/libsecp256k1.pc.in
-rw-r--r-- root/root  3521 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/Makefile.am
-rw-r--r-- root/root 61657 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/Makefile.in
drwxr-xr-x root/root 0 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/
-rw-r--r-- root/root   944 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/basic-config.h
-rw-r--r-- root/root  1576 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_ecdh.c
-rw-r--r-- root/root  1726 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench.h
-rw-r--r-- root/root 12623 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_internal.c
-rw-r--r-- root/root  2022 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_recover.c
-rw-r--r-- root/root  2462 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_schnorr_verify.c
-rw-r--r-- root/root  1594 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_sign.c
-rw-r--r-- root/root  2437 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/bench_verify.c
-rw-r--r-- root/root  1172 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/ecdsa.h
-rw-r--r-- root/root 10247 2016-01-01 01:00
bitcoin-0.12.1/src/secp256k1/src/ecdsa_impl.h
[..]

Thus bitcoin is now safe for packaging for distributions? Please raise this to
the FESCo.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-05-07 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #36 from Warren Togami  ---
A few of the upstream Bitcoin Core project requests that Fedora reconsider
shipping any Bitcoin package at all.  It is notable that Debian does not, and
Ubuntu stopped shipping a bitcoin package a while ago.  Upstream has a new plan
to address the needs of the leading deb and rpm distros that significantly
reduces security risk for both the Linux distributions and the users.  I will
be bring the reasons to FESCo as this is not a normal situation after the new
plan has been implemented in code.  Sorry for the delays.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-04-27 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #35 from Juan Orti  ---
(In reply to Sascha Spreitzer from comment #34)
> Like to ask whether I can take over the maintainership of this package?

Sure. Thank you.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2016-04-27 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #34 from Sascha Spreitzer  ---
bitcoin (core) > 0.12 is released

Like to ask whether I can take over the maintainership of this package?

When you are reviewing this spec, please take a closer look on the crypto part.
Please also take a look on the daemon part as I dont feel fully comfortable
about the %pre and %post steps. As well as that their maybe should be a daemon
default config file?

Spec URL:
https://raw.githubusercontent.com/sspreitzer/bitcoin-specs/master/bitcoin.spec
SRPM URL:
https://kojipkgs.fedoraproject.org//work/tasks/1826/13821826/bitcoin-0.12.1-2.fc23.src.rpm
Description:
Bitcoin is an experimental new digital currency that enables instant
payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer
technology to operate with no central authority: managing transactions
and issuing money are carried out collectively by the network. Bitcoin Core
is the name of the open source software which enables the use of this currency.

Fedora Account System Username: sspreitz

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/package-review@lists.fedoraproject.org

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-11-16 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #32 from Bill McGonigle  
---

> the binary output packaged must be identical when built by anyone. 

Are we having Fedora-level problems where this isn't always true?  I'm used to
comparing md5sums when locally building to verify security-related packages. 
Not super-recently, though; wondering if there's been breakage. We had issues
dealing with ugly buildroots on CentOS 6, but I thought this was all straight
at this point.

> There are other challenges in the build that will require discussion with 
> FESCo.

can you outline those here?  We have folks on this bug who can help work those
in parallel.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-11-16 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #33 from Warren Togami  ---
>> the binary output packaged must be identical when built by anyone. 
> Are we having Fedora-level problems where this isn't always true?

When using mock to build a clean buildroot, given a set of N-V-R's the binary
output must be identical as the same package built in an identical buildroot. 
This would require build-time hacks beyond the usual 

>> There are other challenges in the build that will require discussion with 
>> FESCo.
> can you outline those here?

