Depending on the user, we offer a wide range of ways to get Bitcoin Core:
- Self-compilation (using system packages and optionally `./depends`)
- Static gitian binaries (using `./depends` and Ubuntu system packages). They are signed for macOS and Windows, and reproducible to some extent.
- https://snapcraft.io/bitcoin-core (using the gitian binaries)
- https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt (using the gitian binaries)
However, there is no way to get Bitcoin Core as a vanilla system package, where it could serve as a dependency for other packages. Currently the user needs to install and maintain the dependencies manually. This might not be ideal for everyone and we should make it easy to use Bitcoin Core as a non-sysadmin.
I think in the past, a vanilla system package has been rejected because it would make it hard to apply security fixes (some distros ship year-old software, https://lists.debian.org/debian-backports/2013/12/msg00062.html). Also, those packages would generally not be deterministically compiled, thus not easily auditable.
However, now that Debian and Ubuntu are capable of shipping updated software (e.g. recent versions of docker or firefox), which receives security and other bugfixes, it seems time to maybe reconsider this decision.
And given that users of an operating system already need to trust the maintainers of their vanilla system package manager, it doesn’t seem to get worse when Bitcoin Core is offered through the same. I guess, if Bitcoin Core were offered as a new package and it used a deterministic build (like Debian's deterministic build effort) or bootstrappable build (like Guix) it would be really nice to have, but not a requirement.
I am opening this issue mostly to see what everyone else thinks about this.