release / process process depends on unverified code #2531

issue adrelanos opened this issue on April 14, 2013
  1. adrelanos commented at 11:49 PM on April 14, 2013: none

    https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.txt

    wget 'http://miniupnp.free.fr/files/download.php?file=miniupnpc-1.6.tar.gz' -O miniupnpc-1.6.tar.gz
    

    and the other instances of wget do not verify what they download. Not by OpenPGP, and not even by TLS.

    The build dependency maintainers themselves, people who compromise the build dependency maintainers, (crackers of) sourceforge and any man-in-the-middle are in a position to backdoor that code and therefore compromise the Bitcoin software.

  2. gavinandresen commented at 11:59 PM on April 14, 2013: contributor

    "meh"

    Builders fetch dependencies independently, and we only re-fetch when dependencies change.

    And any differences are picked up by the gitian build process; see, for example: https://github.com/bitcoin/gitian.sigs/blob/master/0.8.1/gavinandresen/bitcoin-build.assert#L564 ... for the sha256 sum of the miniupnpc.tar.gz used to build release 0.8.1

    More gitian builders is the right defense against men in the middle compromising Bitcoin. @adrelanos : can we count on you to help gitian build future releases?

  3. laanwj commented at 10:56 AM on October 24, 2013: member

    Inputs are checked for integrity now by the gitian descriptors, closing

  4. laanwj closed this on Oct 24, 2013

  5. MarcoFalke locked this on Sep 8, 2021
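The check the thread converges on, pinning a sha256 for every fetched dependency and refusing to build when the download does not match it, as an added shell example. This is not code from bitcoin/bitcoin or from the gitian descriptors; the function names, the stand-in "dependency" file, its filename and the pinned digest (sha256 of the literal content "hello\n") are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pin-and-verify for build inputs (not code from bitcoin/bitcoin
# or gitian). Plain HTTP fetches are acceptable only because the digest is
# pinned out of band in the build description and checked before use.
set -u

# Portable sha256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_input FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its digest equals the pinned value
# (hex compared case-insensitively). A missing file is a failure, not a skip.
verify_input() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing input: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "HASH MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify URL OUTFILE EXPECTED_SHA256
# Reuses an already-verified local copy (no re-fetch when the pin is unchanged);
# otherwise downloads, verifies, and deletes a mismatching file so that no later
# build step can pick up the tampered artifact by accident.
fetch_and_verify() {
    url=$1; out=$2; expected=$3
    if [ -f "$out" ] && verify_input "$out" "$expected" 2>/dev/null; then
        return 0
    fi
    wget -q "$url" -O "$out" || curl -fsSL "$url" -o "$out" || return 1
    if ! verify_input "$out" "$expected"; then
        rm -f "$out"
        return 1
    fi
    return 0
}

# Offline demonstration with a constructed stand-in for a dependency tarball.
# PINNED_SHA256 is sha256("hello\n"), i.e. what `echo hello | sha256sum` prints.
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/dep-1.6.tar.gz"                      # genuine input
    printf 'hello\n#backdoor\n' > "$tmp/dep-1.6.tar.gz.tampered"  # modified in transit
    verify_input "$tmp/dep-1.6.tar.gz" "$PINNED_SHA256" && echo "genuine input: OK"
    if verify_input "$tmp/dep-1.6.tar.gz.tampered" "$PINNED_SHA256" 2>/dev/null; then
        echo "tampered input accepted (BUG)"
    else
        echo "tampered input: rejected"
    fi
    rm -rf "$tmp"
}
demo
```

The pinned digest has to come from somewhere trustworthy (the project's own tree, reviewed like any other change), which is exactly what makes a later hash mismatch meaningful: the fetch can travel over an untrusted network, but the decision to build is made against a value the attacker on the wire could not alter.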

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 15:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me