A few examples:
* The official file format of the wallet.dat is BDB4.  For this reason it MUST
build against libdb4-devel.  It appears this is fine in Fedora, but RHEL7 ships
only libdb4 without the -devel package, so we'd need an exception for EPEL.
* The leveldb/ directory of the source is a Bitcoin-specific fork of leveldb. 
Upstream leveldb is abandoned as a project, and leveldb is consensus critical
so it is unsafe to link it to an general distribution library maintained in a
separate package that could differ from leveldb used by non-Fedora Bitcoin
nodes.  FESCo would need to approve Bitcoin shipping its own fork of leveldb
that is static linked in Bitcoin itself.
* libsecp256k1/ directory of the source is another consensus critical library
static linked in Bitcoin.  FESCo must just allow Bitcoin to maintain and ship
its own internal components, especially these components that are shipped in
the Bitcoin source itself because they are consensus critical.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-11-15 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #31 from Warren Togami  ---
https://fedoraproject.org/wiki/BITCOIN
See packaging and security notes

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-09-24 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #30 from Warren Togami  ---
http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-September/011182.html
Release schedule for Bitcoin Core 0.12

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-09-02 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Warren Togami  changed:

   What|Removed |Added

  Flags|needinfo?(wtog...@gmail.com |
   |)   |



--- Comment #29 from Warren Togami  ---
Sorry for the delay.  Long story short, upstream Bitcoin recommends extreme
caution against shipping Bitcoin linked against the heavily patched openssl
that Fedora uses.  Upstream openssl has proven to be buggy and hazardous to
consensus due to unexpected behaviors on different architectures, and they do
not have the bandwidth to doubly check bug-for-bug compatibility with another
variant that is Fedora's openssl.

https://github.com/bitcoin/secp256k1
The next major release of Bitcoin within months will switch the consensus
critical portion of secp256k1 ECDSA signing and validation to a super optimized
and 2-year audited internal implementation that will be much safer.

The upstream recommendation is to HOLD on shipping Bitcoin in Fedora until the
new version is available.  The possibility of breaking the Bitcoin network due
to a large quantity of nodes having a subtly different rule is not only a
hypothetical problem.  The security issue recently fixed in BIP66 would have
been a way to break the network accidentally or intentionally.

There are other challenges in the build that will require discussion with
FESCo.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292
Bug 1020292 depends on bug 1021898, which changed state.

Bug 1021898 Summary: Enable curve secp256k1
https://bugzilla.redhat.com/show_bug.cgi?id=1021898

   What|Removed |Added

 Status|ON_QA   |CLOSED
 Resolution|--- |ERRATA



-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Itamar Reis Peixoto ita...@ispbrasil.com.br changed:

   What|Removed |Added

 CC||ita...@ispbrasil.com.br,
   ||j.orti.alca...@gmail.com
  Flags||needinfo?(j.orti.alcaine@gm
   ||ail.com)



--- Comment #21 from Itamar Reis Peixoto ita...@ispbrasil.com.br ---
is this time for a copr build ? 

anyone willing to take the review ?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Luke Macken lmac...@redhat.com changed:

   What|Removed |Added

 Whiteboard|NotReady|



--- Comment #20 from Luke Macken lmac...@redhat.com ---
The secp256k1 curve has now been enabled in our openssl package (#1021898), so
I think we can finally move forward with this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Juan Orti j.orti.alca...@gmail.com changed:

   What|Removed |Added

  Flags|needinfo?(j.orti.alcaine@gm |
   |ail.com)|



--- Comment #22 from Juan Orti j.orti.alca...@gmail.com ---
I'll have to refresh myself about this package, since I haven't looked at it
since a lot of time ago.

If someone wants to take over it, I'll be thankful, because I won't have many
free time in the near term. If some one is willing to take it, I can help
comaintaining.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #23 from Michael Hampton er...@ioerror.us ---
I'm happy to take this over (as I'm already building these anyway) but it'll be
a few days before I have something reviewable up, as I do want to test the new
OpenSSL version carefully before doing anything else. And it still needs a
FESCo exception for bundling libraries (mainly LevelDB), that needs to be taken
care of as well.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #24 from Warren Togami wtog...@gmail.com ---
I strongly suggest that I either take over the package or have last say in the
package review.  I work on the upstream project and yes, we have a number of
special security and safety hazard considerations that require discussion with
FESCO because it falls outside the ordinary rules of the packaging guidelines.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #26 from Michael Hampton er...@ioerror.us ---
There are actually several different test suites that should be run, which
validate various things. Some of them are non-obvious, some aren't enabled by
default, and some require downloading a separate test suite.

