Add warnings or discontinue zip files for Windows and maOS #29925

issue 1440000bytes opened this issue on April 20, 2024
  1. 1440000bytes commented at 10:14 PM on April 20, 2024: none

    1. One issue was shared in #27099 (comment)

      Example URL: https://bitcoincore.org∕bin∕bitcoin-core-27.0∕@bitcoin-27.0-win64.zip this will open attackers domain which in this case is bitcoin-27.0-win64.zip

    2. Other issue: https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/

      Example URL: https://github.com/bitcoin/bitcoin/files/15049876/bitcoin-27.0-arm64-apple-darwin.zip makes it seem like this zip file is present in this repository

  2. pinheadmz commented at 10:28 PM on April 20, 2024: member
    1. Example URL: https://bitcoincore.org∕bin∕bitcoin-core-27.0∕@bitcoin-27.0-win64.zip

    The @ is pretty obvious to me. But regardless what can bitcoin core do to protect users who download software from links they find anywhere outside bitcoincore.org ?

    Bitcoin core could stop serving releases altogether and replace the entire website with a warning, this .zip attack would be just as effective.

  3. 1440000bytes commented at 4:19 AM on April 21, 2024: none

    I don't have a good solution for this. Maybe warnings or not using zip would have helped.

  4. bitcoin locked this on Apr 21, 2025
Contributors
1440000bytespinheadmz
Linked (view graph)
#27099 build: produce a .zip for macOS distribution
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 15:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me