I've made a draft package (cutting out all the old EL6 stuff since we can't
build for it anymore) and I'll be submitting it here as soon as the openssl
build lands in updates-testing and I can do koji scratch builds. But all the
tests are passing for me locally.

I would be happy to pass off part or all of this work to Warren or another
Bitcoin Core developer. In fact I'm quite happy that upstream is so closely
involved; this is not a typical thing with most software projects. 

What is needed for a bundling exception is documented here:
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions

I would fill this out, but since upstream is involved I think it would be
better for an upstream developer to do it, as they'll be able to better make
the case for it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #25 from Bill McGonigle bill-bugzilla.redhat@bfccomputing.com 
---
I've been using Michael's packages for quite a while - +1. 

Fedora's model is to trust the packagers.  If there's not a 'make test'
validation suite then perhaps that can be fixed upstream.  We shouldn't treat
any software as magic and requiring particular people's blessings (not meant to
dissuade any potential packagers, of course).  If the upstream code is right
and the SPEC is right, the binary should work correctly (or one or both need
fixing).

I might well prefer to build from source anyway for a given mtune; if there's
ambiguity in the correctness of the build process that's going to be a large
problem for many users.

Warren - do you want to take lead on the FESCO ticket?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Warren Togami wtog...@gmail.com changed:

   What|Removed |Added

 Status|NEW |ASSIGNED
   Assignee|nob...@fedoraproject.org|wtog...@gmail.com
  Flags||needinfo?(wtog...@gmail.com
   ||)



--- Comment #27 from Warren Togami wtog...@gmail.com ---
Upstream has several major concerns about how to proceed here.  It is rather
complex to the point that I need to draft several pages and get them to review
it before approaching FESCo.

Please be patient and know that I am handling this.  This must not be rushed if
you want Bitcoin to be safe.  It matters that we get this right in how Fedora
and (and later EPEL) ships Bitcoin because a Fedora-specific bug could cause
the entire world to fail due to the peculiar and relatively new field of
consensus critical networks.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Warren Togami wtog...@gmail.com changed:

   What|Removed |Added

  Flags||needinfo?(wtog...@gmail.com
   ||)



-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-08-13 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Warren Togami wtog...@gmail.com changed:

   What|Removed |Added

  Flags|needinfo?(wtog...@gmail.com |
   |)   |



--- Comment #28 from Warren Togami wtog...@gmail.com ---
http://luke.dashjr.org/tmp/code/20130723-linux-distribution-packaging-and-bitcoin.md.asc
This was a 2013 note on the hazards of consensus.  This is not a mere
hypothetical, paranoid concern.  It consensus already broke once due to leveldb
in early 2013, and things got close to horribly wrong due to unexpected
behaviors or bugs in openssl.

http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009697.html

This is fixable and Fedora can feasibly ship Bitcoin safely.  We just need to
fully communicate the issues between upstream Bitcoin and FESCo and decide on
what we can do together.  More details forthcoming.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2015-06-29 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292
Bug 1020292 depends on bug 999584, which changed state.

Bug 999584 Summary: Packaged policy modules need a way to determine the 
selinux-policy version number
https://bugzilla.redhat.com/show_bug.cgi?id=999584

   What|Removed |Added

 Status|ON_QA   |CLOSED
 Resolution|--- |EOL



-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-12-28 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Christopher Meng cicku...@gmail.com changed:

   What|Removed |Added

 Whiteboard||NotReady



-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #13 from Gregory Maxwell gmaxw...@gmail.com ---
Please close. The OpenSSL RPM in Fedora has now been re-hobbled to only use
NIST endorsed curves (commit b3551463cafee86a63c60e294f754a8c5cddc37a), unlike
the initial w/ EC OpenSSL RPM, and thus stock Fedora is unsuitable for Bitcoin.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Bug 1020292 depends on bug 319901, which changed state.

Bug 319901 Summary: missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=319901

   What|Removed |Added

 Status|CLOSED  |ASSIGNED
 Resolution|ERRATA  |---



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Bug 1020292 depends on bug 319901, which changed state.

Bug 319901 Summary: missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=319901

   What|Removed |Added

 Status|ASSIGNED|CLOSED
 Resolution|--- |CURRENTRELEASE



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Bug 1020292 depends on bug 319901, which changed state.

Bug 319901 Summary: missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=319901

   What|Removed |Added

 Status|CLOSED  |ASSIGNED
 Resolution|CURRENTRELEASE  |---



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Bug 1020292 depends on bug 319901, which changed state.

Bug 319901 Summary: missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=319901

   What|Removed |Added

 Status|ASSIGNED|CLOSED
 Resolution|--- |CURRENTRELEASE



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Juan Orti Alcaine juan.o...@miceliux.com changed:

   What|Removed |Added

 Status|NEW |CLOSED
 Resolution|--- |CANTFIX
Last Closed||2013-10-22 05:35:04



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #14 from Vasiliy Glazov vasc...@gmail.com ---
Juan, can you add this package to rpmfusion repository? With needed ssl
additions.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #15 from Peter Lemenkov lemen...@gmail.com ---
(In reply to Vasiliy Glazov from comment #14)
 Juan, can you add this package to rpmfusion repository? With needed ssl
 additions.

I doubt that the package (along with its dependencies) of this complexity can
make it to RPMFusion. And I didn't say anything about the further state, and
support of the package there.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #16 from Juan Orti Alcaine juan.o...@miceliux.com ---
(In reply to Vasiliy Glazov from comment #14)
 Juan, can you add this package to rpmfusion repository? With needed ssl
 additions.

There should be available openssl-freeworld as a parallel installable library
first.
I think this bug should be reopened:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=2842

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Cesar Eduardo Barros ces...@cesarb.eti.br changed:

   What|Removed |Added

 Depends On||1021898




Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1021898
[Bug 1021898] Enable curve secp256k1
-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #17 from Gregory Maxwell gmaxw...@gmail.com ---
Please do not defame Bitcoin by sticking it in some freeworld repository and
suggesting that there is any patent concern unless you are willing to contact
me (in private, if you like) with the patent numbers in particular you are
concerned with.

The patent environments around the authentication we use has been carefully
reviewed and there are no known concerns.  If RedHat is interested in only
shipping NIST approved cryptography thats its decision to make, but please
don't use this decision to suggest that there is any patent concern with
Bitcoin. It's simply not true as far as anyone knows.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #18 from Bill McGonigle bill-bugzilla.redhat@bfccomputing.com 
---
CANTFIX is a silly resolution while bug 1021898 is open.  The real current
status of this bug is that there's a dependency on other unfinished work. 
Drama or distro politics doesn't belong in a bug tracker.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Peter Lemenkov lemen...@gmail.com changed:

   What|Removed |Added

 Status|CLOSED  |ASSIGNED
 Resolution|CANTFIX |---
   Keywords||Reopened



--- Comment #19 from Peter Lemenkov lemen...@gmail.com ---
(In reply to Bill McGonigle from comment #18)
 CANTFIX is a silly resolution while bug 1021898 is open.  The real current
 status of this bug is that there's a dependency on other unfinished work. 
 Drama or distro politics doesn't belong in a bug tracker.

Agree. Let's reopen it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-22 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Peter Lemenkov lemen...@gmail.com changed:

   What|Removed |Added

 Status|ASSIGNED|NEW



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-20 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Bug 1020292 depends on bug 319901, which changed state.

Bug 319901 Summary: missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=319901

   What|Removed |Added

 Status|ON_QA   |CLOSED
 Resolution|--- |ERRATA



-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #7 from Jeff Garzik jgar...@pobox.com ---

We have direct field experience[1], learned during the ongoing growth of this
$1.6 billion dollar system[2], that database is a particularly sensitive area,
and chose to bundle the database after discussion.

Further, we have seen packagers in other distros -- Debian -- unthinkingly
change out bundled libraries and patch bitcoin to the point where the software
simply did not work:  it would not validate the blockchain at all.

Few technologists have (1) experience with distributed consensus, and (2) have
worked on sotware that secures over $1 billion in money from counterfeiting. 
Details which need care are not readily apparent, if you are not already
familiar with this technology.

Bitcoin has been compared to avionics or medical device software.  You simply
/have/ to get all details right.  The consequences of failure are total loss of
bitcoin value for the user, or even worse, total loss of value for all users.

Like avionics or medical device software, component and module upgrades are
VERY carefully tested and staged, much more rigorously than yum -y upgrade

[1] https://en.bitcoin.it/wiki/BIP_50
[2] http://bitcoinwatch.com/

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Gregory Maxwell gmaxw...@gmail.com changed:

   What|Removed |Added

 CC||gmaxw...@gmail.com



--- Comment #8 from Gregory Maxwell gmaxw...@gmail.com ---
(Jeff said all that I think needed to be said on the consensus points, so I'll
leave that alone for the moment)

The patch bitcoin-0.8.5-libdb_path.patch is unnecessary. The build uses
BDB_INCLUDE_PATH for this purpose, and it appears to be set in the spec so I'm
not sure why this patch is there.

I don't think installing the debian example configuration is of any use. I'd
forgotten that was in contrib at all, and the system will not work with that
configuration alone in any case. (Though in principle I don't see anything
wrong with using it in principle, the one in the bitcoin codebase is outdated
and not useful).

The only thing that needs to be set for the daemon to actually be usable is the
rpcuser / rpcpassword settings, and rpcpassword should be set to a
cryptographically strong random value.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #9 from Juan Orti Alcaine juan.o...@miceliux.com ---
I have dropped the patch, qmake didn't get the environment variables, so I've
added them as arguments.

Spec URL: http://jorti.fedorapeople.org/bitcoin/bitcoin.spec
SRPM URL: http://jorti.fedorapeople.org/bitcoin/bitcoin-0.8.5-3.fc19.src.rpm

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #10 from Warren Togami wtog...@gmail.com ---
Regarding selinux ...

/etc/bitcoin(/.*)? 
gen_context(system_u:object_r:bitcoin_conf_t,s0)
/usr/bin/bitcoind   -- 
gen_context(system_u:object_r:bitcoin_exec_t,s0)
/var/lib/bitcoin(/.*)? 
gen_context(system_u:object_r:bitcoin_var_lib_t,s0)

1) Is this the only location where we want Bitcoin to have its configuration
and data files?  It is also very common for users to run it where all of this
stuff is in ~/.bitcoin/

2) bitcoin-qt (using the ~/.bitcoin) is unconfined?

3) Is it normal for packages to ship their own policy?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #11 from Warren Togami wtog...@gmail.com ---
Currently bitcoind is not well suited to operate as a system service.

The user's bitcoind as a RPC client could hypothetically operate to control the
system bitcoind, but that isn't true of the user's bitcoin-qt.  This makes
operating bitcoind as a system service confusingly disjunct from the user's
bitcoind and bitcoin-qt.  The user's bitcoind and bitcoin-qt are meant to
operate on the same data files and wallet while a system bitcoind.

bitcoin 0.9 is planned to have key improvements that make it more suitable to
use as system service.

Perhaps bitcoin 0.8 as packaged should ...

* Include a README.FEDORA in %doc explaining the current state of the package,
how it is meant to be used.
* The entire selinux policy design should be thought through carefully to be
able to handle the future expected uses of bitcoin.
* To handle today's normal use, the selinux policies should confine and permit
usage of the standard ~/.bitcoin directory in homedirs.
* Perhaps the selinux policy should additionally handle the system service
directories, even though it isn't commonly used yet.  Would that within the
same policy weaken protection of the system service?
* For now do not include the .service file.  That would misleadingly suggest
that running it as a system service is the normal method of operation.  Wait
until changes come in 0.9 then reassess the situation.
* Put the .service file in installed examples documented by README.FEDORA so
people know how to use the unsupported method of operation for now if they
really want it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-18 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #12 from Michael Hampton er...@ioerror.us ---
(In reply to Warren Togami from comment #10)
 Regarding selinux ...
 
 /etc/bitcoin(/.*)? 
 gen_context(system_u:object_r:bitcoin_conf_t,s0)
 /usr/bin/bitcoind   -- 
 gen_context(system_u:object_r:bitcoin_exec_t,s0)
 /var/lib/bitcoin(/.*)? 
 gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
 
 1) Is this the only location where we want Bitcoin to have its configuration
 and data files?  It is also very common for users to run it where all of
 this stuff is in ~/.bitcoin/
 
 2) bitcoin-qt (using the ~/.bitcoin) is unconfined?

The only real interest that I have had expressed to me with respect to an
SELinux policy was for securing it when running as a service. Nobody has yet
expressed interest in having a policy for the GUI client, though I think this
is a good idea anyway.

 3) Is it normal for packages to ship their own policy?

It's normal when there is no SELinux policy already existing upstream for the
package. For instance, see (possibly out of date)
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Ideally the policy should eventually go upstream into the reference policy/Red
Hat policy.

(In reply to Warren Togami from comment #11)
 Currently bitcoind is not well suited to operate as a system service.
 
 The user's bitcoind as a RPC client could hypothetically operate to control
 the system bitcoind, but that isn't true of the user's bitcoin-qt.  This
 makes operating bitcoind as a system service confusingly disjunct from the
 user's bitcoind and bitcoin-qt.  The user's bitcoind and bitcoin-qt are
 meant to operate on the same data files and wallet while a system bitcoind.

It's been my experience that very few people who are interested in running a
system service also want to run the GUI client _on the same machine_. The usual
use case here is a service operator who wants his code to talk to bitcoind via
its API, and there's no GUI anywhere on the server. But, as you noted, bitcoind
isn't very well suited to run as a system service. The FHS compliance patch and
init script in my build address this, but not as well as could be done with
more extensive changes.

 bitcoin 0.9 is planned to have key improvements that make it more suitable
 to use as system service.

I am definitely looking forward to this.

 Perhaps bitcoin 0.8 as packaged should ...
 
 * Include a README.FEDORA in %doc explaining the current state of the
 package, how it is meant to be used.

This is a good idea and I'll put it in my next release.

 * The entire selinux policy design should be thought through carefully to be
 able to handle the future expected uses of bitcoin.
 * To handle today's normal use, the selinux policies should confine and
 permit usage of the standard ~/.bitcoin directory in homedirs.
 * Perhaps the selinux policy should additionally handle the system service
 directories, even though it isn't commonly used yet.  Would that within the
 same policy weaken protection of the system service?

The SELinux policy definitely needs more eyeballs. It's functional for what it
does though. But I expect it will need some perhaps significant work for the
0.9 changes you alluded to, so I want to look at how 0.9 is shaping up first.

 * For now do not include the .service file.  That would misleadingly suggest
 that running it as a system service is the normal method of operation.  Wait
 until changes come in 0.9 then reassess the situation.
 * Put the .service file in installed examples documented by README.FEDORA so
 people know how to use the unsupported method of operation for now if they
 really want it.

This is a problem because if we don't install the init script, we can't update
it later except by overwriting the user's manually installed init script. (And
I want to switch this out for a systemd unit file soon, which would still be a
pain for users to manually install. This will almost certainly wait for 0.9.)
And if we remove it, then existing installations break after updating. Bad news
both ways.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Juan Orti Alcaine juan.o...@miceliux.com changed:

   What|Removed |Added

 CC||tcall...@redhat.com
 Depends On||319901, 999584



--- Comment #1 from Juan Orti Alcaine juan.o...@miceliux.com ---
I submit this package now that EC crypto has been enabled in Fedora.
Co-mantainers are welcomed!


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=319901
[Bug 319901] missing ec and ecparam commands in openssl package
https://bugzilla.redhat.com/show_bug.cgi?id=999584
[Bug 999584] Packaged policy modules need a way to determine the
selinux-policy version number
-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Michael Hampton er...@ioerror.us changed:

   What|Removed |Added

 CC||er...@ioerror.us



--- Comment #2 from Michael Hampton er...@ioerror.us ---
I'm happy to co-maintain this, especially since you've based this on my
previous work.

One big problem that is not resolved here is that Bitcoin ships a bundled copy
of leveldb, and this needs to be dealt with. This is harder than it looks:
Bitcoin uses code from leveldb that Fedora does not currently ship, so leveldb
is going to need to be changed first.

I'll do a full review later.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292

Warren Togami wtog...@gmail.com changed:

   What|Removed |Added

 CC||wtog...@gmail.com



--- Comment #3 from Warren Togami wtog...@gmail.com ---
Upstream developers including gmaxwell, jgarzik and myself expressed an
interest in being involved with this review.  Please DO NOT APPROVE without
upstream cooperation.

Bitcoin is very strange software where distributions can create systemic risk
if inappropriately modified nodes exist in large numbers due to the danger of
altering the norms of global consensus.

http://bitcoinmagazine.com/5858/linux-distribution-packaging-and-bitcoin/
For this reason, it is vital that as much of the network as possible uses
unmodified implementations that have been carefully audited and tested,
including dependencies. For instance, if the included copy of LevelDB in
bitcoind is replaced by a system-wide shared library, any change to that shared
library requires auditing and testing, a requirement generally not met by
standard distributor packaging practices.

Luke-Jr packagers can use system leveldb, but doing so safely *needs*
appropriate care
Luke-Jr most distros aren't willing to give that care
Luke-Jr in particular, they need to lock leveldb to known-good versions (not
even doing bugfixes), and disable snappy support

Bitcoin's leveldb is a fork or a separately built and maintained instance of
leveldb.  I suggested that they rename this separate leveldb to make it clear
that it is Bitcoin-specific.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #4 from Juan Orti Alcaine juan.o...@miceliux.com ---
If anyone with deeper understanding of the inner workings of Bitcoin want to
take the ownership of this request, feel free to do it.

I'm not a developer, so all the work needed with the libraries will be hard to
me.

Michael, thank you for your previous work.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #5 from Jeff Garzik jgar...@pobox.com ---

Bitcoin is part of a new category of software that relies on distributed
consensus.  The integrity of the entire system, the ability to secure money
itself, relies on all nodes coming to a consensus on a timeline of transactions
(block chain).

Any part of the system which causes a deviation, however slight, in a
hash-secured system will partition nodes away from the main network.

In bitcoin's history, the database library has **already** played a role in
causing the network consensus to fail: https://en.bitcoin.it/wiki/BIP_50

To be specific, if Fedora's system leveldb is upgraded, that could partition
nodes receiving the upgrade away from other nodes on the network, if a
network-exposed database detail is present.

It may seem counterintuitive, but for the sake of distributed consensus, we may
even elect to _not_ upgrade a piece of code, thereby maintaining bug-for-bug
compatibility with existing network nodes.

Bitcoin is quite literally a new form of database, similar to Amazon Dynamo's
eventually consistent distributed database.

We need a special Fedora policy exception WRT system libraries, for this
reason.

It is standard distro policy to remove embedded libs, for very good reasons:  
an embedded zlib, for example, would not receive a bug fix that the system zlib
will receive.

Bitcoin is the opposite.  We MUST be bug-for-bug compatible, and an upgrade of
a system lib has the potential to break consensus.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

[Bug 1020292] Review Request: bitcoin - Peer-to-peer digital currency

2013-10-17 Thread bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1020292



--- Comment #6 from Peter Lemenkov lemen...@gmail.com ---
(In reply to Jeff Garzik from comment #5)

 To be specific, if Fedora's system leveldb is upgraded, that could partition
 nodes receiving the upgrade away from other nodes on the network, if a
 network-exposed database detail is present.

This sounds very strange to me. If it's true, and Bitcoin is so fragile due to
changes in underlying libraries, then it looks like a potential attack vector.

Btw why not to maintain glibc, kernel, compilers in sync as well?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review

69 matches

Mail list logo